TWI476624B - Methods and Systems for Handling Abnormal Requests in Distributed Applications - Google Patents


Publication number
TWI476624B
Authority
TW
Taiwan
Prior art keywords
user terminal
access request
identification information
application server
server
Application number
TW098115850A
Other languages
Chinese (zh)
Other versions
TW201040786A (en)
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to TW098115850A
Publication of TW201040786A
Application granted
Publication of TWI476624B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Description

Method and system for handling abnormal requests in distributed applications

The invention belongs to the field of Internet security, and in particular relates to a method and system for handling abnormal requests in a distributed application.

With the rapid development of the Internet, large comprehensive portal websites face increasingly serious security risks, in particular a wide variety of malicious attacks from external systems. These include large volumes of highly concurrent requests made without malicious intent, such as machines issuing massive numbers of requests in parallel, so that the number of service requests the server must process surges in an instant and the server's resources are exhausted. Requests from normal users then cannot be served, and in severe cases the server goes down and the website crashes. There are also crawler programs, typically run by search engines, commercial competitors, commercial data-analysis websites and the like, that crawl the website's data. Such a program issues a large number of requests, and the server goes down because it cannot process them. These repetitive, highly concurrent requests that do not come from normal users can easily exhaust the available server resources, so that normal user requests do not receive an effective response.

The prior art counters these attacks with distributed applications, in which user requests are received by many application servers. Because a large number of servers accept requests, such requests are spread across the individual servers; in a distributed application, however, it may not be possible to identify abnormal user requests effectively.

To solve the prior-art problem that abnormal user requests may not be effectively identified in a distributed application, an embodiment of the invention provides a method for handling abnormal requests in a distributed application, comprising: each application server separately receives a resource locator (URL) resource access request sent by a user terminal; each application server separately sends event request information for the URL resource access request to an anti-malicious-attack server, the event request information including the time at which the access request was received, the target URL carried in the access request, and the identification information of the user terminal; the anti-malicious-attack server, from the event request information it receives, aggregates the number of times a user terminal with the same identifier accesses the same URL resource per unit time; and the anti-malicious-attack server identifies abnormal access requests from the aggregated result and predefined access rules.

An embodiment of the invention also provides a system for handling abnormal requests in a distributed application, comprising: a plurality of application servers, used to receive resource locator (URL) resource access requests sent by user terminals and to send event request information for those requests, the event request information including the time at which the access request was received, the target URL carried in the access request, and the identification information of the user terminal; and an anti-malicious-attack server, used to aggregate, from the event request information received from the application servers, the number of times a user terminal with the same identifier accesses the same URL resource per unit time, and to identify abnormal access requests from the aggregated result and the predefined access rule corresponding to that URL resource.

As the specific embodiments provided by the invention show, abnormal access requests can be effectively identified precisely because the anti-malicious-attack server aggregates the number of times a user terminal with the same identifier accesses the same URL resource per unit time.

The first embodiment provided by the invention is a method for handling abnormal requests in a distributed application. The method flow is shown in FIG. 1 and includes the following steps.

Step 101: Four application servers receive URL resource access requests sent by user terminals.

Application server 1 receives an access request for URL1 from the user terminal whose identification information is IP address 192.168.0.1; application server 2 receives an access request for URL2 from the user terminal whose identification information is IP address 192.168.0.1; application server 3 receives an access request for URL1 from the user terminal whose identification information is IP address 192.168.0.2; and application server 4 receives an access request for URL1 from the user terminal whose identification information is IP address 192.168.0.1. This embodiment uses four application servers only as an example and is not limited to four; a deployment may use fewer or more than four application servers as circumstances require. Access requests from the same user terminal or from different user terminals may be distributed randomly and evenly among the servers.

Step 102: The four application servers each extract the event request information of the access request. The event request information includes the time at which the access request was received, the target URL carried in the access request, and the IP address of the user terminal. The user terminal's IP address serves here as the identification information of the user terminal; the identification information may also be the user terminal's cookie data or the user terminal's MAC address.

Application server 1 extracts the receiving time t1 and the URL1 and IP address 192.168.0.1 carried in the access request it received; application servers 2, 3 and 4 perform similar operations. In practice this process changes continually: for example, at time t2 application server 1 receives an access request for URL4 from the user terminal with IP address 192.168.0.3, and at time t2 application server 2 receives an access request for URL3 from the user terminal with IP address 192.168.0.4.

Step 103: Each application server calls the filter. The filter reads the application server's IP blacklist and checks whether the user terminal IP address carried in each item of event request information is in the blacklist. If it is, the access request is rejected immediately and processing ends. If not, step 104 is performed.

The filter reads the application server's IP blacklist from the database. The check finds that IP address 192.168.0.2 is in the blacklist, so the access request from the user terminal with IP address 192.168.0.2 is rejected. IP address 192.168.0.1 is not in the blacklist, so step 104 is performed.

Step 104: The filter examines the target URL carried in each remaining item of event request information and determines whether that URL is under protection. If it is, the access request is rejected and processing ends. Otherwise step 105 is performed.

Depending on the actual needs of the business application, certain access rules must be set for a URL: for example, when the number of accesses to the URL in some period has exceeded a predetermined standard, or when the URL may be accessed only by users with certain permissions, the URL must be set as not allowed to be accessed.

From the event request information of the access requests received by application servers 1, 2 and 4, the filter extracts the target URLs, URL1 and URL2. URL2 is found to be under protection, that is, URL2 is not allowed to be accessed, so the access request for URL2 is rejected. The purpose is multi-level filtering: filtering not only by IP address but also by URL. URL1 is not under protection, so step 105 is performed.

Step 105: The filter sends the event request information that passed its checks to the anti-malicious-attack server, asking the anti-malicious-attack server to analyze whether the corresponding access requests are abnormal.

The filter sends the anti-malicious-attack server the event request information of the access requests received by application servers 1 and 4.

Step 106: From all the event request information it has received, the anti-malicious-attack server aggregates the number of times a user terminal with the same identifier accesses the same URL resource per unit time.

From the event request information of the access requests received by application servers 1 and 4, the anti-malicious-attack server finds that the user terminal whose identification information is IP address 192.168.0.1 accessed URL1 100 times within one minute.

Step 107: The anti-malicious-attack server identifies abnormal access requests from the aggregated result and the predefined access rule corresponding to the URL resource.

Given the aggregated result that the user terminal with IP address 192.168.0.1 accessed URL1 100 times within one minute, and the predefined access rule for URL1 (a user terminal with the same IP address may not access URL1 more than 50 times within one minute), the anti-malicious-attack server determines that the access requests for URL1 from the user terminal with IP address 192.168.0.1 are abnormal. The rule for this anomaly is to lock IP 192.168.0.1 for five minutes: the IP address 192.168.0.1 is sent back to the application servers, which update their IP blacklists by adding 192.168.0.1, and any further request for URL1 from the user terminal with IP address 192.168.0.1 within five minutes is rejected. The anti-malicious-attack server announces the predetermined processing rule to all application servers, and each application server can decide under that rule whether to reject all access from IP address 192.168.0.1 or only access to URL1 from IP address 192.168.0.1. Of course, the anti-malicious-attack server can also identify abnormal access requests from the aggregated result and a single predefined, uniform access rule.

Step 108: Business processing is performed on the access requests whose event request information passed the filter's checks without anomaly.

The event request information of the access requests received by application servers 1 and 4 passed the filter's checks without anomaly, so application servers 1 and 4 perform business processing on those requests. The event request information of the access requests received by application servers 2 and 3 did not pass the filter's checks, so application servers 2 and 3 do not perform business processing on those requests.

Step 108, the business processing of access requests whose event request information passed the filter's checks without anomaly, runs concurrently with steps 105 to 107, in which the anti-malicious-attack server identifies abnormal access requests. This guarantees that the current access request is processed immediately, and also that, if the current access request is a malicious attack, the next access request from that IP address is handled under the predetermined processing rule.
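The flow of steps 101 to 108 as a runnable simulation, added here as an illustration and not taken from the patent; the class names, the round-robin dispatch, the sliding-window counter and the choice to reject every request from a locked identifier are assumptions. It shows why central aggregation matters: no single application server sees more than 13 requests, yet the combined count crosses the 50-per-minute rule for URL1, and the request that crosses it is still served because analysis does not gate business processing.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW = 60.0  # "unit time" in seconds; the page's example uses one minute


@dataclass(frozen=True)
class Rule:
    max_hits: int        # hits allowed per WINDOW for one identifier on one URL
    lock_seconds: float  # how long an offending identifier stays blacklisted


class AntiAttackServer:
    """Central aggregator (steps 106-107). Assumes timestamps arrive in order."""

    def __init__(self, rules):
        self.rules = rules               # URL -> Rule
        self.hits = defaultdict(deque)   # (identifier, URL) -> recent timestamps
        self.app_servers = []

    def report(self, ts, url, ident):
        """Record one event; return True if it pushed the client over its limit."""
        rule = self.rules.get(url)
        if rule is None:
            return False
        window = self.hits[(ident, url)]
        window.append(ts)
        while window[0] <= ts - WINDOW:  # drop events older than the unit time
            window.popleft()
        if len(window) <= rule.max_hits:
            return False
        for server in self.app_servers:  # notify every application server
            server.blacklist[ident] = ts + rule.lock_seconds
        window.clear()
        return True


class AppServer:
    """One application server with its filter (steps 101-105 and 108)."""

    def __init__(self, central, protected_urls=()):
        self.central = central
        self.protected = set(protected_urls)
        self.blacklist = {}                 # identifier -> lock expiry time
        self.local_hits = defaultdict(int)  # what this server alone can see
        central.app_servers.append(self)

    def handle(self, ts, url, ident):
        expiry = self.blacklist.get(ident)
        if expiry is not None:              # step 103: blacklist check
            if ts < expiry:
                return "rejected:blacklist"
            del self.blacklist[ident]       # lock has expired
        if url in self.protected:           # step 104: protected-URL check
            return "rejected:protected"
        self.local_hits[(ident, url)] += 1
        # Step 105: forward the event. The verdict is not awaited, so this
        # request is still served (step 108); a lock affects the next one.
        self.central.report(ts, url, ident)
        return "served"


def simulate():
    """Constructed traffic: one client sends 100 requests for URL1 in 50 s."""
    central = AntiAttackServer({"URL1": Rule(max_hits=50, lock_seconds=300.0)})
    servers = [AppServer(central, protected_urls={"URL2"}) for _ in range(4)]
    outcomes = [
        servers[n % 4].handle(n * 0.5, "URL1", "192.168.0.1")  # round-robin
        for n in range(100)
    ]
    return {
        "served": outcomes.count("served"),
        "rejected": outcomes.count("rejected:blacklist"),
        "max_seen_by_one_server": max(
            s.local_hits[("192.168.0.1", "URL1")] for s in servers
        ),
        "other_client": servers[0].handle(30.0, "URL1", "192.168.0.3"),
        "protected": servers[1].handle(30.0, "URL2", "192.168.0.3"),
        "after_lock": servers[2].handle(326.0, "URL1", "192.168.0.1"),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```
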

The second embodiment provided by the invention is a system for handling abnormal requests in a distributed application. Its structure is shown in FIG. 2 and comprises: a plurality of application servers 202, used to receive resource locator (URL) resource access requests sent by user terminals and to send event request information for those requests, the event request information including the time at which the access request was received, the target URL carried in the access request, and the identification information of the user terminal; and an anti-malicious-attack server 204, used to aggregate, from the event request information received from the application servers, the number of times a user terminal with the same identifier accesses the same URL resource per unit time, and to identify abnormal access requests from the aggregated result and the predefined access rule corresponding to that URL resource.

Further, the system also includes a filter 206, used to read the identification-information blacklist of the application server 202 and, if the identification information of the user terminal is not in the blacklist, to send the event request information to the anti-malicious-attack server 204.

The application server 202 calls the filter 206 to send the event request message. Further, when the filter 206 determines that the target URL accessed by a user terminal whose identification information is not in the blacklist is not under protection, it sends the event request information to the anti-malicious-attack server 204.

Further, the application server 202 is also used to perform business processing on the access requests corresponding to the event request information sent to the anti-malicious-attack server.

Further, the anti-malicious-attack server 204 is also used to notify the application server 202 of the identification information of a user terminal that sent abnormal access requests, and the application server 202 adds that identification information to the identification-information blacklist.

Further, the anti-malicious-attack server 204 is also used to notify the application server 202 of the predetermined processing rule for abnormal access requests, and the application server 202 handles abnormal access requests according to that rule.

Obviously, those skilled in the art can make various changes and variations to the invention without departing from its spirit and scope. Thus, provided that these modifications and variations fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to cover them as well.

202: application server

204: anti-malicious-attack server

206: filter

FIG. 1 is a flow chart of the method of the first embodiment provided by the invention.

FIG. 2 is a system structure diagram of the second embodiment provided by the invention.

Claims (14)

1. A method for handling abnormal requests in a distributed application, characterized by comprising: each application server separately receiving a resource locator (URL) resource access request sent by a user terminal; each application server separately extracting event request information of the access request, wherein the event request information includes the time at which the access request was received, the target URL carried in the access request, and identification information of the user terminal; determining whether the identification information of the user terminal is in a blacklist; if the identification information of the user terminal is not in the blacklist, further determining whether the target URL accessed by the user terminal is under protection; if the target URL accessed by the user terminal is not under protection, each application server separately sending the event request information to an anti-malicious-attack server; the anti-malicious-attack server aggregating, from the received event request information, the number of times a user terminal with the same identifier accesses the same URL resource per unit time; and the anti-malicious-attack server identifying abnormal access requests from the aggregated result and predefined access rules.

2. The method of claim 1, wherein the application server rejects the access request under at least one of the following conditions: the identification information of the user terminal is in the blacklist; and the target URL accessed by the user terminal is under protection.

3. The method of claim 1, wherein each application server separately sending event request information to the anti-malicious-attack server specifically comprises: each application server separately calling a filter, the filter reading the application server's identification-information blacklist.

4. The method of claim 1, wherein the application server that sends the event request information also performs business processing on the corresponding access request.

5. The method of claim 1, further comprising, after the step in which the anti-malicious-attack server identifies abnormal access requests: the anti-malicious-attack server notifying the application server of the identification information of the user terminal that sent the abnormal access requests, and the application server adding that identification information to the identification-information blacklist.

6. The method of claim 1, further comprising, after the step in which the anti-malicious-attack server identifies abnormal access requests: the anti-malicious-attack server notifying the application server of a predetermined processing rule for abnormal access requests, and the application server handling abnormal access requests according to the predetermined processing rule.

7. The method of claim 1, wherein the identification information of the user terminal includes: an Internet Protocol (IP) address, a media access control (MAC) address, and cookie data.

8. A system for handling abnormal requests in a distributed application, characterized by comprising: a plurality of application servers configured to: receive a resource locator (URL) resource access request sent by a user terminal, and send event request information of the URL resource access request; extract the event request information of the access request, wherein the event request information includes the time at which the access request was received, the target URL carried in the access request, and identification information of the user terminal; determine whether the identification information of the user terminal is in a blacklist; if the identification information of the user terminal is not in the blacklist, further determine whether the target URL accessed by the user terminal is under protection; and, if the target URL accessed by the user terminal is not under protection, each separately send the event request information to an anti-malicious-attack server; and the anti-malicious-attack server, configured to: aggregate, from the event request information received from the application servers, the number of times a user terminal with the same identifier accesses the same URL resource per unit time; and identify abnormal access requests from the aggregated result and the predefined access rule corresponding to the URL resource.

9. The system of claim 8, wherein the application servers reject the access request under at least one of the following conditions: the identification information of the user terminal is in the blacklist; and the target URL accessed by the user terminal is under protection.

10. The system of claim 8, further comprising: a filter, used to read the application server's identification-information blacklist and, if the identification information of the user terminal is not in the blacklist, to send the event request information to the anti-malicious-attack server; wherein the application server calls the filter to send the event request message.

11. The system of claim 8, wherein, when the filter determines that the target URL accessed by a user terminal whose identification information is not in the blacklist is not under protection, it sends the event request information to the anti-malicious-attack server.

12. The system of claim 8, wherein the application server is also used to perform business processing on the access request corresponding to the event request information sent to the anti-malicious-attack server.

13. The system of claim 8, wherein the anti-malicious-attack server is also used to notify the application server of the identification information of the user terminal that sent the abnormal access requests, and the application server adds that identification information to the identification-information blacklist.

14. The system of claim 8, wherein the anti-malicious-attack server is also used to notify the application server of a predetermined processing rule for abnormal access requests, and the application server handles abnormal access requests according to the predetermined processing rule.
TW098115850A 2009-05-13 2009-05-13 Methods and Systems for Handling Abnormal Requests in Distributed Applications TWI476624B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW098115850A TWI476624B (en) 2009-05-13 2009-05-13 Methods and Systems for Handling Abnormal Requests in Distributed Applications

Publications (2)

Publication Number Publication Date
TW201040786A TW201040786A (en) 2010-11-16
TWI476624B true TWI476624B (en) 2015-03-11

Family

ID=44996084

Country Status (1)

Country Link
TW (1) TWI476624B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111507734B (en) * 2020-04-15 2023-07-04 抖音视界有限公司 Method and device for identifying cheating request, electronic equipment and computer storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010044820A1 (en) * 2000-04-06 2001-11-22 Scott Adam Marc Method and system for website content integrity assurance
US20080086435A1 (en) * 2006-10-09 2008-04-10 Radware, Ltd. Adaptive Behavioral HTTP Flood Protection
CN101242416A (en) * 2001-12-10 2008-08-13 思科技术公司 Method and device for filtering and analyzing communication traffic based on packet
US20080196085A1 (en) * 2005-02-18 2008-08-14 Duaxes Corporation Communication Control Apparatus
