CN104378358A - HTTP Get Flood attack prevention method based on server log - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention relates to the field of network security within computer networking technology, and in particular to an HTTP Get Flood attack prevention method based on a server log. It addresses the problem that, in the prior art, CC attack protection is poor when the number of attack source IPs is large, and it provides more effective protection against the HTTP Get Flood attack, one of the CC attacks. By analysing the server log, the method judges whether the number of times the same request IP appears within an assigned duration exceeds a threshold value, and combines this with whether that IP returns a feedback response meeting the requirements, in order to judge whether the IP is an attack source IP of an HTTP Get Flood attack; attack source IPs are blocked. The method is simple in design and easy to implement, adapts well to existing servers of all kinds, and has wide prospects for application and promotion.
Description
Technical field
The present invention relates to the field of network security within computer networking technology, and in particular to an HTTP Get Flood attack prevention method based on a server log.
Background technology
In recent years the scale of China's networks has grown explosively, and with the growth of online activity, especially e-commerce, network interaction has developed rapidly. At the same time, driven by large financial interests, attacks on networks have begun to move in new directions. The CC (Challenge Collapsar) attack has become a typical and widely used attack mode; because it is technically easy to carry out and its effect is significant, it has developed into a common attack mode in the field of network security. The predecessor of the CC attack was the Fatboy attack, and it belongs to the family of DDoS (Distributed Denial of Service) attacks. A CC attack takes web pages as its primary target. It conceals the real attack source IP by generating legitimate-looking requests to the target server through proxy servers, so the traffic does not show an abnormally large data flow, yet the server becomes unable to serve normal connections. The theory behind the CC attack derives from the well-known barrel principle: the amount of water a barrel can hold is determined not by its tallest stave but by its shortest. Applying this principle, an attacker launching an attack on a server usually requests the applications that consume the most server resources, for example pages whose computation consumes a large amount of server CPU, or applications that need frequent database access. Accordingly, the targets of CC attacks are generally the dynamically generated pages of a web server and the pages that need to access database resources, for example page resources of file types such as asp, jsp and php. The attacker mainly controls a large number of zombie hosts or proxy servers and has them send page access requests to the server. When zombie hosts or proxy servers of a certain scale are used to carry out a CC attack, enormous access traffic is directed at the server's pages and the server can go down; at the same time, the whole attack process imitates the legitimate data packets that a normal client sends when accessing network resources, so it is highly disguised. CC attacks mainly comprise two attack patterns, namely the HTTP Get Flood (Hypertext Transfer Protocol flood) attack and the link exhaustion attack.
At present, common CC attack protection relies on a firewall and limits the CC attack by controlling the number of connections a single IP may make to the server. When the number of IPs launching the CC attack is large, relying on a firewall to limit or stop the CC attack gives poor results.
Summary of the invention
To address the poor protection that the prior art provides against CC attacks when the number of attack source IPs is large, the invention provides an HTTP Get Flood attack prevention method based on a server log, which offers more effective protection against the HTTP Get Flood attack among the CC attacks.
The technical scheme of the present invention is as follows:
An HTTP Get Flood attack prevention method based on a server log, characterized by comprising the following steps:
(a) check the server log;
(b) judge whether the number of times the same request IP appears within the specified duration exceeds the threshold value;
(c) if in step (b) the number of the same request IP exceeds the threshold value, judge the same request IP to be an attack source IP of an HTTP Get Flood attack, block the attack source IP, and return to step (a);
(d) if in step (b) the number of the same request IP does not exceed the threshold value, send a response request to the same request IP and require it to return the corresponding feedback response;
(e) if in step (d) the same request IP does not return a feedback response meeting the requirements, judge the same request IP to be an attack source IP of an HTTP Get Flood attack, block the attack source IP, and return to step (a);
(f) if in step (d) the same request IP returns a feedback response meeting the requirements, return to step (a).
Specifically, in step (b) the threshold value is determined from the server's operating parameters, which comprise the server performance and the server's regular traffic flow.
Specifically, the response request sent to the same request IP in step (d) is a response request carrying a tag mark.
Beneficial effects of the present invention: 1. performing steps (a) to (f) of the technical solution identifies and blocks the IPs of an HTTP Get Flood attack, achieving protection against the HTTP Get Flood attack; 2. step (b) sets a threshold on the number of access requests sent by the same IP and uses that threshold as the benchmark for judging whether the IP is an attack source IP of an HTTP Get Flood attack, so that even when many IPs launch the HTTP Get Flood attack, the attack source IPs can be identified and blocked one by one; 3. setting the threshold according to the server's operating parameters, including server performance and regular traffic flow, meets the protection requirements of different servers against HTTP Get Flood attacks; 4. the response request with a tag mark sent to the same request IP in step (d) makes it possible to judge whether the IP is a malicious attacker. The invention is simple in design, easy to implement, well suited to all kinds of servers, and has wide prospects for application and promotion.
Description of the drawings
Fig. 1 is the flow chart of the present invention.
Embodiment
The invention is further described below with reference to the accompanying drawing.
With reference to Fig. 1, the protection process against an HTTP Get Flood attack in this embodiment comprises:
1. check the server log;
2. judge whether the number of times the same request IP appears within the specified duration exceeds the threshold value; the threshold value is determined from the server's operating parameters, which comprise the server performance and the server's regular traffic flow;
3. if in step 2 the number of the same request IP exceeds the threshold value, judge this same request IP to be an attack source IP of an HTTP Get Flood attack, block the attack source IP, and return to step 1;
4. if in step 2 the number of the same request IP does not exceed the threshold value, send a response request carrying a tag mark to the same request IP and require this same request IP to return the corresponding feedback response;
5. if in step 4 the same request IP does not return a feedback response meeting the requirements, judge this same request IP to be an attack source IP of an HTTP Get Flood attack, block the same request IP, and return to step 1;
6. if in step 4 the same request IP returns a feedback response meeting the requirements, return to step 1.
In this embodiment the server is an IBM X3850 M2 server whose regular traffic flow is 500 Mbps; the specified duration in step 2 is 60 seconds and the threshold value is 30 times.
It should be noted that blocking an attack source IP is common knowledge in this field (network security); even though the present invention does not describe it in detail, those skilled in the art know this step.
The above embodiment is only a preferred embodiment of the present invention and is not an exhaustive list of the feasible implementations of the invention. Any obvious changes made by persons skilled in the art without departing from the principle and spirit of the invention fall within the scope of the claims of the present invention.
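The six-step procedure of the embodiment (the same as steps (a) to (f) of the summary), as an added Python example that is not part of the patent: it parses a constructed combined-format access log, counts identical requests per IP inside a sliding 60-second window against the embodiment's threshold of 30, and models the tagged response request as a `challenge(ip, tag)` callback whose satisfactory reply echoes the tag. The log layout, the sliding-window reading of "specified duration", and the tag-echo check are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log (Apache/Nginx style); the layout is an assumption, not the patent's.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(lines):
    """Step (a): read the server log into (ip, method, path, timestamp) events."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], m["method"], m["path"], datetime.strptime(m["ts"], TS_FMT)))
    return events

def count_same_requests(events, window_seconds=60):
    """Step (b): per (ip, method, path), the most identical requests inside any sliding window."""
    per_key = defaultdict(list)
    for ip, method, path, ts in events:
        per_key[(ip, method, path)].append(ts)
    window = timedelta(seconds=window_seconds)
    counts = {}
    for key, times in per_key.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        counts[key] = best
    return counts

def classify(events, threshold=30, window_seconds=60, challenge=None):
    """Steps (b)-(f): decide "blocked" or "allowed" per IP. `challenge(ip, tag)` stands in
    for the tagged response request; a reply that echoes the tag is 'satisfactory' (assumption)."""
    decisions = {}
    for (ip, _m, _p), n in count_same_requests(events, window_seconds).items():
        if decisions.get(ip) == "blocked":
            continue  # already blocked because of another request of this IP
        if n > threshold:
            decisions[ip] = "blocked"  # step (c): over threshold, block outright
        elif challenge is None or challenge(ip, f"tag-{ip}") == f"tag-{ip}":
            decisions[ip] = "allowed"  # step (f): feedback satisfactory
        else:
            decisions[ip] = "blocked"  # step (e): no satisfactory feedback
    return decisions

def make_line(ip, path, ts):
    """Constructed combined-format log line (sample data, not any real server's log)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

def sample_log():
    """Constructed log: a normal client, a flood (45 identical GETs in 45 s), a borderline client."""
    base = datetime(2014, 10, 23, 12, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("198.51.100.7", "/index.php", base + timedelta(seconds=2 * i)) for i in range(10)]
    lines += [make_line("203.0.113.9", "/search.php?q=x", base + timedelta(seconds=i)) for i in range(45)]
    lines += [make_line("192.0.2.55", "/search.php?q=x", base + timedelta(seconds=3 * i)) for i in range(20)]
    return lines
```

Calling `classify(parse_log(sample_log()))` blocks only the 45-request flooder; passing a `challenge` callback that fails for the borderline client blocks that IP too via step (e).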
Claims (3)
1. An HTTP Get Flood attack prevention method based on a server log, characterized by comprising the following steps:
(a) check the server log;
(b) judge whether the number of times the same request IP appears within the specified duration exceeds the threshold value;
(c) if in step (b) the number of said same request IP exceeds the threshold value, judge said same request IP to be an attack source IP of an HTTP Get Flood attack, block said attack source IP, and return to step (a);
(d) if in step (b) the number of said same request IP does not exceed the threshold value, send a response request to said same request IP and require said same request IP to return the corresponding feedback response;
(e) if in step (d) said same request IP does not return a feedback response meeting the requirements, judge said same request IP to be an attack source IP of an HTTP Get Flood attack, block said attack source IP, and return to step (a);
(f) if in step (d) said same request IP returns a feedback response meeting the requirements, return to step (a).
2. The HTTP Get Flood attack prevention method based on a server log according to claim 1, characterized in that the threshold value in step (b) is determined from the server's operating parameters, said server operating parameters comprising the server performance and the server's regular traffic flow.
3. The HTTP Get Flood attack prevention method based on a server log according to claim 2, characterized in that the response request sent to said same request IP in step (d) is a response request carrying a tag mark.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410569022.XA CN104378358A (en) | 2014-10-23 | 2014-10-23 | HTTP Get Flood attack prevention method based on server log |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410569022.XA CN104378358A (en) | 2014-10-23 | 2014-10-23 | HTTP Get Flood attack prevention method based on server log |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104378358A true CN104378358A (en) | 2015-02-25 |
Family
ID=52557015
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410569022.XA Pending CN104378358A (en) | 2014-10-23 | 2014-10-23 | HTTP Get Flood attack prevention method based on server log |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104378358A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110107412A1 (en) * | 2009-11-02 | 2011-05-05 | Tai Jin Lee | Apparatus for detecting and filtering ddos attack based on request uri type |
CN101827081A (en) * | 2010-02-09 | 2010-09-08 | 蓝盾信息安全技术股份有限公司 | Method and system for detecting request safety |
CN103379099A (en) * | 2012-04-19 | 2013-10-30 | 阿里巴巴集团控股有限公司 | Hostile attack identification method and system |
CN103685293A (en) * | 2013-12-20 | 2014-03-26 | 北京奇虎科技有限公司 | Protection method and device for denial of service attack |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105262760A (en) * | 2015-10-30 | 2016-01-20 | 北京奇虎科技有限公司 | Method and device for preventing action of maliciously visiting login/register interface |
WO2017071551A1 (en) * | 2015-10-30 | 2017-05-04 | 北京奇虎科技有限公司 | Method and device for preventing malicious access to login/registration interface |
WO2017084529A1 (en) * | 2015-11-19 | 2017-05-26 | 阿里巴巴集团控股有限公司 | Network attacks identifying method and device |
US11240258B2 (en) | 2015-11-19 | 2022-02-01 | Alibaba Group Holding Limited | Method and apparatus for identifying network attacks |
CN106953833A (en) * | 2016-01-07 | 2017-07-14 | 无锡聚云科技有限公司 | A kind of ddos attack detecting system |
CN107682341A (en) * | 2017-10-17 | 2018-02-09 | 北京奇安信科技有限公司 | The means of defence and device of CC attacks |
CN113452647A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
CN113452647B (en) * | 2020-03-24 | 2022-11-29 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20150225 |