CN106357628A - Attack defense method and device - Google Patents

Publication number: CN106357628A
Authority: CN (China)
Application number: CN201610783731.7A
Other languages: Chinese (zh)
Other versions: CN106357628B (en)
Inventor: 杨枭
Original assignee: Neusoft Corp
Current assignee: Neusoft Corp
Application filed by: Neusoft Corp
Legal status: Granted, Active
Prior art keywords: address, user, attack, suspicious user, preset

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses an attack defense method and device and relates to the technical field of network security. The attack defense method and device are used for increasing the accuracy rate of attack defense. The main technical scheme comprises steps as follows: suspicious user IP (internet protocol) addresses in session information are recognized through a preset threshold value, and the session information contains user IP addresses; the suspicious user IP addresses are subjected to attack IP address filtering according to a preset attack IP address database, and first residual suspicious user IP addresses are obtained; the first residual suspicious user IP addresses are subjected to attack IP address filtering according to service request information in the session information, and second residual suspicious user IP addresses are obtained; the second residual suspicious user IP addresses are subjected to attack IP address filtering according to a preset script program, and the preset script program is used for determining an attack IP address contained in the second residual suspicious user IP addresses; a service request sent by the attack IP address is rejected. The attack defense method and device are mainly used for defending attacks.

Description

Attack defense method and device
Technical field
The present invention relates to the technical field of network security, and more particularly to an attack defense method and device.
Background
The basic attributes of network security are confidentiality, integrity, legitimacy and availability, and attackers use various means to destroy these attributes. The purpose of a distributed denial of service (DDoS) attack is to destroy the availability of a network. HTTP flood (request flooding attack) is currently one of the common DDoS attack methods. It is an attack launched against application-layer web services: the attacker imitates the browsing behavior of normal users and sends a large number of service requests to the web server under attack. Once the target web server is attacked, the attacked web front end responds slowly, and the processing load on the back-end business-layer logic (such as Java) and on the database further behind it increases.
At present, HTTP flood attacks are defended against by the number of HTTP (Hypertext Transfer Protocol) requests a user sends, that is, access by users who send more HTTP requests per unit time than a threshold is prohibited. In practice, however, some normal users also send more HTTP requests than the threshold, and this approach blocks their access as well. The false-positive rate of this defense is therefore high, and the defense accuracy of existing attack defense methods is low.
Summary of the invention
In view of this, the present invention provides an attack defense method and device whose main purpose is to improve the accuracy of attack defense.
According to one aspect of the invention, an attack defense method is provided, comprising:
identifying suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address database, to obtain first remaining suspicious user IP addresses;
filtering attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, to obtain second remaining suspicious user IP addresses;
filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
rejecting the service requests sent from the attack IP addresses.
Specifically, identifying the suspicious user IP addresses in the session information by means of a preset threshold comprises:
obtaining from the session information the number of service requests sent from each user IP address per unit time;
determining a user IP address whose number of service requests sent per unit time is greater than a first preset threshold to be a suspicious user IP address.
Further, after a user IP address whose number of service requests sent per unit time is greater than the first preset threshold is determined to be a suspicious user IP address, the method further comprises:
obtaining the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold;
counting, among the obtained user IP addresses, the number of service requests of each identical user IP address;
determining a user IP address whose number of service requests is greater than a second preset threshold to be a suspicious user IP address.
Specifically, filtering attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, to obtain the second remaining suspicious user IP addresses, comprises:
filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL count threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
filtering out, according to preset URL paths, the suspicious user IP addresses among the first suspicious user IP addresses whose requested URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses;
filtering out, according to preset URL jump relations, the suspicious user IP addresses among the second suspicious user IP addresses whose requested URL jump relation is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses;
filtering out, according to the preset server Host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested Host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
filtering out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose requested URL length is incorrect.
Specifically, filtering attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program comprises:
sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be an attack IP address.
Further, after the suspicious user IP address corresponding to a client that executes the preset script program incorrectly is determined to be an attack IP address, the method further comprises:
if there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method also comprises:
storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address database.
According to another aspect of the invention, an attack defense device is provided, comprising:
an identification unit, configured to identify suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
a first filtering unit, configured to filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address database, to obtain first remaining suspicious user IP addresses;
a second filtering unit, configured to filter attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, to obtain second remaining suspicious user IP addresses;
a third filtering unit, configured to filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
a rejection unit, configured to reject the service requests sent from the attack IP addresses.
Specifically, the identification unit comprises:
an acquisition module, configured to obtain from the session information the number of service requests sent from each user IP address per unit time;
a determining module, configured to determine a user IP address whose number of service requests sent per unit time is greater than the first preset threshold to be a suspicious user IP address.
Further, the identification unit also comprises the following:
the acquisition module is further configured to obtain the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold;
a statistics module, configured to count, among the obtained user IP addresses, the number of service requests of each identical user IP address;
the determining module is configured to determine a user IP address whose number of service requests is greater than the second preset threshold to be a suspicious user IP address.
Specifically, the second filtering unit comprises:
a first filtering module, configured to filter the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL count threshold, and to take the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
a second filtering module, configured to filter out, according to preset URL paths, the suspicious user IP addresses among the first suspicious user IP addresses whose requested URL is incorrect, and to take the filtered first suspicious user IP addresses as second suspicious user IP addresses;
a third filtering module, configured to filter out, according to preset URL jump relations, the suspicious user IP addresses among the second suspicious user IP addresses whose requested URL jump relation is incorrect, and to take the filtered second suspicious user IP addresses as third suspicious user IP addresses;
a fourth filtering module, configured to filter out, according to the preset server Host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested Host field is incorrect, and to take the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
a fifth filtering module, configured to filter out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose requested URL length is incorrect.
Specifically, the third filtering unit comprises:
a sending module, configured to send the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
a determining module, configured to determine, if there is a client that executes the preset script program incorrectly, the suspicious user IP address corresponding to that client to be an attack IP address.
The sending module is further configured to send, if there is a client that executes the preset script program correctly, verification information to that client, so that the client receives a verification code entered according to the verification information;
the determining module is further configured to determine, if the verification code does not correspond to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
the determining module is further configured to determine, if the verification code corresponds to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device also comprises:
a storage unit, configured to store the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address database.
With the above technical scheme, the technical scheme provided by the embodiments of the present invention has at least the following advantages:
In the attack defense method and device provided by the embodiments of the present invention, suspicious user IP addresses in session information are first identified by means of a preset threshold, the session information containing user IP addresses. Attack IP addresses are then filtered out of the suspicious user IP addresses according to a preset attack IP address database, giving the first remaining suspicious user IP addresses. Next, attack IP addresses are filtered out of the first remaining suspicious user IP addresses by means of the service request information in the session information, giving the second remaining suspicious user IP addresses, and attack IP addresses are filtered out of the second remaining suspicious user IP addresses according to a preset script program. Finally, the service requests sent from the attack IP addresses are rejected. Compared with the current practice of defending against HTTP flood attacks according to the number of requests sent per unit time, the embodiments of the present invention defend against HTTP flood attacks by filtering layer by layer: the suspicious user IP addresses in the session information are first identified by means of a preset threshold, the attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to the preset attack IP address database, the service request information and the preset script program in turn, and attack defense is achieved by rejecting the service requests sent from the attack IP addresses. The embodiments of the present invention can thereby improve the accuracy of attack defense.
The above is only an overview of the technical scheme of the present invention. So that the technical means of the present invention can be understood more clearly and practiced according to the content of the description, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flowchart of an attack defense method provided by an embodiment of the present invention;
Fig. 2 shows a structural block diagram of an attack defense device provided by an embodiment of the present invention;
Fig. 3 shows a structural block diagram of another attack defense device provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be conveyed completely to those skilled in the art.
An embodiment of the present invention provides an attack defense method. As shown in Fig. 1, the method includes:
101. Identify the suspicious user Internet Protocol (IP) addresses in the session information by means of a preset threshold.
The session information contains user IP addresses. Session information, i.e. the session, is the interaction information between a user and a web (World Wide Web) server; it is the related information based on one data-stream connection. A suspicious user IP address may be the IP address of either a trusted user or an attacking user.
It should be noted that the number of service requests a normal user sends per unit time has a threshold. If the number of service requests a user sends per unit time does not conform to this threshold, that user may be an attacking user, so the IP address corresponding to that user needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies the suspicious user IP addresses in the session information by means of a preset threshold. The preset threshold can be determined according to the characteristics of the web server and the browsing behavior of normal users; specifically, its size can be determined according to the number of requests a normal user sends to the destination IP address per unit time. For example, if a normal user sends at most 5 requests to the destination IP address within 1 minute, the preset threshold can be set to 5; if a user sends more than 5 service requests to the destination IP address within 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
102. Filter attack IP addresses out of the suspicious user IP addresses according to the preset attack IP address database, to obtain the first remaining suspicious user IP addresses.
The preset attack IP address database is configured in advance and contains all attack IP addresses that have already been determined. If a suspicious user IP address appears in the preset attack IP address database, it is determined to be an attack IP address and is filtered out of the suspicious user IP addresses; the suspicious user IP addresses left after filtering are the first remaining suspicious user IP addresses. If a suspicious user IP address does not appear in the preset attack IP address database, the first remaining suspicious user IP addresses are filtered further by the service request information in step 103, to filter out the attack IP addresses that can be determined from the service request information.
103. Filter attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, to obtain the second remaining suspicious user IP addresses.
The service request information may specifically be the URL (Uniform Resource Locator) requested by the user, the Host field and similar information, which the embodiments of the present invention do not specifically limit. In the embodiment of the present invention, attack IP addresses can be filtered out of the first remaining suspicious user IP addresses according to information such as the preset request URL count threshold, the preset URL paths, the preset URL jump relations, the preset server Host field and the preset URL length. That is, among the first remaining suspicious user IP addresses, a suspicious user IP address is determined to be an attack IP address if its number of URL requests does not conform to the preset request URL count threshold, its requested URL is not a preset URL path, the jump relation of its requested URL does not conform to the preset URL jump relations, its requested server Host field does not conform to the preset server Host field, or the length of its requested URL does not conform to the preset URL length. The addresses determined to be attack IP addresses are filtered out of the first remaining suspicious user IP addresses, and the first remaining suspicious user IP addresses left after filtering are the second remaining suspicious user IP addresses.
104. Filter attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program.
The preset script program is used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses. The preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute it. If the client executes the preset script program incorrectly, the suspicious user IP address corresponding to the client is determined to be an attack IP address. If the client executes the preset script program correctly, a human-machine interaction verification code is further used to judge whether the suspicious user IP address is an attack IP address: if the verification code entered at the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address; if the verification code entered at the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted IP address.
105. Reject the service requests sent from the attack IP addresses.
The attack defense method provided by the embodiment of the present invention defends against HTTP flood attacks by filtering layer by layer: the suspicious user IP addresses in the session information are first identified by means of a preset threshold, the attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to the preset attack IP address database, the service request information and the preset script program in turn, and attack defense is achieved by rejecting the service requests sent from the attack IP addresses. Because the suspicious user IP addresses in the session information can be identified quickly by the preset threshold, and the attack IP addresses among them are filtered by the preset attack IP address database, the service request information and the preset script program in order of filtering speed, the efficiency of determining attack IPs is improved. The embodiment of the present invention can thereby improve both the accuracy and the efficiency of attack defense.
To better explain the attack defense method provided by the embodiments of the present invention, the following embodiments refine and extend each of the above steps.
Specifically, identifying the suspicious user IP addresses in the session information by means of a preset threshold in step 101 includes: obtaining from the session information the number of service requests sent from each user IP address per unit time, and determining a user IP address whose number of service requests sent per unit time is greater than the first preset threshold to be a suspicious user IP address. The first preset threshold is determined according to the number of service requests a normal user sends per unit time. If a normal user sends 10 service requests within 1 minute, the first preset threshold can be set to 10; if a user sends more than 10 service requests within 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
Further, after a user IP address whose number of service requests sent per unit time is greater than the first preset threshold is determined to be a suspicious user IP address, the method also includes: obtaining the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold; counting, among the obtained user IP addresses, the number of service requests of each identical user IP address; and determining a user IP address whose number of service requests is greater than the second preset threshold to be a suspicious user IP address.
It should be noted that users in the same LAN have the same IP address but different session information. To prevent an attacker from attacking the web server through multiple terminal devices in a LAN, the number of service requests of each identical user IP address must therefore be counted, and a user IP address whose number of service requests is greater than the second preset threshold is determined to be a suspicious user IP address. The second preset threshold is determined according to the number of service requests normally sent from a LAN per unit time. For example, suppose three identical user IP addresses are obtained from the session information within the unit time, and they send 10, 15 and 20 service requests to the web server respectively. The total number of service requests sent from this user IP address is 45; if the second preset threshold is 30, the user IP address can be determined to be a suspicious user IP address.
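The two-threshold identification of step 101, followed by the database lookup of step 102, is sketched below as an added example; it is not code from the patent. The session records, the attack IP database contents and the first threshold of 20 are constructed (20 is chosen so that the three LAN sessions of 10, 15 and 20 requests each stay at or under it); the second threshold of 30 is the value used in the text.

```python
from collections import defaultdict

# Constructed session records: (session_id, user_ip, requests_in_unit_time).
# 203.0.113.7 reproduces the LAN case in the text: three sessions behind one
# address sending 10, 15 and 20 requests.
SESSIONS = [
    ("s1", "203.0.113.7", 10),
    ("s2", "203.0.113.7", 15),
    ("s3", "203.0.113.7", 20),
    ("s4", "198.51.100.4", 64),
    ("s5", "192.0.2.10", 3),
    ("s6", "192.0.2.99", 41),
]

FIRST_THRESHOLD = 20           # per-session limit (assumed value)
SECOND_THRESHOLD = 30          # per-IP limit across sessions (from the text)
ATTACK_IP_DB = {"192.0.2.99"}  # constructed stand-in for the attack IP database


def identify_suspicious(sessions, first_threshold, second_threshold):
    """Step 101: return {ip: reason} for every suspicious user IP address."""
    suspicious = {}
    under_first = defaultdict(int)
    for _session_id, ip, count in sessions:
        if count > first_threshold:
            # A single session already exceeds the first preset threshold.
            suspicious[ip] = "session over first threshold"
        else:
            # Sessions at or under the first threshold are summed per IP so
            # that many quiet terminals behind one address are still noticed.
            under_first[ip] += count
    for ip, total in under_first.items():
        if ip not in suspicious and total > second_threshold:
            suspicious[ip] = "aggregate over second threshold"
    return suspicious


def filter_by_attack_db(suspicious_ips, attack_db):
    """Step 102: split into (attack IPs, first remaining suspicious IPs)."""
    attack = sorted(ip for ip in suspicious_ips if ip in attack_db)
    remaining = sorted(ip for ip in suspicious_ips if ip not in attack_db)
    return attack, remaining


if __name__ == "__main__":
    found = identify_suspicious(SESSIONS, FIRST_THRESHOLD, SECOND_THRESHOLD)
    for ip, reason in sorted(found.items()):
        print(f"{ip:15} {reason}")
    attack, remaining = filter_by_attack_db(found, ATTACK_IP_DB)
    print("attack:", attack)
    print("first remaining:", remaining)
```
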
Specifically, step 103 by the service request information in described session information from the described first remaining suspicious use Filter in the ip address of family and attack ip address, obtain the second remaining suspicious user ip address and include: according to preset request url quantity Threshold value filters described attack ip address from the described first remaining suspicious user ip address, and after filtering first is remaining Suspicious user ip address is as the first suspicious user ip address;According to preset url path by described first suspicious user ip address Middle request url incorrect suspicious user ip address filtering falls, and using the first suspicious user ip address after filtering as second Suspicious user ip address;Relation is redirected according to preset url request url in described second suspicious user ip address is redirected relation not Correct suspicious user ip address filtering falls, and using the second suspicious user ip address after filtering as the 3rd suspicious user ip ground Location;The incorrect suspicious use of host field will be asked according to preset service device host field in described 3rd suspicious user ip address Family ip address filtering falls, and using the 3rd suspicious user ip address after filtering as the 4th suspicious user ip address;According to preset Request url length incorrect suspicious user ip address filtering in described 4th suspicious user ip address is fallen by url length.
The request URL quantity threshold is determined from the number of times a normal user requests the same URL per unit time. If the number of times user A requests the same URL per unit time exceeds the preset request URL quantity threshold, the IP address of user A is determined to be an attack IP address and is filtered out of the first remaining suspicious user IP addresses. The preset URL path is set in advance on the web server. If the URL a user requests is not a URL path set on the web server, that user's IP address is determined to be an attack IP address and is filtered out of the first suspicious user IP addresses. The preset URL jump relation is likewise set in advance on the web server, and the jump relation of a URL can specifically be represented by the Reference. For example, a user requests web page B by jumping from web page A, whereas the jump relation set on the web server allows web page B to be requested only from web page C; the jump relation of this user's requested URL is therefore incorrect, so the user's IP address is determined to be an attack IP address and is filtered out of the second suspicious user IP addresses. The preset server Host field is the Host field of the web server. If the Host field in a user's request is not the server's Host field, that user's IP address is determined to be an attack IP address and is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual requirements and may specifically be 20, 30, 40 and so on; the embodiment of the present invention does not specifically limit it. If the length of the URL a user requests exceeds the preset URL length, that user's IP address is determined to be an attack IP address and is filtered out of the fourth suspicious user IP addresses.
It should be noted that, because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in order of filtering speed, successively by the preset request URL quantity threshold, the preset URL path, the preset URL jump relation, the preset server Host field and the preset URL length, the efficiency of determining attack IPs is improved, and the embodiment of the present invention can therefore improve the efficiency of attack defense.
Specifically, step 104, filtering attack IP addresses from the second remaining suspicious user IP addresses according to the preset script program, includes: sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program; and, if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be an attack IP address. The preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program.
Further, after the suspicious user IP address corresponding to a client that executes the preset script program incorrectly has been determined to be an attack IP address, the method also includes: if there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information; if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address; and if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method also includes: storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library, so that the attack IP addresses in the library are updated. It should be noted that when an attack IP address in the preset attack IP address library is reassigned to a normal user, that user, in order to send service requests, needs to send a user identity verification request to the web server; after the web server's verification succeeds, the corresponding attack IP address is deleted from the preset attack IP address library, so that the user's normal service requests can be served.
Further, an embodiment of the present invention provides an attack defense device. As shown in Fig. 2, the device includes: an identification unit 21, a first filtering unit 22, a second filtering unit 23, a third filtering unit 24 and a rejection unit 25.
The identification unit 21 is configured to identify suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses.
The session information is the information exchanged between a user and the web server, that is, the information associated with one data flow connection. A suspicious user IP address may be the IP address of a trusted user or of an attacking user.
It should be noted that the number of service requests a normal user sends per unit time stays within a threshold. If the number of service requests a user sends per unit time does not conform to this threshold, the user may be an attacking user, so the user's IP address needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies the suspicious user IP addresses in the session information by means of a preset threshold. The preset threshold can be determined from the characteristics of the web server and the Internet behaviour of normal users; specifically, its size can be determined from the number of requests a normal user sends to the destination IP address per unit time. For example, if a normal user sends no more than 5 requests to the destination IP address in 1 minute, the preset threshold can be set to 5; if a user sends more than 5 service requests to the destination IP address in 1 minute, that user's IP address can be determined to be a suspicious user IP address.
The first filtering unit 22 is configured to filter attack IP addresses from the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses.
The preset attack IP address library is configured in advance and contains all the attack IP addresses that have been determined. If a suspicious user IP address appears in the preset attack IP address library, it is determined to be an attack IP address and is filtered out of the suspicious user IP addresses, and the suspicious user IP addresses left after filtering are determined to be the first remaining suspicious user IP addresses. If a suspicious user IP address does not appear in the preset attack IP address library, the first remaining suspicious user IP addresses are filtered further by the service request information in step 103, so as to filter out the attack IP addresses determined from the service request information.
The second filtering unit 23 is configured to filter attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses.
The service request information may specifically be the URL (uniform resource locator) requested by the user, the Host field and similar information; the embodiment of the present invention does not specifically limit it. In the embodiment of the present invention, attack IP addresses can be filtered from the first remaining suspicious user IP addresses according to information such as the preset request URL quantity threshold, the preset URL path, the preset URL jump relation, the preset server Host field and the preset URL length. That is, among the first remaining suspicious user IP addresses, those whose number of URL requests does not conform to the preset request URL quantity threshold, those whose requested URL is not a preset URL path, those whose requested URL jump relation does not conform to the preset URL jump relation, those whose requested server Host field does not conform to the preset server Host field, and those whose requested URL length does not conform to the preset URL length are determined to be attack IP addresses and are filtered out of the first remaining suspicious user IP addresses; the first remaining suspicious user IP addresses left after filtering are finally determined to be the second remaining suspicious user IP addresses.
The third filtering unit 24 is configured to filter attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses.
The preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program. If the client executes the preset script program incorrectly, the suspicious user IP address corresponding to the client is determined to be an attack IP address. If the client executes the preset script program correctly, a human-computer interaction verification code is further used to judge whether the suspicious user IP address is an attack IP address: if the verification code entered at the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address; if the verification code entered at the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted IP address.
The rejection unit 25 is configured to reject the service requests sent from the attack IP addresses.
Further, as shown in Fig. 3, the identification unit 21 includes:
An acquisition module 211, configured to obtain from the session information the number of service requests sent from each user IP address per unit time;
A determination module 212, configured to determine the user IP addresses whose number of service requests sent per unit time is greater than a first preset threshold to be suspicious user IP addresses. The first preset threshold is determined from the number of service requests a normal user sends per unit time. If a normal user sends 10 service requests in 1 minute, the first preset threshold can be set to 10; if a user sends more than 10 service requests in 1 minute, that user's IP address can be determined to be a suspicious user IP address.
Further, the identification unit 21 also includes the following:
The acquisition module 211 is further configured to obtain the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold;
A statistics module 213, configured to count, from the obtained user IP addresses, the number of service requests of identical user IP addresses;
The determination module 212 is further configured to determine the user IP addresses whose counted number of service requests is greater than a second preset threshold to be suspicious user IP addresses.
It should be noted that users in the same local area network have the same IP address but different session information. Therefore, to prevent an attacker from attacking the web server through multiple terminal devices in a local area network, the service requests of identical user IP addresses need to be counted, and the user IP addresses whose number of service requests is greater than the second preset threshold are then determined to be suspicious user IP addresses. The second preset threshold is determined from the number of service requests normally sent per unit time within a local area network. For example, three identical user IP addresses are obtained from the session information within the unit time, and they send 10, 15 and 20 service requests to the web server respectively, so the service requests sent from this user IP address total 45; if the second preset threshold is 30, this user IP address can be determined to be a suspicious user IP address.
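The two-threshold identification performed by modules 211 to 213 can be sketched as follows. This is an added example, not code from the patent; the record layout, the function name `identify_suspicious`, the one-minute window and the sample addresses and threshold values (25 and 30) are assumptions chosen so that the 10/15/20 case above can be reproduced.

```python
from collections import Counter, defaultdict

WINDOW = 60  # unit time in seconds (assumed: one minute)


def identify_suspicious(requests, first_threshold, second_threshold, window=WINDOW):
    """Return {ip: reason} for suspicious user IP addresses.

    requests: iterable of (epoch_seconds, session_id, client_ip).
    reason is "session" when a single session exceeded the first threshold,
    "aggregate" when only the per-IP sum of the remaining sessions exceeded
    the second threshold (several terminals behind one LAN address).
    """
    # Requests per (time bucket, session, IP): what acquisition module 211 obtains.
    per_session = Counter()
    for ts, session_id, ip in requests:
        per_session[(int(ts) // window, session_id, ip)] += 1

    suspicious = {}
    per_ip = defaultdict(int)
    for (bucket, _sid, ip), count in per_session.items():
        if count > first_threshold:
            # Determination module 212, first preset threshold.
            suspicious[ip] = "session"
        else:
            # Statistics module 213: sum the sessions that share an IP address.
            per_ip[(bucket, ip)] += count

    for (_bucket, ip), total in per_ip.items():
        if total > second_threshold:
            # Determination module 212, second preset threshold.
            suspicious.setdefault(ip, "aggregate")
    return suspicious


def burst(start, session_id, ip, n):
    """Build n constructed request records, one per second from start."""
    return [(start + i, session_id, ip) for i in range(n)]


T0 = 1472601600  # constructed start time, aligned to a window boundary

# Constructed sample traffic, all inside one unit-time window.
SAMPLE = (
    burst(T0, "s1", "198.51.100.7", 10)    # three sessions behind one LAN address
    + burst(T0, "s2", "198.51.100.7", 15)
    + burst(T0, "s3", "198.51.100.7", 20)
    + burst(T0, "s4", "203.0.113.9", 40)   # one session well above the first threshold
    + burst(T0, "s5", "192.0.2.5", 8)      # ordinary user
)

if __name__ == "__main__":
    for ip, reason in sorted(identify_suspicious(SAMPLE, 25, 30).items()):
        print(ip, reason)
```

With a first threshold of 25 and a second threshold of 30, the LAN address is flagged only by the aggregate count of 45, which a per-session check alone would miss.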
Specifically, the second filtering unit 23 includes:
A first filtering module 231, configured to filter the attack IP addresses from the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and to take the first remaining suspicious user IP addresses left after filtering as first suspicious user IP addresses;
A second filtering module 232, configured to filter out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose requested URL is incorrect, and to take the first suspicious user IP addresses left after filtering as second suspicious user IP addresses;
A third filtering module 233, configured to filter out, according to a preset URL jump relation, the suspicious user IP addresses among the second suspicious user IP addresses whose requested URL jump relation is incorrect, and to take the second suspicious user IP addresses left after filtering as third suspicious user IP addresses;
A fourth filtering module 234, configured to filter out, according to a preset server Host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested Host field is incorrect, and to take the third suspicious user IP addresses left after filtering as fourth suspicious user IP addresses;
A fifth filtering module 235, configured to filter out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose requested URL length is incorrect.
The request URL quantity threshold is determined from the number of times a normal user requests the same URL per unit time. If the number of times user A requests the same URL per unit time exceeds the preset request URL quantity threshold, the IP address of user A is determined to be an attack IP address and is filtered out of the first remaining suspicious user IP addresses. The preset URL path is set in advance on the web server. If the URL a user requests is not a URL path set on the web server, that user's IP address is determined to be an attack IP address and is filtered out of the first suspicious user IP addresses. The preset URL jump relation is likewise set in advance on the web server, and the jump relation of a URL can specifically be represented by the Reference. For example, a user requests web page B by jumping from web page A, whereas the jump relation set on the web server allows web page B to be requested only from web page C; the jump relation of this user's requested URL is therefore incorrect, so the user's IP address is determined to be an attack IP address and is filtered out of the second suspicious user IP addresses. The preset server Host field is the Host field of the web server. If the Host field in a user's request is not the server's Host field, that user's IP address is determined to be an attack IP address and is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual requirements and may specifically be 20, 30, 40 and so on; the embodiment of the present invention does not specifically limit it. If the length of the URL a user requests exceeds the preset URL length, that user's IP address is determined to be an attack IP address and is filtered out of the fourth suspicious user IP addresses.
It should be noted that, because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in order of filtering speed, successively by the preset request URL quantity threshold, the preset URL path, the preset URL jump relation, the preset server Host field and the preset URL length, the efficiency of determining attack IPs is improved, and the embodiment of the present invention can therefore improve the efficiency of attack defense.
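The five-step chain of step 103 and of filtering modules 231 to 235 can be sketched as follows, each check running only on the addresses that survived the previous one. This is an added example, not code from the patent; the policy values, the host name `shop.example`, the function names and the sample requests are constructed, and reading the jump relation from the HTTP Referer header is an assumption.

```python
from collections import Counter
from urllib.parse import urlsplit

# Preset values held on the web server (all constructed for this example).
POLICY = {
    "max_same_url": 5,                        # preset request URL quantity threshold
    "paths": {"/", "/login", "/account", "/search"},  # preset URL paths
    "jump": {"/account": {"/login"}},         # /account may only be reached from /login
    "host": "shop.example",                   # preset server Host field
    "max_url_len": 40,                        # preset URL length
}


def path_of(url):
    return urlsplit(url).path


def too_many_same_url(reqs, p):
    # The sample is assumed to cover a single unit-time window.
    return any(n > p["max_same_url"] for n in Counter(r["url"] for r in reqs).values())


def unknown_path(reqs, p):
    return any(path_of(r["url"]) not in p["paths"] for r in reqs)


def bad_jump(reqs, p):
    for r in reqs:
        allowed_from = p["jump"].get(path_of(r["url"]))
        if allowed_from is not None and path_of(r.get("referer", "")) not in allowed_from:
            return True
    return False


def wrong_host(reqs, p):
    return any(r.get("host", "").lower() != p["host"] for r in reqs)


def url_too_long(reqs, p):
    return any(len(r["url"]) > p["max_url_len"] for r in reqs)


# The order given in the text: quantity, path, jump relation, Host, length.
STAGES = [
    ("url_count", too_many_same_url),
    ("url_path", unknown_path),
    ("url_jump", bad_jump),
    ("host", wrong_host),
    ("url_length", url_too_long),
]


def filter_by_service_request(requests_by_ip, policy=POLICY):
    """Return (attack, remaining): {ip: stage that flagged it} and the
    second remaining suspicious user IP addresses."""
    remaining = dict(requests_by_ip)
    attack = {}
    for name, check in STAGES:
        flagged = [ip for ip, reqs in remaining.items() if check(reqs, policy)]
        for ip in flagged:
            attack[ip] = name
            del remaining[ip]  # later stages never see this address again
    return attack, set(remaining)


def req(url, referer="", host="shop.example"):
    return {"url": url, "referer": referer, "host": host}


# Constructed first remaining suspicious user IP addresses and their requests.
SAMPLE_REQUESTS = {
    "192.0.2.10": [req("/login"), req("/account", "http://shop.example/login")],
    "198.51.100.20": [req("/")] * 6,
    "198.51.100.21": [req("/admin.php")],
    "198.51.100.22": [req("/account", "http://shop.example/search")],
    "198.51.100.23": [req("/", host="other.example")],
    "198.51.100.24": [req("/search?q=" + "a" * 40)],
    "198.51.100.25": [req("/admin.php")] * 6,  # fails two checks, caught by the first
}

if __name__ == "__main__":
    attack, remaining = filter_by_service_request(SAMPLE_REQUESTS)
    print(attack)
    print(remaining)
```

An address that violates several checks is reported by the earliest stage only, which is what makes the ordering of the stages matter for cost.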
Specifically, the third filtering unit 24 includes:
A sending module 241, configured to send the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
A determination module 242, configured to determine, if there is a client that executes the preset script program incorrectly, the suspicious user IP address corresponding to that client to be an attack IP address.
The sending module 241 is further configured to send, if there is a client that executes the preset script program correctly, verification information to that client, so that the client receives a verification code entered according to the verification information;
The determination module 242 is further configured to determine, if the verification code does not correspond to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
The determination module 242 is further configured to determine, if the verification code corresponds to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device also includes:
A storage unit 26, configured to store the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
It should be noted that when an attack IP address in the preset attack IP address library is reassigned to a normal user, that user, in order to send service requests, needs to send a user identity verification request to the web server; after the web server's verification succeeds, the corresponding attack IP address is deleted from the preset attack IP address library, so that the user's normal service requests can be served.
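The decision made in step 104 and by modules 241 and 242, followed by the update performed by storage unit 26, can be sketched on the server side as follows. This is an added example, not code from the patent, which does not say what the preset script computes; the arithmetic challenge, the HMAC tag binding it to the client IP, the cookie name and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)


def make_tag(ip, a, b):
    """Bind a challenge to the client IP so it cannot be reused by another address."""
    msg = f"{ip}|{a}|{b}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(ip):
    """Build the preset script for one client (what sending module 241 sends)."""
    a, b = secrets.randbelow(10**6), secrets.randbelow(10**6)
    script = (
        f"document.cookie='js_answer='+({a}+{b})+';path=/';"
        "location.reload();"
    )
    return {"a": a, "b": b, "tag": make_tag(ip, a, b), "script": script}


def script_executed_correctly(ip, challenge, answer):
    """True only if the challenge is ours, was issued to this IP, and the
    client returned the value the script computes."""
    try:
        a, b = int(challenge["a"]), int(challenge["b"])
    except (KeyError, TypeError, ValueError):
        return False
    supplied = str(challenge.get("tag", "")).encode()
    if not hmac.compare_digest(supplied, make_tag(ip, a, b).encode()):
        return False
    return answer is not None and str(answer) == str(a + b)


def third_stage(ip, challenge, answer, captcha_expected, captcha_input, attack_ip_library):
    """Return "attack" or "trusted"; attack addresses are stored in the library.

    A missing verification code is treated as not corresponding to the
    verification information (an assumption of this example).
    """
    if not script_executed_correctly(ip, challenge, answer):
        attack_ip_library.add(ip)          # storage unit 26
        return "attack"
    if captcha_input is None or not hmac.compare_digest(
        str(captcha_input).encode(), str(captcha_expected).encode()
    ):
        attack_ip_library.add(ip)
        return "attack"
    return "trusted"


if __name__ == "__main__":
    library = set()
    ch = issue_challenge("192.0.2.10")
    print(third_stage("192.0.2.10", ch, ch["a"] + ch["b"], "7KQ2", "7KQ2", library))
    print(third_stage("198.51.100.30", issue_challenge("198.51.100.30"), None, "7KQ2", None, library))
    print(sorted(library))
```

A client that never runs the script returns no answer and is classified at the first check, so the verification code is only ever shown to clients that executed the script correctly.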
Another attack defense device provided by the embodiment of the present invention defends against HTTP flood attacks by filtering layer by layer: it first identifies the suspicious user IP addresses in the session information by a preset threshold, then filters attack IP addresses out of the suspicious user IP addresses layer by layer, successively according to the preset attack IP address library, the service request information and the preset script program, and achieves attack defense by rejecting the service requests sent from the attack IP addresses. Because the suspicious user IP addresses in the session information can be identified quickly by the preset threshold, and the attack IP addresses among them are filtered in order of filtering speed, successively by the preset attack IP address library, the service request information and the preset script program, the efficiency of determining attack IPs is improved, and the embodiment of the present invention can therefore improve both the accuracy and the efficiency of attack defense.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
It is understood that the related features of the above method and device may refer to one another. In addition, "first", "second" and so on in the above embodiments are used to distinguish the embodiments and do not represent the merits of each embodiment.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description above of a specific language is given to disclose the best mode of the invention.
The description provided herein sets out a large number of specific details. It should be understood, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all the features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment can be changed adaptively and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all the features disclosed in this specification (including the accompanying claims, abstract and drawings) and all the processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the attack defense method and device according to the embodiments of the present invention. The present invention can also be implemented as a device or device program (for example, computer programs and computer program products) for executing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words can be interpreted as names.

Claims (10)

1. An attack defense method, characterized by including:
Identifying suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
Filtering attack IP addresses from the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
Filtering attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses;
Filtering attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
Rejecting the service requests sent from the attack IP addresses.
2. The method according to claim 1, characterized in that identifying suspicious user IP addresses in session information by means of a preset threshold includes:
Obtaining from the session information the number of service requests sent from each user IP address per unit time;
Determining the user IP addresses whose number of service requests sent per unit time is greater than a first preset threshold to be the suspicious user IP addresses.
3. The method according to claim 2, characterized in that, after the user IP addresses whose number of service requests sent per unit time is greater than the first preset threshold are determined to be the suspicious user IP addresses, the method also includes:
Obtaining the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold;
Counting, from the obtained user IP addresses, the number of service requests of identical user IP addresses;
Determining the user IP addresses whose number of service requests is greater than a second preset threshold to be the suspicious user IP addresses.
4. The method according to claim 1, characterized in that filtering attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses, includes:
Filtering the attack IP addresses from the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the first remaining suspicious user IP addresses left after filtering as first suspicious user IP addresses;
Filtering out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose requested URL is incorrect, and taking the first suspicious user IP addresses left after filtering as second suspicious user IP addresses;
Filtering out, according to a preset URL jump relation, the suspicious user IP addresses among the second suspicious user IP addresses whose requested URL jump relation is incorrect, and taking the second suspicious user IP addresses left after filtering as third suspicious user IP addresses;
Filtering out, according to a preset server Host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested Host field is incorrect, and taking the third suspicious user IP addresses left after filtering as fourth suspicious user IP addresses;
Filtering out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose requested URL length is incorrect.
5. The method according to claim 1, characterized in that filtering attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program includes:
Sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
If there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be the attack IP address.
6. The method according to claim 5, characterized in that, after the suspicious user IP address corresponding to the client that executes the preset script program incorrectly is determined to be the attack IP address, the method also includes:
If there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information;
If the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
If the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
7. The method according to any one of claims 1-6, characterized in that the method also includes:
Storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
8. An attack defense device, characterized by including:
An identification unit, configured to identify suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
A first filtering unit, configured to filter attack IP addresses from the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
A second filtering unit, configured to filter attack IP addresses from the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses;
A third filtering unit, configured to filter attack IP addresses from the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
A rejection unit, configured to reject the service requests sent from the attack IP addresses.
9. The device according to claim 8, characterized in that the identification unit includes:
An acquisition module, configured to obtain from the session information the number of service requests sent from each user IP address per unit time;
A determination module, configured to determine the user IP addresses whose number of service requests sent per unit time is greater than a first preset threshold to be the suspicious user IP addresses.
10. device according to claim 9 is it is characterised in that described recognition unit also includes:
Described acquisition module, the number of times being additionally operable to obtain transmission service request in the described unit interval is preset less than or equal to first The user ip address of threshold value;
Statistical module, for counting the service request number of times of same subscriber ip address from the user ip address of described acquisition;
Described determining module, the user ip address for described service request number of times is more than the second preset threshold value is defined as described Suspicious user ip address.
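The two-threshold identification of claims 9 and 10, followed by the first filtering unit of claim 8, as an added Python example (not code from the patent). The function names, the session records, the threshold values and the choice to count the second threshold over the whole log are assumptions.

```python
from collections import Counter, defaultdict

# Constructed session records (second, user_ip); addresses are documentation ranges.
SESSIONS = (
    [(0, "203.0.113.5")] * 12                                     # burst in one second
    + [(t, "198.51.100.7") for t in range(10) for _ in range(3)]  # 3 per second for 10 s
    + [(0, "192.0.2.10"), (5, "192.0.2.10")]                      # ordinary client
)

def identify_suspicious(sessions, unit_seconds, first_threshold, second_threshold):
    """Return (burst, cumulative): suspicious IPs per claim 9 and per claim 10."""
    per_window = defaultdict(Counter)          # window index -> ip -> request count
    for ts, ip in sessions:
        per_window[ts // unit_seconds][ip] += 1
    peak, total = Counter(), Counter()
    for counts in per_window.values():
        for ip, n in counts.items():
            peak[ip] = max(peak[ip], n)        # busiest single unit of time
            total[ip] += n                     # all requests seen for this IP
    # Claim 9: more requests in a unit of time than the first preset threshold.
    burst = {ip for ip, n in peak.items() if n > first_threshold}
    # Claim 10: never above the first threshold, but the per-IP request count
    # exceeds the second preset threshold (assumed: counted over the whole log).
    cumulative = {ip for ip, n in total.items()
                  if ip not in burst and n > second_threshold}
    return burst, cumulative

def first_filter(suspicious, attack_library):
    """Claim 8, first filtering unit: split off IPs already in the attack library."""
    attack = suspicious & attack_library
    return attack, suspicious - attack

def run_example():
    burst, cumulative = identify_suspicious(SESSIONS, 1, 10, 20)
    library = {"203.0.113.5"}                  # constructed preset attack IP library
    attack, remaining = first_filter(burst | cumulative, library)
    return burst, cumulative, attack, remaining

if __name__ == "__main__":
    print(run_example())
```

The `remaining` set corresponds to the first remaining suspicious user IP addresses, which the claims pass on to the second and third filtering units; those stages are not modelled here.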
CN201610783731.7A 2016-08-31 2016-08-31 The defence method and device of attack Active CN106357628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610783731.7A CN106357628B (en) 2016-08-31 2016-08-31 The defence method and device of attack

Publications (2)

Publication Number Publication Date
CN106357628A true CN106357628A (en) 2017-01-25
CN106357628B CN106357628B (en) 2019-09-06

Family

ID=57858274

Country Status (1)

Country Link
CN (1) CN106357628B (en)

Also Published As

Publication number Publication date
CN106357628B (en) 2019-09-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant