1. The problem
Our app had been online for some time when, one day, we found that the production product suddenly could not send verification codes.
Logging in to the console of the third-party SMS verification code service, we found that the problem was serious.
| No. | Account | Quantity (messages) | Date |
| 3 | Youbiquan | 15797 | 2015-12-25 |
| 4 | Youbiquan | 57 | 2015-12-23 |
| 5 | Youbiquan | 49 | 2015-12-22 |
| 6 | Youbiquan | 54 | 2015-12-21 |
| 7 | Youbiquan | 64 | 2015-12-20 |
A few days earlier the SMS service had sent out more than 15,000 text messages in a single day, draining the service credit outright.
To find the cause, the only place to look was the Nginx log.
The log showed a huge number of requests to the SMS interface, and as I watched it was still being appended to at a crazy rate: a typical DDoS attack. The SMS interface was the target of this flood of traffic:
221.178.182.21 - - [05/Jan/2016:16:19:25 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.3; xm50h build/19.1.1.c.1.2)" "-"
171.82.225.66 - - [05/Jan/2016:16:19:32 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.4; 2014812 MIUI/V6.6.3.0.KHJCNCF)" "-"
171.82.225.66 - - [05/Jan/2016:16:19:32 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.4; 2014812 MIUI/V6.6.3.0.KHJCNCF)" "-"
110.89.16.13 - - [05/Jan/2016:16:19:49 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; r827t build/jdq39)" "-"
110.89.16.13 - - [05/Jan/2016:16:19:49 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; r827t build/jdq39)" "-"
118.114.160.200 - - [05/Jan/2016:16:21:26 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:21:39 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
119.122.0.136 - - [05/Jan/2016:16:21:41 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:21:51 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 161 "-" "Mozilla/5.0" "-"
When the traffic peaked, the server felt as if it were no longer serving anything at all, right on the edge of crashing.
2. Interim measure
Before working out the cause, the first thought was to stop the SMS service so that the attacker could not reach it; but the server itself could not be shut down, since online users were still using it.
So the first step was to use Nginx to rewrite this interface:
if ($request_uri ~* "showtype=smsauthcode") {
    rewrite ^/ http://www.baidu.com/;
}
There are of course many possible configurations; this is only one way to solve the problem, and for the details you can refer to more thorough Nginx configuration references.
First, apologies to Baidu: the attack requests were forwarded to Baidu. In fact it is enough to simply return a status value, for example 200.
3. Approaches based on log analysis
Of course, this did not really solve the problem: online users could not register new accounts.
The first approach I thought of was restricting access per IP. Analysing the log, some IPs had attacked thousands of times, while others had only accessed the interface a few times. For an IP with only a few accesses, there is really no way to tell whether it is a real user or an attacking machine. Searching online, I found a way to limit the number of accesses from one IP to an interface within a given period.
iptables -A INPUT -p tcp --dport 80 -d xx.xx.xx.xx -m string --string "/myinterface?showtype=smsauthcode" --algo kmp -m recent --name httpuser --set
iptables -A INPUT -m recent --update --name httpuser --seconds 86400 --hitcount 4 -j LOG --log-level 5 --log-prefix 'HTTP attack: '
iptables -A INPUT -m string --string '/myinterface?showtype=smsauthcode' --algo kmp -m recent --update --name httpuser --seconds 86400 --hitcount 10 -j REJECT
The basic idea: string-match each incoming request, and when a request to the SMS interface is found, record the access with the recent module; if an IP accesses the interface more than 4 times in one day, it is no longer allowed to reach the SMS interface.
This approach did in fact have some effect:
| No. | Account | Quantity (messages) | Date |
| 2 | Youbiquan | 540 | 2016-01-08 |
| 3 | Youbiquan | 2857 | 2016-01-04 |
| 4 | Youbiquan | 388 | 2016-01-05 |
| 5 | Youbiquan | 2469 | 2016-01-06 |
Although the IP-based protection had a little effect, it still did not fundamentally stop the attack: we normally send about 50 messages a day, and with the IP firewall rules in place there were still thousands per day. Analysis showed that the attack used far too many IP addresses, so blocking by IP address alone felt hopeless.
One day, at a loss, I opened the Nginx access log again and suddenly noticed that the User-Agent of the attack requests was very short, clearly different from the User-Agent of other accesses.
The attacker's User-Agent appeared to be just "Mozilla/5.0", with nothing more: no system version, no browser, and so on.
Following this guess, I wrote a program to analyse the User-Agent values, and sure enough the very short "Mozilla/5.0" UA appeared only in accesses to the SMS interface and never in other accesses. There were also some UAs that were not short:
Dalvik/1.6.0 (Linux; U; Android 4.2.2; r827t build/jdq39)
A search showed that Dalvik is the Android virtual machine, and suddenly it was clear: we could guard entirely on the UA, intercepting both the "Mozilla/5.0" requests and all the virtual-machine ones, and the problem would be solved.
So I added the following pieces of configuration to Nginx:
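As an added example (not the author's code), the following Python script does the two kinds of log triage this section describes on Nginx access-log lines: it emulates the per-IP hit counting of the iptables recent rule above (hitcount 4 within 86400 seconds) and applies the same two User-Agent tests as the Nginx rules (a bare Mozilla/5.0, or a Dalvik UA). The sample log lines are constructed to match the post's log format; the client IPs, device strings and thresholds in it are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
SMS_MARKER = "showtype=smsauthcode"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"')
# Constructed sample in nginx "combined" format, shaped like the post's log (not real traffic).
SAMPLE_LOG = """\
221.178.182.21 - - [05/Jan/2016:16:19:25 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4.3; XM50h Build/19.1.1.C.1.2)" "-"
118.114.160.200 - - [05/Jan/2016:16:21:26 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:21:39 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:21:51 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
118.114.160.200 - - [05/Jan/2016:16:22:03 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [05/Jan/2016:16:22:10 +0800] "POST /myinterface?showtype=smsauthcode HTTP/1.1" 200 161 "-" "Mozilla/5.0 (Linux; Android 5.1; SM-G900F) AppleWebKit/537.36 Chrome/47.0 Mobile Safari/537.36" "-"
"""

def parse_line(line):  # ip/time/path/ua of one access-log line, or None if it does not match
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def ua_verdict(ua):
    """Same two tests as the post's nginx rules: a bare 'Mozilla/5.0', or a Dalvik (Android VM) UA."""
    if ua == "Mozilla/5.0":
        return "bare-mozilla"
    return "dalvik" if ua.lower().startswith("dalvik/") else "ok"

def ips_over_limit(records, window_s=86400, hitcount=4):
    """Emulate 'iptables -m recent --seconds 86400 --hitcount 4' on SMS-endpoint hits per IP."""
    hits = defaultdict(list)
    for r in records:
        if SMS_MARKER in r["path"]:
            hits[r["ip"]].append(r["time"])
    flagged = set()
    for ip, times in hits.items():
        times.sort()  # flag if any hitcount consecutive hits fall inside a window_s-second span
        if any((times[i + hitcount - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - hitcount + 1)):
            flagged.add(ip)
    return flagged

def triage(log_text=SAMPLE_LOG):
    """SMS-endpoint summary: request count, UA verdict tallies, IPs the recent rule would catch."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    sms = [r for r in records if SMS_MARKER in r["path"]]
    return {"sms_requests": len(sms), "ua_verdicts": Counter(ua_verdict(r["ua"]) for r in sms),
            "flagged_ips": ips_over_limit(records)}
```

Before deploying the Dalvik rule, check what User-Agent your own app sends: "Dalvik/x.y (...)" is also the default UA of Android's HttpURLConnection, so the rule can block legitimate clients that do not set their own.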
if ($http_user_agent = "Mozilla/5.0") {
    return 503;
}
if ($http_user_agent ~* "dalvik/1.6.0") {
    return 503;
}
The first block is a strict match on "Mozilla/5.0"; the second matches UAs beginning with Dalvik, the virtual-machine UA.
Sure enough, guarding this way had an immediate and clear effect:
| No. | Account | Quantity (messages) | Date |
| 2 | Youbiquan | 57 | 2016-01-09 |
After the new guard went live, the number of messages sent went straight back to the normal level from before; we tested with a few phones and everything was OK.
But it is too early to celebrate: attackers can easily forge a UA, and to truly solve the DDoS problem I will have to keep learning.
The above describes how I used Nginx to deal with the DDoS attack I encountered; I hope it is helpful to friends following the PHP tutorials.