Cckiller:linux Lightweight CC Attack Defense tool, second level check, auto darken and release _linux shell

Zhanggo blog A long time ago to share a CC attack defense script, write is not good, but was 51CTO accidentally reproduced. Since then, the blog has often been taken to practicing the road of not return.

Of course, there are still a lot of friends in the production environment to use, and will leave a message to ask related questions. Based on the needs of these questions, I spent some time writing a more satisfying lightweight CC attack defense script, and I gave it a more iconic name: Cckiller, translated as cc Terminator.

First, the function affirms

Before I share it, I must say, as we all know, DDoS attacks refer to distributed denial of service. and CC attack is only a kind of DDoS attack, this article describes the CC attack, refers to each IP is a high concurrent request attack, rather than distributed massive IP low concurrent DDoS attack!

For personal Low-cost Server, in addition to using CDN to protect, at least I did not think how to withstand the massive IP attack! Because each IP is a normal UA to request, and each IP low concurrent request and the normal user request, and will not trigger the defense threshold, at the same time to 1000, or even tens of thousands, the personal low server bandwidth in the first time will be occupied, can not continue to provide services!

Therefore, if your website is being subjected to a massive IP low concurrent DDoS attack, then this article shares the Cckiller to be helpless. Go ahead and open CDN to expand bandwidth!

Second, Function introduction

With the above statement, the Cckiller is roughly a positioning: Cckiller is a lightweight cc attack defense for personal low-cost servers that can withstand high concurrent attacks from a single IP.

The functional features of the current design are as follows:
①, second level check
A lot of people write defense scripts that use the Linux system's scheduled tasks crontab to check them regularly. The finest particle of crontab is 1 minutes, which means the script can be checked only 1 minutes at the fastest speed. It would be very unpleasant for some obsessive-compulsive disorder.

So, I still use the while loop to implement a second-level check to achieve finer particles, according to the ideas shared before. Of course, Cckiller was written by me as a system service, more flexible and stable.
②, Black and long
Cckiller can be set to pull black when the length, the default is 10 minutes. When a malicious request is found, it automatically pulls the target IP and automatically releases it when the Black is over, which is a big improvement on the script I wrote earlier.
③, concurrent threshold value
Cckiller can set the maximum number of requests for a single IP, and if an IP request exceeds a set threshold, it will be temporarily black for a period of time.
④, send mail
This function has nothing to say, meaning is not big. And the sending success rate and the environment of the server also have a great relationship.
⑤, concurrent display
After installation, the direct run Cckiller lists the current system's request ranking, and can clearly see the current request IP and concurrency numbers. The-s parameter can also continue to customize the requirements, such as cckiller-s 10 to display the current concurrent number of the top 10 IP.
⑥, manual pull Black
Support manual pull black, after execution will immediately check, the concurrent request over n IP pull black for a period of time, such as Cckiller-k 100 will be currently more than 100 requests for IP pull black for a period of time, if no will not perform any pull black operation.

Third, the tool installs
①, online installation

Since I may often update some features or fix some bugs, I only provide an online installation to ensure that the scripts are up to date.

The installation is very simple, and you can enter the configuration step by executing the following command:

Copy Code code as follows:

wget--no-check-certificate-o install.sh https://zhangge.net/wp-content/uploads/files/cckiller/install.sh?ver= 1.0.1 && chmod +x install.sh &&/install.sh-i

②, tool configuration

Because each server may not be the same, there is a process for customizing the configuration.

After you perform the above installation command, you will enter the optional configuration section, as shown in the figure:

Prompt to use the script default configuration, and if it is (y), display the default configuration and ask if you want to continue:

The default configuration is as follows:

Copy Code code as follows:

The time interval:20 s #每20s检查一次系统请求情况
The Forbidden time:600 s #拉黑时长设为10分钟
Adminstrator email:root@localhost #邮件对象设置为root @localhost (that is, send mail off)
Connections allow:100 #单个IP并发限制为100

If you do not meet your needs, you can use CTRL + C to terminate the script, or continue the installation, because the tool designed the configuration modification function, so there is no need to worry.

If you do not use the default configuration (n), you will be asked to enter parameters to customize the configuration:

As shown in the diagram, I will define the parameters in order to check every 10 seconds, pull black when the length of 300 seconds, the sender set as a blog mailbox, the concurrency limit is set to 60, enter after the pop-up will pop a hint, let you check, if there is no problem you will install and start directly:

③, Service Control

After installation, the Cckiller will be registered as a system service, then you can use the service to control the Cckiller.
Use the standard service definition to support start | Stop | Restart | Status four parameters. So, you can use
Service Cckiller Stop Cckiller, or you can use service Cckiller status to view the status.

④, Integration command

After a successful installation, the system will also have a Cckiller command, the existing function of this command is as follows:
Cckiller-h can pull out help information:

Copy Code code as follows:

Cckiller version 1.0.0 Author:jager <ge@zhangge.net>
Copyright©2015 zhangge.net. All rights reserved.
Usage:cckiller [OPTIONS] [N]
N:number of TCP/UDP connections (default 100)
OPTIONS:
-H | --help:show This help screen
-K | --kill:block the offending IP making more than N connections
-S | --show:show the top "N" connections to System current

My broken English also can make up to explain the function of it ~

-K is pull black function, need to bring in the back of the concurrent number you want to pull black, such as cckiller-k 100 will pull black The current request is greater than 100 of the IP for a period of time (and the length of the pull black)

-S is to show concurrent rankings, but also need to bring a number behind, such as Cckiller-s 10 can display the current number of concurrent ranking of the top 10 IP.
⑤, File structure
As shown in the figure above, the script installation directory is/usr/local/cckiller and has the following structure:

cckiller/
├──cckiller #主程序
├──log/#日志目录 (new features Ver 1.0.1)
├──ck.conf #配置文件
├──ignore.ip.list #白名单
└──install.sh #安装和卸载脚本

0 directories, 5 files

Very simple also more specification of the structure, of course, subsequent functions if more and more, this structure may be updated, this is something.

If you are familiar with VIM, you can define tool parameters as long as you edit ck.conf:

Copy Code code as follows:

##### Paths of the script and other files
Progdir= "/usr/local/cckiller"
Prog= "/usr/local/cckiller/cckiller"
Logdir= "/usr/local/cckiller/log"
Ignore_ip_list= "/usr/local/cckiller/ignore.ip.list"
ipt= "/sbin/iptables"
Dkname=cckiller
dkver=1.0.1
##### sleep_time Set Check frequency, unit seconds
sleep_time=10
##### no_of_connections Set concurrency limit
No_of_connections=60
##### Email_to Set the sending object for the message
Email_to= "Ge@zhangge.net"
##### Ban_period Set Black time length, unit seconds
ban_period=300

It doesn't matter if you're not familiar. You can also perform./install.sh-c to initialize the tools, reset all the parameters, and the process is consistent with the first installation.
⑥, white list
Tool installation will default to all of the system IP will be added to the white list, to avoid their own to pull black embarrassment. If you have other IP to add white, you can add IP to the Cckiller installation directory in the Ignore.ip.list file, each line.

Ps: The current whitelist does not support IP segments, please look forward to follow-up updates.
⑦, uninstall Tool
A friend who has a heart may have noticed that install.sh can take parameters. I have designed several commonly used loading and unloading functions when I write code, as follows:

Copy Code code as follows:

#直接执行./install.sh will display the following Help information
###################################################################
# Cckiller Version 1.0.1 Author:jager <ge@zhangge.net> #
# For more information, please visit https://zhangge.net/5066.html #
#-----------------------------------------------------------------#
# Copyright @2015 zhangge.net.              All rights reserved. #
###################################################################

Usage:configure.sh [OPTIONS]

OPTIONS:
-H | --help:show help of Cckiller
-u | --update:update Check for Cckiller [not available now]
-C | --config:edit the Configure of Cckiller again
-I. | --install:install Cckiller version 1.0.0 to this System
-u | --uninstall:uninstall Cckiller from this System

which

The-u parameter is used to upgrade tools, but is not available because there is no time yet to write (Ver 1.0.2 has supported online updates)

The-i parameter is used to install the tool and, if installed, prompts and terminates

-c parameter is used to configure tools for easy installation and modify tool configuration at any time

The-u parameter is used to uninstall the tool, note is capitalized Oh!

So we can use./install.sh-u uninstall Cckiller as shown:

Iv. Attack and defense test

After successfully installing and enabling Cckiller, we can use the stress test tool to test black and release effects, such as Webbench or AB.
If the concurrency limit set by Cckiller is 100 and the check interval is 10s, use the Webbench test as follows:
Webbench-c 101-t http://www.yourwebsite.com/
After you start the test, you can immediately go to the server to view the firewall:
Iptables-nvl
With a few more brushes, you can see that the Webbench server IP is already in the drop rule.
OK has been pulled black, you wait for a 10 minutes to see the firewall, you can find Webbench server IP has disappeared, successfully released!

Ps: If the message is correct, then you should also receive the alarm message from the tool, such as a webmaster suffering from cc attack to send me feedback:

V. More instructions ①, configuring concurrency Restrictions
Cckiller the maximum number of connections is configured, it is recommended that the number of concurrent numbers generated by a single Web page be judged.

Situation A: Your site has done the static and dynamic separation, then statically request to another domain name (assuming static resources hosted on another server or CDN), a single IP request a page may only produce a number of concurrent (assuming 5), we assume that a user is very strong, he likes to quickly drag and drop open your site multiple pages, For example, open 10 at the same time, then the normal user's normal maximum concurrency you can also be basically sure? Concurrency restriction: 10x5=50. If someone refreshes your dozens of pages at the same time, you don't believe in malice, do you?

Situation B: If there is no separation of movement, then a page generated by the concurrency may be more, each CSS, JS, pictures will produce a request. So, in this case, you need to calculate a little bit of concurrent requests from a single page of your site, for example, a single page will produce 30 requests, you also need to consider the user may drag multiple pages in a row, assuming I allow users to refresh 10 pages at the same time, then the concurrency limit can be set to 300, So

Fault tolerance: From A and B, cckiller in fact there is a blind spot, that is, if the user IP is a company's unified export, that is, proxy Internet IP, then the tool will easily manslaughter innocent. So, in addition to A and B, you have to consider the audience type of your site. For example, I am a personal blog, at the same time by a company multiple Windows drag and drop access, this situation is not much? If this audience is likely to exist, the concurrency limit can be set to a greater extent to avoid the wrong killing of innocent people. Of course, pull Black is only 10 minutes, also not "ever a Knave" ...

Of course, in either case, the concurrency limit can be higher than the estimated setting, and this is a matter of discretion!
②, insufficiency and perfection
Cckiller is my recent use of leisure time, hurried to do, there will inevitably be a variety of problems. There is no time for testing and perfecting. However, there are still several webmaster in use, no feedback abnormal. Of course, I share the online installation method, but also for the subsequent updates to facilitate. But compared to my previous defense scripts, Cckiller has made great strides, very simple installation, more powerful features!

Functional planning:

A. Online upgrade function

Needless to say, the existing tools have been reserved and may later be added to the version judgment and update functions.

B. Adding additional security protection settings

At present, the tool is the same as the spot, directly on the inspection, there is no system environment to do some initialization of the settings. For example, the website General iptables setting, sync flood attack defense and so on. The following will be installed as an optional feature.

C. Integrated fool-style firewall control function

Not every webmaster will be skilled operation Iptables, so may consider to cckiller this command to integrate a ban and unban IP functions, such as prohibiting an IP, the implementation of cckiller-d $IP can reduce the threshold of the use of iptables.

In addition, it is worth noting that Cckiller is only suitable for the bare-Ben Web site, and not suitable for the use of CDN's website, because the use of CDN, request over IP are CDN nodes, you can not pull CDN node also black it? Ps: In fact, you can also use, you put the concurrency limit slightly set higher, even if pull black CDN node also pull black 10 minutes, not too much impact.

To solve this problem, I will find time to study directly from the Nginx log to get real source IP to deny access. At present, there has been a phased progress, please look forward to!
Appendix: Updating Records

2015-09-23 Ver 1.0.1:

White list to support the IP section of the new Black to determine whether or not there is a iptables operation of IP judgment; increase the logging function, a daily log file, located in the installation directory under the log file; Integrated manual pull black IP and IP, use cckiller-b $IP pull black, use Cckiller-u $IP to be closed.

2015-11-29 Ver 1.0.2:

New online update function, execute./INSTALL.SH-U to detect new versions:

If a new version is found, the update is displayed and the update is prompted to do so. The selection will be updated to the new version, which requires reconfiguration, but the IP or port whitelist will remain unchanged.

New Port Whitelist feature

Users should be required to add this port whitelist function. The last item in the configuration Cckiller will prompt for the port whitelist:

If you need to exclude certain ports, as shown in the last line of the figure, the input ports are separated by commas, such as 21,2121,8000

This update is not necessary function, in the use of friends can be updated on demand, of course, the new online update this function, but also a strong recommendation to update, to facilitate follow-up detection Cckiller is the latest version.

Updates inevitably exist unexpected flaws, the use of any problems, please leave a message to inform, thank you!