Anti-CC attack case

Name origin

CC = Challenge Collapsar, formerly known as the Fatboy Attack, is the purpose of creating a denial of service by continually sending a connection request to the Web site,

CC attacks are a type of DDoS (distributed denial of service) that appears to be more technical than other DDoS attack CC. This attack you can not see the real source IP, see very large abnormal traffic, but caused the server could not be a normal connection. The most concern is that this attack technology is low, the use of tools and a number of IP agents at the beginning, intermediate level of computer users can implement the attack. Therefore, it is necessary to understand the principle of CC attack and if you find the CC attack and its precautions.

The principle of CC attack

The principle of the CC attack is that the attacker controls some hosts to keep sending a large number of packets to the other server, causing the server to run out of resources until downtime crashes. CC is primarily used to attack pages, everyone has this experience: when a Web page visits a very large number of times, open the page is slow, CC is to simulate multiple users (how many threads are many users) Non-stop access to those who need a lot of data operations (that is, the need for a large amount of CPU time) of the page, Cause the waste of server resources, CPU for a long time in 100%, always have to deal with the connection until the network congestion, normal access was aborted.

Anti-CC attack

CC attacks can be categorized as one of the DDoS attacks. The principle is the same, that is, sending a large amount of request data to cause the server to refuse the service, is a connection attack. CC attacks can be divided into agent cc attacks, and broiler cc attacks. Agent CC attack is the use of Proxy server to generate malicious host to the legitimate Web page request, the implementation of DOS, and camouflage is called: CC (Challenge Collapsar). and the Broiler cc attack is the hacker uses the CC attack software, controls the massive broiler, launches the attack, compared to the latter is more difficult to defend than the former. Because the broiler can simulate a normal user's request to visit the site. Forged into legal packets.

This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/

CC attacks are primarily used to attack Web sites. Presumably we all have such experience, that is, when visiting a website, if this site is relatively large, more people visit, open the page will be slower, right?! Generally speaking, the more people visit, the more The forum page, the larger the database, the frequency of access is also higher, the system resources occupied is quite considerable, now know why many space service providers say we do not upload forums, chat room and so on.

A static page does not require the server's resources. Can even say directly from the memory read out to you can be, but the forum, such as the dynamic site is not the same, I read a post, the system needs to be in the database to determine whether I have read the rights of posts, if there is, read the contents of the post, show out- There are at least 2 databases accessed, if the size of the database is 200MB, the system is likely to be in this 200MB size of the data space search again, this requires how much CPU resources and time? If I'm looking for a keyword, then the time is more impressive, because the previous search can be limited to a very small scope, such as user rights only to check the user table, post content only check the post table, and can immediately stop the query, and search will certainly all the data to make a judgment, the time spent is quite large.

The CC attack takes advantage of the fact that multiple users (how many threads are users) are constantly being accessed (access to pages that require a lot of data, such as asp/php/jsp/cgi), that require a lot of CPU time. Many friends ask, why use the agent? Because the agent can effectively hide their identity, can also bypass all firewalls, because basically all firewalls will detect concurrent TCP/IP connection number, more than a certain frequency will be considered connection-flood. Of course, you can also use the broiler to launch CC attacks. The CC attack effect of broiler is more significant. Causes the server cpu%100, even freezes the phenomenon.

The use of proxy attacks can also be very good to keep the connection, we send data here, the agent to help us forward to the other server, we can immediately disconnect, the agent will continue to maintain the connection with the other (I know the record is someone using 2000 agents generated 350,000 concurrent connections).

Of course, CC can also use this method to the FTP, game port, chat room, etc. to attack, can also achieve tcp-flood, these are tested and effective.

Defense cc attacks can be done in a variety of ways, prohibit the site proxy access, as far as possible to make the site static pages, limit the number of connections.

Before the incident: Originally my attack site is the company offline a business, but the site is still running, there is no traffic. But on the day of the attack, I found that the number of connections on this site has soared from 8 o'clock onwards, so log on to the site to view the number of people online, the results of the actual number of people on my! and the network card traffic is less than 50K, the problem appears to have to solve AH

So open access log to view, the log kept records of non-this site access, such as my site domain name for www.51cto.com but the log of the contents of the following (this log is I deal with CC attacks, just let everyone see the phenomenon of access):

199.201.122.141-[10/jan/2013:10:45:03 +0800] Get http://www.7xgj.com:81/login.jsp?id=106&name=%C7%C1%A6%A7%D1 %F3 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:04 +0800] Get http://www.7xgj.com:81/login.jsp?id=106&name=%C7%C1%A6%A7%D1 %F3 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:04 +0800] Get http://www.7xgj.com:81/login.jsp?id=512&name=%B4%B4%C6%A0%A7 %c7 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:05 +0800] Get http://www.7xgj.com:81/login.jsp?id=512&name=%B4%B4%C6%A0%A7 %c7 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:05 +0800] Get http://www.7xgj.com:81/login.jsp?id=898&name=%F1%B0%E8%D2%C5 %F1 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:06 +0800] Get http://www.7xgj.com:81/login.jsp?id=898&name=%F1%B0%E8%D2%C5 %F1 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:06 +0800] Get http://www.7xgj.com:81/login.jsp?id=173&name=%E7%C5%A0%D5%A2 %e5 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

199.201.122.141-[10/jan/2013:10:45:07 +0800] Get http://www.7xgj.com:81/login.jsp?id=173&name=%E7%C5%A0%D5%A2 %e5 http/1.1 "403" 564 "Http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3" mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

This IP for a short time to send a large number of such non-site access to the connection, so first put him on the fire wall to kill:

#!/bin/sh

ip= ' Tail-n 1000/data/logs/test.log | awk ' {print $} ' | Sort | uniq-c | sort-rn| awk ' $ > {print $} '

For I in $IP

Todo

Iptables-i input-p TCP--dport 80-s $i-j DROP

Done

This allows the number of connections to drop to normal levels immediately, except in the case of iptables, and the empty host header with the Nginx virtual host disabled:

server {

Listen default;

Location/{

return 403;

}

}

Deny access to all requests for IP access. Start to think is a region DNS resolution problem, after analysis log, the source of IP distribution around the world. Preliminary judgment, this is an attack initiated by another proxy server.

This article from "Zhaohaihua _ Yun-Wei Road" blog, please be sure to retain this source http://baiying.blog.51cto.com/1068039/1113087