Skip to main content
We are Brand SEO Beijing serving international business, your marketing partner, Contact us by mi@mgsh.com.cn

Teach you a trick to use a firewall to block UA (User Agent) network attacks

A few days ago, someone maliciously attacked this website and the server. At the beginning, the pace was slow, and the server was restarted. Later, it was terrible. After entering the server background, I could not enter the server. I could only stop the website. Once the website was started, the server jumped in seconds. , and then, the first thing to restart the server is to stop the website, check the log, and find that the database of the server is frequently called, the network layer data is full, the application layer calls the CPU and the content is also full, the reason is that some people use the Wordpress search function of this website, frequently How often is the search performed? It is roughly calculated that thousands of requests come in every second.

MGSH-1-Ali-被攻击屏幕截图 2022-08-27 182211

The node where the incident happened is very meaningful. First, various patches and repairs were performed on the server, but the problem failed to solve the problem. It is suspected that the Ali server was attacked and the part was transferred to the server. Possibly, so I added Ali's firewall, and it became stable. I asked Ali how to add a firewall and it was fine, but I couldn't see the attack data. Well, this is really unreasonable, so it started to become unstable again, and then I still look at it. No data.

Later, it was found that the basic version of Ali's fire prevention is not low in one year, and it can't stop the attack. If it is based on its high-end package, the annual cost will be quite a lot.Therefore, the enterprise-level/professional-level Pagoda firewall of the pagoda panel was selected.While there is no one to help (or pay for it) with configuration, the tools are available after all.Due to the complexity of the problem, asking for help can only get partial help in the complex problem, so米国生活Research the problem and solve the problem yourself. This article starts with UA.

UA User Agent Definition

User Agent (UA for short) is a special string header that enables the server to identify the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins, etc. used by the client. .

Network attack UA analysis

From the perspective of IP statistics, a large number of IPs come from Zhengzhou, and Zhengzhou Telecom, Zhengzhou Unicom, and Beijing Mobile.After the previous IP was blocked, Shaanxi Aliyun was added recently.

Network attack IP 2022-09-09 195118网络攻击IP2 2022-09-09 195118

From Alibaba Cloud IP Search Attack - 2022-09-09 200643

Alibaba Cloud IP Attack Details 2022-09-09 200722

URL source code 2022-09-09 200859

URL decoding 2022-09-09 200931

Zuo Qinglong and right Baihu, with unrighteous hearts and lack of diligence, in the way that they seem to be doing promotion, they are actually carrying out pure attacks.

UA data download

Through the Pagoda panel, you can purchase a professional enterprise version of the firewall, and download the Excel table according to the analysis of the series of tools. You will use the functions of Excel to comprehensively sort, filter, delete duplicate data, conditional formatting-duplicate data, and perform detailed analysis of UA data.

Linux Android 5 2022-09-09 202712

UA regular expressions

In the process of batch data processing of http protocol, regular expression is a tool that is often used. There are many mature website tools in foreign countries. In domestic use of regular expressions, it is indeed difficult to find proficient regular expressions on the side, platforms, etc. The talent of the expression, it is a pity, the following米国生活Will share the usage of UA's regular expressions through their own combat and learning, which can be used for firewall configuration.

UA value:

Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Mobile Safari/537.36

The above UA uses regular expressions to match exactly as follows:

^Mozilla\/5\.0.\(Linux\;.Android.5\.0\;.SM\-G900P.Build\/LRX21T\).AppleWebKit\/537\.36\ (KHTML\,.like.Gecko\).Chrome\/92\.0\.4515\.159.Mobile.Safari\/537\.36

Instructions for use:

First, switch the input method to the English half-width state. This thing is a rule developed and formulated by the old Western countries. For a more accurate understanding, the following description will not add punctuation marks.

^ indicates the character at which the regular expression should start

\ Represents an escape character. Each symbol character must be escaped with \ to maintain the original attribute.

. Represents a character position in the original character. The character needs to be escaped with \ and the escaped format is \. And the space in the original string needs to be replaced by . Replacement means that it is a character if not used. Replacement may require otherRegular expressionIt is not recommended to use too many ways for beginners. The above way is simple and accurate

The meaning of exact matching is complete matching. One character is not bad, that is, the regular regular expression is only converted for this UA, and the difference of one character does not take effect.like米国生活Do the same as the precision marketing service of brand marketing,Optimizing brand terms, only to improve the reputation and brand voice of the brand word.

The above UA uses regular expression fuzzy matching as:

^Mozilla\/5\.0.\(Linux\;.Android.5\.0\;.*Chrome.*Safari\/537\.36

Among them, .* means to match any character arbitrarily, any number of times, and fuzzy matching expresses that Mozilla 5.0 uses Linux Android 5.0 Chrome browser Apple Safari 537 36 version kernel, so the range is much wider, and now Android is not as low as 5.0 In addition, Android's use of Apple browser is almost impossible for ordinary users to achieve, only technical operations and fake data can be achieved, so blocking this technical attack does not affect real users visiting the website.

The above description has clearly expressed how to use regular expressions to use UA, no more examples,米国生活The official website is still under attack, preventing attackers from discovering this prevention method, continuously changing data, causing米国生活Constantly modifying the protection strategy, this kind of PK is meaningless and wastes money and people.

fuzzy matching in米国生活In the network marketing and brand marketing programs, they belong to the scope of public domain marketing, which is to screen their own customers in a larger scope.

米国生活The way public opinion influences

Other protection methods

In addition to using firewalls to shield User Agents, it is also necessary to use multiple methods for comprehensive protection, such as IP, URL, POST, GET, URI, Cookies, Header, etc., such as米国生活The official website was only attacked violently by IP from Zhengzhou. After restricting the IP of Zhengzhou, the same attack method was transferred to the IP of other regions. At this time, the other party's attack is active. If there is no other restrictions such as UA, only IP protection is not enough. .

Look, when the website is attacked and paralyzed, the engineer asks you tens of thousands of dollars to restore the website. It's not expensive. It takes a lot of technical knowledge to handle this matter. However,米国生活10 do not, although the money is a small thing for the loss of website business, 5 do not, the first time came米国生活If you deduct "1" on the screen on the official website, there will definitely be discounts for new visitors. Don't pay 3. With so much knowledge, so many skills, and so much workload, the shipping cost of using a truck to pull you down is more than 3 If you still want a discount, type "want" on the screen, 2 and 9 don't want it. If you pull you down, you will have to digest it with a team for a month.米国生活I'm going to give new fans a discount today, remember to click the attention above,米国生活It's not stupid, you pay attention or not, I can see it in the background, place an order now, the discount will come home, and if you want the discount home, hit "home" on the screen!Link up soon... put米国生活The best deals for babies on the site.

I am amusing myself...

米国生活When the anchor says the final price, he always swipes the screen in advance, and the anchor's teeth are itchy...

However, in front of the routine and after identifying the routine, there are always gamers who米国生活candid,"米国生活I already knew."米国生活I don't want to expose it anymore, but I still think it's not good and it's not convenient to crack down on fakes.

I made myself cry...

I cried without sound and without tears. When I saved this article, it seemed to be in a state of being hijacked. I entered the page that reminded me of the loss. I didn’t save it. I clicked the return button and wanted to return to the editing state, but I found that it was an unsaved editing state. The test text clicks the save button again, and it is lost again, but I found that I can submit it by clicking refresh on the missing page. There are so many words, I typed it twice...

Who is going to hijack my job, I know that people with a simple mind and a big chest like me always have bad thoughts. Who doesn't want to be hijacked?I put my hands on my chest, only to hear a tearing sound, my clothes were torn with a long crack, come on, come rob me, yes, I couldn't help but amused myself...

In the words of the Supreme Treasure in "Journey to the West" to Chun Thirty Niang, come on, stab me, I drew a stroke on my chest with the edge of the palm of my right hand, and gave you a wink to inspire you, come on, stab me. Digging out my heart, I want to see too...

Can you wait for me to post the article before robbing it? Isn't there xmlrpc? I'm so active, I've already tore it out. I'll check the goods first, the goods can be robbed again, if they don't work, I'll let them go.

Back to Top