CN101030860A - Method and apparatus for preventing server from being attacked by automatic software - Google Patents


Info

Publication number: CN101030860A
Authority: CN (China)
Prior art keywords: user, connection request, server, defence
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN 200710079316
Other languages: Chinese (zh)
Inventors: 雷奕康, 楚丽娜
Current assignee: Huawei Technologies Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Huawei Technologies Co Ltd
Priority date: 2007-02-15 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2007-02-15
Publication date: 2007-09-05
Application filed by Huawei Technologies Co Ltd; priority to CN 200710079316; published as CN101030860A

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention addresses the problem that current technology cannot effectively defend a Web server against attack. The method comprises: setting up an intermediate device at the server end; after a connection request is received from a user, directing the request into an authentication mechanism that verifies the user; if the user is legitimate, establishing the user's connection with the server; otherwise, rejecting the connection request. The invention also discloses an apparatus for defending a server against attacks by automated software, comprising a receiving and notification module, an authentication module and a connection request processing module.

Description

Method and apparatus for defending a server against attacks by automated software
Technical field
The present invention relates to the field of network communications, and in particular to a method and apparatus for defending a server against attacks initiated by automated computer software.
Background technology
When a user's web browser retrieves information from an Internet website, it usually connects directly to the Web server and sends a read request for the page; the Web server receives the request, responds, and sends the information to the user. Alternatively, the user may connect to the Web server through a proxy server.
A proxy server sits between the user's browser and the Web server. When a proxy is used, the browser does not request the page from the Web server directly; it sends the request to the proxy, which forwards it to the Web server and relays the Web server's response back to the browser. Most proxy servers also have a cache with a large amount of storage: newly fetched data is continually written to the proxy's storage, and if the data a browser asks for is already in local storage and up to date, the proxy serves it from storage instead of fetching it from the Web server again, which noticeably improves browsing speed and efficiency.
This characteristic of proxy servers has given rise to a new attack pattern against Web servers, a form of DDoS (Distributed Denial of Service). The attacker uses a large number of proxy servers to simulate many users and sends a flood of requests for the server's dynamic pages (asp, php, aspx, jsp and the like); the requested pages may or may not exist. Because the attacker hides its real IP address behind the proxies and completes the full three-way handshake, the real attacker is hard to defend against. For pages that do not exist the proxy has nothing cached, so the attacker's request can only be passed on to the server for processing. Processing such requests is expensive for the server: it typically performs time-consuming operations such as database queries, and since these cannot complete immediately the Web server queues the unfinished requests, quickly exhausting the connection limit of its application-layer service, after which legitimate users can only be refused. For example, many Apache Web servers can handle no more than 512 or 1024 connections, so this DDoS attack easily causes DoS (Denial of Service) and can even overload the Web server until it collapses.
The DDoS attack is described below in terms of the interaction over TCP (Transmission Control Protocol) connections. In detail:
The attacker, via a proxy server, continuously requests non-existent pages from the Web server over the same TCP connection. If the attacker starts several such attack connections at once, the Web server becomes busy serving the attacker's requests, the connection slots of its application-layer service are seized, and the Web server is eventually driven into DoS.
The attacker may also attack in the following form: it visits a normal page and submits a query that is very expensive for the Web server to process (consuming CPU, memory, database resources and so on). The Web server becomes busy with these requests and cannot accept new ones. This class of attack is hard to prevent with present technology, for three reasons. First, it is a full-connection access initiated through a proxy, that is, a genuine visit, so neither an anti-DDoS device in the path nor the Web server can distinguish a real user from an attacker. Second, it can be launched through a large number of proxies, so neither the Web server nor the anti-DDoS device can identify the attacker by limiting the number of connections. Third, it can be a slow attack: a low rate and few connections are enough for it to succeed.
Because this type of attack simulates the access behaviour of normal users, the commonly used SYN flood defences and TCP proxies cannot effectively prevent it.
This attack usually has the feature that a number of connection requests are initiated from each proxy server. A firewall-class device can manage user traffic by limiting the bandwidth of a given IP address or the number of connections per IP address, which defends against this type of attack to some extent.
Managing user traffic by limiting the bandwidth of an IP address or the number of connections initiated from each IP address has the following limitations:
(1) The attack is launched from a large number of proxy servers, and each proxy may initiate only a few attack connections. A per-IP connection limit would have to be set very low to be effective, which may block genuine users. At the same time, if the attacker uses many proxies, the number of connections hitting the server is still large, so traffic management cannot achieve good protection.
(2) The attack targets the Web server's performance bottleneck in handling dynamic pages rather than its bandwidth, so a small amount of attack traffic still consumes a large amount of server resources and achieves the attack's purpose.
(3) Managing user traffic affects the normal access of legitimate users, causing slow browsing and similar problems and impairing their use of the Web server.
In addition, since the simulated visits of this attack all pass through a proxy server, some techniques detect whether the HTTP request message carries particular information indicating access through a proxy, treat the request as proxy access on that basis, and filter it accordingly. This method has some anti-attack capability, but has the following problems:
Requests from genuine users on an internal network who reach the external network through a proxy are misjudged, affecting their normal use.
Proxy behaviour is unpredictable, so requests that do not carry the specific information cannot be identified or filtered, and the defence is ineffective.
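An added example, not part of the patent, of the proxy-header filter just described, showing both failure modes named in the text. It assumes that the "particular information" is the Via and X-Forwarded-For headers that forwarding proxies commonly add; the three requests and the host www.example.test are constructed for the example.

```python
"""Flag HTTP requests that carry proxy indicators, and show why the
filter is unreliable. Added example; not code from the patent."""
from dataclasses import dataclass

# Header names a forwarding proxy commonly adds. Which headers a given
# proxy adds, if any, is an assumption; the patent only says "particular
# information" in the request.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")


@dataclass
class Verdict:
    label: str
    path: str
    proxied: bool  # True means the header filter would drop this request


def parse_request(raw: str):
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flagged_as_proxy(headers: dict) -> bool:
    """The filter: any known proxy header present => treat as proxy access."""
    return any(h in headers for h in PROXY_HEADERS)


def filter_requests(samples):
    return [Verdict(label, parse_request(raw)[1], flagged_as_proxy(parse_request(raw)[2]))
            for label, raw in samples]


# Constructed sample traffic.
SAMPLES = [
    # A legitimate employee whose corporate proxy adds Via / X-Forwarded-For.
    ("internal user via corporate proxy",
     "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
     "Via: 1.1 corp-proxy\r\nX-Forwarded-For: 10.0.0.7\r\n\r\n"),
    # An attacker behind an anonymizing proxy that strips every such header.
    ("attacker via anonymizing proxy",
     "GET /search.asp?q=%25 HTTP/1.1\r\nHost: www.example.test\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    # A direct visitor.
    ("direct user",
     "GET /news.jsp?id=42 HTTP/1.1\r\nHost: www.example.test\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
]


def run() -> dict:
    """Map each sample's label to whether the filter would block it."""
    return {v.label: v.proxied for v in filter_requests(SAMPLES)}


if __name__ == "__main__":
    for label, blocked in run().items():
        print(f"{label:36s} blocked={blocked}")
```

The internal user's request is blocked although it is legitimate, while the attacker's proxy adds no such headers and passes untouched; the filter's accuracy depends entirely on proxy behaviour the defender does not control, which is the point the two problems above make.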
Summary of the invention
To solve the problem that the prior art cannot effectively defend against attacks on a Web server, embodiments of the invention provide a method and apparatus for defending a server against attacks by automated software. The technical scheme is as follows:
A method for defending a server against attacks by automated software, the method comprising:
setting up an intermediate device at the server end;
after the intermediate device receives a connection request sent by a user, directing the connection request into an authentication mechanism that a computer cannot complete automatically; the authentication mechanism verifies whether the user is legitimate; if so, the user's connection request is forwarded to the server; otherwise, the user's connection request is rejected.
An embodiment of the invention also provides an apparatus for defending a server against attacks by automated software, the apparatus comprising:
a receiving and notification module, for receiving the connection request sent by the user and directing it into an authentication mechanism that a computer cannot complete automatically;
an authentication module, for verifying through that authentication mechanism whether the user is legitimate, after the receiving and notification module has directed the connection request into it;
a connection request processing module, for forwarding the user's connection request to the server when the authentication module verifies that the user is legitimate, and rejecting the user's connection request when the user is illegitimate.
The beneficial effect of the technical scheme of the embodiments is:
by setting up an intermediate device at the Web server end and redirecting connection requests into an authentication mechanism that a computer cannot complete automatically, authentication through this mechanism effectively defends against attacks launched on the Web server by automated computer software, relieves the Web server's load, and lets normal users connect to the Web server.
Description of drawings
Fig. 1 is the flow chart of the method for defending a server against attacks by automated software provided by embodiment 1 of the invention;
Fig. 2 is the schematic diagram of the apparatus for defending a server against attacks by automated software provided by embodiment 2 of the invention.
Embodiments
The invention is further described below with reference to the drawings and specific embodiments, but the invention is not limited to the following examples.
Embodiments of the invention protect the server by setting up an intermediate device at the Web server end, defending against attacks carried out on the server by automated computer software.
Full-connection attacks launched by automated software against a Web server, whether through a proxy or directly from the attacker's own computer, share one feature: the connection is driven entirely by software running automatically. Targeting this feature, the embodiments provide a method and apparatus for defending a server against attacks by automated computer software.
Embodiment 1
Referring to Fig. 1, the flow chart of the method for defending a server against attacks by automated software provided by embodiment 1, the method is as follows:
Step 101: set up an intermediate device at the Web server end. The device may be a physical device such as a firewall, or a virtual device such as a software package installed on the server with redirection, verification or connection functions. If it is software, it may be stored on a computer-readable physical medium such as a hard disk or optical disc.
This embodiment takes a firewall device as the example; every request to connect to the server reaches the firewall first.
Step 102: after the firewall receives a connection request sent by a user, it directs the connection request into an authentication mechanism that a computer cannot complete automatically.
Step 103: the authentication mechanism verifies whether the user is legitimate; if so, go to step 104, otherwise go to step 105.
Step 104: forward the user's connection request to the Web server, so that the user and the Web server are connected.
Step 105: reject the user's connection request; the user cannot connect to the Web server.
The authentication mechanism may be a human interface that a computer cannot take part in, for example a graphical display interface that asks the user to enter authentication information and then verifies what the user entered. It may also be an authentication confirmation window through which the user is asked to choose whether to confirm the connection request: if the user selects "yes" the user passes verification, and if the user makes no selection or selects "no" the user is illegitimate. Because automated software has no capability for such interaction, it cannot respond to the notice presented by the authentication mechanism, and so this mechanism effectively defends the Web server against attacks by automated software.
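An added example, not the patent's own code, of an intermediate device implementing steps 101 to 105 as an HTTP-level request gateway. It assumes that a client which passes verification is given an HMAC-signed, expiring pass token bound to its client identity so that later requests are forwarded without a new challenge; the Request and Response types, the stand-in web_server, the six-character puzzle, and the simulated human and bots are all constructed for the example.

```python
"""Intermediate device from Embodiment 1 as a request gateway.
Added example; not code from the patent."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    client_id: str  # stands in for the connecting client (e.g. source address)
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookie: dict = field(default_factory=dict)


def web_server(req: Request) -> Response:
    """Stand-in for the protected Web server (constructed for the example)."""
    web_server.hits += 1
    return Response(200, f"dynamic page {req.path}")


web_server.hits = 0


class Gateway:
    """Step 101: the intermediate device; every connection request arrives here first."""
    CHALLENGE_PATH = "/__verify"
    TOKEN_TTL = 600  # seconds a verified client stays verified (assumed value)
    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

    def __init__(self, upstream):
        self.upstream = upstream
        self.secret = os.urandom(32)  # per-instance key for pass tokens
        self.pending = {}             # client_id -> expected puzzle answer
        self.rejected = 0

    def _issue_token(self, client_id: str) -> str:
        exp = int(time.time()) + self.TOKEN_TTL
        msg = f"{client_id}|{exp}".encode()
        return f"{exp}.{hmac.new(self.secret, msg, hashlib.sha256).hexdigest()}"

    def _token_valid(self, client_id: str, token: str) -> bool:
        try:
            exp_s, mac = token.split(".", 1)
            exp = int(exp_s)
        except ValueError:
            return False
        if exp < time.time():
            return False
        msg = f"{client_id}|{exp}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)  # bound to this client and expiry

    def _challenge(self, req: Request) -> Response:
        # Step 102: direct the request into the human-only mechanism. A real
        # device renders the answer as a distorted image; here it rides in the
        # body so the simulated human below can "read" it.
        answer = "".join(secrets.choice(self.ALPHABET) for _ in range(6))
        self.pending[req.client_id] = answer
        return Response(302, answer)

    def handle(self, req: Request) -> Response:
        token = req.cookies.get("gw_pass", "")
        if token and self._token_valid(req.client_id, token):
            return self.upstream(req)  # Step 104: verified user, pass to the server
        if req.path == self.CHALLENGE_PATH:
            expected = self.pending.pop(req.client_id, None)  # single use
            given = req.form.get("answer", "")
            if expected is not None and hmac.compare_digest(given.encode(), expected.encode()):
                return Response(200, "verified",
                                set_cookie={"gw_pass": self._issue_token(req.client_id)})
            self.rejected += 1  # Step 105: wrong or missing answer, reject
            return Response(403, "rejected")
        return self._challenge(req)  # Step 103 starts with the challenge


def simulate() -> dict:
    """A human solves the puzzle; bots never answer, answer blindly, or replay a cookie."""
    gw = Gateway(web_server)
    web_server.hits = 0
    first = gw.handle(Request("human", "/news.jsp?id=42"))
    ok = gw.handle(Request("human", Gateway.CHALLENGE_PATH, form={"answer": first.body}))
    served = gw.handle(Request("human", "/news.jsp?id=42", cookies=ok.set_cookie))
    bot_a = {gw.handle(Request("bot-a", f"/x{i}.asp")).status for i in range(50)}
    gw.handle(Request("bot-b", "/search.php?q=*"))
    bot_b = gw.handle(Request("bot-b", Gateway.CHALLENGE_PATH, form={"answer": "AAAAAA"}))
    stolen = gw.handle(Request("bot-c", "/news.jsp?id=42", cookies=ok.set_cookie))
    return {"human_status": served.status, "server_hits": web_server.hits,
            "bot_a_statuses": bot_a, "bot_b_status": bot_b.status,
            "stolen_cookie_status": stolen.status, "rejected": gw.rejected}


if __name__ == "__main__":
    print(simulate())
```

The example implements the first variant of the mechanism (a freshly generated answer that the gateway checks) rather than the confirmation window, since a per-request answer is what a client has to read from the screen, whereas a confirm button only calls for a fixed response. Only the human's request ever reaches web_server: the bot that keeps requesting non-existent .asp pages is answered with a challenge every time and never consumes a server connection, the blind guess is rejected at step 105, and the token is bound to the client identity, so a cookie captured from the human is useless to a different client.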
Embodiment 2
Referring to Fig. 2, the schematic diagram of the apparatus for defending a server against attacks by automated software provided by this embodiment. The apparatus may be a physical device or a virtual device, and comprises the following parts:
a receiving and notification module, for receiving the connection request sent by the user and directing it into an authentication mechanism that a computer cannot complete automatically;
an authentication module, for verifying through that authentication mechanism whether the user is legitimate, after the receiving and notification module has directed the connection request into it;
a connection request processing module, for sending the user's connection request to the server when the authentication module verifies that the user is legitimate, and rejecting the user's connection request when the user is illegitimate.
The authentication mechanism may be a human interface that a computer cannot take part in, for example a graphical display interface: the authentication module asks the user to enter authentication information through this interface and verifies what the user entered. It may also be an authentication window, in which case the authentication module verifies the user's identity by whether the user clicks the confirm or the cancel control of the dialog box.
When a graphical display interface is used for verification, the authentication module may comprise:
an information notification unit, for asking the user to enter authentication information;
a verification unit, for checking, after the user has entered authentication information, whether it is correct; if correct, the user is legitimate, otherwise the user is illegitimate.
When an authentication window is used, the authentication module may comprise:
a confirmation notification unit, for asking the user to choose whether to confirm the connection request;
a user response processing unit: when the user confirms the connection request, the user passes verification; when the user makes no selection or cancels the connection request, the user is illegitimate.
Through the above embodiments, an intermediate device is set up at the Web server end and connection requests are redirected into an authentication mechanism that a computer cannot complete automatically. Authentication through this mechanism effectively defends against attacks launched on the Web server by automated computer software, relieves the Web server's load, and lets normal users connect to the Web server.
The embodiments described above are preferred embodiments of the invention; ordinary variations and substitutions made by those skilled in the art within the scope of the technical solution of the invention fall within the protection scope of the invention.

Claims (10)

1. A method for defending a server against attacks by automated software, characterised in that the method comprises:
setting up an intermediate device at the server end;
after the intermediate device receives a connection request sent by a user, directing the connection request into an authentication mechanism that a computer cannot complete automatically, the authentication mechanism verifying whether the user is legitimate; if so, forwarding the user's connection request to the server; otherwise, rejecting the user's connection request.
2. The method of claim 1, characterised in that verifying whether the user is legitimate specifically comprises:
asking the user to enter authentication information;
after the user enters authentication information, the intermediate device verifying whether the authentication information is correct; if correct, the user is legitimate, otherwise the user is illegitimate.
3. The method of claim 1, characterised in that verifying whether the user is legitimate specifically comprises:
asking the user to choose whether to confirm the connection request; if the user selects "yes", the user passes verification; if the user makes no selection or selects "no", the user is illegitimate.
4. The method of claim 1, characterised in that the intermediate device is specifically a firewall device.
5. The method of claim 1, characterised in that the intermediate device is specifically a virtual device with redirection, verification or connection functions.
6. The method of claim 1, characterised in that the authentication mechanism that a computer cannot complete automatically is specifically an interface that a computer cannot take part in.
7. The method of claim 6, characterised in that the interface is specifically a graphical display interface.
8. An apparatus for defending a server against attacks by automated software, characterised in that the apparatus comprises:
a receiving and notification module, for receiving the connection request sent by the user and directing the connection request into an authentication mechanism that a computer cannot complete automatically;
an authentication module, for verifying through the authentication mechanism whether the user is legitimate, after the receiving and notification module has directed the connection request into the authentication mechanism;
a connection request processing module, for sending the user's connection request to the server when the authentication module verifies that the user is legitimate, and rejecting the user's connection request when the user is illegitimate.
9. The apparatus of claim 8, characterised in that the authentication module specifically comprises:
an information notification unit, for asking the user to enter authentication information;
a verification unit, for verifying, after the user enters authentication information, whether the authentication information is correct; if correct, the user is legitimate, otherwise the user is illegitimate.
10. The apparatus of claim 8, characterised in that the authentication module specifically comprises:
a confirmation notification unit, for asking the user to choose whether to confirm the connection request;
a user response processing unit, for treating the user as verified when the user confirms the connection request, and as illegitimate when the user makes no selection or cancels the connection request.
Priority Applications (1)

Application CN 200710079316 (CN101030860A), priority date 2007-02-15, filing date 2007-02-15: Method and apparatus for preventing server from being attacked by automatic software

Publications (1)

CN101030860A, published 2007-09-05

Family

ID=38715960; one family application, CN 200710079316 (pending); country: CN

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143177A * 2011-03-30 2011-08-03 北京星网锐捷网络技术有限公司 Portal authentication method, device, equipment and system
CN102143177B * 2011-03-30 2013-11-20 北京星网锐捷网络技术有限公司 Portal authentication method, device, equipment and system
CN103986690A * 2014-04-03 2014-08-13 北京京东尚科信息技术有限公司 Method and device for processing client requests
CN105306494A * 2015-11-26 2016-02-03 上海斐讯数据通信技术有限公司 Server and method for preventing DoS attacks
RU2734027C2 * 2016-05-31 2020-10-12 Alibaba Group Holding Limited Method and device for preventing an attack on a server
US10965689B2 2016-05-31 2021-03-30 Advanced New Technologies Co., Ltd. Method and device for preventing server from being attacked
US10986101B2 2016-05-31 2021-04-20 Advanced New Technologies Co., Ltd. Method and device for preventing server from being attacked
CN108696400A * 2017-04-12 2018-10-23 北京京东尚科信息技术有限公司 Network monitoring method and device
CN107733699A * 2017-09-28 2018-02-23 深信服科技股份有限公司 Internet asset security management method, system, device and readable storage medium
CN107733699B * 2017-09-28 2021-04-09 深信服科技股份有限公司 Internet asset security management method, system, device and readable storage medium
CN110505212A * 2019-07-24 2019-11-26 武汉大学 IoT virtual security device based on a MiddleBox
CN113079170A * 2021-04-13 2021-07-06 福建奇点时空数字科技有限公司 SDN dynamic target defense method based on a multi-stage interactive verification mechanism


Legal Events

C06 / PB01: Publication (open date 2007-09-05)
C10 / SE01: Entry into substantive examination (request for substantive examination entered into force)
C12 / RJ01: Rejection of the invention patent application after publication