Linux主机简朴判定CC进攻的呼吁
大部门搞CC进攻的人,都是用在网上下载的东西,这些东西很少去伪造特征,所以会留下一些陈迹。
利用下面的呼吁,可以阐明下是否在被CC进攻。
第一条呼吁: tcpdump -s0 -A -n -i any | grep -o -E '(GET|POST|HEAD) .*'
正常的输出功效雷同于这样 POST /ajax/validator.php HTTP/1.1 POST /api_redirect.php HTTP/1.1 GET /team/57085.html HTTP/1.1 POST /order/pay.php HTTP/1.1 GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1 GET /static/theme/qq/css/index.css HTTP/1.1 GET /static/js/index.js HTTP/1.1 GET /static/js/customize.js HTTP/1.1 GET /ajax/loginjs.php?type=topbar& HTTP/1.1 GET /static/js/jquery.js HTTP/1.1 GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1 GET /static/theme/qq/css/index.css HTTP/1.1 GET /static/js/lazyload/jquery.lazyload.min.js HTTP/1.1 GET /static/js/MSIE.PNG.js HTTP/1.1 GET /static/js/index.js HTTP/1.1 GET /static/js/customize.js HTTP/1.1 GET /ajax/loginjs.php?type=topbar& HTTP/1.1 GET /static/theme/qq/css/i/logo.jpg HTTP/1.1 GET /static/theme/qq/css/i/logos.png HTTP/1.1 GET /static/theme/qq/css/i/hot.gif HTTP/1.1 GET /static/theme/qq/css/i/brand.gif HTTP/1.1 GET /static/theme/qq/css/i/new.gif HTTP/1.1 GET /static/js/jquery.js HTTP/1.1 GET /static/theme/qq/css/i/logo.jpg HTTP/1.1 正常呼吁功效以静态文件为主,好比css,js,各类图片。 假如是被进攻,会呈现大量牢靠的地点,好比进攻的是首页,会有大量的“GET / HTTP/1.1”,可能有必然特征的地点,好比进攻的假如是Discuz论坛,那么大概会呈现大量的“/thread-随机数字-1-1.html”这样的地点。
第二条呼吁: tcpdump -s0 -A -n -i any | grep ^User-Agent
输出功效雷同于下面: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
这个是查察客户端的useragent,,正常的功效中,是各类百般的useragent。 大大都进攻利用的是牢靠的useragent,也就是会看到同一个useragent在刷屏。随机的useragent只见过一次,可是给搞成了雷同于这样“axd5m8usy”,照旧可以判别出来。
第三条呼吁: tcpdump -s0 -A -n -i any | grep ^Host
假如呆板上的网站太多,可以用上面的呼吁找出是哪个网站在被大量请求 输出功效雷同于下面这样 Host: www.server110.com Host: www.server110.com Host: www.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: www.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: www.server110.com Host: www.server110.com Host: upload.server110.com Host: upload.server110.com Host: upload.server110.com Host: www.server110.com Host: upload.server110.com Host: upload.server110.com Host: www.server110.com
一般系统不会默认安装tcpdump呼吁 centos安装要领:yum install -y tcpdump debian/ubuntu安装要领:apt-get install -y tcpdump
许多小白用户不分明如何配置日志,查察日志,利用上面的呼吁则简朴的多,复制到呼吁行上运行即可。