Complete solutions for DOS, DDOS, CC, etc.

2025-01-24 update. From: SLTechnology News&Howtos (shulou.com), Network Security


Shulou (Shulou.com) 06/01 report

Start from your service's access log: identify the offending sources, then filter them either in the firewall or in the web server. The following methods are available.

1. Restrict access for specific source IPs

2. Limit the number of requests from the same IP per unit of time

Another way is to use iptables with a script that blocks DoS sources:

#!/bin/bash
# Count half-open (SYN_RECV) connections per source address. Column 5 of
# "netstat -an" is the foreign address; splitting on ":" keeps the IP.
# The threshold here (more than 1 half-open connection) is what the script
# uses; raise it (the text mentions 5) so ordinary clients are not blocked.
netstat -an | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | awk '{if ($1 > 1) print $2}' > /tmp/dropip
# Add a DROP rule for each listed address and record it in the log.
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -s $i -j DROP
    echo "$i kill at `date`" >> /var/log/ddos
done

The script counts half-open (SYN_RECV) connections per source IP; when the count for a source reaches 5, it writes a DROP rule for that address into the iptables INPUT chain.
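A safer version of the same idea, added here as an example (it is not the article's script): the counting is separated from the blocking, an allow-list protects the gateway and monitoring hosts, the threshold is a parameter, and iptables is only touched when APPLY=1. The THRESHOLD and ALLOW_LIST values and the netstat sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's script: count half-open (SYN_RECV) connections
# per source address from "netstat -an" output, skip an allow-list, and only touch
# iptables when APPLY=1. THRESHOLD and ALLOW_LIST are assumed values; adjust them.

THRESHOLD="${THRESHOLD:-5}"
# Hypothetical trusted addresses (gateway, monitoring host) that must never be blocked.
ALLOW_LIST="${ALLOW_LIST:-127.0.0.1 10.0.0.1}"

# Read "netstat -an" lines on stdin. Column 5 is the foreign address; taking the
# next-to-last ":"-separated field gives the IPv4 address for both "a.b.c.d:port"
# and "::ffff:a.b.c.d:port". Prints "count ip" for sources above the threshold
# (optional first argument, default THRESHOLD) that are not allow-listed.
syn_recv_offenders() {
    thr="${1:-$THRESHOLD}"
    grep 'SYN_RECV' \
    | awk '{ print $5 }' \
    | awk -F: '{ print $(NF-1) }' \
    | sort | uniq -c | sort -rn \
    | awk -v thr="$thr" -v allow="$ALLOW_LIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 > thr && !($2 in skip) { print $1, $2 }'
}

# Consume "count ip" lines. Without APPLY=1 this is a dry run that only reports;
# with APPLY=1 it adds a DROP rule once per address (-C checks for an existing rule).
block_offenders() {
    while read -r count ip; do
        if [ "$APPLY" = "1" ]; then
            /sbin/iptables -C INPUT -s "$ip" -j DROP 2>/dev/null \
                || /sbin/iptables -A INPUT -s "$ip" -j DROP
            echo "$ip ($count half-open) dropped at $(date)" >> /var/log/ddos
        else
            echo "DRY-RUN: would drop $ip ($count half-open)"
        fi
    done
}

# Constructed "netstat -an" output: 6 half-open from 198.51.100.7, 7 from the
# allow-listed 10.0.0.1, 2 from 203.0.113.9, plus one established connection.
sample_netstat() {
    i=1
    while [ "$i" -le 6 ]; do
        printf 'tcp  0  0 192.0.2.10:80  198.51.100.7:%d  SYN_RECV\n' $((40000 + i))
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 7 ]; do
        printf 'tcp  0  0 192.0.2.10:80  10.0.0.1:%d  SYN_RECV\n' $((50000 + i))
        i=$((i + 1))
    done
    printf '%s\n' \
        'tcp  0  0 192.0.2.10:80  203.0.113.9:51001  SYN_RECV' \
        'tcp  0  0 192.0.2.10:80  203.0.113.9:51002  SYN_RECV' \
        'tcp  0  0 192.0.2.10:80  198.51.100.7:40099  ESTABLISHED'
}

# Live use as root:  export APPLY=1; netstat -an | syn_recv_offenders | block_offenders
# Offline check:     sample_netstat | syn_recv_offenders | block_offenders
```

Run the dry run first and read what it would block; only then set APPLY=1. Any address that is legitimately busy (a NAT gateway, a load balancer) belongs in the allow-list before that.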

A SYN flood attack is one of the most common types of DDoS. It exploits a weakness of the TCP handshake: a large number of forged TCP connection requests are sent to the host so that the server's resources are exhausted (CPU fully loaded or memory run out). The target of a SYN flood is not only servers; any network device can be affected, and a SYN flood against network devices often paralyses the whole network. How should enterprises protect themselves against SYN floods? Today Mohist Security shares how to use iptables to mitigate them.

1. Increase the SYN backlog queue

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

2. Enable SYN cookies

sysctl -w net.ipv4.tcp_syncookies=1

3. Modify the number of retries

sysctl -w net.ipv4.tcp_syn_retries=0

With retransmissions set to 0, a connection is discarded as soon as the peer fails to respond. The default setting is 5. Note that net.ipv4.tcp_syn_retries governs retransmission of the host's own outgoing SYNs; the retries of the SYN-ACK the server sends for incoming half-open connections are controlled by net.ipv4.tcp_synack_retries.

4. Limit concurrent connections from a single IP

Use iptables to limit the number of concurrent connections from a single address:

iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT

5. Limit concurrent connections from a class C subnet

Use iptables to limit the number of concurrent connections from a single class C (/24) subnet:

iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT

6. Limit the number of new connections per unit of time

The settings are as follows (the first rule records each new SYN in the recent list, the second drops a source that has sent more than 30 within 60 seconds):

iptables -t filter -A INPUT -p tcp --dport 80 --syn -m recent --set

iptables -t filter -A INPUT -p tcp --dport 80 --syn -m recent --update --seconds 60 --hitcount 30 -j DROP

7. Modify modprobe.conf

For better results, modify /etc/modprobe.conf:

options ipt_recent ip_list_tot=1000 ip_pkt_list_tot=60

Effect: the recent list records 1000 addresses (ip_list_tot) with 60 packets per address (ip_pkt_list_tot). The maximum ip_list_tot is 8100; exceeding it makes iptables report an error. On current kernels the module is named xt_recent, so the options line must name xt_recent instead of ipt_recent.

8. Limit the maximum number of connections per address

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP

(The original line is cut off after "-j D"; DROP is assumed here.)
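The eight steps above, collected as an added example (not the article's own commands) into one script that can be reviewed before it is run and re-run without duplicating rules. Port and limits are the article's values; the "synlimit" list name and the -C-before-A check are additions of this example.

```shell
#!/bin/sh
# Added example, not the article's commands: the SYN-flood settings of steps 1-8
# collected into one reviewable, idempotent script. Port and limits are the
# article's values; the "synlimit" list name and the use of -C before -A are
# additions of this example.

PORT="${PORT:-80}"

# Kernel settings from steps 1-3 (see the note on tcp_syn_retries in the text).
syn_sysctl_settings() {
    printf '%s\n' \
        'net.ipv4.tcp_max_syn_backlog=2048' \
        'net.ipv4.tcp_syncookies=1' \
        'net.ipv4.tcp_syn_retries=0'
}

# Rules from steps 4, 5, 6 and 8, one per line without the leading "iptables",
# so the same text can be reviewed, checked with -C and added with -A.
syn_iptables_rules() {
    cat <<EOF
INPUT -p tcp --dport $PORT --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT
INPUT -p tcp --dport $PORT --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
INPUT -p tcp --dport $PORT --syn -m recent --name synlimit --set
INPUT -p tcp --dport $PORT --syn -m recent --name synlimit --update --seconds 60 --hitcount 30 -j DROP
INPUT -p tcp --dport $PORT -m connlimit --connlimit-above 50 -j DROP
EOF
}

# Apply everything (root). Each rule is added only if not already present, so
# the script can be re-run after a change without duplicating rules.
apply_syn_hardening() {
    syn_sysctl_settings | while read -r kv; do sysctl -w "$kv"; done
    syn_iptables_rules | while read -r rule; do
        # word splitting of $rule is intended: it holds the rule's arguments
        iptables -C $rule 2>/dev/null || iptables -A $rule
    done
}

# Quick self-check: how many rendered rules mention a given match or target.
count_rules_with() { syn_iptables_rules | grep -c -- "$1"; }

# Review first:  syn_iptables_rules
# Then apply:    apply_syn_hardening
```

Naming the recent list keeps these counters separate from any other rule that uses the default list, and the ip_list_tot limit from step 7 applies to it. The /24 rule subsumes the /32 rule (a subnet over 10 implies its busiest host may be under 10, but any single host over 10 is already over 10 for its subnet), which is worth knowing when reading counters.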

With these settings the impact of a SYN flood can be mitigated, but if you are flooded with hundreds of gigabits or even terabit-level traffic, the only option is a commercial anti-DDoS service such as Mohist Security's. The Mohist Shield high-defense service hides the server's real IP and uses a new WAF filtering algorithm to remove abnormal DDoS traffic and keep the server running normally.

In a CC attack, the attacker controls a number of hosts that keep sending large numbers of packets to the target server, exhausting its resources until it crashes. CC mainly targets web pages, and everyone has had the experience that a page visited by many people at once opens slowly. A CC attack simulates many users (the number of threads is the number of users) continuously requesting pages that need heavy data operations (that is, a lot of CPU time), wasting server resources: the CPU stays at 100% for a long time and connections never end, until normal access is cut off by network congestion.

CC defense strategy

1. Unbind the domain name. After the domain name is unbound, the web server's CPU immediately returns to normal and access through the IP works as usual. But the deficiency is obvious: cancelling or changing the domain name makes no difference to other people's access, it is ineffective against CC aimed at the IP, and once the replacement domain is discovered the attack simply moves to the new name.

2. Change the web port. Web servers generally serve on port 80, so attacks are aimed at the default port 80; changing the web port can help prevent CC.

3. Block IPs in IIS. Find the source IPs of the CC with commands or from the logs, and configure IIS to block those IPs from accessing the site.

Precautions against CC

1. Optimize the code. Use caching as much as possible to store repeated query results and reduce the cost of repeated data queries. Reduce calls to heavy frameworks and cut unnecessary data requests and processing logic. Release resources promptly during execution, for example by closing MySQL and memcache connections in time, to reduce the cost of idle connections.

2. Restrictions. Add precondition checks to high-load programs. Feasible checks include: the request must carry session information issued by the site (which simply blocks concentrated requests launched by scripts); it must carry a correct Referer (which effectively prevents embedded code); some client types are rejected (such as typical bad-spider signatures); and the same session may execute at most once per second.

3. Improve logging and keep access logs as complete as possible. A log analyser can identify abnormal access early, such as dense access from a single IP, or a sudden surge in requests for a specific URL compared with its usual level.
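The two detections named in point 3, dense access from one IP and a per-URL surge, as an added awk example (not the article's code). The log lines are constructed in the Apache/Nginx "combined" format, the thresholds are assumptions, and the baseline file is a constructed record of normal per-URL counts.

```shell
#!/bin/sh
# Added example, not from the article: a small awk analyser for Apache/Nginx
# "combined" access logs that flags single-IP bursts per minute and per-URL
# request surges. Log lines below are constructed; thresholds are assumptions.

# Requests per source IP per minute above a threshold: prints "count ip minute".
# Field 1 is the client IP; field 4 is "[dd/Mon/yyyy:HH:MM:SS", and the 17
# characters after "[" are the minute.
ip_bursts() {
    thr="${1:-20}"
    awk -v thr="$thr" '{
        minute = substr($4, 2, 17)          # dd/Mon/yyyy:HH:MM
        c[$1 " " minute]++
    }
    END { for (k in c) if (c[k] > thr) print c[k], k }' | sort -rn
}

# Requests per URL (field 7 is the request path): "count url" per line.
url_counts() { awk '{ c[$7]++ } END { for (u in c) print c[u], u }' | sort -rn; }

# Compare current per-URL counts (stdin, from url_counts) with a baseline file of
# the same shape; print URLs whose count is at least factor x baseline. A URL
# absent from the baseline is compared against 1.
url_surges() {
    baseline="$1"; factor="${2:-5}"
    awk -v f="$factor" 'NR == FNR { base[$2] = $1; next }
        { b = ($2 in base) ? base[$2] : 1
          if ($1 >= f * b) print $1, $2, "baseline", b }' "$baseline" -
}

# Constructed log: 25 hits on /search.php from one address inside one minute,
# plus a handful of ordinary requests from two other clients.
sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '198.51.100.7 - - [10/Oct/2024:13:55:%02d +0000] "GET /search.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '%s\n' \
        '203.0.113.5 - - [10/Oct/2024:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"' \
        '203.0.113.5 - - [10/Oct/2024:13:55:12 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' \
        '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"' \
        '192.0.2.8 - - [10/Oct/2024:13:56:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
}

# Constructed baseline of normal per-URL counts for the same window length.
sample_baseline() { printf '%s\n' '2 /search.php' '50 /index.html' '5 /about.html'; }

# Live use:  tail -n 100000 /var/log/nginx/access.log | ip_bursts 200
#            url_counts < access.log | url_surges baseline.txt 5
```

The per-minute burst count is what point 3 calls "dense access from a single IP"; the surge comparison needs a baseline recorded during normal operation, which is why keeping complete logs matters before an incident, not only during one.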

1. DoS (Denial of Service attack)

A DoS attack makes the server stop responding, or stop or deny service altogether. The principle is to send a large number of seemingly legitimate requests to the server; the server cannot tell whether these requests are normal or part of an attack, so it accepts them in order. A flood of such requests can make the server stop working or deny service. This is a DoS attack.

2. DDoS

Concept

Distributed Denial of Service, which simply means sending a huge number of requests that paralyse the server. DDoS builds on DoS: DoS can be understood as a one-on-one fight, while DDoS is a group fight. As technology developed, the lethality of a single-source DoS decreased, so DDoS emerged, which directs a large number of computers at one or several targets over public networks.

Case

SYN Flood. In the TCP three-way handshake, the client sends a connection request, the server replies with a message accepting it, and the client replies once more, at which point the connection is established. Now suppose an attacker forges the source IP address and sends a connection request. The server receives it and, following the handshake rules, must respond, but the IP is forged, so who receives the response? If the second handshake step goes wrong, the third cannot proceed: the server never receives the client's third message and keeps repeating the second step. If the attacker forges many IP addresses and sends requests, the server maintains a very large half-open connection queue, which consumes a lot of resources until the server crashes.

CC is launched at the application layer over HTTP; it simulates normal users sending a large number of requests until the site denies service.

Why servers are attacked successfully

The server does not have enough bandwidth to absorb the traffic.

Prevention

The most direct way is to increase bandwidth. However, since the attacker uses computers everywhere, bandwidth costs him little, whereas for the server bandwidth is very expensive.

Cloud service providers have complete DDoS solutions and can provide ample bandwidth. If you are on Aliyun, its high-defense service is recommended.

1. Use high-performance network equipment

First, network equipment must not become a bottleneck, so when choosing routers, switches, hardware firewalls and other devices, prefer well-known products with a good reputation. In addition, if you have a special relationship or agreement with your network provider, it is even better to ask them to apply traffic limits at network junctions, which counters certain types of DDoS when a large flood occurs.

2. Avoid NAT where possible

Whether on routers or hardware firewalls, avoid network address translation (NAT) where you can, because it greatly reduces network throughput. The reason is simple: NAT must translate addresses back and forth and recompute packet checksums in the process, which wastes a lot of CPU time. Sometimes NAT cannot be avoided, and then there is no good way around it.

3. Adequate network bandwidth

Network bandwidth directly determines the ability to withstand an attack. With only 10M of bandwidth it is hard to resist current SYN floods no matter what measures are taken. At present at least 100M of shared bandwidth should be chosen, and the best option is to hang the host on a 1000M backbone. Note, however, that a 1000M network card on the host does not mean gigabit bandwidth: if it is connected to a 100M switch, its actual bandwidth will not exceed 100M, and even a 100M connection does not guarantee 100M of bandwidth, because the network provider may well limit the actual bandwidth to 10M on the switch. This must be clarified with the provider.

4. Make the website static

Plenty of evidence shows that making a website as static as possible not only greatly improves its resistance to attack but also makes things much harder for attackers; at least so far no HTML overflow has appeared. Look at Sina, Sohu, NetEase and the other portals: they are mainly static pages. If dynamic scripts are needed, move them to a separate host so that the main server does not suffer when they are attacked; scripts that do not call the database are fine to keep. In addition, scripts that do call the database should preferably deny access through proxies, because experience shows that 80% of proxy access to a site is malicious.

Common web security and protection principles

SQL injection principle

SQL injection inserts SQL commands into a web form submission, a domain-name input, or the query string of a page request, ultimately tricking the server into executing malicious SQL commands.

Generally speaking, the following points apply:

1. Never trust user input. Validate it: use regular expressions, limit the length, and convert single quotes and double hyphens ("--"), etc.

2. Never assemble SQL dynamically; use parameterized SQL, or stored procedures, for data queries and access.

3. Never use a database connection with administrator privileges; use a separate database connection with limited permissions for each application.

4. Do not store confidential information in plain text; encrypt sensitive information, and hash passwords.

Principle and prevention of XSS

XSS (cross-site scripting) attacks insert malicious HTML tags or JavaScript code into a web page. For example, an attacker posts a seemingly safe link in a forum which, after the user clicks it, steals private information from the user's cookies; or adds a malicious form to the forum, so that when the user submits it the information goes to the attacker's server instead of the trusted site the user expected.

XSS prevention method

First, user-input points and variables in the code must be carefully checked for length and filtered for characters such as ";", "'" and similar metacharacters; second, everything must be encoded before it is written to the page, to avoid accidentally emitting an HTML tag. If this is done well, at least more than half of XSS can be blocked.

What's the difference between XSS and CSRF?

XSS is about stealing information; it does not require knowing the other user's page code or packets in advance. CSRF instead performs a specified action on behalf of the user, and does require knowing the code and packets of the other user's page. To complete a CSRF attack, the victim must complete two steps in turn:

1. Log in to trusted website A, which generates a cookie locally.

2. Without logging out of A, visit dangerous website B.

Defense against CSRF

Servers have a variety of CSRF defenses, but the general idea is the same: add a pseudorandom token to the client page.

Another method is a CAPTCHA.

Do you know about web injection attacks (the most common being XSS and CSRF)?

SQL injection

Insert SQL commands into a form or a URL query string and submit them, tricking the server into executing malicious SQL.

XSS (Cross Site Script), cross-site scripting attack

Insert malicious code into a page; the embedded code executes when a user browses the page, achieving the attacker's goal.

CSRF (Cross Site Request Forgery), cross-site request forgery

Forge legitimate requests that the logged-in user's browser performs without the user's knowledge, exploiting the site's trust in the user to achieve the attacker's aim.

How to prevent web front-end attacks?

Do not trust any externally supplied data

Apply format checks, filtering and similar operations to user input

Do not trust any incoming third-party data

Use CORS: configure Access-Control-Allow-Origin deliberately

Use cookies more securely

Set cookies with HttpOnly so that JavaScript cannot access them

Prevent the page from being embedded as an iframe by other sites

The server sets the X-Frame-Options response header to stop the page being framed
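Two of the checks from the XSS and front-end advice above, as an added example that is not the article's code: html_escape encodes output before it is written into a page, and audit_headers reads an HTTP response header block and reports cookies without HttpOnly, a wildcard Access-Control-Allow-Origin, and a missing X-Frame-Options (or CSP frame-ancestors). The Secure-flag check goes beyond the text; both responses are constructed.

```shell
#!/bin/sh
# Added example, not the article's code: html_escape encodes text before it is
# written into a page (the XSS advice above), and audit_headers reads an HTTP
# response header block and reports the cookie, CORS and framing settings the
# front-end advice lists. The Secure-flag check is an extra beyond the text.
# Both responses below are constructed.

# Replace the five characters that can end an HTML text or attribute context.
# "&" must go first so the entities produced later are not re-encoded.
html_escape() {
    sed -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&#39;/g"
}

# Read raw response headers on stdin; print one WARN line per finding and
# nothing when the headers follow the advice. Header names are matched
# case-insensitively; CRLF line endings are tolerated.
audit_headers() {
    awk '{
        line = $0; sub(/\r$/, "", line); low = tolower(line)
        if (low ~ /^set-cookie:/) {
            # cookie name is the text between "Set-Cookie:" and the first "="
            split(substr(line, 12), parts, "="); name = parts[1]; gsub(/^ +/, "", name)
            if (low !~ /httponly/) print "WARN cookie without HttpOnly: " name
            if (low !~ /; *secure/) print "WARN cookie without Secure: " name
        }
        if (low ~ /^x-frame-options:/) framed = 1
        if (low ~ /^content-security-policy:/ && low ~ /frame-ancestors/) framed = 1
        if (low ~ /^access-control-allow-origin: *\*/) print "WARN wildcard Access-Control-Allow-Origin"
    }
    END { if (!framed) print "WARN no X-Frame-Options or frame-ancestors: page can be framed" }'
}

# Constructed response with the weak settings the advice warns about.
sample_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html' \
        'Set-Cookie: session=abc123; Path=/; HttpOnly; Secure' \
        'Set-Cookie: prefs=dark; Path=/' \
        'Access-Control-Allow-Origin: *'
}

# The same response with the settings corrected.
sample_hardened_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html' \
        'Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' \
        'Access-Control-Allow-Origin: https://app.example' \
        'X-Frame-Options: DENY'
}

# Live use:  curl -sI https://example.test/ | audit_headers
```

Escaping belongs at the point where text is written into HTML, not where it is read in: filtering input (the first half of the XSS advice) reduces risk, but it is the output encoding that prevents a stored string from turning into markup.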

Detecting ARP attacks

First diagnose whether it is an ARP virus attack.

1. When the network becomes noticeably slow or drops out suddenly, use the arp -a command to check the ARP table (click Start, choose Run, type cmd and click OK, then enter "arp -a" in the window). If the gateway's MAC address has changed, or many IPs point to the same physical address, it is the result of ARP spoofing. You can then clear the ARP list with "arp -d" and try again.

2. Use ARP firewall software (such as 360 ARP Firewall, AntiARPSniffer, etc.).

How to determine whether a switch is under ARP attack, and how to handle it

1. If the network is affected by an ARP attack, the following phenomena may occur:

1. Users go offline, are frequently disconnected, access the Internet slowly, or have business interrupted or no Internet access at all.

2. Device CPU usage is high; devices cannot be managed, drop off, or oscillate between active and standby; and port indicators flash red.

3. Ping shows delay, packet loss or failure.

Machines in the LAN are deceived by the ARP virus. If you find the source machine and remove the virus or disconnect it, the other machines in the LAN return to normal, so how can you quickly locate the source machine?

1. Use the arp -a command. When the network becomes noticeably slow or drops out suddenly, use arp -a to check the ARP table. If the gateway's MAC address has changed, or many IP addresses point to the same MAC address, it is the result of an ARP attack.

2. Check with an ARP firewall such as Caiying ARP Firewall. If a network card is in promiscuous mode, or sends ARP requests at a high rate or in very large numbers, that machine may be the culprit. Once it is located, collect the virus information from it.

3. Check the router's system history. When an ARP program breaks out it sends a large number of packets, causing LAN congestion; combined with the program's own processing limits, users feel the Internet getting slower and slower. When the ARP program stops running, users recover their connection through the router and are disconnected again during the switch-over. The history message represents a change in the user's MAC address. When the ARP attack starts, the MAC address of every host in the LAN is updated to the virus host's MAC address (that is, the "MAC New" address in all entries is the same as the virus host's MAC address); at the same time, the MAC address of all users is identical in the router's "user statistics".

If you see a large number of identical "MAC Old" addresses in the router's system history, an ARP attack has been present in the LAN (when the ARP program stops, the hosts restore their real MAC addresses on the router).
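The arp -a checks from points 1 above (both the diagnosis section and this one) as an added example, not the article's code: the ARP table is parsed from "arp -a" output and two findings are reported, several IPs resolving to one MAC and the gateway MAC differing from a value recorded while the network was healthy. The tables are constructed, and GATEWAY_IP and GATEWAY_MAC_EXPECTED are assumed values.

```shell
#!/bin/sh
# Added example, not from the article: parse "arp -a" output and flag the two
# symptoms described above, several IPs resolving to one MAC and the gateway MAC
# differing from a recorded known-good value. The tables below are constructed;
# GATEWAY_IP and GATEWAY_MAC_EXPECTED are assumed values recorded on a healthy network.

GATEWAY_IP="${GATEWAY_IP:-192.168.1.1}"
GATEWAY_MAC_EXPECTED="${GATEWAY_MAC_EXPECTED:-aa:bb:cc:00:00:01}"

# Normalise "arp -a" lines (Linux "? (ip) at mac [ether] on eth0" or Windows
# "ip  mac  dynamic") into "ip mac" with lower-case, colon-separated MACs.
arp_table() {
    awk 'BEGIN { h = "[0-9a-fA-F][0-9a-fA-F]"; macre = "^" h "([:-]" h ")+$" }
    {
        ip = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            t = $i; gsub(/[()]/, "", t)
            if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = t
            else if (length(t) == 17 && t ~ macre) { mac = tolower(t); gsub(/-/, ":", mac) }
        }
        if (ip != "" && mac != "") print ip, mac
    }'
}

# MAC addresses claimed by more than one IP: "mac count ip ip ...".
duplicate_macs() {
    arp_table | awk '{ n[$2]++; ips[$2] = ips[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m, n[m] ips[m] }' | sort
}

# Compare the gateway entry with the recorded value.
gateway_check() {
    arp_table | awk -v gw="$GATEWAY_IP" -v want="$GATEWAY_MAC_EXPECTED" '
        $1 == gw {
            found = 1
            if ($2 == want) print "OK gateway " gw " at " $2
            else print "CHANGED gateway " gw " now at " $2 " expected " want
        }
        END { if (!found) print "MISSING gateway " gw " not in ARP table" }'
}

# Constructed healthy table: every IP has its own MAC.
sample_arp_healthy() { printf '%s\n' \
    '? (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0' \
    '? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0' \
    '? (192.168.1.21) at de:ad:be:ef:00:21 [ether] on eth0'; }

# Same LAN while the host at 192.168.1.21 answers ARP for the gateway and two neighbours.
sample_arp_spoofed() { printf '%s\n' \
    '? (192.168.1.1) at de:ad:be:ef:00:21 [ether] on eth0' \
    '? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0' \
    '? (192.168.1.21) at de:ad:be:ef:00:21 [ether] on eth0' \
    '? (192.168.1.22) at de:ad:be:ef:00:21 [ether] on eth0' \
    '? (192.168.1.23) at de:ad:be:ef:00:21 [ether] on eth0'; }

# Live use:  arp -a | duplicate_macs ; arp -a | gateway_check
```

Record the gateway's MAC while the network is known to be healthy and keep it outside the affected machine; a check that compares against a value read from the same poisoned cache proves nothing. The duplicate-MAC report names the MAC the spoofing host is using, which is the starting point for the locating steps in point 2.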

Attack methods:

1. Simple spoofing

This is commonly done by sending forged ARP packets to deceive the router and the target host, so that the target host believes the attacker is a legitimate host, which completes the deception. It mostly happens within the same network segment, because routers do not forward this segment's packets; there are ways to do it across segments, but then ICMP must be used to make the router reselect the route.

2. DoS based on ARP

This is a newer method. D.o.S, also called denial of service, occurs when a large number of connection requests are sent to a host; because the host's processing capacity is limited, it can no longer serve normal users. If ARP is used to hide the sender in this process, the real IP does not appear in the host's logs and the sender's own machine is unaffected.

3. MAC flooding

This is a rather dangerous attack: it overflows the switch's address table, so that the whole network can no longer communicate properly.

4. Sniffing in a switched environment

Early small LANs were interconnected with hubs, which broadcast: every packet passes every host in the network, so with the right software all LAN traffic can be sniffed. Today's networks are mostly switched, and traffic inside the network is delivered only to the specific target host. On the basis of ARP spoofing, the attacker can pose as a central forwarding station and monitor the communication between two hosts.

Protection against ARP attacks

1. ARP cache timeout setting

A timeout is generally set for entries in the ARP cache; shortening it helps avoid overflow of the ARP table.

2. IP+MAC access control (recommended)

Relying on IP alone or MAC alone to establish a trust relationship is unsafe. The ideal secure connection is based on IP+MAC, which is one of the reasons binding IP and MAC is necessary on a campus network.

3. Static ARP cache table

Each host has a table temporarily holding IP-MAC mappings. ARP attacks change this cache to achieve the deception. Binding the correct MAC with a static ARP entry is an effective method. Under the command line, arp -a shows the current ARP cache table.

4. Automatic checks

At a normal time, build a database of IP-to-MAC correspondences, then regularly check whether the IP-MAC relationships are still normal, regularly review the switch's traffic list, and check the packet-loss rate.

ARP by itself does not cause much damage, but once it is combined with other techniques its risk is incalculable, and because of the inherent weaknesses of ARP it is very hard to guard against. Regularly checking the state of the network and monitoring traffic is a good habit for an administrator.
