What is a CC attack? How to judge whether a website is attacked by CC? How to defend against CC attacks?
2022-06-24 07:22:00 【IDC02_ FEIYA】
I. What is a CC attack?
CC attacks mainly target web pages. We have all had this experience: when visiting a forum, if the forum is large and many people are visiting, pages open slowly, don't they? Generally speaking, the more visitors there are, the more pages the forum has, the larger the database, and the more frequently it is accessed, the more system resources are consumed.
A static page does not take up much server resources; it can even be read directly from memory and sent to you. A forum is different: when I view a post, the system has to query the database to check whether I have permission to read it, and if so, read the post's content and display it.
That is at least 2 database accesses. If the database is 200MB in size, the system is likely to search through that 200MB of data. How much CPU and time does that take? If I search for a keyword, the time is even more considerable, because the earlier lookups can be limited to a very small range (the permission check only reads the user table, the post content only reads the post table) and can stop as soon as a match is found, whereas a search has to evaluate all of the data, which takes a great deal of time.
A CC attack takes full advantage of this: it simulates multiple users (as many threads as users) continuously accessing pages that require a lot of data operations, that is, pages that need a lot of CPU time. Many friends ask: why use a proxy? Because proxies effectively hide the attacker's identity and can also bypass all firewalls, since basically all firewalls check the number of concurrent TCP/IP connections, and exceeding a certain number or a certain frequency is treated as a Connection-Flood.
Attacking through proxies also keeps the connections alive: we send the data, the proxy forwards it to the target server, and we can disconnect immediately while the proxy stays connected to the target (the record I know of is someone using 2000 proxies to produce 35 million concurrent connections).
Many friends may not understand this well, so let me describe it. Suppose server A needs 0.01s to process Search.asp (multithreading is just time slicing and does not affect the conclusion); in other words, it can serve 100 users' Search requests per second. The maximum connection time the server allows is 60s. We use CC to simulate 120 concurrent users, so after 1 minute the server has been requested 7200 times and has processed 6000, leaving 1200 concurrent connections unprocessed.
Some friends will say: drop the connections! The problem is that the server drops connections in first-come, first-served order, and these 1200 were initiated in the last 10 seconds. Want to drop them?! By calculation, when the server is full and starts dropping connections, there should be 7200 concurrent connections queued. The server then drops connections at 120 per second, but we also initiate connections at 120 per second, so the server always has connections it cannot finish processing. The server's CPU sits at 100% for a long time; after 60 seconds of dropping connections the server still cannot keep up, new connections cannot be handled either, and the server stays extremely busy.
Of course, CC can also use this method to attack FTP, and it can also be used to implement a TCP-FLOOD; these have been tested and are effective.
II. How to determine whether a website is under a CC attack?
1. If the site is dynamic (asp/asp.net/php, etc.), under a CC attack an IIS site will report the error SERVER IS TOO BUSY. If the Web service is not provided by IIS, you will find that the program providing the Web service crashes and reports errors for no apparent reason. If problems in the website's own code have been ruled out and this still happens, you can basically conclude that the website is under a CC attack.
2. If the site is static (html pages, for example), under a CC attack open Task Manager and look at the network traffic: the amount of data being sent is on the high side, and under a heavy CC attack it can even reach 99% network utilization. Of course, under a CC attack the website cannot be visited normally, but you can still connect to the server normally over port 3389.
3. Under a small CC attack, the site can still be accessed intermittently, but larger files such as images may fail to display. If a dynamic site is under a small CC attack, we will also see the server's CPU usage soar. This is the most basic symptom of a CC attack.
III. How to defend against CC attacks?
There are many ways to defend against CC attacks, and these methods also improve the server's capacity to handle concurrency.
1. Vertical and horizontal server scaling
When funds permit, this is the simplest approach. In essence it is not aimed at CC attacks; it improves the service's ability to handle concurrency, but it does increase the capacity to withstand a CC attack. Vertical scaling means increasing the hardware capacity of each server, such as upgrading the CPU, adding memory, or upgrading to SSDs. Horizontal scaling means increasing capacity by adding more servers that provide the service. Both kinds of scaling can be applied at every tier of the service, including application servers, database servers, and cache servers.
2. Data caching (in memory, not in files)
For data that is highly shared, reusable across many users, or reused many times by a single user, once it has been retrieved from the database or computed it is best to put it in a cache. Subsequent requests can then get the data directly from the cache, which reduces the retrieval load on the database and the computing load on the application server, returns results quickly and releases the process, and also relieves memory pressure on the server. Note that file-based caching should not be used. Use Redis, memcached, or a memory-based NoSQL caching service, deployed separately from the application server inside the LAN. Network I/O within a LAN is faster than disk I/O. To keep the LAN from becoming a bottleneck, a gigabit network is also necessary.
3. Static pages
As with data caching, page data is essentially data. A common approach is to generate static html page files and use the client browser's cache, the server's caching service, and the caching of CDN nodes. This reduces the data retrieval and computing load on the server side, so that it can respond quickly and release the connection process.
4. Per-user request rate limiting
Whether or not the service has a login state, session-based or similar methods can assign each client a unique identifier (called the SID), and the server can store the SID in a cache. When a client requests a service without a SID (in a cookie or in a request parameter), the server quickly allocates one and returns it. If possible, this first request should return no data, or SID allocation should be split out into a service independent of the business service. When the client sends a request with a valid SID (that is, one that matches an entry in the server's cache), the client's request frequency can be limited per SID. Requests with an invalid SID are rejected outright. Compared with IP-based rate limiting, SID-based rate limiting is more precise and controllable, and it avoids blocking legitimate users as far as possible.
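The SID scheme described above, as an added example that is not code from the original article. It assumes an in-process dict standing in for the shared cache; the class name `SidRateLimiter`, the thresholds and the HTTP-style status codes are hypothetical choices for illustration.

```python
import secrets
import time
from collections import deque


class SidRateLimiter:
    """Per-SID sliding-window limiter (hypothetical name, added example).

    self.known stands in for the server-side cache (e.g. Redis) the article
    recommends; the thresholds and status codes are assumptions.
    """

    def __init__(self, max_requests=5, window=1.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self.known = {}  # SID -> timestamps of requests inside the window

    def handle(self, sid=None):
        """Return (status, body) for one request carrying `sid` (or none)."""
        if sid is None:
            # No SID yet: allocate one quickly and return no business data.
            # Issuance itself still needs a cap (the IP limit) and a TTL.
            sid = secrets.token_urlsafe(16)
            self.known[sid] = deque()
            return 200, {"sid": sid, "data": None}
        hits = self.known.get(sid)
        if hits is None:
            return 403, None  # SID not in the cache: reject outright
        now = self.clock()
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # forget requests that left the window
        if len(hits) >= self.max_requests:
            return 429, None  # over the per-SID frequency limit
        hits.append(now)
        return 200, {"sid": sid, "data": "page content"}


if __name__ == "__main__":
    limiter = SidRateLimiter(max_requests=3, window=1.0)
    _, body = limiter.handle()            # first contact: SID only
    sid = body["sid"]
    print([limiter.handle(sid)[0] for _ in range(5)])  # burst from one client
    print(limiter.handle("forged-sid")[0])             # unknown SID
```

With several application servers, the per-SID timestamps would be kept in the shared cache so that every server sees the same count.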
5. IP limits
Finally, IP limits can still be used in conjunction with the rules above, but they can be moved up front to the firewall or load balancer layer, and the limit threshold can be raised, so that malicious traffic does not reach the application server and put pressure on it.
Thank you for reading. Follow along so you don't get lost ~