CN103139138B - A kind of application layer denial of service means of defence based on client detection and system - Google Patents

Application layer denial-of-service protection method and system based on client detection

Info

Publication number
CN103139138B
CN103139138B
Authority
CN
China
Prior art keywords
connection request
client side
web client
authentication information
web
Prior art date
Legal status
Active
Application number
CN201110373611.7A
Other languages
Chinese (zh)
Other versions
CN103139138A (en)
Inventor
许世强
阎尖将
姚熙
Current Assignee
Fortinet Inc
Original Assignee
Fortinet Inc
Priority date
2011-11-22
Filing date
2011-11-22
Publication date
2016-02-03

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides an application layer denial-of-service protection method and system based on client detection. The method comprises: step one, the safeguard intercepts an initial connection request sent by the WEB client to the WEB server and sends JavaScript validation code to the client; step two, the WEB client runs the JavaScript validation code; if the WEB client cannot run the JavaScript validation code successfully, the initial connection request is dropped; if it runs successfully, the WEB client generates authentication information and sends a renewed connection request to the WEB server, the renewed connection request containing the authentication information; step three, the safeguard intercepts the renewed connection request and verifies the authentication information, and if verification passes, the renewed connection request is allowed through.

Description

Application layer denial-of-service protection method and system based on client detection
Technical field
The present invention relates to the field of information science and technology, and in particular to an application layer denial-of-service protection method and system based on client detection.
Background technology
DoS attacks against web servers are increasingly common. A client can use a simple attack tool to send a large number of web requests to a web server. For every request a client sends, the web server must perform a series of work such as script parsing and database queries; if the client sends many requests, the server consumes too many system resources and eventually stops responding to clients.
Traditional application-layer DoS detection analyses traffic at the network layer (TCP/UDP) and judges attacks against empirical thresholds. Detection by empirical thresholds, judged both in theory and by how products have fared in the market, gives unsatisfactory results: the detection success rate and accuracy are not high, and false detections occur often. For example, in the following scenario a traditional detection method produces a false detection:
A shopping website starts a large number of discount promotions at a specific time. Visit volume rises far above the usual level. If attack detection still uses the usual detection threshold as its benchmark, a false detection occurs: normal access is treated as an attack, and none of the website's business can proceed normally.
As can be seen from the structure and operation of conventional technology, traditional application-layer DoS detection only uses statistics about service connections; it does not actually take part in any particular connection.
Traditional application-layer DoS detection technology mainly includes attack detection techniques such as detecting HTTP Proxy Flood, CC Proxy Flood and Connection Exhausted attacks. Two detection methods are used: the first counts, within a unit of time, the frequency with which a given source address accesses a host; the second counts the frequency with which a destination host is accessed within a unit of time. Both methods consist of three main steps: machine statistics, manual correction and flow matching.
In addition, there is a typical web-server-based detection mechanism that assigns each client a trust rating. The trust rating is determined by the cost the web server incurs while processing the client's requests. A client with a high trust rating is allowed more web requests per unit of time, while the requests per unit of time of a client with a low trust rating are limited to a lower range.
The shortcoming of this mechanism is obvious: DoS attack requests are still received and processed by the web server. Although the number and rate of DoS attack requests are limited to a very small range, which prevents them from achieving the goal of the DoS attack, the web server still spends part of its resources on these attack requests.
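The two threshold-based methods described above (per-source and per-destination frequency counting), run over constructed access-log lines, as an added example that is not part of the patent. The log format, the 10-second window and the threshold of 20 requests are assumptions; the point it reproduces is the shopping-website scenario in which a per-destination threshold flags a legitimate surge of distinct shoppers as an attack.

```javascript
// Added example (not the patent's code): sliding-window request counting keyed by
// source or destination address, over constructed log lines.
const WINDOW_MS = 10_000;   // assumption: unit of time used for the statistics
const THRESHOLD = 20;       // assumption: the "empirical threshold" per window

// Constructed access-log lines: "<timestamp_ms> <source> <destination> <path>"
const LOG = [];
// Quiet period: two clients, a few requests each.
for (let i = 0; i < 5; i++) LOG.push(`${1000 + i * 1500} 10.0.0.1 shop.example /item/${i}`);
for (let i = 0; i < 5; i++) LOG.push(`${1200 + i * 1500} 10.0.0.2 shop.example /item/${i}`);
// Promotion starts: many distinct shoppers hit the same host within a few seconds.
for (let i = 0; i < 60; i++) LOG.push(`${20000 + i * 100} 10.1.${i % 5}.${i} shop.example /sale`);

function parseLine(line) {
  const [ts, src, dst, path] = line.split(' ');
  return { ts: Number(ts), src, dst, path };
}

// Counts requests per key inside a sliding window and reports the moment a key
// first exceeds THRESHOLD. keyOf selects the source or destination address.
function countInWindows(lines, keyOf) {
  const windows = new Map();   // key -> timestamps still inside the window
  const alerts = [];
  for (const rec of lines.map(parseLine)) {
    const key = keyOf(rec);
    const seen = windows.get(key) || [];
    while (seen.length && rec.ts - seen[0] > WINDOW_MS) seen.shift();  // expire old entries
    seen.push(rec.ts);
    windows.set(key, seen);
    if (seen.length === THRESHOLD + 1) alerts.push({ key, at: rec.ts });
  }
  return alerts;
}

// First method: frequency of access from a given source address.
function perSourceAlerts(lines) { return countInWindows(lines, r => r.src); }
// Second method: frequency with which a destination host is accessed.
function perDestinationAlerts(lines) { return countInWindows(lines, r => r.dst); }
```

Over this log the per-source counter raises no alert, because every shopper is a different address, while the per-destination counter flags shop.example on the 21st request of the promotion even though every request is legitimate. This is the false detection the page describes, and it shows why a fixed threshold cannot by itself distinguish a flash sale from a flood.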
Summary of the invention
The technical problem solved by the present invention is to provide an application layer denial-of-service protection method and system based on client detection that distinguishes legitimate web requests from illegal access, performs connection handling only for legitimate web requests, and does not process illegal access.
The present invention detects, before a client request reaches the web server, whether the client is using a browser to access it. Browser access is regarded as legitimate access and non-browser access as illegal access, so that clients using attack tools are prevented from consuming the web server's resources.
To solve the above problem, the invention discloses an application layer denial-of-service protection method based on client detection, applied in a system comprising a WEB client, a safeguard and a WEB server, the method comprising:
Step one: the safeguard intercepts an initial connection request sent by the WEB client to the WEB server and sends JavaScript validation code to the WEB client;
Step two: the WEB client runs the JavaScript validation code; if the WEB client cannot run the JavaScript validation code successfully, the initial connection request is dropped; if it runs successfully, the WEB client generates authentication information and sends a renewed connection request to the WEB server, the renewed connection request containing the authentication information;
Step three: the safeguard intercepts the renewed connection request and verifies the authentication information; if verification passes, the renewed connection request is allowed through.
Step three further comprises: the safeguard drops any renewed connection request that fails verification.
The authentication information is generated randomly.
The authentication information is carried in a Cookie, in the HTTP Referer, or in any field of the HTTP header.
In step two, when the JavaScript validation code runs successfully, the JavaScript validation code forces the WEB client to send the renewed connection request.
The invention also discloses an application layer denial-of-service protection system based on client detection, comprising: a WEB client, a safeguard and a WEB server;
wherein the safeguard is configured to intercept an initial connection request sent by the WEB client to the WEB server and to send JavaScript validation code to the WEB client;
the WEB client runs the JavaScript validation code; if the WEB client cannot run the JavaScript validation code successfully, the safeguard drops the initial connection request; if the WEB client runs it successfully, the WEB client generates authentication information and sends a renewed connection request to the WEB server, the renewed connection request containing the authentication information;
the safeguard intercepts the renewed connection request and verifies the authentication information; if verification passes, the renewed connection request is allowed through.
The safeguard drops any renewed connection request that fails verification.
The authentication information is generated randomly.
The authentication information is carried in a Cookie, in the HTTP Referer, or in any field of the HTTP header.
When the JavaScript validation code runs successfully, the JavaScript validation code forces the WEB client to send the renewed connection request.
The present invention actually takes part in the service connection: illegal web requests are dropped directly without further processing, which saves system resources, speeds up system processing and avoids wasting system resources. Subsequent processing is performed only for legitimate web requests, so accuracy is higher. At the same time, the verification method adopted by the present invention does not change the operating logic of the business; it is transparent to the user, who does not perceive that verification exists.
Moreover, the present invention also takes into account the various variants of denial-of-service attacks and manual anti-detection attack schemes. By checking the randomly generated authentication information, even if the JavaScript validation code is cracked, a correct connection request carrying the client authentication information still cannot be sent, which defends against manual anti-detection attack schemes.
Brief description of the drawings
Fig. 1 is a structural diagram of an application layer denial-of-service protection system based on client detection according to the present invention;
Fig. 2 is a flow chart of an application layer denial-of-service protection method based on client detection according to the present invention.
Embodiments
In order to detect and prevent web application denial-of-service attacks, the present invention adopts a mechanism that distinguishes legitimate web requests from DoS attack requests. Starting from the client that issues the web request, the present invention uses a client recognition technique to intelligently identify the specific type of client, and from that determines whether a web request is legitimate or an illegal DoS attack.
In all attack techniques against web servers, the attacking client uses an attack tool to send a large number of requests in a short time and thereby completes the attack. If the client uses a browser, it cannot send a large number of requests. There is therefore a correspondence between the client type (using a browser) and legitimate web requests. A means is needed to discriminate the type of client, that is, to distinguish whether the client uses a browser or a packet-sending program used for attacks; if the client type can be judged accurately, a good attack-prevention effect can be achieved.
To identify the client type, the method used by the present invention judges whether the client has the ability to interpret JavaScript script.
JavaScript is a web scripting language, often used by web pages to improve design, validate forms, detect browsers, create cookies and more. All browsers are able to interpret and execute JavaScript script, but attack tools do not have the ability to interpret JavaScript script. The present invention uses this as the main criterion for judging whether a client is a browser.
Fig. 1 shows the structural diagram of an application layer denial-of-service protection system based on client detection according to the present invention. The system comprises a WEB client 10, a safeguard 20 and a WEB server 30. The safeguard 20 can be installed separately on its own server or installed in the WEB server 30.
Fig. 2 shows the flow chart of an application layer denial-of-service protection method based on client detection according to the present invention.
Step 201: the WEB client 10 sends a connection request A1 to the WEB server 30.
The connection request A1 is, for example, an HTTP request.
Step 202: the safeguard 20 intercepts the connection request A1 and at the same time sends a piece of JavaScript validation code to the WEB client 10 that sent the connection request A1.
Step 203: the WEB client 10 runs the JavaScript validation code. If the WEB client 10 can run the JavaScript validation code successfully, step 205 is performed; if the WEB client 10 cannot run the JavaScript validation code successfully, step 204 is performed.
All browsers can interpret and execute JavaScript script, whereas attack tools lack the ability to interpret JavaScript script; the present invention uses this as the main criterion for judging whether a client is a browser. That is, if the WEB client 10 is based on a real browser, it can run the JavaScript validation code correctly; if the WEB client 10 is not based on a real browser but is used for sending DoS attack requests, it cannot run the JavaScript validation code correctly. The present invention uses this to distinguish legitimate web requests from DoS attacks.
Step 204: the safeguard 20 drops the connection request A1, and the method ends.
If the WEB client 10 cannot run the JavaScript validation code successfully, this indicates that the connection request A1 is not a legitimate web request but a DoS attack, so the connection request A1 identified as a DoS attack is dropped.
In one embodiment, if the safeguard 20 receives no reply, for example the connection request A2 described in step 205, within a predetermined time, it treats this as "the WEB client 10 cannot run the JavaScript validation code successfully" and drops the connection request A1. Other conventional ways of judging that "the WEB client 10 cannot run the JavaScript validation code successfully" are also within the scope of the present disclosure.
Step 205: the WEB client 10 generates authentication information and sends a connection request A2 to the WEB server 30, the connection request A2 containing the authentication information.
If the WEB client 10 can run the JavaScript validation code successfully, this indicates that the connection request A1 is a legitimate web request rather than a DoS attack, so the connection request A1 identified as a legitimate web request is not dropped and subsequent connection handling proceeds.
In step 205, the JavaScript validation code run by the WEB client 10 forces the WEB client 10 to send the connection request A2. The authentication information is generated randomly. It can be carried in a Cookie, in the HTTP Referer, or in any field of the HTTP header.
The connection request A1 and the connection request A2 have the same URL and are sent to the same address, so the method of the present invention does not change the functional logic of the user's original connection procedure and is completely transparent to the user.
Step 206: the safeguard 20 intercepts the connection request A2 and verifies the authentication information it carries. If verification passes, step 207 is performed; if it fails, step 208 is performed.
In step 202, the safeguard 20 randomly generates the authentication information and records it in the memory of the safeguard 20; at the same time it adds the authentication information, in encrypted form, to the JavaScript validation code. If the WEB client 10 can run the JavaScript validation code successfully, it decrypts the authentication information correctly, generates the new connection request A2 and includes the authentication information in the connection request A2. In step 206, when the safeguard 20 intercepts the connection request A2, it compares the authentication information stored in memory with the authentication information in the connection request A2; if they match, verification is regarded as passed and step 207 is performed.
Step 207: the safeguard 20 lets the connection request A2 through.
The connection request A2 is forwarded to the WEB server 30.
Step 208: the safeguard 20 drops the connection request A2.
Because the authentication information is generated randomly each time, even if the JavaScript validation code is cracked, a correct connection request carrying the client authentication information cannot be sent. This guarantees the authenticity of connection requests.
In one embodiment, the connection request A1 is http://www.testdos.com.
The connection request A2 that the client 10 is forced to resend after the JavaScript validation code executes is http://www.testdos.com/?cookiesession8341=HLLUNNJJJJ34JJNNL
Here, cookiesession8341 is the authentication information.
The authentication information can also be carried in a Cookie, in the HTTP Referer, or in any field of the HTTP header.
To avoid the drawbacks of traditional detection methods, the present invention adopts a reasonable confirmation mechanism. The present invention actually takes part in the service connection and uses a verification technique. After a client sends a connection request, the request is intercepted immediately and verified; if it is judged not to be a legitimate web request, it is dropped directly without further processing, which saves system resources, speeds up system processing and avoids wasting system resources. If it is judged to be a legitimate web request, subsequent processing is performed. At the same time, the verification method adopted by the present invention does not change the operating logic of the business; it is transparent to the user, who does not perceive that verification exists, and accuracy is higher.
Moreover, the present invention also takes into account the various variants of denial-of-service attacks and manual anti-detection attack schemes. By checking the randomly generated authentication information, even if the JavaScript validation code is cracked, a correct connection request carrying the client authentication information still cannot be sent, which defends against manual anti-detection attack schemes.

Claims (10)

1. An application layer denial-of-service protection method based on client detection, applied in a system comprising a WEB client, a safeguard and a WEB server, characterized in that the method comprises:
Step one: the safeguard intercepts an initial connection request sent by the WEB client to the WEB server and sends JavaScript validation code to the WEB client;
Step two: the WEB client runs the JavaScript validation code; if the WEB client cannot run the JavaScript validation code successfully, the initial connection request is dropped; if it runs successfully, the WEB client generates authentication information and sends a renewed connection request to the WEB server, the renewed connection request containing the authentication information;
Step three: the safeguard intercepts the renewed connection request and verifies the authentication information; if verification passes, the renewed connection request is allowed through.
2. The method of claim 1, characterized in that step three further comprises: the safeguard drops any renewed connection request that fails verification.
3. The method of claim 1, characterized in that the authentication information is generated randomly.
4. The method of claim 1, characterized in that the authentication information is carried in a Cookie, in the HTTP Referer, or in any field of the HTTP header.
5. The method of claim 1, characterized in that in step two, when the JavaScript validation code runs successfully, the JavaScript validation code forces the WEB client to send the renewed connection request.
6. An application layer denial-of-service protection system based on client detection, characterized by comprising: a WEB client, a safeguard and a WEB server;
wherein the safeguard is configured to intercept an initial connection request sent by the WEB client to the WEB server and to send JavaScript validation code to the WEB client;
the WEB client runs the JavaScript validation code; if the WEB client cannot run the JavaScript validation code successfully, the safeguard drops the initial connection request; if the WEB client runs it successfully, the WEB client generates authentication information and sends a renewed connection request to the WEB server, the renewed connection request containing the authentication information;
the safeguard intercepts the renewed connection request and verifies the authentication information; if verification passes, the renewed connection request is allowed through.
7. The system of claim 6, characterized in that the safeguard drops any renewed connection request that fails verification.
8. The system of claim 6, characterized in that the authentication information is generated randomly.
9. The system of claim 6, characterized in that the authentication information is carried in a Cookie, in the HTTP Referer, or in any field of the HTTP header.
10. The system of claim 6, characterized in that when the JavaScript validation code runs successfully, the JavaScript validation code forces the WEB client to send the renewed connection request.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110373611.7A CN103139138B (en) 2011-11-22 2011-11-22 Application layer denial-of-service protection method and system based on client detection

Publications (2)

Publication Number Publication Date
CN103139138A CN103139138A (en) 2013-06-05
CN103139138B true CN103139138B (en) 2016-02-03

Family

ID=48498453

Country Status (1)

Country Link
CN (1) CN103139138B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254347A (en) * 2016-08-03 2016-12-21 浙江宇视科技有限公司 WEB page access method and device

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997494B (en) * 2014-05-22 2018-02-06 北京京东尚科信息技术有限公司 Method and system for resisting attacks
CN104023024A (en) * 2014-06-13 2014-09-03 中国民航信息网络股份有限公司 Network defense method and device
CN105162793A (en) * 2015-09-23 2015-12-16 上海云盾信息技术有限公司 Method and apparatus for defending against network attacks
CN105592070B (en) * 2015-11-16 2018-10-23 中国银联股份有限公司 Application layer DDoS defence methods and system
CN105430011B (en) * 2015-12-25 2019-02-26 杭州朗和科技有限公司 Method and apparatus for detecting distributed denial of service attacks
CN105610856A (en) * 2016-01-26 2016-05-25 深圳一卡易网络科技有限公司 DDoS (Distributed Denial of Service) attack defensive system for application layer based on multiple feature recognition
CN105656912A (en) * 2016-01-29 2016-06-08 广西咪付网络技术有限公司 Mobile intelligent terminal APP request process control method
CN105897694B (en) * 2016-03-25 2019-02-26 网宿科技股份有限公司 Client session recognition method and system
CN107454041B (en) 2016-05-31 2020-06-02 阿里巴巴集团控股有限公司 Method and device for preventing server from being attacked
CN107786489B (en) * 2016-08-24 2021-03-26 腾讯科技(深圳)有限公司 Access request verification method and device
CN107241306B (en) * 2017-01-06 2020-11-06 深圳市九州安域科技有限公司 Man-machine identification method, server, client and man-machine identification system
CN110554651B (en) * 2019-09-19 2021-07-30 哈尔滨工业大学 Private Internet of things system for measuring and controlling temperature of microfluidic chip
CN111478903A (en) * 2020-04-07 2020-07-31 浙江同花顺智能科技有限公司 Client-based verification method, server and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1798024A (en) * 2004-12-20 2006-07-05 上海贝尔阿尔卡特股份有限公司 Method and device for implementing multicast authentication and fee charging
CN101247391A (en) * 2007-12-28 2008-08-20 上海电力学院 OPC safety proxy system and proxy method thereof
CN101436958A (en) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting abnegation service aggression
CN101951603A (en) * 2010-10-14 2011-01-19 中国电子科技集团公司第三十研究所 Access control method and system for wireless local area network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1598807A (en) * 2003-09-17 2005-03-23 深圳市格林耐特通信技术有限责任公司 WEB identification method
CN101901221B (en) * 2009-05-27 2012-08-29 北京启明星辰信息技术股份有限公司 Method and device for detecting cross site scripting
CN102082780B (en) * 2009-11-30 2014-03-05 国际商业机器公司 Method and device for verifying security

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254347A (en) * 2016-08-03 2016-12-21 浙江宇视科技有限公司 WEB page access method and device
CN106254347B (en) * 2016-08-03 2019-08-02 浙江宇视科技有限公司 WEB page access method and device

Also Published As

Publication number Publication date
CN103139138A (en) 2013-06-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant