A Case of CC Attack on Tomcat Backend Server

       Recently, while following up on a project, I discovered many abnormal links in the backend Tomcat server logs. These appeared as numerous requests from strange domain names and IP addresses, causing the website logs to fill up rapidly, as shown below:

Since the frontend uses Nginx and its logs are normal, the information above strongly suggests that the backend server is under a CC attack. My guess is that the public IP and port were scanned by the attacking side. The solution for this case is as follows:

1. Change the original service port.
2. Bind the Tomcat server to an internal IP address, so it is only accessible from the internal network (since my Tomcat is used solely as a backend, this approach works).

These are the solutions we applied. Different cases may require different approaches, but I’m sharing this here for your reference. If you have any

Leave a Comment

Your email address will not be published.