CC攻擊很容易發起，并且幾乎不需要成本，導致現在的CC攻擊越來越多。大部分搞CC攻擊的人，都是用在網上下載的工具，這些工具很少去偽造特征，所以會留下一些痕跡。使用下面的命令，可以分析下是否在被CC攻擊。第一條命令：

tcpdump -s0 -A -n -i any | grep -o -E (GET|POST|HEAD) .*

正常的輸出結果類似于這樣POST /ajax/validator.php HTTP/1.1POST /api_redirect.php HTTP/1.1GET /team/57085.html HTTP/1.1POST /order/pay.php HTTP/1.1GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1GET /static/theme/qq/css/index.css HTTP/1.1GET /static/js/index.js HTTP/1.1GET /static/js/customize.js HTTP/1.1GET /ajax/loginjs.php?type=topbar HTTP/1.1GET /static/js/jquery.js HTTP/1.1GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1GET /static/theme/qq/css/index.css HTTP/1.1GET /static/js/lazyload/jquery.lazyload.min.js HTTP/1.1GET /static/js/MSIE.PNG.js HTTP/1.1GET /static/js/index.js HTTP/1.1GET /static/js/customize.js HTTP/1.1GET /ajax/loginjs.php?type=topbar HTTP/1.1GET /static/theme/qq/css/i/logo.jpg HTTP/1.1GET /static/theme/qq/css/i/logos.png HTTP/1.1GET /static/theme/qq/css/i/hot.gif HTTP/1.1GET /static/theme/qq/css/i/brand.gif HTTP/1.1GET /static/theme/qq/css/i/new.gif HTTP/1.1GET /static/js/jquery.js HTTP/1.1GET /static/theme/qq/css/i/logo.jpg HTTP/1.1正常命令結果以靜態文件為主，比如css,js,各種圖片。如果是被攻擊，會出現大量固定的地址，比如攻擊的是首頁，會有大量的GET / HTTP/1.1，或者有一定特征的地址，比如攻擊的如果是Discuz論壇，那么可能會出現大量的/thread-隨機數字-1-1.html這樣的地址。第二條命令：

tcpdump -s0 -A -n -i any | grep^User-Agent

輸出結果類似于下面：User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)這個是查看客戶端的useragent，正常的結果中，是各種各樣的useragent。大多數攻擊使用的是固定的useragent，也就是會看到同一個useragent在刷屏。隨機的useragent只見過一次，但是給搞成了類似于這樣axd5m8usy，還是可以分辨出來。第三條命令：

tcpdump -s0 -A -n -i any | grep ^Host

如果機器上的網站太多，可以用上面的命令找出是哪個網站在被大量請求輸出結果類似于下面這樣Host:www.server110.comHost:www.server110.comHost:www.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost:www.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost:www.server110.comHost:www.server110.comHost: upload.server110.comHost: upload.server110.comHost: upload.server110.comHost:www.server110.comHost: upload.server110.comHost: upload.server110.comHost:www.server110.com一般系統不會默認安裝tcpdump命令centos安裝方法：yum install -y tcpdumpdebian/ubuntu安裝方法：apt-get install -y tcpdump很多小白用戶不懂得如何設置日志，查看日志，使用上面的命令則簡單的多，復制到命令行上運行即可。