CN110808967B - Detection method for challenging black hole attack and related device - Google Patents


Info

Publication number: CN110808967B
Authority: CN (China)
Application number: CN201911015170.6A
Other languages: Chinese (zh)
Other versions: CN110808967A (en)
Prior art keywords: attack, url, page access, access request, server
Legal status: Active
Inventor: 李金英
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN201911015170.6A; publication of CN110808967A; application granted; publication of CN110808967B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service


Abstract

The disclosure relates to the field of network security, and provides a detection method for challenging black hole attacks and a related device, wherein the method comprises the following steps: calculating the request rate and/or concentration of the URL according to the statistical information of the URL corresponding to the page access request; judging whether a suspected challenge black hole CC attack exists according to the request rate and/or the concentration ratio; if the suspicious CC attack exists, acquiring the current running state information of the server; and if the current running state information does not meet the preset condition, judging that the suspicious CC attack is the CC attack. By combining the rate and concentration of access requests and the current operating state of the server, the false alarm rate can be reduced.

Description

Detection method for challenging black hole attack and related device
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method and a related device for detecting a challenging black hole attack.
Background
When initiating an attack, an attacker selects an application on a page served by the server that requires a large resource overhead, such as a page whose operation consumes a large amount of the server's CPU resources or an application that accesses the database heavily; when the server cannot process the access requests in time, the page cannot respond to the access requests of normal users.
The prior art detects whether a CC attack exists only according to the rate and the concentration of access requests, and has a high false alarm rate.
Disclosure of Invention
The present disclosure is directed to a method and a related device for detecting a challenging black hole attack, which can reduce a false alarm rate by combining a rate and a concentration of access requests and a current operating state of a server.
In order to achieve the above purpose, the embodiments of the present disclosure adopt the following technical solutions:
in a first aspect, an embodiment of the present disclosure provides a method for detecting a challenge black hole attack, where the method is applied to a network device, the network device is in communication connection with a client and a server, and the client sends a page access request to the server through the network device, where the method includes: calculating the request rate and/or concentration of the URL according to the statistical information of the URL corresponding to the page access request; judging whether a suspected challenge black hole CC attack exists according to the request rate and/or the concentration ratio; if the suspicious CC attack exists, acquiring the current running state information of the server; and if the current running state information meets the preset condition, judging that the suspicious CC attack is the CC attack.
In a second aspect, the present disclosure provides a detection apparatus for challenging black hole attacks, which is applied to a network device, where the network device is in communication connection with a client and a server, and the client sends a page access request to the server through the network device, and the apparatus includes a calculation module, a suspected attack determination module, and a first attack determination module, where the calculation module is configured to calculate a request rate and/or a concentration of a URL according to statistical information of the URL corresponding to the page access request; the suspicious attack judging module is used for judging whether suspicious CC attack exists according to the request rate and/or the concentration; a first attack determination module to: if the suspicious CC attack exists, acquiring the current running state information of the server; and if the current running state information meets the preset condition, judging that the suspicious CC attack is the CC attack.
In a third aspect, an embodiment of the present disclosure provides a network device, where the network device includes: one or more processors; a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method of detecting a challenging black hole attack as described in any of the preceding embodiments.
In a fourth aspect, the disclosed embodiments provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting a challenge black hole attack according to any one of the foregoing embodiments.
Compared with the prior art, the method has the following beneficial effects: the embodiment of the disclosure provides a method and a related device for detecting challenge black hole attack, which first judge whether suspicious challenge black hole CC attack exists according to a request rate and/or concentration of a Uniform Resource Locator (URL), if the suspicious CC attack exists, obtain current running state information of a server, and determine whether the suspicious CC attack is real CC attack by judging whether the current running state information of the server meets a preset condition.
In order to make the aforementioned objects, features and advantages of the present disclosure more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present disclosure and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings may be obtained from the drawings without inventive effort.
Fig. 1 shows a schematic view of an application scenario provided by an embodiment of the present disclosure.
Fig. 2 shows a schematic block diagram of a network device provided by an embodiment of the present disclosure.
Fig. 3 shows a flowchart of a detection method for challenging black hole attack according to an embodiment of the present disclosure.
Fig. 4 shows a flowchart of another detection method for challenging black hole attack provided by the embodiment of the present disclosure.
Fig. 5 is a flowchart illustrating a method for updating statistical information of a URL according to an embodiment of the present disclosure.
Fig. 6 shows a functional block diagram of a detection apparatus for challenging black hole attack according to an embodiment of the present disclosure.
Icon: 10-a network device; 20-a client; 30-a server; 11-a memory; 12-a communication interface; 13-a processor; 14-a bus; 100-detection means for challenging black hole attacks; 110-a calculation module; 120-suspicious attack judgment module; 130-a first attack determination module; 140-a second attack determination module; 150-update module.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. The components of the embodiments of the present disclosure, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present disclosure, presented in the figures, is not intended to limit the scope of the claimed disclosure, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present disclosure, it should be noted that if the terms "upper", "lower", "inner", "outer", etc. are used for indicating the orientation or positional relationship based on the orientation or positional relationship shown in the drawings or the orientation or positional relationship which the present invention is used to usually place, the description is only for convenience of describing and simplifying the present disclosure, but not for indicating or implying that the referred device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present disclosure.
Furthermore, the appearances of the terms "first," "second," and the like, if any, are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
It should be noted that the features in the embodiments of the present disclosure may be combined with each other without conflict.
There are three main CC attack modes: a single-host virtual multi-IP-address attack, a proxy server group attack, and a botnet attack. In the single-host virtual multi-IP-address mode, an attacker uses one host to forge a plurality of IP addresses and sends access request packets to a designated page of the server; when the server cannot process the access requests in time, the page cannot respond to the access requests of normal users. In the proxy server group mode, an attacker sends a page access request to a proxy server through an attack host, and the attack host may immediately disconnect from the proxy server and send the next access request, because the proxy server will in any case access the designated page resource of the application server once it has received the access request; when the application server cannot process the large number of access requests in time, the page cannot respond to the access requests of normal users, and normal access is rejected. In the botnet mode, an attacker sends an attack instruction to botnet hosts through an attack host, the botnet hosts automatically send page access requests to the application server, and when a botnet of a certain scale is used for a CC attack, enormous access traffic is directed at the page of the application server and the server can be paralysed. As the CC attack form has evolved, more and more CC attacks use traffic from different, real IP addresses with a relatively complete access process, which closely simulates a plurality of users normally accessing the application server; such attacks are therefore highly concealed, and the existing method of detecting CC attacks simply by the request rate and/or concentration cannot meet the accuracy requirement for CC attack detection.
In view of this, the present disclosure provides a method and a related device for detecting a challenging black hole attack, which can reduce the false alarm rate of CC attack detection. Which will be described in detail below.
Referring to fig. 1, fig. 1 is a schematic view illustrating an application scenario provided by an embodiment of the present disclosure. In fig. 1, a network device 10 is in communication connection with both a client 20 and a server 30. When the client 20 needs to access the server 30, it first sends a page access request to the network device 10, the network device 10 forwards the page access request to the server 30, the server 30 sends feedback information responding to the page access request to the network device 10, and the network device 10 forwards the feedback information to the client 20. When the client 20 is an attacker or is controlled by an attacker, it sends a large number of page access requests to the server 30 through the network device 10; the network device 10 performs CC attack detection on the received page access requests, and when it detects that the page access requests from the client 20 constitute a CC attack, it blocks the page access requests from the client 20, thereby preventing the server 30 from being unable to provide its service normally because of the CC attack.
The detection method for challenging black hole attacks provided by the embodiment of the present disclosure may be applied to the network device 10 in fig. 1, and a schematic block diagram of the network device 10 is introduced below.
Referring to fig. 2, fig. 2 shows a schematic block diagram of a network device 10 according to an embodiment of the present disclosure. The network device 10 includes a memory 11, a communication interface 12, a processor 13, and a bus 14. The memory 11, the communication interface 12, and the processor 13 are connected by the bus 14.
The memory 11 is used for storing a program, such as the detection apparatus for challenging black hole attacks described above; the detection apparatus includes at least one software functional module that can be stored in the memory 11 in the form of software or firmware, and the processor 13 executes the program after receiving an execution instruction so as to implement the detection method for challenging black hole attacks disclosed in the above embodiments.
The Memory 11 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Alternatively, the memory 11 may be a storage device built in the processor 13, or may be a storage device independent of the processor 13.
The communication connection of the network device 10 with other external devices is realized by at least one communication interface 12 (which may be wired or wireless).
The bus 14 may be an ISA bus, PCI bus, EISA bus, or the like. Only one bi-directional arrow is shown in fig. 2, but this does not indicate only one bus or one type of bus.
The processor 13 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 13. The processor 13 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
Fig. 3 is a flowchart illustrating a method for detecting a challenge black hole attack according to an embodiment of the present disclosure, where the method includes:
and step S101, calculating the request rate and/or concentration of the URL according to the statistical information of the URL corresponding to the page access request.
In this embodiment, the request rate and/or the concentration of the URL may be calculated in real time, or over a detection period. The detection period is a preset time period for determining whether there is a suspected CC attack; a CC attack determination may be made once per detection period. The detection period may be set according to the needs of the actual scene: when the requirement on the real-time performance of CC detection is high, the detection period may be set shorter, for example to 1 s, and when the requirement on real-time performance is low, it may be set longer, for example to 10 s. A shorter detection period has a larger influence on the service processing of the network device, and a longer detection period has a smaller influence, so the user can balance the real-time property of CC detection against the influence on the service processing of the network device according to requirements and then set the detection period.
In this embodiment, after receiving a page access request, the network device 10 obtains the source IP address that sent the page access request and extracts the URL from the page access request, that is, the address of the page that the request needs to access. It then performs statistics on page access requests by source IP address and URL, that is, page access requests from the same source IP address for the same web page of the same website are counted together. It should be noted that, in addition to the source IP address, information such as the mdcID and vrfridex of the page access request may also be obtained, where the mdcID uniquely identifies a multi-tenant device environment (MDC). An MDC is a logical device: a physical device is divided into a plurality of logical devices through virtualization technology, and each MDC has its own exclusive software and hardware resources and operates independently, so that each MDC may be regarded by the user as an independent physical device. The vrfridex is the index number of a Virtual Routing and Forwarding (VRF) table; VRF allows multiple instances of a routing table to coexist in one router at the same time, thereby providing the function of multiple virtual routers on one physical router. In this embodiment, the page access requests may also be counted by source IP address, mdcID, vrfridex and URL, that is, page access requests from the same source IP address that access the same web page of the same website through the same MDC and the same vrfridex are counted together.
In this embodiment, for the same source IP address (or the same source IP address, the same MDC and the same vrfridex), the request rate and/or the concentration of each URL in a detection period are calculated, where the request rate of a URL is the number of page access requests for the URL divided by the detection period, and the concentration is the number of page access requests for the URL divided by the total number of page access requests for all URLs. For example, if in the current detection period two URLs, URL1 and URL2, are visited by the same source IP address, the number of page access requests for URL1 is 10, the number for URL2 is 20, and the detection period is 10 s, then the request rate of URL1 is 10/10 s = 1, that is, one request per second, and the concentration of URL1 is 10/(10+20) = 1/3.
And step S102, judging whether a suspected challenge black hole CC attack exists according to the request rate and/or the concentration ratio.
In this embodiment, according to the needs of the actual scenario, whether there is a suspected CC attack may be determined from the request rate alone: when the request rate is greater than a preset rate threshold, it is determined that there is a suspected CC attack, otherwise there is none. It may also be determined from the concentration alone: when the concentration is greater than a preset concentration threshold, there is a suspected CC attack, otherwise there is none. A priority may also be set between the request rate and the concentration; for example, if the request rate is given priority over the concentration, then when the request rate is less than or equal to the preset rate threshold, it is further determined whether the concentration is greater than the preset concentration threshold, and if so, it is determined that there is a suspected CC attack, otherwise there is none.
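As an added illustration of steps S101 and S102 (this code is not part of the patent and is not the applicant's implementation), the following Python computes the per-source-IP, per-URL request rate and concentration over one detection period from constructed request records and applies the three judgment modes described above. The thresholds, sample IP addresses and URLs are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PageAccessRequest:
    """One page access request as seen by the network device (constructed record)."""
    src_ip: str
    url: str
    ts: float  # arrival time in seconds


def count_requests(requests, period_start, period):
    """Step S101 statistics: count page access requests per (source IP, URL)
    within one detection period [period_start, period_start + period)."""
    counts = defaultdict(int)
    for req in requests:
        if period_start <= req.ts < period_start + period:
            counts[(req.src_ip, req.url)] += 1
    return dict(counts)


def rate_and_concentration(counts, period):
    """Per (source IP, URL): request rate = count / detection period (requests per second);
    concentration = count / total requests from that source IP across all its URLs."""
    totals = defaultdict(int)
    for (src_ip, _url), n in counts.items():
        totals[src_ip] += n
    return {key: (n / period, n / totals[key[0]]) for key, n in counts.items()}


def is_suspected_cc(rate, concentration, rate_threshold, conc_threshold, mode="rate_first"):
    """Step S102 judgment.
    mode "rate": request rate only; "concentration": concentration only;
    "rate_first": the rate has priority and the concentration is consulted only
    when the rate does not exceed its threshold."""
    if mode == "rate":
        return rate > rate_threshold
    if mode == "concentration":
        return concentration > conc_threshold
    if mode != "rate_first":
        raise ValueError(f"unknown mode {mode!r}")
    if rate > rate_threshold:
        return True
    return concentration > conc_threshold


def detect_suspected(requests, period_start, period, rate_threshold, conc_threshold,
                     mode="rate_first"):
    """Run S101 and S102 over one detection period.
    Returns {(src_ip, url): (rate, concentration, suspected)}."""
    stats = rate_and_concentration(count_requests(requests, period_start, period), period)
    return {
        key: (rate, conc, is_suspected_cc(rate, conc, rate_threshold, conc_threshold, mode))
        for key, (rate, conc) in stats.items()
    }


# Constructed sample: in a 10 s detection period, source 198.51.100.7 sends 10 requests
# to URL1 and 20 requests to URL2 (the figures used in the description); a second source
# sends a single request so that the per-source totals are visible.
URL1 = "http://www.example.test/page1"
URL2 = "http://www.example.test/page2"
SAMPLE_REQUESTS = (
    [PageAccessRequest("198.51.100.7", URL1, float(i)) for i in range(10)]
    + [PageAccessRequest("198.51.100.7", URL2, i * 0.5) for i in range(20)]
    + [PageAccessRequest("203.0.113.9", URL1, 3.0)]
)
PERIOD = 10.0
RATE_THRESHOLD = 5.0   # requests per second (assumed threshold)
CONC_THRESHOLD = 0.6   # share of one source's requests that hit a single URL (assumed)

if __name__ == "__main__":
    result = detect_suspected(SAMPLE_REQUESTS, 0.0, PERIOD, RATE_THRESHOLD, CONC_THRESHOLD)
    for (src_ip, url), (rate, conc, suspected) in result.items():
        print(f"{src_ip} {url}: rate={rate:.2f}/s concentration={conc:.3f} suspected={suspected}")
```

Note that the single-request client is flagged by concentration alone in "rate_first" mode; that is exactly the kind of false alarm the server-state check of steps S103 and S104 is meant to filter out.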
Step S103, if the suspicious CC attack exists, the current running state information of the server is obtained.
In the embodiment of the present disclosure, the current operation state information is information that can measure the load of the server 30, for example, the utilization rate of the CPU of the server 30, the utilization rate of the memory, and the like.
And step S104, if the current running state information meets the preset condition, judging that the suspicious CC attack is the CC attack.
In the embodiment of the present disclosure, the preset condition is a preset range in which the server 30 may be unable to operate normally; for example, the preset range is a CPU utilization greater than 70%, and when the CPU utilization falls within this preset range, the server 30 is considered to be under CC attack, there is a risk that the server cannot operate normally, and the currently suspected CC attack is judged to be a CC attack. In addition, the preset condition may also be a preset range around a preset abnormal threshold; for example, the preset abnormal threshold is 10 and the preset range is (-1%, +1%), that is, a value floating no more than 1% above or no more than 1% below the preset abnormal threshold satisfies the preset condition, and otherwise the preset condition is not satisfied.
The method for detecting challenge black hole attacks provided in the above embodiment first determines a suspected CC attack according to the request rate and/or concentration and then determines, according to the current operating state of the server, whether the suspected CC attack is a real CC attack; by combining the rate and concentration of access requests with the current operating state of the server, the false alarm rate of CC attack detection is reduced.
In the embodiment of the present disclosure, as a specific implementation manner, the current operation state information includes CPU operation data, memory operation data, and network operation data, and determining that the suspected CC attack is a CC attack may be implemented in the following manner:
and when any data of the CPU operation data, the memory operation data and the network operation data is not in the corresponding preset range, judging that the suspicious CC attack is the CC attack.
In the embodiment of the present disclosure, the preset conditions at this time are: any data of the CPU operation data, the memory operation data and the network operation data is not in the corresponding preset range, the CPU operation data comprises but is not limited to the utilization rate of the CPU, the idle rate of the CPU and the like, the memory operation data comprises but is not limited to the utilization rate of the memory, the number of available pages of the memory and the like. Network operational data includes, but is not limited to, link status, network performance, services provided by the network, and quality of service.
The current operation state information of the server can be acquired by performance monitoring software running on the server in advance, or by executing related commands. The performance monitoring software includes, but is not limited to, Paessler PRTG network monitoring software, LibreNMS monitoring software, the Network Quality Analysis (NQA) tool, and the like. The related command may be a command provided by the operating system itself, or a new command developed on the basis of commands provided by the operating system; for example, if the operating system running on the server is Linux, the CPU utilization may be checked by executing the top command.
It should be noted that the current operation state information is not limited to the CPU operation data, the memory operation data, and the network operation data, and may also include information such as operation data of a process that processes a page access request, and utilization data of a storage resource.
The method and the device for detecting the CC attack further judge whether the suspicious CC attack is the real CC attack or not by adopting the running state information of the server, can reasonably adjust the preset range of each running data in the running state information at any time according to the running state of the server and the current application scene, and improve the accuracy of the detection of the CC attack.
Based on the same inventive idea as the detection method for challenging black hole attacks, the embodiment of the present disclosure further provides another way of determining whether the suspected CC attack is a CC attack, please refer to fig. 4, where fig. 4 shows a flowchart of another detection method for challenging black hole attacks provided by the embodiment of the present disclosure, and the way of determining whether the suspected CC attack is a CC attack may further include the following steps:
step S105, if the suspicious CC attack exists, calculating the processing time of the URL; the processing time of the URL is the average processing time from the time when the network equipment sends the page access request corresponding to the URL to the time when the network equipment receives the feedback information sent by the server responding to the page access request.
In this embodiment, the processing time of the URL may be calculated in real time, or within one detection period. For each page access request, the network device 10 records the forwarding time at which it forwarded the page access request to the server 30 and the receiving time at which it received the feedback information generated by the server 30 in response to that page access request, takes the time between the receiving time and the corresponding forwarding time as the processing time of the page access request, and takes the average of the processing times of all page access requests for each URL as the processing time of the URL. For example, if there are 5 page access requests for the URL of page 1 of website 1 and the corresponding processing times are 1, 2, 1, 2 and 1, the processing time of the URL is (1+2+1+2+1)/5 = 1.4.
And step S106, if the processing time of the URL is greater than a preset threshold value, judging that the suspicious CC attack is the CC attack.
In this embodiment, the preset threshold is a processing time for the server 30 to be able to process the page access request normally, and the preset threshold may be set by the user according to an actual application scenario, for example, during a period when the service of the server 30 is busy, the preset threshold may be set to be slightly longer, for example, 5 seconds, and during a period when the service of the server 30 is idle, the preset threshold may be set to be slightly shorter, for example, 1 second.
Steps S105 and S106 may be used in parallel with steps S103 and S104, that is, either pair may be used on its own; or they may supplement steps S103 and S104, that is, the determination of steps S103 and S104 is performed first, and if the preset condition is not satisfied, the determination of steps S105 and S106 is performed.
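The confirmation stage of steps S103 to S106, including the "supplement" combination just described, as an added example in Python (not code from the patent or the applicant). The preset condition is taken in the form the description gives for CPU, memory and network data, namely any collected datum lying outside its preset range; the run-state values, the ranges and the request timings are constructed.

```python
from statistics import mean


def state_meets_preset_condition(state, preset_ranges):
    """Preset condition of step S104: any collected run-state datum that lies outside
    its preset (normal) range satisfies the condition. A datum that was not collected
    is skipped rather than treated as abnormal (assumed handling of missing data)."""
    for name, (low, high) in preset_ranges.items():
        value = state.get(name)
        if value is None:
            continue
        if not (low <= value <= high):
            return True
    return False


def url_processing_time(forward_ts, feedback_ts):
    """Step S105: average over one URL's requests of (feedback receive time - forward time).
    Requests whose feedback never arrived are left out of the average (assumed handling);
    returns None when nothing could be measured."""
    durations = [feedback_ts[rid] - forward_ts[rid] for rid in forward_ts if rid in feedback_ts]
    return mean(durations) if durations else None


def confirm_cc_attack(suspected, state, preset_ranges, forward_ts, feedback_ts,
                      time_threshold, time_check="supplement"):
    """Decide whether a suspected CC attack (output of S102) is a real CC attack.
    time_check="off":        steps S103/S104 only.
    time_check="supplement": S105/S106 are evaluated only when S104's condition is not met.
    time_check="only":       steps S105/S106 alone."""
    if not suspected:
        return False
    if time_check != "only" and state_meets_preset_condition(state, preset_ranges):
        return True
    if time_check == "off":
        return False
    t = url_processing_time(forward_ts, feedback_ts)
    return t is not None and t > time_threshold


# Constructed run-state samples and preset normal ranges; CPU utilisation above 70 %
# counts as abnormal, as in the description's example (memory range is assumed).
PRESET_RANGES = {"cpu_util": (0.0, 70.0), "mem_util": (0.0, 85.0)}
STATE_OVERLOADED = {"cpu_util": 78.0, "mem_util": 40.0}
STATE_NORMAL = {"cpu_util": 35.0, "mem_util": 40.0}

# Constructed forward/feedback timestamps for the five requests of one URL,
# giving the description's processing times 1, 2, 1, 2, 1 s (average 1.4 s).
FORWARD_TS = {"r1": 0.0, "r2": 1.0, "r3": 2.0, "r4": 3.0, "r5": 4.0}
FEEDBACK_TS = {"r1": 1.0, "r2": 3.0, "r3": 3.0, "r4": 5.0, "r5": 5.0}

if __name__ == "__main__":
    for label, threshold in (("busy period, 5 s", 5.0), ("idle period, 1 s", 1.0)):
        verdict = confirm_cc_attack(True, STATE_NORMAL, PRESET_RANGES,
                                    FORWARD_TS, FEEDBACK_TS, threshold)
        print(f"normal server state, {label} threshold: CC attack = {verdict}")
```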
It should be noted that, in order to ensure flexibility of detection of CC attack, on one hand, a switch may be set, and only when the switch is turned on, it is determined whether there is a suspected CC attack at the end of the current detection period, otherwise, the determination of the suspected CC attack is not started, and certainly, the determination of whether the subsequent suspected CC attack is a CC attack is not performed. On the other hand, a white list may be set, and the web page access request conforming to the white list is directly forwarded to the server 30, so that the statistical information of the corresponding URL does not need to be updated according to the web page access request.
It should further be noted that, after a CC attack is determined to exist, a processing action for the CC attack may be configured; for example, the source IP address corresponding to the URL is added to a blacklist, so that the network device 10 directly discards page access requests from that source IP address instead of forwarding them to the server 30, thereby protecting the server 30 from the CC attack.
It should be noted that, to improve the accuracy of the suspected CC attack determination, a human-machine identification test may be added after the request rate and/or concentration condition is met: a randomly generated string of letters and/or numbers is shown as a distorted picture together with a text box. To pass the test and prove that the requester is a person, only the characters seen in the picture need to be entered into the text box. Spurious page access requests can thus be distinguished.
The detection method for challenging black hole attacks provided by the embodiment can further reduce the false alarm rate of detection of CC attacks by increasing judgment of processing time of page access requests.
In this embodiment, in order to ensure the accuracy of detecting the CC attack, the URL needs to be subjected to accurate statistics, and therefore, the embodiment of the present disclosure further provides an update method of statistical information of the URL. Referring to fig. 5, fig. 5 is a flowchart illustrating a method for updating statistical information of a URL according to an embodiment of the present disclosure, where the method for updating includes:
Step S201, receiving a page access request for accessing the server sent by the client.
Step S202, analyzing the page access request and obtaining the URL identification of the page access request.
In this embodiment, the URL identifier may be obtained by combining the source IP address with the URL, or by combining the source IP address, the mdcID, and the vrfridex.
It should be noted that, by setting a rule filtering condition, page access requests are filtered first, and only the requests that pass the filter take part in URL statistics. For example, a rule is preset that includes a destination IP, a destination port, and a filtering index; whether a page access request satisfies the filtering index is determined from the destination IP and destination port obtained by parsing the request, and a request that satisfies the filtering index is filtered out and does not participate in subsequent URL statistics.
Step S203, updating the statistical information of the URL corresponding to the page access request according to the URL identification.
In this embodiment, the statistical information of the URL includes, but is not limited to, the URL corresponding to the page access request at the current time or in the current detection period, the number of page access requests for each URL, the processing time of each page access request, and the like. For example: the pages accessed from the source IP address 192.168.1.10 in the current detection period, and the number of accesses to each page.
It should be noted that, when a detection period is set, the request rate and the request concentration may be calculated at the end of each detection period. After they are calculated, the network device 10 deletes the statistical information of each URL, so that the statistical information of the next detection period is not affected by the current one. The statistical information of a URL then truly reflects the access situation of that URL within the current detection period, which ensures the accuracy and real-time performance of CC attack detection.
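The following is an added example (not code from patent CN110808967B) of the statistics update method of steps S201 to S203 together with the white list, rule filtering and end-of-period reset described above. The URL identifier is taken as the (source IP address, URL) pair; the request rate of a URL is its request count within the detection period, and the concentration is that count divided by the total count over all URLs in the period, following the definitions in claim 1. Class and function names, the suspected-attack thresholds, the filter rule, the white list and the sample traffic are all constructed for the example.

```python
"""Per-URL statistics with detection periods (steps S201-S203 and the period reset).

Added example, not code from patent CN110808967B. Names, thresholds and
sample traffic are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

UrlId = Tuple[str, str]  # (source IP address, URL) -- the URL identifier


@dataclass(frozen=True)
class PageRequest:
    src_ip: str
    dst_ip: str
    dst_port: int
    url: str


@dataclass
class UrlStat:
    """Request rate and concentration of one URL at the end of a detection period."""
    url_id: UrlId
    request_rate: int
    concentration: float
    suspected: bool


class UrlStatistics:
    def __init__(self, rate_threshold: int, concentration_threshold: float,
                 filter_rules: Set[Tuple[str, int]], whitelist: Set[str]):
        self.rate_threshold = rate_threshold
        self.concentration_threshold = concentration_threshold
        self.filter_rules = filter_rules   # (destination IP, destination port) pairs to exclude
        self.whitelist = whitelist         # source IPs forwarded without statistics
        self.counts: Dict[UrlId, int] = defaultdict(int)

    @staticmethod
    def url_identifier(req: PageRequest) -> UrlId:
        """Step S202: combine the source IP address with the URL."""
        return (req.src_ip, req.url)

    def update(self, req: PageRequest) -> bool:
        """Steps S201-S203. Returns True if the request was counted."""
        if req.src_ip in self.whitelist:
            return False                   # forwarded directly, statistics untouched
        if (req.dst_ip, req.dst_port) in self.filter_rules:
            return False                   # matches the preset rule, excluded from statistics
        self.counts[self.url_identifier(req)] += 1
        return True

    def end_of_period(self) -> List[UrlStat]:
        """Compute request rate and concentration for every URL, then clear the counters."""
        total = sum(self.counts.values())
        results = []
        for url_id, count in sorted(self.counts.items()):
            concentration = count / total if total else 0.0
            suspected = (count > self.rate_threshold
                         or concentration > self.concentration_threshold)
            results.append(UrlStat(url_id, count, concentration, suspected))
        self.counts.clear()                # next period must not be affected by this one
        return results


def run_constructed_sample() -> List[UrlStat]:
    """Constructed traffic for one detection period (sample values, not real data)."""
    stats = UrlStatistics(rate_threshold=5, concentration_threshold=0.5,
                          filter_rules={("203.0.113.7", 8443)}, whitelist={"10.0.0.9"})
    traffic = ([PageRequest("192.168.1.10", "203.0.113.5", 80, "/login")] * 8
               + [PageRequest("192.168.1.10", "203.0.113.5", 80, "/index")] * 2
               + [PageRequest("10.0.0.5", "203.0.113.5", 80, "/index"),
                  PageRequest("10.0.0.9", "203.0.113.5", 80, "/login"),       # whitelisted
                  PageRequest("192.168.1.10", "203.0.113.7", 8443, "/api")])  # filtered by rule
    for req in traffic:
        stats.update(req)
    return stats.end_of_period()


if __name__ == "__main__":
    for s in run_constructed_sample():
        print(s)
```

In the constructed period the source 192.168.1.10 sends 8 of the 11 counted requests to /login, so that URL exceeds both the rate threshold and the concentration threshold and is flagged as suspected; the white-listed and rule-filtered requests never enter the counters, and a second call to `end_of_period` on the same object returns an empty list because the counters were cleared.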
In order to perform the corresponding steps in the above embodiments and their possible implementations, an implementation of the detection apparatus for challenging black hole attack is given below. Referring to fig. 6, fig. 6 is a functional block diagram of a detection apparatus 100 for challenging black hole attack according to an embodiment of the present disclosure. It should be noted that the basic principle and the technical effect of the detection apparatus 100 provided by this embodiment are the same as those of the above embodiments; for brevity they are not repeated here, and reference may be made to the corresponding contents above. The detection apparatus 100 is applied to the network device 10 and is described below with reference to fig. 2 and 6. The detection apparatus 100 for challenging black hole attack includes: a calculation module 110, a suspected attack determination module 120, a first attack determination module 130, a second attack determination module 140, and an update module 150.
The calculating module 110 is configured to calculate a request rate and/or a concentration of the URL according to the statistical information of the URL corresponding to the page access request.
The suspected attack determination module 120 is configured to determine whether a suspected challenging black hole CC attack exists according to the request rate and/or the concentration.
A first attack determination module 130 to: if the suspicious CC attack exists, acquiring the current running state information of the server; and if the current running state information meets the preset condition, judging that the suspicious CC attack is the CC attack.
Specifically, the current operation state information of the server includes CPU operation data, memory operation data, and network operation data, and the first attack determination module 130 is specifically configured to: when any one of the CPU operation data, the memory operation data and the network operation data is not in its corresponding preset range, determine that the suspicious CC attack is a CC attack.
A second attack determination module 140 to: if the suspicious CC attack exists, calculating the processing time of the URL; the processing time of the URL is the average processing time from the time when the network equipment sends the page access request corresponding to the URL to the time when the network equipment receives the feedback information sent by the server responding to the page access request; and if the processing time of the URL is greater than a preset threshold value, judging that the suspicious CC attack is the CC attack.
An update module 150 configured to: receiving a page access request for accessing a server sent by a client; analyzing the page access request, and acquiring a URL (uniform resource locator) identifier of the page access request; and updating the statistical information of the URL corresponding to the page access request according to the URL identification.
The detection apparatus 100 for challenging black hole attack in fig. 6 may be stored in the memory 11 in fig. 2, and after receiving the execution instruction, the processor 13 in fig. 2 executes the program of the detection apparatus 100 for challenging black hole attack to implement the detection method for challenging black hole attack disclosed in the above embodiments.
The embodiment of the disclosure provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for detecting a challenge black hole attack as described in any one of the foregoing embodiments is implemented.
To sum up, the embodiments of the present disclosure provide a method and a related apparatus for detecting a challenge black hole attack, applied to a network device that is in communication connection with a client and a server, where the client sends a page access request to the server through the network device. The method includes: calculating the request rate and/or concentration of the URL according to the statistical information of the URL corresponding to the page access request; determining whether a suspected challenge black hole CC attack exists according to the request rate and/or the concentration; if a suspicious CC attack exists, acquiring the current running state information of the server; and if the current running state information meets the preset condition, determining that the suspicious CC attack is a CC attack. Compared with the prior art, the method has the following beneficial effect: by combining the rate and concentration of the access requests with the current running state of the server under attack when detecting whether a CC attack exists, the embodiments of the present disclosure reduce the false alarm rate of CC attack detection.
The above description is only for the specific embodiments of the present disclosure, but the scope of the present disclosure is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present disclosure should be covered within the scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (10)

1. A detection method for challenging black hole attacks is applied to a network device, the network device is in communication connection with a client and a server, the client sends a page access request to the server through the network device, and the method comprises the following steps:
calculating the request rate and/or concentration of the URL according to the statistical information of the URL corresponding to the page access request, wherein the statistical information of the URL represents the statistical result of the page access requests from the same source IP address and accessing the same webpage of the same website, the request rate of the URL represents the page access request times in the URL in a detection period, and the concentration of the URL represents the ratio of the page access request times in the URL to the sum of the page request times in all URLs;
judging whether a suspicious challenge black hole CC attack exists according to the request rate and/or the concentration ratio;
if the suspicious CC attack exists, acquiring the current running state information of the server;
and if the current running state information meets a preset condition, judging that the suspicious CC attack is the CC attack.
2. The method according to claim 1, wherein the current operating state information includes CPU operating data, memory operating data, and network operating data, and if the current operating state information satisfies a predetermined condition, the method for determining the suspected CC attack as a CC attack includes:
and when any one of the CPU operation data, the memory operation data and the network operation data is not in a corresponding preset range, judging that the suspicious CC attack is a CC attack.
3. The method for detecting a challenging black hole attack as recited in claim 1, said method further comprising:
if the suspicious CC attack exists, calculating the processing time of the URL; the processing time of the URL is the average processing time from the time when the network equipment sends the page access request corresponding to the URL to the time when the network equipment receives feedback information sent by the server in response to the page access request;
and if the processing time of the URL is greater than a preset threshold value, judging that the suspicious CC attack is the CC attack.
4. The method for detecting a challenging black hole attack as recited in claim 1, said method further comprising:
receiving a page access request for accessing the server, which is sent by the client;
analyzing the page access request, and acquiring a URL (uniform resource locator) identifier of the page access request;
and updating the statistical information of the URL corresponding to the page access request according to the URL identification.
5. A detection device for challenging black hole attacks is applied to a network device, the network device is in communication connection with a client and a server, the client sends a page access request to the server through the network device, and the device comprises:
the calculation module is used for calculating the request rate and/or concentration of the URL according to the statistical information of the URL corresponding to the page access request, wherein the statistical information of the URL represents the statistical result of the page access requests from the same source IP address and accessing the same webpage of the same website, the request rate of the URL represents the page access request times in the URL in a detection period, and the concentration of the URL represents the ratio of the page access request times in the URL to the sum of the page request times in all URLs;
the suspicious attack judging module is used for judging whether suspicious challenge black hole CC attacks exist according to the request rate and/or the concentration ratio;
a first attack determination module to:
if the suspicious CC attack exists, acquiring the current running state information of the server;
and if the current running state information meets a preset condition, judging that the suspicious CC attack is the CC attack.
6. The apparatus according to claim 5, wherein the current operating state information includes CPU operating data, memory operating data, and network operating data, and the attack determination module is specifically configured to:
and when any one of the CPU operation data, the memory operation data and the network operation data is not in a corresponding preset range, judging that the suspicious CC attack is a CC attack.
7. The apparatus for detecting a challenging black hole attack of claim 5, wherein said apparatus further comprises a second attack determination module for:
if the suspicious CC attack exists, calculating the processing time of the URL; the processing time of the URL is the average processing time from the time when the network equipment sends the page access request corresponding to the URL to the time when the network equipment receives feedback information sent by the server in response to the page access request;
and if the processing time of the URL is greater than a preset threshold value, judging that the suspicious CC attack is the CC attack.
8. The apparatus for detecting a challenging black hole attack as recited in claim 5, said apparatus further comprising an update module for:
receiving a page access request for accessing the server, which is sent by the client;
analyzing the page access request, and acquiring a URL (uniform resource locator) identifier of the page access request;
and updating the statistical information of the URL corresponding to the page access request according to the URL identification.
9. A network device, characterized in that the network device comprises:
one or more processors;
a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method of detecting a challenging black hole attack as recited in any of claims 1-4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the method for detecting a challenging black hole attack according to any one of claims 1 to 4.
CN201911015170.6A 2019-10-24 2019-10-24 Detection method for challenging black hole attack and related device Active CN110808967B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911015170.6A CN110808967B (en) 2019-10-24 2019-10-24 Detection method for challenging black hole attack and related device

Publications (2)

Publication Number Publication Date
CN110808967A CN110808967A (en) 2020-02-18
CN110808967B true CN110808967B (en) 2022-04-08

Family

ID=69489013

Country Status (1)

Country Link
CN (1) CN110808967B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111565195A (en) * 2020-05-21 2020-08-21 杭州安恒信息技术股份有限公司 Challenge black hole attack defense method of distributed system and distributed system
CN113037841B (en) * 2021-03-08 2022-10-14 厦门靠谱云股份有限公司 Protection method for providing distributed denial of attack

Citations (2)

Publication number Priority date Publication date Assignee Title
CN103916379A (en) * 2013-12-04 2014-07-09 哈尔滨安天科技股份有限公司 CC attack identification method and system based on high frequency statistics
WO2017218031A1 (en) * 2016-06-16 2017-12-21 Level 3 Communications, Llc Systems and methods for preventing denial of service attacks utilizing a proxy server

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US7617170B2 (en) * 2006-10-09 2009-11-10 Radware, Ltd. Generated anomaly pattern for HTTP flood protection
CN101437030B (en) * 2008-11-29 2012-02-22 成都市华为赛门铁克科技有限公司 Method for preventing server from being attacked, detection device and monitoring device
CN104753863B (en) * 2013-12-26 2018-10-26 ***通信集团公司 A kind of defence method of distributed denial of service attack, equipment and system
CN106789270A (en) * 2016-12-27 2017-05-31 浪潮软件集团有限公司 Method and system for realizing centralized operation and maintenance management of information system

Non-Patent Citations (1)

Title
CC attack identification technology based on host behavior analysis; 马云莺; 《网络安全技术与应用》; 2017-04-15 (Issue 04); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant