Recently the project website (LNMP stack) saw its traffic surge to peak levels during one particular time window. Checking nginx_error.log turned up a large number of errors of the following form:
2014/10/21 16:50:56 [error] 6873#0: *34811 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 1x.1x9.xx.xx, server: xxx.com, request: "GET /track.php?source=emar&wi=NzUzODU1fDAwMzIwMmRmNWE2ZDNlMzBjMDlk&target= HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: ".com", referrer: "thread-11612260-1-1.html"
The first read of this was that track.php was being requested in volume against the project site, with the referrer pointing at bbs.xxxxx.com. A check of the web server found no track.php file at all ("Primary script unknown" is what PHP-FPM reports when the script path nginx hands it does not exist on disk), which made it immediately obvious that the site was under a CC (HTTP flood) attack.
Several approaches were tried while working on a fix; none of them gave a satisfactory result.
1. Block the unknown IP range (taken from the error log) with iptables:
# iptables -A INPUT -s 1x.1x9.xx.xx/24 -j DROP
Result: it broke normal operation of the load balancer, so it had to be abandoned.
2. Use netstat to list the web server's current connections, then use iptables to block the addresses holding the most connections that do not belong to ops/management:
# Count current connections to port 80 per client address (top 20).
# Note the original one-liner had these two commands joined by a pipe; they are alternatives, not stages of one pipeline.
# netstat -anlp | grep ':80 ' | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
# or, equivalently:
# netstat -ant | awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' | sort -rn | head -n20
# iptables -A INPUT -s 1x.1x9.xx.10 -j DROP
……
# iptables -A INPUT -s 1x.1x9.xx.250 -j DROP
Result: it broke normal operation of the load balancer, so it had to be abandoned. (When a load balancer sits in front of the web server, the addresses with the most connections are frequently the load balancer's own, which is why per-IP DROP rules at the web server hit it first.)
3. Use iptables to block outbound traffic to the address of bbs.xxxxx.com:
# iptables -A OUTPUT -d 2xx.1xx.2x8.xx9 -j DROP
Result: no noticeable effect, abandoned. This is expected: the forum only appears in the Referer header, and the flood itself comes from the clients sending that header, not from the forum's server, so an OUTPUT rule towards the forum does nothing to the inbound requests.
4. Use nginx's IP deny mechanism. First create nginx_badip.conf in the nginx conf directory:
Variant (1):
deny 1x.1x9.xx.xx/24;
Variant (2):
deny 1x.1x9.xx.2;
deny 1x.1x9.xx.3;
……
deny 1x.1x9.xx.254;
Then add one line to conf.d/default.conf:
server {
……
include nginx_badip.conf;
……
}
Result: variant (1) broke normal operation of the load balancer; variant (2) broke some of the project's own functionality. Both had to be abandoned as well.
Final method: use nginx's built-in variables $http_referer, $request_filename and $request for access control. If a request carries an xxxxx.com referrer or targets track.php, close the connection without returning anything (nginx's non-standard status 444 does exactly that). The nginx configuration:
server {
listen 80;
server_name .com;
# Any request whose Referer mentions the forum: close the connection with no response.
if ($http_referer ~* "xxxxx.com") {
return 444;
}
# Caveat: $request_filename is the on-disk path built from root/alias plus the URI
# (e.g. /var/www/html/track.php), so "^/track.php" only matches when root is /.
# Matching $uri, or a "location = /track.php" block, is the reliable form.
if ($request_filename ~ "^/track.php") {
return 444;
}
……
}
After this, nginx_error.log no longer showed the earlier errors. Continuing to check nginx_access.log, the following records related to track.php were found:
1x.1x9.xx.xx - - [21/Oct/2014:16:54:56 +0800] "GET /track.php?source=emar&wi=NzUzODU1fDAwMzIwMmRmNWE2ZDNlMzBjMDlk&target= HTTP/1.0" 404 564 "forum-46-1.html" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
The idea then was to try steering this traffic to the project site's home page instead, by adding one more check:
server {
# $request is the full request line ("GET /track.php?... HTTP/1.0"), so this
# also catches the script when it appears with a query string. 301 is cheap to
# serve, but clients that follow the redirect will still arrive at the home page.
if ($request ~* "track.php") {
rewrite ^(.*) http://.com permanent;
}
……
}
Checking nginx_access.log again:
1x.1x9.xx.xx - - [21/Oct/2014:17:52:16 +0800] "GET /track.php?source=emar&wi=NzUzODU1fDAwMzIwMmRmNWE2ZDNlMzBjMDlk&target= HTTP/1.0" 301 178 "forum-46-1.html" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; LCJB; rv:11.0) like Gecko"
With that, the CC attack problem was resolved, and the traffic was successfully redirected to the project site.
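The two server blocks above rely on "if" inside the server context and on a per-IP deny list that kept catching the load balancer. As an added example, not the configuration from the original post, the following puts the same three controls (drop on forum Referer, drop the non-existent script, limit per-client request rate) into one config that matches the request URI rather than $request_filename and exempts the load balancer and ops hosts from rate limiting instead of blocking by address. The load balancer range 10.0.0.0/24, the ops host 10.0.1.5, the forum name bbs.example.com and the site name www.example.com are placeholders assumed for the example.

```nginx
# Added example (not the original post's config). Placeholders: 10.0.0.0/24 is
# the load balancer range, 10.0.1.5 an ops host, bbs.example.com the forum that
# appears as Referer, www.example.com the protected site.

# Sources that must never be rate limited or blocked by address.
geo $trusted_src {
    default      0;
    10.0.0.0/24  1;   # load balancer (placeholder)
    10.0.1.5     1;   # ops jump host (placeholder)
}

# 1 when the Referer points at the forum driving the flood; "~*" is a
# case-insensitive regex match in a map.
map $http_referer $bad_referer {
    default                          0;
    "~*^https?://bbs\.example\.com"  1;
}

# Rate-limit key: empty for trusted sources (nginx does not account requests
# with an empty key), the client address for everyone else.
map $trusted_src $limit_key {
    0  $binary_remote_addr;
    1  "";
}

limit_req_zone $limit_key zone=perip:10m rate=10r/s;

server {
    listen 80;
    server_name www.example.com;   # placeholder
    root /var/www/html;

    # Requests arriving with the forum as Referer, whatever the path:
    # close the connection without a response.
    if ($bad_referer) {
        return 444;
    }

    # The script that does not exist on disk. An exact-match location on the
    # URI works regardless of the root directive; swap 444 for
    # "return 301 http://www.example.com/;" to get the post's redirect variant.
    location = /track.php {
        return 444;
    }

    location ~ \.php$ {
        # Per-client rate limit; trusted sources have an empty key and pass.
        limit_req zone=perip burst=20 nodelay;
        # Answer 404 from nginx for missing scripts instead of handing them to
        # PHP-FPM, which is what produced "Primary script unknown".
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

Validate with nginx -t before reloading, and watch the access log for 444 and 503 (limit_req rejections) to confirm which rule is absorbing the flood; if 503s appear for addresses in the geo block, the load balancer range is wrong.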