CN110138789A - A kind of anti-scanning method and device based on hash algorithm - Google Patents
A kind of anti-scanning method and device based on hash algorithm Download PDFInfo
- Publication number
- CN110138789A CN110138789A CN201910418482.5A CN201910418482A CN110138789A CN 110138789 A CN110138789 A CN 110138789A CN 201910418482 A CN201910418482 A CN 201910418482A CN 110138789 A CN110138789 A CN 110138789A
- Authority
- CN
- China
- Prior art keywords
- address
- access
- hash algorithm
- scanning
- feature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This application discloses a kind of anti-scanning methods based on hash algorithm, comprising: obtains the access log of client record;Using the access feature of IP address and IP address in hash algorithm statistics access log;Judge to access whether feature has scanning behavior;If so, IP address is determined as to scan IP address, and block IP address.Hash algorithm in this method can count the access feature of IP address and IP address in a manner of linear data structure, so as to improve the statistical efficiency of access feature, reduce CPU usage, also can be improved computer performance.Correspondingly, a kind of anti-scanning means, equipment and readable storage medium storing program for executing based on hash algorithm disclosed in the present application, similarly has above-mentioned technique effect.
Description
Technical field
This application involves Internet technical field, in particular to a kind of anti-scanning method based on hash algorithm, is set device
Standby and readable storage medium storing program for executing.
Background technique
Scanning is one kind of attack, and common scanning behavior has port scan.So-called port scan, be exactly and
The certain port of destination host establishes TCP connection, thus find out destination host port whether be active, target master
Machine provides which service etc..
In the prior art, when a certain IP address accesses certain window, host can be responded with window in the statistical unit time
The accounting that code is 403 or 404, and determines whether IP address has scanning behavior according to the accounting, so that it is determined that IP address whether
To scan IP address.Wherein, count 403 or 404 accountings needed for computer resource it is more, therefore the occupancy of host CPU compared with
Height, can reduce computer performance, may cause host system delay machine when serious.
Therefore, the CPU usage in anti-scanning process how is reduced, computer performance is improved, is those skilled in the art
Problem to be solved.
Summary of the invention
In view of this, the application be designed to provide a kind of anti-scanning method based on hash algorithm, device, equipment and
Readable storage medium storing program for executing improves computer performance to reduce the CPU usage in anti-scanning process.Its concrete scheme is as follows:
In a first aspect, this application provides a kind of anti-scanning methods based on hash algorithm, comprising:
Obtain the access log of client record;
Using the access feature of IP address and IP address in hash algorithm statistics access log;
Judge to access whether feature has scanning behavior;
If so, IP address is determined as to scan IP address, and block IP address.
Preferentially, judge to access whether feature has before scan line is, further includes:
Judge that the first lock list is for recording the IP address being blocked with the presence or absence of IP address in the first lock list;
Judge to access whether feature has the step of scanning behavior if it is not, then executing.
Preferentially, IP address is blocked, comprising:
Judge that, with the presence or absence of IP address in the second lock list, the second lock list is used to record all previous IP address being blocked,
And the history of all previous IP address being blocked is blocked number;
If so, being blocked number according to the history of IP address calculates this block duration, and duration is blocked according to this
Block IP address;
If it is not, then blocking IP address according to default block duration.
Preferentially, number is blocked according to the history of IP address and calculates this block duration, comprising:
The history of IP address is blocked to the product of number and default block duration, is determined as this block duration.
Preferentially, IP address is blocked according to default block duration, comprising:
IP address is blocked in network layer, and IP address is added to the first lock list;
After default block duration, IP address is deleted from the first lock list, IP address is added to the second lock list,
And history of the more new IP address in the second lock list is blocked number.
Preferentially, using the access feature of IP address and IP address in hash algorithm statistics access log, comprising:
Count the access feature of the IP address and IP address in access log in a manner of Hash key-value pair, and by IP
Redis module of the access characteristic storage of address and IP address into memory;
Wherein, Hash key-value pair includes at least: access time, IP address and the corresponding value value of IP address.
Preferentially, after the access log for obtaining client record, further includes:
Access log is distributed to preset multiple processes, is counted with being executed using multiple task parallelisms using hash algorithm
The access feature of IP address and IP address in access log;Judge to access whether feature has scanning behavior;If so,
IP address is determined as to scan IP address, and the step of blocking IP address.
Second aspect, this application provides a kind of anti-scanning means based on hash algorithm, comprising:
Module is obtained, for obtaining the access log of client record;
Statistical module, for the access feature using IP address and IP address in hash algorithm statistics access log;
Judgment module accesses whether feature has scanning behavior for judging;
IP address is then determined as scanning IP address, and block by lockout module for having scanning behavior when access feature
IP address.
The third aspect, the anti-scanning device based on hash algorithm that this application provides a kind of, comprising:
Memory, for storing computer program;
Processor, for executing computer program, to realize the aforementioned disclosed anti-scanning method based on hash algorithm.
Fourth aspect, this application provides a kind of readable storage medium storing program for executing, for saving computer program, wherein computer
The aforementioned disclosed anti-scanning method based on hash algorithm is realized when program is executed by processor.
As it can be seen that the application is using in hash algorithm statistics access log after the access log for getting client record
IP address and IP address access feature, and then judge access feature whether there is scanning behavior;If so, by IP
Location is determined as scanning IP address, and blocks IP address.Wherein, hash algorithm can with counting IP in a manner of linear data structure
The access feature of location and IP address reduces CPU usage, can also mention so as to improve the statistical efficiency of access feature
High computer performance.
Correspondingly, a kind of anti-scanning means, equipment and readable storage medium storing program for executing based on hash algorithm provided by the present application,
Equally have above-mentioned technique effect.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
The embodiment of application for those of ordinary skill in the art without creative efforts, can also basis
The attached drawing of offer obtains other attached drawings.
Fig. 1 is the first anti-scanning method flow chart based on hash algorithm disclosed in the present application;
Fig. 2 is the second disclosed in the present application anti-scanning method flow chart based on hash algorithm;
Fig. 3 is the third anti-scanning method flow chart based on hash algorithm disclosed in the present application;
Fig. 4 is a kind of anti-scanning means schematic diagram based on hash algorithm disclosed in the present application;
Fig. 5 is a kind of anti-scanning device schematic diagram based on hash algorithm disclosed in the present application.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present application, technical solutions in the embodiments of the present application carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of embodiments of the present application, instead of all the embodiments.It is based on
Embodiment in the application, it is obtained by those of ordinary skill in the art without making creative efforts every other
Embodiment shall fall in the protection scope of this application.
In the prior art at present, the accounting that host can be 403 or 404 with window answer code in the statistical unit time, and
Determine whether IP address has scanning behavior according to the accounting, so that it is determined that whether IP address is scanning IP address.Wherein, it counts
Computer resource needed for 403 or 404 accountings is more, therefore the occupancy of host CPU is higher, can reduce computer performance, sternly
It may cause host system delay machine when weight.For this purpose, this application provides a kind of anti-sweeping scheme based on hash algorithm, can drop
Low CPU usage improves computer performance.
Shown in Figure 1, the embodiment of the present application discloses the first anti-scanning method based on hash algorithm, comprising:
S101, the access log for obtaining client record.
It should be noted that the present embodiment is applied to server-side, which is used for management client.Client record
Access log are as follows: itself accessed log information of client record.
S102, using hash algorithm statistics access log in IP address and IP address access feature.
In the present embodiment, the access feature of the IP address and IP address in access log is counted using hash algorithm,
It include: that the access feature of IP address and IP address in access log is counted in a manner of Hash key-value pair, and by IP
Redis module of the access characteristic storage of location and IP address into memory;Wherein, Hash key-value pair includes at least: IP address
Access time, IP address and corresponding value value.
In Hash key assignments pair, access time carries out Hash as key value, and value value is the access feature of IP address, tool
The accounting for the answer code 403 or 404 that the value value of body can return in the time to current IP address as unit of.Specific Hash
Key-value pair structure can be with are as follows: key value-IP address-value value.
It should be noted that using the access feature of IP address and IP address in hash algorithm statistics access log,
That is: the access feature of IP address and IP address by the way of Hash key-value pair in record access log, records in this way
The data arrived are linear data structure, and inquiry and processing effect can be improved compared to table and queue etc. in linear data structure
Rate.Therefore the statistical efficiency of access feature can be improved in hash algorithm, reduces CPU usage, also can be improved computer performance.
Redis module is log type memory-based, Key-Value database, can provide the API of multilingual,
With good versatility.Certainly, Redis module may also be arranged on the disk of persistence.
S103, judge to access whether feature has scanning behavior;If so, executing S104;If it is not, then executing S105.
Specifically, judging to access the method whether feature has scanning behavior specifically: use bayesian algorithm or support
Vector machine algorithm (Support Vector Machine, SVM) identification access feature, or the response that statistics is returned to IP address
403 or 404 accountings of code.
It should be noted that then show access errors when returning to 403 or 404 to IP address, and the reason of mistake may be
IP address does not install respective certificate, certificate expired etc. without access authority,.Therefore statistics is returned to IP address answer code 403 or
404 accountings can determine the abuse frequency of current IP address, when the abuse frequency is higher, then it is believed that current IP
There are the abnormal behaviours such as scanning in location.
S104, IP address is determined as to scan IP address, and blocks IP address;
S105, label IP address are normal IP address.
In the present embodiment, the specific method for blocking IP address can be with are as follows: intercepts IP address, or the IP address is forbidden to exist
Forbid accessing active client in specific duration.The specific duration can be adjusted flexibly, such as: when determine IP address for scanning
IP address then starts timing, forbids the IP address access client in next 24 hours.It is of course also possible to permanent envelope
Lock the IP address.
In order to improve treatment effeciency, server-side can also will access after the access log for getting client record
Log is distributed to preset multiple processes, with the step of using multiple task parallelisms execution S102-S105.
Specifically, server-side can distribute access log according to IP address.Such as: if in the access log of client record
There are three different IP address, the respectively address A, the address B and the address C for record;And server-side is default that there are three processes, then just
Access log in relation to the address A can be sent to process 1, the access log in relation to the address C is sent to process 2, related C
The access log of location is sent to process 3, and such process 1, process 2 and process 3 can execute parallel, so that processing effect can be improved
Rate.Wherein, when different task parallelisms handle data, data interaction can be carried out with Redis module.
As it can be seen that the embodiment of the present application after the access log for getting client record, is counted using hash algorithm and is accessed
The access feature of IP address and IP address in log, and then judge to access whether feature has scanning behavior;If so,
IP address is determined as to scan IP address, and blocks IP address.Wherein, hash algorithm can be united in a manner of linear data structure
The access feature of IP address and IP address is counted, so as to improve the statistical efficiency of access feature, reduces CPU usage,
It can be improved computer performance.
Shown in Figure 2, the embodiment of the present application discloses second of anti-scanning method based on hash algorithm, comprising:
S201, the access log for obtaining client record;
S202, using hash algorithm statistics access log in IP address and IP address access feature;
S203, judge that the first lock list is for recording the IP being blocked with the presence or absence of IP address in the first lock list
Address;If so, without operation;If it is not, then executing S204;
S204, judge to access whether feature has scanning behavior;If so, executing S205;If it is not, then executing S206;
S205, IP address is determined as to scan IP address, and blocks IP address;
S206, label IP address are normal IP address.
In the present embodiment, it is preset with the first lock list of the IP address that record is being blocked, therefore when statistics visiting
After asking the IP address in log, can first it judge in the first lock list with the presence or absence of the IP address;If it exists, then show the IP address
It is the scanning IP address being blocked, then judges without the access feature to the IP address, therefore can directly return,
So as to reduce the data processing amount of CPU, improve efficiency.If it does not exist, then the access feature of the IP address is judged,
To determine whether IP address has scanning behavior.
Certainly, if blocking IP address according to duration, and there are IP address in the first lock list, can further extend the IP
The block duration of address.Such as: it is 100 minutes a length of when such as block to scanning IP address under normal conditions, when counting on again
The IP address, and the IP address is present in the first lock list, then IP address block duration can be extended, such as: it is further added by
100 minutes.
It should be noted that other in the present embodiment realize that step is same as the previously described embodiments or similar, therefore this implementation
Details are not described herein for example.
Therefore the present embodiment is counted using hash algorithm and is accessed after the access log for getting client record
The access feature of IP address and IP address in log, and then judge in the first lock list with the presence or absence of IP address;If it is not,
Then judge to access whether feature has scanning behavior;If so, IP address is determined as to scan IP address, and block IP address.
Wherein, hash algorithm can count the access feature of IP address and IP address in a manner of linear data structure, so as to
The statistical efficiency of access feature is improved, CPU usage is reduced, also can be improved computer performance.
Shown in Figure 3, the embodiment of the present application discloses the third anti-scanning method based on hash algorithm, comprising:
S301, the access log for obtaining client record;
S302, using hash algorithm statistics access log in IP address and IP address access feature;
S303, judge that the first lock list is for recording the IP being blocked with the presence or absence of IP address in the first lock list
Address;If so, without operation;If it is not, then executing S304;
S304, judge to access whether feature has scanning behavior;If so, executing S305;If it is not, then executing S309;
S305, IP address is determined as to scan IP address, and executes S306;
S306, judge in the second lock list with the presence or absence of IP address;If so, executing S307;If it is not, then executing S308;
Wherein, the second lock list is used to record going through for all previous IP address being blocked and all previous IP address being blocked
History is blocked number;
S307, be blocked according to the history of IP address number calculate this block duration, and according to this block duration envelope
Lock IP address;
S308, IP address is blocked according to default block duration;
S309, label IP address are normal IP address.
In the present embodiment, it is not only preset with the first lock list of the IP address that record is being blocked, is also preset with note
The history for recording all previous IP address being blocked and all previous IP address being blocked is blocked the second lock list of number, can root
The block duration of IP address is flexibly determined according to the second lock list.First lock list and the second lock list are Hash table, and also
It is to say, the first lock list and the second lock list record data in a manner of Hash key-value pair.
Specifically, being then blocked number when there are IP address in the second lock list according to the history of IP address and calculating this
Block duration, specific calculation are as follows: the history of IP address is blocked to the product of number and default block duration, is determined as this
Secondary block duration.The mode flexibly changing of this block duration is calculated, such as: it calculates history and is blocked number and default block
The sum of the default block duration of the sum of products is blocked duration as this by the product of duration.
When IP address is not present in the second lock list, then IP address is blocked according to default block duration.According to default block
Duration blocks IP address specifically: blocks IP address in network layer, and IP address is added to the first lock list;In default block
After duration, IP address is deleted from the first lock list, IP address is added to the second lock list, and more new IP address is second
History in lock list is blocked number.It should be noted that wherein, default block duration can be adjusted flexibly.
It should be noted that other in the present embodiment realize that step is same as the previously described embodiments or similar, therefore this implementation
Details are not described herein for example.
Therefore the present embodiment is counted using hash algorithm and is accessed after the access log for getting client record
The access feature of IP address and IP address in log, and then judge in the first lock list with the presence or absence of IP address;If it is not,
Then judge to access whether feature has scanning behavior;If so, IP address is determined as to scan IP address, and judge the second block
It whether there is IP address in table;When there are IP address in the second lock list, then number is blocked according to the history of IP address and calculated
This block duration, and IP address is blocked according to this block duration;When IP address is not present in the second lock list, then according to pre-
If blocking duration blocks IP address.Wherein, hash algorithm be with can counting IP address and IP in a manner of linear data structure
The access feature of location reduces CPU usage, also can be improved computer so as to improve the statistical efficiency of access feature
Energy.
A kind of anti-scanning means based on hash algorithm provided by the embodiments of the present application is introduced below, is described below
A kind of anti-scanning means based on hash algorithm can phase with a kind of above-described anti-scanning method based on hash algorithm
Mutual reference.
Shown in Figure 4, the embodiment of the present application discloses a kind of anti-scanning means based on hash algorithm, comprising:
Module 401 is obtained, for obtaining the access log of client record;
Statistical module 402, it is special for the access using IP address and IP address in hash algorithm statistics access log
Sign;
Judgment module 403 accesses whether feature has scanning behavior for judging;
Lockout module 404, for when accessing feature with scanning behavior, then IP address being determined as scanning IP address, and
Block IP address.
In a specific embodiment, the anti-scanning means based on hash algorithm further include:
First lock list judgment module, for judging that, with the presence or absence of IP address in the first lock list, the first lock list is used for
Record the IP address being blocked;
Execution module, if executing the step in judgment module for IP address to be not present in the first lock list.
In a specific embodiment, lockout module includes:
Judging unit, for judging that the second lock list is for recording all previous quilt with the presence or absence of IP address in the second lock list
The history of the IP address of block and all previous IP address being blocked is blocked number;
First block unit, if being blocked according to the history of IP address secondary for there are IP address in the second lock list
Number calculates this block duration, and blocks IP address according to this block duration;
Second block unit, if blocking IP according to default block duration for IP address to be not present in the second lock list
Address.
In a specific embodiment, the first block unit is specifically used for:
The history of IP address is blocked to the product of number and default block duration, is determined as this block duration.
In a specific embodiment, the second block unit includes:
Subelement is blocked, for blocking IP address in network layer, and IP address is added to the first lock list;
Subelement is executed, for IP address being deleted from the first lock list, IP address being added after default block duration
The second lock list is added to, and history of the more new IP address in the second lock list is blocked number.
In a specific embodiment, statistical module is specifically used for:
Count the access feature of the IP address and IP address in access log in a manner of Hash key-value pair, and by IP
Redis module of the access characteristic storage of address and IP address into memory;Wherein, Hash key-value pair includes at least: IP
Access time, IP address and the corresponding value value of location.
In a specific embodiment, the anti-scanning means based on hash algorithm further include:
Access log is distributed to preset multiple processes, is counted with being executed using multiple task parallelisms using hash algorithm
The access feature of IP address and IP address in access log;Judge to access whether feature has scanning behavior;If so,
IP address is determined as to scan IP address, and the step of blocking IP address.
Wherein, previous embodiment can be referred to by closing the more specifical course of work of modules, unit in this present embodiment
Disclosed in corresponding contents, no longer repeated herein.
As it can be seen that present embodiments providing a kind of anti-scanning means based on hash algorithm, comprising: obtain module, statistics mould
Block, judgment module and lockout module.The access log of client record is obtained by acquisition module first;Then statistical module is adopted
With the access feature of IP address and IP address in hash algorithm statistics access log;And then judgment module judgement access is special
Whether sign has scanning behavior;When access feature has scanning behavior, then IP address is determined as scanning IP address by lockout module,
And block IP address.Share out the work and help one another between such modules, Each performs its own functions, so as to improve the statistics effect of access feature
Rate reduces CPU usage, also can be improved computer performance.
A kind of anti-scanning device based on hash algorithm provided by the embodiments of the present application is introduced below, is described below
A kind of anti-scanning device based on hash algorithm and a kind of above-described anti-scanning method and device based on hash algorithm
It can be cross-referenced.
Shown in Figure 5, the embodiment of the present application discloses a kind of anti-scanning device based on hash algorithm, comprising:
Memory 501, for saving computer program;
Processor 502, for executing the computer program, to perform the steps of
Obtain the access log of client record;IP address and the IP in access log are counted using hash algorithm
The access feature of location;Judge to access whether feature has scanning behavior;If so, IP address is determined as to scan IP address, and
Block IP address.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory
It performs the steps of and judges that the first lock list is for recording the IP being blocked with the presence or absence of IP address in the first lock list
Address;Judge to access whether feature has the step of scanning behavior if it is not, then executing.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory
It performs the steps of and judges that the second lock list is for recording all previous IP being blocked with the presence or absence of IP address in the second lock list
The history of address and all previous IP address being blocked is blocked number;If so, the history according to IP address is blocked number
This block duration is calculated, and blocks IP address according to this block duration;If it is not, then according to default block duration block IP
Location.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory
The product that the history of IP address is blocked to number and default block duration is performed the steps of, this block duration is determined as.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory
It performs the steps of and blocks IP address in network layer, and IP address is added to the first lock list;Default block duration it
Afterwards, IP address is deleted from the first lock list, IP address is added to the second lock list, and more new IP address is in the second lock list
In history be blocked number.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory
The access feature that IP address and IP address in access log are counted in a manner of Hash key-value pair is performed the steps of, and
By Redis module of the access characteristic storage of IP address and IP address into memory;Wherein, Hash key-value pair includes at least:
Access time, IP address and the corresponding value value of IP address.
A kind of readable storage medium storing program for executing provided by the embodiments of the present application is introduced below, one kind described below is readable to deposit
Storage media can be cross-referenced with a kind of above-described anti-scanning method based on hash algorithm, device and equipment.
A kind of readable storage medium storing program for executing, for saving computer program, wherein when the computer program is executed by processor
Realize the anti-scanning method based on hash algorithm disclosed in previous embodiment.Specific steps about this method can refer to aforementioned
Corresponding contents disclosed in embodiment, are no longer repeated herein.
This application involves " first ", " second ", " third ", the (if present)s such as " the 4th " be for distinguishing similar right
As without being used to describe a particular order or precedence order.It should be understood that the data used in this way in the appropriate case can be with
It exchanges, so that the embodiments described herein can be implemented with the sequence other than the content for illustrating or describing herein.In addition,
Term " includes " and " having " and their any deformation, it is intended that cover it is non-exclusive include, for example, containing a system
The process, method or equipment of column step or unit those of are not necessarily limited to be clearly listed step or unit, but may include not having
There are other step or units being clearly listed or intrinsic for these process, methods or equipment.
It should be noted that the description for being related to " first ", " second " etc. in this application is used for description purposes only, and cannot
It is interpreted as its relative importance of indication or suggestion or implicitly indicates the quantity of indicated technical characteristic.Define as a result, " the
One ", the feature of " second " can explicitly or implicitly include at least one of the features.In addition, the skill between each embodiment
Art scheme can be combined with each other, but must be based on can be realized by those of ordinary skill in the art, when technical solution
Will be understood that the combination of this technical solution is not present in conjunction with there is conflicting or cannot achieve when, also not this application claims
Protection scope within.
Each embodiment in this specification is described in a progressive manner, the highlights of each of the examples are with it is other
The difference of embodiment, same or similar part may refer to each other between each embodiment.For being filled disclosed in embodiment
For setting, since it is corresponded to the methods disclosed in the examples, so being described relatively simple, related place is referring to method part
Explanation.
The step of method described in conjunction with the examples disclosed in this document or algorithm, can directly be held with hardware, processor
The combination of capable software module or the two is implemented.Software module can be placed in random access memory (RAM), memory, read-only deposit
Reservoir (ROM), electrically programmable ROM, electrically erasable ROM, register, hard disk, moveable magnetic disc, CD-ROM or technology
In any other form of storage readable storage medium storing program for executing well known in field.
Specific examples are used herein to illustrate the principle and implementation manner of the present application, and above embodiments are said
It is bright to be merely used to help understand the present processes and its core concept;At the same time, for those skilled in the art, foundation
The thought of the application, there will be changes in the specific implementation manner and application range, in conclusion the content of the present specification is not
It is interpreted as the limitation to the application.
Claims (10)
1. a kind of anti-scanning method based on hash algorithm characterized by comprising
Obtain the access log of client record;
The access feature of the IP address and the IP address in the access log is counted using hash algorithm;
Judge whether the access feature has scanning behavior;
If so, the IP address is determined as to scan IP address, and block the IP address.
2. the anti-scanning method according to claim 1 based on hash algorithm, which is characterized in that the judgement access
Whether feature has before scan line is, further includes:
Judge that first lock list is for recording the IP being blocked with the presence or absence of the IP address in the first lock list
Location;
Described judge whether the access feature has the step of scanning behavior if it is not, then executing.
3. the anti-scanning method according to claim 2 based on hash algorithm, which is characterized in that the block IP
Location, comprising:
Judge that second lock list is for recording all previous IP being blocked with the presence or absence of the IP address in the second lock list
The history of location and all previous IP address being blocked is blocked number;
If so, being blocked number according to the history of the IP address calculates this block duration, and according to this described block
Duration blocks the IP address;
If it is not, then blocking the IP address according to default block duration.
4. the anti-scanning method according to claim 3 based on hash algorithm, which is characterized in that it is described according to the IP
The history of location is blocked number and calculates this block duration, comprising:
The history of the IP address is blocked to the product of number and the default block duration, when being determined as this described block
It is long.
5. the anti-scanning method according to claim 3 based on hash algorithm, which is characterized in that described according to default block
Duration blocks the IP address, comprising:
The IP address is blocked in network layer, and the IP address is added to first lock list;
After the default block duration, the IP address is deleted from first lock list, the IP address is added
Extremely second lock list, and update history of the IP address in second lock list and be blocked number.
6. the anti-scanning method according to claim 1 based on hash algorithm, which is characterized in that described to use hash algorithm
Count the access feature of the IP address and the IP address in the access log, comprising:
The access feature of the IP address and the IP address in the access log is counted in a manner of Hash key-value pair, and
By Redis module of the access characteristic storage of the IP address and the IP address into memory;
Wherein, the Hash key-value pair includes at least: the access time of the IP address, the IP address and corresponding value
Value.
7. the anti-scanning method based on hash algorithm described in -6 any one according to claim 1, which is characterized in that obtain visitor
After the access log of family end record, further includes:
The access log is distributed to preset multiple processes, it is described using Hash to be executed using the multiple task parallelism
Algorithm counts the access feature of IP address and the IP address in the access log;Whether judge the access feature
With scanning behavior;If so, the IP address is determined as to scan IP address, and the step of blocking the IP address.
8. a kind of anti-scanning means based on hash algorithm characterized by comprising
Module is obtained, for obtaining the access log of client record;
Statistical module, for counting the access of IP address and the IP address in the access log using hash algorithm
Feature;
Judgment module, for judging whether the access feature has scanning behavior;
The IP address is then determined as scanning IP address for having scanning behavior when the access feature by lockout module, and
Block the IP address.
9. a kind of anti-scanning device based on hash algorithm characterized by comprising
Memory, for storing computer program;
Processor, it is as described in any one of claim 1 to 7 based on Hash calculation to realize for executing the computer program
The anti-scanning method of method.
10. a kind of readable storage medium storing program for executing, which is characterized in that for saving computer program, wherein the computer program is located
Reason device realizes the anti-scanning method as described in any one of claim 1 to 7 based on hash algorithm when executing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910418482.5A CN110138789A (en) | 2019-05-20 | 2019-05-20 | A kind of anti-scanning method and device based on hash algorithm |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910418482.5A CN110138789A (en) | 2019-05-20 | 2019-05-20 | A kind of anti-scanning method and device based on hash algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110138789A true CN110138789A (en) | 2019-08-16 |
Family
ID=67571521
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910418482.5A Pending CN110138789A (en) | 2019-05-20 | 2019-05-20 | A kind of anti-scanning method and device based on hash algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138789A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105939326A (en) * | 2016-01-18 | 2016-09-14 | 杭州迪普科技有限公司 | Message processing method and device |
CN108259473A (en) * | 2017-12-29 | 2018-07-06 | 西安交大捷普网络科技有限公司 | Web server scan protection method |
CN108549688A (en) * | 2018-04-11 | 2018-09-18 | 上海达梦数据库有限公司 | A kind of optimization method of data manipulation, device, equipment and storage medium |
US20180351984A1 (en) * | 2011-12-20 | 2018-12-06 | International Business Machines Corporation | Identifying requests that invalidate user sessions |
CN108989294A (en) * | 2018-06-28 | 2018-12-11 | 杭州安恒信息技术股份有限公司 | A kind of method and system for the malicious user accurately identifying website visiting |
CN109587117A (en) * | 2018-11-09 | 2019-04-05 | 杭州安恒信息技术股份有限公司 | A kind of anti-replay-attack method of the whole network udp port scanning |
-
2019
- 2019-05-20 CN CN201910418482.5A patent/CN110138789A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180351984A1 (en) * | 2011-12-20 | 2018-12-06 | International Business Machines Corporation | Identifying requests that invalidate user sessions |
CN105939326A (en) * | 2016-01-18 | 2016-09-14 | 杭州迪普科技有限公司 | Message processing method and device |
CN108259473A (en) * | 2017-12-29 | 2018-07-06 | 西安交大捷普网络科技有限公司 | Web server scan protection method |
CN108549688A (en) * | 2018-04-11 | 2018-09-18 | 上海达梦数据库有限公司 | A kind of optimization method of data manipulation, device, equipment and storage medium |
CN108989294A (en) * | 2018-06-28 | 2018-12-11 | 杭州安恒信息技术股份有限公司 | A kind of method and system for the malicious user accurately identifying website visiting |
CN109587117A (en) * | 2018-11-09 | 2019-04-05 | 杭州安恒信息技术股份有限公司 | A kind of anti-replay-attack method of the whole network udp port scanning |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108494703B (en) | Access frequency control method, device and storage medium | |
CN102915374B (en) | A kind of method, Apparatus and system of resource access of controlling database | |
CN104978335B (en) | Data access control method and device | |
CN108400963A (en) | Electronic device, access request control method and computer readable storage medium | |
CN106981024B (en) | Transaction limit calculation processing system and processing method thereof | |
CN102769549A (en) | Network security monitoring method and device | |
CN104572727A (en) | Data querying method and device | |
CN108829782B (en) | Data table cleaning method, server and computer readable storage medium | |
US11003367B2 (en) | Data storage, reading, and cleansing method and device, and cloud storage system | |
CN107273195A (en) | A kind of batch processing method of big data, device and computer system | |
CN112364311A (en) | Method and device for managing identity on block chain | |
CN108462687A (en) | Method, apparatus, terminal device and the storage medium that anti-brush logs in | |
CN104639650A (en) | Fine granularity distributive interface access control method and device | |
CN102609466A (en) | Method and system for controlling shared memory | |
CN110471749A (en) | Task processing method, device, computer readable storage medium and computer equipment | |
CN101562558A (en) | Method, system and device for terminal grade classification | |
CN110515706A (en) | A kind of request processing method, device, equipment and readable storage medium storing program for executing | |
CN101057219A (en) | Method and system for local authority partitioning of client resources | |
CN112748867A (en) | Method, electronic device and computer program product for storage management | |
CN102413201B (en) | Processing method and equipment for domain name system (DNS) query request | |
CN104657216B (en) | The resource allocation methods and device of a kind of resource pool | |
CN106650501A (en) | Database access control method and apparatus | |
CN110138789A (en) | A kind of anti-scanning method and device based on hash algorithm | |
CN109905407B (en) | Management method, system, equipment and medium for accessing intranet based on VPN server | |
CN106656522A (en) | Data calculation method and system of cross-data center |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190816 |
|
RJ01 | Rejection of invention patent application after publication |