What is a CC attack?
An attacker uses proxy servers or a botnet to generate seemingly legitimate requests aimed at the victim host, achieving a DDoS while disguising its origin; this is called a CC (Challenge Collapsar) attack.
Principle
A CC (Challenge Collapsar) attack is a type of DDoS attack in which a proxy server or botnet sends a large number of seemingly legitimate requests to the victim server. CC is named after its tool; the attacker uses a proxy mechanism to launch the DDoS through the many widely available free proxy servers. Many free proxies support an anonymous mode, which makes tracing very difficult.
The principle of a CC attack is that the attacker controls a number of hosts that keep sending large volumes of packets to the target server until it runs out of resources and crashes. CC is mainly used against pages or applications; everyone has had the experience of a web page opening slowly when it is being visited by an unusually large number of people. CC simulates many users (one per thread) continuously requesting the pages that need heavy processing (that is, a lot of CPU time), wasting server resources: the CPU sits at 100% for long periods, there are always connections that cannot be processed, the network becomes congested, and normal access is aborted.
Anti-CC attack
CC attacks can be classified as a type of DDoS attack. The principle is the same: sending a large volume of request data causes the server to deny service, so it is a connection attack. CC attacks can be divided into proxy CC attacks and zombie-host ("broiler") CC attacks. In a proxy CC attack the attacker uses a proxy server to generate legitimate-looking web page requests to the victim host, implementing a DDoS while disguising its origin: CC (Challenge Collapsar). In a broiler CC attack the attacker uses CC attack software to control a large number of compromised hosts (broilers) and launch the attack from them. The latter is harder to defend against than the former, because the broilers can simulate normal users visiting the website, forging traffic into legitimate-looking packets.
A static page does not require many server resources; it can even be read directly from memory and sent to you. Dynamic websites such as forums are different. When I read a post, the system must go to the database to judge whether I have permission to read it, and if so, read the post's content and display it, so the database has been accessed at least twice. If the database is 200 MB, the system probably has to search within that 200 MB of data, and how much CPU time does that take? If I search for a keyword, the cost is higher still, because the earlier lookups could be limited to a small range (the permission check to the user table, the post content to the post table) and could stop as soon as a match was found, whereas a search must examine all of the data, which consumes considerable time.
A CC attack takes full advantage of this characteristic: it simulates multiple users (as many as there are threads) constantly accessing pages that require a lot of data operations, that is, a lot of CPU time, such as ASP/PHP/JSP/CGI pages. Many people ask why a proxy is used. Proxies effectively hide the attacker's identity and bypass all firewalls, because essentially every firewall detects concurrency: once the number and frequency of TCP/IP connections from one source exceed a threshold, it is treated as a connection flood. Of course, broilers can also be used to launch CC attacks, and their effect is even more striking, driving the server CPU to 100% or even crashing it.
Attacking through proxies also keeps connections open cheaply: the data is sent to the proxy, the proxy forwards it to the target server, and the attacker can disconnect immediately while the proxy keeps its connection to the target open (the record I know of is someone using 2,000 proxies to generate 350,000 concurrent connections). Of course, CC can also use this method to attack FTP, game ports, chat rooms, and so on, and can also implement a TCP flood; these have been tested and work.
Attack symptoms
CC attacks are somewhat stealthy, so how do you determine whether a server is suffering, or has suffered, a CC attack? The following three methods can be used.
1. Command-line method
In general, when a web server is under CC attack, port 80 becomes unreachable from the outside because it is clogged with a large amount of junk traffic and normal connections are aborted. At the command line you can run netstat -an to check. SYN_RECEIVED is the TCP connection state meaning "in the initial synchronization state of the connection", indicating that the handshake cannot be completed and the side is waiting for a reply. This is a characteristic of the attack: there are usually many such entries, indicating attacks from different proxy IPs.
2. Batch processing
The above method requires typing commands by hand, which is laborious when the web server has many IP connections. Instead, a batch file can be created and its script used to determine whether a CC attack is under way. The script filters out all current connections to port 80. When the server seems abnormal, double-click the batch file and then view all connections in the log.log file it opens. If the same IP has many connections to the server, you can basically conclude that the IP is conducting a CC attack on the server.
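The check described in methods 1 and 2, as an added example that is not part of the original article: the script parses the output of netstat -an (the sample below is constructed, not captured from a real host), keeps only TCP connections to local port 80, counts them per remote IP, optionally restricts the count to one TCP state such as SYN_RECEIVED, and lists the IPs at or above a threshold. The function and variable names are the example's own.

```python
"""Count connections to local port 80 per remote IP from `netstat -an` output.

Added example (not the article's batch script).  SAMPLE_NETSTAT is a
constructed Windows-style netstat listing used when no live output is given.
"""
import re
import subprocess
import sys
from collections import Counter

# Constructed sample of `netstat -an` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:51235     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:51236     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:51237     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:40001      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.9:40002      ESTABLISHED
  TCP    192.0.2.10:443         203.0.113.9:40003      ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.20:50000     ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# One TCP row: protocol, local address, foreign address, state.
TCP_LINE_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$")


def split_host_port(addr):
    """Split 'host:port' or '[ipv6]:port' into (host, port-or-None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def connections_by_ip(netstat_output, local_port=80, states=None):
    """Return a Counter: remote IP -> number of TCP connections to local_port.

    LISTENING sockets are skipped.  If `states` is given (e.g. {"SYN_RECEIVED"}),
    only connections in those states are counted.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        match = TCP_LINE_RE.match(line)
        if not match:
            continue
        _, lport = split_host_port(match.group("local"))
        rhost, _ = split_host_port(match.group("remote"))
        state = match.group("state")
        if lport != local_port or state == "LISTENING":
            continue
        if states and state not in states:
            continue
        counts[rhost] += 1
    return counts


def suspicious_ips(counts, threshold):
    """(ip, count) pairs at or above the threshold, busiest first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Live run: `python cc_check.py 50` reads netstat on this host; otherwise the sample is used.
    try:
        output = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_NETSTAT
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 50
    for ip, n in suspicious_ips(connections_by_ip(output), limit):
        print(f"{ip}\t{n}")
```

Counting only SYN_RECEIVED separately from all states is worth doing: a proxy-driven flood shows many half-open handshakes per source, whereas a legitimately busy client shows mostly ESTABLISHED connections.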
3. Check the system log
Web logs are generally in the C:\WINDOWS\system32\LogFiles\HTTPERR directory, in log files named like httperr1.log, which record web access errors. The administrator can pick the log covering the relevant time by its timestamp and open it to analyze whether the web server has been attacked by CC.
By default the web log records few items. Through IIS you can have the web log record more items for security analysis. The steps are: "Start → Administrative Tools", open "Internet Information Services", expand the tree on the left to the corresponding website, right-click it and choose "Properties" to open the site properties window, then click the "Properties" button under the "Website" tab. In the "Logging Properties" window select the "Advanced" tab, where you can check the corresponding extended properties for the web log to record. For example, "Bytes Sent", "Bytes Received" and "Time Taken" are not selected by default, but they are very useful when judging a CC attack from the records, so check them. In addition, if you have high security requirements, you can set the "New Log Plan" under the "General" tab to "Hourly" or "Daily", and check "Use local time for file naming and creation" so that the time can be determined in later analysis.
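The log analysis described in method 3, as an added example rather than code from the article: a small parser for the IIS W3C extended log format (the site log whose fields the steps above enable), which reads the field names from the #Fields directive, then counts requests per client IP per minute and sums the Time Taken per URI so that the dynamic pages being hammered stand out. The log lines below are constructed for illustration, and the function names are the example's own.

```python
"""Spot CC-style traffic in an IIS W3C extended-format site log.

Added example, not code from the article.  SAMPLE_LOG is constructed; the
field list (#Fields) is read from the file, so real logs with other columns
parse the same way as long as c-ip, cs-uri-stem and time-taken are enabled.
"""
from collections import Counter, defaultdict

# Constructed W3C log: four search requests per second from one client, two quiet clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes cs-bytes time-taken
2024-01-15 10:00:01 192.0.2.10 GET /forum/search.asp keyword=test 198.51.100.7 200 5120 310 1890
2024-01-15 10:00:01 192.0.2.10 GET /forum/search.asp keyword=test 198.51.100.7 200 5120 310 2010
2024-01-15 10:00:02 192.0.2.10 GET /forum/search.asp keyword=test 198.51.100.7 200 5120 310 1950
2024-01-15 10:00:02 192.0.2.10 GET /forum/search.asp keyword=test 198.51.100.7 200 5120 310 2100
2024-01-15 10:00:03 192.0.2.10 GET /index.html - 203.0.113.5 200 2048 200 3
2024-01-15 10:00:07 192.0.2.10 GET /forum/post.asp id=42 203.0.113.9 200 8192 250 120
2024-01-15 10:01:00 192.0.2.10 GET /forum/search.asp keyword=test 198.51.100.7 200 5120 310 1875
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line.

    Directive lines start with '#'.  IIS may emit a new #Fields line when the
    configuration changes, so the field list is re-read whenever it appears.
    Rows whose column count does not match are skipped rather than misaligned.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def requests_per_ip_per_minute(records):
    """Counter keyed by (client IP, 'YYYY-MM-DD HH:MM') -> request count."""
    counts = Counter()
    for rec in records:
        minute = rec["time"][:5]
        counts[(rec["c-ip"], f"{rec['date']} {minute}")] += 1
    return counts


def time_taken_by_uri(records):
    """Total server time in milliseconds per URI stem; costly dynamic pages rise to the top."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["cs-uri-stem"]] += int(rec["time-taken"])
    return dict(totals)


def flag_clients(text, per_minute_threshold):
    """Client IPs that reached the threshold in at least one minute, sorted."""
    per_minute = requests_per_ip_per_minute(parse_w3c(text))
    return sorted({ip for (ip, _), n in per_minute.items() if n >= per_minute_threshold})


if __name__ == "__main__":
    print("busy clients:", flag_clients(SAMPLE_LOG, per_minute_threshold=4))
    for uri, ms in sorted(time_taken_by_uri(parse_w3c(SAMPLE_LOG)).items(), key=lambda kv: -kv[1]):
        print(f"{ms:>8} ms  {uri}")
```

Correlating the two views is the point: a source that both dominates the per-minute request count and concentrates on the URIs with the highest Time Taken matches the pattern the article describes, whereas a source that only fetches static files at high rate is a weaker signal.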
Defense methods
A CC attack must be defended against with a combination of methods, all of which essentially aim to improve the server's ability to handle concurrency.
1. Vertical and horizontal scaling of servers
When funding permits, this is the simplest method. It is not aimed at CC attacks as such but at improving the service's own concurrency, yet it does raise the load a CC attack must generate. Vertical scaling means increasing the hardware capacity of each server, such as upgrading the CPU, adding memory, or moving to SSDs. Horizontal scaling means adding servers to increase capacity. Both can be carried out at each tier of the service: application servers, database servers, cache servers, and so on.
2. Data cache (in memory, not in files)
Data that is widely shared within the service, reused by many users, or reused repeatedly by a single user should be put in a cache once it has been retrieved from the database or computed, so that later requests can fetch it directly from the cache. This reduces the query load on the database and the computation load on the application server, returns results quickly and releases processes, relieving memory pressure on the server. Note that the cache should not be file-based; use a memory-based NoSQL cache such as Redis or Memcached, separated from the application server and deployed on its own within the local network. The local network's I/O must exceed disk I/O, and so that the local network does not itself become the bottleneck, Gigabit networking is also required.
3. Static pages
Like data caching, page content is essentially data. The usual approach is to generate static HTML files and use the caching of the client browser, the server's caching service, and CDN edge caches. All of these reduce the data retrieval and computation load on the server, return results quickly, and release the connection process.
4. User-level call frequency limits
Whether or not the user is logged in, the client can be assigned a unique identifier (hereafter SID) based on the session or similar, and the server stores the SID in the cache. When a client requests a service without a SID (in a cookie, request parameter, etc.), the server quickly assigns one and returns it; that request may return no business data, or the SID may be assigned by a step independent of the business service. When a client request carries a valid SID (one that can be matched in the server-side cache), the server can rate-limit by SID. Requests with invalid SIDs are refused outright. Compared with rate limiting by IP, rate limiting by SID is more precise and controllable and avoids false positives (blocking legitimate users) as far as possible.
5. IP restrictions
Finally, IP-based throttling can still be used alongside the rules above, but it can be moved forward to a firewall or load balancer in front of the web layer, with a higher threshold, so that malicious access is stopped before it reaches and loads the application server.
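The two-tier throttling described in sections 4 and 5, as an added example that is not the article's code: a coarse per-IP limit with a high threshold is evaluated first (standing in for the edge firewall or load balancer), then requests without a SID are issued one, requests with an unknown SID are refused, and requests with a valid SID are rate-limited per SID with a sliding window. An in-memory dict stands in for the memory-based cache (Redis or Memcached) the article recommends, the clock is injectable so the window can be exercised without waiting, and the class names SlidingWindowLimiter, SidGateway and ManualClock are the example's own.

```python
"""Per-IP and per-SID sliding-window throttling for CC mitigation.

Added example, not code from the article.  In-memory structures stand in for
the shared cache; in production the limiter state and the set of valid SIDs
would live in Redis/Memcached so that every application server sees them.
"""
import secrets
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = {}  # key -> deque of event timestamps still inside the window

    def allow(self, key):
        now = self.clock()
        events = self._events.setdefault(key, deque())
        while events and now - events[0] >= self.window:  # drop expired events
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class SidGateway:
    """Edge IP limit first, then SID issuance, validation and per-SID limit."""

    def __init__(self, ip_limit, sid_limit, window, clock=time.monotonic):
        self.ip_limiter = SlidingWindowLimiter(ip_limit, window, clock)
        self.sid_limiter = SlidingWindowLimiter(sid_limit, window, clock)
        self.known_sids = set()  # stands in for the cache of valid SIDs

    def issue_sid(self):
        sid = secrets.token_urlsafe(16)  # unguessable, so SIDs cannot be forged
        self.known_sids.add(sid)
        return sid

    def handle(self, client_ip, sid=None):
        """Return (status, sid); status is one of
        'ip_blocked', 'sid_issued', 'sid_invalid', 'sid_throttled', 'ok'."""
        # Tier 1: coarse per-IP limit with a high threshold. Every request,
        # including those with bad SIDs, consumes IP budget.
        if not self.ip_limiter.allow(client_ip):
            return "ip_blocked", sid
        # No SID yet: hand one out without touching business logic.
        if sid is None:
            return "sid_issued", self.issue_sid()
        # SID not in the cache: refuse outright.
        if sid not in self.known_sids:
            return "sid_invalid", sid
        # Tier 2: fine-grained per-SID limit.
        if not self.sid_limiter.allow(sid):
            return "sid_throttled", sid
        return "ok", sid


class ManualClock:
    """Deterministic clock for tests and demonstrations."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = ManualClock()
    gw = SidGateway(ip_limit=100, sid_limit=3, window=10, clock=clock)
    status, sid = gw.handle("198.51.100.7")
    print(status)                                   # sid_issued
    for _ in range(4):
        print(gw.handle("198.51.100.7", sid)[0])    # ok, ok, ok, sid_throttled
    clock.advance(10)
    print(gw.handle("198.51.100.7", sid)[0])        # ok again after the window
```

The ordering matters: the IP tier rejects floods that never bother to obtain a SID, while the SID tier lets many legitimate users behind one NAT address stay under their own limits, which is the false-positive problem the article raises with IP-only throttling.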