CN104378358A - HTTP Get Flood attack prevention method based on server log - Google Patents

HTTP Get Flood attack prevention method based on server log Download PDF

Info

Publication number
CN104378358A
CN104378358A CN201410569022.XA CN201410569022A CN104378358A CN 104378358 A CN104378358 A CN 104378358A CN 201410569022 A CN201410569022 A CN 201410569022A CN 104378358 A CN104378358 A CN 104378358A
Authority
CN
China
Prior art keywords
http
attack
flood
server
same request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410569022.XA
Other languages
Chinese (zh)
Inventor
董立勉
左晓军
陈泽
侯波涛
卢宁
郗波
张君艳
常杰
王颖
董娜
刘伟娜
王春璞
刘惠颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hebei Electric Power Construction Adjustment Test Institute
Original Assignee
Hebei Electric Power Construction Adjustment Test Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hebei Electric Power Construction Adjustment Test Institute filed Critical Hebei Electric Power Construction Adjustment Test Institute
Priority to CN201410569022.XA priority Critical patent/CN104378358A/en
Publication of CN104378358A publication Critical patent/CN104378358A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of network security in the computer networking technology subject, in particular to an HTTP Get Flood attack prevention method based on a server log. The HTTP Get Flood attack prevention method aims at solving the problem that in the prior art, the CC attack prevention effect is poor when the number of attack source IPs is large. By means of the HTTP Get Flood attack prevention method, protection better in effect is provided for the HTTP Get Flood attack in the CC attacks. Through the combination with whether the IPs of the same requests can feed back feedback responses meeting the requirements, whether an IP is the attack source IP of the HTTP Get Flood attack or not is judged by judging whether the number of IPs of the same requests within the assigned duration in the server log exceeds the threshold value or not through statistics and analysis, and the attack source IP is blocked. The method is simple in design and easy to implement, the method can well adapt to various existing servers and has wide application and popularization prospects.

Description

A kind of HTTP Get Flood attack guarding method based on server log
Technical field
The present invention relates to network safety filed in computer networking technology subject, particularly a kind of HTTP Get Flood attack guarding method based on server log.
Background technology
China in Recent Years network size presents expansion type and increases, and along with network activity, particularly network electricity business's is active, and network interaction development rapidly.And meanwhile, the attack form for network also starts to change to new direction under huge interests promote.At present, CC(Challenge Collapsar) attack become a kind of typical attack mode be widely used, technical difficulty due to its enforcement is lower and attack effect remarkable, and CC attacks a kind of common attack mode developed in network safety filed.CC attack predecessor for Fatboy attack, belong to DDoS(Distribution Denial of Service distributed denial of service, be called for short DDoS) attack in one.It is primary challenge target that CC attacks with Website page, real attack source IP can be concealed, generate the legitimate request pointing to destination server by proxy server, flow can not produce abnormal massive dataflow, but server can be caused normally to connect.The Attack Theory that CC attacks derives from famous Law of Barrel, and the heap(ed) capacity that namely wooden barrel can hold water is not determined by the place that wooden barrel is the highest, but by the minimum place decision of wooden barrel.It is exactly used for reference Law of Barrel that CC attacks, when launching a offensive to server, assailant usually needs to server request the application taking its more resource overhead, and such as access needs to take a large amount of cpu resource of server and carries out the page of computing or the application of the frequent accessing database of request needs.Based on above factor, the target that CC attacks is generally in Website server the page needing dynamically to generate and the page needing visit data base resource, the page resource of the type files such as such as asp, jsp and php.Assailant, mainly through controlling a large amount of zombie host or proxy server, sends accessing page request by zombie host or proxy server from trend server.When using corpse zombie host of certain scale or proxy server to carry out CC attack, huge flowing of access will be caused to the server page, servers go down can be caused, whole attack process simulates the legal data packet that normal client access Internet resources send simultaneously, has stronger disguise.CC attacks and mainly contains 2 kinds of attack patterns, and namely HTTP Get Flood(HTML (Hypertext Markup Language) floods) attack and link exhausted attack.
At present, common CC attacks protection and relies on fire compartment wall, limits CC attack, rely on fire compartment wall to limit or stop the effect of CC attack poor in a fairly large number of situation of IP that initiation CC attacks by carrying out control to the single IP linking number of access services device.
Summary of the invention
Time more for attack source IP quantity, prior art attacks the poor problem of protection effect to CC, the invention provides a kind of HTTP Get Flood attack guarding method based on server log, can attack for the HTTP Get Flood in CC attack the protection providing effect more excellent.
Technical scheme of the present invention is:
Based on a HTTP Get Flood attack guarding method for server log, it is characterized in that comprising the following steps:
A () checks server log;
B () judges to specify the quantity of same request IP in duration whether to exceed threshold value;
If c the quantity of same request IP exceedes threshold value in () step b, judge the attack source IP that same request IP attacks as HTTP Get Flood, block attack source IP, return step a;
If d the quantity of same request IP does not exceed threshold value in () step b, send response request to same request IP, and require the corresponding feedback response of same request IP feedback;
If e in () steps d, the satisfactory feedback response of the non-feedback of same request IP, judges the attack source IP that same request IP attacks as HTTP Get Flood, blocks attack source IP, return step a;
If f in () steps d, the satisfactory feedback response of same request IP feedback, returns step a.
Concrete, in step b, threshold value is judged by server running parameter, and server running parameter comprises server performance and server regular traffic flow.
Concrete, the response request sent to same request IP in steps d is the response request with tag mark.
Beneficial effect of the present invention: 1, perform technical solution of the present invention step a ~ f and can identify and the IP blocking HTTP Get Flood attack, realize the protection of attacking for HTTP Get Flood; 2, technical solution of the present invention step b sends the quantity set threshold value of access request for identical IP, with this threshold value for benchmark judges the attack source IP whether this IP attacks as HTTP Get Flood, even if the IP quantity initiating HTTP Get Flood attack is more, also can identifies one by one and block attack source IP; 3, foundation server running parameter, comprises server performance and server regular traffic flow sets this threshold value, can meet the requirement of shelter that different server is attacked for HTTP Get Flood; 4, the response request with tag mark sent to same request IP in steps d can judge whether this IP is malicious attacker.The present invention designs succinctly, easy to implement, all has good suitability with all kinds of server, has wide application and promotion prospect.
Accompanying drawing explanation
Fig. 1 is flow chart of the present invention.
Embodiment
Below in conjunction with accompanying drawing, the invention will be further described.
With reference to Fig. 1, the protection process attacked for HTTP Get Flood in the present embodiment comprises:
1. check server log;
2. judge to specify the quantity of same request IP in duration whether to exceed threshold value, this threshold value is judged by server running parameter, and server running parameter comprises server performance and server regular traffic flow;
If 3. the quantity of same request IP exceedes threshold value in step 2, judge the attack source IP that this same request IP attacks as HTTP Get Flood, block attack source IP, return step 1;
If 4. the quantity of same request IP does not exceed threshold value in step 2, send the response request with tag mark to same request IP, and require the corresponding feedback response of this same request IP feedback;
If the 5. satisfactory feedback response of the non-feedback of same request IP in step 4, judges the attack source IP that this same request IP attacks as HTTP Get Flood, blocks same request IP, return step 1;
If the 6. satisfactory feedback response of same request IP feedback in step 4, returns step 1.
In the present embodiment, server is the X3850 M2 type server of IBM brand, and its regular traffic flow is 500Mbps, and step 2 middle finger timing length is 60 seconds, and threshold value is 30 times.
It should be noted that, block the common practise that attack source IP is this area (network safety filed), even if the present invention is not described in detail, those skilled in the art also should know this step.
The above execution mode is only the preferred embodiments of the present invention, and and the feasible enforcement of non-invention exhaustive.For persons skilled in the art, to any apparent change done by it under the prerequisite not deviating from the principle of the invention and spirit, all should be contemplated as falling with within claims of the present invention.

Claims (3)

1., based on a HTTP Get Flood attack guarding method for server log, it is characterized in that comprising the following steps:
A () checks server log;
B () judges to specify the quantity of same request IP in duration whether to exceed threshold value;
If c the quantity of same request IP described in () step (b) exceedes threshold value, judge to block the attack source IP that same request IP attacks as HTTP Get Flood described attack source IP, return step (a);
If d the quantity of same request IP described in () step (b) does not exceed threshold value, send response request to described same request IP, and require the corresponding feedback response of described same request IP feedback;
If e the satisfactory feedback response of the non-feedback of same request IP described in () step (d), judges to block the attack source IP that same request IP attacks as HTTP Get Flood described attack source IP, return step (a);
If f the satisfactory feedback response of the feedback of same request IP described in () step (d), returns step (a).
2. a kind of HTTP Get Flood attack guarding method based on server log according to claim 1, it is characterized in that threshold value described in step (b) is judged by server running parameter, described server running parameter comprises server performance and server regular traffic flow.
3. a kind of HTTP Get Flood attack guarding method based on server log according to claim 2, is characterized in that the response request sent to described same request IP in step (d) is the response request with tag mark.
CN201410569022.XA 2014-10-23 2014-10-23 HTTP Get Flood attack prevention method based on server log Pending CN104378358A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410569022.XA CN104378358A (en) 2014-10-23 2014-10-23 HTTP Get Flood attack prevention method based on server log

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410569022.XA CN104378358A (en) 2014-10-23 2014-10-23 HTTP Get Flood attack prevention method based on server log

Publications (1)

Publication Number Publication Date
CN104378358A true CN104378358A (en) 2015-02-25

Family

ID=52557015

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410569022.XA Pending CN104378358A (en) 2014-10-23 2014-10-23 HTTP Get Flood attack prevention method based on server log

Country Status (1)

Country Link
CN (1) CN104378358A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262760A (en) * 2015-10-30 2016-01-20 北京奇虎科技有限公司 Method and device for preventing action of maliciously visiting login/register interface
WO2017084529A1 (en) * 2015-11-19 2017-05-26 阿里巴巴集团控股有限公司 Network attacks identifying method and device
CN106953833A (en) * 2016-01-07 2017-07-14 无锡聚云科技有限公司 A kind of ddos attack detecting system
CN107682341A (en) * 2017-10-17 2018-02-09 北京奇安信科技有限公司 The means of defence and device of CC attacks
CN113452647A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Feature identification method, feature identification device, electronic equipment and computer-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101827081A (en) * 2010-02-09 2010-09-08 蓝盾信息安全技术股份有限公司 Method and system for detecting request safety
US20110107412A1 (en) * 2009-11-02 2011-05-05 Tai Jin Lee Apparatus for detecting and filtering ddos attack based on request uri type
CN103379099A (en) * 2012-04-19 2013-10-30 阿里巴巴集团控股有限公司 Hostile attack identification method and system
CN103685293A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Protection method and device for denial of service attack

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110107412A1 (en) * 2009-11-02 2011-05-05 Tai Jin Lee Apparatus for detecting and filtering ddos attack based on request uri type
CN101827081A (en) * 2010-02-09 2010-09-08 蓝盾信息安全技术股份有限公司 Method and system for detecting request safety
CN103379099A (en) * 2012-04-19 2013-10-30 阿里巴巴集团控股有限公司 Hostile attack identification method and system
CN103685293A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Protection method and device for denial of service attack

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262760A (en) * 2015-10-30 2016-01-20 北京奇虎科技有限公司 Method and device for preventing action of maliciously visiting login/register interface
WO2017071551A1 (en) * 2015-10-30 2017-05-04 北京奇虎科技有限公司 Method and device for preventing malicious access to login/registration interface
WO2017084529A1 (en) * 2015-11-19 2017-05-26 阿里巴巴集团控股有限公司 Network attacks identifying method and device
US11240258B2 (en) 2015-11-19 2022-02-01 Alibaba Group Holding Limited Method and apparatus for identifying network attacks
CN106953833A (en) * 2016-01-07 2017-07-14 无锡聚云科技有限公司 A kind of ddos attack detecting system
CN107682341A (en) * 2017-10-17 2018-02-09 北京奇安信科技有限公司 The means of defence and device of CC attacks
CN113452647A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Feature identification method, feature identification device, electronic equipment and computer-readable storage medium
CN113452647B (en) * 2020-03-24 2022-11-29 百度在线网络技术(北京)有限公司 Feature identification method, feature identification device, electronic equipment and computer-readable storage medium

Similar Documents

Publication Publication Date Title
CN102291390B (en) Method for defending against denial of service attack based on cloud computation platform
US10015193B2 (en) Methods and devices for identifying the presence of malware in a network
Choi et al. Detecting web based Ddos attack using mapreduce operations in cloud computing environment.
US8561188B1 (en) Command and control channel detection with query string signature
CN103856470B (en) Detecting method of distributed denial of service attacking and detection device
CN104378358A (en) HTTP Get Flood attack prevention method based on server log
CN110213208B (en) Method and device for processing request and storage medium
CN103916379B (en) A kind of CC attack recognition method and system based on high frequency statistics
Kumar et al. Classification of DDoS attack tools and its handling techniques and strategy at application layer
KR101250899B1 (en) Apparatus for detecting and preventing application layer distribute denial of service attack and method
KR100973076B1 (en) System for depending against distributed denial of service attack and method therefor
Arafat et al. A practical approach and mitigation techniques on application layer DDoS attack in web server
Huang et al. An authentication scheme to defend against UDP DrDoS attacks in 5G networks
CN104378359A (en) Link depletion type CC attack prevention method
KR20100072975A (en) Apparatus and method for managing network traffic based on flow and session
KR20090093187A (en) interception system of Pornographic and virus using of hash value.
CN104378357A (en) Protection method for HTTP Get Flood attack
Ismail et al. New framework to detect and prevent denial of service attack in cloud computing environment
Dar et al. Experimental analysis of DDoS attack and it's detection in Eucalyptus private cloud platform
Alosaimi et al. Simulation-based study of distributed denial of service attacks prevention in the cloud
Hu et al. Research of DDoS attack mechanism and its defense frame
Rawal et al. Emergence of DDoS resistant augmented Split architecture
Xiao et al. Defend against application-layer distributed denial-of-service attacks based on session suspicion probability model
Gupta et al. Profile and back off based distributed NIDS in cloud
Luo et al. DDOS Defense Strategy in Software Definition Networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150225

RJ01 Rejection of invention patent application after publication