Win2003 Web server anti-CC attack detailed graphics and text tutorial

Source: Internet
Author: User
Tags: local time, system log

1. Attack principle

The principle of a CC attack is that the attacker controls a number of hosts that keep sending large volumes of requests to the target server, exhausting its resources until it crashes or stops responding. CC is mainly used against web pages, and everyone has seen the effect: when a page is visited a very large number of times it opens slowly. CC simulates many users (as many users as there are threads) that non-stop request the pages needing a lot of data processing, that is, a lot of CPU time. Server resources are wasted, the CPU stays at 100% for long periods, there is always another connection waiting to be handled, and eventually the network is congested and normal access is aborted.

2. Attack symptom

A CC attack is somewhat concealed, so how can you determine whether the server is suffering, or has suffered, a CC attack? We can judge by the following three methods.

(1). Command Line method

Typically, when a CC attack occurs, port 80 of the web server becomes effectively closed, because the port is choked by a large amount of garbage traffic and normal connections are aborted. We can check this by typing the command "netstat -an" at the command line; if we see a large number of connection records similar to the following, the server can basically be considered under CC attack: (Figure 1)

......
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
......

Here "192.168.1.6" is the IP of a host used as a proxy for the attack, and "SYN_RECEIVED" is the TCP connection state flag meaning "in the initial synchronisation state of the connection": the server has answered the first SYN and is waiting for a handshake response that never arrives. This is the characteristic of the attack; in general there will be many such lines, representing attacks from different proxy IPs.

(2). Batch processing method

The above method requires manual input, and if the web server has too many IP connections the output is hard to read, so we can create a batch file whose script determines whether a CC attack exists. Open Notepad, type the following code and save it as cc.bat:

@echo off
rem record the current time, then every TCP connection involving port 80, in log.log
time /t >> log.log
netstat -n -p TCP | find ":80" >> log.log
notepad log.log
exit
This script filters out all current connections to port 80 and appends them to log.log. When the server seems abnormal, double-click the batch file and then review all the connections in the log.log file that opens. If the same IP has a relatively large number of connections to the server, it can basically be determined that this IP is carrying out a CC attack on the server. (Figure 2)
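The two checks above (reading "netstat -an" by eye, and the batch file that filters port 80) both come down to counting connections per remote IP and per TCP state. The script below is an added example, not code from the original tutorial: it parses netstat output, keeps only connections to the web port, and lists the remote IPs with many half-open (SYN_RECEIVED) connections. The sample output is constructed to resemble the tutorial's Figure 1, and the threshold of 3 half-open connections per IP is an assumed starting point that has to be tuned per server.

```python
"""Count connections to the web port per remote IP from `netstat -an` output.

Added example (not from the tutorial): the sample output below is constructed
to resemble the tutorial's Figure 1, and the threshold of 3 half-open
connections per IP is an assumed starting point to tune per server.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout `netstat -an -p TCP` prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.3:80         192.168.1.6:2203       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2204       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2205       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2206       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.7:1033       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.7:1034       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.9:4410       ESTABLISHED
  TCP    192.168.1.3:3389       192.168.1.20:51234     ESTABLISHED
"""

# Proto, local addr:port, remote addr:port, state; IPv6 forms like [::]:80 also match.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every TCP connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a UDP row
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        state = state.upper()
        if state.startswith("SYN_RECV"):  # Linux spelling of the same state
            state = "SYN_RECEIVED"
        yield int(local_port), remote_ip, state


def connections_per_ip(text, local_port=80):
    """Return {remote_ip: Counter(state -> count)} for connections to local_port."""
    per_ip = defaultdict(Counter)
    for port, remote_ip, state in parse_netstat(text):
        if port == local_port and state != "LISTENING":
            per_ip[remote_ip][state] += 1
    return dict(per_ip)


def suspect_ips(text, local_port=80, threshold=3):
    """Remote IPs with at least `threshold` half-open (SYN_RECEIVED) connections
    to local_port, as (ip, count) pairs, busiest first."""
    hits = [(ip, states["SYN_RECEIVED"])
            for ip, states in connections_per_ip(text, local_port).items()
            if states["SYN_RECEIVED"] >= threshold]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    # Usage on the server: netstat -an -p TCP > conns.txt && python cc_netstat.py conns.txt
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_NETSTAT
    for ip, count in suspect_ips(text):
        print(f"{ip}\t{count} half-open connections to port 80")
```

Run it against a saved "netstat -an -p TCP" capture; a handful of SYN_RECEIVED entries from one IP is normal on a busy site, so raise the threshold until the script is quiet during ordinary traffic and only speaks up during the pattern the tutorial describes.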

(3). View System Log

The two methods above have the disadvantage that they only show a CC attack in progress; they are powerless to tell whether the web server was attacked earlier. For that we can search the web logs, because they faithfully record every IP's access to web resources. By examining the logs we can find out whether the web server was previously CC-attacked, identify the attacker's IP, and then take further action.

Web logs are typically in the C:\windows\system32\logfiles\httperr directory, in files named like httperr1.log, which record web access errors. The administrator can choose the appropriate log by its time attributes and open it to analyse whether the site is being CC-attacked. (Figure 3)


By default the web log records few fields; we can configure IIS so that the log records more fields for security analysis. The steps are:

Open Start → Administrative Tools → Internet Information Services (IIS) Manager, expand the tree on the left to the appropriate web site, right-click it and select Properties to open the site's Properties window. On the Web Site tab click the Properties button next to the logging settings, and on the Advanced tab of the Logging Properties window check the extended properties you want logged. For example, "Bytes Sent", "Bytes Received" and "Time Taken" are not selected by default but are useful for recording a CC attack, and can be checked. In addition, if you have high security requirements, you can set the new log schedule on the General tab to hourly or daily. To make later analysis easier, check "use local time for file naming and creation". (Figure 4)
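Once "Bytes Sent", "Bytes Received" and "Time Taken" are being logged, the after-the-fact analysis the section describes is a matter of counting requests per client IP per minute and adding up the server time each IP consumed. The script below is an added example, not code from the original tutorial: it reads the IIS W3C extended site log (the one the logging properties above configure), honours the #Fields: directive so column order does not matter, and flags IPs whose request rate stands out. The log text is constructed, and the 20-requests-per-minute threshold is an assumption to tune against the site's normal traffic.

```python
"""Find client IPs with an abnormal request rate in an IIS W3C extended log.

Added example (not from the tutorial). The log text is constructed to look like
an IIS 6 W3C extended log with the Bytes Sent/Received and Time Taken fields
enabled as the tutorial recommends; the 20-requests-per-minute threshold is an
assumed starting point and must be tuned to the site's normal traffic.
"""
import sys
from collections import Counter


def _build_sample():
    """Construct a small log: two ordinary visitors plus one host hammering an expensive page."""
    header = [
        "#Software: Microsoft Internet Information Services 6.0",
        "#Version: 1.0",
        "#Date: 2009-03-10 09:00:00",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip "
        "cs(User-Agent) sc-status sc-bytes cs-bytes time-taken",
    ]
    rows = [
        "2009-03-10 09:00:01 192.168.1.3 GET /index.asp - 80 192.168.1.9 Mozilla/4.0 200 5120 310 15",
        "2009-03-10 09:00:05 192.168.1.3 GET /news.asp id=7 80 192.168.1.20 Mozilla/4.0 200 8200 300 40",
    ]
    # Constructed flood: 30 hits on a CPU-heavy search page from one proxy IP within one minute.
    for i in range(30):
        rows.append(f"2009-03-10 09:00:{2 + i:02d} 192.168.1.3 GET /search.asp q=cc 80 "
                    "192.168.1.6 Mozilla/4.0 200 40960 280 2350")
    rows.append("2009-03-10 09:01:10 192.168.1.3 GET /about.asp - 80 192.168.1.9 Mozilla/4.0 200 4100 290 12")
    return "\n".join(header + rows) + "\n"


SAMPLE_LOG = _build_sample()


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS can re-emit #Fields: mid-file; always use the latest
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def requests_per_minute(text):
    """Counter keyed by (client_ip, 'YYYY-MM-DD HH:MM')."""
    counts = Counter()
    for rec in parse_w3c(text):
        counts[(rec["c-ip"], f"{rec['date']} {rec['time'][:5]}")] += 1
    return counts


def time_taken_per_ip(text):
    """Total server time (ms) consumed per client IP; only meaningful when time-taken is logged."""
    totals = Counter()
    for rec in parse_w3c(text):
        taken = rec.get("time-taken", "-")
        if taken.isdigit():
            totals[rec["c-ip"]] += int(taken)
    return totals


def flag_ips(text, per_minute_threshold=20):
    """(ip, minute, hits) for every IP/minute at or above the threshold, busiest first."""
    hits = [(ip, minute, n) for (ip, minute), n in requests_per_minute(text).items()
            if n >= per_minute_threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    # Usage: python cc_weblog.py C:\windows\system32\logfiles\W3SVC1\ex090310.log
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, minute, n in flag_ips(text):
        print(f"{minute}\t{ip}\t{n} requests")
    for ip, ms in time_taken_per_ip(text).most_common(5):
        print(f"{ip}\t{ms} ms of server time")
```

The time-taken total is the more telling number for a CC attack: the tutorial's point is that the attacker targets expensive pages, so an IP with a modest request count but a large share of server time is as interesting as one with many requests.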

3. CC Attack defense strategy

Having determined that the web server is, or has been, under CC attack, how do we prevent it effectively? Based on personal experience, the author offers the following defensive measures.

(1). Remove domain binding

Ordinary CC attacks target the site's domain name: for example, if our site's domain name is "www.gslw.com", the attacker sets that domain name as the target in the attack tool and then launches the attack.

Our countermeasure for such an attack is to remove the binding of that domain name in IIS so the CC attack loses its target. The steps are: open IIS Manager, locate the site, right-click "Properties" to open the site's properties panel, click the "Advanced" button to the right of the IP address, select the domain name entry and edit it, and delete the "host header value" or change it to another value (domain name). (Figure 5)

In the author's simulated test, after the domain name was removed the web server's CPU immediately returned to normal and access via IP address worked normally. But the drawbacks are equally obvious: removing or changing the domain name also inconveniences other people's access, and it is useless against a CC attack aimed at the IP address; moreover, once the attacker discovers the replacement domain name, he will attack the new one too.

(2). Domain name spoofing resolution

If a CC attack against a domain name is found, we can resolve the attacked domain name to 127.0.0.1. We know that 127.0.0.1 is the local loopback IP used for network testing; if the attacked domain name resolves to this IP, the attackers end up attacking themselves, so their zombie hosts ("chickens") or proxies also go down, which serves them right.

In addition, the author suggests that when our web server suffers a CC attack, the attacked domain name can be resolved to a state authoritative government website or the network police website, so that the network police collect the attackers themselves.

Nowadays most web sites use dynamic domain name resolution services from providers such as "Xinnet" ("new network"), and the resolution can be changed after logging in there.

(3). Change the web port

In general the web server provides service on port 80, so attackers attack the default port 80; we can therefore change the web port to prevent the CC attack. Run IIS Manager, locate the site and open its Properties panel; under the web site identification there is a TCP port that defaults to 80, which we change to another port. (Figure 6)

(4). IIS IP blocking

Having discovered the source IP of the CC attack with the command or by checking the log, we can block it by setting web site access restrictions in IIS. In the properties panel of the corresponding site, click the Directory Security tab and click the Edit button under "IP address and domain name restrictions" to open the settings dialog. Here we can set "Granted access" (a white list) or "Denied access" (a black list). For example, we can add the attacker's IP to the denied access list and block that IP from accessing the web site. (Figure 7)


(5). IPSec Lockdown

IPSec is a good system firewall; once other kinds of DDoS attack have been excluded, an IP security policy can be set up against a CC attack. Taking the IP 219.128.*.43 as an example, the author walks through blocking access from that IP.

Step one: open "Start → Administrative Tools → Local Security Settings", right-click "IP Security Policies on Local Machine" and select "Create IP Security Policy", then click "Next", enter the policy "name" and "description", and accept the defaults for the remaining steps to create an IPSec policy called "Seal CC attack". (Figure 8)

Step two: right-click "IP Security Policies on Local Machine" and select "Manage IP filter lists and filter actions". In the window that opens, click "Add" in the IP Filter List window and enter the name and description from step one. Uncheck "Use Add Wizard" and click "Add". In the IP Filter Properties window, on the Addressing tab, set the source address to "192.168.1.6" and the destination address to "My IP Address", and uncheck "Mirrored". Click the "Protocol" tab, set "protocol type" to "TCP", set the ports "from any port" "to this port 80", and finally click OK to exit.
