CN113489739B - CDN-based service stability method and device for resisting DDoS attack - Google Patents

Publication number: CN113489739B
Authority: CN (China)
Prior art keywords: domain name, address, configuration, current service, request
Legal status: Active
Application number: CN202110805639.7A
Other languages: Chinese (zh)
Other versions: CN113489739A
Inventors: 肖铮, 徐辉, 陈树华
Current Assignee: Beijing Dingxiang Technology Co ltd
Original Assignee: Beijing Dingxiang Technology Co ltd
Priority to CN202110805639.7A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L61/3015 Name registration, generation or assignment
    • H04L61/3025 Domain name generation or assignment

Abstract

The invention provides a CDN-based service stability method and device for resisting DDoS attacks, relating to the technical field of network security. The method comprises: first, sending a configuration request to a CDN interface based on information that the current service request has failed; then sending the configuration request to an Nginx server through the CDN interface and requesting a domain name configuration policy from a service monitoring alarm system, the domain name configuration policy including a plurality of standby addresses; if the address of the current service request satisfies the domain name configuration policy, switching the address of the current service request to a standby address; and resending the current service request based on the standby address to complete the service flow of the current service request. The method alleviates the technical problems in the prior art that DDoS attacks make services unavailable and affect service stability, and improves the attack resistance and availability of the service.

Description

CDN-based service stability method and device for resisting DDoS attack
Technical Field
The invention relates to the technical field of network security, in particular to a CDN-based service stability method and device for resisting DDoS attack.
Background
A distributed denial of service (DDoS) attack is a distributed, coordinated, large-scale attack that mainly takes two forms. One is a traffic attack, which targets network bandwidth: a large number of attack packets congest the network, so that legitimate packets are drowned out by bogus attack packets and cannot reach the host. The other is a resource exhaustion attack, which targets the server host: a large number of attack packets exhaust the host's memory or leave the CPU fully occupied by the kernel and applications, so that network service cannot be provided. Either form of attack greatly affects the service stability of a business system.
At present, many defense technologies and related devices resist DDoS attacks by refusing to provide service, but DDoS attacks that are not successfully resisted still damage the network, so that services become unavailable, service stability is affected, and larger losses are caused.
Disclosure of Invention
The invention aims to provide a CDN-based service stability method and device for resisting DDoS attack, which are used for solving the technical problems that service is unavailable and service stability is affected due to DDoS attack in the prior art.
In order to achieve the above object, the technical scheme adopted by the embodiment of the invention is as follows:
In a first aspect, an embodiment of the present invention provides a CDN-based service stability method for resisting DDoS attacks, where the method includes: sending a configuration request to a CDN interface based on information that the current service request has failed; sending the configuration request to an Nginx server through the CDN interface, and requesting a domain name configuration policy from a service monitoring alarm system, the domain name configuration policy comprising a plurality of standby addresses; if the address of the current service request satisfies the domain name configuration policy, switching the address of the current service request to the standby address; and resending the current service request based on the standby address to complete the service flow of the current service request.
In some possible embodiments, the domain name configuration policy includes a domain name degradation policy and a domain name switching policy; and the step of switching the address of the current service request to the standby address if the address of the current service request satisfies the domain name configuration policy includes: if the address of the current service request satisfies the domain name switching policy, switching the address of the current service request to the standby address.
In some possible embodiments, the above method further comprises: if the current service request resent based on the standby address fails and the address of the current service request satisfies the domain name degradation policy, degrading the address of the current service request to the standby address and executing the service flow of the service corresponding to the standby address.
In some possible embodiments, the step of sending the configuration request to the Nginx server through the CDN interface and requesting the domain name configuration policy from the service monitoring alarm system includes: sending the configuration request to the Nginx server through the CDN interface; and the Nginx server requesting the domain name configuration policy from the service monitoring alarm system through a domain name configuration policy interface.
In some possible embodiments, after the step of sending the configuration request to the Nginx server through the CDN interface and requesting the domain name configuration policy from the service monitoring alarm system, the method further includes: the service monitoring alarm system sends the domain name configuration policy to the Nginx server through the domain name configuration policy interface; the Nginx server forwards the domain name configuration policy to the CDN interface; and the CDN interface receives the domain name configuration policy and judges whether the address of the current service request satisfies it.
In some possible embodiments, after the step of sending the configuration request to the Nginx server through the CDN interface and requesting the domain name configuration policy from the service monitoring alarm system, the method further includes: the service monitoring alarm system sends a domain name configuration policy file to the Nginx server; the Nginx server forwards the domain name configuration policy file to the CDN interface; and the CDN interface receives the domain name configuration policy file and judges whether the address of the current service request satisfies the domain name configuration policy.
In some possible embodiments, the method further comprises: if the address of the current service request does not satisfy the domain name configuration policy, returning the current service request to the request-failure service flow.
In a second aspect, an embodiment of the present invention provides a CDN-based service stability device for resisting DDoS attacks, where the device includes: a sending module, configured to send a configuration request to the CDN interface based on information that the current service request has failed; a request module, configured to send the configuration request to the Nginx server through the CDN interface and request a domain name configuration policy from the service monitoring alarm system, the domain name configuration policy comprising a plurality of standby addresses; a switching module, configured to switch the address of the current service request to the standby address if the address of the current service request satisfies the domain name configuration policy; and an execution module, configured to resend the current service request based on the standby address so as to complete the service flow of the current service request.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, and a processor, where the memory stores a computer program executable on the processor, and the processor implements the steps of the method according to any one of the first aspects when the processor executes the computer program.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to perform the method of any one of the first aspects.
The invention provides a CDN-based service stability method and device for resisting DDoS attacks, wherein the method comprises: first, sending a configuration request to a CDN interface based on information that the current service request has failed; then sending the configuration request to an Nginx server through the CDN interface and requesting a domain name configuration policy from a service monitoring alarm system, the domain name configuration policy including a plurality of standby addresses; if the address of the current service request satisfies the domain name configuration policy, switching the address of the current service request to a standby address; and resending the current service request based on the standby address to complete the service flow of the current service request. The method combines the CDN's ability to withstand high-traffic access with domain name switching or degradation of the service under DDoS attack, so as to solve the technical problems in the prior art that DDoS attacks make services unavailable and affect service stability, and to improve the attack resistance and availability of the service.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a method for service stability against DDoS attack based on CDN according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a service stability system for resisting DDoS attack based on CDN according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a service stability device for resisting DDoS attack based on CDN according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The content delivery network (Content Delivery Network, CDN) is an intelligent virtual network constructed on the basis of the existing network, and by means of the edge servers deployed in various places, users can obtain required content nearby through load balancing, content delivery, scheduling and other functional modules of the center platform, network congestion is reduced, and user access response speed and hit rate are improved. The CDN can redirect the user's request to the service node nearest to the user in real time according to the network flow, the connection of each node, the load condition, the distance to the user, the response time and other comprehensive information, and the purpose is to select the node relatively nearer to the user to send the content required by the user to the user, thereby relieving the network congestion condition and improving the response speed of the website.
Web service systems are easily targeted by DDoS attacks. Many defense technologies and related devices currently resist DDoS attacks by refusing to provide service, but DDoS attacks that are not successfully resisted still damage the network, so that services become unavailable, service stability is affected, and large losses are caused.
Based on the above, the embodiment of the invention provides a method and a device for resisting DDoS attack service stability based on CDN, so as to solve the technical problems in the prior art that service is unavailable and service stability is affected due to DDoS attack.
For ease of understanding, the CDN-based service stability method for resisting DDoS attacks disclosed in this embodiment is first described in detail. Referring to the flow diagram of the method shown in Fig. 1, the method may be applied to the system shown in Fig. 2.
Generally, a successful service request response includes: firstly, a server receives a service request sent by a client; if the request is successful, the server returns response content to the client; the client then enters the corresponding business process based on the response content. The service request may be any HTTP service request, for example: acquire resources, delete resources, submit data, and so forth.
If the system is under DDoS attack and the request fails, the server does not return response content to the client, and the client directly enters the corresponding business flow based on the request-failure result. That is, the DDoS attack makes the service unavailable and affects service stability.
A request failure may be any of the following: the request times out (i.e., no response is returned within a specified time), the returned data is erroneous, or no data is returned. Any of these situations prevents the service logic from continuing, so a new domain name can be looked up through the CDN.
The embodiment of the application provides a CDN-based service stability method for resisting DDoS attacks, which mainly comprises the following steps S110 to S140:
S110: sending a configuration request to a CDN interface based on information that the current service request has failed;
S120: sending the configuration request to an Nginx server through the CDN interface, and requesting a domain name configuration policy from a service monitoring alarm system; the domain name configuration policy includes a plurality of standby addresses;
Here, Nginx (engine x) is a high-performance HTTP and reverse-proxy web server.
S130: if the address of the current service request satisfies the domain name configuration policy, switching the address of the current service request to a standby address;
S140: resending the current service request based on the standby address to complete the service flow of the current service request.
In one embodiment, the step S120 includes:
Step (1): sending the configuration request to the Nginx server through the CDN interface;
Step (2): the Nginx server requests the domain name configuration policy from the service monitoring alarm system through a domain name configuration policy interface.
The service monitoring alarm system may be a system that monitors request failures occurring for the current domain name on the client, and can generally be implemented by monitoring service logs.
When the domain name configuration policy is provided as an interface, the interface can be updated through the service monitoring alarm system, thereby updating the policy; the domain name configuration policy may also be a response file preconfigured by the service monitoring alarm system.
As a specific example, the above method may further include: first, the service monitoring alarm system sends the domain name configuration policy to the Nginx server through the domain name configuration policy interface; then the Nginx server forwards the domain name configuration policy to the CDN interface; and then the CDN interface receives the domain name configuration policy and judges whether the address of the current service request satisfies it.
Alternatively, as a specific example, the method may further include: first, the service monitoring alarm system sends a domain name configuration policy file to the Nginx server; then the Nginx server forwards the domain name configuration policy file to the CDN interface; and then the CDN interface receives the domain name configuration policy file and judges whether the address of the current service request satisfies the domain name configuration policy.
If the address of the current service request satisfies the domain name configuration policy, step S130 is executed next; if it does not, the current service request is returned to the request-failure service flow.
The domain name configuration policy may include a domain name degradation policy and a domain name switching policy. In one embodiment, the step S130 includes:
Step (1): if the address of the current service request satisfies the domain name switching policy, switching the address of the current service request to a standby address.
Step (2): if the current service request resent based on the standby address fails and the address of the current service request satisfies the domain name degradation policy, the address of the current service request is degraded to the standby address, and the service flow of the service corresponding to the standby address is executed.
That is, when the current service request fails, the domain name switching configuration can be obtained by requesting the CDN interface, and the request can then be resent to the server under another standby domain name, so that a response can still be obtained. If the resent request still fails, or the address of the current service request does not satisfy the domain name switching policy, the local policy may be executed and an empty or degraded response returned directly, so as to ensure that the service flow is not blocked.
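The flow of steps S110 to S140, including the degradation step and the fallback to the local policy, as a client-side sketch in Python. This is an added example, not code from the patent: the policy layout (`switch` and `degrade` maps), the `transport` and `fetch_policy` callables, the host names and the pinned-suffix allowlist are all assumptions. The allowlist is an added safeguard, since the fetched policy decides where the client sends its traffic.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample policy. The page only says the policy carries several
# standby addresses plus switching and degradation policies; this layout and
# every host name below are hypothetical.
SAMPLE_POLICY = {
    "switch": {"api.example.com": ["untrusted.example.org", "api-b.example.net"]},
    "degrade": {"api.example.com": "lite.example.net"},
}
# Assumption: suffixes compiled into the client; standby hosts must fall under them.
PINNED_SUFFIXES = ("example.com", "example.net")


class RequestFailed(Exception):
    """Timeout, erroneous data or no data: the failure cases the text lists."""


@dataclass
class Outcome:
    path: str             # "primary", "switched", "degraded" or "local"
    url: Optional[str]    # URL that answered, None for the local policy
    body: Optional[str]   # response content, None for the empty local response


def host_allowed(host, suffixes=PINNED_SUFFIXES):
    host = str(host).lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def clean_policy(doc, suffixes=PINNED_SUFFIXES):
    """Drop standby hosts outside the pinned suffixes (added safeguard)."""
    if not isinstance(doc, dict):
        raise ValueError("policy must be a mapping")
    switch = {src: [h for h in hosts if host_allowed(h, suffixes)]
              for src, hosts in doc.get("switch", {}).items()}
    degrade = {src: h for src, h in doc.get("degrade", {}).items()
               if host_allowed(h, suffixes)}
    return switch, degrade


def with_host(url, host):
    """Same scheme, path and query, different host."""
    return urlsplit(url)._replace(netloc=host).geturl()


def request_with_failover(url, transport, fetch_policy, suffixes=PINNED_SUFFIXES):
    """transport(url) returns a body or raises RequestFailed;
    fetch_policy() returns the policy document obtained via the CDN interface."""
    local = Outcome("local", None, None)    # local policy: empty response
    try:
        return Outcome("primary", url, transport(url))
    except RequestFailed:
        pass
    # S110/S120: the request failed, so ask the CDN interface for the policy.
    try:
        switch, degrade = clean_policy(fetch_policy(), suffixes)
    except (RequestFailed, ValueError):
        return local
    host = urlsplit(url).hostname
    standbys = switch.get(host, [])
    if not standbys:                        # address does not meet the switching policy
        return local
    # S130/S140: switch to a standby address and resend.
    for standby in standbys:
        alt = with_host(url, standby)
        try:
            return Outcome("switched", alt, transport(alt))
        except RequestFailed:
            continue
    # Resend failed: degrade if the degradation policy covers this address.
    if host in degrade:
        alt = with_host(url, degrade[host])
        try:
            return Outcome("degraded", alt, transport(alt))
        except RequestFailed:
            pass
    return local


if __name__ == "__main__":
    down = {"api.example.com"}              # constructed outage

    def transport(url):
        if urlsplit(url).hostname in down:
            raise RequestFailed(url)
        return "ok"

    print(request_with_failover("https://api.example.com/v1/items?id=7",
                                transport, lambda: SAMPLE_POLICY))
```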
The CDN-based service stability method for resisting DDoS attacks described above combines active service degradation and domain name switching with the CDN's ability to withstand high-traffic access. Under DDoS attack, the service is actively degraded or its domain name is switched, so that the attack is bypassed, the ability to actively resist DDoS attacks is improved, the availability of the service while under attack is improved, and service stability is improved as a whole. The time for which the service is unavailable under DDoS attack can be effectively reduced, user experience is improved, and the attack resistance and availability of the service are significantly improved.
The embodiment of the invention provides a service stability device for resisting DDoS attack based on CDN, referring to fig. 3, the device comprises:
a sending module 310, configured to send a configuration request to the CDN interface based on information that the current service request fails;
the request module 320 is configured to send the configuration request to the Nginx server through the CDN interface, and request a domain name configuration policy from the service monitoring alarm system; the domain name configuration policy includes a plurality of standby addresses;
a switching module 330, configured to switch the address of the current service request to a standby address if the address of the current service request meets the configured domain name policy;
and the execution module 340 is configured to resend the current service request based on the standby address, so as to complete the service flow of the current service request.
The service stability device for resisting DDoS attack based on CDN provided in the embodiments of the present application may be specific hardware on a device or software or firmware installed on a device. The device provided in the embodiments of the present application has the same implementation principle and technical effects as those of the foregoing method embodiments, and for a brief description, reference may be made to corresponding matters in the foregoing method embodiments where the device embodiment section is not mentioned. It will be clear to those skilled in the art that, for convenience and brevity, the specific operation of the system, apparatus and unit described above may refer to the corresponding process in the above method embodiment, which is not described in detail herein. The service stability device for resisting DDoS attack based on CDN provided by the embodiment of the application has the same technical characteristics as the service stability method for resisting DDoS attack based on CDN provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
The embodiment of the application also provides electronic equipment, which specifically comprises a processor and a storage device; the storage means has stored thereon a computer program which, when executed by the processor, performs the method of any of the embodiments described above.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application, where the electronic device 400 includes: a processor 40, a memory 41, a bus 42 and a communication interface 43, the processor 40, the communication interface 43 and the memory 41 being connected by the bus 42; the processor 40 is arranged to execute executable modules, such as computer programs, stored in the memory 41.
The memory 41 may include a high-speed random access memory (Random Access Memory, RAM), and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between the system network element and at least one other network element is achieved via at least one communication interface 43 (which may be wired or wireless), and may use the internet, a wide area network, a local network, a metropolitan area network, etc.
Bus 42 may be an ISA bus, a PCI bus, an EISA bus, or the like. The buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, only one bi-directional arrow is shown in FIG. 4, but not only one bus or type of bus.
The memory 41 is configured to store a program, and the processor 40 executes the program after receiving an execution instruction, and the method executed by the apparatus for flow defining disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 40 or implemented by the processor 40.
The processor 40 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or instructions in software in processor 40. The processor 40 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but may also be a digital signal processor (Digital Signal Processing, DSP for short), application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), off-the-shelf programmable gate array (Field-Programmable Gate Array, FPGA for short), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory 41 and the processor 40 reads the information in the memory 41 and in combination with its hardware performs the steps of the method described above.
Corresponding to the above method, the embodiments of the present application also provide a computer readable storage medium storing machine executable instructions, which when invoked and executed by a processor, cause the processor to execute the steps of the above method.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments provided in the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, an electronic device, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
It should be noted that: like reference numerals and letters in the various figures refer to like items and, thus, once an item is defined in one figure, no further definition or explanation of that in the subsequent figure is necessary, and furthermore, the terms "first," "second," "third," etc. are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (8)

1. The service stability method for resisting DDoS attack based on CDN is characterized by comprising the following steps:
based on the information of failure of the current service request, sending a configuration request to a CDN interface;
the configuration request is sent to an Nginx server through the CDN interface, and a configuration domain name policy is requested from a service monitoring alarm system; the configuration domain name policy includes a plurality of standby addresses;
if the address of the current service request meets the configuration domain name policy, switching the address of the current service request to the standby address;
resending the current service request based on the standby address to complete the service flow of the current service request;
the configuration domain name policy includes: configuring a domain name degradation strategy and a domain name switching strategy;
and if the address of the current service request meets the configuration domain name policy, switching the address of the current service request to the standby address, wherein the step comprises the following steps:
if the address of the current service request meets the configuration domain name switching strategy, switching the address of the current service request to the standby address;
if the current service request resent based on the standby address is a request failure, executing a local strategy and directly returning an empty or degraded response;
if the current service request resent based on the standby address is a request failure and the address of the current service request meets the configuration domain name degradation policy, degrading the address of the current service request to the standby address and executing a service flow of a service corresponding to the standby address;
and if the address of the current service request does not meet the configuration domain name switching strategy, executing the local strategy, and directly returning a null or degraded response.
2. The DDoS attack resistant service stability method of claim 1, wherein the step of sending the configuration request to an Nginx server through the CDN interface and requesting a configuration domain name policy from a service monitoring alarm system comprises:
sending a configuration request to an Nginx server through the CDN interface;
and the Nginx server requests the service monitoring alarm system for configuring the domain name strategy through a domain name strategy configuration interface.
3. The DDoS attack resistant service stability method according to claim 2, wherein after the step of sending the configuration request to the Nginx server through the CDN interface and requesting the configuration domain name policy from the service monitoring alarm system, the method further comprises:
the service monitoring alarm system sends the configuration domain name strategy to the Nginx server through the configuration domain name strategy interface;
the Nginx server forwards the configuration domain name strategy to the CDN interface;
and the CDN interface receives the configuration domain name strategy and judges whether the address of the current service request meets the configuration domain name strategy.
4. The DDoS attack resistant service stability method of claim 1, wherein after the step of sending the configuration request to an Nginx server through the CDN interface and requesting a configuration domain name policy from a service monitoring alarm system, the method further comprises:
the service monitoring alarm system sends a configuration domain name policy file to the Nginx server;
the Nginx server forwards the configuration domain name policy file to the CDN interface;
and the CDN interface receives the configuration domain name policy file and judges whether the address of the current service request meets the configuration domain name policy.
5. The CDN-based traffic stability method against DDoS attacks of claim 1, further comprising:
and if the address of the current service request does not meet the configuration domain name policy, returning the current service request to the service flow with failed request.
6. A CDN-based traffic stability device for combating DDoS attacks, comprising:
the sending module is used for sending a configuration request to the CDN interface based on the information of failure of the current service request;
the request module is used for sending the configuration request to an Nginx server through the CDN interface and requesting the configuration domain name policy from a service monitoring alarm system; the configuration domain name policy includes a plurality of standby addresses;
a switching module, configured to switch the address of the current service request to the standby address if the address of the current service request meets the configured domain name policy;
the execution module is used for resending the current service request based on the standby address so as to complete the service flow of the current service request;
the configuration domain name policy includes: configuring a domain name degradation strategy and a domain name switching strategy; the switching module is further configured to: if the address of the current service request meets the configuration domain name switching strategy, switching the address of the current service request to the standby address;
the execution module is further configured to: if the current service request resent based on the standby address is a request failure, executing a local strategy and directly returning an empty or degraded response; if the current service request resent based on the standby address is a request failure and the address of the current service request meets the configuration domain name degradation policy, degrading the address of the current service request to the standby address and executing a service flow of a service corresponding to the standby address; and if the address of the current service request does not meet the configuration domain name switching strategy, executing the local strategy, and directly returning a null or degraded response.
7. An electronic device comprising a memory, a processor, the memory having stored therein a computer program executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method of any of the preceding claims 1 to 5.
8. A computer readable storage medium storing machine executable instructions which, when invoked and executed by a processor, cause the processor to perform the method of any one of claims 1 to 5.
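The recovery flow of claim 1, as an added Python example that is not part of the patent or the assignee's code. All names and hosts are hypothetical; it assumes that on a failed resend the degradation policy is consulted before the local policy, and it adds a pinned-suffix check on standby hosts (not in the claims) so a tampered policy cannot redirect traffic.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumption (not in the claims): standby hosts must fall under suffixes pinned
# in the client, so a tampered policy cannot redirect traffic elsewhere.
PINNED_SUFFIXES = (".example-cdn.test",)
LOCAL_RESPONSE = {"degraded": True, "body": None}  # the "empty or degraded" local reply

@dataclass
class DomainPolicy:
    switch: dict = field(default_factory=dict)   # host -> ordered standby hosts
    degrade: dict = field(default_factory=dict)  # host -> host of a reduced service

def trusted(host: str) -> bool:
    return host.endswith(PINNED_SUFFIXES)

def recover(host: str, path: str,
            send: Callable[[str, str], Optional[dict]],
            fetch_policy: Callable[[], Optional[DomainPolicy]]):
    """Run after the request to `host` failed; returns (outcome, response)."""
    try:
        policy = fetch_policy()          # CDN interface -> Nginx -> monitoring system
    except OSError:
        policy = None                    # policy path may be down during the attack
    if policy is None or host not in policy.switch:
        return "local", LOCAL_RESPONSE   # switching strategy not met
    for standby in filter(trusted, policy.switch[host]):
        resp = send(standby, path)       # resend on the standby address
        if resp is not None:
            return "switched:" + standby, resp
    fallback = policy.degrade.get(host)  # resend failed: try the degradation strategy
    if fallback and trusted(fallback):
        resp = send(fallback, path)
        if resp is not None:
            return "degraded:" + fallback, resp
    return "local", LOCAL_RESPONSE

# Constructed sample data: which hosts answer, and the policy the server returns.
UP = {"b2.example-cdn.test", "lite.example-cdn.test"}
POLICY = DomainPolicy(
    switch={"api.example-cdn.test": ["b1.example-cdn.test", "evil.invalid",
                                     "b2.example-cdn.test"]},
    degrade={"api.example-cdn.test": "lite.example-cdn.test"})

def fake_send(host, path):
    return {"host": host, "path": path} if host in UP else None
```

Every exit path ends in a bounded response, so a client under attack never loops on the failing address or on an unreachable policy endpoint.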

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110805639.7A CN113489739B (en) 2021-07-16 2021-07-16 CDN-based service stability method and device for resisting DDoS attack

Publications (2)

Publication Number Publication Date
CN113489739A CN113489739A (en) 2021-10-08
CN113489739B true CN113489739B (en) 2024-03-08

Family

ID=77939836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110805639.7A Active CN113489739B (en) 2021-07-16 2021-07-16 CDN-based service stability method and device for resisting DDoS attack

Country Status (1)

Country Link
CN (1) CN113489739B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023924A (en) * 2012-12-31 2013-04-03 网宿科技股份有限公司 Content distribution network based DDoS (distributed denial of service) attack protecting method and content distribution network based DDoS attack protecting system for cloud distribution platform
CN107294922A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 A kind of network address dispatching method and device for tackling network attack
WO2018112759A1 (en) * 2016-12-20 2018-06-28 华为技术有限公司 Resource access method, apparatus and system
CN109951426A (en) * 2017-12-21 2019-06-28 阿里巴巴集团控股有限公司 Abnormal domain name determines method, abnormal flow processing method, apparatus and system
CN110166526A (en) * 2019-04-15 2019-08-23 中国平安人寿保险股份有限公司 More CDN access management methods, device, computer equipment and storage medium
CN110505155A (en) * 2019-08-13 2019-11-26 北京达佳互联信息技术有限公司 Request degradation processing method, device, electronic equipment and storage medium
CN111988387A (en) * 2020-08-11 2020-11-24 北京达佳互联信息技术有限公司 Interface request processing method, device, server, equipment and storage medium
CN112260853A (en) * 2020-09-17 2021-01-22 北京大米科技有限公司 Disaster recovery switching method and device, storage medium and electronic equipment
CN112491869A (en) * 2020-11-25 2021-03-12 上海七牛信息技术有限公司 Application layer DDOS attack detection and protection method and system based on IP credit
CN113037716A (en) * 2021-02-07 2021-06-25 杭州又拍云科技有限公司 Attack defense method based on content distribution network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170155678A1 (en) * 2015-12-01 2017-06-01 Fastly, Inc. Attack mitigation in content delivery networks using stenographic network addressing

Also Published As

Publication number Publication date
CN113489739A (en) 2021-10-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant