About CC Attacks
2022-08-11 04:56:00 【Zhongyun Era-Defense Testable-Xiaoyu】
CC attacks are somewhat concealed, so how can you tell whether a server is being, or has been, hit by one? The following three methods can be used.
1. Command-line method. When a server is under a CC attack, port 80 of the Web server generally becomes closed to the outside world, because the port is blocked by a large amount of junk data and normal connections are terminated. You can check this by entering the command netstat -an on the command line. "SYN_RECEIVED" is a TCP connection status flag meaning "in the initial synchronization state of the connection": the handshake cannot be completed and the connection is waiting. This is the characteristic of an attack. In general there are many such records, indicating attacks from different proxy IPs.
2. Batch method. The method above requires typing commands by hand, and it becomes laborious when too many IPs are connected to the Web server. You can create a batch file and use script code to determine whether there is a CC attack. The script picks out all current connections to port 80. When the server seems abnormal, double-click the batch file to run it, then check all the connections in the log.log file that opens. If the same IP has a large number of connections to the server, it can basically be concluded that this IP is performing a CC attack on the server.
3. View system logs. Web logs are generally located in the C:\WINDOWS\system32\LogFiles\HTTPERR directory, which contains log files with names like httperr1.log. These files record Web access errors. The administrator can choose which log to open by its time attribute and analyze whether the Web site has been attacked by CC.
By default, the Web log records only a few fields. You can configure IIS so that the Web log records more fields for security analysis. The steps are: go to "Start→Administrative Tools" and open "Internet Information Server", expand the tree on the left to locate the corresponding Web site, then right-click it and select "Properties" to open the site properties window. Under the "Website" tab, click the "Properties" button; under the "Advanced" tab of the "Logging Properties" window, check the "Extended Properties" you want the Web log to record. For example, the three items "bytes sent", "bytes received", and "time used" are not selected by default, but they are very useful for recording and judging CC attacks and can be selected. In addition, if you have high security requirements, you can set the "New Log Schedule" under the "General" tab to log "hourly" or "every day". To make the time easy to determine during later analysis, you can check "Use local time for file naming and creation".
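The checks in methods 1 and 2 can be combined in one script. The following is an added example, not code from the original article. It parses text in the Windows `netstat -an` layout, counts connections to port 80 per remote IP, and counts how many of those are in the SYN_RECEIVED state. The sample output, the function names and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

HALF_OPEN = "SYN_RECEIVED"  # state named in method 1

# Constructed sample in Windows `netstat -an` layout (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:50001     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:50002     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:50003     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.9:41000      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.20:41001     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.20:41002     ESTABLISHED
  TCP    [2001:db8::10]:80      [2001:db8::99]:52000   TIME_WAIT
  UDP    0.0.0.0:123            *:*
"""

def summarize(netstat_text, port=80):
    """Per remote IP, count TCP connections to local `port`: (total, half_open)."""
    total, half_open = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # skip headers, blank lines and UDP rows (no state column)
        _, local, remote, state = fields
        if local.rsplit(":", 1)[-1] != str(port) or state == "LISTENING":
            continue  # other services, or the server's own listening socket
        ip = remote.rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
        total[ip] += 1
        if state == HALF_OPEN:
            half_open[ip] += 1
    return total, half_open

def suspects(netstat_text, port=80, threshold=3):
    """Remote IPs holding at least `threshold` connections, busiest first.
    The threshold is an assumed value; tune it to the site's normal traffic."""
    total, half_open = summarize(netstat_text, port)
    return [(ip, n, half_open[ip]) for ip, n in total.most_common() if n >= threshold]

if __name__ == "__main__":
    total, half_open = summarize(SAMPLE)
    print("half-open connections on port 80:", sum(half_open.values()))
    for ip, n, syn in suspects(SAMPLE):
        print(f"{ip}: {n} connections, {syn} in {HALF_OPEN}")
```

To run it against a live server, pass the captured text of `netstat -an` to `summarize` or `suspects` instead of `SAMPLE`.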