What is a CC attack?
A CC (Challenge Collapsar) attack uses a large number of proxy servers to open a large number of connections and HTTP requests against a target, exhausting the target server's resources and causing a denial of service. So how do you tell whether a CC attack is in progress?
This article mainly introduces some Linux commands for spotting a CC attack. They all rely on the net-tools `netstat`; on newer distributions where it is not installed, `ss -ant` gives the same information, although its columns are laid out differently, so the field numbers below would have to be adjusted.
Count all connections on port 80 (the trailing space keeps ":8080" from matching)
netstat -nat | grep -i ":80 " | wc -l
Sort the connected IPs by the number of connections
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr
View TCP connection states
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/{print $NF}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/{++S[$NF]}; END {for (a in S) print a, S[a]}'
netstat -n | awk '/^tcp/{++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/{++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
See the IPs with the highest number of port 80 connections
From the web server access log (the first field is the client IP; the first command scans the whole log, the second only the last 10000 lines):
cat /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100
tail -n 10000 /www/web_logs/waitalone.cn_access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -100
From the live connection table, the top 20 remote addresses on port 80:
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/{split($5,ip,":"); ++A[ip[1]]} END {for (i in A) print A[i],i}' | sort -rn | head -n20
Sniff port 80 traffic with tcpdump to see which source address sends the most packets (1000 packets sampled)
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
Find the addresses with the most TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
Find the addresses with the most SYN (half-open) connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
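The netstat pipelines above, wrapped in shell functions that can be run against a saved snapshot. This is an added example and not part of the original article: the snapshot below is constructed to look like `netstat -ant` output, and the host 10.0.0.5, the client addresses and the port numbers in it are made up for illustration. Unlike the `cut -d: -f1` one-liners, it strips the port with a regex, so IPv6-mapped addresses such as `::ffff:198.51.100.23:40002` are not cut at the wrong colon.

```sh
# Added example (not from the original article): count TCP connections by
# state and by remote address from a saved netstat snapshot.
# The snapshot is constructed; every address and port in it is invented.
SNAPSHOT=$(mktemp)
trap 'rm -f "$SNAPSHOT"' EXIT
cat > "$SNAPSHOT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:40000     ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:40001     TIME_WAIT
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.23:40002 ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:33000        ESTABLISHED
EOF

# state_counts FILE: number of TCP connections in each state, busiest first.
state_counts() {
    awk '/^tcp/ { ++s[$NF] } END { for (k in s) print s[k], k }' "$1" | sort -rn
}

# clients_on_port FILE PORT: connections per remote address to local PORT,
# LISTEN sockets excluded. The port is removed with a regex and the
# ::ffff: prefix of IPv6-mapped addresses is dropped so that the same
# client is counted under one key.
clients_on_port() {
    awk -v port="$2" '
        /^tcp/ && $NF != "LISTEN" && $4 ~ (":" port "$") {
            sub(/:[^:]+$/, "", $5); sub(/^::ffff:/, "", $5); ++c[$5]
        }
        END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# clients_in_state FILE STATE: remote addresses with the most connections
# in STATE, e.g. SYN_RECV for half-open floods or TIME_WAIT for floods of
# very short requests.
clients_in_state() {
    awk -v st="$2" '
        /^tcp/ && $NF == st {
            sub(/:[^:]+$/, "", $5); sub(/^::ffff:/, "", $5); ++c[$5]
        }
        END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

echo "== connection states =="; state_counts "$SNAPSHOT"
echo "== clients on port 80 =="; clients_on_port "$SNAPSHOT" 80
echo "== clients in SYN_RECV =="; clients_in_state "$SNAPSHOT" SYN_RECV
```

Against a live system, replace the constructed snapshot with `netstat -ant > file`. A handful of SYN_RECV entries from one address is normal; a single address holding dozens of them, or far more port 80 connections than any other client, is the pattern the rest of the article is looking for.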
Some common iptables commands for blocking IP addresses and ranges under Linux:
The command for a single IP is:
iptables -I INPUT -s 211.1.0.0 -j DROP
The commands for /16 ranges are:
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
The command that blocks the whole /8 is:
iptables -I INPUT -s 211.0.0.0/8 -j DROP
The commands that block several /24 ranges are:
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
There are three ways to have the rules applied automatically when the server boots:
1. Add the commands to /etc/rc.local.
2. `iptables-save > /etc/sysconfig/iptables` writes your current iptables rules to /etc/sysconfig/iptables, and the iptables service restores them at boot.
3. `service iptables save` also writes your current iptables rules to /etc/sysconfig/iptables for the iptables service to restore at boot.
The latter two are better: the iptables service normally starts before the network service, so the rules are already in place when the interfaces come up, which is safer than rc.local, which runs last.
To unblock an address:
iptables -D INPUT -s <IP address> -j DROP
The -D rule has to repeat the inserted rule exactly, including the target, so a rule added with -j DROP is deleted with -j DROP, not -j REJECT, otherwise the delete fails.
iptables -F clears all rules in the filter table, including any you meant to keep.
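An added example that is not from the original article, joining the access-log counting above to the iptables rules in this section: it counts requests per client IP, picks the addresses above a threshold, and prints the matching insert and delete rules instead of running them, so the list can be reviewed before anything is blocked. The log lines and the threshold are constructed for illustration; the log path, threshold and function names are assumptions.

```sh
# Added example (not from the original article): turn the top-talker count
# from an access log into reviewable iptables rules. The log is constructed;
# every address in it is invented.
ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 1024
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /style.css HTTP/1.1" 200 2048
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0
EOF

# top_clients LOG N: the N client IPs with the most requests, "count ip" per line
# (the first log field is the client address, as in the pipelines above).
top_clients() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -nr | head -n "$2" |
        awk '{ print $1, $2 }'
}

# flood_clients LOG THRESHOLD: IPs with more than THRESHOLD requests, one per line.
flood_clients() {
    awk '{ print $1 }' "$1" | sort | uniq -c |
        awk -v t="$2" '$1 > t { print $2 }'
}

# block_rules LOG THRESHOLD: the insert rule for each flooding IP, printed
# rather than executed so it can be checked before it is applied.
block_rules() {
    flood_clients "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# unblock_rules LOG THRESHOLD: the matching delete rule. -D must repeat the
# inserted rule exactly, including the DROP target, or the delete fails.
unblock_rules() {
    flood_clients "$1" "$2" | while read -r ip; do
        printf 'iptables -D INPUT -s %s -j DROP\n' "$ip"
    done
}

echo "== top 3 clients =="; top_clients "$ACCESS_LOG" 3
echo "== rules for clients with more than 2 requests =="; block_rules "$ACCESS_LOG" 2
echo "== rules to undo them =="; unblock_rules "$ACCESS_LOG" 2
```

Pipe the output into `sh` only after reading it. Two caveats: if the server sits behind a reverse proxy or CDN, the first log field is the proxy's address and blocking it cuts off every real client, so the count must come from the X-Forwarded-For header instead; and because a CC attack is spread over many proxies, one address rarely dominates the way it does in this constructed log, so the threshold has to be chosen against the site's normal per-client rate rather than picked from the top of the list.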