First, we use the most famous RedHat Linux for testing the configuration method of the client and server we use to attack. In this attack test, I use fedora core3, the software uses the most famous DDoS attack tool TFN2k Linux. The attacked Windows server system uses the apache2 ftp vnc enabled by windows2000server service, which is not closely related to Apache attacks.
Start to set up the server.
0. D
current number of TCP connectionsNetstat-n | awk '/^tcp/{++s[$NF]} END {for (a in S) print A, s[a]} 'Time_wait 51Fin_wait1 5Established 155SYN_RECV 12Although this will allow Nginx to process only one request a second, but there will still be a lot of waiting in the queue to handle, which will also occupy a lot of TCP connections, from the results of the above command can be seen.What if it does?Limit_req Zone=req_one burst=120 Nodelay;A request that exceeds burst size after Nodelay will return
causes a large number of TCP connection requests to wait .http{. #定义一个名为allips的limit_req_zone used to store session, size is 10M memory, #以 $binary _remote_addr to key, limit the average request per second to 20 , #1M能存储16000个状态, the value of Rete must be an integer, #如果限制两秒钟一个请求, can be set to 30r/m limit_req_zone $binary _remote_addr zone=allips:10m rate=000/ s; server{... location {... #限制每ip每秒不超过20个请求, the number of leaky barrels burst is 5 #brust的意思就是, as Fruit 1 seconds,2,3, the 4-second
This article provides a detailed analysis of PHP programs to prevent ddos, dns, and cluster server attacks.
The code is as follows:
// Query the forbidden IP address$ Ip = $ _ SERVER ['remote _ ADDR '];$ Fileht = ". htaccess2 ";If (! File_exists ($ fileht ))File_put_contents ($ fileht ,"");$ Filehtarr = @ file ($ fileht );If (in_array ($ ip. "\ r \ n", $ filehtarr ))Die ("Warning :".""." Your IP address
How to prevent local users from using fsockopen for DDOS attacks in the IIS environment
/*
From: http://bbs.it-home.org
Date: 2013/2/17
*/
$ Fp = fsockopen ("udp: // $ ip", $ rand, $ errno, $ errstr, 5 );
If ($ fp ){
Fwrite ($ fp, $ out );
Fclose ($ fp );
?>
In this case, you can modify php. ini, disable the fsockopen function, an
1, a traffic attack , mainly for the network bandwidth attack, that is, a large number of attack packets causing network bandwidth is blocked, legitimate network packets are buried by a false attack packet can not reach the host;2, another resource exhaustion attack , mainly for the server host attack, that is, through a large number of attack packets caused the host's memory is exhausted or CPU by the kernel and the application to complete the network service is not available.Reference: http://
Connect VPS Enter First command
Netstat-anp |awk ' {print $} ' |sort|uniq-c |sort-rn
Here we look at Syn_recv these, see his connection number is not high, good hundreds of, it is possible to be DDoS
The next trace is from which IP emits syn
directive: Netstat-an | grep SYN | awk ' {print $} ' | Awk-f: ' {print $} ' | Sort | uniq-c | Sort-nr | More
Next, keep looking, input instructions.
Netstat-ntu | grep SYN | awk ' {print $} ' | Cut-d:-f1 | S
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.