CN106357628B - The defence method and device of attack - Google Patents


Info

Publication number
CN106357628B
Authority
CN
China
Prior art keywords
address
suspicious user
attack
preset
user
Legal status
Active
Application number
CN201610783731.7A
Other languages
Chinese (zh)
Other versions
CN106357628A (en)
Inventor
杨枭
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention discloses an attack defense method and device, relating to the technical field of network security and intended to improve the accuracy of attack defense. The main technical scheme of the invention is as follows: suspicious-user Internet Protocol (IP) addresses in session information are identified by a preset threshold value, the session information including user IP addresses; attack IP addresses are filtered out of the suspicious-user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious-user IP addresses; attack IP addresses are filtered out of the first remaining suspicious-user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious-user IP addresses; attack IP addresses are filtered out of the second remaining suspicious-user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious-user IP addresses; and the service requests sent from the attack IP addresses are refused. The invention is mainly used for defending against attacks.

Description

The defence method and device of attack
Technical field
The present invention relates to the technical field of network security, and in particular to an attack defense method and device.
Background technique
The essential attributes of network security are mainly confidentiality, integrity, legitimacy and availability, and an attacker's aim is precisely to destroy these attributes by every available means. The purpose of a distributed denial of service (DDoS) attack is to destroy the availability of the network. Among DDoS attacks, HTTP Flood (request flooding attack) is currently a common mode. It is an attack launched against application-layer WEB services: the attacker imitates the browsing behavior of normal users and sends a large number of service requests to the WEB server under attack. Once the target WEB server is attacked, the attacked WEB front end responds slowly, and the processing pressure on back-end business logic layers such as Java and on the back-end database increases.
Currently, HTTP Flood attacks are defended against by counting the HTTP (Hypertext Transfer Protocol) requests issued by a user, that is, by forbidding the access behavior of any user whose number of HTTP requests in a unit time exceeds a threshold value. In practice, however, there are normal users whose number of HTTP requests also exceeds the threshold value, and this approach blocks their access behavior as well. The rate at which this approach wrongly blocks normal users is therefore high, and the defense accuracy of existing attack defense methods is low.
Summary of the invention
In view of this, the present invention provides an attack defense method and device, the main purpose of which is to improve the accuracy of attack defense.
According to one aspect of the present invention, an attack defense method is provided, comprising:
identifying suspicious-user Internet Protocol (IP) addresses in session information by a preset threshold value, the session information including user IP addresses;
filtering attack IP addresses out of the suspicious-user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious-user IP addresses;
filtering attack IP addresses out of the first remaining suspicious-user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious-user IP addresses;
filtering attack IP addresses out of the second remaining suspicious-user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious-user IP addresses;
refusing the service requests sent from the attack IP addresses.
Specifically, identifying the suspicious-user IP addresses in the session information by the preset threshold value comprises:
obtaining from the session information the number of service requests sent from each user IP address in a unit time;
determining a user IP address whose number of service requests sent in the unit time is greater than a first preset threshold value to be a suspicious-user IP address.
Further, after determining a user IP address whose number of service requests sent in the unit time is greater than the first preset threshold value to be a suspicious-user IP address, the method further comprises:
obtaining the user IP addresses whose number of service requests sent in the unit time is less than or equal to the first preset threshold value;
counting, among the obtained user IP addresses, the number of service requests for each identical user IP address;
determining a user IP address whose counted number of service requests is greater than a second preset threshold value to be a suspicious-user IP address.
Specifically, filtering attack IP addresses out of the first remaining suspicious-user IP addresses by means of the service request information in the session information and obtaining second remaining suspicious-user IP addresses comprises:
filtering the attack IP addresses out of the first remaining suspicious-user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious-user IP addresses as first suspicious-user IP addresses;
filtering out of the first suspicious-user IP addresses, according to a preset URL path, those suspicious-user IP addresses whose requested URL is incorrect, and taking the filtered first suspicious-user IP addresses as second suspicious-user IP addresses;
filtering out of the second suspicious-user IP addresses, according to a preset URL jump relationship, those suspicious-user IP addresses whose requested URL jump relationship is incorrect, and taking the filtered second suspicious-user IP addresses as third suspicious-user IP addresses;
filtering out of the third suspicious-user IP addresses, according to a preset server host field, those suspicious-user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious-user IP addresses as fourth suspicious-user IP addresses;
filtering out of the fourth suspicious-user IP addresses, according to a preset URL length, those suspicious-user IP addresses whose requested URL length is incorrect.
Specifically, filtering attack IP addresses out of the second remaining suspicious-user IP addresses according to the preset script program comprises:
sending the preset script program to the clients corresponding to the second remaining suspicious-user IP addresses, so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious-user IP address corresponding to that client to be an attack IP address.
Further, after determining the suspicious-user IP address corresponding to a client that executes the preset script program incorrectly to be an attack IP address, the method further comprises:
if there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious-user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious-user IP address corresponding to the client that executed the preset script program correctly to be a trusted-user IP address.
Further, the method further comprises:
storing the suspicious-user IP addresses determined to be attack IP addresses into the preset attack IP address library.
According to another aspect of the present invention, an attack defense device is provided, comprising:
a recognition unit, for identifying suspicious-user Internet Protocol (IP) addresses in session information by a preset threshold value, the session information including user IP addresses;
a first filter unit, for filtering attack IP addresses out of the suspicious-user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious-user IP addresses;
a second filter unit, for filtering attack IP addresses out of the first remaining suspicious-user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious-user IP addresses;
a third filter unit, for filtering attack IP addresses out of the second remaining suspicious-user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious-user IP addresses;
a refusal unit, for refusing the service requests sent from the attack IP addresses.
Specifically, the recognition unit comprises:
an acquisition module, for obtaining from the session information the number of service requests sent from each user IP address in a unit time;
a determining module, for determining a user IP address whose number of service requests sent in the unit time is greater than a first preset threshold value to be a suspicious-user IP address.
Further, the recognition unit further comprises:
the acquisition module, further used to obtain the user IP addresses whose number of service requests sent in the unit time is less than or equal to the first preset threshold value;
a statistical module, for counting, among the obtained user IP addresses, the number of service requests for each identical user IP address;
the determining module, further used to determine a user IP address whose counted number of service requests is greater than a second preset threshold value to be a suspicious-user IP address.
Specifically, the second filter unit comprises:
a first filtering module, for filtering the attack IP addresses out of the first remaining suspicious-user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious-user IP addresses as first suspicious-user IP addresses;
a second filtering module, for filtering out of the first suspicious-user IP addresses, according to a preset URL path, those suspicious-user IP addresses whose requested URL is incorrect, and taking the filtered first suspicious-user IP addresses as second suspicious-user IP addresses;
a third filtering module, for filtering out of the second suspicious-user IP addresses, according to a preset URL jump relationship, those suspicious-user IP addresses whose requested URL jump relationship is incorrect, and taking the filtered second suspicious-user IP addresses as third suspicious-user IP addresses;
a fourth filtering module, for filtering out of the third suspicious-user IP addresses, according to a preset server host field, those suspicious-user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious-user IP addresses as fourth suspicious-user IP addresses;
a fifth filtering module, for filtering out of the fourth suspicious-user IP addresses, according to a preset URL length, those suspicious-user IP addresses whose requested URL length is incorrect.
Specifically, the third filter unit comprises:
a sending module, for sending the preset script program to the clients corresponding to the second remaining suspicious-user IP addresses, so that the clients execute the preset script program;
a determining module, for determining, if there is a client that executes the preset script program incorrectly, the suspicious-user IP address corresponding to that client to be an attack IP address.
The sending module is further used to send, if there is a client that executes the preset script program correctly, verification information to that client, so that the client receives a verification code entered according to the verification information;
the determining module is further used to determine, if the verification code does not correspond to the verification information, the suspicious-user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
the determining module is further used to determine, if the verification code corresponds to the verification information, the suspicious-user IP address corresponding to the client that executed the preset script program correctly to be a trusted-user IP address.
Further, the device further comprises:
a storage unit, for storing the suspicious-user IP addresses determined to be attack IP addresses into the preset attack IP address library.
By means of the above technical solution, the technical solution provided in the embodiments of the present invention has at least the following advantages:
The attack defense method and device provided in the embodiments of the present invention first identify the suspicious-user IP addresses in session information by a preset threshold value, the session information including user IP addresses; then filter attack IP addresses out of the suspicious-user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious-user IP addresses; then filter attack IP addresses out of the first remaining suspicious-user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious-user IP addresses, and filter attack IP addresses out of the second remaining suspicious-user IP addresses according to a preset script program; and finally refuse the service requests sent from the attack IP addresses. Compared with the current practice of defending against HTTP Flood attacks according to the number of requests issued in a unit time, the embodiments of the present invention defend against HTTP Flood attacks in a layered manner: the suspicious-user IP addresses in the session information are first identified by a preset threshold value, attack IP addresses are then filtered out of the suspicious-user IP addresses layer by layer according to, in turn, the preset attack IP address library, the service request information and the preset script program, and attack defense is realized by refusing the service requests sent from the attack IP addresses. The embodiments of the present invention can therefore improve the accuracy of attack defense.
The above description is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be made clearer and more comprehensible, specific embodiments of the present invention are given below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals are used to refer to the same parts. In the drawings:
Fig. 1 shows a flowchart of an attack defense method provided in an embodiment of the present invention;
Fig. 2 shows a structural block diagram of an attack defense device provided in an embodiment of the present invention;
Fig. 3 shows a structural block diagram of another attack defense device provided in an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to accompanying drawings.Although showing the disclosure in attached drawing Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure It is fully disclosed to those skilled in the art.
The embodiment of the invention provides a kind of defence methods of attack, as shown in Figure 1, this method comprises:
101, the suspicious user Internet protocol IP address in session information is identified by preset threshold value.
It wherein, include IP address in the session information.Session information, that is, Session information, is user and WEB Interactive information between (World Wide Web, WWW) server is the relevant information based on data stream connection, can Doubtful IP address can be with the IP address for trusted users or attack user.
It should be noted that the number that normal users send service request within the unit time can all have a threshold value, if The number that some user sends service request within the unit time does not meet this threshold value, illustrates that the user is possible to use for attack Family, so needing the corresponding IP address of the user being determined as suspicious user IP address.Therefore the embodiment of the present invention passes through preset Threshold value identifies the suspicious user IP address in session information, and the preset threshold value can be according to the characteristics of WEB server and just common The internet behavior at family determines, can specifically be determined according to the request number of times sent in the normal users unit time to purpose IP address pre- The size for setting threshold value then can will be preset if the request number of times sent in normal users 1 minute to purpose IP address is less than or equal to 5 Threshold value is set as 5, can be by the user couple if user was greater than 5 to the number that purpose IP address sends service request in 1 minute The IP address answered is determined as suspicious user IP address.
102, attack IP address is filtered in suspicious user IP address according to preset attack IP address library, it is remaining to obtain first Suspicious user IP address.
Wherein, the preset attack IP address library is pre-configured, in preset attack IP address library comprising it is all Determining attack IP address.If suspicious user IP address occurs in preset attack IP address library, by suspicious user IP Location is determined as attacking IP address, and the attack IP address in suspicious user IP address is filtered out, then will be filtered suspicious IP address is determined as the first remaining suspicious user IP address;If suspicious user IP address is in preset attack IP address library Do not occur, then further mistake is carried out to the first remaining suspicious user IP address by the service request information in step 103 Filter, to filter out the attack IP address determined by service request information.
103, through the service request information in the session information from the described first remaining suspicious user IP address Filtering attack IP address, obtains the second remaining suspicious user IP address.
Wherein, the service request information is specifically as follows URL (the Uniform Resource of user's request Locator, uniform resource locator), information, the embodiment of the present invention such as host field be not specifically limited.Implement in the present invention In example, specifically relationship, preset service device host can be jumped according to preset request URL amount threshold, the preset path URL, preset URL The information such as field, preset URL length filter attack IP address from the first remaining suspicious user IP address.I.e. by the first residue Suspicious user IP address in URL request discrepancy of quantity closes preset request URL amount threshold, the URL of request is not preset URL Path, request URL jump relationship do not meet preset URL jump relationship, request server host field do not meet it is preset The suspicious user IP address that the length violation of server host field and request URL closes preset URL length is determined as attacking IP Address, and the IP address that will determine as attack is filtered out from the first remaining suspicious user IP address, it finally will be filtered First remaining suspicious user IP address is determined as the second remaining suspicious user IP address.
104, attack IP address is filtered from the described second remaining suspicious user IP address according to preset script program.
Wherein, the preset script program is for determining the attack for including in the described second remaining suspicious user IP address IP address, preset script program are javascript step program, and client determines suspicious use by executing preset script program Whether family IP address is that attack IP address will be corresponding with client suspicious if client executing preset script program error IP address is attack IP address;If client executing preset script program is correct, further verified by human-computer interaction Code mode judge suspicious user IP address be for attack IP address, if client input identifying code mistake, will be with client Corresponding suspicious user IP address is determined as attacking IP address, will be with client pair if the identifying code of client input is correct The suspicious user IP address answered is determined as trusted IP address.
105, refuse the service request sent by the attack IP address.
A kind of defence method of attack provided in an embodiment of the present invention, attacks HTTP Flood by the way of layering It hits and is on the defensive, i.e., the suspicious user IP address in session information is identified by preset threshold value first, then successively according to preset Attack IP address library, service request information, preset script program filter out attack IP address layer by layer from suspicious user IP address, And attack defending is realized by the service request that refusal attack IP address is sent.Since meeting can be quickly recognized by preset threshold value Talk about information in suspicious user IP address, and according to the speed of filtering sequence pass sequentially through preset attack IP address library, service is asked It asks information, preset script program to be filtered the attack IP address in suspicious user IP address, can be improved and determine attack IP's Efficiency, so that the accuracy rate and efficiency of attack defending can be improved through the embodiment of the present invention.
In order to preferably be illustrated to the defence method of attack provided in an embodiment of the present invention, following embodiment will be directed to Above steps is refined and is extended.
Specifically, step 101 identifies that the suspicious user IP address in session information includes: from the meeting by preset threshold value Talk about the number for obtaining in information and sending service request in the unit time by the IP address;It will be sent out in the unit time The IP address for sending the number of service request to be greater than the first preset threshold value is determined as the suspicious user IP address.Wherein, One preset threshold value determines that user sends out in 1 minute if normal according to the service request number sent in the normal users unit time The service request number sent is 10, then 10 can be set by the first preset threshold value, if user sends service request in 1 minute Number is greater than 10, then the corresponding IP address of the user can be determined as suspicious user IP address.
Further, the IP address for the number that service request is sent in the unit time being greater than the first preset threshold value is true It is set to after the suspicious user IP address, the method also includes: obtain time that service request is sent in the unit time Number is less than or equal to the IP address of the first preset threshold value;Same subscriber IP is counted from the IP address of the acquisition The service request number of location;The IP address that the service request number is greater than the second preset threshold value is determined as described suspicious IP address.
It should be noted that since the corresponding IP address of user in same local area network is identical, and corresponding session information Difference, therefore attacker is launched a offensive by more terminal devices in local area network to WEB server in order to prevent, needs to count Then service request number is greater than the second preset threshold value by the service request number of same subscriber IP address in IP address IP address is determined as suspicious user IP address.Wherein, the second preset threshold value is normally sent out according in the unit time in local area network The service request number that send and determine.For example, with getting three identical User IPs within the unit time by session information Location, they to WEB server send service request number be respectively 10,15,20, the IP address send service request Number adds up to 45, if the second preset threshold value is 30, IP address can be determined as to suspicious user IP address.
Specifically, in step 103, filtering attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, to obtain the second remaining suspicious user IP addresses, comprises: filtering the attack IP addresses from the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses; filtering out, according to a preset URL path, those first suspicious user IP addresses whose requested URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses; filtering out, according to a preset URL jump relationship, those second suspicious user IP addresses whose requested URL jump relationship is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses; filtering out, according to a preset server host field, those third suspicious user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses; and filtering out, according to a preset URL length, those fourth suspicious user IP addresses whose requested URL length is incorrect.
The request URL quantity threshold is determined from the number of times a normal user requests the same URL within a unit time. If the number of requests for the same URL by user A within a unit time exceeds the preset request URL quantity threshold, the IP address corresponding to user A is determined to be an attack IP address, and the determined attack IP address is filtered out of the first remaining suspicious user IP addresses. The preset URL path is configured in advance in the WEB server; if the URL requested by a user is not a URL path configured in the WEB server, the IP address corresponding to that user is determined to be an attack IP address and is filtered out of the first suspicious user IP addresses. The preset URL jump relationship is likewise configured in advance in the WEB server, and the jump relationship of a URL can be indicated by the reference (Referer) field of the request. If a user requests web page B by jumping from web page A, while the jump relationship configured in the WEB server allows web page B to be requested only from web page C, the jump relationship of that user's request URL is incorrect; the IP address corresponding to that user is therefore determined to be an attack IP address and is filtered out of the second suspicious user IP addresses. The preset server host field is the host field of the WEB server; if the host field requested by a user is not the host field of the server, the IP address corresponding to that user is determined to be an attack IP address and is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual needs and may specifically be 20, 30, 40 or the like; the embodiment of the present invention does not limit it. If the length of the URL requested by a user exceeds the preset URL length, the IP address corresponding to that user is determined to be an attack IP address and is filtered out of the fourth suspicious user IP addresses.
It should be noted that, because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in order of filtering speed, successively by the preset request URL quantity threshold, the preset URL path, the preset URL jump relationship, the preset server host field and the preset URL length, the efficiency of determining attack IPs can be improved, so that the embodiment of the present invention improves the efficiency of attack defense.
Specifically, in step 104, filtering attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program comprises: sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program; and, if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be an attack IP address. The preset script program is a JavaScript program, and whether a suspicious user IP address is an attack IP address is determined by the client's execution of the preset script program.
Further, after determining the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be an attack IP address, the method further comprises: if there is a client that executes the preset script program correctly, sending verification information to the client that executed the preset script program correctly, so that this client receives a verification code entered according to the verification information; if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address; and if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method further comprises: storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library, so that the attack IP addresses in the preset attack IP address library are updated. It should be noted that, when an attack IP address in the preset attack IP address library is reassigned to a normal user, that user, in order to send service requests, needs to send a user identity verification request to the WEB server; after the WEB server has verified it, the corresponding attack IP address is deleted from the preset attack IP address library, so that the user's normal service requests can be served.
Further, an embodiment of the present invention provides an attack defense device. As shown in Fig. 2, the device comprises: a recognition unit 21, a first filter unit 22, a second filter unit 23, a third filter unit 24 and a rejection unit 25.
The recognition unit 21 is configured to identify suspicious user Internet Protocol (IP) addresses in session information by a preset threshold value, the session information comprising IP addresses.
Session information is the interaction information between a user and the WEB server, that is, the information associated with one data stream connection. A suspicious user IP address may be the IP address of either a trusted user or an attacking user.
It should be noted that the number of service requests a normal user sends within a unit time has a threshold; if the number of service requests some user sends within a unit time does not conform to this threshold, that user may be an attacking user, so the IP address corresponding to the user needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies the suspicious user IP addresses in the session information by a preset threshold value. The preset threshold value can be determined according to the characteristics of the WEB server and the Internet usage behavior of normal users; specifically, its size can be determined according to the number of requests a normal user sends to a destination IP address within a unit time. If the number of requests a normal user sends to a destination IP address within 1 minute is less than or equal to 5, the preset threshold value can be set to 5, and if a user sends service requests to the destination IP address more than 5 times within 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
The first filter unit 22 is configured to filter attack IP addresses from the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses.
The preset attack IP address library is configured in advance and contains all attack IP addresses determined so far. If a suspicious user IP address appears in the preset attack IP address library, that suspicious user IP address is determined to be an attack IP address; the attack IP addresses among the suspicious user IP addresses are filtered out, and the filtered suspicious IP addresses are determined to be the first remaining suspicious user IP addresses. The suspicious user IP addresses that do not appear in the preset attack IP address library, that is, the first remaining suspicious user IP addresses, are filtered further by the service request information in step 103, so as to filter out the attack IP addresses that can be determined from the service request information.
The second filter unit 23 is configured to filter attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses.
The service request information may specifically be the URL (Uniform Resource Locator) requested by the user, the host field and similar information; the embodiment of the present invention does not limit it. In the embodiment of the present invention, attack IP addresses can be filtered from the first remaining suspicious user IP addresses according to information such as a preset request URL quantity threshold, a preset URL path, a preset URL jump relationship, a preset server host field and a preset URL length. That is, among the first remaining suspicious user IP addresses, those whose number of URL requests does not conform to the preset request URL quantity threshold, whose requested URL is not a preset URL path, whose request URL jump relationship does not conform to the preset URL jump relationship, whose requested server host field does not conform to the preset server host field, or whose request URL length does not conform to the preset URL length are determined to be attack IP addresses; the IP addresses determined to be attacking are filtered out of the first remaining suspicious user IP addresses, and finally the filtered first remaining suspicious user IP addresses are determined to be the second remaining suspicious user IP addresses.
The third filter unit 24 is configured to filter attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses.
The preset script program is a JavaScript program, and whether a suspicious user IP address is an attack IP address is determined by the client's execution of the preset script program. If a client executes the preset script program incorrectly, the suspicious user IP address corresponding to that client is determined to be an attack IP address. If a client executes the preset script program correctly, whether the suspicious user IP address is an attack IP address is further judged by means of a human-machine interaction verification code: if the verification code entered by the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address, and if the verification code entered by the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted IP address.
The rejection unit 25 is configured to reject the service requests sent by the attack IP addresses.
Further, as shown in Fig. 3, the recognition unit 21 comprises:
an acquisition module 211, configured to acquire, from the session information, the number of service requests sent by each IP address within a unit time;
a determining module 212, configured to determine the IP addresses whose number of service requests sent within the unit time is greater than a first preset threshold value to be the suspicious user IP addresses. The first preset threshold value is determined according to the number of service requests a normal user sends within a unit time: if a normal user sends 10 service requests within 1 minute, the first preset threshold value can be set to 10, and if a user sends more than 10 service requests within 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
Further, the recognition unit 21 further comprises:
the acquisition module 211, further configured to acquire the IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold value;
a statistics module 213, configured to count, from the acquired IP addresses, the number of service requests of the same user IP address;
the determining module 212, further configured to determine the IP addresses whose counted number of service requests is greater than a second preset threshold value to be the suspicious user IP addresses.
It should be noted that users in the same local area network share the same IP address while their session information differs. To prevent an attacker from launching an attack on the WEB server from multiple terminal devices in a local area network, the numbers of service requests of the same user IP address need to be counted across the acquired IP addresses, and the IP addresses whose total number of service requests is greater than the second preset threshold value are then determined to be suspicious user IP addresses. The second preset threshold value is determined according to the number of service requests normally sent from a local area network within a unit time. For example, if three identical user IP addresses are obtained from the session information within the unit time, and the numbers of service requests they send to the WEB server are 10, 15 and 20 respectively, the total number of service requests sent by that IP address is 45; if the second preset threshold value is 30, the IP address can be determined to be a suspicious user IP address.
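The two-stage identification performed by the recognition unit (per-session count against the first preset threshold, then per-IP totals of the remaining sessions against the second), as an added worked example in Python that is not part of the patent. The session records are constructed; the thresholds 20 and 30 are assumptions chosen so that the 10, 15 and 20 sessions of the example above each fall below the first threshold but exceed the second in total.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed session information: one tuple per session seen within the unit time,
# (session_id, user_ip, number_of_service_requests). Several sessions may share one
# IP address when terminals sit behind the same local area network address.
SESSIONS: List[Tuple[str, str, int]] = [
    ("s1", "10.0.0.3", 25),   # a single session already above the first threshold
    ("s2", "10.0.0.2", 10),   # three LAN sessions, each individually below it ...
    ("s3", "10.0.0.2", 15),
    ("s4", "10.0.0.2", 20),   # ... but 10 + 15 + 20 = 45 in total
    ("s5", "10.0.0.4", 5),    # ordinary users behind one address, 5 + 8 = 13 in total
    ("s6", "10.0.0.4", 8),
]


def identify_suspicious_ips(sessions: List[Tuple[str, str, int]],
                            first_threshold: int,
                            second_threshold: int) -> Dict[str, str]:
    """Recognition unit: return {suspicious_ip: reason}.

    Stage 1 (determining module): any session whose request count exceeds the first
    preset threshold marks its IP address as suspicious.
    Stage 2 (statistics module): sessions at or below the first threshold are summed
    per IP address; a total above the second preset threshold marks the address too.
    """
    suspicious: Dict[str, str] = {}
    per_ip_total: Dict[str, int] = defaultdict(int)
    for _session_id, ip, count in sessions:
        if count > first_threshold:
            suspicious[ip] = "session sent %d requests > first threshold %d" % (
                count, first_threshold)
        else:
            per_ip_total[ip] += count
    for ip, total in per_ip_total.items():
        if ip not in suspicious and total > second_threshold:
            suspicious[ip] = "same IP sent %d requests in total > second threshold %d" % (
                total, second_threshold)
    return suspicious


if __name__ == "__main__":
    for ip, reason in sorted(identify_suspicious_ips(SESSIONS, 20, 30).items()):
        print(ip, "->", reason)
```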
Specifically, the second filter unit 23 comprises:
a first filtering module 231, configured to filter the attack IP addresses from the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and to take the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
a second filtering module 232, configured to filter out, according to a preset URL path, those first suspicious user IP addresses whose requested URL is incorrect, and to take the filtered first suspicious user IP addresses as second suspicious user IP addresses;
a third filtering module 233, configured to filter out, according to a preset URL jump relationship, those second suspicious user IP addresses whose requested URL jump relationship is incorrect, and to take the filtered second suspicious user IP addresses as third suspicious user IP addresses;
a fourth filtering module 234, configured to filter out, according to a preset server host field, those third suspicious user IP addresses whose requested host field is incorrect, and to take the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
a fifth filtering module 235, configured to filter out, according to a preset URL length, those fourth suspicious user IP addresses whose requested URL length is incorrect.
As in the method embodiment, the request URL quantity threshold is determined from the number of times a normal user requests the same URL within a unit time. If the number of requests for the same URL by user A within a unit time exceeds the preset request URL quantity threshold, the IP address corresponding to user A is determined to be an attack IP address and is filtered out of the first remaining suspicious user IP addresses. The preset URL path is configured in advance in the WEB server; if the URL requested by a user is not a URL path configured in the WEB server, the IP address corresponding to that user is determined to be an attack IP address and is filtered out of the first suspicious user IP addresses. The preset URL jump relationship is likewise configured in advance in the WEB server, and the jump relationship of a URL can be indicated by the reference (Referer) field of the request. If a user requests web page B by jumping from web page A, while the jump relationship configured in the WEB server allows web page B to be requested only from web page C, the jump relationship of that user's request URL is incorrect; the IP address corresponding to that user is therefore determined to be an attack IP address and is filtered out of the second suspicious user IP addresses. The preset server host field is the host field of the WEB server; if the host field requested by a user is not the host field of the server, the IP address corresponding to that user is determined to be an attack IP address and is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual needs and may specifically be 20, 30, 40 or the like; the embodiment of the present invention does not limit it. If the length of the URL requested by a user exceeds the preset URL length, the IP address corresponding to that user is determined to be an attack IP address and is filtered out of the fourth suspicious user IP addresses.
It should be noted that, because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in order of filtering speed, successively by the preset request URL quantity threshold, the preset URL path, the preset URL jump relationship, the preset server host field and the preset URL length, the efficiency of determining attack IPs can be improved, so that the embodiment of the present invention improves the efficiency of attack defense.
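The five-stage service-request filter of the second filter unit (modules 231 to 235, in the order the patent prescribes), as an added worked example in Python that is not part of the patent. The request records, the server host `shop.example`, the allowed paths, the jump relationship and the thresholds 50 and 64 are all constructed assumptions; each address is labelled with the first stage that catches it, and later stages only see the survivors of the earlier ones.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    """One service request taken from the session information (constructed)."""
    ip: str
    url: str       # path plus query as requested
    referer: str   # path of the page the request was jumped from, "" if none
    host: str      # host field sent by the client


@dataclass
class FilterConfig:
    url_quantity_threshold: int        # max requests for the same URL per IP per unit time
    url_paths: Set[str]                # URL paths configured in the WEB server
    url_jumps: Dict[str, Set[str]]     # target path -> paths it may be jumped to from
    server_host: str                   # host field of the WEB server
    url_length: int                    # maximum permitted request URL length


def _path(url: str) -> str:
    return urlsplit(url).path


# One predicate per filtering module; each returns True when the IP's requests are incorrect.
def exceeds_url_quantity(reqs: List[Request], cfg: FilterConfig) -> bool:
    return max(Counter(r.url for r in reqs).values()) > cfg.url_quantity_threshold

def wrong_url_path(reqs: List[Request], cfg: FilterConfig) -> bool:
    return any(_path(r.url) not in cfg.url_paths for r in reqs)

def wrong_url_jump(reqs: List[Request], cfg: FilterConfig) -> bool:
    for r in reqs:
        allowed = cfg.url_jumps.get(_path(r.url))   # None: no jump relationship configured
        if allowed is not None and r.referer not in allowed:
            return True
    return False

def wrong_host(reqs: List[Request], cfg: FilterConfig) -> bool:
    return any(r.host != cfg.server_host for r in reqs)

def wrong_url_length(reqs: List[Request], cfg: FilterConfig) -> bool:
    return any(len(r.url) > cfg.url_length for r in reqs)


STAGES: List[Tuple[str, Callable[[List[Request], FilterConfig], bool]]] = [
    ("url_quantity", exceeds_url_quantity),   # module 231, cheapest check first
    ("url_path", wrong_url_path),             # module 232
    ("url_jump", wrong_url_jump),             # module 233
    ("host", wrong_host),                     # module 234
    ("url_length", wrong_url_length),         # module 235
]


def filter_by_service_request(first_remaining: List[str], requests: List[Request],
                              cfg: FilterConfig) -> Tuple[List[str], Dict[str, str]]:
    """Return (second remaining suspicious IPs, {attack_ip: stage that caught it})."""
    by_ip: Dict[str, List[Request]] = {}
    for r in requests:
        by_ip.setdefault(r.ip, []).append(r)
    survivors = list(first_remaining)
    attack: Dict[str, str] = {}
    for name, predicate in STAGES:
        still: List[str] = []
        for ip in survivors:
            reqs = by_ip.get(ip, [])
            if reqs and predicate(reqs, cfg):
                attack[ip] = name
            else:
                still.append(ip)
        survivors = still
    return survivors, attack


# Constructed configuration and traffic: one address per failure mode plus one clean one.
CONFIG = FilterConfig(url_quantity_threshold=50,
                      url_paths={"/index", "/cart", "/checkout"},
                      url_jumps={"/checkout": {"/cart"}},
                      server_host="shop.example",
                      url_length=64)

SAMPLE_REQUESTS: List[Request] = (
    [Request("10.0.0.1", "/index", "", "shop.example")] * 60           # same URL 60 times
    + [Request("10.0.0.2", "/admin/backup", "", "shop.example")]       # path not configured
    + [Request("10.0.0.3", "/checkout", "/index", "shop.example")]     # wrong jump source
    + [Request("10.0.0.4", "/index", "", "evil.example")]              # wrong host field
    + [Request("10.0.0.5", "/index?q=" + "a" * 80, "", "shop.example")]  # URL too long
    + [Request("10.0.0.6", "/cart", "/index", "shop.example"),
       Request("10.0.0.6", "/checkout", "/cart", "shop.example")]      # normal browsing
)
FIRST_REMAINING = ["10.0.0.%d" % i for i in range(1, 7)]

if __name__ == "__main__":
    print(filter_by_service_request(FIRST_REMAINING, SAMPLE_REQUESTS, CONFIG))
```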
Specifically, the third filter unit 24 comprises:
a sending module 241, configured to send the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
a determining module 242, configured to, if there is a client that executes the preset script program incorrectly, determine the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be the attack IP address.
The sending module 241 is further configured to, if there is a client that executes the preset script program correctly, send verification information to the client that executed the preset script program correctly, so that this client receives a verification code entered according to the verification information;
the determining module 242 is further configured to, if the verification code does not correspond to the verification information, determine the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
the determining module 242 is further configured to, if the verification code corresponds to the verification information, determine the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device further comprises:
a storage unit 26, configured to store the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
It should be noted that, when an attack IP address in the preset attack IP address library is reassigned to a normal user, that user, in order to send service requests, needs to send a user identity verification request to the WEB server; after the WEB server has verified it, the corresponding attack IP address is deleted from the preset attack IP address library, so that the user's normal service requests can be served.
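The third filter unit together with the storage unit (script challenge, then verification code, then library update and release after identity verification), as an added worked example in Python that is not part of the patent. The patent does not fix what the script computes; as an assumption, the script here hashes a per-client nonce, and `sha256`/`send` in the script text are placeholders for client-side functions.

```python
import hashlib
import secrets
from typing import Dict, Optional, Set


class ScriptAndCaptchaFilter:
    """Third filter unit 24 plus storage unit 26: script challenge, verification code,
    and maintenance of the preset attack IP address library."""

    def __init__(self, attack_library: Set[str]):
        self.attack_library = attack_library        # the preset attack IP address library
        self.pending_nonce: Dict[str, str] = {}     # ip -> nonce embedded in the script sent
        self.trusted: Set[str] = set()

    def issue_script(self, ip: str, nonce: Optional[str] = None) -> str:
        """Sending module 241: build the script for one client and remember what it must
        return. The script hashes a per-client nonce (assumption), so a client that never
        executes JavaScript cannot produce the expected answer."""
        nonce = nonce or secrets.token_hex(8)
        self.pending_nonce[ip] = nonce
        # Hypothetical JavaScript body handed to the client.
        return "send(sha256('%s'));" % nonce

    def expected_script_result(self, ip: str) -> str:
        return hashlib.sha256(self.pending_nonce[ip].encode()).hexdigest()

    def check_script_result(self, ip: str, result: str) -> str:
        """Determining module 242, first decision: 'attack' if the script was executed
        wrongly (the IP is stored in the library), 'verify' if the verification code follows."""
        if ip not in self.pending_nonce or result != self.expected_script_result(ip):
            self._mark_attack(ip)
            return "attack"
        return "verify"

    def check_verification_code(self, ip: str, entered: str, expected: str) -> str:
        """Second decision: the code the user typed against the verification information."""
        if entered != expected:
            self._mark_attack(ip)
            return "attack"
        self.pending_nonce.pop(ip, None)
        self.trusted.add(ip)
        return "trusted"

    def _mark_attack(self, ip: str) -> None:
        self.attack_library.add(ip)                 # storage unit 26
        self.pending_nonce.pop(ip, None)

    def release_after_identity_verification(self, ip: str, identity_verified: bool) -> bool:
        """An address reassigned to a normal user is deleted from the library once the WEB
        server has verified that user's identity. Returns True if an entry was deleted."""
        if identity_verified and ip in self.attack_library:
            self.attack_library.discard(ip)
            return True
        return False


def evaluate_client(flt: ScriptAndCaptchaFilter, ip: str, script_result: str,
                    entered_code: str, expected_code: str) -> str:
    """Run one client through the layered decision: script first, verification code second."""
    if flt.check_script_result(ip, script_result) == "attack":
        return "attack"
    return flt.check_verification_code(ip, entered_code, expected_code)


if __name__ == "__main__":
    flt = ScriptAndCaptchaFilter(set())
    flt.issue_script("10.0.0.7")
    answer = flt.expected_script_result("10.0.0.7")   # what a real browser would send back
    print(evaluate_client(flt, "10.0.0.7", answer, "X7K2", "X7K2"), sorted(flt.attack_library))
```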
The attack defense device provided by another embodiment of the present invention defends against HTTP Flood attacks in a layered manner: it first identifies the suspicious user IP addresses in the session information by a preset threshold value, then filters attack IP addresses out of the suspicious user IP addresses layer by layer, successively according to the preset attack IP address library, the service request information and the preset script program, and achieves attack defense by rejecting the service requests sent by the attack IP addresses. Because the suspicious user IP addresses in the session information can be identified quickly by the preset threshold value, and the attack IP addresses among the suspicious user IP addresses are filtered in order of filtering speed, successively by the preset attack IP address library, the service request information and the preset script program, the efficiency of determining attack IPs can be improved, so that the embodiment of the present invention improves both the accuracy and the efficiency of attack defense.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It can be understood that the related features of the above method and device may be referred to each other. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not represent the superiority or inferiority of any embodiment.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented using various programming languages, and the above description of a specific language is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the attack defense method and device according to embodiments of the present invention. The present invention may also be implemented as apparatus or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.

Claims (10)

1. An attack defense method, characterized by comprising:
identifying suspicious user Internet Protocol (IP) addresses in session information by a preset threshold value, the session information comprising user IP addresses, the preset threshold value being determined according to the number of requests sent by a normal user to a destination IP address within a unit time;
filtering attack IP addresses from the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
filtering attack IP addresses from the first remaining suspicious user IP addresses by means of service request information in the session information, obtaining second remaining suspicious user IP addresses;
filtering attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses; and
rejecting the service requests sent by the attack IP addresses.
2. The method according to claim 1, characterized in that identifying the suspicious user IP addresses in the session information by the preset threshold value comprises:
acquiring, from the session information, the number of service requests sent by each IP address within a unit time;
determining the IP addresses whose number of service requests sent within the unit time is greater than a first preset threshold value to be the suspicious user IP addresses.
3. The method according to claim 2, characterized in that, after determining the IP addresses whose number of service requests sent within the unit time is greater than the first preset threshold value to be the suspicious user IP addresses, the method further comprises:
acquiring the IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold value;
counting, from the acquired IP addresses, the number of service requests of the same user IP address;
determining the IP addresses whose number of service requests is greater than a second preset threshold value to be the suspicious user IP addresses.
4. The method according to claim 1, characterized in that filtering attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining the second remaining suspicious user IP addresses, comprises:
filtering the attack IP addresses from the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
filtering out, according to a preset URL path, those first suspicious user IP addresses whose requested URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses;
filtering out, according to a preset URL jump relationship, those second suspicious user IP addresses whose requested URL jump relationship is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses;
filtering out, according to a preset server host field, those third suspicious user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
filtering out, according to a preset URL length, those fourth suspicious user IP addresses whose requested URL length is incorrect.
5. The method according to claim 1, characterized in that filtering attack IP addresses from the second remaining suspicious user IP addresses according to the preset script program comprises:
sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be the attack IP address.
6. The method according to claim 5, characterized in that, after determining the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be the attack IP address, the method further comprises:
if there is a client that executes the preset script program correctly, sending verification information to the client that executed the preset script program correctly, so that this client receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
8. An attack defense device, characterized by comprising:
a recognition unit, configured to identify suspicious user Internet Protocol (IP) addresses in session information by a preset threshold value, the session information comprising IP addresses, the preset threshold value being determined according to the number of requests sent by a normal user to a destination IP address within a unit time;
a first filter unit, configured to filter attack IP addresses from the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
a second filter unit, configured to filter attack IP addresses from the first remaining suspicious user IP addresses by means of service request information in the session information, obtaining second remaining suspicious user IP addresses;
a third filter unit, configured to filter attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
a rejection unit, configured to reject the service requests sent by the attack IP addresses.
9. The device according to claim 8, characterized in that the recognition unit comprises:
an acquisition module, configured to acquire, from the session information, the number of service requests sent by each IP address within a unit time;
a determining module, configured to determine the user IP addresses whose number of service requests sent within the unit time is greater than a first preset threshold value to be the suspicious user IP addresses.
10. The device according to claim 9, characterized in that the recognition unit further comprises:
the acquisition module, further configured to acquire the IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold value;
a statistics module, configured to count, from the acquired IP addresses, the number of service requests of the same user IP address;
the determining module, further configured to determine the IP addresses whose number of service requests is greater than a second preset threshold value to be the suspicious user IP addresses.
CN201610783731.7A 2016-08-31 2016-08-31 The defence method and device of attack Active CN106357628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610783731.7A CN106357628B (en) 2016-08-31 2016-08-31 The defence method and device of attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610783731.7A CN106357628B (en) 2016-08-31 2016-08-31 The defence method and device of attack

Publications (2)

Publication Number Publication Date
CN106357628A CN106357628A (en) 2017-01-25
CN106357628B (en) 2019-09-06

Family

ID=57858274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610783731.7A Active CN106357628B (en) 2016-08-31 2016-08-31 The defence method and device of attack

Country Status (1)

Country Link
CN (1) CN106357628B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110166408B (en) * 2018-02-13 2022-09-06 北京京东尚科信息技术有限公司 Method, device and system for defending flood attack
CN108833450B (en) * 2018-08-22 2020-07-10 网宿科技股份有限公司 Method and device for preventing server from being attacked
CN110532753A (en) * 2019-07-01 2019-12-03 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) The safety protecting method and equipment of train operation monitoring and recording device business data flow
CN111241543B (en) * 2020-01-07 2021-03-02 中国搜索信息科技股份有限公司 Method and system for intelligently resisting DDoS attack by application layer
CN113452647B (en) * 2020-03-24 2022-11-29 百度在线网络技术(北京)有限公司 Feature identification method, feature identification device, electronic equipment and computer-readable storage medium
CN113810486B (en) * 2021-09-13 2022-12-20 珠海格力电器股份有限公司 Internet of things platform docking method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891829A (en) * 2011-07-18 2013-01-23 航天信息股份有限公司 Method and system for detecting and defending distributed denial of service attack
CN103685294A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Method and device for identifying attack sources of denial of service attack
CN103856470A (en) * 2012-12-06 2014-06-11 腾讯科技(深圳)有限公司 Distributed denial of service attack detection method and device
CN104935609A (en) * 2015-07-17 2015-09-23 北京京东尚科信息技术有限公司 Network attack detection method and detection apparatus
US9392019B2 (en) * 2014-07-28 2016-07-12 Lenovo Enterprise (Singapore) Pte. Ltd. Managing cyber attacks through change of network address

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8533821B2 (en) * 2007-05-25 2013-09-10 International Business Machines Corporation Detecting and defending against man-in-the-middle attacks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
An efficient defense model against SIP flooding attacks (一种高效抵御SIP洪泛攻击的防御模型); Li Hongbin (李鸿彬) et al.; Computer Engineering (《计算机工程》); 2013-02-15; full text

Similar Documents

Publication Publication Date Title
CN106357628B (en) The defence method and device of attack
US9773109B2 (en) Alternate files returned for suspicious processes in a compromised computer network
CN106161451B (en) Method, apparatus and system for defending against CC attacks
CN103701795B (en) Method and device for identifying the attack source of a denial-of-service attack
CN102932329B (en) Method, device and client device for intercepting program behaviour
CN109951500A (en) Network attack detection method and device
CN104333529B (en) Detection method and system for HTTP DoS attacks in a cloud computing environment
CN107888546A (en) Network attack defence method, device and system
CN107645478B (en) Network attack defense system, method and device
CN107743118B (en) Hierarchical network security protection method and device
CN103973635B (en) Page access control method and related apparatus and system
US20140157415A1 (en) Information security analysis using game theory and simulation
CN106603555A (en) Method and device for preventing library-hit attacks
AU2010258278A1 (en) Identifying bots
CN106549980A (en) Method and device for determining a malicious C&C server
CN110365712A (en) Defence method and system for distributed denial-of-service attacks
CN107426243A (en) Network security protection method and device
CN108632634A (en) Method and device for providing a live-streaming service
CN110166420A (en) Reverse shell blocking method and device
CN108512805B (en) Network security defense method and network security defense device
CN108282443B (en) Crawler behavior identification method and device
Ismail et al. New framework to detect and prevent denial of service attack in cloud computing environment
CN106888192A (en) Method and device for resisting DNS attacks
CN109413022A (en) Method and apparatus for detecting HTTP flood attacks based on user behaviour
KR101042226B1 (en) The method of counteracting distributed denial of service attack using network filter monitoring white list and dummy web server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant