A Record of One DDoS Extortion Incident

Creative Commons licence: Attribution-ShareAlike (others may create derivative works based on this one, and must distribute them under the same licence as the original).

0x01 Background

The background is this: a friend's business website was hit by DDoS. The attacker first demanded 800 RMB, then turned to offering a DDoS-for-hire service, then DDoS training, then selling DDoS software, and finally became a DDoS "high-defense" (anti-DDoS) provider. In the end the case went to the police and was successfully filed.

0x02 Threats from the hacker

Just a few days ago a friend came to me with news that he was being DDoSed. Looking at the messages he forwarded, his customer-service number had received a threatening message from a stranger saying they would take him down immediately.
My friend has seen a thing or two; thinking a threat like this would intimidate him was naive.
You can take a look at the following chart.
The traffic surge in the chart above says it all: the server really did go down.
My friend quietly looked at the price of high-defense service, and the price pierced his heart once more. Buy it, buy it... no, he can't afford it. Joking aside about not affording it, this really is too expensive.

But then my friend thought of something: the customer-service message contained the hacker's WeChat contact, so the first step was to add the hacker on WeChat.
A long conversation followed, which boiled down to the other party wanting 800 yuan, and also offering to help take down competitors. My friend's reply was more artful: money? Go talk to the boss.

0x03 Common forms of attack traffic

At this point let's insert some technical content: several common forms of attack traffic.

Layer 7 attacks

1. CC (Challenge Collapsar) attacks, produced by a large number of zombie hosts ("broilers").

2. Large numbers of huge junk packets sent to the web service port (not actually that huge: a single request of 1MB or more).

Layer 4 attacks

3. TCP SYN attacks: the TCP handshake is started every time and never completed, pure "tease and run" style.

Apart from the SYN attack, the other two reach layer 7 and therefore show up in the web service logs.

For the first and second kinds, we can see in the nginx logs that large POST requests nobody asked for are a problem; the request data may not even comply with the HTTP specification.

As a relatively coarse filter for bursts of requests, the following rules can simply be added to nginx.conf to drop data that is not in HTTP request protocol form.

1. Restrict the request method:

if ($request_method !~ ^(GET|HEAD)$ ) {
    return 444;
}

2. Restrict the host name:

if ($host !~* xxx\.com$) {
    return 444;
}
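As an added example (not code from the post), here is a Go checker that replays the two nginx.conf rules above, plus the post's oversized-request observation, over constructed access-log lines. It assumes a custom nginx log format that records $host and $request_length (nginx's default "combined" format has neither), and it makes the caveat visible: the method rule drops legitimate POSTs along with junk.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumed format (not nginx's "combined"): '$remote_addr $host "$request" $status $request_length'
var lineRe = regexp.MustCompile(`^(\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$`)

var sampleLog = []string{ // constructed sample lines, documentation IP ranges
	`203.0.113.7 xxx.com "GET /index.html HTTP/1.1" 200 512`,
	`198.51.100.3 xxx.com "POST /find HTTP/1.1" 200 1500000`,
	`198.51.100.6 xxx.com "GET /find HTTP/1.1" 200 1500000`,
	`198.51.100.4 203.0.113.1 "GET / HTTP/1.1" 200 300`,
	`198.51.100.5 xxx.com "\x16\x03\x01" 400 70`,
}

// inspect applies the post's nginx.conf filters to one log line and returns (client ip, reason, true) where nginx would have answered 444.
func inspect(line string, maxBytes int64) (string, string, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return "", "unparseable line", true
	}
	ip, host, req := m[1], m[2], m[3]
	size, _ := strconv.ParseInt(m[5], 10, 64)
	f := strings.Fields(req)
	if len(f) != 3 || !strings.HasPrefix(f[2], "HTTP/") {
		return ip, "not an HTTP request line", true
	}
	if f[0] != "GET" && f[0] != "HEAD" { // $request_method !~ ^(GET|HEAD)$
		return ip, "method " + f[0], true
	}
	if !strings.HasSuffix(strings.ToLower(host), "xxx.com") { // $host !~* xxx\.com$
		return ip, "host " + host, true
	}
	if size > maxBytes { // the "1MB or more" junk requests the post mentions
		return ip, fmt.Sprintf("request of %d bytes", size), true
	}
	return ip, "", false
}

func main() {
	for _, l := range sampleLog {
		ip, reason, drop := inspect(l, 1<<20)
		fmt.Printf("%-14s drop=%-5v %s\n", ip, drop, reason)
	}
}
```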

0x04 WAF protection

Many of our services are built on nginx, OpenResty or Tengine, so doing WAF protection with nginx and Lua is a perfectly normal thing; anyone who looks at the configuration screenshot will recognise which WAF this is.
Writing a CC protection policy in Lua is a relatively simple and quick process.
The attack generated a lot of requests answered with 501 and 444.
When a policy was hit, a corresponding hit log was produced.
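The CC rule in an nginx+Lua WAF is essentially a per-client counter inside a time window. The following is an added example, not the post's or any WAF's own code: a Go sketch of that rule with an assumed threshold of 100 requests per IP and URI per minute, replaying a constructed bot burst and a constructed normal client to show which one gets the 444 treatment.

```go
package main

import (
	"fmt"
	"time"
)

// ccLimiter mirrors an nginx+Lua WAF CC rule: per-IP+URI count in a fixed window, reject past a threshold.
type ccLimiter struct {
	limit   int
	window  time.Duration
	buckets map[string]*bucket // keyed by "ip uri", like a Lua shared dict
}

type bucket struct{ count int; start time.Time }

func newCCLimiter(limit int, window time.Duration) *ccLimiter {
	return &ccLimiter{limit: limit, window: window, buckets: map[string]*bucket{}}
}

// allow reports whether a request seen at time now may be served; false maps to
// "return 444" in the post's config. now is a parameter so replays are deterministic.
func (c *ccLimiter) allow(ip, uri string, now time.Time) bool {
	key := ip + " " + uri
	b, ok := c.buckets[key]
	if !ok || now.Sub(b.start) >= c.window {
		c.buckets[key] = &bucket{count: 1, start: now}
		return true
	}
	b.count++
	return b.count <= c.limit
}

// replay sends n constructed requests from ip to uri spaced gap apart from t0; returns how many were rejected.
func replay(c *ccLimiter, ip, uri string, n int, gap time.Duration, t0 time.Time) int {
	rejected := 0
	for i := 0; i < n; i++ {
		if !c.allow(ip, uri, t0.Add(time.Duration(i)*gap)) {
			rejected++
		}
	}
	return rejected
}

func main() {
	t0 := time.Date(2019, 6, 26, 0, 0, 0, 0, time.UTC)
	c := newCCLimiter(100, time.Minute) // assumed threshold: 100 per IP+URI per minute
	fmt.Println("bot burst rejected:", replay(c, "198.51.100.3", "/find", 300, 10*time.Millisecond, t0))
	fmt.Println("normal client rejected:", replay(c, "203.0.113.7", "/find", 30, 2*time.Second, t0))
}
```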
Even when we know exactly what the attack is, blocking it is still a problem. We deployed the WAF on the server, but in front of the service there are also the CDN and LVS: we can analyse the threat at the back end, yet we cannot block the IPs on those front-end devices.

Also, my friend's log analysis was nowhere near "big data" level; it was still at the manual log-analysis stage, and that kind of analysis and response speed is hard to coordinate with the WAF.

And even if the WAF blocks part of the threat, a small server room still has a bandwidth limit; once the attack traffic congests the link beyond that limit, the service still stops responding.

On top of that the server room has no blocking capability, only alarms; when bandwidth usage is high, the hosting provider will generally just disconnect the machine from the network.
0x05 The contest

The attack was small, but my friend felt something was off, so he decided to simulate a DDoS against his own machine himself.
He picked up his beloved Go and started coding:

// go-attacker: fires <count> concurrent GET requests at <url> and reports per-request timing.
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"time"
)

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: go-attacker <count> <url>")
		os.Exit(1)
	}
	start := time.Now()
	ch := make(chan string)
	times, err := strconv.ParseInt(os.Args[1], 10, 64)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad count:", err)
		os.Exit(1)
	}
	url := os.Args[2]
	var count int64
	for count = 0; count <= times; count++ {
		go fetch(url, ch, count) // start one goroutine per request
	}
	for count = 0; count <= times; count++ {
		fmt.Println(<-ch) // receive one result per goroutine from channel ch
	}
	fmt.Printf("%.2fs elapsed\n", time.Since(start).Seconds())
}

func fetch(url string, ch chan<- string, count int64) {
	start := time.Now()
	resp, err := http.Get(url)
	if err != nil {
		ch <- fmt.Sprint(err) // send the error to channel ch
		return
	}
	nbytes, err := io.Copy(io.Discard, resp.Body) // drain the body without keeping it
	resp.Body.Close()                             // don't leak resources
	if err != nil {
		ch <- fmt.Sprintf("while reading %s: %v", url, err)
		return
	}
	secs := time.Since(start).Seconds()
	ch <- fmt.Sprintf("%7d %.2fs %7d  %s", count, secs, nbytes, url)
}

The code is rough, but maybe some friends need it, so per the old rule it is on GitHub: go-attacker

0x06 Using high-defense

My friend's homemade Go program simulates a large number of GET requests. Attacking himself, he found his own service could not withstand it either and even caused congestion, so he simply switched to wrk, which simulates normal HTTP requests:

wrk -c1000 -t10 -d10 --latency http://127.0.0.1:8080/find

Same result: the service could not hold. So he had to go talk to that "brother".
As a result, the DDoS buddy switched from attacking to training, offering to teach the relevant skills for a training fee of 1200: quick, time-saving, high economic return, but it breaks the law, so you cannot do this!

My friend did not pay the 200, but there was a new development: not only training, but selling software too. The black market does business like this now, so versatile.

0x07 Collecting evidence and reporting to the police

Looking at the situation, my friend's plan was: harden the service, buy high-defense anyway, and then report it officially. This time he had to go to the police.
After a long, friendly exchange with the police officer, a problem came up.
800 yuan is still a long way from 5000 yuan, but the officer told him to go back and collect evidence.

0x08 Testing high-defense

My friend finally found a service company offering high-defense, and hoped that besides automatic switching it could also be switched to high-defense manually.

Because there is a lot of traffic across many domains, it was discovered during the testing phase that after switching to high-defense, a lot of what looked like normal traffic was being dropped by the traffic management, and the CDN service was being bypassed, so that day a lot of sales orders were lost. Since it was still the testing phase, further tests were needed to confirm this and to whitelist the traffic.

Users -> CDN -> High-defense -> Services.

To find out whether high-defense really works, my friend wanted to ask the DDoS "friend" whether he would take a job and test it live.
To this we also wanted to ask whether the anti-DDoS side could provide one as well.

The attack continued for some time, and the service appeared to hold up.

0x09 Case filed successfully
The end of the story is that my friend's case was filed successfully; whether the police can catch the "friend" who threatened him for 800 yuan remains to be seen in the follow-up.

0x10 Security learning

With high-defense in place and the case filed, my friend is now using the time in between to learn security knowledge, looking for open courses on FreeBuf. With security technology, as the saying goes, you only regret how little you studied when the time comes to use it. People ask what security is good for: if a service like my friend's is attacked and loses a day's orders, the cost of those orders is far more than this 800 yuan.


Source: blog.csdn.net/kclax/article/details/93731423