CN110138789A - Anti-scanning method and device based on a hash algorithm

Publication number
CN110138789A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910418482.5A
Other languages
Chinese (zh)
Inventor
唐其彪
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201910418482.5A
Publication of CN110138789A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

This application discloses an anti-scanning method based on a hash algorithm, comprising: obtaining the access log recorded by a client; using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of those IP addresses; judging whether the access features exhibit scanning behavior; and, if so, determining the IP address to be a scanning IP address and blocking it. The hash algorithm in this method can compile the statistics on IP addresses and their access features as a linear data structure, which improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance. Correspondingly, the anti-scanning apparatus, device and readable storage medium based on a hash algorithm disclosed in this application have the same technical effects.

Description

Anti-scanning method and device based on a hash algorithm
Technical field
This application relates to the field of Internet technology, and in particular to an anti-scanning method, apparatus, device and readable storage medium based on a hash algorithm.
Background
Scanning is a kind of attack, and port scanning is a common scanning behavior. Port scanning means establishing TCP connections with certain ports of a target host in order to find out whether those ports are active, which services the target host provides, and so on.
In the prior art, when an IP address makes accesses in a given window, the host counts the proportion of response codes that are 403 or 404 within a unit time window, and determines from that proportion whether the IP address exhibits scanning behavior, and thus whether it is a scanning IP address. Counting the 403 or 404 proportion requires considerable computer resources, so host CPU usage is high, which degrades computer performance and in severe cases may crash the host system.
Therefore, how to reduce CPU usage during anti-scanning and improve computer performance is a problem to be solved by those skilled in the art.
Summary of the invention
In view of this, the purpose of this application is to provide an anti-scanning method, apparatus, device and readable storage medium based on a hash algorithm, so as to reduce CPU usage during anti-scanning and improve computer performance. The specific scheme is as follows:
In a first aspect, this application provides an anti-scanning method based on a hash algorithm, comprising:
obtaining the access log recorded by a client;
using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses;
judging whether the access features exhibit scanning behavior;
if so, determining the IP address to be a scanning IP address, and blocking the IP address.
Preferably, before judging whether the access features exhibit scanning behavior, the method further comprises:
judging whether the IP address exists in a first block list, the first block list being used to record IP addresses that are currently blocked;
if not, executing the step of judging whether the access features exhibit scanning behavior.
Preferably, blocking the IP address comprises:
judging whether the IP address exists in a second block list, the second block list being used to record IP addresses that have previously been blocked and the number of times each of them has been blocked in the past;
if so, calculating the current block duration from the number of times the IP address has been blocked in the past, and blocking the IP address for the current block duration;
if not, blocking the IP address for a default block duration.
Preferably, calculating the current block duration from the number of times the IP address has been blocked in the past comprises:
taking the product of the number of times the IP address has been blocked in the past and the default block duration as the current block duration.
Preferably, blocking the IP address for the default block duration comprises:
blocking the IP address at the network layer, and adding the IP address to the first block list;
after the default block duration has elapsed, deleting the IP address from the first block list, adding the IP address to the second block list, and updating the number of past blocks of the IP address in the second block list.
Preferably, using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses comprises:
compiling statistics on the IP addresses in the access log and their access features in the form of hash key-value pairs, and storing the IP addresses and their access features in a Redis module in memory;
wherein a hash key-value pair includes at least: the access time, the IP address, and the value corresponding to the IP address.
Preferably, after obtaining the access log recorded by the client, the method further comprises:
distributing the access log to multiple preset processes, so that the multiple processes execute in parallel the steps of: using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses; judging whether the access features exhibit scanning behavior; and, if so, determining the IP address to be a scanning IP address and blocking the IP address.
In a second aspect, this application provides an anti-scanning apparatus based on a hash algorithm, comprising:
an obtaining module, for obtaining the access log recorded by a client;
a statistics module, for using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses;
a judgment module, for judging whether the access features exhibit scanning behavior;
a blocking module, for determining the IP address to be a scanning IP address and blocking the IP address when the access features exhibit scanning behavior.
In a third aspect, this application provides an anti-scanning device based on a hash algorithm, comprising:
a memory, for storing a computer program;
a processor, for executing the computer program to implement the anti-scanning method based on a hash algorithm disclosed above.
In a fourth aspect, this application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the anti-scanning method based on a hash algorithm disclosed above.
It can be seen that, after obtaining the access log recorded by the client, this application uses a hash algorithm to compile statistics on the IP addresses in the access log and their access features, and then judges whether the access features exhibit scanning behavior; if so, the IP address is determined to be a scanning IP address and is blocked. The hash algorithm can compile the statistics on IP addresses and their access features as a linear data structure, which improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance.
Correspondingly, the anti-scanning apparatus, device and readable storage medium based on a hash algorithm provided by this application have the same technical effects.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of this application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the first anti-scanning method based on a hash algorithm disclosed in this application;
Fig. 2 is a flowchart of the second anti-scanning method based on a hash algorithm disclosed in this application;
Fig. 3 is a flowchart of the third anti-scanning method based on a hash algorithm disclosed in this application;
Fig. 4 is a schematic diagram of an anti-scanning apparatus based on a hash algorithm disclosed in this application;
Fig. 5 is a schematic diagram of an anti-scanning device based on a hash algorithm disclosed in this application.
Detailed description of embodiments
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the protection scope of this application.
In the current prior art, the host counts the proportion of response codes that are 403 or 404 within a unit time window, and determines from that proportion whether an IP address exhibits scanning behavior, and thus whether it is a scanning IP address. Counting the 403 or 404 proportion requires considerable computer resources, so host CPU usage is high, which degrades computer performance and in severe cases may crash the host system. To this end, this application provides an anti-scanning scheme based on a hash algorithm that can reduce CPU usage and improve computer performance.
Referring to Fig. 1, an embodiment of this application discloses the first anti-scanning method based on a hash algorithm, comprising:
S101: obtain the access log recorded by a client.
It should be noted that this embodiment is applied to a server, which manages the clients. The access log recorded by a client is the log information the client records about accesses made to itself.
S102: use a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses.
In this embodiment, using a hash algorithm to compile statistics on the IP addresses in the access log and their access features comprises: compiling the statistics in the form of hash key-value pairs, and storing the IP addresses and their access features in a Redis module in memory; wherein a hash key-value pair includes at least: the access time of the IP address, the IP address, and the corresponding value.
In a hash key-value pair, the access time is hashed as the key, and the value is the access feature of the IP address; specifically, the value can be the proportion of response codes 403 or 404 returned to the current IP address per unit time. The specific structure of a hash key-value pair can be: key - IP address - value.
It should be noted that using a hash algorithm to compile statistics on the IP addresses in the access log and their access features means recording them as hash key-value pairs. Data recorded this way forms a linear data structure, which, compared with tables, queues and the like, can improve query and processing efficiency. The hash algorithm therefore improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance.
The Redis module is a memory-based, log-type key-value database that provides APIs for multiple languages and has good versatility. Of course, the Redis module can also be placed on persistent disk.
S103: judge whether the access features exhibit scanning behavior; if so, execute S104; if not, execute S105.
Specifically, the method of judging whether the access features exhibit scanning behavior is: identify the access features using a Bayesian algorithm or a support vector machine (Support Vector Machine, SVM) algorithm, or count the proportion of response codes 403 or 404 returned to the IP address.
It should be noted that returning 403 or 404 to an IP address indicates an access error, and the cause of the error may be that the IP address has no access permission, has not installed the corresponding certificate, has an expired certificate, and so on. Counting the proportion of response codes 403 or 404 returned to the IP address therefore determines the abuse frequency of the current IP address; when the abuse frequency is high, the current IP address can be considered to exhibit abnormal behavior such as scanning.
S104: determine the IP address to be a scanning IP address, and block the IP address.
S105: mark the IP address as a normal IP address.
In this embodiment, the specific method of blocking an IP address can be: intercepting the IP address, or forbidding the IP address from accessing the current client for a specific duration. The specific duration can be adjusted flexibly; for example, timing starts when the IP address is determined to be a scanning IP address, and the IP address is forbidden from accessing the client for the next 24 hours. Of course, the IP address can also be blocked permanently.
To improve processing efficiency, after obtaining the access log recorded by the client, the server can also distribute the access log to multiple preset processes, so that the multiple processes execute steps S102-S105 in parallel.
Specifically, the server can distribute the access log by IP address. For example, if the access log recorded by the client contains three different IP addresses, address A, address B and address C, and the server has three preset processes, then the log entries for address A can be sent to process 1, those for address B to process 2, and those for address C to process 3, so that process 1, process 2 and process 3 execute in parallel and processing efficiency improves. When the different processes handle data in parallel, they can exchange data with the Redis module.
It can be seen that, after obtaining the access log recorded by the client, this embodiment uses a hash algorithm to compile statistics on the IP addresses in the access log and their access features, and then judges whether the access features exhibit scanning behavior; if so, the IP address is determined to be a scanning IP address and is blocked. The hash algorithm can compile the statistics on IP addresses and their access features as a linear data structure, which improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance.
Referring to Fig. 2, an embodiment of this application discloses the second anti-scanning method based on a hash algorithm, comprising:
S201: obtain the access log recorded by a client.
S202: use a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses.
S203: judge whether the IP address exists in the first block list, the first block list being used to record IP addresses that are currently blocked; if so, take no action; if not, execute S204.
S204: judge whether the access features exhibit scanning behavior; if so, execute S205; if not, execute S206.
S205: determine the IP address to be a scanning IP address, and block the IP address.
S206: mark the IP address as a normal IP address.
In this embodiment, a first block list recording the IP addresses that are currently blocked is preset. Therefore, after an IP address in the access log has been counted, it is first judged whether that IP address exists in the first block list. If it does, the IP address is a scanning IP address that is already blocked, so its access features need not be judged and the method can return directly, which reduces the amount of data the CPU processes and improves efficiency. If it does not, the access features of the IP address are judged to determine whether the IP address exhibits scanning behavior.
Of course, if IP addresses are blocked for a duration and the IP address exists in the first block list, the block duration of that IP address can be extended further. For example, if the block duration for a scanning IP address is normally 100 minutes, and the IP address is counted again while it is present in the first block list, the block duration of the IP address can be extended, for example by a further 100 minutes.
It should be noted that the other implementation steps in this embodiment are the same as or similar to those of the above embodiment, so they are not repeated here.
Thus, after obtaining the access log recorded by the client, this embodiment uses a hash algorithm to compile statistics on the IP addresses in the access log and their access features, and then judges whether the IP address exists in the first block list; if not, it judges whether the access features exhibit scanning behavior; if so, the IP address is determined to be a scanning IP address and is blocked. The hash algorithm can compile the statistics on IP addresses and their access features as a linear data structure, which improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance.
Referring to Fig. 3, an embodiment of this application discloses the third anti-scanning method based on a hash algorithm, comprising:
S301: obtain the access log recorded by a client.
S302: use a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses.
S303: judge whether the IP address exists in the first block list, the first block list being used to record IP addresses that are currently blocked; if so, take no action; if not, execute S304.
S304: judge whether the access features exhibit scanning behavior; if so, execute S305; if not, execute S309.
S305: determine the IP address to be a scanning IP address, and execute S306.
S306: judge whether the IP address exists in the second block list; if so, execute S307; if not, execute S308.
The second block list is used to record IP addresses that have previously been blocked and the number of times each of them has been blocked in the past.
S307: calculate the current block duration from the number of times the IP address has been blocked in the past, and block the IP address for the current block duration.
S308: block the IP address for the default block duration.
S309: mark the IP address as a normal IP address.
In this embodiment, in addition to the preset first block list recording the IP addresses that are currently blocked, a second block list is preset that records the IP addresses previously blocked and the number of times each has been blocked in the past, so the block duration of an IP address can be determined flexibly from the second block list. The first block list and the second block list are both hash tables; that is, both record data as hash key-value pairs.
Specifically, when the IP address exists in the second block list, the current block duration is calculated from the number of times the IP address has been blocked in the past. The specific calculation is: the product of the number of past blocks and the default block duration is taken as the current block duration. The way the current block duration is calculated can be varied flexibly; for example, calculate the product of the number of past blocks and the default block duration, and take the sum of that product and the default block duration as the current block duration.
When the IP address does not exist in the second block list, the IP address is blocked for the default block duration. Specifically: block the IP address at the network layer and add it to the first block list; after the default block duration has elapsed, delete the IP address from the first block list, add it to the second block list, and update its number of past blocks in the second block list. The default block duration can be adjusted flexibly.
It should be noted that the other implementation steps in this embodiment are the same as or similar to those of the above embodiments, so they are not repeated here.
Thus, after obtaining the access log recorded by the client, this embodiment uses a hash algorithm to compile statistics on the IP addresses in the access log and their access features, and then judges whether the IP address exists in the first block list; if not, it judges whether the access features exhibit scanning behavior; if so, the IP address is determined to be a scanning IP address, and it is judged whether the IP address exists in the second block list. When the IP address exists in the second block list, the current block duration is calculated from the number of times the IP address has been blocked in the past, and the IP address is blocked for the current block duration; when the IP address does not exist in the second block list, the IP address is blocked for the default block duration. The hash algorithm can compile the statistics on IP addresses and their access features as a linear data structure, which improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance.
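The flow of S301-S309 can be sketched as follows. This is an added example, not code from the patent: Python dictionaries stand in for the Redis hashes, and the window size, minimum request count, ratio threshold and 6000-second default block duration are assumed values.

```python
from collections import defaultdict

# Assumed tuning values; the patent text leaves them adjustable.
WINDOW_SECONDS = 60            # size of one statistics window
MIN_REQUESTS = 10              # do not judge an IP on fewer requests
ERROR_RATIO_THRESHOLD = 0.5    # share of 403/404 treated as scanning
DEFAULT_BLOCK_SECONDS = 6000   # default block duration (100 minutes)


class AntiScan:
    def __init__(self):
        # window key -> IP -> [total requests, 403/404 responses];
        # mirrors the "key - IP address - value" layout (one hash per window).
        self.stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
        self.active_blocks = {}   # first block list: IP -> expiry timestamp
        self.block_history = {}   # second block list: IP -> past block count

    def record(self, ts, ip, status):
        """S302: update the per-window counters for one log entry."""
        counters = self.stats[ts // WINDOW_SECONDS][ip]
        counters[0] += 1
        if status in (403, 404):
            counters[1] += 1

    def expire(self, now):
        """Move finished blocks from the first list to the second list."""
        for ip, expiry in list(self.active_blocks.items()):
            if now >= expiry:
                del self.active_blocks[ip]
                self.block_history[ip] = self.block_history.get(ip, 0) + 1

    def is_scanning(self, ts, ip):
        """S304: judge the 403/404 ratio in the window containing ts."""
        total, errors = self.stats[ts // WINDOW_SECONDS][ip]
        return total >= MIN_REQUESTS and errors / total >= ERROR_RATIO_THRESHOLD

    def evaluate(self, now, ip):
        """S303-S309 for one IP; returns (decision, block_seconds)."""
        self.expire(now)
        if ip in self.active_blocks:          # S303: skip the feature check
            return ("already_blocked", 0)
        if not self.is_scanning(now, ip):     # S309
            return ("normal", 0)
        if ip in self.block_history:          # S306 -> S307: count x default
            duration = self.block_history[ip] * DEFAULT_BLOCK_SECONDS
        else:                                 # S306 -> S308
            duration = DEFAULT_BLOCK_SECONDS
        # A deployment would also install the network-layer block here.
        self.active_blocks[ip] = now + duration
        return ("blocked", duration)


def replay():
    """Replay constructed log entries; returns the decisions in order."""
    guard = AntiScan()
    scanner, visitor = "192.0.2.10", "198.51.100.7"  # documentation addresses
    decisions = []
    t = 600000
    for _ in range(3):
        for i in range(12):                   # constructed sample traffic
            guard.record(t + i, scanner, 404)
            guard.record(t + i, visitor, 200)
        decisions.append(guard.evaluate(t + 12, scanner))
        decisions.append(guard.evaluate(t + 13, scanner))
        decisions.append(guard.evaluate(t + 13, visitor))
        # The next burst starts in the first full window after the block ends.
        expiry = guard.active_blocks[scanner]
        t = (expiry // WINDOW_SECONDS + 1) * WINDOW_SECONDS
    return decisions


if __name__ == "__main__":
    for decision in replay():
        print(decision)
```

With the product rule as stated, the second block of an address is no longer than the first, because one past block times the default duration equals the default duration; escalation starts with the third block.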
An anti-scanning apparatus based on a hash algorithm provided by an embodiment of this application is introduced below. The apparatus described below and the anti-scanning method based on a hash algorithm described above can be referred to in conjunction with each other.
Referring to Fig. 4, an embodiment of this application discloses an anti-scanning apparatus based on a hash algorithm, comprising:
an obtaining module 401, for obtaining the access log recorded by a client;
a statistics module 402, for using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses;
a judgment module 403, for judging whether the access features exhibit scanning behavior;
a blocking module 404, for determining the IP address to be a scanning IP address and blocking the IP address when the access features exhibit scanning behavior.
In a specific embodiment, the anti-scanning apparatus based on a hash algorithm further comprises:
a first block list judgment module, for judging whether the IP address exists in the first block list, the first block list being used to record IP addresses that are currently blocked;
an execution module, for executing the step in the judgment module if the IP address does not exist in the first block list.
In a specific embodiment, the blocking module comprises:
a judging unit, for judging whether the IP address exists in the second block list, the second block list being used to record IP addresses that have previously been blocked and the number of times each of them has been blocked in the past;
a first blocking unit, for calculating, if the IP address exists in the second block list, the current block duration from the number of times the IP address has been blocked in the past, and blocking the IP address for the current block duration;
a second blocking unit, for blocking the IP address for the default block duration if the IP address does not exist in the second block list.
In a specific embodiment, the first blocking unit is specifically used for:
taking the product of the number of times the IP address has been blocked in the past and the default block duration as the current block duration.
In a specific embodiment, the second blocking unit comprises:
a blocking subunit, for blocking the IP address at the network layer, and adding the IP address to the first block list;
an execution subunit, for deleting the IP address from the first block list after the default block duration has elapsed, adding the IP address to the second block list, and updating the number of past blocks of the IP address in the second block list.
In a specific embodiment, the statistics module is specifically used for:
compiling statistics on the IP addresses in the access log and their access features in the form of hash key-value pairs, and storing the IP addresses and their access features in a Redis module in memory; wherein a hash key-value pair includes at least: the access time of the IP address, the IP address, and the corresponding value.
In a specific embodiment, the anti-scanning apparatus based on a hash algorithm is further used for:
distributing the access log to multiple preset processes, so that the multiple processes execute in parallel the steps of: using a hash algorithm to compile statistics on the IP addresses in the access log and the access features of the IP addresses; judging whether the access features exhibit scanning behavior; and, if so, determining the IP address to be a scanning IP address and blocking the IP address.
For the more specific working process of each module and unit in this embodiment, refer to the corresponding content disclosed in the foregoing embodiments; it is not repeated here.
It can be seen that this embodiment provides an anti-scanning apparatus based on a hash algorithm, comprising: an obtaining module, a statistics module, a judgment module and a blocking module. First, the obtaining module obtains the access log recorded by the client; then the statistics module uses a hash algorithm to compile statistics on the IP addresses in the access log and their access features; the judgment module then judges whether the access features exhibit scanning behavior; when they do, the blocking module determines the IP address to be a scanning IP address and blocks it. In this way the modules divide the work and cooperate, each performing its own function, which improves the efficiency of access-feature statistics, reduces CPU usage, and improves computer performance.
A kind of anti-scanning device based on hash algorithm provided by the embodiments of the present application is introduced below, is described below A kind of anti-scanning device based on hash algorithm and a kind of above-described anti-scanning method and device based on hash algorithm It can be cross-referenced.
Shown in Figure 5, the embodiment of the present application discloses a kind of anti-scanning device based on hash algorithm, comprising:
Memory 501, for saving computer program;
Processor 502, for executing the computer program, to perform the steps of
Obtain the access log of client record;IP address and the IP in access log are counted using hash algorithm The access feature of location;Judge to access whether feature has scanning behavior;If so, IP address is determined as to scan IP address, and Block IP address.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory It performs the steps of and judges that the first lock list is for recording the IP being blocked with the presence or absence of IP address in the first lock list Address;Judge to access whether feature has the step of scanning behavior if it is not, then executing.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory It performs the steps of and judges that the second lock list is for recording all previous IP being blocked with the presence or absence of IP address in the second lock list The history of address and all previous IP address being blocked is blocked number;If so, the history according to IP address is blocked number This block duration is calculated, and blocks IP address according to this block duration;If it is not, then according to default block duration block IP Location.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory The product that the history of IP address is blocked to number and default block duration is performed the steps of, this block duration is determined as.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory It performs the steps of and blocks IP address in network layer, and IP address is added to the first lock list;Default block duration it Afterwards, IP address is deleted from the first lock list, IP address is added to the second lock list, and more new IP address is in the second lock list In history be blocked number.
It in the present embodiment, can be specific when the processor executes the computer subprogram saved in the memory The access feature that IP address and IP address in access log are counted in a manner of Hash key-value pair is performed the steps of, and By Redis module of the access characteristic storage of IP address and IP address into memory;Wherein, Hash key-value pair includes at least: Access time, IP address and the corresponding value value of IP address.
A readable storage medium provided by an embodiment of the present application is introduced below. The readable storage medium described below and the hash-algorithm-based anti-scanning method, apparatus and device described above may be cross-referenced.
A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the hash-algorithm-based anti-scanning method disclosed in the foregoing embodiments. For the specific steps of the method, refer to the corresponding content disclosed in the foregoing embodiments; they are not repeated here.
The terms "first", "second", "third", "fourth" and so on (if present) in this application are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described herein can be implemented in an order other than that illustrated or described herein. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method or device that contains a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method or device.
It should be noted that descriptions involving "first", "second" and so on in this application are for descriptive purposes only and shall not be understood as indicating or implying relative importance or as implicitly indicating the number of the indicated technical features. A feature defined with "first" or "second" may therefore explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with one another, but only where the combination can be realized by a person of ordinary skill in the art; where a combination of technical solutions is contradictory or cannot be realized, the combination shall be deemed not to exist and does not fall within the protection scope claimed by this application.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the technical field.
Specific examples are used herein to explain the principle and implementation of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, a person skilled in the art may, following the idea of the present application, make changes to the specific implementation and scope of application. In conclusion, the content of this specification shall not be construed as limiting the present application.

Claims (10)

1. An anti-scanning method based on a hash algorithm, characterized by comprising:
obtaining an access log recorded by a client;
counting, using a hash algorithm, the IP addresses in the access log and the access features of the IP addresses;
judging whether the access feature exhibits scanning behavior;
if so, determining the IP address to be a scanning IP address, and blocking the IP address.
2. The anti-scanning method based on a hash algorithm according to claim 1, characterized in that, before judging whether the access feature exhibits scanning behavior, the method further comprises:
judging whether the IP address is present in a first lock list, the first lock list being used to record IP addresses that are blocked;
if not, executing the step of judging whether the access feature exhibits scanning behavior.
3. The anti-scanning method based on a hash algorithm according to claim 2, characterized in that blocking the IP address comprises:
judging whether the IP address is present in a second lock list, the second lock list being used to record previously blocked IP addresses and the historical block count of each previously blocked IP address;
if so, calculating the current block duration from the historical block count of the IP address, and blocking the IP address for the current block duration;
if not, blocking the IP address for a default block duration.
4. The anti-scanning method based on a hash algorithm according to claim 3, characterized in that calculating the current block duration from the historical block count of the IP address comprises:
determining the product of the historical block count of the IP address and the default block duration as the current block duration.
5. The anti-scanning method based on a hash algorithm according to claim 3, characterized in that blocking the IP address for the default block duration comprises:
blocking the IP address at the network layer, and adding the IP address to the first lock list;
after the default block duration, deleting the IP address from the first lock list, adding the IP address to the second lock list, and updating the historical block count of the IP address in the second lock list.
6. The anti-scanning method based on a hash algorithm according to claim 1, characterized in that counting, using a hash algorithm, the IP addresses in the access log and the access features of the IP addresses comprises:
counting the IP addresses in the access log and the access features of the IP addresses by means of hash key-value pairs, and storing the IP addresses and the access features of the IP addresses in a Redis module in memory;
wherein the hash key-value pair includes at least: the access time of the IP address, the IP address and the corresponding value.
7. The anti-scanning method based on a hash algorithm according to any one of claims 1-6, characterized in that, after obtaining the access log recorded by the client, the method further comprises:
distributing the access log to a preset plurality of processes, so as to execute, in parallel using the plurality of processes, the steps of: counting, using a hash algorithm, the IP addresses in the access log and the access features of the IP addresses; judging whether the access feature exhibits scanning behavior; and if so, determining the IP address to be a scanning IP address and blocking the IP address.
8. An anti-scanning apparatus based on a hash algorithm, characterized by comprising:
an obtaining module, for obtaining an access log recorded by a client;
a statistics module, for counting, using a hash algorithm, the IP addresses in the access log and the access features of the IP addresses;
a judgment module, for judging whether the access feature exhibits scanning behavior;
a blocking module, for determining, when the access feature exhibits scanning behavior, the IP address to be a scanning IP address, and blocking the IP address.
9. An anti-scanning device based on a hash algorithm, characterized by comprising:
a memory, for storing a computer program;
a processor, for executing the computer program to implement the anti-scanning method based on a hash algorithm according to any one of claims 1 to 7.
10. A readable storage medium, characterized in that it is used to store a computer program, wherein the computer program, when executed by a processor, implements the anti-scanning method based on a hash algorithm according to any one of claims 1 to 7.
CN201910418482.5A 2019-05-20 2019-05-20 A kind of anti-scanning method and device based on hash algorithm Pending CN110138789A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910418482.5A CN110138789A (en) 2019-05-20 2019-05-20 A kind of anti-scanning method and device based on hash algorithm

Publications (1)

Publication Number Publication Date
CN110138789A true CN110138789A (en) 2019-08-16

Family

ID=67571521

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910418482.5A Pending CN110138789A (en) 2019-05-20 2019-05-20 A kind of anti-scanning method and device based on hash algorithm

Country Status (1)

Country Link
CN (1) CN110138789A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105939326A (en) * 2016-01-18 2016-09-14 杭州迪普科技有限公司 Message processing method and device
CN108259473A (en) * 2017-12-29 2018-07-06 西安交大捷普网络科技有限公司 Web server scan protection method
CN108549688A (en) * 2018-04-11 2018-09-18 上海达梦数据库有限公司 A kind of optimization method of data manipulation, device, equipment and storage medium
US20180351984A1 (en) * 2011-12-20 2018-12-06 International Business Machines Corporation Identifying requests that invalidate user sessions
CN108989294A (en) * 2018-06-28 2018-12-11 杭州安恒信息技术股份有限公司 A kind of method and system for the malicious user accurately identifying website visiting
CN109587117A (en) * 2018-11-09 2019-04-05 杭州安恒信息技术股份有限公司 A kind of anti-replay-attack method of the whole network udp port scanning

Similar Documents

Publication Publication Date Title
CN108494703B (en) Access frequency control method, device and storage medium
CN102915374B (en) A kind of method, Apparatus and system of resource access of controlling database
CN104978335B (en) Data access control method and device
CN108400963A (en) Electronic device, access request control method and computer readable storage medium
CN106981024B (en) Transaction limit calculation processing system and processing method thereof
CN102769549A (en) Network security monitoring method and device
CN104572727A (en) Data querying method and device
CN108829782B (en) Data table cleaning method, server and computer readable storage medium
US11003367B2 (en) Data storage, reading, and cleansing method and device, and cloud storage system
CN107273195A (en) A kind of batch processing method of big data, device and computer system
CN112364311A (en) Method and device for managing identity on block chain
CN108462687A (en) Method, apparatus, terminal device and the storage medium that anti-brush logs in
CN104639650A (en) Fine granularity distributive interface access control method and device
CN102609466A (en) Method and system for controlling shared memory
CN110471749A (en) Task processing method, device, computer readable storage medium and computer equipment
CN101562558A (en) Method, system and device for terminal grade classification
CN110515706A (en) A kind of request processing method, device, equipment and readable storage medium storing program for executing
CN101057219A (en) Method and system for local authority partitioning of client resources
CN112748867A (en) Method, electronic device and computer program product for storage management
CN102413201B (en) Processing method and equipment for domain name system (DNS) query request
CN104657216B (en) The resource allocation methods and device of a kind of resource pool
CN106650501A (en) Database access control method and apparatus
CN110138789A (en) A kind of anti-scanning method and device based on hash algorithm
CN109905407B (en) Management method, system, equipment and medium for accessing intranet based on VPN server
CN106656522A (en) Data calculation method and system of cross-data center

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190816
