CN106302347B - A kind of network attack treating method and apparatus - Google Patents
- Publication number: CN106302347B
- Authority: CN (China)
- Legal status: Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The embodiments of the present application provide a network attack processing method and apparatus. The method includes: obtaining a first IP address connected to a server and the connection count corresponding to the first IP address; determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold; and, if so, blocking the source IP addresses connected to the first IP address. The embodiments not only ensure the overall stability of the server and the network but, by blocking source IP addresses, also reduce the impact on the services of the attacked IP address and on website access.
Description
Technical field
This application relates to the field of communication technology, and in particular to a network attack processing method and a network attack processing apparatus.
Background technique
A virtual host, also called "web space", is obtained by dividing a server running on the Internet into multiple hard-disk spaces of a certain size. Each space is given corresponding FTP (File Transfer Protocol) permissions and web access permissions so that it can be used to publish a website.
To protect the stability and security of the server as a whole, the server's firewall monitors network attacks against each virtual host. Once the firewall judges that the attack scale has reached a certain threshold, it automatically blocks the IP address of the attacked virtual host.
However, although blocking the attacked target IP address guarantees the overall stability of the server and the network, blocking the attacked IP address also affects the services hosted on that IP address and affects website access.
Therefore, a technical problem that those skilled in the art urgently need to solve is how to reduce the impact of a network attack on the services of the attacked IP address.
Summary of the invention
The technical problem to be solved by the embodiments of the present application is to provide a network attack processing method that can reduce the impact of a network attack on the services of the attacked IP address.
Correspondingly, the embodiments of the present application also provide a network attack processing apparatus to guarantee the implementation and application of the above method.
To solve the above problem, the present application discloses a network attack processing method, comprising:
Obtaining a first IP address connected to a server and the connection count corresponding to the first IP address;
Determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
If so, blocking the source IP addresses connected to the first IP address.
Further, blocking the source IP addresses connected to the first IP address comprises:
Obtaining each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
Determining whether, among the source IP addresses, there is a source IP address whose connection count is greater than or equal to a second threshold;
If there is, blocking the source IP addresses whose connection count is greater than or equal to the second threshold.
Further, the method also comprises:
When none of the source IP addresses has a connection count greater than or equal to the second threshold, blocking the first IP address.
Further, blocking the source IP addresses whose connection count is greater than or equal to the second threshold comprises:
Determining whether the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
If so, blocking the source IP addresses whose connection count is greater than or equal to the second threshold.
Further, the method also comprises:
When the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold, blocking the first IP address.
Further, the method also comprises:
When a preset condition is met, stopping the blocking of the first IP address.
The embodiments of the present application also disclose a network attack processing apparatus, comprising:
An acquiring unit, configured to obtain a first IP address connected to a server and the connection count corresponding to the first IP address;
A judging unit, configured to determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
A processing unit, configured to block the source IP addresses connected to the first IP address when the judging unit determines that the connection count corresponding to the first IP address is greater than or equal to the first threshold.
Further, the processing unit includes:
An obtaining subunit, configured to obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
A judgment subunit, configured to determine whether, among the source IP addresses, there is a source IP address whose connection count is greater than or equal to a second threshold;
A blocking subunit, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the judgment subunit determines that such source IP addresses exist.
Further, the processing unit is also configured to block the first IP address when none of the source IP addresses has a connection count greater than or equal to the second threshold.
Further, the blocking subunit includes:
A lower-level judgment subunit, configured to determine whether the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
A lower-level blocking subunit, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the lower-level judgment subunit determines that the sum of their connection counts is greater than or equal to the first threshold.
Further, the lower-level blocking subunit is also configured to block the first IP address when the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold.
Compared with the prior art, the embodiments of the present application have the following advantages:
The embodiments of the present application detect the connection count of an IP address connected to the server and, when the connection count exceeds a certain threshold, confirm that the IP address is under network attack and then block all or some of the source IP addresses connected to the attacked IP address. This not only ensures the overall stability of the server and the network but, by blocking source IP addresses, also reduces the impact on the services of the attacked IP address and on website access. Moreover, because the method confirms the attacked IP address by monitoring connection counts, it can determine the target of a network attack more accurately than prior-art monitoring means such as hardware firewalls and black holes, and is better suited to protecting the virtual hosts themselves against network attack.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of one embodiment of the network attack processing method of the present application;
Fig. 2 is a flow chart of the steps of another embodiment of the network attack processing method of the present application;
Fig. 3 is a structural block diagram of one embodiment of the network attack processing apparatus of the present application;
Fig. 4 is a structural block diagram of a processing unit in the embodiments of the present application;
Fig. 5 is a structural block diagram of a blocking subunit in the embodiments of the present application.
Specific embodiment
To make the above objects, features and advantages of the present application more apparent, the application is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flow chart of the steps of one embodiment of the network attack processing method of the present application is shown, which may specifically include the following steps:
Step 101: obtain a first IP address connected to the server and the connection count corresponding to the first IP address.
In the embodiments of the present application, multiple virtual hosts can be partitioned on the server, and the server can connect to each virtual host through a public port, such as port 80.
The network attack processing apparatus may be the server itself, a device arranged in the server, or a device that is independent of the server but can communicate with it.
Unlike the server's firewall, which detects the network attacks on each virtual host using metrics such as bandwidth, in this step the apparatus obtains the IP address of each virtual host connected on the server and the connection count corresponding to each IP address. Here, the first IP address is the IP address of any virtual host connected on the server; "first" is used only for convenience of description and does not refer to one particular IP address. The connection count corresponding to the first IP address is the number of connections made to the first IP address by all source IP addresses.
The apparatus may obtain the first IP address and its connection count periodically, or may monitor in real time to obtain them.
Step 102: determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
After obtaining the first IP address and its connection count, the apparatus determines whether the connection count is greater than or equal to a preset first threshold. The first threshold can be set according to the scale of the server, the application scenario of the virtual host, empirical values of the connection count and so on, and is not limited here.
If the connection count corresponding to the first IP address is greater than or equal to the first threshold, the first IP address is under network attack and step 103 is executed; if it is less than the first threshold, the first IP address is not under network attack and is in a safe state.
Step 103: block the source IP addresses connected to the first IP address.
In this embodiment, when the connection count corresponding to the first IP address is greater than or equal to the first threshold, the first IP address itself is not blocked directly; instead, some or all of the source IP addresses connected to the first IP address are blocked. Specifically, the apparatus can determine which source IP addresses need to be blocked according to the connection counts of the source IP addresses connected to the first IP address.
The apparatus can detect and process all IP addresses of virtual hosts connected on the server according to the above method.
The embodiments of the present application detect the connection count of an IP address connected to the server and, when the connection count exceeds a certain threshold, confirm that the IP address is under network attack and then block all or some of the source IP addresses connected to the attacked IP address. This not only ensures the overall stability of the server and the network but, by blocking source IP addresses, also reduces the impact on the services of the attacked IP address and on website access. Moreover, because the method confirms the attacked IP address by monitoring connection counts, it can determine the target of a network attack more accurately than prior-art monitoring means such as hardware firewalls and black holes, and is better suited to protecting the virtual hosts themselves against network attack.
Referring to Fig. 2, a flow chart of the steps of another embodiment of the network attack processing method of the present application is shown, which may specifically include the following steps:
Step 201: obtain a first IP address connected to the server and the connection count corresponding to the first IP address.
Step 202: determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
Steps 201 and 202 are similar to steps 101 and 102 in the previous embodiment and are not described again here.
In this embodiment, when the connection count corresponding to the first IP address is less than the first threshold, the network attack processing apparatus confirms that the first IP address is not under network attack.
When the connection count corresponding to the first IP address is greater than or equal to the first threshold, the apparatus needs to block the source IP addresses connected to the first IP address, which can specifically include the following steps:
Step 203: obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address.
The apparatus further obtains each source IP address connected to the first IP address and its connection count, for example: source IP address 1, connection count 10; source IP address 2, connection count 100; source IP address 3, connection count 1000; and so on.
Step 204: determine whether, among the source IP addresses, there is a source IP address whose connection count is greater than or equal to a second threshold.
From the result of the previous step, the apparatus checks whether there is a source IP address whose connection count is greater than or equal to the second threshold. The second threshold is set in a similar way to the first threshold, and can be less than the first threshold.
If no source IP address has a connection count greater than or equal to the second threshold, the apparatus can consider that the first IP address is under a large-scale attack from many source IP addresses whose source cannot be determined. In this case, depending on the circumstances, all source IP addresses can be blocked directly, or step 205 can be executed.
If there are source IP addresses whose connection count is greater than or equal to the second threshold, the apparatus can block these source IP addresses directly, or can first record these source IP addresses and their connection counts, for example IP N1 with connection count Y1, IP N2 with connection count Y2 and IP N3 with connection count Y3, and then execute step 206.
Step 205: block the first IP address.
After the first IP address is blocked, the user can further be notified that the first IP address is under attack and to wait for the attack to end. After the attack is detected to be over, or when a preset condition is met, the blocking of the first IP address can be stopped automatically.
Step 206: determine whether the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold.
The apparatus calculates the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold, for example Y1 + Y2 + Y3, and then determines whether this sum is greater than or equal to the first threshold.
If the sum of the connection counts is greater than or equal to the first threshold, the network attack on the first IP address was launched by a small number of source IP addresses, and step 207 can be executed.
If the sum of the connection counts is less than the first threshold, the first IP address is under a large-scale attack from many source IP addresses whose source cannot be determined. In this case, depending on the circumstances, all source IP addresses can be blocked directly, or step 205 can be executed.
Step 207: block the source IP addresses whose connection count is greater than or equal to the second threshold.
After the source IP addresses are blocked, the user can be notified that the attack has been successfully defended against, and users can continue to access the first IP address.
By monitoring the number of network connections, this embodiment determines the scale and source of a network attack from the connection counts and, depending on the attack situation, blocks either the source IP addresses that launched the attack or the attacked IP address. For example, a large-scale attack launched by a small number of IPs can be defended against by blocking those IPs; when it cannot be determined that the attack was launched by a small number of IPs, the attacked IP is blocked to protect the server and the overall network, so as to protect the overall stability and security of the server. Rather than simply blocking the attacked IP address at the firewall end of the virtual host, the method analyses the attack sources quantitatively before acting, so it can determine the target of the network attack more accurately and apply the corresponding protective measures.
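The decision flow of steps 201 to 207, written out as an added Python example that is not part of the patent text. The threshold values, the `Decision` record, the function names and the sample addresses are assumptions made for illustration; where the description allows either blocking all sources or executing step 205, this example executes step 205.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

FIRST_THRESHOLD = 1000   # assumed value; the description leaves it to the operator
SECOND_THRESHOLD = 100   # assumed value; the description says it can be below the first


@dataclass(frozen=True)
class Decision:
    first_ip: str        # the virtual host IP address that was evaluated
    total: int           # connections to first_ip from all source IP addresses
    action: str          # "none", "block_sources" or "block_first_ip"
    targets: tuple = ()  # addresses to block
    step: int = 202      # step of Fig. 2 at which the flow ended


def count_connections(connections):
    """Steps 201/203: turn (source_ip, first_ip) pairs into per-source counts."""
    table = defaultdict(Counter)
    for source_ip, first_ip in connections:
        table[first_ip][source_ip] += 1
    return table


def decide(first_ip, per_source, t1=FIRST_THRESHOLD, t2=SECOND_THRESHOLD):
    """Apply steps 202 to 207 to one first IP address."""
    total = sum(per_source.values())
    # Step 202: below the first threshold the address is not under attack.
    if total < t1:
        return Decision(first_ip, total, "none", (), 202)
    # Step 204: look for sources at or above the second threshold.
    heavy = {ip: n for ip, n in per_source.items() if n >= t2}
    if not heavy:
        # Many small sources, origin cannot be determined: step 205.
        return Decision(first_ip, total, "block_first_ip", (first_ip,), 205)
    # Step 206: do the heavy sources alone account for the first threshold?
    if sum(heavy.values()) >= t1:
        # Step 207: attack launched by a small number of sources.
        return Decision(first_ip, total, "block_sources", tuple(sorted(heavy)), 207)
    # Heavy sources exist but most of the load is spread out: step 205.
    return Decision(first_ip, total, "block_first_ip", (first_ip,), 205)


def evaluate(connections, t1=FIRST_THRESHOLD, t2=SECOND_THRESHOLD):
    """Run the flow for every first IP address seen in the connection list."""
    table = count_connections(connections)
    return {ip: decide(ip, per_source, t1, t2) for ip, per_source in table.items()}


def build_sample():
    """Constructed connection list (documentation and private address ranges)."""
    conns = []
    a = "203.0.113.10"   # few heavy sources, counts 10 / 100 / 1000 as in step 203
    conns += [("198.51.100.1", a)] * 10
    conns += [("198.51.100.2", a)] * 100
    conns += [("198.51.100.3", a)] * 1000
    b = "203.0.113.20"   # 1200 sources with one connection each
    conns += [(f"10.1.{i // 250}.{i % 250 + 1}", b) for i in range(1200)]
    c = "203.0.113.30"   # one heavy source (300) plus 800 single-connection sources
    conns += [("198.51.100.4", c)] * 300
    conns += [(f"10.2.{i // 250}.{i % 250 + 1}", c) for i in range(800)]
    d = "203.0.113.40"   # ordinary load
    conns += [("198.51.100.5", d)] * 50
    return conns


if __name__ == "__main__":
    for decision in evaluate(build_sample()).values():
        print(decision)
```

The third sample host shows the case the claims single out: a source exceeds the second threshold, but the heavy sources together stay below the first threshold, so the first IP address is blocked instead.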
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combined actions, but those skilled in the art should understand that the embodiments of the present application are not limited by the described order of actions, because according to the embodiments of the present application some steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.
Referring to Fig. 3, a structural block diagram of one embodiment of the network attack processing apparatus of the present application is shown, which may specifically include the following units:
An acquiring unit 301, configured to obtain a first IP address connected to the server and the connection count corresponding to the first IP address.
A judging unit 302, configured to determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
A processing unit 303, configured to block the source IP addresses connected to the first IP address when the judging unit 302 determines that the connection count corresponding to the first IP address is greater than or equal to the first threshold.
Through the above units, the apparatus detects the connection count of an IP address connected to the server and, when the connection count exceeds a certain threshold, confirms that the IP address is under network attack and then blocks all or some of the source IP addresses connected to the attacked IP address. This not only ensures the overall stability of the server and the network but, by blocking source IP addresses, also reduces the impact on the services of the attacked IP address and on website access. Moreover, because the apparatus confirms the attacked IP address by monitoring connection counts, it can determine the target of a network attack more accurately than prior-art monitoring means such as hardware firewalls and black holes, and is better suited to protecting the virtual hosts themselves against network attack.
In another embodiment, as shown in Fig. 4, the processing unit 303 may further include:
An obtaining subunit 401, configured to obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
A judgment subunit 402, configured to determine whether, among the source IP addresses, there is a source IP address whose connection count is greater than or equal to a second threshold;
A blocking subunit 403, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the judgment subunit 402 determines that such source IP addresses exist.
In another embodiment, the processing unit 303 is also configured to block the first IP address when none of the source IP addresses has a connection count greater than or equal to the second threshold.
In another embodiment, as shown in Fig. 5, the blocking subunit 403 may further include:
A lower-level judgment subunit 501, configured to determine whether the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
A lower-level blocking subunit 502, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the lower-level judgment subunit 501 determines that the sum of their connection counts is greater than or equal to the first threshold.
The lower-level blocking subunit 502 can also be configured to block the first IP address when the sum of the connection counts corresponding to the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold.
By monitoring the number of network connections, the apparatus determines the scale and source of a network attack from the connection counts and, depending on the attack situation, blocks either the source IP addresses that launched the attack or the attacked IP address. For example, a large-scale attack launched by a small number of IPs can be defended against by blocking those IPs; when it cannot be determined that the attack was launched by a small number of IPs, the attacked IP is blocked to protect the server and the overall network, so as to protect the overall stability and security of the server. Rather than simply blocking the attacked IP address at the firewall end of the virtual host, the apparatus analyses the attack sources quantitatively before acting, so it can determine the target of the network attack more accurately and apply the corresponding protective measures.
The embodiments of the present application also disclose a server, including a memory and a processor.
The processor and the memory are connected to each other by a bus; the bus can be an ISA bus, a PCI bus, an EISA bus or the like. The bus can be divided into an address bus, a data bus, a control bus and so on.
The memory is used to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions. The memory may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
The processor is used to read the program code in the memory and execute the following steps:
Obtaining a first IP address connected to a server and the connection count corresponding to the first IP address;
Determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
If so, blocking the source IP addresses connected to the first IP address.
As the apparatus embodiment is basically similar to the method embodiment, it is described relatively briefly; for related details, refer to the description of the method embodiment.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments can be referred to each other.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, an apparatus or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM and optical memory) containing computer-usable program code.
In a typical configuration, the computer equipment includes one or more processors (CPUs), input/output interfaces, network interfaces and memory. The memory may include non-persistent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flow charts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce an apparatus for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing terminal device, so that a series of operation steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element limited by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes the element.
The network attack processing method and the network attack processing apparatus provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and implementation of the present application, and the description of the above embodiments is only intended to help understand the method of the present application and its core idea. At the same time, for those skilled in the art, there will be changes in the specific implementation and the scope of application according to the idea of the present application. In summary, the content of this specification should not be construed as limiting the present application.
Claims (7)
1. A network attack processing method, characterized by comprising:
obtaining a first IP address connected to a server and the connection number corresponding to the first IP address, wherein the first IP address comprises the IP address of any virtual host connected to the server;
judging whether the connection number corresponding to the first IP address is greater than or equal to a first threshold;
if so, shielding the source IP addresses connected to the first IP address;
wherein shielding the source IP addresses connected to the first IP address comprises:
judging whether, among the source IP addresses connected to the first IP address, there is a source IP address whose connection number is greater than or equal to a second threshold, to obtain a judgment result;
when the judgment result is yes and the sum of the connection numbers corresponding to the source IP addresses whose connection number is greater than or equal to the second threshold is greater than or equal to the first threshold, shielding the source IP addresses whose connection number is greater than or equal to the second threshold;
the method further comprising:
when the judgment result is yes and the sum of the connection numbers corresponding to the source IP addresses whose connection number is greater than or equal to the second threshold is less than the first threshold, shielding the first IP address.
2. The method according to claim 1, characterized in that shielding the source IP addresses connected to the first IP address comprises:
obtaining each source IP address connected to the first IP address and the connection number corresponding to each source IP address;
judging whether, among the source IP addresses, there is a source IP address whose connection number is greater than or equal to the second threshold;
if so, shielding the source IP addresses whose connection number is greater than or equal to the second threshold.
3. The method according to claim 2, characterized in that the method further comprises:
when no source IP address whose connection number is greater than or equal to the second threshold exists among the source IP addresses, shielding the first IP address.
4. The method according to claim 1 or 3, characterized in that the method further comprises:
when a preset condition is met, stopping the shielding of the first IP address.
5. A network attack processing apparatus, characterized by comprising:
an acquiring unit, configured to obtain a first IP address connected to a server and the connection number corresponding to the first IP address, wherein the first IP address comprises the IP address of any virtual host connected to the server;
a judging unit, configured to judge whether the connection number corresponding to the first IP address is greater than or equal to a first threshold;
a processing unit, configured to, when the judging unit determines that the connection number corresponding to the first IP address is greater than or equal to the first threshold, judge whether, among the source IP addresses connected to the first IP address, there is a source IP address whose connection number is greater than or equal to a second threshold, to obtain a judgment result, and, when the judgment result is yes and the sum of the connection numbers corresponding to the source IP addresses whose connection number is greater than or equal to the second threshold is greater than or equal to the first threshold, shield the source IP addresses whose connection number is greater than or equal to the second threshold;
the processing unit being further configured to shield the first IP address when the judgment result is yes and the sum of the connection numbers corresponding to the source IP addresses whose connection number is greater than or equal to the second threshold is less than the first threshold.
6. The apparatus according to claim 5, characterized in that the processing unit is further configured to obtain each source IP address connected to the first IP address and the connection number corresponding to each source IP address, judge whether, among the source IP addresses, there is a source IP address whose connection number is greater than or equal to the second threshold, and, when it is judged that such a source IP address exists among the source IP addresses, shield the source IP addresses whose connection number is greater than or equal to the second threshold.
7. The apparatus according to claim 6, characterized in that
the processing unit is further configured to shield the first IP address when no source IP address whose connection number is greater than or equal to the second threshold exists among the source IP addresses.
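The decision procedure of method claims 1 to 3, written out as an added example (not code from the patent). It reads the condition in claim 1 as the sum of the connection numbers of the over-threshold sources; the function names, the threshold values and the sample connection records are constructed for illustration.

```python
from collections import Counter, defaultdict

def tally(connections):
    """Group (source_ip, first_ip) records into per-first-IP source counters."""
    table = defaultdict(Counter)
    for src, dst in connections:
        table[dst][src] += 1
    return table

def decide(first_ip, per_source, first_threshold, second_threshold):
    """Return (action, targets) for one first IP address (one virtual host)."""
    total = sum(per_source.values())
    if total < first_threshold:
        return ("none", [])                      # first IP is not under attack
    heavy = {s: n for s, n in per_source.items() if n >= second_threshold}
    # Assumption: the claim-1 condition is the SUM of the heavy sources' counts.
    if heavy and sum(heavy.values()) >= first_threshold:
        return ("shield_sources", sorted(heavy))
    # Either no heavy source exists (claim 3), or the heavy sources alone
    # do not account for the load (second branch of claim 1).
    return ("shield_first_ip", [first_ip])

def plan(connections, first_threshold, second_threshold):
    """Apply the decision to every first IP address seen in the records."""
    return {dst: decide(dst, srcs, first_threshold, second_threshold)
            for dst, srcs in tally(connections).items()}

# Constructed sample: four virtual hosts on one server (documentation ranges).
VHOST_A, VHOST_B = "203.0.113.10", "203.0.113.11"
VHOST_C, VHOST_D = "203.0.113.12", "203.0.113.13"
SAMPLE = (
    # A: 115 connections, two heavy sources carrying 110 of them
    [("198.51.100.7", VHOST_A)] * 70 + [("198.51.100.8", VHOST_A)] * 40
    + [(f"192.0.2.{i}", VHOST_A) for i in range(1, 6)]
    # B: 120 connections, one per source, so no source reaches the second threshold
    + [(f"192.0.2.{i}", VHOST_B) for i in range(1, 121)]
    # C: 120 connections, one heavy source carrying only 30 of them
    + [("198.51.100.9", VHOST_C)] * 30
    + [(f"192.0.2.{i}", VHOST_C) for i in range(1, 91)]
    # D: 10 connections, below the first threshold
    + [("198.51.100.7", VHOST_D)] * 10
)

if __name__ == "__main__":
    for host, action in plan(SAMPLE, first_threshold=100, second_threshold=20).items():
        print(host, action)
```

Stopping the shielding of the first IP address when the preset condition of claim 4 is met is not modelled here.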
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510284470.XA CN106302347B (en) | 2015-05-28 | 2015-05-28 | A kind of network attack treating method and apparatus |
PCT/CN2016/080311 WO2016188294A1 (en) | 2015-05-28 | 2016-04-27 | Network attack processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106302347A CN106302347A (en) | 2017-01-04 |
CN106302347B true CN106302347B (en) | 2019-11-05 |
Family
ID=57392586
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510284470.XA Active CN106302347B (en) | 2015-05-28 | 2015-05-28 | A kind of network attack treating method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106302347B (en) |
WO (1) | WO2016188294A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108965336B (en) * | 2018-09-10 | 2021-03-23 | 杭州迪普科技股份有限公司 | Attack detection method and device |
CN111669359A (en) * | 2019-03-09 | 2020-09-15 | 深圳市锐速云计算有限公司 | Novel network attack processing method and device |
TWI707565B (en) * | 2019-04-19 | 2020-10-11 | 國立中央大學 | Network attacker identifying method and network system |
CN112738089B (en) * | 2020-12-29 | 2023-03-28 | 中国建设银行股份有限公司 | Method and device for automatically backtracking source ip under complex network environment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101594269A (en) * | 2009-06-29 | 2009-12-02 | 成都市华为赛门铁克科技有限公司 | A kind of detection method of unusual connection, device and gateway device |
CN102014116A (en) * | 2009-09-03 | 2011-04-13 | 丛林网络公司 | Protecting against distributed network flood attacks |
CN103001972A (en) * | 2012-12-25 | 2013-03-27 | 苏州山石网络有限公司 | Identification method and identification device and firewall for DDOS (distributed denial of service) attack |
WO2014040292A1 (en) * | 2012-09-17 | 2014-03-20 | 华为技术有限公司 | Protection method and device against attacks |
CN104601542A (en) * | 2014-12-05 | 2015-05-06 | 国云科技股份有限公司 | DDOS (distributed denial of service) active protection method applicable to virtual machine |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20130030086A (en) * | 2011-09-16 | 2013-03-26 | 한국전자통신연구원 | Method and apparatus for defending distributed denial of service attack through abnomal terminated session |
CN104243223A (en) * | 2013-06-06 | 2014-12-24 | 天津蜀都科技有限公司 | High accuracy application identification method and device |
CN103701795B (en) * | 2013-12-20 | 2017-11-24 | 北京奇安信科技有限公司 | The recognition methods of the attack source of Denial of Service attack and device |
2015
- 2015-05-28: CN application CN201510284470.XA, patent CN106302347B, status: Active
2016
- 2016-04-27: WO application PCT/CN2016/080311, publication WO2016188294A1, status: Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2016188294A1 (en) | 2016-12-01 |
CN106302347A (en) | 2017-01-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |