VPS出现攻击和被人CC的时候处理的一些办法

2012年05月29日 1067点热度 0人点赞 0条评论

T2给出的解决办法,大家可以参考参考。在母鸡执行哦~~别搞错了

It would appear that your server is launching a network-based attack against another server somewhere else. If you look at your bandwidth utilization (from the Traffic tab) you'll see that your server is flooding the bandwidth connection.

Most likely either your server or a VPS on your server has been hacked and it's now acting as part of a botnet.

In order to determine which of your IPs is consuming all of the bandwidth you'll need to run a packet capture on your server while the attack is taking place. If you're unable to access the server via SSH or via XenCenter (if using XenServer) then you can access the server out-of-band using the serial console access.

Log in to your server and first try running this command:

/usr/sbin/tcpdump -e -nn -c 200

That will dump 200 packets to the terminal. Hopefully it is obvious from the output which IP is responsible for sending out the majority of the bandwidth.

If the offending IP is not obvious from the output then you can try filtering the output of tcpdump through a small analysis script we have. Try these commands:

----
cd /tmp

wget http://centos.take2hosting.com/dumpCount.pl

chmod 755 dumpCount.pl

/usr/sbin/tcpdump -e -nn -c 200 | ./dumpCount.pl
----

And look to see if the Top Sender (Bytes or Packets) looks to be the offending IP.

If you're unable to determine the attacker from there then you should start stopping/suspending your VPSes (if you're running VPSes) one at a time until the problem subsides. Then you'll know which VPS is causing the problem.

Sandyliao

保持飢渴好吃的性格、維持好攝之徒的愛好、繼續在三流的技術下活著!

文章评论

您需要 登录 之后才可以评论