WAVE PCM soundfile format
The WAVE file format is a subset of Microsoft's RIFF specification for the storage of multimedia files. A RIFF file starts out with a file header followed by a sequence of data chunks. A WAVE file is often just a RIFF file with a single "WAVE" chunk which consists of two sub-chunks -- a "fmt " chunk specifying the data format and a "data" chunk containing the actual sample data. Call this form the "Canonical form". Who knows how it really all works. An almost complete description which seems totally useless unless you want to spend a week looking over it can be found at MSDN (mostly describes the non-PCM, or registered proprietary data formats).

I use the standard WAVE format as created by the sox program:
1.jpg
Offset Size Name Description

The canonical WAVE format starts with the RIFF header:

0 4 ChunkID Contains the letters "RIFF" in ASCII form

                           (0x52494646 big-endian form).

4 4 ChunkSize 36 + SubChunk2Size, or more precisely:

                           4 + (8 + SubChunk1Size) + (8 + SubChunk2Size)
                           This is the size of the rest of the chunk 
                           following this number.  This is the size of the 
                           entire file in bytes minus 8 bytes for the
                           two fields not included in this count:
                           ChunkID and ChunkSize.

8 4 Format Contains the letters "WAVE"

                           (0x57415645 big-endian form).

The "WAVE" format consists of two subchunks: "fmt " and "data":
The "fmt " subchunk describes the sound data's format:

12 4 Subchunk1ID Contains the letters "fmt "

                           (0x666d7420 big-endian form).

16 4 Subchunk1Size 16 for PCM. This is the size of the

                           rest of the Subchunk which follows this number.

20 2 AudioFormat PCM = 1 (i.e. Linear quantization)

                           Values other than 1 indicate some 
                           form of compression.

22 2 NumChannels Mono = 1, Stereo = 2, etc.
24 4 SampleRate 8000, 44100, etc.
28 4 ByteRate == SampleRate NumChannels BitsPerSample/8
32 2 BlockAlign == NumChannels * BitsPerSample/8

                           The number of bytes for one sample including
                           all channels. I wonder what happens when
                           this number isn't an integer?

34 2 BitsPerSample 8 bits = 8, 16 bits = 16, etc.

      2   ExtraParamSize   if PCM, then doesn't exist
      X   ExtraParams      space for extra parameters

The "data" subchunk contains the size of the data and the actual sound:

36 4 Subchunk2ID Contains the letters "data"

                           (0x64617461 big-endian form).

40 4 Subchunk2Size == NumSamples NumChannels BitsPerSample/8

                           This is the number of bytes in the data.
                           You can also think of this as the size
                           of the read of the subchunk following this 
                           number.

44 * Data The actual sound data.

As an example, here are the opening 72 bytes of a WAVE file with bytes shown as hexadecimal numbers:

52 49 46 46 24 08 00 00 57 41 56 45 66 6d 74 20 10 00 00 00 01 00 02 00
22 56 00 00 88 58 01 00 04 00 10 00 64 61 74 61 00 08 00 00 00 00 00 00
24 17 1e f3 3c 13 3c 14 16 f9 18 f9 34 e7 23 a6 3c f2 24 f2 11 ce 1a 0d
Here is the interpretation of these bytes as a WAVE soundfile:
2.JPG
Notes:
The default byte ordering assumed for WAVE data files is little-endian. Files written using the big-endian byte ordering scheme have the identifier RIFX instead of RIFF.
The sample data must end on an even byte boundary. Whatever that means.
8-bit samples are stored as unsigned bytes, ranging from 0 to 255. 16-bit samples are stored as 2's-complement signed integers, ranging from -32768 to 32767.
There may be additional subchunks in a Wave data stream. If so, each will have a char[4] SubChunkID, and unsigned long SubChunkSize, and SubChunkSize amount of data.
RIFF stands for Resource Interchange File Format.
General discussion of RIFF files:
Multimedia applications require the storage and management of a wide variety of data, including bitmaps, audio data, video data, and peripheral device control information. RIFF provides a way to store all these varied types of data. The type of data a RIFF file contains is indicated by the file extension. Examples of data that may be stored in RIFF files are:
Audio/visual interleaved data (.AVI)
Waveform data (.WAV)
Bitmapped data (.RDI)
MIDI information (.RMI)
Color palette (.PAL)
Multimedia movie (.RMN)
Animated cursor (.ANI)
A bundle of other RIFF files (.BND)
NOTE: At this point, AVI files are the only type of RIFF files that have been fully implemented using the current RIFF specification. Although WAV files have been implemented, these files are very simple, and their developers typically use an older specification in constructing them.

一、DDOS认识

    分布式拒绝服务(DDoS:Distributed Denial of Service)攻击指借助于客户/服务器技术,将多个计算机联合起来作为攻击平台,对一个或多个目标发动DDoS攻击,从而成倍地提高拒绝服务攻击的威力。

=========================================================================================================

二、DDOS防范

1、一般的DDOS攻击可以修改/proc/sys/net/ipv4/tcp_max_syn_backlog里的参数就行了,默认参数一般都很小,设为8000以上,一般的DDOS攻击就可以解决了。

2、如果上升到timeout阶段,可以将/proc/sys/net/ipv4/tcp_fin_timeout设小点。

3、比较彻底的解决方法是添置硬件防火墙。不过,硬件防火墙价格比较昂贵。可以考虑利用Linux系统本身提供的防火墙功能来防御。

①防止syn攻击(DDOOS攻击的一种)

 代码如下

iptables -I INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -I FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT    防止同步包洪水(Sync Flood)

②防止各种端口扫描

 代码如下

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

③Ping洪水攻击(Ping of Death)

 代码如下

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

④、Linux下设置

如果你的服务器配置不太好,TCPTIME_WAIT套接字数量达到两、三万,服务器很容易被拖死。通过修改Linux内核参数,可以减少服务器的TIME_WAIT套接字数量。

TIME_WAIT查看命令: netstat-an | grep "TIME_WAIT" | wc -l 

在Linux下,如CentOS,可以通过修改/etc/sysctl.conf文件来达到目的。

查看SYN相关的配置

/sbin/sysctl -a |grep syn

vim /etc/sysctl.conf

增加以下几行:以下是代码片段:

 代码如下

net.ipv4.tcp_fin_timeout = 30            
net.ipv4.tcp_keepalive_time = 1200       
net.ipv4.tcp_syncookies = 1             
net.ipv4.tcp_tw_reuse = 1               
net.ipv4.tcp_tw_recycle = 1             
net.ipv4.ip_local_port_range = 1024 65000 
net.ipv4.tcp_max_syn_backlog = 2048     
net.ipv4.tcp_max_tw_buckets = 5000      
net.ipv4.tcp_synack_retries = 3              
net.ipv4.tcp_syn_retries = 3                

net.ipv4.tcp_fin_timeout                       修改系統默认的TIMEOUT 时间。

net.ipv4.tcp_keepalive_time= 1200              表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟。

net.ipv4.tcp_syncookies= 1                      表示开启SYNCookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭;

net.ipv4.tcp_tw_reuse= 1                       表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭;

net.ipv4.tcp_tw_recycle= 1                     表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭;

net.ipv4.ip_local_port_range= 10000 65000         表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为10000到65000。(注意:这里不要将最低值设的太低,否则可能会占用掉正常的端口!)

net.ipv4.tcp_max_syn_backlog= 8192             表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数。

net.ipv4.tcp_max_tw_buckets= 5000             表示系统同时保持TIME_WAIT的最大数量,如果超过这个数字,TIME_WAIT将立刻被清除并打印警告信息。默认为180000,改为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于 Squid,效果却不大。此项参数可以控制TIME_WAIT的最大数量,避免Squid服务器被大量的TIME_WAIT拖死。

net.ipv4.tcp_synack_retries                      为了打开对端的连接,内核需要发送一个SYN并附带一个回应前面一个SYN的ACK。也就是所谓三次握手中的第二次握手。这个设置决定了内核放弃连接之前发送SYN+ACK包的数量。

net.ipv4.tcp_syn_retries                         在内核放弃建立连接之前发送SYN包的数量

 

加大SYN队列长度可以容纳更多等待连接的网络连接数,打开SYN Cookie功能可以阻止部分SYN攻击,降低重试次数也有一定效果。

=========================================================================================================

三、检测SYN攻击
1、# netstat -n -p -t
tcp0 0 10.11.11.11:23124.173.152.8:25882 SYN_RECV-
tcp0 0 10.11.11.11:23236.15.133.204:2577 SYN_RECV-
tcp0 0 10.11.11.11:23127.160.6.129:51748 SYN_RECV-

LINUX系统中看到的,很多连接处于SYN_RECV状态(在WINDOWS系统中是SYN_RECEIVED状态),源IP地址都是随机的,表明这是一种带有IP欺骗的SYN攻击。
2、# netstat -n -p -t | grep SYN_RECV | grep :80 | wc -l
324
查看在LINUX环境下某个端囗的未连接队列的条目数,显示TCP端囗22的未连接数有324个,虽然还远达不到系统极限,但应该引起管理员的注意。
3、# netstat -na | grep SYN_RECV
tcp 0 0 58.193.192.20:80 221.0.108.162:32383 SYN_RECV
tcp 0 0 58.193.192.20:80 125.85.118.231:2601 SYN_RECV
tcp 0 0 58.193.192.20:80 222.242.171.215:2696 SYN_RECV
tcp 0 0 58.193.192.20:80 116.52.10.51:2629 SYN_RECV
tcp 0 0 58.193.192.20:80 218.171.175.157:1117
4、# netstat -na | grep SYN_RECV |wc
11 66 979

=========================================================================================================

四、SYN配置

1、查看系统SYN相关的配置

/sbin/sysctl -a | grep syn

net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
fs.quota.syncs = 18
2、SYN相关配置

防范SYN攻击设置,缩短SYN-Timeout时间:
iptables -A FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -m limit –limit 1/sec –limit-burst 5 -j ACCEPT

每秒最多3个 syn 封包进入表达为 :
iptables -N syn-flood
iptables -A INPUT -p tcp –syn -j syn-flood
iptables -A syn-flood -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT

设置syncookies:

sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # 禁用icmp源路由选项
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # 忽略icmp ping广播包,应开启
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1 # 忽略所有icmp ping数据,覆盖上一项

 =========================================================================================================

五、受到DDOS攻击后,如何处理和切换

1、使用iptables屏蔽攻击IP

首先使用以下代码,找出攻击者IP

netstat -ntu | awk'{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

以下命令将显示所有打开你的服务器的活跃连接,如果它显示连接超过500,那么将肯定有问题。

使用以下代码显示连接到80段口的活跃的网络连接

netstat -n | grep:80 |wc -l

以下命令结果是100或以上,那么服务器可能被同步攻击。

netstat -n | grep:80 | grep SYN |wc -l

 

一旦你获得了攻击你的服务器的IP列表,你可以很容易地阻止它。

使用下面的命令来阻止IP或任何其他特定的IP:

route addipaddress reject

一旦你在服务器上阻止了一个特定IP的访问,你可以检查对它的阻止是否有效

通过使用下面的命令:

route -n |grepIPaddress

 

当你发现攻击你服务器的IP你可以使用下面的命令来关闭他们的连接:

iptables -A INPUT1 -s $IPADRESS -j DROP/REJECT

请注意你必须用你使用netstat命令找到的IP数替换$IPADRESS

service iptablesrestart

service iptablessave

上面的命令执行后,停止httpd连接,重启httpd服务

使用下面的命令:

killall -KILLhttpd

service httpdstartssl

 

2、软件解决

㈠、使用DDoS deflate+iptables

DDoS deflate是一款免费的用来防御和减轻DDoS攻击的脚本。它通过netstat监测跟踪创建大量网络连接的IP地址,在检测到某个结点超过预设的限制时,该程序会通过APF或IPTABLES禁止或阻挡这些IP.

安装DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh //下载DDoSdeflate
chmod 0700 install.sh //添加权限
./install.sh //执行

配置DDoS deflate

下面是DDoS deflate的默认配置位于/usr/local/ddos/ddos.conf,默认如下:

Paths of thescript and other files

PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" //IP地址白名单
CRON="/etc/cron.d/ddos.cron" //定时执行程序
APF="/etc/apf/apf"
IPT="/sbin/iptables"

 

frequency inminutes for running the script
Caution: Every time this setting is changed, run the script with --cron
option so that the new frequency takes effect

FREQ=1 //检查时间间隔,默认1分钟

How manyconnections define a bad IP? Indicate that below.

NO_OF_CONNECTIONS=150 //最大连接数,超过这个数IP就会被屏蔽,一般默认即可

APF_BAN=1(Make sure your APF version is atleast 0.96)
APF_BAN=0 (Uses iptables for banning ips instead of APF)

APF_BAN=1 //使用APF还是iptables。推荐使用iptables,将APF_BAN的值改为0即可。

KILL=0 (BadIPs are'nt banned, good for interactive execution of script)
KILL=1 (Recommended setting)

KILL=1 //是否屏蔽IP,默认即可

An email issent to the following address when an IP is banned.
Blank would suppress sending of mails

EMAIL_TO="root" //当IP被屏蔽时给指定邮箱发送邮件,推荐使用,换成自己的邮箱即可

 

Number ofseconds the banned ip should remain in blacklist.

BAN_PERIOD=600 //禁用IP时间,默认600秒,可根据情况调整

用户可根据给默认配置文件加上的注释提示内容,修改配置文件。

查看/usr/local/ddos/ddos.sh文件的第117行

netstat -ntu | awk‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

修改为以下代码即可!

netstat -ntu | awk‘{print $5}’ | cut -d: -f1 | sed -n ‘/[0-9]/p’ | sort |uniq -c | sort -nr > $BAD_IP_LIST

测试防ddos攻击效果

NO_OF_CONNECTIONS=3        

这里为了方便测试,设置为3。生产环境下,几十到几百都可以理解为正常,上千肯定就是不正常了,除非是应用内部各个服务器之间的通信

通过一台固定ip的机器ssh连接该服务器,当连接到超过3甚至更多时,不会立刻显示连不上,因为ddos.sh默认一分钟运行一次,当过不到一分钟时,会发现连接掉了,查看部署了防ddos软件的服务器上可以看到iptables的策略中多了:

DROP all --31.210.16.29.broad.cs.gd.dynamic.163data.com.cn anywhere

说明确实生效了,当10分钟后,iptables上这条策略会被取消的

关于如何查看单个IP的连接数目可以通过如下命令查看,依次排列:

netstat -na|grep ESTABLISHED|awk'{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -r -n
..............
     40 127.0.0.1
      1 121.9.252.28
      1 173.117.140.69

ddos攻击很常见,攻击效果也很好,比如像前段时间由于维基创始人引发的那次大范围的攻击。
如果有专门防止ddos的硬件设备的话最好,没有的话就利用DDoS-Deflate结合iptables在一定程度上防范ddos攻击也是一种很好的策略。

㈡、使用智能dns解析,自动解析到好的服务器

需要在dnspod.cn购买

㈢、使用负载均衡

两台或两台服务器以上,LVS+Keepalive或LVS+heartbeat实现双机或多机热备
————————————————
版权声明:本文为CSDN博主「程序猿_wt」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/weixin_37202689/article/details/72843355