CN101478387B - Defense method, apparatus and system for hyper text transmission protocol attack - Google Patents

Defense method, apparatus and system for hyper text transmission protocol attack

Publication number: CN101478387B
Authority: CN (China)
Prior art keywords: http request, redirected, request, new, http
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2008102421796A
Other languages: Chinese (zh)
Other versions: CN101478387A (en)
Inventor: 马勺布
Current assignee: Huawei Digital Technologies Chengdu Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Symantec Technologies Co Ltd
Events: application filed by Huawei Symantec Technologies Co Ltd; priority to CN2008102421796A; publication of CN101478387A; application granted; publication of CN101478387B; anticipated expiration


Abstract

Embodiments of the invention disclose a redirection-based hypertext transfer protocol (HTTP) attack defense method. The method comprises: responding to a client's HTTP request by sending a redirect command that redirects the HTTP request to a virtual address, and tearing down the network connection established for the HTTP request, where the virtual address is reachable at the server; receiving a new HTTP request from the client, determining from the virtual address information whether it is a redirected HTTP request, and determining whether it is an HTTP request carrying a legitimate packet; and rewriting the virtual address in the HTTP request with a legitimate packet back to the original address and sending it to the server. Embodiments also disclose a redirection-based HTTP attack defense device and system. The scheme effectively identifies attacks coming from behind source network address translation (SNAT) with a low false-positive rate, does not need to record a large number of internet protocol (IP) addresses, and reduces system memory consumption.

Description

Hypertext transfer protocol attack defense method, device and system
Technical field
The present invention relates to the field of network security, and in particular to an HTTP attack defense method, device and system.
Background technology
HTTP (Hyper Text Transfer Protocol) is one of the most widely used protocols on the Internet today and one of the targets hackers pay most attention to. Attacks on web sites take many forms. There are transport-layer attacks, such as SYN flood (Synchronize Sequence Numbers flood), and application-layer attacks, such as HTTP flood (including GET flood, POST flood and so on) and CC (Challenge Collapsar) attacks.
A normal HTTP request is shown in Figure 1: the client first establishes a TCP (Transmission Control Protocol) connection with the server; once the TCP connection is established, the client sends an HTTP request, and the server returns the corresponding content after receiving it. An application-layer HTTP flood mainly uses one or more real source IPs to issue repeated requests for a few relatively fixed URLs (Uniform Resource Locators) of the target web site. The attack is often carried out by zombie attack tools that issue requests over and over in order to exhaust the target web server's resources and cause a denial of service.
Existing defenses against HTTP flood fall into two categories: statistics-based defense and redirection-based defense with trusted IPs. The statistics-based defense counts the requests from each source IP, the requests to each URL, keyword occurrences and so on; thresholds are set for these statistics, and an attack is declared when a statistic exceeds its threshold, which triggers the defense mechanism. As shown in Figure 2, if the number of connection requests from a source IP exceeds the threshold, the number of connections that IP may request is limited or its connection requests are refused; if the number of requests to a URL exceeds the threshold, requests to that URL are limited; and if a large number of request headers contain fields such as "X-Forwarded-For" or "Via", a CC attack is assumed and those requests are refused. In Figure 2, once an HTTP request is identified as an attack request, the packet is discarded and a TCP RST (TCP connection reset) packet is sent to the server so that it releases the TCP connection resources.
The other approach, redirection based on trusted IPs, is shown in Figure 3. The protector first applies the classic SYN flood defense and performs source detection; if the source IP is real, it is added to a trusted IP list, the URL of the arriving HTTP request is redirected to the same URL, and the TCP connection is torn down. When a new TCP request arrives, the source IP is looked up in the trusted IP table; if it is present, the TCP connection to the server is allowed directly and the subsequent HTTP requests are passed through.
Although these methods offer some protection, they misjudge IPs behind SNAT (source network address translation) and misjudge popular URLs, and they must record a large number of IP addresses, which consumes system memory.
Summary of the invention
Embodiments of the invention provide a redirection-based HTTP attack defense method, device and system that reduce the false-positive rate and the consumption of system memory.
One embodiment of the invention provides an HTTP attack defense method comprising:
responding to an HTTP request sent by a client to a server by sending a redirect command to the client and tearing down the network connection established for the HTTP request, where the redirect command redirects the HTTP request to a virtual address, the virtual address is reachable at the server, and the virtual address is formed either by appending a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, the virtual directory being constructed from a virtual path;
receiving a new HTTP request from the client, determining from the virtual address whether the new HTTP request is a redirected HTTP request, and, if it is, determining whether the new HTTP request carries a legitimate packet;
rewriting the virtual address in the HTTP request with a legitimate packet to the original address, using the approach of inserting spaces in front of or behind the URL in the request line of the HTTP request, or between the version number and the line terminator of the request line, so that the message length of the restored HTTP request is unchanged relative to the HTTP request redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been rewritten into a normal request, computing the TCP header checksum of the rewritten message and sending the rewritten HTTP request to the server.
One embodiment of the invention provides an HTTP attack defense device comprising:
a releasing unit, for sending a connection reset request to the server to tear down the network connection;
a receiving unit, for receiving the HTTP request sent by the client to the server;
a redirecting unit, for responding to the client's HTTP request by sending a redirect command to the client and tearing down, through the releasing unit, the network connection established for the HTTP request, where the redirect command redirects the HTTP request to a virtual address, the virtual address is reachable at the server, and the virtual address is formed either by appending a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, the virtual directory being constructed from a virtual path;
a judging unit, for examining the new HTTP request received by the receiving unit, determining whether the new HTTP request is a redirected HTTP request and, for new HTTP requests that are redirected HTTP requests, determining whether they carry a legitimate packet, thereby obtaining the HTTP requests with a legitimate packet;
a restoring unit, for rewriting the virtual address in the HTTP requests with a legitimate packet identified by the judging unit to the original address, using the approach of inserting spaces in front of or behind the URL in the request line of the HTTP request, or between the version number and the line terminator of the request line, so that the message length of the restored HTTP request is unchanged relative to the HTTP request redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been rewritten into a normal request, computing the TCP header checksum of the rewritten message and sending the rewritten HTTP request to the server.
One embodiment of the invention provides an HTTP attack defense system comprising a server for responding to client HTTP requests and an HTTP attack defense device, the HTTP attack defense device comprising:
a releasing unit, for sending a TCP RST connection reset request to the server to tear down the TCP connection;
a receiving unit, for receiving the HTTP request sent by the client to the server;
a redirecting unit, for responding to the client's HTTP request received by the receiving unit by sending a redirect command to the client and tearing down, through the releasing unit, the network connection established for the HTTP request, where the redirect command redirects the HTTP request to a virtual address, the virtual address is reachable at the server, and the virtual address is formed either by appending a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, the virtual directory being constructed from a virtual path;
a judging unit, for examining the new HTTP request received by the receiving unit, determining whether the new HTTP request is a redirected HTTP request and, for new HTTP requests that are redirected HTTP requests, determining whether they carry a legitimate packet, thereby obtaining the HTTP requests with a legitimate packet;
a restoring unit, for rewriting the virtual address in the HTTP requests with a legitimate packet identified by the judging unit to the original address, using the approach of inserting spaces in front of or behind the URL in the request line of the HTTP request, or between the version number and the line terminator of the request line, so that the message length of the restored HTTP request is unchanged relative to the HTTP request redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been rewritten into a normal request, computing the TCP header checksum of the rewritten message and sending the rewritten HTTP request to the server.
Through the above scheme, the HTTP request is redirected to a virtual address, the new HTTP request is examined, and the HTTP requests that respond to the redirect with a legitimate packet are obtained. Attacks from behind SNAT can be identified effectively, the false-positive rate is low, and system memory consumption is reduced.
Description of drawings
To explain the embodiments of the invention or the prior-art solutions more clearly, the drawings needed in the description of the embodiments or of the prior art are introduced briefly below. Obviously the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of a normal HTTP request and response;
Figure 2 is a schematic diagram of the prior-art statistics-based HTTP attack defense method;
Figure 3 is a schematic diagram of the prior-art HTTP attack defense method based on redirection with trusted IPs;
Figure 4 is a flow chart of the HTTP attack defense method provided by an embodiment of the invention;
Figure 5 is a schematic diagram of the HTTP attack defense method provided by an embodiment of the invention;
Figure 6 is a schematic diagram of the HTTP attack defense device provided by an embodiment of the invention;
Figure 7 is a schematic diagram of the HTTP attack defense system provided by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Figure 4, one embodiment of the invention provides an HTTP attack defense method comprising:
S310: In response to the client's HTTP request, send a redirect command that redirects the HTTP request to a virtual address (the virtual address here is a virtual URL; this and the other embodiments are described in terms of a virtual URL), and tear down the network connection established for the HTTP request (the network connection here is a TCP connection; this and the other embodiments are described in terms of TCP connections). The virtual URL is reachable at the server and carries a predetermined delay, which is used to compute the theoretical arrival time of the redirected HTTP request. The virtual URL can be obtained by means of a virtual path or a URL variable.
S320: Receive a new HTTP request. Using the virtual URL information, determine whether the new HTTP request is a redirected HTTP request; if it is, determine from the difference between the arrival time of the new HTTP request and the predetermined time whether it carries a legitimate packet.
S330: Rewrite the virtual URL in the HTTP request with a legitimate packet to the original URL and send it to the server.
Through the above scheme, this embodiment redirects the HTTP request to a virtual URL, recognizes redirected HTTP requests from the virtual URL information, determines which responses to the redirect carry a legitimate packet, and can effectively identify attacks from behind SNAT with a low false-positive rate and reduced system memory consumption.
As shown in Figure 5, one embodiment of the invention provides an HTTP attack defense method comprising:
S410: Establish a TCP connection according to the TCP connection request. The protector monitors TCP connection request packets from clients and applies TCP-layer attack defenses to the packets it sees, for example source IP detection using address state monitoring; if the source IP is real, the client is allowed to establish a TCP connection with the server, otherwise the TCP connection request is refused.
S420: After the TCP connection is established, the protector receives the HTTP request sent by the client to the server.
S430: The protector replies in place of the server, redirecting the received client HTTP request to a virtual URL: a non-existent URL encoded in a particular way, the encoding being what guarantees that the virtual URL is still reachable at the server.
The redirected virtual URL request must be able to reach the server, the real URL must be recoverable from the virtual URL, and the redirect needs a certain delay. In this embodiment the VDIR (virtual directory) method can be used for the virtual URL redirect, for example designed as VDIR = {AT | R | H}, where AT (Arrival Time) is the arrival time of the redirected request (measured on the protector's clock, i.e. system time) and occupies 8 bytes; the theoretical value of AT is the sum of the HTTP request's arrival time, the redirect delay and the round-trip delay. R is a random number and H is the hash of the preceding fields; R and H can occupy 4 bytes each, so VDIR occupies 16 bytes in total. The theoretical AT is therefore computed at the moment the arriving HTTP request is redirected to the virtual URL and is placed in the redirect packet: AT = arrival time of the HTTP request + redirect delay + round-trip delay.
As an illustration, the redirect works as follows. Suppose the HTTP request sent by the client is:
GET http://www.huawei.com/index.htm HTTP/1.1
The protector sends a normal response in place of the server, and the head of the returned HTML file contains the statement:
<meta http-equiv="refresh" content="0.5; url=http://www.huawei.com/VDIR/index.htm">
This statement makes the client wait 0.5 seconds and then issue an HTTP request whose request URL is "http://www.huawei.com/VDIR/index.htm", where VDIR is the virtual directory constructed at redirect time (its requirements are described in step S430). In this example, the theoretical arrival time of the new HTTP request from a client that correctly follows the redirect is AT, i.e. the arrival time of the previous HTTP request plus the 0.5 second redirect delay plus the round-trip delay.
The 0.5 seconds here is the redirect delay; in other embodiments it can be 0.6 seconds, 0.4 seconds or another value.
S440: The protector sends TCP RST to the server to tear down the TCP connection.
S450: A TCP connection is re-established, in the manner described in step S410.
S460: The protector receives the new HTTP request from the client and determines whether it is a redirected HTTP request. The protector examines the URL characteristics of the new request, checking whether a VDIR is present and whether it is correct, and so determines whether the request came through the redirect.
S470-S480: If VDIR is absent or incorrect, the protector determines that the new HTTP request is not a redirected request (i.e. the redirected HTTP request never arrived), which indicates that the previous HTTP request was an attack request; because the original TCP connection was torn down after the redirect, that attack request has already been discarded. The protector now redirects the new HTTP request to a virtual URL, as described in step S430, and sends TCP RST to the server to tear down the TCP connection.
S490: If VDIR is present and correct, the protector determines that the current HTTP request is a redirected request (i.e. the redirected HTTP request has arrived). It must still compare the theoretical arrival time of the redirected request, the AT value from step S430, with the protector's current time to decide whether a zombie attack is underway: if the difference between the theoretical arrival time and the current protector time is within the specified bound (i.e. the theoretical arrival time is approximately equal to the current protector time), the packet is legitimate; if the offset is large, the packet is treated as an attack packet, the protector sends TCP RST to the server to tear down the TCP connection, and the attack packet is discarded.
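The protector-side logic of steps S430 and S460-S490, as an added example in Python; this is not code from the patent or from Huawei. It builds VDIR = AT | R | H, produces the meta-refresh reply, and classifies the request line of a new request as not redirected, redirected but mistimed, or legitimate. Details the patent leaves open are assumptions here: VDIR is hex-encoded so that it is URL-safe; AT is milliseconds since the Unix epoch; H is a keyed hash (HMAC-SHA256 truncated to 4 bytes) under a protector secret rather than the plain hash the text mentions, so that a bot cannot mint a valid VDIR without first receiving the redirect; the accepted offset between AT and the protector clock is a fixed tolerance; the round-trip delay is supplied by the caller (for example measured on the TCP handshake). The sample request URL is the page's own.

```python
"""Added example: VDIR construction, meta-refresh redirect and redirected-request
classification for steps S430 and S460-S490. Not the patent's own code; the key,
encoding, tolerance and timestamp unit are assumptions made for this example."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

SECRET = b"protector-secret-key"   # assumed; per-deployment secret, rotated in practice
REDIRECT_DELAY = 0.5               # seconds, as in the page's meta-refresh example
TOLERANCE = 0.3                    # seconds of |AT - now| accepted; assumed value
HEX = set("0123456789abcdef")


def make_vdir(arrival_time: float, rtt: float, delay: float = REDIRECT_DELAY,
              secret: bytes = SECRET) -> str:
    """Build VDIR = AT | R | H: 8-byte expected arrival time, 4-byte random, 4-byte tag.

    AT is the theoretical arrival time of the redirected request:
    arrival time of the first request + redirect delay + round-trip delay.
    """
    at_ms = int(round((arrival_time + delay + rtt) * 1000))
    at = struct.pack(">Q", at_ms)
    r = os.urandom(4)
    h = hmac.new(secret, at + r, hashlib.sha256).digest()[:4]   # keyed, truncated tag
    return (at + r + h).hex()                                     # 32 hex characters


def virtual_url(original_url: str, vdir: str) -> str:
    """Insert the virtual directory after the last directory of the original URL."""
    parts = urlsplit(original_url)
    head, _, last = parts.path.rpartition("/")
    return urlunsplit(parts._replace(path="%s/%s/%s" % (head, vdir, last)))


def redirect_response(original_url: str, vdir: str, delay: float = REDIRECT_DELAY) -> bytes:
    """The reply the protector sends in place of the server (step S430)."""
    body = ('<html><head><meta http-equiv="refresh" content="%s;url=%s"></head>'
            '<body></body></html>' % (delay, virtual_url(original_url, vdir)))
    return ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n"
            "Content-Length: %d\r\n\r\n%s" % (len(body), body)).encode("ascii")


def classify_request(request_line: str, now: float, secret: bytes = SECRET,
                     tolerance: float = TOLERANCE) -> Tuple[str, Optional[str]]:
    """Steps S460-S490 applied to the request line of a new HTTP request.

    Returns (verdict, original_url):
      'not_redirected' - no VDIR, or its tag does not verify (S470-S480)
      'bad_timing'     - VDIR verifies but AT is far from the protector clock (S490, attack)
      'legit'          - redirected request arrived when expected (S490, forward)
    """
    fields = request_line.split()
    if len(fields) != 3:
        return "not_redirected", None
    _method, url, _version = fields
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if len(seg) != 32 or not set(seg) <= HEX:
            continue
        raw = bytes.fromhex(seg)
        at, r, tag = raw[:8], raw[8:12], raw[12:]
        expected = hmac.new(secret, at + r, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            continue                    # shaped like a VDIR but not issued by this protector
        original = urlunsplit(parts._replace(path="/".join(segments[:i] + segments[i + 1:])))
        at_s = struct.unpack(">Q", at)[0] / 1000.0
        if abs(at_s - now) > tolerance:
            return "bad_timing", original
        return "legit", original
    return "not_redirected", None


if __name__ == "__main__":
    t0 = time.time()
    v = make_vdir(t0, rtt=0.1)
    print(redirect_response("http://www.huawei.com/index.htm", v).decode())
    line = "GET %s HTTP/1.1" % virtual_url("http://www.huawei.com/index.htm", v)
    print(classify_request(line, now=t0 + 0.6))
```

The meta refresh is only followed by clients that parse and render HTML, so clients that do not (API clients, crawlers that honour only 3xx redirects) never pass this check and need a different challenge. Because the protector keeps no per-client state, the only replay protection is the time window around AT: a VDIR captured by a bot stays usable until AT drifts outside the tolerance, so keep the tolerance small relative to the redirect delay.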
Also in S490, when the protector has determined that the arriving HTTP request is a redirected request carrying a legitimate packet, it rewrites the URL of the redirected request to the original URL and sends it to the server. Continuing the example of step S430, the HTTP request redirected through the virtual URL is:
GET http://www.huawei.com/VDIR/index.htm HTTP/1.1    (1)
This request is rewritten into a normal request (2), shown as an image in the original with the candidate padding positions (a), (b) and (c) marked.
Rewriting the HTTP request can affect the IP header length field, the IP checksum, the TCP checksum and the TCP sequence numbers of the packet. To keep these effects to a minimum, the embodiment uses "space filling" to keep the IP packet length unchanged, so that only the TCP checksum has to be recomputed and no other field needs to change. Request (2) has fewer non-blank bytes than request (1) by the length of "/VDIR", call it LEN; LEN spaces are inserted at position (a) of (2), or alternatively at position (b) or (c). After the rewrite the TCP checksum is recalculated and the rewritten HTTP request is sent to the server.
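The restoration step above, as an added example in Python that is not the patent's or Huawei's code: the request line is rewritten back to the original URL, the removed bytes are replaced by spaces at position (a), (b) or (c), and only the TCP checksum of the segment is recomputed. The IPv4 addresses, the 20-byte TCP header and the request are constructed sample input; the virtual directory is the literal "VDIR" as in the page's example; the checksum is the standard RFC 793 computation over the IPv4 pseudo-header. The mapping of (a), (b) and (c) to before the URL, after the URL and after the version token follows the order used in the summary and is an assumption here.

```python
"""Added example: "space filling" URL restoration and TCP checksum recomputation
for the restoration part of S490. Not the patent's own code; addresses, header
and request are constructed sample input."""
import struct

SRC_IP = bytes([192, 168, 1, 10])   # constructed sample addresses
DST_IP = bytes([10, 0, 0, 1])


def restore_request_line(line: str, vdir: str, position: str = "b") -> str:
    """Remove '/<vdir>' from the request-target and pad with the same number of spaces.

    position 'a': spaces before the URL, 'b': after the URL, 'c': after the version.
    The result has exactly the same length as the input line.
    """
    method, url, version = line.split(" ")
    removed = "/" + vdir
    if removed not in url:
        raise ValueError("request line carries no virtual directory")
    url = url.replace(removed, "", 1)
    pad = " " * len(removed)
    if position == "a":
        out = "%s %s%s %s" % (method, pad, url, version)
    elif position == "b":
        out = "%s %s%s %s" % (method, url, pad, version)
    elif position == "c":
        out = "%s %s %s%s" % (method, url, version, pad)
    else:
        raise ValueError("position must be 'a', 'b' or 'c'")
    assert len(out) == len(line)
    return out


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: IPv4 pseudo-header + TCP header (checksum zeroed) + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment verifies when the sum over pseudo-header and segment folds to 0xFFFF."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_segment(payload: bytes, src_ip: bytes = SRC_IP, dst_ip: bytes = DST_IP) -> bytes:
    """Constructed sample TCP segment: 20-byte header (no options), PSH|ACK, then payload."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def rewrite_segment(src_ip: bytes, dst_ip: bytes, segment: bytes, vdir: str,
                    position: str = "b") -> bytes:
    """Rewrite the request line inside the payload; only the TCP checksum field changes."""
    data_offset = (segment[12] >> 4) * 4
    header, payload = segment[:data_offset], segment[data_offset:]
    first, sep, rest = payload.partition(b"\r\n")
    new_first = restore_request_line(first.decode("ascii"), vdir, position).encode("ascii")
    new_seg = header + new_first + sep + rest
    assert len(new_seg) == len(segment)   # IP length, sequence numbers, IP checksum untouched
    return new_seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, new_seg)) + new_seg[18:]


# Constructed redirected request (1) from the page's example, inside a sample segment.
REDIRECTED = build_segment(b"GET http://www.huawei.com/VDIR/index.htm HTTP/1.1\r\n"
                           b"Host: www.huawei.com\r\n\r\n")

if __name__ == "__main__":
    out = rewrite_segment(SRC_IP, DST_IP, REDIRECTED, "VDIR")
    print(out[20:].decode())
    print("checksum ok:", tcp_checksum_ok(SRC_IP, DST_IP, out))
```

Two caveats a deployment has to check. Multiple spaces inside the request line are tolerated by many servers (RFC 7230 lets recipients split the request line on runs of whitespace) but a strict parser may reject them, and trailing whitespace after the version token, position (c), is the least likely to be accepted; test the protected server before choosing a position. The rewrite also only works on plaintext HTTP: under TLS the protector cannot read or modify the request line without terminating the TLS session itself.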
In this embodiment the virtual URL redirect uses the virtual path method. In another embodiment the redirect can use a URL variable instead; for example, the request "http://www.huawei.com/index.html" in the example can be redirected to
"http://www.huawei.com/index.html?VDIR" or
"http://www.huawei.com/index.html?a=VDIR", among other forms.
Through the above scheme, this embodiment redirects the HTTP request to a virtual URL, recognizes redirected requests from the information carried in the virtual URL, and determines which responses to the redirect carry a legitimate packet. It can effectively resist various HTTP flood attacks (such as GET flood and CC attacks), has a low false-positive rate, effectively identifies attacks from behind SNAT, does not require the protector to store a large list of IP addresses, and reduces the protector's memory consumption.
As shown in Figure 6, one embodiment of the invention provides an HTTP attack defense device comprising a monitoring unit 510, an establishing unit 520, a receiving unit 530, a redirecting unit 540, a judging unit 550, a releasing unit 560 and a restoring unit 570. Specifically:
Monitoring unit 510 monitors TCP connection request packets from clients.
Establishing unit 520 applies TCP-layer attack defenses to the TCP connection request packets that are detected, for example source IP detection using address state monitoring; if the source IP is real, the client is allowed to establish a TCP connection with the server, otherwise the TCP connection request is refused.
Receiving unit 530 receives the HTTP request from the client after the establishing unit has set up the TCP connection.
Redirecting unit 540, once the TCP connection is established, redirects the client's HTTP request to a virtual URL, a non-existent URL encoded in a particular way, and has the releasing unit send TCP RST to the server to tear down the TCP connection.
The URL is encoded in a particular way so that the redirected virtual URL request can reach the server and the real URL can be recovered from the virtual URL. The redirect also needs a certain delay. In this embodiment the VDIR (virtual directory) method can be used for the virtual URL redirect, for example designed as VDIR = {AT | R | H}, where AT (Arrival Time) is the arrival time of the redirected request (measured on the protector's clock) and occupies 8 bytes; the theoretical value of AT is the sum of the HTTP request's arrival time, the redirect delay and the round-trip delay; R is a random number and H is the hash of the preceding fields; R and H can occupy 4 bytes each, so VDIR occupies 16 bytes in total.
As an illustration, suppose the HTTP request sent by the client is: GET http://www.huawei.com/index.htm HTTP/1.1
The protector sends a normal response in place of the server, and the head of the returned HTML file contains the statement: <meta http-equiv="refresh" content="0.5; url=http://www.huawei.com/VDIR/index.htm">
This statement makes the client wait 0.5 seconds and then issue an HTTP request whose request URL is "http://www.huawei.com/VDIR/index.htm", where VDIR is the virtual directory constructed at redirect time. In this example, the theoretical arrival time of the new HTTP request from a client that correctly follows the redirect is AT, i.e. the arrival time of the previous HTTP request plus the 0.5 second redirect delay plus the round-trip delay.
The 0.5 seconds here is the redirect delay; in other embodiments it can be 0.6 seconds, 0.4 seconds or another value.
Judging unit 550 comprises a first judging sub-unit 5501 and a second judging sub-unit 5502 and determines whether a new HTTP request from the client is a legitimate HTTP request. Before the client sends the new HTTP request, a new TCP connection must first be set up by the establishing unit, in the manner described for establishing unit 520. Specifically:
First judging sub-unit 5501 checks whether the URL of the new HTTP request contains a VDIR and whether the VDIR is correct, and so determines whether the new HTTP request came through the redirect.
If VDIR is absent or incorrect, the new HTTP request is not a redirected request (i.e. the redirected HTTP request never arrived), which indicates that the previous HTTP request was an attack request; the protector then redirects the new HTTP request to a virtual URL and sends TCP RST to the server to tear down the new TCP connection, using the redirect method described for redirecting unit 540.
If VDIR is present and correct, the new HTTP request from the client is a redirected request (i.e. the redirected HTTP request has arrived). Second judging sub-unit 5502 then judges whether the HTTP packet is an attack from the difference between the theoretical arrival time of the redirected request, AT, and the protector's current time: if the difference between AT and the current protector time is within the specified bound (AT is approximately equal to the current protector time), the packet is legitimate; if AT deviates considerably from the current protector time, the packet is treated as an attack packet, TCP RST is sent to the server through releasing unit 560 to tear down the TCP connection, and the attacking HTTP request is discarded.
Releasing unit 560: when judging unit 550 determines that the client's HTTP request is not a redirected request, which indicates that the previous HTTP request was an attack request, releasing unit 560 sends TCP RST to the server to tear down the previously established TCP connection; when judging unit 550 determines that the client's HTTP request is a redirected request but that the redirected request is an attack packet, releasing unit 560 likewise sends TCP RST to the server to tear down the previously established TCP connection.
In this embodiment the virtual URL redirect uses the virtual path method. In another embodiment the redirect can use a URL variable instead; for example, the request "http://www.huawei.com/index.html" in the example can be redirected to "http://www.huawei.com/index.html?VDIR" or
"http://www.huawei.com/index.html?a=VDIR", among other forms.
Restoring unit 570, when the judging unit has determined that the request is a redirected HTTP request carrying a legitimate packet, restores the redirected HTTP request by rewriting its URL to the original URL and sends it to the server. Taking the HTTP request of this embodiment as an example, the HTTP request redirected through the virtual URL by redirecting unit 540 is:
GET http://www.huawei.com/VDIR/index.htm HTTP/1.1    (1)
Restoring unit 570 rewrites this request into a normal request (2), the same rewritten request as in the method embodiment above.
Rewriting the HTTP request can affect the IP header length field, the IP checksum, the TCP checksum and the TCP sequence numbers of the packet. To keep these effects to a minimum, the embodiment uses "space filling" to keep the IP packet length unchanged, so that only the TCP checksum has to be recomputed and no other field needs to change. Request (2) has fewer non-blank bytes than request (1) by the length of "/VDIR", call it LEN; LEN spaces are inserted at position (a) of (2), or alternatively at position (b) or (c). After the rewrite the TCP checksum is recalculated and the rewritten HTTP request is sent to the server.
Through the above scheme, this embodiment redirects the client's HTTP request to a virtual URL by means of the redirecting unit, recognizes redirected HTTP requests from the information carried in the virtual URL, and determines which responses to the redirect carry a legitimate packet. It can effectively resist various HTTP flood attacks (such as GET flood and CC attacks), has a low false-positive rate, effectively identifies attacks from behind SNAT, does not require the protector to store a large list of IP addresses, and reduces the protector's memory consumption.
As shown in Figure 7; In the one embodiment of the invention; HTTP attack defending device with among Fig. 5 is applied in the concrete environment, constitutes a kind of HTTP attack defending system sketch map; Be used for the HTTP request that client 610 is initiated to server 630 is detected, have aggressive HTTP request and be on the defensive detected.Specifically comprise: HTTP attack defending device 620 and server 630.
Client 610 is used for initiating TCP to server 630 and connects the foundation request, when the TCP connection request of setting up is passed through, sends HTTP to server 630 and asks.
HTTP attack defending device 620; Be used for the TCP connection request that client 610 is initiated is carried out the defence of TCP layer attacks; For example using the address state monitoring technique to carry out source IP surveys; Allow client and server to set up TCP if source IP is really and be connected, if not then refuse the TCP connection request really; Identification is judged in HTTP request to client 610 is initiated, through the virtual URL of HTTP request carrying out is redirected, identifies aggressive HTTP request, is on the defensive; The legal HTTP that lets pass asks to server 630.
Server 630 is used to receive the TCP connection of client, the legal HTTP request of customer in response end.
Among the concrete structure of HTTP attack defending device 620 and detailed functions and Fig. 5 to be redirected HTTP attack defending device based on virtual URL identical, repeat no more at this.
Need to prove that the mode that in the embodiment of the invention the virtual URL of HTTP request carrying out is redirected includes but are not limited to URL variable mode and virtual route mode.
The embodiment of the invention is through above scheme; HTTP attack defending device is applied in the concrete environment, forms a system of defense, through being redirected to a virtual URL from the HTTP request of client; Information through virtual URL carries can be discerned the HTTP request after being redirected; And judge the HTTP request after the redirect response with legal data packet, can effectively resist various HTTP flood and attack (like GET flood, CC attack etc.); False Rate is low, can effectively discern SNAT attack afterwards; Do not need protector to store a large amount of IP address list, reduce the memory consumption of protector.
One of ordinary skill in the art will appreciate that all or part of flow process that realizes in the foregoing description method; Be to instruct relevant hardware to accomplish through computer program; Described program can be stored in the computer read/write memory medium; This program can comprise the flow process like the embodiment of above-mentioned each side method when carrying out.Wherein, described storage medium can be magnetic disc, CD, read-only storage memory body (Read-Only Memory, ROM) or at random store memory body (Random Access Memory, RAM) etc.
The above is merely several embodiments of the present invention, and those skilled in the art can carry out various changes or modification to the present invention and do not break away from the spirit and scope of the present invention according to application documents are disclosed.

Claims (12)

1. A hypertext transfer protocol (HTTP) attack defense method, characterized by comprising:
responding to an HTTP request that a client sends to a server by sending a redirect command to the client and breaking the network connection established for the HTTP request, wherein the redirect command is used to redirect the HTTP request to a virtual address, the virtual address can reach the server, the virtual address is constructed either by adding a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, and the virtual directory is constructed from a virtual path;
receiving a new HTTP request from the client; judging according to the virtual address whether the new HTTP request is a redirected HTTP request; and, if the new HTTP request is a redirected HTTP request, judging among the new HTTP requests which carry a legitimate packet;
changing the virtual address in the HTTP request carrying a legitimate packet back to the original address, wherein spaces are added in front of or behind the URL in the HTTP request line, or between the version number and the line break of the HTTP request line, so that the message length of the restored HTTP request does not change relative to the length of the HTTP request message redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been rewritten into a normal request, computing the TCP header checksum of the rewritten message and sending the amended HTTP request to the server.
2. The HTTP attack defense method of claim 1, characterized in that the redirect command includes a predetermined delay, and the predetermined delay is used to compute a theoretical value of the arrival time of the redirected HTTP request.
3. The HTTP attack defense method of claim 2, characterized in that judging according to the virtual address whether the new HTTP request is a redirected HTTP request comprises: checking whether the virtual path or address variable constituting the virtual address exists and is correct; if the virtual path or address variable exists and is correct, the new HTTP request is a redirected HTTP request; if the virtual path or address variable does not exist or is incorrect, the new HTTP request is not a redirected HTTP request.
4. The HTTP attack defense method of claim 3, characterized in that judging, if the new HTTP request is a redirected HTTP request, among the new HTTP requests which carry a legitimate packet comprises:
if the difference between the theoretical arrival time of the new HTTP request and the system time is within a predetermined deviation, the new HTTP request carries a legitimate packet; if the difference between the theoretical arrival time of the new HTTP request and the system time is not within the predetermined deviation, the new HTTP request carries an attacking packet, and the network connection established for the new HTTP request is broken.
5. The HTTP attack defense method of claim 3, characterized in that, if the new HTTP request is not a redirected HTTP request, the new HTTP request is again redirected to a virtual address that can reach the server, and the network connection established for the new HTTP request is broken.
6. The HTTP attack defense method of claim 1, characterized in that the network connection is a TCP connection, and establishing the TCP connection comprises:
listening for transmission control protocol (TCP) request packets;
inspecting the TCP request packets listened to, detecting the legitimate TCP requests, and establishing TCP connections according to the legitimate TCP requests.
7. A hypertext transfer protocol (HTTP) attack defense apparatus, characterized by comprising:
a releasing unit, configured to send a connection reset request to the server to break the network connection;
a receiving unit, configured to receive the HTTP request sent from the client to the server;
a redirecting unit, configured to respond to the client's HTTP request by sending a redirect command to the client and to break, through the releasing unit, the network connection established for the HTTP request, wherein the redirect command is used to redirect the HTTP request to a virtual address, the virtual address can reach the server, the virtual address is constructed either by adding a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, and the virtual directory is constructed from a virtual path;
a judging unit, configured to judge the new HTTP request received by the receiving unit, determine which new HTTP requests are redirected HTTP requests, and judge among the new HTTP requests that are redirected HTTP requests which carry a legitimate packet, thereby obtaining the HTTP request carrying a legitimate packet;
a restoring unit, configured to change the virtual address in the HTTP request that the judging unit has determined carries a legitimate packet back to the original address, wherein spaces are added in front of or behind the URL in the HTTP request line, or between the version number and the line break of the HTTP request line, so that the message length of the restored HTTP request does not change relative to the length of the HTTP request message redirected through the virtual URL, and, after the HTTP request redirected through the virtual URL has been rewritten into a normal request, to compute the TCP header checksum of the rewritten message and send the amended HTTP request to the server.
8. The HTTP attack defense apparatus of claim 7, characterized by further comprising:
a monitoring unit, configured to listen for network connection request packets;
a detecting unit, configured to inspect the TCP request packets that the monitoring unit listens to and to establish a network connection for the legitimate network connection requests.
9. The HTTP attack defense apparatus of claim 7, characterized in that the judging unit comprises:
a first judging sub-unit, configured to check the virtual path or address variable constituting the virtual address and to judge whether the new HTTP request is a redirected HTTP request: if the virtual path or address variable exists and is correct, the new HTTP request is a redirected HTTP request; if the virtual path or address variable does not exist or is incorrect, the new HTTP request is not a redirected HTTP request; the first judging sub-unit requests the redirecting unit to redirect the new HTTP requests that are not redirected HTTP requests and to break, through the releasing unit, the network connection established for the new HTTP request;
a second judging sub-unit, configured to perform an attack judgment on the new HTTP requests that the first judging sub-unit has determined are redirected HTTP requests: if the theoretical arrival time of the new HTTP request, compared with the predetermined time, is within a predetermined deviation, the new HTTP request carries a legitimate packet; if the theoretical arrival time of the new HTTP request, compared with the predetermined time, is not within the predetermined deviation, the new HTTP request carries an attacking packet, and the network connection established for the new HTTP request is broken through the releasing unit.
10. A hypertext transfer protocol (HTTP) attack defense system, comprising a server for responding to the HTTP requests of a client, characterized by further comprising an HTTP attack defense apparatus, the HTTP attack defense apparatus comprising:
a releasing unit, configured to send a connection reset request to the server to break the network connection;
a receiving unit, configured to receive the HTTP request sent from the client to the server;
a redirecting unit, configured to respond to the client's HTTP request received by the receiving unit by sending a redirect command to the client and to break, through the releasing unit, the network connection established for the HTTP request, wherein the redirect command is used to redirect the HTTP request to a virtual address, the virtual address can reach the server, the virtual address is constructed either by adding a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, and the virtual directory is constructed from a virtual path;
a judging unit, configured to judge the new HTTP request received by the receiving unit, determine which new HTTP requests are redirected HTTP requests, and judge among the new HTTP requests that are redirected HTTP requests which carry a legitimate packet, thereby obtaining the HTTP request carrying a legitimate packet;
a restoring unit, configured to change the virtual URL in the HTTP request that the judging unit has determined carries a legitimate packet back to the original URL, wherein spaces are added in front of or behind the URL in the HTTP request line, or between the version number and the line break of the HTTP request line, so that the message length of the restored HTTP request does not change relative to the length of the HTTP request message redirected through the virtual URL, and, after the HTTP request redirected through the virtual URL has been rewritten into a normal request, to compute the TCP header checksum of the rewritten message and send the amended HTTP request to the server.
11. The HTTP attack defense system of claim 10, characterized by further comprising:
a monitoring unit, configured to listen for network connection request packets;
a detecting unit, configured to inspect the TCP request packets that the monitoring unit listens to and to establish a network connection for the legitimate network connection requests.
12. The HTTP attack defense system of claim 10, characterized in that the judging unit comprises:
a first judging sub-unit, configured to check the virtual path or address variable constituting the virtual address and to judge whether the new HTTP request is a redirected HTTP request: if the virtual path or address variable exists and is correct, the new HTTP request is a redirected HTTP request; if the virtual path or address variable does not exist or is incorrect, the new HTTP request is not a redirected HTTP request; the first judging sub-unit requests the redirecting unit to redirect the new HTTP requests that are not redirected HTTP requests and to break, through the releasing unit, the network connection established for the new HTTP request;
a second judging sub-unit, configured to perform an attack judgment on the new HTTP requests that the first judging sub-unit has determined are redirected HTTP requests: if the theoretical arrival time of the new HTTP request, compared with the predetermined time, is within a predetermined deviation, the new HTTP request carries a legitimate packet; if the theoretical arrival time of the new HTTP request, compared with the predetermined time, is not within the predetermined deviation, the new HTTP request carries an attacking packet, and the network connection established for the new HTTP request is broken through the releasing unit.
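Claims 1 to 5 as an added worked example (Python, not the patent's code) of the redirect, the recognition of a redirected request from the information carried in the virtual address, and the arrival-time check. The page does not say what information the virtual directory carries, so this example assumes it carries the issue time and a keyed tag computed by the defence device over the original URL and the issue time; that is what lets the device recognise and time a redirected request without recording any client IP address, which is the memory saving the description claims and the reason SNAT does not hide the attacker. The virtual directory name VDIR is from the page's example (1); the device key, the delay, the deviation and the millisecond units are constructed values, and the theoretical arrival time is taken as the issue time plus the predetermined delay, which is this example's reading of claim 2.

```python
"""Added example of the redirect-based first-pass filter of claims 1 to 5.
Not the patent's own code: the virtual directory carries the issue time and a
keyed tag so that recognition and timing need no per-IP state (an assumption
about how the virtual address 'carries information'); the delay, deviation,
key and millisecond units are constructed values."""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

DEVICE_KEY = b"constructed-device-key"  # assumed per-device secret
VIRTUAL_DIR = "VDIR"                    # virtual directory name from the page's example (1)
REDIRECT_DELAY_MS = 2000                # predetermined delay sent with the redirect command (assumed)
DEVIATION_MS = 500                      # predetermined deviation around the theoretical arrival time (assumed)


def _tag(original_url: str, issued_ms: int) -> str:
    """Keyed tag binding the virtual directory to the original URL and issue time."""
    msg = f"{issued_ms}|{original_url}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()[:16]


def make_virtual_url(original_url: str, issued_ms: int) -> str:
    """Virtual-path mode of claim 1: insert a virtual directory after the last
    directory of the original URL. The host is unchanged, so the virtual
    address still reaches the server."""
    p = urlsplit(original_url)
    directory, _, leaf = p.path.rpartition("/")
    vdir = f"{VIRTUAL_DIR}-{issued_ms}-{_tag(original_url, issued_ms)}"
    return urlunsplit((p.scheme, p.netloc, f"{directory}/{vdir}/{leaf}", p.query, p.fragment))


def parse_virtual_url(url: str):
    """Claim 3: the request is a redirected one only if the virtual path exists
    and is correct. Returns (original_url, issued_ms) or None."""
    p = urlsplit(url)
    segments = p.path.split("/")
    for i, seg in enumerate(segments):
        if not seg.startswith(VIRTUAL_DIR + "-"):
            continue
        fields = seg.split("-")
        if len(fields) != 3 or not fields[1].isdigit():
            return None                       # virtual path present but malformed
        issued_ms, tag = int(fields[1]), fields[2]
        restored_path = "/".join(segments[:i] + segments[i + 1:])
        original = urlunsplit((p.scheme, p.netloc, restored_path, p.query, p.fragment))
        if hmac.compare_digest(tag, _tag(original, issued_ms)):
            return original, issued_ms
        return None                           # virtual path present but incorrect
    return None                               # no virtual path: not a redirected request


def judge(url: str, now_ms: int):
    """One decision of the defence device for a request to `url` arriving at
    device system time `now_ms`.

    ("redirect", virtual_url): not a redirected request; send the redirect
        command and break the connection (claims 1 and 5).
    ("forward", original_url): redirected request whose arrival time is within
        the predetermined deviation of the theoretical value; restore the URL
        and pass it to the server (claim 4, legitimate packet).
    ("drop", None): redirected request outside the deviation; break the
        connection (claim 4, attacking packet).
    The theoretical arrival time is the issue time plus the predetermined
    delay, which is this example's reading of claim 2."""
    parsed = parse_virtual_url(url)
    if parsed is None:
        return "redirect", make_virtual_url(url, now_ms)
    original, issued_ms = parsed
    theoretical_ms = issued_ms + REDIRECT_DELAY_MS
    if abs(now_ms - theoretical_ms) <= DEVIATION_MS:
        return "forward", original
    return "drop", None


if __name__ == "__main__":
    # Constructed walk-through: first request, on-time follow-up, far-too-early follow-up.
    action, virtual = judge("http://www.huawei.com/index.htm", now_ms=1_000_000)
    print(action, virtual)
    print(judge(virtual, now_ms=1_002_100))   # forward: within the deviation
    print(judge(virtual, now_ms=1_000_050))   # drop: did not honour the delay
```

judge() returns the action the device would take: redirect (first-seen request or malformed virtual path, claims 1 and 5), forward with the restored original URL (claim 4, legitimate packet), or drop (claim 4, attacking packet). A tampered or guessed virtual directory fails the tag check and is simply redirected again, so the device never has to trust client-supplied timing data and keeps no table of client addresses.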
CN2008102421796A 2008-12-31 2008-12-31 Defense method, apparatus and system for hyper text transmission protocol attack Expired - Fee Related CN101478387B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102421796A CN101478387B (en) 2008-12-31 2008-12-31 Defense method, apparatus and system for hyper text transmission protocol attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008102421796A CN101478387B (en) 2008-12-31 2008-12-31 Defense method, apparatus and system for hyper text transmission protocol attack

Publications (2)

Publication Number Publication Date
CN101478387A CN101478387A (en) 2009-07-08
CN101478387B true CN101478387B (en) 2012-02-15

Family

ID=40839022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102421796A Expired - Fee Related CN101478387B (en) 2008-12-31 2008-12-31 Defense method, apparatus and system for hyper text transmission protocol attack

Country Status (1)

Country Link
CN (1) CN101478387B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707598B (en) * 2009-11-10 2012-12-19 成都市华为赛门铁克科技有限公司 Method, device and system for identifying flood attack
CN101989985B (en) * 2010-10-09 2013-08-28 北京工商大学 Hardware-based core router TCP connection sate maintenance module design scheme
CN103916389B (en) * 2014-03-19 2017-08-08 汉柏科技有限公司 Defend the method and fire wall of HttpFlood attacks
CN104378359A (en) * 2014-10-23 2015-02-25 河北省电力建设调整试验所 Link depletion type CC attack prevention method
CN104954384B (en) * 2015-06-24 2018-04-27 浙江大学 A kind of url mimicry methods of protection Web applications safety
CN106550001B (en) * 2015-09-23 2021-02-23 中兴通讯股份有限公司 Redirection method and device
CN105227559A (en) * 2015-10-13 2016-01-06 南京联成科技发展有限公司 The information security management framework that a kind of automatic detection HTTP actively attacks
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
CN106888181B (en) * 2015-12-15 2021-04-02 北京明略昭辉科技有限公司 Data acquisition method and system capable of defending DDoS
CN108123916B (en) * 2016-11-28 2021-10-29 中国移动通信集团辽宁有限公司 Network security protection method, device, server and system
CN106657044B (en) * 2016-12-12 2019-09-06 杭州电子科技大学 It is a kind of for improving the web page address jump method of web station system Prevention-Security
CN107087007A (en) * 2017-05-25 2017-08-22 腾讯科技(深圳)有限公司 A kind of defence method of network attack, relevant device and system
CN108712492A (en) * 2018-05-17 2018-10-26 中兴通讯股份有限公司 A kind of HTTP redirection method, apparatus, routing device and computer storage media
CN108810008B (en) * 2018-06-28 2020-06-30 腾讯科技(深圳)有限公司 Transmission control protocol flow filtering method, device, server and storage medium
CN109525553B (en) * 2018-10-12 2021-06-11 网络通信与安全紫金山实验室 Transmission protection method, intermediate device, server and system for URL (Uniform resource locator) request
CN109889475B (en) * 2018-12-05 2021-08-06 苏州蜗牛数字科技股份有限公司 Method and system for preventing TCP connection from being sniffed by bypass equipment
CN112153001B (en) * 2020-08-21 2023-06-23 杭州安恒信息技术股份有限公司 WAF-based network communication method, WAF-based network communication system, electronic device and storage medium
CN112134960B (en) * 2020-09-24 2022-03-22 新华三信息安全技术有限公司 Data request method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588851A (en) * 2004-09-09 2005-03-02 杭州中正生物认证技术有限公司 Biological identifying device and method for proofing replay attach
CN101030889A (en) * 2007-04-18 2007-09-05 杭州华为三康技术有限公司 Method and apparatus against attack
CN101272251A (en) * 2007-03-22 2008-09-24 华为技术有限公司 Authentication and cryptographic key negotiation method, authentication method, system and equipment

Also Published As

Publication number Publication date
CN101478387A (en) 2009-07-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120215

Termination date: 20171231

CF01 Termination of patent right due to non-payment of annual fee