开发者社区> 问答> 正文

Linux主机简单判断CC攻击的命令

CC攻击很容易发起,并且几乎不需要成本,导致现在的CC攻击越来越多。
大部分搞CC攻击的人,都是用在网上下载的工具,这些工具很少去伪造特征,所以会留下一些痕迹。
使用下面的命令,可以分析下是否在被CC攻击。



第一条命令:
tcpdump -s0 -A -n -i any | grep -o -E '(GET|POST|HEAD) .*'


正常的输出结果类似于这样

POST /ajax/validator.php HTTP/1.1
POST /api_redirect.php HTTP/1.1
GET /team/57085.html HTTP/1.1
POST /order/pay.php HTTP/1.1
GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1
GET /static/theme/qq/css/index.css HTTP/1.1
GET /static/js/index.js HTTP/1.1
GET /static/js/customize.js HTTP/1.1
GET /ajax/loginjs.php?type=topbar& HTTP/1.1
GET /static/js/jquery.js HTTP/1.1
GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1
GET /static/theme/qq/css/index.css HTTP/1.1
GET /static/js/lazyload/jquery.lazyload.min.js HTTP/1.1
GET /static/js/MSIE.PNG.js HTTP/1.1
GET /static/js/index.js HTTP/1.1
GET /static/js/customize.js HTTP/1.1
GET /ajax/loginjs.php?type=topbar& HTTP/1.1
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1
GET /static/theme/qq/css/i/logos.png HTTP/1.1
GET /static/theme/qq/css/i/hot.gif HTTP/1.1
GET /static/theme/qq/css/i/brand.gif HTTP/1.1
GET /static/theme/qq/css/i/new.gif HTTP/1.1
GET /static/js/jquery.js HTTP/1.1
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1
正常命令结果以静态文件为主,比如css,js,各种图片。
如果是被攻击,会出现大量固定的地址,比如攻击的是首页,会有大量的“GET / HTTP/1.1”,或者有一定特征的地址,比如攻击的如何是Discuz论坛,那么可能会出现大量的“/thread-随机数字-1-1.html”这样的地址。


第二条命令:
tcpdump -s0 -A -n -i any | grep  ^User-Agent

输出结果类似于下面:

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; + http://www.bing.com/bingbot.htm)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)


这个是查看客户端的useragent,正常的结果中,是各种各样的useragent。
大多数攻击使用的是固定的useragent,也就是会看到同一个useragent在刷屏。随机的useragent只见过一次,但是给搞成了类似于这样“axd5m8usy”,还是可以分辨出来。


第三条命令:
tcpdump -s0 -A -n -i any | grep ^Host

如果机器上的网站太多,可以用上面的命令找出是哪个网站在被大量请求
输出结果类似于下面这样

Host: www.server110.com
Host: www.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: www.server110.com


一般系统不会默认安装tcpdump命令
centos安装方法:yum install -y tcpdump
debian/ubuntu安装方法:apt-get install -y tcpdump

很多小白用户不懂得如何设置日志,查看日志,使用上面的命令则简单的多,复制到命令行上运行即可。


原文地址:
http://www.server110.com/linux_sec/201406/10670.html

展开
收起
云代维 2014-06-07 11:23:09 25235 0
10 条回答
写回答
取消 提交回答
  • ReLinux主机简单判断CC攻击的命令
    谢谢分享  学习了
    2016-08-19 17:29:27
    赞同 展开评论 打赏
  • ReLinux主机简单判断CC攻击的命令
    谢谢分享
    2015-10-14 16:27:16
    赞同 展开评论 打赏
  • ReLinux主机简单判断CC攻击的命令
    学习了,谢谢分享
    2015-09-08 16:19:33
    赞同 展开评论 打赏
  • 认真看完以后我觉得应该给你加分!
    2014-07-21 15:32:31
    赞同 展开评论 打赏
  • ReLinux主机简单判断CC攻击的命令
    不错
    2014-06-09 15:20:49
    赞同 展开评论 打赏
  • 不错,支持~
    2014-06-08 23:21:57
    赞同 展开评论 打赏
  • ReLinux主机简单判断CC攻击的命令
    谢谢楼主分享,有用,收藏了
    2014-06-08 19:32:28
    赞同 展开评论 打赏
  • 学习了。
    2014-06-08 07:43:25
    赞同 展开评论 打赏
  • 谢谢分享
    2014-06-08 00:07:02
    赞同 展开评论 打赏
  • 论坛总版主
    好东西。。帮顶了
    2014-06-07 21:42:38
    赞同 展开评论 打赏
滑动查看更多
问答排行榜
最热
最新

相关电子书

更多
Alibaba Cloud Linux 3 发布 立即下载
ECS系统指南之Linux系统诊断 立即下载
ECS运维指南 之 Linux系统诊断 立即下载