CN107911219A - A kind of anti-CC methods of API based on key signature - Google Patents
A kind of anti-CC methods of API based on key signature
- Publication number: CN107911219A (application CN201711097536.XA)
- Authority: CN (China)
- Prior art keywords: request, signature, api, key, algo
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/1458—Countermeasures against malicious traffic: Denial of Service
- H04L63/1466—Countermeasures against malicious traffic: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
Abstract
The present invention provides an API anti-CC method based on key signing. Based on the characteristics of client requests to the server, the client uses a key generated by the system to sign the original request with a signature algorithm; after the system receives the request, it verifies the signed request with the key, passes requests whose verification succeeds and intercepts requests whose verification fails, so that CC attacks can be detected more accurately and effectively. In addition, the user-defined URL protection rules are not limited to specific URLs and can also be matched by keyword. If the original request's expiry time is included in the signature, then when a system node receives the signed request, parses it and finds that the expiry time is earlier than the current time, it intercepts the request directly.
Description
Technical field
The present invention relates to the field of CC attack protection, and in particular to an API anti-CC method based on key signing.
Background technology
With the rapid growth of the mobile Internet and the large-scale adoption of the Internet of Things, malware for mobile platforms has emerged in endless variety. Large numbers of mobile devices and IoT devices without security safeguards are drawn into botnets by criminals as zombie hosts ("broiler chickens" in the original) and then manipulated to attack other network devices; once the number of controlled devices reaches a certain scale, DDoS attacks are launched, which poses new challenges for DDoS attack and defence.
A CC attack is a type of DDoS attack: a flood attack aimed specifically at the Web application layer, in which the attacker sends a large number of seemingly legitimate requests to the target Web server through proxy servers or zombie hosts on the network, exhausting the Web server's resources until it crashes and can no longer respond to requests from normal users.
At present, the common method of detecting CC attacks is to judge whether requests are an attack by a threshold on the number of requests an IP makes to the server: when the number of requests from an IP within a certain time exceeds the threshold, those requests are judged to be a CC attack. But CC attacks now usually use distributed proxy servers or botnets to access the server disguised as normal requests, and the frequency with which each proxy or zombie IP sends requests to the server is not very high; once the attacking proxy or zombie IPs reach a certain number, server resources are still exhausted. Judging whether requests are a CC attack by a per-client-IP request-frequency threshold therefore often results in missed detections. At the same time, because of the way clients access server-side APIs, the server side sees large numbers of highly concurrent requests with similar features, such as identical browser User-Agent, identical client operating system and highly similar request URLs (same URL, different URL parameters). This closely resembles the attack requests a proxy or botnet sends to the server, so when a general-purpose Web anti-CC system performs detection it is difficult to detect this type of CC attack effectively, and normal requests may be judged to be CC attacks, producing false positives and affecting normal use of the server-side API.
Related terms
API (Application Programming Interface): the interface through which the different components of a software system are connected;
CC (Challenge Collapsar) attack: a type of DDoS attack that causes denial of service by continuously sending a large number of legitimate connection requests to the server;
MD5 (Message-Digest Algorithm 5): a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to ensure that transmitted information is complete and consistent;
SHA-1 (Secure Hash Algorithm 1): a cryptographic hash function that generates a 160-bit (20-byte) hash value called a message digest, usually rendered as 40 hexadecimal digits.
The content of the invention
The technical problem to be solved by the invention is to provide an API anti-CC method based on key signing: based on the characteristics of client requests to the server, the client uses a key generated by the system to sign the original request with a signature algorithm; after the system receives the request, it verifies the signed request with the key, passes requests whose verification succeeds and intercepts requests whose verification fails, so that CC attacks can be detected more accurately and effectively.
In order to solve the above technical problem, the technical solution adopted by the invention is:
An API anti-CC method based on key signing, comprising the following steps:
Step 1: The system adds an API anti-CC function configuration entry for the user;
Step 2: The API anti-CC function is enabled, and the system automatically generates a key AUTH_TOKEN for the current user;
Step 3: The user enters the API anti-CC rule settings page, views the key AUTH_TOKEN that the system generated for the user, and sets the API anti-CC rules;
Step 4: When the client accesses the API, it concatenates the signature algorithm ALGO, the key AUTH_TOKEN generated in step 2, the request expiry time EXP_TIME, a random string NONCE and the request address URL with '|' in ASCII order into the string PARAMS_A;
Step 5: The client signs the string PARAMS_A obtained in step 4 with the signature algorithm ALGO, obtaining the signature string SIGNATURE_A;
Step 6: The client concatenates ALGO, EXP_TIME, NONCE and SIGNATURE_A with '|' in ASCII order, obtaining the string API_AUTH;
Step 7: The client sets the value of the custom HTTP request header X-API_AUTH to the API_AUTH from step 6 and sends the request;
Step 8: When the system receives the request, it judges whether the request URL matches the API anti-CC rules set in step 3; if it does not match, the request is allowed to access the Web server and the Web server responds to the request normally; if it matches, proceed to step 9;
Step 9: The system parses the HTTP headers, extracts from the custom header X-API_AUTH the information ALGO, EXP_TIME, NONCE, URL and SIGNATURE_A, and retrieves from the website configuration the key AUTH_TOKEN generated in step 2;
Step 10: The system concatenates ALGO, AUTH_TOKEN, EXP_TIME, NONCE and URL with '|' in ASCII order, obtaining the string PARAMS_B;
Step 11: The signature string SIGNATURE_B is computed with the signature algorithm ALGO;
Step 12: Verification: if SIGNATURE_A and SIGNATURE_B are identical and EXP_TIME is later than the current time, the request is allowed to access the Web server; otherwise verification fails, the system intercepts the request directly and returns a 403 status code.
Specifically, the signature algorithm ALGO in step 4 is MD5.
Specifically, the signature algorithm ALGO in step 4 is SHA-1.
Compared with the prior art, the beneficial effects of the invention are as follows: 1) in step 2 the user can independently choose whether to enable the API anti-CC function, and can choose to disable it temporarily when server request traffic is low, which reduces the overhead of protection to a certain extent; 2) in step 3 the user can define URL protection rules and defend specific URLs, for example protecting the login page against login brute-forcing; 3) in step 4, specific parameters of the original request can be added, preventing the user's request from being tampered with; 4) by signing the original request with the key, CC attacks can be detected more accurately and effectively when the user is under CC attack, interception is carried out, false positives are reduced, and normal operation of the user's API server is ensured.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the API anti-CC method based on key signing of the present invention.
Embodiment
The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments.
An API anti-CC method based on key signing, comprising the following steps:
Step 1: The system adds an API anti-CC function configuration entry for the user;
Step 2: The API anti-CC function is enabled, and the system automatically generates a key AUTH_TOKEN for the current user;
Step 3: The user enters the API anti-CC rule settings page, views the key AUTH_TOKEN that the system generated for the user, and sets the API anti-CC rules;
Step 4: When the client accesses the API, it concatenates the signature algorithm ALGO (including MD5 and SHA-1), the key AUTH_TOKEN generated in step 2, the request expiry time EXP_TIME, a random string NONCE and the request address URL with '|' in ASCII order into the string PARAMS_A;
Step 5: The client signs the string PARAMS_A obtained in step 4 with the signature algorithm ALGO, obtaining the signature string SIGNATURE_A;
Step 6: The client concatenates ALGO, EXP_TIME, NONCE and SIGNATURE_A with '|' in ASCII order, obtaining the string API_AUTH;
Step 7: The client sets the value of the custom HTTP request header X-API_AUTH to the API_AUTH from step 6 and sends the request;
Step 8: When the system receives the request, it judges whether the request URL matches the API anti-CC rules set in step 3; if it does not match, the request is allowed to access the Web server and the Web server responds to the request normally; if it matches, proceed to step 9;
Step 9: The system parses the HTTP headers, extracts from the custom header X-API_AUTH the information ALGO, EXP_TIME, NONCE, URL and SIGNATURE_A, and retrieves from the website configuration the key AUTH_TOKEN generated in step 2;
Step 10: The system concatenates ALGO, AUTH_TOKEN, EXP_TIME, NONCE and URL with '|' in ASCII order, obtaining the string PARAMS_B;
Step 11: The signature string SIGNATURE_B is computed with the signature algorithm ALGO;
Step 12: Verification: if SIGNATURE_A and SIGNATURE_B are identical and EXP_TIME is later than the current time, the request is allowed to access the Web server; otherwise verification fails, the system intercepts the request directly and returns a 403 status code.
Here, the API anti-CC rules denote a set of URLs, and a rule may be a regular expression; the system refers to the API anti-CC system, which comprises the front-end user configuration entry and the CC detection and protection system. PARAMS_A in step 4 may include specific parameters of the client request, which prevents the client's request from being tampered with; the client can selectively sign its original requests according to the URL protection rules it has set. In addition, if the original request's expiry time is included in the signature, then when a system node receives the signed request, parses it and finds that the expiry time is earlier than the current time, it intercepts the request directly.
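The client-side signing (steps 4 to 7) and server-side verification (steps 8 to 12) described above, as an added Python example that is not part of the patent. It assumes EXP_TIME is a Unix timestamp in seconds, that the server takes URL from the request line rather than from the header, that the protection rules are regular expressions as the embodiment allows, and that "ASCII order" means the fields are ordered by parameter name; the nonce replay cache is an addition the patent does not specify.

```python
import hashlib
import hmac
import re
import secrets
import time

SEP = "|"
# Signature algorithms named in claims 2 and 3; hex digests as in the page's SHA-1 definition.
ALGOS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}


def join_in_ascii_order(fields):
    """Steps 4, 6 and 10: concatenate field values with '|' in ASCII order of the field names
    (assumption: ALGO < AUTH_TOKEN < EXP_TIME < NONCE < SIGNATURE_A < URL)."""
    return SEP.join(str(fields[name]) for name in sorted(fields))


def digest(algo, text):
    """Steps 5 and 11: sign the parameter string with the chosen hash algorithm."""
    return ALGOS[algo](text.encode("utf-8")).hexdigest()


def build_api_auth(algo, auth_token, url, exp_time, nonce=None):
    """Client side (steps 4-7): returns the value to place in the X-API_AUTH header.
    exp_time is assumed to be a Unix timestamp in seconds (format not fixed by the patent)."""
    if algo not in ALGOS:
        raise ValueError("unsupported ALGO: %r" % algo)
    if nonce is None:
        nonce = secrets.token_hex(8)  # random string NONCE
    params_a = join_in_ascii_order(
        {"ALGO": algo, "AUTH_TOKEN": auth_token, "EXP_TIME": int(exp_time), "NONCE": nonce, "URL": url}
    )
    signature_a = digest(algo, params_a)
    return join_in_ascii_order(
        {"ALGO": algo, "EXP_TIME": int(exp_time), "NONCE": nonce, "SIGNATURE_A": signature_a}
    )


def verify_request(url, headers, auth_token, protect_rules, now=None, seen_nonces=None):
    """Server side (steps 8-12). Returns (http_status, reason).
    protect_rules: regular expressions forming the API anti-CC rule set (step 3).
    seen_nonces: optional replay cache; an addition, the patent does not say how NONCE is used."""
    now = time.time() if now is None else now
    # Step 8: only URLs matching a protection rule are checked; everything else passes through.
    if not any(re.search(rule, url) for rule in protect_rules):
        return 200, "url not covered by anti-CC rules"
    header = headers.get("X-API_AUTH")
    if header is None:
        return 403, "missing X-API_AUTH header"
    # Step 9: split the header into ALGO, EXP_TIME, NONCE, SIGNATURE_A (same order the client used).
    parts = header.split(SEP)
    if len(parts) != 4:
        return 403, "malformed X-API_AUTH header"
    algo, exp_time, nonce, signature_a = parts
    if algo not in ALGOS or not exp_time.isdigit():
        return 403, "bad ALGO or EXP_TIME"
    # Steps 10-11: rebuild PARAMS_B from the stored key and the request URL, recompute the signature.
    params_b = join_in_ascii_order(
        {"ALGO": algo, "AUTH_TOKEN": auth_token, "EXP_TIME": exp_time, "NONCE": nonce, "URL": url}
    )
    signature_b = digest(algo, params_b)
    # Step 12: signatures must match (constant-time compare) and EXP_TIME must still be in the future.
    if not hmac.compare_digest(signature_a.encode("utf-8"), signature_b.encode("utf-8")):
        return 403, "signature mismatch"
    if int(exp_time) <= now:
        return 403, "request expired"
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return 403, "nonce already used"
        seen_nonces.add(nonce)
    return 200, "signature verified"
```

A production deployment would use an HMAC over the parameter string rather than a bare MD5/SHA-1 digest; the example keeps the patent's construction so that SIGNATURE_A and SIGNATURE_B are exactly what steps 5 and 11 describe.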
Claims (3)
1. An API anti-CC method based on key signing, characterised in that it comprises the following steps:
Step 1: The system adds an API anti-CC function configuration entry for the user;
Step 2: The API anti-CC function is enabled, and the system automatically generates a key AUTH_TOKEN for the current user;
Step 3: The user enters the API anti-CC rule settings page, views the key AUTH_TOKEN that the system generated for the user, and sets the API anti-CC rules;
Step 4: When the client accesses the API, it concatenates the signature algorithm ALGO, the key AUTH_TOKEN generated in step 2, the request expiry time EXP_TIME, a random string NONCE and the request address URL with '|' in ASCII order into the string PARAMS_A;
Step 5: The client signs the string PARAMS_A obtained in step 4 with the signature algorithm ALGO, obtaining the signature string SIGNATURE_A;
Step 6: The client concatenates ALGO, EXP_TIME, NONCE and SIGNATURE_A with '|' in ASCII order, obtaining the string API_AUTH;
Step 7: The client sets the value of the custom HTTP request header X-API_AUTH to the API_AUTH from step 6 and sends the request;
Step 8: When the system receives the request, it judges whether the request URL matches the API anti-CC rules set in step 3; if it does not match, the request is allowed to access the Web server and the Web server responds to the request normally; if it matches, proceed to step 9;
Step 9: The system parses the HTTP headers, extracts from the custom header X-API_AUTH the information ALGO, EXP_TIME, NONCE, URL and SIGNATURE_A, and retrieves from the website configuration the key AUTH_TOKEN generated in step 2;
Step 10: The system concatenates ALGO, AUTH_TOKEN, EXP_TIME, NONCE and URL with '|' in ASCII order, obtaining the string PARAMS_B;
Step 11: The signature string SIGNATURE_B is computed with the signature algorithm ALGO;
Step 12: Verification: if SIGNATURE_A and SIGNATURE_B are identical and EXP_TIME is later than the current time, the request is allowed to access the Web server; otherwise verification fails, the system intercepts the request directly and returns a 403 status code.
2. The API anti-CC method based on key signing as claimed in claim 1, characterised in that the signature algorithm ALGO in step 4 is MD5.
3. The API anti-CC method based on key signing as claimed in claim 1, characterised in that the signature algorithm ALGO in step 4 is SHA-1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711097536.XA CN107911219A (en) | 2017-11-09 | 2017-11-09 | A kind of anti-CC methods of API based on key signature |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107911219A (en) | 2018-04-13 |
Family
ID=61844546
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107911219A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109413105A (en) * | 2018-12-12 | 2019-03-01 | 深圳市丰巢科技有限公司 | A kind of network request processing method, device, computer equipment and storage medium |
CN110611564A (en) * | 2019-07-30 | 2019-12-24 | 云南昆钢电子信息科技有限公司 | System and method for defending API replay attack based on timestamp |
CN112311776A (en) * | 2020-10-21 | 2021-02-02 | 浪潮云信息技术股份公司 | System and method for preventing flooding attack of API gateway |
CN112311776B (en) * | 2020-10-21 | 2022-08-30 | 浪潮云信息技术股份公司 | System and method for preventing flooding attack of API gateway |
CN112699374A (en) * | 2020-12-28 | 2021-04-23 | 山东鲁能软件技术有限公司 | Integrity checking vulnerability security protection method and system |
WO2021137769A1 (en) * | 2019-12-31 | 2021-07-08 | Envision Digital International Pte. Ltd. | Method and apparatus for sending and verifying request, and device thereof |
CN114301708A (en) * | 2021-12-30 | 2022-04-08 | 金蝶智慧科技(深圳)有限公司 | Identity authentication method, identity authentication server and related device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110214157A1 (en) * | 2000-09-25 | 2011-09-01 | Yevgeny Korsunsky | Securing a network with data flow processing |
CN103701946A (en) * | 2013-12-20 | 2014-04-02 | 珠海金山网络游戏科技有限公司 | Method and system for client-side to be in communication with server through URL (Universal Resource Locator) |
CN104994108A (en) * | 2015-07-14 | 2015-10-21 | 中国联合网络通信集团有限公司 | URL filtering method, device and system |
CN105187430A (en) * | 2015-09-18 | 2015-12-23 | 浪潮通用软件有限公司 | Reverse proxy server, reverse proxy system and reverse proxy method |
KR101672791B1 (en) * | 2015-10-26 | 2016-11-07 | 고려대학교 산학협력단 | Method and system for detection of vulnerability on html5 mobile web application |
CN106571923A (en) * | 2016-10-21 | 2017-04-19 | 天津海量信息技术股份有限公司 | User data signature verification method with time effectiveness |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180413 |