CN113037841B - Protection method for providing distributed denial of attack - Google Patents
Protection method for providing distributed denial of attack Download PDFInfo
- Publication number
- CN113037841B CN113037841B CN202110251352.4A CN202110251352A CN113037841B CN 113037841 B CN113037841 B CN 113037841B CN 202110251352 A CN202110251352 A CN 202110251352A CN 113037841 B CN113037841 B CN 113037841B
- Authority
- CN
- China
- Prior art keywords
- target server
- address
- request
- confidence
- http request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 23
- 238000012795 verification Methods 0.000 claims description 29
- 230000000694 effects Effects 0.000 claims description 16
- 230000007774 longterm Effects 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 7
- 238000004364 calculation method Methods 0.000 claims description 6
- 230000001960 triggered effect Effects 0.000 claims description 4
- 238000009825 accumulation Methods 0.000 claims description 3
- 238000001514 detection method Methods 0.000 abstract description 8
- 230000002159 abnormal effect Effects 0.000 abstract description 2
- 241000287828 Gallus gallus Species 0.000 description 3
- 238000011156 evaluation Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 230000003247 decreasing effect Effects 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000004931 aggregating effect Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 235000013372 meat Nutrition 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a protection method for providing distributed denial of attack, which carries out quantitative scoring on an access IP (Internet protocol) through setting multiple protection rules, realizes accurate detection on an abnormal IP and effectively intercepts CC (challenge collapsar) attack.
Description
Technical Field
The invention relates to a protection method for providing distributed denial of attack, and belongs to the field of DDoS attack security.
Background
DDoS attacks are collectively called distributed denial of service, and the attack mode makes use of the network service function defects of a target system or directly consumes system resources thereof, so that the target system cannot provide normal services. An attacker performs denial of service attack, and actually enables a server to realize two effects: first, the server's buffer is forced to be full and no new requests are received; secondly, IP spoofing is used to force the server to reset the connection of the legal user, and the connection of the legal user is influenced. The CC attack is called Challenge Collapsar, belongs to an upgrading version of DDoS attack, and is characterized in that a large number of proxy servers or botnet networks are used for simulating normal users to access webpages, so that resources of the servers are exhausted. At present, the technology for detecting the CC attack is usually realized by a traffic statistic mode, the condition that the access traffic exceeds a threshold value is regarded as an attack behavior and is intercepted, however, high traffic and multi-user access are common characteristics of the CC attack and the current hot website, and therefore the real attack cannot be effectively detected only by the traffic statistic characteristics. Therefore, how to accurately and effectively protect against CC attacks is called a necessary security measure for WEB applications, especially for hot websites.
Disclosure of Invention
The invention provides a distributed attack denial protection method, which carries out quantitative scoring on an access IP through setting of multiple protection rules, realizes accurate detection on an abnormal IP and effectively intercepts a CC attack. The specific scheme is as follows:
step 1: receiving an HTTP request sent by a client;
step 2: analyzing the header information of the HTTP request;
and step 3: sending the analyzed information to a security component for verification, wherein the security component comprises multiple protection rules; the security component firstly checks whether the request is in an IP blacklist, and if the request is in the IP blacklist, the security component directly discards the request; if not, checking whether the request is in an IP white list, and if so, directly sending the HTTP request to a target server and responding; if not, further verification is performed.
And 4, step 4: and sending the HTTP request passing the verification to a target server, intercepting the HTTP request failing the verification, and recording a log.
Further, the process of establishing the multiple protection rules includes: recording the access times of each IP address, regularly calculating the confidence coefficient of the corresponding IP address by the system based on the condition of the access times of the IP address, establishing a corresponding trust level according to the confidence coefficient, and verifying the IP address according to different trust levels; wherein, the factors influencing the confidence include: the IP address sending request frequency, the possibility of the target server being attacked when the IP address accesses the target server, whether the last verification problem corresponding to the IP address passes the verification or not, the frequency of the IP address accessing the target server and the downloading flow per second.
Further, the trust level includes: suspicious trust, long-term trust, negative trust; adding the long-term trusted IP address into an IP white list, and adding the negative trusted IP address into an IP black list; the confidence level is updated with each confidence calculation, wherein the long-term confidence comprises the valid time, and the confidence calculation is restarted after the valid time is reached.
Further, for the authentication problem sent by the user sending the HTTP request corresponding to the IP address with the trust level being the suspicious trust level, the HTTP request passing the authentication is sent to the target server after the authentication is passed, and the HTTP request failing the authentication is intercepted and the log is recorded when the authentication is not passed.
Further, the process of establishing the multiple protection rules further includes: and calculating the average confidence of all IP addresses of the current access target server, and when the average confidence is smaller than a threshold value, considering that the target server is attacked by CC. Therefore, the system needs to collect the load condition of the target server in real time, and when the load of the target server is detected to exceed a preset value, the rule verification in the step 3 is triggered.
Further, the method also comprises the step 5: the target server receives the request and responds to the request. When detecting that the target server is attacked by the CC in the step 3, directly triggering the black hole effect, entering the step 5 to intercept the client request, so that the client cannot send the HTTP request to the target server within a period of time.
Further, the black hole effect can continuously intercept client requests according to user settings or default configurations.
Further, the system records the number of times of triggering the black hole effect by the client, and the duration of the black hole effect is gradually increased along with the accumulation of the number of times in unit time.
Has the advantages that:
according to the invention, through the steps, the confidence evaluation of the IP address is constructed based on the IP access condition, and the CC attack is detected by adopting two protection rules of the single confidence evaluation index and the average confidence evaluation index of the IP address, so that the normal high access amount and the CC attack to hot websites can be effectively distinguished, and the accuracy of DDoS attack detection of an application layer including the CC attack is improved.
Drawings
FIG. 1 is a flowchart illustrating the CC attack detection and protection;
FIGS. 2-3 are protection rule checking flow diagrams;
Detailed Description
In order to make the objects and technical solutions of the present invention more clear, embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
The CC attack is an attack mode which depends on an HTTP protocol, leads a server to keep a connection waiting state by constructing a special HTTP request until resources such as a server CPU, a memory, a connection number and the like are filled, thereby causing denial of service, and belongs to a typical application layer DDoS attack. Since CC attacks are typical application layer DDoS attacks, traditional security devices, such as firewalls, operator cleaning, and the like, are difficult to protect well.
Example 1:
aiming at the protection of the detection of the CC attack, the invention provides a multiple detection and protection scheme based on IP confidence coefficient, as shown in the attached figure 1, and the method for the detection and protection of the CC attack comprises the following steps:
step 1: receiving an HTTP request sent by a client;
step 2: analyzing the header information of the HTTP request;
and 3, step 3: sending the analyzed information to a security component for verification, wherein the security component comprises multiple protection rules;
and 4, step 4: and sending the HTTP request passing the verification to a target server, intercepting the HTTP request failing the verification, and recording a log.
Further, after receiving the HTTP request, checking whether the request is in an IP blacklist, if the request is in the blacklist, directly discarding the request, if the request is not in the blacklist, checking whether the request is in an IP whitelist, and if the request is in the whitelist, directly sending the HTTP request to a target server and responding.
In a practical network environment, the occurrence of a data flood may not be due to a malicious attack, and may be a "burst flow" resulting from a large number of legitimate users concurrently sending access requests to a target server. The sudden increase of the flow caused by multiple concurrent accesses of the legitimate users can also prevent the target server from timely and effectively processing the normal request of each user, and at this time, the client will show the situations of increased packet loss rate, slow access speed, even no access, etc., which is a common unavoidable phenomenon in the network, but actually no CC attack occurs.
The traditional anomaly detection technology cannot accurately distinguish sudden increase flow and CC attack flow, so that false alarm can be generated, once the false alarm is generated to trigger the protection rule of a defense system, the connection of a normal user can be automatically disconnected, and the normal access behavior of the user is influenced. This can have a serious impact on the normal access of legitimate users, and therefore needs to be treated differently from CC attacks.
As can be known from research and analysis on CC attack flows and burst flows, burst flows are often formed by aggregating access requests of normal users, most users sending access requests are old users, new users may only occupy a small portion, and the initiator of CC attacks often has a precedent attack or is a new user who never accesses the target server. Aiming at the characteristic, the invention establishes the confidence coefficient aiming at the IP address, and can help screen out legal users and illegal users according to the confidence coefficient.
When the confidence coefficient is calculated, the indexes needing to be collected comprise:
IP address transmission request frequency (average number of transmission requests per minute): normally, the average number of requests sent per minute is below a threshold, and if the requests are sent too frequently, then a CC attack is likely.
Possibility of target server being attacked when IP address accesses target server: the number of times the server has been attacked marked/total number of accesses during the last week of access. The numerical value can intuitively reflect the direct correlation between the IP address and CC attack, and if the ratio is high, the IP is always accessed when the server is attacked, so that the attack is very suspicious.
Whether the last verification question verified: if the IP address triggers the verification problem and passes the verification or not when being accessed for the last time, whether the IP address is accessed normally or not in the near future can be reflected. The index mainly aims at the fact that the broiler chicken attacked by the CC before is taken as the 'broiler chicken' and is restored to the IP address of the normal user after being cleaned, and the confidence coefficient of the IP address is improved to help the user to normally access the target server.
Frequency of IP address access to destination server: the number of times the IP address has accessed the target server in the last month can objectively reflect whether the IP is an old user who often accesses the server. If the IP address is an old user who frequently accesses the target server, the corresponding confidence score will be higher accordingly.
Download traffic per second: the index can reflect the consumption degree of the IP to the network bandwidth and serve as a reference index for judging CC attack. If the download traffic per second far exceeds the size at normal access, the confidence of the IP is reduced accordingly.
The 5 scoring indexes cover common attack methods in CC attack and access recording habits of users, the distinguishing degrees of different indexes for judging CC attack are different, different weighted values are set according to the distinguishing degrees of the 5 scoring indexes for CC attack, and the specific setting of the index weighted values can be carried out by adopting the existing analytic hierarchy process and the like in the prior art, so that the method is not further described. The method for calculating the confidence according to the above scoring index may be a weighted sum or the like.
The process of establishing the protection rule in the step 3 comprises the following steps: and calculating respective confidence degrees for the IP addresses based on the 5 indexes and the respective weight values, and establishing corresponding trust levels according to the confidence degrees. The trust level includes: suspicious trust, long-term trust, negative trust; adding the long-term trusted IP address into an IP white list, and adding the negative trusted IP address into an IP black list; the confidence level is updated with each confidence calculation, wherein the long-term confidence comprises the valid time, and the confidence calculation is restarted after the valid time is reached.
As shown in fig. 2, the process of verifying by the security component in the specific step 3 includes sending a verification problem to a user sending an HTTP request corresponding to an IP address with a suspicious trust level, sending the HTTP request passing the verification to the target server after the verification passes, and intercepting the HTTP request failing the verification and recording a log when the verification fails.
Example 2:
in order to further effectively detect the CC attack, on the basis of the first embodiment, it may be determined whether the current server is in a situation where multiple normal users access concurrently or may be suffering from the CC attack according to a change situation of the access request of the target server.
Based on the access habit of the user, under normal conditions, the ratio of old users and new users accessing a certain target server is usually stable at a certain value, and even if the access amount is suddenly increased due to multiple concurrent users, the ratio does not change obviously. That is, the average confidence of the IP accessing the target server under normal conditions does not fluctuate much. However, when CC attack occurs, a great number of "meat chicken" will appear, the duty of old users will be seriously decreased, or IP addresses with low confidence will appear in a great number, which results in that the average confidence of the IP addresses accessing the target server will be decreased, causing the fluctuation of the average confidence. Therefore, in the present embodiment, whether a CC attack may be currently generated may be determined according to the fluctuation condition of the average confidence.
On the basis of example 1, assuming that all IP confidences have been stored in the database, firstly, reading and numbering a client IP connected with a server to obtain an IP ADDRESS set of ADDRESS = { Add = (ADDRESS) } 1 ,Add 2 ,…,Add N N representing the total number of clients currently connected to the server, addN representing the IP address numbered N, stores the elements of the set in an array ADD N]={ADD[0],ADD[1],…,ADD[N-1]In (c) }. The ADD [ N ]]The average of all elements represents the current system state, and a reasonable threshold is determined by observing the average of the normal case and the fluctuation case of the server access user. When the average value is smaller than the threshold value, the server can be judged to be under CC attack at the moment, the CC defense system is started in time, and when the average value is larger than the threshold value, the server is considered to be in burst flow at the moment.
Therefore, the scheme related to the embodiment comprises the following steps:
step 1: and receiving an HTTP request sent by a client.
Step 2: and resolving the header information of the HTTP request.
And step 3: the parsed information is sent to a security component for validation, wherein the security component contains multiple protection rules.
And 4, step 4: and sending the HTTP request passing the verification to a target server, intercepting the HTTP request failing the verification, and recording a log.
As shown in fig. 3, on the basis of the scheme disclosed in embodiment 1, the multiple protection rules in step 3 further include:
and (3) calculating the average confidence of all IP addresses of the current access target server, and when the average confidence is smaller than a threshold value, determining that the target server is attacked by CC (challenge collapsar), triggering a black hole effect and skipping to the step 5, so that the client cannot send the HTTP request to the target server within a period of time.
Specifically, the system detects the load condition of the target server in real time, and when detecting that the load of the target server exceeds a preset value, triggers the rule verification in step 3. That is, when the number of the HTTP requests sent to the target server is detected to be too large, a verification rule of the average confidence level of the IP address is entered, when the target server is considered to be attacked by CC, a black hole effect is directly triggered, and the step 5 is entered for intercepting the client request.
And 5: the target server receives the request and responds to the request.
Specifically, the black hole effect may be configured according to a user setting or a default configuration to continuously intercept the client request. When the target server modifies the protection rule or the black hole effect duration is reached, the black hole state is cancelled, and the client intercepted before the black hole state is requested successfully again. When the client side which cancels the black hole effect triggers the protection strategy threshold value again, the client side can still be intercepted again, the black hole effect is triggered again, and the duration of the black hole effect is gradually increased along with the accumulation of times in the unit period. Therefore, the high-frequency illegal requests can be intelligently intercepted, the efficiency of normal service requests is improved, and the usability of the server is ensured.
Finally, it should be noted that: it should be understood that the above examples are only for clearly illustrating the present application and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. And obvious variations or modifications of this type are intended to be covered by the present invention.
Claims (5)
1. A method of providing protection against distributed denial of attack, the method comprising the steps of:
step 1: receiving an HTTP request sent by a client;
step 2: analyzing header information of the HTTP request;
and step 3: sending the analyzed information to a security component for verification, wherein the security component comprises multiple protection rules; the affiliated security component firstly checks whether the request is in an IP blacklist, and if the request is in the IP blacklist, the request is directly discarded; if not, checking whether the request is in an IP white list, and if so, directly sending the HTTP request to a target server and responding; if not, further verification is carried out;
and 4, step 4: the HTTP request passing the verification is sent to a target server, the HTTP request failing the verification is intercepted, and a log is recorded;
the process of establishing the multiple protection rules comprises the steps of recording the access times of each IP address, calculating the confidence coefficient of the corresponding IP address by the system periodically based on the condition of the access times of the IP address, and establishing a corresponding trust level according to the confidence coefficient, wherein the trust level comprises the following steps: suspicious trust, long-term trust, negative trust; verifying the IP address according to different trust levels; adding the long-term trusted IP address into an IP white list, and adding the negative trusted IP address into an IP black list; the confidence level is updated along with each confidence calculation, wherein the long-term confidence comprises effective time, and the confidence calculation is restarted after the effective time is reached;
the factors influencing the confidence coefficient are extracted based on the characteristics of the distributed denial of attack and the access recording habits of the user, and comprise the following steps: the IP address sending request frequency, the possibility of the target server being attacked when the IP address accesses the target server, whether the last verification problem corresponding to the IP address passes the verification or not, the frequency of the IP address accessing the target server and the downloading flow per second;
the process of establishing the multiple protection rules further comprises: calculating the average confidence of all IP addresses of the current access target server, and when the average confidence is smaller than a threshold value, considering that the target server is attacked by CC; therefore, the system needs to collect the load condition of the target server in real time, and when the load of the target server is detected to exceed a preset value, the rule verification in the step 3 is triggered.
2. The shielding method according to claim 1, characterized in that: and for the authentication problem sent by the user sending the HTTP request corresponding to the IP address with the trust level being the suspicious trust level, after the authentication is passed, the HTTP request passing the authentication is sent to the target server, and when the authentication is not passed, the HTTP request failing the authentication is intercepted, and the log is recorded.
3. The shielding method according to claim 1, characterized in that: further comprising the step 5: the target server receives the request and responds to the request; when detecting that the target server is attacked by CC (challenge collapsar) in the step 3, directly triggering a black hole effect, and entering the step 5 to intercept the client request, so that the client cannot send the HTTP request to the target server within a period of time.
4. A method of safeguarding according to claim 3, characterized in that: the black hole effect can continuously intercept client requests according to user settings or default configurations.
5. The shielding method according to claim 4, wherein: the system records the times of triggering the black hole effect by the client, and the duration of the black hole effect is gradually increased along with the accumulation of the times in unit time.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110251352.4A CN113037841B (en) | 2021-03-08 | 2021-03-08 | Protection method for providing distributed denial of attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110251352.4A CN113037841B (en) | 2021-03-08 | 2021-03-08 | Protection method for providing distributed denial of attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113037841A CN113037841A (en) | 2021-06-25 |
| CN113037841B true CN113037841B (en) | 2022-10-14 |
Family
ID=76466960
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110251352.4A Active CN113037841B (en) | 2021-03-08 | 2021-03-08 | Protection method for providing distributed denial of attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113037841B (en) |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2017218031A1 (en) * | 2016-06-16 | 2017-12-21 | Level 3 Communications, Llc | Systems and methods for preventing denial of service attacks utilizing a proxy server |
| CN106789983B (en) * | 2016-12-08 | 2019-09-06 | 北京安普诺信息技术有限公司 | A kind of CC attack defense method and its system of defense |
| CN107295017A (en) * | 2017-08-10 | 2017-10-24 | 四川长虹电器股份有限公司 | CC means of defences based on user authentication |
| CN110858831B (en) * | 2018-08-22 | 2022-07-29 | 阿里巴巴集团控股有限公司 | Safety protection method and device and safety protection equipment |
| CN110808967B (en) * | 2019-10-24 | 2022-04-08 | 新华三信息安全技术有限公司 | Detection method for challenging black hole attack and related device |
| CN111327615A (en) * | 2020-02-21 | 2020-06-23 | 浙江德迅网络安全技术有限公司 | CC attack protection method and system |
-
2021
- 2021-03-08 CN CN202110251352.4A patent/CN113037841B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN113037841A (en) | 2021-06-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109951500B (en) | Network attack detection method and device | |
| US7478429B2 (en) | Network overload detection and mitigation system and method | |
| KR101077135B1 (en) | Apparatus for detecting and filtering application layer DDoS Attack of web service | |
| Yatagai et al. | Detection of HTTP-GET flood attack based on analysis of page access behavior | |
| KR101061375B1 (en) | JR type based DDoS attack detection and response device | |
| US20130031625A1 (en) | Cyber threat prior prediction apparatus and method | |
| Sivabalan et al. | A novel framework to detect and block DDoS attack at the application layer | |
| JP2019021294A (en) | SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS | |
| KR100973076B1 (en) | System for depending against distributed denial of service attack and method therefor | |
| KR101538374B1 (en) | Cyber threat prior prediction apparatus and method | |
| US10171492B2 (en) | Denial-of-service (DoS) mitigation based on health of protected network device | |
| JP6106861B1 (en) | Network security device, security system, network security method, and program | |
| KR101072981B1 (en) | Protection system against DDoS | |
| KR20200109875A (en) | Harmful ip determining method | |
| EP2112800B1 (en) | Method and system for enhanced recognition of attacks to computer systems | |
| US10757118B2 (en) | Method of aiding the detection of infection of a terminal by malware | |
| CN113037841B (en) | Protection method for providing distributed denial of attack | |
| Rajesh | Protection from application layer DDoS attacks for popular websites | |
| KR101231966B1 (en) | Server obstacle protecting system and method | |
| Xi et al. | Quantitative threat situation assessment based on alert verification | |
| EP1751651B1 (en) | Method and systems for computer security | |
| CN115622754B (en) | Method, system and device for detecting and preventing MQTT loopholes | |
| KR102401661B1 (en) | SYSTEM OF DETECTION AND DEFENSING AGAINST DDoS ATTACK AND METHOD THEREOF | |
| CN116865983A (en) | Attack detection method and network security device | |
| Kim et al. | Rule-based defense mechanism against distributed denial-of-service attacks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20220919 Address after: 350001 8th floor, block B, yinjiangshan, No. 528, Xihong Road, Gulou District, Fuzhou City, Fujian Province Applicant after: Xiamen Biebeyun Co.,Ltd. Address before: 3791, 3rd floor, building 6, 15 guangximen Beili, Chaoyang District, Beijing Applicant before: Beijing reliable spectrum cloud Technology Co.,Ltd. Applicant before: Xiamen Biebeyun Co.,Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 361000 3F-A317, Zone C, Innovation Building, Software Park, Torch High tech Zone, Xiamen City, Fujian Province Patentee after: Fujian Reliable Cloud Computing Technology Co.,Ltd. Country or region after: China Address before: 350001 8th floor, block B, yinjiangshan, No. 528, Xihong Road, Gulou District, Fuzhou City, Fujian Province Patentee before: Xiamen Biebeyun Co.,Ltd. Country or region before: China |