CN106534078A - Method and device for establishing black list - Google Patents

Method and device for establishing a blacklist

Info

Publication number
CN106534078A
Authority
CN
China
Prior art keywords
address
attack source
interval
blacklist
attack
Prior art date
Legal status
Granted
Application number
CN201610912740.1A
Other languages
Chinese (zh)
Other versions
CN106534078B (en)
Inventor
邓军
赵跃明
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201610912740.1A
Publication of CN106534078A
Application granted
Publication of CN106534078B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network security, and in particular to a method and device for establishing a blacklist that allows attack-source IPs to be pre-judged and blocked quickly. The method comprises: establishing a first IP address interval according to the continuity of IP addresses; identifying the attack-source IPs in the first IP address interval; determining a plurality of second IP address intervals according to the spacing between adjacent attack-source IPs and a first threshold; and determining the density of attack-source IPs in each second IP address interval and, if that density exceeds a second threshold, recording the first and the last attack-source IP of the interval in the blacklist. The resulting blacklist reflects the distribution pattern of the attack-source IPs, so it can pre-judge attack-source IPs quickly, which improves blocking efficiency and enhances device performance.

Description

Method and device for establishing a blacklist
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for establishing a blacklist.
Background
In recent years the cost to attackers of launching attacks with packet-flooding tools, compromised hosts ("zombies") and the like has kept falling, and high-volume attacks have become more and more frequent. Traffic scrubbing equipment, an indispensable link in any security solution, is under ever-growing performance pressure as a result. How scrubbing equipment identifies attack sources and blocks attack traffic quickly and efficiently has therefore always been a research focus for scrubbing vendors and service providers.
In the prior art, scrubbing equipment mostly blocks attack-source Internet Protocol (IP) addresses by means of a blacklist. The blacklist sits at the very front of the traffic-processing path: as soon as an attack-source IP is identified it is added to the blacklist, so that traffic from that IP is dropped at the earliest stage of processing, which improves device performance. However, the equipment blocks attack sources one at a time as they are found, and because its memory is limited the blacklist usually cannot cover every attack-source IP; even if every source were recorded and blocked, memory consumption would be enormous and table lookups inefficient. Moreover, as high-volume attacks grow more common the performance pressure on the equipment increases, because for every source address it must run some detection method to decide whether the address is an attack source, which consumes a great deal of device capacity. The prior art therefore suffers from low blocking efficiency and heavy consumption of device performance.
Summary of the invention
The present invention provides a method and device for establishing a blacklist in order to solve the prior-art problems of low blocking efficiency and heavy consumption of device performance.
An embodiment of the present invention provides a method for establishing a blacklist, comprising:
establishing a first IP address interval according to the continuity of IP addresses;
identifying the attack-source IPs within the first IP address interval;
determining a plurality of second IP address intervals from the first IP address interval according to the spacing between adjacent attack-source IPs, wherein the spacing between adjacent attack-source IPs within each second IP address interval is smaller than a first threshold;
for each second IP address interval, determining the density of attack-source IPs in that interval and, if the density is greater than a second threshold, recording the first and the last attack-source IP of that interval in the blacklist.
Optionally, determining the density of attack-source IPs in a second IP address interval comprises:
the second IP address interval includes the attack-source IPs and the non-attack-source IPs lying between adjacent attack-source IPs;
the ratio of the number of attack-source IPs in the second IP address interval to the total number of IPs the interval contains is taken as the density of attack-source IPs in that interval.
Optionally, the method further comprises:
if the density of attack-source IPs is less than the second threshold, or an attack-source IP has not been assigned to any second IP address interval, recording that attack-source IP in the blacklist individually.
Optionally, the method comprises:
judging whether an attack-source IP is a public-network IP;
if the attack-source IP is a public-network IP, identifying the attacking ports under that attack-source IP;
recording the attack-source IP together with its attacking ports in the blacklist.
An embodiment of the present invention provides a method for intercepting attack-source IPs, comprising:
if the blacklist contains the accessing IP address, intercepting the access request from that IP address, or intercepting the access request from the attacking port of that IP address;
if the accessing IP address falls between the first and the last attack-source IP of a second IP address interval recorded in the blacklist, intercepting the access request from that IP address, or intercepting the access request from the attacking port of that IP address.
An embodiment of the present invention provides a device for establishing a blacklist, comprising:
an address module for establishing a first IP address interval according to the continuity of IP addresses;
an identification module for identifying the attack-source IPs within the first IP address interval;
a division module for determining a plurality of second IP address intervals from the first IP address interval according to the spacing between adjacent attack-source IPs, wherein the spacing between adjacent attack-source IPs within each second IP address interval is smaller than a first threshold;
a processing module for determining, for each second IP address interval, the density of attack-source IPs in that interval and, if the density is greater than a second threshold, recording the first and the last attack-source IP of that interval in the blacklist.
Optionally, the device further comprises:
the identification module being further configured to judge whether an attack-source IP is a public-network IP;
the identification module being further configured to identify, when the attack source is a public-network IP, the attacking ports under that attack-source IP;
the processing module being further configured to record, when the attack-source IP is a public-network IP, the attack-source IP together with its attacking ports in the blacklist.
Optionally:
the second IP address interval includes the attack-source IPs and the non-attack-source IPs lying between adjacent attack-source IPs;
the processing module is configured to take the ratio of the number of attack-source IPs in the second IP address interval to the total number of IPs the interval contains as the density of attack-source IPs in that interval.
Optionally, the device further comprises:
the processing module being further configured to record an attack-source IP in the blacklist individually when the density of attack-source IPs is less than the second threshold or the attack-source IP has not been assigned to any second IP address interval.
An embodiment of the present invention provides a device for intercepting attack-source IPs, comprising:
an identification module for identifying the accessing IP address;
a processing module for intercepting, when the blacklist contains the accessing IP address, the access request from that IP address or the access request from the attacking port of that IP address;
the processing module being further configured to intercept the access request from the accessing IP address, or the access request from its attacking port, when the accessing IP address falls between the first and the last attack-source IP of a second IP address interval recorded in the blacklist.
In summary, embodiments of the present invention provide a method and device for establishing a blacklist, comprising: establishing a first IP address interval according to the continuity of IP addresses; identifying the attack-source IPs within the first IP address interval; determining a plurality of second IP address intervals from the first IP address interval according to the spacing between adjacent attack-source IPs, wherein the spacing between adjacent attack-source IPs within each second IP address interval is smaller than a first threshold; and, for each second IP address interval, determining the density of attack-source IPs in that interval and, if the density is greater than a second threshold, recording the first and the last attack-source IP of that interval in the blacklist. Starting from the characteristics of present-day attacks, the embodiments analyse contiguous IP addresses: a second IP address interval, divided off according to the spacing between adjacent attack-source IPs, contains several attack-source IPs that lie close together, which gives a preliminary picture of a potential attacking IP region; screening those intervals by attack-source density then selects the second IP address intervals in which attack sources are densely distributed. Recording only the first and the last IP address of such an interval in the blacklist is then enough to identify every attack-source IP in the interval, without recording the attack-source IPs lying between them. The resulting blacklist reflects the distribution pattern of the attack-source IPs, so it can be used to pre-judge attack-source IPs quickly, which improves blocking efficiency and enhances device performance. Recording attack-source IPs as intervals also reduces the memory consumed.
Brief description of the drawings
To explain the technical solutions of the embodiments more clearly, the drawings needed to describe the embodiments are introduced briefly below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for establishing a blacklist provided by an embodiment of the present invention;
Fig. 2 is a distribution map of attack-source IPs provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for establishing a blacklist provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of an interception device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Fig. 1 shows the flow of a method for establishing a blacklist provided by an embodiment of the present invention. As shown in Fig. 1, it mainly comprises the following steps:
S101: establishing a first IP address interval according to the continuity of IP addresses;
S102: identifying the attack-source IPs within the first IP address interval;
S103: determining a plurality of second IP address intervals from the first IP address interval according to the spacing between adjacent attack-source IPs, wherein the spacing between adjacent attack-source IPs within each second IP address interval is smaller than a first threshold;
S104: for each second IP address interval, determining the density of attack-source IPs in that interval and, if the density is greater than a second threshold, recording the first and the last attack-source IP of that interval in the blacklist.
In a specific implementation, step S101 establishes the first IP address interval according to the continuity of IP addresses: the accessing IP addresses are arranged consecutively, for example from the minimum address 0.0.0.0 to the maximum address 255.255.255.255, building an interval covering the full address space in order. Alternatively, the first IP address interval may be determined from the range of IP addresses actually seen accessing, which simplifies the later steps of building the blacklist. Fig. 2 shows a distribution of attack-source IPs provided by an embodiment of the present invention: the first IP address interval contains 20 addresses, IP1 to IP20, each spaced 1 from the next, so that if IP1 is 0.0.0.0 then IP20 is 0.0.0.19. Optionally, when the first IP address interval is established no account is taken of whether a connection request from a given address actually exists; the addresses are simply processed in order, i.e. an address for which no request was seen is still assumed to exist. IP3, for example, initiated no connection request, but when the first IP address interval is established it is still assumed to exist and is included in the interval. Because present-day network attacks mostly use contiguous IP addresses, this treatment makes the analysis of attack-source IPs effective.
In step S102 each IP address in the first IP address interval is examined to judge whether it is an attack-source IP. Optionally, a probe algorithm is used: a probe packet is sent to each IP address, and an address that returns a response packet is treated as normal, while one that does not is treated as an attack-source IP. Alternatively, a traffic baseline is used: the traffic of each IP address is counted and compared with the traffic baseline of a normal user, and if the port traffic of the address exceeds that baseline the address is an attack-source IP. Optionally, addresses that were assumed to exist in the first IP address interval but actually made no access request are treated as normal IP addresses. In Fig. 2, IP3 is such an address, assumed to exist when the list was built although no request from it was seen, and it is treated as normal during identification, whereas IP2, IP5, IP6 and so on are identified attack-source IPs.
The spacing between adjacent attack-source IPs in step S103 may be the number of IP addresses lying between them, and the first threshold may be set according to actual requirements. Taking Fig. 2 as an example, the invention illustrates one way of dividing second IP address intervals. As shown in Fig. 2, the first IP address interval contains 10 attack sources: IP2, IP5, IP6, IP7, IP9, IP12, IP15, IP16, IP17 and IP18. The spacing between each pair of adjacent attack-source IPs is calculated; if it is smaller than the preset first threshold, those attack-source IPs and the normal IPs between them are assigned to one second IP address interval. For example, if the preset first threshold is 2, IP5, IP6, IP7, IP8 and IP9 form one second IP address interval and IP15, IP16, IP17 and IP18 form another.
The density of attack-source IPs in a second IP address interval in step S104 may be the ratio of the number of attack-source IPs to the number of non-attack-source IPs, or may be determined from the number of attack-source IPs alone. Optionally, an embodiment of the present invention provides the following way of calculating the density: the second IP address interval includes the attack-source IPs and the non-attack-source IPs lying between adjacent attack-source IPs, and the ratio of the number of attack-source IPs to the total number of IPs in the interval is taken as the density. For example, second IP address interval A contains the 5 addresses IP5, IP6, IP7, IP8 and IP9, of which 3 are attack-source IPs, so its attack-source density is 0.6; second IP address interval B contains the four addresses IP15, IP16, IP17 and IP18, all of them attack-source IPs, so its attack-source density is 1. For a second IP address interval whose attack-source density exceeds the preset second threshold, the first and the last IP address are recorded in the blacklist; optionally, the second threshold is set according to the application. Optionally, lowering the second threshold appropriately allows attacks launched with packet-flooding tools, compromised hosts and the like, such as distributed denial of service (DDoS) attacks, to be blocked pre-emptively, before their packets arrive. This works because the source addresses of attacks launched by such tools change in a regular pattern and may even be contiguous: by marking the source addresses of the packets that have arrived and lowering the density coefficient required of an interval, a large number of source addresses that have not yet arrived can be blocked, eliminating the step of parsing those packets and then adding them to the blacklist. Optionally, a blocking period is set for the blacklist: during the period, access requests from the IP addresses on the blacklist are refused, and when it ends the blacklist and the blocking list are refreshed. If the density of attack-source IPs is greater than the second threshold, the first and the last attack-source IP of the second IP address interval are recorded in the blacklist. For the first IP address interval of Fig. 2, assume two second IP address intervals have been divided off: interval A made up of IP5, IP6, IP7, IP8 and IP9, and interval B made up of IP15, IP16, IP17 and IP18. If the attack-source density of both exceeds the preset second threshold, then IP5 and IP9 are recorded in the blacklist to represent interval A and IP15 and IP18 to represent interval B. Optionally, if the density of attack-source IPs is less than the second threshold, or an attack-source IP has not been assigned to any second IP address interval, that attack-source IP is recorded in the blacklist individually. In Fig. 2, suppose IP5, IP6, IP7, IP8 and IP9 form a second IP address interval with attack-source density 0.6 while the second threshold is 0.8; the attack sources IP5, IP7 and IP9 are then recorded in the blacklist individually. Likewise, with a first threshold of 2, attack source IP2 is excluded from every second IP address interval and becomes an isolated attack-source IP, which also has to be recorded in the blacklist individually. Recording scattered attack-source IPs individually prevents the blacklist from omitting attack sources and strengthens its protection.
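Steps S101 to S104 as they would run over the Fig. 2 layout, as an added example written for this page and not the patent's own code. It assumes IP1 is 0.0.0.0 (so IPn is 0.0.0.(n-1)), takes spacing to be the number of addresses strictly between two adjacent attack sources, as S103 describes, and constructs the attack sources as IP2, IP5, IP7, IP9, IP12, IP15, IP16, IP17 and IP18: the set that gives the description's density of 0.6 for interval A (the list in S103 also names IP6, which would make that density 0.8, so the worked figures were preferred). The functions `split_second_intervals`, `attack_density` and `build_blacklist` are names chosen here.

```python
# Added example (not the patent's code): blacklist construction per S101-S104.
# Assumptions: IP1 = 0.0.0.0; attack sources follow the description's density figures;
# spacing = number of addresses strictly between two adjacent attack sources.
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


def ip_to_int(ip: str) -> int:
    """Dotted IPv4 address to the integer used for ordering (S101 relies on address order)."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


@dataclass
class Blacklist:
    # (first, last) of each dense second interval, inclusive; every address between is covered
    intervals: List[Tuple[int, int]] = field(default_factory=list)
    # attack sources recorded one by one: isolated sources and members of sparse intervals
    singles: Set[int] = field(default_factory=set)


def split_second_intervals(attack_sources: Iterable[int], first_threshold: int) -> List[List[int]]:
    """S103: walk the attack sources in address order and start a new second interval
    whenever the spacing to the previous attack source is not smaller than first_threshold."""
    runs: List[List[int]] = []
    for ip in sorted(attack_sources):
        if runs and (ip - runs[-1][-1] - 1) < first_threshold:
            runs[-1].append(ip)
        else:
            runs.append([ip])
    return runs


def attack_density(run: List[int]) -> float:
    """S104 (optional definition): attack sources over all addresses from first to last."""
    return len(run) / (run[-1] - run[0] + 1)


def build_blacklist(attack_sources: Iterable[int], first_threshold: int,
                    second_threshold: float) -> Blacklist:
    bl = Blacklist()
    for run in split_second_intervals(attack_sources, first_threshold):
        # A lone attack source never forms a second interval and is recorded individually,
        # as is every member of an interval whose density does not exceed second_threshold.
        if len(run) > 1 and attack_density(run) > second_threshold:
            bl.intervals.append((run[0], run[-1]))
        else:
            bl.singles.update(run)
    return bl


def fig2_attack_sources() -> List[int]:
    """Constructed input following the Fig. 2 description (see assumptions above)."""
    base = ip_to_int("0.0.0.0")
    return [base + n - 1 for n in (2, 5, 7, 9, 12, 15, 16, 17, 18)]


def describe(bl: Blacklist) -> dict:
    """Render the blacklist with dotted addresses for inspection."""
    return {
        "intervals": [f"{int_to_ip(lo)}-{int_to_ip(hi)}" for lo, hi in bl.intervals],
        "singles": [int_to_ip(ip) for ip in sorted(bl.singles)],
    }


if __name__ == "__main__":
    # Second threshold 0.8 as in the text: only IP15-IP18 becomes an interval.
    print(describe(build_blacklist(fig2_attack_sources(), first_threshold=2, second_threshold=0.8)))
    # Lowering it to 0.5 also records IP5-IP9, covering IP6 and IP8 before any packet from them.
    print(describe(build_blacklist(fig2_attack_sources(), first_threshold=2, second_threshold=0.5)))
```

The second call shows the pre-emptive effect the text describes: with the threshold lowered, IP6 and IP8 are blocked by the interval record IP5-IP9 although neither was identified as an attack source. The cost is the same false-positive exposure that the public-network-IP handling later in the description tries to limit, so the threshold is a tuning knob, not a free win.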
Optionally, before the second IP address intervals are determined from the first IP address interval according to the spacing between adjacent attack-source IPs, the method further comprises: judging whether an attack-source IP is a public-network IP; if so, identifying the attacking ports under that attack-source IP; and recording the attack-source IP together with its attacking ports in the blacklist. Because of Network Address Translation (NAT), an attack-source IP may be a public-network IP shared by many ports, some of them normal and some attacking. Conventional source-IP blocking would then wrongly block the normal ports as well. In a specific implementation of the method, once an IP address has been determined to be an attack source, it can be further judged from the port distribution of that address whether it is a public-network IP; if it is, the per-port traffic distribution under the address is compared with a traffic baseline set for normal ports to identify the attacking ports, which show a clear traffic increase relative to the normal ports, and the attack-source IP and its attacking ports are stored together in the blacklist. Only the attacking ports under the attack-source IP are then blocked, so the normal ports are not wrongly blocked. Optionally, for the case that includes public-network IPs, an embodiment of the present invention provides another way of building the blacklist: after the first IP address interval is established, the attack-source IPs in it are identified; once an IP address is confirmed to be an attack source, it is further confirmed whether it is a public-network IP; if so, its attacking ports are confirmed and the attack-source IP together with its attacking ports is recorded in the public-network-IP blocking area of the blacklist, while that public-network IP is removed from the first IP address interval. The first IP address interval with the public-network attack sources removed is then divided into second IP address intervals and the attack-source density is calculated as described above, except that both the number of attack-source IPs and the length of the second IP address interval are reduced by the number of public-network IPs removed. When the density exceeds the second threshold, the starting and ending attack-source IPs of the second IP address interval are recorded in the blacklist together with an indication of the public-network IPs removed from within the interval.
Optionally, for the case that includes public-network IPs, an embodiment of the present invention provides another way of building the blacklist in which public-network IPs need not be removed from the first IP address interval. Taking Fig. 2 as an example, Table 1 shows a form of blacklist provided by an embodiment. As shown in Table 1, the blocked IPs include both individual attack-source IPs and attack-source IP intervals, and below each blocked IP the public-network IPs and their corresponding attacking ports are further distinguished. Assume a first threshold of 2 and a second threshold of 0.8. Attack source IP2 in Fig. 2 is then an isolated attack-source IP and is recorded individually among the blocked IPs; it is not a public-network IP, so no public-network IP or attacking port is recorded for it. IP5, IP6, IP7, IP8 and IP9 form a second IP address interval, but its attack-source density of 0.6 is below the second threshold, so IP5, IP7 and IP9 are also recorded individually among the blocked IPs; none of the three is a public-network IP, so again no public-network IP or attacking port is recorded. The distance from IP12 to both IP9 and IP15 is 3, which exceeds the first threshold, so IP12 is likewise an isolated attack-source IP recorded individually among the blocked IPs; IP12 is a public-network IP whose attacking ports are port 1 and port 2. IP15, IP16, IP17 and IP18 satisfy both the first threshold and the second threshold, so IP15 and IP18 are used to mark all the IPs between them, but IP16 among them is a public-network IP whose attacking ports are port 4 and port 6.
Table 1
An embodiment of the present invention provides a method of intercepting attack-source IPs using the blacklist above, comprising the following steps:
Step one: identifying the accessing IP address;
Step two: querying whether the accessing IP address is recorded in the blacklist, or whether it falls between the first and the last attack-source IP of a second IP address interval in the blacklist;
Step three: if the accessing IP address falls between the first and the last attack-source IP of a second IP address interval in the blacklist, intercepting the access request from that IP address, or intercepting the access request from the attacking port of that IP address.
In step three, if the accessing IP address is not a public-network IP, its access request is intercepted; if it is a public-network IP, the access requests from its attacking ports are intercepted. Optionally, whether the accessing IP address is a public-network IP can be judged from the contents of the blacklist: if attacking-port information is recorded for the accessing IP address, it is a public-network IP, and it must further be determined whether the access comes from one of the attacking ports of that address; if so the access is refused, otherwise the request is allowed through. Alternatively, whether the accessing IP address is a public-network IP can be judged while the IP address is identified in step one. Optionally, where step one judges whether the IP address is a public-network IP, the blacklist can be divided into a non-public-network-IP region and a public-network-IP region: if the accessing IP address is a public-network IP the lookup is done in the public-network-IP region, otherwise in the non-public-network-IP region.
Optionally, if the accessing IP address is recorded in the blacklist individually, the access request from that IP address is intercepted, or the access request from the attacking port of that IP address is intercepted: if the accessing IP address is not a public-network IP, its access request is intercepted; if it is a public-network IP, it is judged whether the request comes from an attacking port, and the request is intercepted if so and allowed through otherwise. Taking the blacklist of Table 1 as an example: when an access request from IP2 is received, IP2 is recorded individually in the blacklist and is not a public-network IP, so its access is refused directly. When an access request from IP12 is received, the blacklist not only records IP12 as an attack-source IP but also records that IP12 is a public-network IP together with its attacking ports, so it must also be judged which port the request from IP12 comes from: if it comes from port 1 or port 2 the request is intercepted, otherwise it is allowed through. When an access request from IP16 is received, searching the blocked-IP list of the blacklist confirms that it lies within the interval marked by IP15 and IP18, but the blacklist also records that IP16 is a public-network IP, so it must again be judged which port the request comes from: if it comes from port 4 or port 6 the request is intercepted, otherwise it is allowed through.
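The interception steps one to three run against a blacklist in the form of Table 1, as an added example written for this page and not the patent's own code. The table content is constructed from the description above: IP2, IP5, IP7, IP9 and IP12 recorded individually, the interval IP15-IP18, and attacking ports for the public-network IPs IP12 (ports 1 and 2) and IP16 (ports 4 and 6). It assumes IP1 is 0.0.0.0 (so IPn is 0.0.0.(n-1)) and that the port examined is the source port of the access request, which is what identifies the individual host behind a NAT address. `PortAwareBlacklist`, `should_intercept` and `filter_requests` are names chosen here.

```python
# Added example (not the patent's code): lookup and interception against a Table 1-style
# blacklist. Assumptions: IP1 = 0.0.0.0; the port checked is the request's source port.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class PortAwareBlacklist:
    singles: FrozenSet[int]                   # individually blocked attack-source IPs
    intervals: Tuple[Tuple[int, int], ...]    # (first, last) of dense second intervals, inclusive
    attack_ports: Dict[int, FrozenSet[int]]   # public-network IP -> its attacking ports

    def contains(self, ip: int) -> bool:
        """Step two: recorded individually, or covered by a recorded interval?"""
        return ip in self.singles or any(lo <= ip <= hi for lo, hi in self.intervals)

    def is_public_network_ip(self, ip: int) -> bool:
        """The blacklist itself says so: an IP with recorded attacking ports is a shared public IP."""
        return ip in self.attack_ports

    def should_intercept(self, ip: int, port: int) -> bool:
        """Step three: a blacklisted non-public IP is blocked outright; a blacklisted
        public-network IP is blocked only for requests from its attacking ports, so the
        normal ports sharing that NAT address are not wrongly blocked."""
        if not self.contains(ip):
            return False
        if not self.is_public_network_ip(ip):
            return True
        return port in self.attack_ports[ip]


def ipn(n: int) -> int:
    """IPn of Fig. 2 as an integer, with IP1 = 0.0.0.0 (assumption)."""
    return ip_to_int("0.0.0.0") + n - 1


# Table 1 as described in the text, constructed here.
TABLE_ONE = PortAwareBlacklist(
    singles=frozenset(ipn(n) for n in (2, 5, 7, 9, 12)),
    intervals=((ipn(15), ipn(18)),),
    attack_ports={ipn(12): frozenset({1, 2}), ipn(16): frozenset({4, 6})},
)


def filter_requests(bl: PortAwareBlacklist,
                    requests: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Decide each (source address, source port) request: 'intercept' or 'allow'."""
    return [
        (ip, port, "intercept" if bl.should_intercept(ip_to_int(ip), port) else "allow")
        for ip, port in requests
    ]


if __name__ == "__main__":
    # Constructed sample requests, one per case discussed in the text.
    sample = [("0.0.0.1", 40000),   # IP2: isolated, not public -> intercept
              ("0.0.0.11", 1),      # IP12: public, attacking port -> intercept
              ("0.0.0.11", 40000),  # IP12: public, normal port -> allow
              ("0.0.0.15", 4),      # IP16: inside IP15-IP18, attacking port -> intercept
              ("0.0.0.15", 40000),  # IP16: inside interval but normal port -> allow
              ("0.0.0.16", 40000),  # IP17: inside interval, not public -> intercept
              ("0.0.0.5", 40000),   # IP6: member of sparse interval A, not recorded -> allow
              ("0.0.0.2", 40000)]   # IP3: never an attack source -> allow
    for row in filter_requests(TABLE_ONE, sample):
        print(row)
```

Two things worth noticing when reading the decisions: IP6 passes even though it sits between blocked IP5 and IP7, because interval A failed the density test and only its attack sources were recorded; and IP17, which is inside the IP15-IP18 interval but carries no port record, is blocked on every port, while its neighbour IP16 is blocked only on ports 4 and 6.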
In summary, embodiments of the present invention provide a method for establishing a blacklist, comprising: establishing a first IP address interval according to the continuity of IP addresses; identifying the attack-source IPs within the first IP address interval; determining a plurality of second IP address intervals from the first IP address interval according to the spacing between adjacent attack-source IPs, wherein the spacing between adjacent attack-source IPs within each second IP address interval is smaller than a first threshold; and, for each second IP address interval, determining the density of attack-source IPs in that interval and, if the density is greater than a second threshold, recording the first and the last attack-source IP of that interval in the blacklist. Starting from the characteristics of present-day attacks, the embodiments analyse contiguous IP addresses: a second IP address interval divided off according to the spacing between adjacent attack-source IPs contains several attack-source IPs lying close together, which gives a preliminary picture of a potential attacking IP region, and screening those intervals by attack-source density selects the ones in which attack sources are densely distributed. Recording only the first and the last IP address of such an interval in the blacklist then identifies every attack-source IP in it, without recording the attack-source IPs lying between them. The resulting blacklist reflects the distribution pattern of the attack-source IPs, so it can be used to pre-judge attack-source IPs quickly, which improves blocking efficiency and enhances device performance. Recording attack-source IPs as intervals also reduces the memory consumed.
Based on the same technical concept, the embodiment of the present invention also provides a device for establishing a blacklist, which can perform the method embodiment described above. Fig. 3 shows a device 300 for establishing a blacklist provided by an embodiment of the present invention. As shown in Fig. 3, it mainly comprises an address module 301, an identification module 302, a division module 303 and a processing module 304, wherein:
the address module 301 is configured to establish a first IP address interval according to the continuity of IP addresses;
the identification module 302 is configured to identify the attack source IPs within the first IP address interval;
the division module 303 is configured to determine, according to the spacing between adjacent attack source IPs, a plurality of second IP address intervals within the first IP address interval, where the spacing between adjacent attack source IPs in each second IP address interval is smaller than a first threshold;
the processing module 304 is configured, for each second IP address interval, to determine the density of attack source IPs in that interval and, if the density exceeds a second threshold, to record the first and the last attack source IP of the interval in the blacklist.
Optionally, the device further comprises:
the identification module 302 is further configured to judge whether an attack source IP is a public network IP;
the identification module 302 is further configured, when the attack source IP is a public network IP, to identify the attacked ports under that attack source IP;
the processing module 304 is further configured, when the attack source IP is a public network IP, to record the attack source IP together with its attacked ports in the blacklist.
Optionally:
a second IP address interval comprises the attack source IPs and the non-attack-source IPs lying between adjacent attack source IPs;
the processing module 304 is configured to take the ratio of the number of attack source IPs in the second IP address interval to the total number of IPs the interval contains as the density of attack source IPs in that interval.
Optionally, the device further comprises:
the processing module 304 is further configured, when the density of attack source IPs is lower than the second threshold or an attack source IP has not been assigned to any second IP address interval, to record that attack source IP individually in the blacklist.
Fig. 4 shows a device for intercepting attack source IPs provided by an embodiment of the present invention. As shown in Fig. 4, the intercepting device 400 comprises an identification module 401 and a processing module 402, wherein:
the identification module 401 is configured to identify the access IP address;
the processing module 402 is configured, when the blacklist contains the access IP address but does not contain attacked ports for it, to intercept the access requests of the access IP address;
the processing module 402 is further configured, when the blacklist contains the access IP address and also contains attacked ports for it, to intercept only the access requests of the access IP address that are aimed at those attacked ports;
the processing module 402 is further configured, when the access IP address falls between the first and the last attack source IP of a second IP address interval recorded in the blacklist and the blacklist does not contain attacked ports for the access IP address, to intercept the access requests of the access IP address;
the processing module 402 is further configured, when the access IP address falls between the first and the last attack source IP of a second IP address interval recorded in the blacklist and the blacklist does contain attacked ports for the access IP address, to intercept only the access requests of the access IP address that are aimed at those attacked ports.
In summary, the embodiment of the present invention provides a method and a device for establishing a blacklist: a first IP address interval is established according to the continuity of IP addresses; the attack source IPs within it are identified; a plurality of second IP address intervals are determined within the first interval according to the spacing between adjacent attack source IPs, the spacing between adjacent attack source IPs in each second interval being smaller than a first threshold; and for each second interval the density of attack source IPs is determined and, if it exceeds a second threshold, only the first and the last attack source IP of that interval are recorded in the blacklist. Because the second intervals are cut according to the spacing between adjacent attack source IPs, each one gathers several attack source IPs that lie close together and so outlines a potential IP attack region; the density screening then retains the intervals in which attack sources are densely distributed, and for those the first and last addresses alone identify every attack source IP in between, which need not be recorded themselves. The resulting blacklist reflects the distribution pattern of the attack source IPs, allows attack source IPs to be judged quickly against it, raises blocking efficiency and device performance, and, by recording attack source IPs as intervals, also reduces memory consumption.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or another programmable data processing device to operate in a particular manner, so that the instructions stored in that computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once aware of the basic inventive concept, may make further changes and modifications to these embodiments. The appended claims are therefore intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Should these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to cover them as well.

Claims (10)

1. A method for establishing a blacklist, characterised in that it comprises:
establishing a first IP address interval according to the continuity of IP addresses;
identifying the attack source IPs within the first IP address interval;
determining, according to the spacing between adjacent attack source IPs, a plurality of second IP address intervals within the first IP address interval, wherein the spacing between adjacent attack source IPs in each second IP address interval is smaller than a first threshold;
for each second IP address interval, determining the density of attack source IPs in the second IP address interval and, if the density of the attack source IPs is greater than a second threshold, recording the first attack source IP and the last attack source IP of the second IP address interval in the blacklist.
2. The method according to claim 1, characterised in that determining the density of attack source IPs in the second IP address interval comprises:
the second IP address interval comprises the attack source IPs and the non-attack-source IPs lying between adjacent attack source IPs;
taking the ratio of the number of attack source IPs in the second IP address interval to the total number of IPs contained in the second IP address interval as the density of attack source IPs in the second IP address interval.
3. The method according to claim 1, characterised in that it further comprises:
if the density of the attack source IPs is lower than the second threshold, or an attack source IP has not been assigned to any second IP address interval, recording that attack source IP in the blacklist.
4. The method according to any one of claims 1 to 3, characterised in that it comprises:
judging whether the attack source IP is a public network IP;
if the attack source IP is a public network IP, identifying the attacked ports under the attack source IP;
recording the attack source IP together with the attacked ports in the blacklist.
5. A method for intercepting attack source IPs, characterised in that it uses the blacklist according to any one of claims 1 to 4 and comprises:
identifying an access IP address;
if the blacklist contains the access IP address, intercepting the access requests of the access IP address, or intercepting the access requests of the access IP address that are aimed at its attacked ports;
if the access IP address falls between the first attack source IP and the last attack source IP corresponding to a second IP address interval in the blacklist, intercepting the access requests of the access IP address, or intercepting the access requests of the access IP address that are aimed at its attacked ports.
6. A device for establishing a blacklist, characterised in that it comprises:
an address module configured to establish a first IP address interval according to the continuity of IP addresses;
an identification module configured to identify the attack source IPs within the first IP address interval;
a division module configured to determine, according to the spacing between adjacent attack source IPs, a plurality of second IP address intervals within the first IP address interval, wherein the spacing between adjacent attack source IPs in each second IP address interval is smaller than a first threshold;
a processing module configured, for each second IP address interval, to determine the density of attack source IPs in the second IP address interval and, if the density of the attack source IPs is greater than a second threshold, to record the first attack source IP and the last attack source IP of the second IP address interval in the blacklist.
7. The device according to claim 6, characterised in that:
the second IP address interval comprises the attack source IPs and the non-attack-source IPs lying between adjacent attack source IPs;
the processing module is specifically configured to take the ratio of the number of attack source IPs in the second IP address interval to the total number of IPs contained in the second IP address interval as the density of attack source IPs in the second IP address interval.
8. The device according to claim 6, characterised in that it further comprises:
the processing module is further configured, when the density of the attack source IPs is lower than the second threshold or an attack source IP has not been assigned to any second IP address interval, to record that attack source IP in the blacklist.
9. The device according to any one of claims 6 to 8, characterised in that it further comprises:
the identification module is further configured to judge whether the attack source IP is a public network IP;
the identification module is further configured, when the attack source IP is a public network IP, to identify the attacked ports under the attack source IP;
the processing module is further configured, when the attack source IP is a public network IP, to record the attack source IP together with its attacked ports in the blacklist.
10. A device for intercepting attack source IPs, characterised in that it comprises:
an identification module configured to identify an access IP address;
a processing module configured, when the blacklist contains the access IP address, to intercept the access requests of the access IP address, or to intercept the access requests of the access IP address that are aimed at its attacked ports;
the processing module being further configured, when the access IP address falls between the first attack source IP and the last attack source IP corresponding to a second IP address interval in the blacklist, to intercept the access requests of the access IP address, or to intercept the access requests of the access IP address that are aimed at its attacked ports.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610912740.1A CN106534078B (en) 2016-10-19 2016-10-19 A kind of method and device for establishing blacklist

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610912740.1A CN106534078B (en) 2016-10-19 2016-10-19 A kind of method and device for establishing blacklist

Publications (2)

Publication Number Publication Date
CN106534078A true CN106534078A (en) 2017-03-22
CN106534078B CN106534078B (en) 2019-07-02

Family

ID=58332722

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610912740.1A Active CN106534078B (en) 2016-10-19 2016-10-19 A kind of method and device for establishing blacklist

Country Status (1)

Country Link
CN (1) CN106534078B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107395655A (en) * 2017-09-15 2017-11-24 郑州云海信息技术有限公司 A kind of system and method that network access is controlled using blacklist
CN109495489A (en) * 2018-12-04 2019-03-19 合肥天骋电子商务有限公司 A kind of information security processing system
CN110213254A (en) * 2019-05-27 2019-09-06 北京神州绿盟信息安全科技股份有限公司 A kind of method and apparatus that Internet protocol IP packet is forged in identification
CN111241543A (en) * 2020-01-07 2020-06-05 中国搜索信息科技股份有限公司 Method and system for intelligently resisting DDoS attack by application layer
CN114338168A (en) * 2021-12-29 2022-04-12 赛尔网络有限公司 IP address dynamic blocking method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891794A (en) * 2011-07-22 2013-01-23 华为技术有限公司 Data packet transmission control method and gateway device
CN104125313A (en) * 2014-07-11 2014-10-29 广州华多网络科技有限公司 Network voting method and device
US20140325648A1 (en) * 2012-09-17 2014-10-30 Huawei Technologies Co., Ltd. Attack Defense Method and Device
CN104573530A (en) * 2015-02-26 2015-04-29 浪潮电子信息产业股份有限公司 Security reinforcing system for server
US20150288715A1 (en) * 2014-04-03 2015-10-08 Automattic, Inc. Systems And Methods For Protecting Websites From Botnet Attacks

Also Published As

Publication number Publication date
CN106534078B (en) 2019-07-02

Similar Documents

Publication Publication Date Title
CN106534078A (en) Method and device for establishing black list
Yadav et al. Winning with DNS failures: Strategies for faster botnet detection
CN105337966B (en) For the treating method and apparatus of network attack
EP2530874B1 (en) Method and apparatus for detecting network attacks using a flow based technique
US9934379B2 (en) Methods, systems, and computer readable media for detecting a compromised computing host
US10374913B2 (en) Data retention probes and related methods
CN107124434B (en) Method and system for discovering DNS malicious attack traffic
EP2830260B1 (en) Rule matching method and device
WO1999048303A2 (en) Method for blocking denial of service and address spoofing attacks on a private network
JP2009534001A (en) Malicious attack detection system and related use method
CN106657161B (en) Method and device for realizing data packet filtering
KR20140027616A (en) Apparatus and method for detecting http botnet based on the density of web transaction
RU2690749C1 (en) Method of protecting computer networks
CN113992356A (en) Method and device for detecting IP attack and electronic equipment
EP3618355B1 (en) Systems and methods for operating a networking device
CN106790175A (en) The detection method and device of a kind of worm event
CN113079124B (en) Intrusion behavior detection method and system and electronic equipment
KR101293954B1 (en) Apparatus and method for detecting roundabout access
KR102211503B1 (en) Harmful ip determining method
Matsumoto et al. Adaptive Bloom filter: A space-efficient counting algorithm for unpredictable network traffic
US7917649B2 (en) Technique for monitoring source addresses through statistical clustering of packets
Cai et al. Honeynet games: a game theoretic approach to defending network monitors
RU2680038C1 (en) Method of computer networks protection
RU2686023C1 (en) Method of protecting computer networks
CN113556342A (en) DNS cache server prefix change attack protection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 3rd floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing 100089

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 3rd floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing 100089

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.