On May 12, 2016, at around 14:00, customer service sent a notice saying "the website blew up."
I opened Xshell, connected to the server and ran top: the load average was over 100, whereas it normally sits around 2-3.
The httpd service was saturated and the server was grinding to a halt, slowly ... slowly ... presumably under a CC (HTTP flood) attack or a DDoS attack.
OK, let's look at the logs honestly:
Assume the Apache log file is at /var/log/httpd/access.log (this varies with the environment).
Find the top 20 IPs by number of connections (a common way to find the source of an attack):
[root@xxx ~]# netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
302700 127.0.0.1
xxxxxxxxxxxxxx
The top entry is the local loopback address.
Check connections in TIME_WAIT:
[root@xxx ~]# netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
11080 192.168.xx.xx:***
Xxxxxxxxxxxxxxxxxxxxx
That is the database connection address.
IPs with the most requests on a single server:
[root@xxx log]# cat /var/log/httpd/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
232111 218.xxx.xxx.xxx
144089 xxx.xxx.xxx.xxx
111629 xxx.xxx.xxx.xxx
79444 59.xxx.xxx.xxx
76718 119.xxx.xxx.xxx
68785 xxx.xxx.208.30
622 xxx.xxx.236.103
*********************
OK, so we have the "attacking IP".
One IP making 200,000-plus requests to a single server means n servers see n × 200,000-plus requests; this IP is certainly not normal. After binding to that IP and finding the website was still reachable through it, I assumed it was the CDN's IP.
Looking at the log, a single access address (a dynamic page) was being hammered.
Since 218.xxx.xxx.xxx was not the real attacking IP, it could not simply be blocked. In the end the only option was to contact the CDN provider and have them restrict access on the CDN side, so that each IP may only make a set number of requests per second. Once that took effect, the server load returned to normal.
A brief summary:
1. Website traffic looked normal, so we did not identify it as an attack at first, which delayed solving the problem. There were no abnormal traffic statistics: CNZZ showed 14:00 higher than usual, but that could just as well be taken as normal if a new promotion channel had recently been added.
2. There is a rate limit on nginx, but the problem was on Apache: headache, so you treat the foot?
## Use the client IP address $binary_remote_addr as the key, allowing at most 50 concurrent connections per IP address
## Want to open thousands of connections to hammer me? Beyond 50 connections you get a 503 straight back, and your request is not handled at all
limit_conn_zone $binary_remote_addr zone=totalconnlimitzone:10m;
limit_conn totalconnlimitzone 50;
limit_conn_log_level notice;
## Use the client IP address $binary_remote_addr as the key, handling 10 requests per second per IP address
## Want to use a script to hit me hundreds of times a second? No way, I won't handle them, you get a 503 straight back
limit_req_zone $binary_remote_addr zone=connlimitzone:10m rate=10r/s;
limit_req_log_level notice;
server {
    listen 80;
    server_name www.xxxxxx.com xxxxxx.com;
    root /wwwroot/web/xxxxxx.com/;
    access_log off;
    error_log /data/wwwroot/log/www.xxxxxx.com-error.log;
    if ($host = 'xxxxxx.com') {
        rewrite ^/(.*)$ http://www.xxxxxx.com/$1 permanent;
    }
    location / {
        ## Up to 10 queued (burst=10): on top of the 10 requests per second handled, a burst of 10 more is accepted (nodelay: served immediately); anything beyond that gets a 503 straight back
        limit_req zone=connlimitzone burst=10 nodelay;
        proxy_pass http://127.0.0.1:xxxxxx;
        expires 1d;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~ .*\.(jpg|jpeg|gif|png|ico|asf|avi|fla|flv|mp3|mp4|rm|rmi|rmvb|wav|wma|wmv|7z|aiff|bmp|csv|doc|docx|gz|gzip|mid|xml|zip|mov|mpc|mepg|mpg|ods|odt|pdf|ppt|pptx|pxd|qt|ram|rar|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|xls|xlsx)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)$ {
        expires 30d;
        access_log off;
    }
    deny 218.xxx.xxx.xxx;
}
3. Add a check in the application: if the clicks look malicious, show a CAPTCHA or another prompt.
4. Follow-up work: rate limiting on the server itself.
http://www.jb51.net/article/58060.htm (not tested)
On reflection: a local test would certainly pass, but the server sits behind a CDN, so the IP recorded in the log is the CDN's IP; applying the limit there would throttle normal visitors as well.
Limit the number of requests at the CDN tier, and on the server add a CDN IP whitelist, so that only IPs attacking the server directly are limited.
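As an added example (not code from the original post), here is the per-IP count from the access log redone so that it survives the CDN problem just described: when the direct peer is a whitelisted CDN node, the client IP is taken from X-Forwarded-For, and requests are counted per second so the result maps onto a per-second rate limit. The log format with a trailing X-Forwarded-For field, the CDN range and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed LogFormat that appends the
# X-Forwarded-For header after the default "combined" fields.
SAMPLE_LOG = """\
218.0.0.10 - - [12/May/2016:14:02:01 +0800] "GET /list.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "59.0.0.5"
218.0.0.10 - - [12/May/2016:14:02:01 +0800] "GET /list.php?id=8 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "59.0.0.5"
218.0.0.10 - - [12/May/2016:14:02:01 +0800] "GET /list.php?id=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "59.0.0.5"
218.0.0.10 - - [12/May/2016:14:02:01 +0800] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0" "119.0.0.7"
218.0.0.10 - - [12/May/2016:14:02:02 +0800] "GET /list.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "59.0.0.5"
10.0.0.9 - - [12/May/2016:14:02:02 +0800] "GET /img/a.png HTTP/1.1" 200 77 "-" "curl/7.4" "-"
"""

# Assumed CDN address ranges (placeholder values, not a real provider's).
CDN_RANGES = [ip_network("218.0.0.0/24")]

LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

def client_ip(remote: str, xff: str) -> str:
    """Trust X-Forwarded-For only when the direct peer is a whitelisted CDN node;
    the leftmost XFF entry is the client the CDN saw. Otherwise keep the peer IP."""
    if xff and xff != "-" and any(ip_address(remote) in n for n in CDN_RANGES):
        return xff.split(",")[0].strip()
    return remote

def requests_per_second(log_text: str) -> dict:
    """Map (client_ip, timestamp-to-the-second) -> request count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip = client_ip(m["remote"], m["xff"])
        second = m["ts"].split(" ")[0]  # e.g. "12/May/2016:14:02:01"
        counts[(ip, second)] += 1
    return counts

def offenders(log_text: str, max_per_second: int) -> dict:
    """Client IPs that exceeded max_per_second in any one second, with their peak rate."""
    peak = defaultdict(int)
    for (ip, _), n in requests_per_second(log_text).items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > max_per_second}
```

The threshold passed to offenders() should match the rate configured at the CDN or in the nginx limit_req zone, so the report shows who would actually be throttled.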
5. Other useful commands:
Write the URLs that returned 404 to /root/404page.txt:
awk '($9 ~ /404/)' /var/log/httpd/access.log | awk '{print $9,$7}' | sort > /root/404page.txt
The most visited time periods (hour:minute):
awk '{print $4}' /var/log/httpd/access.log | cut -c 14-18 | sort | uniq -c | sort -nr | head
View the top 10 most visited URLs:
cat /var/log/httpd/access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
View the top 10 most visited URLs for a given day (the Apache date field uses a capitalised month, e.g. "Dec"):
cat /var/log/httpd/access.log | grep "10/Dec/2010" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
This article is from the "Hongtashan" blog; please keep this source when reproducing it: http://9388751.blog.51cto.com/9378751/1775389
Handling a Linux server under attack