CN108400955A - Network attack protection method and system - Google Patents
Network attack protection method and system
- Publication number
- CN108400955A (application number CN201710067267.6A)
- Authority
- CN
- China
- Prior art keywords
- information
- client
- network request
- address
- address information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Embodiments of the invention disclose a network attack protection method and system in the field of information processing. In the method of this embodiment, a network attack protection device parses a client's network request forwarded by a proxy machine to obtain the client's address information, computes a first check value from that address information, and uses the first check value to decide whether the client's address is added to a trust list keyed on client address. During protection, the device can then confirm directly from the address of the client that initiated a request, and the trust list, whether the client is a normal client. Compared with the prior-art trust list keyed on source IP, this prevents the situation, in systems where proxy machines are deployed, in which requests from zombie hosts pass through to the server because the proxy machine's IP hits the trust list.
Description
Technical field
The present invention relates to the field of information processing, and in particular to a network attack protection method and system.
Background technology
An attacker generates legitimate-looking requests directed at a victim host through proxy servers or zombie hosts, realising Distributed Denial of Service (DDoS) attacks and Challenge Collapsar (CC) attacks that masquerade as normal traffic. A zombie host, also called a puppet machine, is a machine that a hacker can control remotely, for example a computer whose user was induced to click on a remote-access Trojan such as "Gray Pigeon", or a vulnerable computer into which a Trojan was implanted; the hacker can manipulate it at will and use it for anything.
In the prior art, CC protection devices are deployed in the network. When a CC protection device detects that a server is under CC attack, it analyses the network requests sent by clients, extracts the network-layer source Internet Protocol (IP) address, computes a check value from that source IP, and derives from the check value a trust list keyed on source IP. During protection, if the network-layer source IP in a client's request is not on the trust list, the client is treated as a zombie host. But when proxy machines are deployed in the network, the network-layer source IP seen by the protection device belongs to the proxy machine, so with the existing method a large volume of zombie-host requests can hit the trust list and pass through to the server.
Invention content
Embodiments of the present invention provide a network attack protection method and system that determine the trust list from the address information of the client carried in the network request the client initiated.
An embodiment of the present invention provides a network attack protection method, including:
obtaining a client's network request forwarded by at least one level of proxy machine, and parsing the network request to obtain the address information of the client;
computing a first check value from the address information of the client;
if the network request further carries a second check value, and the second check value is consistent with the first check value, adding the address information of the client to a trust list and forwarding the network request to the server.
An embodiment of the present invention provides a network attack protection system, including:
a first address acquisition unit, for obtaining a client's network request forwarded by at least one level of proxy machine and parsing the network request to obtain the address information of the client;
a verification computing unit, for computing a first check value from the address information of the client;
a first processing unit, for adding the address information of the client to a trust list and forwarding the network request to the server if the network request further carries a second check value that is consistent with the first check value.
Thus, in the method of this embodiment, the network attack protection device parses a client's request forwarded by proxy machines to obtain the client's address, computes the first check value from that address, and uses the first check value to determine the trust list keyed on client address. During protection it can confirm directly from the address of the client that initiated a request, and the trust list, whether the client is a normal client. Compared with the prior-art trust list keyed on source IP, this prevents zombie-host requests from passing through to the server, in systems where proxy machines are deployed, because a proxy machine's IP hits the trust list.
Description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for their description are briefly introduced below. Clearly, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a system to which a network attack protection method provided by an embodiment of the present invention is applied;
Fig. 2 is a flow chart of a network attack protection method provided by an embodiment of the present invention;
Fig. 3 is a flow chart of another network attack protection method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a network attack protection method provided by an application embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network attack protection system provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another network attack protection system provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a network device provided by an embodiment of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, claims and drawings are used to distinguish similar objects and do not describe a particular order or sequence. It should be understood that data so labelled may be interchanged where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described. In addition, the terms "comprising" and "having" and their variants are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
The embodiment of the present invention provides a network attack protection method that applies mainly to the system shown in Fig. 1, which includes a client, at least one level of proxy machine (Fig. 1 illustrates multiple levels), a network attack protection device and a server. The client initiates network requests to the server, such as HyperText Transfer Protocol (HTTP) requests; the proxy machines forward the requests the client initiates; the network attack protection device determines from a client's network request whether the client is a zombie host, so as to protect the server against network attacks such as CC.
The method of this embodiment is performed by the network attack protection device in Fig. 1; its flow is shown in Fig. 2 and includes:
Step 101: obtain a client's network request forwarded by at least one level of proxy machine, and parse the network request to obtain the client's address information.
It should be understood that a user operates the client to initiate a network request, such as an HTTP request; the network attack protection device obtains the request after it has been forwarded by at least one level of proxy machine, and parses it to obtain the client's address information.
When a network request passes through any level of proxy machine, that proxy takes the source device address field in the request header (specifically the address of the previous network node) and places it in a specific field of the request, which for HTTP is the X-Forwarded-For header; it then writes its own address into the source device address field of the header and forwards the request to the next network node. If the system has multiple levels of proxy machines, the protection device receives the request forwarded by the last level, so the specific field (for example X-Forwarded-For) holds the addresses of every network node the request has passed through (the client and the proxy machines). In step 101 the protection device parses the content of that field and takes its first entry as the client's address. If the system has only one level of proxy machine, the protection device receives the request forwarded by that proxy and, in step 101, can take the whole content of the specific field (for example X-Forwarded-For) as the client's address.
If no proxy machines are deployed in the system, the specific field (for example X-Forwarded-For) is empty and the source device address field of the header carries the client's address.
Note that the method of this embodiment may be executed starting from the moment the network attack protection device detects that the server is under CC attack, or at any time during communication between the client and the server.
Step 102: compute a first check value from the client's address information. Specifically, the network attack protection device forms an information group from the client's address and other information, such as the address of the destination device, and hashes the information group to obtain the first check value.
Step 103: if the network request further carries a second check value and the second check value is consistent with the first check value, the client is a normal client: add the client's address to the trust list and forward the request to the server. Otherwise, if the request carries no second check value, or the second check value is inconsistent with the first, return the first check value to the client so that the client can initiate a network request carrying it.
The second check value is the check value that the protection device computed from the client's address when the client first initiated a network request, and returned to the client in response to that first request. A normal client re-initiates the request carrying the second check value. A zombie host does not parse the check value returned by the protection device, so the request it re-initiates carries no second check value.
Note that once the protection device has established the trust list, when a client on that list initiates a network request again, the device can confirm directly from the trust list that the client is normal and forward the request to the server.
Thus, in the method of this embodiment, the network attack protection device parses a client's request forwarded by proxy machines to obtain the client's address, computes the first check value from that address, and uses the first check value to determine the trust list keyed on client address. During protection it can confirm directly from the address of the client that initiated a request, and the trust list, whether the client is a normal client. Compared with the prior-art trust list keyed on source IP, this prevents zombie-host requests from passing through to the server, in systems where proxy machines are deployed, because a proxy machine's IP hits the trust list.
As shown in Fig. 3, in a specific embodiment the network attack protection device first performs step 104 after step 101:
Step 104: match the client's address against the locally stored trust list. On a match, the client that initiated the request is a normal client; go to step 105. On no match, perform steps 102 and 103, that is, compute the first check value from the client's address, confirm from the first check value whether the client is a normal client, and then add it to the trust list.
Step 105: forward the network request to the server.
In another specific embodiment, before step 102 the protection device also parses the network request to obtain the address of at least one level of proxy machine, and in step 102 computes the first check value from the client's address together with the proxy addresses. In that case, when adding the client's address to the trust list in step 103, the device also adds the proxy addresses, associated with the client's address.
Specifically, to obtain the proxy addresses the protection device parses the content of the forwarding field (X-Forwarded-For) of the request and takes at least one entry other than the first as the proxy addresses; or it parses both the forwarding field and the source device address field of the header, and takes the entries other than the first together with the content of the source device address field as the proxy addresses. Here the first entry of the forwarding field is the client's address.
In another specific embodiment, to prevent a hacker from capturing and forging the check value, when the protection device generates the second check value on the client's first request it includes an update parameter whose value changes on a preset period (for example every half hour), so that the second check value it generates has a limited validity.
If the client then takes longer than the preset period to initiate its request carrying the second check value, the first check value the protection device computes in step 102 is derived from the client's address and the update parameter as updated in the meantime (that is, it hashes an information group formed from the client's address, the current update parameter and the other information). Because the update parameter has changed, the first check value no longer matches the second check value in the request, and the device returns the first check value to the client so that the client can initiate a request carrying it within the preset period.
The update parameter may be the value of any parameter, as long as that value is updated on the preset period.
The method of this embodiment is illustrated below with a specific application example in the system of Fig. 1, taking one and two levels of proxy machine as examples. The client's network requests are HTTP requests, and the address information of the client and of the proxy machines is their IP information. Then in this embodiment:
(1) For the case where one level of proxy machine is deployed in the system of Fig. 1, the flow of the network attack protection method is shown in Fig. 4 and includes:
Step 201: the client initiates an HTTP request, writes its IP into the source device address field of the request header, and sends the request to the proxy machine. The proxy machine moves the client IP from the source device address field into the X-Forwarded-For field of the HTTP request, writes its own IP into the source device address field of the header, and forwards the request.
Step 202: the protection device obtains the HTTP request forwarded by the proxy machine and parses the X-Forwarded-For field to obtain the client IP. If the client IP hits the trust list stored by the protection device, the client is a normal client and the request is forwarded to the server; otherwise go to step 203.
Step 203: the protection device forms an information group from the client IP and other information (such as the IP of the destination device) and computes a 32-bit hash value over the group with a cyclic redundancy check (CRC) algorithm; that hash value is the first check value.
Step 204: the protection device parses the Cookie field of the forwarded HTTP request. If the field contains a second check value that is consistent with the first check value, the client IP is added to the trust list and the request is forwarded to the server. If the field contains no second check value, or the second check value is inconsistent with the first, go to step 205.
Step 205: the protection device returns the first check value to the client, specifically by embedding it in a piece of JavaScript that travels back to the client through the proxy machine.
Step 206: a normal client executes the JavaScript, parses out the first check value, places it in the Cookie field of the network request and re-initiates the request. When the protection device receives the request initiated by the normal client, it protects according to steps 201 to 204.
A zombie host does not execute the JavaScript; it simply re-initiates the request, which carries no check value of any kind, so when the protection device receives the zombie host's request it proceeds according to steps 201 to 203 and step 205.
Further, in other specific embodiments, when performing step 203 the protection device also parses the source device address field of the request header, which contains the proxy machine's IP, and forms the information group from the proxy IP, the client IP and the other information before computing the first check value.
In addition, when computing the first check value in step 203, the protection device may use the client IP, the update parameter updated on the preset period, and the other information.
(2) For the case where two levels of proxy machine are deployed in the system of Fig. 1, the method performed by the protection device is similar to the one-level case. The difference is that after the first-level proxy forwards the HTTP request, the second-level proxy receives it, moves the first-level proxy's IP from the source device address field of the header into the X-Forwarded-For field (which then contains the client IP followed by the first-level proxy's IP), writes its own IP into the source device address field, and forwards the request. When the protection device obtains the request forwarded by the second-level proxy, it parses the first entry of the X-Forwarded-For field as the client IP.
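The flow of steps 201 to 206 above, including the trust-list check of step 104, the proxy addresses in the information group, the period-updated parameter and the two-level proxy case, carried out in Python as an added example. This is not code from the patent or its applicant. It assumes a protection device behind the last proxy hop that sees the layer-3 remote address and the HTTP headers, a cookie named `chk` (the patent only says "the Cookie field"), a 30-minute period, and a device-held key `SECRET`; these names and the sample addresses are constructed. The patent's application example hashes the information group with CRC32, which is reproduced for reference, but CRC32 is unkeyed and anyone who knows the inputs can compute it, so the decision path below uses a keyed HMAC over the same information group.

```python
"""Added example: server-side flow of the protection device (steps 201-206).
Not the patent's code; cookie name, period, key and addresses are assumptions."""
import hashlib
import hmac
import zlib

PERIOD_SECONDS = 1800           # patent: update parameter changes per preset period, e.g. half an hour
COOKIE_NAME = "chk"             # assumption: the patent only says "the Cookie field"
SECRET = b"device-held-secret"  # assumption: the patent's CRC32 example has no key


def parse_addresses(headers, remote_addr):
    """Step 101/202: the first X-Forwarded-For entry is the client; the remaining
    entries plus the layer-3 source address are the proxy machines.
    With no X-Forwarded-For at all, the source address itself is the client."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr, []
    return hops[0], hops[1:] + [remote_addr]


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def period_param(now, period=PERIOD_SECONDS):
    """Update parameter: any value that changes once per preset period."""
    return int(now // period)


def compute_check(client_ip, dest_ip, param, proxies=(), keyed=True):
    """Step 102/203: check value over the information group (client address,
    destination address, update parameter, optionally the proxy addresses).
    keyed=False reproduces the patent's CRC32 example; keyed=True is an HMAC."""
    group = "|".join([client_ip, dest_ip, str(param), *proxies]).encode()
    if not keyed:
        return "%08x" % zlib.crc32(group)
    return hmac.new(SECRET, group, hashlib.sha256).hexdigest()[:16]


class Protector:
    """Network attack protection device holding its local trust list."""

    def __init__(self, dest_ip, include_proxies=False):
        self.dest_ip = dest_ip
        self.include_proxies = include_proxies
        self.trust = {}  # client_ip -> proxy addresses stored alongside it (step 103)

    def handle(self, headers, remote_addr, now):
        """Returns ("forward", client_ip) or ("challenge", first_check)."""
        client_ip, proxies = parse_addresses(headers, remote_addr)
        if client_ip in self.trust:                   # step 104/202: trust-list hit
            return "forward", client_ip
        first = compute_check(client_ip, self.dest_ip, period_param(now),
                              proxies if self.include_proxies else ())
        second = parse_cookie(headers.get("Cookie", "")).get(COOKIE_NAME, "")
        if second and hmac.compare_digest(second.encode(), first.encode()):
            self.trust[client_ip] = proxies           # step 103/204: add to trust list
            return "forward", client_ip
        return "challenge", first                     # step 205: return first check value


def demo(now=1_700_000_000):
    """Constructed exchanges behind a two-level proxy chain (patent case (2)).
    Returns the device's decision for each scenario."""
    dev = Protector(dest_ip="203.0.113.10", include_proxies=True)
    edge = "192.0.2.2"                                        # second-level proxy = remote addr
    normal = {"X-Forwarded-For": "198.51.100.7, 192.0.2.1"}   # client, first-level proxy
    bot = {"X-Forwarded-For": "198.51.100.99, 192.0.2.1"}
    out = {}
    # normal client: challenged, runs the JavaScript, re-requests with the cookie (step 206)
    act, first = dev.handle(normal, edge, now)
    out["normal_first"] = act
    with_cookie = dict(normal, Cookie=f"sid=abc; {COOKIE_NAME}={first}")
    out["normal_second"] = dev.handle(with_cookie, edge, now)[0]
    out["normal_third_no_cookie"] = dev.handle(normal, edge, now)[0]   # trust-list hit
    # zombie host: never executes the JavaScript, re-requests bare
    out["bot_first"] = dev.handle(bot, edge, now)[0]
    out["bot_second"] = dev.handle(bot, edge, now)[0]
    # stale cookie: a check value from an earlier period no longer matches
    stale = dict(bot, Cookie=f"{COOKIE_NAME}={dev.handle(bot, edge, now)[1]}")
    out["stale_cookie"] = dev.handle(stale, edge, now + 2 * PERIOD_SECONDS)[0]
    out["trusted"] = dev.trust
    return out


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:24} {decision}")
```

Running `demo()` shows the three exchanges: the normal client is challenged once, forwarded on the cookie match, and thereafter forwarded on the trust-list hit without any cookie; the zombie host is challenged on every request; a cookie presented two periods late is rejected and a fresh challenge issued. The device can only be as sure of the client address as it is of its proxy chain: the first X-Forwarded-For entry is whatever the first hop wrote there, so the proxies must overwrite or append rather than pass through a client-supplied header, otherwise the trust-list lookup of step 202 keys on an attacker-chosen value.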
An embodiment of the present invention also provides a network attack protection system, whose structure is shown in Fig. 5 and which may include:
a first address acquisition unit 10, for obtaining a client's network request forwarded by at least one level of proxy machine and parsing the request to obtain the address information of the client. Specifically, the first address acquisition unit 10 parses the content of the forwarding field (X-Forwarded-For) of the request and takes either the whole content of that field, or its first entry, as the client's address;
a verification computing unit 11, for computing a first check value from the client's address obtained by the first address acquisition unit 10. Specifically, the verification computing unit 11 may compute the first check value from the client's address together with an update parameter that is updated on a preset period;
a first processing unit 12, for adding the client's address to a trust list and forwarding the request to the server if the request further carries a second check value that is consistent with the first check value computed by the verification computing unit 11.
Thus, in the protection system of this embodiment, the first address acquisition unit 10 parses a client's request forwarded by proxy machines to obtain the client's address, the verification computing unit 11 computes the first check value from that address, and the first processing unit 12 uses the first check value to determine the trust list keyed on client address. During protection, the system can confirm directly from the address of the client that initiated a request, and the trust list, whether the client is a normal client. Compared with the prior-art trust list keyed on source IP, this prevents zombie-host requests from passing through to the server, in systems where proxy machines are deployed, because a proxy machine's IP hits the trust list.
As shown in Fig. 6, in a specific embodiment the protection system may include, in addition to the structure of Fig. 5, a second address acquisition unit 13 and a second processing unit 14:
the second address acquisition unit 13 parses the request to obtain the address of at least one level of proxy machine; the verification computing unit 11 then computes the first check value from the client's address obtained by the first address acquisition unit 10 together with the proxy addresses obtained by the second address acquisition unit 13. Specifically, the second address acquisition unit 13 parses the content of the forwarding field of the request and takes at least one entry other than the first as the proxy addresses; or it parses the forwarding field and the source device address field of the header, and takes the entries other than the first together with the content of the source device address field as the proxy addresses.
In this embodiment the first processing unit 12 additionally matches the client's address obtained by the first address acquisition unit 10 against the locally stored trust list; on a match it forwards the request to the server, and on a miss it notifies the verification computing unit 11 to compute the first check value.
The second processing unit 14 returns the first check value to the client when the request carries no second check value, or when the second check value is inconsistent with the first, so that the client can initiate a request carrying the first check value.
In this embodiment, once the first address acquisition unit 10 has obtained the client's address, that address is first matched against the local trust list, and the verification computing unit 11 is notified to compute the first check value only when there is no match.
An embodiment of the present invention also provides a network device, whose structure is shown schematically in Fig. 7. The network device may differ considerably depending on configuration or performance, and may include one or more central processing units (CPU) 20 (for example, one or more processors), a memory 21, and one or more storage media 22 (for example, one or more mass storage devices) storing application programs 221 or data 222. The memory 21 and the storage medium 22 may be transient storage or persistent storage. The program stored in the storage medium 22 may include one or more modules (not shown in the figure), each of which may include a series of instruction operations in the network device. Further, the central processing unit 20 may be configured to communicate with the storage medium 22 and to execute, on the network device, the series of instruction operations in the storage medium 22.
Specifically, the application programs 221 stored in the storage medium 22 include a network attack protection application, which may include the first address acquisition unit 10, the check computing unit 11, the first processing unit 12, the second address acquisition unit 13 and the second processing unit 14 of the network attack protection system described above; these are not repeated here. Further, the central processing unit 20 may be configured to communicate with the storage medium 22 and to execute, on the network device, the series of operations corresponding to the network attack protection application stored in the storage medium 22.
The network device may also include one or more power supplies 23, one or more wired or wireless network interfaces 24, one or more input/output interfaces 25, and/or one or more operating systems 223, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like.
The steps performed by the network attack protection system in the method embodiment described above may be implemented on the structure of the network device shown in Fig. 7.
Those of ordinary skill in the art will understand that all or part of the steps in the methods of the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The network attack protection method and system provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present invention, and the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the idea of the present invention, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (14)
1. A network attack protection method, characterized in that it comprises:
obtaining a network request of a client forwarded by at least one level of proxy machine, and parsing the network request to obtain address information of the client;
calculating first check information according to the address information of the client;
if the network request further contains second check information and the second check information is consistent with the first check information, adding the address information of the client to a trust list and forwarding the network request to a server.
2. The method of claim 1, characterized in that parsing the network request to obtain the address information of the client specifically comprises:
parsing the content of a forwarding field of the network request, and taking the content of the forwarding field as the address information of the client, or taking the first item of the forwarding field as the address information of the client.
3. The method of claim 1, characterized in that, after obtaining the network request of the client forwarded by the proxy machine, the method further comprises:
parsing the network request to obtain address information of the at least one level of proxy machine;
and calculating the first check information according to the address information of the client specifically comprises: calculating the first check information according to the address information of the client and the address information of the at least one level of proxy machine.
4. The method of claim 3, characterized in that parsing the network request to obtain the address information of the at least one level of proxy machine specifically comprises:
parsing the content of the forwarding field of the network request, and taking at least one item of the forwarding field other than the first item as the address information of the at least one level of proxy machine; or
parsing the forwarding field of the network request and the content of a source device address field in the message header, and taking the items of the forwarding field other than the first item together with the content of the source device address field as the address information of the at least one level of proxy machine.
5. The method of claim 1, characterized in that calculating the first check information according to the address information of the client specifically comprises:
calculating the first check information according to the address information of the client and an update parameter value that is updated at a preset period.
6. The method of any one of claims 1 to 5, characterized in that, before calculating the first check information according to the address information of the client, the method further comprises:
matching the address information of the client against a locally stored trust list; if it matches, forwarding the network request to the server; if it does not match, executing the step of calculating the first check information.
7. The method of any one of claims 1 to 5, characterized in that the method further comprises:
if the network request does not contain the second check information, or the second check information is inconsistent with the first check information, returning the first check information to the client so that the client initiates a network request carrying the first check information.
8. A network attack protection system, characterized in that it comprises:
a first address acquisition unit, configured to obtain a network request of a client forwarded by at least one level of proxy machine and to parse the network request to obtain address information of the client;
a check computing unit, configured to calculate first check information according to the address information of the client;
a first processing unit, configured to, if the network request further contains second check information and the second check information is consistent with the first check information, add the address information of the client to a trust list and forward the network request to a server.
9. The system of claim 8, characterized in that
the first address acquisition unit is specifically configured to parse the content of a forwarding field of the network request and take the content of the forwarding field as the address information of the client, or take the first item of the forwarding field as the address information of the client.
10. The system of claim 8, characterized in that it further comprises:
a second address acquisition unit, configured to parse the network request to obtain address information of the at least one level of proxy machine;
and the check computing unit is specifically configured to calculate the first check information according to the address information of the client and the address information of the at least one level of proxy machine.
11. The system of claim 10, characterized in that
the second address acquisition unit is specifically configured to parse the content of the forwarding field of the network request and take at least one item of the forwarding field other than the first item as the address information of the at least one level of proxy machine; or to parse the forwarding field of the network request and the content of a source device address field in the message header, and take the items of the forwarding field other than the first item together with the content of the source device address field as the address information of the at least one level of proxy machine.
12. The system of claim 8, characterized in that
the check computing unit is specifically configured to calculate the first check information according to the address information of the client and an update parameter value that is updated at a preset period.
13. The system of any one of claims 8 to 12, characterized in that
the first processing unit is further configured to match the address information of the client against a locally stored trust list; if it matches, forward the network request to the server; if it does not match, notify the check computing unit to calculate the first check information.
14. The system of claim 13, characterized in that it further comprises:
a second processing unit, configured to, if the network request does not contain the second check information or the second check information is inconsistent with the first check information, return the first check information to the client so that the client initiates a network request carrying the first check information.
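The following is an added worked example, not code from the patent or its applicant, that implements the procedure described for units 10 to 14 in the embodiment above and in claims 1 to 7 (and their system counterparts, claims 8 to 14): the forwarding field (assumed here to be X-Forwarded-For) is split into the client address and the proxy chain including the packet's source address, the first check information is derived from those plus a parameter that changes every preset period, the trust list short-circuits already-verified clients, and a request with a missing or mismatched token is answered with the token so the client can retry. The server-side secret key, the 300-second period and the X-Check-Info header that carries the second check information are assumptions not stated on the page. One caveat the claims leave implicit: the first item of the forwarding field is written by whoever is upstream, so unless the check information is keyed with a secret known only to the protection device a bot can compute a valid token itself; binding the token to the proxy chain and source address (claims 3 and 4) at least prevents a token issued on one path from being replayed through another.

```python
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed parameters (not stated by the patent): a server-side secret keys the
# check information so a bot cannot compute a valid token itself, the "preset
# period" of claim 5 is 300 s, and the second check information travels in a
# hypothetical X-Check-Info request header.
SERVER_SECRET = b"example-secret-rotate-in-production"
UPDATE_PERIOD_SECONDS = 300
CHECK_HEADER = "X-Check-Info"
FORWARDING_HEADER = "X-Forwarded-For"   # the "forwarding field" of claims 2 and 4


def parse_forwarding_field(value: str) -> list:
    """Split a comma-separated forwarding field into validated IP literals,
    left to right (originating client first, nearest proxy last)."""
    items = []
    for raw in value.split(","):
        raw = raw.strip()
        if raw:
            items.append(str(ipaddress.ip_address(raw)))  # ValueError on junk
    return items


def client_and_proxies(headers: dict, source_address: str) -> tuple:
    """Claims 2 and 4: the first forwarding-field item is the client; the
    remaining items plus the packet's source address form the proxy chain."""
    items = parse_forwarding_field(headers.get(FORWARDING_HEADER, ""))
    source = str(ipaddress.ip_address(source_address))
    if not items:
        return source, []          # no proxy: the peer itself is the client
    return items[0], items[1:] + [source]


def update_parameter(now: float) -> int:
    """Claim 5: a value that changes once per preset period, so tokens expire."""
    return int(now // UPDATE_PERIOD_SECONDS)


def compute_check_info(client: str, proxies: list, period: int) -> str:
    """First check information: keyed hash over client, proxy chain and period."""
    msg = "|".join([client, *proxies, str(period)]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Guard:
    """The protection device sitting in front of the server."""
    trust_list: set = field(default_factory=set)

    def handle(self, headers: dict, source_address: str,
               now: Optional[float] = None) -> tuple:
        """Returns ("forward", None) or ("challenge", first_check_information)."""
        now = time.time() if now is None else now
        client, proxies = client_and_proxies(headers, source_address)
        # Claims 6/13: a client already on the trust list is forwarded directly.
        if client in self.trust_list:
            return ("forward", None)
        period = update_parameter(now)
        first = compute_check_info(client, proxies, period)
        second = headers.get(CHECK_HEADER)
        if second is not None:
            # Accept the current period and the previous one so a token issued
            # just before a boundary is not rejected; compare in constant time.
            for p in (period, period - 1):
                if hmac.compare_digest(second, compute_check_info(client, proxies, p)):
                    self.trust_list.add(client)      # claim 1
                    return ("forward", None)
        # Claims 7/14: no token or a stale/forged token -> challenge the client.
        return ("challenge", first)


def demo_exchange() -> list:
    """Constructed two-round exchange: the first request is challenged, the
    retry with the returned token is forwarded and the client becomes trusted."""
    guard = Guard()
    headers = {FORWARDING_HEADER: "203.0.113.7, 198.51.100.2"}   # constructed
    source = "192.0.2.10"                                          # nearest proxy
    action1, token = guard.handle(headers, source, now=1000.0)
    action2, _ = guard.handle({**headers, CHECK_HEADER: token}, source, now=1001.0)
    action3, _ = guard.handle(headers, source, now=1002.0)
    return [action1, action2, action3, "203.0.113.7" in guard.trust_list]


if __name__ == "__main__":
    print(demo_exchange())
```

The trust list is keyed on the client address only, as in claim 1, so a trusted entry is honoured regardless of which path later requests take; a deployment that wants the stricter behaviour can key it on the (client, proxy chain) pair instead. Tokens from two periods back are rejected, which bounds how long a captured token can be replayed to around twice the preset period.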
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710067267.6A CN108400955B (en) | 2017-02-06 | 2017-02-06 | Network attack protection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108400955A true CN108400955A (en) | 2018-08-14 |
CN108400955B CN108400955B (en) | 2020-12-22 |
Family
ID=63094508
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710067267.6A Active CN108400955B (en) | 2017-02-06 | 2017-02-06 | Network attack protection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108400955B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110636068A (en) * | 2019-09-24 | 2019-12-31 | 杭州安恒信息技术股份有限公司 | Method and device for identifying unknown CDN node in CC attack protection |
CN110636068B (en) * | 2019-09-24 | 2022-01-28 | 杭州安恒信息技术股份有限公司 | Method and device for identifying unknown CDN node in CC attack protection |
CN112272164A (en) * | 2020-09-30 | 2021-01-26 | 新华三信息安全技术有限公司 | Message processing method and device |
CN112953921A (en) * | 2021-02-02 | 2021-06-11 | 深信服科技股份有限公司 | Scanning behavior identification method, device, equipment and storage medium |
CN114237179A (en) * | 2021-12-16 | 2022-03-25 | 常熟华庆汽车部件有限公司 | Implementation method of flexible coating automatic control system based on industrial Internet of things |
CN114237179B (en) * | 2021-12-16 | 2023-09-08 | 常熟华庆汽车部件有限公司 | Implementation method of flexible coating automatic control system based on industrial Internet of things |
CN114640704A (en) * | 2022-05-18 | 2022-06-17 | 山东云天安全技术有限公司 | Communication data acquisition method, system, computer equipment and readable storage medium |
CN114640704B (en) * | 2022-05-18 | 2022-08-19 | 山东云天安全技术有限公司 | Communication data acquisition method, system, computer equipment and readable storage medium |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050166049A1 (en) * | 2004-01-26 | 2005-07-28 | Cisco Technologies, Inc. | Upper-level protocol authentication |
CN101834866A (en) * | 2010-05-05 | 2010-09-15 | 北京来安科技有限公司 | CC (Communication Center) attack protective method and system thereof |
CN102404345A (en) * | 2011-12-26 | 2012-04-04 | 山石网科通信技术(北京)有限公司 | Distributed attack prevention method and device |
CN102571547A (en) * | 2010-12-29 | 2012-07-11 | 北京启明星辰信息技术股份有限公司 | Method and device for controlling hyper text transport protocol (HTTP) traffic |
CN103607392A (en) * | 2010-12-14 | 2014-02-26 | 华为数字技术(成都)有限公司 | Method and device used for preventing fishing attack |
CN103888490A (en) * | 2012-12-20 | 2014-06-25 | 上海天泰网络技术有限公司 | Automatic WEB client man-machine identification method |
CN103916389A (en) * | 2014-03-19 | 2014-07-09 | 汉柏科技有限公司 | Method for preventing HttpFlood attack and firewall |
CN104023024A (en) * | 2014-06-13 | 2014-09-03 | 中国民航信息网络股份有限公司 | Network defense method and device |
CN104079557A (en) * | 2014-05-22 | 2014-10-01 | 汉柏科技有限公司 | CC attack protection method and device |
CN104113559A (en) * | 2014-08-13 | 2014-10-22 | 浪潮电子信息产业股份有限公司 | Method for resisting tcp full-link attack |
CN104378450A (en) * | 2013-08-12 | 2015-02-25 | 深圳市腾讯计算机***有限公司 | Protection method and device for network attacks |
CN104519018A (en) * | 2013-09-29 | 2015-04-15 | 阿里巴巴集团控股有限公司 | Method, device and system for preventing malicious requests for server |
CN105075216A (en) * | 2013-03-11 | 2015-11-18 | 思科技术公司 | Identification of originating IP address and client port connection |
CN105100093A (en) * | 2015-07-15 | 2015-11-25 | 联动优势科技有限公司 | Identity authentication method and identity authentication server |
CN105959313A (en) * | 2016-06-29 | 2016-09-21 | 杭州迪普科技有限公司 | Method and device for preventing HTTP proxy attack |
2017-02-06 | CN | CN201710067267.6A patent/CN108400955B/en | active Active
Also Published As
Publication number | Publication date |
---|---|
CN108400955B (en) | 2020-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111079104B (en) | Authority control method, device, equipment and storage medium | |
US9985989B2 (en) | Managing dynamic deceptive environments | |
US10432652B1 (en) | Methods for detecting and mitigating malicious network behavior and devices thereof | |
US11388189B2 (en) | Method for detecting brute force attack and related apparatus | |
CN108400955A (en) | A kind of means of defence and system of network attack | |
CN103067385B (en) | The method of defence Hijack Attack and fire compartment wall | |
US11381629B2 (en) | Passive detection of forged web browsers | |
Li et al. | Security issues in OAuth 2.0 SSO implementations | |
US8516575B2 (en) | Systems, methods, and media for enforcing a security policy in a network including a plurality of components | |
US11212281B2 (en) | Attacker detection via fingerprinting cookie mechanism | |
US11330016B2 (en) | Generating collection rules based on security rules | |
EP2472822A2 (en) | Method and system for estimating the reliability of blacklists of botnet-infected computers | |
Albin | A comparative analysis of the snort and suricata intrusion-detection systems | |
CN112398781B (en) | Attack testing method, host server and control server | |
CN109617917A (en) | Address virtual Web application security firewall methods, devices and systems | |
CN106576051A (en) | Zero day threat detection using host application/program to user agent mapping | |
Masoud et al. | On tackling social engineering web phishing attacks utilizing software defined networks (SDN) approach | |
Morais et al. | Security protocol testing using attack trees | |
JP2024023875A (en) | Inline malware detection | |
KR20110029340A (en) | Protection system against ddos | |
Ahmed et al. | PhishCatcher: Client-Side Defense Against Web Spoofing Attacks Using Machine Learning | |
Bruschi et al. | Formal verification of ARP (address resolution protocol) through SMT-based model checking-A case study | |
CN116074280A (en) | Application intrusion prevention system identification method, device, equipment and storage medium | |
Wang et al. | Transparent discovery of hidden service | |
Karlström | The WebSocket protocol and security: best practices and worst weaknesses |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication ||
SE01 | Entry into force of request for substantive examination ||
GR01 | Patent grant ||