Methods to prevent PHPDDOS packets from attacking others

  • 2020-05-06 12:02:53
  • OfStack

Here is how to prevent a PHP DDoS script from sending packets.
 
if (eregi("ddos-udp",$read)) { 
fputs($verbinden,"privmsg $Channel :ddos-udp  �  started udp flood  �  $read2[4]\n\n"); 
$fp = fsockopen("udp://$read2[4]", 500, $errno, $errstr, 30); 
if (!$fp) 
{ 
$fp = fsockopen("udp://$read2[4]", 500, $errno, $errstr, 30); 

Because the script uses the fsockopen() function to make outbound requests, PHP must not be allowed to make such requests.

In php.ini, set
allow_url_fopen = Off
If the script can still send packets after that, change

extension=php_sockets.dll
to
;extension=php_sockets.dll

Restart Apache, IIS, or Nginx.

This prevents the PHP DDoS script from sending packets.

's penalty policy for this type of attack is

Further violations will proceed with these following actions:

We will allow 24 hours hours
the problem
The second time is to immediately format the server

3rd violation-Cancellation with no refund. The third time is to cancel the service without giving a refund

A brief description of this problem:

Symptoms: as soon as IIS is started, the server's outbound bandwidth is used up; that is, the server is constantly sending packets to other hosts. This is different from being the target of a DDoS attack, where the server constantly receives a large number of packets.

Solution:

Stop IIS first, so that the server temporarily cannot attack other hosts, and then

disable the functions used by the code above:

In c:\windows\php.ini, set
disable_functions = gzinflate, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, popepassthru, stream_socket_server, fsocket, fsockopen

In c:\windows\php.ini, set the value to Off:
allow_url_fopen = Off

And:

;extension=php_sockets.dll

The leading ; must be present: it comments the line out, which restricts the use of sockets.dll.

Keep the leading ;.

Then start IIS
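A check for the three php.ini settings described above, as an added example that is not part of the original article: it parses php.ini text and reports which of the settings are still missing. The function names and the two sample files are constructed for illustration.

```python
import re

# Socket-related names taken from the disable_functions list in the article.
SOCKET_FUNCS = {"fsockopen", "pfsockopen", "stream_socket_server"}
FALSE_VALUES = {"off", "0", "false", "no", "none", ""}

def parse_ini(text):
    """Return (settings, extensions); text after ';' is a comment.
    Simplification: a ';' inside a quoted value is also treated as a comment."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:          # blank line, comment, or [section] header
            continue
        key, value = (part.strip().strip('"') for part in line.split("=", 1))
        if key.lower() == "extension":
            extensions.append(value.lower())
        else:
            settings[key.lower()] = value   # last occurrence wins here
    return settings, extensions

def audit(text):
    """Return a list of findings; an empty list means all three settings are in place."""
    settings, extensions = parse_ini(text)
    findings = []
    # Accept commas and/or whitespace between entries.
    disabled = {f.lower() for f in re.split(r"[,\s]+", settings.get("disable_functions", "")) if f}
    missing = sorted(SOCKET_FUNCS - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    # allow_url_fopen is On unless php.ini turns it off.
    if settings.get("allow_url_fopen", "1").lower() not in FALSE_VALUES:
        findings.append("allow_url_fopen is not Off")
    if any(re.search(r"(^|[\\/])(php_)?sockets(\.dll|\.so)?$", e) for e in extensions):
        findings.append("sockets extension is still loaded")
    return findings

# Constructed samples: a default-like file and one edited as the article describes.
WEAK = "[PHP]\ndisable_functions = exec, system\nallow_url_fopen = On\nextension=php_sockets.dll\n"
HARDENED = ("[PHP]\ndisable_functions = exec, system, pfsockopen, stream_socket_server, fsockopen\n"
            "allow_url_fopen = Off\n;extension=php_sockets.dll\n")

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "ok")
```

Run it against the php.ini that the web server actually loads, after the restart, by passing the file's contents to `audit()`.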

In the IP security policy or the firewall, block all outbound UDP.
Solution on Linux

I. Prohibit the machine from sending UDP packets to the outside world

iptables -A OUTPUT -p udp -j DROP

II. Allow the ports that need UDP service (e.g. DNS)

iptables -I OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT

Here "53" is the UDP port required by DNS, and "8.8.8.8" is the DNS server IP; set it according to your server's configuration. If you do not know the DNS IP your server currently uses, run the following command over SSH to obtain it:

cat /etc/resolv.conf | grep nameserver | awk 'NR==1{print $2}'

Complete iptables rules
 
  # iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  # iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  # iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 -d 8.8.4.4 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  # iptables -A OUTPUT -p udp -m udp --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  # iptables -A OUTPUT -p udp -j REJECT
  # /etc/rc.d/init.d/iptables save
  # service iptables restart
  # chkconfig iptables on

These rules do the following:

Open DNS port 53 for outbound queries and inbound replies

Reject all other outbound UDP traffic

Start iptables at boot

Also note, regarding the rules above: my server uses Google DNS for name resolution when it accesses the outside world (this is needed if you browse the Internet from the server; if the machine only acts as a server and you do not install packages with yum, it is not needed), so I opened access to 8.8.4.4 and 8.8.8.8. If you are not using Google DNS, you must change these addresses to your own DNS servers. To find out which DNS you are using, you can query it with the following method
Using the IP security policy (download: phpddos_jb51.rar)
Usage:
First, Start - Run - gpedit.msc and find IP security policy
Right-click - All Tasks - select import policy
Finally, assign the policy
