If you are worried that your website is under CC attack, or you have never experienced one, please take a look (it may come in handy later).
Recently, my friend's website was hit by CC attacks. Because I didn't know much about defending against CC attacks, I didn't dare to give him any good answers. Today I wrote the following notes to see if I can offer a good solution for everyone.
Reference
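<?php
// Log requests that arrive through a proxy: the address the proxy reports in
// X-Forwarded-For next to the connecting address (REMOTE_ADDR).
// X-Forwarded-For is a request header, so treat its value as untrusted text.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $realip = getenv("HTTP_X_FORWARDED_FOR");
}
if ($realip <> "") {
    $remoteip = $_SERVER['REMOTE_ADDR'];
    log_ip($remoteip, $realip);
}

// Append one line per proxied request: time, real IP, connecting (proxy) IP.
function log_ip($remote_ip, $real_ip)
{
    $temp_time = date("y-m-d G:i:s");
    $temp_result = $temp_time . " " . $real_ip . " " . $remote_ip . "\n";
    if (!$fhandle = fopen("cc_log.txt", "a+")) {
        print "error";
        exit;
    }
    fwrite($fhandle, $temp_result);
    fclose($fhandle);
}
?>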
What this code segment does:
It records the real IP address of each client that connects through a proxy in a log, for troubleshooting and analysis.
Below is the content of cc_log.txt (these entries were produced by an attack from CC attack software):
Reference
Time Real_ip Remote_ip <= this line was added by me
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:51 122.144.131.72 60.248.212.230
The real IP address 122.144.131.72 accessed this server repeatedly through the proxy IP addresses (60.248.212.230, 219.146.172.91) within just four seconds.
That is clearly a problem. In this case, we should use the firewall (iptables) to block these real IP addresses so that their requests are denied at the entrance.
Reference
<?php
session_start();
$timestamp = time();
$cc_nowtime = $timestamp;
// session_is_registered() was removed in PHP 5.4; isset() on $_SESSION is the equivalent check.
if (isset($_SESSION['cc_lasttime'])) {
    // Known session: count this request.
    $cc_lasttime = $_SESSION['cc_lasttime'];
    $cc_times = $_SESSION['cc_times'] + 1;
    $_SESSION['cc_times'] = $cc_times;
} else {
    // First request in this session: start the window now.
    $cc_lasttime = $cc_nowtime;
    $cc_times = 1;
    $_SESSION['cc_times'] = $cc_times;
    $_SESSION['cc_lasttime'] = $cc_lasttime;
}
if (($cc_nowtime - $cc_lasttime) < 5) {
    // Still inside the five-second window: redirect once the count reaches 10.
    if ($cc_times >= 10) {
        header(sprintf("Location: %s", 'http://127.0.0.1'));
        exit;
    }
} else {
    // Window expired: reset the counter and start a new window.
    $cc_times = 0;
    $_SESSION['cc_lasttime'] = $cc_nowtime;
    $_SESSION['cc_times'] = $cc_times;
}
?>
What this code does:
If the same session refreshes 10 times within five seconds, the response is redirected to the local host (http://127.0.0.1).
I personally think that the first code segment can be built into the application, and cc_log.txt can be analyzed regularly to protect the service. As for the second code segment: when the first code segment shows that too many proxy requests have occurred recently, you can put the second segment into the application to prevent CC attacks (because too many sessions consume server resources, you should use it flexibly). Of course, hardware protection is better. However, I have seen on the Internet that hardware defenses like this can prevent some spiders from crawling normally. You can use the HTTP logs to sort out the spiders' IP addresses and hand them over to the relevant technical staff, who can add them to the hardware defense whitelist.
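One way to do the regular analysis of cc_log.txt suggested above, as an added example that is not part of the original post: a Python script that flags any real IP reaching the same threshold as the session check (10 requests within 5 seconds) and lists the proxy addresses it came through. The function names, thresholds as constants, and sample lines are assumptions made for illustration; the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 5  # assumed thresholds, mirroring the session check:
MAX_REQUESTS = 10   # 10 requests within 5 seconds

def parse_line(line):
    """Return (time, real_ip, remote_ip), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:2]), "%y-%m-%d %H:%M:%S")
        # X-Forwarded-For may read "client, proxy1, ..."; keep the leftmost entry.
        forwarded = " ".join(parts[2:-1]).split(",")[0].strip()
        real_ip = ipaddress.ip_address(forwarded)
        remote_ip = ipaddress.ip_address(parts[-1])
    except ValueError:  # truncated entry or non-address text in the header
        return None
    return when, str(real_ip), str(remote_ip)

def find_floods(lines):
    """Map each real IP that hit the threshold to the proxy addresses it used."""
    recent = defaultdict(deque)  # real_ip -> timestamps still inside the window
    proxies = defaultdict(set)   # real_ip -> connecting (Remote_ip) addresses
    flagged = {}
    for when, real_ip, remote_ip in filter(None, map(parse_line, lines)):
        window = recent[real_ip]
        window.append(when)
        while (when - window[0]).total_seconds() >= WINDOW_SECONDS:
            window.popleft()
        proxies[real_ip].add(remote_ip)
        if len(window) >= MAX_REQUESTS:
            flagged[real_ip] = proxies[real_ip]
    return {ip: sorted(used) for ip, used in flagged.items()}

# Constructed sample in the cc_log.txt layout (documentation-range addresses).
SAMPLE = ["Time Real_ip Remote_ip"]
SAMPLE += [f"09-09-05 13:50:{47 + i // 4:02d} 192.0.2.10 {proxy}"
           for i, proxy in enumerate(["198.51.100.7", "198.51.100.8"] * 6)]
SAMPLE += ["09-09-05 13:50:48 203.0.113.5, 198.51.100.9 198.51.100.9",
           "09-09-05 13:51:30 203.0.113.5 198.51.100.9"]

if __name__ == "__main__":
    for real_ip, via in find_floods(SAMPLE).items():
        print(f"{real_ip}: {MAX_REQUESTS}+ requests in {WINDOW_SECONDS}s via {', '.join(via)}")
```

Real_ip is taken from a request header, while a packet filter such as iptables matches the connecting address, so the returned proxy list is the part a firewall rule can match directly.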