Research on preventing CC attacks on IIS


Recently I moved my blog to its own server, so I looked into how to protect IIS against CC attacks.
My idea is to retrieve the list of IP addresses currently connected to the server every 2 seconds and check whether the number of connections from any remote IP address exceeds 100. If it does, that IP address is added to the IIS blacklist and denied access.
I tested this as a system service program and found that it works when there are few bots. When there are too many bots, however, the connection list grows to tens of thousands or even hundreds of thousands of entries, and CPU usage stays at 100%.
The server runs slowly, and the program also becomes very slow at retrieving the list of connected IP addresses: I estimate a single retrieval takes about one minute. Filtering that list for remote IP addresses with more than 100 connections consumes a large amount of system resources, so it takes several minutes to block an IP address. If hundreds of bots launch a CC attack at the same time, the server's CPU usage first reaches 100%, and then this program itself uses a lot of memory and CPU while it runs. The two effects together mean the IP address blacklist cannot be processed in a timely manner; with too many bots, it may take several minutes. The longer this goes on, the higher the CPU temperature climbs, services such as FTP and Remote Desktop are not handled in time, and Remote Desktop cannot connect, so the protection program still fails. A different approach is needed.
I thought about a driver, like the ones current firewalls use, so that the check happens before traffic reaches IIS and the IP address is blocked before its packets become IIS requests. That would not drive CPU usage to 100%, so it would solve the CC attack problem, but I don't know how to write drivers. Alas, after a few days it is still not done.
I don't know whether Windows has a firewall similar to Linux iptables, one that can limit the number of connections from each IP address to each port and block at L7. If you know of such a firewall, I hope you can recommend it. If there is none, the only option is a workaround: the server is not connected directly to the WAN. Traffic first passes through a dual-NIC RouterOS software router that does the filtering, and the port is then mapped to the web server.

Author: Wang Jianyu
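
The per-IP connection check described in the post, as an added example in Python (not the author's service code). It goes slightly beyond the post by handling IPv6 endpoints and an allow list; the web ports, the allow list parameter and the `netstat -ano`-style sample rows are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

THRESHOLD = 100        # per-IP connection limit from the post
WEB_PORTS = {80, 443}  # assumption: ports IIS listens on

def _rows(local, remote, n, state="ESTABLISHED"):
    # Constructed netstat-style rows: n connections from one remote host.
    return [f"  TCP    {local}    {remote}:{40000 + i}    {state}    4" for i in range(n)]

# Constructed sample in the column layout of Windows `netstat -ano`.
SAMPLE = "\n".join(
    ["  Proto  Local Address      Foreign Address    State        PID",
     "  TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    4"]
    + _rows("203.0.113.10:80", "198.51.100.7", 150)        # flood source
    + _rows("203.0.113.10:80", "198.51.100.8", 20)         # normal client
    + _rows("203.0.113.10:80", "198.51.100.12", 100)       # exactly at the limit
    + _rows("203.0.113.10:3389", "198.51.100.9", 120)      # not a web port
    + _rows("203.0.113.10:80", "198.51.100.11", 130, "TIME_WAIT")
    + _rows("[2001:db8::10]:443", "[2001:db8::66]", 101)   # IPv6 source
)

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' or '[v6%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def find_offenders(netstat_text, threshold=THRESHOLD, ports=WEB_PORTS, allow=()):
    """Return {remote_ip: count} for IPs exceeding threshold on the web ports."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "TCP" or cols[3] != "ESTABLISHED":
            continue
        try:
            _, local_port = split_endpoint(cols[1])
            remote_ip, _ = split_endpoint(cols[2])
        except ValueError:
            continue  # malformed row: skip rather than crash the service
        if local_port not in ports or remote_ip.is_loopback:
            continue
        if any(remote_ip in net for net in allowed):
            continue
        counts[str(remote_ip)] += 1  # single pass over the rows
    return {ip: n for ip, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for ip, n in sorted(find_offenders(SAMPLE).items()):
        print(f"{ip}: {n} connections, candidate for the IIS deny list")
```

Counting in one pass keeps the check linear in the number of rows; the cost the post describes comes mainly from obtaining the connection list itself while the server is already saturated.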
