Analysis and Prevention of HTTP and FTP TCP-FLOOD CC attack in CentOS 6.5

We often encounter some problems, such as http cc attacks and FTP TCP-FLOOD attacks, as shown in, we can see the continuous anonymous speculative attacks of illegal users. at this time, we have a variety of solutions. You can try to solve this problem by blocking the IP address. Of course, you need to write a shell to determine how many times a user attempts to log on and block it.

CC is an attack tool (software) based on the principles of DDOS attacks!

First, DoS (Denial of Service): Blocking services refers to attempts by hackers to prevent normal users from using services on the network.

DDoS (Distributed Denial of Service): Distributed blocking Service is a special case of DoS. It means that hackers use multiple machines to attack at the same time to prevent normal users from using the Service.

Besides, CC is mainly used to attack pages. Everyone has this experience: When a webpage has a large number of visitors, it will be slow to open the webpage. CC is used to simulate multiple users (the number of threads is the number of users) non-stop access to pages that require a large amount of data operations-that is, pages that require a large amount of CPU time, resulting in a waste of server resources. The CPU is at 100% for a long time and there will always be endless connections, when it reaches the super busy state, the network is blocked! Normal access will fail!

CC is mainly used to attack pages. everyone has this experience: when visiting a Forum, if the forum is large and there are many visitors, the page opening speed will be slow, right ?! Generally, the more people access the forum, the more pages the Forum has, the larger the database, the higher the frequency of access, and the considerable amount of system resources occupied, now, I know why many space service providers say that you should not upload forums, chat rooms, or other things.

A static page does not need many resources on the server. You can even read it from the memory and send it to you, but the Forum is different. I will read a post, the system needs to go to the database to determine whether I have the permission to read the Post. If so, read the content in the post and display it. The database is accessed at least twice, if the size of the database is MB, the system will probably search for the data space of MB. How many CPU resources and time is required? If I search for a keyword, the time is more impressive, because the previous search can be limited to a very small range. For example, the user permission can only query the user table, and the post content can only query the post table, in addition, you can immediately stop the query, and the search will certainly make a judgment on all the data, which consumes a considerable amount of time.

CC makes full use of this feature to simulate the constant access of multiple users (the number of threads is the number of users) (to access pages that require a large amount of data operations, that is, pages that require a large amount of CPU time ). Many of my friends asked, why do I need a proxy? Because the proxy can effectively hide its identity or bypass all firewalls, basically all firewalls detect the number of concurrent TCP/IP connections, if it exceeds a certain number, it will be considered as Connection-Flood.

Proxy attacks can also ensure good connection. We have sent data here, and the proxy will help us forward the data to the other server, so we can immediately disconnect, the proxy will continue to connect to the other party (I know that someone has used 2000 proxies to generate 0.35 million concurrent connections ).

Many friends may not be able to understand it very well. Let me describe it. let's assume that server A is against Search. the processing time of asp is 0.01 S (multithreading is only time division and does not affect the conclusion). That is to say, it can ensure the Search requests of 100 users in one second, the maximum connection time allowed by the server is 60 s, so we use CC to simulate 120 concurrent connections. After 1 minute, the server is requested 7200 times and processed 6000 times, so the remaining 1200 concurrent connections are not processed. some may say: Lost connection! Lost connection! The problem is that the servers are dropped in the order of first arrival and second arrival. These 1200 servers were initiated in the last 10 seconds. Do you want to lose them ?! It's still early. After calculation, when the server starts to lose connections when the server is full and negative, there should be 7200 concurrent connections in the queue, and then the server starts to lose connections in 120/second, the number of connections we initiate is also 120 per second. The server will never be able to process the connection. The server's CPU usage is 100% and remains unchanged for a long time, and the server that lost the connection will not be able to process the connection, the new connection cannot be processed, so that the server is very busy.

Of course, CC can also use this method to attack FTP, you can also achieve TCP-FLOOD, these are tested effective.

Defense methods

After talking about the attack principle, we will certainly ask, how can we defend against it? I don't know how to prevent using the hardware firewall, unless you completely block page access, my method is to implement defense through page writing.

1. Use Cookie authentication. At this time, my friend said that cookies are also allowed in CC, But here cookies are used for all connections, so you can enable IP + Cookie authentication.

2. use Session. this judgment is more convenient than Cookie. It can be used not only for IP authentication, but also for anti-Refresh mode. When the page is refreshed, it will not be accessed, and no refresh symbol will be used to refresh it. let's give you some DEMO code, Session:

Program code:

<%
 
If session ("refresh") <> 1 then
 
Session ("refresh") = session ("refresh") + 1
 
Response. redirect "index. asp"
 
End if
 
%> 〉

In this way, the user's first access will make Refresh = 1, the second access, normal, and the third access will not allow him to access it. It is regarded as a Refresh, and a time parameter can be added to allow access for how long, in this way, access to time-consuming pages is restricted, which has almost no impact on normal customers.

3. the HTTP_X_FORWARDED_FOR variable sent by the proxy is used to determine the real IP address of the machine attacked by the proxy. This can be used to find the attacker. Of course, not all proxy servers are sent, however, many Proxies send this parameter. code details:

Program code:

<%
 
Dim fsoObject
 
Dim tsObject
 
Dim file
 
If Request. ServerVariables ("HTTP_X_FORWARDED_FOR") = "" then
 
Response. write "No proxy access"
 
Response. end
 
End if
 
Set fsoObject = Server. CreateObject ("Scripting. FileSystemObject ")
 
File = server. mappath ("CCLog.txt ")
 
If not fsoObject. fileexists (file) then
 
FsoObject. createtextfile file, true, false
 
End if
 
Set tsObject = fsoObject. OpenTextFile (file, 8)
 
TsObject. Writeline Request. ServerVariables ("HTTP_X_FORWARDED_FOR ")
 
& Amp; "[" Request. ServerVariables ("REMOTE_ADDR") & amp; "]" & amp; now ()
 
Set fsoObject = Nothing
 
Set tsObject = Nothing
 
Response. write "with proxy access"
 
%> 〉

In this example, cclog.txt is generated. The record format is: real IP Address [proxy IP address] time. To see which real IP address appears more times, you will know who is under attack. make this code into Conn. asp files, replace the files that connect to the database, so that all database requests are connected to the file, and then the attacker can be found immediately.

4. Another method is to add the statement for Data Query after Redirect so that the other party must first access a judgment page and then Redirect the past.

5. On servers with multiple sites, it is very effective to strictly limit the number of IP connections allowed by each site and the CPU usage time.

CC defense should start with code. In fact, a good page code should pay attention to these things, as well as SQL injection. It is not only an intrusion tool, but also a DDOS gap, everyone should pay attention to it in the code. for example, a server has launched a 5000-line CC attack and has no response because all its database access requests must have a random parameter in the Session, which is a static page, no effect. it was suddenly found that a request would be sent to an external server. It took a long time and there was no authentication. The server was immediately overloaded due to a 800-line attack.

The defense at the code layer should start from the ground up. A script code error may affect the entire site, or even the entire server. Be careful!