Crude CC attack-HTTP Flood

Source: Internet
Author: User


HTTP Flood is an application-layer (Layer 7) attack on web services.

Hazard:

The attack is simple to launch, difficult to defend against or filter, and has a huge impact on the target host.

Attack method:

HTTP Flood attacks do not require control of a large number of bots. Instead, attackers use port-scanning programs to find anonymous HTTP or SOCKS proxies on the Internet and send HTTP requests to the target through them. Disguised as ordinary users' requests for a site, the large number of connections consumes the site's resources.

Attack resources:

Anonymous proxies are an abundant resource, and collecting them takes only a few days. The attack is therefore easy to launch and can be sustained for a long time.

Attack impact:

HTTP Flood attacks are launched at the application layer and simulate normal user request behaviour, so they are closely tied to the website's business logic. There is no single defence method against such attacks, and incorrect filtering rules may block a large number of legitimate users. HTTP Flood attacks can also cause serious chain reactions: when the front end continuously receives requests that carry a large number of database operations, not only does the attacked web front end respond slowly, but back-end programs such as the database are attacked indirectly. The added pressure can cause the database to stall or, in severe cases, crash, and can even affect related hosts such as log storage servers and image servers.

CC Attack:

HTTP Flood is also called a CC attack. CC is short for Challenge Collapsar; Collapsar is the DDoS defence appliance of a well-known security company in China.

The key to an HTTP Flood is to break through the front-end cache and reach the web server directly, using field settings in the HTTP header.

Target selection is also critical for an HTTP Flood. Attackers generally look for pages that require heavy data queries, so that each request consumes as many server resources as possible. Pages that normal users reach through an app, usually various web APIs, are preferred as targets: since both normal users and malicious traffic then come from apps, the difference between humans and machines is very small, and legitimate and malicious traffic are hard to tell apart.

Script writing ideas:

1. Obtain enough proxies from proxy publishing sites on the Internet.

Getting proxies:

1. Proxy-collection software such as Agent Superman and Flower Thorn Agent gathers proxies from various proxy publishing sites.

2. Some proxy publishing sites aggregate lists from other publishing sites (the larger sites in China and abroad), which gives a high response rate.

3. Others scan a large number of IP addresses from a high-bandwidth server on ports such as 80, 8080 and 3128, check whether the port speaks a proxy protocol, and then verify it. Proxies obtained this way are of relatively high quality, since they are first-hand information ......

2. Verify that the proxies are usable; otherwise they only waste host resources.

3. Send requests through the proxies to launch the attack.

Afterwards: I did a stress test last week, but I did not have a tool to hand, so the test was not ideal and I wrote a test tool myself. Note:

Based on the results of the past few days, there are some points to pay attention to.

For CC testing tools, sending packets without any restriction is not recommended. Setting a very low timeout is meaningless: it only slows your own host down with CPU usage, and if the request is disconnected the server simply ignores it. Connecting directly and obtaining the data is enough.

A random parameter value must be added to GET requests, whether by randomizing an existing parameter or by adding a custom random parameter, in order to get past caches.

The HTTP header must be customized: set the User-Agent to a normal browser or a search engine, and the Referer must be set. After all, the log only records a few pieces of information.

Using both multi-process and multi-thread methods in Python is recommended, to make full use of the host CPU despite the GIL.

A distributed version is the ideal: it crawls proxy addresses through an online program, requests the target resources, and receives commands through a B/S (browser/server) control interface. This is simple and practical.
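A defender-side counterpart to the points above (random query strings to get past caches, expensive API pages, traffic arriving through proxies): an added Python example, not from the original post, that scans Apache combined-format access-log lines and flags client IPs that send many requests, change the query string on almost every request, and mostly hit expensive endpoints. The log lines, IP addresses, the /api/search path and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return ip, path and query string of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "path": url.path, "query": url.query}

def flag_cc_sources(lines, min_requests=20, unique_query_ratio=0.8,
                    expensive_paths=("/api/search",)):
    """Flag client IPs that (1) send at least min_requests, (2) change the query string on
    nearly every request (cache busting), and (3) mostly hit expensive endpoints."""
    per_ip = defaultdict(lambda: {"total": 0, "queries": set(), "expensive": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        st["total"] += 1
        st["queries"].add(rec["query"])
        if rec["path"].startswith(expensive_paths):
            st["expensive"] += 1
    flagged = {}
    for ip, st in per_ip.items():
        if st["total"] < min_requests:
            continue
        ratio = len(st["queries"]) / st["total"]
        if ratio >= unique_query_ratio and st["expensive"] / st["total"] >= 0.5:
            flagged[ip] = {"requests": st["total"], "unique_query_ratio": round(ratio, 2)}
    return flagged

def constructed_sample():
    """Constructed log lines (not real traffic): one proxy IP hitting the search API with a
    fresh random-looking parameter on every request, plus a handful of ordinary requests."""
    fmt = ('{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {url} HTTP/1.1" 200 5120 '
           '"https://www.example.com/" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.10", s=i % 60, url=f"/api/search?q=x&r={(i * 7919) % 10007}")
             for i in range(30)]
    lines += [fmt.format(ip="198.51.100.7", s=i, url=p) for i, p in enumerate(
        ["/index.html", "/about", "/api/search?q=shoes", "/index.html", "/css/site.css"])]
    return lines
```

Run `flag_cc_sources(constructed_sample())` to see the proxy IP reported with 30 requests and a unique-query ratio of 1.0, while the ordinary client stays below the request threshold.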

Load query commands:

Take Apache as an example.

1. View the number of concurrent connections:

netstat -an | grep ESTABLISHED | wc -l

Compare this number with the MaxClients setting in httpd.conf.

2. Check the number of processes:

ps aux | grep httpd | wc -l

3. You can also use the following command to view the data:

ps -ef | grep httpd | wc -l
1388

This counts the number of httpd processes; on an Apache server each request is handled by one process.

The value 1388 indicates that Apache is handling 1388 concurrent requests. Apache adjusts this number automatically based on the load.

netstat -nat | grep -i "80" | wc -l
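The netstat one-liner above matches any line containing "80" (an address such as 10.80.0.1 counts too). As an added Python example, not from the original post, the parser below matches the local port exactly, counts ESTABLISHED connections, compares the count with MaxClients, and lists the remote IPs holding the most connections, which is where a proxy-based flood concentrates. The netstat rows and the MaxClients value are constructed.

```python
from collections import Counter

def parse_netstat(output):
    """Parse `netstat -nat` style rows into (local_ip, local_port, remote_ip, remote_port, state)."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines and non-TCP rows
        local, remote, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append((lip, int(lport), rip, int(rport), state))
    return conns

def connection_pressure(output, max_clients, port=80, warn_ratio=0.8, top_n=3):
    """Count ESTABLISHED connections on the web port, compare them with MaxClients, and
    list the remote IPs holding the most connections (a proxy flood concentrates there)."""
    est = [c for c in parse_netstat(output) if c[1] == port and c[4] == "ESTABLISHED"]
    by_remote = Counter(c[2] for c in est)
    ratio = len(est) / max_clients if max_clients else 0.0
    return {
        "established": len(est),
        "max_clients": max_clients,
        "utilization": round(ratio, 2),
        "warning": ratio >= warn_ratio,
        "top_remote": by_remote.most_common(top_n),
    }

def constructed_netstat():
    """Constructed netstat output (not from a real host): 12 connections from one proxy IP,
    three from ordinary clients, plus one on port 8080 and one in TIME_WAIT that must not count."""
    header = "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    rows = [f"tcp        0      0 10.0.0.5:80      203.0.113.10:{50000 + i}   ESTABLISHED"
            for i in range(12)]
    rows += [f"tcp        0      0 10.0.0.5:80      198.51.100.{i}:4321     ESTABLISHED"
             for i in range(1, 4)]
    rows.append("tcp        0      0 10.0.0.5:8080    198.51.100.9:4400     ESTABLISHED")
    rows.append("tcp        0      0 10.0.0.5:80      198.51.100.8:4500     TIME_WAIT")
    return "\n".join([header] + rows)

if __name__ == "__main__":
    print(connection_pressure(constructed_netstat(), max_clients=16))
```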
Script:

Although the script is quite simple, it will not be released for now, because it is used for stress testing. Write it yourself!

Afterword:

Some things you only really understand once you write them; this time I chose Python. Multi-process and multi-thread methods were used to complete it, and the requests module is easy to use. Solving the problems of passing parameters, controlling the thread pool and process pool, and serializing parameters by various means was a great pleasure. During later tests I used two hundred proxies to take down many of my friends' blogs; I felt the effect was good.
