Post-attack handling of servers CC

Source: Internet
Author: User

In fact, defending against CC attacks is essentially the same as defending against DDoS attacks: both are designed to exhaust server resources. DDoS attacks exploit a weakness in the TCP/IP protocol, which was designed at a time when Internet users were assumed to be well-behaved; today's Internet environment is far more complex.

When two machines communicate they first perform the so-called three-way handshake. The client sends a request (SYN); the server receives it, records the session in its connection table (the TCB, kept in memory), and returns a response packet (SYN-ACK); at this point the connection is in the TIME_WAIT state. If the client's final ACK never arrives, the server retransmits the SYN-ACK at intervals, and after several retries with no response from the client it closes the session and removes it from the TCB. This waiting process takes roughly 30 seconds. If an attacker sends 100,000 requests (SYN) to an open port on the server and never responds to the SYN-ACKs, the server's TCB quickly exceeds its capacity; the attacker can also forge the source IP address in the packets, so the packets the server sends back never reach the attacker and cannot choke its own connection. As you can see, this is a fairly serious issue in the TCP/IP protocol. Filtering packets with a firewall policy can prevent DDoS attacks to some extent.

At the moment, CC attacks mainly target the parts of a web application that consume a lot of resources and flood them with requests. Take the search function of a forum: if it is not restricted and anyone can search freely, a normally configured server will see its MySQL service die under a few hundred concurrent requests.

To defend against CC attacks, first understand that there are three kinds: direct attacks, proxy attacks and botnet attacks.

Direct attacks mainly target web applications with serious flaws; they are generally rare and only occur when the program itself is badly written. Botnet attacks are similar to DDoS attacks and cannot be defended against at the web application level, so we do not go into these two scenarios.

Here we mainly discuss the second kind, proxy attacks. A CC attacker generally controls a number of proxy servers, say 100 proxies, and has each proxy send 10 requests at the same time, so the web server receives 1000 concurrent requests. As soon as a request has been sent, the attacker disconnects from the proxy so that the data the proxy returns does not clog the attacker's own bandwidth and prevent it from issuing further requests. The web server queues these requests for processing, and the database server does the same, so normal requests are stuck waiting behind them. It is like going to the cafeteria: normally fewer than 10 people are in line, but today there are 1000 people in front of you, so your chances are slim, and the page loads extremely slowly or stays blank.

Defending against CC attacks

Discuz! 5.5 adds two methods on top of the earlier anti-CC measures; configure the appropriate one according to the actual attack situation. For reasons of space the principle behind each method is not explained here; only the configuration is described briefly.

Configuration file config.inc.php:

$attackevasive = 0;  // Forum defense level: prevents denial-of-service attacks caused by a large number of abnormal requests
                     // 0 = off, 1 = cookie refresh limit, 2 = restrict proxy access, 4 = two requests, 8 = answer question (must answer a question on first visit)
                     // Combinations: 1|2, 1|4, 2|8, 1|2|4 ...

Normally leave it at 0. When an attack occurs, analyse its methods and patterns and use a combination of the options. You can try 2, 2|4, 1|2|4 and 1|2|4|8 in turn; if 1|2|4|8 still does not help, we consider that the application level cannot withstand it, and the host is probably suffering a botnet DDoS attack, so we recommend starting from the firewall policy.
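To make the "analyse its methods and patterns" step concrete, the following is an added example (not from the original post and not Discuz! code) that scans constructed Apache access-log lines for the proxy-attack pattern described above: many source addresses each sending a few requests to the expensive search page within the same second, alongside any single greedy client. The log format, the thresholds, the path list and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Paths that do expensive database work (the forum search from the article).
EXPENSIVE = ("/search.php",)

# Apache "common" log format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "second": ts, "path": path.split("?", 1)[0], "status": int(status)}

def find_cc_windows(lines, per_ip_limit=5, total_limit=50):
    """Group expensive requests by log-timestamp second and report windows where
    one IP exceeds per_ip_limit or the combined load exceeds total_limit
    (many sources, few requests each: the proxy pattern)."""
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"] in EXPENSIVE:
            windows[rec["second"]][rec["ip"]] += 1
    alerts = []
    for second, by_ip in sorted(windows.items()):
        total = sum(by_ip.values())
        noisy = [ip for ip, n in by_ip.items() if n > per_ip_limit]
        if noisy or total > total_limit:
            alerts.append({"second": second, "total": total,
                           "sources": len(by_ip), "noisy_ips": sorted(noisy)})
    return alerts

def make_sample():
    """Constructed log: 60 proxies each sending 2 search requests in one second,
    one greedy client sending 8, and some harmless thread views a second later."""
    ts = "10/Mar/2016:10:00:01 +0800"
    lines = []
    for i in range(60):
        for _ in range(2):
            lines.append(f'198.51.100.{i} - - [{ts}] "GET /search.php?srchtxt=x HTTP/1.1" 200 1024')
    lines += [f'203.0.113.7 - - [{ts}] "GET /search.php?srchtxt=y HTTP/1.1" 200 1024'] * 8
    lines += [f'192.0.2.{i} - - [10/Mar/2016:10:00:02 +0800] "GET /viewthread.php?tid={i} HTTP/1.1" 200 2048'
              for i in range(20)]
    return lines

if __name__ == "__main__":
    for alert in find_cc_windows(make_sample()):
        print(alert)
```

A window with a high total but no noisy IP is the signature of the proxy attack; a single noisy IP points to a direct attack, which the per-IP option 1 handles better than option 2.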

This article is from the "it--Brother" blog, please make sure to keep this source http://402753795.blog.51cto.com/10788998/1765406

