Prevent Phpddos attacks

First to understand what is Phpddos traffic attacks, Phpddos is a hacker through the intrusion Web service implanted Phpshell to control this phpshell to other victims or their own service to send UDP attack packets stop DDoS attacks, such attacks have one of the greatest characteristics, Is the upload of traffic instantly increased, usually flow up to dozens of or nearly hundred m, will be the entire server, and the entire cabinet to block the broadband, so that the site can not operate, and such attacks, we can not from the remote processing, one but the Phpshell operation, your broadband will be all occupied, remote can not connect.

What can be done after the attack is to contact the staff of the room, let him in your service. Turn off your IIS, and then do not check clearly which site was invaded, as far as possible a site also do not open, so as not to be attacked again, how to see whether this attack, can not say to turn off the ISS good, is this attack, And depending on the more accurate view, can be sure what is the problem, turn over 360 security guards, and then open the function encyclopedia, to find the flow of the firewall, where you can see each process upload and download a few of the traffic, attention to hide the system service also points open to see, ordinary are upload super big is Phpddos attack, and ordinary will be in w3wp.exe and mysql.exe upload traffic will be very large, the smallest also hundreds of m, the largest number of G, good know is this attack, we will think of methods to deal with.

Treatment methods:

1. The application of 360 flow firewall, the w3wp.exe and Mysql.exe upload traffic restrictions, based on your service to the situation of the broadband to stop restrictions, the general restrictions in 200-300KB are no problem, so not afraid of Phpshell launched a large flow of attacks, However, there is a flaw in this approach, that is, when you restart the service, you previously restricted w3wp.exe and Mysql.exe will not work, to be a new limit, the way friends must pay attention to this point.

2. After changing the operating environment of PHP to deal with, open php.ini find disable_functions= This, and then change the back to Gzinflate,passthru,exec,system,chroot,scandir,chgrp, Chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog, Readlink,symlink,popepassthru,stream_socket_server,fsocket,fsockopen. Allow_url_fopen = off, and then find the Extension=php_sockets.dll, the front plus a semicolon, that is, shielding the item.

3. After the search for attack source processing, the bulk of the site to find all the existence of Phpshell attack source code, source code for (because the code is too messy to show the picture to everyone) as shown:

After a lot of search site can have similar to the source code on the map, find the deletion, the site permissions set to not write, so that the site did not repair the flaws before, will not be implanted in the Trojan.