Cc detection and defense

What is a CC attack? CC attacks use a large number of proxy servers to initiate a large number of connections to the target computer, resulting in depletion of the target server resources and DOS. So how can we determine whether to query CC attacks? This article mainly introduces some commands for judging CC attacks in Linux.

# View the number of connections on port 80 netstat-nat | grep-I "80" | wc-l # Sort the connected IP addresses by the number of connections netstat-anp | grep 'tcp \ | udp '| awk' {print $5} '| cut-d: -f1 | sort | uniq-c | sort-nnetstat-ntu | awk '{print $5}' | cut-d: -f1 | sort | uniq-c | sort-nnetstat-ntu | awk '{print $5}' | egrep-o "[0-9] {1, 3 }\. [0-9] {1, 3 }\. [0-9] {1, 3 }\. [0-9] {1, 3} "| sort | uniq-c | sort-nr # View TCP connection status netstat-nat | awk '{print $6}' | sort | uniq -c | sort- Rnnetstat-n | awk '/^ tcp/{print $ NF}' | sort | uniq-c | sort-rnnetstat-n | awk '/^ tcp/{++ S [$ NF]}; END {for (a in S) print a, S [a]} 'netstat-n | awk'/^ tcp/{++ state [$ NF]}; END {for (key in state) print key, "\ t ", state [key]} 'netstat-n | awk'/^ tcp/{++ arr [$ NF]}; END {for (k in arr) print k, "\ t ", arr [k]} 'netstat-ant | awk' {print $ NF} '| grep-V' [a-z]' | sort | uniq-c # view port 80 connections up to 20 IPcat/www/web_logs /Waitalone.cn _ access. log | awk '{print $1}' | sort | uniq-c | sort-nr | head-100 tail-n 10000/www/web_logs/waitalone.cn _ access. log | awk '{print $1}' | sort | uniq-c | sort-nr | head-100cat/www/web_logs/waitalone.cn _ access. log | awk '{print $1}' | sort | uniq-c | sort-nr | head-100 netstat-anlp | grep 80 | grep tcp | awk '{print $5} '| awk-F: '{print $1}' | sort | uniq-c | sort-nr | head-n20netstat-ant | awk '/: 80/{split ($5, ip, ":"); ++ A [ip [1]} END {for (I in A) print, i} '| sort-rn | head-n20 # Use tcpdump to sniff access to port 80 to see who has the highest tcpdump-I eth0-tnn dst port 80-c 1000 | awk-F ". "'{print $1 ". "$2 ". "$3 ". "$4} '| sort | uniq-c | sort-nr | head-20 # search for more time_wait connections netstat-n | grep TIME_WAIT | awk' {print $5 }' | sort | uniq-c | sort-rn | head-n20 # Find More SYN connections. netstat-an | grep SYN | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | More # Common commands for using iptables to block ip segments in linux: # the command for blocking a single IP address is iptables-I INPUT-s 211.1.0.0-j DROP # the command for blocking IP segments is: iptables-I input-s 211.1.0.0/16-j DROPiptables-I input-s 211.2.0.0/16-j DROPiptables-I INPUT-s 211.3.0.0/16-j DROP # command for the entire segment yes: iptables-I INPUT-s 211.0.0.0/8-j DROP # the command for sealing several segments is: iptables-I input-s 61.37.80.0/24-j DROPiptables-I INPUT-s 61.37.81.0/24-j DROP # There are three methods to start self-running on the server: #1. Add it to/etc/rc. local #2. iptables-save>/etc/sysconfig/iptables can put your current iptables rules into/etc/sysconfig/iptables, which is automatically executed when the system starts iptables. #3. service iptables save can also put your current iptables rules in/etc/sysconfig/iptables. When the system starts iptables, # It runs automatically. # The last two are better. Generally, the iptables service is enabled before the network service, which is safer. # Unseal: iptables-d input-s IP address-j REJECTiptables-F # Clear all