For readers: DDoS researchers, webmasters of large sites, network administrators
Prerequisites: ability to read basic ASP
Many readers know the barrel theory: how much water a bucket holds is set not by its tallest stave but by its shortest. A server is the same. Its security is determined by its weakest point, and that weakest point is the most dangerous part of the server. DDoS works the same way: as soon as your server has a spot that consumes a lot of resources and is not adequately limited, it becomes somebody's DDoS target. SYN flooding, for example, exploits the fact that a server holding a half-open connection is spending resources that the initiator is not: the initiator only has to keep sending SYN packets and needs hardly any resources of its own.
A good DDoS attack must use very little of the attacker's own resources to impose a much larger resource cost on the other side. Otherwise, as with ICMP flood and UDP flood, you need as much bandwidth as the target: however much the target server spends, you spend the same amount. That is extremely inefficient and very easy to detect, and basically nobody uses it any more.
Attack principle
CC is mainly used to attack web pages. We have all had the experience: on a large forum with many visitors, pages open slowly. Generally, the more visitors a forum has, the more pages it serves, the larger its database grows and the higher the access frequency, so the system resources it consumes are considerable. Now you know why many hosting providers tell customers not to upload forums, chat rooms and the like.
A static page needs almost none of the server's resources; it can be served straight from memory. A forum is different. When I read a post, the system must query the database to check whether I have permission to read it and, if so, read the post's content and display it: at least two database accesses. If the database is 200 MB, the system may have to search through that 200 MB of data, and that costs CPU time. A keyword search costs far more, because the earlier queries can be confined to a very small scope (permissions only touch the user table, post content only the post table) and can stop as soon as they find a match, whereas a search has to examine all the data, and the time spent is considerable.
CC makes full use of this: it simulates many users (as many threads as users) continuously requesting pages that involve heavy data operations, that is, pages that cost a lot of CPU time. Many readers ask why proxies are used. A proxy effectively hides the attacker's identity, and it also gets past the firewall, because almost every firewall counts concurrent TCP/IP connections per source and treats a source exceeding a certain rate as a connection flood.
Attacking through proxies is also a very good way to keep connections open: we send the request, the proxy forwards it to the target server, and we can disconnect immediately while the proxy keeps its connection to the target open (the record I know of is 2,000 proxies producing 350,000 concurrent connections).
Perhaps many readers still do not quite follow, so let me describe it. Suppose server A needs 0.01 s to process search.asp (multithreading only time-slices the CPU, so it does not change the conclusion), so it can serve 100 search requests per second, and the server's maximum connection time is 60 s. Now we use CC to simulate 120 concurrent users. After 1 minute the server has received 7,200 requests and handled 6,000, so 1,200 are still unprocessed. Some will say: just drop the connections! The problem is that the server handles requests in arrival order, and those 1,200 were all issued in the last 10 seconds, so they are nowhere near the 60 s limit. The backlog grows by 20 requests every second, so the oldest queued request only reaches the 60 s limit after about 6 minutes, and by then 7,200 requests are sitting in the queue. From then on the server has to serve or expire 120 requests every second, exactly the rate at which we issue them, so it always has work waiting: its CPU sits at 100% for a long time, requests that have waited 60 s are dropped unprocessed, and new connections cannot be handled either. The server is saturated.
Remember that we assumed the search takes only 0.01 s, that is 10 ms (compare the page generation time many forums display), and that we used only 120 threads. Many servers keep connections far longer than 60 s, and we can use far more than 120 threads; imagine how bad that gets. Moreover, the client disconnects as soon as it has sent the request, the proxy keeps the connection alive, and once the server has received the SQL request it goes into the queue whether or not the client connection still exists. The server handles requests concurrently rather than strictly one after another, so more requests pile up in memory and the load only grows.
Of course, CC can also use this method to attack FTP, and can implement a TCP flood; these have been tested and work.
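To put numbers on the queue described above, here is an added example (it is not code from the original article) that simulates a single-server FIFO queue with the article's figures: 120 attacking threads, 100 search.asp completions per second, and a 60 s connection limit. It assumes arrivals at a constant rate and a fixed service time, models one request completion per tick of 1/100 s, and drops a request once it has waited longer than the limit; all of that is an assumption about how server A behaves, not something the article states.

```python
from collections import deque


def simulate(seconds, arrival_rate=120, service_rate=100, timeout=60):
    """FIFO model of the search.asp scenario.

    Assumed: constant-rate arrivals, fixed service time, one request completes
    per tick of 1/service_rate seconds, and a request is dropped once it has
    waited longer than `timeout` seconds. Returns counters plus the backlog at
    the end of every second.
    """
    timeout_ticks = int(timeout * service_rate)
    queue = deque()            # arrival tick of every request still waiting
    queue_by_second = []
    acc = 0                    # fractional arrivals carried between ticks (exact integer arithmetic)
    arrived = served = dropped = 0
    first_drop = None
    for tick in range(seconds * service_rate):
        # arrival_rate / service_rate requests arrive per tick (1.2 with the defaults)
        acc += arrival_rate
        while acc >= service_rate:
            queue.append(tick)
            arrived += 1
            acc -= service_rate
        # The oldest requests sit at the head, so only the head needs a timeout check.
        while queue and tick - queue[0] > timeout_ticks:
            queue.popleft()
            dropped += 1
            if first_drop is None:
                first_drop = tick // service_rate
        # One request is completed per tick, in arrival order.
        if queue:
            queue.popleft()
            served += 1
        if (tick + 1) % service_rate == 0:
            queue_by_second.append(len(queue))
    return {
        "requests": arrived,
        "served": served,
        "dropped": dropped,
        "first_drop_second": first_drop,
        "queue_by_second": queue_by_second,
    }


if __name__ == "__main__":
    minute = simulate(60)
    print(f"after 60 s: {minute['requests']} requests, {minute['served']} served, "
          f"{minute['queue_by_second'][-1]} still queued")
    ten = simulate(600)
    before = ten["queue_by_second"][ten["first_drop_second"] - 1]
    print(f"first request dropped during second {ten['first_drop_second']}, "
          f"backlog at the end of the previous second: {before}")
    print(f"after 600 s: served {ten['served']}, dropped {ten['dropped']}, "
          f"queue {ten['queue_by_second'][-1]}")
```

With the defaults the run reproduces the article's arithmetic: 7,200 requests and 6,000 completions after one minute with 1,200 queued, the first timeout during the 360th second with 7,200 requests queued, and from then on a backlog that never shrinks because 120 requests a second are being either served or expired. Raising the timeout or the thread count in the call shows how quickly the backlog grows beyond that.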
Prevention Methods
Having explained the attack principle, you will certainly ask how to defend against it. I do not know how to stop it with a hardware firewall short of blocking page access altogether; my method is to build the defense into the page code.
1. Use cookie authentication. Some will say that CC tools also accept cookies, but there the same cookie is used by every connection, so enabling IP + cookie authentication is enough.
2. Use a session. This check is more convenient than cookies: it can not only do IP authentication but also block refresh floods. In the page, decide whether this request is a refresh; if it is, refuse access; if it carries no refresh marker, give it one. Some demo session code:
<%
' The opening two lines of this fragment were cut off on the page; they are
' reconstructed from the description that follows ("the first visit makes Refresh = 1").
' First visit: Session("Refresh") is Empty (treated as 0), so it becomes 1 and the
' visitor is bounced to Index.asp. Later visits with the marker pass straight through.
If Session("Refresh") < 1 Then
    Session("Refresh") = Session("Refresh") + 1
    Response.Redirect "Index.asp"
End If
%>
So the user's first visit sets Refresh = 1, the second visit is normal, and the third is refused as a refresh. You can add a time parameter so that access is allowed again after a given interval; this limits access to the time-consuming pages while barely affecting normal visitors.
3. Use the HTTP_X_FORWARDED_FOR variable that proxies send to determine the real IP of the machine behind a proxy attack. This trick can identify the person launching the attack; not every proxy server sends it, but many do. Detailed code:
This generates CCLog.txt with records in the format: real IP [proxy IP] time. Look for the real IP that appears most often and you know who is attacking. Put this code in a conn.asp file in place of the file that opens the database connection, so that every database request goes through it and the attacker can be found immediately.
4. Another method is to redirect the statements that perform the data query, so that the other side must first visit a checking page and is then redirected onward.
5. On servers hosting multiple sites, strictly limiting the number of IP connections and the CPU time allowed per site is a very effective method.
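As an added example (not the article's ASP code, which is not reproduced on the page), here is a Python sketch of items 1 to 3 combined into one request gate: the session is bound to the address it was created from (IP + cookie), an expensive page gets a per-session refresh counter with the time window that item 2 suggests, and every request is logged as real IP [proxy IP] time using X-Forwarded-For so the most frequent real IP can be picked out. The window length, the hit limit, the function names and all addresses are assumptions, and the traffic in demo() is constructed.

```python
import time
from collections import Counter

# Tunables the article leaves to the site owner; these values are assumptions.
WINDOW_SECONDS = 10.0   # how often one session may load the expensive page
ALLOWED_HITS = 2        # hits inside one window: the 1st gets the refresh marker, the 2nd is served


def client_addresses(headers, remote_addr):
    """Split a request into (real_ip, proxy_ip).

    A forwarding proxy often adds X-Forwarded-For (ASP's HTTP_X_FORWARDED_FOR)
    with the original client address; the TCP peer is then the proxy. Without
    the header the peer is the client itself. The header is attacker-controlled
    and can be forged, so treat the result as a lead, not proof.
    """
    xff = headers.get("X-Forwarded-For", "").strip()
    if xff:
        return xff.split(",")[0].strip(), remote_addr
    return remote_addr, None


def log_line(real_ip, proxy_ip, when):
    """Same record shape the article describes for CCLog.txt: real IP [proxy IP] time."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(when))
    return f"{real_ip} [{proxy_ip or '-'}] {stamp}"


def gate(session, headers, remote_addr, now, cclog):
    """Decide one request for an expensive page.

    Returns "redirect" (first contact in this window: mark the session and
    bounce to index.asp), "allow", or "deny" (refresh flood or a session cookie
    replayed from another address). `session` is a per-client dict standing in
    for the ASP Session object.
    """
    real_ip, proxy_ip = client_addresses(headers, remote_addr)
    cclog.append(log_line(real_ip, proxy_ip, now))

    # 1. IP + cookie: a session used from an address other than the one that created it is refused.
    if session.setdefault("ip", remote_addr) != remote_addr:
        return "deny"

    # 2. Refresh counter with a time window.
    since = session.get("since", now)
    hits = session.get("refresh", 0)
    if now - since >= WINDOW_SECONDS:
        since, hits = now, 0            # window elapsed: start counting again
    hits += 1
    session["since"], session["refresh"] = since, hits
    if hits == 1:
        return "redirect"
    if hits <= ALLOWED_HITS:
        return "allow"
    return "deny"


def top_real_ips(cclog, n=3):
    """3. Most frequent real IPs in the log: the addresses behind the proxy pool."""
    return Counter(line.split(" ")[0] for line in cclog).most_common(n)


def demo():
    """Constructed traffic: one browser, and one CC tool replaying a single session through five proxies."""
    cclog = []
    t0 = 1_700_000_000.0
    browser = {}
    decisions = [gate(browser, {}, "198.51.100.7", t0 + i, cclog) for i in range(3)]
    later = gate(browser, {}, "198.51.100.7", t0 + WINDOW_SECONDS, cclog)   # window over, counter restarts
    shared = {}                                   # one session cookie shared by every attacking thread
    attacker = {"X-Forwarded-For": "203.0.113.9"}
    proxies = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
    replay = [gate(shared, attacker, proxy, t0 + i, cclog) for i, proxy in enumerate(proxies)]
    return decisions, later, replay, top_real_ips(cclog)


if __name__ == "__main__":
    decisions, later, replay, top = demo()
    print("browser:", decisions, "then after the window:", later)
    print("replayed session through proxies:", replay)
    print("most frequent real IPs in CCLog:", top)
```

The browser sequence comes out as redirect, allow, deny, and becomes redirect again once the window has passed, which is the behaviour item 2 describes; the replayed session is denied from the second proxy onward because it is bound to the first proxy's address; and the attacker's forwarded address tops the log. Two caveats a practitioner will want: the counter only bites against clients that keep cookies, so it must be combined with the per-address limits of item 5, and X-Forwarded-For is set by whoever sends the request, so it should be read only from proxies you have reason to trust.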
Defense against CC has to start from the code. In fact a good page coder should pay attention to these things anyway, just as with SQL injection: it is not only an intrusion vector but also a DDoS gap, and everyone should watch for it in their code. For example, one server held up under a 5,000-thread CC attack with no effect, because every one of its database requests required a random parameter kept in the session and all other pages were static. Then it turned out to have one request that fetched data from an outside server, took a long time, and had no authentication; an 800-thread attack on that request immediately drove the server to full load.
Code-level defense has to be done in the small details: one faulty script can bring down the whole site, or even affect the whole server. Be careful!