CN106302347B - Network attack processing method and apparatus - Google Patents

Publication number
CN106302347B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510284470.XA
Other languages
Chinese (zh)
Other versions
CN106302347A (en)
Inventor
张倩
孙磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201510284470.XA
Priority to PCT/CN2016/080311 (WO2016188294A1)
Publication of CN106302347A
Application granted
Publication of CN106302347B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The embodiments of the present application provide a network attack processing method and apparatus. The network attack processing method includes: obtaining a first IP address connected to a server and the connection count corresponding to the first IP address; determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold; and if so, blocking (shielding) the source IP addresses connected to the first IP address. The embodiments not only preserve the overall stability of the server and the network but, by blocking source IP addresses, also reduce the impact on the services of the attacked IP address and on access to its websites.

Description

Network attack processing method and apparatus
Technical field
The present application relates to the field of communication technologies, and in particular to a network attack processing method and a network attack processing apparatus.
Background
A virtual host, also called "web space", is obtained by dividing a server running on the Internet into multiple hard-disk spaces of a certain size. Each space is given corresponding FTP (File Transfer Protocol) permissions and web access permissions so that it can be used to publish a website.
To protect the stability and security of the server as a whole, the server's firewall monitors network attacks against each virtual host. Once the firewall determines that the attack scale has reached a certain threshold, it automatically blocks the IP address of the attacked virtual host.
However, although blocking the attacked target IP address preserves the overall stability of the server and the network, blocking that IP address also affects the services hosted on it and disrupts access to its websites.
Therefore, a technical problem that those skilled in the art urgently need to solve is how to reduce the impact of a network attack on the services of the attacked IP address.
Summary of the invention
The technical problem to be solved by the embodiments of the present application is to provide a network attack processing method that reduces the impact of a network attack on the services of the attacked IP address.
Correspondingly, the embodiments of the present application also provide a network attack processing apparatus to ensure the implementation and application of the above method.
To solve the above problem, the present application discloses a network attack processing method, comprising:
Obtaining a first IP address connected to a server and the connection count corresponding to the first IP address;
Determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
If so, blocking the source IP addresses connected to the first IP address.
Further, blocking the source IP addresses connected to the first IP address comprises:
Obtaining each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
Determining whether any of the source IP addresses has a connection count greater than or equal to a second threshold;
If so, blocking the source IP addresses whose connection count is greater than or equal to the second threshold.
Further, the method also comprises:
When none of the source IP addresses has a connection count greater than or equal to the second threshold, blocking the first IP address.
Further, blocking the source IP addresses whose connection count is greater than or equal to the second threshold comprises:
Determining whether the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
If so, blocking the source IP addresses whose connection count is greater than or equal to the second threshold.
Further, the method also comprises:
When the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold, blocking the first IP address.
Further, the method also comprises:
When a preset condition is met, stopping the blocking of the first IP address.
The embodiments of the present application also disclose a network attack processing apparatus, comprising:
An acquiring unit, configured to obtain a first IP address connected to a server and the connection count corresponding to the first IP address;
A judging unit, configured to determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
A processing unit, configured to block the source IP addresses connected to the first IP address when the judging unit determines that the connection count corresponding to the first IP address is greater than or equal to the first threshold.
Further, the processing unit comprises:
An obtaining subunit, configured to obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
A judging subunit, configured to determine whether any of the source IP addresses has a connection count greater than or equal to a second threshold;
A blocking subunit, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the judging subunit determines that such source IP addresses exist.
Further, the processing unit is also configured to block the first IP address when none of the source IP addresses has a connection count greater than or equal to the second threshold.
Further, the blocking subunit comprises:
A lower-level judging subunit, configured to determine whether the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
A lower-level blocking subunit, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the lower-level judging subunit determines that the sum of their connection counts is greater than or equal to the first threshold.
Further, the lower-level blocking subunit is also configured to block the first IP address when the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold.
Compared with the prior art, the embodiments of the present application have the following advantages:
The embodiments of the present application detect the connection count of an IP address connected to the server and, when the connection count exceeds a certain threshold, confirm that the IP address is under network attack. All or some of the source IP addresses connected to the attacked IP address are then blocked. This not only preserves the overall stability of the server and the network but, by blocking source IP addresses, also reduces the impact on the services of the attacked IP address and on access to its websites. Moreover, because the method identifies the attacked IP address by monitoring connection counts, it can determine the object of a network attack more accurately than prior-art monitoring means such as hardware firewalls and black holes, and it is better suited to protecting the virtual hosts themselves against network attacks.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of one embodiment of a network attack processing method of the present application;
Fig. 2 is a flow chart of the steps of another embodiment of a network attack processing method of the present application;
Fig. 3 is a structural block diagram of an embodiment of a network attack processing apparatus of the present application;
Fig. 4 is a structural block diagram of a processing unit in the embodiments of the present application;
Fig. 5 is a structural block diagram of a blocking subunit in the embodiments of the present application.
Detailed description of embodiments
To make the above objects, features and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flow chart of the steps of one embodiment of a network attack processing method of the present application is shown. The method may specifically include the following steps:
Step 101: obtain a first IP address connected to a server and the connection count corresponding to the first IP address.
In the embodiments of the present application, multiple virtual hosts can be partitioned on the server, and the server can connect to each virtual host through a public port such as port 80.
The network attack processing apparatus may be the server itself, an apparatus arranged in the server, or an apparatus that is independent of the server but can communicate with it.
The apparatus differs from the server's firewall, which detects the network attacks on each virtual host by indicators such as bandwidth. In this step, the apparatus obtains the IP address of each virtual host connected on the server and the connection count corresponding to each IP address. The first IP address is the IP address of any virtual host connected on the server; "first" is used only for convenience of description and does not refer to a particular IP address. The connection count corresponding to the first IP address is the number of connections that all source IP addresses have made to the first IP address.
The apparatus may obtain the first IP address and its connection count periodically, or may monitor them in real time.
Step 102: determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
After obtaining the first IP address and its connection count, the apparatus determines whether the connection count is greater than or equal to a preset first threshold. The first threshold may be set according to the scale of the server, the application scenario of the virtual host, empirical values of the connection count and so on, and is not limited here.
If the connection count corresponding to the first IP address is greater than or equal to the first threshold, the first IP address is under network attack and step 103 is executed. If it is less than the first threshold, the first IP address is not under network attack and is in a safe state.
Step 103: block the source IP addresses connected to the first IP address.
In this embodiment, when the connection count corresponding to the first IP address is greater than or equal to the first threshold, the first IP address is not blocked directly. Instead, some or all of the source IP addresses connected to the first IP address are blocked. Specifically, the apparatus can determine which source IP addresses need to be blocked according to the connection counts of the source IP addresses connected to the first IP address.
The apparatus can detect and process all IP addresses of the virtual hosts connected on the server according to the above method.
The embodiments of the present application detect the connection count of an IP address connected to the server and, when the connection count exceeds a certain threshold, confirm that the IP address is under network attack. All or some of the source IP addresses connected to the attacked IP address are then blocked. This not only preserves the overall stability of the server and the network but, by blocking source IP addresses, also reduces the impact on the services of the attacked IP address and on access to its websites. Moreover, because the method identifies the attacked IP address by monitoring connection counts, it can determine the object of a network attack more accurately than prior-art monitoring means such as hardware firewalls and black holes, and it is better suited to protecting the virtual hosts themselves against network attacks.
Referring to Fig. 2, a flow chart of the steps of another embodiment of a network attack processing method of the present application is shown. The method may specifically include the following steps:
Step 201: obtain a first IP address connected to a server and the connection count corresponding to the first IP address.
Step 202: determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
Steps 201 and 202 are similar to steps 101 and 102 in the previous embodiment and are not described again here.
In this embodiment, when the connection count corresponding to the first IP address is less than the first threshold, the network attack processing apparatus confirms that the first IP address is not under network attack.
When the connection count corresponding to the first IP address is greater than or equal to the first threshold, the apparatus needs to block the source IP addresses connected to the first IP address. This process may specifically include the following steps:
Step 203: obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address.
The apparatus further obtains each source IP address connected to the first IP address and its connection count, for example: source IP address 1, connection count 10; source IP address 2, connection count 100; source IP address 3, connection count 1000; ......
Step 204: determine whether any of the source IP addresses has a connection count greater than or equal to a second threshold.
From the result of the previous step, the apparatus checks whether there are source IP addresses whose connection count is greater than or equal to the second threshold. The second threshold is set in a way similar to the first threshold, and may be less than the first threshold.
If no source IP address has a connection count greater than or equal to the second threshold, the apparatus may conclude that the first IP address is under a large-scale attack from multiple source IP addresses and that the source cannot be determined. In this case, depending on the circumstances, all source IP addresses may be blocked directly, or step 205 may be executed.
If there are source IP addresses whose connection count is greater than or equal to the second threshold, the apparatus may block these source IP addresses directly. Alternatively, it may first record these source IP addresses and their connection counts, for example IP N1, connection count Y1; IP N2, connection count Y2; IP N3, connection count Y3, and then execute step 206.
Step 205: block the first IP address.
After the first IP address is blocked, the user may further be notified that the first IP address is under attack and to wait for the attack to end. Once the attack is detected to have ended, or when a preset condition is met, the blocking of the first IP address can be stopped automatically.
Step 206: determine whether the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold.
The apparatus calculates the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold, for example Y1 + Y2 + Y3, and then determines whether this sum is greater than or equal to the first threshold.
If the sum is greater than or equal to the first threshold, the network attack on the first IP address was initiated by a small number of source IP addresses, and step 207 can be executed.
If the sum is less than the first threshold, the first IP address is under a large-scale attack from multiple source IP addresses and the source cannot be determined. In this case, depending on the circumstances, all source IP addresses may be blocked directly, or step 205 may be executed.
Step 207: block the source IP addresses whose connection count is greater than or equal to the second threshold.
After the source IP addresses are blocked, the user may be notified that the attack was successfully defended against, and users can continue to access the first IP address.
This embodiment monitors the number of network connections, determines the scale and source of a network attack from the connection counts and, depending on the attack situation, blocks either the source IP addresses that launched the attack or the IP address under attack. For example, a large-scale attack initiated by a small number of IPs can be defended against by blocking those IPs. Where it cannot be determined that the attack was initiated by a small number of IPs, the attacked IP is blocked to protect the server and the overall network, thereby protecting the overall stability and security of the server. The method does not simply block the attacked IP address at the virtual host's firewall. Instead, it analyzes and handles the attack quantitatively according to its sources, so it can determine the object of a network attack more accurately and apply the corresponding protection.
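The decision flow of steps 201 to 207 can be traced on concrete numbers with the following added example, which is not code from the patent. The function and class names, the thresholds (1000 and 100) and all connection records are constructed for illustration, and the enforcement of a block (firewall rule, null route) is deliberately left out.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "no attack detected"
    BLOCK_SOURCES = "block the listed source IPs"    # step 207
    BLOCK_TARGET = "block the first (attacked) IP"   # step 205


@dataclass(frozen=True)
class Decision:
    target_ip: str
    action: Action
    sources: tuple = ()  # filled only for BLOCK_SOURCES


def count_connections(connections):
    """Steps 201/203: build {target IP: {source IP: connection count}}."""
    table = defaultdict(Counter)
    for src, dst in connections:
        table[dst][src] += 1
    return table


def decide(target_ip, per_source, first_threshold, second_threshold,
           block_all_sources_fallback=False):
    """Steps 202 to 207 for one first IP address (hypothetical helper)."""
    # Step 202: the first IP is treated as attacked only at >= first threshold.
    if sum(per_source.values()) < first_threshold:
        return Decision(target_ip, Action.NONE)
    # Step 204: sources whose own connection count reaches the second threshold.
    heavy = {s: n for s, n in per_source.items() if n >= second_threshold}
    # Step 206: do those few sources account for an attack-sized load?
    if heavy and sum(heavy.values()) >= first_threshold:
        return Decision(target_ip, Action.BLOCK_SOURCES, tuple(sorted(heavy)))
    # Source cannot be determined: the text allows blocking every source
    # or falling back to step 205 (block the attacked IP itself).
    if block_all_sources_fallback:
        return Decision(target_ip, Action.BLOCK_SOURCES,
                        tuple(sorted(per_source)))
    return Decision(target_ip, Action.BLOCK_TARGET)


def evaluate(connections, first_threshold, second_threshold, **kwargs):
    """Apply the flow to every virtual-host IP seen in the connection list."""
    table = count_connections(connections)
    return {dst: decide(dst, table[dst], first_threshold, second_threshold,
                        **kwargs)
            for dst in table}


def build_sample():
    """Constructed (source IP, target IP) records; documentation ranges only."""
    conns = []
    # 192.0.2.10: two heavy sources (900 + 300) plus 20 ordinary clients.
    conns += [("198.51.100.7", "192.0.2.10")] * 900
    conns += [("198.51.100.8", "192.0.2.10")] * 300
    conns += [(f"198.18.0.{i}", "192.0.2.10")
              for i in range(20) for _ in range(2)]
    # 192.0.2.20: 400 sources with 3 connections each, none reaches 100.
    conns += [(f"198.18.{1 + i // 200}.{i % 200}", "192.0.2.20")
              for i in range(400) for _ in range(3)]
    # 192.0.2.30: one source at 150, the rest spread over 300 sources.
    conns += [("198.51.100.9", "192.0.2.30")] * 150
    conns += [(f"198.18.{3 + i // 200}.{i % 200}", "192.0.2.30")
              for i in range(300) for _ in range(3)]
    # 192.0.2.40: ordinary traffic, 50 connections in total.
    conns += [(f"198.18.9.{i}", "192.0.2.40")
              for i in range(25) for _ in range(2)]
    return conns


if __name__ == "__main__":
    for ip, d in sorted(evaluate(build_sample(), 1000, 100).items()):
        print(ip, "->", d.action.value, list(d.sources))
```

The third target shows why step 206 exists: one source exceeds the second threshold, but blocking it alone would leave 900 connections in place, so the flow falls back to step 205.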
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combined actions. Those skilled in the art should understand, however, that the embodiments of the present application are not limited by the described order of actions, because according to the embodiments of the present application some steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.
Referring to Fig. 3, a structural block diagram of an embodiment of a network attack processing apparatus of the present application is shown. The apparatus may specifically include the following units:
An acquiring unit 301, configured to obtain a first IP address connected to a server and the connection count corresponding to the first IP address.
A judging unit 302, configured to determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
A processing unit 303, configured to block the source IP addresses connected to the first IP address when the judging unit 302 determines that the connection count corresponding to the first IP address is greater than or equal to the first threshold.
Through the above units, the apparatus detects the connection count of an IP address connected to the server and, when the connection count exceeds a certain threshold, confirms that the IP address is under network attack. All or some of the source IP addresses connected to the attacked IP address are then blocked. This not only preserves the overall stability of the server and the network but, by blocking source IP addresses, also reduces the impact on the services of the attacked IP address and on access to its websites. Moreover, because the apparatus identifies the attacked IP address by monitoring connection counts, it can determine the object of a network attack more accurately than prior-art monitoring means such as hardware firewalls and black holes, and it is better suited to protecting the virtual hosts themselves against network attacks.
In another embodiment, as shown in Fig. 4, the processing unit 303 may further include:
An obtaining subunit 401, configured to obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
A judging subunit 402, configured to determine whether any of the source IP addresses has a connection count greater than or equal to a second threshold;
A blocking subunit 403, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the judging subunit 402 determines that such source IP addresses exist.
In another embodiment, the processing unit is also configured to block the first IP address when none of the source IP addresses has a connection count greater than or equal to the second threshold.
In another embodiment, as shown in Fig. 5, the blocking subunit 403 may further include:
A lower-level judging subunit 501, configured to determine whether the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
A lower-level blocking subunit 502, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the lower-level judging subunit 501 determines that the sum of their connection counts is greater than or equal to the first threshold.
The lower-level blocking subunit 502 may also be configured to block the first IP address when the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold.
The apparatus monitors the number of network connections, determines the scale and source of a network attack from the connection counts and, depending on the attack situation, blocks either the source IP addresses that launched the attack or the IP address under attack. For example, a large-scale attack initiated by a small number of IPs can be defended against by blocking those IPs. Where it cannot be determined that the attack was initiated by a small number of IPs, the attacked IP is blocked to protect the server and the overall network, thereby protecting the overall stability and security of the server. The apparatus does not simply block the attacked IP address at the virtual host's firewall. Instead, it analyzes and handles the attack quantitatively according to its sources, so it can determine the object of a network attack more accurately and apply the corresponding protection.
The embodiments of the present application also disclose a server, including a memory and a processor.
The processor and the memory are connected to each other by a bus. The bus may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on.
The memory is used to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions. The memory may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
The processor is used to read the program code in the memory and execute the following steps:
Obtaining a first IP address connected to a server and the connection count corresponding to the first IP address;
Determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
If so, blocking the source IP addresses connected to the first IP address.
Because the apparatus embodiments are basically similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to across embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, an apparatus or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory and the like) that contain computer-usable program code.
In a typical configuration, the computer device includes one or more processors (CPU), an input/output interface, a network interface and memory. The memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, and the instruction apparatus implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operation steps are executed on the computer or other programmable terminal device to produce computer-implemented processing. The instructions executed on the computer or other programmable terminal device thus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes the element.
The network attack processing method and network attack processing apparatus provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, those skilled in the art may, following the idea of the present application, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (7)

1. A network attack processing method, characterized by comprising:
obtaining a first IP address connected to a server and the connection count corresponding to the first IP address, wherein the first IP address comprises the IP address of any virtual host connected to the server;
judging whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
if so, blocking the source IP addresses connected to the first IP address;
wherein blocking the source IP addresses connected to the first IP address comprises:
judging whether, among the source IP addresses connected to the first IP address, there is a source IP address whose connection count is greater than or equal to a second threshold, so as to obtain a judgment result;
when the judgment result is yes and the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold, blocking the source IP addresses whose connection count is greater than or equal to the second threshold;
the method further comprising:
when the judgment result is yes and the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold, blocking the first IP address.
2. The method according to claim 1, characterized in that blocking the source IP addresses connected to the first IP address comprises:
obtaining each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
judging whether, among the source IP addresses, there is a source IP address whose connection count is greater than or equal to the second threshold;
if there is, blocking the source IP address whose connection count is greater than or equal to the second threshold.
3. The method according to claim 2, characterized in that the method further comprises:
when none of the source IP addresses has a connection count greater than or equal to the second threshold, blocking the first IP address.
4. The method according to claim 1 or 3, characterized in that the method further comprises:
when a preset condition is met, stopping the blocking of the first IP address.
5. A network attack processing apparatus, characterized by comprising:
an acquiring unit, configured to obtain a first IP address connected to a server and the connection count corresponding to the first IP address, wherein the first IP address comprises the IP address of any virtual host connected to the server;
a judging unit, configured to judge whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
a processing unit, configured to, when the judging unit determines that the connection count corresponding to the first IP address is greater than or equal to the first threshold, judge whether, among the source IP addresses connected to the first IP address, there is a source IP address whose connection count is greater than or equal to a second threshold, so as to obtain a judgment result, and, when the judgment result is yes and the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold, block the source IP addresses whose connection count is greater than or equal to the second threshold;
the processing unit being further configured to block the first IP address when the judgment result is yes and the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold.
6. The apparatus according to claim 5, characterized in that the processing unit is further configured to obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address, judge whether, among the source IP addresses, there is a source IP address whose connection count is greater than or equal to the second threshold, and, when it is judged that such a source IP address exists, block the source IP address whose connection count is greater than or equal to the second threshold.
7. The apparatus according to claim 6, characterized in that
the processing unit is further configured to block the first IP address when none of the source IP addresses has a connection count greater than or equal to the second threshold.
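The two-threshold decision of claims 1 to 3, as an added Python example that is not code from the patent or from the applicant: it counts connections per first IP address and per source, then chooses between blocking the heavy sources and blocking the first IP address itself. The function names, the threshold values and the sample addresses (documentation ranges) are assumptions made for illustration, and the comparison in claim 1 is read as the sum of the heavy sources' connection counts against the first threshold.

```python
from collections import Counter, defaultdict

FIRST_THRESHOLD = 100   # assumed limit per first IP address (first threshold)
SECOND_THRESHOLD = 50   # assumed limit per source IP address (second threshold)

def decide_blocks(connections, first=FIRST_THRESHOLD, second=SECOND_THRESHOLD):
    """Map each over-threshold first IP to ("block_sources", [...]) or
    ("block_destination", [first_ip]).

    connections: iterable of (source_ip, first_ip), one tuple per open connection.
    """
    per_source = defaultdict(Counter)          # first_ip -> {source_ip: count}
    for src, dst in connections:
        per_source[dst][src] += 1

    actions = {}
    for dst, sources in per_source.items():
        if sum(sources.values()) < first:      # first IP is below the first threshold
            continue
        heavy = {s: n for s, n in sources.items() if n >= second}
        if heavy and sum(heavy.values()) >= first:
            # A few sources account for the load: block only those sources.
            actions[dst] = ("block_sources", sorted(heavy))
        else:
            # No heavy source (claim 3), or the heavy sources explain too
            # little of the load (claim 1): block the first IP address itself.
            actions[dst] = ("block_destination", [dst])
    return actions

def sample_connections():
    """Constructed connection table, not data from the patent."""
    conns = [("198.51.100.1", "192.0.2.10")] * 60      # two heavy sources
    conns += [("198.51.100.2", "192.0.2.10")] * 60
    conns += [(f"203.0.113.{i}", "192.0.2.20") for i in range(1, 121)]  # spread out
    conns += [("198.51.100.3", "192.0.2.30")] * 50     # one heavy source, 60 light ones
    conns += [(f"203.0.113.{i}", "192.0.2.30") for i in range(1, 61)]
    conns += [("198.51.100.4", "192.0.2.40")] * 10     # quiet host, no action
    return conns

if __name__ == "__main__":
    for dst, (action, targets) in sorted(decide_blocks(sample_connections()).items()):
        print(dst, action, targets)
```

Blocking the first IP address takes a virtual host offline for legitimate clients as well, which is why claim 4 pairs it with a preset condition for lifting the block.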
CN201510284470.XA 2015-05-28 2015-05-28 A kind of network attack treating method and apparatus Active CN106302347B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510284470.XA CN106302347B (en) 2015-05-28 2015-05-28 A kind of network attack treating method and apparatus
PCT/CN2016/080311 WO2016188294A1 (en) 2015-05-28 2016-04-27 Network attack processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510284470.XA CN106302347B (en) 2015-05-28 2015-05-28 A kind of network attack treating method and apparatus

Publications (2)

Publication Number Publication Date
CN106302347A CN106302347A (en) 2017-01-04
CN106302347B true CN106302347B (en) 2019-11-05

Family

ID=57392586

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510284470.XA Active CN106302347B (en) 2015-05-28 2015-05-28 A kind of network attack treating method and apparatus

Country Status (2)

Country Link
CN (1) CN106302347B (en)
WO (1) WO2016188294A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965336B (en) * 2018-09-10 2021-03-23 杭州迪普科技股份有限公司 Attack detection method and device
CN111669359A (en) * 2019-03-09 2020-09-15 深圳市锐速云计算有限公司 Novel network attack processing method and device
TWI707565B (en) * 2019-04-19 2020-10-11 國立中央大學 Network attacker identifying method and network system
CN112738089B (en) * 2020-12-29 2023-03-28 中国建设银行股份有限公司 Method and device for automatically backtracking source ip under complex network environment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594269A (en) * 2009-06-29 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of detection method of unusual connection, device and gateway device
CN102014116A (en) * 2009-09-03 2011-04-13 丛林网络公司 Protecting against distributed network flood attacks
CN103001972A (en) * 2012-12-25 2013-03-27 苏州山石网络有限公司 Identification method and identification device and firewall for DDOS (distributed denial of service) attack
WO2014040292A1 (en) * 2012-09-17 2014-03-20 华为技术有限公司 Protection method and device against attacks
CN104601542A (en) * 2014-12-05 2015-05-06 国云科技股份有限公司 DDOS (distributed denial of service) active protection method applicable to virtual machine

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130030086A (en) * 2011-09-16 2013-03-26 한국전자통신연구원 Method and apparatus for defending distributed denial of service attack through abnomal terminated session
CN104243223A (en) * 2013-06-06 2014-12-24 天津蜀都科技有限公司 High accuracy application identification method and device
CN103701795B (en) * 2013-12-20 2017-11-24 北京奇安信科技有限公司 The recognition methods of the attack source of Denial of Service attack and device

Also Published As

Publication number Publication date
WO2016188294A1 (en) 2016-12-01
CN106302347A (en) 2017-01-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant