CN106357628A - Attack defense method and device - Google Patents
- Publication number
- CN106357628A (CN201610783731.7A)
- Authority
- CN
- China
- Prior art keywords
- address
- user
- attack
- suspicious user
- preset
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an attack defense method and device and relates to the technical field of network security. The attack defense method and device are used for increasing the accuracy rate of attack defense. The main technical scheme comprises steps as follows: suspicious user IP (internet protocol) addresses in session information are recognized through a preset threshold value, and the session information contains user IP addresses; the suspicious user IP addresses are subjected to attack IP address filtering according to a preset attack IP address database, and first residual suspicious user IP addresses are obtained; the first residual suspicious user IP addresses are subjected to attack IP address filtering according to service request information in the session information, and second residual suspicious user IP addresses are obtained; the second residual suspicious user IP addresses are subjected to attack IP address filtering according to a preset script program, and the preset script program is used for determining an attack IP address contained in the second residual suspicious user IP addresses; a service request sent by the attack IP address is rejected. The attack defense method and device are mainly used for defending attacks.
Description
Technical field
The present invention relates to the technical field of network security, and more particularly to an attack defense method and device.
Background
The basic attributes of network security are confidentiality, integrity, legitimacy and availability, and attackers use various means to undermine these attributes. The purpose of a distributed denial of service (DDoS) attack is to destroy the availability of a network. HTTP flood (request flooding) is currently a common form of DDoS attack. It is launched against application-layer web services: the attacker imitates the browsing behavior of normal users and sends a large number of service requests to the web server under attack. Once the target web server is attacked, its web front end responds slowly, and the processing load on the back-end business logic, such as Java, and on the databases further behind it increases.
At present, HTTP (hypertext transfer protocol) flood attacks are defended against by the number of HTTP requests a user sends, that is, access by any user who sends more HTTP requests per unit time than a threshold is prohibited. In practice, however, some normal users also send more HTTP requests than the threshold, and this approach blocks their access as well. Its false-positive rate is therefore high, and the defense accuracy of existing attack defense methods is low.
Summary of the invention
In view of this, the present invention provides an attack defense method and device whose main purpose is to improve the accuracy of attack defense.
According to one aspect of the invention, an attack defense method is provided, comprising:
identifying suspicious user Internet Protocol (IP) addresses in session information by a preset threshold, the session information containing user IP addresses;
filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address database to obtain first remaining suspicious user IP addresses;
filtering attack IP addresses out of the first remaining suspicious user IP addresses according to the service request information in the session information to obtain second remaining suspicious user IP addresses;
filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
rejecting the service requests sent by the attack IP addresses.
Specifically, identifying the suspicious user IP addresses in the session information by a preset threshold includes:
obtaining from the session information the number of service requests sent by each user IP address per unit time;
determining a user IP address whose number of service requests per unit time is greater than a first preset threshold to be a suspicious user IP address.
Further, after a user IP address whose number of service requests per unit time is greater than the first preset threshold is determined to be a suspicious user IP address, the method further includes:
obtaining the user IP addresses whose number of service requests per unit time is less than or equal to the first preset threshold;
counting, among the obtained user IP addresses, the number of service requests of each identical user IP address;
determining a user IP address whose number of service requests is greater than a second preset threshold to be a suspicious user IP address.
Specifically, filtering attack IP addresses out of the first remaining suspicious user IP addresses according to the service request information in the session information to obtain the second remaining suspicious user IP addresses includes:
filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the first remaining suspicious user IP addresses after filtering as first suspicious user IP addresses;
filtering out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose requested URL is incorrect, and taking the first suspicious user IP addresses after filtering as second suspicious user IP addresses;
filtering out, according to a preset URL jump relationship, the suspicious user IP addresses among the second suspicious user IP addresses whose requested URL jump relationship is incorrect, and taking the second suspicious user IP addresses after filtering as third suspicious user IP addresses;
filtering out, according to a preset server Host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested Host field is incorrect, and taking the third suspicious user IP addresses after filtering as fourth suspicious user IP addresses;
filtering out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose requested URL length is incorrect.
Specifically, filtering attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program includes:
sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be an attack IP address.
Further, after the suspicious user IP address corresponding to a client that executes the preset script program incorrectly is determined to be an attack IP address, the method further includes:
if there is a client that executes the preset script program correctly, sending verification information to that client so that the client receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method also includes:
storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address database.
According to another aspect of the invention, an attack defense device is provided, comprising:
an identification unit, configured to identify suspicious user Internet Protocol (IP) addresses in session information by a preset threshold, the session information containing user IP addresses;
a first filtering unit, configured to filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address database to obtain first remaining suspicious user IP addresses;
a second filtering unit, configured to filter attack IP addresses out of the first remaining suspicious user IP addresses according to the service request information in the session information to obtain second remaining suspicious user IP addresses;
a third filtering unit, configured to filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
a rejection unit, configured to reject the service requests sent by the attack IP addresses.
Specifically, the identification unit includes:
an acquisition module, configured to obtain from the session information the number of service requests sent by each user IP address per unit time;
a determination module, configured to determine a user IP address whose number of service requests per unit time is greater than a first preset threshold to be a suspicious user IP address.
Further, the identification unit also includes:
the acquisition module, further configured to obtain the user IP addresses whose number of service requests per unit time is less than or equal to the first preset threshold;
a statistics module, configured to count, among the obtained user IP addresses, the number of service requests of each identical user IP address;
the determination module, configured to determine a user IP address whose number of service requests is greater than a second preset threshold to be a suspicious user IP address.
Specifically, the second filtering unit includes:
a first filtering module, configured to filter the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and to take the first remaining suspicious user IP addresses after filtering as first suspicious user IP addresses;
a second filtering module, configured to filter out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose requested URL is incorrect, and to take the first suspicious user IP addresses after filtering as second suspicious user IP addresses;
a third filtering module, configured to filter out, according to a preset URL jump relationship, the suspicious user IP addresses among the second suspicious user IP addresses whose requested URL jump relationship is incorrect, and to take the second suspicious user IP addresses after filtering as third suspicious user IP addresses;
a fourth filtering module, configured to filter out, according to a preset server Host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested Host field is incorrect, and to take the third suspicious user IP addresses after filtering as fourth suspicious user IP addresses;
a fifth filtering module, configured to filter out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose requested URL length is incorrect.
Specifically, the third filtering unit includes:
a sending module, configured to send the preset script program to the clients corresponding to the second remaining suspicious user IP addresses so that the clients execute the preset script program;
a determination module, configured to determine, if there is a client that executes the preset script program incorrectly, the suspicious user IP address corresponding to that client to be an attack IP address;
the sending module, further configured to send, if there is a client that executes the preset script program correctly, verification information to that client so that the client receives a verification code entered according to the verification information;
the determination module, further configured to determine, if the verification code does not correspond to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
the determination module, further configured to determine, if the verification code corresponds to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device also includes:
a storage unit, configured to store the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address database.
With the above technical solution, the technical solution provided by the embodiments of the present invention has at least the following advantages:
The attack defense method and device provided by the embodiments of the present invention first identify suspicious user IP addresses in session information by a preset threshold, the session information containing user IP addresses; then filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address database to obtain first remaining suspicious user IP addresses; then filter attack IP addresses out of the first remaining suspicious user IP addresses according to the service request information in the session information to obtain second remaining suspicious user IP addresses; then filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program; and finally reject the service requests sent by the attack IP addresses. Compared with the current practice of defending against HTTP flood attacks by the number of requests sent per unit time, the embodiments of the present invention defend against HTTP flood attacks by layer-by-layer filtering: suspicious user IP addresses in the session information are first identified by a preset threshold, attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to, in turn, the preset attack IP address database, the service request information and the preset script program, and attack defense is achieved by rejecting the service requests sent by the attack IP addresses. The embodiments of the present invention can thereby improve the accuracy of attack defense.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and practiced according to the content of the description, and so that the above and other objects, features and advantages of the present invention are more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of an attack defense method provided by an embodiment of the present invention;
Fig. 2 shows a structural block diagram of an attack defense device provided by an embodiment of the present invention;
Fig. 3 shows a structural block diagram of another attack defense device provided by an embodiment of the present invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides an attack defense method. As shown in Fig. 1, the method includes:
101. Identify suspicious user Internet Protocol (IP) addresses in session information by a preset threshold.
The session information contains user IP addresses. Session information is the interaction information between a user and a web (World Wide Web) server, and is the related information of a connection based on one data stream. A suspicious user IP address may be the IP address of either a trusted user or an attacking user.
It should be noted that the number of service requests a normal user sends per unit time stays within a threshold. If the number of service requests a user sends per unit time does not conform to this threshold, that user may be an attacking user, so the user's IP address needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies the suspicious user IP addresses in the session information by a preset threshold. The preset threshold can be determined from the characteristics of the web server and the browsing behavior of normal users; specifically, its size can be determined from the number of requests a normal user sends to the destination IP address per unit time. For example, if a normal user sends 5 or fewer requests to the destination IP address in 1 minute, the preset threshold can be set to 5; if a user sends more than 5 service requests to the destination IP address in 1 minute, that user's IP address can be determined to be a suspicious user IP address.
102. Filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address database to obtain first remaining suspicious user IP addresses.
The preset attack IP address database is configured in advance and contains all attack IP addresses that have been determined. If a suspicious user IP address appears in the preset attack IP address database, it is determined to be an attack IP address and is filtered out of the suspicious user IP addresses; the suspicious user IP addresses after filtering are then determined to be the first remaining suspicious user IP addresses. If a suspicious user IP address does not appear in the preset attack IP address database, the first remaining suspicious user IP addresses are filtered further using the service request information in step 103, so as to filter out the attack IP addresses determined from the service request information.
103. Filter attack IP addresses out of the first remaining suspicious user IP addresses according to the service request information in the session information to obtain second remaining suspicious user IP addresses.
The service request information may specifically be the URL (uniform resource locator) requested by the user, the Host field and similar information; the embodiment of the present invention places no specific limitation on it. In the embodiment of the present invention, attack IP addresses may be filtered out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, a preset URL path, a preset URL jump relationship, a preset server Host field, a preset URL length and similar information. That is, a suspicious user IP address among the first remaining suspicious user IP addresses is determined to be an attack IP address if its number of URL requests does not conform to the preset request URL quantity threshold, its requested URL is not a preset URL path, its requested URL jump relationship does not conform to the preset URL jump relationship, its requested server Host field does not conform to the preset server Host field, or the length of its requested URL does not conform to the preset URL length. The addresses determined to be attack IP addresses are filtered out of the first remaining suspicious user IP addresses, and the first remaining suspicious user IP addresses after filtering are determined to be the second remaining suspicious user IP addresses.
104. Filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program.
The preset script program is used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses, and is a JavaScript script program. The client executes the preset script program to determine whether the suspicious user IP address is an attack IP address. If the client executes the preset script program incorrectly, the suspicious user IP address corresponding to the client is determined to be an attack IP address. If the client executes the preset script program correctly, a human-computer interaction verification code is further used to judge whether the suspicious user IP address is an attack IP address: if the verification code entered at the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address; if the verification code entered at the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted IP address.
105. Reject the service requests sent by the attack IP addresses.
The attack defense method provided by the embodiment of the present invention defends against HTTP flood attacks by layer-by-layer filtering: suspicious user IP addresses in the session information are first identified by a preset threshold, attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to, in turn, the preset attack IP address database, the service request information and the preset script program, and attack defense is achieved by rejecting the service requests sent by the attack IP addresses. Because the suspicious user IP addresses in the session information can be identified quickly by the preset threshold, and the attack IP addresses among them are filtered in order of filtering speed, using the preset attack IP address database, the service request information and the preset script program in turn, the efficiency of determining attack IPs is improved. The embodiment of the present invention can thereby improve both the accuracy and the efficiency of attack defense.
To better explain the attack defense method provided by the embodiment of the present invention, the following embodiments refine and extend each of the above steps.
Specifically, identifying the suspicious user IP addresses in the session information by a preset threshold in step 101 includes: obtaining from the session information the number of service requests sent by each user IP address per unit time; and determining a user IP address whose number of service requests per unit time is greater than the first preset threshold to be a suspicious user IP address. The first preset threshold is determined from the number of service requests a normal user sends per unit time. If a normal user sends 10 service requests in 1 minute, the first preset threshold can be set to 10; if a user sends more than 10 service requests in 1 minute, that user's IP address can be determined to be a suspicious user IP address.
Further, after a user IP address whose number of service requests per unit time is greater than the first preset threshold is determined to be a suspicious user IP address, the method further includes: obtaining the user IP addresses whose number of service requests per unit time is less than or equal to the first preset threshold; counting, among the obtained user IP addresses, the number of service requests of each identical user IP address; and determining a user IP address whose number of service requests is greater than the second preset threshold to be a suspicious user IP address.
It should be noted that users in the same local area network (LAN) have the same IP address but different session information. To prevent an attacker from attacking the web server through multiple terminal devices in a LAN, the number of service requests of each identical user IP address among the user IP addresses needs to be counted, and a user IP address whose number of service requests is greater than the second preset threshold is then determined to be a suspicious user IP address. The second preset threshold is determined from the number of service requests normally sent from a LAN per unit time. For example, three identical user IP addresses are obtained from the session information within the unit time, and the numbers of service requests they send to the web server are 10, 15 and 20 respectively; the service requests sent by this user IP address total 45. If the second preset threshold is 30, the user IP address can be determined to be a suspicious user IP address.
Specifically, step 103 by the service request information in described session information from the described first remaining suspicious use
Filter in the ip address of family and attack ip address, obtain the second remaining suspicious user ip address and include: according to preset request url quantity
Threshold value filters described attack ip address from the described first remaining suspicious user ip address, and after filtering first is remaining
Suspicious user ip address is as the first suspicious user ip address;According to preset url path by described first suspicious user ip address
Middle request url incorrect suspicious user ip address filtering falls, and using the first suspicious user ip address after filtering as second
Suspicious user ip address;Relation is redirected according to preset url request url in described second suspicious user ip address is redirected relation not
Correct suspicious user ip address filtering falls, and using the second suspicious user ip address after filtering as the 3rd suspicious user ip ground
Location;The incorrect suspicious use of host field will be asked according to preset service device host field in described 3rd suspicious user ip address
Family ip address filtering falls, and using the 3rd suspicious user ip address after filtering as the 4th suspicious user ip address;According to preset
Request url length incorrect suspicious user ip address filtering in described 4th suspicious user ip address is fallen by url length.
Here, the request URL quantity threshold is determined from the number of times a normal user requests the same URL per unit time. If the number of times user A requests the same URL within the unit time exceeds the preset request URL quantity threshold, the IP address corresponding to user A is determined to be an attack IP address, and the determined attack IP address is filtered out of the first remaining suspicious user IP addresses. The preset URL paths are set in advance in the web server; if the URL a user requests is not a URL path set in the web server, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the first suspicious user IP addresses. The preset URL jump relation is also set in advance in the web server, and the jump relation of a URL may specifically be represented by reference. For example, a user requests web page B by jumping from web page A, whereas the jump relation set in the web server is that web page B can only be requested through web page C; this shows that the jump relation of the user's request URL is incorrect, so the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the second suspicious user IP addresses. The preset server Host field is the Host field of the web server; if the Host field of a user's request is not the server's Host field, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual requirements and may specifically be 20, 30, 40 and so on; the embodiment of the present invention does not specifically limit it. If the length of the URL a user requests exceeds the preset URL length, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the fourth suspicious user IP addresses.
It should be noted that, because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in turn, in order of filtering speed, according to the preset request URL, the preset URL path, the preset URL jump relation, the preset server Host field and the preset URL length, the efficiency of determining attack IPs can be improved, and the embodiment of the present invention can therefore improve the efficiency of attack defense.
Specifically, in step 104, filtering attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program includes: sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that those clients execute the preset script program; and, if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be an attack IP address. Here, the preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program.
Further, after the suspicious user IP address corresponding to a client that executes the preset script program incorrectly is determined to be an attack IP address, the method also includes: if there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information; if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address; if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method also includes: storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library, so that the attack IP addresses in the preset attack IP address library are updated. It should be noted that when an attack IP address in the preset attack IP address library is reassigned to a normal user, the user, in order to be able to send service requests, needs to send a user identity verification request to the web server; after the web server's verification passes, the corresponding attack IP address is deleted from the preset attack IP address library, which allows the user's normal service requests.
Further, an embodiment of the present invention provides an attack defense device. As shown in Fig. 2, the device includes: a recognition unit 21, a first filter unit 22, a second filter unit 23, a third filter unit 24 and a refusal unit 25.
The recognition unit 21 is configured to identify suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
The session information is session data, that is, the interaction information between a user and the web server and the related information based on one data stream connection; a suspicious user IP address may be the IP address of a trusted user or of an attacking user.
It should be noted that the number of service requests a normal user sends per unit time always has a threshold. If the number of service requests a user sends per unit time does not conform to this threshold, the user may be an attacking user, so the IP address corresponding to that user needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies the suspicious user IP addresses in the session information by means of a preset threshold. The preset threshold can be determined from the characteristics of the web server and the Internet behavior of normal users; specifically, its size can be determined from the number of requests a normal user sends to the destination IP address per unit time. For example, if the number of requests a normal user sends to the destination IP address within 1 minute is less than or equal to 5, the preset threshold may be set to 5; if the number of service requests a user sends to the destination IP address within 1 minute is greater than 5, the IP address corresponding to that user may be determined to be a suspicious user IP address.
The first filter unit 22 is configured to filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
Here, the preset attack IP address library is configured in advance and contains all attack IP addresses that have been determined. If a suspicious user IP address appears in the preset attack IP address library, it is determined to be an attack IP address, the attack IP addresses are filtered out of the suspicious user IP addresses, and the suspicious user IP addresses left after filtering are determined to be the first remaining suspicious user IP addresses. If a suspicious user IP address does not appear in the preset attack IP address library, the first remaining suspicious user IP addresses are filtered further by means of the service request information in step 103, so as to filter out the attack IP addresses determined from the service request information.
The second filter unit 23 is configured to filter attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses;
Here, the service request information may specifically be information such as the URL (uniform resource locator) requested by the user and the Host field; the embodiment of the present invention does not specifically limit it. In the embodiment of the present invention, attack IP addresses may specifically be filtered out of the first remaining suspicious user IP addresses according to information such as the preset request URL quantity threshold, the preset URL path, the preset URL jump relation, the preset server Host field and the preset URL length. That is, among the first remaining suspicious user IP addresses, the suspicious user IP addresses whose URL request count does not conform to the preset request URL quantity threshold, whose request URL is not a preset URL path, whose request URL jump relation does not conform to the preset URL jump relation, whose request server Host field does not conform to the preset server Host field, and whose request URL length does not conform to the preset URL length are determined to be attack IP addresses; the addresses determined to be attack IP addresses are filtered out of the first remaining suspicious user IP addresses, and the first remaining suspicious user IP addresses left after filtering are finally determined to be the second remaining suspicious user IP addresses.
The third filter unit 24 is configured to filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
Here, the preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program. If the client executes the preset script program incorrectly, the suspicious user IP address corresponding to the client is an attack IP address. If the client executes the preset script program correctly, a human-computer interaction verification code is further used to judge whether the suspicious user IP address is an attack IP address: if the verification code entered at the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address; if the verification code entered at the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted IP address.
The refusal unit 25 is configured to refuse the service requests sent from the attack IP addresses.
Further, as shown in Fig. 3, the recognition unit 21 includes:
An acquisition module 211, configured to obtain from the session information the number of service requests sent from the user IP address per unit time;
A determining module 212, configured to determine the user IP addresses whose number of service requests sent per unit time is greater than a first preset threshold to be the suspicious user IP addresses. Here, the first preset threshold is determined from the number of service requests a normal user sends per unit time. If the number of service requests a normal user sends within 1 minute is 10, the first preset threshold may be set to 10; if the number of service requests a user sends within 1 minute is greater than 10, the IP address corresponding to that user may be determined to be a suspicious user IP address.
Further, the recognition unit 21 also includes:
The acquisition module 211, further configured to obtain the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold;
A statistical module 213, configured to count, among the obtained user IP addresses, the number of service requests of identical user IP addresses;
The determining module 212, configured to determine the user IP addresses whose number of service requests is greater than a second preset threshold to be the suspicious user IP addresses.
It should be noted that users in the same local area network have the same IP address but different session information. Therefore, to prevent an attacker from attacking the web server through multiple terminal devices in a local area network, the number of service requests of identical user IP addresses among the user IP addresses needs to be counted, and the user IP addresses whose number of service requests is greater than the second preset threshold are then determined to be suspicious user IP addresses. Here, the second preset threshold is determined from the number of service requests normally sent from a local area network per unit time. For example, three identical user IP addresses are obtained from the session information within the unit time, and they send 10, 15 and 20 service requests to the web server respectively, so the number of service requests sent from this user IP address adds up to 45; if the second preset threshold is 30, the user IP address can be determined to be a suspicious user IP address.
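The two-threshold identification described above, as an added example that is not code from the patent: requests are counted per session in each unit-time window, and sessions that stay at or below the first threshold are then summed per IP address against the second threshold. The event tuple layout, the first threshold of 25 and the sample addresses are constructed assumptions; the 10/15/20 sessions and the second threshold of 30 come from the text.

```python
from collections import Counter, defaultdict

UNIT_SECONDS = 60  # the page's examples use one minute as the unit time


def identify_suspicious(events, first_threshold, second_threshold, unit=UNIT_SECONDS):
    """Return {ip: (stage, count)} for IPs flagged in any unit-time window.

    events: iterable of (timestamp_seconds, session_id, ip), one per service request.
    Stage "first":  a single session exceeded first_threshold in a window.
    Stage "second": sessions that each stayed at or below first_threshold share
                    an IP and together exceed second_threshold in a window.
    """
    # Requests per (window, session, ip): the per-session count the text describes.
    per_session = Counter()
    for ts, session_id, ip in events:
        per_session[(int(ts // unit), session_id, ip)] += 1

    suspicious = {}
    quiet_by_ip = defaultdict(int)  # (window, ip) -> requests from sub-threshold sessions
    for (window, _session, ip), count in per_session.items():
        if count > first_threshold:
            suspicious.setdefault(ip, ("first", count))
        else:
            quiet_by_ip[(window, ip)] += count

    # Second pass: many quiet sessions behind one address (for example one LAN).
    for (_window, ip), total in quiet_by_ip.items():
        if total > second_threshold and ip not in suspicious:
            suspicious[ip] = ("second", total)
    return suspicious


def _burst(ip, session_id, n, start=0.0):
    """Constructed helper: n requests spread inside one window beginning at `start`."""
    step = UNIT_SECONDS / (n + 1)
    return [(start + i * step, session_id, ip) for i in range(n)]


# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = (
    _burst("203.0.113.7", "s1", 10)      # the text's example: 10 + 15 + 20 = 45 > 30
    + _burst("203.0.113.7", "s2", 15)
    + _burst("203.0.113.7", "s3", 20)
    + _burst("198.51.100.9", "s4", 40)   # one session above the first threshold
    + _burst("192.0.2.5", "s5", 5)       # ordinary user
    + _burst("192.0.2.44", "s6", 20)     # 20 per window, never 40 in one window
    + _burst("192.0.2.44", "s7", 20, start=60.0)
)

if __name__ == "__main__":
    for ip, (stage, count) in identify_suspicious(SAMPLE_EVENTS, 25, 30).items():
        print(ip, stage, count)
```

Counting per window matters: the last address sends 40 requests in total but never more than 20 in any one minute, so it is not flagged.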
Specifically, the second filter unit 23 includes:
A first filtering module 231, configured to filter the attack IP addresses out of the first remaining suspicious user IP addresses according to the preset request URL quantity threshold, and to take the first remaining suspicious user IP addresses left after filtering as first suspicious user IP addresses;
A second filtering module 232, configured to filter out of the first suspicious user IP addresses, according to the preset URL path, the suspicious user IP addresses whose request URL is incorrect, and to take the first suspicious user IP addresses left after filtering as second suspicious user IP addresses;
A third filtering module 233, configured to filter out of the second suspicious user IP addresses, according to the preset URL jump relation, the suspicious user IP addresses whose request URL jump relation is incorrect, and to take the second suspicious user IP addresses left after filtering as third suspicious user IP addresses;
A fourth filtering module 234, configured to filter out of the third suspicious user IP addresses, according to the preset server Host field, the suspicious user IP addresses whose request Host field is incorrect, and to take the third suspicious user IP addresses left after filtering as fourth suspicious user IP addresses;
A fifth filtering module 235, configured to filter out of the fourth suspicious user IP addresses, according to the preset URL length, the suspicious user IP addresses whose request URL length is incorrect.
Here, the request URL quantity threshold is determined from the number of times a normal user requests the same URL per unit time. If the number of times user A requests the same URL within the unit time exceeds the preset request URL quantity threshold, the IP address corresponding to user A is determined to be an attack IP address, and the determined attack IP address is filtered out of the first remaining suspicious user IP addresses. The preset URL paths are set in advance in the web server; if the URL a user requests is not a URL path set in the web server, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the first suspicious user IP addresses. The preset URL jump relation is also set in advance in the web server, and the jump relation of a URL may specifically be represented by reference. For example, a user requests web page B by jumping from web page A, whereas the jump relation set in the web server is that web page B can only be requested through web page C; this shows that the jump relation of the user's request URL is incorrect, so the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the second suspicious user IP addresses. The preset server Host field is the Host field of the web server; if the Host field of a user's request is not the server's Host field, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual requirements and may specifically be 20, 30, 40 and so on; the embodiment of the present invention does not specifically limit it. If the length of the URL a user requests exceeds the preset URL length, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the fourth suspicious user IP addresses.
It should be noted that, because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in turn, in order of filtering speed, according to the preset request URL, the preset URL path, the preset URL jump relation, the preset server Host field and the preset URL length, the efficiency of determining attack IPs can be improved, and the embodiment of the present invention can therefore improve the efficiency of attack defense.
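The five request-information checks, chained in the order the text gives so that each stage sees only the addresses the previous one left, as an added example rather than code from the patent. Reading the "reference" jump relation from the HTTP Referer header, the `Request` and `Preset` types, and all sample hosts, paths and addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    ip: str
    host: str           # Host header sent by the client
    url: str            # request target, e.g. "/b?id=1"
    referer: str = ""   # assumption: Referer carries the jump relation


@dataclass
class Preset:
    url_count_threshold: int   # max requests for one URL per unit time
    paths: frozenset           # URL paths configured on the web server
    jumps: dict                # target path -> source paths allowed to lead to it
    host: str                  # the server's own Host value
    url_length: int            # longest acceptable request URL


def _path(url):
    return urlsplit(url).path


def too_many_same_url(reqs, p):
    return max(Counter(r.url for r in reqs).values()) > p.url_count_threshold


def unknown_path(reqs, p):
    return any(_path(r.url) not in p.paths for r in reqs)


def bad_jump(reqs, p):
    # Only targets with a configured rule are checked; a missing Referer fails the rule.
    return any(
        _path(r.url) in p.jumps and _path(r.referer) not in p.jumps[_path(r.url)]
        for r in reqs
    )


def wrong_host(reqs, p):
    return any(r.host.lower() != p.host.lower() for r in reqs)


def url_too_long(reqs, p):
    return any(len(r.url) > p.url_length for r in reqs)


# Order follows the text: URL count, path, jump relation, Host field, URL length.
STAGES = [
    ("url_count", too_many_same_url),
    ("path", unknown_path),
    ("jump", bad_jump),
    ("host", wrong_host),
    ("url_length", url_too_long),
]


def filter_by_request_info(first_remaining, requests, preset):
    """Return (attack, second_remaining); attack maps IP -> first stage it failed."""
    by_ip = {}
    for r in requests:
        if r.ip in first_remaining:
            by_ip.setdefault(r.ip, []).append(r)
    remaining, attack = set(first_remaining), {}
    for name, check in STAGES:
        for ip in sorted(remaining):
            if ip in by_ip and check(by_ip[ip], preset):
                attack[ip] = name
        remaining.difference_update(attack)  # later stages see only survivors
    return attack, remaining


# Constructed sample data (documentation addresses, hypothetical host and paths).
PRESET = Preset(5, frozenset({"/a", "/b", "/c"}), {"/b": {"/c"}}, "shop.example", 40)
H, C = "shop.example", "http://shop.example/c"
SAMPLE = (
    [Request("203.0.113.10", H, "/b", C)] * 6                       # same URL 6 times
    + [Request("203.0.113.11", H, "/admin.php")]                    # path not configured
    + [Request("203.0.113.12", H, "/b", "http://shop.example/a")]   # B reached from A
    + [Request("203.0.113.13", "other.example", "/a")]              # foreign Host value
    + [Request("203.0.113.14", H, "/a?q=" + "x" * 60)]              # URL longer than 40
    + [Request("203.0.113.15", H, "/c"), Request("203.0.113.15", H, "/b", C)]
)
```

Addresses that pass all five stages form the second remaining suspicious set and go on to the script check; they are not yet trusted.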
Specifically, the third filter unit 24 includes:
A sending module 241, configured to send the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that those clients execute the preset script program;
A determining module 242, configured to determine, if there is a client that executes the preset script program incorrectly, the suspicious user IP address corresponding to that client to be an attack IP address.
The sending module 241 is further configured to send, if there is a client that executes the preset script program correctly, verification information to that client, so that the client that executed the preset script program correctly receives a verification code entered according to the verification information;
The determining module 242 is further configured to determine, if the verification code does not correspond to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
The determining module 242 is further configured to determine, if the verification code corresponds to the verification information, the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device also includes:
A storage unit 26, configured to store the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
It should be noted that when an attack IP address in the preset attack IP address library is reassigned to a normal user, the user, in order to be able to send service requests, needs to send a user identity verification request to the web server; after the web server's verification passes, the corresponding attack IP address is deleted from the preset attack IP address library, which allows the user's normal service requests.
Another attack defense device provided by an embodiment of the present invention defends against HTTP flood attacks by filtering layer by layer: the suspicious user IP addresses in the session information are first identified by means of a preset threshold, the attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to, in turn, the preset attack IP address library, the service request information and the preset script program, and attack defense is achieved by refusing the service requests sent from the attack IP addresses. Because the suspicious user IP addresses in the session information can be identified quickly by means of the preset threshold, and the attack IP addresses among the suspicious user IP addresses are filtered by the preset attack IP address library, the service request information and the preset script program in order of filtering speed, the efficiency of determining attack IPs can be improved, and the embodiment of the present invention can therefore improve the accuracy and efficiency of attack defense.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
It can be understood that related features of the above method and device may refer to one another. In addition, "first", "second" and so on in the above embodiments are used to distinguish the embodiments and do not indicate the merits of the embodiments.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is obvious. Moreover, the present invention is not directed at any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description of a specific language above is given to disclose the best mode of the invention.
In the description provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be changed adaptively and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components of the attack defense method and device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
Claims (10)
1. An attack defense method, characterized in that it comprises:
identifying suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
filtering attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses;
filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
refusing the service requests sent from the attack IP addresses.
2. The method according to claim 1, characterized in that identifying the suspicious user IP addresses in the session information by means of the preset threshold comprises:
obtaining from the session information the number of service requests sent from the user IP address per unit time;
determining the user IP addresses whose number of service requests sent per unit time is greater than a first preset threshold to be the suspicious user IP addresses.
3. The method according to claim 2, characterized in that, after the user IP addresses whose number of service requests sent per unit time is greater than the first preset threshold are determined to be the suspicious user IP addresses, the method further comprises:
obtaining the user IP addresses whose number of service requests sent per unit time is less than or equal to the first preset threshold;
counting, among the obtained user IP addresses, the number of service requests of identical user IP addresses;
determining the user IP addresses whose number of service requests is greater than a second preset threshold to be the suspicious user IP addresses.
4. The method according to claim 1, characterized in that filtering attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining the second remaining suspicious user IP addresses, comprises:
filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the first remaining suspicious user IP addresses left after filtering as first suspicious user IP addresses;
filtering out of the first suspicious user IP addresses, according to a preset URL path, the suspicious user IP addresses whose request URL is incorrect, and taking the first suspicious user IP addresses left after filtering as second suspicious user IP addresses;
filtering out of the second suspicious user IP addresses, according to a preset URL jump relation, the suspicious user IP addresses whose request URL jump relation is incorrect, and taking the second suspicious user IP addresses left after filtering as third suspicious user IP addresses;
filtering out of the third suspicious user IP addresses, according to a preset server Host field, the suspicious user IP addresses whose request Host field is incorrect, and taking the third suspicious user IP addresses left after filtering as fourth suspicious user IP addresses;
filtering out of the fourth suspicious user IP addresses, according to a preset URL length, the suspicious user IP addresses whose request URL length is incorrect.
5. The method according to claim 1, characterized in that filtering attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program comprises:
sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be the attack IP address.
6. The method according to claim 5, characterized in that, after the suspicious user IP address corresponding to the client that executed the preset script program incorrectly is determined to be the attack IP address, the method further comprises:
if there is a client that executes the preset script program correctly, sending verification information to the client that executed the preset script program correctly, so that the client that executed the preset script program correctly receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
7. The method according to any one of claims 1-6, characterized in that the method further comprises:
storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
8. An attack defense device, characterized in that it comprises:
a recognition unit, configured to identify suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing user IP addresses;
a first filter unit, configured to filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses;
a second filter unit, configured to filter attack IP addresses out of the first remaining suspicious user IP addresses by means of the service request information in the session information, obtaining second remaining suspicious user IP addresses;
a third filter unit, configured to filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
a refusal unit, configured to refuse the service requests sent from the attack IP addresses.
9. The device according to claim 8, characterized in that the recognition unit comprises:
an acquisition module, configured to obtain, from the session information, the number of times each user IP address sends service requests within a unit time;
a determining module, configured to determine the user IP addresses whose number of service requests sent within the unit time is greater than a first preset threshold to be the suspicious user IP addresses.
10. The device according to claim 9, characterized in that the recognition unit further comprises:
the acquisition module, further configured to obtain the user IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold;
a statistical module, configured to count, among the obtained user IP addresses, the number of service requests of each same user IP address;
the determining module, configured to determine the user IP addresses whose number of service requests is greater than a second preset threshold to be the suspicious user IP addresses.
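The recognition unit of claims 9 and 10, the first filter unit of claim 8 and the storage step of claim 7 can be sketched as follows. This is an added example, not code from the patent: the function names, the unit time, both threshold values, the reading of claim 10 as a total over the logged session, and the sample records are all assumptions.

```python
from collections import Counter, defaultdict

UNIT_SECONDS = 1        # assumed unit time
FIRST_THRESHOLD = 5     # assumed: allowed requests per unit time
SECOND_THRESHOLD = 12   # assumed: allowed requests over the whole logged session

def identify_suspicious(records, unit=UNIT_SECONDS,
                        t1=FIRST_THRESHOLD, t2=SECOND_THRESHOLD):
    """Recognition unit (claims 9-10): return the set of suspicious user IPs.

    records: iterable of (ip, unix_timestamp) taken from session information.
    """
    per_window = defaultdict(Counter)   # ip -> {window index: request count}
    for ip, ts in records:
        per_window[ip][int(ts // unit)] += 1
    suspicious = set()
    for ip, windows in per_window.items():
        if max(windows.values()) > t1:      # claim 9: burst within one unit time
            suspicious.add(ip)
        elif sum(windows.values()) > t2:    # claim 10: under t1 per unit, high total
            suspicious.add(ip)
    return suspicious

def first_filter(suspicious, attack_base):
    """First filter unit: split off IPs already in the attack IP address base."""
    known = suspicious & attack_base
    return known, suspicious - known

def record_attack_ip(ip, attack_base):
    """Claim 7: store a confirmed attack IP in the attack IP address base."""
    attack_base.add(ip)

def should_refuse(ip, attack_base):
    """Refusal unit: refuse service requests sent from attack IP addresses."""
    return ip in attack_base

# Constructed sample session information (documentation-range addresses).
SAMPLE = (
    [("192.0.2.10", 100.0 + i * 0.1) for i in range(8)]       # 8 requests in 1 s
    + [("198.51.100.7", 100.0 + i) for i in range(15)]        # 1 req/s for 15 s
    + [("203.0.113.5", 100.0 + i * 5) for i in range(3)]      # ordinary client
    + [("192.0.2.99", 200.0 + i * 0.05) for i in range(9)]    # burst, already listed
)

if __name__ == "__main__":
    base = {"192.0.2.99"}
    known, remaining = first_filter(identify_suspicious(SAMPLE), base)
    print("already in attack base:", sorted(known))
    print("first remaining suspicious:", sorted(remaining))
```

The second threshold is what catches a client that stays under the per-unit-time limit but keeps sending; the addresses left in the remaining set are the ones the second and third filter units would then examine.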
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610783731.7A CN106357628B (en) | 2016-08-31 | 2016-08-31 | The defence method and device of attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106357628A true CN106357628A (en) | 2017-01-25 |
CN106357628B CN106357628B (en) | 2019-09-06 |
Family
ID=57858274
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610783731.7A Active CN106357628B (en) | 2016-08-31 | 2016-08-31 | The defence method and device of attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106357628B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080295169A1 (en) * | 2007-05-25 | 2008-11-27 | Crume Jeffery L | Detecting and defending against man-in-the-middle attacks |
CN102891829A (en) * | 2011-07-18 | 2013-01-23 | 航天信息股份有限公司 | Method and system for detecting and defending distributed denial of service attack |
CN103856470A (en) * | 2012-12-06 | 2014-06-11 | 腾讯科技(深圳)有限公司 | Distributed denial of service attack detection method and device |
CN103685294A (en) * | 2013-12-20 | 2014-03-26 | 北京奇虎科技有限公司 | Method and device for identifying attack sources of denial of service attack |
US9392019B2 (en) * | 2014-07-28 | 2016-07-12 | Lenovo Enterprise (Singapore) Pte. Ltd. | Managing cyber attacks through change of network address |
CN104935609A (en) * | 2015-07-17 | 2015-09-23 | 北京京东尚科信息技术有限公司 | Network attack detection method and detection apparatus |
Non-Patent Citations (1)
Title |
---|
Li Hongbin et al.: "An efficient defense model against SIP flooding attacks", Computer Engineering * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110166408A (en) * | 2018-02-13 | 2019-08-23 | 北京京东尚科信息技术有限公司 | Defend the methods, devices and systems of extensive aggression |
CN110166408B (en) * | 2018-02-13 | 2022-09-06 | 北京京东尚科信息技术有限公司 | Method, device and system for defending flood attack |
CN108833450A (en) * | 2018-08-22 | 2018-11-16 | 网宿科技股份有限公司 | A kind of realization server anti-attack method and device |
WO2020037781A1 (en) * | 2018-08-22 | 2020-02-27 | 网宿科技股份有限公司 | Anti-attack method and device for server |
CN108833450B (en) * | 2018-08-22 | 2020-07-10 | 网宿科技股份有限公司 | Method and device for preventing server from being attacked |
CN110532753A (en) * | 2019-07-01 | 2019-12-03 | 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) | The safety protecting method and equipment of train operation monitoring and recording device business data flow |
CN111241543A (en) * | 2020-01-07 | 2020-06-05 | 中国搜索信息科技股份有限公司 | Method and system for intelligently resisting DDoS attack by application layer |
CN113452647A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
CN113452647B (en) * | 2020-03-24 | 2022-11-29 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
CN113810486A (en) * | 2021-09-13 | 2021-12-17 | 珠海格力电器股份有限公司 | Internet of things platform docking method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106357628B (en) | 2019-09-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106357628A (en) | Attack defense method and device | |
CN103701795B (en) | The recognition methods of the attack source of Denial of Service attack and device | |
US10826872B2 (en) | Security policy for browser extensions | |
CN104519018B (en) | A kind of methods, devices and systems preventing the malicious requests for server | |
US8375120B2 (en) | Domain name system security network | |
CN107465648B (en) | Abnormal equipment identification method and device | |
US20100154055A1 (en) | Prefix Domain Matching for Anti-Phishing Pattern Matching | |
CN106789983A (en) | A kind of CC attack defense methods and its system of defense | |
CN109088909B (en) | Service gray level publishing method and device based on merchant type | |
CN105635126A (en) | Malicious URL access protection method, client side, security server and system | |
CN111786966A (en) | Method and device for browsing webpage | |
CN112995162B (en) | Network traffic processing method and device, electronic equipment and storage medium | |
CN113098835A (en) | Honeypot implementation method based on block chain, honeypot client and honeypot system | |
Ghafir et al. | DNS query failure and algorithmically generated domain-flux detection | |
CN108632634A (en) | A kind of providing method and device of direct broadcast service | |
CN108512805B (en) | Network security defense method and network security defense device | |
CN106209907A (en) | A kind of method and device detecting malicious attack | |
KR101072981B1 (en) | Protection system against DDoS | |
CN105939320A (en) | Message processing method and device | |
CN112583827B (en) | Data leakage detection method and device | |
CN114500026A (en) | Network traffic processing method, device and storage medium | |
US10462158B2 (en) | URL selection method, URL selection system, URL selection device, and URL selection program | |
CN106888192A (en) | The method and device that a kind of resistance DNS is attacked | |
KR101042226B1 (en) | The method of counteracting distributed denial of service attack using network filter monitoring white list and dummy web server | |
Yagi et al. | Design of provider-provisioned website protection scheme against malware distribution |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||