What is a CC attack, and how to protect a site against CC attacks: a collection of methods

Source: Internet
Author: User

A CC attack (Challenge Collapsar) is a type of DDoS (distributed denial of service) attack and a common way of attacking websites. The attacker uses proxy servers or compromised hosts (bots) to send a large number of packets to the victim host continuously, exhausting the server's resources until it crashes.


The technical bar for this attack is low: with tools and some proxy IPs, a user with beginner or intermediate computer skills can carry it out. However, once you understand how CC attacks work, it is not difficult to put effective precautions in place.

There are generally a few ways to defend against CC attacks. One is a firewall; some network companies also offer firewall services, such as XX website defender and xx Bao. Another is to write a program that does the defending. Yesterday the site came under a CC attack, which also gave me the chance to try out how effective the methods of preventing CC attacks are.

At first I wanted to use a certain site defender to stop the attack. From its interface it appeared to have blocked a large number of CC attacks, but when I logged in to the site I found that traffic was still abnormal and the attack was continuing, so it seems the site defender did not achieve the intended effect.

In principle, essentially all firewalls monitor the number of concurrent TCP/IP connections, and treat connections that exceed a certain number or frequency as a connection flood. However, if the attacker has enough IPs that each individual IP makes only a few connections, the firewall may not be able to stop the CC attack.

In fact, by analyzing the site's logs it is easy to tell which IPs belong to the CC attack, because a CC attack ultimately fetches web pages with a program, and its behavior differs considerably from that of ordinary visitors. An ordinary visitor who views a page fetches, in succession, the page's HTML file, CSS files, JS files, images, and a series of other related files, whereas a CC attacker fetches only the file at a single URL and no other types of file; the attackers' User-Agent also mostly differs from that of ordinary visitors. This makes it easy to distinguish on the server which visitors are CC attackers. Once the attackers' IPs can be determined, the countermeasure is simple: block these IPs in batches, and the CC attack is prevented.

Finally, I spent half an hour writing a small program. After it ran, it automatically blocked several hundred IPs and the site returned to normal, which proves that the firewall is not effective at protecting against CC attacks; the most effective method is to have a program on the server side block the attackers automatically.
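The log analysis described above, as an added example (it is not the author's program): it reads an IIS W3C extended log and lists client IPs that requested a single URL repeatedly without fetching any CSS, JS or image files. The sample log, the `min_requests` threshold and the function names are constructed for illustration.

```python
from collections import defaultdict

# Extensions a real browser requests alongside the HTML page itself.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg")

def _rows(ip, paths):
    # Helper that builds constructed sample log lines for one client.
    return "".join(f"2024-01-01 10:00:00 {ip} GET {p} 200\n" for p in paths)

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    + _rows("198.51.100.7", ["/index.php"] * 6)   # one URL only, no assets
    + _rows("198.51.100.8", ["/index.php"] * 6)   # one URL only, no assets
    + _rows("203.0.113.9", ["/index.php"] * 5 + ["/css/site.css", "/logo.png"])
    + _rows("192.0.2.4", ["/index.php"] * 2)      # too few requests to judge
)

def parse_w3c(text):
    """Yield one dict per request, named by the log's #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))

def suspect_ips(text, min_requests=5):
    """Return IPs that requested a single URL repeatedly and no page assets."""
    pages = defaultdict(lambda: defaultdict(int))  # ip -> url -> hits
    assets = defaultdict(int)                      # ip -> asset hits
    for row in parse_w3c(text):
        ip, path = row["c-ip"], row["cs-uri-stem"].lower()
        if path.endswith(ASSET_EXT):
            assets[ip] += 1
        else:
            pages[ip][path] += 1
    return sorted(
        ip for ip, hits in pages.items()
        if len(hits) == 1 and sum(hits.values()) >= min_requests and assets[ip] == 0
    )

if __name__ == "__main__":
    print("\n".join(suspect_ips(SAMPLE_LOG)))
```

Browsers with a warm cache and API clients also fetch no assets, so treat the output as candidates and check it against a whitelist before blocking in bulk.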

The barrier to a CC attack really is low: with a few hundred proxies or bots an attacker can attack others at very low cost, yet with an obvious effect. If the attacker's traffic is huge, the attack can also work by consuming bandwidth. However, the CC attack also has a clear technical weakness: the attacker's IPs are not massive in number, usually at the level of hundreds of thousands, and they really do access the site's pages. This lets the site easily obtain the attackers' IPs by filtering with a program and block them in batches, and the CC attack is then prevented.

IIS Experts CC defense system: this is software with a fairly good CC defense effect, and it is recommended here.

IIS Experts: http://www.jb51.net/softs/43858.html

The following is a demonstration of the IIS Experts CC defense feature.

CC attacks, together with DDoS, UDP and SYN flood, are today's four most popular attack modes. Hardware firewalls defend better against attacks such as UDP, but for a full-connection attack like CC, software defense has the advantage.
The CC principle, summed up: using proxies or bots, the attacker sends a server a large number of requests for (certain) files that consume a great deal of processing, far beyond the server's processing capacity, so that the server is paralyzed and cannot respond to normal requests.
Basic features: you can view the current TCP connections with the cmd command netstat -an. If you find many repeated waiting connections, such as "TCP 211.87.147.4:80 220.10.69.67:2205 syn_received 4", the server CPU stays at 100%, bandwidth usage is also very high, and CPU usage returns to normal after the web service is stopped, the situation can be judged to be a CC attack.
Compared with other software defenses, IIS Experts' CC defense has the advantage of being intelligent and not affecting access by normal users, as demonstrated next:

I. CC defense basic information settings:
First we set the prompt message that is sent to the client's browser after CC defense takes effect, as shown in Figure 1:


Figure 1 Setting up a cc attack blocker alert message

Next, set the basic CC defense parameters, as shown in Figure 2:


Figure 2 CC Defense basic parameter settings

As for the defense performance index, if CC cannot be defended against, we can set it a little lower, such as 8-15.
Once this is set up, let's continue:
II. Deny proxy access:
1. CC attacks generally use proxies. Selecting "Deny all proxy access" in Figure 2 is a good way to prevent attacks that come through proxies. Set a proxy in the browser and open the test page, as shown in Figure 3:


Figure 3 Prohibit proxy access to the server

III. Defending against malicious refresh, demo:
1. In Figure 2, set the upper limit on connections from a single IP to 15 (meaning that each IP is allowed 15 requests for a page within one second). Exceeding that limit is considered malicious refreshing and the system intercepts it, as shown in Figure 4:


Figure 4 Intercepting malicious refresh from a single IP

After an IP is intercepted, it is automatically unblocked once the "Defense unlock time" set in Figure 2 has passed; if it continues to attack, it is intercepted again. After interception, the interception log is produced immediately: Blacklist_ip.log
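The limit and unlock behaviour described above can be modelled as follows. This is an added example, not code from IIS Experts: the class and function names are hypothetical, the 30-second unlock time is an assumed value (the page gives none), and the request timestamps are constructed.

```python
class RefreshGuard:
    """Per-IP, per-page request limit with a timed block (hypothetical names)."""

    def __init__(self, limit=15, window=1.0, unlock_time=30.0):
        self.limit = limit              # requests allowed per IP per page per window
        self.window = window            # seconds; the text's example uses one second
        self.unlock_time = unlock_time  # assumed value; the text gives no number
        self.hits = {}                  # (ip, page) -> recent request timestamps
        self.blocked_until = {}         # ip -> time at which the block expires

    def allow(self, ip, page, now):
        """Return True if the request is served, False if it is intercepted."""
        if now < self.blocked_until.get(ip, 0.0):
            return False                # still inside the unlock time
        self.blocked_until.pop(ip, None)
        # Keep only this IP's requests for this page inside the sliding window.
        recent = [t for t in self.hits.get((ip, page), []) if now - t < self.window]
        recent.append(now)
        self.hits[(ip, page)] = recent
        if len(recent) > self.limit:
            # Over the limit: intercept and start the unlock timer for this IP.
            self.blocked_until[ip] = now + self.unlock_time
            self.hits.pop((ip, page), None)
            return False
        return True


def simulate():
    """Replay constructed traffic: a burst, a retry while blocked, a second burst."""
    guard = RefreshGuard(limit=15, window=1.0, unlock_time=30.0)
    ip, page = "198.51.100.7", "/index.php"
    burst = [guard.allow(ip, page, 0.01 * i) for i in range(20)]
    during = guard.allow(ip, page, 10.0)       # inside the unlock time
    after = guard.allow(ip, page, 40.0)        # block has expired
    again = [guard.allow(ip, page, 45.0 + 0.01 * i) for i in range(20)]
    reblocked = not guard.allow(ip, page, 50.0)
    return burst.count(True), during, after, again.count(True), reblocked


if __name__ == "__main__":
    print(simulate())
```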

IV. Defending against bot attacks, demo (using semi-automatic filtering as the example):
More advanced CC attacks use bots in addition to proxies, overwhelming the server. If IIS Experts detects a bot attack, it immediately requires users who access the attacked page to enter a verification code, and only users who pass verification can access it, while the server's other pages that are not under attack remain accessible as usual, entirely unaffected, as shown in Figure 5:


Figure 5 Normal access after entering a verification code

After a page is protected, its defenses are automatically lifted once the "defensive unlock time" in Figure 2 has passed; if the page continues to be attacked, IIS Experts protects it again. After interception, the log is generated immediately: Blacklist_cc.log

V. IP blacklist:
Untrusted IPs can be blacklisted directly to prevent them from accessing the server, as shown in Figure 6:


Figure 6 Setting the IP blacklist

With the IP "127.0.0.1" set on the blacklist, users who access through that IP are intercepted, as shown in Figure 7:


Figure 7 Block IP

After a CC defense action, IIS Experts records the attack in its log, as shown in Figure 5:


Figure 5 CC Defense logs seen on the master side

VI. Summary:

1. IIS Experts has been tested to successfully defend against an attack of 8000 TCP connections;
2. The effectiveness of CC defense depends on many factors, including the defense rule settings, the server's own parameters, the object the illegitimate user attacks, the mode of attack they use, and so on;
3. To be more user-friendly, IIS Experts does not rashly refuse normal users, and the whitelist system is a good solution to this problem.
