阿里云IP遭受DDOS攻击 快速切换IP实践
#1 介绍
运行平台: 阿里云
访问链路: 域名 -> 负载均衡EIP -> 容器
网站无法访问;排查发现服务运行正常,但公网流量先是异常升高,随后断流。
咨询工程师后得知:公网IP遭受DDoS攻击,触发了风控的DDoS黑洞,因此被断流。
阿里云EIP默认提供不超过5Gbps的基础DDoS防护能力
创建shell脚本:检测到网站断流后,快速切换公网IP以恢复访问。注意:新IP会随域名A记录一起公开,若攻击持续,新IP同样可能被打入黑洞,因此该做法只适合作为临时恢复手段。
#2、创建shell脚本实践
#2.1 检测域名是否可达
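# Reachability probe for the published host name.
# The FQDN is built once so the probe and the log lines always refer to the
# same name (passing the two halves as separate words makes ping target the
# bare sub-domain instead of the full host name).
domain_name="elvin.vip"
domain_sub="k8s-lb"
fqdn="${domain_sub}.${domain_name}"
# One ICMP echo is the whole health signal here: it shows that the resolved
# address answers ping, not that the web service behind it is healthy, and a
# cached DNS answer can make it test the previous address.
if ping -c 1 "$fqdn" &> /dev/null; then
  echo "$(date +'%F %T') $fqdn is online"
else
  echo "$(date +'%F %T') $fqdn is not online."
fi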
#2.2 查询负载均衡器的公网IP
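# Install the Alibaba Cloud CLI into /usr/local/bin (needs write access there).
# The archive is only unpacked when the download succeeded.
# NOTE(review): the archive is not integrity-checked, and a "latest" URL cannot
# be pinned. Prefer a fixed release and compare it with a checksum obtained
# from a trusted channel before unpacking, e.g.
#   echo "<EXPECTED_SHA256>  aliyun-cli-linux-latest-amd64.tgz" | sha256sum -c -
wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz \
  && tar -zxf aliyun-cli-linux-latest-amd64.tgz -C /usr/local/bin/
rm -f aliyun-cli-linux-latest-amd64.tgz

# CLI credentials (placeholders). Use the AccessKey of a RAM user that is
# allowed only the VPC EIP and Alidns calls made on this page, and keep the
# real values out of shell history and shared files.
export ALICLOUD_ACCESS_KEY_ID='key_id_xxx'
export ALICLOUD_ACCESS_KEY_SECRET='key_secret_xxx'
export ALICLOUD_REGION_ID='cn-shanghai'

LOAD_BALANCER_ID="lb-xxxxxxxx"
# Pick the EIP currently bound to this load balancer. The jq argument must be
# the exact instance id: a stray trailing space makes the select() match nothing.
# NOTE(review): the listing is paginated; with many EIPs in the region the bound
# address may not be on the first page - confirm.
EIP_INFO=$(aliyun vpc DescribeEipAddresses --RegionId "$ALICLOUD_REGION_ID" \
  | jq --arg lb_id "$LOAD_BALANCER_ID" \
    '.EipAddresses.EipAddress[] | select(.InstanceId == $lb_id and .InstanceType == "SlbInstance")')
# "// empty" yields an empty string rather than the text "null" when a field is absent.
OLD_EIP_IP=$(jq -r '.IpAddress // empty' <<<"$EIP_INFO")
OLD_EIP_ID=$(jq -r '.AllocationId // empty' <<<"$EIP_INFO")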
#2.3 创建新的EIP
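# Allocate the replacement EIP (pay-by-traffic, --Bandwidth 100), named after
# the sub-domain so it is easy to recognise in the console.
EIP_OUTPUT=$(aliyun vpc AllocateEipAddress --RegionId "$ALICLOUD_REGION_ID" \
  --InternetChargeType PayByTraffic --Bandwidth 100 --Name "$domain_sub")
# Quoted input keeps the JSON intact; "// empty" leaves the variables empty
# (instead of the text "null") when the call failed, so a later -z test works.
EIP_ID=$(jq -r '.AllocationId // empty' <<<"$EIP_OUTPUT")
EIP_IP=$(jq -r '.EipAddress // empty' <<<"$EIP_OUTPUT")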
#2.4 负载均衡器绑定新的EIP
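# Swap the load balancer's EIP: unbind the old address, bind the new one, and
# release the old one only after the new binding succeeded. Releasing
# unconditionally would throw away the old address even when the load balancer
# ended up without any EIP.
if aliyun vpc UnassociateEipAddress --RegionId "$ALICLOUD_REGION_ID" \
  --AllocationId "$OLD_EIP_ID" --InstanceId "$LOAD_BALANCER_ID" --InstanceType SlbInstance; then
  if ASSOCIATE_OUTPUT=$(aliyun vpc AssociateEipAddress --RegionId "$ALICLOUD_REGION_ID" \
    --AllocationId "$EIP_ID" --InstanceId "$LOAD_BALANCER_ID" --InstanceType SlbInstance); then
    aliyun vpc ReleaseEipAddress --AllocationId "$OLD_EIP_ID"
  else
    echo "binding new EIP $EIP_ID failed, old EIP $OLD_EIP_ID kept: $ASSOCIATE_OUTPUT" >&2
  fi
else
  echo "unbinding old EIP $OLD_EIP_ID failed, nothing changed" >&2
fi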
#2.5 更新域名的A记录
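# Look up the record id of the sub-domain and point its A record at the new EIP.
# The jq argument must equal the RR exactly; a trailing space matches nothing.
# NOTE(review): the selection is by RR only; if several records share this RR,
# RECORD_ID holds more than one id - confirm the zone has a single match.
RECORD_ID=$(aliyun alidns DescribeDomainRecords --DomainName "$domain_name" \
  | jq -r --arg rr "$domain_sub" '.DomainRecords.Record[] | select(.RR == $rr) | .RecordId')
# Skip the update when no record was found instead of calling the API with an
# empty --RecordId.
if [ -n "$RECORD_ID" ]; then
  aliyun alidns UpdateDomainRecord --RecordId "$RECORD_ID" --RR "$domain_sub" --Type A --Value "$EIP_IP"
else
  echo "no DNS record found for $domain_sub.$domain_name; A record not updated" >&2
fi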
#3 完整的shell实例
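#!/bin/bash
# EIP fail-over helper.
# When <domain_sub>.<domain_name> stops answering ping, the EIP bound to the
# load balancer is replaced by a newly allocated one, the A record is pointed
# at the new address, and two chat notifications are sent.
# Requires: aliyun CLI, jq, curl, ping; write access to /data/txt.
# Exit status: 0 when the host is online, the run is skipped, or the switch
# completed; 1 when a step of the switch failed.

domain_name="elvin.vip"
domain_sub="k8s-lb"
LOAD_BALANCER_ID="lb-xxxxxxxx"
fqdn="${domain_sub}.${domain_name}"

[ -d /data/txt ] || mkdir -p /data/txt
ckFile="/data/txt/${fqdn}.ck"
runLog="/data/txt/${fqdn}.log"

# Append one timestamped line to the run log.
log() {
  printf '%s %s\n' "$(date +'%F %T')" "$*" >>"$runLog"
}

# Marker handling: $ckFile is written after every switch. Once it is at least
# 600 s old it is removed and this run is skipped.
# NOTE(review): a marker younger than 600 s does not stop the run, so a second
# switch can follow right after the first while DNS caches still point at the
# old address. The comparison may be inverted - confirm the intended cool-down.
if [ -f "$ckFile" ]; then
  now_time=$(date +%s)
  file_time=$(stat -c %Y "$ckFile")
  time_diff=$((now_time - file_time))
  if [ "$time_diff" -ge 600 ]; then
    rm -f "$ckFile"
    log "skip run once"
    exit 0
  fi
fi

# Three ping attempts, 5 s apart; the first success ends the run.
for ((i = 1; i < 4; i++)); do
  if ping -c 1 "$fqdn" &>/dev/null; then
    log "$fqdn is online"
    exit 0
  fi
  log "$fqdn is not online. Retrying..."
  sleep 5
done
log "Domain is not reachable after 3 attempts."

# CLI credentials. Values already present in the environment win, so the real
# AccessKey can come from a root-only environment file instead of this script.
# Use a RAM user that is allowed only the VPC EIP and Alidns calls made below.
export ALICLOUD_ACCESS_KEY_ID="${ALICLOUD_ACCESS_KEY_ID:-key_id_xxx}"
export ALICLOUD_ACCESS_KEY_SECRET="${ALICLOUD_ACCESS_KEY_SECRET:-key_secret_xxx}"
export ALICLOUD_REGION_ID="${ALICLOUD_REGION_ID:-cn-shanghai}"

# Find the EIP currently bound to the load balancer.
EIP_INFO=$(aliyun vpc DescribeEipAddresses --RegionId "$ALICLOUD_REGION_ID" \
  | jq --arg lb_id "$LOAD_BALANCER_ID" \
    '.EipAddresses.EipAddress[] | select(.InstanceId == $lb_id and .InstanceType == "SlbInstance")')
# "// empty" keeps a missing field empty (jq -r would print the text "null"),
# so the -z checks below actually catch a failed lookup.
OLD_EIP_IP=$(jq -r '.IpAddress // empty' <<<"$EIP_INFO")
OLD_EIP_ID=$(jq -r '.AllocationId // empty' <<<"$EIP_INFO")
if [ -z "$OLD_EIP_IP" ] || [ -z "$OLD_EIP_ID" ]; then
  log "Failed to find OLD_EIP_IP"
  exit 1
fi
log "Old EIP: $OLD_EIP_IP"

# Allocate the replacement address.
EIP_OUTPUT=$(aliyun vpc AllocateEipAddress --RegionId "$ALICLOUD_REGION_ID" \
  --InternetChargeType PayByTraffic --Bandwidth 100 --Name "$domain_sub")
EIP_ID=$(jq -r '.AllocationId // empty' <<<"$EIP_OUTPUT")
EIP_IP=$(jq -r '.EipAddress // empty' <<<"$EIP_OUTPUT")
if [ -z "$EIP_ID" ] || [ -z "$EIP_IP" ]; then
  log "Test Failed: Failed to create EIP."
  echo "eip_create: $EIP_OUTPUT" >>"$runLog"
  exit 1
fi
log "New EIP: $EIP_IP"

# Unbind the old EIP. If that fails nothing has changed yet, so the unused new
# EIP is released again; otherwise every failing run would leave one more
# allocated address behind.
log "Remove LB-EIP"
if ! aliyun vpc UnassociateEipAddress --RegionId "$ALICLOUD_REGION_ID" \
  --AllocationId "$OLD_EIP_ID" --InstanceId "$LOAD_BALANCER_ID" \
  --InstanceType SlbInstance >>"$runLog"; then
  log "Unbinding old EIP $OLD_EIP_ID failed; releasing unused new EIP $EIP_ID"
  aliyun vpc ReleaseEipAddress --AllocationId "$EIP_ID" >>"$runLog"
  exit 1
fi
sleep 2

# Bind the new EIP. On failure the load balancer has no EIP; both allocation
# ids are in the log for manual recovery and the old EIP is not released.
if ! ASSOCIATE_OUTPUT=$(aliyun vpc AssociateEipAddress --RegionId "$ALICLOUD_REGION_ID" \
  --AllocationId "$EIP_ID" --InstanceId "$LOAD_BALANCER_ID" --InstanceType SlbInstance); then
  log "EIP add to LB Failed."
  echo "eip_update: $ASSOCIATE_OUTPUT" >>"$runLog"
  log "new EIP $EIP_ID and old EIP $OLD_EIP_ID are both still allocated"
  exit 1
fi
log "eip_update: $ASSOCIATE_OUTPUT"
sleep 2

log "Release old EIP $OLD_EIP_ID"
aliyun vpc ReleaseEipAddress --AllocationId "$OLD_EIP_ID" >>"$runLog"

# Point the A record at the new address. A DNS failure is logged and reflected
# in the exit status, but the notification and the marker are still written so
# the next run does not allocate yet another EIP.
dns_ok=1
RECORD_ID=$(aliyun alidns DescribeDomainRecords --DomainName "$domain_name" \
  | jq -r --arg rr "$domain_sub" '.DomainRecords.Record[] | select(.RR == $rr) | .RecordId')
log "Update IP: $fqdn $EIP_IP"
if [ -z "$RECORD_ID" ]; then
  log "No DNS record found for $fqdn; A record not updated"
  dns_ok=0
elif ! aliyun alidns UpdateDomainRecord --RecordId "$RECORD_ID" --RR "$domain_sub" \
  --Type A --Value "$EIP_IP" >>"$runLog"; then
  log "UpdateDomainRecord failed for $fqdn"
  dns_ok=0
fi

# NOTE(review): both notifier scripts are fetched over plain HTTP with
# certificate checks disabled (-k) and piped into bash, so whatever the server
# or the network path returns runs with this script's privileges and sees the
# exported tokens. Keep a reviewed copy of the notifiers next to this script
# and run that instead, or at least fetch them over HTTPS without -k and check
# them against a pinned checksum.
# The cloud AccessKey is dropped from the environment first, because every
# aliyun call is finished (assumes the notifiers do not call aliyun - confirm).
unset ALICLOUD_ACCESS_KEY_ID ALICLOUD_ACCESS_KEY_SECRET

export ddtxt="notice from ip-update \n$fqdn \n$EIP_IP "
export ddtoken="${ddtoken:-10b70b4fcb8a5ddad86b7a4396183639a6a99c2660xxxxxx}"
curl -ks -m 5 http://files.elvin.vip/shell/ddmsg.url.txt.sh | bash

export txtmsg="notice from ip-update \n$fqdn \n$EIP_IP "
export larktoken="${larktoken:-f6bfc69d-2617-46d7-a42b-123xxxxxx}"
curl -ks -m 5 http://files.elvin.vip/shell/lkmsg.txt.sh | bash

# Record the time of this switch for the marker check at the top.
date +"%F %T" >"$ckFile"
[ "$dns_ok" -eq 1 ] || exit 1
exit 0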
source: https://gitee.com/alivv/elvin-demo/blob/master/shell/aliyun.lb.eip.update.sh