C# web servers under webflood attacks and current defense measures

Source: Internet
Author: User

The CPU usage of the web server reached 100% twice in a row. The first time, I thought I had introduced an error during the upgrade, an endless loop somewhere, and I restarted the server three times.

However, after analyzing the code, I found no endless loop, so when the CPU reached 100% for the second time, I checked it carefully.

The CPU usage of w3wp.exe reached 65% and that of SQL Server reached 35%. The site is ASPX, and the server has SQL Server 2008 installed. In the activity analyzer, we quickly saw three statements being executed continuously, up to 0.14 million times per minute.

This volume is obviously abnormal. Judging from the statements, the problem was probably on two particular pages, so we renamed this page first, and the CPU usage did fall, back to the normal range of 6% to 15%.

Logging was not enabled for the site in IIS, so the requests could not be tracked. Therefore, after logging was enabled, the page name was changed back to the previous one. The CPU usage lasted for 10 minutes; with that recorded, we renamed the page again so that the site could be accessed normally.

After downloading the logs to a local machine, we used offline log analysis software and found that an IP address in the United States had been accessing the page, and the number of requests reached 1.41 million in 10 minutes. Because this page is a kind of statistics page, it makes a large number of database requests each time, so with it being accessed for so long, the program was constantly calling SQL Server.

Let's take a look at the browser type he used: webbench1.5. To be honest, this was the first time I had seen this thing. Only after searching Baidu did I find out that it is a server stress testing tool: with a single command you can launch N concurrent accesses at the same time, and the access lasts for any length of time.

Webbench1.5 is used on Linux. The company has no such environment, so I found a Windows version, webbench5.0, on the Internet. However, after trying it, I found that its effect is different from that of webbench1.5.

Finally, checks were added directly to the two pages: as long as the request header includes webshells, the request is blocked directly. In addition, an anti-refresh function was added: when frequent accesses within a period of time reach a certain number, the requester is added to a blacklist, and access is allowed again after 10 minutes.

After the defense measures were adopted, the guy hasn't made any changes, and he doesn't know how to use them. But I believe it can play a role, but it doesn't really work. Only this IP address can be used to restrict access to the site.
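The two measures described above (blocking by request header, and a counter that blacklists a client for 10 minutes), as an added C# example that is not the author's code. It assumes the blocked header is the `webbench` User-Agent seen in the IIS log; the `FloodGate` class, its thresholds and the sample requests are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example: request gate for a database-heavy page (hypothetical class).
public sealed class FloodGate
{
    // Assumed thresholds; the post only says "a certain number of times".
    private const int MaxHits = 30;
    private static readonly TimeSpan Window = TimeSpan.FromSeconds(10);
    private static readonly TimeSpan BanTime = TimeSpan.FromMinutes(10); // from the post

    private sealed class Entry { public DateTime WindowStart; public int Hits; public DateTime BannedUntil; }
    private readonly Dictionary<string, Entry> _clients = new Dictionary<string, Entry>();
    private readonly object _lock = new object();

    // Returns true when the request may proceed to the SQL-backed code.
    public bool Allow(string ip, string userAgent, DateTime nowUtc)
    {
        // Measure 1: reject the stress tool's User-Agent (assumed header check).
        if (userAgent != null &&
            userAgent.IndexOf("webbench", StringComparison.OrdinalIgnoreCase) >= 0)
            return false;

        lock (_lock)
        {
            Entry e;
            if (!_clients.TryGetValue(ip, out e))
                _clients[ip] = e = new Entry { WindowStart = nowUtc };
            if (nowUtc < e.BannedUntil) return false;   // still blacklisted
            if (nowUtc - e.WindowStart > Window)        // start a new counting window
            { e.WindowStart = nowUtc; e.Hits = 0; }
            if (++e.Hits > MaxHits)                     // Measure 2: anti-refresh limit hit
            {
                e.BannedUntil = nowUtc + BanTime;
                return false;
            }
            return true;
        }
    }

    public static void Main()
    {
        var gate = new FloodGate();
        var t = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed sample time
        Console.WriteLine(gate.Allow("203.0.113.5", "WebBench 1.5", t)); // stress-tool header
        for (int i = 0; i < 31; i++) gate.Allow("203.0.113.9", "Mozilla/5.0", t); // burst past the limit
        Console.WriteLine(gate.Allow("203.0.113.9", "Mozilla/5.0", t.AddMinutes(9)));  // inside the ban
        Console.WriteLine(gate.Allow("203.0.113.9", "Mozilla/5.0", t.AddMinutes(11))); // after the ban
    }
}
```

Call `Allow` at the top of the expensive page, before any SQL Server query runs. The User-Agent is chosen by the client, so the per-IP counter is the control that still holds if the tool's header changes; entries are never evicted in this sketch, so a long-running site needs periodic cleanup of the dictionary.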
