CN108268774A - Method and device for determining an attack request - Google Patents

Info

Publication number: CN108268774A
Authority: CN (China)
Prior art keywords: request, attack, file, query, parameter
Legal status: Granted
Application number: CN201710005255.0A
Other languages: Chinese (zh)
Other versions: CN108268774B (en)
Inventor: 庞申杰
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201710005255.0A
Publication of CN108268774A
Application granted
Publication of CN108268774B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection


Abstract

The application provides a method and device for determining an attack request. The method is applied on a server and includes: receiving requests for different files in a website, and redirecting the requests directed at the different files to a script-based safety detection program; analysing the parameters of each request with the safety detection program, and judging from the analysis result whether the request is an attack request. The technical solution of the application solves the prior-art problem that attack requests aimed at backdoor files cannot be effectively identified: every received request is identified automatically and intercepted when judged to be an attack request, without modifying the code of any file, so that attack requests are prevented from attacking the website.

Description

Method and device for determining an attack request
Technical field
This application relates to the field of network security, and in particular to a method and device for determining an attack request.
Background technology
In the prior art, a WAF (Website Application Firewall) protects a Web (Website) application against the attack requests it receives and intercepts them; it is a firewall that detects and blocks the HTTP (Hyper Text Transfer Protocol) requests and responses flowing through it on the basis of rules characterising known attacks.
A script-based WAF is written in the same scripting language as the Web application it protects, such as PHP (Hypertext Preprocessor) or ASP (Active Server Page). By writing the WAF script file into a global file that almost all other files reference, the protective code is injected into the application so that attack requests are filtered and intercepted. A backdoor file uploaded by an attacker, however, does not reference the global file, so the script-based WAF cannot identify requests directed at the backdoor file and therefore cannot intercept them.
Invention content
The application provides a method and device for determining an attack request, to solve the prior-art problem that requests for backdoor files cannot be effectively identified and intercepted.
According to a first aspect of the embodiments of the application, a method for determining an attack request is provided, applied on a server and including:
receiving requests for different files in a website, and redirecting the requests directed at the different files to a script-based safety detection program;
analysing the parameters of the request with the safety detection program, and judging from the analysis result whether the request is an attack request.
According to a second aspect of the embodiments of the application, a server is provided, including:
a global request capture module, for capturing requests for different files in a website and redirecting the requests directed at the different files to a script-based safety detection program; when running in fastcgi mode, it scans for a first configuration file in the directory of the file requested by the request, loads the configuration items in the first configuration file, obtains the specified script file at the path named by the configuration item, and introduces the specified script file at the head of the target file requested by the request; when running in non-fastcgi mode, it redirects the request to the specified script file;
an attack decision module, for analysing the parameters of the request with the safety detection program, comparing the parameters of the request with preset parameters, and judging from the comparison result whether the request is an attack request.
According to a third aspect of the embodiments of the application, a device for determining an attack request is provided, applied on a server and including:
a redirection unit, for receiving requests for different files in a website and redirecting the requests directed at the different files to a script-based safety detection program;
a decision unit, for analysing the parameters of the request with the safety detection program and judging from the analysis result whether the request is an attack request.
According to a fourth aspect of the embodiments of the application, a device for determining an attack request is provided, the device being a server and including: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to:
receive requests for different files in a website, and redirect the requests directed at the different files to a script-based safety detection program;
analyse the parameters of the request with the safety detection program, and judge from the analysis result whether the request is an attack request.
According to a fifth aspect of the invention, a computer storage medium is provided in which program instructions are stored, the instructions including:
receiving requests for different files in a website, and redirecting the requests directed at the different files to a script-based safety detection program;
analysing the parameters of the request with the safety detection program, and judging from the analysis result whether the request is an attack request.
As can be seen from the above technical scheme, in the embodiments of the application, when the server runs in fastcgi mode the specified script file is introduced at the head of the target file requested by each received request; when it runs in non-fastcgi mode, the redirection feature of a configuration file is used to redirect requests to the specified script file. All received requests, including those directed at backdoor files, are therefore identified automatically without modifying the code of any file, which is non-invasive and prevents attack requests from attacking the website. Moreover, the application can be deployed and take effect under low privileges, which makes it lightweight.
Description of the drawings
Fig. 1 is a schematic diagram of a scenario of the attack request determination method of the application;
Fig. 2 is a flow chart of one embodiment of the attack request determination method of the application;
Fig. 3 is a flow chart of another embodiment of the attack request determination method of the application;
Fig. 4 is a block diagram of one embodiment of the server of the application;
Fig. 5 is a hardware structure diagram of the equipment in which the attack request determination device of the application is located;
Fig. 6 is a block diagram of one embodiment of the attack request determination device of the application.
Specific embodiments
The terms used in this application are intended only to describe specific embodiments and are not intended to limit the application. The singular forms "a", "an", "the" and "said" used in the application and in the appended claims are also intended to include the plural, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It will be appreciated that although the terms first, second, third and so on may be used in the application to describe various pieces of information, the information should not be limited by these terms. These terms are used only to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information could also be called second information, and similarly second information could be called first information. Depending on the context, the word "if" as used here can be construed as "when", "upon" or "in response to determining".
In the prior art, a script-based application firewall needs to find a global file that is referenced by most files and write the WAF code into that global file in order to detect whether a received request is a malicious attack request. One drawback of this approach is that the code of the global file must be edited by hand, which may lead to editing errors or render the global file unusable. Another drawback is that if there are orphan files that do not reference the global file, those orphan files must be edited in addition to the global file, which adds to the burden of manual handling, and an orphan file that has not been edited cannot be identified at all; likewise, a backdoor file uploaded by an attacker does not reference the global file and can be neither identified nor edited, so the server cannot capture requests sent to orphan files or backdoor files and cannot judge or intercept that portion of the requests.
The embodiments of the application propose a method and device for determining an attack request. When the server runs in fastcgi (Common Gateway Interface) mode, the specified WAF script file is written into each received first request, so that the first request is identified automatically and intercepted; when the server runs in non-fastcgi mode, the redirection feature of a configuration file is used to redirect each received second request to the specified WAF script file for identification and interception. No file code needs to be modified, every received second request can be identified, and all script files are thereby protected. The embodiments can be applied on a server, which may be a single physical or logical server, or two or more physical or logical servers that share different responsibilities and cooperate to realise the functions of the server in the embodiments. The embodiments place no restriction on the type of server or on the type or protocol of the communication network between servers.
Referring to Fig. 1, which is a schematic diagram of a scenario of the attack request determination method of the embodiments, Fig. 1 includes a first server, such as a Web server, which parses the HTTP protocol and handles the received requests, and second servers, from which users send requests for different files in the website through browsers; there may be many second servers, and only three are shown in Fig. 1 by way of illustration. The Web server receives the requests from the second servers at its script entry point, and the WAF script program on the Web server judges and handles each request: if the received request is judged to be a malicious attack, the attack request is handled without being allowed to reach the target file it requests, so that the target file is protected from the malicious attack. Specifically, when the Web server runs in fastcgi mode and the request is judged to be an attack request, set processing such as interception or ignoring is carried out; if it is judged not to be an attack request, the request continues to execute in the target file it requests. When the Web server runs in non-fastcgi mode and the request is judged to be an attack request, set processing such as interception or ignoring is likewise carried out; if it is judged not to be an attack request, the request is sent on to the target file it requests and continues to execute there.
The flow of the attack request determination method applied in the first server is shown in Fig. 2 and includes the following steps:
Step 201: the server receives first requests for different files in the website, and redirects the requests directed at the different files to the script-based safety detection program.
In the embodiments, the first server must judge, for every request from a second server, whether it is a malicious attack request, in order to ensure network security. The requests include requests submitted by get, post and other methods, such as HTTP requests. The server receiving the requests can also be understood as capturing all requests sent to the different files.
In the embodiments, the server can run in fastcgi mode (the first mode) or in non-fastcgi mode (the second mode). Since the first configuration file takes effect only when the server runs in fastcgi mode, and the second configuration file takes effect only when the server runs in non-fastcgi mode, the application discusses separately how received requests are identified in each mode. The embodiment shown in Fig. 2 mainly explains how received first requests are identified in the first mode.
In step 201, when running in fastcgi mode, the specified script file is introduced at the head of the target file requested by the first request.
Specifically, step 201 can be accomplished as follows:
First, the server scans for the first configuration file in the directory of the target file requested by the first request.
Then, once the server has found the first configuration file, it loads the configuration items in the first configuration file and obtains the specified WAF script file at the path named by the configuration item.
Finally, the server introduces the specified WAF script file named in the configuration item at the head of the target file requested by the received first request.
In the embodiments, Web scripting languages such as PHP and ASP all allow a Web script file to dynamically include another script file, that is, to copy the code of the other script file to the current location and run it. Among PHP's configuration files there is one that can be loaded dynamically, .user.ini, which is the first configuration file mentioned above. When the server runs in fastcgi mode it scans the directory of the currently executing script file, i.e. the directory of the target file requested by the received first request (the current directory for short), finds the .user.ini configuration file in the current directory and loads its configuration items. The effect of the configuration item is to specify the path of a file to be included automatically, auto_append_file (a file automatically included at the head of a file); thereafter, before any script file in the current directory is parsed by the server, the file named in auto_append_file is automatically included at its head, which is to say the specified file is written into the first request. The specified file can be, for example, a WAF script file serving as the safety detection program of the application, in which global request filtering and interception are realised by the WAF script program.
Since the effect of the configuration item is to introduce the specified file at the head of a file, the embodiments introduce the specified WAF script file at the head of the target file requested by the received first request, so that the first request enters the WAF script program, which executes the WAF script file to judge whether the request is an attack request.
Step 202: the parameters of the first request are analysed with the safety detection program, and whether the first request is an attack request is judged from the analysis result.
In step 202, the server can extract the parameters of the first request on the basis of the specified WAF script file.
The server parses, in the specified WAF script file, the URL of the file the first request is directed at, and extracts the parameters, which can include: the requested file name, the source IP address, the submitted data, i.e. the get/post/cookie data, the HTTP request headers, and so on.
Then the server compares the extracted first parameters with the preset parameters.
The preset parameters can also be understood as preset rules. For example, a rule is hit when the file requested by the first request is named aux.asp, shell.asp or shell.php; a rule is hit when the source IP address is a preset address, for which a user can, for instance, configure an IP blacklist; a rule is hit when the GET/POST/COOKIE data carries the data of an SQL (Structured Query Language) injection request; and a rule is hit when the HTTP request header is that of a request submitted with the put or head method. From this it can be determined whether the first request is a malicious attack request. Malicious attack requests cover many cases, such as SQL injection vulnerabilities, file upload vulnerabilities, file inclusion vulnerabilities and XSS (Cross Site Scripting) vulnerabilities. By counting the different vulnerability types, the corresponding request features can be sorted into rules, and the rules are preset in the server so that the server can identify the first request. When the comparison result shows that at least two parameters are consistent with the preset parameters, the first request is determined to be an attack request.
Since every first request is initiated for a file and is passed into the requested file, a malicious attack request aimed at a backdoor file would be passed into the backdoor file and run there. A backdoor file is in itself a static file and produces no attack effect; only when triggered by a malicious attack request does it run and produce an attack effect, such as obtaining the information the attacker wants. In the embodiments, malicious attack requests are given set processing, such as interception, ignoring or tracing the attack path, so the malicious attack request is never passed into the backdoor file, the backdoor file does not run, and no attack effect is produced.
In the embodiments, the identified malicious attack request is intercepted, the first request is prevented from executing the original program, an attack alert is output to indicate that an attack is currently under way, and the information about the attack is recorded.
After step 202, if the first request is judged not to be an attack request and the server is running in fastcgi mode, the first request continues to execute in the target file.
Essentially, when the WAF script program is invoked via .user.ini in the application, the WAF code is introduced at the current location, i.e. the head of the target file, and executed there; once the specified WAF script file has finished, the subsequent code executes automatically.
With the attack request determination method provided by the embodiments, when the server runs in fastcgi mode, the auto_append_file configuration item of the .user.ini configuration file introduces the specified WAF script file at the head of the target file requested by the first request, so that the firewall code is processed before the first request executes the original code: a request determined to be a malicious attack request is filtered and intercepted and does not enter the subsequent execution program, which avoids attacks. In the prior art, because a backdoor file does not reference the global file, requests for backdoor files cannot be detected. Compared with the prior art, the present invention introduces the specified WAF script file at the head of the target file requested by the first request, so that any request can be detected and attack requests handled; even if the target file requested by the first request is an orphan file or a backdoor file, the specified WAF script file is still introduced at the head of that orphan or backdoor file and the above processing is carried out, so no request for an orphan file or backdoor file is missed and network security is effectively ensured. On the other hand, in the prior art an application firewall must be installed with administrator privileges and its implementation is complex and inflexible, whereas the method provided by the application requires only permission to write files to the Web directory, so it is easy to deploy, can be deployed and take effect under low privileges, and is lightweight; and since the original code is not modified and the Web server is not restarted, it is non-invasive.
In one embodiment, the server receives a first request and passes it to the target file it requests, index.php. When index.php is about to execute, the .user.ini configuration file in the current directory is retrieved, and by loading the configuration item in that configuration file the code of the specified WAF script file is automatically introduced at the head of the target file index.php. The code of the specified WAF script file then executes in sequence; it finds that the username parameter of the first request contains an attack feature (a preset parameter), so a rule is hit, the first request is judged to be an attack request, execution of the original code of the target file index.php is stopped, and an interception message is returned to the visitor. If the specified WAF script file checks the parameters of the first request and finds no preset parameter, the original code of the target file index.php starts to execute.
The flow of another embodiment of the attack request determination method applied in the first server is shown in Fig. 3 and includes the following steps:
Step 301: the server receives second requests for different files, and redirects the second requests directed at the different files to the script-based safety detection program.
In the embodiments, the first server must judge, for every request from a second server, whether it is a malicious attack request, in order to ensure network security. The requests include requests submitted by get, post and other methods, such as HTTP requests. The server receiving the requests can also be understood as capturing all requests sent to the different files.
Step 302: when running in non-fastcgi mode, the parameters of the second request are analysed with the safety detection program, and whether the second request is an attack request is judged from the analysis result.
In the embodiments, when the server runs in non-fastcgi mode, it scans for the second configuration file in the root directory.
Among Apache's configuration files there is one named .htaccess, which is the second configuration file. Placed in the Web root directory, it can rewrite the URL of any request and redirect a specified request to another script file. Based on this characteristic, the server can use the .htaccess configuration file to redirect every second request it executes to the specified WAF script file, i.e. the specified WAF script file of the embodiment of Fig. 2, for processing, in order to judge whether the second request is a malicious attack request.
Then the server obtains the configuration information of the second configuration file and, based on that configuration information, redirects the second request to the specified WAF script file.
In the embodiments, second requests sent to dynamic files, i.e. requests that carry parameters entered by the user, are redirected to the WAF script program; in this case the data in the second request includes the requested file name and the request parameters.
The configuration information of the .htaccess configuration file has many functions, including pass-through, redirection, modification and forwarding, but the embodiments of the application use only its redirection function.
When the second request is judged not to be an attack request, the Web request is sent on to the target file it requests and continues to execute there.
In the embodiments of the disclosure, when the .htaccess configuration file is used to redirect the second request, the second request has already been redirected to the WAF script, so when a received second request is judged not to be an attack request it must, after processing by the WAF script program, be passed back and sent to the target file, returning to the original application to continue executing the subsequent code.
With the attack request determination method provided by the embodiments, when the server runs in non-fastcgi mode, the redirection function of the configuration information of the .htaccess configuration file redirects the second request to the specified script file, so that the firewall code is processed before the second request executes the original code: a second request determined to be a malicious attack request is filtered and intercepted and does not enter the subsequent execution program, which avoids attacks. In the prior art, because a backdoor file does not reference the global file, second requests for backdoor files cannot be detected. Compared with the prior art, the present invention can detect any second request and handle attack requests; even if the target file requested by the second request is an orphan file or a backdoor file, the request is still redirected to the specified script file and given the above processing, so second requests are detected and identified accurately and comprehensively, no second request for a backdoor file is missed, and network security is effectively ensured. On the other hand, in the prior art an application firewall must be installed with administrator privileges and its implementation is complex and inflexible, whereas the method provided by the application can be deployed and take effect under low privileges and is lightweight; and since the original code is not modified and the Web server is not restarted, it is non-invasive.
In one embodiment, when the server receives a second request, the parameters of the second request are redirected to the specified WAF script file, for example waf.php, and the code of the specified WAF script file executes to judge whether the parameters of the second request contain a predefined parameter. When the specified WAF script file identifies an attack feature in the username parameter, the second request has hit a rule; the server stops the operation of redirecting the second request back to the target file it requests, index.php, and returns an interception message to the attacker. If the specified WAF script file checks the parameters of the second request and finds no attack feature, the second request is redirected back to the target file it requests, index.php, and the code in the target file index.php starts to execute.
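As an added illustration (not the patent's or Alibaba's own code) of the safety detection program used in both the fastcgi flow of Fig. 2 (steps 201 and 202) and the non-fastcgi flow of Fig. 3 (steps 301 and 302), the following single waf.php extracts the parameters listed in step 202, counts the preset rules hit, intercepts the request when at least two rules match, and otherwise returns to the original script (prepend mode) or includes the original target (rewrite mode). The web root, the sample IP blacklist, the SQL-injection pattern and the __waf_target parameter name are assumptions chosen for the example; note also that the PHP directive that includes a file before the requested script runs is auto_prepend_file (auto_append_file includes it after the script has finished), so the .user.ini line below uses auto_prepend_file.

```php
<?php
// waf.php: added example of the script-based safety detection program described in the
// patent. Illustration only, not the patent's or Alibaba's own code.
//
// Deployment (assumed paths; adjust to your web root):
//   fastcgi / php-fpm mode, file ".user.ini" in the web directory:
//       auto_prepend_file = /var/www/html/waf.php
//   mod_php (non-fastcgi) mode, file ".htaccess" in the web root
//   (needs mod_rewrite and AllowOverride FileInfo):
//       RewriteEngine On
//       RewriteCond %{REQUEST_URI} !^/waf\.php
//       RewriteRule ^(.*\.php)$ /waf.php?__waf_target=$1 [L,QSA]

const WAF_WEB_ROOT     = '/var/www/html';   // assumed web root
const WAF_TARGET_PARAM = '__waf_target';    // assumed name, set by the .htaccess rule

// Preset rules ("parameter preset" in the patent). Sample values are constructed.
const WAF_BAD_FILENAMES = ['aux.asp', 'shell.asp', 'shell.php'];
const WAF_BAD_IPS       = ['198.51.100.7']; // TEST-NET-2 address as a sample blacklist
const WAF_BAD_METHODS   = ['PUT', 'HEAD'];
// Minimal SQL-injection signature for GET/POST/COOKIE values (assumed, not exhaustive).
const WAF_SQLI_PATTERN  = '/(\bunion\b.{0,20}\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|--\s*$)/i';

/** Collect the parameters step 202 lists: file name, source IP, method, submitted data. */
function waf_extract_request(string $targetFile, array $server, array $get, array $post, array $cookie): array
{
    return [
        'filename' => basename($targetFile),
        'ip'       => $server['REMOTE_ADDR'] ?? '',
        'method'   => strtoupper($server['REQUEST_METHOD'] ?? 'GET'),
        'data'     => array_merge($get, $post, $cookie),
    ];
}

/** Compare the extracted parameters with the preset rules; return the names of rules hit. */
function waf_hit_rules(array $req): array
{
    $hits = [];
    if (in_array(strtolower($req['filename']), WAF_BAD_FILENAMES, true)) {
        $hits[] = 'filename';
    }
    if (in_array($req['ip'], WAF_BAD_IPS, true)) {
        $hits[] = 'source_ip';
    }
    if (in_array($req['method'], WAF_BAD_METHODS, true)) {
        $hits[] = 'method';
    }
    foreach ($req['data'] as $name => $value) {
        // Decode once so that URL-encoded payloads are matched as well.
        if (is_string($value) && preg_match(WAF_SQLI_PATTERN, rawurldecode($value))) {
            $hits[] = 'sqli:' . $name;
            break;
        }
    }
    return $hits;
}

/** The patent's decision rule: an attack request when at least two rules are hit. */
function waf_is_attack(array $hits): bool
{
    return count($hits) >= 2;
}

// ---- request handling; only runs when invoked by the web server SAPI ----
if (PHP_SAPI !== 'cli') {
    $rewriteMode = isset($_GET[WAF_TARGET_PARAM]);
    $target = $rewriteMode
        ? WAF_WEB_ROOT . '/' . ltrim((string) $_GET[WAF_TARGET_PARAM], '/')
        : ($_SERVER['SCRIPT_FILENAME'] ?? '');
    $params = $_GET;
    unset($params[WAF_TARGET_PARAM]);

    $hits = waf_hit_rules(waf_extract_request($target, $_SERVER, $params, $_POST, $_COOKIE));
    if (waf_is_attack($hits)) {
        // Record the attack information and return the interception message to the visitor.
        error_log(sprintf('WAF block: %s %s from %s rules=%s',
            $_SERVER['REQUEST_METHOD'] ?? '', $_SERVER['REQUEST_URI'] ?? '',
            $_SERVER['REMOTE_ADDR'] ?? '', implode(',', $hits)));
        http_response_code(403);
        exit('Request blocked.');
    }
    if ($rewriteMode) {
        // Hand the request back to its original target. Confine the path to the web root
        // first, because the redirect parameter is client-controlled and must not turn the
        // WAF entry point into a way of including arbitrary files.
        $real = realpath($target);
        $root = realpath(WAF_WEB_ROOT);
        if ($real === false || $root === false
            || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0
            || substr($real, -4) !== '.php') {
            http_response_code(404);
            exit;
        }
        unset($_GET[WAF_TARGET_PARAM]);
        require $real;
        exit;
    }
    // Prepend mode: simply returning lets PHP continue with the original target script.
}
```

.user.ini is honoured only by the CGI/FastCGI SAPI and is re-read every user_ini.cache_ttl seconds (300 by default), so a newly written file takes effect after that interval rather than immediately.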
It is the module diagram of the server of the embodiment of the present application referring to Fig. 4, Fig. 4 includes:Request capture global module 11, attacks results decision module 12 and execution module 13.
Wherein, global request trapping module 11 is for capturing the request for files different in website, and will be directed toward different The request of file is redirected to the safety detection program based on script.
Specifically, when global request trapping module 11 is run under fastcgi patterns, it is requested to scan the request The first configuration file under catalogue where file;The configuration item in first configuration file is loaded, the configuration item is obtained and refers to Specified script file in fixed path;The specified script file is introduced into the head of the requested file destination of request Portion.When being run under non-fastcgi patterns, which is redirected to specified script file.
The attack decision module 12 analyzes the parameters of the request based on the security detection program, compares the parameters of the request with preset parameters, and judges based on the comparison result whether the request is an attack request.
In one embodiment, the server may further include an execution module 13 which, when the attack decision module 12 judges the request to be an attack request, applies the configured handling to the attack request. The configured handling includes one or more of: interception, tracking the attack path, and ignoring.
Corresponding to the embodiments of the attack-request determination method of the present application, the present application also provides embodiments of an attack-request determination device and equipment.
The embodiment of the attack-request determination device of the present application can be applied on a server. The device embodiment can be realized by software, by hardware, or by a combination of hardware and software. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware point of view, Fig. 5 is a hardware structure diagram of the equipment in which the attack-request determination device of the present application resides; besides the processor 510, memory 520, network interface 530 and non-volatile memory 550 shown in Fig. 5, the equipment in which the device of the embodiment resides may generally also include other hardware according to the actual function of the equipment, which is not shown one by one in Fig. 5.
Fig. 6 is a block diagram of an embodiment of the attack-request determination device of the present application. Referring to Fig. 6, the device can be applied on a server and includes a redirection unit 610 and a judging unit 620.
The redirection unit 610 receives requests for different files in the website and redirects the requests directed at the different files to the script-based security detection program;
The judging unit 620 analyzes the parameters of the request based on the security detection program and judges based on the analysis result whether the request is an attack request.
In an optional implementation, the redirection unit 610 may include (not shown in Fig. 6):
a first processing subunit, for introducing the specified script file at the head of the target file requested by the request when running in the first mode.
In an optional implementation, the first processing subunit may include (not shown in Fig. 6):
a first scanning module, for scanning for the first configuration file in the directory where the file requested by the request is located;
an acquisition module, for loading the configuration item in the first configuration file and obtaining the specified script file in the path that the configuration item specifies;
an introduction module, for introducing the specified script file at the head of the target file requested by the request.
In another optional implementation, the device may further include (not shown in Fig. 6):
a first execution unit, for continuing to execute the request in the target file requested by the request when running in the first mode, if the request is not an attack request.
In an optional implementation, the redirection unit 610 may include (not shown in Fig. 6):
a second processing subunit, for redirecting the request to the specified script file when running in the second mode.
In another optional implementation, the second processing subunit includes (not shown in Fig. 6):
a second scanning module, for scanning for the second configuration file under the root directory;
a redirection module, for redirecting the request to the specified script file based on the configuration information of the second configuration file.
In another optional implementation, the device may further include (not shown in Fig. 6):
a second execution unit, for sending the request on to the requested target file to continue execution when running in the second mode, if the request is not an attack request.
In another optional implementation, the judging unit 620 may include (not shown in Fig. 6):
an extraction subunit, for extracting the parameters in the request under the security detection program based on the specified script file;
a comparison subunit, for comparing the extracted parameters with the preset parameters;
a judging subunit, for judging the request to be an attack request when the comparison result shows that at least two parameters are consistent with the preset parameters.
In another optional implementation,
the extracted parameters include one or more of: the requested filename, the source Internet Protocol (IP) address, the submitted data, and the HTTP request headers.
In another optional implementation, the device may further include (not shown in Fig. 6):
a processing unit, for applying the configured handling to the attack request when the request is judged to be an attack request, the configured handling including one or more of: interception, tracking the attack path, and ignoring.
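The waf.php flow described earlier (a parameter hit leads to interception, otherwise the request continues to index.php) and the extraction, comparison, judging and processing units above, as one added example in Python. This is not the patent's code and the patent's own script is PHP; the preset values, the request layout, the sample requests and the regular-expression signatures are constructed for the example, and the "at least two parameters" rule is a constant that can be lowered to one to reproduce the single-hit interception of the waf.php walkthrough.

```python
"""Model of the extraction, comparison, judging and processing units.

Added example, not code from the patent. Four parameter classes are extracted
from a request (requested filename, source IP address, submitted data, HTTP
request headers), each is compared with preset parameters, and the request is
judged an attack when at least two classes match.
"""
import re

# Constructed preset parameters: a set of exact values or a list of
# regular-expression signatures per parameter class. The IP addresses are
# documentation-range addresses, not real hosts.
PRESET = {
    "filename": {"/admin/upload.php", "/shell.php"},
    "source_ip": {"203.0.113.7"},
    "submitted_data": [
        re.compile(r"union\s+select", re.I),
        re.compile(r"<script\b", re.I),
        re.compile(r"\.\./"),
    ],
    "headers": [
        re.compile(r"sqlmap", re.I),
        re.compile(r"nikto", re.I),
    ],
}
MATCH_THRESHOLD = 2   # "at least two parameters consistent with the preset"


def extract_parameters(request):
    """Extraction subunit: pull the four parameter classes out of a request dict
    of the constructed shape {path, remote_addr, data, headers}."""
    return {
        "filename": request.get("path", ""),
        "source_ip": request.get("remote_addr", ""),
        "submitted_data": " ".join(
            f"{k}={v}" for k, v in sorted(request.get("data", {}).items())),
        "headers": " ".join(
            f"{k}: {v}" for k, v in sorted(request.get("headers", {}).items())),
    }


def compare_with_preset(params):
    """Comparison subunit: names of the parameter classes that match the preset."""
    hits = []
    for name, value in params.items():
        preset = PRESET[name]
        if isinstance(preset, set):
            if value in preset:
                hits.append(name)
        elif any(sig.search(value) for sig in preset):
            hits.append(name)
    return hits


def judge(request):
    """Judging subunit: (is_attack, hits) with is_attack true when at least
    MATCH_THRESHOLD parameter classes agree with the preset."""
    hits = compare_with_preset(extract_parameters(request))
    return len(hits) >= MATCH_THRESHOLD, hits


def handle(request, action="intercept"):
    """Processing unit: intercept, track the attack path, or ignore. A request
    that is not judged an attack continues on to its target file."""
    is_attack, hits = judge(request)
    if not is_attack:
        return {"status": "pass", "target": request["path"], "hits": hits}
    if action == "intercept":
        return {"status": "intercepted", "hits": hits}
    if action == "track":
        # Let the request reach its target but record where it came from and
        # what it asked for, so the attack path can be reconstructed later.
        return {"status": "tracked", "target": request["path"], "hits": hits,
                "trail": [request["remote_addr"], request["path"]]}
    return {"status": "ignored", "target": request["path"], "hits": hits}


# Constructed sample requests.
BENIGN = {"path": "/index.php", "remote_addr": "198.51.100.20",
          "data": {"username": "alice"}, "headers": {"User-Agent": "Mozilla/5.0"}}
ONE_HIT = {"path": "/index.php", "remote_addr": "198.51.100.21",
           "data": {"username": "a UNION SELECT b"},
           "headers": {"User-Agent": "Mozilla/5.0"}}
TWO_HITS = {"path": "/index.php", "remote_addr": "203.0.113.7",
            "data": {"username": "a UNION SELECT b"},
            "headers": {"User-Agent": "Mozilla/5.0"}}

if __name__ == "__main__":
    for req in (BENIGN, ONE_HIT, TWO_HITS):
        print(handle(req))
```

Requiring agreement between two independent parameter classes (here a listed source address plus a signature in the submitted data) is what keeps a single noisy signature from intercepting legitimate traffic; the cost is that an attack matching only one class passes, which is why the tracking action exists alongside interception.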
For the functions of the units in the above device and the process by which they are realized, refer to the realization process of the corresponding steps in the above method; details are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for the related parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the above embodiments, when the server runs in fastcgi mode, the specified script file is introduced at the head of the target file requested by the received request; when running in non-fastcgi mode, the request is redirected to the specified script file by using the redirection feature of the configuration file. Thus all received Web requests can be identified automatically, and those judged to be attack requests can be intercepted, without modifying the file code, so that attack requests are prevented from attacking the website.
Those skilled in the art will readily think of other embodiments of the present application after considering the specification and practising the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or conventional techniques in the art not disclosed by the present application. The specification and embodiments are to be considered as illustrative only, with the true scope and spirit of the present application being indicated by the following claims.
It should be understood that the present application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.

Claims (24)

1. A method for determining an attack request, applied on a server, characterized in that it comprises:
receiving requests for different files in a website, and redirecting the requests directed at the different files to a script-based security detection program;
analyzing the parameters of the request based on the security detection program, and judging based on the analysis result whether the request is an attack request.
2. The method according to claim 1, characterized in that redirecting the requests directed at the different files to the script-based security detection program comprises:
when running in a first mode, introducing a specified script file at the head of the target file requested by the request.
3. The method according to claim 2, characterized in that introducing the specified script file at the head of the target file requested by the request comprises:
scanning for a first configuration file in the directory where the file requested by the request is located;
loading the configuration item in the first configuration file, and obtaining the specified script file in the path that the configuration item specifies;
introducing the specified script file at the head of the target file requested by the request.
4. The method according to claim 2, characterized in that after judging based on the analysis result whether the request is an attack request, the method further comprises:
if the request is not an attack request, when running in the first mode, continuing to execute the request in the target file requested by the request.
5. The method according to claim 1, characterized in that redirecting the requests directed at the different files to the script-based security detection program comprises:
when running in a second mode, redirecting the request to the specified script file.
6. The method according to claim 5, characterized in that redirecting the request to the specified script file comprises:
scanning for a second configuration file under the root directory;
redirecting the request to the specified script file based on the configuration information of the second configuration file.
7. The method according to claim 5, characterized in that after judging based on the analysis result whether the request is an attack request, the method further comprises:
if the request is not an attack request, when running in the second mode, sending the request on to the requested target file to continue execution.
8. The method according to claim 1, characterized in that analyzing the parameters of the request based on the security detection program and judging based on the analysis result whether the request is an attack request comprises:
extracting the parameters in the request under the security detection program based on the specified script file;
comparing the extracted parameters with preset parameters;
when the comparison result shows that at least two parameters are consistent with the preset parameters, judging the request to be an attack request.
9. The method according to claim 8, characterized in that the extracted parameters comprise one or more of: the requested filename, the source Internet Protocol (IP) address, the submitted data, and the Hypertext Transfer Protocol (HTTP) request headers.
10. The method according to any one of claims 1-9, characterized in that after judging based on the analysis result whether the request is an attack request, the method further comprises:
when the request is judged to be an attack request, applying configured handling to the attack request, the configured handling comprising one or more of: interception, tracking the attack path, and ignoring.
11. A server, characterized in that it comprises:
a global request capture module, for capturing requests for different files in a website and redirecting the requests directed at the different files to a script-based security detection program; when running in fastcgi mode, scanning for a first configuration file in the directory where the file requested by the request is located, loading the configuration item in the first configuration file, obtaining the specified script file in the path that the configuration item specifies, and introducing the specified script file at the head of the target file requested by the request; when running in non-fastcgi mode, redirecting the request to the specified script file;
an attack decision module, for analyzing the parameters of the request based on the security detection program, comparing the parameters of the request with preset parameters, and judging based on the comparison result whether the request is an attack request.
12. The server according to claim 11, characterized in that the server further comprises:
an execution module, for applying configured handling to the attack request when the attack decision module judges the request to be an attack request, the configured handling comprising one or more of: interception, tracking the attack path, and ignoring.
13. A device for determining an attack request, applied on a server, characterized in that it comprises:
a redirection unit, for receiving requests for different files in a website and redirecting the requests directed at the different files to a script-based security detection program;
a judging unit, for analyzing the parameters of the request based on the security detection program and judging based on the analysis result whether the request is an attack request.
14. The device according to claim 13, characterized in that the redirection unit comprises:
a first processing subunit, for introducing a specified script file at the head of the target file requested by the request when running in a first mode.
15. The device according to claim 12, characterized in that the first processing subunit comprises:
a first scanning module, for scanning for a first configuration file in the directory where the file requested by the request is located;
an acquisition module, for loading the configuration item in the first configuration file and obtaining the specified script file in the path that the configuration item specifies;
an introduction module, for introducing the specified script file at the head of the target file requested by the request.
16. The device according to claim 14, characterized in that the device further comprises:
a first execution unit, for continuing to execute the request in the target file requested by the request when running in the first mode, if the request is not an attack request.
17. The device according to claim 13, characterized in that the redirection unit comprises:
a second processing subunit, for redirecting the request to the specified script file when running in a second mode.
18. The device according to claim 17, characterized in that the second processing subunit comprises:
a second scanning module, for scanning for a second configuration file under the root directory;
a redirection module, for redirecting the request to the specified script file based on the configuration information of the second configuration file.
19. The device according to claim 17, characterized in that the device further comprises:
a second execution unit, for sending the request on to the requested target file to continue execution when running in the second mode, if the request is not an attack request.
20. The device according to claim 13, characterized in that the judging unit comprises:
an extraction subunit, for extracting the parameters in the request under the security detection program based on the specified script file;
a comparison subunit, for comparing the extracted parameters with preset parameters;
a judging subunit, for judging the request to be an attack request when the comparison result shows that at least two parameters are consistent with the preset parameters.
21. The device according to claim 20, characterized in that the extracted parameters comprise one or more of: the requested filename, the source Internet Protocol address, the submitted data, and the Hypertext Transfer Protocol (HTTP) request headers.
22. The device according to any one of claims 12-21, characterized in that the device further comprises:
a processing unit, for applying configured handling to the attack request when the request is judged to be an attack request, the configured handling comprising one or more of: interception, tracking the attack path, and ignoring.
23. Equipment for determining an attack request, characterized in that the equipment is a server comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to:
receive requests for different files in a website, and redirect the requests directed at the different files to a script-based security detection program;
analyze the parameters of the request based on the security detection program, and judge based on the analysis result whether the request is an attack request.
24. A computer storage medium in which program instructions are stored, characterized in that the instructions comprise:
receiving requests for different files in a website, and redirecting the requests directed at the different files to a script-based security detection program;
analyzing the parameters of the request based on the security detection program, and judging based on the analysis result whether the request is an attack request.
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title                                           Status
CN201710005255.0A    2017-01-04      2017-01-04    Method and device for judging attack request    Active (granted as CN108268774B)

Publications (2)

Publication Number   Publication Date
CN108268774A         2018-07-10
CN108268774B         2021-07-23

Family ID: 62770707

Country Status (1)

Country   Link
CN (1)    CN108268774B (en)

Cited By (3)

* Cited by examiner, † Cited by third party

Publication number   Priority date   Publication date   Assignee                           Title
CN111428237A *       2020-03-06      2020-07-17         支付宝(杭州)信息技术有限公司         Attack risk identification method, system and device and electronic equipment
CN113329032A *       2021-06-23      2021-08-31         深信服科技股份有限公司              Attack detection method, device, equipment and medium
CN113626106A *       2021-08-19      2021-11-09         吉林亿联银行股份有限公司            Method and system for realizing data interception

Citations (4)

* Cited by examiner, † Cited by third party

Publication number   Priority date   Publication date   Assignee                           Title
CN101789947A *       2010-02-21      2010-07-28         成都市华为赛门铁克科技有限公司       Method and firewall for preventing HTTP POST flooding attacks
CN102316087A *       2010-07-05      2012-01-11         潘塔安全***公司                    Method of detecting attacks on network applications
CN103916389A *       2014-03-19      2014-07-09         汉柏科技有限公司                    Method for preventing HttpFlood attack and firewall
US9443012B2 *        2012-01-31      2016-09-13         Ncr Corporation                    Method of determining http process information




Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant