CloudFlare Business still getting knocked offline, looking for help

2015-02-22 10:09:37 +08:00
 Jack

Linode + CloudFlare Business is still getting DDoSed and the IP has been null-routed; right now I have no idea why.

CF says the traffic isn't all passing through CF, and had me change some more settings. Is there any way someone could have obtained my server's real IP through a PHP or MySQL vulnerability and bypassed CF that way?

If I use iptables to restrict the server to accept only traffic from CF's IPs, will that successfully block the attacking IPs?

Looking for answers...

15250 clicks
Node: 站长 (Webmasters)
57 replies
aveline
2015-02-22 10:10:54 +08:00
Is there a "direct" record in CF ...
oott123
2015-02-22 10:11:59 +08:00
Of course, if you have a CDN, you need to configure the origin server to accept traffic only from the CDN.
a2z
2015-02-22 10:12:10 +08:00
You didn't change the origin IP after adding the CDN, so the CDN is useless; the attacker just keeps hitting the old IP.
Restricting access to CF's IPs is also useless against DDoS, because the traffic still reaches your server; you're just choosing not to accept it.
Yamade
2015-02-22 10:13:01 +08:00
Check the logs. The DDoS must be bypassing the CDN and hitting the backend IP directly.
I'd suggest restricting it in Nginx; post the logs and we'll take a look. Traffic that passed through CloudFlare always has a recognizable pattern.
aveline
2015-02-22 10:15:18 +08:00
Your IP was exposed when sending mail; try switching to Mailgun or Sendcloud or the like? Or split the mail server out onto its own box?

Return-Path: <www-data@li***-***.members.linode.com>
Received: from li***-***.members.linode.com (li***-***.members.linode.com. [106.185.52.*])
by mx.google.com with ESMTPS id do3si16706383pbb.158.2015.02.21.18.12.13
for <huo360@xswan.net>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Sat, 21 Feb 2015 18:12:13 -0800 (PST)
Received-SPF: none (google.com: www-data@li***-***.members.linode.com does not designate permitted sender hosts) client-ip=106.185.52.*;
Received: from li***-***.members.linode.com (localhost [127.0.0.1])
by li***-***.members.linode.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id t1M2CAut010538
for <huo360@xswan.net>; Sun, 22 Feb 2015 10:12:10 +0800
Received: (from www-data@localhost)
by li***-***.members.linode.com (8.14.3/8.14.3/Submit) id t1M2CAYa010537;
Sun, 22 Feb 2015 10:12:10 +0800
Date: Sun, 22 Feb 2015 10:12:10 +0800
Message-Id: <201502220212.t1M2CAYa010537@li***-***.members.linode.com>
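The headers aveline quotes show the leak: the outermost Received: line names the Linode host and its public address in brackets, so any recipient of a password-reset or notification mail can read the origin IP. The script below is an added example (not code from the thread, Linode or Cloudflare) that walks the Received: chain of a raw message and returns every address that is not a loopback or RFC 1918 hop. The message it parses is constructed after the quoted headers: the hostname li123-45.members.linode.com and the address 198.51.100.23 (an RFC 5737 documentation range) stand in for the masked Linode host and IP.

```python
"""Find the origin-server address that an outgoing mail's Received: chain exposes.

Added example for this thread, not code from the post or from Linode/Cloudflare.
SAMPLE_MESSAGE is constructed after the headers aveline quoted: the hostname
li123-45.members.linode.com and the address 198.51.100.23 (an RFC 5737
documentation range) stand in for the masked Linode host and IP.
"""
import email
import ipaddress
import re

# MTAs write the peer address as a bracketed literal: "[203.0.113.5]" or "[IPv6:2001:db8::1]".
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Hops that tell the recipient nothing about where the mail server sits.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed message; the address and hostnames are documentation placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <www-data@li123-45.members.linode.com>
Received: from li123-45.members.linode.com (li123-45.members.linode.com. [198.51.100.23])
        by mx.google.com with ESMTPS id do3si16706383pbb.158.2015.02.21.18.12.13
        for <user@example.net>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Sat, 21 Feb 2015 18:12:13 -0800 (PST)
Received: from li123-45.members.linode.com (localhost [127.0.0.1])
        by li123-45.members.linode.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id t1M2CAut010538
        for <user@example.net>; Sun, 22 Feb 2015 10:12:10 +0800
Received: (from www-data@localhost)
        by li123-45.members.linode.com (8.14.3/8.14.3/Submit) id t1M2CAYa010537;
        Sun, 22 Feb 2015 10:12:10 +0800
Date: Sun, 22 Feb 2015 10:12:10 +0800
Message-Id: <201502220212.t1M2CAYa010537@li123-45.members.linode.com>
Subject: password reset

body
"""


def received_ips(raw_message: str) -> list:
    """All IP literals in the Received: headers, outermost (most recent) hop first."""
    msg = email.message_from_string(raw_message)
    found = []
    for value in msg.get_all("Received", []):
        found.extend(_IP_LITERAL.findall(value))
    return found


def exposed_origin_ips(raw_message: str) -> list:
    """Addresses a recipient can read straight out of the headers.

    Loopback and RFC 1918 hops are dropped; whatever remains is an address
    the CDN never hid, typically the web server that submitted the mail.
    """
    exposed = []
    for literal in received_ips(raw_message):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:  # malformed literal; skip rather than guess
            continue
        if any(addr in net for net in _LOCAL_NETS):
            continue
        if str(addr) not in exposed:
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    for ip in exposed_origin_ips(SAMPLE_MESSAGE):
        print("origin exposed in Received: chain:", ip)
```

Run it against a message your own site sent you (view the raw source in the mail client). If the result is non-empty while the site sits behind Cloudflare, every user who ever received a mail from it has the origin address, which is why moving mail to a separate host or a provider like the ones aveline names matters more than any iptables rule.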
aveline
2015-02-22 10:16:47 +08:00
Also, iptables restrictions don't really help much against DDoS ... the traffic has already reached your host by the time it gets dropped =_=
Jack
2015-02-22 10:19:00 +08:00
@a2z The IP was changed... so there's no solution then... - -
Jack
2015-02-22 10:19:51 +08:00
@Yamade I can't see anything abnormal in the logs...
Yamade
2015-02-22 10:23:02 +08:00
@Jack Post them and then we'll talk.
Jack
2015-02-22 10:23:16 +08:00
@aveline Not using any mail service... the site under attack is subhd.com...
Jack
2015-02-22 10:31:13 +08:00
PS: Is there any overseas hosting service with built-in DDoS protection and decent access speed from mainland China?! ... This is way too much hassle... I don't mind paying a bit more.
elgoog
2015-02-22 10:52:28 +08:00
Don't tell me it's subhd
oott123
2015-02-22 10:54:11 +08:00
@aveline
@a2z
Let me ask you two: is iptables really useless against DDoS?
Take the common SYN attack, for example: the traffic is at most handshake packets, right?
UDP-based attacks seem to carry quite a bit more traffic...
aiguozhedaodan
2015-02-22 11:01:40 +08:00
You should ask this on hostloc.com.
typcn
2015-02-22 11:02:05 +08:00
Did some subdomain expose the IP? Or the bare @ domain?
Most people launching DDoS attacks have no skills; they won't dig for vulnerabilities in your application, many of them don't even know how to change the Host header.
binarymann
2015-02-22 11:03:49 +08:00
@elgoog Probably... I don't get why such a good subtitle site that doesn't bother anyone would get attacked.
Jack
2015-02-22 11:08:23 +08:00
@Yamade 173.245.62.109 - - [21/Feb/2015:20:53:02 +0800] "GET /search/%E5%AE%9E%E4%B9%A0%E5%8C%BB%E7%94%9F%E6%A0%BC%E8%95%BE HTTP/1.1" 200 7030 "http://subhd.com/search/%E5%AE%9E%E4%B9%A0%E5%8C%BB%E7%94%9F%E6%A0%BC%E8%95%BE" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
199.27.133.22 - - [21/Feb/2015:20:53:02 +0800] "GET /search/%e6%9e%97%e6%ad%a3%e8%8b%b1/ HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Sicent)"
173.245.48.137 - - [21/Feb/2015:20:53:02 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
199.27.128.230 - - [21/Feb/2015:20:53:03 +0800] "GET /search/Nightcrawler HTTP/1.1" 200 7215 "http://subhd.com/search/Nightcrawler" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
141.101.85.52 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
173.245.62.76 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/poster/s/p2221541233.jpg HTTP/1.1" 304 0 "http://subhd.com/subs" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
173.245.48.81 - - [21/Feb/2015:20:53:03 +0800] "GET /search/%e7%8b%bc%e5%9b%be%e8%85%be/ HTTP/1.1" 200 3462 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)"
173.245.62.189 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/shooter/9/%5B%E6%8E%A2%E7%B4%A2%E9%A2%91%E9%81%93.%E5%AE%87%E5%AE%99%E7%9A%84%E5%BD%A2%E6%88%90.%E7%AC%AC%E4%B8%80%E5%AD%A3%5D.Discovery.Ch.How.the.Universe.Works.Season%208%E9%9B%86%E5%85%A8%20%E4%B8%AD%E8%8B%B1%E6%96%87%E5%AD%97%E5%B9%95.rar HTTP/1.1" 206 8192 "http://subhd.com/a/221104" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
108.162.222.225 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/poster/s/p2201863327.jpg HTTP/1.1" 200 6053 "http://subhd.com/subs" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
199.27.128.220 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4448 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
173.245.48.125 - - [21/Feb/2015:20:53:03 +0800] "GET /www/js/subhd.min.js HTTP/1.1" 304 0 "http://subhd.com/search/Nightcrawler" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
108.162.222.222 - - [21/Feb/2015:20:53:03 +0800] "GET /subs HTTP/1.1" 200 7316 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
173.245.62.189 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/shooter/9/%5B%E6%8E%A2%E7%B4%A2%E9%A2%91%E9%81%93.%E5%AE%87%E5%AE%99%E7%9A%84%E5%BD%A2%E6%88%90.%E7%AC%AC%E4%B8%80%E5%AD%A3%5D.Discovery.Ch.How.the.Universe.Works.Season%208%E9%9B%86%E5%85%A8%20%E4%B8%AD%E8%8B%B1%E6%96%87%E5%AD%97%E5%B9%95.rar HTTP/1.1" 206 12288 "http://subhd.com/a/221104" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
173.245.62.151 - - [21/Feb/2015:20:53:03 +0800] "GET /www/js/subhd.min.js HTTP/1.1" 304 0 "http://subhd.com/subs" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
173.245.48.80 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
173.245.48.137 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
199.27.133.28 - - [21/Feb/2015:20:53:03 +0800] "GET /search/%e6%9e%97%e6%ad%a3%e8%8b%b1/ HTTP/1.1" 200 4662 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Sicent)"
108.162.215.131 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 718; .NET CLR 2.0.50727; AskTbAVR-IDW/5.15.2.23268; youxihe.1647)"
108.162.222.141 - - [21/Feb/2015:20:53:03 +0800] "GET /d/6533054 HTTP/1.1" 200 3933 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
173.245.62.121 - - [21/Feb/2015:20:53:03 +0800] "GET /subs HTTP/1.1" 200 7202 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
Jack
2015-02-22 11:25:25 +08:00
@typcn That's exactly what I want to know... but there's no solution for now...
cnbeining
2015-02-22 11:38:55 +08:00
1. Linode doesn't withstand DDoS. Go to OVH first.

2. Change to a different IP range and get out of there.

3. Close every direct access path. It's usually things like email that leak. Pull those out, switch them to other services, or put them on a different machine.

4. Once you're sure your main IP isn't exposed, go to CF and turn security up to the highest level.

5. Configure nginx to accept only CF's IP ranges, to defeat the IP-scanning approach.

Your defense is cheaper than his attack; just wait it out.
Yamade
2015-02-22 11:50:29 +08:00
@Jack The log you posted shows only normal access IPs; they all come from CloudFlare. Can you post the log lines for the access that bypassed CloudFlare?
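Yamade's request and cnbeining's point 5 are two halves of the same check: split the origin's access log into requests that arrived from a Cloudflare edge and requests that reached the origin directly, then make the origin refuse the latter. The script below is an added example (not code from the thread or from Cloudflare) that does both. CLOUDFLARE_V4 is a snapshot of the IPv4 ranges Cloudflare published around early 2015 (199.27.128.0/21 has since been retired), so fetch the current list from https://www.cloudflare.com/ips-v4 before relying on it. SAMPLE_LOG is constructed in the same nginx combined format as Jack's excerpt; the edge addresses are taken from that excerpt and 203.0.113.7 (RFC 5737) stands in for a client that bypassed the CDN.

```python
"""Tell Cloudflare-proxied requests apart from requests that hit the origin
directly, and print the nginx allow-list cnbeining suggests in point 5.

Added example for this thread, not code from the post or from Cloudflare.
CLOUDFLARE_V4 is a snapshot of the IPv4 ranges Cloudflare published around
early 2015 (199.27.128.0/21 has since been retired); fetch the current list
from https://www.cloudflare.com/ips-v4 before relying on it. SAMPLE_LOG is
constructed in the same nginx combined format as Jack's excerpt; the edge
addresses come from that excerpt and 203.0.113.7 (RFC 5737) stands in for a
client that bypassed the CDN.
"""
import ipaddress
import re

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13",
    "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "199.27.128.0/21",
)]

# Fields of nginx's "combined" format used here: client address, timestamp, request line.
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

# Constructed sample; 203.0.113.7 is a documentation address, not a real attacker.
SAMPLE_LOG = """\
173.245.62.109 - - [21/Feb/2015:20:53:02 +0800] "GET /search/Nightcrawler HTTP/1.1" 200 7215 "-" "Mozilla/5.0"
199.27.133.22 - - [21/Feb/2015:20:53:02 +0800] "GET /subs HTTP/1.1" 200 7316 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Feb/2015:20:53:02 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/4.0"
141.101.85.52 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/5.0"
108.162.222.225 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/poster/s/p2201863327.jpg HTTP/1.1" 200 6053 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/4.0"
"""


def is_cloudflare(ip: str) -> bool:
    """True if the address belongs to one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def direct_hits(log_text: str) -> list:
    """(client, timestamp, request) for every line whose client is not a Cloudflare edge.

    With the proxy in front, these are the only lines that can belong to the
    attack traffic the thread is about; everything else arrived via Cloudflare.
    """
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        client, stamp, request = m.groups()
        if not is_cloudflare(client):
            hits.append((client, stamp, request))
    return hits


def bypass_summary(log_text: str) -> list:
    """(client, count) pairs for direct hits, busiest source first."""
    counts = {}
    for client, _, _ in direct_hits(log_text):
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def nginx_allow_list() -> str:
    """nginx access rules that serve only Cloudflare's edges and refuse everyone else.

    Caveat: ngx_http_realip_module with CF-Connecting-IP rewrites $remote_addr
    to the visitor's address early in request processing, so allow/deny in the
    same scope would then test the visitor rather than the edge and deny
    everybody. On nginx 1.9.7+ check $realip_remote_addr (via a geo map) when
    both are needed in one server block.
    """
    rules = [f"allow {net};" for net in CLOUDFLARE_V4]
    rules.append("deny all;")
    return "\n".join(rules)


if __name__ == "__main__":
    for client, count in bypass_summary(SAMPLE_LOG):
        print(f"{count:6d} direct hits from {client}")
    print(nginx_allow_list())
```

Run `direct_hits` over the origin's full access log rather than a one-second slice: if it comes back empty while the host is still being null-routed, the flood is not HTTP at all and nothing in the web tier will show it. The allow-list only stops scanners and HTTP floods from being served; as a2z and aveline say, volumetric traffic still saturates the link before any nginx or iptables rule runs, which is why a fresh, never-exposed IP comes first on cnbeining's list.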

https://www.v2ex.com/t/172131