CN106789983A - CC attack defense method and defense system - Google Patents


Publication number
CN106789983A
Authority
CN
China
Prior art keywords
request
protection
user
blacklist
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611121460.5A
Other languages
Chinese (zh)
Other versions
CN106789983B (en
Inventor
张涛
刘恩炙
牛伟颖
王东艳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing An Punuo Information Technology Co Ltd
Original Assignee
Beijing An Punuo Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing An Punuo Information Technology Co Ltd
Priority to CN201611121460.5A
Publication of CN106789983A
Application granted
Publication of CN106789983B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and system for defending against CC attacks. User requests sent to a Web server pass through an interception and filtering process and a protection process of a selectable level, which together provide effective protection for the Web server. The interception process sets a blacklist and a whitelist and filters requests to the Web directory through network-layer interception and application-layer interception. The protection levels comprise basic protection, intermediate protection and/or advanced protection modules; intermediate protection comprises basic protection plus identification based on user behavior; the advanced protection unit comprises basic protection plus real-user identification. The technical scheme provided by the invention can effectively resist CC attacks on a Web server: basic protection is CC attack protection based on the access frequency of a single IP, intermediate and advanced protection implement CC attack protection based on user behavior, and slow CC attacks or fast CC attacks can be effectively resisted.

Description

CC attack defense method and defense system
Technical field
The present invention relates to website security technology, and more particularly to a method and system for defending against CC (Challenge Collapsar) attacks.
Background
A CC (Challenge Collapsar) attack is a kind of DDoS (Distributed Denial of Service) attack and a common method of attacking websites. In this attack no spoofed IPs and no especially large abnormal traffic are visible. The technique also has a low barrier to entry: with suitable tools and some IP proxies, a computer user of beginner or intermediate level can carry out this kind of attack. It therefore poses a very large threat.
The principle of a CC attack is that the attacker controls some hosts to ceaselessly send packets to the target server, exhausting server resources until the machine crashes. CC is mainly used to attack pages. Everyone has had this experience: when a very large number of people access a web page, the page opens slowly. CC simulates multiple users (as many users as there are threads) ceaselessly accessing pages that need a large amount of data operations (that is, a large amount of CPU time), wasting server resources: the CPU stays at 100% for a long time and there are always connections that cannot be fully processed, until the network is congested and normal access is interrupted.
According to these characteristics, CC attack methods can be divided into fast CC attacks and slow CC attacks. In a fast CC attack, a single point or multiple points send HTTP requests to the server frequently over a long time; in a slow CC attack, a single point or multiple points occupy multiple HTTP request processes for a long time. CC attacks can also be divided into three kinds: direct attacks, proxy attacks and botnet attacks. Direct attacks are mainly aimed at Web applications with serious defects; in general this only happens when the program is badly written, and it is relatively rare. Botnet attacks are somewhat similar to DDoS attacks and cannot be defended against at the Web application level. In a proxy attack, the CC attacker typically operates a batch of proxy servers, for example 100 proxies, and each proxy issues 10 requests simultaneously, so the Web server receives 1000 concurrent requests at once. After sending the requests, the attacker immediately drops the connection to the proxy, which prevents the data returned by the proxy from clogging the attacker's own bandwidth and from blocking further requests. The Web server then queues the processes responding to these requests, and so does the database server. Normal requests are thus processed last, pages requested normally open extremely slowly or show a white screen, and the network security of the server cannot be effectively protected.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides a CC attack defense method and system that accurately identify CC attacks and provide effective protection for a Web server. The CC attack defense system mainly comprises an interception/pass module and a protection module. The interception/pass module comprises network-layer interception and application-layer interception; the protection module comprises a basic protection module, an intermediate protection module and an advanced protection module. The CC attack defense method is aimed mainly at Web servers: using the above modules, it intercepts and filters requests to the Web directory step by step and then applies a protection process of a selectable level, providing effective protection for the Web server.
To describe the technical scheme more clearly, the variable symbols and threshold symbols involved are defined and agreed upon as shown in Table 1:
Table 1. Description of the variable symbols and threshold symbols of the present invention and their meanings
The variables in the above symbol table can be set by the user within their value ranges.
The technical scheme provided by the present invention is:
A CC attack defense method in which user requests sent to a Web server pass through an interception and filtering process and protection processes of different levels, providing effective protection for the Web server, comprising the following steps:
A. Interception process: set a blacklist and a whitelist and filter requests to the Web directory, passing in turn through network-layer interception and application-layer interception;
Setting and updating the blacklist and whitelist: the user can manually add IPs to the blacklist or whitelist, and the system can also add IPs to the blacklist or whitelist automatically. Web page requests from IPs in the blacklist are dropped; Web page requests from IPs in the whitelist bypass the CC protection module and are passed directly to the Web server for processing.
The interception process performs the following operations:
A1. Network-layer interception: the network layer identifies whether the request IP is in the blacklist or in the whitelist and intercepts accordingly;
A11. The network layer checks whether the request IP is in the blacklist; when the request IP is in the blacklist, the request is dropped and the defense operation ends;
A12. The network layer checks whether the request IP is in the whitelist; when the request IP is in the whitelist, processing passes to step A22 of the application-layer interception process;
A13. When the network layer finds the request IP in neither the blacklist nor the whitelist, the application-layer interception process is performed;
A2. Application-layer interception: the application layer identifies whether the request IP is in the blacklist or in the whitelist and intercepts accordingly;
A21. The application layer verifies whether the request IP is in the blacklist: when the request IP is in the blacklist, the request is dropped and the defense operation ends;
A22. The application layer verifies whether the request IP is in the whitelist: when the request IP is in the whitelist, the request is handed to the Web server for normal processing and the defense operation ends;
A23. When the application layer finds the request IP in neither the blacklist nor the whitelist, the CC protection process is performed;
B. CC protection process, divided into basic protection, intermediate protection and advanced protection;
In basic protection, the user configures the time limit T, the HTTP request count M and the concurrent request count N for a single IP. Protection is implemented by limiting the number of HTTP requests from each IP within a period of time, or the number of concurrent requests from a single IP, and is implemented entirely on the server side. It ensures normal access for users while identifying and intercepting fast CC attacks and slow CC attacks;
Intermediate protection adds an identification method based on user behavior on top of the basic protection unit. When an IP accesses for the first time (the server has no record of this IP), an encrypted JS script that a browser can parse is returned; after the browser parses and decrypts the JS, it requests the server again with the decrypted information to complete verification. Intermediate protection greatly increases the cost of a hacker's attack; its verification-expiry parameter greatly increases the difficulty of getting every IP verified; the parameters applied during verification also effectively prevent CC attacks during verification; and it minimizes the number of HTTP requests an attacker can send to the server.
Advanced protection adds a real-user identification method on top of the basic protection unit. When an IP accesses for the first time (the server has no record of this IP), a graphical verification code is returned; the user identifies the graphical verification code by eye and sends the identified code to the server to complete verification. Advanced protection makes the cost of a hacker's attack higher than intermediate protection does.
Basic protection, intermediate protection and advanced protection perform the following operations respectively:
B1. CC basic protection process: user requests are protected by limiting the IP request count and the number of parallel connections. It specifically comprises the following steps:
B11. Set the IP request count threshold M and judge whether the IP's requests within T seconds exceed the set count M. If so, add the IP to the interception module's blacklist, where it expires after the set time, and drop the request; otherwise continue with the following steps;
B12. Set the parallel connection count threshold N and judge whether the number of parallel connections exceeds the limit. If so, add the IP to the interception module's blacklist, where it expires after the set time K, and drop the request; otherwise continue with the following steps;
B13. Hand the request to the Web server for normal processing;
B2. CC intermediate protection process: basic protection is performed first; protection then proceeds by identifying in turn whether the requesting IP is an IP that has passed verification, whether the request is the IP's first request, whether the request is the request returning the Code after the browser has parsed the JS, and whether the IP's unrelated request connection count F exceeds the set limit. It specifically comprises the following steps:
B21. Judge whether the requesting IP is an IP that has passed verification. If so, enter the normal Web request flow and end the protection operation; otherwise continue with the following steps;
B22. Judge whether this is the requesting IP's first request. If so, return the encrypted JS verification code segment to the requester; the code segment needs to be parsed by a browser, which parses out the encrypted Code. Otherwise continue with the following steps;
B23. Judge whether the request is the request returning the Code after the browser has parsed the JS. If so, verify whether the Code is correct. If the Code is correct, verify whether the Code was returned in time: if it timed out, add the IP to the blacklist; if it did not time out, verification passes, the IP is added to the result set of verified IPs, the request is handed to the Web server for processing, and the protection operation ends. The result set has a limited validity period: comparing an IP against the result set determines whether the IP is sending its first request, and the validity period of an IP in the result set is set by the user;
In the present invention, an IP that passes verification is put into the result set rather than added directly to the whitelist. The purpose is to limit how long the IP's verification stays valid: an IP placed directly on the whitelist would never be verified again. In practice, therefore, the whitelist mainly holds trusted IPs entered manually by the user, whereas an IP that fails verification is put directly into the blacklist.
If the Code is incorrect, add the IP directly to the blacklist. If the request is not the request returning the Code after the browser has parsed the JS, continue with the following steps;
B24. Judge whether the IP's unrelated request connection count F exceeds the set limit. If so, add the IP to the interception module's blacklist, drop the request and end the protection operation; otherwise continue with the following steps;
B25. Return new JS code and go back to step B22.
B3. CC advanced protection module: basic protection is performed first; protection then proceeds by identifying in turn whether the requesting IP is an IP that has passed verification, whether the request is the IP's first request, whether the request is a request for a verification code, whether the request is a verification-code validation request, and whether the unrelated request connection count exceeds its limit. It specifically comprises the following steps:
B31. Is the IP one that has passed verification? If so, hand the request to the Web server for processing and follow the normal flow; otherwise proceed with the following steps;
B32. Is this the IP's first request? If so, return the verification code interface; otherwise proceed with the following steps;
B33. Is it a request for a verification code? If so, check whether the verification code request count I has been exceeded: if it has, add the IP to the blacklist in the interception module; if not, return the verification code image to the requester. If it is not a request for a verification code, continue with the following steps;
B34. Is it a verification-code validation request? If so, verify whether the verification code is correct. If the verification code is correct, verify whether the verification code has exceeded the timeout J: if it has not timed out, mark the IP as verified, restore the request path and hand the request to the Web server for normal processing; if the verification code has timed out, add the IP to the interception module's blacklist. If the verification code is incorrect, check whether the verification code request count I has been exceeded: if it has, add the IP to the blacklist in the interception module; if it has not, return a verification code error message and forbid the user from refreshing the verification code again. If it is not a verification-code validation request, continue with the following steps;
B35. Does the unrelated request connection count H exceed its limit? If so, add the IP to the interception module's blacklist and drop the request; if not, go back to step B32.
The advanced protection process above adds a step in which a verification code is entered manually. If the verification code is entered correctly within the specified validity time, the user's request is restored to the original request URL and handed to the Web server, which executes it normally. If the verification code is not entered correctly within the validity time, the IP is judged to be a CC attack and is added to the blacklist.
The present invention also provides a CC attack defense system (device), mainly comprising an interception/pass unit (module) and a protection unit (module). The interception/pass unit comprises network-layer interception and application-layer interception; the protection unit comprises a basic protection module, an intermediate protection module and an advanced protection module;
Interception unit: mainly used to intercept or pass the IP of a user request. This unit generates the IP blacklist and whitelist; besides letting the user add IPs to the blacklist and whitelist manually, it also supports the system adding to the blacklist and whitelist automatically. Web page requests from IPs in the blacklist are dropped; Web page requests from IPs in the whitelist bypass the CC protection module and are passed directly to the Web server for processing. The interception module intercepts or passes the IP of a user request at both the network layer and the application layer;
Basic protection unit: limits the number M of HTTP requests from each IP within time T, or the number N of concurrent requests from a single IP. It is implemented entirely on the server side and essentially cannot be bypassed. Protection effect: once the relevant parameters are set reasonably, it ensures normal access for users while identifying and intercepting relatively fast and relatively slow CC attacks. The number of HTTP requests from a single IP per unit of time and the number of concurrent requests are configured by the user.
Intermediate protection unit: on top of the basic protection unit, adds a recognition algorithm based on user behavior. When an IP accesses for the first time (the server has no record of this IP), an encrypted JS script that a browser can parse is returned; after the browser parses and decrypts the JS, it requests the server again with the decrypted information to complete verification. The protection effect is as follows: if the hacker has not cracked the encrypted JS script and has 1000 attacking IPs, a large-scale CC attack requires first accessing the server manually once in a browser on every IP, which greatly increases the cost of the attack. Intermediate protection also has a verification-expiry parameter, which further increases the difficulty of getting every IP verified, and the parameters applied during verification effectively prevent CC attacks during the verification process. Even if the hacker has paid the cost of cracking the JS code segment, the CC basic protection unit remains, which minimizes the number of HTTP requests the attacker can send to the server.
Advanced protection unit: on top of the basic protection unit, adds a real-user recognition algorithm. When an IP accesses for the first time (the server has no record of this IP), a graphical verification code is returned; the user identifies the graphical verification code by eye and sends the identified code to the server to complete verification. The protection effect of this unit is as follows: if the hacker cannot recognize verification codes automatically and has 1000 attacking IPs, a large-scale CC attack requires recognizing a verification code for the server once in a browser on every IP (more time-consuming than the single manual access of intermediate protection), which imposes a higher attack cost than intermediate protection. Advanced protection also has a verification-expiry parameter, which further increases the difficulty of getting every IP verified. Even if the hacker has paid that cost, the CC basic protection unit remains, which minimizes the number of HTTP requests the attacker can send to the server. In addition, recognizing verification codes automatically is itself very costly for the hacker (each verification code has a maximum number of errors and a validity time, so it cannot be brute-forced, and the interference level of the verification code image is very high, so automated recognition is essentially unusable). As with intermediate protection, automatic recognition of verification codes does not completely bypass CC protection; basic protection still operates effectively.
The above units make up the CC attack defense device. Using the device, the user sets the parameters of advanced, intermediate and basic protection in each protection layer according to the needs of the local server, providing effective protection for the Web server.
The beneficial effects of the invention are as follows:
The present invention provides a method and system for defending against CC attacks. User requests sent to a Web server pass through an interception and filtering process and protection processes of different levels, providing effective protection for the Web server. The interception process sets a blacklist and a whitelist and filters requests to the Web directory through network-layer interception and application-layer interception. The protection levels comprise basic protection, intermediate protection and/or advanced protection modules; intermediate protection comprises basic protection plus identification based on user behavior; the advanced protection unit comprises basic protection plus real-user identification.
The technical scheme provided by the present invention can effectively resist CC attacks on a Web server. The intermediate and advanced protection modules implement CC attack protection based on user behavior; the basic protection module is CC attack protection based on the access frequency of a single IP. The basic protection module and the intermediate protection module provided by this scheme can effectively resist slow CC attacks, and the advanced protection module can effectively resist fast CC attacks.
Brief description of the drawings
Fig. 1 is the overall flow chart of the CC attack defense method provided by the present invention.
Fig. 2 is the flow block diagram of the interception module provided by the present invention.
Fig. 3 is the flow block diagram of the basic protection module of the CC attack protection provided by the present invention.
Fig. 4 is the flow block diagram of the intermediate protection module of the CC attack protection provided by the present invention.
Fig. 5 is the flow block diagram of the advanced protection module of the CC attack protection provided by the present invention.
Specific embodiment
The present invention is further described below through embodiments with reference to the accompanying drawings, without limiting the scope of the invention in any way.
The present invention provides a CC attack defense system comprising an interception module, a basic protection module, an intermediate protection module and an advanced protection module. Fig. 1 shows the overall flow of the CC attack defense method provided by the present invention: requests sent by users are intercepted and protected so as to resist CC attacks on the Web server. The specific implementation comprises the following steps:
A. Interception module, which performs the following operations (see Fig. 2):
A1. The user sends a request to the Web server;
A2. The blacklist and whitelist mechanism is implemented at the network layer of the interception module;
The network layer of the interception module is provided with a blacklist and a whitelist. The initial lists are empty; the subsequent protection modules can actively add IPs to the lists, and the user can also add to the lists. The blacklist and whitelist do not contain the same IP;
A3. First judge whether the request IP is in the blacklist. If it is in the interception module's blacklist, drop the request; if not, continue with the following steps;
A4. Next judge whether the request IP is in the whitelist. If it is in the whitelist, go to step A6; otherwise continue with the following steps;
A5. The interception module also implements the blacklist and whitelist mechanism at the application layer. First, verify whether the request IP is in the blacklist; if so, drop the request; otherwise continue with the following steps;
The application layer of the interception module is likewise provided with a blacklist and a whitelist, which are updated in sync with the blacklist and whitelist of the interception module's network layer;
A6. Is the request IP in the whitelist? If so, hand the request to the Web server for normal processing and end the operation; otherwise hand it to the CC protection module for processing.
The interception module's blacklist and whitelist are the same at the network layer and the application layer, but even when the network layer has verified that the request IP is in the whitelist, it must also be verified at the application layer, because the application layer cannot obtain whether the request IP is in the whitelist. The interception module acts as a filter. Besides the program updating the blacklist automatically, this scheme also lets the user add to the blacklist and whitelist manually.
The CC protection module includes the basic protection module, the intermediate protection module and the advanced protection module; one of them can be selected to perform protection.
B. Basic protection module of CC protection, which specifically comprises the following steps (see Fig. 3):
B1. Do the IP's requests within time T (the period can be set to 10-9999 seconds) exceed the set count M (can be set to 10-99999)? If not, continue with step B2. If so, add the IP to the interception module's blacklist; once the set time K (can be set to 1-1440 minutes) has elapsed, the IP expires from the blacklist; such requests are dropped;
The time T, the IP request count M and the expiry time K of the IP in the blacklist need to be configured manually.
B2. Judge whether the number of parallel connections exceeds the limit N. If not, continue with step B3. If so, add the IP to the interception module's blacklist, where it expires after the set time K, and drop the request;
The parallel connection limit N and the expiry time K of the IP in the blacklist need to be configured manually. The parallel connection limit N can be set to 0-9999, where 0 means the number of parallel connections is not limited; the expiry time K can be set to 1-1440 minutes.
B3. Hand the request to the Web server for normal processing and end the operation.
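The following sketch is an added example, not code from the patent: it puts the interception lists of steps A3-A6 in front of the basic protection steps B1-B3, using the patent's symbols T, M, N and K. The class and function names, the in-memory data structures, K given in seconds and the sample IP addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

PASS, DROP = "pass", "drop"


class BasicProtection:
    """Interception lists plus steps B1-B3 for one Web server (hypothetical class)."""

    def __init__(self, T, M, N, K, whitelist=()):
        self.T, self.M, self.N, self.K = T, M, N, K   # K is in seconds here
        self.whitelist = set(whitelist)
        self.black_until = {}                 # ip -> time the blacklist entry lapses
        self.hits = defaultdict(deque)        # ip -> request times inside the last T
        self.inflight = defaultdict(int)      # ip -> requests not yet finished

    def _blacklisted(self, ip, now):
        until = self.black_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # entry expired after K
            del self.black_until[ip]
            return False
        return True

    def _ban(self, ip, now):
        self.black_until[ip] = now + self.K
        return DROP

    def begin_request(self, ip, now):
        # Interception: the blacklist is checked before the whitelist.
        if self._blacklisted(ip, now):
            return DROP
        if ip in self.whitelist:
            return PASS                       # whitelisted IPs bypass CC protection
        # B1: more than M requests inside the last T seconds?
        window = self.hits[ip]
        while window and window[0] <= now - self.T:
            window.popleft()
        window.append(now)
        if len(window) > self.M:
            return self._ban(ip, now)
        # B2: more than N parallel requests? N == 0 means no limit.
        if self.N and self.inflight[ip] + 1 > self.N:
            return self._ban(ip, now)
        # B3: hand the request to the Web server.
        self.inflight[ip] += 1
        return PASS

    def end_request(self, ip):
        """Call when the Web server has finished a passed request."""
        if self.inflight[ip] > 0:
            self.inflight[ip] -= 1


def replay_fast_client(guard, ip, count, step=1.0):
    """Constructed traffic: `count` requests, each finished before the next one."""
    decisions = []
    for i in range(count):
        decision = guard.begin_request(ip, now=i * step)
        if decision == PASS:
            guard.end_request(ip)
        decisions.append(decision)
    return decisions


def replay_slow_client(guard, ip, count):
    """Constructed traffic: `count` requests opened and never finished."""
    return [guard.begin_request(ip, now=0.1 * i) for i in range(count)]


if __name__ == "__main__":
    guard = BasicProtection(T=10, M=5, N=2, K=60, whitelist={"192.0.2.1"})
    print("fast:", replay_fast_client(guard, "198.51.100.7", 7))
    print("slow:", replay_slow_client(guard, "198.51.100.8", 4))
```

The fast client trips the request count M, the slow client trips the parallel connection limit N, and both stay blocked until K has elapsed.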
The intermediate protection module of C.CC protection, specifically includes following steps (such as Fig. 4):
C1. In the intermediate protection module, a request must first pass through the basic protection module; the specific steps are identical to step B. After passing the basic protection of step B, the request enters the flow specific to intermediate protection, whose steps are as follows;
C2. Is the requesting IP an IP that has passed verification? If so, the request goes into normal Web processing; otherwise, continue with the following steps;
Whether the requesting IP has passed verification can be determined by scanning the result set of verified IPs and comparing it with the requesting IP;
C3. Determine whether this is the first request from the requesting IP. If it is, return an encrypted JS verification code segment to the requester. The code segment has to be parsed by a browser (which parses out the encrypted Code); if the encrypted JS verification code segment is parsed and returned normally, the request was sent by a browser. Otherwise, the request is not a first request, and the following steps continue;
The JS code is an encrypted piece of Code. If a request is sent by a browser, the verification JS is parsed normally by the browser and the decrypted Code is returned to the protection module. If the request is sent through a proxy or a tool, the JS code segment usually cannot be parsed, so the correct Code cannot be returned to the protection module; this effectively prevents CC attacks. The browser parses the code and returns the result automatically, and the user does not perceive the process.
C4. Is the request a Code-return request issued after the browser parsed the JS? If so, verify whether the Code is correct. If it is correct, check whether the Code return time has timed out; if it has timed out, add the IP to the blacklist of the interception module. If it has not timed out, verification passes: the IP is added to the result set (which is used to judge whether an IP has passed verification and whether a request is a first request), the request is handed to the Web server for normal processing, and the defense operation ends. If the Code is incorrect, add the IP directly to the blacklist of the interception module. If the request is not a Code-return request issued after the browser parsed the JS, continue with the following steps;
Once verification passes, the IP is added to the result set, which step C2 uses to check whether the requesting IP has passed verification. An entry in the result set is valid only for a set time: an IP that has passed verification does not remain in the passed state indefinitely, and once the set effective time G has elapsed the IP automatically becomes invalid. This time setting also provides the basis for judging whether a request is a first request: after the set time has been exceeded, a request sent again by the IP is treated as a first request.
C5. During verification, within R seconds, does the number of unrelated request connections F from the IP exceed the limit? If so, add the IP to the blacklist of the interception module and drop the request; otherwise continue with the following steps;
C6. Return new JS code and continue from step C3.
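Steps C2 to C6 form a small per-IP state machine. The sketch below is an added example, not code from the patent or its authors. It assumes a hypothetical `code_timeout` for the Code return time, which the text leaves unnamed, and a timed blacklist entry. The encrypted JS itself is not modelled: the expected Code is handed back directly, standing in for what a browser would recover by running the script. IP addresses and timings are constructed.

```python
import hmac
import secrets


class IntermediateProtection:
    """Per-IP flow of steps C2-C6: challenge, Code check, unrelated-request limit."""

    def __init__(self, code_timeout, r_seconds, f_unrelated, g_seconds, lock_seconds):
        self.code_timeout = code_timeout  # assumed name: seconds allowed to return the Code
        self.r = r_seconds                # R: counting window during verification
        self.f = f_unrelated              # F: unrelated requests tolerated inside R
        self.g = g_seconds                # G: how long a verified IP stays verified
        self.lock_seconds = lock_seconds  # assumed: lifetime of a blacklist entry
        self.verified = {}                # ip -> time the verified state lapses
        self.pending = {}                 # ip -> state of the running verification
        self.blacklist = {}               # ip -> time the lock expires

    def _issue(self, ip, now, window_start, unrelated):
        code = secrets.token_hex(8)       # fresh Code for every challenge (C3, C6)
        self.pending[ip] = {"code": code, "issued": now,
                            "window_start": window_start, "unrelated": unrelated}
        return ("challenge", code)

    def _block(self, ip, now):
        self.pending.pop(ip, None)
        self.blacklist[ip] = now + self.lock_seconds
        return ("drop", None)

    def handle(self, ip, now, returned_code=None):
        """Return (verdict, code); verdict is 'pass', 'drop' or 'challenge'."""
        if ip in self.blacklist:
            if now < self.blacklist[ip]:
                return ("drop", None)
            del self.blacklist[ip]
        # C2: already verified and still inside the effective time G?
        if ip in self.verified:
            if now < self.verified[ip]:
                return ("pass", None)
            del self.verified[ip]         # lapsed: treated as a first request again
        state = self.pending.get(ip)
        # C3: first request gets a challenge.
        if state is None:
            return self._issue(ip, now, now, 0)
        # C4: Code-return request: must be correct and returned in time.
        if returned_code is not None:
            correct = hmac.compare_digest(returned_code.encode(), state["code"].encode())
            in_time = now - state["issued"] <= self.code_timeout
            if not (correct and in_time):
                return self._block(ip, now)
            del self.pending[ip]
            self.verified[ip] = now + self.g
            return ("pass", None)
        # C5: any other request during verification counts as unrelated.
        if now - state["window_start"] >= self.r:
            state["window_start"], state["unrelated"] = now, 0
        state["unrelated"] += 1
        if state["unrelated"] > self.f:
            return self._block(ip, now)
        # C6: answer with a new challenge.
        return self._issue(ip, now, state["window_start"], state["unrelated"])


def browser_session(guard, ip):
    """Constructed client that solves the challenge, then returns later."""
    _, code = guard.handle(ip, 0.0)
    return [guard.handle(ip, 1.0, returned_code=code)[0],
            guard.handle(ip, 1800.0)[0],
            guard.handle(ip, 3601.0)[0]]


def tool_session(guard, ip, count, spacing):
    """Constructed client that never returns a Code and keeps requesting."""
    return [guard.handle(ip, i * spacing)[0] for i in range(count)]


if __name__ == "__main__":
    g = IntermediateProtection(code_timeout=5, r_seconds=10, f_unrelated=10,
                               g_seconds=3600, lock_seconds=60)
    print(browser_session(g, "198.51.100.7"))
    print(tool_session(g, "198.51.100.8", 12, 0.5))
```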
D. The advanced protection module of CC protection specifically includes the following steps (see Fig. 5):
D1. In the advanced protection module, a request must first pass through the basic protection module; the specific steps are the same as in B. After passing the protection of step B, the request enters the flow specific to advanced protection, whose steps are as follows;
D2. Is the requesting IP an IP that has passed verification? If so, hand the request to the Web server for processing and follow the normal flow; otherwise carry out the following steps;
D3. Is this the IP's first request? If so, return the verification code interface. The verification code interface is a Web page that requires the user accessing the website to enter a graphical verification code; only after entering the correct verification code can the first access proceed normally. Because this step requires the user to enter a verification code, advanced protection effectively avoids CC attacks, and in particular defends against CC attacks carried out through proxies (a proxy cannot enter a verification code manually, so a step that requires user input effectively avoids this kind of CC attack). Otherwise carry out the following steps;
D4. Is the request a request for a verification code? If so, determine whether the number of verification-code requests exceeds the limit I. If it does, add the IP to the blacklist of the interception module; if it does not, return the verification code image to the requester, and the user must enter the correct verification code to pass verification. If the request is not a request for a verification code, continue with the following steps;
The verification-code request limit I is set manually.
D5. Is the request a request to verify a verification code? If so, first verify whether the verification code is correct. If it is correct, check whether it has timed out (a single verification code is valid for J seconds). If it has not timed out, mark the IP as verified, restore the request path, and hand the request to the Web server for normal processing; after passing verification the IP remains valid for a certain time (the effective time G is set by the user), and the defense operation ends. If the verification code has timed out, add the IP to the blacklist of the interception module. If the verification code is incorrect, check whether the verification-code request count I exceeds the limit; if it does, add the IP to the blacklist of the interception module; if it does not, return a verification-code error message and forbid the user from refreshing the verification code again. If the request is not a request to verify a verification code, continue with the following steps;
This step adds a manual verification-code entry step on top of the original request. If the verification code is entered correctly within the specified effective time, the user's request is restored to the original request URL and handed to the Web server to execute normally. If the verification code is not entered correctly within the effective time, the IP is judged to be a CC attack and is added to the blacklist. The verification-code request count I and the verification-code effective time J in this step are set manually.
D6. Does the number of unrelated request connections exceed the limit (the unrelated request count H is set by the user)? If it does, add the IP to the blacklist of the interception module and drop the request; if it does not, go to step D3.
The unrelated request connection threshold is set manually.
This completes the description of the CC attack defense scheme.
The invention is further described below through examples.
The following embodiments provide a CC protection module implemented in the C language with a C/S (client/server) architecture. The management end is a terminal computer M running Windows, and the agent end is a server S running Linux. A Web service is deployed on S, whose IP is 192.168.1.47. The current user is Admin, who logs in to the management end M and connects to the agent end S; the user can then configure CC attack protection for the website. The CC protection module in this embodiment includes the basic, intermediate and advanced protection modules implemented with the technical scheme of the invention. In a specific implementation, CC attack protection for the website is achieved by selecting the protection module of the appropriate level:
Embodiment one: a single IP reaching y accesses within every x seconds triggers CC attack protection. The implementation is as follows:
1) At the M end, Admin sets the CC protection level to basic protection and sets the basic protection parameters as: for a single IP, if accesses reach y within every x seconds, or more than z parallel connections are established, the IP is locked for v minutes;
2) The attacker uses the ab tool that comes with httpd to send attack commands to the server:
./ab -n/-c m http://192.168.1.47/login.jsp, where the -n parameter means m requests are sent and -c means m parallel connections are established.
3) Admin sets the basic protection module parameter values to: x=10, y=10, z=10, v=10;
4) The attacker sends requests with the ab tool using the command ./ab -n 20 http://192.168.1.47/login.jsp, which sends 20 requests (m=20) to the server at IP address 192.168.1.47. Now m>y (20>10), i.e. the IP's requests within 10 s exceed the configured count of 10, so the basic protection module adds the IP that issued the ab command to the blacklist in the interception module. The IP remains in the blacklist for 10 minutes, i.e. the IP is locked for 10 minutes and its requests are dropped;
Embodiment two: a single IP establishing more than z parallel connections triggers CC attack protection. The implementation is as follows:
1) Admin sets the basic protection module parameters to: x=10, y=100, z=10, v=10. Here y is deliberately set to a large value so that CC attack protection is not triggered by the access count, which would bypass the CC protection triggered by the parallel connection count.
2) The attacker now sends the command ./ab -c 20 http://192.168.1.47/login.jsp with the ab tool, which establishes 20 concurrent accesses to the Web application on the server at IP 192.168.1.47. Now m>z (20>10), i.e. the single IP's parallel connection count exceeds 10, so the basic protection module adds the IP that issued the ab command to the blacklist in the interception module. The IP remains in the blacklist for 10 minutes, i.e. the IP is locked for 10 minutes and its requests are dropped;
The above describes the implementation in which exceeding the concurrent connection limit triggers CC attack protection.
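The two basic-protection embodiments above can be replayed offline with the parameter values they give (x=10, y=10 or 100, z=10, v=10). The following is an added example, not the patent's C implementation; the class and function names are assumptions, the traffic is constructed, and time is passed in explicitly so the lock expiry can be checked without waiting.

```python
from collections import defaultdict, deque


class BasicProtection:
    """Per-IP request-rate and parallel-connection limits with a timed blacklist."""

    def __init__(self, x_seconds, y_requests, z_parallel, v_minutes):
        self.x = x_seconds                  # length of the counting window
        self.y = y_requests                 # requests allowed inside the window
        self.z = z_parallel                 # parallel connections allowed
        self.lock_seconds = v_minutes * 60  # lifetime of a blacklist entry
        self.hits = defaultdict(deque)      # ip -> request times inside the window
        self.open_conns = defaultdict(int)  # ip -> connections currently open
        self.blacklist = {}                 # ip -> time at which the lock expires

    def _locked(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                   # entry has lapsed: forget it
            del self.blacklist[ip]
            return False
        return True

    def on_request(self, ip, now):
        """Decide 'pass' or 'drop' for a request arriving at time `now` (seconds)."""
        if self._locked(ip, now):
            return "drop"
        window = self.hits[ip]
        while window and now - window[0] >= self.x:
            window.popleft()                # discard requests older than x seconds
        window.append(now)
        # The embodiments compare with ">" (20 > 10), so the limits are exclusive.
        if len(window) > self.y or self.open_conns[ip] + 1 > self.z:
            self.blacklist[ip] = now + self.lock_seconds
            window.clear()
            return "drop"
        self.open_conns[ip] += 1
        return "pass"

    def on_close(self, ip):
        """Call when the connection of a passed request finishes."""
        if self.open_conns[ip] > 0:
            self.open_conns[ip] -= 1


def replay_sequential(guard, ip, count, start, spacing):
    """Constructed traffic: `count` requests, each closed before the next one."""
    verdicts = []
    for i in range(count):
        verdict = guard.on_request(ip, start + i * spacing)
        if verdict == "pass":
            guard.on_close(ip)
        verdicts.append(verdict)
    return verdicts


def replay_parallel(guard, ip, count, now):
    """Constructed traffic: `count` connections opened together and held open."""
    return [guard.on_request(ip, now) for _ in range(count)]


def embodiment_one():
    """20 requests in under 10 s against x=10, y=10, z=10, v=10."""
    guard = BasicProtection(10, 10, 10, 10)
    ip = "198.51.100.20"                    # constructed address
    burst = replay_sequential(guard, ip, 20, 0.0, 0.5)
    # The 11th request arrives at t=5.0, so the lock runs until t=605.0.
    return burst, guard.on_request(ip, 604.0), guard.on_request(ip, 605.0)


def embodiment_two():
    """20 parallel connections against x=10, y=100, z=10, v=10."""
    guard = BasicProtection(10, 100, 10, 10)
    return replay_parallel(guard, "198.51.100.21", 20, 0.0)


if __name__ == "__main__":
    print(embodiment_one())
    print(embodiment_two())
```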
1) At the M end, Admin sets the CC protection level to intermediate protection and sets the protection parameters as: for a single IP, if accesses reach y within every x seconds, or more than z parallel connections are established, the IP is locked for v minutes; during verification at most j unrelated request connections are allowed within k seconds; after passing verification the IP is valid for r hours.
2) Admin now sets the parameter values to: v=1, k=10, j=10, r=1, x=9999, y=9999, z=9999;
3) The attacker uses the fiddler tool against http://192.168.1.47/. When the unrelated request count exceeds the limit (more than j=10 unrelated requests are sent with fiddler), the IP is locked for 1 minute. If a tool accesses http://192.168.1.47/login.jsp more than j=10 times within the verification time of k=10 seconds, requests from the IP can no longer succeed. If the IP has passed verification, it can access http://192.168.1.47/login.jsp successfully within 1 hour.
Embodiment three: implementing the advanced protection module:
1) At the M end, Admin sets the CC protection level to advanced protection and sets the protection parameters as: for a single IP, if accesses reach y within every x seconds, or more than z parallel connections are established, the IP is locked for v minutes; before verification a single IP is allowed at most q accesses; the verification code may be refreshed at most f times; a single verification code is valid for g seconds; a single IP is saved for s minutes; after passing verification a single IP is valid for r hours.
2) The parameter values are now set to: x=10, y=9999, z=9999, v=10, q=10, f=3, g=60, s=10, r=1. These parameters are chosen so that the flow specific to advanced protection takes effect as far as possible, so the x, y, z and v values can be maximum values. If there are more than 10 accesses before verification, i.e. other requests arrive while the verification code is being entered, the IP is added to the blacklist of the interception module and the request is dropped. Here the user has only 3 chances to refresh the verification code, a single verification code is valid for 60 seconds, and a single IP that has passed verification is valid for only 1 hour; after more than 1 hour it must verify again. This completes the implementation of the advanced protection method of CC attack defense.
It should be noted that the embodiments are disclosed to help further understanding of the invention, but those skilled in the art will appreciate that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should therefore not be limited to what the embodiments disclose; the scope of protection claimed by the invention is the scope defined by the claims.

Claims (6)

1. A CC attack defense method which, for user requests sent to a Web server, achieves effective protection of the Web server through an interception/filtering process and CC protection processes of different levels, comprising the following steps:
A. Interception process: a blacklist and a whitelist are set, and requests to the Web directory are filtered by passing in turn through network-layer interception and application-layer interception; specifically, the following operations are performed:
A1. Network-layer interception: the network layer identifies whether the requesting IP is in the blacklist or in the whitelist and intercepts or releases it accordingly;
A11. The network layer identifies whether the requesting IP is in the blacklist; when the requesting IP is in the blacklist, the request is dropped and the defense operation ends;
A12. The network layer identifies whether the requesting IP is in the whitelist; when the requesting IP is in the whitelist, processing goes to step A22 of the application-layer interception process;
A13. When the network layer identifies that the requesting IP is neither in the blacklist nor in the whitelist, the application-layer interception process is performed;
A2. Application-layer interception: the application layer identifies whether the requesting IP is in the blacklist or in the whitelist and intercepts accordingly;
A21. The application layer verifies whether the requesting IP is in the blacklist: when the requesting IP is in the blacklist, the request is dropped and the defense operation ends;
A22. The application layer verifies whether the requesting IP is in the whitelist: when the requesting IP is in the whitelist, the request is handed to the Web server for normal processing and the defense operation ends;
A23. When the application layer verifies that the requesting IP is neither in the blacklist nor in the whitelist, the CC protection process is performed;
B. CC protection process: divided into basic protection, intermediate protection and advanced protection;
In the basic protection process, the user configures a time threshold, an HTTP request count threshold and a concurrent request count threshold for a single IP; protection is implemented by limiting the number of HTTP requests from each IP within a period of time or the number of concurrent requests from a single IP, and is implemented entirely on the server side; this both guarantees normal user access and identifies and intercepts fast CC attacks and slow CC attacks;
The intermediate protection process includes the basic protection process and a process specific to intermediate protection. On the basis of the basic protection unit, the intermediate protection process adds an identification method based on user behavior: when each IP accesses for the first time, a JS encrypted script that a browser can parse is returned; after the browser parses and decrypts the JS, it requests the server again with the decrypted information to complete verification; validation of an expiry parameter is also included. The intermediate protection process greatly increases the cost of an attack, while expiry-parameter validation greatly increases the difficulty for each IP of passing verification, and the parameters applied during verification effectively prevent CC attacks during the verification process, thereby minimizing the number of HTTP requests an attacker can send to the server;
The advanced protection process includes the basic protection process and a process specific to advanced protection. On the basis of the basic protection unit, the advanced protection process adds a real-user identification method: when each IP accesses for the first time, a graphical verification code is returned; the user identifies the graphical verification code by eye and sends the identified verification code to the server to complete verification. Advanced protection makes the cost of an attack greater than intermediate protection does, thereby achieving the purpose of protecting the Web server.
2. The defense method as claimed in claim 1, characterized in that IPs can be added to the blacklist or whitelist manually by the user, or the system adds IPs to the blacklist or whitelist automatically during defense; when the IP requesting access to a Web page is an IP in the blacklist, the Web page access request is dropped; when the IP requesting access to a Web page is an IP in the whitelist, the Web page access request does not go through the CC protection process and is sent directly to the Web server for processing.
3. The defense method as claimed in claim 1, characterized in that the basic protection process protects user requests by means of the IP request count and the number of parallel connections; specifically comprising the following steps:
B11. Set an IP request count threshold and judge whether the IP's requests within a certain time exceed the set IP request count threshold; if so, the IP is added to the blacklist of the interception process, where the entry lapses after the set time has passed, and the request is dropped; otherwise, continue with the following steps;
B12. Set a parallel connection count threshold and judge whether the number of parallel connections exceeds the parallel connection count threshold; if so, the IP is added to the blacklist of the interception process, where the entry lapses after the set time has passed, and the request is dropped; otherwise, continue with the following steps;
B13. Hand the request to the Web server for normal processing;
The intermediate protection process first carries out the basic protection and then protects by identifying in turn whether the user's requesting IP is an IP that has passed verification, whether the request is the requesting IP's first request, whether the user request is a Code-return request issued after the browser parsed the JS, and whether the number of unrelated request connections from the requesting IP exceeds the set unrelated request connection threshold; specifically comprising the following steps:
B21. Judge whether the user's requesting IP is an IP that has passed verification; if so, enter the normal Web request flow and end the protection operation; otherwise, continue with the following steps;
B22. Judge whether this is the requesting IP's first request; if so, return an encrypted JS verification code segment to the requester; the code segment has to be parsed by a browser, which parses out the encrypted Code; otherwise, continue with the following steps;
B23. Judge whether the user request is a Code-return request issued after the browser parsed the JS; if so, verify whether the Code is correct; if the Code is correct, check whether the Code return time has timed out, and if it has timed out, add the IP to the blacklist; if it has not timed out, verification passes, the IP is added to the result set of verified IPs, the request is handed to the Web server for processing, and the protection operation ends; if the Code is incorrect, add the IP directly to the blacklist;
If the request is not a Code-return request issued after the browser parsed the JS, continue with the following steps;
B24. Judge whether the number of unrelated request connections from the IP exceeds the set limit; if so, add the IP to the blacklist of the interception process, drop the request, and end the protection operation; otherwise continue with the following steps;
B25. Return new JS code and go back to step B22;
The advanced protection process first carries out the basic protection and then protects by identifying in turn whether the user's requesting IP is an IP that has passed verification, whether the request is the requesting IP's first request, whether the user request is a request for a verification code, whether the user request is a request to verify a verification code, and whether the number of unrelated request connections exceeds the limit; specifically comprising the following steps:
B31. Judge whether the IP is one that has passed verification. If so, hand the request to the Web server for processing and follow the normal flow; otherwise carry out the following steps;
B32. Judge whether this is the IP's first request. If so, return the verification code interface; otherwise carry out the following steps;
B33. Judge whether the request is a request for a verification code. If so, check whether the verification-code request count has been exceeded. If it has, add the IP to the blacklist of the interception process; if it has not, return the verification code image to the requester. If the request is not a request for a verification code, continue with the following steps;
B34. Judge whether the request is a request to verify a verification code. If so, verify whether the verification code is correct; if it is correct, check whether the verification code has timed out; if it has not timed out, mark the IP as verified, restore the request path, and hand the request to the Web server for normal processing; if the verification code has timed out, add the IP to the blacklist of the interception process; if the verification code is incorrect, check whether the verification-code request count exceeds the limit; if it does, add the IP to the blacklist of the interception process; if it does not, return a verification-code error message and forbid the user from refreshing the verification code again; if the request is not a request to verify a verification code, continue with the following steps;
B35. Judge whether the number of unrelated request connections exceeds the limit. If it does, add the IP to the blacklist of the interception process, drop the request, and end the operation; if it does not, go back to step B32.
4. The defense method as claimed in claim 1, characterized in that, in the basic protection process, the time threshold for a single IP may be set to 10-9999 seconds; the HTTP request count threshold may be set to 10-99999 times; the concurrent request count threshold may be set to 0-9999 times.
5. A CC attack defense system, characterized in that the defense system includes an interception/release unit and a protection unit; the interception/release unit includes network-layer interception and application-layer interception; the protection unit includes one or more of a basic protection module, an intermediate protection module and an advanced protection module;
The interception/release unit is used to intercept or release the IP of a user request at the network layer and the application layer; the interception unit sets and updates an IP blacklist and whitelist to intercept or release the IP of a user request;
The basic protection unit is used to limit the number of HTTP requests from each IP within a period of time or the number of concurrent requests from a single IP; it is implemented entirely on the server side, so that it both guarantees normal user access and identifies and intercepts fast and slow CC attacks;
The intermediate protection unit includes the basic protection unit and an identification unit based on user behavior; the identification unit based on user behavior, when each IP accesses for the first time, returns a JS encrypted script that a browser can parse; after the browser parses and decrypts the JS, it requests the server again with the associated decrypted information to complete verification; this minimizes the number of HTTP requests an attacker can send to the server and achieves the purpose of protecting the server;
The advanced protection unit includes the basic protection unit and a real-user identification unit; the real-user identification unit, when each IP accesses for the first time, returns a graphical verification code; the user identifies the graphical verification code by eye and sends the identified verification code to the server to complete verification; this achieves the purpose of effectively protecting the server.
6. The defense method as claimed in claim 1, characterized in that the interception/release unit has a blacklist and a whitelist at both the network layer and the application layer, and the blacklists and whitelists of the interception/release unit at the network layer and the application layer are updated synchronously.
CN201611121460.5A 2016-12-08 2016-12-08 A kind of CC attack defense method and its system of defense Active CN106789983B (en)


Publications (2)

Publication Number Publication Date
CN106789983A CN106789983A (en) 2017-05-31
CN106789983B CN106789983B (en) 2019-09-06



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant