I. 30 minutes before life and death: don't trust any surveillance panel
1. Visual inspection (3 minutes to pinpoint the problem)
Symptom 1: Website opens slowly but server CPU shows <30%
fulfillment ss-s-s. Check TCP connection count (usually >100k during attacks)
case (law): ESTAB connection reaches 320,000 during attack on a novel site
Symptom 2: Spike in requests for specific documents
Tracking with real-time logs:tail -f access.log | grep -E 'wp-login|api/v1'
Real-world discovery: attackers' favorite forgeries /contact.php requesting
Symptom 3: Sudden share of foreign IP >80%
Quick Stats command:awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -20
2. Attack type determination table (with sample signature logs)
| Type of attack | identifying characteristic | Sample logs |
|---|---|---|
| CC attack | Fixed UserAgent repeat visits | Mozilla/5.0 (Windows NT 6.1; rv:60.0) |
| DNS reflection | Large number of UDP packets on port 53 | src_port=53 && protocol=UDP |
| Slowloris | Keep the connection half open for more than 30 seconds | [28/Aug/2023:14:22:15] "POST |
II. Four axes to save lives (implemented in order of priority)
1. Enterprise CDN cleansing (effective in 5 minutes)
Cloudflare Enterprise Edition configuration details:
# Customized WAF rules (against CC attacks) http.request.uri contains "/wp-admin" && cf.threat_score > 2 && ip.geoip.asnum not in {1234 5678} -> Block
Note: asnum needs to be entered in advance as a cooperative operator number
2. Temporary IP switching (to be prepared in advance)
Cold IP Activation Steps::
-
- Modify DNS TTL to 60 seconds (original record stays alive)
- The new server is configured with differentiated industrial control parameters:
# Modify MaxKeepAliveRequests to 50 # Disable mod_negotiation module
- Enable IP blacklist synchronization:
rsync -avz /etc/iptables root@newIP:/etc/
3. Search engine life preservation settings
Google Intensive Care Access::
-
- Submit an emergency notification in Search Console
- Place the
google_verify.htmlcalibration file - Use this meta tag declaration:
<meta name="googlebot" content="unavailable_after: 2023-09-01T12:00:00+08:00">
Third, high-level confrontation skills (details that hackers won't tell you)
1. Fake botnet decoys
Deploy honeypot systems on non-business ports (e.g. 8080)
Implanting fake API responses:
{ "status": "error", "code": "INVALID_ATTACK_SIGNATURE" }
Case in point: a gaming platform uses this method to induce attackers to continuously consume resources
2. SEO traffic diversion techniques
Dynamically generated geo-blocking pages (to preserve weight):
<?php
if ($_SERVER['HTTP_CF_IPCOUNTRY'] == 'RU') {
header("HTTP/1.1 503 Service Temporarily Unavailable");
include('rus_attack.html');
exit;
}
? >
3. Search engine spider whitelisting
Nginx configuration example:
if ($http_user_agent ~* (Googlebot|Bingbot)) { set $realip $remote_addr; access_by_lua_file /path/to/whitelist.lua; }
IV. Post-disaster reconstruction (more important than defense)
1. Log forensic analysis
Attack mapping is generated using ELK stacks:
# Extraction Attack Characterization cat access.log | grep ' 500 ' | awk '{print $7}' | sort | uniq -c | sort -nr > attack_pattern.txt
2. The three principles of weight restoration
- 301 Redirect Gradient Migration::
Old URL → temporary URL → new URL (transition over 3 months)
- Access to CDN::
flat-roofed building aging (metallurgy) associates CDN5 3 hours. www.cdn5.com StoneCDN imminent stonecdn.com
3. Backchain contamination removal
Bulk export of spammy outbound links using Ahrefs:
# Automated filtering script (example) if 'viagra' in anchor_text or DR<20: submit_disavow()
V. Darknet monitoring (prevention of secondary attacks)
1. Attacker profiling
Search for exposed devices via Shodan:
org: "China Telecom" product: "Apache httpd" port: "80"
Search for group keywords in Telegram:
site:t.me "DDoS Order Taking" OR "Stress Testing"
2. Defense costing sheet
| Scale of attack | Recommended Programs | monthly cost | SEO Impact Cycle |
|---|---|---|---|
| <150Gbps | jqcdn.com | $500 | 30 days |
| 50-200Gbps | jqcdn.com | $2000 | 30 days |
| >200Gbps | Self-built cleaning center | $15k+ | 30 days + |
lesson learned through blood and tears: 2021 A financial site's recovery period was extended by a factor of 3 due to misconfigured CDN caching rules. Remember: Disable all page caching during an attack!
Note: The technical means involved in this article need to be used within the scope of the law, and some of the data has been desensitized. The defense strategy is updated in February 2025, please adjust according to the latest attack patterns.
[Attack traffic analysis mapping]
→ Phase 1: TCP SYN Flood (lasts 18 minutes)
→ Phase 2: HTTP slow attack (duration 2 hours)
→ Phase 3: Hybrid CC attacks (150 per IP/sec)
DDoS attack emergency 5 soul torture (with real stepping on the case)
Q1: Can I just shut down the server when my website gets knocked down?
pit case: 2022 an e-commerce station O&M direct power outage, resulting in Baidu index plummeted 72%
✅ Correct operation:
- Keep the server running but limit the bandwidth (with
tc qdisc(current limiting) - Global Replacement to 503 Maintenance Page (retains SEO weight)
- Mark "Temporarily closed" in Google Search Console.
Q2: Can I carry an attack with a free CDN?
The Truth in Data: jqcdn free version actual cleaning capacity ≤ 50Gbps
✅ Grading program:
Small traffic attack (<30Gbps): Enable "5-second shield" + human verification
Medium to high traffic attacks: must install jqcdn rules engine (filter unconventional HTTP headers)
⚠️ Note: Free protection against CC attacks
Q3: How can I confirm that a competitor is messing with me?
The Three Elements of Forensics::
- Precise matching of promotions during attack hours (±2 hours)
- Persistent attacks on low-weight pages (e.g. /about.html)
- Accompanied by a large number of spammy outbound link attacks (monitored with Ahrefs)
✉️ forensic template:netstat -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
Q4: Do I have to change my IP after being attacked?
New responses for 2025::
Short term: rotate with Anycast IP pool (DNSMadeEasy recommended)
Long-term: deploy BGP defense (cost from $800/month)
🚫 Fatal error: change IP without cleaning backdoor program → 72% probability of being compromised again
Q5: How long do attacks usually last?
Black market conditions::
Demonstration-type attack: 15-30 minutes ($50 per hour)
Commercial Strike: 6-72 hours ($1200 per day)
✅ Counterstrategy:
Hour 1: Initiate flow cleaning
Hour 3: Activate secondary data center
Hour 12: Requesting traffic traction from your ISP
experience based on one's own blood and tearsThe same attacker got 9 consecutive hits in 3 months because a webmaster neglected to analyze the attack logs. Remember: After each attack, you must use thetcpdumpSave the original packet!