Anti-DDOS attack practices

Source: Internet
Author: User

Author: ccpp0

System: freebsd

First round of attack:
Time: around 15:00


I suddenly found that the company's web server could not be accessed. A remote login attempt could not connect, so I called the IDC to restart the server. Immediately after startup I logged on and saw that the attack was continuing: all 230 Apache processes were busy. Because the server is old and has only 512 MB of memory, the system had started swapping and was effectively stalled. I killed all httpd processes, after which the server returned to normal and the load dropped from 140 to its usual level.

When I started capturing packets, the traffic was very small and the attack seemed to have stopped. I tried starting httpd and the system was fine. Checking the httpd log, I found IP addresses from all over the world requesting login.php, which is a wrong URL: there is no login.php on this server. The other logs were basically normal, apart from the "limit RST" messages (the kernel rate-limiting RST responses), which are expected given the large number of connections during the attack.

After observing for 10 minutes, the attack stopped.

Second round of attack:
Time: 17:50 P.M.

With the experience of the previous attack, I began to watch the status of the web server. The load of the machine then rose sharply, confirming that another round of attacks had started.

First I stopped httpd, since it was already unresponsive, and then captured packets:

tcpdump -c 10000 -i em0 -n dst port 80 > /root/pkts

This showed a large influx of packets. Filtering out the IP addresses, there was no single very concentrated source, so I suspected DDoS and compared the capture with the suspicious addresses filtered from the log last time. Many addresses appeared in both.

Analysis:

This is not a simple DDoS attack, because all the httpd processes were started and requests were logged. The packet capture shows a complete three-way handshake for each address, so all attack sources are real hosts, not spoofed IP addresses.

There are 265 suspicious IP addresses in total, mostly foreign addresses in Europe, especially Spain. The company has very few customers in Europe, so blocking these addresses costs little.

Measures taken:

Added all 265 IP addresses to the firewall with one deny rule per address (% stands for each address), and restarted httpd:

ipfw add 550 deny tcp from % to me 80
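As an added example (not part of the original write-up), the POSIX shell script below reproduces the triage steps described above on constructed sample data: count SYNs per source address in tcpdump -n output, extract the addresses that probed the non-existent login.php in the Apache access log, keep only addresses present in both lists, and print the same ipfw rule the write-up used for each confirmed address. The sample capture lines, the sample log lines, the function names and the SYN threshold are all assumptions; the script only prints the ipfw commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -n dst port 80" output (not a real capture).
SAMPLE_PKTS='12:00:01.000001 IP 203.0.113.5.41234 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 203.0.113.5.41234 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
12:00:01.000003 IP 203.0.113.5.41235 > 192.0.2.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000004 IP 198.51.100.7.50000 > 192.0.2.10.80: Flags [S], seq 5, win 65535, length 0
12:00:01.000005 IP 198.51.100.7.50000 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
12:00:01.000006 IP 203.0.113.9.60001 > 192.0.2.10.80: Flags [S], seq 9, win 65535, length 0
12:00:01.000007 IP 203.0.113.5.41236 > 192.0.2.10.80: Flags [S], seq 3, win 65535, length 0'

# Constructed sample of Apache combined-format access log lines (not a real log).
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2000:17:50:01 +0800] "GET /login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Jan/2000:17:50:02 +0800] "GET /login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.200 - - [01/Jan/2000:17:50:03 +0800] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"'

# Read tcpdump -n output on stdin; print "count ip" for each source that sent
# a SYN, busiest first. The port suffix is stripped from the source field.
syn_counts() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src); print src }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the addresses whose SYN count reaches the threshold in $1.
syn_sources_over() {
    syn_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

# Read an Apache access log on stdin; print each client that requested the
# non-existent /login.php (the signature noted in the write-up), once each.
login_probe_sources() {
    awk '$7 == "/login.php" { print $1 }' | sort -u
}

# Addresses present both in the capture ($1, with at least $3 SYNs) and in the
# login.php probes from the log ($2). Both inputs are unique per address, so
# "uniq -d" over the concatenation is the intersection.
confirmed_sources() {
    {
        printf '%s\n' "$1" | syn_sources_over "$3"
        printf '%s\n' "$2" | login_probe_sources
    } | sort | uniq -d
}

# Turn a list of addresses on stdin into the deny rule used in the write-up,
# one rule per address, all under rule number 550. Nothing is applied here;
# the commands are printed for review (check them later with "ipfw -a list").
ipfw_deny_rules() {
    awk '{ printf "ipfw add 550 deny tcp from %s to me 80\n", $1 }'
}

# Stand-alone run over the constructed samples: require at least 2 SYNs.
confirmed_sources "$SAMPLE_PKTS" "$SAMPLE_LOG" 2 | ipfw_deny_rules
```

With the threshold at 2 only 203.0.113.5 survives both filters; lowering it to 1 also confirms 203.0.113.9, while 198.51.100.7 is never blocked because it sent SYNs but no login.php probe. Requiring an address to show up in both the capture and the log is the same cross-check the write-up describes, and it keeps a single legitimate burst of connections from turning into a firewall rule.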

After three hours of observation, the packet counters on the deny rules in the ipfw list keep growing, but the company's web server is working normally.

So far this attack has come to an end, at least for the time being. It is not ruled out that it will happen again later. However, because the attacker is using real bots, and controlling more than 300 bots is rare, it is basically impossible for him to launch another attack in a short period of time.
