A CC attack (Challenge Collapsar) is a kind of DDoS (distributed denial of service) and a common way of attacking websites. The attacker sends a large number of packets to the victim host through proxy servers or "broilers" (compromised zombie hosts), exhausting the target server's resources until it crashes.
Determine whether the server is under CC attack
Command line method
Generally, when a Web server is under a CC attack, port 80 appears closed to the outside, because that port has been flooded with junk data and normal connections are terminated.
So you can check by typing the command netstat -an on the command line. If you see many connection records like the following, the server is basically under CC attack:
...
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2203 SYN_RECEIVED 4
...
Here, the foreign address (192.168.1.6 in the listing above) is the IP of the proxy host used to launch the attack, and "SYN_RECEIVED" is the TCP connection state flag, meaning the connection is in its initial synchronization state: the handshake could not be completed and the connection is waiting. This is the characteristic of a server under attack. In a typical attack there will be many such records, indicating attacks from many different proxy IPs.
Batch method
The above method requires typing commands by hand, and if the Web server has too many IP connections it becomes laborious, so we can create a batch file that determines whether there is a CC attack through script code. Open Notepad, type the following code and save it as CC.bat:
@echo off
rem append the current time, then every TCP connection on port 80, to log.log
time /t >>log.log
netstat -n -p tcp |find ":80">>log.log
notepad log.log
exit
The meaning of the above script is to filter out all current connections to port 80. When we feel that the server is behaving abnormally, we can double-click the batch file to run it and then view all the connections in the log.log file it opens. If there are many connections from the same IP to the server, it can basically be determined that this IP is carrying out a CC attack on the server.
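The two manual checks above (looking for SYN_RECEIVED floods and counting connections per IP on port 80) can be done in one pass over the netstat output. The following Python script is an added example, not code from the original article; the netstat listing it parses is constructed sample text, and the threshold of 3 connections is an assumed value for illustration.

```python
"""Count TCP connections to local port 80 per remote IP from netstat output."""
from collections import Counter, defaultdict

# Constructed sample of `netstat -n -p tcp` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.3:80         192.168.1.6:2203       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2204       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2205       SYN_RECEIVED
  TCP    192.168.1.3:80         192.168.1.6:2206       ESTABLISHED
  TCP    192.168.1.3:80         10.0.0.9:51022         ESTABLISHED
  TCP    192.168.1.3:3389       10.0.0.5:49211         ESTABLISHED
"""


def parse_netstat(text, local_port=80):
    """Return {remote_ip: Counter(state -> count)} for connections to local_port."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split()
        # skip headers, blank lines and non-TCP rows; extra trailing columns are ignored
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, remote, state = parts[1], parts[2], parts[3]
        if local.rsplit(":", 1)[1] != str(local_port):
            continue
        remote_ip = remote.rsplit(":", 1)[0]
        per_ip[remote_ip][state] += 1
    return per_ip


def suspicious_ips(per_ip, threshold=3):
    """IPs whose total connections to the port reach the threshold (assumed value),
    mapped to (total, number stuck half-open in SYN_RECEIVED), busiest first."""
    result = {}
    for ip, states in per_ip.items():
        total = sum(states.values())
        if total >= threshold:
            result[ip] = (total, states.get("SYN_RECEIVED", 0))
    return dict(sorted(result.items(), key=lambda kv: -kv[1][0]))


if __name__ == "__main__":
    # On a live host, feed the real output of `netstat -n -p tcp` instead of the sample.
    for ip, (total, half_open) in suspicious_ips(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"{ip}: {total} connections to :80, {half_open} in SYN_RECEIVED")
```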
View system log
The two methods above have a drawback: they only show a CC attack that is happening right now, and cannot tell whether the Web server suffered a CC attack earlier. For that we can check the Web log, because the Web log faithfully records every IP's access to Web resources. By reading the log we can determine whether the Web server was attacked before, identify the attacker's IP, and then take further measures.
The Web log is generally in the C:\WINDOWS\system32\LogFiles\HTTPERR directory, in log files named like httperr1.log, which record Web access errors. The administrator can choose the corresponding log to open by its time attribute and analyze whether the site was under CC attack.
By default the Web log does not record many items. We can configure IIS so that the Web log records more items for security analysis. The steps are: open "Internet Information Server" from "Start→Administrative Tools", expand the items on the left to locate the corresponding Web site, right-click it and select "Properties" to open the site properties window. Click the "Properties" button under the "Website" tab. Under the "Advanced" tab of the "Logging Properties" window, check the corresponding "Extended Properties" so that the Web log records them.
For example, "the number of bytes sent", "the number of bytes received", and "the time spent"
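Once the log contains the extended fields, finding an earlier CC attack means counting requests per client IP and looking at the time-taken column. The Python script below is an added example, not part of the original article; it maps columns by the #Fields header that IIS writes in its W3C extended logs (the HTTPERR logs mentioned above use the same header style, so the same parser applies), and the log lines it reads are constructed sample data.

```python
"""Find the busiest client IPs in an IIS W3C extended log and their mean time-taken."""
from collections import Counter

# Constructed sample in IIS W3C format (not a real log). Columns are taken
# from the #Fields line, so a different column order parses the same way.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status time-taken
2011-05-10 08:00:01 192.168.1.3 GET /index.asp 80 192.168.1.6 200 15
2011-05-10 08:00:01 192.168.1.3 GET /index.asp 80 192.168.1.6 200 1203
2011-05-10 08:00:02 192.168.1.3 GET /index.asp 80 192.168.1.6 200 2411
2011-05-10 08:00:02 192.168.1.3 GET /search.asp 80 192.168.1.6 200 5980
2011-05-10 08:00:03 192.168.1.3 GET /about.asp 80 10.0.0.9 200 12
2011-05-10 08:00:03 192.168.1.3 GET /index.asp 80 192.168.1.6 200 3302
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def requests_per_ip(text, window=None):
    """Count hits per c-ip; window=(start, end) limits to 'HH:MM:SS' times inclusive."""
    hits = Counter()
    for rec in parse_w3c(text):
        if window and not (window[0] <= rec["time"] <= window[1]):
            continue
        hits[rec["c-ip"]] += 1
    return hits


def top_talkers(text, threshold=3):
    """Client IPs with at least `threshold` (assumed value) requests, busiest first."""
    return [(ip, n) for ip, n in requests_per_ip(text).most_common() if n >= threshold]


def avg_time_taken(text, ip):
    """Mean time-taken (ms) for one client; None if the field is not logged."""
    samples = [int(r["time-taken"]) for r in parse_w3c(text)
               if r["c-ip"] == ip and "time-taken" in r]
    return sum(samples) / len(samples) if samples else None
```

A rising mean time-taken alongside a single IP dominating the request count is the pattern worth looking for, since CC traffic targets resource-heavy pages rather than static files.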
Solution
Cancel domain name binding
Generally, CC attacks are aimed at the website's domain name. For example, if the website's domain name is "xxx", the attacker sets that domain name as the target in the attack tool and then launches the attack.
The countermeasure for such an attack is to cancel the binding of this domain name in IIS, so the CC attack loses its target. The steps are: open "IIS Manager" and locate the site, right-click "Properties" to open the site's properties panel, click the "Advanced" button to the right of the IP address, select the domain name entry for editing, and delete the "Host Header Value" or change it to another value (domain name).
In a simulated test, after canceling the domain name binding the Web server's CPU immediately returned to normal, and access and connections through the IP were all normal. But the shortcomings are also obvious: canceling or changing the domain name inconveniences legitimate visitors, and it is ineffective against CC attacks aimed at the IP. Also, once the attacker notices that the domain name has changed, he will attack the new domain name.
Change web port
Under normal circumstances the Web server provides services on port 80, so the attacker uses the default port 80 when attacking. Therefore we can change the Web port to avoid the CC attack. Run IIS Manager, locate the corresponding site, open its "Properties" panel, and under "Website ID" change the TCP port, which defaults to 80, to another port.
IIS IP blocking
When we have found the source IP of the CC attack through the commands or the log, we can configure IIS to block that IP's access to the Web site and so stop the attack on IIS. In the "Properties" panel of the corresponding site, click the "Directory Security" tab, then click the "Edit" button under "IP Address and Domain Name Restrictions" to open the settings dialog. In this window we can set "Authorized Access" (a whitelist) or "Deny Access" (a blacklist). For example, we can add the attacker's IP to the "Deny Access" list to block that IP's access to the Web site.
IPSec blocking
IPSec policies can serve as an excellent system-level firewall. Besides other types of DDoS attacks, IP policies can also be used to counter CC attacks. Taking the IP 219.128.*.43 as an example, the author actually blocks access from this IP.
Step 1: From "Start→Administrative Tools" open "Local Security Settings", right-click "IP Security Policies, on Local Machine", select "Create IP Security Policy", click "Next", and enter the policy "Name" and "Description". Then, keeping the defaults and clicking "Next" all the way through, an IPSec policy named "CC Attack" is created.
Step 2: Right-click "IP Security Policies, on Local Machine" and select "Manage IP filter lists and filter actions". Click "Add" in the window that opens, and in the "IP Filter List" window enter the same name and description as in the previous step. Uncheck "Use Add Wizard" and click "Add". In the "Addresses" tab of the "IP Filter Properties" window, set the "Source address" to "192.168.1.6" and the "Destination address" to "My IP Address", and uncheck "Mirrored". Click the "Protocol" tab, set the "protocol type" to "TCP", set the "protocol port" to "From any port" "To this port: 80", and finally confirm to exit.
Step 3: In the "New Rule Properties" window, click the "CC Attack" filter list you just created, click "Add" under the "Filter Action" tab, and select "Block" under "Security Methods". Under the "General" tab, name the filter action "Prevent CC Attacks" and confirm to exit.
Step 4: Click the "Block CC Attacks" filter action you just created and exit the IP Policy Editor by clicking "OK" all the way out. You can see that a policy named "Block CC Attacks" has been created in the Group Policy window; right-click the policy and select "Assign". In this way the IP is blocked.