Automatically defend against CC attacks with VBS, without using a firewall

Source: Internet
Author: User

CC attack principle
CC attacks target dynamic pages. Everyone has had this experience: when you visit a large, busy forum, the pages open slowly. In general, the more visitors a forum has and the more pages it serves, the larger its database grows, the more often that database is queried, and the more system resources it consumes. This is why many hosting providers ask customers not to upload forums, chat rooms and the like.
A static page costs the server very little; it can even be served straight from memory. A forum is different. To read one post, the system must query the database to decide whether I am allowed to read it and, if so, fetch the post's content and render it. That is at least two database accesses; if the database is some number of MB in size, the system may have to scan that much data, and the CPU time adds up. A keyword search is worse still: the earlier queries are confined to a small range (the permission check touches only the user table, the post lookup only the post table, and each can stop as soon as it finds a match), whereas a search has to evaluate every record, which takes considerably longer.
A CC attack exploits exactly this: it simulates many users (one thread per simulated user) continuously requesting the pages that need the most data processing, that is, the pages that cost the most CPU time.
Attack symptoms:
The server's traffic can instantly exceed dozens of MB, and the website cannot be opened. Restart IIS and the traffic drops immediately. In the IIS logs, many different IP addresses repeatedly access the same file. In C:\windows\system32\logfiles\httperr there are many IIS error log entries like these:
06:05:28 61.140.127.206 61905 61.139.129.56 80 HTTP/1.1 get /list.asp?Prodid=0961 503 30 connlimit pool21
06:05:28 221.8.137.99 3916 61.139.129.56 80 HTTP/1.1 get /list.asp?Prodid=1,0961 503 30 connlimit pool21
06:05:28 220.187.143.183 4059 61.139.129.56 80 HTTP/1.1 get /list.asp?Prodid=0961 503 30 connlimit pool21
06:05:28 218.18.42.231 1791 61.139.129.56 80 HTTP/1.1 get /list.asp?Prodid=0961 503 30 connlimit pool21
06:05:28 125.109.129.32 3030 61.139.129.56 80 HTTP/1.1 get /list.asp?Prodid=0961 503 30 connlimit pool21
06:05:28 58.216.2.20 1224 61.139.129.56 80 HTTP/1.1 get /list.asp?Prodid=1,0961 503 30 connlimit pool21
...
Many different IP addresses are all requesting list.asp. This is the signature of a CC attack. Depending on how many bots are used to launch it, a small attack makes the website slow or unstable, and a large one keeps it from opening at all.
Because this attack imitates normal users repeatedly requesting a web page, a firewall has a hard time telling it apart from legitimate traffic. Based on our working experience, here is how to deal with it without a firewall.
CC attacks come from bots or proxies connecting to our server, which makes them different from SYN flood attacks. A SYN flood uses constantly changing spoofed source IP addresses, whereas the IP addresses in a CC attack are real and basically stay the same. So it is enough to block all of those addresses with an IP security policy.
I have read the methods posted by other netizens, but an attack usually comes from several thousand different IP addresses, and blocking them by hand is far too tedious. So let's use a program to block them automatically.
The program reads this website's IIS logs, extracts the client IP addresses and blocks them with an IPsec security policy. The VBS code is as follows:
'Code starts.
Set fileobj = CreateObject("Scripting.FileSystemObject")
logfilepath = "E:\w3log\w3svc237\ex070512old.log" 'Specify the log path of the attacked website.
'On a virtual host, to find out which website is under attack, look at C:\windows\system32\logfiles\httperr;
'the error logs there are easy to analyse.
Writelog "netsh ipsec static add policy name=xblue"
Writelog "netsh ipsec static add filterlist name=denyip"
overIP = "," 'Comma-delimited list of the IPs already written, used to skip duplicates.
f_name = logfilepath 'Specify the log file.
'Program function: extract the IP addresses from the log file into the filter format IPsec needs and import them into IPsec for filtering. Suitable for a website under a massive CC attack.
Set fileobj88 = CreateObject("Scripting.FileSystemObject")
Set myfile = fileobj88.OpenTextFile(f_name, 1, False)
contentover = myfile.ReadAll()
contentip = LCase(contentover)
myfile.Close
Set fileobj88 = Nothing
On Error Resume Next 'Short lines (such as the #Fields headers) have fewer than 7 fields; ignore the index error.
myline = Split(contentip, Chr(13))
For i = 0 To UBound(myline) - 1
    myline2 = Split(myline(i), " ") 'Fields are separated by a single space; the client IP is the 7th field (index 6) in this log format.
    newip = myline2(6)
    If InStr(overIP, "," & newip & ",") = 0 Then 'Remove duplicate IP addresses.
        overIP = overIP & newip & ","
        octets = Split(newip, ".")
        If UBound(octets) = 3 Then 'Only dotted-quad values are IP addresses.
            Writelog "netsh ipsec static add filter filterlist=denyip srcaddr=" & newip & " dstaddr=me dstport=80 protocol=TCP"
        End If
    Else
        WScript.Echo newip & " already exists!"
    End If
Next
Writelog "netsh ipsec static add filteraction name=denyact action=block"
Writelog "netsh ipsec static add rule name=kill3389 policy=xblue filterlist=denyip filteraction=denyact"
Writelog "netsh ipsec static set policy name=xblue assign=y"
Sub Writelog(errmes) 'The exported IPsec policy is written as a .bat file.
    ipfilename = "denyerrorip.bat"
    Set logfile = fileobj.OpenTextFile(ipfilename, 8, True)
    logfile.WriteLine errmes
    logfile.Close
    Set logfile = Nothing
End Sub
'Code ended

Save the above code as a .vbs file and set the log path. Double-click it to run; when it finishes it produces denyerrorip.bat, which is the policy file IPsec needs. Just double-click that file to apply the policy.
Once that is done, the CC attack is dealt with.
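The script above blocks every client IP that appears in the log, legitimate visitors included, and assumes the client IP is always the 7th column. The following is an added example (not from the original post) that does the same job more carefully: it reads the column names from the log's #Fields directive, counts how often each client hits the one page being hammered (the "many IPs repeatedly accessing the same file" symptom described earlier), blocks only addresses above a threshold, and emits the same netsh ipsec static command sequence the VBS writes to denyerrorip.bat. The sample log, the threshold of 3 and the rule name denyrule are constructed for this example; the policy, filter list and filter action names (xblue, denyip, denyact) are the ones the post's script uses.

```python
"""Build an IPsec block list from an IIS W3C log using the #Fields header and a hit threshold.

Added example, not from the original post. Field names follow the IIS 6 W3C
default; the netsh ipsec static syntax is the one the post's VBS emits.
"""
from collections import Counter

# Constructed sample log (IIS 6 W3C format, not from the original page). Three
# client IPs hammer /list.asp with the same query string, as in the post's
# httperr excerpt; one IP is a normal visitor. In this default field order the
# client IP (c-ip) is the 9th column (index 8), not the 7th assumed by the VBS.
_HEADER = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2007-05-12 06:05:28\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status\n"
)
_SAMPLE_ROWS = (
    [("61.140.127.206", "/list.asp", "Prodid=0961")] * 5
    + [("221.8.137.99", "/list.asp", "Prodid=0961")] * 4
    + [("218.18.42.231", "/list.asp", "Prodid=0961")] * 2
    + [("10.0.0.5", "/index.asp", "-")]
)
SAMPLE_LOG = _HEADER + "".join(
    f"2007-05-12 06:05:28 61.139.129.56 GET {stem} {query} 80 - {ip} Mozilla/4.0 200 0 0\n"
    for ip, stem, query in _SAMPLE_ROWS
)


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # may repeat after an IIS restart
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip instead of mis-indexing a column
        rows.append(dict(zip(fields, parts)))
    return rows


def is_ipv4(value):
    """Accept only a dotted quad with four in-range octets (the VBS checks the dot count only)."""
    octets = value.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)


def hits_per_ip(rows, uri_stem):
    """Count requests per client IP for the one page that is being hammered."""
    return Counter(r["c-ip"] for r in rows if r.get("cs-uri-stem", "").lower() == uri_stem.lower())


def suspect_ips(rows, uri_stem, threshold):
    """Client IPs that requested uri_stem at least `threshold` times, sorted for a stable script."""
    counts = hits_per_ip(rows, uri_stem)
    return sorted(ip for ip, n in counts.items() if n >= threshold and is_ipv4(ip))


def netsh_script(ips, policy="xblue", filterlist="denyip", action="denyact", rule="denyrule"):
    """Emit the netsh ipsec static sequence the VBS writes to denyerrorip.bat, one filter per IP."""
    lines = [
        f"netsh ipsec static add policy name={policy}",
        f"netsh ipsec static add filterlist name={filterlist}",
    ]
    lines += [
        f"netsh ipsec static add filter filterlist={filterlist} srcaddr={ip} "
        f"dstaddr=me dstport=80 protocol=TCP"
        for ip in ips
    ]
    lines += [
        f"netsh ipsec static add filteraction name={action} action=block",
        f"netsh ipsec static add rule name={rule} policy={policy} "
        f"filterlist={filterlist} filteraction={action}",
        f"netsh ipsec static set policy name={policy} assign=y",
    ]
    return lines


if __name__ == "__main__":
    blocked = suspect_ips(parse_w3c(SAMPLE_LOG), "/list.asp", threshold=3)
    print("\n".join(netsh_script(blocked)))
```

With the sample log, only the two addresses that requested /list.asp three or more times are blocked; the address with two hits and the visitor to /index.asp are left alone. Redirect the printed commands to a .bat file and run it on the server, as with the VBS output; pick the threshold from the real log's per-IP counts rather than blocking everything the log contains.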
