How to use Iptables to prevent a Web server from being cc-attacked

CC attacks are more frightening than DDoS attacks, where CC attacks are generally hard to prevent. Why, then? First, because the CC attack IP is true, decentralized; second, the CC attack packets are the normal packet; third, the CC attack request, all are valid requests, cannot reject the request.

1, Attack principle

The principle of the CC attack is that the attacker controls some hosts to keep sending a large number of packets to the other server, causing the server to run out of resources until downtime crashes. CC is primarily used to attack pages, everyone has this experience: when a Web page visits a very large number of times, open the page is slow, CC is to simulate multiple users (how many threads are many users) Non-stop access to those who need a lot of data operations (that is, the need for a large amount of CPU time) of the page, Cause the waste of server resources, CPU for a long time in 100%, always have to deal with the connection until the network congestion, normal access was aborted.

2. Attack symptom

The CC attack has some concealment, so how can you determine if the server is suffering or has suffered a CC attack? We can determine this by following three methods.

(1). Command Line method

Typically, when a CC attack occurs, the Web server will have a 80 port shutdown because the port has been blocked by a large amount of garbage data and the normal connection is aborted. We can view it by typing the command Netstat-an at the command line, and if we see a large number of connection records similar to the following, you can basically be cc-attacked:

 
  
  

  
   
   
......
  
   
   

  
   
   
TCP 192.168.1.3:80 192.168.1.6:2203 syn_received 4
  
   
   

  
   
   
TCP 192.168.1.3:80 192.168.1.6:2203 syn_received 4
  
   
   

  
   
   
TCP 192.168.1.3:80 192.168.1.6:2203 syn_received 4
  
   
   

  
   
   
TCP 192.168.1.3:80 192.168.1.6:2203 syn_received 4
  
   
   

  
   
   
TCP 192.168.1.3:80 192.168.1.6:2203 syn_received 4 ...
 
  
  

where "192.168.1.6" is used to proxy attacks of the host's IP, "syn_received" is the TCP connection status flag, meaning "is in the initial sync state of the connection", indicating that the handshake response could not be established in wait state. This is the characteristics of the attack, in general, such records will generally have a number of lines, representing the attacks from different proxy IP.

(2). Batch processing method

The above method requires manual input, and if the Web server IP connection is too much, we can create a batch file that determines whether a CC attack exists through the script code. Open Notepad and type the following code to save as Cc.bat:

 
  
  

  
   
   
@echo off
  
   
   

  
   
   
time/t >>log.log
  
   
   

  
   
   
Netstat-n-P TCP |find ":" >>log.log
  
   
   

  
   
   
Notepad Log.log
  
   
   

  
   
   
Exit
 
  
  

The meaning of the above script is to filter out all current connections to port 80. When we feel a server exception, you can double-click to run the batch file, and then view all the connections in the open Log.log file. If the same IP has a relatively many connections to the server, it is basically possible to determine that the IP is a cc attack on the server.

(3). View System Log

The above two methods have the disadvantage of only viewing the current CC attack, to determine whether the Web server before the CC attack is powerless, we can search through the Web log, because the Web logs faithfully record all IP access to Web resources. By looking at the logs we can have the Web server before the CC attack and identify the attacker's IP and then take further action.

Web logs are typically in the C:windowssystem32logfileshttperr directory, which uses a log file similar to Httperr1.log, which is a record of Web access errors. The administrator can select the appropriate log opening based on the log time properties to analyze whether the web is being hacked by CC.

By default, there are not many entries for Web logging, which we can set up through IIS to allow web logs to record more entries for security analysis. The following steps are:

Start → admin tool to open Internet Information Server Expand the item to the left to navigate to the appropriate Web site, then right-click to select Properties to open the Site Properties window, click the Properties button under the Web Site tab, and in the "Advanced" section of the Logging Properties window tab, you can check the appropriate extended properties to allow the Web log to be logged. For example, the "bytes Sent," "Bytes Received," and "time spent" of these three items are not selected by default, but are useful in recording the CC attack, and can be checked.

In addition, if you have high security requirements, you can set up the new log schedule under the General tab to record hourly or every day. In order to make it easier to analyze later, you can check "file naming and creation using local time".

The severity of the CC attack I hope you can arouse attention, a lot of awareness of prevention.

Article http://www.fkddos.com/tech/2012/0925/4.html from DDoS Software