Linux DDOS and CC attack Solution
Background

Nowadays, DDoS attacks are becoming more and more frequent, and a denial-of-service attack can be carried out without any real technical skill. Some webmasters report MySQL error 1040 on their websites even though they have fewer than a thousand online users and the MySQL configuration is fine. This situation deserves attention: the website may be under a CC attack.

Solutions and ideas

CC attack defense measures. Since the system is CentOS, run the following two commands:

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' | sort -rn | head -n20

The output shows the IP addresses with too many requests: 222.127.94.*, 247.27.128.*, 145.27.133.*. Start banning those IP addresses; for details, refer to the commands I ran below. This article uses iptables to block them:
iptables -I INPUT -s 222.127.94.0/16 -j DROP
iptables -I INPUT -s 247.27.128.0/16 -j DROP
iptables -I INPUT -s 145.27.133.0/16 -j DROP
iptables -I INPUT -s 193.1.0.0/8 -j DROP   [block the entire segment with caution]
After running these commands the ban is in place, but the rules still have to be saved; otherwise the rules set above will disappear after the system restarts:

service iptables save

Run the following command to check who generates the highest access volume (tcpdump must be installed on the server):
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
1000 packets captured
1000 packets received by filter
0 packets dropped by kernel
1420 IP 174.7.7.*
Then record the IP addresses with an excessive number of packets and block them with the method above. Run service iptables save, then restart iptables with service iptables restart. We recommend repeating this step several times to block the abnormal IP addresses. If an address was blocked by mistake, unblock it with the following command:

iptables -D INPUT -s 222.142.2.0/16 -j DROP

The command to block a single IP address is:

iptables -I INPUT -s 211.1.0.0 -j DROP

The command to block an IP segment is:
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
The command to block the entire B segment is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP

The command to block several segments is:

iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP

After the above operations, the customer's website was back to normal almost instantly. Of course, this also has something to do with their VPS. top showed that the server resources were normal. The method above only covers the specific operations. I have many more ideas about network security; don't give hackers a chance!
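The counting-and-blocking procedure above, written as a reviewable script (an added example, not the article's own commands): it parses netstat -ant style output, counts connections per source IP on port 80, and prints one iptables DROP rule per address above a threshold instead of applying anything. The sample output, the threshold of 3 and the helper names are constructed for the example; note also that iptables treats a mask such as 222.127.94.0/16 as the whole 222.127.0.0/16 range, so check the prefix length before applying a segment ban.

```shell
#!/bin/sh
# Added example (not from the original article). Counts connections to
# port 80 per source IP from `netstat -ant` output and prints an iptables
# DROP rule for each IP at or above a threshold. Nothing is applied, so it
# needs no root and touches no firewall.

# Constructed sample of `netstat -ant` output (documentation addresses,
# not real traffic). 203.0.113.7 holds four connections to port 80.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51122       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51123       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51124       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51125       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.7:60000       ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.33:33000        ESTABLISHED'

# top_talkers: read netstat output on stdin and print "count ip" for every
# source IP with connections whose local port is exactly 80, highest first.
# Matching on the local-address field avoids the article's `grep 80`, which
# also hits any other port or address containing "80".
top_talkers() {
    awk '$1 == "tcp" && $4 ~ /:80$/ {
            split($5, ip, ":"); count[ip[1]]++
         }
         END { for (i in count) print count[i], i }' | sort -rn
}

# block_rules THRESHOLD: print an iptables command for each IP whose
# connection count to port 80 is >= THRESHOLD. Review the output before
# piping it to `sh`, and run `service iptables save` afterwards.
block_rules() {
    threshold="$1"
    top_talkers | awk -v t="$threshold" \
        '$1 >= t { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Usage on the constructed sample (real use: netstat -ant | block_rules 50):
# printf '%s\n' "$SAMPLE_NETSTAT" | block_rules 3
#   -> iptables -I INPUT -s 203.0.113.7 -j DROP
```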