Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to prevent CC attacks in Linux systems. The quality of the article is high, so Xiaobian shares it with you as a reference. I hope you have a certain understanding of relevant knowledge after reading this article.

What is CC Attack?

CC attack is simple (ChallengeCollapsar)

CC attack is based on the attacker controlling some hosts to send a large number of packets to the other server, causing the server to run out of resources until it crashes. CC is mainly used to attack the page, everyone has this experience: when a web page visits a particularly large number of people, open the page is slow, CC is to simulate multiple users (how many threads is how many users) keep accessing those pages that require a lot of data operations (that is, require a lot of CPU time), resulting in a waste of server resources, CPU for a long time at 100%, there are always endless connections until the network congestion, normal access is aborted.

How to Prevent CC Attack

There are two ways to prevent this CC attack.

The first is to use the firewall of the machine to solve the firewall that can be installed in CSF. The disadvantage of this is that it can only prevent small-scale CC attacks and DDOS (my station is in Alibaba Cloud, so don't worry too much about DDOS). If the CC attack is fierce, the machine will also run full of CUP directly.

The second way is to add a CDN, which is the best way to prevent CC attacks, but CDN generally costs money.

Now let's talk about specific protection changes.

First install CSF firewall, this is relatively simple and do not have to change the domain name of what, small-scale directly solved.

1. Install dependency packages:

yum install perl-libwww-perl perl iptables

Download and install CSF:

wget http://www.configserver.com/free/csf.tgz

tar -xzf csf.tgz

cd csf

sh install.sh

3. Test whether CSF can work normally:

[root@localhost csf]# perl /etc/csf/csftest.pl

Testing ip_tables/iptable_filter.。. OK

Testing ipt_LOG.。. OK

Testing ipt_multiport/xt_multiport.。. OK

Testing ipt_REJECT.。. OK

Testing ipt_state/xt_state.。. OK

Testing ipt_limit/xt_limit.。. OK

Testing ipt_recent.。. OK

Testing xt_connlimit.。. OK

Testing ipt_owner/xt_owner.。. OK

Testing iptable_nat/ipt_REDIRECT.。. OK

Testing iptable_nat/ipt_DNAT.。. OK

RESULT： csf should function on this server

IV. Configuration of CSF:

CSF profile is

vim /etc/csf/csf.conf

# Allow incoming TCP ports

#It is recommended that you change SSH default port (22) to another port, but be sure to add the new port to the next line

TCP_IN = "20，21，47，81，1723，25，53，80，110，143，443，465，587，993，995〃

# Allow outgoing TCP ports Idem, add SSH login port to the next line.

#In cases where some programs require a range of ports to be opened, such as Pureftpd's passive mode, ports in the range 30000 - 35000 can be opened in a manner similar to 30000:35000.

TCP_OUT = "20，21，47，81，1723，25，53，80，110，113，443〃

# Allow incoming UDP ports

UDP_IN = "20，21，53〃

# Allow outgoing UDP ports

# To allow outgoing traceroute add 33434:33523 to this list

UDP_OUT = "20，21，53，113，123〃

# Allow incoming PING Whether to allow others to ping your server, the default is 1, allowed. 0 is not allowed.

ICMP_IN = "1〃

The above configurations are understood at a glance, and here are a few more commonly used ones:

Previous Page 12 Next Page Total 2 Page

Immunity to certain types of small-scale DDos attacks:

# Connection Tracking. This option enables tracking of all connections from IP

# addresses to the server. If the total number of connections is greater than

# this value then the offending IP address is blocked. This can be used to help

# prevent some types of DOS attack.

#

# Care should be taken with this option. It’s entirely possible that you will

# see false-positives. Some protocols can be connection hungry， e.g. FTP， IMAPD

# and HTTP so it could be quite easy to trigger， especially with a lot of

# closed connections in TIME_WAIT. However， for a server that is prone to DOS

# attacks this may be very useful. A reasonable setting for this option might

# be arround 200.

#

# To disable this feature， set this to 0

CT_LIMIT = "200"##This number of requests for the same IP in a fixed time period

# Connection Tracking interval. Set this to the the number of seconds between

# connection tracking scans

CT_INTERVAL = "30" ##refers to the fixed time above in seconds

# Send an email alert if an IP address is blocked due to connection tracking

CT_EMAIL_ALERT = "1" ##Send mail

# If you want to make IP blocks permanent then set this to 1， otherwise blocks

# will be temporary and will be cleared after CT_BLOCK_TIME seconds

#Whether to permanently block suspicious IPs. Default is 0, i.e. temporary blocking.

CT_PERMANENT = "0"

# If you opt for temporary IP blocks for CT， then the following is the interval

# in seconds that the IP will remained blocked for （e.g. 1800 = 30 mins）

#Temporary Shielding Time

CT_BLOCK_TIME = "1800"

# If you don’t want to count the TIME_WAIT state against the connection count

# then set the following to "1〃

CT_SKIP_TIME_WAIT = "0" ##Count TIME_WAIT link status

# If you only want to count specific states （e.g. SYN_RECV） then add the states

# to the following as a comma separated list. E.g. "SYN_RECV，TIME_WAIT"

# Leave this option empty to count all states against CT_LIMIT

CT_STATES = ""##Statistics by country, country name filled in

# If you only want to count specific ports （e.g. 80，443） then add the ports

# to the following as a comma separated list. E.g. "80，443〃

#

# Leave this option empty to count all ports against CT_LIMIT

#What port to detect, if empty, detect all, prevent ssh, then can be empty, count all.

CT_PORTS = ""

After making the above settings, you can test it first. If there is no problem, change to formal mode, just test mode.

#Change the default 1 to 0.

TESTING = "0"

Under/etc/csf/there are two files csf.allow and csf.deny,

allow is a trusted IP, you can write your IP here to prevent false sealing.

Deny is the IP that is blocked.

If there are adjustments, you need to restart the cfs service

How to prevent CC attacks in Linux systems is shared here. I hope the above content can be of some help to everyone and learn more. If you think the article is good, you can share it so that more people can see it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.