The first case is the company's website, which had its traffic flooded by Shanxi Unicom IPs.
We had just switched CDN accounts and forgot to set up monitoring alerts, so the flooding went unnoticed for three days. I only found out when, slacking off on V2EX, I saw someone else's post whose traffic statistics showed exactly the same situation.
Related articles and posts:
https://blog.projectoms.com/pages/1363.html
https://www.dogecloud.com/announcement/26
https://v2ex.com/t/1055510
https://www.v2ex.com/t/1055422
https://mp.weixin.qq.com/s/cl_ZAZ1PpP1NIT1UXa7PeQ
https://www.coderbusy.com/archives/3442.html
https://chenyan98.cn/4819.html
https://www.docn.net/1059.html

CDN monitoring of the flooded traffic:
[screenshot: 2024-07-23T07:19:37.png]
The request rate is actually not high, so it is not recognized as an attack;
the only option is to block the IPs:

221.205.168.0/23
60.221.231.0/24
211.90.146.0/24
122.195.22.0/24
118.81.184.0/23
124.163.207.0/24
124.163.208.0/24
183.185.14.0/24
36.35.38.0/24
60.221.195.0/24

A fellow netizen has collected the relevant IPs:
https://github.com/unclemcz/ban-pcdn-ip

20240723124445 60.221.195.232 www.xxx.com /skin/images/017.png 196 146 26 514 https://www.xxx.com/skin/images/017.png 1 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A404 Safari/601.1" "(null)" GET HTTPS hit 34218
20240723124445 60.221.195.232 www.xxx.com /skin/images/017.png 197 146 26 514 https://www.xxx.com/skin/images/017.png 1 "Mozilla/5.0 (iPad; CPU OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1" "(null)" GET HTTPS hit 34218
20240723124445 60.221.195.232 www.xxx.com /skin/images/017.png 197 146 26 514 https://www.xxx.com/skin/images/017.png 1 "Mozilla/5.0 (Linux; Android 6.0; DIG-L03) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36" "(null)" GET HTTPS hit 34218
20240723124445 60.221.195.232 www.xxx.com /skin/images/017.png 196 146 26 514 https://www.xxx.com/skin/images/017.png 1 "Mozilla/5.0 (Linux; Android 6.0; CAM-L03) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.64 Mobile Safari/537.36" "(null)" GET HTTPS hit 34218
20240723124445 60.221.195.232 www.xxx.com /skin/images/017.png 196 146 26 514 https://www.xxx.com/skin/images/017.png 1 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" "(null)" GET HTTPS hit 34218
20240723124445 60.221.195.232 www.xxx.com /skin/images/017.png 197 146 26 514 https://www.xxx.com/skin/images/017.png 1 "Mozilla/5.0 (Linux; U; Android-4.0.3; en-us; Galaxy Nexus Build/IML74K) AppleWebKit/535.7 (KHTML, like Gecko) CrMo/16.0.912.75 Mobile Safari/535.7" "(null)" GET HTTPS hit 34218

Above are some of the access logs: the requests all hit a fairly large image, and the User-Agents are all different.
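The pattern in those log lines (one client address, one large static file, a different User-Agent on every request, at a rate too low for a volumetric threshold) can be picked out of a CDN log offline. The script below is an added example, not code from the post or from any CDN vendor; it assumes the field order of the log format shown above (timestamp, client IP, host, path, four counters, full URL, a flag, quoted User-Agent, quoted referer, method, protocol, cache status, response bytes), which the CDN does not document here. The sample lines are constructed to mimic the post's log, with the hostname replaced by www.example.com, and the prefix list is the one the post gives.

```python
import ipaddress
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Prefixes the post lists for blocking (Shanxi Unicom ranges), copied from the page.
BLOCKED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "221.205.168.0/23", "60.221.231.0/24", "211.90.146.0/24", "122.195.22.0/24",
    "118.81.184.0/23", "124.163.207.0/24", "124.163.208.0/24", "183.185.14.0/24",
    "36.35.38.0/24", "60.221.195.0/24",
)]

# Constructed sample lines in the same layout as the post's CDN log.
# The first six mimic the flood (one IP, one large image, a new UA every time);
# the last three are an ordinary visitor from a documentation-range address.
SAMPLE_LOG = [
    '20240723124445 60.221.195.232 www.example.com /skin/images/017.png 196 146 26 514 https://www.example.com/skin/images/017.png 1 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_1 like Mac OS X) Safari/601.1" "(null)" GET HTTPS hit 34218',
    '20240723124445 60.221.195.232 www.example.com /skin/images/017.png 197 146 26 514 https://www.example.com/skin/images/017.png 1 "Mozilla/5.0 (iPad; CPU OS 10_0_1 like Mac OS X) Safari/602.1" "(null)" GET HTTPS hit 34218',
    '20240723124445 60.221.195.232 www.example.com /skin/images/017.png 197 146 26 514 https://www.example.com/skin/images/017.png 1 "Mozilla/5.0 (Linux; Android 6.0; DIG-L03) Chrome/70.0.3538.80 Mobile Safari/537.36" "(null)" GET HTTPS hit 34218',
    '20240723124445 60.221.195.232 www.example.com /skin/images/017.png 196 146 26 514 https://www.example.com/skin/images/017.png 1 "Mozilla/5.0 (Linux; Android 6.0; CAM-L03) Chrome/70.0.3538.64 Mobile Safari/537.36" "(null)" GET HTTPS hit 34218',
    '20240723124445 60.221.195.232 www.example.com /skin/images/017.png 196 146 26 514 https://www.example.com/skin/images/017.png 1 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/70.0.3538.110 Safari/537.36" "(null)" GET HTTPS hit 34218',
    '20240723124445 60.221.195.232 www.example.com /skin/images/017.png 197 146 26 514 https://www.example.com/skin/images/017.png 1 "Mozilla/5.0 (Linux; U; Android-4.0.3; en-us; Galaxy Nexus) CrMo/16.0.912.75 Mobile Safari/535.7" "(null)" GET HTTPS hit 34218',
    '20240723124501 203.0.113.7 www.example.com /index.html 12 10 3 40 https://www.example.com/index.html 1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0" "(null)" GET HTTPS miss 5120',
    '20240723124502 203.0.113.7 www.example.com /index.html 12 10 3 40 https://www.example.com/index.html 1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0" "(null)" GET HTTPS hit 5120',
    '20240723124503 203.0.113.7 www.example.com /index.html 12 10 3 40 https://www.example.com/index.html 1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0" "(null)" GET HTTPS hit 5120',
]


@dataclass
class Record:
    ts: str
    ip: str
    host: str
    path: str
    ua: str
    method: str
    cache: str
    size: int


def parse_line(line: str) -> Record:
    """Parse one CDN log line; quoted fields (UA, referer) are handled by shlex.
    Field positions are an assumption taken from the lines shown in the post."""
    f = shlex.split(line)
    if len(f) < 16:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return Record(ts=f[0], ip=f[1], host=f[2], path=f[3], ua=f[10],
                  method=f[12], cache=f[14], size=int(f[15]))


def in_blocklist(ip: str) -> bool:
    """True if the client address falls inside one of the listed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_PREFIXES)


def find_ua_rotators(records, min_hits=5, min_distinct_ua=4):
    """Return {(ip, path): (hits, distinct_uas, bytes)} for client/path pairs where
    a single IP keeps fetching one resource while rotating User-Agents.
    Request rate is deliberately not a criterion: the tell is UA diversity per IP."""
    hits, uas, total = defaultdict(int), defaultdict(set), defaultdict(int)
    for r in records:
        key = (r.ip, r.path)
        hits[key] += 1
        uas[key].add(r.ua)
        total[key] += r.size
    return {k: (hits[k], len(uas[k]), total[k]) for k in hits
            if hits[k] >= min_hits and len(uas[k]) >= min_distinct_ua}


def analyze(lines, **thresholds):
    """Parse raw lines, flag rotating-UA clients and note which are already blocked."""
    records = [parse_line(l) for l in lines if l.strip()]
    flagged = find_ua_rotators(records, **thresholds)
    blocked = sorted({ip for ip, _ in flagged if in_blocklist(ip)})
    return {"flagged": flagged, "already_blocked": blocked}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for (ip, path), (n, distinct, nbytes) in report["flagged"].items():
        print(f"{ip} {path}: {n} hits, {distinct} UAs, {nbytes} bytes"
              f"{' (already in blocklist)' if ip in report['already_blocked'] else ''}")
```

Run it over an exported CDN log instead of SAMPLE_LOG and the flagged pairs are the candidates for new prefix blocks; tuning `min_hits` per export window keeps a normal visitor who happens to clear a cache from being flagged.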

Then there is another customer's site, which uses Tencent Cloud EO (EdgeOne), specifically to accelerate overseas traffic.
The attacker repeatedly hits the API's SMS endpoint, taking the whole API down. The request frequency is not high, and the site is on the personal plan, which has no bot protection (I'm not sure whether it would be detected anyway).
The attack went on for almost a week, and the UA never changed.
[screenshot: 2024-07-23T07:48:34.png]
This is the number of blocks in the past day:
[screenshot: 2024-07-23T07:49:42.png]
Almost all of the blocked IPs are from Japan, Korea and Hong Kong.
EO's statistics include a JA3 fingerprint field, and it shows as empty here.
[screenshot: 2024-07-23T07:54:44.png]

EO does have more features than an ordinary CDN, but it ships with few automatic blocking rules; they have to be configured by hand.
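Because the SMS endpoint was hit at a low, steady rate for about a week, a limiter that only looks at the last minute would never trip. The class below is an added example, not code from the post or from Tencent EO, of an application-side guard that a service can apply in front of an SMS-sending route regardless of what the edge does: a short window catches bursts, a long window catches the slow drip, and quota is tracked both per client IP and per destination phone number so neither a single source nor a single target can exhaust the SMS budget. The clock is injectable so the behaviour can be reproduced deterministically; window sizes and counts are illustrative assumptions.

```python
import time
from collections import defaultdict, deque


class SmsEndpointGuard:
    """Two-tier sliding-window limiter for an SMS-sending endpoint.

    burst:     (max requests, seconds) for the short window
    sustained: (max requests, seconds) for the long window
    Both limits are applied to two keys: the client IP and the phone number.
    """

    def __init__(self, clock=time.monotonic, burst=(5, 60), sustained=(30, 86400)):
        self.clock = clock
        self.tiers = (("burst", burst), ("sustained", sustained))
        self.longest = max(window for _, (_, window) in self.tiers)
        self.events = defaultdict(deque)  # key -> timestamps of accepted requests

    def _over_limit(self, key, now):
        """Return the name of the first tier that is exhausted for key, else None."""
        q = self.events[key]
        # Forget anything older than the longest window so memory stays bounded.
        while q and now - q[0] >= self.longest:
            q.popleft()
        for name, (max_n, window) in self.tiers:
            recent = sum(1 for t in q if now - t < window)
            if recent >= max_n:
                return name
        return None

    def check(self, ip: str, phone: str):
        """Decide whether this send may proceed. Returns (allowed, reason).
        A denied request consumes no quota, so a target being bombed does not
        also lock out its legitimate owner faster than necessary."""
        now = self.clock()
        keys = (f"ip:{ip}", f"phone:{phone}")
        for key in keys:
            tier = self._over_limit(key, now)
            if tier:
                return False, f"{key} exceeded {tier} limit"
        for key in keys:
            self.events[key].append(now)
        return True, "ok"


if __name__ == "__main__":
    # Constructed replay of the slow pattern: one request every 61 seconds.
    fake_now = [0.0]
    guard = SmsEndpointGuard(clock=lambda: fake_now[0], burst=(3, 60), sustained=(5, 3600))
    for i in range(8):
        fake_now[0] = i * 61.0
        print(fake_now[0], guard.check("203.0.113.9", "+10000000001"))
```

In the replay, every request clears the burst tier (it is the only one in its minute), yet the sixth is refused by the sustained tier; that is the tier a weekly drip runs into. On the real route the denial should translate into an HTTP 429 and, for the phone key, a log line that operations can alert on.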