"Essay" Linux hosts simple command to judge CC attacks

Source: Internet
Author: User

Today I saw a very interesting tcpdump command and am recording it here.

For the detailed usage of tcpdump, refer to its manual page (man tcpdump).

What is a CC attack?

On CC attacks, here is a quote from Baidu's explanation:

The principle of a CC attack is that the attacker controls a number of hosts that keep sending large volumes of data packets to the target server, causing the server to run out of resources until it crashes. CC is mainly used to attack web pages. Everyone has had the experience that when a page is accessed a very large number of times, it opens slowly. CC simulates many users (as many users as there are threads) constantly accessing pages that require a lot of data processing (that is, a lot of CPU time), wasting server resources: the CPU stays at 100% for long periods and there are always connections to handle, until the network is congested and normal access is cut off.

As for defending against CC attacks, you can block proxy access to the site, make the site's pages static where possible, limit the number of connections, lower the maximum timeout, and use similar methods to mitigate the attack.

With the principle of CC attacks and the defence methods understood, the most important thing to solve now is how to detect whether a server is under a CC attack.

Here is a simple way to judge whether you are under a CC attack:

tcpdump

Definition: a packet analysis tool that intercepts packets on the network according to rules the user defines. tcpdump can capture the "headers" of packets transmitted on the network and present them for analysis. It supports filtering on the network layer, protocol, host, network or port, and provides logical operators such as and, or and not to help you discard useless information.

Linux systems do not install tcpdump by default. If it is not installed on the system, you can install it as follows:

CentOS installation method:

yum install -y tcpdump

Ubuntu/Debian installation method:

apt-get install -y tcpdump

Once installed, you can use the following commands to view the information:

First command:

tcpdump -s0 -A -n -i any | grep -oE '(GET|POST|HEAD).*'

After running this command on the system, every HTTP request line that reaches the host is printed as it arrives, so when someone visits a website on the machine you see the corresponding requests.

Normal results are requests for static files such as CSS, JS and various images.

If the host is under attack, a large number of requests for one fixed address appear. For example, if the attack targets the home page, there will be a great many "GET / HTTP/1.1" lines, or the requested addresses will share some characteristic.


Second command:

tcpdump -s0 -A -n -i any | grep -i '^user-agent'

This lets you see user agent information such as the operating system and browser. In the output, the first four requests came from the Firefox browser, followed by IE. This information is easy to read off.

This is the client-side user agent; in normal results there is a variety of user agents.

Most attacks use a fixed user agent, that is, you will see the same user agent scrolling past repeatedly. A random user agent appears only once, but it looks like a meaningless string such as "axd5m8usy", so it can still be picked out.

Third command:

tcpdump -s0 -A -n -i any | grep -i '^host'

If there are many sites on the machine, you can use the command above to find out which website is being requested in large volumes.
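The three greps above show each request line, User-Agent and Host as it scrolls past, which works for a quick look but is hard to read during a real flood. The script below is an added example, not code from the original post: it reads the same "tcpdump -s0 -A -n -i any" text on stdin and counts the three fields, printing the most frequent values and flagging any value seen more than a threshold number of times. The interface "any", the threshold values and the sample capture are assumptions; the sample is constructed in the shape of tcpdump -A output and uses documentation addresses, it is not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post. It aggregates the text that
# the article's capture command prints, so that a repeated request line,
# User-Agent or Host is counted rather than spotted on a scrolling screen.
# Assumed live usage (interface "any" as in the article):
#   tcpdump -s0 -A -n -i any 2>/dev/null | sh cc_summary.sh --stdin
#   tcpdump -s0 -A -n -r capture.pcap      | sh cc_summary.sh --stdin
# "sh cc_summary.sh --demo" runs it on the constructed sample at the bottom.

# top_field PATTERN N: read tcpdump -A text on stdin, keep the part of each
# line that matches the extended regex PATTERN (case-insensitive, like the
# article's greps) and print the N most frequent values as "count<TAB>value".
# CRs are removed first: HTTP headers end in CRLF and tcpdump -A prints the CR.
top_field() {
    pattern=$1
    n=${2:-5}
    tr -d '\r' | grep -i -o -E "$pattern" | sort | uniq -c | sort -rn |
        head -n "$n" | awk '{c = $1; $1 = ""; sub(/^ +/, ""); print c "\t" $0}'
}

# flood_check PATTERN THRESHOLD: print "FLOOD count value" for every value of
# the field seen more than THRESHOLD times. Exit status 0 when something was
# flagged, 1 otherwise (grep-style), so it can drive a cron job or an alert.
flood_check() {
    pattern=$1
    threshold=$2
    top_field "$pattern" 100000 |
        awk -F '\t' -v t="$threshold" \
            '$1 > t { print "FLOOD", $1, $2; found = 1 } END { exit found ? 0 : 1 }'
}

# cc_summary: the article's three views (request line, User-Agent, Host) as
# top-5 tables over one capture read from stdin.
cc_summary() {
    data=$(cat)
    for spec in 'Request line|(GET|POST|HEAD) [^ ]+' \
                'User-Agent|^user-agent: .*' \
                'Host|^host: .*'; do
        printf '== %s ==\n' "${spec%%|*}"
        printf '%s\n' "$data" | top_field "${spec#*|}" 5
    done
}

# Constructed sample in the shape of tcpdump -A output (not a real capture;
# addresses are from the documentation ranges): five requests for "/" with the
# fixed User-Agent the article mentions, plus two ordinary browser requests.
sample_capture() {
    i=1
    while [ "$i" -le 5 ]; do
        printf '12:00:0%d.000000 IP 198.51.100.%d.4000%d > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 512, length 79\nE..o..@.@.....GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: axd5m8usy\r\n\r\n' "$i" "$i" "$i"
        i=$((i + 1))
    done
    printf '12:00:10.000000 IP 203.0.113.7.51000 > 192.0.2.10.80: Flags [P.], seq 1:200, ack 1, win 512, length 199\nE.....@.@.....GET /static/app.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n'
    printf '12:00:11.000000 IP 203.0.113.8.51001 > 192.0.2.11.80: Flags [P.], seq 1:180, ack 1, win 512, length 179\nE.....@.@.....GET /img/logo.png HTTP/1.1\r\nHost: blog.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko\r\n\r\n'
}

case "${1:-}" in
    --stdin) cc_summary ;;
    --demo)  sample_capture | cc_summary ;;
esac
```

On the constructed sample the request-line table puts "GET /" on top with a count of 5, the User-Agent table shows "axd5m8usy" five times against one Firefox and one IE request, and the Host table attributes six of the seven requests to www.example.com, which is exactly the pattern the article describes for an attacked home page. The thresholds for flood_check have to come from the host's own normal traffic: run it for a few minutes at a quiet time to see what the busiest static file and the busiest legitimate browser user agent look like before deciding what count is abnormal, and treat the Host view as the way to pick which site to look at first rather than as proof of an attack on its own.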
