CC進攻很容易提倡,而且險些不需要本錢,導致此刻的CC進攻越來越多。
大部門搞CC進攻的人,都是用在網上下載的東西,這些東西很少去偽造特征,所以會留下一些陳跡。
利用下面的呼吁,可以闡明下是否在被CC進攻。
第一條呼吁:
tcpdump -s0 -A -n -i any | grep -o -E '(GET|POST|HEAD) .*'
正常的輸出功效雷同于這樣
POST /ajax/validator.php HTTP/1.1
POST /api_redirect.php HTTP/1.1
GET /team/57085.html HTTP/1.1
POST /order/pay.php HTTP/1.1
GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1
GET /static/theme/qq/css/index.css HTTP/1.1
GET /static/js/index.js HTTP/1.1
GET /static/js/customize.js HTTP/1.1
GET /ajax/loginjs.php?type=topbar& HTTP/1.1
GET /static/js/jquery.js HTTP/1.1
GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1
GET /static/theme/qq/css/index.css HTTP/1.1
GET /static/js/lazyload/jquery.lazyload.min.js HTTP/1.1
GET /static/js/MSIE.PNG.js HTTP/1.1
GET /static/js/index.js HTTP/1.1
GET /static/js/customize.js HTTP/1.1
GET /ajax/loginjs.php?type=topbar& HTTP/1.1
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1
GET /static/theme/qq/css/i/logos.png HTTP/1.1
GET /static/theme/qq/css/i/hot.gif HTTP/1.1
GET /static/theme/qq/css/i/brand.gif HTTP/1.1
GET /static/theme/qq/css/i/new.gif HTTP/1.1
GET /static/js/jquery.js HTTP/1.1
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1
正常呼吁功效以靜態文件為主,好比css,js,各類圖片。
假如是被進攻,會呈現大量牢靠的地點,好比進攻的是首頁,會有大量的“GET / HTTP/1.1”,可能有必然特征的地點,好比進攻的假如是Discuz論壇,那么大概會呈現大量的“/thread-隨機數字-1-1.html”這樣的地點。
第二條呼吁:
tcpdump -s0 -A -n -i any | grep ^User-Agent
輸出功效雷同于下面:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
這個是查察客戶端的useragent,,正常的功效中,是各類百般的useragent。
大大都進攻利用的是牢靠的useragent,也就是會看到同一個useragent在刷屏。隨機的useragent只見過一次,可是給搞成了雷同于這樣“axd5m8usy”,照舊可以判別出來。
第三條呼吁:
tcpdump -s0 -A -n -i any | grep ^Host
假如呆板上的網站太多,可以用上面的呼吁找出是哪個網站在被大量請求
輸出功效雷同于下面這樣
Host: www.server110.com
Host: www.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
一般系統不會默認安裝tcpdump呼吁
centos安裝要領:yum install -y tcpdump
debian/ubuntu安裝要領:apt-get install -y tcpdump
許多小白用戶不分明如何配置日志,查察日志,利用上面的呼吁則簡樸的多,復制到呼吁行上運行即可。
Linux主機簡樸判定CC進攻的呼吁
