CN113242260A - Attack detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113242260A (application number CN202110643746.4A)
Authority: CN (China)
Prior art keywords: packet, data, target, target object, data packet
Prior art date: not shown on the page
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113242260B (en)
Inventors: 荣鑫, 刘小刚, 郑东欣, 沈之芳, 黄波, 赵玉琛, 田威, 罗龙, 黄倩颖, 梁铭珊, 肖慧闵
Current assignee: Bank of China Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Bank of China Ltd
Priority date, filing date, publication date: not shown on the page (the priority date is an assumption and is not a legal conclusion)

Events: application filed by Bank of China Ltd; priority to CN202110643746.4A; publication of CN113242260A; application granted; publication of CN113242260B; legal status active; anticipated expiration date not shown on the page.

Classifications

    • H04L 63/1458: Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication; Network architectures or network communication protocols for network security; for detecting or protecting against malicious traffic; Countermeasures against malicious traffic; Denial of Service
    • H04L 63/1408: Network architectures or network communication protocols for network security; for detecting or protecting against malicious traffic; by monitoring network traffic
    • H04L 67/02: Network arrangements or protocols for supporting network services or applications; Protocols; Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention provides an attack detection method and device, an electronic device and a storage medium. Considering that the transport layer transmits on a best-effort basis, while an Http message is being received a target object serving as the comparison reference for a target data packet in the packet body is determined from the packet header and the other data packets in the packet body; comparing the data volume of the target data packet with that of the target object then shows whether the Http message is being transmitted in a best-effort manner, thereby detecting the slow Http denial of service attack. The slow Http denial of service attack can thus be detected accurately and quickly, and detection stability is improved.

Description

Attack detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of software technologies, and in particular, to an attack detection method and apparatus, an electronic device, and a storage medium.
Background
DDoS (Distributed Denial of Service) has become a major threat in the field of network security. DDoS attacks typically strike without warning, and the attacker can exhaust the resources of the target server at little cost.
An intra-bank system exchanges information with external service providers by interfacing with them over Http; when the Http link is hijacked, the system may be subjected to Http Post flooding attacks, of which Slow Http Post (the slow Http denial of service attack) is one.
Therefore, how to effectively detect the Slow Http Post attack is an urgent problem to be solved.
Disclosure of Invention
In view of the above, to solve the above problems, the present invention provides an attack detection method, apparatus, electronic device and storage medium, and the technical solution is as follows:
one aspect of the present invention provides an attack detection method, including:
receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
for a target data packet to be detected, determining, from the packet header and the other data packets in the packet body, a target object serving as the comparison reference for that target data packet;
and detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
Preferably, the method further comprises:
extracting a field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body;
and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, executing the step of determining, for the target data packet to be detected, a target object serving as the comparison reference from the packet header and the other data packets in the packet body.
Preferably, the type of the target data packet is a first data packet received for the first time;
correspondingly, the determining a target object as a comparison reference from the packet header and other data packets in the packet body includes:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object includes:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
Preferably, the type of the target data packet is a second data packet, received neither first nor last;
correspondingly, the determining a target object as a comparison reference from the packet header and other data packets in the packet body includes:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object includes:
and if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
Another aspect of the present invention provides an attack detection apparatus, including:
the packet receiving module is used for receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
the attack detection module is used for determining a target object serving as a comparison reference of the target data packet to be detected from the packet header and other data packets in the packet body aiming at the target data packet to be detected; and detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
Preferably, the attack detection module is further configured to:
extracting a field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body; and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, executing the step of determining a target object serving as a comparison reference of the target data packet aiming at the target data packet to be detected from the packet header and other data packets in the packet body.
Preferably, the type of the target data packet is a first data packet received for the first time;
correspondingly, the attack detection module, configured to determine a target object as a comparison reference from the packet header and other data packets in the packet body, is specifically configured to:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the attack detection module, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
Preferably, the type of the target data packet is a second data packet, received neither first nor last;
correspondingly, the attack detection module, configured to determine a target object as a comparison reference from the packet header and other data packets in the packet body, is specifically configured to:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the attack detection module, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
Another aspect of the present invention provides an electronic device, including: at least one memory and at least one processor; the memory stores a program, and the processor calls the program stored in the memory, wherein the program is used for realizing any one of the attack detection methods.
Another aspect of the present invention provides a storage medium having stored therein computer-executable instructions for performing any one of the attack detection methods.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides an attack detection method and device, an electronic device and a storage medium. Considering that the transport layer transmits on a best-effort basis, while an Http message is being received a target object serving as the comparison reference for a target data packet in the packet body is determined from the packet header and the other data packets in the packet body; comparing the data volume of the target data packet with that of the target object then shows whether the Http message is being transmitted in a best-effort manner, thereby detecting the slow Http denial of service attack. The slow Http denial of service attack can thus be detected accurately and quickly, and detection stability is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram of a transmission manner of an Http message according to an embodiment of the present invention;
fig. 2 is a flowchart of a method of an attack detection method according to an embodiment of the present invention;
fig. 3 is a flowchart of another method of an attack detection method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an attack detection apparatus provided in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
To facilitate understanding of the present invention, concepts related to the present invention are explained below:
DDoS: distributed Denial of Service, Distributed Denial of attack. The method refers to that a plurality of attackers in different positions attack one or a plurality of targets at the same time, or one attacker controls a plurality of machines in different positions and uses the machines to attack victims at the same time. Since the points of attack launch are distributed in different places, this type of attack is known as a distributed denial of service attack, in which there may be multiple attackers.
And a Slow Http Post, which belongs to an application layer Slow Http denial of service attack, wherein an attacker uses a normal Post request to transmit data, but the Content-Length field value in the message header is set to a large value. However, in order to occupy the established request connection for a long time, an attacker sets a very small data transmission size in a transmission body (i.e. a packet body) which starts to be performed after a request header (i.e. a packet header) is confirmed, so that the WEB server considers that the request data is not completely transmitted, the request connection is reserved for a long time, and when a connection resource pool of the server is occupied by similar attack requests, a denial of service is caused.
At this stage, the usual defense against Slow Http Post is to respond according to TCP and UDP traffic or number of connections per hour. However, the related art is prone to errors in determination due to large changes in network traffic.
In contrast, the invention aims to establish a set of Slow Http Post attack detection scheme based on data packet inspection from an inline system, judge the detailed content of each request packet body, prevent the Slow Http Post attack by judging the size of the received data packet, and avoid the instability possibly occurring in the way of network flow.
To implement the invention, the inventors first analyse the best-effort operating characteristic of the transport layer:
When a user on the network sends an HTTP POST request to a web server, the transport layer operates on a best-effort basis in order to transfer data as efficiently as possible and to optimise transmission performance. The HTTP POST request is transmitted as an HTTP message, and when that message is split into several data packets it is split at the maximum transmission size (for TCP, the maximum segment size negotiated for the connection); this is one manifestation of best-effort transmission.
Referring to the schematic of the transmission of an Http message in fig. 1, the Http message is divided into a packet header and a packet body, and the packet body consists of N data packets. When the Http message is transmitted, the packet header is sent first, followed in sequence by the 1st, 2nd, …, Nth data packets. In some scenarios a packet in which the packet header and the 1st data packet are attached together is sent first, and the remaining data packets follow in sequence. Normally the data volume of the 1st data packet matches the maximum transmission size, is larger than the data volume of the packet header, and is not smaller than that of the other data packets.
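The Slow Http Post behaviour and the fig. 1 transmission pattern described above, as an added example that is not part of the patent: a small Python model of how a client's request bytes are cut into transport-layer segments, for a normal client that lets TCP fill each segment and for a slow client that declares a large Content-Length and then trickles the body. The MSS value, the request header, the body size and the slow client's chunk size are all constructed assumptions. The model also shows the case where the header and the start of the body share the first segment, and why the last segment is a remainder rather than a full-size packet.

```python
# Added example, not the patent's code: models how one HTTP POST message is cut
# into transport-layer segments by a normal client and by a Slow HTTP POST client.
# MSS, the request header, the body size and the slow client's chunk size are
# constructed assumptions.

from typing import List

MSS = 1460  # assumed maximum segment size: 1500-byte Ethernet MTU minus 40 bytes of IPv4+TCP headers


def build_post_header(content_length: int, host: str = "example.test") -> bytes:
    """Request header (up to and including the blank line) declaring a body of
    content_length bytes. Path and host are placeholders."""
    return (
        "POST /api/transfer HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    ).encode()


def normal_client_segments(header: bytes, body: bytes, mss: int = MSS,
                           header_alone: bool = True) -> List[int]:
    """Segment sizes for a client that writes the whole message and lets TCP
    fill every segment up to the MSS. With header_alone=True the header goes in
    its own segment (the ordering of fig. 1); with False the header and the start
    of the body share the first segment. The last entry is the remainder, which
    is why the patent leaves the Nth packet out of the comparison."""
    sizes: List[int] = []
    if header_alone:
        sizes.append(len(header))
        stream = body
    else:
        stream = header + body
    for off in range(0, len(stream), mss):
        sizes.append(min(mss, len(stream) - off))
    return sizes


def slow_post_segments(header: bytes, declared_length: int, chunk: int,
                       chunks_sent: int) -> List[int]:
    """Segment sizes for a Slow HTTP POST client: the header declares
    declared_length bytes of body, but the client then writes only `chunk`
    bytes per segment (chunks_sent times) to keep the connection open."""
    sizes = [len(header)]
    sent = 0
    for _ in range(chunks_sent):
        if sent >= declared_length:
            break
        n = min(chunk, declared_length - sent)
        sizes.append(n)
        sent += n
    return sizes


if __name__ == "__main__":
    hdr = build_post_header(5000)
    print("normal, header first:", normal_client_segments(hdr, b"a" * 5000))
    print("normal, header+body: ", normal_client_segments(hdr, b"a" * 5000, header_alone=False))
    print("slow post:           ", slow_post_segments(build_post_header(1 << 20), 1 << 20, 1, 5))
```

Running the script prints a normal stream as [header size, 1460, 1460, 1460, 620] and the slow stream as the header size followed by a run of 1-byte segments. Real TCP stacks do not guarantee full-size segments for every legitimate write, which is why the patent leaves its thresholds configurable rather than fixing them at the MSS.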
Based on this, in combination with the attack principle of the Slow Http Post, an embodiment of the present invention provides an attack detection method for the Slow Http Post, which may be applied to a WEB server, and refer to a method flowchart shown in fig. 2, where the method includes the following steps:
and S10, receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets.
In the embodiment of the invention, the Http message in transmission is received through the gateway and, with reference to fig. 1, arrives in the order packet header, 1st data packet, 2nd data packet, …, Nth data packet.
And S20, aiming at the target data packet to be detected, determining a target object as a comparison reference from the packet head and other data packets in the packet body.
In the embodiment of the invention, still referring to fig. 1 and considering that the transport layer operates on a best-effort basis, the target data packet may be the 1st data packet or any one of the 2nd to (N-1)th data packets. The Nth data packet is excluded: being the last packet, it is most likely the remainder left after splitting at the maximum transmission size, so its data volume is unlikely to reflect the best-effort characteristic.
Further, if the target data packet is the 1st data packet, the target object serving as its comparison reference is the packet header; if the target data packet is one of the 2nd to (N-1)th data packets, the target object is the 1st data packet.
S30, comparing the data volume of the target data packet with that of the target object to detect whether the Http message is subject to a slow Http denial of service attack.
1) Referring to fig. 1, the 1 st data packet is the first data packet received for the first time, and the target object is the packet header.
Correspondingly, step S30 "detecting whether there is a slow Http denial of service attack in Http message by comparing the data amount of the target data packet and the target object" may include the following steps:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
In the embodiment of the present invention, with reference to fig. 1, the data amount of the 1 st data packet is larger than the data amount of the packet header under a normal condition, so that once the data amount of the 1 st data packet is smaller than or equal to the data amount of the packet header, it can be determined that the Http message has a Slow Http Post attack.
Of course, if the data amount of the 1 st packet is greater than the data amount of the packet header, it is determined that there is no Slow Http Post attack currently receiving the 1 st packet, and further, the Slow Http Post attack may be continuously detected by subsequently processing the 2 nd to N-1 th packets as target packets.
2) With reference to fig. 1, the ith data packet of the 2 nd to N-1 th data packets is the second data packet received non-first time and non-last time, and the target object is the 1 st data packet.
Correspondingly, step S30 "detecting whether there is a slow Http denial of service attack in Http message by comparing the data amount of the target data packet and the target object" may include the following steps:
and if the data volume of the second data packet is larger than that of the first data packet or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
In the embodiment of the present invention, with reference to fig. 1, as for the ith packet, under a normal condition, the data size of the packet is not greater than the data size of the 1 st packet, so that once the data size of the ith packet is greater than the data size of the 1 st packet, it indicates that the Http message does not exhibit the best-effort operation characteristic during transmission, and it may be determined that the Http message has a Slow Http Post attack.
In addition, if the data amount of the ith packet is too small compared with the data amount of the 1 st packet, it indicates that the ith packet is set to be a very small data transmission size, so that it can be determined that the Http message has a Slow Http Post attack. Specifically, the embodiment of the present invention may set the data amount difference threshold according to an actual application scenario, where the threshold is a positive value, and when the data amount difference between the 1 st data packet and the ith data packet is greater than the threshold, it indicates that the data amount of the ith data packet is too small.
Conversely, if the data volume of the ith data packet is less than or equal to that of the 1st data packet, the first condition is not met; provided the difference condition below is not met either, no Slow Http Post attack is determined at the time the ith data packet is received, and detection continues by treating the data packets received after the ith as target data packets.
Likewise, if the data volume difference between the 1st and the ith data packet is less than or equal to the data volume difference threshold, the second condition is not met, no Slow Http Post attack is determined at the time the ith data packet is received, and detection again continues with the data packets received after the ith as target data packets.
It should be noted that each data packet in the packet body of the Http message may be taken in turn as the target data packet to be detected, so that Slow Http Post detection covers the detailed content of the message. Alternatively, data packets may be selected from the packet body according to a rule, such as random sampling, a fixed time interval or a fixed sampling frequency, to reduce the processing load of Slow Http Post detection. The choice depends on the actual application scenario and is not limited in the embodiment of the invention.
It should further be noted that the data volume of the packet header or of a data packet in the Http message may be obtained by existing techniques, for example by parsing, which the embodiment of the invention does not limit.
In other embodiments, to improve the efficiency of Slow Http Post attack detection, the attack detection method shown in fig. 2 is extended with the following step, the flowchart of which is shown in fig. 3:
s40, extracting the field value of the target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body; if the overall data amount corresponding to the field value is greater than the preset data amount threshold, step S20 is executed.
In the embodiment of the invention the target field in the packet header is the Content-Length field: before the Http message is transmitted, the sender sets the Content-Length field value to match the overall data volume of all data packets in the packet body (i.e. the sum of their data volumes). The overall data volume of the body that will follow can therefore be determined by extracting the field value from the packet header; if it is larger than the data volume threshold, the Http message is treated as a likely Slow Http Post candidate and the subsequent Slow Http Post attack detection is carried out.
If the overall data volume corresponding to the field value is less than or equal to the data volume threshold, no further processing is done and the subsequent Slow Http Post attack detection is skipped, which reduces the data processing load. This speeds up packet processing, improves efficiency and avoids affecting normal POST transactions.
It should be noted that suitable values for the data volume difference threshold and the data volume threshold may be obtained by simulation and training on sample traffic, so as to improve the accuracy of attack detection.
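Steps S10 to S40 as an added example in Python, not the patent's own implementation: a receiver-side detector that parses the packet header out of the chunks read on one connection, applies the Content-Length gate of S40, and then compares each body packet with its reference object as in S30 (the 1st packet against the header, the 2nd to (N-1)th packets against the 1st). The threshold values, the request bytes and the chunk boundaries are constructed; where the header and the first body bytes arrive in one segment, the example counts the bytes after the blank line as the 1st body packet, which is one reading of the "attached together" case in fig. 1.

```python
# Added example, not the patent's code: applies the S40 gate and the S30
# packet-size comparisons to the byte chunks a server reads from one connection.
# Thresholds, request bytes and chunk boundaries below are constructed.

from typing import List, Optional

LENGTH_THRESHOLD = 4096   # assumed S40 gate: only bodies declared larger than this are inspected
DIFF_THRESHOLD = 1000     # assumed data-volume difference threshold for the 2nd..(N-1)th packets


class SlowPostDetector:
    """Consumes the chunks of one HTTP POST request in arrival order and returns
    a verdict per chunk: None (header incomplete), 'skipped' (S40 gate did not
    fire), 'ok', 'last' (Nth packet, not compared) or 'attack'."""

    def __init__(self, length_threshold: int = LENGTH_THRESHOLD,
                 diff_threshold: int = DIFF_THRESHOLD) -> None:
        self.length_threshold = length_threshold
        self.diff_threshold = diff_threshold
        self.buf = b""
        self.header_size: Optional[int] = None
        self.content_length = 0
        self.inspect = False
        self.body_received = 0
        self.body_sizes: List[int] = []

    @staticmethod
    def _content_length(raw_header: bytes) -> int:
        # Content-Length as declared by the client; absent or malformed counts as 0.
        for line in raw_header.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"content-length":
                try:
                    return int(value.strip())
                except ValueError:
                    return 0
        return 0

    def feed(self, chunk: bytes) -> Optional[str]:
        if self.header_size is None:
            self.buf += chunk
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return None                      # packet header still incomplete
            self.header_size = end + 4           # S10: header ends at the blank line
            self.content_length = self._content_length(self.buf[:end])
            self.inspect = self.content_length > self.length_threshold   # S40 gate
            chunk = self.buf[self.header_size:]  # body bytes that shared the header's segment
            self.buf = b""
            if not chunk:
                return None if self.inspect else "skipped"
        if not self.inspect:
            return "skipped"
        return self._check_body_packet(len(chunk))

    def _check_body_packet(self, size: int) -> str:
        self.body_received += size
        self.body_sizes.append(size)
        if self.body_received >= self.content_length:
            return "last"                        # Nth packet: remainder of the split, not compared
        if len(self.body_sizes) == 1:
            # S20/S30 case 1: the 1st body packet is compared with the packet header
            return "attack" if size <= self.header_size else "ok"
        first = self.body_sizes[0]
        # S20/S30 case 2: 2nd..(N-1)th packets are compared with the 1st packet
        if size > first or first - size > self.diff_threshold:
            return "attack"
        return "ok"


def inspect_stream(chunks: List[bytes]) -> str:
    """Runs the detector over a whole stream: 'attack' if any packet is flagged,
    'skipped' if the S40 gate kept the body out of inspection, else 'clean'."""
    det = SlowPostDetector()
    verdicts = [det.feed(c) for c in chunks]
    if "attack" in verdicts:
        return "attack"
    if "skipped" in verdicts:
        return "skipped"
    return "clean"


def make_header(content_length: int) -> bytes:
    """Constructed request header with a placeholder path and host."""
    return (b"POST /api/transfer HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: " + str(content_length).encode() + b"\r\n\r\n")


# Constructed streams: a normal 5000-byte body in 1460-byte segments, a Slow HTTP
# POST that declares 1 MiB and sends one byte per segment, and a small body that
# never passes the S40 gate.
NORMAL = [make_header(5000), b"a" * 1460, b"a" * 1460, b"a" * 1460, b"a" * 620]
SLOW = [make_header(1 << 20)] + [b"a"] * 5
SMALL = [make_header(100), b"a" * 100]

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("slow", SLOW), ("small", SMALL)):
        print(name, inspect_stream(stream))
```

The detector decides per packet as it arrives, so a slow client is flagged on its first tiny body segment without waiting for the declared length to complete. Both rules of S30 are applied: a 2nd..(N-1)th packet larger than the 1st, or smaller than the 1st by more than the difference threshold, is reported as an attack.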
In the attack detection method provided by the embodiment of the invention, considering that the transport layer transmits on a best-effort basis, while the Http message is being received a target object serving as the comparison reference for a target data packet in the packet body is determined from the packet header and the other data packets in the packet body; comparing the data volume of the target data packet with that of the target object then shows whether the Http message is being transmitted in a best-effort manner, thereby detecting the slow Http denial of service attack. The slow Http denial of service attack can thus be detected accurately and quickly, and detection stability is improved.
Based on the attack detection method provided by the above embodiment, an embodiment of the present invention correspondingly provides a device for executing the attack detection method, where a schematic structural diagram of the device is shown in fig. 4, and the device includes:
the message receiving module 10 is configured to receive an Http message in transmission, where the Http message includes a packet header and a packet body, and the packet body includes a plurality of data packets;
an attack detection module 20, configured to determine, for a target data packet to be detected, a target object serving as a comparison reference from a packet header and other data packets in a packet body; and detecting whether the Http message has a slow Http denial of service attack or not by comparing the data amount of the target data packet with the data amount of the target object.
Optionally, the attack detection module 20 is further configured to:
extracting the field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body; and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, determining a target object serving as a comparison reference of the target data packet from the packet header and other data packets in the packet body aiming at the target data packet to be detected.
Optionally, the type of the target data packet is a first data packet received for the first time;
correspondingly, the attack detection module 20 for determining the target object as the comparison reference from the packet header and other data packets in the packet body is specifically configured to:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the attack detection module 20 is configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, and specifically configured to:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
Optionally, the type of the target data packet is a second data packet, received neither first nor last;
correspondingly, the attack detection module 20 for determining the target object as the comparison reference from the packet header and other data packets in the packet body is specifically configured to:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the attack detection module 20 is configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, and specifically configured to:
and if the data volume of the second data packet is larger than that of the first data packet or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
It should be noted that, for the detailed functions of each module in the embodiment of the present invention, reference may be made to the corresponding disclosure of the embodiment of the attack detection method, and details are not described herein again.
Based on the attack detection method provided by the above embodiment, an embodiment of the present invention further provides an electronic device, where the electronic device includes: at least one memory and at least one processor; the memory stores a program, the processor calls the program stored in the memory, and the program is used for realizing the attack detection method.
Based on the attack detection method provided by the above embodiment, an embodiment of the present invention further provides a storage medium, where the storage medium stores computer-executable instructions, and the computer-executable instructions are used for executing the attack detection method.
The attack detection method, the attack detection device, the electronic device and the storage medium provided by the invention have been described in detail above. Specific examples are used in the description to explain the principle and implementation of the invention, and the description of the embodiments serves only to help in understanding the method and the core idea of the invention; at the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An attack detection method, characterized in that the method comprises:
receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
determining a target object serving as a comparison reference of the target data packet to be detected from the packet header and other data packets in the packet body aiming at the target data packet to be detected;
and detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
2. The method of claim 1, further comprising:
extracting a field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body;
and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, executing the step of determining a target object serving as a comparison reference of the target data packet aiming at the target data packet to be detected from the packet header and other data packets in the packet body.
3. The method of claim 1, wherein the type of the target packet is a first packet received for the first time;
correspondingly, the determining a target object as a comparison reference from the packet header and other data packets in the packet body includes:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object includes:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
4. The method of claim 1, wherein the type of the target packet is a second packet, that is, one that is neither the first nor the last packet received;
correspondingly, the determining a target object as a comparison reference from the packet header and other data packets in the packet body includes:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object includes:
and if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
5. An attack detection apparatus, characterized in that the apparatus comprises:
the packet receiving module is used for receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
the attack detection module is used for determining a target object serving as a comparison reference of the target data packet to be detected from the packet header and other data packets in the packet body aiming at the target data packet to be detected; and detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
6. The apparatus of claim 5, wherein the attack detection module is further configured to:
extracting a field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body; and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, executing the step of determining a target object serving as a comparison reference of the target data packet aiming at the target data packet to be detected from the packet header and other data packets in the packet body.
7. The apparatus of claim 5, wherein the type of the target packet is a first packet received for the first time;
correspondingly, the attack detection module, configured to determine a target object as a comparison reference from the packet header and other data packets in the packet body, is specifically configured to:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the attack detection module, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
8. The apparatus of claim 5, wherein the type of the target packet is a second packet, that is, one that is neither the first nor the last packet received;
correspondingly, the attack detection module, configured to determine a target object as a comparison reference from the packet header and other data packets in the packet body, is specifically configured to:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the attack detection module, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
9. An electronic device, characterized in that the electronic device comprises: at least one memory and at least one processor; the memory stores a program, and the processor calls the program stored in the memory, and the program is used for realizing the attack detection method of any one of claims 1 to 4.
10. A storage medium having stored thereon computer-executable instructions for performing the attack detection method of any one of claims 1-4.
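The checks of claims 1 to 4, carried through as a stand-alone Python detector. This is an added example and not code from the patent: the two threshold values are assumptions (the patent only calls them "preset"), and Content-Length is assumed to be the header field that represents the overall data volume of the packet body.

```python
from typing import List, Optional

# Assumed thresholds: the patent calls both "preset" but gives no values.
BODY_LENGTH_THRESHOLD = 1024   # claim 2: inspect only bodies declared larger than this
PACKET_DIFF_THRESHOLD = 512    # claim 4: tolerated size gap between first and later packets

# Constructed sample header of a POST request whose declared body is large.
SAMPLE_HEADER = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 100000\r\n\r\n")


def declared_body_length(header: bytes) -> Optional[int]:
    """Field value of the 'target field' (claim 2), assumed to be Content-Length."""
    for line in header.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def detect_slow_http(header: bytes, body_packets: List[bytes]) -> List[str]:
    """Apply the claim 3 and claim 4 comparisons to one HTTP message.

    body_packets holds the payload of each body data packet in arrival order.
    Returns the findings; an empty list means no slow-HTTP DoS indicator.
    """
    findings: List[str] = []
    length = declared_body_length(header)
    # Claim 2 gate: a small declared body cannot be dripped out for long.
    if length is None or length <= BODY_LENGTH_THRESHOLD or not body_packets:
        return findings
    first = body_packets[0]
    # Claim 3: the first packet is compared against the packet header.
    if len(first) <= len(header):
        findings.append("first packet no larger than header")
    # Claim 4: packets that are neither first nor last are compared with the first.
    for idx, pkt in enumerate(body_packets[1:-1], start=1):
        if len(pkt) > len(first) or abs(len(first) - len(pkt)) > PACKET_DIFF_THRESHOLD:
            findings.append(f"packet {idx} inconsistent with first packet")
    return findings


if __name__ == "__main__":
    normal = [b"A" * 1400] * 5    # full-sized body chunks
    dripped = [b"A" * 10] * 5     # tiny chunks typical of a slow POST
    print(detect_slow_http(SAMPLE_HEADER, normal))   # []
    print(detect_slow_http(SAMPLE_HEADER, dripped))  # ['first packet no larger than header']
```

The last packet is deliberately skipped in the claim 4 loop because a legitimately sized final chunk is usually shorter than the rest.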
CN202110643746.4A 2021-06-09 2021-06-09 Attack detection method and device, electronic equipment and storage medium Active CN113242260B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110643746.4A CN113242260B (en) 2021-06-09 2021-06-09 Attack detection method and device, electronic equipment and storage medium


Publications (2)

Publication Number Publication Date
CN113242260A true CN113242260A (en) 2021-08-10
CN113242260B CN113242260B (en) 2023-02-21

Family

ID=77139391


Country Status (1)

Country Link
CN (1) CN113242260B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448661A (en) * 2021-12-16 2022-05-06 北京邮电大学 Slow denial of service attack detection method and related equipment
CN116074083A (en) * 2023-01-28 2023-05-05 天翼云科技有限公司 Method and device for identifying slow attack, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130042322A1 (en) * 2011-08-10 2013-02-14 Electronics And Telecommunications Research Institute SYSTEM AND METHOD FOR DETERMINING APPLICATION LAYER-BASED SLOW DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK
CN106471778A (en) * 2014-07-04 2017-03-01 日本电信电话株式会社 Attack detecting device, attack detection method and attack detecting program
CN109040140A (en) * 2018-10-16 2018-12-18 杭州迪普科技股份有限公司 A kind of attack detection method and device at a slow speed


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邓诗琪等: "基于数据包检查的Slow HTTP POST攻击检测方法", 《网络空间安全》 *




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant