Principle of CC attack
CC is mainly used to attack web pages. Everyone has had this experience: when visiting a forum, if the forum is relatively large and many people are visiting, pages open more slowly, right? Generally speaking, the more visitors a forum has, the more pages it has, the larger its database is, and the more often it is visited, the more system resources it consumes, and that amount is considerable. Now I understand why many hosting providers say you should not upload forums, let alone chat rooms.
A static page does not require many server resources; it can even be read directly from memory and sent to you. A forum is different. When I read a post, the system must check the database: do I have permission to read this post? If so, read the post's content and display it. That is at least two database accesses. If the database is 200MB in size, the system may well have to search through those 200MB of data; how much CPU time does that take? If I search for a keyword, the time is even more considerable, because the earlier lookups can be limited to a small range (the permission check only touches the user table, reading the post only touches the post table, and the query can stop as soon as a match is found), whereas a search must examine all the data once, which consumes a lot of time.
CC takes full advantage of this: it simulates many users (one thread per simulated user) continuously accessing the pages that require a lot of data operations, that is, a lot of CPU time.
Attack phenomenon:
The server's traffic can reach more than tens of M in an instant, and the website cannot be opened. Restart IIS and you will find that the traffic drops immediately. Looking at the IIS logs, you will find many different IPs repeatedly accessing the same file. Check C:\WINDOWS\system32\LogFiles\HTTPERR and you will find many IIS error log entries, as follows:
2007-08-22 06:05:28 61.140.127.206 61905 61.139.129.56 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 221.8.137.99 3916 61.139.129.56 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 220.187.143.183 4059 61.139.129.56 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 218.18.42.231 1791 61.139.129.56 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 125.109.129.32 3030 61.139.129.56 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 58.216.2.232 1224 61.139.129.56 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
...
It can be seen that many different IPs are accessing the list.asp file. The phenomena above are the characteristics of a CC attack. Depending on the number of zombie machines used to launch it, a small attack can make the website slow or unstable, and a large one can keep the website from opening at all.
Because this type of attack simulates normal users continuously requesting a web page, it is difficult to defend against with an ordinary firewall. Below, based on actual work experience, we discuss how to deal with this attack without using a firewall.
Because CC attacks use zombie machines or proxies to access our server, they differ from SYN flood attacks: a SYN flood uses constantly changing spoofed IPs, while the IPs used in a CC attack are real and basically do not change. As long as we use a security policy to block all of these IPs, the problem is solved.
I have seen the method introduced by some netizens, but it blocks IPs manually one by one, and an attack usually involves thousands of different IPs. Blocking them by hand is far too troublesome, so next we use a program to block these IPs automatically.
The program reads the IIS log of the attacked website, extracts the client IP addresses, and blocks them automatically with a security policy (IPsec). The VBS code is as follows:
'Code starts
Set fileobj=CreateObject("Scripting.FileSystemObject")
logfilepath="E:\w3log\W3SVC237\ex070512old.log" 'Pay attention to specifying the log path of the attacked website.
'If it is a virtual host, to find out which website is under attack, check C:\WINDOWS\system32\LogFiles\HTTPERR;
'it is easy to tell from the error log.
writelog "netsh ipsec static add policy name=XBLUE"
writelog "netsh ipsec static add filterlist name=denyip"
overip=""
f_name=logfilepath 'Specify the log file.
'Program function: extract the IPs in the log file into the filter format required by IPsec and import them into IPsec for filtering. Suitable for situations where a website is subject to a large number of CC attacks.
'by China Webmaster Data Center http://www.ixzz.com China's largest virtual hosting service provider, 12G all-purpose space for 350 yuan!
'2007-5-12
'This program is original to this site. If you want to quote it, please keep our URL.
set fileobj88=CreateObject("Scripting.FileSystemObject")
Set MYFILE=fileobj88.OpenTextFile(f_name,1,false)
contentover=MYFILE.ReadAll()
contentip=lcase(contentover)
MYFILE.close
set fileobj88=nothing
on error resume next
myline=split(contentip,chr(13))
for i=0 to ubound(myline)-1
myline2=split(myline(i)," ")
newip=myline2(6) 'Column of the client IP (c-ip); check the #Fields line of your log, the position depends on the logging fields enabled in IIS.
'Specify a separate identification string!
if instr(overip,"|"&newip&"|")=0 then 'Remove duplicate IPs; the "|" delimiters stop 1.2.3.4 from matching inside 11.2.3.45.
overip=overip&"|"&newip&"|"
dsafasf=split(newip,".")
if ubound(dsafasf)=3 then 'Only keep values that look like a dotted IPv4 address (skips the # header lines).
writelog "netsh ipsec static add filter filterlist=denyip srcaddr="&newip&" dstaddr=Me dstport=80 protocol=TCP"
end if
else
wscript.echo newip &" already exists!"
end if
next
writelog "netsh ipsec static add filteraction name=denyact action=block"
writelog "netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact"
writelog "netsh ipsec static set policy name=XBLUE assign=y"
Sub writelog(errmes) 'Append one line to the bat file that will load the IPsec policy.
ipfilename="denyerrorip.bat"
Set logfile=fileobj.opentextfile(ipfilename,8,true)
logfile.writeline errmes
logfile.close
Set logfile=nothing
End Sub
'Code ends
Save the above code as a .vbs file and set the log path. Double-click it to run. After it runs, a denyerrorip.bat file is generated; this is the policy file required by IPsec. Double-click that file to run it as well.
After it runs, the CC attack problem is solved.
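The following is an added example, not code from the article or its author, covering the two steps described above: recognising the "many IPs hammering one file" pattern in the HTTPERR log, and generating the same netsh ipsec block script that the VBS produces. It differs from the VBS in three ways a practitioner would want: the client-IP column is located from the log's own #Fields: directive instead of a hard-coded index, only addresses that repeat a request at least a threshold number of times are blocked (so a one-off legitimate visitor, or a proxy that forwarded a single real user, is not cut off), and every address is validated before it reaches netsh. The sample log below is constructed with documentation-range addresses, and the thresholds, function names and the rule name blockcc are this example's assumptions; the netsh commands themselves are those the article uses.

```python
"""Added example (not from the original article): parse an IIS W3C-style log,
find client IPs that repeatedly hit the same URI, emit netsh ipsec block commands."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample in the HTTPERR format shown in the article. The client
# addresses are documentation-range IPs (RFC 5737), not real attackers.
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2007-08-22 06:05:28 203.0.113.10 61905 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 203.0.113.11 3916 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:28 203.0.113.12 4059 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:29 203.0.113.10 61906 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:29 203.0.113.11 3917 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:29 203.0.113.12 4060 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:30 203.0.113.10 61907 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:30 203.0.113.11 3918 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:30 203.0.113.12 4061 192.0.2.1 80 HTTP/1.1 GET /list.asp?ProdId=0961 503 30 ConnLimit pool21
2007-08-22 06:05:31 198.51.100.7 51000 192.0.2.1 80 HTTP/1.1 GET /index.asp 503 30 ConnLimit pool21
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in '#Fields:'.
    Works for HTTPERR and per-site IIS logs alike: the column order comes from
    the header, not from a hard-coded index. Rows whose field count does not
    match the header (truncated or wrapped lines) are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def uri_stem(rec):
    """Requested file without its query string (HTTPERR logs carry cs-uri,
    per-site logs carry cs-uri-stem)."""
    if "cs-uri-stem" in rec:
        return rec["cs-uri-stem"]
    return rec.get("cs-uri", "-").split("?", 1)[0]


def hot_uris(records, min_distinct_ips=3):
    """URIs requested by at least min_distinct_ips different client addresses:
    the 'many IPs accessing the same file' pattern the article describes."""
    ips_by_uri = defaultdict(set)
    for rec in records:
        ips_by_uri[uri_stem(rec)].add(rec["c-ip"])
    return sorted(u for u, ips in ips_by_uri.items() if len(ips) >= min_distinct_ips)


def suspicious_ips(records, threshold=3):
    """Client IPs with at least `threshold` requests for a single URI. A per-IP
    threshold keeps a visitor who hit the page once out of the block list."""
    hits = Counter((rec["c-ip"], uri_stem(rec)) for rec in records)
    return sorted({ip for (ip, _uri), n in hits.items() if n >= threshold},
                  key=ipaddress.ip_address)


def netsh_block_script(ips, policy="XBLUE", filterlist="denyip", action="denyact"):
    """Build the netsh ipsec batch the article's VBS writes, one filter per
    address. Duplicates are dropped and each address is validated so a garbled
    log field never reaches netsh. Rule name 'blockcc' is this example's choice."""
    lines = [f"netsh ipsec static add policy name={policy}",
             f"netsh ipsec static add filterlist name={filterlist}"]
    seen = set()
    for ip in ips:
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            continue
        if addr in seen:
            continue
        seen.add(addr)
        lines.append(f"netsh ipsec static add filter filterlist={filterlist} "
                     f"srcaddr={addr} dstaddr=Me dstport=80 protocol=TCP")
    lines += [f"netsh ipsec static add filteraction name={action} action=block",
              f"netsh ipsec static add rule name=blockcc policy={policy} "
              f"filterlist={filterlist} filteraction={action}",
              f"netsh ipsec static set policy name={policy} assign=y"]
    return lines


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("URIs hit by many distinct IPs:", hot_uris(recs))
    bad = suspicious_ips(recs)
    print("IPs to block:", bad)
    # Same output file name as the article's VBS; run it on the server as admin.
    with open("denyerrorip.bat", "w") as fh:
        fh.write("\r\n".join(netsh_block_script(bad)) + "\r\n")
```

To use it on a real log, replace SAMPLE_LOG with the contents of the HTTPERR file or the site's ex*.log and raise the thresholds to whatever a legitimate visitor on that site would never reach in the log window; because CC traffic comes through proxies, any IP you block may also carry real users, which is why the threshold matters more than the parser.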