CN108400955A - Network attack protection method and system - Google Patents

Network attack protection method and system

Info

Publication number: CN108400955A
Authority: CN (China)
Prior art keywords: information, client, network request, address, address information
Legal status: Granted (Google's note: the legal status is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201710067267.6A
Other languages: Chinese (zh)
Other versions: CN108400955B (en)
Inventors: 金帅, 张浩浩
Current assignee: Tencent Technology Shenzhen Co Ltd (Google's note: the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201710067267.6A; publication of CN108400955A; application granted; publication of CN108400955B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network security protocols for authentication of entities
    • H04L63/0876 Authentication based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network security protocols for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses a network attack protection method and system in the technical field of information processing. In the method of this embodiment, the network attack protection device parses the client's network request forwarded by a proxy machine to obtain the client's address information, calculates first check information from that address information, and uses the first check information to decide whether the client's address is placed on a trust list. During protection against a network attack, the device can then confirm directly from the address of the client that initiated a request, and the trust list, whether the client is a normal client. Compared with the prior-art trust list keyed on network-layer source IP, this prevents requests from zombie hosts being passed transparently to the server when proxy machines are deployed in the system, which in the prior art happens because the proxy machine's IP hits the trust list.

Description

Network attack protection method and system
Technical field
The present invention relates to the technical field of information processing, and in particular to a network attack protection method and system.
Background
An attacker generates legitimate-looking requests directed at a victim host through proxy servers or zombie hosts, and in this way mounts a distributed denial of service (DDoS) attack disguised as ordinary traffic, the Challenge Collapsar (CC) attack. A zombie host, also called a puppet machine, is a machine that a hacker can control remotely: for example, a computer that was compromised after the user was induced to click on malware such as "Gray Pigeon", or a computer whose vulnerability allowed a trojan to be planted. The hacker can manipulate it at will and use it to do anything.
In the prior art, a CC protection device is deployed in the network. When the CC protection device detects that the server is under CC attack, it analyses the network requests sent to it by clients, extracts the network-layer source Internet Protocol (IP) information, performs a check calculation on that source IP to obtain check information, and builds a trust list based on source IP from the check information. During protection, if the network-layer source IP in some client's request is not on the trust list, that client is a zombie. But where proxy machines are deployed in the network, the existing protection method lets a large number of requests sent by zombies through to the server transparently, because the proxy machine's IP hits the trust list.
Summary of the invention
Embodiments of the present invention provide a network attack protection method and system, which determine a trust list from the address information of the client carried in the network request the client initiates.
An embodiment of the present invention provides a network attack protection method, comprising:
obtaining a client's network request forwarded by at least one level of proxy machine, and parsing the network request to obtain the address information of the client;
calculating first check information from the address information of the client;
if the network request further contains second check information, and the second check information is consistent with the first check information, adding the address information of the client to a trust list and forwarding the network request to the server.
An embodiment of the present invention provides a network attack protection system, comprising:
a first address acquisition unit, for obtaining a client's network request forwarded by at least one level of proxy machine, and parsing the network request to obtain the address information of the client;
a check calculation unit, for calculating first check information from the address information of the client;
a first processing unit, for adding the address information of the client to a trust list and forwarding the network request to the server if the network request further contains second check information that is consistent with the first check information.
As can be seen, in the method of this embodiment the network attack protection device parses the client's network request forwarded by the proxy machine to obtain the client's address information, calculates first check information from that address information, and decides from the first check information whether the client's address is placed on the trust list. During protection against a network attack, whether a client is a normal client can then be confirmed directly from the address of the client initiating the request and the trust list. Compared with the prior-art trust list based on network-layer source IP, this prevents zombie requests being passed transparently to the server when proxy machines are deployed in the system, which in the prior art happens because the proxy machine's IP hits the trust list.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of a system to which the network attack protection method provided in an embodiment of the present invention is applied;
Fig. 2 is a flowchart of a network attack protection method provided in an embodiment of the present invention;
Fig. 3 is a flowchart of another network attack protection method provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of a network attack protection method provided in an application example of the present invention;
Fig. 5 is a structural schematic diagram of a network attack protection system provided in an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of another network attack protection system provided in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of a network device provided in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the drawings are used to distinguish similar objects and do not describe a particular order or sequence. Data so labelled may be interchanged where appropriate, so that the embodiments described here can be carried out in an order other than the one illustrated or described. The terms "comprising" and "having", and any variants of them, are intended to cover a non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or are inherent to that process, method, product or device.
An embodiment of the present invention provides a network attack protection method, applicable mainly to the system shown in Fig. 1. That system comprises clients, at least one level of proxy machine (Fig. 1 illustrates multiple levels), a network attack protection device and a server. The client initiates network requests to the server, for example Hypertext Transfer Protocol (HTTP) requests; the proxy machine forwards the requests initiated by the client; the network attack protection device decides from a client's network request whether the client is a zombie, so as to keep the server from network attacks such as CC.
The method of this embodiment is performed by the network attack protection device in Fig. 1. Its flowchart is shown in Fig. 2 and comprises:
Step 101: obtain the client's network request forwarded by at least one level of proxy machine, and parse the network request to obtain the address information of the client.
It will be understood that a user can operate the client so that it initiates a network request, for example an HTTP request. The network attack protection device obtains the request after it has been forwarded by at least one level of proxy machine and parses it to obtain the client's address information.
When the network request passes through a proxy machine at any level, that proxy machine moves the information in the source-device address field of the request's message header (the address of the network node that sent it the request) into a specific field of the request, which for an HTTP request is the forwarding (X-Forwarded-For) field, adds its own address to the source-device address field of the message header, and forwards the request to the next network node. If there are multiple levels of proxy machine in the system, the protection device receives the request forwarded by the last level, and the specific field (the forwarding field) then contains the addresses of the network nodes the request has passed through (the client and the proxy machines); when performing step 101, the protection device parses the content of that field and takes its first item as the client's address information. If there is only one level of proxy machine, the protection device receives the request forwarded by that proxy and, when performing step 101, parses the forwarding field and takes its content directly as the client's address information.
If no proxy machine is deployed in the system, the specific field (the forwarding field) of the network message is empty, and the source-device address field of the message header contains the client's address information.
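The address recovery of step 101, written out as an added example (it is not code from the patent or from Tencent): the forwarding field is X-Forwarded-For as the patent names it, the source-device address field is represented by the packet's source address passed in as a parameter, and the sample requests in the test are constructed. The function covers all three cases the text describes: no proxy (empty forwarding field, client in the source field), one level (the field is the client, the source field is the proxy) and multiple levels (first item is the client, later items plus the source field are the proxies).

```python
# Added example, not the patent's code: recover (client, proxies) from a request
# that has passed through zero or more proxy machines, as in step 101.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ForwardedAddresses:
    # First item of the forwarding field, or the packet source when the field is empty
    client: str
    # Every later hop, innermost proxy first; the packet source (last proxy) is appended
    proxies: list[str] = field(default_factory=list)


def parse_forwarded_addresses(headers: dict, source_address: str) -> ForwardedAddresses:
    """Recover (client address, proxy addresses) from a forwarded HTTP request.

    headers        -- request headers as received; name lookup is case-insensitive
    source_address -- the source-device address of the packet that reached the
                      protection device: the last proxy, or the client itself
                      when no proxy is deployed (assumed to be passed in by the caller)
    """
    forwarded = ""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            forwarded = value
            break
    # Each proxy appends the address it saw in the source field, so the field is a
    # comma-separated chain that starts with the client and ends with the
    # previous hop; the current hop is only visible in the packet source field.
    chain = [item.strip() for item in forwarded.split(",") if item.strip()]
    if not chain:
        # No proxy on the path: the source field already names the client.
        return ForwardedAddresses(client=source_address)
    # One level: the chain is just the client and the packet source is that proxy.
    # Multiple levels: items after the first are the earlier proxies.
    return ForwardedAddresses(client=chain[0], proxies=chain[1:] + [source_address])
```

One caveat the patent does not discuss: the first item of the forwarding field is only as trustworthy as the proxy that wrote it. If the first proxy appends to an X-Forwarded-For header that the client itself sent instead of replacing it, the "client" item is attacker-chosen, so the trust-list key should be taken from the position written by a proxy the operator controls.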
It should be noted that the method of this embodiment can be started when the network attack protection device detects that the server is under CC attack, or it can be performed at any time during communication between the client and the server.
Step 102: calculate first check information from the address information of the client. Specifically, the network attack protection device forms an information group from the client's address information and other information, such as the address information of the destination device, and hashes the information group to obtain the first check information.
Step 103: if the network request further contains second check information, and the second check information is consistent with the first check information, the client is a normal client; the client's address information is added to the trust list and the network request is forwarded to the server. Further, if the network request contains no second check information, or the second check information is inconsistent with the first check information, the first check information is returned to the client so that the client can initiate a network request carrying the first check information.
Here, the second check information is the check information that the network attack protection device calculated from the client's address information when the client first initiated a network request, and returned to the client in response to that first request. A normal client carries this second check information when it initiates a network request again. A zombie does not parse the second check information returned by the protection device, so the request it re-initiates carries no second check information.
It should be noted that once the protection device has established the trust list, if a client on the list initiates a network request again, the protection device can confirm from the trust list that the client is a normal client and forward the new request directly to the server.
In summary, because the trust list is keyed on the client's address as recovered from the forwarded request rather than on the network-layer source IP, a zombie's request no longer passes through merely because the proxy machine's IP is on the trust list.
Referring to Fig. 3, in one specific embodiment the network attack protection device may perform the following step 104 after step 101:
Step 104: match the client's address information against the locally stored trust list. If it matches, the client that initiated the network request is a normal client and step 105 is performed. If it does not match, steps 102 and 103 are performed, i.e. the first check information is calculated from the client's address information, the first check information is used to confirm whether the client is a normal client, and the client is then added to the trust list.
Step 105: forward the network request to the server.
In another specific embodiment, before performing step 102 the network attack protection device may also parse the network request to obtain the address information of the at least one level of proxy machine, and then in step 102 calculate the first check information from both the client's address information and the proxy machines' address information. In that case, when the protection device adds the client's address information to the trust list in step 103, it may also add the proxy machines' address information to the trust list together with the client's address information.
Specifically, when parsing the network request for the proxy machines' address information, the protection device may parse the content of the forwarding field and take the items other than the first item as the proxy machines' addresses; or it may parse both the forwarding field and the source-device address field of the message header, and take the items of the forwarding field other than the first, together with the content of the source-device address field, as the proxy machines' addresses. In either case the first item of the forwarding field is the client's address information.
In another specific embodiment, to prevent a hacker from capturing and forging check information, when the network attack protection device generates the second check information on the client's first network request it includes an update parameter value that is refreshed on a preset period (for example every half hour), so that the second check information it generates has a limited validity period.
Thus, if the time the client takes to initiate a network request carrying the second check information exceeds the preset period, then when the protection device calculates the first check information in step 102 it does so from the client's address information and the periodically refreshed update parameter value: the client's address information, the update parameter value and the other information form the information group, and the information group is hashed to obtain the first check information. Because the update parameter value has changed, the first check information the protection device calculates is inconsistent with the second check information in the request, and the first check information must be returned to the client so that the client can initiate a request carrying it within the preset period.
The update parameter value refreshed on the preset period may be the value of any parameter, as long as that value can be refreshed on the preset period.
The method of this embodiment is illustrated below with a specific application example. The method is applied mainly to the system of Fig. 1, taking one and two levels of proxy machine as examples; the network request initiated by the client is an HTTP request, and the address information of the client and of the proxy machines is their IP information. In this embodiment:
(1) For the case where one level of proxy machine is deployed in the system of Fig. 1, the flowchart of the network attack protection method is shown in Fig. 4 and comprises:
Step 201: when the client initiates an HTTP request, it adds its IP information to the source-device address field of the HTTP message header and sends the request to the proxy machine. The proxy machine places the client's IP information from the message header into the X-Forwarded-For field of the HTTP request, adds its own IP information to the source-device address field of the message header, and forwards the HTTP request.
Step 202: the network attack protection device obtains the HTTP request forwarded by the proxy machine and parses the content of the X-Forwarded-For field to obtain the client's IP information. If the client's IP information hits the trust list stored by the protection device, the client is a normal client and the obtained HTTP request is forwarded to the server; if not, step 203 is performed.
Step 203: the protection device forms an information group from the client's IP information and other information (such as the IP information of the destination device), computes a 32-bit hash value of the information group with a cyclic redundancy check (CRC) algorithm, and uses that hash value as the first check information.
Step 204: the protection device parses the content of the Cookie field of the HTTP request forwarded by the proxy machine. If the field contains second check information that is consistent with the first check information, the client's IP information is added to the trust list and the HTTP request is forwarded to the server. If the field contains no second check information, or the second check information is inconsistent with the first check information, step 205 is performed.
Step 205: the protection device returns the first check information to the client. Specifically, it may encapsulate the first check information in a piece of JavaScript program and return it to the client along the return path through the proxy machine.
Step 206: a normal client executes the JavaScript program, parses out the first check information, fills the first check information into the Cookie field of its network request and initiates the request again. When the protection device receives the request initiated by the normal client, it protects according to steps 201 to 204 above.
A zombie does not execute the JavaScript program but simply initiates the network request again, without carrying any check information. When the protection device receives the request initiated by the zombie, it protects according to steps 201 to 203 and step 205 above.
Further, in other specific embodiments, when performing step 203 the protection device also parses the content of the source-device address field of the HTTP message header, which contains the proxy machine's IP information, forms the information group from the proxy machine's IP information, the client's IP information and the other information, and then calculates the first check information from that information group.
In addition, when calculating the first check information in step 203, the protection device may calculate it from the client's IP information, the update parameter value refreshed on the preset period, and the other information.
(2) For the case where two levels of proxy machine are deployed in the system of Fig. 1, the method performed by the protection device is similar to the one-level case. The difference is that after the first-level proxy forwards the HTTP request, the second-level proxy receives it and places the first-level proxy's IP information from the message header into the X-Forwarded-For field of the HTTP request, so that the X-Forwarded-For field now contains the IP information of both the client and the first-level proxy; it then adds its own IP information to the source-device address field of the message header and forwards the HTTP request. After obtaining the HTTP request forwarded by the second-level proxy, the protection device parses the first item of the X-Forwarded-For field as the client's IP information.
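The decision logic of steps 201 to 206, together with the proxy-address and update-parameter extensions described above, as an added example that is not code from the patent or from Tencent. It assumes the client and proxy addresses have already been recovered from X-Forwarded-For. The CRC-based 32-bit hash and the half-hour period are the patent's; the field order, the "|" separator, the cookie name cc_check, the two-request client simulation and the addresses in the test are assumptions made for the example.

```python
# Added example, not the patent's code: check information, trust list and the
# challenge round trip of steps 201-206, plus the expiry behaviour of the
# periodically refreshed update parameter.
import zlib

EPOCH_SECONDS = 30 * 60  # preset update period ("half an hour" in the patent)


def update_parameter(now: float, epoch: int = EPOCH_SECONDS) -> int:
    """Value that changes once per preset period; it bounds how long a
    returned check value stays valid (epoch index is an assumed choice)."""
    return int(now // epoch)


def first_check_information(client_ip: str, dest_ip: str, proxy_ips, now: float) -> int:
    """Step 203 with the proxy and update-parameter extensions: a 32-bit CRC
    over the information group (field order and separator are assumptions)."""
    group = "|".join([client_ip, dest_ip, *proxy_ips, str(update_parameter(now))])
    return zlib.crc32(group.encode("ascii")) & 0xFFFFFFFF


class ProtectionDevice:
    """Decision logic of the network attack protection device for one server."""

    def __init__(self, dest_ip: str):
        self.dest_ip = dest_ip
        self.trust_list: set[str] = set()  # keyed on client address, not packet source

    def handle(self, client_ip: str, proxy_ips, cookie: dict, now: float):
        """Return ("forward", None) when the request may reach the server, or
        ("challenge", first) when the client must echo `first` back in its Cookie."""
        if client_ip in self.trust_list:  # step 202: trust-list hit
            return "forward", None
        first = first_check_information(client_ip, self.dest_ip, proxy_ips, now)
        try:
            second = int(cookie.get("cc_check", ""))  # step 204: second check information
        except ValueError:
            second = None  # missing or malformed cookie value
        if second == first:
            self.trust_list.add(client_ip)
            return "forward", None
        return "challenge", first  # step 205: hand the value back (in JavaScript, per the patent)


def simulate_client(device: ProtectionDevice, client_ip: str, proxy_ips, executes_js: bool, now: float):
    """Two consecutive requests from one client. A normal client runs the returned
    script and stores the value (step 206); a zombie resends without it."""
    verdicts, cookie = [], {}
    for _ in range(2):
        verdict, first = device.handle(client_ip, proxy_ips, cookie, now)
        verdicts.append(verdict)
        if verdict == "challenge" and executes_js:
            cookie["cc_check"] = str(first)
    return verdicts
```

A practitioner's caveat: CRC32 is not a keyed function, so anyone who knows the information group (client IP, destination IP, proxy IPs and the current period index) can compute a valid check value without running the script. The rotating update parameter shortens the replay window but does not stop forgery; replacing zlib.crc32 with an HMAC over the same group under a server-side secret keeps the rest of the flow unchanged and closes that gap.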
The embodiment of the present invention also provides a kind of guard system of network attack, and structural schematic diagram is as shown in figure 5, specifically may be used To include:
First address acquisition unit 10, the network request for obtaining at least client of first-level agent's machine forwarding, solution It analyses the network request and obtains the address information of the client;
First address acquisition unit 10 is specifically used for parsing the content of the forwarding field of the network request, by institute State address information of the content as the client of forwarding field, or, using the first item content in the forwarding field as The address information of the client.
Computing unit 11 is verified, based on the address information of the client by being obtained according to first address acquisition unit 10 Calculate the first check information.Verification computing unit 11 specifically can be used for according to the address information of the client and according to preset Period, newer undated parameter value calculated first check information.
First processing units 12, if for further including the second check information in the network request, and second school It is consistent with the first check information that the verification computing unit 11 calculates to test information, and letter is added in the address information of the client Appoint list, the network request is transmitted to server.
As it can be seen that in the guard system of the network attack of the present embodiment, the first address acquisition unit 10 can parse proxy machine The network request of the client of device forwarding obtains the address information of client, then verifies ground of the computing unit 11 according to client Location information calculates the first check information, and then first processing units 12 determine client-based address according to the first check information The trust list of information.It, can be according to the address for the client for initiating network request in this way in the protection process of network attack Information and trust list directly confirm whether client is normal client, and the trust name based on source IP information in the prior art Single-phase ratio can prevent in the case of being deployed with broker machines in systems, because list is trusted in the IP information hit of broker machines Caused by for broiler chicken network request transparent transmission.
Referring to Fig. 6, in a specific embodiment the protection system for network attacks may include, in addition to the structure shown in Fig. 5, a second address acquisition unit 13 and a second processing unit 14, where:
The second address acquisition unit 13 is configured to parse the network request to obtain the address information of at least one level of proxy machine. The verification computing unit 11 then calculates the first check information from the address information of the client obtained by the first address acquisition unit 10 together with the address information of the at least one level of proxy machine obtained by the second address acquisition unit 13.
Specifically, the second address acquisition unit 13 is configured to parse the content of the forwarding field of the network request and take at least one item of content in the forwarding field other than the first item as the address information of the at least one level of proxy machine; or to parse the forwarding field of the network request and the content of the source device address field in the message header, and take the content of the forwarding field other than the first item together with the content of the source device address field as the address information of the at least one level of proxy machine.
In this embodiment, the first processing unit 12 is further configured to match the address information of the client obtained by the first address acquisition unit 10 against a locally stored trust list; if it matches, the network request is forwarded to the server, and if it does not match, the verification computing unit 11 is notified to calculate the first check information.
The second processing unit 14 is configured to, if the network request does not carry the second check information, or the second check information is inconsistent with the first check information, return the first check information to the client, so that the client initiates a network request carrying the first check information.
In this embodiment, after the first address acquisition unit 10 obtains the address information of the client, the second processing unit 14 may first match it against the locally stored trust list, and only if it does not match is the verification computing unit 11 notified to calculate the first check information.
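As an added example (this is not code from the patent or from Tencent), the following Python model implements the flow performed by units 10 to 14 above: parse the client and proxy addresses from the request, consult the trust list, compute the first check information, compare it with any second check information the client presents, and either forward or hand the check information back. The patent does not name the fields or the check function, so the example assumes that the "forwarding field" is the X-Forwarded-For header, that the "source device address field" is the TCP peer address, that the first check information is an HMAC-SHA256 over the client address, the proxy addresses and a period counter (the "update parameter updated at a preset period"), and that the client echoes the check information in a constructed X-Check-Info header. All addresses in the usage are constructed sample values.

```python
import hashlib
import hmac
import time

# Assumed header names (the patent only speaks of a "forwarding field");
# X-Check-Info is a constructed name for the field carrying the second check information.
FORWARDING_FIELD = "X-Forwarded-For"
CHECK_FIELD = "X-Check-Info"


def _forwarding_items(headers):
    """Split the forwarding field into its comma-separated items, dropping blanks."""
    items = [s.strip() for s in headers.get(FORWARDING_FIELD, "").split(",")]
    return [s for s in items if s]


def client_address(headers, peer):
    """First address acquisition unit: the first item of the forwarding field is
    the client address.  A request with no forwarding field is not a case the
    patent discusses; falling back to the peer address there is an assumption."""
    items = _forwarding_items(headers)
    return items[0] if items else peer


def proxy_addresses(headers, peer):
    """Second address acquisition unit (second alternative): every forwarding-field
    item after the first, plus the source device (peer) address."""
    return _forwarding_items(headers)[1:] + [peer]


class Guard:
    def __init__(self, secret, period_seconds=300, clock=time.time):
        self.secret = secret
        self.period_seconds = period_seconds  # preset update period (value assumed)
        self.clock = clock
        self.trust_list = set()  # keyed on client address, never on a proxy address

    def update_parameter(self):
        # Parameter refreshed every preset period; a check value therefore
        # stops validating once the period rolls over (assumed realisation).
        return int(self.clock() // self.period_seconds)

    def first_check_information(self, client, proxies):
        # Verification computing unit: bind the value to the client address, the
        # proxy chain and the current period.  HMAC-SHA256 is an assumption.
        msg = "|".join([client, *proxies, str(self.update_parameter())]).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def handle(self, headers, peer):
        """Return ("forward", None) when the request may go to the server, or
        ("challenge", first_check_information) when the client must re-issue
        the request carrying that value (second processing unit)."""
        client = client_address(headers, peer)
        if client in self.trust_list:  # trust-list hit: forward without recomputing
            return ("forward", None)
        expected = self.first_check_information(client, proxy_addresses(headers, peer))
        presented = headers.get(CHECK_FIELD)
        if presented is not None and hmac.compare_digest(
            presented.encode("utf-8", "replace"), expected.encode()
        ):
            self.trust_list.add(client)  # first processing unit: consistent -> trust
            return ("forward", None)
        return ("challenge", expected)  # hand the first check information back


if __name__ == "__main__":
    # Constructed sample traffic: two clients behind the same proxy 198.51.100.7,
    # which connects to the guard from peer address 192.0.2.1.
    guard = Guard(b"constructed-secret")
    peer = "192.0.2.1"
    first = {FORWARDING_FIELD: "203.0.113.10, 198.51.100.7"}
    action, check = guard.handle(first, peer)
    print(action, check)  # challenge, plus the check value to echo back
    print(guard.handle({**first, CHECK_FIELD: check}, peer))  # forward
    other = {FORWARDING_FIELD: "203.0.113.20, 198.51.100.7", CHECK_FIELD: check}
    print(guard.handle(other, peer)[0])  # still challenged: different client
```

Because the trust list and the check value are keyed on the first forwarding-field item rather than on the address the guard actually sees on the wire, a second client that shares the same proxy (the zombie-machine case the description contrasts with a source-IP trust list) does not inherit the first client's trust and receives its own challenge.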
An embodiment of the present invention also provides a network device, whose structural diagram is shown in Fig. 7. The network device may vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 20 (for example, one or more processors), memory 21, and one or more storage media 22 (for example, one or more mass storage devices) storing application programs 221 or data 222. The memory 21 and the storage medium 22 may be transient or persistent storage. The program stored in the storage medium 22 may include one or more modules (not shown in the figure), each of which may include a series of instruction operations in the network device. Further, the central processing unit 20 may be configured to communicate with the storage medium 22 and to execute, on the network device, the series of instruction operations in the storage medium 22.
Specifically, the application programs 221 stored in the storage medium 22 include a protection application for network attacks, which may include the first address acquisition unit 10, the verification computing unit 11, the first processing unit 12, the second address acquisition unit 13 and the second processing unit 14 of the protection system described above; these are not repeated here. Further, the central processing unit 20 may be configured to communicate with the storage medium 22 and to execute, on the network device, the series of operations corresponding to the network-attack protection application stored in the storage medium 22.
The network device may also include one or more power supplies 23, one or more wired or wireless network interfaces 24, one or more input/output interfaces 25, and/or one or more operating systems 223, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
The steps performed by the protection system for network attacks in the method embodiment above may be based on the structure of the network device shown in Fig. 7.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods of the above embodiments may be completed by a program instructing the related hardware; the program may be stored in a computer-readable storage medium, which may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc and so on.
The protection method and system for network attacks provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the present invention, make changes in the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (14)

1. A protection method for network attacks, characterized in that it includes:
obtaining a network request of a client forwarded by at least one level of proxy machine, and parsing the network request to obtain the address information of the client;
calculating first check information according to the address information of the client;
if the network request further carries second check information, and the second check information is consistent with the first check information, adding the address information of the client to a trust list and forwarding the network request to the server.
2. The method of claim 1, characterized in that parsing the network request to obtain the address information of the client specifically includes:
parsing the content of the forwarding field of the network request, and taking the content of the forwarding field as the address information of the client, or taking the first item of content in the forwarding field as the address information of the client.
3. The method of claim 1, characterized in that after obtaining the network request of the client forwarded by the proxy machine, the method further includes:
parsing the network request to obtain the address information of at least one level of proxy machine;
and calculating the first check information according to the address information of the client specifically includes: calculating the first check information according to the address information of the client and the address information of the at least one level of proxy machine.
4. The method of claim 3, characterized in that parsing the network request to obtain the address information of the at least one level of proxy machine specifically includes:
parsing the content of the forwarding field of the network request, and taking at least one item of content in the forwarding field other than the first item as the address information of the at least one level of proxy machine; or,
parsing the forwarding field of the network request and the content of the source device address field in the message header, and taking the content of the forwarding field other than the first item together with the content of the source device address field as the address information of the at least one level of proxy machine.
5. The method of claim 1, characterized in that calculating the first check information according to the address information of the client specifically includes:
calculating the first check information according to the address information of the client and an update parameter value that is updated at a preset period.
6. The method of any one of claims 1 to 5, characterized in that before calculating the first check information according to the address information of the client, the method further includes:
matching the address information of the client against a locally stored trust list; if it matches, forwarding the network request to the server; if it does not match, executing the step of calculating the first check information.
7. The method of any one of claims 1 to 5, characterized in that the method further includes:
if the network request does not carry the second check information, or the second check information is inconsistent with the first check information, returning the first check information to the client so that the client initiates a network request carrying the first check information.
8. A protection system for network attacks, characterized in that it includes:
a first address acquisition unit, configured to obtain a network request of a client forwarded by at least one level of proxy machine, and to parse the network request to obtain the address information of the client;
a verification computing unit, configured to calculate first check information according to the address information of the client;
a first processing unit, configured to, if the network request further carries second check information and the second check information is consistent with the first check information, add the address information of the client to a trust list and forward the network request to the server.
9. The system of claim 8, characterized in that
the first address acquisition unit is specifically configured to parse the content of the forwarding field of the network request, and to take the content of the forwarding field as the address information of the client, or to take the first item of content in the forwarding field as the address information of the client.
10. The system of claim 8, characterized in that it further includes:
a second address acquisition unit, configured to parse the network request to obtain the address information of at least one level of proxy machine;
the verification computing unit being specifically configured to calculate the first check information according to the address information of the client and the address information of the at least one level of proxy machine.
11. The system of claim 10, characterized in that
the second address acquisition unit is specifically configured to parse the content of the forwarding field of the network request, and to take at least one item of content in the forwarding field other than the first item as the address information of the at least one level of proxy machine; or to parse the forwarding field of the network request and the content of the source device address field in the message header, and to take the content of the forwarding field other than the first item together with the content of the source device address field as the address information of the at least one level of proxy machine.
12. The system of claim 8, characterized in that
the verification computing unit is specifically configured to calculate the first check information according to the address information of the client and an update parameter value that is updated at a preset period.
13. The system of any one of claims 8 to 12, characterized in that
the first processing unit is further configured to match the address information of the client against a locally stored trust list; if it matches, forward the network request to the server; and if it does not match, notify the verification computing unit to calculate the first check information.
14. The system of claim 13, characterized in that it further includes:
a second processing unit, configured to, if the network request does not carry the second check information, or the second check information is inconsistent with the first check information, return the first check information to the client so that the client initiates a network request carrying the first check information.
CN201710067267.6A 2017-02-06 2017-02-06 Network attack protection method and system Active CN108400955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710067267.6A CN108400955B (en) 2017-02-06 2017-02-06 Network attack protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710067267.6A CN108400955B (en) 2017-02-06 2017-02-06 Network attack protection method and system

Publications (2)

Publication Number Publication Date
CN108400955A true CN108400955A (en) 2018-08-14
CN108400955B CN108400955B (en) 2020-12-22

Family

ID=63094508

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710067267.6A Active CN108400955B (en) 2017-02-06 2017-02-06 Network attack protection method and system

Country Status (1)

Country Link
CN (1) CN108400955B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050166049A1 (en) * 2004-01-26 2005-07-28 Cisco Technologies, Inc. Upper-level protocol authentication
CN101834866A (en) * 2010-05-05 2010-09-15 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN102404345A (en) * 2011-12-26 2012-04-04 山石网科通信技术(北京)有限公司 Distributed attack prevention method and device
CN102571547A (en) * 2010-12-29 2012-07-11 北京启明星辰信息技术股份有限公司 Method and device for controlling hyper text transport protocol (HTTP) traffic
CN103607392A (en) * 2010-12-14 2014-02-26 华为数字技术(成都)有限公司 Method and device used for preventing fishing attack
CN103888490A (en) * 2012-12-20 2014-06-25 上海天泰网络技术有限公司 Automatic WEB client man-machine identification method
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
CN104023024A (en) * 2014-06-13 2014-09-03 中国民航信息网络股份有限公司 Network defense method and device
CN104079557A (en) * 2014-05-22 2014-10-01 汉柏科技有限公司 CC attack protection method and device
CN104113559A (en) * 2014-08-13 2014-10-22 浪潮电子信息产业股份有限公司 Method for resisting tcp full-link attack
CN104378450A (en) * 2013-08-12 2015-02-25 深圳市腾讯计算机***有限公司 Protection method and device for network attacks
CN104519018A (en) * 2013-09-29 2015-04-15 阿里巴巴集团控股有限公司 Method, device and system for preventing malicious requests for server
CN105075216A (en) * 2013-03-11 2015-11-18 思科技术公司 Identification of originating IP address and client port connection
CN105100093A (en) * 2015-07-15 2015-11-25 联动优势科技有限公司 Identity authentication method and identity authentication server
CN105959313A (en) * 2016-06-29 2016-09-21 杭州迪普科技有限公司 Method and device for preventing HTTP proxy attack

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110636068A (en) * 2019-09-24 2019-12-31 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN node in CC attack protection
CN110636068B (en) * 2019-09-24 2022-01-28 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN node in CC attack protection
CN112272164A (en) * 2020-09-30 2021-01-26 新华三信息安全技术有限公司 Message processing method and device
CN112953921A (en) * 2021-02-02 2021-06-11 深信服科技股份有限公司 Scanning behavior identification method, device, equipment and storage medium
CN114237179A (en) * 2021-12-16 2022-03-25 常熟华庆汽车部件有限公司 Implementation method of flexible coating automatic control system based on industrial Internet of things
CN114237179B (en) * 2021-12-16 2023-09-08 常熟华庆汽车部件有限公司 Implementation method of flexible coating automatic control system based on industrial Internet of things
CN114640704A (en) * 2022-05-18 2022-06-17 山东云天安全技术有限公司 Communication data acquisition method, system, computer equipment and readable storage medium
CN114640704B (en) * 2022-05-18 2022-08-19 山东云天安全技术有限公司 Communication data acquisition method, system, computer equipment and readable storage medium

Also Published As

Publication number Publication date
CN108400955B (en) 2020-12-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant