CN106790073A - Method, device and firewall for blocking malicious attacks on a Web server - Google Patents

Publication number
CN106790073A
Authority
CN
China
Prior art keywords
client
access request
identification information
malicious attack
cookie
Legal status
Granted
Application number
CN201611192582.3A
Other languages
Chinese (zh)
Other versions
CN106790073B (en
Inventor
郭波
郭一波
赵东宾
何艳华
李志捷
张元立
Current Assignee
Beijing Venus Information Security Technology Co Ltd
Venustech Group Inc
Original Assignee
Beijing Venus Information Security Technology Co Ltd
Venustech Group Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Abstract

The invention discloses a method, device and firewall for blocking malicious attacks on a Web server. The blocking method includes: receiving the access request sent by a client to access the Web server; judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client; and discarding the access request and blocking subsequent access requests sent by the malicious attack client. The invention therefore does not block the IP address directly but blocks only the client that initiated the malicious attack, ensuring that normal users in the LAN who have not launched a malicious attack can still access the Web server normally.

Description

Method, device and firewall for blocking malicious attacks on a Web server
Technical field
The invention belongs to the field of information security technology and, more particularly, relates to a method, device and firewall for blocking malicious attacks on a Web server.
Background
With the continuous development of Internet technology, more and more users need to connect to the Internet to obtain data, visit websites and so on. Users access the Internet with IPv4 addresses, and because the number of IPv4 addresses is limited, the IPv4 address space has been exhausted.
To cope with IPv4 address exhaustion, most places with many clients, such as companies, government offices and Internet cafes, put these clients on a LAN and connect them to the Internet through a NAT device that performs network address translation. As a result, all clients in the LAN access the Internet through a single public IP address.
At the same time, malicious attacks on Web servers are increasingly rampant. Malicious attacks mainly include crawler attacks and vulnerability-scanning attacks, in which attackers attack the Web server with scanning and probing tools, automated attack tools and the like.
To cope with malicious attacks, websites deploy network security devices such as firewalls to strengthen the security of the Web server. The existing firewall approach to malicious attacks on a Web server is to block access from the IP address as soon as an attack is identified.
However, a LAN contains a large number of users. If just one of them actively initiates a malicious attack, or passively initiates one because of a virus infection, a Trojan or similar factors, blocking access from the IP address that user uses means that no user in the whole LAN can access the Web server. Users who have not launched any malicious attack also cannot access the Web server normally.
Therefore, a method is urgently needed that, after an attack is identified, still ensures that normal users in the LAN who have not launched a malicious attack can access the Web server normally.
Summary of the invention
In view of this, the invention provides a method, device and firewall for blocking malicious attacks on a Web server, to solve the technical problem in the prior art that an abnormal user in a LAN causes all users in the whole LAN to be unable to access the Web server normally.
To achieve the above object, the invention provides the following technical solutions:
The invention provides a method for blocking malicious attacks on a Web server, including:
receiving the access request sent by a client to access the Web server;
judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client;
discarding the access request and blocking subsequent access requests sent by the malicious attack client.
Preferably, marking the client as a malicious attack client includes:
parsing the access request to obtain the identification information of the client;
marking, according to the identification information, the client corresponding to the identification information in the preset template as a malicious attack client.
Preferably, parsing the access request to obtain the identification information of the client includes:
parsing the access request by protocol parsing to obtain a parse result;
judging whether the parse result contains a Cookie;
if so, using the session information for accessing the Web server in the Cookie as the identification information of the client;
if not, obtaining a Cookie containing identification information from the parse result using a preset algorithm;
replying to the client with the Cookie containing the identification information as a redirect message, so that the client stores the Cookie and carries it in its next access request.
Preferably, after parsing the access request to obtain the identification information of the client, the method further includes:
parsing the access request to obtain the IP address of the client;
generating the preset template from the IP address of the client and the identification information of the client.
Preferably, the same IP address in the preset template corresponds to the identification information of multiple clients, and the blocking method further includes:
sending the IP addresses of the clients in the preset template and the identification information of the clients under each IP address to a display module, in the form of reports and/or logs, for display.
Another aspect of the invention provides a device for blocking malicious attacks on a Web server, including:
a receiving module, for receiving the access request sent by a client to access the Web server;
a judging module, for judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client;
a processing module, for discarding the access request and blocking subsequent access requests sent by the malicious attack client.
Preferably, the judging module includes:
a parsing unit, for parsing the access request to obtain the identification information of the client;
a marking unit, for marking, according to the identification information, the client corresponding to the identification information in the preset template as a malicious attack client.
Preferably, the parsing unit includes:
a first parsing subunit, for parsing the access request by protocol parsing to obtain a parse result;
a judging unit, for judging whether the parse result contains a Cookie; if so, using the session information for accessing the Web server in the Cookie as the identification information of the client; if not, obtaining a Cookie containing identification information from the parse result using a preset algorithm;
a redirecting unit, for replying to the client with the Cookie containing the identification information as a redirect message, so that the client stores the Cookie and carries it in its next access request.
Preferably, the device further includes:
a second parsing subunit, for parsing the access request to obtain the IP address of the client;
a generating unit, for generating the preset template from the IP address of the client and the identification information of the client.
Another aspect of the invention discloses a firewall including the blocking device described above.
As can be seen from the above technical solutions, compared with the prior art, the invention discloses a method, device and firewall for blocking malicious attacks on a Web server. The blocking method includes: receiving the access request sent by a client to access the Web server; judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client; and discarding the access request and blocking subsequent access requests sent by the malicious attack client. The invention therefore does not block the IP address directly but blocks only the client that initiated the malicious attack, ensuring that normal users in the LAN who have not launched a malicious attack can still access the Web server normally.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a schematic flowchart of a method for blocking malicious attacks on a Web server provided by an embodiment of the invention;
Fig. 2 is another schematic flowchart of a method for blocking malicious attacks on a Web server provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a device for blocking malicious attacks on a Web server provided by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In the prior art, the method for blocking a malicious attack is: once an access request is found to be a malicious attack, the IP address of the client that sent the access request is obtained, and that client's malicious attack on the Web server is then blocked by blocking the IP address.
This kind of IP-based blocking only records log information about the blocked IP and cannot provide evidence for investigating and collecting evidence against the real attacker.
Moreover, once access from the IP address the user uses is blocked, no user in the whole LAN can access the Web server. Users who have not launched any malicious attack also cannot access the Web server normally.
To solve the problems in the prior art, the embodiments of the invention disclose a method, device and firewall for blocking malicious attacks on a Web server. The technical solution is described in detail below.
Fig. 1 is a schematic flowchart of a method for blocking malicious attacks on a Web server provided by the invention.
Referring to Fig. 1, the invention provides a method for blocking malicious attacks on a Web server, including:
S101: receive the access request sent by a client to access the Web server;
In the embodiment of the invention, the blocking method is preferably applied in a firewall. The firewall is deployed between the Web server and the client, acting as a bridge connecting the two.
In practice, the firewall is usually deployed in gateway mode, so any traffic or request that needs to reach the Web server must pass through the firewall.
Therefore, in the embodiment of the invention, when a client needs to access the Web server, the firewall receives the access request sent by the client before the request is sent on to the Web server.
In practice, this step can also be real-time detection of the traffic from the client to the Web server; this traffic includes the client's access requests to the Web server.
S102: judge whether the access request is a malicious attack request and, if so, mark the client as a malicious attack client;
When an access request is received, mature detection means from the prior art are used to judge whether it is a malicious attack request, for example a malicious crawler or a vulnerability scan.
If so, the client that launched the attack is marked as a malicious attack client.
In practice, this step can also identify whether a malicious attack request is present in the traffic; if one is present, the client is marked as a malicious attack client.
If not, the access request can be allowed through so that the client can access the Web server normally. Other policies can of course also be applied, such as checking whether the Web server has reached its access limit, with the corresponding follow-up operation then performed on the request; these are not described further here.
S103: discard the access request and block subsequent access requests sent by the malicious attack client.
If the access request is a malicious attack request, it is discarded, that is, the data packet or message sent by the client is dropped, protecting the Web server from attack.
In addition, subsequent requests sent by the malicious attack client are blocked. That is, the client is shielded: its communication and connection with the Web server are blocked, and attacks it attempts against the Web server in the following time period are prevented. The length of that period can be set by the user according to the actual situation or by reference, for example 1 hour, 1 day, one week or permanent.
Of course, once the mark is cleared or the time limit is reached, the client is no longer shielded. A prompt can also be issued asking the user whether to clear the mark; the user operates on the mark according to the actual situation, and on receiving the user's operation on the malicious-client mark, the mark is cleared or retained.
As can be seen from the above technical solutions, compared with the prior art, the invention discloses a method for blocking malicious attacks on a Web server, including: receiving the access request sent by a client to access the Web server; judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client; and discarding the access request and blocking subsequent access requests sent by the malicious attack client. The invention therefore does not block the IP address directly but blocks only the client that initiated the malicious attack, ensuring that normal users in the LAN who have not launched a malicious attack can still access the Web server normally.
The access request is parsed to obtain the identification information of the client. The identification information characterizes the record of the client accessing the Web server.
In the above embodiment it is necessary to judge whether the access request is a malicious attack request; this process is described further below.
Referring to Fig. 2, Fig. 2 is another schematic flowchart of a method for blocking malicious attacks on a Web server provided in the embodiment of the invention.
A method for blocking malicious attacks on a Web server provided by the invention includes:
S201: receive the access request sent by a client to access the Web server;
S202: parse the access request to obtain the identification information of the client;
according to the identification information, mark the client corresponding to the identification information in the preset template as a malicious attack client.
S203: discard the access request and block subsequent access requests sent by the malicious attack client.
S201 and S203 are the same as S101 and S103 above and are not described again here.
Step S202 is mainly described below.
The preset template in the invention contains multiple clients and their respective identification information; that is, the preset template contains each client that accesses the Web server and the identification information corresponding to each client.
After an access request is determined to be a malicious attack request, the client is marked in the preset template according to its identification information. The mark can be associated with the preset template through a policy table, which holds the policies to execute against malicious attack clients. Alternatively, a flag data column can be set in the preset template. Other forms are of course possible; as long as the attacking client can be marked as a malicious attack client, no specific limitation is imposed here.
S202 can be divided into the following steps.
Parsing the access request to obtain the identification information of the client includes:
parsing the access request by protocol parsing to obtain a parse result;
judging whether the parse result contains a Cookie;
if so, using the session information for accessing the Web server in the Cookie as the identification information of the client;
if not, obtaining a Cookie containing identification information from the parse result using a preset algorithm;
replying to the client with the Cookie containing the identification information as a redirect message, so that the client stores the Cookie and carries it in its next access request.
Generally, in this field, when a user visits a website, that is, when the client the user uses accesses a Web server, the client is usually instructed to store a record of visiting that website, normally by instructing it to store a Cookie. The Cookie generally contains session information, namely the well-known session identifier sessionID. The specific value of each client's sessionID is unique, so each client's session information is different. The well-known sessionID can indicate that the client has accessed a particular Web server. For example, Sina and Sohu each have their own sessionID in the Cookie file.
Therefore, in the embodiment of the invention, obtaining the identification information of the client can be understood as obtaining the well-known sessionID in the Cookie.
In the embodiment of the invention, the access request is parsed with a mature protocol parsing method from the prior art to obtain a parse result. The parse result contains the client's IP address, User-Agent (UA, which generally includes operating system and browser information), Accept (the file types the browser accepts) and Cookie. It may also include Host (domain name), Accept-Language (the languages the browser accepts), the request method, the URL and other client-related data.
If the parse result contains a Cookie, this proves that the client has accessed the Web server before, and the session information in the Cookie is used as the identification information of the client.
If not, that is, when no well-known sessionID is included, unique identification information is generated from the parse result using a preset algorithm, and the identification information is carried in a Cookie that is replied to the client as a redirect message. The current session is then ended, that is, the connection with the client is closed.
After the client receives this Cookie, it stores it and sends it to the firewall as part of the data in its next access request.
It should be noted that when the parse result contains a Cookie, it is also possible to check whether this Cookie contains the client's session information. If none is found, the subsequent steps can still be performed: unique identification information is generated and the Cookie containing the identification information is replied to the client as a redirect message.
The client's identification information can be calculated from fields such as IP, User-Agent (UA, which generally includes operating system and browser information), Accept (the file types the browser accepts), Host (domain name), Accept-Language (the languages the browser accepts), the request method and URL, together with the time. The specific calculation is not limited here, as long as unique identification information can be obtained.
The preset template was mentioned in the above embodiment; the method of generating it is described below.
After parsing the access request to obtain the identification information of the client, the method further includes:
parsing the access request to obtain the IP address of the client;
generating the preset template from the IP address of the client and the identification information of the client.
After an access request sent by a client is received, the client's IP address and identification information are stored in the preset template as a correspondence, regardless of whether the access request is a malicious attack. The preset template can be understood as a table mapping IPs to identifiers.
Optionally, the same IP address in the preset template corresponds to the identification information of multiple clients, and the blocking method further includes:
sending the IP addresses of the clients in the preset template and the identification information of the clients under each IP address to a display module, in the form of reports and/or logs, for display.
After the preset template is established, reports and logs can be displayed by IP and client identifier.
According to the correspondence, the IP addresses of the clients in the preset template and the identification information of the clients under each IP address are sent to the display module, in the form of reports and/or logs, for display.
When an access request is identified as a malicious attack, or a malicious attack is detected in the traffic, information such as the client's historical access files, attack fragments and access times is uploaded to the event log, and the client identification information is also recorded in the event log and stored in a database.
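The flow of S201 to S203 together with the preset template, sketched in Python as an added example that is not part of the patent text. The cookie name `fw_cid`, the SHA-256 derivation with a random nonce (standing in for the unspecified "preset algorithm"), the `../` placeholder detector and the request dictionaries are assumptions constructed for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionID"  # session cookie name used in the description
ISSUED_COOKIE = "fw_cid"      # hypothetical name for the firewall-issued cookie


def looks_malicious(req):
    """Placeholder detector (assumption); a real firewall uses its own engine."""
    return "../" in req["url"]


def cookie_identifier(headers):
    """Return the identifier carried in the Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    for name in (SESSION_COOKIE, ISSUED_COOKIE):
        if name in jar and jar[name].value:
            return jar[name].value  # client-supplied claim, not authenticated
    return None


def derive_identifier(req, now):
    """Assumed 'preset algorithm': hash the parsed fields, the time and a nonce."""
    h = req["headers"]
    fields = [req["ip"], h.get("User-Agent", ""), h.get("Accept", ""),
              h.get("Host", ""), h.get("Accept-Language", ""),
              req["method"], req["url"], str(now), secrets.token_hex(8)]
    return hashlib.sha256("\n".join(fields).encode()).hexdigest()[:32]


class Firewall:
    def __init__(self, block_seconds=3600):
        self.block_seconds = block_seconds  # None blocks permanently
        self.template = {}  # preset template: public IP -> client identifiers
        self.blocked = {}   # client identifier -> expiry time (None = permanent)
        self.events = []    # event log used for attack tracing

    def is_blocked(self, cid, now):
        if cid in self.blocked and self.blocked[cid] is not None \
                and now >= self.blocked[cid]:
            del self.blocked[cid]  # time limit reached, mark is cleared
        return cid in self.blocked

    def handle(self, req, now):
        """Return (action, identifier); action is redirect, drop or forward."""
        cid = cookie_identifier(req["headers"])
        issued = cid is None
        if issued:
            cid = derive_identifier(req, now)
        # Every request is recorded, malicious or not (IP <-> identifier table).
        self.template.setdefault(req["ip"], set()).add(cid)
        if issued:
            return ("redirect", cid)  # reply carries Set-Cookie: fw_cid=<cid>
        if self.is_blocked(cid, now):
            return ("drop", cid)
        if looks_malicious(req):
            self.blocked[cid] = (None if self.block_seconds is None
                                 else now + self.block_seconds)
            self.events.append({"time": now, "ip": req["ip"],
                                "client": cid, "url": req["url"]})
            return ("drop", cid)
        return ("forward", cid)

    def report(self, now):
        """Per-IP view of client identifiers and their current state."""
        return {ip: sorted((c, "blocked" if self.is_blocked(c, now) else "ok")
                           for c in cids)
                for ip, cids in self.template.items()}


def demo():
    """Constructed scenario: clients A and B share one NAT address."""
    fw = Firewall(block_seconds=3600)

    def req(url, cookie=""):
        headers = {"Host": "www.example.test", "User-Agent": "DemoBrowser/1.0",
                   "Cookie": cookie}
        return {"ip": "203.0.113.7", "method": "GET", "url": url,
                "headers": headers}
    first, cid_a = fw.handle(req("/"), now=0)  # A has no cookie yet
    a_cookie = f"{ISSUED_COOKIE}={cid_a}"
    b_cookie = f"{SESSION_COOKIE}=user-b-session"
    actions = [
        first,
        fw.handle(req("/news", b_cookie), now=5)[0],              # B, benign
        fw.handle(req("/static/../../conf", a_cookie), now=10)[0],  # A, flagged
        fw.handle(req("/", a_cookie), now=20)[0],                 # A, blocked
        fw.handle(req("/news", b_cookie), now=30)[0],             # B, unaffected
    ]
    report = fw.report(now=30)
    actions.append(fw.handle(req("/", a_cookie), now=4000)[0])    # block expired
    return actions, report, cid_a, fw


if __name__ == "__main__":
    print(demo()[0])
```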
From the above description it can be seen that the invention has the following effects:
1) Identifying the client identifier and the NAT-translated IP can be used to trace an attack to its source and to locate the attacker's device from the client information.
2) The IP is not blocked; blocking is done by client identifier, which avoids blocking the whole LAN in a NAT environment.
3) The template mapping attacking IPs to client identifiers can be used to trace attacks to their source: the IP locates the LAN where the attacker is, and the client identification information distinguishes the devices within the LAN. Attack events can be tracked by client identifier, and reports can be presented along the dimension of the same IP but different clients. The report records the access behaviour and attack behaviour of different clients, counts the number of clients in the LAN behind the same IP, compares the behaviour of different clients, and displays suspicious client behaviour.
Corresponding to the above method embodiment, the embodiment of the invention provides a device for blocking malicious attacks on a Web server.
Referring to Fig. 3, a device for blocking malicious attacks on a Web server provided by the invention includes:
A device for blocking malicious attacks on a Web server, characterized by including:
a receiving module 301, for receiving the access request sent by a client to access the Web server;
a judging module 302, for judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client;
a processing module 303, for discarding the access request and blocking subsequent access requests sent by the malicious attack client.
Optionally, the judging module includes:
a parsing unit, for parsing the access request to obtain the identification information of the client;
a marking unit, for marking, according to the identification information, the client corresponding to the identification information in the preset template as a malicious attack client.
Optionally, the parsing unit includes:
a first parsing subunit, for parsing the access request by protocol parsing to obtain a parse result;
a judging unit, for judging whether the parse result contains a Cookie; if so, using the session information for accessing the Web server in the Cookie as the identification information of the client; if not, obtaining a Cookie containing identification information from the parse result using a preset algorithm;
a redirecting unit, for replying to the client with the Cookie containing the identification information as a redirect message, so that the client stores the Cookie and carries it in its next access request.
Optionally, the device further includes:
a second parsing subunit, for parsing the access request to obtain the IP address of the client;
a generating unit, for generating the preset template from the IP address of the client and the identification information of the client.
It should be noted that the device for blocking malicious attacks on a Web server in this embodiment can use the method for blocking malicious attacks on a Web server in the above method embodiment and is used to implement all the technical solutions of that embodiment. The functions of its modules can be implemented according to the method in the above method embodiment; for the specific implementation process, refer to the related description in the above embodiment, which is not repeated here.
Another aspect of the invention discloses a firewall including the blocking device described above.
As can be seen from the above technical solutions, compared with the prior art, the invention discloses a method, device and firewall for blocking malicious attacks on a Web server. The blocking device receives the access request sent by a client to access the Web server; judges whether the access request is a malicious attack request and, if so, marks the client as a malicious attack client; and discards the access request and blocks subsequent access requests sent by the malicious attack client. The invention therefore does not block the IP address directly but blocks only the client that initiated the malicious attack, ensuring that normal users in the LAN who have not launched a malicious attack can still access the Web server normally.
Of course, the firewall can also implement the same functions as the blocking device described above.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
The method proposed by the invention has been described above by way of example with reference to the accompanying drawings; the description of the above embodiments is only intended to help in understanding the core idea of the invention. For those of ordinary skill in the art, the specific implementation and scope of application may change according to the idea of the invention. In summary, the content of this specification should not be construed as limiting the invention.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A blocking method for malicious attacks on a Web server, characterized by comprising:
receiving the access request sent by a client to access the Web server;
judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client;
discarding the access request and blocking the subsequent access requests sent by the malicious attack client.
2. The blocking method according to claim 1, characterized in that marking the client as a malicious attack client comprises:
parsing the access request to obtain the identification information of the client;
marking, according to the identification information, the client corresponding to the identification information in a preset template as a malicious attack client.
3. The blocking method according to claim 2, characterized in that parsing the access request to obtain the identification information of the client comprises:
parsing the access request using a protocol analysis method to obtain a parsing result;
judging whether the parsing result includes a Cookie;
if so, using the session information for accessing the Web server in the Cookie as the identification information of the client;
if not, obtaining a Cookie containing identification information by applying a preset algorithm to the parsing result;
replying the Cookie containing the identification information to the client as a redirect message, so that the client stores the Cookie and carries the Cookie in its next access request.
4. The blocking method according to claim 2 or 3, characterized in that, after parsing the access request to obtain the identification information of the client, the method further comprises:
parsing the access request to obtain the IP address of the client;
generating the preset template according to the IP address of the client and the identification information of the client.
5. The blocking method according to claim 4, characterized in that, in the preset template, the same IP address corresponds to the identification information of multiple clients, and the blocking method further comprises:
sending the IP addresses of the clients in the preset template, and the identification information of the clients under each IP address, to a display module for display by means of a form and/or a log.
6. A blocking device for malicious attacks on a Web server, characterized by comprising:
a receiving module, configured to receive the access request sent by a client to access the Web server;
a judging module, configured to judge whether the access request is a malicious attack request and, if so, to mark the client as a malicious attack client;
a processing module, configured to discard the access request and block the subsequent access requests sent by the malicious attack client.
7. The blocking device according to claim 6, characterized in that the judging module comprises:
a parsing unit, configured to parse the access request and obtain the identification information of the client;
a marking unit, configured to mark, according to the identification information, the client corresponding to the identification information in a preset template as a malicious attack client.
8. The blocking device according to claim 7, characterized in that the parsing unit comprises:
a first parsing subunit, configured to parse the access request using a protocol analysis method and obtain a parsing result;
a judging unit, configured to judge whether the parsing result includes a Cookie; if so, to use the session information for accessing the Web server in the Cookie as the identification information of the client; if not, to obtain a Cookie containing identification information by applying a preset algorithm to the parsing result;
a redirection unit, configured to reply the Cookie containing the identification information to the client as a redirect message, so that the client stores the Cookie and carries the Cookie in its next access request.
9. The blocking device according to claim 6 or 7, characterized by further comprising:
a second parsing subunit, configured to parse the access request and obtain the IP address of the client;
a generation unit, configured to generate the preset template according to the IP address of the client and the identification information of the client.
10. A firewall, characterized by comprising the blocking device according to any one of claims 6 to 9.
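The per-client marking of claims 1 to 5, sketched as an added Python example that is not code from the patent: two clients share one IP address, and only the one that sent a flagged request is dropped. The cookie names, the HMAC-tagged identifier standing in for the "preset algorithm", and the regex detector are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

SECRET = os.urandom(32)                      # assumption: per-firewall signing key
FW_COOKIE = "fwid"                           # assumption: firewall-issued cookie name
SESSION_COOKIE = "SESSIONID"                 # assumption: the Web server's session cookie
ATTACK = re.compile(r"<script|\.\./", re.I)  # constructed stand-in for the attack check

def _sign(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]

def issue_id(ip, user_agent):
    """Stand-in 'preset algorithm': nonce mixed with parsed fields, plus a tag."""
    seed = os.urandom(16) + ip.encode() + user_agent.encode()
    raw = hashlib.sha256(seed).hexdigest()[:16]
    return f"{raw}.{_sign(raw)}"

def client_id(cookies):
    """Claim 3: session cookie if present, else a correctly tagged firewall cookie."""
    if SESSION_COOKIE in cookies:
        return "sess:" + cookies[SESSION_COOKIE]
    raw, _, tag = cookies.get(FW_COOKIE, "").partition(".")
    if raw and hmac.compare_digest(tag.encode(), _sign(raw).encode()):
        return "fw:" + raw
    return None                              # missing or altered cookie

class Blocker:
    def __init__(self):
        self.template = {}                   # preset template: ip -> {client id: malicious?}

    def handle(self, ip, url, cookies, user_agent=""):
        cid = client_id(cookies)
        if cid is None:                      # no usable cookie: redirect with a new one
            return ("REDIRECT", {FW_COOKIE: issue_id(ip, user_agent)})
        clients = self.template.setdefault(ip, {})
        # Claim 1: the mark sticks to the client identifier, not to the IP address.
        clients[cid] = clients.get(cid, False) or bool(ATTACK.search(url))
        return ("DROP", {}) if clients[cid] else ("FORWARD", {})

def demo():
    fw, nat_ip = Blocker(), "203.0.113.7"    # constructed shared NAT address
    _, a = fw.handle(nat_ip, "/", {})        # client A is issued its cookie
    _, b = fw.handle(nat_ip, "/", {})        # client B is issued a different one
    return [fw.handle(nat_ip, "/search?q=<script>", a)[0],
            fw.handle(nat_ip, "/index.html", a)[0],
            fw.handle(nat_ip, "/index.html", b)[0]]
```

The identifier is only as persistent as the cookie, so a deployment would also limit how many identifiers a single IP address can be issued.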
CN201611192582.3A 2016-12-21 2016-12-21 Blocking method and device for malicious attack of Web server and firewall Active CN106790073B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611192582.3A CN106790073B (en) 2016-12-21 2016-12-21 Blocking method and device for malicious attack of Web server and firewall

Publications (2)

Publication Number Publication Date
CN106790073A (en) 2017-05-31
CN106790073B (en) 2020-06-05

Family

ID=58893690

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611192582.3A Active CN106790073B (en) 2016-12-21 2016-12-21 Blocking method and device for malicious attack of Web server and firewall

Country Status (1)

Country Link
CN (1) CN106790073B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110043373A (en) * 2009-10-21 2011-04-27 충남대학교산학협력단 Sip dos attack detection and prevention system and method using hidden markov model
CN102932380A (en) * 2012-11-30 2013-02-13 网宿科技股份有限公司 Distributed method and distributed system for preventing malicious attacks based on content distribution network
CN103384242A (en) * 2013-03-15 2013-11-06 中标软件有限公司 Intrusion detection method and system based on Nginx proxy server
CN104811424A (en) * 2014-01-26 2015-07-29 腾讯科技(深圳)有限公司 Malicious user identification method and device
CN105516073A (en) * 2014-10-20 2016-04-20 中国银联股份有限公司 Network intrusion prevention method

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241333A (en) * 2017-06-13 2017-10-10 上海微烛信息技术有限公司 Recognition methods, system, Network Security Device and the server of exception request
CN112217777A (en) * 2019-07-12 2021-01-12 上海云盾信息技术有限公司 Attack backtracking method and equipment
CN114465744A (en) * 2021-09-15 2022-05-10 中科方德软件有限公司 Safety access method and network firewall system
CN116582366A (en) * 2023-07-12 2023-08-11 中国电信股份有限公司 Web attack prevention method, device and system and storage medium
CN116582366B (en) * 2023-07-12 2023-09-15 中国电信股份有限公司 Web attack prevention method, device and system and storage medium

Also Published As

Publication number Publication date
CN106790073B (en) 2020-06-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant