This post was last edited by coralzd on 2012-04-25 14:51
I won't go over how DDoS works; you are all experts here.

To explain my situation: my environment has been under a sustained, malicious layer-7 DDoS attack for a long time now. The attack mainly targets the forum's thread-listing pages; put bluntly, it is mostly hammering PHP. At first I borrowed the well-known JDFW, but its false-positive rate was so high that even we could not open our own forum. It seemed I had to handle it myself; firewalls are not always reliable. My approach was to analyse the nginx access log and look for regularities in the URLs.

```
123.232.102.228 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-116-20.html HTTP/1.0" "200" 232347 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "-"
123.232.102.228 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-1402-1.html HTTP/1.0" "200" 253872 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "-"
123.232.102.228 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-63-1.html HTTP/1.0" "200" 118163 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "-"
123.232.102.228 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-1342-1.html HTTP/1.0" "200" 235327 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "-"
123.232.102.228 - - [07/Mar/2012:14:24:23 +0800] "GET /forum.php?mod=forumdisplay&fid=58 HTTP/1.0" "200" 283377 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "-"
```
Looking at the requests above, you can see that each response sent back to the client is over 200 KB, which puts a heavy burden on PHP, makes NIC traffic spike and drives the system load up. The data centre's uplink was saturated several times. The user-agent in the log is always the same, so you can set this in nginx:

```nginx
if ( $http_user_agent ~* "Mozilla/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.0\;\ .NET\ CLR\ 1.1.4322\)" ) {
    return 444;
}
```
Then reload nginx. The effect is obvious.
Blocked malicious connections:

```
222.133.37.29 - - [25/Apr/2012:14:51:00 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:00 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:00 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:01 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:01 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:01 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:01 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
222.133.37.29 - - [25/Apr/2012:14:51:01 +0800] "GET /forum.php?mod=forumdisplay&fid=219&filter=typeid&typeid=208 HTTP/1.0" 444 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
```
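As an added example (not from the post or its author), here is a small Python script that does the log analysis the post describes: it parses lines in the post's log layout, aggregates per user-agent and per source IP, and only flags a user-agent when it is both frequent and heavy in bytes, and an IP only when it bursts within one second. Requiring both signals is what keeps the false-positive rate below a bare user-agent match, which is the problem the post ran into with JDFW. The sample lines, thresholds and IPs are constructed.

```python
import re
from collections import defaultdict

# Matches the post's log layout; the status field may or may not be quoted.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'"?(?P<status>\d{3})"? (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic on documentation IPs (not the post's own lines):
# a heavy burst under the post's IE6 user-agent, plus one ordinary request.
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-116-20.html HTTP/1.0" "200" 232347 "-" "{IE6}" "-"',
    f'203.0.113.7 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-1402-1.html HTTP/1.0" "200" 253872 "-" "{IE6}" "-"',
    f'203.0.113.7 - - [07/Mar/2012:14:24:23 +0800] "GET /forum-63-1.html HTTP/1.0" "200" 118163 "-" "{IE6}" "-"',
    f'203.0.113.7 - - [07/Mar/2012:14:24:24 +0800] "GET /forum.php?mod=forumdisplay&fid=58 HTTP/1.0" "200" 283377 "-" "{IE6}" "-"',
    f'203.0.113.9 - - [07/Mar/2012:14:24:24 +0800] "GET /forum-63-1.html HTTP/1.0" "200" 118163 "-" "{IE6}" "-"',
    '198.51.100.4 - - [07/Mar/2012:14:24:24 +0800] "GET /forum-63-1.html HTTP/1.1" 200 118163 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"',
]

def parse(lines):
    """Yield one dict per parseable access-log line; '-' bytes count as 0."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec

def profile(lines):
    """Per user-agent: request count, distinct source IPs, bytes sent.
    Per (ip, timestamp-second): request count, to measure bursts."""
    by_ua = defaultdict(lambda: {"requests": 0, "ips": set(), "bytes": 0})
    per_sec = defaultdict(int)
    for r in parse(lines):
        s = by_ua[r["ua"]]
        s["requests"] += 1
        s["ips"].add(r["ip"])
        s["bytes"] += r["bytes"]
        per_sec[(r["ip"], r["ts"])] += 1
    return by_ua, per_sec

def flag(lines, min_requests=5, min_avg_bytes=100_000, burst_per_sec=3):
    """Candidates to block: UAs that are frequent AND heavy; IPs that burst within one second."""
    by_ua, per_sec = profile(lines)
    uas = sorted(ua for ua, s in by_ua.items() if s["requests"] >= min_requests
                 and s["bytes"] / s["requests"] >= min_avg_bytes)
    ips = sorted({ip for (ip, _), n in per_sec.items() if n >= burst_per_sec})
    return uas, ips
```

Run `flag(open("access.log"))` against a real log and feed the returned user-agents into an nginx `if` block like the one above, or the IPs into a `deny` list, after checking them by hand.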