How Nginx cleverly solved the DDoS attacks I have encountered

Source: Internet
Author: User
This article describes how I used Nginx to deal with the DDoS attacks I encountered on an SMS verification-code interface.

1. Problem

My app had been online for some time when, one day, I suddenly found that the production system could no longer send verification codes.

Logging in to the admin console of the third-party SMS verification-code service, I found that the problem was serious:

Serial Number   Account     Quantity (entries)   Date
3               Youbiquan   15797
4               Youbiquan   57
5               Youbiquan   49                   November
6               Youbiquan   54                   2015-12-21
7               Youbiquan   64

A few days earlier the SMS service had sent more than 15000 text messages, which used up the prepaid balance outright.

To find the cause, the only place to look was the Nginx logs.

The log showed a huge number of requests to the SMS interface, and while I was viewing it new entries were still being appended at a furious rate: a typical DDoS attack, with the SMS interface as its focus.

221.178.182.21 - - [05/Jan/2016:16:19:25 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.3; XM50h Build/19.1.1.C.1.2)" "-"
171.82.225.66 - - [05/Jan/2016:16:19:32 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.4; 2014812 MIUI/V6.6.3.0.KHJCNCF)" "-"
171.82.225.66 - - [05/Jan/2016:16:19:32 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.4; 2014812 MIUI/V6.6.3.0.KHJCNCF)" "-"
110.89.16.13 - - [05/Jan/2016:16:19:49 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; R827T Build/JDQ39)" "-"
110.89.16.13 - - [05/Jan/2016:16:19:49 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; R827T Build/JDQ39)" "-"
118.114.160.200 - - [05/Jan/2016:16:21:26 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:21:39 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
119.122.0.136 - - [05/Jan/2016:16:21:41 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:21:51 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"

When the traffic volume gets large enough, the server can barely serve normal requests and is on the verge of crashing.

2. Temporary plan

Before I had figured out the cause, my first thought was to stop the SMS service so that the attackers could no longer reach it; the server itself could not be shut down, since online users were still using it.

So I used nginx to rewrite requests for this interface:

if ( $request_uri ~* "showType=smsAuthcode" ) {
    rewrite ^/ http://www.baidu.com/;
}

There are of course many ways to configure this; what is shown here is just what solved the problem at hand. For a proper configuration, refer to more authoritative nginx documentation.

Apologies to Baidu for forwarding the attack requests there. In practice it is enough to simply return a status code, such as 200.

3. Log-based analysis solution

Of course, this does not actually solve the problem: with the interface redirected, online users cannot register new accounts either.

The solution I first came up with was to restrict access by IP address. I analyzed the log: some IPs attacked several thousand times, while others accessed the interface only a few times, so there was no way to tell whether a given IP belonged to a real user or to an attacking machine. I found a solution on the internet that limits how many times an IP address may access an interface within a given period:

iptables -A INPUT -p tcp --dport 80 -d xx.xx.xx.xx -m string --string "/myinterface?showType=smsAuthcode" --algo kmp -m recent --name httpuser --set
iptables -A INPUT -m recent --update --name httpuser --seconds 86400 --hitcount 4 -j LOG --log-level 5 --log-prefix 'HTTP attack: '
iptables -A INPUT -m string --string "/myinterface?showType=smsAuthcode" --algo kmp -m recent --update --name httpuser --seconds 86400 --hitcount 10 -j REJECT

The basic idea is to match on the request string: whenever a packet contains a request to the SMS interface, the recent module records the source address. Once an address has made more than four such requests in a day it is logged, and the third rule, as written, rejects it once it reaches ten. Note that the string match only sees plaintext HTTP on port 80 and inspects individual packets, so it does nothing for HTTPS traffic.

This did have some effect:

Serial Number   Account     Quantity (entries)   Date
2               Youbiquan   540                  2016-01-08
3               Youbiquan   2857                 2016-01-04
4               Youbiquan   388                  2016-01-05
5               Youbiquan   2469                 2016-01-06

Although IP-based protection helped somewhat, it was far from complete. We normally send about 50 messages a day; after the IP firewall rules were in place there were still thousands of messages per day. Analysis showed that the attack used far too many IP addresses, so IP-based defense looked hopeless.

One day I opened the nginx access log and suddenly noticed that the user-agent of the attacking requests was very short, clearly different from the user-agents of other requests.

The attacker's user-agent appeared to be just "Mozilla/5.0" with nothing after it, whereas other requests carried more information, such as the system version and browser.

Following this conjecture, I wrote a program to analyze the user-agents: only requests to the SMS interface carried the very short "Mozilla/5.0"; no other requests had this UA, but there were still some other short UAs, such as

Dalvik/1.6.0 (Linux; U; Android 4.2.2; R827T Build/JDQ39)" "-"

So I looked it up and found that Dalvik is the Android virtual machine. It instantly became clear: if both "Mozilla/5.0" and the virtual machine's UA were blocked by a UA-based defense, would the problem be solved?
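The per-IP counting from section 3 and the user-agent analysis just described can be done together with a small log parser. The following is an added example written for this page, not the author's own analysis program; it assumes the nginx combined-log layout shown above and uses constructed sample lines with RFC 5737 test addresses.

```python
import re
from collections import Counter

# Nginx access-log layout as shown on this page: ip, ident, user, [time],
# "request", status, bytes, "referer", "user-agent". The regex assumes that order.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SMS_PATH = "showType=smsAuthcode"   # the abused interface named on the page

# Constructed sample lines (RFC 5737 test addresses), mimicking the page's log.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2016:16:21:26 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [05/Jan/2016:16:21:39 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [05/Jan/2016:16:21:51 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [05/Jan/2016:16:19:32 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.4; 2014812 MIUI/V6.6.3.0.KHJCNCF)" "-"
203.0.113.9 - - [05/Jan/2016:16:19:33 +0800] "POST /myinterface?showType=smsAuthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.4; 2014812 MIUI/V6.6.3.0.KHJCNCF)" "-"
203.0.113.9 - - [05/Jan/2016:16:20:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0" "-"
"""

def parse_line(line):
    """Split one access-log line into fields; None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_bare_ua(ua):
    """True for a lone product token ('Mozilla/5.0', 'Dalvik/1.6.0') with no platform detail."""
    return re.fullmatch(r"[A-Za-z]+/[\d.]+", ua.strip()) is not None

def analyze(lines):
    """Count SMS-interface requests per source IP and per UA; tally bare UAs separately."""
    by_ip, by_ua, bare = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or SMS_PATH not in rec["req"]:
            continue                      # other endpoints are not of interest here
        by_ip[rec["ip"]] += 1
        by_ua[rec["ua"]] += 1
        if is_bare_ua(rec["ua"]):
            bare[rec["ua"]] += 1
    return {"by_ip": by_ip, "by_ua": by_ua, "bare_ua": bare}

def hot_sources(result, min_hits):
    """IPs that hit the SMS interface at least min_hits times, busiest first."""
    return [(ip, n) for ip, n in result["by_ip"].most_common() if n >= min_hits]

if __name__ == "__main__":
    res = analyze(SAMPLE_LOG.splitlines())
    print("per IP:", res["by_ip"].most_common(), "bare UAs:", res["bare_ua"].most_common())
```

Run it against a real access.log by passing the file's lines to analyze(); the bare-UA heuristic will also flag tools such as curl, so treat its output as a lead to inspect, not a block list.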

The following code is added to the nginx configuration:

if ($http_user_agent = "Mozilla/5.0") {
    return 503;
}
if ($http_user_agent ~* "Dalvik/1.6.0") {
    return 503;
}

The first block matches the bare UA "Mozilla/5.0" exactly; the second matches any UA containing "Dalvik/1.6.0", which is the UA of the Android virtual machine. Note that "Dalvik/<version>" is the default User-Agent sent by Android's HttpURLConnection when an app does not set its own, so this rule also blocks legitimate Android clients that rely on that default.

After applying this method, the effect was immediately obvious:

Serial Number   Account     Quantity (entries)   Date
2               Youbiquan   57                   2016-01-09

With the new defense in place, the number of messages sent dropped straight back to the previous normal level, and I tested with several phones, which worked fine.

However, it is too early to celebrate: attackers can easily forge the UA, and completely solving DDoS attacks will still take a lot more study ~

The above describes how I used nginx to cleverly deal with the DDoS attacks I encountered. I hope it is helpful to readers who are interested.
