CC Attack principle
CC is primarily used to attack pages. We have all had this experience: when visiting a forum, if the forum is relatively large and has many visitors, pages open more slowly. Generally speaking, the more people visit, the more pages the forum has, the larger the database is and the higher the access frequency, so the system resources consumed are considerable. This is why many hosting providers say not to upload forums, chat rooms and the like.
A static page needs few server resources; it can even be served straight from memory. A forum is different. When I read a post, the system has to check in the database whether I have permission to read it and, if so, read the contents of the post and display them. That is at least 2 database accesses. If the database is 200MB, the system is likely to search through that 200MB of data, and how much CPU and time does that take? If I search for a keyword, the time is even greater, because the earlier lookups can be limited to a very small scope (user permissions only check the user table, post content only checks the post table) and can stop as soon as a match is found, whereas a search has to evaluate all the data, so the time spent is quite large.
CC exploits exactly this: it simulates many users (one user per thread) continuously requesting pages that need heavy data operations, that is, pages that consume a lot of CPU time.
Attack symptoms:
The server's traffic can reach more than dozens of M in an instant, and the website cannot be opened. After restarting IIS, the traffic drops. The IIS logs show that many different IPs have repeatedly requested the same file. C:\windows\system32\logfiles\httperr contains many errors, as follows:
2007-08-22 06:05:28 61.140.127.206 61905 61.139.129.56 http/1.1? prodid=0961 503 Connlimit Pool21
2007-08-22 06:05:28 221.8.137.99 3916 61.139.129.56 http/1.1? prodid=0961 503 Connlimit Pool21
2007-08-22 06:05:28 220.187.143.183 4059 61.139.129.56 http/1.1? prodid=0961 503 Connlimit Pool21
2007-08-22 06:05:28 218.18.42.231 1791 61.139.129.56 http/1.1? prodid=0961 503 Connlimit Pool21
2007-08-22 06:05:28 125.109.129.32 3030 61.139.129.56 http/1.1? prodid=0961 503 Connlimit Pool21
2007-08-22 06:05:28 58.216.2.232 1224 61.139.129.56 http/1.1? prodid=0961 503 Connlimit Pool21
...
You can see that many different IPs are requesting the file list.asp. This is characteristic of a CC attack. Depending on the number of compromised machines ("meat machines") used to launch it, a small attack can make the site slow or unstable, and a large attack can keep the site from opening at all.
Because this attack simulates normal users constantly requesting a web page, an ordinary firewall has great difficulty defending against it. Based on actual work experience, here is how to solve the problem without a firewall.
Because a CC attack reaches our server through compromised machines or proxies, it is not the same as a SYN flood. A SYN flood uses constantly changing forged IPs, whereas the IPs in a CC attack are real and basically do not change, so we only need to block all of these IPs with a security policy.
I have read the methods other users describe, but they block IPs by hand one at a time, and an attack generally involves thousands of different IPs. Blocking them by hand is too much trouble, so here we use a program to block these IPs automatically.
The program reads the IIS log of the website, extracts the IP addresses, and blocks them automatically with a security policy. The VBS code is as follows:
' Code starts
' Program function: extract client IPs from the IIS log, turn them into the filter
' commands IPSec requires, and write those commands to a batch file.
' Suitable for a site subject to a large number of CC attacks.
Set fileobj = CreateObject("Scripting.FileSystemObject")
' Specify the log path of the attacked website.
' On a virtual host, to find out which site is under attack, look in
' C:\windows\system32\logfiles\httperr; it is easy to tell from the error log.
logfilepath = "E:\w3log\w3svc237\ex070512old.log"
writelog "netsh ipsec static add policy name=xblue"
writelog "netsh ipsec static add filterlist name=denyip"
overip = ","   ' comma-delimited list of the IPs already seen
f_name = logfilepath
' Read the whole log file
Set fileobj88 = CreateObject("Scripting.FileSystemObject")
Set myfile = fileobj88.OpenTextFile(f_name, 1, False)
contentover = myfile.ReadAll()
contentip = LCase(contentover)
myfile.Close
Set fileobj88 = Nothing
On Error Resume Next
myline = Split(contentip, Chr(13))
For i = 0 To UBound(myline) - 1
    myline2 = Split(myline(i), " ")   ' log fields are separated by a single space
    If UBound(myline2) >= 6 Then      ' skip header lines and short records
        ' Index of the client IP field; adjust it to match the field order of your log.
        newip = myline2(6)
        ' Remove duplicate IPs. The commas force a whole-address match, so that
        ' 1.2.3.4 is not mistaken for a duplicate of 11.2.3.45.
        If InStr(overip, "," & newip & ",") = 0 Then
            overip = overip & newip & ","
            dsafasf = Split(newip, ".")
            If UBound(dsafasf) = 3 Then   ' four dot-separated parts
                writelog "netsh ipsec static add filter filterlist=denyip srcaddr=" & newip & " dstaddr=me dstport=80 protocol=tcp"
            End If
        Else
            ' Under wscript.exe each Echo opens a message box.
            WScript.Echo newip & " already exists!"
        End If
    End If
Next
writelog "netsh ipsec static add filteraction name=denyact action=block"
writelog "netsh ipsec static add rule name=kill3389 policy=xblue filterlist=denyip filteraction=denyact"
writelog "netsh ipsec static set policy name=xblue assign=y"

' Append one IPSec command to the batch file that holds the policy.
Sub writelog(errmes)
    ipfilename = "Denyerrorip.bat"
    Set logfile = fileobj.OpenTextFile(ipfilename, 8, True)
    logfile.WriteLine errmes
    logfile.Close
    Set logfile = Nothing
End Sub
' End of code
Save the above code as a .vbs file and set the path of the log. Double-click it to run; it generates a Denyerrorip.bat file, which is the policy file that IPSec needs. Double-click that file to run it.
Once this operation is complete, the CC attack problem is resolved.
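A threshold-based variant of the log analysis above, added here as an example in Python; it is not the original author's script. It locates the c-ip column from the W3C #Fields header instead of a fixed index, counts requests per source so that ordinary visitors in the same log are not blocked, and emits filter lines only for strictly validated IPv4 addresses. The sample log lines, the threshold of 3 and the allow parameter are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed W3C-format sample (documentation address ranges), not real traffic.
SAMPLE = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2007-08-22 06:05:28 203.0.113.5 GET /list.asp prodid=0961 80 192.0.2.10 200
2007-08-22 06:05:28 203.0.113.5 GET /list.asp prodid=0961 80 192.0.2.10 200
2007-08-22 06:05:29 203.0.113.5 GET /list.asp prodid=0961 80 192.0.2.10 503
2007-08-22 06:05:29 203.0.113.5 GET /list.asp prodid=0412 80 198.51.100.7 200
2007-08-22 06:05:30 203.0.113.5 GET /index.htm - 80 198.51.100.7 200
""".splitlines()

def count_clients(lines, uri_stem=None):
    """Count requests per client IP, locating c-ip through the #Fields header."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#") or "c-ip" not in fields:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, cols))
        if uri_stem and rec.get("cs-uri-stem", "").lower() != uri_stem:
            continue
        hits[rec["c-ip"]] += 1
    return hits

def block_commands(hits, threshold, allow=()):
    """netsh filter lines for validated IPv4 sources with >= threshold requests."""
    cmds = []
    for ip, n in sorted(hits.items()):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # never copy a non-IP token into the batch file
        if n < threshold or str(addr) in allow:
            continue
        cmds.append("netsh ipsec static add filter filterlist=denyip "
                    f"srcaddr={addr} dstaddr=me dstport=80 protocol=tcp")
    return cmds

if __name__ == "__main__":
    for cmd in block_commands(count_clients(SAMPLE, "/list.asp"), threshold=3):
        print(cmd)
```

The printed lines take the place of the per-IP filter lines in Denyerrorip.bat; the policy, filterlist, filteraction and rule commands around them stay as in the script above.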