Web site methods to prevent CC attacks

CC Attack (Challenge Collapsar) is a kind of DDoS (distributed denial of service), it is also a kind of common website attack method, the attacker sends a large number of packets to the victim host through Proxy server or broiler, causing the other server resources to run out, until the downtime crashes.

CC attacks are low in technology, using tools and some IP proxies, an initial, intermediate level of computer users can implement the attack. However, if you understand the principle of the CC attack, it is not difficult to implement some effective precautions against the CC attack.

There are usually several ways to prevent CC attacks, one is through the firewall, some other network companies also provide some firewall services, such as XX website guards and xx Bao, there is a way to write their own program prevention, yesterday, the site encountered CC attack, which also let me try a variety of methods to prevent the effectiveness of CC attack.

At first I want to use a certain website guardian to prevent attacks, from the interface, it seems to be to prevent a large number of CC attacks, but after the site found that traffic is still abnormal, attacks or still, it seems that the effect of the site defender has not been achieved.

From the principle, basically all firewalls will detect concurrent TCP/IP connection number, more than a certain frequency will be considered connection-flood. However, if the number of IP is large enough to make a single IP less than the number of connections, then the firewall may not be able to prevent CC attacks.

Not only that, I also found that after the launch of a certain website defender, instead, it is easier to be CC attack, because this site defender can not filter out CC attack, attack IP after its acceleration, replace as the guardian of this site IP, the Web server side of the IP display is the same, resulting in server-side can not filter these IP.

In fact, does not use the Website Guardian class service, directly through the analysis website log, or is very easy to distinguish which IP is the CC attack, because the CC attack is after all through the program to crawl the webpage, with the ordinary viewer's characteristic difference is still very big, for example the ordinary visitor accesses a webpage, will continue to crawl the pages of HTML files, CSS files, JS files and pictures and a series of related files, and CC attackers will only crawl a URL address file, will not crawl other types of files, the user agent is also most of the same as ordinary viewers, This can be easily identified on the server which visitors are CC attacks, since you can determine the IP of the attacker, then the precautionary measures are very simple, only the bulk of these IP shielding, you can achieve the purpose of preventing CC attacks.

Finally, I spent half an hour to write a small program, after the operation of the automatic shielding hundreds of IP, the site is normal, thus proving that the firewall for the CC attack is not effective defense, the most effective method or in the server-side through the program automatic shielding to prevent.

It seems that the threshold of CC attack is really low ah, get a hundreds of agent or chicken can attack others, its cost is very low, but the effect is more obvious, if the attackers traffic is huge, through the use of bandwidth resources can be attacked. However, there are also obvious technical flaws in the CC attack, is the attacker's IP is not massive, is usually hundreds of thousands of level, and is a real visit to the Site page, which allows the site to filter through the way, easy access to these attackers IP, bulk shielding, then this cc attack will be prevented.