CC attacks
What is worse than a DDoS attack is that a CC attack is hard to prevent. Why? 1. The IP addresses used in a CC attack are real and scattered; 2. CC attack packets are normal packets; 3. CC attack requests are all valid requests, so they cannot simply be rejected.
1. Attack principles
The principle of a CC attack is that the attacker controls a number of hosts that repeatedly send large numbers of packets to the target server, exhausting its resources until the server crashes. CC is mainly used to attack web pages. Everyone has had this experience: when a web page has a large number of visitors, it becomes slow to open. CC simulates many users (the number of threads is the number of simulated users) that constantly access pages requiring heavy data operations (that is, a lot of CPU time), wasting server resources. When the CPU stays at 100% for a long time, there are always more connections waiting, until the network becomes congested and normal access stops.
2. Attack symptoms
CC attacks are concealed. How can we determine whether the server is under, or has been under, a CC attack? The following three methods can be used.
(1). Command Line Method
Generally, when a Web server suffers a CC attack, port 80 is effectively shut down because it is blocked by a large volume of junk traffic and normal connections are held up. Run netstat -an at the command prompt and check whether the connection records resemble the following:
......
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
......
"192.168.1.6" is the IP address of the host used as the attacking proxy, and "SYN_RECEIVED" is the TCP connection state, indicating that the handshake has not completed and the server is still waiting for a response. This is the attack signature. In general there are many such records, indicating attacks from many different proxy IP addresses.
(2). Batch Processing
The preceding method requires manual command input, which is impractical if the Web server has too many IP connections. Instead, we can create a batch file whose script determines whether a CC attack exists. Open Notepad, type the following code, and save it as CC.bat:
@echo off
REM Record the time the snapshot was taken (overwrites any previous log)
time /t > log.log
REM Append every TCP connection involving port 80 to the same log
netstat -n -p tcp | find ":80" >> log.log
REM Open the result for review
notepad log.log
exit
The script filters out all connections on port 80. When the server seems abnormal, double-click the batch file and review all the connections in the log.log file that opens. If one IP address has a large number of connections to the server, it can be concluded that this IP address is launching a CC attack against the server.
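The batch file above only dumps the connection table; deciding which remote address is "launching a CC attack" is still done by eye. The following Python script is an added example (not part of the original article) that performs that step: it parses the text format printed by Windows netstat -n -p tcp, counts connections to local port 80 per remote IP broken down by TCP state, and ranks the addresses that exceed a threshold. The sample output, the threshold of 3 and the function names are constructed for the example.

```python
"""Count connections per remote IP from Windows ``netstat -n -p tcp`` output."""
from collections import Counter, defaultdict

# Constructed sample output in the layout printed by Windows netstat
# (Proto, Local Address, Foreign Address, State). Not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.3:80         192.168.1.6:2203       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2204       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2205       ESTABLISHED
  TCP    192.168.1.3:80         192.168.1.6:2206       SYN_RECEIVED
  TCP    192.168.1.3:80         10.0.0.7:51234         ESTABLISHED
  TCP    192.168.1.3:3389       10.0.0.9:40001         ESTABLISHED
  TCP    192.168.1.3:80         10.0.0.8:51235         TIME_WAIT
"""


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, state) for each TCP line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header, blank line, or a protocol we do not care about
        local, remote, state = parts[1], parts[2], parts[3]
        # rsplit on the last ':' so bracketed IPv6 addresses also split correctly
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, _remote_port = remote.rsplit(":", 1)
        yield local_ip, int(local_port), remote_ip, state


def connections_by_remote(text, port=80):
    """Return {remote_ip: Counter(state -> count)} for connections to local `port`."""
    result = defaultdict(Counter)
    for _local_ip, local_port, remote_ip, state in parse_netstat(text):
        if local_port == port:
            result[remote_ip][state] += 1
    return dict(result)


def suspicious_ips(text, port=80, threshold=3):
    """Remote IPs with at least `threshold` connections to `port`, busiest first.

    The threshold is a constructed value for the example; tune it to the site's
    normal per-client concurrency before acting on the result.
    """
    table = connections_by_remote(text, port)
    ranked = sorted(table.items(), key=lambda kv: -sum(kv[1].values()))
    return [ip for ip, states in ranked if sum(states.values()) >= threshold]


if __name__ == "__main__":
    for ip, states in connections_by_remote(SAMPLE_NETSTAT).items():
        print(ip, sum(states.values()), dict(states))
    print("suspicious:", suspicious_ips(SAMPLE_NETSTAT))
```

On a live host, replace SAMPLE_NETSTAT with the output of the batch file's netstat line (or read log.log) and run the script periodically; a remote address that keeps many half-open SYN_RECEIVED connections to port 80 is the pattern the article describes, while a single address with many TIME_WAIT entries is usually just a busy legitimate client.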
(3). View system logs
The preceding two methods have a drawback: they only show a CC attack that is in progress right now. To check whether the Web server has suffered a CC attack at any point, use the Web logs, which faithfully record every IP address that accessed Web resources. By checking the logs, we can determine whether the Web server has been under CC attack, identify the attacker's IP addresses, and then take further measures.
Web logs are generally stored in the C:\WINDOWS\system32\LogFiles\HTTPERR directory. This directory contains log files with names like httperr1.log, which record Web access errors. The administrator can select the log to open by its timestamp and analyze whether the Web server is under CC attack.
By default, Web logs record only a few fields. We can configure IIS so that the Web logs record more fields for security analysis. The procedure is as follows:
Open "Start > Administrative Tools > Internet Information Server", expand the tree on the left to locate the Web site, right-click it and choose "Properties" to open the site Properties window. On the "Web Site" tab, click "Properties". In the "Advanced" tab of the "Logging Properties" window, select the "Extended Properties" you want the Web logs to record. For example, "Bytes Sent", "Bytes Received" and "Time Taken" are not selected by default, but they are very useful for recording and judging CC attacks, so select them.
In addition, if you have high security requirements, set the "New Log Schedule" on the "General" tab so that a new log is started every hour or every day. To make later analysis easier, select "Use local time for file naming and rollover".
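Once the extended fields are enabled, the logs are written in the IIS W3C extended format, where a #Fields: directive names the columns in each line. The following Python script is an added example (not part of the original article) showing how those extra fields are used in practice: it parses the #Fields header so the column order does not have to be hard-coded, totals requests, bytes sent and time-taken per client IP, and flags clients that both request often and consume a lot of server time per request, which is the "pages requiring heavy CPU time" pattern the article attributes to CC. The sample log, the thresholds and the function names are constructed for the example.

```python
"""Per-client summary of an IIS W3C extended log with sc-bytes, cs-bytes and time-taken enabled."""
from collections import defaultdict

# Constructed sample log in IIS W3C extended format. The #Fields directive lists the
# columns; sc-bytes, cs-bytes and time-taken (milliseconds) are the optional fields
# the text recommends enabling. This is not a real server log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs-bytes time-taken
2024-01-01 00:00:01 192.168.1.6 GET /search.asp 200 5120 310 1840
2024-01-01 00:00:01 192.168.1.6 GET /search.asp 200 5120 310 1910
2024-01-01 00:00:02 192.168.1.6 GET /search.asp 200 5120 310 2050
2024-01-01 00:00:02 10.0.0.7 GET /index.htm 200 2048 290 12
2024-01-01 00:00:03 192.168.1.6 GET /search.asp 200 5120 310 1970
2024-01-01 00:00:03 10.0.0.8 GET /logo.png 200 8192 280 5
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new directive can appear after log rollover
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign the columns
        yield dict(zip(fields, values))


def summarize_clients(text):
    """Return {c-ip: {'requests', 'time_taken_ms', 'sc_bytes'}} totals per client."""
    totals = defaultdict(lambda: {"requests": 0, "time_taken_ms": 0, "sc_bytes": 0})
    for rec in parse_w3c(text):
        entry = totals[rec["c-ip"]]
        entry["requests"] += 1
        entry["time_taken_ms"] += int(rec["time-taken"])
        entry["sc_bytes"] += int(rec["sc-bytes"])
    return dict(totals)


def heavy_clients(text, min_requests=3, min_avg_ms=1000):
    """Clients that request at least `min_requests` times with a high average time-taken.

    Both thresholds are constructed values for the example; calibrate them against
    the site's normal traffic before treating a match as an attacker.
    """
    flagged = []
    for ip, t in summarize_clients(text).items():
        avg_ms = t["time_taken_ms"] / t["requests"]
        if t["requests"] >= min_requests and avg_ms >= min_avg_ms:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for ip, t in summarize_clients(SAMPLE_LOG).items():
        print(ip, t)
    print("heavy clients:", heavy_clients(SAMPLE_LOG))
```

Reading the log file instead of the inline sample is a matter of passing open(path).read() to the same functions. The per-client average of time-taken is what the extra fields buy you: a static-file client and a client hammering a CPU-heavy page can have the same request count, and only the time-taken column separates them.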
The severity of CC attacks deserves your attention; be aware of them and strengthen your defenses.