A CC attack is a type of DDoS (distributed denial of service). Compared with other DDoS attacks, CC appears more technical: you see no forged IPs and no abnormally large traffic volume, yet the server can no longer be reached normally, and an ordinary ADSL user is enough to bring down a high-performance Web server. This shows how harmful it is, and it is no exaggeration to call it a "Web killer". What worries webmasters most is that the technical bar for this attack is not high: with tools and some IP proxies, a user with beginner or intermediate computer skills can carry out such a DDoS attack.
So how can the security of these Web servers be ensured? To protect against CC attacks, it is necessary to understand how CC attacks work, how to tell whether a CC attack is taking place, and what measures prevent them.
First. The principle of CC attacks
The principle of a CC attack is that the attacker controls a number of hosts that continuously send large numbers of packets to the target server, exhausting its resources until it crashes. CC is mainly used to attack pages. Everyone has had this experience: when a webpage is visited by a large number of people at once, it opens slowly. CC simulates many users (the number of threads is the number of users) accessing pages that require a lot of data operations (that is, a lot of CPU time), wasting server resources. The CPU stays at 100% for a long time, there are always unfinished connections, and eventually the network is congested and normal access is suspended.
Second. Types of CC attacks
There are three types of CC attacks: direct attacks, proxy attacks, and botnet attacks.
Direct attacks mainly target Web applications with serious flaws. Generally speaking, this only happens when there is a problem in how the program was written, which is relatively rare.
Botnet attacks are somewhat similar to DDoS attacks and can no longer be defended against at the Web application level.
Proxy attacks: CC attackers generally operate a batch of proxy servers, for example 100 proxies, and each proxy sends 10 requests at the same time, so the Web server receives 1000 concurrent requests. After sending a request, the attacker immediately disconnects from the proxy, so that the data returned by the proxy does not occupy its own bandwidth and it can initiate the next request. The Web server then queues the processes that respond to these requests, and the database server does the same. Normal requests are therefore processed very late, just like going to the cafeteria: usually fewer than ten people are in line, but today there are a thousand people in front of you, so the chance of your turn coming is very small. At this point the page opens extremely slowly or shows a blank screen.
Third. Attack symptoms
CC attacks are somewhat concealed, so how do we determine whether the server is under, or has been under, a CC attack? The following three methods can be used.
(1). Command line method
Generally, when a Web server is under a CC attack, port 80 is effectively closed to the outside world, because the port is blocked by a large amount of junk data and normal connections are terminated. We can check this by entering the command netstat -an on the command line. If you see a large number of connection records similar to the following, you can basically conclude that you are under a CC attack:
...
TCP 192.168.1.3:80 192.168.1.6:2205 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2205 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2205 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2205 SYN_RECEIVED 4
TCP 192.168.1.3:80 192.168.1.6:2205 SYN_RECEIVED 4
...
Here "192.168.1.6" is the IP of the host used as the attack proxy, and "SYN_RECEIVED" is the TCP connection state flag meaning "in the initial synchronization state of the connection": the handshake response cannot be completed and the connection is waiting. This is the characteristic of the attack. Generally there will be many such records, indicating attacks from different proxy IPs.
(2). Batch method
The above method requires entering commands by hand, and if the Web server has too many IP connections this becomes laborious, so we can create a batch file that checks for a CC attack through script code. Open Notepad, type the following code and save it as CC.bat:
@echo off
REM Append a timestamp, then every current TCP connection on port 80, to log.log
time /t >>log.log
netstat -n -p tcp | find ":80" >>log.log
notepad log.log
exit
The script above filters out all current connections to port 80. When the server seems abnormal, double-click to run the batch file and then view all the connections in the log.log file that opens. If the same IP has many connections to the server, it can basically be determined that this IP is carrying out a CC attack on the server.
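The per-IP count that the command-line and batch methods above leave you to do by eye, as an added example (not code from the article): it parses a netstat snapshot in the Windows layout shown above, groups connections to the local port by remote IP and TCP state, and lists the IPs holding more than a threshold of connections. The sample lines and the threshold are constructed.

```python
"""Count port-80 connections per remote IP in netstat output (added example, not from the article).

Assumptions: Windows 'netstat -an' / 'netstat -n -p tcp' line layout (proto, local, remote, state);
the sample snapshot and the threshold are constructed for illustration.
"""
from collections import Counter

# Constructed snapshot: one proxy host holding many half-open connections to port 80.
NETSTAT_SAMPLE = """
  TCP    192.168.1.3:80    192.168.1.6:2205    SYN_RECEIVED
  TCP    192.168.1.3:80    192.168.1.6:2206    SYN_RECEIVED
  TCP    192.168.1.3:80    192.168.1.6:2207    SYN_RECEIVED
  TCP    192.168.1.3:80    192.168.1.6:2208    SYN_RECEIVED
  TCP    192.168.1.3:80    192.168.1.20:51000  ESTABLISHED
  TCP    192.168.1.3:3389  192.168.1.21:49152  ESTABLISHED
"""


def connections_per_ip(text, local_port=80):
    """Map remote IP -> Counter of TCP states, for connections to local_port only."""
    per_ip = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        local, remote, state = parts[1], parts[2], parts[3]
        if not local.endswith(":%d" % local_port):
            continue
        ip = remote.rsplit(":", 1)[0]  # strip the remote port
        per_ip.setdefault(ip, Counter())[state] += 1
    return per_ip


def suspicious_ips(text, limit=3, local_port=80):
    """Remote IPs with more than `limit` connections to local_port, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in connections_per_ip(text, local_port).items()}
    return [ip for ip, n in sorted(totals.items(), key=lambda kv: -kv[1]) if n > limit]


if __name__ == "__main__":
    print(suspicious_ips(NETSTAT_SAMPLE))  # ['192.168.1.6']
```

On a live server, feed it the text of `netstat -n -p tcp` instead of the constructed sample.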
(3). View system log
The two methods above have a drawback: only a CC attack in progress can be seen, and there is no way to determine whether the Web server suffered a CC attack earlier. For that we can check the Web log, because the Web log faithfully records every IP's access to Web resources. By examining the log we can determine whether the Web server was attacked by CC before, identify the attacker's IP, and then take further measures.
Web logs are generally in the C:\WINDOWS\system32\LogFiles\HTTPERR directory, where log files with names like httperr1.log record Web access errors. The administrator can choose the log to open by its timestamp and analyze whether the Web server was attacked by CC. By default, the Web log does not record many items. We can configure IIS so that the Web log records more items for security analysis. The steps are:
Open "Internet Information Server" from "Start → Administrative Tools", expand the tree on the left to locate the corresponding Web site, right-click and select "Properties" to open the site properties window, then click the "Properties" button under the "Website" tab. Under the "Advanced" tab of the "Logging Properties" window you can check the corresponding "Extended Properties" that the Web log should record. For example, "number of bytes sent", "number of bytes received" and "time used" are not selected by default, but they are very useful for recording and judging CC attacks and can be checked. In addition, if you have high security requirements, you can set the "New Log Schedule" under the "General" tab to "hourly" or "every day". To make it easier to determine the time in later analysis, you can check "Use local time for file naming and creation".
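The after-the-fact log review described above, and the "single IP intensive access" and "surge in requests for a specific URL" signals mentioned in the prevention section, as an added example (not code from the article): it parses IIS W3C-format log lines using the `#Fields:` header and flags IPs and URLs whose hit count inside any one time window exceeds a threshold. The log lines, thresholds and window size are constructed.

```python
"""Flag CC-style request floods in an IIS W3C log (added example, not from the article).

Assumptions: the log's #Fields: header includes date, time, c-ip and cs-uri-stem;
the sample log lines and the threshold values below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: one proxy IP hammering a CPU-heavy search page, plus normal traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2023-01-01 10:00:00 203.0.113.7 GET /search.asp 200 950
2023-01-01 10:00:00 203.0.113.7 GET /search.asp 200 940
2023-01-01 10:00:01 203.0.113.7 GET /search.asp 200 1200
2023-01-01 10:00:01 203.0.113.7 GET /search.asp 200 1100
2023-01-01 10:00:02 203.0.113.7 GET /search.asp 200 1300
2023-01-01 10:00:02 198.51.100.4 GET /index.htm 200 15
2023-01-01 10:00:03 198.51.100.9 GET /about.htm 200 12
2023-01-01 10:01:05 203.0.113.7 GET /search.asp 200 900
"""

EPOCH = datetime(1970, 1, 1)  # naive reference point; avoids local-timezone surprises


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_floods(text, per_ip_limit=4, per_url_limit=4, window_seconds=60):
    """Return (ips, urls) whose hits in any single time window exceed the limits."""
    ip_hits = Counter()
    url_hits = Counter()
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        ip_hits[(rec["c-ip"], bucket)] += 1
        url_hits[(rec["cs-uri-stem"], bucket)] += 1
    ips = sorted({ip for (ip, _), n in ip_hits.items() if n > per_ip_limit})
    urls = sorted({url for (url, _), n in url_hits.items() if n > per_url_limit})
    return ips, urls


if __name__ == "__main__":
    print(find_floods(SAMPLE_LOG))  # (['203.0.113.7'], ['/search.asp'])
```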
Fourth. CC attack defense strategies
Once it is confirmed that the Web server is, or has been, under a CC attack, how can it be defended against effectively?
(1). Cancel domain name binding
Generally, CC attacks target the website's domain name. For example, if our website's domain name is "www.star-net.cn", the attacker sets that domain name as the target in the attack tool and then launches the attack.
Our countermeasure against such an attack is to cancel the binding of this domain name in IIS, so the CC attack loses its target. The specific steps are: open "IIS Manager", locate the site, right-click "Properties" to open the site's properties panel, click the "Advanced" button to the right of the IP address, select the domain name entry for editing, and delete the "Host Header Value" or change it to another value (domain name).
In a simulation test, the Web server's CPU returned to normal immediately after the domain name binding was cancelled, and access and connections via IP were all normal. But the shortcomings are also obvious: cancelling or changing the domain name also breaks other people's access. In addition, it is ineffective against CC attacks aimed at the IP, and once the attacker discovers that the domain name has changed, he will attack the new domain name as well.
(2). Domain spoofing resolution
If a CC attack against a domain name is found, we can resolve the attacked domain name to the address 127.0.0.1. We know that 127.0.0.1 is the local loopback IP used for network testing. If the attacked domain name is resolved to this IP, the attacker ends up attacking himself, so that no matter how many zombie hosts or proxies he has, it is his own machines that go down and suffer.
In addition, when our Web server suffers a CC attack, the attacked domain name can be resolved to an authoritative government website or the website of the Internet police, and the Internet police can clean them up.
Nowadays most Web sites use dynamic domain name resolution services provided by providers such as "Xinwang", where you can log in and configure this.
(3). Change the web port
Under normal circumstances the Web server provides external service on port 80, so the attacker uses the default port 80 when attacking. We can therefore change the Web port to prevent CC attacks. Run IIS Manager, locate the corresponding site and open the site's "Properties" panel; under "Website Identification" there is a TCP port that defaults to 80, which we can change to another port.
(4). Blocking IPs in IIS
If we find the source IP of the CC attack through commands or in the log, we can configure IIS to block that IP's access to the Web site, thereby preventing the attack on IIS. In the "Properties" panel of the corresponding site, click the "Directory Security" tab, then click the "Edit" button under "IP Address and Domain Name Restrictions" to open the settings dialog. In this window we can set "Granted access" (a whitelist) or "Denied access" (a blacklist). For example, we can add the attacker's IP to the "Denied access" list to block that IP's access to the Web site.
Fifth. CC attack prevention methods
Preventing CC attacks does not necessarily require high-defense servers. For example, anti-CC attack software can be effective. Some recommended CC prevention measures:
1. Optimize the code
Use caching as much as possible to store the results of repeated queries and reduce the resource overhead of querying the same data again. Reduce calls to heavy frameworks and cut unnecessary data requests and processing logic. Release resources promptly during program execution, for example closing MySQL connections and memcache connections in time, to reduce the cost of idle connections.
2. Restrictive measures
Add pre-condition checks to programs with higher load. Feasible checks are as follows:
The request must carry session information issued by the website (this simply prevents concentrated requests initiated by a program); it must have a correct referer (which effectively prevents embedded-code attacks); some client types are rejected (such as those with typical bad spider characteristics); and the same session may execute the page only once every few seconds.
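The four pre-condition checks listed above, applied in order to one incoming request, as an added example (not code from the article). The request shape (a dict with cookies, headers and path), the site host, the bad-spider pattern and the minimum interval are all constructed assumptions; in a real site the session table would live in the application's session store.

```python
"""Pre-condition checks for a heavy page (added example, not from the article).

Assumptions: a request is a dict with 'cookies' and 'headers' keys; sessions the site
issued are tracked in SESSION_LAST_SEEN; SITE_HOST, BAD_AGENT and the interval are constructed.
"""
import re
import time

SITE_HOST = "www.example.com"      # constructed value for the site's own host
MIN_INTERVAL_SECONDS = 5           # one heavy request per session every 5 s
# Constructed "bad spider" user-agent pattern: scripted clients and an empty agent.
BAD_AGENT = re.compile(r"(python-requests|curl|wget|^$)", re.I)
SESSION_LAST_SEEN = {}             # session id -> time of its last heavy request


def issue_session(session_id):
    """Register a session id handed out by the site so later requests can be checked."""
    SESSION_LAST_SEEN[session_id] = None


def check_heavy_request(request, now=None):
    """Return (allowed, reason). Order: session, referer, user-agent, per-session rate."""
    now = time.time() if now is None else now
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSION_LAST_SEEN:
        return False, "no session issued by this site"
    referer = request.get("headers", {}).get("Referer", "")
    if not referer.startswith(("http://" + SITE_HOST + "/", "https://" + SITE_HOST + "/")):
        return False, "referer is not this site"
    agent = request.get("headers", {}).get("User-Agent", "")
    if BAD_AGENT.search(agent):
        return False, "client looks like an automated spider"
    last = SESSION_LAST_SEEN[sid]
    if last is not None and now - last < MIN_INTERVAL_SECONDS:
        return False, "same session ran this page less than %d s ago" % MIN_INTERVAL_SECONDS
    SESSION_LAST_SEEN[sid] = now  # record the run for the next rate check
    return True, "ok"
```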
3. Improve the log
Keep the access log as complete as possible. A log analysis program can then identify abnormal access as early as possible, such as a single IP accessing intensively, or a surge in requests for specific URLs compared with the usual level.