Summary of the invention
Embodiments of the invention provide an HTTP attack defence method, device and system based on redirection, in order to lower the misjudgement rate and reduce system memory consumption.
One embodiment of the invention provides an HTTP attack defence method, comprising:
in response to a client's HTTP request to a server, sending a redirect command to the client and tearing down the network connection established for that HTTP request, where the redirect command redirects the HTTP request to a virtual address and the virtual address is reachable on the server;
receiving the client's new HTTP request, determining from the virtual address whether the new HTTP request is the redirected HTTP request and, if it is, determining among such new HTTP requests which carry a legitimate packet;
rewriting the virtual address in the HTTP request that carries a legitimate packet back to the original address and forwarding the request to the server.
One embodiment of the invention provides an HTTP attack defence device, comprising:
a releasing unit, for sending a connection reset request to the server to tear down the network connection;
a receiving unit, for receiving the HTTP request sent from the client to the server;
a redirecting unit, for responding to the client's HTTP request by sending a redirect command to the client and, through the releasing unit, tearing down the network connection established for that HTTP request, where the redirect command redirects the HTTP request to a virtual address and the virtual address is reachable on the server;
a judging unit, for examining the new HTTP request received by the receiving unit, determining whether it is the redirected HTTP request and, for a new HTTP request that is the redirected request, determining whether it carries a legitimate packet, thereby obtaining the HTTP request with a legitimate packet;
a restoring unit, for rewriting the virtual address in the HTTP request that the judging unit found to carry a legitimate packet back to the original address and forwarding the request to the server.
One embodiment of the invention provides an HTTP attack defence system, comprising a server for responding to client HTTP requests and an HTTP attack defence device, where the HTTP attack defence device comprises:
a releasing unit, for sending a connection reset request (TCP RST) to the server to tear down the TCP connection;
a receiving unit, for receiving the HTTP request sent from the client to the server;
a redirecting unit, for responding to the client's HTTP request received by the receiving unit by sending a redirect command to the client and, through the releasing unit, tearing down the network connection established for that HTTP request, where the redirect command redirects the HTTP request to a virtual address and the virtual address is reachable on the server;
a judging unit, for examining the new HTTP request received by the receiving unit, determining whether it is the redirected HTTP request and, for a new HTTP request that is the redirected request, determining whether it carries a legitimate packet, thereby obtaining the HTTP request with a legitimate packet;
a restoring unit, for rewriting the virtual address in the HTTP request that the judging unit found to carry a legitimate packet back to the original address and forwarding the request to the server.
With the above technical scheme, the HTTP request is redirected to a virtual address, the new HTTP request is examined, and the HTTP request that correctly responds to the redirect and carries a legitimate packet is obtained; attacks launched from behind SNAT can thus be identified effectively, the misjudgement rate is low, and system memory consumption is reduced.
Embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Figure 4, one embodiment of the invention provides an HTTP attack defence method, whose flow comprises:
S310: in response to the client's Hypertext Transfer Protocol (HTTP) request, send a redirect command that redirects the HTTP request to a virtual address (the virtual address here is a virtual URL; this and the other embodiments describe it as a virtual URL) and tear down the network connection established for the HTTP request (the network connection here is a TCP connection; this and the other embodiments describe it as a TCP connection). The virtual URL is reachable on the server and carries a predetermined delay, which is used to compute the theoretical arrival time of the redirected HTTP request. It should be noted that the virtual URL can be obtained as a virtual path or by way of a URL variable.
S320: receive the new HTTP request and determine from the virtual URL information whether it is the redirected HTTP request; if it is, determine from the difference between the arrival time of the new HTTP request and the scheduled time whether it carries a legitimate packet;
S330: rewrite the virtual URL in the HTTP request carrying the legitimate packet back to the original URL and forward the request to the server.
With the above technical scheme, the embodiment redirects the HTTP request to a virtual URL, uses the virtual URL information to recognise the redirected HTTP request, and identifies the HTTP request that correctly responds to the redirect and carries a legitimate packet; attacks launched from behind SNAT can thus be identified effectively, the misjudgement rate is low, and system memory consumption is reduced.
As shown in Figure 5, one embodiment of the invention provides an HTTP attack defence method, comprising:
S410: establish a TCP connection according to the TCP connection request. The protector monitors TCP connection request packets from the client and applies TCP-layer attack defence to the packets it observes, for example probing the source IP with an address-state monitoring technique: if the source IP is genuine, the client is allowed to establish a TCP connection with the server; if not, the TCP connection request is refused.
S420: once the TCP connection is established, the protector receives the HTTP request sent by the client to the server.
S430: the protector answers in place of the server and redirects the received client HTTP request to a virtual URL, that is, to a non-existent URL produced by a particular encoding; the encoding is what guarantees that the virtual URL can still reach the server.
The redirected virtual-URL request must be able to reach the server, the real URL must be recoverable from the virtual URL, and the redirection needs a certain delay. In this embodiment the virtual-URL redirect can use the VDIR (virtual directory, or virtual path) method, designed for example as VDIR={AT|R|H}, where AT (Arrival Time) is the arrival time of the redirected request (measured by the protector's clock, that is, its system time) and occupies 8 bytes; the theoretical value of AT is the sum of three terms: the arrival time of the HTTP request, the redirect delay and the round-trip delay. R is a random number and H is a hash value of the preceding items; R and H can each occupy 4 bytes, so VDIR occupies 16 bytes in total. In other words, the theoretical value of AT is computed and placed into the redirect response packet at the moment the arriving HTTP request is redirected to the virtual URL: AT is the arrival time of the HTTP request plus the redirect delay plus the round-trip delay.
To illustrate, an example of the redirect method follows. Suppose the HTTP request sent by the client is:
GET http://www.huawei.com/index.htm HTTP/1.1
The protector answers in place of the server, and the head section of the HTML file it returns contains the following statement:
<meta http-equiv="refresh" content="0.5; url=http://www.huawei.com/VDIR/index.htm">
This statement tells the client to issue a new HTTP request after waiting 0.5 seconds, with request URL "http://www.huawei.com/VDIR/index.htm", where VDIR is the virtual directory constructed during the redirect (its requirements are described in step S430). With this redirect example, the theoretical arrival time of the new HTTP request from a client that correctly follows the redirect should be AT, that is, the arrival time of the previous HTTP request plus the 0.5-second redirect delay plus the round-trip delay.
The 0.5 seconds here is the redirect delay; in other embodiments it may be 0.6 seconds, 0.4 seconds or another value.
S440: the protector sends a TCP RST to the server to tear down the TCP connection.
S450: the TCP connection is re-established, in the manner described in step S410.
S460: the protector receives the new HTTP request from the client and determines whether it is the redirected HTTP request. It examines the URL features of the client's new HTTP request and decides, by checking whether VDIR is present and correct, whether the request went through the redirect.
S470 to S480: if VDIR is absent or incorrect, the protector concludes that the new HTTP request is not the redirected request (that is, the redirected HTTP request never arrived), which shows that the previous HTTP request was an attack request; because the original TCP connection was torn down after the redirect, that attacking HTTP request has already been discarded. The protector now redirects the new HTTP request to a virtual URL, sends a TCP RST to the server and tears down the TCP connection; the redirect method is as described in step S430.
S490: if VDIR is present and correct, the protector concludes that the current HTTP request is the redirected request (that is, the redirected HTTP request has arrived). It then also needs to compare the theoretical arrival time of the redirected request, that is, the value AT from step S430, with the protector's current time to decide whether a zombie (bot) attack has just taken place: if the difference between the theoretical arrival time of the redirected request and the protector's current time is within the prescribed value (that is, the theoretical redirected arrival time roughly equals the protector's current time), the packet is considered legitimate; if the time offset is larger, the packet is considered an attack packet, and the protector sends a TCP RST to the server to tear down the TCP connection and discards the attack packet.
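The VDIR construction of step S430 and the checks of steps S460 to S490, as an added Python example that is not part of the patent text: the token packs AT (8 bytes), R (4 bytes) and H (4 bytes) and hex-encodes them into a virtual path segment. H is computed here as a keyed hash with a protector-side key (SECRET), an assumption beyond the plain hash the text names; the 0.5 s delay is the page's value, while the RTT estimate, the tolerance window and all function names are assumptions.

```python
import hashlib
import hmac
import os
import struct
from urllib.parse import urlsplit, urlunsplit

REDIRECT_DELAY = 0.5        # redirect delay used in the page's example (seconds)
TOLERANCE = 0.3             # assumed "prescribed value": largest |now - AT| still treated as legal
SECRET = b"protector-key"   # assumed protector-side key so a client cannot forge H


def make_vdir(arrival_time: float, rtt: float, rng=os.urandom) -> str:
    """Build VDIR = {AT|R|H}: 8-byte AT, 4-byte R, 4-byte H, hex-encoded (32 chars)."""
    at = arrival_time + REDIRECT_DELAY + rtt   # theoretical arrival time of the redirected request
    at_field = struct.pack("!d", at)
    r_field = rng(4)
    h_field = hmac.new(SECRET, at_field + r_field, hashlib.sha256).digest()[:4]
    return (at_field + r_field + h_field).hex()


def parse_vdir(token: str):
    """Return AT if token is a well-formed VDIR whose H verifies, else None."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) != 16:
        return None
    at_field, r_field, h_field = raw[:8], raw[8:12], raw[12:]
    expected = hmac.new(SECRET, at_field + r_field, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(h_field, expected):
        return None
    return struct.unpack("!d", at_field)[0]


def redirect_url(original_url: str, token: str) -> str:
    """Virtual-path form of S430: insert /<VDIR>/ in front of the original path."""
    u = urlsplit(original_url)
    return urlunsplit((u.scheme, u.netloc, "/" + token + u.path, u.query, u.fragment))


def redirect_html(virtual_url: str) -> str:
    """Head statement the protector returns in place of the server."""
    return '<meta http-equiv="refresh" content="%s; url=%s">' % (REDIRECT_DELAY, virtual_url)


def classify_request(path: str, now: float) -> str:
    """Steps S460 to S490: 'not_redirected', 'attack' or 'legal' for a new request path."""
    segments = path.split("/")
    if len(segments) < 3:           # no /<VDIR>/... prefix at all
        return "not_redirected"
    at = parse_vdir(segments[1])
    if at is None:                  # VDIR absent or incorrect (S470 to S480)
        return "not_redirected"
    if abs(now - at) <= TOLERANCE:  # arrived when the redirect said it would (S490)
        return "legal"
    return "attack"                 # VDIR valid but far from its theoretical arrival time


def original_path(path: str) -> str:
    """Strip the virtual directory again so the request can be restored (S490 / S330)."""
    segments = path.split("/")
    return "/" + "/".join(segments[2:])
```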
In S490, when the protector has determined that the arriving HTTP request is the redirected request and carries a legitimate packet, it rewrites the URL of the redirected HTTP request back to the original URL and forwards the request to the server. The URL rewriting method is again described with the example from step S430:
The HTTP request after the virtual-URL redirect is:
GET http://www.huawei.com/VDIR/index.htm HTTP/1.1 (1)
This request is rewritten into a normal request; the rewritten request is:
Modifying the HTTP request may affect fields of the datagram such as the IP header length, the IP checksum, the TCP checksum and the TCP header sequence number. To keep these effects to a minimum, the embodiment uses a "space padding" method that keeps the IP packet length unchanged, so that only the TCP checksum needs to be recomputed and no other field needs to be modified. In the example, let LEN be the number of non-blank bytes by which (1) is longer than (2), that is, the length of "/VDIR"; position (a) in (2) is padded with LEN spaces, or the padding may instead be placed at position (b) or (c). After the request has been modified, the TCP checksum is recomputed and the modified HTTP request is sent to the server.
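The space-padding restoration of step S490, as an added Python example that is not part of the patent text: it builds a constructed IPv4/TCP datagram carrying request (1), removes "/VDIR", pads LEN spaces between the URL and the HTTP version (the page's request (2) and its positions (a) to (c) are not reproduced on the page, so that position is an assumption) and recomputes only the TCP checksum, leaving the IP header untouched. Addresses, ports and sequence numbers are constructed sample values.

```python
import struct

# Constructed sample values (not from the patent): private addresses, sample ports.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])


def ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 when run over a block that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement(pseudo + segment)


def build_packet(payload: bytes) -> bytes:
    """Minimal IPv4 + TCP (PSH/ACK, no options) datagram carrying payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", ones_complement(ip)) + ip[12:]
    return ip + tcp


def restore_request_line(payload: bytes, vdir: str) -> bytes:
    """Remove "/<vdir>" from the request line and pad LEN spaces so the length stays the same.
    The padding is placed between the URL and the HTTP version (assumed position)."""
    marker = ("/" + vdir).encode()
    idx = payload.find(marker)
    if idx < 0:
        return payload
    stripped = payload[:idx] + payload[idx + len(marker):]
    end = stripped.find(b"\r\n")
    end = len(stripped) if end < 0 else end
    line = stripped[:end]
    ver = line.rfind(b" HTTP/")
    if ver < 0:
        return payload
    return line[:ver] + b" " * len(marker) + line[ver:] + stripped[end:]


def rewrite_packet(pkt: bytes, vdir: str) -> bytes:
    """Restore the URL inside the datagram; only the TCP checksum changes, the IP header is kept."""
    ip, tcp = pkt[:20], pkt[20:]
    new_tcp = tcp[:16] + b"\x00\x00" + tcp[18:20] + restore_request_line(tcp[20:], vdir)
    csum = struct.pack("!H", tcp_checksum(ip[12:16], ip[16:20], new_tcp))
    return ip + new_tcp[:16] + csum + new_tcp[18:]


def checksums_valid(pkt: bytes) -> bool:
    """True if both the IP header checksum and the TCP checksum verify."""
    ip, tcp = pkt[:20], pkt[20:]
    return ones_complement(ip) == 0 and tcp_checksum(ip[12:16], ip[16:20], tcp) == 0
```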
It should be noted that this embodiment uses the virtual-path method for the virtual-URL redirect; in another embodiment the URL-variable mode may be used instead. For example, the request "http://www.huawei.com/index.html" in the example can be redirected to
"http://www.huawei.com/index.html?VDIR" or
"http://www.huawei.com/index.html?a=VDIR", among other forms.
With the above scheme, the embodiment redirects the HTTP request to a virtual URL, recognises the redirected request from the information the virtual URL carries and identifies the HTTP request that correctly responds to the redirect and carries a legitimate packet; it can thus effectively resist various HTTP flood attacks (such as GET flood and CC attacks); the misjudgement rate is low and attacks launched from behind SNAT are identified effectively; and the protector does not need to store large IP address lists, which reduces its memory consumption.
As shown in Figure 6, one embodiment of the invention provides an HTTP attack defence device comprising a monitoring unit 510, an establishing unit 520, a receiving unit 530, a redirecting unit 540, a judging unit 550, a releasing unit 560 and a restoring unit 570, specifically:
The monitoring unit 510 monitors TCP connection request packets from the client.
The establishing unit 520 applies TCP-layer attack defence to the observed TCP connection request packets, for example probing the source IP with an address-state monitoring technique: if the source IP is genuine, the client is allowed to establish a TCP connection with the server; if not, the TCP connection request is refused.
The receiving unit 530 receives the HTTP request from the client after the establishing unit has set up the TCP connection;
The redirecting unit 540, once the TCP connection is established, redirects the client's HTTP request to a virtual URL, that is, to a non-existent URL produced by a particular encoding, and sends a TCP RST to the server through the releasing unit to tear down the TCP connection.
The URL must go through a particular encoding so that the redirected virtual-URL request can still reach the server and the real URL can be recovered from the virtual URL. The redirection also needs a certain delay. In this embodiment the virtual-URL redirect can use the VDIR (virtual directory, or virtual path) method, designed for example as VDIR={AT|R|H}, where AT (Arrival Time) is the arrival time of the redirected request (measured by the protector's clock) and occupies 8 bytes; the theoretical value of AT should be the sum of three terms: the arrival time of the HTTP request, the redirect delay and the round-trip delay. R is a random number and H is a hash value of the preceding items; R and H can each occupy 4 bytes, so VDIR occupies 16 bytes in total.
To illustrate, an example of the redirect method follows. Suppose the HTTP request sent by the client is: GET http://www.huawei.com/index.htm HTTP/1.1
The protector answers in place of the server, and the head section of the HTML file it returns contains the following statement: <meta http-equiv="refresh" content="0.5; url=http://www.huawei.com/VDIR/index.htm">
This statement tells the client to issue a new HTTP request after waiting 0.5 seconds, with request URL "http://www.huawei.com/VDIR/index.htm", where VDIR is the virtual directory constructed during the redirect. With this redirect example, the theoretical arrival time of the new HTTP request from a client that correctly follows the redirect should be AT, that is, the arrival time of the previous HTTP request plus the 0.5-second redirect delay plus the round-trip delay.
The 0.5 seconds here is the redirect delay; in other embodiments it may be 0.6 seconds, 0.4 seconds or another value.
The judging unit 550 comprises a first judging sub-unit 5501 and a second judging sub-unit 5502 and examines the new HTTP request from the client to decide whether it is a legitimate HTTP request. Before the client issues the new HTTP request, a new TCP connection must first be set up by the establishing unit, in the manner described for the establishing unit 520. Specifically:
The first judging sub-unit 5501 decides whether the new HTTP request went through the redirect by checking whether VDIR is present and correct in the URL of the new HTTP request.
If VDIR is absent or incorrect, the new HTTP request is not the redirected request (that is, the redirected HTTP request never arrived), which shows that the previous HTTP request was an attack request; the protector then redirects the new HTTP request to a virtual URL, sends a TCP RST to the server and tears down the new TCP connection; the redirect method is as described for the redirecting unit 540.
If VDIR is present and correct, the new HTTP request from the client is the redirected request (that is, the redirected HTTP request has arrived); the second judging sub-unit 5502 then also assesses whether the HTTP packet is aggressive, using the difference between the theoretical redirected arrival time AT and the protector's current time: if the difference between the theoretical arrival time AT and the protector's current time is within the prescribed value (AT roughly equals the protector's current time), the packet is considered legitimate; if AT deviates further from the protector's current time, the packet is considered an attack packet, and the releasing unit 560 sends a TCP RST to the server to tear down the TCP connection and the aggressive HTTP request is discarded.
As for the releasing unit 560: when the judging unit 550 determines that the client's HTTP request is not the redirected request, which shows that the previous HTTP request was an attack request, the releasing unit 560 sends a TCP RST to the server to tear down the earlier TCP connection; when the judging unit 550 determines that the client's HTTP request is the redirected request but that it is an attack packet, the releasing unit 560 likewise sends a TCP RST to the server to tear down the earlier TCP connection.
It should be noted that this embodiment uses the virtual-path method for the virtual-URL redirect; in another embodiment the URL-variable mode may be used instead. For example, the request "http://www.huawei.com/index.html" in the example can be redirected to
"http://www.huawei.com/index.html?VDIR" or
"http://www.huawei.com/index.html?a=VDIR", among other forms.
The restoring unit 570 restores the redirected HTTP request when the judging unit has determined that it is the redirected request and carries a legitimate packet: it rewrites the URL of the redirected HTTP request back to the original URL and forwards the request to the server. Taking the HTTP request of this embodiment as an example, the HTTP request after the virtual-URL redirect performed by the redirecting unit 540 is:
GET http://www.huawei.com/VDIR/index.htm HTTP/1.1 (1)
The restoring unit 570 rewrites this request into a normal request; the rewritten request is:
Modifying the HTTP request may affect fields of the datagram such as the IP header length, the IP checksum, the TCP checksum and the TCP header sequence number. To keep these effects to a minimum, the embodiment uses a "space padding" method that keeps the IP packet length unchanged, so that only the TCP checksum needs to be recomputed and no other field needs to be modified. In the example, let LEN be the number of non-blank bytes by which (1) is longer than (2), that is, the length of "/VDIR"; position (a) in (2) is padded with LEN spaces, or the padding may instead be placed at position (b) or (c). After the request has been modified, the TCP checksum is recomputed and the modified HTTP request is sent to the server.
With the above scheme, the embodiment redirects the client's HTTP request to a virtual URL through the redirecting unit, recognises the redirected HTTP request from the information the virtual URL carries and identifies the HTTP request that correctly responds to the redirect and carries a legitimate packet; it can thus effectively resist various HTTP flood attacks (such as GET flood and CC attacks); the misjudgement rate is low and attacks launched from behind SNAT are identified effectively; and the protector does not need to store large IP address lists, which reduces its memory consumption.
As shown in Figure 7, in one embodiment of the invention the HTTP attack defence device of Fig. 5 is applied in a concrete environment to form an HTTP attack defence system, which inspects the HTTP requests that the client 610 sends to the server 630 and defends against the HTTP requests detected as aggressive. Specifically, it comprises the HTTP attack defence device 620 and the server 630.
The client 610 sends a TCP connection establishment request to the server 630 and, once the TCP connection request has been accepted, sends HTTP requests to the server 630.
The HTTP attack defence device 620 applies TCP-layer attack defence to the TCP connection request initiated by the client 610, for example probing the source IP with an address-state monitoring technique: if the source IP is genuine, the client is allowed to establish a TCP connection with the server; if not, the TCP connection request is refused. It examines and identifies the HTTP requests initiated by the client 610, recognising and defending against aggressive HTTP requests by redirecting the HTTP request to a virtual URL, and passes legitimate HTTP requests through to the server 630.
The server 630 accepts the client's TCP connection and responds to the client's legitimate HTTP requests.
The concrete structure and detailed functions of the HTTP attack defence device 620 are the same as those of the HTTP attack defence device based on virtual-URL redirection in Fig. 5 and are not repeated here.
It should be noted that in the embodiments of the invention the ways of redirecting an HTTP request to a virtual URL include, but are not limited to, the URL-variable mode and the virtual-path mode.
With the above scheme, the embodiment applies the HTTP attack defence device in a concrete environment to form a defence system; by redirecting the client's HTTP request to a virtual URL, it recognises the redirected HTTP request from the information the virtual URL carries and identifies the HTTP request that correctly responds to the redirect and carries a legitimate packet; it can thus effectively resist various HTTP flood attacks (such as GET flood and CC attacks); the misjudgement rate is low and attacks launched from behind SNAT are identified effectively; and the protector does not need to store large IP address lists, which reduces its memory consumption.
A person of ordinary skill in the art will understand that all or part of the flow of the methods in the above embodiments can be carried out by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flow of the embodiments of each of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above are only several embodiments of the invention; a person skilled in the art may make various changes or modifications to the invention based on what the application documents disclose without departing from the spirit and scope of the invention.