Handling a Linux server under attack

Source: Internet
Author: User
Tags: apache, log

On May 12, 2016, at around 14:00, customer service reported that "the website has blown up."


I opened Xshell, connected to the server and ran top: the load average was above 100, where it is normally around 2-3.

The httpd processes were saturating the machine and, bit by bit, the server stopped responding. Presumably a CC attack or a DDoS attack.

Okay, let's look at the connections and the logs.

Assume the Apache access log lives at /var/log/httpd/access.log (adjust this to your own environment).

Top 20 IPs by number of connections to port 80 (commonly used to find the source of an attack):

[root@xxx ~]# netstat -anlp | grep ':80 ' | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n 20
 302700 127.0.0.1
 xxxxxxxxxxxxxx

The top entry is the local loopback address.

View connections in TIME_WAIT:

[root@xxx ~]# netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n 20
 11080 192.168.xx.xx:***
 xxxxxxxxxxxxxxxxxxxxx

That is the address of the database connection.

IPs with the most requests to this single server:

[root@xxx log]# cat /var/log/httpd/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
 232111 218.xxx.xxx.xxx
 144089 xxx.xxx.xxx.xxx
 111629 xxx.xxx.xxx.xxx
  79444 59.xxx.xxx.xxx
  76718 119.xxx.xxx.xxx
  68785 xxx.xxx.208.30
    622 xxx.xxx.236.103
 *********************

Okay, so we have found the "attacking IP".
More than 200,000 requests to one server from a single IP; with n servers that is n times 200,000-plus, so this IP is certainly not normal. But after binding the domain to that IP I found the website was still reachable through it, so it is presumably the CDN's IP.
Looking at the log, a single access address (a dynamic page) was being hammered.

So 218.xxx.xxx.xxx is not the real attacking IP, and it cannot simply be blocked. In the end the only option was to contact the CDN provider and have them limit, on the CDN side, how many requests per second each IP may make. Once that took effect the server load returned to normal.

A short summary:

1. Website traffic looked normal, so at first this was not identified as an attack, which delayed the fix. There were no abnormal traffic statistics: CNZZ showed 14:00 higher than usual, but with a big new promotion channel coming in that could also pass as normal.

2. There is a rate limit on nginx, but the problem was on Apache: a headache treated by tending to the feet?

## Use the client IP address ($binary_remote_addr) as the key, with at most 50 concurrent connections per IP.
## Want to open thousands of connections to hammer me? Above 50 connections you get a 503 straight away and the request is not handled at all.
limit_conn_zone $binary_remote_addr zone=totalconnlimitzone:10m;
limit_conn totalconnlimitzone 50;
limit_conn_log_level notice;

## Use the client IP address ($binary_remote_addr) as the key, processing 10 requests per second per IP.
## Want to script hundreds of requests a second? No: anything over the rate is not handled and gets a 503.
limit_req_zone $binary_remote_addr zone=connlimitzone:10m rate=10r/s;
limit_req_log_level notice;

server {
    listen 80;
    server_name www.xxxxxx.com xxxxxx.com;
    root /wwwroot/web/xxxxxx.com/;
    access_log off;
    error_log /data/wwwroot/log/www.xxxxxx.com-error.log;

    if ($host = 'xxxxxx.com') {
        rewrite ^/(.*)$ http://www.xxxxxx.com/$1 permanent;
    }

    location / {
        ## burst=10: on top of the 10 requests per second, up to 10 more may be queued;
        ## anything beyond that is answered with a 503 immediately (nodelay)
        limit_req zone=connlimitzone burst=10 nodelay;
        proxy_pass http://127.0.0.1:xxxxxx;
        expires 1d;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location ~ .*\.(jpg|jpeg|gif|png|ico|asf|avi|fla|flv|mp3|mp4|rm|rmi|rmvb|wav|wma|wmv|7z|aiff|bmp|csv|doc|docx|gz|gzip|mid|xml|zip|mov|mpc|mpeg|mpg|ods|odt|pdf|ppt|pptx|pxd|qt|ram|rar|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|xls|xlsx)$ {
        expires 30d;
        access_log off;
    }

    location ~ .*\.(js|css)$ {
        expires 30d;
        access_log off;
    }

    deny 218.xxx.xxx.xxx;
}

3. In the application, make a judgment: if the clicks look malicious, show a verification code or some other prompt.

4. Follow-up work: rate limiting on the server itself.

http://www.jb51.net/article/58060.htm (not tested)

Think about it: a local test would surely pass, but the server sits behind a CDN, so the IP recorded is the CDN's IP; limiting on that IP would also limit normal visitors.

Limit the number of visits at the CDN tier, and on the server add a CDN IP whitelist while limiting the IPs that attack the server directly.

5. Other commands:

Write the URLs that returned 404 to /root/404page.txt:

awk '($9 ~ /404/)' /var/log/httpd/access.log | awk '{print $9,$7}' | sort > /root/404page.txt

The busiest time periods (by minute):

awk '{print $4}' /var/log/httpd/access.log | cut -c 14-18 | sort | uniq -c | sort -nr | head

Top 10 URLs visited today:

cat /var/log/httpd/access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10

Top 10 URLs on a given day:

cat /var/log/httpd/access.log | grep "10/Dec/2010" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
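As an added example (not code from the original post), the same log checks as a small Python parser over constructed Apache combined-format lines. It adds the one thing the awk one-liners above lack: a per-second burst check that skips an assumed CDN edge address, so the CDN node is not mistaken for the attacker. The sample IPs and the whitelist entry are constructed, not the post's.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample, not the post's log: 10.0.0.1 stands in for a CDN edge node
# (whitelisted), 203.0.113.9 hits a dynamic page directly several times a second.
SAMPLE_LOG = """\
10.0.0.1 - - [12/May/2016:14:00:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.1 - - [12/May/2016:14:00:01 +0800] "GET /logo.png HTTP/1.1" 200 99 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2016:14:00:01 +0800] "GET /list.php HTTP/1.1" 200 20 "-" "python-requests"
203.0.113.9 - - [12/May/2016:14:00:01 +0800] "GET /list.php HTTP/1.1" 200 20 "-" "python-requests"
203.0.113.9 - - [12/May/2016:14:00:01 +0800] "GET /list.php HTTP/1.1" 200 20 "-" "python-requests"
203.0.113.9 - - [12/May/2016:14:00:02 +0800] "GET /list.php HTTP/1.1" 200 20 "-" "python-requests"
198.51.100.7 - - [12/May/2016:14:01:30 +0800] "GET /missing.html HTTP/1.1" 404 10 "-" "Mozilla/5.0"
"""

CDN_WHITELIST = {"10.0.0.1"}  # assumed CDN edge address; use the provider's real list

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def top_ips(records, n=10):
    """Same as: awk '{print $1}' | sort | uniq -c | sort -nr | head -n"""
    return Counter(r["ip"] for r in records).most_common(n)

def bursty_ips(records, per_second_limit, whitelist=CDN_WHITELIST):
    """IPs exceeding per_second_limit within any single second, ignoring CDN edges.
    Blocking a CDN edge would cut off every visitor behind it, so those are skipped."""
    per_sec = defaultdict(Counter)
    for r in records:
        if r["ip"] not in whitelist:
            per_sec[r["ip"]][r["ts"][:20]] += 1  # key: "dd/Mon/yyyy:HH:MM:SS"
    peaks = {ip: max(c.values()) for ip, c in per_sec.items()}
    return {ip: p for ip, p in peaks.items() if p > per_second_limit}

def not_found_urls(records):
    """(status, url) of every 404, like awk '($9 ~ /404/)' | awk '{print $9,$7}'."""
    return sorted((r["status"], r["url"]) for r in records if r["status"] == "404")

def busiest_minutes(records, n=5):
    """Requests per HH:MM, the cut -c 14-18 trick on the parsed timestamp."""
    return Counter(r["ts"][12:17] for r in records).most_common(n)
```

Point parse() at the real access.log contents and feed the result to bursty_ips() with the provider's edge addresses in the whitelist; the IPs it returns are the direct-to-origin clients the post says should be limited on the server.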


This article is from the "Hongtashan" blog; please keep this source: http://9388751.blog.51cto.com/9378751/1775389
