CC is mainly used to attack web pages. Everyone has experienced this: when you visit a forum that is relatively large and has many visitors, pages open slowly. The more visitors there are, the more pages the forum has, the larger the database and the more frequently it is accessed, the more system resources are consumed.
A static page requires few resources from the server; it can even be read directly from memory and sent to you. A forum is different. Each time I view a post, the system has to query the database to determine whether I have permission to read the post; if so, it reads the post's content and displays it. That is at least two database accesses. If the database is 200 MB in size, the system may well have to search through that 200 MB of data. A keyword search takes even more time: the earlier lookups can be limited to a very small range (the permission check only consults the user table, and the post content only the post table) and can stop as soon as a match is found, whereas a search has to evaluate all the data, which takes considerable time.
CC takes full advantage of this by simulating multiple users (one thread per user) that continuously access pages requiring a lot of data operations, that is, a lot of CPU time. Many people ask why a proxy is used. Proxies effectively hide the sender's identity, and they also bypass all firewalls, because basically all firewalls detect the number of concurrent TCP/IP connections, and if the number exceeds a certain frequency it is considered a Connection Flood.
Attacking through proxies also keeps connections alive very well. We send the data, the proxy forwards it to the other server, and we can disconnect immediately while the proxy continues to maintain its connection with the other party (I know of someone who used 2000 proxies to generate 350000 concurrent connections).
Assume that Search.asp on server A takes 0.01 s to process (multithreading is only time slicing and does not affect the conclusion), which means the server can handle 100 search requests per second, and that the maximum connection time allowed by the server is 60 s. We then use CC to simulate connections from 120 concurrent users. After 1 minute, the server has received 7200 requests and processed 6000, so 1200 concurrent connections remain unprocessed. Some will say: "Drop the connections!" The problem is that the server drops connections in first-come, first-served order, and these 1200 connections were opened in the last 10 seconds. Drop them? It is still too early for that. By calculation, when the server starts dropping connections at full load, there should be 7200 concurrent connections in the queue, and the server then drops connections at 120 per second. We also open 120 connections per second, so the server always has connections it cannot finish processing, and its CPU stays at 100% for a long time. After 60 seconds of dropping connections, the server determines that it cannot keep up and can no longer process new connections: it has reached a super-busy state.
Of course, CC can also use this method against FTP and to carry out a TCP FLOOD; both have been tested and found effective.
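An added example (not from the original page) of detection logic for the pattern described above: because the requests arrive through many proxies, a per-source connection limit never fires, so the check aggregates by URL and compares the total with the 100 requests per second that Search.asp can serve. The log format, the per-source limit of 10 and the sample addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

CAPACITY = {"/Search.asp": 100}   # requests/second the page assumes Search.asp can serve
PER_IP_LIMIT = 10                 # assumed threshold of a per-source connection-counting rule

def parse(line):
    """Constructed log format: '<epoch-second> <source-ip> <method> <url>'."""
    ts, ip, _method, url = line.split()
    return int(ts), ip, url.split("?", 1)[0]   # group by path, ignoring the query string

def find_distributed_overload(lines, capacity=CAPACITY, per_ip_limit=PER_IP_LIMIT):
    """Return one finding per (second, path) whose aggregate rate exceeds capacity."""
    buckets = defaultdict(Counter)             # (second, path) -> requests per source IP
    for line in lines:
        ts, ip, path = parse(line)
        buckets[(ts, path)][ip] += 1
    findings = []
    for (ts, path), per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if path in capacity and total > capacity[path]:
            busiest = max(per_ip.values())
            findings.append({
                "second": ts, "path": path, "requests": total,
                "sources": len(per_ip), "busiest_source": busiest,
                # True when no single source would trip the per-IP rule
                "evades_per_ip_rule": busiest <= per_ip_limit,
            })
    return findings

def sample_log():
    """Constructed sample: 120 search requests in one second, spread over 60 sources."""
    lines = [f"1700000000 198.51.100.{i % 60 + 1} GET /Search.asp?q=k{i}" for i in range(120)]
    lines += [f"1700000000 203.0.113.{i + 1} GET /index.html" for i in range(5)]
    lines += [f"1700000001 203.0.113.{i + 1} GET /Search.asp?q=news" for i in range(8)]
    return lines

if __name__ == "__main__":
    for finding in find_distributed_overload(sample_log()):
        print(finding)
```

The single finding shows 120 requests in one second from 60 sources with at most 2 per source, which is why the alert has to key on the expensive endpoint rather than on any one client.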
Symptoms of a website under CC attack
1. If the website is dynamic (asp/asp.net/php, for example) and is attacked by CC, the IIS site reports a SERVER IS TOO BUSY error. If the site is not served by IIS, the program serving the website will crash or report errors for no apparent reason. Once problems in the website's own code have been ruled out, this behaviour basically means the website has been attacked by CC.
2. If the website is static (HTML pages, for example) and is attacked by CC, open Task Manager and check the network traffic: the amount of data sent by the network application is abnormally high, and under a large CC attack it can even reach 99% network utilization. During the attack the website cannot be accessed normally, but connecting to the server through port 3389 still works normally.
3. Under a small CC attack, the site can still be accessed intermittently, but relatively large files such as images may fail to display. On a dynamic website under a small CC attack, the server's CPU usage also soars. This is the most basic symptom of a CC attack.
If your website experiences one of the symptoms of CC attacks mentioned above, please do not panic. Just contact us to purchase a Huosan Cloud APP shield, which can be very effective in defending against various types of CC attacks once and for all.