This is the last month of the year. A lot has happened in the second half of it, and one thing in particular has caused me a great deal of distress; even now I am still not sure whether the problem has been completely solved. That is the attack on this site. It came one wave after another, and I wrote several posts about it along the way, for example “Viewing the IPs behind the CC attack on the website” and “Youpaiyun traffic storm, one hundred lessons”. At times I lacked the energy to write at all; in short, the problem just kept going. It reminded me of my earlier posts “On the Dark Forest Law of the Internet” and “Baptized by the Dark Forest Law once again”. If you want to go further, you have to put more effort into protecting yourself. And don’t be unkind to others. Here I want to go through, specifically, what happened over these months and how I dealt with it.

I can’t remember the exact time; the first problem was probably around July or August this year. The server became abnormal: the CPU shot up to 100% and stayed there with no response for a long time, and in the end the only way to get it back was to restart the server. This time, though, the IP addresses I found in the log were not the real addresses of the attacker but the addresses of Youpaiyun itself. I had enabled the CDN and the nginx configuration was not set up to recover the client address, so the logged address was not the real one. As a result, the IP blocks I configured in the Youpaiyun backend had no effect, and after a while the server went down again. For a time I even considered having the server restart itself on a schedule, but after setting it up I found it did not help, so that came to nothing.

The second time, I recovered the real IP through the configuration and cross-checked it against the Youpaiyun access log. I picked out some IPs and added them to the IP blacklist, and at the same time enabled IP access restrictions and CC protection. That seemed to have an effect: for a few days the problem did not come back.

The third time, I still wanted to start from anti-CC measures, and I found that nginx supports rate limiting (flow control). Since I was using Apache at the time, it took a lot of effort to test the effect, and I switched to Nginx. Every time I felt confident it would work, reality knocked me down again. But after all that work I could not give up easily.
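The two pieces of nginx configuration that the first and third attempts needed, restoring the visitor’s real address behind the CDN (so that blacklists and limits key on the right IP) and rate limiting keyed on that address, as an added example. This is not the author’s configuration. It assumes the CDN forwards the client address in X-Forwarded-For (check Youpaiyun’s documentation for the header it actually uses); the CDN address ranges, hostname and paths are placeholders. The fragment belongs in the http context of nginx.conf.

```nginx
# Added example, not the author's configuration.
# Assumes the site sits behind a CDN that forwards the visitor address in
# X-Forwarded-For; the CDN ranges below are PLACEHOLDERS.

# --- Restore the real client address behind the CDN ---
# Only addresses in these ranges are trusted to set X-Forwarded-For;
# take the real list from the CDN provider.
set_real_ip_from 203.0.113.0/24;    # PLACEHOLDER CDN edge range
set_real_ip_from 198.51.100.0/24;   # PLACEHOLDER CDN edge range
real_ip_header   X-Forwarded-For;
real_ip_recursive on;               # skip trusted hops right-to-left in XFF

# Log both the restored address and the edge that actually connected,
# so a wrongly trusted range or a forged header can be spotted.
log_format realip '$remote_addr (edge $realip_remote_addr) [$time_local] '
                  '"$request" $status $body_bytes_sent "$http_user_agent"';
access_log /var/log/nginx/access.log realip;

# --- Per-client limits, keyed on the restored address ---
limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
limit_req_status  429;
limit_conn_status 429;

server {
    listen 80;
    server_name example.com;        # PLACEHOLDER

    # A normal page load fetches HTML plus a burst of assets, so allow a
    # short burst; sustained floods above 10 r/s get 429 immediately.
    limit_req  zone=per_ip_req burst=30 nodelay;
    limit_conn per_ip_conn 20;

    location / {
        root  /var/www/site;        # PLACEHOLDER
        index index.php index.html;
    }
}
```

The check that matters: if set_real_ip_from does not cover every CDN edge range, $remote_addr stays the CDN’s address, every visitor shares one rate-limit bucket, and a blacklist entry blocks the CDN itself rather than the attacker, which is exactly the symptom of the first attempt. Comparing the two addresses in the log line makes that misconfiguration visible.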

The fourth time, after this long ordeal, I wanted to determine whether it was the server that was under attack or the website itself. I decided to move the site to another Linux server, and just did it. It took a while, but it got done. The problem is that this is a blog with a lot of pictures. The original images are stored in Alibaba Cloud OSS and served through the server as a proxy, which uses the server’s bandwidth and is therefore free; accessing OSS directly over the public network is billed by traffic. So for normal, free access the images still had to go through the Windows server, and I was afraid that if that server went down the pictures would break with it. I made a compromise: I set up load balancing on the Linux server, giving a higher weight to the link through the Windows server and a lower weight to the public-network link configured on the Linux server. Load is distributed in proportion to the weights: when all links are healthy, the higher the weight, the more requests a link gets, and when one link is down, requests go to the other. The hope was that the site and its pictures would be accessible normally, and that if the Windows server went down they would still be reachable over the public network, at the cost of traffic.

The idea was beautiful; reality was cruel. My plan still had flaws. One link will indeed hand over to the other, but from my testing, if the local access has not timed out, it jumps straight to the normal link above. If the machine can reach an address that is fine at first and then hangs, it does not switch over to the other, healthy address. It is also possible that I configured it incorrectly. On top of that, the images are cached, which makes testing difficult, and I am not sure what really happens in practice. Then another problem made me abandon this solution two days later and migrate the site back: the Linux server has only 1M of bandwidth, and web access was painfully slow.
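The image failover described in the fourth and fifth attempts, written as an added nginx example; it is not the author’s configuration, and the cause of the author’s failover problem is not confirmed on the page. The example makes two changes a practitioner would try for the symptom described (a primary that answers at first and then hangs): short proxy timeouts so a hung backend counts as a failure, and a backup server instead of a weighted mix, so the paid public OSS link carries traffic only during an outage. Addresses, hostnames and the Host header are placeholders; the fragment belongs in the http context.

```nginx
# Added example, not the author's configuration.
# Preferred path: the Windows server that proxies Alibaba Cloud OSS for free.
# Fallback: the public OSS address, billed by traffic, so it is marked
# "backup" and used only while every primary server is down.
upstream images {
    # 3 failures within 30s mark the server down for 30s.
    server 10.0.0.5:80 max_fails=3 fail_timeout=30s;     # PLACEHOLDER Windows server
    server oss-placeholder.example.com:80 backup;        # PLACEHOLDER public OSS host
}

server {
    listen 80;
    server_name img.example.com;                         # PLACEHOLDER

    location / {
        proxy_pass http://images;
        # Both backends must accept this Host value; adjust for the real setup.
        proxy_set_header Host $host;                     # ASSUMPTION

        # Without these, a backend that accepts the TCP connection and then
        # hangs holds the request for the 60s default and is never treated
        # as failed, so nginx never moves to the backup.
        proxy_connect_timeout 3s;
        proxy_read_timeout    5s;

        # Retry on the next server for connection errors, timeouts and 5xx.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;
    }
}
```

Because the images are cached by browsers and the CDN, testing the failover needs requests that bypass the cache (a fresh query string or a direct request to the nginx host); otherwise a cached copy hides whether the switch happened.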

The fifth time, I finally changed my thinking and started from the server. The server goes down because the CPU is saturated. I came across the Server Security Dog software. They offer two free products, Server Security Dog and Website Security Dog. I thought: things are already this bad, the result can hardly be worse. So I installed Server Security Dog. Its network firewall settings interface allows a lot of custom settings. I am not a professional, so this software was the only defense I could manage. Unfortunately, the other product, Website Security Dog for Windows servers, supports IIS and Apache but not nginx. To rule the problem out completely, I simply installed Apache again and installed Website Security Dog as well. From this point on the server stopped going down so often. But the site was slower than before: a page took seven or eight seconds to open, sometimes faster. Tired out by then, I did not want to dig further; I left the security policy blocking on, things settled down slowly, and I did not look into it again for a while.

The sixth time, a text message caught my attention: Youpaiyun available balance 19.37 yuan. I had been attacked, and it was a low-level attack; if it had not been for Server Security Dog my losses would have been even greater. 33W (330,000) normal requests, 367W (3.67 million) abnormal requests, and more than 200 GB of traffic charged. After this I tuned the alarm monitoring thresholds.

The seventh time: a few months had passed, the site was working, but the speed was getting ridiculous. Coming in from a Baidu search link was just about bearable, but searching within the site was not: there would be no response, and it could even trigger the interception. Every operation took at least 7-8 seconds and the experience was extremely unfriendly. After a friend mentioned it to me, I decided it was time to act. Nginx is generally faster than Apache, so the first thing I did was switch from Apache back to Nginx. Of course, that meant Website Security Dog could no longer be used and had to be uninstalled. Not sure which setting was causing the slow access, I turned many of them off. Shortly after switching back, I found the website slow again, then the Baota panel stopped responding and the CPU was at 100% once more. After a restart it returned to normal and began to slow down again after two minutes. Checking the website logs, I found many suspicious records, for example requests for wp-includes/wlwmanifest.xml and data/admin/allowurl.txt, which are typically used in scanning attacks. After shutting down Nginx and getting things back to normal, I started on countermeasures and added a rule to the site’s configuration that intercepts these requests. The various settings were then restored. The site was up and running, but its speed had not improved much.
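One way to intercept the scanning requests named above (wp-includes/wlwmanifest.xml and data/admin/allowurl.txt) before they reach PHP, written as an added nginx example rather than the author’s own rule, which the page does not reproduce. The blocked-path list, log path and FastCGI socket are assumptions; the map directive must sit in the http context, above the server block.

```nginx
# Added example, not the author's configuration.
# Classify probe paths once; $is_probe is "1" for a match, "0" otherwise.
map $request_uri $is_probe {
    default                              0;
    ~*^/wp-includes/wlwmanifest\.xml     1;   # path seen in the logs above
    ~*^/data/admin/allowurl\.txt         1;   # path seen in the logs above
}

server {
    listen 80;
    server_name example.com;                  # PLACEHOLDER

    # Keep probes in their own log so the source addresses can be reviewed
    # and fed into the CDN or firewall blacklist. With real_ip configured,
    # $remote_addr here is the visitor, not the CDN edge.
    access_log /var/log/nginx/probes.log combined if=$is_probe;   # ASSUMED path

    # 444 closes the connection with no response: no body, no redirect,
    # and no PHP worker is spent on the request.
    if ($is_probe) {
        return 444;
    }

    location ~ \.php$ {
        fastcgi_pass  unix:/run/php/php-fpm.sock;        # PLACEHOLDER socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }
}
```

Deciding with a map plus a single server-level if (which only issues return) avoids the location-level if pitfalls nginx warns about, and adding a path is one more line in the map. The separate probe log is what turns the “suspicious records” into a list of addresses that can be blocked upstream at the CDN, where the traffic is billed.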


The eighth time, I kept investigating. The server’s other site was still fast to access, which ruled out some interference. Apache was ruled out, since I had switched to nginx. This site uses a CDN, so next I ruled out the CDN: I copied the site, added a secondary domain name and mapped the site address to it. The copy without the CDN was still slow, so CDN configuration problems were ruled out. Website Security Dog had been uninstalled, so it was not the cause. Server Security Dog had been shut down, but on checking I found its services were still running in the background, so I uninstalled the service and verified again; it had nothing to do with it, and I reinstalled it and restored its settings. Before, when opening a page, the wait for TTFB (time to first byte) was very long, sometimes as much as ten seconds. I changed the database connection from localhost to 127.0.0.1. In the browser developer tools (F12) the number of requests on article pages was excessive, and most of the images were slow to load.

So I switched themes, and this time the speed improvement was immediate. It turned out the program itself was the problem: under all the interception configurations, an already slow-responding site became slower still. Also, the previous theme loaded all of an article’s images at once, whereas the new theme lazy-loads them, requesting images as you scroll down, so the page naturally opens faster. From what I observed, the theme’s thumbnail handling may be another factor; in any case the new theme is indeed much faster.

As I said at the start, I am not sure the problem is completely resolved. Access is not slow at the moment and there have been no outages from large volumes of intercepted requests, but there is no guarantee they will not happen again. Looking at the logs now and then I can still see small traces of scanning attacks, and Server Security Dog regularly reports attacks. To whoever is behind it: please, be human.