[前言]最近朋友的网站受到CC攻击,就向我咨询,因为我对防cc攻击也不是很了解,所以我也不敢一下子给他什么好的答案。今天,我就写了下面的资料,看能不能给他,和大家一个好的方案,如果大家有对防CC攻击更好的主意,请留言与我,我们一起学习,谢谢!
<?php
if (isset($_SERVER)){
$realip = $_SERVER[HTTP_X_FORWARDED_FOR];
}
else
{
$realip = getenv("HTTP_X_FORWARDED_FOR");
}
if($realip<>""){
$remoteip=$_SERVER['REMOTE_ADDR'];
log_ip($remoteip,$realip);
}
function log_ip($remote_ip,$real_ip)
{
$temp_time = date("y-m-d G:i:s");
$temp_result = $temp_time."\t".$real_ip."\t".$remote_ip."\n";
if(!$fhandle=fopen("cc_log.txt","a+")){
print "error";
exit;
}
fwrite($fhandle,$temp_result);
fclose($fhandle);
}
?>
此段代码作用:
将代理访问的真实IP记录到日志中,以便排查分析。
以下是cc_log.txt的内容(此代码生产是因我通过CC攻击软件攻击生产的)
Time Real_ip Remote_ip <=此行是我自己添加的
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:51 122.144.131.72 60.248.212.230
在仅仅有4秒的时间内,就从真实IP 122.144.131.72 以代理IP(60.248.212.230,219.146.172.91)来访问我这台服务器,可见这台真实客户端
是有问题的,这时,我们应该用防火墙(iptables)禁止掉这些真实IP,以使他们的请求,在入口就Deny掉。
<?php
session_start();
$timestamp = time();
$cc_nowtime = $timestamp ;
if (session_is_registered('cc_lasttime')){
$cc_lasttime = $_SESSION['cc_lasttime'];
$cc_times = $_SESSION['cc_times'] + 1;
$_SESSION['cc_times'] = $cc_times;
}else{
$cc_lasttime = $cc_nowtime;
$cc_times = 1;
$_SESSION['cc_times'] = $cc_times;
$_SESSION['cc_lasttime'] = $cc_lasttime;
}
if (($cc_nowtime - $cc_lasttime)<5){
if ($cc_times>=10){
header(sprintf("Location: %s",'http://127.0.0.1'));
exit;
}
}else{
$cc_times = 0;
$_SESSION['cc_lasttime'] = $cc_nowtime;
$_SESSION['cc_times'] = $cc_times;
}
?>
这段代码的作用:
同一会话,如果在5秒钟内,刷新了10次就将响应指向到本地服务(http://127.0.0.1)
<?php
if (isset($_SERVER)){
$realip = $_SERVER[HTTP_X_FORWARDED_FOR];
}
else
{
$realip = getenv("HTTP_X_FORWARDED_FOR");
}
if($realip<>""){
$remoteip=$_SERVER['REMOTE_ADDR'];
log_ip($remoteip,$realip);
}
function log_ip($remote_ip,$real_ip)
{
$temp_time = date("y-m-d G:i:s");
$temp_result = $temp_time."\t".$real_ip."\t".$remote_ip."\n";
if(!$fhandle=fopen("cc_log.txt","a+")){
print "error";
exit;
}
fwrite($fhandle,$temp_result);
fclose($fhandle);
}
?>
此段代码作用:
将代理访问的真实IP记录到日志中,以便排查分析。
以下是cc_log.txt的内容(此代码生产是因我通过CC攻击软件攻击生产的)
Time Real_ip Remote_ip <=此行是我自己添加的
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:47 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:48 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 219.146.172.91
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:49 122.144.131.72 60.248.212.230
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:50 122.144.131.72 219.146.172.91
09-09-05 13:50:51 122.144.131.72 60.248.212.230
在仅仅有4秒的时间内,就从真实IP 122.144.131.72 以代理IP(60.248.212.230,219.146.172.91)来访问我这台服务器,可见这台真实客户端
是有问题的,这时,我们应该用防火墙(iptables)禁止掉这些真实IP,以使他们的请求,在入口就Deny掉。
<?php
session_start();
$timestamp = time();
$cc_nowtime = $timestamp ;
if (session_is_registered('cc_lasttime')){
$cc_lasttime = $_SESSION['cc_lasttime'];
$cc_times = $_SESSION['cc_times'] + 1;
$_SESSION['cc_times'] = $cc_times;
}else{
$cc_lasttime = $cc_nowtime;
$cc_times = 1;
$_SESSION['cc_times'] = $cc_times;
$_SESSION['cc_lasttime'] = $cc_lasttime;
}
if (($cc_nowtime - $cc_lasttime)<5){
if ($cc_times>=10){
header(sprintf("Location: %s",'http://127.0.0.1'));
exit;
}
}else{
$cc_times = 0;
$_SESSION['cc_lasttime'] = $cc_nowtime;
$_SESSION['cc_times'] = $cc_times;
}
?>
这段代码的作用:
同一会话,如果在5秒钟内,刷新了10次就将响应指向到本地服务(http://127.0.0.1)
[感言]个人认为,第一段代码可以与应用一起发布,并定期对cc_log.txt进行分析,以便保护服务。而第二段代码,在第一段代码近期出现过多代理请求,此时可以将此段代码放入到应用中,起到一定的防CC攻击(因为会话过多也会消耗服务器资源的,大家应当灵活应用)。当然 ,如果有硬防是更好的。不过,我曾在网上看到硬防看起后,会造成部分蜘蛛无法正常抓取,不过,大家可以通过http日志,将蜘蛛ip整理出来,交给相关的技术人员,以使其IP放入硬防的白名单中。
本文转自hahazhu0634 51CTO博客,原文链接:http://blog.51cto.com/5ydycm/199083,如需转载请自行联系原作者
