CloudFlare Business 依旧被搞瘫痪求助

2015-02-22 10:09:37 +08:00
 Jack

Linode + CloudFlare Business依旧被DDoS攻击导致IP被挂空了,现在不知道是为什么。

CF说流量并没有全部从CF通过,又让我做了些设置,有什么可能性通过PHP或者MYSQL漏洞得到了我的服务器的真实IP而绕过了CF吗?

如果我通过iptables限制服务器只允许来自CF的IP访问,这样能成功block掉攻击IP吗?

求解。。。。

15381 次点击
所在节点    站长
57 条回复
aveline
2015-02-22 10:10:54 +08:00
CF 里面是不是有条 direct 的记录 ...
oott123
2015-02-22 10:11:59 +08:00
当然,如果你有 CDN ,你需要在源服务器上配置只接受来自 CDN 的流量。
a2z
2015-02-22 10:12:10 +08:00
你加上cdn之后没有换源ip,这样cdn根本没有用,对方还按照旧的ip打。
限制只允许cf的ip访问对于ddos来说也没有用,因为流量还是到达了你的服务器,只是你自己选择不接受而已。
Yamade
2015-02-22 10:13:01 +08:00
看下日志.应该是DDOS绕过了CDN,直接到了后端IP.
建议Nginx限制下,贴上日志看下.染过CloudFlare一定有规则.
aveline
2015-02-22 10:15:18 +08:00
发邮件的时候暴露了 IP,换用 Mailgun 或者 Sendcloud 什么的试试?或者把邮件服务器单独出来?

Return-Path: <www-data@li***-***.members.linode.com>
Received: from li***-***.members.linode.com (li***-***.members.linode.com. [106.185.52.*])
by mx.google.com with ESMTPS id do3si16706383pbb.158.2015.02.21.18.12.13
for <huo360@xswan.net>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Sat, 21 Feb 2015 18:12:13 -0800 (PST)
Received-SPF: none (google.com: www-data@li***-***.members.linode.com does not designate permitted sender hosts) client-ip=106.185.52.*;
Received: from li***-***.members.linode.com (localhost [127.0.0.1])
by li***-***.members.linode.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id t1M2CAut010538
for <huo360@xswan.net>; Sun, 22 Feb 2015 10:12:10 +0800
Received: (from www-data@localhost)
by li***-***.members.linode.com (8.14.3/8.14.3/Submit) id t1M2CAYa010537;
Sun, 22 Feb 2015 10:12:10 +0800
Date: Sun, 22 Feb 2015 10:12:10 +0800
Message-Id: <201502220212.t1M2CAYa010537@li***-***.members.linode.com>
aveline
2015-02-22 10:16:47 +08:00
另外 DDoS 在 iptables 限制其实没多大用 ... 流量都已经到你主机了才 drop =_=
Jack
2015-02-22 10:19:00 +08:00
@a2z IP换过了。。。那就无解了么。。。 - -
Jack
2015-02-22 10:19:51 +08:00
@Yamade 日志看不出来异常。。
Yamade
2015-02-22 10:23:02 +08:00
@Jack 贴出来在说.
Jack
2015-02-22 10:23:16 +08:00
@aveline 没有用邮件服务。。。被攻击的网站是subhd.com。。。
Jack
2015-02-22 10:31:13 +08:00
PS:有没有自带防御的大陆访问速度还不错的国外主机服务呢?!。。这么搞实在太麻烦了。。。贵点也没关系
elgoog
2015-02-22 10:52:28 +08:00
不会是subhd吧
oott123
2015-02-22 10:54:11 +08:00
@aveline
@a2z
请教两位,iptables 对 DDoS 的防御作用真的没用嘛?
比如常见的 syn 攻击,流量最多也就是握手包吧?
似乎 udp 协议的攻击流量会大一些…
aiguozhedaodan
2015-02-22 11:01:40 +08:00
这你应该去hostloc.com问
typcn
2015-02-22 11:02:05 +08:00
是不是哪个子域名暴漏的 IP ?或者是 @ 裸域?
DDoS 攻击的大多数都是没有技术的,不会去挖掘你的程序漏洞的,甚至他们连修改 host header 都不会。
binarymann
2015-02-22 11:03:49 +08:00
@elgoog 估计是...搞不明白为什么这么好一个字幕站不找谁不惹谁会被攻击呢?
Jack
2015-02-22 11:08:23 +08:00
@Yamade 173.245.62.109 - - [21/Feb/2015:20:53:02 +0800] "GET /search/%E5%AE%9E%E4%B9%A0%E5%8C%BB%E7%94%9F%E6%A0%BC%E8%95%BE HTTP/1.1" 200 7030 "http://subhd.com/search/%E5%AE%9E%E4%B9%A0%E5%8C%BB%E7%94%9F%E6%A0%BC%E8%95%BE" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
199.27.133.22 - - [21/Feb/2015:20:53:02 +0800] "GET /search/%e6%9e%97%e6%ad%a3%e8%8b%b1/ HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Sicent)"
173.245.48.137 - - [21/Feb/2015:20:53:02 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
199.27.128.230 - - [21/Feb/2015:20:53:03 +0800] "GET /search/Nightcrawler HTTP/1.1" 200 7215 "http://subhd.com/search/Nightcrawler" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
141.101.85.52 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
173.245.62.76 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/poster/s/p2221541233.jpg HTTP/1.1" 304 0 "http://subhd.com/subs" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
173.245.48.81 - - [21/Feb/2015:20:53:03 +0800] "GET /search/%e7%8b%bc%e5%9b%be%e8%85%be/ HTTP/1.1" 200 3462 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)"
173.245.62.189 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/shooter/9/%5B%E6%8E%A2%E7%B4%A2%E9%A2%91%E9%81%93.%E5%AE%87%E5%AE%99%E7%9A%84%E5%BD%A2%E6%88%90.%E7%AC%AC%E4%B8%80%E5%AD%A3%5D.Discovery.Ch.How.the.Universe.Works.Season%208%E9%9B%86%E5%85%A8%20%E4%B8%AD%E8%8B%B1%E6%96%87%E5%AD%97%E5%B9%95.rar HTTP/1.1" 206 8192 "http://subhd.com/a/221104" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
108.162.222.225 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/poster/s/p2201863327.jpg HTTP/1.1" 200 6053 "http://subhd.com/subs" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
199.27.128.220 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4448 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
173.245.48.125 - - [21/Feb/2015:20:53:03 +0800] "GET /www/js/subhd.min.js HTTP/1.1" 304 0 "http://subhd.com/search/Nightcrawler" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
108.162.222.222 - - [21/Feb/2015:20:53:03 +0800] "GET /subs HTTP/1.1" 200 7316 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
173.245.62.189 - - [21/Feb/2015:20:53:03 +0800] "GET /sub/shooter/9/%5B%E6%8E%A2%E7%B4%A2%E9%A2%91%E9%81%93.%E5%AE%87%E5%AE%99%E7%9A%84%E5%BD%A2%E6%88%90.%E7%AC%AC%E4%B8%80%E5%AD%A3%5D.Discovery.Ch.How.the.Universe.Works.Season%208%E9%9B%86%E5%85%A8%20%E4%B8%AD%E8%8B%B1%E6%96%87%E5%AD%97%E5%B9%95.rar HTTP/1.1" 206 12288 "http://subhd.com/a/221104" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"
173.245.62.151 - - [21/Feb/2015:20:53:03 +0800] "GET /www/js/subhd.min.js HTTP/1.1" 304 0 "http://subhd.com/subs" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
173.245.48.80 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4322 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
173.245.48.137 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
199.27.133.28 - - [21/Feb/2015:20:53:03 +0800] "GET /search/%e6%9e%97%e6%ad%a3%e8%8b%b1/ HTTP/1.1" 200 4662 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Sicent)"
108.162.215.131 - - [21/Feb/2015:20:53:03 +0800] "GET / HTTP/1.1" 200 4352 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 718; .NET CLR 2.0.50727; AskTbAVR-IDW/5.15.2.23268; youxihe.1647)"
108.162.222.141 - - [21/Feb/2015:20:53:03 +0800] "GET /d/6533054 HTTP/1.1" 200 3933 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
173.245.62.121 - - [21/Feb/2015:20:53:03 +0800] "GET /subs HTTP/1.1" 200 7202 "http://subhd.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
Jack
2015-02-22 11:25:25 +08:00
@typcn 我就想知道啊。。 但是目前无解。。。
cnbeining
2015-02-22 11:38:55 +08:00
1. Linode不抗D。去找OVH先。

2. 换IP Range,飞走。

3. 关闭一切的直接访问途径。一般泄露的是邮件等地方。把他们拎出去,换其他服务,或者换别的机器。

4. 确定你的主IP不暴露后,去CF把安全调到最高吧。

5. nginx设置下,只接受CF的IP段,避免扫描大法。

你的防御比他的攻击便宜,等等就是了。
Yamade
2015-02-22 11:50:29 +08:00
@Jack 你给的日志看都是正常的访问IP,这些IP来自 CloudFlare. 能不能贴下绕过 CloudFlare 的访问IP日志.

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/172131

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX