Is my website under a DDOS attack?

Recently I noticed that the CPU load on my server was rising rapidly. On a normal day the CPU load never reaches 2.5. I have the following server:

Intel® Xeon® E3-1270 v2 Single Processor - Quad Core Dedicated Server
CPU Speed: 4 x 3.5 Ghz w/ 8MB Smart Cache
Motherboard: SuperMicro X9SCM-F
Total Cores: 4 Cores + 8 Threads
RAM: 32 GB DDR3 1333 ECC
Hard Drive: 120GB
Smart Cache: 8MB

When the server reached 4.5, I immediately logged in via ssh and issued the command netstat -na |grep :80 |wc -l to see how many connections I had. To my surprise, it was over 950 connections.

When I looked at the IP addresses with the command netstat -na |grep :80, I found that the IP 210.4.99.44 was consuming more than 600 connections.

When I looked at access.log, I found the following for this IP address:

210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /java/4552/sites/all/modules/ctools/css/ctools.css HTTP/1.0" 200 59506 "http://www.mysite.com/java/4552/site$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /forums/programming/c/sites/all/themes/arras/custom.css HTTP/1.0" 404 24875 "http://www.mysite.com/forums/pr$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /comment/reply/3673/21593/misc/drupal.js HTTP/1.0" 200 32289 "http://www.mysite.com/comment/reply/3673/21593$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /forums/programming/c/sites/all/themes/arras/arras.css HTTP/1.0" 404 25012 "http://www.mysite.com/forums/pro$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /forums/programming/c/sites/all/themes/arras/arras-blue.css HTTP/1.0" 404 24921 "http://www.mysite.com/forum$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /comment/reply/3673/21593/modules/system/system.messages.css HTTP/1.0" 200 32507 "http://www.mysite.com/comm$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /comment/reply/3673/21593/modules/system/system.theme.css HTTP/1.0" 200 32691 "http://www.mysite.com/comment$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /comment/reply/3673/21593/modules/user/user.css HTTP/1.0" 200 32378 "http://www.mysite.com/comment/reply/367$
210.4.99.44 - - [06/Jul/2013:10:59:23 +0800] "GET /comment/reply/3673/21593/misc/jquery.once.js HTTP/1.0" 200 32586 "http://www.mysite.com/comment/reply/3673/$
210.4.99.44 - - [06/Jul/2013:10:59:24 +0800] "GET /comment/reply/3673/21593/misc/textarea.js HTTP/1.0" 200 32543 "http://www.mysite.com/comment/reply/3673/215$
210.4.99.44 - - [06/Jul/2013:10:59:24 +0800] "GET /forums/programming/c/sites/all/modules/views/css/views.css HTTP/1.0" 404 24931 "http://www.mysite.com/forum$
210.4.99.44 - - [06/Jul/2013:10:59:24 +0800] "GET /comment/reply/3673/21593/misc/jquery.js HTTP/1.0" 200 32424 "http://www.mysite.com/comment/reply/3673/21593$
210.4.99.44 - - [06/Jul/2013:10:59:24 +0800] "GET /comment/reply/3673/21593/modules/comment/comment.css HTTP/1.0" 200 32556 "http://www.mysite.com/comment/rep$
210.4.99.44 - - [06/Jul/2013:10:59:24 +0800] "GET /forums/programming/c/sites/all/modules/video_filter/video_filter.css HTTP/1.0" 404 24868 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:24 +0800] "GET /comment/reply/3673/21593/modules/system/system.base.css HTTP/1.0" 200 32663 "http://www.mysite.com/comment/$
210.4.99.44 - - [06/Jul/2013:10:59:29 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/ie6.css HTTP/1.0" 404 24973 "http://www.mysite.co$
210.4.99.44 - - [06/Jul/2013:10:59:29 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/arras-blue.css HTTP/1.0" 404 24048 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:29 +0800] "GET /forums/programming/c/c/sites/all/modules/ctools/css/ctools.css HTTP/1.0" 404 24945 "http://www.mysite.com/f$
210.4.99.44 - - [06/Jul/2013:10:59:29 +0800] "GET /forums/programming/visual-basic-60/sites/all/modules/video_filter/video_filter.css HTTP/1.0" 404 25067 "http://www.$
210.4.99.44 - - [06/Jul/2013:10:59:33 +0800] "GET /sites/default/files/download/donk90/file1.zip HTTP/1.0" 200 133016 "http://www.mysite.com/sites/default/fi$
210.4.99.44 - - [06/Jul/2013:10:59:34 +0800] "GET /forums/programming/c/c/misc/jquery.js HTTP/1.0" 404 24918 "http://www.mysite.com/forums/programming/c/c/mis$
210.4.99.44 - - [06/Jul/2013:10:59:34 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/suckerfish.css HTTP/1.0" 404 25088 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:34 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/custom.css HTTP/1.0" 404 24853 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:34 +0800] "GET /forums/programming/c/c/misc/drupal.js HTTP/1.0" 404 25001 "http://www.mysite.com/forums/programming/c/c/mis$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/html-elements.css HTTP/1.0" 404 24943 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/user/user.css HTTP/1.0" 404 25182 "http://www.mysite.com/forums/$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/arras.css HTTP/1.0" 404 24962 "http://www.mysite.$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/sites/all/themes/arras/geshifilter-languages.css HTTP/1.0" 404 24957 "http://www$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/public:/geshi/geshifilter-languages.css HTTP/1.0" 404 24855 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/sites/all/modules/geshifilter/geshifilter.css HTTP/1.0" 404 25081 "http://www.so$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/system/system.base.css HTTP/1.0" 404 24883 "http://www.mysite.co$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/system/system.menus.css HTTP/1.0" 404 25044 "http://www.mysite.c$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/sites/all/modules/views/css/views.css HTTP/1.0" 404 24914 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/field/theme/field.css HTTP/1.0" 404 24926 "http://www.mysite.com$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/system/system.messages.css HTTP/1.0" 404 24976 "http://www.mysiteste$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/sites/all/modules/ctools/css/ctools.css HTTP/1.0" 404 24960 "http://www.mysite$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/system/system.theme.css HTTP/1.0" 404 25088 "http://www.mysite.c$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/book/book.css HTTP/1.0" 404 24941 "http://www.mysite.com/forums/$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/forum/forum.css HTTP/1.0" 404 24989 "http://www.mysite.com/forum$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/misc/jquery.once.js HTTP/1.0" 404 24950 "http://www.mysite.com/forums/pr$
210.4.99.44 - - [06/Jul/2013:10:59:35 +0800] "GET /forums/programming/visual-basic-60/modules/node/node.css HTTP/1.0" 404 24970 "http://www.mysite.com/forums/$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /forums/programming/visual-basic-60/modules/poll/poll.css HTTP/1.0" 404 25049 "http://www.mysite.com/forums/$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /forums/programming/visual-basic-60/misc/drupal.js HTTP/1.0" 404 24885 "http://www.mysite.com/forums/program$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /users/jvidals/sites/all/themes/arras/ie6.css HTTP/1.0" 404 24955 "http://www.mysite.com/users/jvidals/sites$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /forums/programming/visual-basic-60/modules/comment/comment.css HTTP/1.0" 404 24889 "http://www.mysite.com/f$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /forums/programming/visual-basic-60/misc/jquery.js HTTP/1.0" 404 24928 "http://www.mysite.com/forums/program$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /users/jvidals/sites/all/themes/arras/suckerfish.js HTTP/1.0" 404 24915 "http://www.mysite.com/users/jvidals$
210.4.99.44 - - [06/Jul/2013:10:59:36 +0800] "GET /users/jvidals/sites/all/themes/arras/suckerfish.css HTTP/1.0" 404 24946 "http://www.mysite.com/users/jvidal$
210.4.99.44 - - [06/Jul/2013:10:59:38 +0800] "GET /sites/default/files/download/VincentProgrammer/phonebook.zip HTTP/1.0" 200 46500 "http://www.mysite.com/sit$
210.4.99.44 - - [06/Jul/2013:10:59:47 +0800] "GET /java/4552/misc/jquery.js HTTP/1.0" 200 45624 "http://www.mysite.com/java/4552/misc" "WE 9.50"
210.4.99.44 - - [06/Jul/2013:10:59:53 +0800] "GET /tutorials/php/php-tutorial.html HTTP/1.0" 200 45632 "http://www.mysite.com/comment/reply/3673/sites/all/the$
210.4.99.44 - - [06/Jul/2013:10:59:54 +0800] "GET /tutorials/php/php-tutorial.html HTTP/1.0" 200 45640 "http://www.mysite.com/comment/reply/3673/sites/all/mod$
210.4.99.44 - - [06/Jul/2013:10:59:58 +0800] "GET /tutorials/php/php-tutorial.html HTTP/1.0" 200 45640 "http://www.mysite.com/comment/reply/3673/modules/field$
210.4.99.44 - - [06/Jul/2013:11:00:26 +0800] "GET /sites/default/files/download/user/voting_system.zip HTTP/1.0" 200 1227639 "http://www.mysite$

Note that these are only a few sample pages that this IP address visited.

I quickly blocked that IP address with iptables, and the CPU load soon dropped to 0.8...

Is this some form of DDOS attack?

I thought DDOS attacks came from different IP addresses, but what actually happened involved only one IP address. I also thought a DDOS attack just sent packets using the ping command. But my server logs show that this IP address was opening web pages on my site (just like a normal visitor), not pinging my server.

This IP address kept sending requests for nearly two hours until I blocked it.

So what kind of attack is this? What tool are they using? I think it is the "ab" benchmarking tool. But I have not tried it, so I cannot be sure that is what they used.

By the way, after blocking this IP address the connection count dropped to around 280. So I believe this IP really was attacking my server.

Any help would be appreciated.

Answer 1

I wouldn't worry about this. It looks like a crawler that decided to come by; they often hit pages in quick succession - and from the look of it, your site has a large number of stylesheets. I would strongly recommend some form of caching (Varnish, an nginx front end, a CDN if needed) to take the load off Apache.

Answer 2

First of all, it is not DDOS without the "distributed" (multiple IPs) part. Since it did cause you a problem, you can correctly call it a DOS attack.

But on the face of it, it was not deliberately trying to deny service. It looks more like a crawler. (We can tell because the URLs are not random; they appear to be in "follow every link on the page" mode.) The crawler was simply too fast, which is easy to do. For example, try "wget in crawl mode".

Adding a caching layer will NOT help against crawlers (unless your site is very small and fits entirely in the cache). A better fix is to run mod_evasive - that will at least force the crawler to slow down. Evading a real (D)DOS attack is complicated, but this is not a "real" attack.

But let's look at those logs more closely:

"GET /.../file1.zip HTTP/1.0" 200
"GET /../jquery.js HTTP/1.0" 404
"GET /../suckerfish.css HTTP/1.0" 404
"GET /../custom.css HTTP/1.0" 404
"GET /../drupal.js HTTP/1.0" 404

Your pages seem to contain a lot of broken links. That increased his hit count (since he followed every link). Also, do you really need the links to zip files? Generating them can be expensive. Consider trying to keep bots away from your site (or from the zip files) via robots.txt. Posting a crawling policy on your site (and/or offering a data dump directly) may also help!

Pro tip: If your pages are generated by a script (i.e. mod_php or mod_perl), then you are using Apache as an application server. Every time you have to serve a static request, you waste a few hundred MB of RAM. Move your images/javascript/css to a different web server with a smaller footprint. One way is to set up a second Apache with no modules configured, or to configure nginx in reverse-proxy mode. But the simpler way is to use a CDN such as S3 or CloudFront. That way your app server is not involved in "static" requests at all, and the page loads faster because the static elements can be downloaded in parallel with the dynamic ones.
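As an added example (not code from the question or either answer), here is a small access.log triage script that turns the checks above into something repeatable: it parses the Apache combined format shown in the question, computes each client's peak requests per second and share of 404s, and flags clients that behave like the crawler in the question as candidates for mod_evasive or a rate limit. The sample lines are constructed in the question's format with the truncated referer and user-agent fields completed; the 192.0.2.10 client is an invented "normal" visitor.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format, as in the question's access.log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def per_ip_stats(lines):
    """Requests, peak requests within any one second, and 404 share per client IP."""
    per_sec = defaultdict(Counter)          # ip -> Counter(timestamp -> requests)
    total, not_found = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                         # unparseable line: skip, do not crash
        ip = rec["ip"]
        total[ip] += 1
        per_sec[ip][rec["ts"]] += 1          # log timestamps have one-second resolution
        if rec["status"] == 404:
            not_found[ip] += 1
    return {ip: {"requests": total[ip],
                 "peak_per_second": max(per_sec[ip].values()),
                 "not_found_ratio": not_found[ip] / total[ip]} for ip in total}

def suspects(stats, peak_threshold=5, not_found_threshold=0.5):
    """IPs bursting faster than a human or hitting mostly broken links: rate-limit candidates."""
    return sorted(ip for ip, s in stats.items()
                  if s["peak_per_second"] >= peak_threshold
                  or s["not_found_ratio"] >= not_found_threshold)

def _line(ip, ts, path, status):  # builds a constructed sample line in the question's format
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} 24900 "http://www.mysite.com/" "Mozilla/5.0"'

SAMPLE = [_line("210.4.99.44", "06/Jul/2013:10:59:35 +0800", p, 404) for p in (
    "/forums/vb6/misc/jquery.js", "/forums/vb6/misc/drupal.js",
    "/forums/vb6/modules/user/user.css", "/forums/vb6/modules/node/node.css")]
SAMPLE += [_line("210.4.99.44", "06/Jul/2013:10:59:35 +0800", "/tutorials/php/php-tutorial.html", 200),
           _line("210.4.99.44", "06/Jul/2013:10:59:36 +0800", "/forums/vb6/misc/jquery.once.js", 404),
           _line("192.0.2.10", "06/Jul/2013:10:59:40 +0800", "/tutorials/php/php-tutorial.html", 200),
           _line("192.0.2.10", "06/Jul/2013:10:59:55 +0800", "/misc/jquery.js", 200)]
```

Run it against a real log with per_ip_stats(open("access.log")) and adjust the thresholds to your own traffic; a high 404 share with no burst usually points at broken links on your own pages rather than at the client.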
