Anti-CC attack case

Source: Internet
Author: User
Tags: windows 5

Glossary: the term CC (Challenge Collapsar) originates from Baidu Baike. Its predecessor was the Fatboy attack, which causes denial of service by continuously sending connection requests to a website. CC attacks are a type of DDoS (Distributed Denial of Service). Compared with other DDoS attacks, a CC attack looks more technical: you see neither a real source IP address nor abnormal traffic volume, yet the server can no longer serve normal connections. What worries webmasters most about this attack is how little skill it needs: a beginner or intermediate user can launch one with ready-made tools and a list of IP addresses to use as proxies. It is therefore worth everyone understanding how CC attacks work and how to defend against them.

How CC attacks work

The attacker controls a number of hosts and has them send a large volume of requests to the target server over and over, draining the server's resources until it stops responding. CC is mainly used against web pages. Everyone has had the experience of a page opening slowly when a site has many visitors. CC simulates many users (the number of threads is the number of users) continuously requesting pages that involve heavy data processing, that is, a lot of CPU time, so server resources are wasted on them. Once the CPU sits at 100% for long enough, there is an endless backlog of connections until the network is congested and normal access stops.

Anti-CC attack

CC attacks can be classified as DDoS attacks. The principle is the same: send a large volume of request data so that the server denies service. It is a connection-oriented attack. CC attacks can be divided into proxy CC attacks and zombie CC attacks. In a proxy CC attack the hacker relays valid web page requests to the target host through proxy servers, producing a DoS while hiding the real origin.
Zombie CC attacks are harder to deal with than proxy CC attacks: the hacker uses CC attack software to control a large number of zombie hosts and launches the attack from them, and because each zombie simulates a normal user's requests, every packet it sends is a valid one. CC attacks are mainly aimed at websites. I think everyone has had this experience: when you visit a large site with many visitors, pages open slowly, right? In general, the more people use a forum and the more pages it has, the bigger its database, the more often it is hit, and the more system resources it consumes. That is why many hosting providers tell you not to upload forums, chat rooms and the like. A static page needs few server resources; it can even be served straight from memory. A dynamic site such as a forum is different. When I read a post, the system has to query the database to decide whether I have permission to read it, and if so, fetch the post's content and display it. That is at least two database accesses; if the database is some number of MB in size, the system may have to search that much data space, and how much CPU time does that take? A keyword search is far more expensive still: the earlier queries can be limited to a very small range (the permission check only touches the user table, the post fetch only the post table, and each can stop as soon as it finds its row), whereas a search must evaluate all of the data, which takes considerable time.
CC attacks make full use of this by simulating many users (the number of threads is the number of users) continuously requesting pages that involve heavy data processing, that is, pages that need a lot of CPU time, such as ASP/PHP/JSP/CGI pages. Many friends ask why a proxy is needed. A proxy hides the attacker's identity and gets around almost every firewall: basically all firewalls count concurrent TCP/IP connections per source, and once a source exceeds a certain number it is treated as a connection flood. Zombie hosts can of course be used for CC attacks too, and the effect is even more impressive: the server's CPU goes to 100% or the server crashes outright. Proxy attacks also keep connections alive. We send the request, the proxy forwards it to the target server, and we can disconnect immediately while the proxy stays connected to the target (I know of someone who used 2000 proxies to generate 350,000 concurrent connections). CC can also be used in the same way against FTP, game ports, chat rooms and so on, and can implement a TCP flood; all of these have been tested and work. To defend against CC attacks, several methods can be combined: block proxy access to the site, make pages static wherever possible, and limit the number of connections.

Before the incident: the attacked website was a company's offline service; the site was still running but nobody was visiting it. On the day of the attack I found that the number of connections on the monitored site had jumped, so I logged on to the site to check the number of online users. The only logged-in user was me! NIC traffic was under 50 KB, but the problem still had to be solved.
So I looked at the access logs, which kept recording requests for sites other than mine. For example, my domain is www.51cto.com, but the log recorded the following (this log was captured after I had handled the CC attack, but it shows everyone the access pattern):

    199.201.122.141 - [10/Jan/2013:10:45:03 +0800] GET http://www.7xgj.com:81/login.jsp?id=106&name=%C7%C1%A6%A7%D1%F3 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:04 +0800] GET http://www.7xgj.com:81/login.jsp?id=106&name=%C7%C1%A6%A7%D1%F3 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:04 +0800] GET http://www.7xgj.com:81/login.jsp?id=512&name=%B4%B4%C6%A0%A7%C7 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:05 +0800] GET http://www.7xgj.com:81/login.jsp?id=512&name=%B4%B4%C6%A0%A7%C7 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:05 +0800] GET http://www.7xgj.com:81/login.jsp?id=898&name=%F1%B0%E8%D2%C5%F1 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:06 +0800] GET http://www.7xgj.com:81/login.jsp?id=898&name=%F1%B0%E8%D2%C5%F1 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:06 +0800] GET http://www.7xgj.com:81/login.jsp?id=173&name=%E7%C5%A0%D5%A2%E5 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"
    199.201.122.141 - [10/Jan/2013:10:45:07 +0800] GET http://www.7xgj.com:81/login.jsp?id=173&name=%E7%C5%A0%D5%A2%E5 HTTPS/1.1 "403" 564" http://www.7xgj.com:81/login.jsp?id=+N3&name=+C3 "" Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1) "" 0.000 "" 340 ""-"

This IP address sent a large number of non-site requests in a short time, so we first dropped it at the firewall:

    #!/bin/sh
    # take the last 1000 log lines, count requests per source IP,
    # and drop every IP with more than 100 of them
    IP=`tail -n 1000 /data/logs/test.log | awk '{print $1}' | sort | uniq -c | sort -rn | awk '$1 > 100 {print $2}'`
    for i in $IP
    do
        iptables -I INPUT -p tcp --dport 80 -s $i -j DROP
    done

The number of connections immediately dropped back to the normal level. In addition to iptables, the nginx virtual host for an empty Host header was disabled, so that all requests made by IP address are denied:

    server {
        listen 80 default;
        location / {
            return 403;
        }
    }

At first we thought it was a DNS resolution problem in one region, but after analyzing the logs the source IP addresses turned out to be spread across the world, so it was initially determined that this was an attack relayed through proxy servers.
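The script below is an added example written for this page; it is not the author's script and not from any project. It does what the incident response above does (count requests per source in the access log and turn the noisiest sources into iptables DROP rules), and adds the check a practitioner would want before banning on count alone: the logged request lines above are absolute-form targets (GET http://host:81/... rather than GET /...), which is what an HTTP client sends to a forward proxy, so those requests were addressed to a host the server does not serve at all. A count-only rule, by contrast, will also ban a busy NAT gateway full of legitimate users. Assumptions, all mine and not the article's: nginx "combined" log format (field 1 is the client IP, field 7 is the request target), our own site is www.example.com and www.example.net:81 is a foreign host, the log lines are constructed for the demo, and rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the article's own script. Finds CC / proxy-flood
# sources in an nginx access log and emits firewall rules for them.
#
# Assumptions (mine, not from the article):
#  - nginx "combined" log format: field 1 is the client IP, field 7 is
#    the request target taken from the quoted "$request" line
#  - our own site is www.example.com; www.example.net:81 is a foreign host
#  - the log below is constructed for this demo
#  - rules are only printed unless APPLY=1 is set in the environment

# Constructed sample log. 203.0.113.7 hammers a host we do not serve using
# absolute-form request lines (what a client sends to a forward proxy).
# 198.51.100.9 is a NAT'd office: many requests, but all normal.
# 192.0.2.44 is one visitor using an absolute-form URL for our own host,
# which HTTP/1.1 allows and which must not be flagged.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2013:10:45:03 +0800] "GET http://www.example.net:81/login.jsp?id=106 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Jan/2013:10:45:03 +0800] "GET /forum/viewthread.php?tid=12 HTTP/1.1" 200 8123 "http://www.example.com/forum/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:45:04 +0800] "GET http://www.example.net:81/login.jsp?id=106 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [10/Jan/2013:10:45:04 +0800] "GET http://www.example.net:81/login.jsp?id=512 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Jan/2013:10:45:04 +0800] "GET /forum/viewthread.php?tid=15 HTTP/1.1" 200 7710 "http://www.example.com/forum/" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2013:10:45:05 +0800] "GET http://www.example.com/ HTTP/1.1" 200 2048 "-" "curl/7.29.0"
203.0.113.7 - - [10/Jan/2013:10:45:05 +0800] "GET http://www.example.net:81/login.jsp?id=512 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Jan/2013:10:45:05 +0800] "GET /forum/search.php?q=nginx HTTP/1.1" 200 9931 "http://www.example.com/forum/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:45:05 +0800] "GET http://www.example.net:81/login.jsp?id=898 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [10/Jan/2013:10:45:06 +0800] "GET http://www.example.net:81/login.jsp?id=898 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Jan/2013:10:45:06 +0800] "GET /forum/viewthread.php?tid=20 HTTP/1.1" 200 6402 "http://www.example.com/forum/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:45:06 +0800] "GET http://www.example.net:81/login.jsp?id=173 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Jan/2013:10:45:07 +0800] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:45:07 +0800] "GET http://www.example.net:81/login.jsp?id=173 HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'

# The article's count-only rule: IPs with more than $1 requests in the log
# on stdin, busiest first. On its own this also catches a busy NAT gateway.
top_talkers() {
    awk '{print $1}' | sort | uniq -c | sort -rn |
        awk -v t="$1" '$1 > t {print $2}'
}

# IPs whose request target is an absolute URL for a host other than $1.
# Clients only send absolute-form targets to a forward proxy, so these
# requests were never meant for our server in the first place.
proxy_style_ips() {
    awk -v our="$1" '
        $7 ~ /^https?:\/\// {
            split($7, part, "/"); host = part[3]; sub(/:.*/, "", host)
            if (host != our) print $1
        }' | sort -u
}

# Sources that trip both signals: noisy AND asking for someone else's host.
# Usage: suspects THRESHOLD OUR_HOST < access.log
suspects() {
    log=$(cat)
    noisy=$(printf '%s\n' "$log" | top_talkers "$1")
    [ -n "$noisy" ] || return 0
    printf '%s\n' "$log" | proxy_style_ips "$2" | grep -Fx "$noisy"
}

# Turn IPs on stdin into iptables DROP rules. The values come from a log,
# so refuse anything that is not a plain dotted quad before it can reach
# a privileged command. Rules are printed; they run only when APPLY=1.
block_rules() {
    while IFS= read -r ip; do
        case "$ip" in
            ''|*[!0-9.]*) continue ;;
        esac
        rule="iptables -I INPUT -p tcp --dport 80 -s $ip -j DROP"
        echo "$rule"
        if [ "${APPLY:-0}" = 1 ]; then $rule; fi
    done
}

demo() {
    echo "# count-only, more than 4 requests (note the NAT'd office is listed):"
    printf '%s\n' "$SAMPLE_LOG" | top_talkers 4
    echo "# proxy-style requests for a host we do not serve:"
    printf '%s\n' "$SAMPLE_LOG" | proxy_style_ips www.example.com
    echo "# rules for sources that trip both signals:"
    printf '%s\n' "$SAMPLE_LOG" | suspects 4 www.example.com | block_rules
}

demo
```

Run it as-is to see the three lists; set APPLY=1 and run as root to actually insert the rules. Two practical notes: inserting one iptables rule per offending address, as the article's script does, piles up rules on every run, so in production keep the addresses in an ipset and match it with a single rule; and the article's catch-all server block (listen 80 default; return 403;) is the complement to this script, because it answers requests for any Host the server does not know, including the foreign host seen here, without ever touching the application. In current nginx versions that directive is spelled default_server.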
