What to do when a server is hit by a CC attack?
This morning, while on incident response, I came across a customer server that appeared to be under a CC attack, so I'm using some spare time to write up CC attacks.
netstat -ano
The output was a long listing of connections to 192.168.5.135:80 from a handful of remote addresses, almost all of them sitting in TIME_WAIT.
Fix:
The idea is simple: make the server reclaim the wasted TIME_WAIT sockets as quickly as possible, and let it reuse them as quickly as possible.
How to tell whether a Windows server is under CC attack:
1. During a CC attack the web server's port 80 appears closed to the outside.
netstat -ano
If the output shows a large number of SYN_RECEIVED or TIME_WAIT entries, the server is very likely under CC attack: it means the handshake cannot be completed and the connections are stuck waiting.
2. We can write a batch script to check whether the server is under CC attack, for example:
@echo off
time /t >>log.log
netstat -n -p tcp | find ":80" >>log.log
notepad log.log
exit
The script simply filters out all current external connections to port 80 (the DDoS traffic) and appends them, with a timestamp, to a log file.
If that is too much trouble, just run netstat -ano|findstr "80" > c:\log.log
3. Look at the web logs directly. They live under C:\WINDOWS\system32\LogFiles\HTTPERR, where you will find files such as httperr1.log and so on. There may be many of them; use the log timestamps to pick the right one. By default the web log records only a few fields, so we can suggest the customer configure IIS to make the web log record more.
The procedure goes roughly like this:
Start → Administrative Tools, open "Internet Information Services", expand the tree on the left and locate the Web site in question, then right-click it and choose "Properties" to open the site properties window. On the "Web Site" tab click the "Properties" button next to logging; under the "Advanced" tab of the "Logging Properties" window you can tick the relevant "Extended properties" so that the Web log records them. For example, "Bytes Sent", "Bytes Received" and "Time Taken" are not selected by default but are very useful when identifying a CC attack, so tick them. If your security requirements are higher, set the "New Log Schedule" on the "General" tab to "Hourly" or "Daily". To make it easier to pin down times during later analysis, tick "Use local time for file naming and rollover".
How to tell on a Linux server:
1. tcpdump
a. Use tcpdump -s0 -A -N -n -i any | grep -o -E '(GET|POST|HEAD) .*'
to see what is being requested. Normally the output is mostly static files such as css and js; if you see nearly identical requests to one fixed URL, or very strange URLs, you are most likely under attack.
b. Use tcpdump -s0 -A -n -i any | grep ^User-Agent
Different legitimate users can be told apart by their User-Agent; if you see a lot of output with one fixed User-Agent, you are definitely under attack.
c. If you host many sites on the server, use tcpdump -s0 -A -n -i any | grep ^Host
to find out which site is being hammered with requests.
2. netstat
a. Use netstat -nat|grep -i "80"|wc -l
to count connections on port 80.
b. Use netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
to sort client IPs by connection count. The number before each IP is its connection count; a few dozen to a hundred is normal for a website, but if you see thousands, it is almost certainly a CC attack.
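The per-IP counting pipeline above, as an added example that is not from the original post: it is wrapped in two functions with a threshold, restricted to connections on the server's listening port, and run over a constructed netstat sample (documentation-range client addresses) so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post: the per-IP counting pipeline
# wrapped in two functions and run over a constructed netstat sample.
# IPv4 only, like the post (cut -d: would break on IPv6 addresses).

# Constructed sample of `netstat -ntu` output; 198.51.100.0/24 is a
# documentation range, not a real client. Remote address is column 5.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.5.135:80        198.51.100.15:59421     TIME_WAIT
tcp        0      0 192.168.5.135:80        198.51.100.15:54850     TIME_WAIT
tcp        0      0 192.168.5.135:80        198.51.100.15:13540     ESTABLISHED
tcp        0      0 192.168.5.135:80        198.51.100.9:52886      TIME_WAIT
tcp        0      0 192.168.5.135:80        198.51.100.9:49741      TIME_WAIT
tcp        0      0 192.168.5.135:80        198.51.100.16:5207      TIME_WAIT
tcp        0      0 192.168.5.135:56058     192.168.5.5:443         TIME_WAIT'

# count_by_ip PORT: reads netstat output on stdin and prints "COUNT IP" lines,
# ascending by count, for connections whose local side is :PORT. Unlike the
# bare pipeline this skips the header lines and the server's own outbound
# connections, which would otherwise be counted as "clients".
count_by_ip() {
    awk -v p="$1" '$4 ~ (":" p "$") { print $5 }' \
        | cut -d: -f1 | sort | uniq -c | sort -n \
        | awk '{ print $1, $2 }'
}

# flag_ips THRESHOLD PORT: prints only the IPs holding at least THRESHOLD
# connections to :PORT, i.e. the candidates for rate limiting or blocking.
flag_ips() {
    count_by_ip "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the sample: 198.51.100.9 (2) and 198.51.100.15 (3) reach a
# threshold of 2; 198.51.100.16 (1) and the outbound :443 socket do not.
printf '%s\n' "$SAMPLE" | flag_ips 2 80
```

On a live box replace the sample with `netstat -ntu | flag_ips 1000 80`, using the thousands-per-IP threshold the post describes.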
If the httpd service on your box is being hammered, you can set a few kernel parameters so the server actively drops its side of client connections. Why? Because, damn it, if you don't drop them, more and more resources end up blocked.
Edit /etc/sysctl.conf and add the following (then apply it with sysctl -p):
net.ipv4.tcp_syncookies = 1    # enable SYN cookies
net.ipv4.tcp_tw_recycle = 1    # recycle TIME_WAIT sockets quickly (breaks clients behind NAT; removed in Linux 4.12, use net.ipv4.tcp_tw_reuse = 1 on newer kernels)
net.ipv4.tcp_fin_timeout = 30  # FIN-WAIT-2 timeout, lowered from the default of 60 seconds
That's all for now; I'll add more the next time I run into one.