Simple Analysis of a CC attack


A CC attack was detected in the morning. The following conclusions come from analyzing the IIS logs of this site ......
 
2012-06-08 10:02:36:
 
The attack begins ......
 
Attack address: GET /index.asp - 80 - 183.203.12.18 Mozilla/4.0 200 0 0
 
2012-06-08 10:14:19:
 
After 12 minutes of attack and 44351 GET requests, the attack was temporarily stopped.
 
Why was the attack suspended?
 
Well, I guess he didn't see any attack effect, because this site didn't respond to this low-level attack ......
 
2012-06-08 10:39:53:
 
GET /index.asp a=rss 80 - 180.96.19.24 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+5.1) 200 0 0
 
After a 25-minute pause, the attacker began to attack again.
 
However, the attack address changed to: /index.asp?a=rss
 
The User-Agent changed to: Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+5.1)
 
I have to say that the attacker finally became smarter and chose a "dynamic page" for attack.
 
Well, unfortunately, this is actually a static page ......
 
Unfortunately, all pages on this site are static pages ......
 
10:46:13
 
After 7 minutes of attack and 2697 GET requests, the attack was stopped again ......
 
As expected, the attacker did not see any effect and was disappointed to stop the attack ......
 
11:28:02
 
GET /index.asp I=2565 80 - 119.147.241.58 Mozilla/4.0 200 0 0
 
After more than 40 minutes, the attack began again ......
 
Perseverance, child ......
 
This time he was smarter and picked a link to an article as the attack target.
 
Well, unfortunately, this article has been cached since its first visit, so it has become a static page ......
 
And because of "Anti-CC.asp", I am afraid the attack will have no impact other than adding some clicks to the article on this site ......
 
11:42:08
 
I accidentally found a website exception, so I restarted IIS and made some simple operations. The attack ended here.
 
Number of attacks: 49894 GET requests, lasting 14 minutes and 6 seconds.
 
Attacker features:
 
1. The attacker is probably using common CC attack software that relies on proxies.
 
2. Uniform User-Agent values.
 
3. The source IPs are a variety of free HTTP proxies.
 
4. Haha, unfortunately for you, your real IP address is easy to trace because you use ordinary HTTP proxies (the real IP address is in the HTTP header).
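
The wave-by-wave timeline and features 2 and 3 above can be recovered mechanically from the log. The following is an added example, not the author's code: it parses IIS W3C log lines, groups requests by URL and User-Agent, splits each group on idle gaps, and keeps bursts that arrive from several client IPs. The sample log, the thresholds and the names `parse_iis` and `find_waves` are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("#Fields: date time cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status")

def _row(ts, query, ip, ua="Mozilla/4.0"):
    return f"2012-06-08 {ts} GET /index.asp {query} 80 - {ip} {ua} 200 0 0"

# Constructed sample (RFC 5737 documentation addresses), not the site's real log:
# two uniform-User-Agent bursts from rotating IPs, plus one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [FIELDS]
    + [_row(f"10:02:{36 + i}", "-", f"192.0.2.{i % 4 + 1}") for i in range(12)]
    + [_row(f"10:39:{53 + i}", "a=rss", f"198.51.100.{i % 3 + 1}") for i in range(6)]
    + [_row("10:05:00", "-", "203.0.113.7", "Mozilla/5.0+(Windows+NT+6.1)")])

def parse_iis(text):  # one dict per request; columns are named by the #Fields header
    names = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(names, line.split()))  # IIS logs spaces in values as "+"
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def find_waves(rows, gap=timedelta(minutes=5), min_requests=5, min_ips=3):
    """Group by (URL, User-Agent), split on idle gaps, keep bursts spread over many IPs."""
    groups = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        groups[(r["cs-uri-stem"], r["cs-uri-query"], r["cs(User-Agent)"])].append(r)
    waves = []
    for (stem, query, ua), reqs in groups.items():
        bursts = [[reqs[0]]]
        for r in reqs[1:]:
            if r["ts"] - bursts[-1][-1]["ts"] > gap:
                bursts.append([])          # idle gap: the attack paused, start a new wave
            bursts[-1].append(r)
        for burst in bursts:
            ips = sorted({b["c-ip"] for b in burst})
            if len(burst) >= min_requests and len(ips) >= min_ips:
                waves.append({"target": stem if query == "-" else f"{stem}?{query}",
                              "user_agent": ua, "start": burst[0]["ts"],
                              "end": burst[-1]["ts"], "requests": len(burst), "ips": ips})
    return sorted(waves, key=lambda w: w["start"])

if __name__ == "__main__":
    for w in find_waves(parse_iis(SAMPLE_LOG)):
        print(w["start"], w["end"], w["target"], w["requests"], len(w["ips"]), w["user_agent"])
```

On a real log the thresholds need tuning to the site's normal traffic, and the `ips` list of each wave is the input for the blacklist step.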
 
Postscript:
 
To address this CC attack, you can simply add the attack IP addresses to the blacklist of the local IP Security Policy in batches. This takes effect immediately.
 
Because this site limits the maximum number of IIS connections to only a few hundred, when the number of connections reaches the limit, the site temporarily returns "Service Unavailable", with no other impact.
 
(The IIS connection limit has been modified, and the attack IP addresses have been blacklisted ......)
 
Attached is the list of attack IP addresses:
 
 
Author: Nuclear'Atk Network Security Research Center
