What is a CC attack? What is the difference from a DDOS attack?

Suitable for readers: DDOS researchers, webmasters, and network administrators
Prerequisites: Basic ASP Reading Capability

Many of my friends know the bucket theory. The maximum capacity of a bucket is determined not by its highest capacity, but by its lowest capacity. The same is true for servers, the security of a server is also determined by its most vulnerable aspect. The most vulnerable aspect is how dangerous a server is. The same is true for DDOS attacks. As long as your server has a resource-consuming location with insufficient limits, it will immediately become the target of DDOS attacks. For example, the SYN-FLOOD, it is to use the server semi-connection status is more resource consumption than the full connection status, and the SYN initiator only needs to keep sending packets, does not need much resources at all.

A good DDOS attack must be through the consumption of their very few resources to bring the other side of the larger resource consumption, otherwise such as ICMP-FLOOD and UDP-FLOOD must be the same as other people's bandwidth, the number of resources consumed by the server on the other side is also subject to the loss of resources. The efficiency is extremely low, and it is easy to be found. Now there are basically no other users.

Attack principles
CC is mainly used to attack pages. Everyone has this experience: when visiting a Forum, if the forum is large and there are many visitors, the page opening speed will be slow, right ?! Generally, the more people access the forum, the more pages the Forum has, the larger the database, the higher the frequency of access, and the considerable amount of system resources occupied, now, I know why many space service providers say that you should not upload forums, chat rooms, or other things.

A static page does not need many resources on the server. You can even read it from the memory and send it to you, but the Forum is different. I will read a post, the system needs to go to the database to determine whether I have the permission to read the Post. If so, read the content in the post and display it. The database is accessed at least twice, if the size of the database is MB, the system will probably search for the data space of MB. How many CPU resources and time is required? If I search for a keyword, the time is more impressive, because the previous search can be limited to a very small range. For example, the user permission can only query the user table, and the post content can only query the post table, in addition, you can immediately stop the query, and the search will certainly make a judgment on all the data, which consumes a considerable amount of time.
CC makes full use of this feature to simulate the constant access of multiple users (the number of threads is the number of users) (to access pages that require a large amount of data operations, that is, pages that require a large amount of CPU time ). Many of my friends asked, why do I need a proxy? Because the proxy can effectively hide its identity or bypass all firewalls, basically all firewalls detect the number of concurrent TCP/IP connections, if it exceeds a certain number, it will be considered as Connection-Flood.

Proxy attacks can also ensure good connection. We have sent data here, and the proxy will help us forward the data to the other server, so we can immediately disconnect, the proxy will continue to connect to the other party (I know that someone has used 2000 proxies to generate 0.35 million concurrent connections ).
Many friends may not be able to understand it very well. Let me describe it. Let's assume that server A is against Search. the processing time of asp is 0.01 S (multithreading is only time division and does not affect the conclusion). That is to say, it can ensure the Search requests of 100 users in one second, the maximum connection time allowed by the server is 60 s, so we use CC to simulate 120 concurrent connections. After 1 minute, the server is requested 7200 times and processed 6000 times, as a result, the remaining 1200 concurrent connections are not processed. Some may say: Lost connection! Lost connection! The problem is that the servers are dropped in the order of first arrival and second arrival. These 1200 servers were initiated in the last 10 seconds. Do you want to lose them ?! It's still early. After calculation, when the server starts to lose connections when the server is full and negative, there should be 7200 concurrent connections in the queue, and then the server starts to lose connections in 120/second, the number of connections we initiate is also 120 per second. The server will never be able to process the connection. The server's CPU usage is 100% and remains unchanged for a long time, and the server that lost the connection will not be able to process the connection, the new connection cannot be processed, so that the server is very busy.

Let's assume that the server only processes Search For 0.01 S, that is, 10 ms (you can go to various forums with open time display). We only use 120 threads, many servers have far longer lost connections than 60 s. We use more than 120 threads, which is terrible as you can imagine. As long as the client sends a disconnect message, the connection persistence is done by the proxy, when the server receives an SQL request, it will certainly enter the queue, whether or not the connection is disconnected, and the server is concurrent, not sequential, so that more requests will enter the memory request, it has a higher load on the server.
Of course, CC can also use this method to attack FTP, you can also achieve TCP-FLOOD, these are tested effective.

Defense methods
After talking about the attack principle, we will certainly ask, how can we defend against it? I don't know how to prevent using the hardware firewall, unless you completely block page access, my method is to implement defense through page writing.
1. Use Cookie authentication. At this time, my friend said that cookies are also allowed in CC, but the cookies here are used for all connections, so you can enable IP + Cookie authentication.
2. Use Session. This judgment is more convenient than Cookie. It can be used not only for IP authentication, but also for anti-Refresh mode. When the page is refreshed, it will not be accessed, and no refresh symbol will be used to refresh it. Let's give you some DEMO code, Session:
1 then
Session ("refresh") = session ("refresh") + 1
Response. redirect "index. asp"
End if
%>
In this way, the user's first access will make Refresh = 1, the second access, normal, and the third access will not allow him to access it. It is regarded as a Refresh, and a time parameter can be added to allow access for how long, in this way, access to time-consuming pages is restricted, which has almost no impact on normal customers.
3. the HTTP_X_FORWARDED_FOR variable sent by the proxy is used to determine the real IP address of the machine attacked by the proxy. This can be used to find the attacker. Of course, not all proxy servers are sent, however, many Proxies send this parameter. Code details:
In this example, cclog.txt is generated. The record format is: real IP Address [proxy IP address] time. To see which real IP address appears more times, you will know who is under attack. Make the code into a Conn. asp file to replace the files that connect to the database, so that all database requests are connected to the file, and then the attacker can be immediately detected.
4. Another method is to add the statement for Data Query after Redirect so that the other party must first access a judgment page and then Redirect the past.
5. On servers with multiple sites, it is very effective to strictly limit the number of IP connections allowed by each site and the CPU usage time.
CC defense should start with code. In fact, a good page code should pay attention to these things, as well as SQL injection. It is not only an intrusion tool, but also a DDOS gap, everyone should pay attention to it in the code. For example, a server has launched a 5000-line CC attack and has no response because all its database access requests must have a random parameter in the Session, which is a static page, no effect. It was suddenly found that a request would be sent to an external server. It took a long time and there was no authentication. The server was immediately overloaded due to a 800-line attack.

The defense at the code layer should start from the ground up. A script code error may affect the entire site, or even the entire server. Be careful!