Simple commands for spotting a CC (HTTP-flood) attack on a Linux host


CC attacks are easy to launch and cost almost nothing, which is why there are more and more of them. 
Most people running CC attacks use tools downloaded from the Internet; those tools rarely bother to forge their characteristics, so they leave traces behind. 
The commands below let you check whether you are being hit by a CC attack. 
 
 
First command: 
tcpdump -s0 -A -n -i any | grep -o -E '(GET|POST|HEAD) .*' 
 
 
Normal output looks something like this: 
 
POST /ajax/validator.PHP HTTP/1.1 
POST /api_redirect.php HTTP/1.1 
GET /team/57085.html HTTP/1.1 
POST /order/pay.php HTTP/1.1 
GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1 
GET /static/theme/qq/css/index.css HTTP/1.1 
GET /static/js/index.js HTTP/1.1 
GET /static/js/customize.js HTTP/1.1 
GET /ajax/loginjs.php?type=topbar& HTTP/1.1 
GET /static/js/jQuery.js HTTP/1.1 
GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1 
GET /static/theme/qq/css/index.css HTTP/1.1 
GET /static/js/lazyload/jquery.lazyload.min.js HTTP/1.1 
GET /static/js/MSIE.PNG.js HTTP/1.1 
GET /static/js/index.js HTTP/1.1 
GET /static/js/customize.js HTTP/1.1 
GET /ajax/loginjs.php?type=topbar& HTTP/1.1 
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1 
GET /static/theme/qq/css/i/logos.png HTTP/1.1 
GET /static/theme/qq/css/i/hot.gif HTTP/1.1 
GET /static/theme/qq/css/i/brand.gif HTTP/1.1 
GET /static/theme/qq/css/i/new.gif HTTP/1.1 
GET /static/js/jquery.js HTTP/1.1 
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1 
In normal traffic the output is dominated by static files: CSS, JS and images of all kinds. 
If you are under attack you will see a large number of requests for one fixed address. If the home page is the target, for example, there will be a flood of "GET / HTTP/1.1"; or the addresses will share a recognisable pattern, for example if the target is a Discuz forum you may see a flood of addresses like "/thread-<random number>-1-1.html". 
 
 
Second command: 
tcpdump -s0 -A -n -i any | grep ^User-Agent 
 
The output looks something like this: 
 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space) 
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2) 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
 
 
This shows the clients' User-Agent. In normal traffic you see all sorts of different User-Agents. 
Most attacks use a fixed User-Agent, so you will see the same User-Agent scrolling past over and over. I have only seen a randomised User-Agent once, and it had been mangled into something like "axd5m8usy", so it could still be told apart. 
 
 
Third command: 
tcpdump -s0 -A -n -i any | grep ^Host 
 
If the machine hosts many sites, the command above finds out which site is receiving the flood of requests. 
The output looks something like this: 
 
Host: www.server110.com 
Host: www.server110.com 
Host: www.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: www.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: www.server110.com 
Host: www.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: www.server110.com 
Host: upload.server110.com 
Host: upload.server110.com 
Host: www.server110.com 
 
 
tcpdump is usually not installed by default. 
CentOS: yum install -y tcpdump 
Debian/Ubuntu: apt-get install -y tcpdump 
 
Many novice users do not know how to set up or read logs; the commands above are much simpler: paste them into the command line and run them. 
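Each of the three filters above prints a raw stream that you eyeball for repetition. As an added example (not from the original post), the script below feeds the same grep patterns through sort and uniq so the repetition becomes a frequency table, and flags when one request line or User-Agent dominates. The constructed SAMPLE, the example.com host names and the 50 percent threshold are assumptions; against live traffic the printf is replaced by the tcpdump command from the post.

```shell
#!/bin/sh
# Added example (not from the original post): aggregate the output of the
# three tcpdump filters above into frequency tables, so a flood shows up as
# one value dominating. A constructed sample stands in for live traffic.

# Count how often each distinct match of pattern $1 appears, most frequent
# first. The patterns are the same ones the post feeds to grep.
top_values() {
    grep -o -E "$1" | sort | uniq -c | sort -rn
}

# Read the output of top_values and print SUSPICIOUS when the single most
# frequent value makes up at least $1 percent of all matches, else ok.
concentration() {
    awk -v limit="$1" '
        { total += $1; if (NR == 1) top = $1 }
        END {
            if (total == 0) { print "no-data"; exit }
            if (100 * top / total >= limit) print "SUSPICIOUS"; else print "ok"
        }'
}
# Constructed sample (assumed host names): repeated "GET /" from one fixed
# User-Agent, the pattern the post describes, plus two ordinary requests.
SAMPLE='GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
GET /static/js/index.js HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
GET /static/theme/qq/css/index.css HTTP/1.1
Host: upload.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'

# Top entries plus verdict for one field; against live traffic, replace the
# printf with: tcpdump -s0 -A -n -i any
report() {
    echo "== $2 =="
    printf '%s\n' "$SAMPLE" | top_values "$1" | head -5
    printf '%s\n' "$SAMPLE" | top_values "$1" | concentration 50
}
report '(GET|POST|HEAD) .*' 'request lines'
report '^User-Agent: .*'    'user agents'
report '^Host: .*'          'hosts'
```

These greps only see plaintext HTTP, so on a site that terminates TLS they have to run behind the terminator, or the web server's access log should be counted the same way.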
 
 