CN103685293B - Protection method and device for denial of service attack - Google Patents


Info

Publication number: CN103685293B
Authority: CN (China)
Prior art keywords: request, response, data, service attack, denial
Legal status: Active
Application number: CN201310713371.XA
Other languages: Chinese (zh)
Other versions: CN103685293A
Inventor: 蒋文旭
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qianxin Technology Co Ltd
Priority to CN201310713371.XA
Publication of CN103685293A
Application granted
Publication of CN103685293B

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides a protection method and device for denial-of-service attacks. The protection method comprises the steps of: acquiring a trigger event indicating that a host is under a denial-of-service attack; generating, according to the access request transmitted to the host by a request source, a response message carrying verification data, and returning the response message to the request source; acquiring the request source's response to the response message, and judging whether the response contains response data for the verification data and whether the response data match the verification data; and retaining (not forwarding) the access request transmitted to the host by the request source if either judgment result is no. By means of this technical scheme the secure and reliable operation of the protection target host is guaranteed and network security is improved.

Description

Protection method and device for denial-of-service attacks
Technical field
The present invention relates to the field of Internet security, and in particular to a protection method and device for denial-of-service (DoS) attacks.
Background technology
A denial-of-service attack is an attempt by an attacker, by whatever means, to stop a target machine from providing service or from accessing resources; it is one of the attack methods most commonly used by hackers. A large number of requests beyond the target's response capacity is used to consume its resources, including disk space, memory, processes and even network bandwidth, thereby preventing normal users from gaining access. In serious cases some services may be suspended and the host may even crash.
As one kind of DoS attack, the CC attack (Challenge Collapsar) is a malicious attack that continuously sends connection requests to a website in order to cause a denial of service. Its principle is to simulate many users ceaselessly accessing pages that require large amounts of data processing, until the target host's server resources are exhausted and the machine goes down.
Because the access requests of a CC attack simulate those of real users, they are difficult to distinguish from legitimate traffic; the technical threshold for a CC attack is low, since it can be carried out with a few tools and a certain number of proxy IPs, and its effect is obvious.
In the prior art, the handling of DoS attacks, and CC attacks in particular, consists essentially of optimizing the target server: for example, forbidding access through proxies, limiting the number of connections, and making the website's pages static wherever possible. However, forbidding proxy access and limiting the number of connections affect normal users' access to the website, and because of restrictions of page type and content not every page can be made static, so this approach cannot completely eliminate the effect of a DoS attack.
Content of the invention
In view of the above problems, the present invention is proposed in order to provide a protection device for DoS attacks, and a corresponding protection method, which overcome the above problems or at least partly solve them. A further object of the present invention is to eliminate the effect of a DoS attack on the target host.
According to one aspect of the present invention, a protection method for DoS attacks is provided. The method comprises the following steps: obtaining a trigger event indicating that a host is under a DoS attack; generating, according to the access request sent by a request source to the host, a response message carrying verification data, and returning it to the request source; obtaining the request source's response to the response message, and judging whether the response contains response data for the verification data and whether the response data match the verification data; and, if either judgment result is no, retaining (holding back) the access request sent by the request source to the host.
Optionally, the trigger event is generated by: obtaining the access requests sent to the host; performing DoS-attack recognition on the access requests; and producing, according to the recognition result, the trigger event indicating that the host is under a DoS attack.
Optionally, if the response is judged to contain response data for the verification data and the response data match the verification data, the access request is allowed to be sent to the host.
Optionally, after the access request sent by the request source to the host has been retained, the access log of the request source is analyzed to determine the effectiveness of the protection applied to that request source.
Optionally, the verification data is a browser client information cookie, and the response data matching a response message carrying the cookie information is a request to jump to the host address that carries the cookie information.
Optionally, the verification data is a script file, and the response data matching a response message carrying the script file is the execution result of the script file.
Optionally, the verification data is image data, and the response data matching a response message carrying the image data is a request to jump to the host address that carries the text-recognition result of the image data.
According to another aspect of the present invention, a protection device for DoS attacks is also provided. The device comprises: an event acquisition module, for obtaining a trigger event indicating that a host is under a DoS attack; a response module, for generating, according to the access request sent by a request source to the host, a response message carrying verification data, and returning it to the request source; a judgment module, for obtaining the request source's response to the response message and judging whether the response contains response data for the verification data and whether the response data match the verification data; and an execution module, for retaining the access request sent by the request source to the host when either judgment result is no.
Optionally, the event acquisition module is configured to: obtain the access requests sent to the host; perform DoS-attack recognition on the access requests; and produce, according to the recognition result, the trigger event indicating that the host is under a DoS attack.
Optionally, the execution module is further configured to allow the access request to be sent to the host when the judgment result of the judgment module is yes.
Optionally, the protection device further comprises a log analysis module, for analyzing the access log of the request source to determine the effectiveness of the protection applied to that request source.
Optionally, the verification data carried in the response message returned by the response module is any one of: a browser client information cookie, a script file, or image data.
When it is determined that the protection target host is under a DoS attack, the protection method and device of the present invention return verification information to the attack source and, where the verification response does not meet expectations, ignore the request. The protection target host can thus be guaranteed to operate reliably and to provide its service to normal users, so that its safe and reliable operation is ensured and network security is improved.
Further, the feedback and verification of the verification information is carried out using several cooperating methods, forming a multi-level protection.
Further, the attack source of a DoS attack is identified according to the attack signature of the DoS attack and the access characteristics of the protection target host, reducing the impact on normal access as far as possible and improving the user experience.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practiced according to the content of the description, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
From the following detailed description of specific embodiments of the present invention with reference to the accompanying drawings, the above and other objects, advantages and features of the present invention will become clearer to those skilled in the art.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a schematic diagram of the network application environment of a DoS-attack protection device 200 according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the DoS-attack protection device 200 according to an embodiment of the present invention; and
Fig. 3 is a schematic diagram of the DoS-attack protection method according to an embodiment of the present invention.
Specific embodiments
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the description of a particular language above is given to disclose the best mode of the present invention.
Fig. 1 is a schematic diagram of the network application environment of the DoS-attack protection device 200 according to an embodiment of the present invention. In the figure, when a web client 110 accesses a target website, the domain name entered is resolved by the domain name resolution system to the address of a corresponding node server 120 of the web protection system, deployed in machine rooms in various locations; node server 120 sends the access request over the Internet to the host 140 of the target website. A web application firewall 130 (Web Application Firewall, WAF) is deployed in front of host 140, so that every access request sent to target host 140 must pass through WAF 130 before reaching target host 140. WAF 130 acts as the website firewall and provides website acceleration and caching; it prevents hackers from intruding into the website through vulnerabilities such as cross-site attacks and injection, protects the website against tampering and intrusion, and improves the security of the website host. The protection device 200 of the embodiment of the present invention is data-connected to multiple WAFs 130 and identifies the attack source of a DoS attack according to the access requests to target host 140 received by the WAFs 130.
DoS attacks take several forms: a single Internet Protocol (IP) address attacking a single URL (Uniform Resource Locator) of a host; multiple IPs attacking a single URL; a single IP attacking multiple URLs; and multiple IPs attacking multiple URLs.
The DoS-attack protection device 200 of the embodiment of the present invention and the corresponding protection method can provide security protection against all of these types of DoS attack.
Fig. 2 is a schematic diagram of the DoS-attack protection device 200 according to an embodiment of the present invention. In general terms the protection device 200 may comprise an event acquisition module 210, a response module 220, a judgment module 230 and an execution module 240; in some optimized schemes a log analysis module 250 may additionally be provided.
Among these components, event acquisition module 210 is used to obtain the trigger event indicating that the host is under a DoS attack; response module 220 is used to generate, according to the access request sent by the request source to the host, a response message carrying verification data, and to return it to the request source; judgment module 230 is used to obtain the request source's response to the response message and to judge whether the response contains response data for the verification data and whether the response data match the verification data; and execution module 240 is used to retain the access request sent by the request source to the host when either judgment result is no.
Event acquisition module 210 can determine from the requests made to the protection target host whether a DoS attack is occurring. One optional configuration of event acquisition module 210 is: obtain the access requests sent to the host; perform DoS-attack recognition on the access requests; and produce, according to the recognition result, the trigger event indicating that the host is under a DoS attack. Such trigger events may include a sharp rise in the traffic to the target host or abnormal traffic to a particular URL.
If the judgment result of judgment module 230 is yes, the requester has passed verification, and execution module 240 can allow the access request to be sent to the host.
To verify its protection effect, the protection device 200 of this embodiment may also use log analysis module 250 to analyze the access log of the request source, in order to determine the effectiveness of the protection applied to that request source.
The verification data carried in the response message returned by response module 220 is any one of: a browser client information cookie, a script file, or image data.
When the verification data is a browser client information cookie, the normal behaviour of a request sender, after it obtains the cookie, is to resend to WAF 130 a request to jump to the host address carrying that cookie information; if the request returned by the request sender does not process the cookie, the request sender's requests can be considered attack behaviour.
When the verification data is a JavaScript script file, the normal behaviour of a request sender, after it obtains the JavaScript, is to execute it and return the execution result of the script; if the request returned by the request sender shows that the JavaScript was not executed, the request sender's requests can likewise be considered attack behaviour.
Image verification data is also an effective protection method. For example, when the current traffic exceeds the threshold, an image can be sent to every request sender, in the manner of a verification code (CAPTCHA); the requester must enter the text or other content contained in the image and feed it back to the target host, and if the recognition result corresponds to the image, the current access is shown to be normal access.
The three methods above may be used selectively or in combination. For example, using a cookie as the verification information consumes the least resources and completes verification without any interference to normal users, but it is easily bypassed by an attacker. When log analysis module 250 determines through analysis that the cookie verification is being bypassed, script file verification is enabled; if the script file verification is bypassed in turn, image verification is enabled. Because image verification requires the user to act, it interferes with normal users, but its verification effect is better. Through such a multi-level protection mechanism the protection performance against DoS attacks can be improved.
The embodiment of the present invention also provides a protection method for DoS attacks, which may be performed by the protection device 200 of the embodiment above in order to guard against DoS attacks. Fig. 3 is a schematic diagram of the DoS-attack protection method according to an embodiment of the present invention; the method comprises the following steps:
Step S302: obtain the trigger event indicating that the host is under a DoS attack;
Step S304: generate, according to the access request sent by the request source to the host, a response message carrying verification data, and return it to the request source;
Step S306: obtain the request source's response to the response message;
Step S308: judge whether the response contains response data for the verification data and whether the response data match the verification data;
Step S310: if either judgment result of step S308 is no, retain the access request sent by the request source to the host.
If the judgment result of step S308 is yes, the access request sent by the request source to the host is passed on to the protection target host.
The trigger event obtained in step S302 is generated by: obtaining the access requests sent to the host; performing DoS-attack recognition on the access requests; and producing, according to the recognition result, the trigger event indicating that the host is under a DoS attack.
Preferably, after step S310 the access log of the request source may also be analyzed, to determine the effectiveness of the security protection.
The verification data carried in the response message generated in step S304 is any one of: a browser client information cookie, a script file, or image data.
When the verification data is a browser client information cookie, the normal behaviour of a request sender, after it obtains the cookie, is to resend to WAF 130 a request to jump to the host address carrying that cookie information; if the request returned by the request sender does not process the cookie, the request sender's requests can be considered attack behaviour.
When the verification data is a JavaScript script file, the normal behaviour of a request sender, after it obtains the JavaScript, is to execute it and return the execution result of the script; if the request returned by the request sender shows that the JavaScript was not executed, the request sender's requests can likewise be considered attack behaviour.
Image verification data is also an effective protection method. For example, when the current traffic exceeds the threshold, an image can be sent to every request sender, in the manner of a verification code (CAPTCHA); the requester must enter the text or other content contained in the image and feed it back to the target host, and if the recognition result corresponds to the image, the current access is shown to be normal access.
The three methods above may be used selectively or in combination. For example, using a cookie as the verification information consumes the least resources and completes verification without any interference to normal users, but it is easily bypassed by an attacker. When further analysis of the access log determines that the cookie verification is being bypassed, script file verification is enabled; if the script file verification is bypassed in turn, image verification is enabled. Because image verification requires the user to act, it interferes with normal users, but its verification effect is better. Through such a multi-level protection mechanism the protection performance against DoS attacks can be improved.
The implementation flow of the DoS-attack protection method of this embodiment is further described below, starting from the moment the traffic to the protection target host first becomes abnormal.
Under a DoS attack, the request volume received by protection target host 140 within a short period is significantly higher than the normal request volume, but the traffic volume differs from website to website. So that the threshold set for target protection host 140 fits the access capacity of that host, the threshold used to judge the request volume can be calculated dynamically by statistics. The statistical method may comprise: recording a first request volume at every first predetermined time period, to obtain multiple first request volumes; selecting multiple sample values from the multiple first request volumes according to a preset rule; calculating the mean of the multiple sample values; and setting the threshold according to the mean.
The sample values may be selected as follows: take the multiple first request volumes produced within a second predetermined time period, the second predetermined time period being an integer multiple of the first predetermined time period, and record the maximum of those first request volumes as the second request volume; derive a second request volume for each of several consecutive second predetermined time periods; and, after filtering out the data with the largest deviation from the multiple second request volumes, obtain the multiple sample values. The request volume threshold may then be the product of the summed-and-averaged sample values and a predetermined coefficient, where the value of the predetermined coefficient ranges from 1.05 to 1.3.
To guarantee recognition accuracy, the first and second predetermined time periods above were tested over a long time. If the first predetermined time period is set too short, its fluctuation is large and misrecognition occurs easily; if it is set too long, the fluctuation is smoothed out excessively and changes in the request volume cannot be reflected. From the results of extensive testing, the first predetermined time period may be set to 3 to 8 minutes, with an optimum of 5 minutes; that is, every 5 minutes the total number of access requests sent within those 5 minutes is determined as the first request volume.
To determine the request volume threshold above, the maximum access request volume under normal access must be determined. Because the access to a typical website fluctuates on a daily cycle, the second predetermined time period may be one day, so the sample selection process may be: obtain the first request volume for every 5 minutes within a day, giving 288 first request volumes, and select the maximum of them as the second request volume. The second request volume may be affected by abnormal factors that give some values a clearly large deviation, for example a statistics error on one day that makes the request volume zero, or a DoS attack on a certain day that makes the traffic increase; such data with obvious deviation, caused by abnormal access, need to be filtered out. One simple way of selecting the sample values from the second request volumes is: take the 30 second request volumes of the most recent 30 days, filter out the three largest and the three smallest, and use the remaining 24 second request volumes as the sample values. This is simple to calculate and highly effective. Alternatively, the sample values may be selected from the second request volumes by a variance method, deleting any second request volume whose variance exceeds a certain predetermined value.
The purpose of the predetermined coefficient is to reserve a certain margin on the website's request volume and prevent false blocking. The coefficient ranges from 1.05 to 1.3, and the optimum value generally chosen may be 1.2; that is, exceeding the maximum traffic of normal access by 20% is used as the condition for determining a DoS attack.
The request volume threshold determined above can be adjusted dynamically, for example by recalculating the threshold at a fixed time each day from the access data of the preceding 30 days, so that the judgment is more accurate; for instance, where a website's traffic gradually increases, the threshold can be raised dynamically, preventing misidentification of DoS attacks caused by business changes. The threshold calculation is also not limited to summing and averaging the sample values: any statistical calculation that can reflect the maximum normal traffic of the website may be used to calculate the threshold, summing and averaging being preferred in this embodiment merely because it requires the least calculation.
The first preset time, the second preset time and the predetermined coefficient above are empirical values obtained from network access statistics and can be adjusted flexibly as DoS attacks change.
The request volume data above is obtained in real time by statistical analysis of the running logs of all WAFs 130.
When the total request volume received by target host 140 within the first preset time exceeds the request volume threshold above, the host can be considered to be under a DoS attack, and the DoS protection mechanism provided by this embodiment is enabled.
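The threshold statistics described above, as an added Python example that is not code from the patent: 5-minute request counts (the first request volume) are rolled up into daily maxima (the second request volume), the three largest and three smallest of the last 30 daily maxima are filtered out, the remaining 24 are averaged, and the mean is multiplied by the coefficient 1.2. The daily maxima and timestamps are constructed sample data; the two outlier days stand for the statistics-error and attack-day cases the text mentions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

FIRST_PERIOD_MINUTES = 5   # first predetermined time period: 3 to 8 minutes, optimum 5
SAMPLE_DAYS = 30           # second request volumes kept: the most recent 30 days
TRIM = 3                   # drop the three largest and the three smallest daily maxima
COEFFICIENT = 1.2          # predetermined coefficient, allowed range 1.05 to 1.3


def first_request_volumes(timestamps):
    """Count access requests per 5-minute slot: the 'first request volume'.
    timestamps: datetimes of requests taken from the WAF running logs."""
    counts = Counter()
    for ts in timestamps:
        slot = ts.replace(minute=ts.minute - ts.minute % FIRST_PERIOD_MINUTES,
                          second=0, microsecond=0)
        counts[slot] += 1
    return counts


def second_request_volumes(first_volumes):
    """Maximum 5-minute count of each day: the 'second request volume'
    (the second period, one day, is an integer multiple of the first)."""
    daily = {}
    for slot, n in first_volumes.items():
        day = slot.date()
        daily[day] = max(daily.get(day, 0), n)
    return daily


def select_samples(daily_maxima, days=SAMPLE_DAYS, trim=TRIM):
    """Take the most recent `days` daily maxima and filter out the `trim`
    largest and `trim` smallest, which absorb days with abnormal deviation."""
    recent = [daily_maxima[d] for d in sorted(daily_maxima)[-days:]]
    if len(recent) <= 2 * trim:
        raise ValueError("not enough days of statistics to trim")
    ordered = sorted(recent)
    return ordered[trim:len(ordered) - trim]


def request_threshold(samples, coefficient=COEFFICIENT):
    """Threshold = mean of the sample values x predetermined coefficient."""
    if not 1.05 <= coefficient <= 1.3:
        raise ValueError("coefficient outside the 1.05 to 1.3 range")
    return mean(samples) * coefficient


def is_under_attack(current_first_volume, threshold):
    """Trigger event: the latest 5-minute total exceeds the dynamic threshold."""
    return current_first_volume > threshold


def constructed_daily_maxima():
    """Constructed sample: 30 daily maxima of 1000-1300 requests per 5 minutes,
    with one day of a statistics error (0) and one day under attack (25000)."""
    base = datetime(2024, 1, 1).date()
    maxima = {base + timedelta(days=i): 1000 + (i % 7) * 50 for i in range(30)}
    maxima[base + timedelta(days=10)] = 0
    maxima[base + timedelta(days=20)] = 25000
    return maxima


def constructed_timestamps():
    """Constructed sample: six requests spanning three 5-minute slots."""
    t0 = datetime(2024, 1, 31, 12, 0, 0)
    return [t0 + timedelta(seconds=s) for s in (0, 30, 299, 300, 301, 650)]


if __name__ == "__main__":
    samples = select_samples(constructed_daily_maxima())
    threshold = request_threshold(samples)
    print(f"{len(samples)} samples, threshold {threshold:.0f} requests per 5 minutes")
    latest = max(first_request_volumes(constructed_timestamps()).values())
    print("under attack:", is_under_attack(latest, threshold))
```

With the constructed data the zero day and the attack day both fall inside the trimmed tails, and the threshold comes out at 1360 requests per 5 minutes (mean 1133.3 times 1.2).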
First, cookie-bounce security protection is used: WAF 130 issues to every requester a forced jump instruction carrying a security-marker cookie, and monitors whether the requester's subsequent requests contain that security marker; if they do, the requester is considered to have passed verification, and the verified request can be sent from WAF 130 to target host 140. This method is relatively simple, however, and an attacker may be able to bypass it. It is therefore necessary to check the status codes and request volume of the subsequent requests in order to verify the effectiveness of the protection.
Second, JavaScript script file security protection is used: WAF 130 issues to every requester a JavaScript script file carrying a redirect command. Only after the requester receives and executes the script does the code in it, which includes a command to jump back to the specified address, take effect, and only when the other side's browser is a normal browser client will the browser execute the script and complete verification. However, the JS script is transmitted in plaintext and there is some risk of it being cracked, so the JS code needs to be updated periodically, while the effectiveness of the protection is verified by analyzing the status codes and request volume of the requests received.
Neither of the two methods above affects the user's experience. If both are cracked, image verification can be used for protection: an image is sent to every request sender in the manner of a verification code (CAPTCHA), the requester must enter the text or other content contained in the image and feed it back to the target host, and if the recognition result corresponds to the image the current access is shown to be normal access; otherwise the request is filtered out. This verification method needs the user's cooperation in order to provide protection.
The three verification methods above work in coordination, with progressively increasing protection strength, and improve the protection effect against DoS attacks.
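The three verification levels above, and the escalation between them that the log analysis module drives (also described for modules 220 to 250 and steps S304 to S310), as an added Python model that is not code from the patent: the WAF-side decision of step S310 is reduced to "forward", "retain" or a challenge, the security marker is an HMAC over the source address and current level (an added assumption; the patent only speaks of a security-marker cookie), and the cooperating browser and the non-cooperating source in `scenario()` are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    COOKIE = 1  # cookie bounce: cheapest, no interference with normal users
    SCRIPT = 2  # JavaScript challenge: needs a real browser to execute it
    IMAGE = 3   # picture challenge (verification-code style): needs the user to act


@dataclass
class Request:
    source_ip: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)  # content the requester typed and fed back


@dataclass
class Response:
    kind: str   # "set-cookie-jump", "script" or "image"
    data: dict


class ProtectionDevice:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # assumption: the WAF holds a secret signing key
        self.level = Level.COOKIE
        self.under_attack = False  # set by the trigger event (module 210 / step S302)
        self.challenged = set()    # request sources already sent verification data

    def marker(self, source_ip):
        """Security marker bound to the source and the current level (HMAC is an added assumption)."""
        msg = f"{source_ip}:{int(self.level)}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def respond(self, req):  # response module 220 / step S304
        m = self.marker(req.source_ip)
        self.challenged.add(req.source_ip)
        if self.level == Level.COOKIE:  # forced jump back, carrying the security-marker cookie
            return Response("set-cookie-jump", {"cookie": {"waf_mark": m}, "jump_to": req.url})
        if self.level == Level.SCRIPT:  # only a browser that runs the script sets the cookie
            js = f"document.cookie='waf_js={m}'; location.href='{req.url}';"
            return Response("script", {"js": js})
        # IMAGE: the user must type the text shown in the picture (the marker's first 6 chars)
        return Response("image", {"image": f"<constructed picture showing {m[:6]}>", "jump_to": req.url})

    def judge(self, req):  # judgment module 230 / steps S306, S308
        expected = self.marker(req.source_ip)
        if self.level == Level.COOKIE:
            got = req.cookies.get("waf_mark")
        elif self.level == Level.SCRIPT:
            got = req.cookies.get("waf_js")
        else:
            got, expected = req.form.get("captcha"), expected[:6]
        # both judgments of S308: response data present, and matching the verification data
        return got is not None and hmac.compare_digest(str(got), expected)

    def handle(self, req):  # execution module 240 / step S310
        """Returns "forward" (send to host), "retain" (hold back) or a challenge Response."""
        if not self.under_attack:
            return "forward"
        if req.source_ip not in self.challenged:
            return self.respond(req)
        return "forward" if self.judge(req) else "retain"

    def analyze_log(self, forwarded_in_period, threshold):  # log analysis module 250
        """If verified traffic still exceeds the request threshold, the check is being bypassed."""
        if forwarded_in_period > threshold and self.level < Level.IMAGE:
            self.level = Level(self.level + 1)
            self.challenged.clear()  # re-challenge every source at the stronger level
            return True
        return False


def scenario():
    """Constructed walk-through: a cooperating browser and a source that ignores challenges."""
    dev = ProtectionDevice()
    dev.under_attack = True                         # trigger event received
    browser, bot = Request("198.51.100.7", "/index"), Request("203.0.113.9", "/index")
    out = {}
    chal = dev.handle(browser)                      # cookie jump instruction
    browser.cookies.update(chal.data["cookie"])     # browser follows the jump with the cookie
    out["browser_cookie"] = dev.handle(browser)     # "forward"
    dev.handle(bot)
    out["bot_cookie"] = dev.handle(bot)             # no cookie handling -> "retain"
    out["escalated"] = dev.analyze_log(2000, 1360)  # cookie check bypassed -> SCRIPT level
    chal = dev.handle(browser)                      # script challenge
    browser.cookies["waf_js"] = chal.data["js"].split("'")[1].split("=")[1]  # script ran
    out["browser_script"] = dev.handle(browser)     # "forward"
    dev.handle(bot)
    out["bot_script"] = dev.handle(bot)             # "retain"
    dev.analyze_log(2000, 1360)                     # script check bypassed too -> IMAGE level
    dev.handle(browser)                             # picture challenge
    browser.form["captcha"] = dev.marker(browser.source_ip)[:6]  # user reads the picture
    out["browser_image"] = dev.handle(browser)      # "forward"
    return out
```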
To further reduce the impact of security protection on users and the consumption of protection device resources, the following two ways can also be used to identify the attack source and narrow the protection scope.
The first way is as follows:
After the request volume of the protection target host exceeds the request threshold described above, it is determined that an access event exists, and the attack source identification mechanism is started.
First, it is judged whether the total amount of access requests sent to destination host 140 within a third predetermined period exceeds a preset website security response threshold. If so, the abnormal response amount and the normal visit amount returned for access requests to host 140 are obtained, and it is judged whether the ratio of the abnormal response amount to the normal visit amount exceeds a preset response ratio threshold. The purpose of judging whether the total access requests sent to destination host 140 within the third period exceed the website security response threshold is to guarantee the operational stability of destination host 140: some small websites have low visit volumes and unstable service, and their abnormal responses are generally not caused by an attack; if the attack source identification step were triggered whenever such websites responded abnormally, protection device resources would be consumed.
Therefore, when monitoring the response condition, a survival mechanism must be set up, so that response abnormality events are monitored only for destination hosts 140 that have a certain visit volume. The third predetermined period is set according to the operating conditions of destination host 140; in general it can be set to 10 to 30 seconds, with 20 seconds being optimal. If within 20 seconds the total requests received by destination host 140 exceed the website security response threshold, and the ratio of abnormal responses to normal visits exceeds the preset response ratio threshold (a response ratio threshold of more than 50% can be taken as indicating a response abnormality; for example, if the abnormal response amount reaches 80% or more), it is determined that a response abnormality has occurred at destination host 140, and the attack source identification mechanism for the denial of service attack is triggered.
The value of the website security response threshold can be configured according to the request volume a typical website should be able to process normally, so as to ensure that the website's request volume is normal.
When a single attack source carries out a denial of service attack, the number of access requests the attack source IP sends to host 140 far exceeds the normal visit amount, so in this case the request count of the attack source far exceeds that of other normal request sources. Therefore, when the first visit amount is judged to account for a proportion of the total access requests exceeding a preset proportion, the request source corresponding to the first visit amount can be identified as the source of the denial of service attack. The preset proportion is an empirical value obtained by analysing the attack behaviour of denial of service attacks and can typically be set to around 80%; that is, if the trigger of an abnormal event is received and, within the preceding period, the request volume of a certain request source accounts for 80% of all requests, that request source can be identified as the attack source and security protection applied to it.
The identified attack source is protected using any one or more of the three protection methods above in combination, while normal request sources other than the attack source are not subjected to protective treatment, which improves the experience of normal users and saves protection device resources.
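The first way, the survival mechanism on the response ratio followed by the single-source share check, as an added example (not the patent's code). Parameter names and the constructed window of (source, status) pairs are assumptions; the abnormal-response ratio is taken over all responses in the window.

```python
from collections import Counter

# Parameter names are assumed; the values follow the ranges given in the description.
WINDOW_SECONDS = 20                      # third predetermined period (10-30 s, 20 s preferred)
SITE_SECURITY_RESPONSE_THRESHOLD = 300   # requests a normal site handles per window (constructed value)
RESPONSE_RATIO_THRESHOLD = 0.5           # abnormal responses / all responses in the window (assumption)
SOURCE_SHARE_THRESHOLD = 0.8             # share of requests from one source that marks it as the attack source


def response_anomaly(requests):
    """Survival mechanism: a host is judged only once it carries real traffic.

    `requests` is a list of (source_ip, status) tuples for one window; status 0 stands
    for a timed-out request. Returns True when the total exceeds the site security
    response threshold and the abnormal-response ratio exceeds the response ratio threshold.
    """
    total = len(requests)
    if total <= SITE_SECURITY_RESPONSE_THRESHOLD:
        return False                       # small or quiet site: abnormal responses are not judged
    abnormal = sum(1 for _, status in requests if status == 0 or status >= 500)
    return abnormal / total > RESPONSE_RATIO_THRESHOLD


def dominant_source(requests):
    """Return (source, share) for the busiest source in the window."""
    counts = Counter(src for src, _ in requests)
    src, n = counts.most_common(1)[0]
    return src, n / len(requests)


def identify_single_attack_source(requests):
    """Full first-way decision: None unless the window is anomalous and one source dominates."""
    if not response_anomaly(requests):
        return None
    src, share = dominant_source(requests)
    return src if share >= SOURCE_SHARE_THRESHOLD else None


def constructed_window(attack_source="198.51.100.7", attack_requests=900, normal_requests=100):
    """Build a synthetic window: one flooding source whose requests time out (status 0),
    plus background traffic from ten normal sources answered with 200. Constructed data."""
    window = [(attack_source, 0)] * attack_requests
    window += [(f"203.0.113.{i % 10 + 1}", 200) for i in range(normal_requests)]
    return window
```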
In addition, the second way is as follows:
This embodiment can also identify attack sources in the situation where many attack sources attack a single URL, so as to achieve targeted security protection. The concrete identification process includes:
obtaining a list of the access requests for the multiple uniform resource locators (URLs) of the destination host; querying the list to obtain a first URL, the first URL being the URL with the largest access request amount within a first predetermined period; querying the list to obtain the one or more request sources that sent the most requests to the first URL within a fourth predetermined period; judging whether the proportion of the total access request amount accounted for by the accesses received by the first URL exceeds a preset access proportion; judging whether the request amount of the request source with the largest access request amount exceeds a request threshold; and, if both judgement results are yes, determining that the request source is the attack source of the denial of service attack.
The access request list can be obtained as follows: the URL list is obtained from the running log file of WAF 130, for example by reading the running log file of the web application firewall WAF 130 that is connected to the data of the target host; the log file is analysed to obtain a list, which records, for each URL of the destination host, the inventory of request sources and the access request amount sent by each request source in the inventory. Table 1 shows the URL list obtained by the attack source identification device 200 of this embodiment from the WAF running log.
Table 1
As shown in Table 1, analysis of the log file finds that a certain host has multiple URLs, namely URL1, URL2, URL3, ...; within the first predetermined period, the request sources sending access requests to URL1 are IP1, IP2, IP3 and IP4; those sending access requests to URL2 are IP2, IP3 and IP4; and those sending access requests to URL3 are IP2 and IP3.
If the access request amount of URL1 is the largest within the fourth predetermined period, URL1 is taken as the first URL. The one or more IPs that currently request URL1 the most are then determined, and it is judged whether the proportion of URL1's requests among all URL requests of the host exceeds the preset request proportion, and whether the visit amount of the one or more IPs requesting URL1 the most exceeds the preset request threshold. If both judgement results are yes, the request sources corresponding to the one or more IPs requesting URL1 the most are determined to be suspected attack sources.
The preset request proportion above is an empirical value obtained by analysing the attack behaviour of denial of service attacks and can generally be set to 80% to 90%; that is, when the request amount received by one URL accounts for the overwhelming majority of the host's requests, that URL can be considered to be under attack.
The preset request threshold above can be set to a fixed value, but in order to suit the request situations of different hosts and dynamically changing request volumes, one setting method is: divide a preset base value by the proportion, add the quotient to a preset false-blocking allowance, and take the sum as the request threshold. For example, the formula for the preset threshold is:
Threshold = preset base value / proportion + false-blocking allowance
With a preset base value of 100 and a preset false-blocking allowance of 100, if the request amount received by the first URL reaches 90% of the host's total requests, the threshold is 100/90% + 100 = 211.1; thus a request source that sends more than 211 requests to the first URL is considered to be suspected of attack.
The preset base value and preset false-blocking allowance above can be set flexibly according to the actual access situation of the host; the concrete values above are only examples.
After the suspected attack sources are determined, they can be analysed further to determine whether a suspected attack source is a real attack source. The concrete analysis method can be: judge whether the current suspected attack source also requested other URLs of the host besides the first URL; if it did, then according to the attack characteristics of denial of service attacks, the suspected attack source is not a real attack source. Specifically, it can be judged whether the suspected attack source accessed more than 2 URLs of the host within a period of time, that is, whether its attack is concentrated; if it accessed more than 2 URLs, the suspected attack source can be excluded. If the suspected attack source only sent requests to the first URL, it can be determined to have carried out a denial of service attack, and security protection is applied to that attack source directly.
In order to identify the attack source as early as possible after a denial of service attack occurs, the fourth predetermined period above can be set to 10 to 30 seconds; that is, the attack source is identified and handled within 1 minute of the attack starting, which greatly improves the efficiency of security protection against denial of service attacks.
The protection method and device for denial of service attacks of the embodiments of the present invention return verification information to the attack source when it is determined that the protection target host is under a denial of service attack, and ignore the request information when the verification information is not satisfied, so that the protection target host is guaranteed to run reliably and provide its service to normal users. This ensures the safe and reliable operation of the protection target host and improves network security.
Further, the feedback and verification of the verification information are carried out by combining multiple ways, forming multi-level protection means.
Further, the attack source of the denial of service attack is identified according to the attack characteristics of denial of service attacks and the access characteristics of the protection target host, which minimises the impact on normal access and improves the user experience.
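The second way, from the WAF log to the Table 1 style list, the share check, the threshold formula and the exclusion of sources that touch more than 2 URLs, as an added example (not the patent's code). The log line format, the IPs and URLs, and the function names are constructed for the example; the page's own worked value 100/90% + 100 = 211.1 is checked by the test.

```python
from collections import Counter, defaultdict

# Constructed WAF-style access log for one fourth predetermined period, one line per request:
# "<epoch> <source_ip> <method> <url> <status>". Sources and URLs are made up.
LOG_LINES = (
    ["1387520000 198.51.100.7 GET /login 503"] * 300
    + ["1387520001 198.51.100.8 GET /login 503"] * 250
    + ["1387520002 198.51.100.9 GET /login 503"] * 230   # heavy, but also touches other URLs
    + ["1387520003 198.51.100.9 GET /index 200"] * 5
    + ["1387520004 198.51.100.9 GET /about 200"] * 5
    + ["1387520005 203.0.113.1 GET /index 200"] * 40
    + ["1387520006 203.0.113.2 GET /login 200"] * 30
    + ["1387520007 203.0.113.3 GET /about 200"] * 20
)


def build_url_table(lines):
    """Table 1 equivalent: url -> Counter(source_ip -> request count)."""
    table = defaultdict(Counter)
    for line in lines:
        _, src, _, url, _ = line.split()
        table[url][src] += 1
    return table


def request_threshold(base, share, allowance):
    """Threshold = preset base value / proportion + false-blocking allowance."""
    return base / share + allowance


def identify_url_attack_sources(lines, share_threshold=0.9, base=100, allowance=100, max_urls=2):
    """Second-way decision over one window of log lines.

    Returns the first URL, its share of the host's requests, the dynamic threshold and the
    sorted attack sources: sources above the threshold on the first URL that did not
    access more than `max_urls` URLs (the concentration check from the description).
    """
    result = {"url": None, "share": 0.0, "threshold": None, "attack_sources": []}
    table = build_url_table(lines)
    total = sum(sum(c.values()) for c in table.values())
    if total == 0:
        return result
    first_url, counts = max(table.items(), key=lambda kv: sum(kv[1].values()))
    result["url"] = first_url
    result["share"] = sum(counts.values()) / total
    if result["share"] < share_threshold:
        return result                      # no single URL dominates: nothing to identify
    result["threshold"] = request_threshold(base, result["share"], allowance)
    urls_per_source = Counter()
    for c in table.values():
        for src in c:
            urls_per_source[src] += 1
    result["attack_sources"] = sorted(
        src for src, n in counts.items()
        if n > result["threshold"] and urls_per_source[src] <= max_urls
    )
    return result
```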
Numerous specific details are set forth in the description provided here. It will be understood, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, the features of the present invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of the exemplary embodiments above. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can also be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the denial of service attack protection device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Thus, although those skilled in the art will appreciate that multiple exemplary embodiments of the present invention have been illustrated and described in detail herein, many other variations or modifications consistent with the principles of the invention can still be determined or derived directly from the present disclosure without departing from the spirit and scope of the invention. Therefore, the scope of the present invention should be understood and deemed to cover all such other variations or modifications.

Claims (9)

1. A protection method for denial of service attacks, comprising:
obtaining a trigger event that a host is suffering a denial of service attack;
generating, according to an access request sent by a request source to the host, a response message carrying verification data, and returning it to the request source;
obtaining the response of the request source to the response message, and judging whether the response contains response data for the verification data and whether the response data matches the verification data;
if either judgement result is no, retaining the access request sent by the request source to the host,
and, after retaining the access request sent by the request source to the host, further comprising: analysing the access log of the request source to determine the effectiveness of the protection against the request source, wherein
the verification data comprises browser client information (cookie), a script file and image data, and
after analysis of the access log determines that the cookie verification has been bypassed, script file verification is enabled, and after it is determined that the script file verification has been bypassed, image data verification is enabled.
2. The method according to claim 1, wherein the step of generating the trigger event comprises:
obtaining the access requests sent to the host;
performing denial of service attack identification on the access requests, and generating, according to the result of the denial of service attack identification, the trigger event that the host is suffering a denial of service attack.
3. The method according to claim 1, wherein, if it is judged that the response contains response data for the verification data and the response data matches the verification data, the access request is allowed to be sent to the host.
4. The method according to any one of claims 1 to 3, wherein, when the verification data is browser client information (cookie), the response data matching the response message carrying the cookie information is a request that carries the cookie information and redirects to the host address.
5. The method according to any one of claims 1 to 3, wherein, when the verification data is a script file, the response data matching the response message carrying the script file is the execution result of the script file.
6. The method according to any one of claims 1 to 3, wherein, when the verification data is image data, the response data matching the response message carrying the image data is a request that carries the text recognition result of the image data and redirects to the host address.
7. A protection device for denial of service attacks, comprising:
an event acquisition module, for obtaining a trigger event that a host is suffering a denial of service attack;
a response module, for generating, according to an access request sent by a request source to the host, a response message carrying verification data, and returning it to the request source;
a judgement module, for obtaining the response of the request source to the response message, and judging whether the response contains response data for the verification data and whether the response data matches the verification data;
an execution module, for retaining the access request sent by the request source to the host when either judgement result is no;
a log analysis module, for analysing the access log of the request source to determine the effectiveness of the protection against the request source, wherein
the verification data comprises browser client information (cookie), a script file and image data, and
after the log analysis module determines by analysing the access log that the cookie verification has been bypassed, script file verification is enabled, and after it is determined that the script file verification has been bypassed, image data verification is enabled.
8. The device according to claim 7, wherein the event acquisition module is configured to:
obtain the access requests sent to the host; perform denial of service attack identification on the access requests, and generate, according to the result of the denial of service attack identification, the trigger event that the host is suffering a denial of service attack.
9. The device according to claim 7, wherein the execution module is further configured to allow the access request to be sent to the host when the judgement result of the judgement module is yes.
CN201310713371.XA 2013-12-20 2013-12-20 Protection method and device for denial of service attack Active CN103685293B (en)

Publications (2)

Publication Number Publication Date
CN103685293A CN103685293A (en) 2014-03-26
CN103685293B true CN103685293B (en) 2017-05-03

Legal Events

Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right. Effective date of registration: 20161122. Address after: 100015 Chaoyang District Road, Jiuxianqiao, No. 10, building No. 3, floor 15, floor 17, 1701-26. Applicant after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicants before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.
GR01 Patent grant
CP03 Change of name, title or address. Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088. Patentee after: Qianxin Technology Group Co.,Ltd. Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing. Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right. Effective date of registration: 20210107. Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing. Patentees after: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.; Qianxin Technology Group Co.,Ltd. Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088. Patentee before: Qianxin Technology Group Co.,Ltd.
CP03 Change of name, title or address. Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032. Patentees after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.; Qianxin Technology Group Co.,Ltd. Address before: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing. Patentees before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.; Qianxin Technology Group Co.,Ltd.