CC attacks in Linux VPS

Source: Internet
Author: User

1. What is a CC attack?
A CC attack uses a large number of proxy servers to open a large number of connections to the target computer, exhausting the target server's resources and causing a denial of service (DoS).
Attack principle: CC is mainly used to attack pages. Everyone has had this experience: when visiting a forum, if the forum is large and has many visitors, the pages open slowly. Generally, the more people access the forum, the more pages the forum has, the larger the database, the higher the access frequency, and the more system resources are occupied. This is why many hosting providers say that you should not upload forums, chat rooms, and the like.

A static page needs few server resources; it can even be read from memory and sent to you. A forum is different. When I read a post, the system must query the database to determine whether I have permission to read it, and only then read the post content and display it. The database is accessed at least twice. If the database is 200 MB, the system will probably have to search through that much data; how much CPU time does that take? If I search for a keyword, the cost is even more impressive, because the earlier queries can be limited to a very small range (the permission check only queries the user table, the post content only the post table, and each query can stop as soon as it finds its row), whereas a search has to make a judgment on all the data, which consumes a considerable amount of time.

CC makes full use of this feature: it simulates the continuous access of many users (the number of threads is the number of users) to pages that require a large amount of data operations, that is, pages that consume a lot of CPU time. Many friends ask why a proxy is needed. Because a proxy can effectively hide the attacker's identity and bypass most firewalls: basically all firewalls detect the number of concurrent TCP/IP connections, and if it exceeds a certain number, the traffic is treated as a connection flood.

Attacking through proxies also keeps the connections up. Once the data has been sent, the proxy forwards it to the target server, so the attacker can disconnect immediately while the proxy continues to hold the connection to the target (I know of someone who used 2000 proxies to generate 350,000 concurrent connections).

2. How to prevent it?
Step 1. Preparations
1. Log on to the VPS control panel and be ready to restart the VPS at any time.
2. Shut down the Web Server first. Excessive load makes the following operations very difficult, and you may not even be able to log on over SSH.
3. Remove the Web Server from automatic startup, so that it does not come back up when the system boots.
(If you cannot log on to the system at all because the load is too high, and you still cannot log on after a restart because the Web Server starts again at boot, contact the administrator to block the VPS's IP address or port 80 on the host machine, log on through the virtual console on the host machine, perform operations 2 and 3, and then have the block removed.)

Step 2. Find the attacker's IP address
1. Create the file ip.php in the root directory of the website and write the following content.

<?php
// Collect attack sources. HTTP_X_FORWARDED_FOR is client-controlled text, so it is
// appended with file_put_contents instead of being interpolated into a shell command.
$real_ip = getenv('HTTP_X_FORWARDED_FOR');
if ($real_ip !== false && $real_ip !== '') {
    // A proxy announced the original visitor: record that address and the proxy's own.
    file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND);
    file_put_contents('proxy.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND);
} else {
    // Direct connection: only REMOTE_ADDR is known.
    file_put_contents('ips.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND);
}
echo 'The server is under attack and is collecting attack sources. Please visit this site again in a few minutes. Multiple accesses to this site within five minutes may cause your IP address to be treated as an attack source. Thank you for your cooperation!';
?>

2. Set up URL rewriting (pseudo-static rules) so that every request is rewritten to ip.php.
Nginx rule:

rewrite (.*) /ip.php;

Lighttpd rule:

url.rewrite = (
    "^/(.+)/?$" => "/ip.php"
)
3. Start the Web Server and collect IP addresses.
After steps 1 and 2 are in place, start the Web Server and let it record IP information.
It is recommended to collect for 3 to 5 minutes and then stop the Web Server again.
real_ip.txt: more than 80% of the IP addresses stored in this file are identical. That address is the platform from which the attacker is launching the attack.
proxy.txt: stores the IP addresses of the proxy servers used by the attacker; these need to be blocked.
ips.txt: records the IP addresses that do not show the characteristics of a proxy server; whether they are attack sources is decided by the number of visits.

Step 3. Supplement to the previous step
If web logs are enabled on the VPS, you can look at the growth rate of the log files to determine which site is under attack.
If logs are not enabled and the number of sites is small, it is convenient to enable logs temporarily.
If logs are not enabled and the number of sites is too large, use a temporary Web Server configuration that sets a single default site without binding any virtual host, and add the following line to ip.php so that the requested host name is recorded as well.

file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND);

Step 4. Block the IP addresses

Create the file ban.php with the following content.
<?php
// Ban attack sources with iptables. Only well-formed IP addresses are passed to iptables.
$threshold = 10;   // an address in ips.txt is banned once it has more than this many records
$ban_num = 0;

function ban_ip($ip) {
    $ip = trim($ip);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;   // skip blank or malformed lines
    }
    $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($ip) . " -j DROP";
    shell_exec($cmd);
    echo "$ip banned!\n";
    return true;
}

// Direct visitors (ips.txt): count each address and ban those over the threshold.
$ip_arr = array_count_values(array_map('trim', file('ips.txt')));
foreach ($ip_arr as $ip => $num) {
    if ($num > $threshold && ban_ip($ip)) {
        $ban_num++;
    }
}

// Proxy servers (proxy.txt): ban every one of them, no count needed.
$proxy_arr = array_unique(array_map('trim', file('proxy.txt')));
foreach ($proxy_arr as $proxy) {
    if (ban_ip($proxy)) {
        $ban_num++;
    }
}
echo "total: $ban_num ips\n";
?>

Run the script with the following command (make sure that the php command is in PATH):

php ban.php

The ban.php script works on the files collected in Step 2: an address from ips.txt is blocked as an attack source when it has more than 10 access records; an address from proxy.txt is a proxy server and is blocked directly, without counting.
Once the IP addresses are blocked, restore all website settings to normal, and the website can continue to run normally.
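The same blocking policy, written in Python as an added example rather than the article's own ban.php: it counts ips.txt, applies the threshold of 10, bans every proxy once, rejects malformed lines with the standard ipaddress module, and builds each iptables command as an argv list so nothing is parsed by a shell. By default it only returns the commands (a dry run); the constructed sample data, the function names and the read_or_sample helper are assumptions of this example.

```python
import ipaddress
import subprocess
from collections import Counter
from typing import List, Optional

THRESHOLD = 10  # ips.txt: block an address once it has more than this many records


def valid_ip(line: str) -> Optional[str]:
    """Normalise one line of a collection file; None for blank or malformed lines."""
    try:
        return str(ipaddress.ip_address(line.strip()))
    except ValueError:
        return None


def plan_bans(ips_lines: List[str], proxy_lines: List[str],
              threshold: int = THRESHOLD) -> List[str]:
    """Same policy as ban.php, without touching the firewall.

    Direct visitors (ips.txt) are banned only when they exceed the threshold;
    every proxy (proxy.txt) is banned once. Malformed lines are skipped.
    """
    banned: List[str] = []
    counts = Counter(ip for ip in map(valid_ip, ips_lines) if ip)
    for ip, n in counts.items():
        if n > threshold:
            banned.append(ip)
    for ip in map(valid_ip, proxy_lines):
        if ip and ip not in banned:
            banned.append(ip)
    return banned


def iptables_rule(ip: str) -> List[str]:
    """argv for the DROP rule used in the article; a list, so no shell parses it."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", "80", "-s", ip, "-j", "DROP"]


def apply_bans(banned: List[str], dry_run: bool = True) -> List[List[str]]:
    """Build the commands and, unless dry_run, execute them (needs root)."""
    cmds = [iptables_rule(ip) for ip in banned]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample files: one heavy direct visitor, one light one, junk lines, duplicate proxies.
SAMPLE_IPS = ["192.0.2.7\n"] * 12 + ["192.0.2.8\n"] * 3 + ["not an ip\n", "\n"]
SAMPLE_PROXY = ["203.0.113.10\n", "203.0.113.11\n", "203.0.113.10\n", "192.0.2.7\n"]


def read_or_sample(path: str, sample: List[str]) -> List[str]:
    """Read a collection file if it exists in the working directory, else use the sample."""
    try:
        with open(path) as fh:
            return fh.readlines()
    except OSError:
        return sample


if __name__ == "__main__":
    banned = plan_bans(read_or_sample("ips.txt", SAMPLE_IPS),
                       read_or_sample("proxy.txt", SAMPLE_PROXY))
    for cmd in apply_bans(banned, dry_run=True):
        print(" ".join(cmd))
    print(f"total: {len(banned)} ips")
```

Run it in the directory holding ips.txt and proxy.txt to see the rules it would insert; pass dry_run=False to apply_bans only when running as root. Note that an address appearing exactly 10 times is not banned, matching the "more than 10" rule above.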

Step 5. Some details
To keep the description of the procedure above as concise as possible, no extra explanation was added there; the explanations are collected here.
1. The nature of a "proxy server"
Two values are relevant, one from TCP and one from HTTP: REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
(1) REMOTE_ADDR is always the IP address of the host closest to the Web server. If no proxy is used, this is the visitor's IP address. If a proxy is used, it is the IP address of the proxy server. If several proxy servers are chained, it is the IP address of the last proxy before the Web server.
REMOTE_ADDR is determined by the TCP/IP layer and cannot be modified or forged.
(2) HTTP_X_FORWARDED_FOR belongs to the HTTP part rather than to TCP/IP, so whatever its value, it does not affect data transmission. In general: if a visitor accesses the Web server directly, this value is blank; when a transparent proxy is used, the proxy sets it to the visitor's IP address; when an anonymous proxy is used, it may be the IP address of the proxy server, empty, or random.
HTTP_X_FORWARDED_FOR can be modified arbitrarily. Most proxy servers are transparent proxies, that is, they set this value to the IP address of the original visitor.
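Because HTTP_X_FORWARDED_FOR is free text that any client can set, the collector in Step 2 should treat it as untrusted. The following Python is an added example, not the article's ip.php: it applies the same sorting into real_ip.txt, proxy.txt and ips.txt, but goes one step further by accepting the header only when its first element parses as an IP address, and it applies the "more than 80% identical" rule from Step 2 to find the attack platform. The sample requests, the function names and the dictionary layout are assumptions of this example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional


def parse_forwarded_for(header: Optional[str]) -> Optional[str]:
    """Return the first well-formed IP address in an X-Forwarded-For value, or None.

    The header is chosen by whoever sent the request: it may be absent, empty,
    junk such as "unknown", or a comma-separated chain (client, proxy1, ...).
    Anything that does not parse as an address is discarded rather than recorded.
    """
    if not header:
        return None
    first = header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def classify_request(remote_addr: str, forwarded_for: Optional[str]) -> Dict[str, str]:
    """Return the records ip.php would append, keyed by the file it writes them to.

    REMOTE_ADDR comes from the TCP connection and is taken as the peer's address; it is
    still parsed so that a bad value fails loudly instead of being written out.
    """
    remote = str(ipaddress.ip_address(remote_addr))
    client = parse_forwarded_for(forwarded_for)
    if client is not None:
        # The peer claims to forward for someone else: it is (or pretends to be) a proxy.
        return {"real_ip.txt": client, "proxy.txt": remote}
    return {"ips.txt": remote}


def collect(requests: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Run the collector over a batch of requests and return the three files' contents."""
    files: Dict[str, List[str]] = {"real_ip.txt": [], "proxy.txt": [], "ips.txt": []}
    for req in requests:
        records = classify_request(req["remote_addr"], req.get("x_forwarded_for"))
        for name, addr in records.items():
            files[name].append(addr)
    return files


def dominant_real_ip(real_ips: List[str], share: float = 0.8) -> Optional[str]:
    """Step 2 expects one address to make up more than 80% of real_ip.txt: the platform
    the attack is launched from. Return it, or None if no address dominates."""
    if not real_ips:
        return None
    addr, n = Counter(real_ips).most_common(1)[0]
    return addr if n / len(real_ips) > share else None


# Constructed sample traffic using documentation address ranges (not real attack data).
SAMPLE_REQUESTS: List[Dict[str, Optional[str]]] = [
    {"remote_addr": "203.0.113.10", "x_forwarded_for": "198.51.100.4"},
    {"remote_addr": "203.0.113.11", "x_forwarded_for": "198.51.100.4"},
    {"remote_addr": "203.0.113.12", "x_forwarded_for": "198.51.100.4, 203.0.113.12"},
    {"remote_addr": "203.0.113.13", "x_forwarded_for": "198.51.100.4"},
    {"remote_addr": "203.0.113.14", "x_forwarded_for": "198.51.100.4"},
    {"remote_addr": "203.0.113.15", "x_forwarded_for": "198.51.100.9"},
    {"remote_addr": "192.0.2.50", "x_forwarded_for": "unknown"},  # junk header: treated as direct
    {"remote_addr": "192.0.2.51", "x_forwarded_for": None},       # no header: direct visitor
    {"remote_addr": "192.0.2.51", "x_forwarded_for": ""},         # empty header: direct visitor
]

if __name__ == "__main__":
    files = collect(SAMPLE_REQUESTS)
    for name, addrs in files.items():
        print(f"{name}: {addrs}")
    print("attack platform:", dominant_real_ip(files["real_ip.txt"]))
```

With the sample above, five of the six forwarded requests announce 198.51.100.4, which is more than 80%, so that address is reported as the attack platform, while the request carrying "unknown" is filed as a direct visitor because the header value is not an address.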

2. Layers at which CC attacks can be handled
Sorted by processing efficiency from high to low.
(Because this article is about VPS servers, and a VPS is simply a low-end alternative to a dedicated server with generally limited memory and CPU, the higher the processing efficiency the better.)
(1) Network transport layer. This is the iptables used in this article. The system kernel uses it to drop the attacker's connection directly while the network connection is being established. Once an attack source is handled at this layer, the resources it consumes are almost negligible.
(2) Web Server layer. Most Web servers can be configured with IP addresses that are denied access. The approach at this layer is similar to the above, but its efficiency is lower.
(3) Script layer. Attack sources are filtered out by policies written into the script program. There are many solutions of this kind circulating on the network, but they are not suitable for a VPS, and the difficulty of setting them up may be several or even dozens of times higher.

3. Why not collect IP addresses from logs?
There are two main considerations. First, most VPS users disable logging because the disk space is too small and it is troublesome to clear logs frequently.
Second, if IP addresses are collected from logs, the script becomes much more complicated and may need to be adjusted to the situation. Considering that most readers of this article may not have much technical background, the purpose of this article is to solve the problem just by following these steps.

 
