CN105656843A - Application layer protection method and apparatus based on verification, and network device (Google Patents)


Info

Publication number: CN105656843A
Authority: CN (China)
Application number: CN201410632727.1A
Granted version: CN105656843B
Language: Chinese (zh)
Inventors: 陈勇 (Chen Yong), 施晖 (Shi Hui)
Original and current assignee: Tencent Cyber Tianjin Co Ltd
Legal status: granted (CN105656843B); currently active
Prior art keywords: protection method, verification, web server, statistics, terminal device

Classification landscape: Data Exchanges In Wide-Area Networks

Abstract

The embodiments of the invention disclose an application layer protection method and apparatus based on verification, and a network device. A target verification protection mode corresponding to a network server is determined, so that different verification protection modes can be applied for different performance states of the server. When a terminal device is about to access the server, the access request it sends to the server is intercepted, the terminal device is verified in the target verification protection mode corresponding to the server's performance, and only access requests sent by terminal devices that pass verification are forwarded to the server. Terminal devices are thus protected in a differentiated way by the different verification protection modes, which lowers the probability that a request sent by a normal client is filtered out and improves the protection effect.

Description

Application layer protection method and apparatus based on verification, and network device
Technical field
The present invention relates to the field of network technology, and more specifically to an application layer protection method and apparatus based on verification, and to a network device.
Background
As the complexity of Internet-based web applications keeps growing while network bandwidth keeps increasing, server resources become the main bottleneck of the network. Because the computational cost of the application layer is generally heavy, an attacker needs only a small number of attack requests to exhaust the resources of a target server, so that the server can no longer process normal, legitimate requests; denial-of-service attacks are an example. Denial-of-service attacks take two forms: bandwidth exhaustion and host resource exhaustion. Bandwidth exhaustion aims to occupy the bandwidth of the target network with a large number of legitimate HTTP requests, so that normal users cannot perform web access. Host resource exhaustion differs from bandwidth exhaustion: its purpose is to exhaust the resources of the target server itself (CPU, memory, sockets, and so on). With a small number of HTTP requests the attacker causes the server to return large files (images, video files, etc.) or to run complex scripts (complex data processing, cryptographic computation and verification, etc.). This kind of attack does not need a high request rate to exhaust the host's resources quickly, and it is more covert.
At present, one common protection method against network attacks is to resist the attack by limiting bandwidth with a bandwidth controller. This blocks traffic that exceeds the server's capacity and so guarantees the server's quality of service, but while it limits the attack it also blocks normal network traffic. There is also a threshold-based anomaly detection model for network attacks: clients whose number of requests for the same page within a unit of time exceeds a preset threshold are detected as requesting that page too frequently and are blocked.
However, the inventors found, in the course of realising the present invention, that the methods currently in common use for protecting against network attacks are all too simple: requests sent by normal clients are easily filtered out as well, and the protection effect is poor.
Summary of the invention
The object of the present invention is to provide an application layer protection method and apparatus based on verification, and a network device, so as to reduce the probability that a request sent by a normal client is filtered out and to improve the protection effect.
To achieve this object, the present invention provides the following technical solution:
An application layer protection method based on verification, comprising:
intercepting an access request sent by a terminal device to a network server;
verifying the terminal device according to a target verification protection mode corresponding to a performance index parameter of the network server, wherein the target verification protection mode is one of a plurality of verification protection modes, and different verification protection modes have different protection effects;
forwarding to the network server the access request sent by a terminal device that passes verification in the target verification protection mode.
An embodiment of the present invention also provides an application layer protection apparatus based on verification, comprising:
an interception module, for intercepting an access request sent by a terminal device to a network server;
a verification module, for verifying the terminal device according to a target verification protection mode corresponding to a performance index parameter of the network server, wherein the target verification protection mode is one of a plurality of verification protection modes, and different verification protection modes have different protection effects;
a sending module, for forwarding to the network server the access request sent by a terminal device that passes verification in the target verification protection mode.
An embodiment of the present invention also provides a network device comprising the application layer protection apparatus based on verification described above.
With the above solution, the application layer protection method and apparatus based on verification and the network device provided by the application determine the target verification protection mode corresponding to the network server, so that different verification protection modes can be applied for different performance states of the server. When a terminal device is about to access the server, the access request it sends is intercepted, the terminal device is verified in the target verification protection mode corresponding to the server's performance, and only access requests sent by terminal devices that pass verification are forwarded to the server. Terminal devices are protected in a differentiated way by the differentiated verification protection modes, which lowers the probability that a request sent by a normal client is filtered out and improves the protection effect.
Brief description of the drawings
To explain the embodiments of the present invention or the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an application layer protection method based on verification provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a process for determining the target verification protection mode corresponding to the performance index parameter of the network server, provided by an embodiment of the present invention;
Fig. 3 is another flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server, provided by an embodiment of the present invention;
Fig. 4 is a further flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server, provided by an embodiment of the present invention;
Fig. 5 is a further flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server, provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of an application layer protection apparatus based on verification provided by an embodiment of the present invention;
Fig. 7 is another structural diagram of the application layer protection apparatus based on verification provided by an embodiment of the present invention;
Fig. 8 is a further structural diagram of the application layer protection apparatus based on verification provided by an embodiment of the present invention;
Fig. 9 is a further structural diagram of the application layer protection apparatus based on verification provided by an embodiment of the present invention;
Fig. 10 is a structural diagram of a first statistics module provided by an embodiment of the present invention;
Fig. 11 is another structural diagram of the first statistics module provided by an embodiment of the present invention;
Fig. 12 is a further structural diagram of the application layer protection apparatus based on verification provided by an embodiment of the present invention;
Fig. 13 is a further structural diagram of the application layer protection apparatus based on verification provided by an embodiment of the present invention;
Fig. 14 is a hardware block diagram of a network device provided by an embodiment of the present invention;
Fig. 15 is a structural diagram of a network system provided by an embodiment of the present invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the specification, the claims and the drawings above are used to distinguish similar elements and are not necessarily used to describe a particular order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments of the application described here can be implemented in an order other than the one illustrated here.
Detailed description
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The application layer protection method and apparatus based on verification provided by the embodiments of the present invention are applied in a network device.
Referring to Fig. 1, a flowchart of an application layer protection method based on verification provided by an embodiment of the present invention, the method may comprise:
Step S11: intercept an access request sent by a terminal device to a network server;
Step S12: verify the terminal device according to the target verification protection mode corresponding to the performance index parameter of the network server, wherein the target verification protection mode is one of a plurality of verification protection modes, and different verification protection modes have different protection effects;
In the embodiment of the present invention, for a network server, one of the plurality of verification protection modes is determined, on the basis of the server's performance, to be the target verification protection mode. When a terminal device sends an access request to the server, the terminal device requesting access is verified in that target mode.
The performance index parameters of the network server may include CPU utilisation, bandwidth utilisation, memory utilisation, and so on.
When the target verification protection mode corresponding to the performance index parameter of the server is determined for the first time, it can be any one of the plurality of verification protection modes; which one can be predetermined, or it can be selected by a user-triggered choice.
Optionally, the plurality of verification protection modes may comprise at least the following three classes:
Class A: browser challenge redirect; common examples are a 200 redirect (a redirect carried in a 200 response, for example performed by script) or a 302 redirect.
Class B: browser challenge redirect plus verification code check. Verification codes can be divided into traditional picture verification codes (the user types the characters shown in a picture) and puzzle-based verification codes (for example, the user is shown an arithmetic expression, computes it, and submits the result as the verification code). Because a puzzle-based verification code gives better verification protection than a traditional picture verification code, class B can be subdivided further:
Class B1: browser challenge redirect plus traditional picture verification code check;
Class B2: browser challenge redirect plus puzzle-based verification code check.
Class C: browser challenge redirect, verification code check, and rate limiting of access requests.
The protection effect of class B is better than that of class A, and the protection effect of class C is better than that of class B.
When class B is used, the terminal device is first subjected to the browser challenge redirect check, and terminal devices that pass it are then subjected to the verification code check.
When class C is used, the terminal device is first subjected to the browser challenge redirect check, terminal devices that pass it are subjected to the verification code check, and terminal devices that pass the verification code check are then rate limited.
Verification in class A can distinguish whether an access request sent by a terminal device was sent by a browser.
Verification in class B can, through the verification code check, distinguish whether an access request was sent by a legitimate browser or by an illegitimate "browser" (such as a tool).
Verification in class C rate limits the one or more terminal devices with the highest access volume, so that rate limiting is applied to terminal devices in a differentiated way; this further reduces the probability that a request sent by a normal client is filtered out, protects the network server to a great extent, and effectively defends against application layer attacks.
For ease of description, a verification grade can be defined for each verification protection mode, for example such that the higher the grade, the better the protection effect.
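The three classes above, as an added worked example (this is not code from the patent, and the Tencent device's actual implementation is not described): a request filter that sits in front of one web server and applies stage 1 (302 challenge with a signed cookie), stage 2 (picture-style or puzzle verification code, proven by a second signed cookie) and stage 3 (a per-terminal one-second rate limit) according to the configured mode. Assumptions of the example: terminals are identified by client IP, cookies are HMAC-signed with a per-device secret, and requests arrive as plain dicts rather than real HTTP.

```python
import hashlib
import hmac
import random
import time
from collections import defaultdict, deque

# Assumption: the network device holds a per-deployment secret for signing cookies.
SECRET = b"demo-secret-rotate-me"


def _sign(*parts: str) -> str:
    """HMAC over the cookie fields; binds the cookie to the client and an expiry."""
    msg = "|".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


class Guard:
    """Verification pipeline in front of one web server.

    mode "A" : browser challenge redirect (302 plus a signed cookie; a client that
               does not follow the redirect and replay the cookie never passes)
    mode "B1": A, then a picture-style verification code (a stored string here)
    mode "B2": A, then a puzzle verification code (an arithmetic expression)
    mode "C" : B2, then a per-terminal rate limit on forwarded requests
    Terminals are identified by client IP (an assumption of this example).
    """

    def __init__(self, mode: str, cookie_ttl: int = 300, rate_per_sec: int = 10):
        assert mode in ("A", "B1", "B2", "C")
        self.mode = mode
        self.cookie_ttl = cookie_ttl
        self.rate_per_sec = rate_per_sec
        self.pending = {}                    # ip -> expected verification code answer
        self.forwarded = defaultdict(deque)  # ip -> timestamps of forwarded requests

    def _cookie(self, name: str, ip: str, now: float) -> str:
        exp = str(int(now) + self.cookie_ttl)
        return f"{exp}.{_sign(name, ip, exp)}"

    def _cookie_valid(self, name: str, value, ip: str, now: float) -> bool:
        if not value or "." not in value:
            return False
        exp, mac = value.split(".", 1)
        if not exp.isdigit() or int(exp) < now:
            return False
        return hmac.compare_digest(mac, _sign(name, ip, exp))

    def _issue_code(self, ip: str) -> dict:
        if self.mode in ("B2", "C"):                # puzzle: the client must compute a sum
            a, b = random.randint(1, 9), random.randint(1, 9)
            self.pending[ip] = str(a + b)
            return {"status": 200, "body": f"solve: {a} + {b} = ?"}
        self.pending[ip] = "k7x3q"                  # B1: stands in for the text in a picture
        return {"status": 200, "body": "type the characters shown in the picture"}

    def handle(self, req: dict, now=None) -> dict:
        """Returns the response to send, or {"status": "forward"} to pass to the server."""
        now = time.time() if now is None else now
        ip, cookies, form = req["ip"], req.get("cookies", {}), req.get("form", {})

        # stage 1 (all modes): browser challenge redirect
        if not self._cookie_valid("chal", cookies.get("chal"), ip, now):
            return {"status": 302, "location": req["path"],
                    "set_cookie": {"chal": self._cookie("chal", ip, now)}}
        if self.mode == "A":
            return self._forward(req, now)

        # stage 2 (B1, B2, C): verification code, proven afterwards by a second cookie
        if not self._cookie_valid("cap", cookies.get("cap"), ip, now):
            answer = form.get("captcha")
            expected = self.pending.pop(ip, None)   # one attempt per issued code
            if answer is not None and expected is not None and \
                    hmac.compare_digest(answer.encode(), expected.encode()):
                return {"status": 302, "location": req["path"],
                        "set_cookie": {"cap": self._cookie("cap", ip, now)}}
            return self._issue_code(ip)
        if self.mode != "C":
            return self._forward(req, now)

        # stage 3 (C): sliding one-second window over requests already forwarded
        hist = self.forwarded[ip]
        while hist and hist[0] <= now - 1.0:
            hist.popleft()
        if len(hist) >= self.rate_per_sec:
            return {"status": 429, "body": "rate limited"}
        return self._forward(req, now)

    def _forward(self, req: dict, now: float) -> dict:
        self.forwarded[req["ip"]].append(now)
        return {"status": "forward", "path": req["path"]}
```

Binding the cookies to the client IP is what stops a cookie harvested by one machine from being replayed by a botnet, but it also re-challenges legitimate users whose address changes mid-session (mobile networks, load-balanced NAT), which is one source of the false positives the patent is trying to keep low. Stage 1 only filters tools that do not follow redirects or keep cookies; a scripted attacker passes it, which is why the text treats class A as the weakest grade.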
Step S13: forward to the network server the access request sent by a terminal device that passes verification in the target verification protection mode.
Only access requests sent by terminal devices that pass verification are forwarded to the network server; access requests sent by terminal devices that fail verification are not forwarded.
A terminal device that fails verification includes a terminal device that does not respond to the verification process at all.
The application layer protection method based on verification provided by the embodiment of the present invention determines the target verification protection mode corresponding to the network server, so that different verification protection modes can be applied for different performance states of the server. When a terminal device is about to access the server, the access request it sends is intercepted, the terminal device is verified in the target verification protection mode corresponding to the server's performance, and only access requests sent by terminal devices that pass verification are forwarded to the server. Terminal devices are protected in a differentiated way by the differentiated verification protection modes, which lowers the probability that a request sent by a normal client is filtered out and improves the protection effect.
In the above embodiment, optionally, a flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server is shown in Fig. 2 and may comprise:
Step S21: while a first verification protection mode is being used as the target verification protection mode to verify terminal devices, collect the performance index parameter of the network server;
After verification protection has been applied to terminal devices, the performance of the network server may change. In the embodiment of the present invention, the server's performance index parameter is also collected while terminal devices are being verified, in order to judge whether the server's performance has changed.
Step S22: judge the performance change of the network server from the performance index parameter;
Step S23: if the performance index parameter indicates that the server's performance has not changed or has degraded, switch the target verification protection mode from the first verification protection mode to a second verification protection mode, wherein the protection effect of the second verification protection mode is better than that of the first.
"The performance of the server has not changed" may include: the value of the performance index parameter has not changed; or the change in the performance index parameter is small, for example the change is less than a preset value.
In the embodiment of the present invention, if the performance index parameter indicates that the server's performance has not changed or has degraded, the protection effect of the first verification protection mode is poor, so the verification protection grade can be raised to improve the protection effect. For example, if the target verification protection mode is class B, it can be switched to class C.
On the basis of the embodiment of Fig. 2, another flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server, provided by the application, is shown in Fig. 3 and may further comprise:
Step S31: if the performance index parameter indicates that the server's performance meets the server's configuration requirement, continue to use the first verification protection mode as the target verification protection mode to verify terminal devices.
If, after terminal devices have been verified in the target verification protection mode, the performance index parameter indicates that the server's performance meets its configuration requirement, the server's performance has recovered to normal, and the first verification protection mode can continue to be used to verify the terminal devices accessing the server.
On the basis of the embodiment of Fig. 3, a further flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server, provided by the application, is shown in Fig. 4; while the first verification protection mode is being used as the target verification protection mode to verify terminal devices, the process may further comprise:
Step S41: count the frequency at which the network server is accessed under a preset statistics dimension;
Step S42: when the server's access frequency under the preset statistics dimension is less than a first preset threshold, and the performance index parameter has continuously indicated for a preset duration that the server's performance meets its configuration requirement, switch the target verification protection mode from the first verification protection mode to a third verification protection mode, wherein the protection effect of the first verification protection mode is better than that of the third.
In the embodiment of the present invention, after terminal devices have been verified in the first verification protection mode, if the server's access frequency under the preset statistics dimension is less than the first preset threshold, the server's access volume has dropped into the range the server can tolerate; if in addition the performance index parameter has indicated for the preset duration that the server's performance meets its configuration requirement, the network attack has been eliminated and the verification protection grade can be lowered. If the first verification protection mode is already the lowest-grade mode, verification protection can be cancelled, or the first verification protection mode can continue to be used to protect against terminal devices.
In the above embodiments, optionally, when a verification protection mode adjustment command triggered by a user is received, the verification protection mode corresponding to the network server can also be switched according to that command.
In the above embodiments, optionally, a further flowchart of the process for determining the target verification protection mode corresponding to the performance index parameter of the network server is shown in Fig. 5 and may comprise:
Step S51: count the frequency at which the network server is accessed under a preset statistics dimension;
Step S52: collect the performance index parameter of the network server;
Step S53: when the server's access frequency under the preset statistics dimension is greater than a second preset threshold, and the performance index parameter indicates that the server's performance does not meet its configuration requirement, determine a first verification protection mode to be the target verification protection mode, the first verification protection mode being one of the plurality of verification protection modes.
That is, in the embodiment of the present invention, when it is detected that the network server is under network attack, a verification protection mode is started automatically according to the actual situation, so that the attack on the server can be stopped in time.
The embodiment of the present invention can be applied in a scenario in which no protective measures have been taken: in that scenario, if a network attack against the server is detected, the application layer protection method based on verification provided by the embodiment automatically starts a verification protection mode, so that the attack on the server can be stopped in time.
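The mode-determination processes of Figs. 2 to 5, plus the operator adjustment command, combined into one controller as an added example (not code from the patent; the patent names no concrete thresholds, sampling period or "configuration requirement", so every number below is a constructed assumption). One `tick` per sampling period receives the server's CPU, memory and bandwidth utilisation and its server-dimension access frequency, and returns the mode to use until the next tick: `None` means no protection, then A, B1, B2, C in increasing grade. Step-up happens when the server is still unhealthy and the load has not improved by more than `min_delta` since the previous tick; step-down requires the access frequency below the first threshold and a healthy server for `calm_duration` seconds.

```python
from dataclasses import dataclass, field
from typing import Optional

# Grades in increasing protection effect; index 0 is "no protection".
LEVELS = [None, "A", "B1", "B2", "C"]


@dataclass
class Thresholds:
    # Constructed values; the patent leaves all of these to deployment.
    cpu_max: float = 0.80        # server meets its "configuration requirement" below these
    mem_max: float = 0.85
    bw_max: float = 0.80
    attack_rate: float = 5000.0  # second preset threshold: requests/s that, with an unhealthy
                                 # server, means an attack (Fig. 5, auto-start)
    calm_rate: float = 500.0     # first preset threshold: requests/s the server tolerates (Fig. 4)
    calm_duration: float = 60.0  # preset duration of good health before stepping down (Fig. 4)
    min_delta: float = 0.05      # smaller improvements count as "performance unchanged" (Fig. 2)


@dataclass
class ModeController:
    th: Thresholds = field(default_factory=Thresholds)
    level: int = 0                        # index into LEVELS
    last_load: Optional[float] = None     # load seen at the previous tick
    healthy_since: Optional[float] = None # start of the current healthy run, if any
    log: list = field(default_factory=list)

    @property
    def mode(self):
        return LEVELS[self.level]

    def _healthy(self, cpu, mem, bw):
        return cpu < self.th.cpu_max and mem < self.th.mem_max and bw < self.th.bw_max

    def _set(self, level, now, why):
        level = max(0, min(level, len(LEVELS) - 1))   # C cannot be exceeded, None not undercut
        if level != self.level:
            self.log.append((now, LEVELS[self.level], LEVELS[level], why))
            self.level = level

    def tick(self, now, cpu, mem, bw, rate):
        """One sampling period. cpu/mem/bw are utilisations in [0, 1]; rate is the
        server-dimension access frequency (requests/s) in that period."""
        load = max(cpu, mem, bw)
        healthy = self._healthy(cpu, mem, bw)

        if self.level == 0:
            # Fig. 5: nothing active yet; start a mode when an attack is detected
            if rate > self.th.attack_rate and not healthy:
                self._set(1, now, "attack detected, auto-start")
                self.last_load, self.healthy_since = load, None
            return self.mode

        if healthy:
            # Fig. 3: keep the current mode; Fig. 4: step down once calm for long enough
            if self.healthy_since is None:
                self.healthy_since = now
            if rate < self.th.calm_rate and now - self.healthy_since >= self.th.calm_duration:
                self._set(self.level - 1, now, "calm for preset duration, step down")
                self.healthy_since = None      # stepping to level 0 cancels protection
        else:
            # Fig. 2: still unhealthy and not improving -> raise the grade
            self.healthy_since = None
            if self.last_load is not None and load >= self.last_load - self.th.min_delta:
                self._set(self.level + 1, now, "no improvement, step up")
        self.last_load = load
        return self.mode

    def manual(self, mode, now):
        """Operator-triggered adjustment command overrides the automatic choice."""
        self._set(LEVELS.index(mode), now, "operator command")
        return self.mode
```

Because the step-up check runs every tick while the step-down check waits out `calm_duration`, the controller escalates in seconds and relaxes in minutes; that asymmetry is deliberate, since each higher grade costs more false positives and the patent only lowers the grade once the attack is judged to be over.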
In the embodiments of Fig. 4 or Fig. 5, optionally, the statistics dimension may be the server dimension;
counting the frequency at which the network server is accessed under the preset statistics dimension may then comprise:
counting the frequency at which the network server as a whole is accessed.
A network server usually provides a number of Common Gateway Interfaces (CGIs), through which the resources on the server are located.
In the embodiment of the present invention, whichever CGI of the server a terminal device accesses, the access is counted as an access to the server.
In the embodiments of Fig. 4 or Fig. 5, optionally, the statistics dimension may instead be the resource dimension;
counting the frequency at which the network server is accessed under the preset statistics dimension may then comprise:
counting the frequency at which each resource on the network server is accessed.
In the embodiment of the present invention, statistics are kept per resource of the server, that is, the access frequency of each resource on the server is counted. Since the resources on the server are located through gateway interfaces, counting the access frequency of each resource on the server amounts to counting the access frequency of each CGI on the server.
In the above embodiments, optionally, the application layer protection method based on verification provided by the application may further comprise: counting the access frequency at which a first terminal device accesses the network server under the preset statistics dimension.
Rate limiting the access requests may then comprise:
judging whether the access frequency of the first terminal device under the statistics dimension meets a preset condition;
when the access frequency of the first terminal device under the statistics dimension meets the preset condition, rate limiting the access requests of the first terminal device.
The access frequency of the first terminal device under the statistics dimension meeting the preset condition may be:
the difference between the first terminal device's access frequency under the statistics dimension and its access baseline under that dimension is greater than a first preset threshold; in that case the first terminal device's access frequency under the statistics dimension has surged. The concrete value of the first preset threshold can be determined according to the security needs of the network server and experience.
For example, if the first terminal device normally accesses the server 10 times per second and its access frequency suddenly becomes 1000 times per second, the first terminal device's access frequency meets the preset condition, and the 990 requests after the tenth access request can be dropped so as to rate limit the first terminal device.
Alternatively, the access frequency of the first terminal device under the statistics dimension meets the preset condition when:
the server's access frequency under the preset statistics dimension is greater than a third preset threshold, and the first terminal device's access frequency under the statistics dimension is greater than a fourth preset threshold.
Alternatively, the access frequency of the first terminal device under the statistics dimension meets the preset condition when:
the first terminal device is among the one or several terminal devices with the highest access frequency of all terminal devices accessing the network server.
If the access frequencies of all terminal devices accessing the server are sorted from high to low and the first terminal device's access frequency under the statistics dimension ranks in the first n positions, it can be determined that its access frequency meets the preset condition; n is a positive integer greater than or equal to 1.
That is, the embodiment of the present invention rate limits only the n terminal devices that access the network server most frequently.
In the above embodiments, optionally, the application layer protection method based on verification provided by the embodiment of the application may further comprise: counting the access frequency at which a first terminal device accesses the network server under the preset statistics dimension, and monitoring whether the access behaviour sequence of the first terminal device is anomalous.
Rate limiting the access requests may then comprise:
when the first terminal device's access frequency under the statistics dimension is greater than a second preset threshold and its access behaviour sequence is anomalous, rate limiting the access requests of the first terminal device.
The access behaviour sequence refers to the order in which a terminal device must access the network server. For example, if the first terminal device wants to access a first CGI of the server, it must first access a second CGI; if it accesses the first CGI directly without having accessed the second CGI, the access behaviour sequence of the first terminal device is anomalous.
Corresponding to the method embodiments, the application also provides a verification-based application layer protection apparatus. A structural diagram of the verification-based application layer protection apparatus provided by the application is shown in Figure 6; it can comprise:
an interception module 61, a verification module 62 and a sending module 63, wherein:
the interception module 61 is used to intercept the access request sent by a terminal device to the network server;
the verification module 62 is used to verify the terminal device according to the target verification protection mode corresponding to the performance indicator parameters of the network server, wherein the target verification protection mode is one of multiple verification protection modes, and different verification protection modes have different protection effects;
In the embodiment of the invention, for a network server, one verification protection mode is determined from the multiple verification protection modes as the target verification protection mode on the basis of the performance of the network server. When a terminal device sends an access request to this network server, the terminal device requesting access is verified by this target verification protection mode.
The performance indicator parameters of the network server can comprise CPU occupancy, bandwidth usage rate, memory usage and the like.
When the target verification protection mode corresponding to the performance indicator parameters of the network server is determined for the first time, the target verification protection mode can be any one of the multiple verification protection modes; which one can be predetermined, or it can be selected by a user-triggered action.
Optionally, the multiple verification protection modes can at least comprise the following three classes of verification protection mode:
Class A: browser challenge redirect, such as the common 200 redirect or 302 redirect.
Class B: browser challenge redirect plus verification code check. The verification code can be further divided into a traditional picture verification code (the user enters the characters shown in a picture) and a puzzle-based verification code (the user is presented with a calculation formula, computes it, and submits the result as the verification code). Because the protection effect of the puzzle-based verification code is better than that of the traditional picture verification code, class B can be further subdivided, for example into:
Class B1: browser challenge redirect plus traditional picture verification code check;
Class B2: browser challenge redirect plus puzzle-based verification code check.
Class C: browser challenge redirect, verification code check, and rate limiting of access requests.
The protection effect of the class B verification protection mode is better than that of class A, and the protection effect of class C is better than that of class B.
When the class B verification mode is used, the terminal device can first be subjected to browser challenge redirect verification, and the terminal devices that pass the browser challenge redirect verification are then subjected to the verification code check.
When the class C verification mode is used, the terminal device can first be subjected to browser challenge redirect verification, the terminal devices that pass it are subjected to the verification code check, and the terminal devices that pass the verification code check are then rate limited.
Verification by the class A mode can distinguish whether the access request sent by a terminal device was sent by a browser.
Verification by the class B mode can, through the verification code check, distinguish whether the access request sent by a terminal device was sent by a legitimate browser or by an illegitimate one (such as a tool).
Verification by the class C mode rate limits the one or more terminal devices with the largest access volume; this differentiated rate limiting of terminal devices further reduces the probability that requests sent by normal clients are filtered out, greatly improves the protection of the network server, and effectively defends against application layer attacks.
For ease of description, a verification grade can be defined for each verification protection mode, where a higher verification grade means a better protection effect.
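The three classes above, as an added Python model that is not part of the patent or of any Tencent implementation: class A answers a request without a valid cookie with a 302 challenge redirect that sets a cookie bound to the client by HMAC, class B adds a puzzle-based verification code, and class C additionally rate limits clients that the caller reports as over their limit. The Request/Response shapes, the signing secret, the cookie name and the verify() function are assumptions; the class B1 picture verification code is not modelled.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass, field
from typing import Optional

SECRET = b"constructed-example-secret"   # assumption: a per-deployment signing key
COOKIE = "verify_token"                   # assumption: cookie carrying the challenge token

@dataclass
class Request:
    client_id: str                        # e.g. source address (constructed)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def sign_token(client_id: str) -> str:
    """Bind the challenge cookie to the client so it cannot be replayed by another client."""
    return hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()

def challenge_redirect(req: Request) -> Optional[Response]:
    """Class A: answer a request without a valid cookie with a 302 that sets one.
    A browser follows the redirect and re-sends the cookie; a tool that ignores
    Set-Cookie is redirected again and never reaches the server."""
    token = req.cookies.get(COOKIE, "")
    if token and hmac.compare_digest(token.encode(), sign_token(req.client_id).encode()):
        return None                       # challenge passed
    return Response(302, {"Location": "/", "Set-Cookie": f"{COOKIE}={sign_token(req.client_id)}"})

def make_puzzle(seed: int):
    """Puzzle-based verification code: a formula the user has to compute.
    Returns (question, expected answer); the server keeps the answer."""
    rng = random.Random(seed)
    a, b = rng.randint(1, 50), rng.randint(1, 50)
    return f"{a} + {b} = ?", str(a + b)

def puzzle_check(req: Request, expected: str) -> Optional[Response]:
    """Class B: the submitted answer must match the stored answer (constant-time compare)."""
    answer = req.form.get("captcha", "").strip()
    if expected and hmac.compare_digest(answer.encode(), expected.encode()):
        return None
    return Response(403, body="verification code incorrect")

def verify(req: Request, mode: str, expected: str = "", over_limit: bool = False) -> Optional[Response]:
    """Run the verification chain of `mode` ('A', 'B' or 'C').
    Returns None when the request may be forwarded to the network server,
    otherwise the response to send back to the terminal device."""
    resp = challenge_redirect(req)        # every class starts with the redirect
    if resp is not None or mode == "A":
        return resp
    resp = puzzle_check(req, expected)    # classes B and C add the verification code
    if resp is not None or mode == "B":
        return resp
    # Class C: clients that passed both checks are still rate limited when the
    # statistics module reports them over their limit.
    return Response(429, body="rate limited") if over_limit else None
```

A terminal that never responds to the redirect or the puzzle simply never receives None from verify() and is therefore never forwarded, which is the "does not respond to the verification process" case the text counts as a failed verification.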
The sending module 63 is used to send to the network server the access requests sent by terminal devices that pass the verification of the target verification protection mode.
Only the access requests sent by terminal devices that pass verification are forwarded to the network server; access requests sent by terminal devices that fail verification are not forwarded.
Terminal devices that fail verification include terminal devices that do not respond to the verification process.
The verification-based application layer protection apparatus provided by the embodiment of the invention determines the target verification protection mode corresponding to the network server, i.e. different verification protection modes can be adopted for different performance states of the network server. When a terminal device wants to access the network server, the access request sent by the terminal device to the network server is intercepted, the terminal device is verified by the target verification protection mode corresponding to the performance of the network server, and only the access requests sent by terminal devices that pass verification are forwarded to the network server. Differentiated protection of terminal devices is thus achieved through differentiated verification protection modes, which reduces the probability that requests sent by normal clients are filtered out and improves the protection effect.
In the above embodiment, optionally, on the basis of the embodiment shown in Figure 6, another structural diagram of the verification-based application layer protection apparatus provided by the application is shown in Figure 7; it can also comprise:
a first switching module 71, used to collect the performance indicator parameters of the network server while a first verification protection mode is being used as the target verification protection mode to verify the terminal device, and to judge the performance change of the network server from the performance indicator parameters; if the performance indicator parameters of the network server indicate that the performance of the network server has not changed or has degraded, the target verification protection mode is switched from the first verification protection mode to a second verification protection mode, wherein the protection effect of the second verification protection mode is better than that of the first verification protection mode.
The performance of the network server not changing can comprise: the performance indicator parameter values of the network server do not change; or the change in the performance indicator parameters is small, for example the change in a performance indicator parameter is less than a preset value.
In the embodiment of the invention, if the performance indicator parameters indicate that the performance of the network server has not changed or has degraded, the protection effect of the first verification protection mode is poor, so the verification protection grade can be raised to improve the protection effect. For example, if the target verification protection mode is the class B verification protection mode, it can be switched to the class C verification protection mode.
Optionally, the first switching module 71 can also be used to continue verifying the terminal device with the first verification protection mode as the target verification protection mode if the performance indicator parameters of the network server indicate that the performance of the network server meets the configuration requirement of the network server.
If, after the terminal devices have been protected by verification with the target verification protection mode, the performance indicator parameters of the network server indicate that its performance meets its configuration requirement, the performance of the network server has recovered to normal, and the first verification protection mode can continue to be used to verify the terminal devices accessing the network server.
Further, the apparatus can also comprise:
a first statistics module 72 and a second switching module 73, wherein:
the first statistics module 72 is used to count the accessed frequency of the network server under the preset statistics dimension;
the second switching module 73 is used to switch the target verification protection mode from the first verification protection mode to a third verification protection mode when the accessed frequency of the network server under the preset statistics dimension is less than a first preset threshold and the performance indicator parameters of the network server have indicated, continuously for a preset duration, that the performance of the network server meets its configuration requirement, wherein the protection effect of the first verification protection mode is better than that of the third verification protection mode.
In the embodiment of the invention, after the terminal devices have been protected by verification with the first verification protection mode, if the accessed frequency of the network server under the preset statistics dimension is less than the first preset threshold, the access volume of the network server has dropped back into the range the network server can tolerate; if the performance indicator parameters of the network server have then indicated for a preset duration that its performance meets its configuration requirement, the network attack has subsided and the verification protection grade can be lowered. If the first verification protection mode is already the lowest-grade verification protection mode, the verification protection process can be cancelled, or the first verification protection mode can continue to be used to protect the terminal devices by verification.
In the above embodiment, optionally, on the basis of the embodiment shown in Figure 6, another structural diagram of the verification-based application layer protection apparatus provided by the application is shown in Figure 8; it can also comprise:
a first statistics module 72, an acquisition module 81 and a determination module 82, wherein:
the first statistics module 72 is used to count the accessed frequency of the network server under the preset statistics dimension;
the acquisition module 81 is used to collect the performance indicator parameters of the network server;
the determination module 82 is used to determine a first verification protection mode as the target verification protection mode when the accessed frequency of the network server under the preset statistics dimension is greater than a second preset threshold and the performance indicator parameters of the network server indicate that the performance of the network server does not meet its configuration requirement; the first verification protection mode is one of the multiple verification protection modes.
That is, in the embodiment of the invention, when it is detected that the network server is under a network attack, a verification protection mode is started automatically according to the actual situation, which promptly prevents the network server from being subjected to the network attack.
The embodiment of the invention can be applied to a scenario in which no protective measures have been taken: in such a scenario, if it is detected that the network server is under a network attack, the verification-based application layer protection method provided by the embodiment of the invention can automatically start a verification protection mode and promptly prevent the network server from being subjected to the network attack.
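The switching rules of Figures 7 and 8 (start protection when the accessed frequency exceeds the second threshold and performance does not meet the configuration requirement; raise the grade when performance has not improved; lower it, or cancel protection at the lowest grade, after a preset duration of recovered performance with accessed frequency below the first threshold) together with the user-triggered command of Figure 9, as an added Python example that is not part of the patent. The Perf structure, the rule that "meets the configuration requirement" means every indicator is below 80%, the epsilon band for "small change", the ProtectionController name and the thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MODES = ["A", "B", "C"]                  # ascending protection effect (verification grade)

@dataclass
class Perf:
    """Performance indicator parameters of the network server, each in 0..1 (constructed)."""
    cpu: float
    bandwidth: float
    memory: float

    def load(self) -> float:
        return max(self.cpu, self.bandwidth, self.memory)

    def meets_config(self, limit: float = 0.8) -> bool:
        # Assumption: the server meets its configuration requirement when every
        # indicator stays below the configured limit.
        return self.load() < limit

class ProtectionController:
    def __init__(self, start_threshold: float, stop_threshold: float,
                 recover_duration: float, epsilon: float = 0.02):
        self.start_threshold = start_threshold    # second preset threshold (Fig. 8)
        self.stop_threshold = stop_threshold      # first preset threshold (Fig. 7)
        self.recover_duration = recover_duration  # preset duration, seconds
        self.epsilon = epsilon                    # below this a change counts as "no change"
        self.mode: Optional[str] = None           # None: no verification protection active
        self.last: Optional[Perf] = None          # previous performance sample
        self.ok_since: Optional[float] = None     # when performance started meeting config

    def user_command(self, mode: str) -> Optional[str]:
        """Third switching module (Fig. 9): user-triggered adjustment command."""
        self.mode = mode
        return self.mode

    def observe(self, perf: Perf, accessed_freq: float, now: float) -> Optional[str]:
        """Feed one sample (performance, accessed frequency under the statistics
        dimension, timestamp) and return the target mode after applying the rules."""
        if self.mode is None:
            # Determination module (Fig. 8): start protection when the accessed
            # frequency is high and the server no longer meets its configuration.
            if accessed_freq > self.start_threshold and not perf.meets_config():
                self.mode = MODES[0]
                self.ok_since = None
        elif perf.meets_config():
            if self.ok_since is None:
                self.ok_since = now
            # Second switching module (Fig. 7): lower the grade after a sustained
            # recovery with low accessed frequency; at the lowest grade, cancel.
            if accessed_freq < self.stop_threshold and now - self.ok_since >= self.recover_duration:
                idx = MODES.index(self.mode)
                self.mode = MODES[idx - 1] if idx > 0 else None
                self.ok_since = now if self.mode is not None else None
        else:
            self.ok_since = None
            # First switching module (Fig. 7): performance unchanged (within epsilon)
            # or degraded means the current mode is not enough, so raise the grade;
            # an improving but still overloaded server keeps its current mode.
            improved = self.last is not None and self.last.load() - perf.load() > self.epsilon
            if self.last is not None and not improved:
                idx = MODES.index(self.mode)
                if idx < len(MODES) - 1:
                    self.mode = MODES[idx + 1]
        self.last = perf
        return self.mode
```

Feeding the controller one sample per collection interval reproduces the escalation B to C described above when CPU load stays flat under verification, and the step-down through B and A to no protection once the accessed frequency falls below the first threshold and the server has met its configuration for the preset duration.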
It should be noted that the first statistics module 72, the acquisition module 81 and the determination module 82 are also applicable in the other apparatus embodiments provided by the application.
In the above embodiment, optionally, on the basis of the embodiment shown in Figure 6, another structural diagram of the verification-based application layer protection apparatus provided by the application is shown in Figure 9; it can also comprise:
a third switching module 91, used to switch the verification protection mode corresponding to the network server according to a user-triggered verification protection mode adjustment command when such a command is received.
Likewise, the third switching module 91 is also applicable in the other apparatus embodiments provided by the application.
In the above embodiment, optionally, the statistics dimension can be the server dimension;
a structural diagram of the first statistics module 72 is shown in Figure 10; it can comprise:
a first statistics unit 101, used to count the accessed frequency of the network server.
A network server usually has multiple CGIs (Common Gateway Interfaces), and resources in the network server can be located through these CGIs.
In the embodiment of the invention, whichever CGI of the network server a terminal device accesses, the access is counted as an access to the network server.
In the above embodiment, optionally, the statistics dimension can be the resource dimension;
another structural diagram of the first statistics module 72 is shown in Figure 11; it can comprise:
a second statistics unit 111, used to count the frequency with which each resource in the network server is accessed.
In the embodiment of the invention, statistics are kept per resource of the network server, i.e. the frequency with which each resource in the network server is accessed is counted. Since resources in the network server are located through CGIs, counting the frequency with which each resource in the network server is accessed amounts to counting the frequency with which each CGI of the network server is accessed.
In the above embodiment, optionally, on the basis of the embodiment shown in Figure 6, another structural diagram of the verification-based application layer protection apparatus provided by the application is shown in Figure 12; it can also comprise:
a second statistics module 121, wherein:
the second statistics module 121 is used to count the access frequency with which the first terminal device accesses the network server under the preset statistics dimension;
the verification module 62 can comprise:
a first rate limiting unit, used to rate limit the access requests of the first terminal device when the access frequency of the first terminal device under the statistics dimension meets a preset condition.
The access frequency of the first terminal device under the statistics dimension meeting the preset condition can be:
the difference between the access frequency of the first terminal device under the statistics dimension and the access baseline of the first terminal device under the statistics dimension is greater than a first preset threshold; in that case the access frequency of the first terminal device under the statistics dimension meets the preset condition. In the embodiment of the invention, when this difference is greater than the first preset threshold, the access frequency of the first terminal device under the statistics dimension has surged; the specific value of the first preset threshold can be determined according to the security requirements of the network server and experience.
For example, if a first terminal device normally accesses the network server 10 times per second and that access frequency suddenly becomes 1000 times per second, the access frequency of the first terminal device to the network server meets the preset condition; the 990 requests after the 10th access request can then be dropped, so that the first terminal device is rate limited.
Alternatively, the access frequency of the first terminal device under the statistics dimension meets the preset condition when:
the accessed frequency of the network server under the preset statistics dimension is greater than a third preset threshold and the access frequency of the first terminal device under the statistics dimension is greater than a fourth preset threshold; in that case the access frequency of the first terminal device under the statistics dimension meets the preset condition.
Alternatively, the access frequency of the first terminal device under the statistics dimension meets the preset condition when:
the first terminal device is, among all terminal devices accessing the network server, one of the one or several terminal devices with the highest access frequency.
If the access frequencies of all terminal devices accessing the network server are sorted from high to low, and the access frequency of the first terminal device under the statistics dimension ranks within the first n positions, then it can be determined that the access frequency of the first terminal device under the statistics dimension meets the preset condition. n is a positive integer greater than or equal to 1.
That is, in this embodiment of the invention, only the n terminal devices with the highest frequency of access to the network server are rate limited.
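The statistics dimensions of Figures 10 and 11 (server dimension: every CGI hit counts as one access to the server; resource dimension: hits counted per CGI) together with the three preset conditions for rate limiting a terminal device, as an added Python example that is not part of the patent. The sliding window, the CGI paths, the terminal identifiers, the constructed sample traffic and the function names are assumptions; the sample reproduces the 10 per second versus 1000 per second case from the text, keeping 10 requests and dropping 990.

```python
from collections import defaultdict, deque

class AccessStats:
    """Counts accesses inside a sliding window of `window` seconds.
    Server dimension: every CGI hit is one access to the server.
    Resource dimension: hits are counted per CGI path.
    Events must be recorded in timestamp order (assumption of this example)."""
    def __init__(self, window: float = 1.0):
        self.window = window
        self.events = deque()               # (timestamp, terminal, cgi)

    def record(self, ts: float, terminal: str, cgi: str) -> None:
        self.events.append((ts, terminal, cgi))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()           # drop hits that left the window

    def server_frequency(self) -> int:
        """Server dimension (first statistics unit 101)."""
        return len(self.events)

    def resource_frequency(self) -> dict:
        """Resource dimension (second statistics unit 111)."""
        counts = defaultdict(int)
        for _, _, cgi in self.events:
            counts[cgi] += 1
        return dict(counts)

    def terminal_frequency(self, cgi: str = None) -> dict:
        """Per-terminal frequency (second statistics module 121); with `cgi`
        given, restricted to that resource."""
        counts = defaultdict(int)
        for _, term, c in self.events:
            if cgi is None or c == cgi:
                counts[term] += 1
        return dict(counts)

def exceeds_baseline(freq: int, baseline: int, threshold1: int) -> bool:
    """Condition 1: the terminal's frequency exceeds its access baseline by more
    than the first preset threshold (a surge)."""
    return freq - baseline > threshold1

def server_and_terminal_hot(server_freq: int, terminal_freq: int,
                            threshold3: int, threshold4: int) -> bool:
    """Condition 2: server frequency above the third threshold and the terminal's
    frequency above the fourth threshold."""
    return server_freq > threshold3 and terminal_freq > threshold4

def top_n_terminals(terminal_freqs: dict, n: int) -> set:
    """Condition 3: the n terminals with the highest access frequency (n >= 1)."""
    ranked = sorted(terminal_freqs.items(), key=lambda kv: (-kv[1], kv[0]))
    return {term for term, _ in ranked[:n]}

def rate_limit(requests: list, allowed: int):
    """Forward the first `allowed` requests in the window and drop the rest."""
    return requests[:allowed], requests[allowed:]

def build_sample_stats() -> AccessStats:
    """Constructed sample: one second of traffic, t1 sends 1000 hits, t2 10, t3 5."""
    events = [(i / 1000, "t1", "/cgi-bin/login") for i in range(1000)]
    events += [(i / 10, "t2", "/cgi-bin/search") for i in range(10)]
    events += [(i / 5, "t3", "/cgi-bin/login") for i in range(5)]
    stats = AccessStats(window=1.0)
    for ts, term, cgi in sorted(events):
        stats.record(ts, term, cgi)
    return stats
```

On the sample, condition 1 fires for t1 (1000 against a baseline of 10), condition 2 fires only for t1 once the server-wide count passes the third threshold, and condition 3 with n = 1 selects t1 alone, so only that terminal is rate limited while t2 and t3 are forwarded untouched.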
In the above embodiment, optionally, on the basis of the embodiment shown in Figure 6, another structural diagram of the verification-based application layer protection apparatus provided by the application is shown in Figure 13; it can also comprise:
a second statistics module 121 and a monitoring module 131, wherein:
the second statistics module 121 is used to count the access frequency with which the first terminal device accesses the network server under the preset statistics dimension;
the monitoring module 131 is used to monitor whether the access behavior sequence of the first terminal device is abnormal;
the verification module 62 can comprise:
a second rate limiting unit, used to rate limit the access requests of the first terminal device when the access frequency of the first terminal device under the statistics dimension is greater than a second preset threshold and the access behavior sequence of the first terminal device is abnormal.
The access behavior sequence refers to the order in which a terminal device must access the network server. For example, if the first terminal device wants to access a first CGI (Common Gateway Interface) of the network server, it must first access a second CGI of the network server; if the first terminal device accesses the first CGI directly without having accessed the second CGI, the access behavior sequence of the first terminal device is abnormal.
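The access behavior sequence check of Figure 13, as an added Python example that is not part of the patent: a CGI that may only be reached after another CGI is flagged abnormal when a terminal device accesses it directly, and the terminal device is rate limited only when its access frequency also exceeds the second preset threshold. The CGI names, the ordering rule, the SequenceMonitor name and the threshold are assumptions; the access frequency is taken as an input from the statistics module.

```python
from collections import defaultdict

# Assumed ordering rule: the first CGI (submit_order) may only be reached after
# the second CGI (view_cart) has been accessed by the same terminal.
REQUIRED_PREDECESSOR = {"/cgi-bin/submit_order": "/cgi-bin/view_cart"}

class SequenceMonitor:
    """Monitoring module 131: tracks which CGIs each terminal has accessed and
    flags terminals that skip a required predecessor."""
    def __init__(self, rules: dict = None):
        self.rules = dict(REQUIRED_PREDECESSOR if rules is None else rules)
        self.seen = defaultdict(set)        # terminal -> CGIs it has accessed
        self.abnormal = set()               # terminals that broke the order

    def observe(self, terminal: str, cgi: str) -> bool:
        """Record one access; return True if it violated the required order."""
        prerequisite = self.rules.get(cgi)
        violated = prerequisite is not None and prerequisite not in self.seen[terminal]
        if violated:
            self.abnormal.add(terminal)
        self.seen[terminal].add(cgi)
        return violated

    def is_abnormal(self, terminal: str) -> bool:
        return terminal in self.abnormal

def should_rate_limit(monitor: SequenceMonitor, terminal: str,
                      frequency: int, threshold2: int) -> bool:
    """Second rate limiting unit: frequency above the second preset threshold
    AND an abnormal access behavior sequence; either alone is not enough."""
    return frequency > threshold2 and monitor.is_abnormal(terminal)
```

Requiring both signals is what keeps a fast but well-behaved client (high frequency, correct order) and a confused but slow client (wrong order, low frequency) from being limited; only the combination triggers the unit.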
The application also provides a network device that has the verification-based application layer protection apparatus described in any of the apparatus embodiments above.
Figure 14 shows a hardware block diagram of the network device provided by the application; the network device can comprise:
a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
wherein the processor 1, the communication interface 2 and the memory 3 communicate with each other through the communication bus 4;
optionally, the communication interface 2 can be the interface of a communication module, such as the interface of a GSM module, an Ethernet interface or the like;
the processor 1 is used to execute a program;
the memory 3 is used to store the program;
the program can comprise program code, and the program code comprises computer operation instructions.
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the invention.
The memory 3 may comprise high-speed RAM and may also comprise non-volatile memory, such as at least one disk memory.
The program can specifically be used to:
intercept the access request sent by a terminal device to the network server;
verify the terminal device according to the target verification protection mode corresponding to the performance indicator parameters of the network server, wherein the target verification protection mode is one of multiple verification protection modes, and different verification protection modes have different protection effects; and
send to the network server the access requests sent by terminal devices that pass the verification of the target verification protection mode.
The application also provides a network system; a structural diagram of the network system provided by the application is shown in Figure 15. It can comprise:
a terminal device 151, a router 152, a network device 153 and a network server 154, wherein:
the terminal device 151 can access the Internet through the router 152;
the access request sent by the terminal device 151 reaches the network server 154 after being verified by the verification-based application layer protection apparatus 153, thereby achieving access to the network server 154.
The "normal request" shown in Figure 15 is a request that has passed verification.
The network device 153 can perform the following steps:
intercept the access request sent by a terminal device to the network server;
verify the terminal device according to the target verification protection mode corresponding to the performance indicator parameters of the network server, wherein the target verification protection mode is one of multiple verification protection modes, and different verification protection modes have different protection effects; and
send to the network server the access requests sent by terminal devices that pass the verification of the target verification protection mode.
The target verification mode can be: browser challenge redirect; or browser challenge redirect plus verification code check; or browser challenge redirect, verification code check and rate limiting of access requests.
Those of ordinary skill in the art should appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to exceed the scope of the present invention.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided by the application, it should be understood that the disclosed apparatus and method can be realized in other ways. For example, the apparatus embodiments described above are only illustrative; the division of units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically alone, or two or more units may be integrated in one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium comprises a USB flash disk, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The above description of the disclosed embodiments enables those skilled in the art to realize or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (23)

1. A verification-based application layer protection method, characterized in that it comprises:
intercepting the access request sent by a terminal device to a network server;
verifying the terminal device according to a target verification protection mode corresponding to performance indicator parameters of the network server, wherein the target verification protection mode is one of multiple verification protection modes, and different verification protection modes have different protection effects;
sending to the network server the access requests sent by terminal devices that pass the verification of the target verification protection mode.
2. The method according to claim 1, characterized in that the process of determining the target verification protection mode corresponding to the performance indicator parameters of the network server comprises:
while a first verification protection mode is used as the target verification protection mode to verify the terminal device, collecting the performance indicator parameters of the network server and judging the performance change of the network server from the performance indicator parameters;
if the performance indicator parameters of the network server indicate that the performance of the network server has not changed or has degraded, switching the target verification protection mode from the first verification protection mode to a second verification protection mode, wherein the protection effect of the second verification protection mode is better than that of the first verification protection mode.
3. The method according to claim 2, characterized in that it further comprises:
if the performance indicator parameters of the network server indicate that the performance of the network server meets the configuration requirement of the network server, continuing to verify the terminal device with the first verification protection mode as the target verification protection mode.
4. The method according to claim 3, characterized in that, while the first verification protection mode is used as the target verification protection mode to verify the terminal device, the method further comprises:
counting the accessed frequency of the network server under a preset statistics dimension;
when the accessed frequency of the network server under the preset statistics dimension is less than a first preset threshold and the performance indicator parameters of the network server have indicated, continuously for a preset duration, that the performance of the network server meets the configuration requirement of the network server, switching the target verification protection mode from the first verification protection mode to a third verification protection mode, wherein the protection effect of the first verification protection mode is better than that of the third verification protection mode.
5. The method according to claim 1, characterized in that the process of determining the target verification protection mode corresponding to the performance indicator parameters of the network server comprises:
counting the accessed frequency of the network server under a preset statistics dimension;
collecting the performance indicator parameters of the network server;
when the accessed frequency of the network server under the preset statistics dimension is greater than a second preset threshold and the performance indicator parameters of the network server indicate that the performance of the network server does not meet the configuration requirement of the network server, determining a first verification protection mode as the target verification protection mode, the first verification protection mode being one of the multiple verification protection modes.
6. The method according to claim 1, characterized in that it further comprises:
when a user-triggered verification protection mode adjustment command is received, switching the verification protection mode corresponding to the network server according to the verification protection mode adjustment command.
7. The method according to claim 4 or 5, characterized in that the statistics dimension is the server dimension;
counting the accessed frequency of the network server under the preset statistics dimension comprises:
counting the frequency with which the network server is accessed.
8. The method according to claim 4 or 5, characterized in that the statistics dimension is the resource dimension;
counting the accessed frequency of the network server under the preset statistics dimension comprises:
counting the frequency with which each resource in the network server is accessed.
9. The method according to claim 1, characterized in that the multiple verification protection modes at least comprise the following three classes of verification protection mode:
A class: browser challenge redirect;
B class: browser challenge redirect and checking code checking;
C class: browser challenge redirect, checking code are verified and access request is carried out speed limit;
Wherein, the protection effect of B class checking protection method is better than the protection effect of A class checking protection method; The protection effect of C class checking protection method is better than the protection effect of B class checking protection method.
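The switching logic of claims 2 to 5, with the three classes of claim 9, can be written as a small state machine. The following is an added example constructed for this page, not code from the patent or its assignee. It assumes a mapping the claims leave open (the "first" mode is class B, the "second", stronger mode is class C, the "third", weaker mode is class A), an assumed load metric in the range 0.0 to 1.0 as the performance index parameter, and constructed threshold and sample values; a mode of `None` before the first escalation is also an assumption.

```python
"""Adaptive selection of the verification protection mode (added example).

Constructed illustration of the switching logic in claims 2-5 and 9, not code
from the patent. Assumed mapping (not stated in the claims): the "first" mode is
class B, the "second" (stronger) mode is class C, the "third" (weaker) mode is
class A. The load metric, thresholds and sample values are also constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Mode(IntEnum):
    """Verification protection classes, ordered by protection effect (claim 9)."""
    A = 1  # browser challenge redirect
    B = 2  # A + verification-code (CAPTCHA) check
    C = 3  # B + rate limiting of access requests


@dataclass
class Sample:
    """One measurement interval (constructed input)."""
    t: float        # time of the sample, seconds
    accesses: int   # accesses to the server during the interval (server dimension)
    load: float     # performance index parameter, 0.0 idle .. 1.0 saturated (assumed metric)


@dataclass
class ModeController:
    high_rate: int       # "second predetermined threshold" of claim 5
    low_rate: int        # "first predetermined threshold" of claim 4
    max_load: float      # configuration requirement: load at or below this is acceptable
    calm_seconds: float  # "preset duration" of claim 4
    mode: Optional[Mode] = None   # None: no verification applied yet (assumption)
    _prev_load: Optional[float] = None
    _calm_since: Optional[float] = None

    def meets_config(self, s: Sample) -> bool:
        return s.load <= self.max_load

    def update(self, s: Sample) -> Optional[Mode]:
        """Feed one sample and return the mode to apply to terminal devices."""
        if self.mode in (None, Mode.A):
            # Claim 5: high access frequency while performance is below the
            # requirement selects the first mode (assumed to be class B).
            if s.accesses > self.high_rate and not self.meets_config(s):
                self.mode = Mode.B
                self._calm_since = None
        elif self.mode == Mode.B:
            if self.meets_config(s):
                # Claim 3: performance acceptable, keep the first mode and run
                # the calm timer that claim 4 needs.
                if self._calm_since is None:
                    self._calm_since = s.t
                calm_for = s.t - self._calm_since
                # Claim 4: low access frequency plus sustained good performance
                # de-escalates to the third mode (assumed to be class A).
                if s.accesses < self.low_rate and calm_for >= self.calm_seconds:
                    self.mode = Mode.A
                    self._calm_since = None
            else:
                self._calm_since = None
                # Claim 2: performance unchanged or worse while under the first
                # mode escalates to the second mode (assumed to be class C).
                if self._prev_load is not None and s.load >= self._prev_load:
                    self.mode = Mode.C
        # Mode.C: the claims only leave it through the manual command of claim 6.
        self._prev_load = s.load
        return self.mode

    def manual_switch(self, mode: Mode) -> Mode:
        """Claim 6: a user-triggered adjustment command overrides the automatic choice."""
        self.mode = mode
        self._calm_since = None
        return self.mode


def simulate(ctrl: ModeController, samples: List[Sample]) -> List[Optional[Mode]]:
    """Run the controller over a sample series; returns the mode after each sample."""
    return [ctrl.update(s) for s in samples]


if __name__ == "__main__":
    ctrl = ModeController(high_rate=1000, low_rate=500, max_load=0.8, calm_seconds=60)
    series = [Sample(0, 5000, 0.95), Sample(10, 5200, 0.97)]  # constructed: overload that keeps worsening
    print([m.name for m in simulate(ctrl, series)])
```

The escalation step compares the current load only with the previous sample, so a single noisy reading can trigger the switch to class C; a deployment would smooth the performance index over several samples before applying the claim 2 test.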
10. The method according to claim 9, characterised in that it further comprises: counting the access frequency at which a first terminal device accesses the network server under the preset statistical dimension;
and the rate limiting of access requests comprises:
when the access frequency of the first terminal device under the statistical dimension meets a preset condition, rate limiting the access requests of the first terminal device.
11. The method according to claim 9, characterised in that it further comprises: counting the access frequency at which a first terminal device accesses the network server under the preset statistical dimension, and monitoring whether the access behaviour sequence of the first terminal device is abnormal;
and the rate limiting of access requests comprises:
when the access frequency of the first terminal device under the statistical dimension is higher than the second predetermined threshold, and the access behaviour sequence of the first terminal device is abnormal, rate limiting the access requests of the first terminal device.
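The per-client rate limiting of claims 10 and 11, counted under either of the statistical dimensions of claims 7 and 8, is illustrated below. This is an added example constructed for this page, not code from the patent. The claims do not say what makes an access behaviour sequence "abnormal", so the check used here (too little variety among a client's recent requests) is an assumed placeholder heuristic; the window, thresholds, client identifiers and traffic are all constructed.

```python
"""Per-client rate limiting under a statistical dimension (added example).

Constructed illustration of claims 7, 8, 10 and 11, not code from the patent.
The "abnormal access behaviour sequence" test is an assumed placeholder
heuristic (a client whose recent requests keep hitting the same few resources);
the claims do not define what counts as abnormal. All sample traffic is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass(frozen=True)
class Access:
    t: float        # request time, seconds
    client: str     # identifier of the terminal device (constructed: a source address)
    resource: str   # requested path


class ClientRateLimiter:
    def __init__(self, window: float, max_rate: int, dimension: str = "server",
                 seq_len: int = 10, min_distinct_ratio: float = 0.3) -> None:
        if dimension not in ("server", "resource"):
            raise ValueError("dimension must be 'server' (claim 7) or 'resource' (claim 8)")
        self.window = window                    # sliding window for the frequency count
        self.max_rate = max_rate                # "second predetermined threshold" of claim 11
        self.dimension = dimension
        self.seq_len = seq_len                  # length of the behaviour sequence examined
        self.min_distinct_ratio = min_distinct_ratio
        self._hist: Dict[str, Deque[Access]] = defaultdict(deque)

    def _frequency(self, q: Deque[Access], a: Access) -> int:
        """Accesses by this client inside the window, under the chosen dimension."""
        if self.dimension == "server":
            return len(q)
        return sum(1 for x in q if x.resource == a.resource)

    def sequence_abnormal(self, q: Deque[Access]) -> bool:
        """Assumed heuristic: too little variety in the client's recent requests."""
        recent = list(q)[-self.seq_len:]
        if len(recent) < self.seq_len:
            return False  # not enough history to judge
        distinct = len({x.resource for x in recent})
        return distinct / len(recent) < self.min_distinct_ratio

    def observe(self, a: Access) -> bool:
        """Record one request; return True if it should be rate limited (claim 11)."""
        q = self._hist[a.client]
        q.append(a)
        while q and a.t - q[0].t > self.window:
            q.popleft()
        too_fast = self._frequency(q, a) > self.max_rate
        # Claim 11 requires both conditions: high frequency AND abnormal sequence.
        return too_fast and self.sequence_abnormal(q)


def simulate(limiter: ClientRateLimiter, traffic: List[Access]) -> List[bool]:
    """Rate-limit decision for each request, in order."""
    return [limiter.observe(a) for a in traffic]


def constructed_traffic() -> List[Access]:
    """Constructed sample: one client hammering /login, one browsing varied pages."""
    bot = [Access(i * 0.01, "10.0.0.5", "/login") for i in range(30)]
    human = [Access(i * 0.03, "10.0.0.9", f"/page{i}") for i in range(25)]
    return bot + human


if __name__ == "__main__":
    decisions = simulate(ClientRateLimiter(window=1.0, max_rate=20), constructed_traffic())
    print(sum(decisions), "of", len(decisions), "requests rate limited")
```

Because the claim requires both a high frequency and an abnormal sequence, a client that sends a burst of distinct requests is not limited by this logic; that is the property the patent relies on to keep fast but ordinary clients out of the filter, and it is also why the choice of anomaly test matters in practice.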
12. An application-layer security protection apparatus based on verification, characterised in that it comprises:
an interception module, for intercepting access requests sent by a terminal device to a network server;
a verification module, for verifying the terminal device according to a target verification protection mode corresponding to the performance index parameters of the network server, where the target verification protection mode is one of multiple verification protection modes and different verification protection modes have different protection effects;
a sending module, for forwarding to the network server the access requests sent by terminal devices that have passed verification under the target verification protection mode.
13. The apparatus according to claim 12, characterised in that it further comprises:
a first switching module, for collecting the performance index parameters of the network server while the terminal device is being verified using the first verification protection mode as the target verification protection mode, determining from those parameters how the performance of the network server is changing, and, if the performance index parameters indicate that the performance of the network server has not changed or has degraded, switching the target verification protection mode from the first verification protection mode to a second verification protection mode, where the protection effect of the second verification protection mode is better than that of the first verification protection mode.
14. The apparatus according to claim 13, characterised in that the first switching module is further configured, if the performance index parameters of the network server indicate that its performance meets the configuration requirement of the network server, to verify the terminal device using the first verification protection mode as the target verification protection mode.
15. The apparatus according to claim 14, characterised in that it further comprises:
a first statistics module, for counting the frequency at which the network server is accessed under a preset statistical dimension;
a second switching module, for switching the target verification protection mode from the first verification protection mode to a third verification protection mode when the access frequency of the network server under the preset statistical dimension is lower than a first predetermined threshold and the performance index parameters of the network server have indicated for a preset duration that its performance meets the configuration requirement of the network server, where the protection effect of the first verification protection mode is better than that of the third verification protection mode.
16. The apparatus according to claim 12, characterised in that it further comprises:
a first statistics module, for counting the frequency at which the network server is accessed under a preset statistical dimension;
a collection module, for collecting the performance index parameters of the network server;
a determination module, for determining that the first verification protection mode is the target verification protection mode when the access frequency of the network server under the preset statistical dimension is higher than a second predetermined threshold and the performance index parameters of the network server indicate that its performance does not meet the configuration requirement of the network server, the first verification protection mode being one of the multiple verification protection modes.
17. The apparatus according to claim 12, characterised in that it further comprises:
a third switching module, for switching the verification protection mode corresponding to the network server according to a verification-protection-mode adjustment command when such a command, triggered by a user, is received.
18. The apparatus according to claim 15 or 16, characterised in that the statistical dimension is the server dimension, and the first statistics module comprises:
a first statistics unit, for counting the frequency at which the network server is accessed.
19. The apparatus according to claim 15 or 16, characterised in that the statistical dimension is the resource dimension, and the first statistics module comprises:
a second statistics unit, for counting the frequency at which each resource on the network server is accessed.
20. The apparatus according to claim 12, characterised in that the multiple verification protection modes comprise at least the following three classes:
class A: browser challenge redirect;
class B: browser challenge redirect plus verification-code (CAPTCHA) check;
class C: browser challenge redirect, verification-code check, and rate limiting of access requests;
where the protection effect of the class B mode is better than that of the class A mode, and the protection effect of the class C mode is better than that of the class B mode.
21. The apparatus according to claim 20, characterised in that it further comprises:
a second statistics module, for counting the access frequency at which a first terminal device accesses the network server under the preset statistical dimension;
and the verification module comprises:
a first rate-limiting unit, for rate limiting the access requests of the first terminal device when its access frequency under the statistical dimension meets a preset condition.
22. The apparatus according to claim 20, characterised in that it further comprises:
a second statistics module, for counting the access frequency at which a first terminal device accesses the network server under the preset statistical dimension;
a monitoring module, for monitoring whether the access behaviour sequence of the first terminal device is abnormal;
and the verification module comprises:
a second rate-limiting unit, for rate limiting the access requests of the first terminal device when its access frequency under the statistical dimension is higher than the second predetermined threshold and its access behaviour sequence is abnormal.
23. A network device, characterised in that it comprises the verification-based application-layer security protection apparatus according to any one of claims 12 to 22.
CN201410632727.1A 2014-11-11 2014-11-11 Application layer protection method and device based on verification and network equipment Active CN105656843B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410632727.1A CN105656843B (en) 2014-11-11 2014-11-11 Application layer protection method and device based on verification and network equipment

Publications (2)

Publication Number Publication Date
CN105656843A true CN105656843A (en) 2016-06-08
CN105656843B CN105656843B (en) 2020-07-24

Family

ID=56483088

Country Status (1)

Country Link
CN (1) CN105656843B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101383832A (en) * 2008-10-07 2009-03-11 成都市华为赛门铁克科技有限公司 Challenging black hole attack defense method and device
CN102045327A (en) * 2009-10-09 2011-05-04 杭州华三通信技术有限公司 Method and equipment for defending against CC attack
US20110289320A1 (en) * 2007-06-12 2011-11-24 Twitchell Jr Robert W Network watermark
CN103118036A (en) * 2013-03-07 2013-05-22 上海电机学院 Cloud end based intelligent security protection system and method
CN103685293A (en) * 2013-12-20 2014-03-26 北京奇虎科技有限公司 Protection method and device for denial of service attack
CN103746987A (en) * 2013-12-31 2014-04-23 东软集团股份有限公司 Method and system for detecting DoS attack in semantic Web application

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018059480A1 (en) * 2016-09-29 2018-04-05 腾讯科技(深圳)有限公司 Method, device, and system for defending against network attack
CN107888546A (en) * 2016-09-29 2018-04-06 腾讯科技(深圳)有限公司 network attack defence method, device and system
US10785254B2 (en) 2016-09-29 2020-09-22 Tencent Technology (Shenzhen) Company Limited Network attack defense method, apparatus, and system
CN109005143A (en) * 2017-06-07 2018-12-14 上海中兴软件有限责任公司 A kind of method and device of adjustment website load
CN108429772A (en) * 2018-06-19 2018-08-21 网宿科技股份有限公司 A kind of means of defence and device for HTTP Flood attacks
WO2019242052A1 (en) * 2018-06-19 2019-12-26 网宿科技股份有限公司 Method and device for protecting against http flood attack
CN111953664A (en) * 2020-07-27 2020-11-17 新浪网技术(中国)有限公司 User request verification method and system based on variable security level
WO2023001053A1 (en) * 2021-07-21 2023-01-26 华为技术有限公司 Device verification method, apparatus and system

Similar Documents

Publication Publication Date Title
CN105577608B (en) Network attack behavior detection method and device
US8438639B2 (en) Apparatus for detecting and filtering application layer DDoS attack of web service
CN107211016B (en) Session security partitioning and application profiler
EP2528005B1 (en) System and method for reducing false positives during detection of network attacks
EP2790382B1 (en) Protection method and device against attacks
EP2854361B1 (en) Apparatus and method for protecting communication pattern of network traffic
EP2863611B1 (en) Device for detecting cyber attack based on event analysis and method thereof
CN105656843A (en) Application layer protection method and apparatus based on verification and network equipment
US9350758B1 (en) Distributed denial of service (DDoS) honeypots
JP6726331B2 (en) Systems and methods for regulating access requests
US20180054458A1 (en) System and method for mitigating distributed denial of service attacks in a cloud environment
CN107645478B (en) Network attack defense system, method and device
CN110099027B (en) Service message transmission method and device, storage medium and electronic device
KR20050081439A (en) System of network security and working method thereof
CN105897674A (en) DDoS attack protection method applied to CDN server group and system
TWI492090B (en) System and method for guarding against dispersive blocking attacks
JP2016508353A (en) Improved streaming method and system for processing network metadata
CA2887428C (en) A computer implemented system and method for secure path selection using network rating
US20160294848A1 (en) Method for protection of automotive components in intravehicle communication system
CN107682341A (en) The means of defence and device of CC attacks
CN109657463A (en) A kind of defence method and device of message flood attack
EP2747345B1 (en) Ips detection processing method, network security device and system
US11831670B1 (en) System and method for prioritizing distributed system risk remediations
CN104184746B (en) Method and device for processing data by gateway
CN105812324A (en) Method, device and system for IDC information safety management

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant