Recently I moved my blog to a dedicated server, so I studied how to protect IIS against CC attacks.
My idea was to retrieve the list of IP addresses currently connected every 2 seconds and determine whether the number of connections from any remote IP address exceeds 100. If so, that address is added to the IIS blacklist and its access is denied.
I tested it as a system service and found that it works when there are few bots, but when there are too many bots the number of entries in the IP list reaches tens of thousands or even hundreds of thousands, and CPU usage stays at 100%.
The server runs slowly, and the program also becomes very slow when retrieving the list of network connection IP addresses; one retrieval is estimated to take about a minute. Filtering that list to check which remote IP addresses have more than 100 connections consumes a large amount of system resources, and it takes several minutes to block a single IP address. If hundreds of bots launch a CC attack at the same time, the server's CPU usage first hits 100%, and then this program itself takes a lot of memory and CPU while running; the two together make it impossible to process the IP blacklist in time. With too many bots, processing the blacklist can take several minutes. The longer the CPU stays pegged, the longer FTP and Remote Desktop go unserved, and Remote Desktop can no longer connect at all, so the protection program still fails. I had to change my thinking.
I thought about a driver like the ones current firewalls use, so that the check happens before traffic reaches IIS and the IP address is blocked before the packet ever becomes an IIS request. That would not push CPU usage to 100%, so the CC attack could be solved, but I can't write such a driver. Alas, the tragedy has gone on for several days.
I don't know whether the Windows environment has anything like the Linux iptables firewall, which can limit the number of connections from each IP address to each port and block at layer 7. If you know of such a firewall, I hope you can recommend it. If there isn't one, the only option is another workaround: don't connect the server directly to the WAN, but put a dual-NIC software router OS in front of it to do the counting, and then map the port through to the web server.
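The counting loop described above (poll every 2 seconds, more than 100 connections from one remote address), but with the block applied at the Windows Firewall so the packets are dropped before IIS sees them, written here as an added example and not the author's own program. It assumes the Get-NetTCPConnection and New-NetFirewallRule cmdlets (Windows 8 / Server 2012 or later), an elevated shell, and port 80 as the IIS listening port.

```powershell
# Added example: count established TCP connections per remote address on the
# web port and block offenders with a Windows Firewall rule, i.e. before the
# packet reaches IIS. Requires Windows 8 / Server 2012+ and an elevated shell.
param(
    [int]$Port = 80,           # assumed: the IIS listening port
    [int]$Threshold = 100,     # the post's limit: more than 100 connections per remote IP
    [int]$IntervalSeconds = 2  # the post's polling interval
)

function Get-OffendingRemoteAddresses {
    param([int]$Port, [int]$Threshold)
    # One query and one grouping pass over the table, instead of re-scanning
    # the whole list once per IP address.
    Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        Group-Object -Property RemoteAddress |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object { $_.Name }
}

function Block-RemoteAddress {
    param([string]$Address)
    $name = "CC-block $Address"
    # Idempotent: do not create a second rule for an address already blocked.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $Address -Profile Any | Out-Null
    Write-Host "$(Get-Date -Format s) blocked $Address"
}

while ($true) {
    foreach ($ip in Get-OffendingRemoteAddresses -Port $Port -Threshold $Threshold) {
        Block-RemoteAddress -Address $ip
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

This is still a polling approach, and Get-NetTCPConnection itself walks the whole connection table, so on a saturated host it has the same scaling problem the post describes; the gain is only that enforcement happens in the firewall driver rather than in IIS. The rules accumulate and need to be cleared later with Remove-NetFirewallRule -DisplayName 'CC-block *'.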
Author: Wang Jianyu