Beans · 2014/06/27 17:01

0x00 Background


Recently a customer reported that his website frequently returns MySQL error 1040. He has fewer than 1000 online users and the MySQL configuration is fine. He is on a Linode VPS costing 160+ a month.

There was no obvious reason for this, so I ran a series of checks. In top, mysqld was using over 900% CPU.

0x01 Solutions & Ideas


I suspected a CC attack. Since the system is CentOS, I ran the following two commands:

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/{split($5,ip,":"); ++A[ip[1]]} END{for(i in A) print A[i],i}' | sort -rn | head -n20

Record the IPs with an excessive number of connections:

199.27.133.*
174.127.94.*
199.27.128.*

Then start blocking the IPs; the exact commands I ran are below. This article uses iptables for the blocking. For details on how to use iptables, see the iptables tutorial.

iptables -I INPUT -s 174.127.94.0/16 -j DROP
iptables -I INPUT -s 199.27.128.0/16 -j DROP
iptables -I INPUT -s 199.27.133.0/16 -j DROP
iptables -I INPUT -s 193.1.0.0/8 -j DROP
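The two steps above (rank sources by connection count, then write DROP rules) are worth doing with a threshold and a dry run rather than by eye, and it is worth checking what a prefix actually covers: iptables accepts -s 174.127.94.0/16 but applies the mask first, so that rule matches all of 174.127.0.0/16, far more than the observed 174.127.94.* hosts. The script below is an added example, not code from the original post; it runs offline on a constructed netstat-style sample, and the helper names top_sources, suggest_rules and cidr_network are made up for this example. suggest_rules only prints rules so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original post): count connections to port 80 per
# source IP from netstat-style output, print DROP rules for sources over a
# threshold, and show which network an "addr/prefix" really selects.
# Helper names (top_sources, suggest_rules, cidr_network) are hypothetical.

# Constructed sample of `netstat -ant` output (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             174.127.94.10:51234     ESTABLISHED
tcp        0      0 10.0.0.5:80             174.127.94.10:51235     ESTABLISHED
tcp        0      0 10.0.0.5:80             174.127.94.10:51236     SYN_RECV
tcp        0      0 10.0.0.5:80             199.27.133.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             199.27.133.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:2222        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:33000      ESTABLISHED'

# top_sources: read netstat-style lines on stdin, keep tcp connections whose
# local port ($4) is 80, count them per foreign IP ($5 without the port), and
# print "count ip" sorted by count, highest first.
top_sources() {
    awk '$1 == "tcp" && $4 ~ /:80$/ { split($5, ip, ":"); count[ip[1]]++ }
         END { for (i in count) print count[i], i }' | sort -rn
}

# suggest_rules: print (do not execute) one host-level DROP rule for every
# source with at least $1 connections to port 80. Using /32 keeps each rule
# to the observed host instead of a whole range.
suggest_rules() {
    threshold="$1"
    top_sources | awk -v t="$threshold" \
        '$1 >= t { printf "iptables -I INPUT -s %s/32 -j DROP\n", $2 }'
}

# cidr_network: print the network address that "addr/prefix" actually
# selects after the prefix mask is applied, as iptables does internally.
cidr_network() {
    addr="${1%/*}"
    prefix="${1#*/}"
    # Pack the dotted quad into a 32-bit integer.
    oldIFS="$IFS"; IFS=.; set -- $addr; IFS="$oldIFS"
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Build the mask from the prefix length and apply it.
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Stand-alone run: the ranking, dry-run rules for sources with 3+ connections,
# and what the post's 174.127.94.0/16 rule really covers (174.127.0.0/16).
printf '%s\n' "$SAMPLE_NETSTAT" | top_sources
printf '%s\n' "$SAMPLE_NETSTAT" | suggest_rules 3
cidr_network 174.127.94.0/16
```

On a live server the sample would be replaced by `netstat -ant | top_sources`; the point of printing rules instead of running them is that a shared proxy or CDN edge can legitimately open many connections, so the list should be checked before it is fed to iptables.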

After running these commands the blocking is in place, but the rules must be saved, otherwise they disappear when the system restarts:

service iptables save

Run the following command to see which sources send the most traffic (tcpdump must be installed on the server):

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
1000 packets captured
1000 packets received by filter
0 packets dropped by kernel
1420 IP 174.7.7.*

Then record the IP addresses sending an excessive number of packets and block them with the method above.

Run:

service iptables save

to save, then restart iptables:

service iptables restart

It is recommended to repeat this step several times, blocking any abnormal IPs found with the method above. If an IP is blocked by mistake, the following command removes the rule:

iptables -D INPUT -s 222.142.0.0/16 -j DROP

0x02 Common Commands


The command to block a single IP is:

iptables -I INPUT -s 211.1.0.0 -j DROP

The command to block IP ranges is:

iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP

The command to block the entire B segment is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP

The command to block several ranges is:

iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP

0x03 Follow-up


After the above operations the customer's website is back to normal and opens almost instantly; of course, his powerful VPS also has something to do with that. In top, server resource usage is normal.