The CC attack, a form of HTTP flood, is known for being low-cost (it needs only a few HTTP proxy servers), covert (small CC attacks typically do not cause network bottlenecks), difficult to defend against (the requests are indistinguishable from normal access requests), and powerful (it has the same effect as a DDoS traffic attack: the website cannot be opened for a long time). Conventional HTTP flood defenses are built mainly on JS bounce-back challenges, second-request verification with a whitelist, and multilayer caching (layer-7 and layer-4 caches are common).
The first result of a CC attack is usually that the attacked server's CPU is saturated, memory consumption is high, and even disk I/O is heavily occupied. There are always tasks on the server that never finish being processed, so a CC attack is also a denial-of-service attack and is one kind of DDoS attack.
So how should cc attacks be defended?
First, webmasters need to calm down. The opponent attacks your project in order to throw you into chaos; only once you are calm are you ready to draw your sword and fight back.
Analyze the volume:
netstat -an | grep ':80 ' -c
This counts the connections on port 80. Compare this number with the third-party statistics code on the site; if the gap is wide, or the server is so bogged down that statistics cannot even be collected, then it is definitely a CC attack.
If resource usage is so high that even SSH commands are hard to execute, pause the web service for a while (don't feel this is a loss: the service can't be accessed anyway, so why keep wasting resources?).
1. Beginner Essentials: Limit access rate
Configure a rate-limiting statement in the conf, using the fields documented at http://tengine.taobao.org/document_cn/http_limit_req_cn.html (details to be added in a later edit).
2. Escape the thief: find common features of attack
Sort by number of connections:
netstat -nat | grep ":80" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n
Find the IP with the largest number of connections (assume it is 22.00.**.11) and match it in the log:
cat /log/nginx/access.log | grep "22.00.**.11" | more
Identify the features of the tool the attacker uses in the access log, and then try to block them in the conf.
3. Revenge is not mercy: Ban
If the UA of the attacker's tool contains the string "Bench", it can be blocked in the conf:
location / {
    if ($http_user_agent ~ "Bench") {
        return 444;
    }
}
Appendix: Common algorithms for defending against CC attacks
Log analysis
Block IPs that access too frequently in the log
Block IPs whose behavior in the log does not match human behavior (an unreasonable number of accesses to the same URL, etc.)
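The two log-analysis rules in the appendix can be combined into one pass over the access log. The script below is an added example, not code from the original article; the function names, thresholds and log lines are constructed, and it assumes nginx's "combined" log format (field 1 is the client IP, field 7 is the URL).

```shell
# Added example. Thresholds, function names and log lines are constructed.
# Assumes nginx "combined" log format: field 1 = client IP, field 7 = URL.

# Constructed sample log using documentation-range addresses (RFC 5737).
sample_log() {
  i=1
  while [ "$i" -le 12 ]; do   # one client hammering a single URL
    printf '203.0.113.7 - - [01/Jan/2024:10:00:%02d +0000] "GET /search?q=a HTTP/1.1" 200 512 "-" "ApacheBench/2.3"\n' "$i"
    i=$((i + 1))
  done
  i=1
  while [ "$i" -le 6 ]; do    # moderate volume, but almost always the same URL
    printf '192.0.2.9 - - [01/Jan/2024:10:00:%02d +0000] "POST /login HTTP/1.1" 200 90 "-" "Mozilla/5.0"\n' "$i"
    i=$((i + 1))
  done
  for u in / /about; do       # ordinary browsing mixed in
    printf '192.0.2.9 - - [01/Jan/2024:10:00:40 +0000] "GET %s HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n' "$u"
    printf '198.51.100.4 - - [01/Jan/2024:10:00:41 +0000] "GET %s HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n' "$u"
  done
}

# flag_ips MAX_TOTAL MAX_SAME_URL  (reads the access log on stdin)
# Prints "ip total top_url_hits top_url reason" for every IP over a threshold,
# busiest first. reason is "rate", "same-url" or "rate+same-url".
flag_ips() {
  awk -v max_total="$1" -v max_url="$2" '
    {
      ip = $1; url = $7
      total[ip]++                      # rule 1: overall request count per IP
      n = ++per[ip SUBSEP url]         # rule 2: count per (IP, URL) pair
      if (n > top[ip]) { top[ip] = n; topurl[ip] = url }
    }
    END {
      for (ip in total) {
        reason = ""
        if (total[ip] > max_total) reason = "rate"
        if (top[ip] > max_url)
          reason = (reason == "" ? "same-url" : reason "+same-url")
        if (reason != "") print ip, total[ip], top[ip], topurl[ip], reason
      }
    }' | sort -k2,2nr
}

# Stand-alone run on the constructed sample.
sample_log | flag_ips 10 5
```

Against a real log, feed the file on stdin (for example the access.log path used above) and tune both thresholds to the site's normal traffic before blocking anything.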
Nginx Defense cc Attack tutorial