Nginx Defense Against CC Attacks Tutorial

Source: Internet
Author: User

A CC (Challenge Collapsar) attack is an HTTP flood. It is known for being low-cost (a handful of HTTP proxy servers is enough), covert (a small CC attack usually does not create a network bottleneck), hard to defend against (the requests are indistinguishable from normal access) and effective (the result is the same as a volumetric DDoS attack: the site stays unreachable for a long time). Conventional HTTP flood defenses combine a JavaScript redirect challenge, whitelisting of clients that complete the second (post-challenge) request, and multilayer caching (Layer 7 and Layer 4 caches are the common ones) as the main line of defense.


The first symptom of a CC attack is usually that the attacked server's CPU is pegged, memory consumption is high and even disk I/O is saturated, because the server always has a backlog of requests it can never finish processing. A CC attack is therefore a denial-of-service attack as well, and counts as one kind of DDoS.


So how should a CC attack be defended against?


First, webmasters need to keep calm. The opponent attacks your project in order to throw you into confusion; stay calm, then get ready to draw your sword and fight back.


Measure the volume first:

netstat -an | grep -c ':80 '

This counts the connections on port 80 (the trailing space after 80 keeps ports such as 8080 out of the count). Compare the number with the third-party visitor statistics embedded in the site; if the gap is large, or the server is so sluggish that the statistics cannot even be collected, it is definitely a CC attack. On distributions where netstat is no longer installed, ss -ant | grep -c ':80 ' gives the same count.
If resource usage is so high that even SSH commands are hard to execute, pause the web service for a while (don't feel you are losing anything: the service is already unreachable, so why keep wasting resources on it?).


1. Beginner essentials: limit the access rate
Configure a rate-limiting rule in the conf with the ngx_http_limit_req_module (details to be added later); see http://tengine.taobao.org/document_cn/http_limit_req_cn.html
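As an added example (not code from the original post), the shell helper below prints the limit_req / limit_conn include that this step refers to, and includes a client-side probe to see the limit bite. The zone names, the 10r/s rate, the burst of 20 and the cap of 20 concurrent connections per IP are assumptions; derive your own from normal traffic before deploying.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: generate a rate-limiting
# include for ngx_http_limit_req_module and ngx_http_limit_conn_module, and
# probe a server to see the limit bite. Zone names, the 10r/s rate, the burst
# and connection caps are assumptions; derive yours from normal traffic first.
set -eu

# Print the include on stdout. $1 = steady request rate per client IP
# (e.g. 10r/s), $2 = burst allowance, $3 = max concurrent connections per IP.
emit_anti_cc_conf() {
    rate="$1"; burst="$2"; conns="$3"
    cat <<EOF
# Shared-memory zones keyed by client IP. \$binary_remote_addr is 4 bytes for
# IPv4 (\$remote_addr is up to 15), so a 10m zone holds on the order of 10^5
# client states; when it fills, the least recently used state is evicted.
limit_req_zone \$binary_remote_addr zone=cc_req:10m rate=${rate};
limit_conn_zone \$binary_remote_addr zone=cc_conn:10m;

# 444 is nginx-specific: close the connection without any response, so the
# flooding client gets nothing to parse. Rejections are logged at warn.
limit_req_status 444;
limit_conn_status 444;
limit_req_log_level warn;

# In the http context these apply to every server and location; move the two
# lines into a location {} to limit only the expensive dynamic pages.
# burst=${burst}: a browser fetching a page plus its assets may exceed the
# rate briefly; nodelay serves that burst at once instead of pacing it.
# Requests beyond rate+burst are rejected with limit_req_status.
limit_req zone=cc_req burst=${burst} nodelay;
limit_conn cc_conn ${conns};
EOF
}

# Client-side check (needs a running server, so not run here): fire $2
# requests at $1 concurrently and tally the HTTP codes. A 444 shows up as
# 000 in curl because the connection is closed with no status line.
probe_rate_limit() {
    url="$1"; n="$2"
    { for _ in $(seq "$n"); do
          curl -s -o /dev/null -w '%{http_code}\n' "$url" &
      done; wait; } | sort | uniq -c
}

emit_anti_cc_conf 10r/s 20 20
```

Save the output as a file under /etc/nginx/conf.d/ (for example anti_cc.conf), run nginx -t, then nginx -s reload. Choose rate and burst from measured legitimate traffic: a page that pulls thirty assets from the same host will trip a 10r/s limit with no burst, so the burst should cover a normal page load while the rate stays below what a flooding tool sends.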


2. Catch the thief: find the common features of the attack
Sort client addresses by number of connections:

netstat -nat | grep ':80 ' | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n

Field 5 of the netstat output is the foreign address as ip:port; splitting on ':' keeps only the IP. (This breaks on IPv6 peers, whose addresses contain colons themselves.)

Take the IP with the largest number of connections (say 22.00.**.11) and look it up in the log:

grep -F "22.00.**.11" /log/nginx/access.log | more

-F makes grep treat the dots in the address literally instead of as regex wildcards. Identify the signature of the tool the attacker is using from the access log entries (User-Agent string, request path, request rate), then try to block it in the conf.



3. No mercy in retaliation: ban

If the attacker's tool sends a User-Agent containing the string "Bench" (ApacheBench, for instance, identifies itself as ApacheBench/2.3), it can be blocked in the conf:

location / {
    if ($http_user_agent ~ "Bench") {
        return 444;
    }
}

Status 444 is nginx-specific: the connection is closed without sending any response. The ~ match is case-sensitive; use ~* for a case-insensitive match. An if block inside a location is safe as long as it only contains return.

Appendix: common CC defense algorithms

Log analysis
Block IPs that appear too frequently in the log.
Block IPs whose behavior in the log does not look human (the same URL requested an unreasonable number of times, and so on).
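As an added example, not part of the original post, the script below runs the log-analysis rules from this appendix, the connection sorting of step 2 and the User-Agent ban of step 3 over an nginx access log, and turns the result into an nginx include. The log lines are constructed for the example (RFC 5737 documentation addresses); the thresholds and the "bench" User-Agent pattern are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: apply the log-analysis rules
# to an nginx access log and emit an nginx include from the result. The log
# lines are constructed (RFC 5737 addresses); thresholds and the "bench"
# User-Agent pattern are assumptions.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
# Default nginx "combined" format:
# ip - - [time] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "ApacheBench/2.3"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0800] "GET / HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0800] "GET /static/site.css HTTP/1.1" 200 800 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0800] "GET /about.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.44 - - [10/Oct/2023:13:55:39 +0800] "POST /login.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
203.0.113.44 - - [10/Oct/2023:13:55:39 +0800] "POST /login.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
203.0.113.44 - - [10/Oct/2023:13:55:39 +0800] "POST /login.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
203.0.113.44 - - [10/Oct/2023:13:55:40 +0800] "POST /login.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
203.0.113.44 - - [10/Oct/2023:13:55:40 +0800] "POST /login.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
203.0.113.44 - - [10/Oct/2023:13:55:40 +0800] "POST /login.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
EOF

# Requests per client IP, busiest first: the sort | uniq -c | sort idea from
# step 2, applied to the access log instead of netstat.
requests_per_ip() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn
}

# Rule 1 (appendix): IPs with more than $2 requests in the log.
ips_over_threshold() {
    awk -v max="$2" '{n[$1]++} END {for (ip in n) if (n[ip] > max+0) print ip}' "$1" | sort
}

# Rule 2 (appendix): one client requesting the same URL more than $2 times.
# Field 7 is the request path inside the quoted request line.
single_url_hammering() {
    awk -v max="$2" '{n[$1 " " $7]++} END {for (k in n) if (n[k] > max+0) print k}' "$1" | sort
}

# Step 3: count User-Agents so tool signatures (ApacheBench, ...) stand out.
# Splitting on '"' puts the User-Agent in field 6 of the combined format.
user_agents() {
    awk -F'"' '{print $6}' "$1" | sort | uniq -c | sort -rn
}

# Build an http-level nginx include: a geo block flagging the flooding IPs
# and a map flagging tool User-Agents (case-insensitive). A server block then
# uses:  if ($cc_blocked) { return 444; }   if ($cc_bad_ua) { return 444; }
emit_cc_include() {
    log="$1"; max="$2"; ua_regex="$3"
    printf 'geo $cc_blocked {\n    default 0;\n'
    ips_over_threshold "$log" "$max" | awk '{printf "    %s 1;\n", $1}'
    printf '}\n'
    printf 'map $http_user_agent $cc_bad_ua {\n    default 0;\n    "~*%s" 1;\n}\n' "$ua_regex"
}

echo "== requests per IP";       requests_per_ip "$SAMPLE_LOG"
echo "== IPs over 5 requests";   ips_over_threshold "$SAMPLE_LOG" 5
echo "== single-URL hammering";  single_url_hammering "$SAMPLE_LOG" 5
echo "== user agents";           user_agents "$SAMPLE_LOG"
echo "== generated include";     emit_cc_include "$SAMPLE_LOG" 5 bench
```

Point the functions at the real access log and a threshold derived from a quiet period, save the generated include under /etc/nginx/conf.d/, add the two if ... return 444 lines to the server block, and run nginx -t before reloading. Because the geo and map blocks are evaluated per request without touching the log, the cost of a long blocklist stays small; regenerate it from a cron job rather than editing by hand.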


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
