CN107911219A - A kind of anti-CC methods of API based on key signature - Google Patents

A kind of anti-CC methods of API based on key signature

Info

Publication number
CN107911219A
CN107911219A CN201711097536.XA
Authority
CN
China
Prior art keywords
request
signature
api
key
algo
Prior art date
Legal status
Pending
Application number
CN201711097536.XA
Other languages
Chinese (zh)
Inventor
孙越
徐晓林
赵永亮
Current Assignee
Chengdu Zhidaochuangyu Information Technology Co Ltd
Original Assignee
Chengdu Zhidaochuangyu Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Chengdu Zhidaochuangyu Information Technology Co Ltd
Priority to CN201711097536.XA
Publication of CN107911219A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an API anti-CC method based on key signature. According to the characteristics of the client's requests to the server, the client uses a key generated by the system to sign the original request with a signature algorithm; after the system receives the request, it verifies the signed request with the key, passes requests whose verification succeeds and intercepts requests whose verification fails, so that CC attacks can be detected more accurately and effectively. In addition, the custom URL protection rule is not limited to a specific URL; keyword matching can also be used. If the signature includes the expiry time of the original request and, when a system node receives the signed request, the parsed expiry time is earlier than the current time, the request is intercepted directly.

Description

A kind of anti-CC methods of API based on key signature
Technical field
The present invention relates to the field of CC attack protection, and in particular to an API anti-CC method based on key signature.
Background technology
With the rapid development of the mobile Internet and the large-scale spread of the Internet of Things, malware for the various mobile platforms emerges endlessly. Large numbers of mobile devices and Internet of Things devices without security guarantees are turned into "broilers" (zombies) by criminals and drawn into botnets, which are then used to attack other network devices; once the number of controlled devices reaches a certain scale, DDoS attacks are launched, which poses new challenges to DDoS attack and defence.
A CC attack is a type of DDoS attack: a flood attack aimed specifically at the Web application layer. The attacker, through proxy servers or zombie machines on the network, sends a large number of seemingly legitimate requests to the target Web server, exhausting the Web server's resources until it crashes and can no longer respond to requests from normal users.
At present, the common method of detecting CC attacks is mostly to judge whether a request is an attack by a threshold on the number of requests a client IP sends to the server: when the number of requests from a given IP within a certain time exceeds the threshold, the request is judged to be a CC attack. However, present-day CC attacks usually use distributed proxy servers or botnets to disguise themselves as normal requests to the server, and the frequency at which each proxy or zombie IP sends requests to the server is not very high; when the number of attacking proxy or zombie IPs reaches a certain quantity, the server's resources are exhausted just the same. Judging whether a request is a CC attack by a per-client-IP request frequency threshold therefore often leads to missed detections. At the same time, because of the way clients access server-side APIs, the server side sees a large number of highly concurrent requests with similar features, such as an identical browser User-Agent, an identical client operating system, and highly similar request URLs (same URL, different URL parameters). This closely resembles the attack requests that proxies or botnets send to the server, so when a general Web anti-CC system performs detection it is difficult to detect this type of CC attack effectively, and normal requests may be judged to be CC attacks, producing false positives and affecting the normal use of the server-side API.
Related terms
API (Application Programming Interface): the interface through which the different components of a software system are connected;
CC (Challenge Collapsar) attack: a type of DDoS attack that continuously sends a large number of legitimate connection requests to the server in order to cause denial of service;
MD5 (Message-Digest Algorithm 5): a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to ensure that transmitted information is complete and consistent;
SHA-1 (Secure Hash Algorithm 1): a cryptographic hash function that produces a 160-bit (20-byte) hash value called a message digest, usually rendered as a 40-digit hexadecimal number.
Summary of the invention
The technical problem to be solved by the present invention is to provide an API anti-CC method based on key signature: according to the characteristics of the client's requests to the server, the client uses a key generated by the system to sign the original request with a signature algorithm; after the system receives the request, it verifies the signed request with the key, passes requests whose verification succeeds and intercepts requests whose verification fails, so that CC attacks can be detected more accurately and effectively.
To solve the above technical problem, the technical solution adopted by the present invention is:
An API anti-CC method based on key signature, comprising the following steps:
Step 1: The system adds an API anti-CC function configuration entry for the user;
Step 2: The API anti-CC function is enabled, and the system automatically generates the key AUTH_TOKEN for the current user;
Step 3: The user enters the API anti-CC rule settings page, views the key AUTH_TOKEN that the system generated for the user, and sets the API anti-CC rules;
Step 4: When the client accesses the API, the signature algorithm ALGO, the key AUTH_TOKEN generated in step 2, the request expiry time EXP_TIME, the random string NONCE and the request address URL are joined with '|' in ASCII order into the string PARAMS_A;
Step 5: The client signs the string PARAMS_A obtained in step 4 with the signature algorithm ALGO to obtain the signature string SIGNATURE_A;
Step 6: The client joins ALGO, EXP_TIME, NONCE and SIGNATURE_A with '|' in ASCII order to obtain the string API_AUTH;
Step 7: The client sets the custom HTTP request header X-API_AUTH to the API_AUTH from step 6 and sends the request;
Step 8: When the system receives the request, it judges whether the request URL matches the API anti-CC rules set in step 3; if it does not match, the request is allowed to access the Web server and the Web server responds to it normally; if it matches, proceed to step 9;
Step 9: The system parses the HTTP headers and extracts ALGO, EXP_TIME, NONCE, URL and SIGNATURE_A from the custom header X-API_AUTH, and extracts the key AUTH_TOKEN generated in step 2 from the site configuration;
Step 10: The system joins ALGO, AUTH_TOKEN, EXP_TIME, NONCE and URL with '|' in ASCII order to obtain the string PARAMS_B;
Step 11: The signature string SIGNATURE_B is computed with the signature algorithm ALGO;
Step 12: Verification: if SIGNATURE_A and SIGNATURE_B are identical and EXP_TIME is later than the current time, the request is allowed to access the Web server; otherwise verification fails, the system intercepts the request directly and returns a 403 status code.
Specifically, the signature algorithm ALGO in step 4 is MD5.
Specifically, the signature algorithm ALGO in step 4 is SHA-1.
Compared with the prior art, the beneficial effects of the present invention are: 1) in step 2 the user can independently choose whether to enable the API anti-CC function, and can temporarily disable it when the server's request traffic is low, which reduces the overhead of protection to some extent; 2) in step 3 the user can define custom URL protection rules and defend specific URLs, for example protecting the login page against login brute-forcing; 3) in step 4, specific parameters of the original request can be added to prevent the user's request from being tampered with; 4) because the original request is signed with a key, CC attacks can be detected more accurately and effectively when the user is under CC attack, interception can be applied, false positives are reduced, and normal operation of the user's API server is ensured.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the API anti-CC method based on key signature of the present invention.
Embodiment
The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments.
An API anti-CC method based on key signature, comprising the following steps:
Step 1: The system adds an API anti-CC function configuration entry for the user;
Step 2: The API anti-CC function is enabled, and the system automatically generates the key AUTH_TOKEN for the current user;
Step 3: The user enters the API anti-CC rule settings page, views the key AUTH_TOKEN that the system generated for the user, and sets the API anti-CC rules;
Step 4: When the client accesses the API, the signature algorithm ALGO (including MD5 and SHA-1), the key AUTH_TOKEN generated in step 2, the request expiry time EXP_TIME, the random string NONCE and the request address URL are joined with '|' in ASCII order into the string PARAMS_A;
Step 5: The client signs the string PARAMS_A obtained in step 4 with the signature algorithm ALGO to obtain the signature string SIGNATURE_A;
Step 6: The client joins ALGO, EXP_TIME, NONCE and SIGNATURE_A with '|' in ASCII order to obtain the string API_AUTH;
Step 7: The client sets the custom HTTP request header X-API_AUTH to the API_AUTH from step 6 and sends the request;
Step 8: When the system receives the request, it judges whether the request URL matches the API anti-CC rules set in step 3; if it does not match, the request is allowed to access the Web server and the Web server responds to it normally; if it matches, proceed to step 9;
Step 9: The system parses the HTTP headers and extracts ALGO, EXP_TIME, NONCE, URL and SIGNATURE_A from the custom header X-API_AUTH, and extracts the key AUTH_TOKEN generated in step 2 from the site configuration;
Step 10: The system joins ALGO, AUTH_TOKEN, EXP_TIME, NONCE and URL with '|' in ASCII order to obtain the string PARAMS_B;
Step 11: The signature string SIGNATURE_B is computed with the signature algorithm ALGO;
Step 12: Verification: if SIGNATURE_A and SIGNATURE_B are identical and EXP_TIME is later than the current time, the request is allowed to access the Web server; otherwise verification fails, the system intercepts the request directly and returns a 403 status code.
Here, the API anti-CC rules represent a set of URLs, and a rule can be a regular expression; the system refers to the API anti-CC system, which includes the front-end user configuration entry and the CC detection and protection system. PARAMS_A in step 4 can include specific parameters of the client request, which prevents the client's request from being tampered with; the client can selectively sign original requests according to the URL protection rules it has set. In addition, if the expiry time of the original request is included in the signature and, when a system node receives the signed request, the parsed expiry time is earlier than the current time, the request is intercepted directly.
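The following Python program is an added worked example of steps 2 through 12 as the description lays them out; it is not code from the patent or its applicant. It assumes that "ASCII order" means the fields are joined in the ASCII order of their names (which is the order the steps list them in), that EXP_TIME is a Unix timestamp, that NONCE is a random hex string, and that the anti-CC rules are regular expressions over the request URL. The names `client_sign`, `ApiAntiCC`, `build_params` and `digest` are the example's own. MD5 and SHA-1 follow the page's construction exactly (a hash over the '|'-joined string that contains the key); the `hmac-sha256` option goes beyond the page and is included for comparison.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Assumption: "ASCII order" means the fields are joined in the ASCII order of
# their names, which is the order the patent lists them in steps 4 and 10.
SIGN_FIELDS = ("ALGO", "AUTH_TOKEN", "EXP_TIME", "NONCE", "URL")
HEADER_NAME = "X-API_AUTH"  # custom request header from step 7
SUPPORTED_ALGOS = ("md5", "sha1", "hmac-sha256")  # hmac-sha256 is an addition beyond the page


def generate_auth_token() -> str:
    """Step 2: the system generates the per-user key AUTH_TOKEN."""
    return secrets.token_hex(32)


def digest(algo: str, data: str, key: str) -> str:
    """Steps 5 / 11: sign the joined string with ALGO.

    md5 and sha1 are the page's construction: a plain hash over the joined
    string, which already contains AUTH_TOKEN. hmac-sha256 is the keyed-MAC
    alternative a practitioner would normally prefer (not in the page).
    """
    if algo == "md5":
        return hashlib.md5(data.encode()).hexdigest()
    if algo == "sha1":
        return hashlib.sha1(data.encode()).hexdigest()
    if algo == "hmac-sha256":
        return hmac.new(key.encode(), data.encode(), hashlib.sha256).hexdigest()
    raise ValueError("unsupported ALGO %r" % algo)


def build_params(algo: str, auth_token: str, exp_time: int, nonce: str, url: str) -> str:
    """Steps 4 / 10: join the signed fields with '|' in the fixed field order."""
    values = {"ALGO": algo, "AUTH_TOKEN": auth_token, "EXP_TIME": str(exp_time),
              "NONCE": nonce, "URL": url}
    return "|".join(values[name] for name in SIGN_FIELDS)


def client_sign(algo: str, auth_token: str, url: str, ttl_seconds: int = 60,
                now: Optional[int] = None) -> Dict[str, str]:
    """Steps 4-7: build the X-API_AUTH header for a request to `url`."""
    now = int(time.time()) if now is None else now
    exp_time = now + ttl_seconds            # EXP_TIME as a Unix timestamp (assumption)
    nonce = secrets.token_hex(8)            # NONCE as a random hex string (assumption)
    params_a = build_params(algo, auth_token, exp_time, nonce, url)
    signature_a = digest(algo, params_a, auth_token)
    api_auth = "|".join([algo, str(exp_time), nonce, signature_a])  # step 6
    return {HEADER_NAME: api_auth}


class ApiAntiCC:
    """Steps 8-12: the protection node that sits in front of the Web server."""

    def __init__(self, auth_token: str, rules: List[str]):
        self.auth_token = auth_token
        # Step 3: the anti-CC rules are a set of URLs, written here as regexes.
        self.rules = [re.compile(r) for r in rules]

    def check(self, url: str, headers: Dict[str, str], now: Optional[int] = None) -> Tuple[int, str]:
        """Return (status, reason): 200 lets the request through, 403 intercepts it."""
        now = int(time.time()) if now is None else now
        if not any(r.search(url) for r in self.rules):
            return 200, "url not protected"                 # step 8: unprotected URL
        header = headers.get(HEADER_NAME)
        if header is None:
            return 403, "missing " + HEADER_NAME
        parts = header.split("|")                           # step 9
        if len(parts) != 4:
            return 403, "malformed header"
        algo, exp_time_s, nonce, signature_a = parts
        if not exp_time_s.isdigit():
            return 403, "bad EXP_TIME"
        exp_time = int(exp_time_s)
        if exp_time <= now:
            return 403, "expired"                           # step 12: EXP_TIME must be later than now
        if algo not in SUPPORTED_ALGOS:
            return 403, "unsupported ALGO"
        params_b = build_params(algo, self.auth_token, exp_time, nonce, url)  # step 10
        signature_b = digest(algo, params_b, self.auth_token)                 # step 11
        # Constant-time comparison so the check does not leak the expected signature.
        if not hmac.compare_digest(signature_a, signature_b):
            return 403, "signature mismatch"                # step 12: intercept, 403
        return 200, "verified"


if __name__ == "__main__":
    token = generate_auth_token()
    node = ApiAntiCC(token, [r"^/api/login$", r"^/api/v1/"])
    print(node.check("/api/login", client_sign("sha1", token, "/api/login")))
    print(node.check("/static/logo.png", {}))
    print(node.check("/api/login", {}))
    print(node.check("/api/login", client_sign("md5", token, "/api/login", ttl_seconds=-1)))
    print(node.check("/api/login", client_sign("md5", "not-the-key", "/api/login")))
```

Two design points the steps leave open are worth settling before deploying something like this: the steps never record NONCE on the server, so a valid header is accepted repeatedly until EXP_TIME passes, and a node that keeps the nonces it has seen until their EXP_TIME closes that window; and a hash over a string that merely contains the key is weaker than a keyed MAC, which is why the example offers `hmac-sha256` alongside the page's MD5 and SHA-1.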

Claims (3)

1. An API anti-CC method based on key signature, characterized in that it comprises the following steps:
Step 1: The system adds an API anti-CC function configuration entry for the user;
Step 2: The API anti-CC function is enabled, and the system automatically generates the key AUTH_TOKEN for the current user;
Step 3: The user enters the API anti-CC rule settings page, views the key AUTH_TOKEN that the system generated for the user, and sets the API anti-CC rules;
Step 4: When the client accesses the API, the signature algorithm ALGO, the key AUTH_TOKEN generated in step 2, the request expiry time EXP_TIME, the random string NONCE and the request address URL are joined with '|' in ASCII order into the string PARAMS_A;
Step 5: The client signs the string PARAMS_A obtained in step 4 with the signature algorithm ALGO to obtain the signature string SIGNATURE_A;
Step 6: The client joins ALGO, EXP_TIME, NONCE and SIGNATURE_A with '|' in ASCII order to obtain the string API_AUTH;
Step 7: The client sets the custom HTTP request header X-API_AUTH to the API_AUTH from step 6 and sends the request;
Step 8: When the system receives the request, it judges whether the request URL matches the API anti-CC rules set in step 3; if it does not match, the request is allowed to access the Web server and the Web server responds to it normally; if it matches, proceed to step 9;
Step 9: The system parses the HTTP headers and extracts ALGO, EXP_TIME, NONCE, URL and SIGNATURE_A from the custom header X-API_AUTH, and extracts the key AUTH_TOKEN generated in step 2 from the site configuration;
Step 10: The system joins ALGO, AUTH_TOKEN, EXP_TIME, NONCE and URL with '|' in ASCII order to obtain the string PARAMS_B;
Step 11: The signature string SIGNATURE_B is computed with the signature algorithm ALGO;
Step 12: Verification: if SIGNATURE_A and SIGNATURE_B are identical and EXP_TIME is later than the current time, the request is allowed to access the Web server; otherwise verification fails, the system intercepts the request directly and returns a 403 status code.
2. The API anti-CC method based on key signature according to claim 1, characterized in that the signature algorithm ALGO in step 4 is MD5.
3. The API anti-CC method based on key signature according to claim 1, characterized in that the signature algorithm ALGO in step 4 is SHA-1.
CN201711097536.XA 2017-11-09 2017-11-09 A kind of anti-CC methods of API based on key signature Pending CN107911219A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711097536.XA CN107911219A (en) 2017-11-09 2017-11-09 A kind of anti-CC methods of API based on key signature

Publications (1)

Publication Number Publication Date
CN107911219A true CN107911219A (en) 2018-04-13

Family

ID=61844546

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711097536.XA Pending CN107911219A (en) 2017-11-09 2017-11-09 A kind of anti-CC methods of API based on key signature

Country Status (1)

Country Link
CN (1) CN107911219A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110214157A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Securing a network with data flow processing
CN103701946A (en) * 2013-12-20 2014-04-02 珠海金山网络游戏科技有限公司 Method and system for client-side to be in communication with server through URL (Universal Resource Locator)
CN104994108A (en) * 2015-07-14 2015-10-21 中国联合网络通信集团有限公司 URL filtering method, device and system
CN105187430A (en) * 2015-09-18 2015-12-23 浪潮通用软件有限公司 Reverse proxy server, reverse proxy system and reverse proxy method
KR101672791B1 (en) * 2015-10-26 2016-11-07 고려대학교 산학협력단 Method and system for detection of vulnerability on html5 mobile web application
CN106571923A (en) * 2016-10-21 2017-04-19 天津海量信息技术股份有限公司 User data signature verification method with time effectiveness

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413105A (en) * 2018-12-12 2019-03-01 深圳市丰巢科技有限公司 A kind of network request processing method, device, computer equipment and storage medium
CN110611564A (en) * 2019-07-30 2019-12-24 云南昆钢电子信息科技有限公司 System and method for defending API replay attack based on timestamp
WO2021137769A1 (en) * 2019-12-31 2021-07-08 Envision Digital International Pte. Ltd. Method and apparatus for sending and verifying request, and device thereof
CN112311776A (en) * 2020-10-21 2021-02-02 浪潮云信息技术股份公司 System and method for preventing flooding attack of API gateway
CN112311776B (en) * 2020-10-21 2022-08-30 浪潮云信息技术股份公司 System and method for preventing flooding attack of API gateway
CN112699374A (en) * 2020-12-28 2021-04-23 山东鲁能软件技术有限公司 Integrity checking vulnerability security protection method and system
CN114301708A (en) * 2021-12-30 2022-04-08 金蝶智慧科技(深圳)有限公司 Identity authentication method, identity authentication server and related device

Similar Documents

Publication Publication Date Title
CN107911219A (en) A kind of anti-CC methods of API based on key signature
US9386078B2 (en) Controlling application programming interface transactions based on content of earlier transactions
Bringer et al. A survey: Recent advances and future trends in honeypot research
CN104052734B (en) It the attack detecting that is identified using global device-fingerprint and prevents
Wurzinger et al. Automatically generating models for botnet detection
US9705895B1 (en) System and methods for classifying internet devices as hostile or benign
Zarras et al. Automated generation of models for fast and precise detection of HTTP-based malware
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
JP5832951B2 (en) Attack determination device, attack determination method, and attack determination program
Latha et al. A survey on network attacks and Intrusion detection systems
Huang et al. An authentication scheme to defend against UDP DrDoS attacks in 5G networks
Mishra et al. Intelligent phishing detection system using similarity matching algorithms
Atighetchi et al. Attribute-based prevention of phishing attacks
Vidal et al. Evolutions of evasion techniques aigainst network intrusion detection systems
CN107294994B (en) CSRF protection method and system based on cloud platform
Yin et al. Optimal remote access Trojans detection based on network behavior.
CN113328976B (en) Security threat event identification method, device and equipment
Czyczyn-Egird et al. The effectiveness of data mining techniques in the detection of DDoS attacks
Sharma et al. Detection of ARP Spoofing: A command line execution method
Zarras et al. Hiding behind the shoulders of giants: Abusing crawlers for indirect Web attacks
Adamov et al. Discovering new indicators for botnet traffic detection
CN114553452B (en) Attack defense method and protection equipment
Khan et al. Security Tradeoff in Network Virtualization and Their Countermeasures
Pondkule et al. Botshark—detection and prevention of peer-to-peer botnets by tracking conversation using cart

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180413)