Monitoring and alerting | Was the website attacked?
2022-06-24 15:18:00 【Tencent cloud development TCB】
A while ago my website appeared to be attacked. Today let's revisit the scene of the incident, and I'll share how I analysed it and what I changed afterwards.
Background
First, how did I find out the website was being attacked?
To keep an online website and its backend services running stably, we normally add monitoring and alerting to the project, so that when something unexpected happens the system notifies the administrator as quickly as possible.
Because my project is deployed on Tencent CloudBase, quota monitoring and alerts come by default; they guard against runaway resource consumption, which is very convenient.
But alerts alone are not enough. When something goes wrong, how do we analyse it? Troubleshooting needs clues.
CloudBase provides monitoring and logging for cloud functions, cloud hosting and so on out of the box. Without writing a line of code you can see each resource's runtime metrics and detailed logs, such as the request time, client IP address and request headers.
Beyond that, while developing I added logging and data reporting to the service itself, for example which user performed which operation at what time. The more detailed the record, the easier it is to find problems. Of course, meaningless content need not be recorded, otherwise the logs are full of noise, which is hard on the eyes and inefficient to read; and anything that would carry credentials, tokens or personal data needs the same protection as the data itself.
I treat my projects like my own children (even though I don't have any yet), so I check the monitoring and logs every day to see how the "children" are doing.
The metric I look at most is the service call count, which largely reflects user traffic.
Normally the graph of call count over time looks like this: nobody visits at night, daytime traffic is steady, with the occasional small peak:
But one day I saw the graph below. What is special about this curve?
That's right, a lone hair standing up on a bald crown! Around the 25-minute mark the call count suddenly soars. This phenomenon is usually called a "traffic spike", and on a monitoring chart the shape is called a "glitch" or "spike".
Spikes are rarely good news. Seeing this curve, my first reaction was not "Wow, has the project gone viral?" but "Oh no, I'm being attacked!"
Was it really an attack? Who attacked me? Is someone out to get me (with a bit of fantasy there)?
With these questions in mind, let's do a quick analysis.
Analysis
The graph alone cannot tell us much; we have to look for clues at the scene.
Fortunately CloudBase records access logs for us. Select the period of the incident (centred on the 25-minute mark, with 5 minutes of margin on either side) and filter out the corresponding log entries.
For more flexible analysis, export the logs locally and open them in Excel or another spreadsheet.
Then analyse the log. First look at the log production time column, the time of the crime:
Did you notice? The log timestamps are very evenly spaced, about 3 to 4 entries per second.
This indicates that the requests are probably not a human visiting the site but a machine sending requests at a fixed rate.
Now look at the log content; each entry has this structure:
// Request time
2021-04-29T04:22:05.937752445Z
// Client IP that initiated the request
stdout F 169.254.128.20
// Request line (method, path, protocol)
HEAD /webroot.bak HTTP/1.1
// Response status code and body size
200 0
// Request URL
http://www.code-nav.cn/webroot.bak
// User agent (browser identity)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Of these, the request time, client IP and request URL are the key information. Time we have just analysed; now let's look at the IP and the URL.
I searched the table for the IP and found that every entry came from the same address! One caveat: 169.254.0.0/16 is link-local address space, so an address like the one above usually identifies the platform's internal gateway or load balancer rather than the scanner's own public address; the real client address, if the platform keeps it, is in a forwarding header such as X-Forwarded-For among the logged request headers.
That put me at ease; it looked like just a minor nuisance.
Then I looked at the request URLs of several consecutive entries, something like this:
http://www.code-nav.cn/111.gz
http://www.code-nav.cn/111.tar.bz2
http://www.code-nav.cn/111.dat
http://www.code-nav.cn/111.bz2
http://www.code-nav.cn/222.tgz
http://www.code-nav.cn/222.gz
http://www.code-nav.cn/333.zip
...
Seeing "111", "222", "333" I roughly understood: the attacker was running a dictionary scan against my site, trying to find the admin backend address. The numeric names combined with archive and backup extensions (.gz, .tar.bz2, .zip, .bak) are the part of such a wordlist that hunts for leftover backup archives and source dumps in the web root. The unchanging, outdated user agent (MSIE 9 on Windows 7) is another sign of a scripted tool rather than a real browser. Note the 200 status too: on a static host that returns the same index page for every path a 200 proves nothing, but it is worth confirming that no such archive actually exists in the deployed directory, because a reachable webroot.bak would hand over the whole site source.
The principle of the attack is simple, like children trying to guess someone's password: one guess after another. The difference is that attackers use website scanning tools, feed them a dictionary of likely paths or passwords, and let the machine do the trying instead of doing it by hand. Because the volume and frequency of attempts are far higher, this is called "brute forcing" (爆破).
It brought back the fear of being tormented by my network security classes in college...
Based on the analysis above, this "attacker" was probably just using my website for practice; after all, the scan rate was low and it did not last long. Of course, I hope so. Low-rate, short-lived scans like this are usually automated reconnaissance rather than a targeted attack, but the fix for what they look for (stray backup archives in the web root) costs nothing, so it is worth doing regardless.
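The two checks made by hand in the spreadsheet above (is the cadence machine-like? are the paths a backup wordlist?) can be scripted over the exported log. The following is an added example, not code from the original post or from CloudBase: it parses lines in the shape of the record quoted above and reports, per client IP, the request cadence and the scanner evidence. The log excerpt is constructed for this example (one normal visitor at 203.0.113.7 is invented; the scanner IP, paths and user agent follow the page), and the suffix list and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
import re
import statistics
from urllib.parse import urlsplit

# One entry per line, in the shape of the record quoted above:
# <time> stdout F <client ip> <method> <path> HTTP/x <status> <bytes> <url> <user agent>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) stdout F (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<url>\S+) (?P<ua>.*)$"
)

# File suffixes that backup / source-dump wordlists probe for (assumed list).
BACKUP_EXT = {".bak", ".old", ".gz", ".tgz", ".tar", ".bz2", ".zip", ".rar", ".7z", ".sql", ".dat"}

SCANNER = "169.254.128.20"   # the address logged on the page
VISITOR = "203.0.113.7"      # constructed normal visitor (documentation range)
UA_SCAN = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
UA_USER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"

# Constructed excerpt, not the author's export: one normal visitor plus the scan.
SAMPLE_LOG = "\n".join([
    f"2021-04-29T04:21:58.101203311Z stdout F {VISITOR} GET / HTTP/1.1 200 5120 http://www.code-nav.cn/ {UA_USER}",
    f"2021-04-29T04:22:05.937752445Z stdout F {SCANNER} HEAD /webroot.bak HTTP/1.1 200 0 http://www.code-nav.cn/webroot.bak {UA_SCAN}",
    f"2021-04-29T04:22:06.237118902Z stdout F {SCANNER} HEAD /111.gz HTTP/1.1 200 0 http://www.code-nav.cn/111.gz {UA_SCAN}",
    f"2021-04-29T04:22:06.538440217Z stdout F {SCANNER} HEAD /111.tar.bz2 HTTP/1.1 200 0 http://www.code-nav.cn/111.tar.bz2 {UA_SCAN}",
    f"2021-04-29T04:22:06.840012764Z stdout F {SCANNER} HEAD /111.dat HTTP/1.1 200 0 http://www.code-nav.cn/111.dat {UA_SCAN}",
    f"2021-04-29T04:22:07.141539008Z stdout F {SCANNER} HEAD /111.bz2 HTTP/1.1 200 0 http://www.code-nav.cn/111.bz2 {UA_SCAN}",
    f"2021-04-29T04:22:07.443207655Z stdout F {SCANNER} HEAD /222.tgz HTTP/1.1 200 0 http://www.code-nav.cn/222.tgz {UA_SCAN}",
    f"2021-04-29T04:22:07.744881190Z stdout F {SCANNER} HEAD /222.gz HTTP/1.1 200 0 http://www.code-nav.cn/222.gz {UA_SCAN}",
    f"2021-04-29T04:22:08.046513327Z stdout F {SCANNER} HEAD /333.zip HTTP/1.1 200 0 http://www.code-nav.cn/333.zip {UA_SCAN}",
    f"2021-04-29T04:22:11.703318450Z stdout F {VISITOR} GET /api/like HTTP/1.1 200 37 http://www.code-nav.cn/api/like {UA_USER}",
])


def parse_ts(raw):
    """Parse the nanosecond RFC 3339 timestamp; datetime keeps microseconds only."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", raw)
    if not m:
        raise ValueError(f"unrecognised timestamp: {raw}")
    micro = int((m.group(2) or "")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def parse_log(text):
    """Return one dict per recognised line; lines in another shape are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = parse_ts(row["ts"])
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def suffixes(path):
    """All dotted suffixes of the last path segment: /111.tar.bz2 -> {'.tar.bz2', '.bz2'}."""
    name = urlsplit(path).path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return {"." + ".".join(parts[i:]) for i in range(1, len(parts))}


def triage(text, max_cv=0.2, min_requests=5, min_probes=3):
    """Per client IP: request cadence plus wordlist-scan evidence, and a verdict.

    Humans click irregularly, so the coefficient of variation (stdev / mean) of the
    gaps between their requests is large; a loop on a timer gives a CV near zero.
    """
    by_ip = defaultdict(list)
    for r in parse_log(text):
        by_ip[r["ip"]].append(r)
    report = {}
    for ip, mine in by_ip.items():
        mine.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(mine, mine[1:])]
        mean_gap = cv = None
        if len(gaps) >= 2:
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        probes = [r["path"] for r in mine if suffixes(r["path"]) & BACKUP_EXT]
        numeric = [p for p in probes if re.fullmatch(r"/\d+(\.[a-z0-9.]+)?", p)]
        # A 200 on a probed path is not proof the file exists (a static host may serve
        # the index page for any URL), but it is the list to verify by hand.
        verify = sorted({r["path"] for r in mine if r["status"] == 200 and r["path"] in probes})
        machine_like = cv is not None and cv < max_cv and len(mine) >= min_requests
        report[ip] = {
            "requests": len(mine),
            "mean_gap": None if mean_gap is None else round(mean_gap, 3),
            "cv": None if cv is None else round(cv, 3),
            "backup_probes": len(probes),
            "numeric_names": len(numeric),
            "head_ratio": sum(r["method"] == "HEAD" for r in mine) / len(mine),
            "user_agents": sorted({r["ua"] for r in mine}),
            "verify_exists": verify,
            "verdict": "scanner" if machine_like and len(probes) >= min_probes else "normal",
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["verdict"], f"{info['requests']} requests, cv={info['cv']}, probes={info['backup_probes']}")
```

On the constructed excerpt the scanner's address comes out with a mean gap of about 0.3 s and a CV near 0.003, all requests as HEAD, one fixed user agent and eight backup-style paths, so it is labelled "scanner"; the visitor has too few requests to judge cadence and no probes. The verify_exists list is the follow-up: check each of those paths against the deployed directory rather than trusting the 200.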
Prevention
It did little harm but was extremely insulting! It made me realise that my website was lacking on the security side. At the very least I should be alerted when abnormal traffic appears, by text message or something similar!
If you deploy the website on your own server, you need to connect to or build a business monitoring and alerting system. There are many third-party options, such as Zabbix, Prometheus (with Alertmanager) and Grafana, but they all have to be deployed and maintained by you, which costs time and effort.
With Tencent CloudBase, besides the basic resource-quota alerts mentioned above, you can also flexibly configure various advanced alert policies.
For example, to add a call-count alert to the "like" function, first select "Cloud functions" as the alert object:
Then configure the trigger condition, for example alert when there are more than 100 calls in 5 minutes:
Then configure the recipients, notification channels, time periods and so on. Email, SMS, WeChat and more are supported:
Done. In the same way you can add alerts to every function at the finest granularity, so I'll learn about an incident the moment it happens.
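The console rule above ("more than 100 calls in 5 minutes") is a sliding-window count. The following is an added example, not code from the original post or from CloudBase, showing the same rule as a small detector you could run over an exported call log or a log stream, with a cooldown so that one burst produces one notification rather than one per call. The threshold, window and the call stream are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone


class CallRateAlarm:
    """Alarm when more than `threshold` calls land inside any trailing `window`.

    Mirrors the console rule (assumed defaults: 100 calls / 5 minutes). The cooldown
    stops the alarm from re-firing on every further call of the same burst.
    """

    def __init__(self, threshold=100, window=timedelta(minutes=5), cooldown=None):
        self.threshold = threshold
        self.window = window
        self.cooldown = window if cooldown is None else cooldown
        self.recent = deque()       # timestamps still inside the trailing window
        self.last_alarm = None
        self.alarms = []            # (timestamp, calls in window) for each alarm raised

    def observe(self, ts):
        """Record one call (timestamps in non-decreasing order); True if an alarm fires."""
        self.recent.append(ts)
        while ts - self.recent[0] > self.window:   # drop calls older than the window
            self.recent.popleft()
        if len(self.recent) <= self.threshold:
            return False
        if self.last_alarm is not None and ts - self.last_alarm < self.cooldown:
            return False
        self.last_alarm = ts
        self.alarms.append((ts, len(self.recent)))
        return True


def constructed_stream():
    """Constructed call log, not real data: one call every 2 minutes for an hour, then a
    150-call burst at 4 calls/second (the cadence seen in the scan) starting at minute 62."""
    t0 = datetime(2021, 4, 29, 4, 0, tzinfo=timezone.utc)
    quiet = [t0 + timedelta(minutes=2 * i) for i in range(30)]
    burst = [t0 + timedelta(minutes=62, milliseconds=250 * i) for i in range(150)]
    return quiet + burst


def run(stream, **kwargs):
    """Replay a call log through one detector; returns (timestamps that alarmed, detector)."""
    alarm = CallRateAlarm(**kwargs)
    fired = [ts for ts in stream if alarm.observe(ts)]
    return fired, alarm


if __name__ == "__main__":
    fired, alarm = run(constructed_stream())
    for ts, n in alarm.alarms:
        print(f"ALARM {ts.isoformat()}: {n} calls in the trailing 5 minutes")
```

On the constructed stream the quiet hour never trips the rule, and the burst trips it exactly once, on the call that brings the trailing window to 101 (about 25 seconds into the burst); the rest of the burst is absorbed by the cooldown. The console alarm is configured per cloud function, so for a real export keep one CallRateAlarm per function name and feed each call to the detector for its function.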
Author: 鱼皮 (Yupi), published by Tencent CloudBase