What is a CC attack
CC is short for Challenge Collapsar.
The principle of a CC attack is that the attacker controls a number of hosts and has them keep sending a large number of packets to the target server, exhausting the server's resources until it crashes. CC is primarily used to attack web pages. Everyone has had this experience: when a very large number of people visit a web page, the page opens slowly. A CC attack simulates multiple users (one thread per simulated user) who access, without stopping, the pages that need a lot of data operations, that is, the pages that need a large amount of CPU time. This wastes server resources: the CPU stays at 100% for a long time and there are always more connections to process, until the network is congested and normal access is cut off.
Ways to prevent CC attacks
I have two ways to prevent this kind of CC attack.
The first is to use a local firewall; CSF can be installed for this. The drawback is that it only stops small-scale CC attacks and DDoS (my site is hosted on Aliyun, so I do not worry too much about DDoS). When the CC attack is fiercer, the machine's CPU is simply maxed out anyway.
The second way is to add a CDN. This is the best way to prevent CC attacks, but CDNs generally cost money, so I found https://www.yundun.cn/login, which is said to be specifically for stopping CC and DDoS. In fact it is a CDN, and it has a free package that is enough for my site.
Now, let's talk about the specific protection changes I made.
First, install the CSF firewall. This is relatively simple and does not require changing anything about the domain name; small-scale attacks are solved directly.
First, install the dependency packages:

    yum install perl-libwww-perl perl iptables

Second, download and install CSF:

    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh

Third, test whether CSF can work properly:

    [root@localhost csf]# perl /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    RESULT: csf should function on this server

Fourth, configure CSF:
The configuration file for CSF is /etc/csf/csf.conf. Open it for editing:

    vim /etc/csf/csf.conf

    # Allow incoming TCP ports
    # It is recommended that you change the default SSH port (22) to another
    # port, but be sure to add the new port to the next line
    TCP_IN = "20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995"

    # Allow outgoing TCP ports
    # Same as above: add the SSH login port to the next line.
    # If a program needs a range of ports open, such as Pure-FTPd's passive
    # mode, you can open ports 30000-35000 with the form 30000:35000.
    TCP_OUT = "20,21,47,81,1723,25,53,80,110,113,443"

    # Allow incoming UDP ports
    UDP_IN = "20,21,53"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123"

    # Allow incoming ping: lets others ping your server.
    # Default 1 (allowed); 0 means not allowed.
    ICMP_IN = "1"

All of the settings above should be easy to understand. The following introduces a few more that are commonly used.
Protection against certain types of small-scale DDoS attacks:

    # Connection Tracking. This option enables tracking of all connections from IP
    # addresses to the server. If the total number of connections is greater than
    # this value then the offending IP address is blocked. This can be used to help
    # prevent some types of DOS attack.
    #
    # Care should be taken with this option. It's entirely possible that you will
    # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
    # and HTTP so it could be quite easy to trigger, especially with a lot of
    # closed connections in TIME_WAIT. However, for a server that is prone to DOS
    # attacks this is very useful. A reasonable setting for this option might
    # be around 200.
    #
    # To disable this feature, set this to 0
    ## Number of requests from the same IP within the fixed interval
    CT_LIMIT = "#"

    # Connection Tracking interval. Set this to the number of seconds between
    # connection tracking scans
    ## The fixed interval referred to above, in seconds
    CT_INTERVAL = "#"

    # Send an email alert if an IP address is blocked due to connection tracking
    ## Whether to send an email
    CT_EMAIL_ALERT = "1"

    # If you want to make IP blocks permanent then set this to 1, otherwise blocks
    # will be temporary and will be cleared after CT_BLOCK_TIME seconds
    # Whether to block suspicious IPs permanently; the default is 0, that is,
    # a temporary block.
    CT_PERMANENT = "0"

    # If you opt for temporary IP blocks for CT, then the following is the interval
    # in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
    # Duration of the temporary block
    CT_BLOCK_TIME = "1800"

    # If you don't want to count the TIME_WAIT state against the connection count
    # then set the following to "1"
    ## Whether to count connections in the TIME_WAIT state
    CT_SKIP_TIME_WAIT = "0"

    # If you want to count specific states (e.g. SYN_RECV) then add the states
    # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
    # Leave this option empty to count all states against CT_LIMIT
    ## Whether to count by country; fill in the name of the country
    CT_STATES = ""

    # If you want to count specific ports (e.g. 80,443) then add the ports
    # to the following as a comma separated list. E.g. "80,443"
    #
    # Leave this option empty to count all ports against CT_LIMIT
    # Which ports to check; if empty, all ports are checked. To protect SSH
    # as well, leave it empty so that everything is counted.
    CT_PORTS = ""

After you have made the settings above, you can test them first. Up to this point CSF has only been running in test mode; if there is no problem, switch to production mode:

    # Change the default 1 to 0.
    TESTING = "0"

Under /etc/csf/ there are two files, csf.allow and csf.deny. csf.allow holds trusted IPs; you can add your own IP to it so that you are not blocked by mistake. csf.deny holds blocked IPs.
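To see how CT_LIMIT, CT_PORTS, CT_STATES and CT_SKIP_TIME_WAIT interact before enabling them, the following added example (not CSF's own code and not from the original post) applies the rule described in the comments above to netstat -ant style rows. The function name, the sample rows and the limits used are assumptions made for illustration.

```python
from collections import Counter

def _rows(port, peer, state, n):
    # Constructed `netstat -ant` style rows for a server at 192.0.2.10
    return [f"tcp 0 0 192.0.2.10:{port} {peer}:{40000 + i} {state}" for i in range(n)]

# Constructed sample: one noisy client and two ordinary ones
SAMPLE = "\n".join(
    _rows(80, "198.51.100.7", "ESTABLISHED", 4)
    + _rows(80, "198.51.100.7", "TIME_WAIT", 3)
    + _rows(443, "203.0.113.5", "ESTABLISHED", 2)
    + _rows(22, "203.0.113.5", "ESTABLISHED", 1)
    + _rows(80, "203.0.113.9", "SYN_RECV", 1)
)

def over_limit(netstat_text, ct_limit, ct_ports="", ct_states="", ct_skip_time_wait=False):
    """Return {ip: connections} for peers whose count is greater than ct_limit."""
    if ct_limit <= 0:  # CT_LIMIT = "0" disables the feature
        return {}
    ports = {p.strip() for p in ct_ports.split(",") if p.strip()}
    states = {s.strip().upper() for s in ct_states.split(",") if s.strip()}
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip headers, non-TCP rows and listening sockets
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue
        local, peer, state = f[3], f[4], f[5].upper()
        if ct_skip_time_wait and state == "TIME_WAIT":
            continue
        if states and state not in states:
            continue
        if ports and local.rsplit(":", 1)[1] not in ports:
            continue
        counts[peer.rsplit(":", 1)[0]] += 1  # rsplit keeps IPv6 addresses intact
    return {ip: n for ip, n in counts.items() if n > ct_limit}

if __name__ == "__main__":
    # The same client is flagged or not depending on whether TIME_WAIT is counted
    print(over_limit(SAMPLE, 5))
    print(over_limit(SAMPLE, 5, ct_skip_time_wait=True))
```

Feeding it real `netstat -ant` output from a normal traffic period shows which legitimate clients would be caught by a candidate limit, which is the false-positive risk the CSF comments warn about.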
After any change to the configuration, you need to restart the CSF service.
With CSF installed as described above, small CC attacks are basically dealt with. My site was also fine right after I added it, but the attack increased the next day, and there was no choice but to use the second way.
Register a Cloud Shield account, verify the domain name, and point the domain name to the one provided by Cloud Shield. I have not been attacked since adding it.