Summary of the invention
Embodiments of the invention provide an HTTP (Hypertext Transfer Protocol) attack defence method, device and system based on redirection, in order to reduce the false alarm rate and the consumption of system memory.
One embodiment of the invention provides an HTTP attack defence method, comprising:
In response to an HTTP request sent by a client to a server, sending a redirect command to said client and breaking the network connection established for said HTTP request; said redirect command redirects said HTTP request to a virtual address that can reach the server, said virtual address being formed either by appending a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, and said virtual directory being constructed from a virtual path;
Receiving a new HTTP request from the client; judging from said virtual address whether said new HTTP request is a redirected HTTP request; if said new HTTP request is a redirected HTTP request, judging whether said new HTTP request carries a legitimate data packet;
Restoring the virtual address in said HTTP request carrying a legitimate data packet to the original address, inserting spaces before or after the URL in the request line of the HTTP request, or between the version number and the line terminator of the request line, so that the length of the restored HTTP request message does not change relative to the length of the HTTP request message redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been restored to a normal request, recalculating the TCP checksum of the modified message and sending the modified HTTP request to said server.
One embodiment of the invention provides an HTTP attack defence device, comprising:
A releasing unit, configured to send a connection reset request to the server to break the network connection;
A receiving unit, configured to receive the HTTP request sent by the client to the server;
A redirecting unit, configured to respond to said client's HTTP request by sending a redirect command to said client and to break, through said releasing unit, the network connection established for said HTTP request; said redirect command redirects said HTTP request to a virtual address that can reach the server, said virtual address being formed either by appending a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, and said virtual directory being constructed from a virtual path;
A judging unit, configured to judge the new HTTP request received by said receiving unit, to determine whether it is a redirected HTTP request and, for a new HTTP request that is a redirected HTTP request, to judge whether it carries a legitimate data packet, thereby obtaining the HTTP request carrying a legitimate data packet;
A restoring unit, configured to restore the virtual address in the HTTP request carrying a legitimate data packet, as determined by said judging unit, to the original address, inserting spaces before or after the URL in the request line of the HTTP request, or between the version number and the line terminator of the request line, so that the length of the restored HTTP request message does not change relative to the length of the HTTP request message redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been restored to a normal request, to recalculate the TCP checksum of the modified message and send the modified HTTP request to said server.
One embodiment of the invention provides an HTTP attack defence system, comprising a server for responding to client HTTP requests and an HTTP attack defence device, said HTTP attack defence device comprising:
A releasing unit, configured to send a connection reset request (TCP RST) to the server to break the TCP connection;
A receiving unit, configured to receive the HTTP request sent by the client to said server;
A redirecting unit, configured to respond to the client's HTTP request received by said receiving unit by sending a redirect command to said client and to break, through said releasing unit, the network connection established for said HTTP request; said redirect command redirects said HTTP request to a virtual address that can reach the server, said virtual address being formed either by appending a virtual directory after the last directory of the original URL sent by the client or by adding an address variable to the original URL, and said virtual directory being constructed from a virtual path;
A judging unit, configured to judge the new HTTP request received by said receiving unit, to determine whether it is a redirected HTTP request and, for a new HTTP request that is a redirected HTTP request, to judge whether it carries a legitimate data packet, thereby obtaining the HTTP request carrying a legitimate data packet;
A restoring unit, configured to restore the virtual address in the HTTP request carrying a legitimate data packet, as determined by said judging unit, to the original address, inserting spaces before or after the URL in the request line of the HTTP request, or between the version number and the line terminator of the request line, so that the length of the restored HTTP request message does not change relative to the length of the HTTP request message redirected through the virtual URL; and, after the HTTP request redirected through the virtual URL has been restored to a normal request, to recalculate the TCP checksum of the modified message and send the modified HTTP request to said server.
Through the above technical scheme, the HTTP request is redirected to a virtual address and the new HTTP request is judged, so that the HTTP request carrying a legitimate data packet is obtained after the redirect response; attacks from behind SNAT can thus be effectively identified, the false alarm rate is low, and the consumption of system memory is reduced.
Embodiment
The technical solutions in the embodiments of the invention will be described clearly and completely below in combination with the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Figure 4, one embodiment of the invention provides a flow chart of an HTTP attack defence method, comprising:
S310: in response to the client's HTTP request, send a redirect command redirecting said HTTP request to a virtual address (the virtual address here is a virtual URL; this embodiment and the other embodiments are described in terms of a virtual URL) and break the network connection established for the HTTP request (the network connection here is a TCP connection; this embodiment and the other embodiments are described in terms of TCP connections). Said virtual URL can reach the server and includes a predetermined delay, which is used to compute the theoretical arrival time of the redirected HTTP request. Note that the virtual URL may be obtained by means of a virtual path or by means of a URL variable.
S320: receive a new HTTP request; judge from the virtual URL information whether said new HTTP request is a redirected HTTP request; if the new HTTP request is a redirected HTTP request, judge from the difference between the arrival time of the new HTTP request and the scheduled time whether it carries a legitimate data packet;
S330: restore the virtual URL in the HTTP request carrying a legitimate data packet to the original URL and send the request to the server.
Through the above technical scheme, the embodiment of the invention redirects the HTTP request to a virtual URL, so that the redirected HTTP request can be recognised from the virtual URL information and the HTTP request following the redirect response that carries a legitimate data packet can be judged; attacks from behind SNAT can thus be effectively identified, the false alarm rate is low, and the consumption of system memory is reduced.
As shown in Figure 5, one embodiment of the invention provides a schematic diagram of an HTTP attack defence method, comprising:
S410: establish a TCP connection according to the TCP connection request. The protection device monitors TCP connection request packets from the client and applies TCP-layer attack defence to the TCP connection request packets it observes, for example probing the source IP with an address state monitoring technique: if the source IP is genuine, the client is allowed to establish a TCP connection with the server; if it is not genuine, the TCP connection request is refused.
S420: after the TCP connection is established, the protection device receives the HTTP request initiated by the client to the server.
S430: the protection device replies in place of the server, performing a virtual-URL redirect of the HTTP request received from the client, i.e. redirecting it to a non-existent URL produced by a specific encoding; the purpose of the specific encoding is to guarantee that the virtual URL can reach the server.
The redirected virtual URL request must be able to reach the server, the real URL must be recoverable from the virtual URL, and a certain delay is needed in the redirection process. In this embodiment the virtual URL redirect can be carried out by the VDIR (virtual directory, virtual path) method, for example designed as VDIR={AT|R|H}, where AT (Arrival Time) denotes the arrival time of the redirected request (measured by the protection device's clock, i.e. system time) and is required to occupy 8 bytes; the theoretical value of AT is the sum of three quantities: the arrival time of the HTTP request, the redirect delay and the round-trip delay; R is a random number; H is a hash value computed over the preceding three quantities; R and H may occupy 4 bytes each, so that VDIR occupies 16 bytes in total. In this way the theoretical value of AT is already computed when the arriving HTTP request is given its virtual-URL redirect, and it is added to the redirect request packet; that is, AT is the sum of the arrival time of the HTTP request, the redirect delay and the round-trip delay.
For illustration, an example of the redirect method follows. Suppose the HTTP request initiated by the client is:
GET http://www.huawei.com/index.htm HTTP/1.1
The protection device performs the normal response in place of the server, and the head section of the returned HTML file contains the following statement:
<meta http-equiv="refresh" content="0.5; url=http://www.huawei.com/VDIR/index.htm">
This statement indicates that the client initiates an HTTP request after waiting 0.5 seconds, with request URL "http://www.huawei.com/VDIR/index.htm", where VDIR is the virtual directory constructed at redirect time (its requirements are described in step S430). With this redirect example, the theoretical arrival time of the new HTTP request with which the client correctly responds to the redirect request should be AT, i.e. the sum of the arrival time of the previous HTTP request, the redirect delay of 0.5 seconds and the round-trip delay.
Here 0.5 seconds denotes the redirect delay; in other embodiments it may be 0.6 seconds, 0.4 seconds or another value.
S440: the protection device sends a TCP RST to the server to break the TCP connection.
S450: re-establish the TCP connection by the method described in step S410.
S460: the protection device receives the new HTTP request from the client and judges whether it is a redirected HTTP request. The protection device judges the URL characteristics of the client's new HTTP request, checking whether VDIR is present and correct, to decide whether the request has passed through the redirect.
S470 to S480: if VDIR is absent or incorrect, the protection device judges that the new HTTP request is not a redirected request (i.e. the redirected HTTP request has not arrived), which indicates that the previous HTTP request was an attack request; because the initial TCP connection was broken after the redirect, the previous attacking HTTP request has been discarded. The protection device now performs a virtual-URL redirect of the new HTTP request and sends a TCP RST to the server to break the TCP connection; the redirect method is as described in step S430.
S490: if VDIR is present and correct, the protection device judges that the current HTTP request is a redirected request (i.e. the redirected HTTP request has arrived). It must then also compare the theoretical arrival time of the redirected request, i.e. the value of AT from step S430, with the protection device's current time to judge whether a zombie (botnet) attack has recently occurred: if the difference between the theoretical arrival time of the redirected request and the protection device's current time is within the prescribed value (i.e. the theoretical redirect arrival time is approximately equal to the protection device's current time), the packet is regarded as a legitimate data packet; if the time offset is larger, it is regarded as an attack packet, and the protection device sends a TCP RST to the server to break the TCP connection and discards the attack packet.
In S490, when the protection device judges that the arriving HTTP request is a redirected request and a legitimate data packet, it restores the URL of the redirected HTTP request to the initial URL and sends it to the server. Continuing with the example from step S430, the HTTP request redirected through the virtual URL is:
GET http://www.huawei.com/VDIR/index.htm HTTP/1.1 (1)
This request is restored to a normal request; the restored request is:
Modifying the HTTP request may affect the IP header length field, the IP checksum, the TCP checksum, the TCP sequence number and other fields of the data message. To keep these effects to a minimum, the embodiment of the invention uses a "space filling" method to keep the length of the IP message unchanged, so that only the TCP checksum needs to be recomputed and the other fields need not be modified. In the example, the number of non-blank bytes by which formula (1) exceeds formula (2), i.e. the length of "/VDIR", is denoted LEN; formula (2) is padded with LEN spaces at position (a), or alternatively the padding may be placed at position (b) or (c). After the request has been modified, the TCP checksum is recomputed and the modified HTTP request is sent to the server.
Note that the embodiment of the invention uses the virtual path method for the virtual-URL redirect; in another embodiment the redirect may use a URL variable, for example the request in the example,
"http://www.huawei.com/index.html", can be redirected to:
"http://www.huawei.com/index.html?VDIR" or
"http://www.huawei.com/index.html?a=VDIR", or a similar form.
Through the above scheme, the embodiment of the invention redirects the HTTP request to a virtual URL; the redirected request can be recognised from the information carried in the virtual URL, and the HTTP request following the redirect response that carries a legitimate data packet can be judged; various HTTP flood attacks (such as GET flood, CC attack, etc.) can be effectively resisted, the false alarm rate is low, attacks from behind SNAT can be effectively identified, and the protection device need not store large lists of IP addresses, which reduces its memory consumption.
As shown in Figure 6, one embodiment of the invention provides a schematic diagram of an HTTP attack defence device, comprising a monitoring unit 510, an establishing unit 520, a receiving unit 530, a redirecting unit 540, a judging unit 550, a releasing unit 560 and a restoring unit 570; specifically:
The monitoring unit 510 is configured to monitor TCP connection request packets from the client.
The establishing unit 520 applies TCP-layer attack defence to the TCP connection request packets observed, for example probing the source IP with an address state monitoring technique: if the source IP is genuine, the client is allowed to establish a TCP connection with the server; if it is not genuine, the TCP connection request is refused.
The receiving unit 530 receives the HTTP request from the client after the establishing unit has established the TCP connection;
The redirecting unit 540, after the TCP connection is established, performs a virtual-URL redirect of the HTTP request from the client, redirecting it to a non-existent URL produced by a specific encoding, and sends a TCP RST to the server through the releasing unit to break the TCP connection.
The URL is required to pass through a specific encoding so that the redirected virtual URL request can reach the server and the real URL can be recovered from the virtual URL. In addition, a certain delay is needed in the redirection process. In this embodiment the virtual URL redirect can be carried out by the VDIR (virtual directory, virtual path) method, for example designed as VDIR={AT|R|H}, where AT (Arrival Time) denotes the arrival time of the redirected request (measured by the protection device's clock) and is required to occupy 8 bytes; the theoretical value of AT should be the sum of three quantities: the arrival time of the HTTP request, the redirect delay and the round-trip delay; R is a random number; H is a hash value computed over the preceding three quantities; R and H may occupy 4 bytes each, so that VDIR occupies 16 bytes in total.
For illustration, an example of the redirect method follows. Suppose the HTTP request initiated by the client is: GET http://www.huawei.com/index.htm HTTP/1.1
The protection device performs the normal response in place of the server, and the head section of the returned HTML file contains the following statement:
<meta http-equiv="refresh" content="0.5; url=http://www.huawei.com/VDIR/index.htm">
This statement indicates that the client initiates an HTTP request after waiting 0.5 seconds, with request URL "http://www.huawei.com/VDIR/index.htm", where VDIR is the virtual directory constructed at redirect time. With this redirect example, the theoretical arrival time of the new HTTP request with which the client correctly responds to the redirect request should be AT, i.e. the sum of the arrival time of the previous HTTP request, the redirect delay of 0.5 seconds and the round-trip delay.
Here 0.5 seconds denotes the redirect delay; in other embodiments it may be 0.6 seconds, 0.4 seconds or another value.
The judging unit 550 comprises a first judging sub-unit 5501 and a second judging sub-unit 5502 and is configured to judge the new HTTP request from the client, deciding whether the new HTTP request is a legitimate HTTP request. Before the client initiates the new HTTP request, a new TCP connection must first be established by the establishing unit, in the manner described for the establishing unit 520. Specifically:
The first judging sub-unit 5501 is configured to judge whether the new HTTP request has passed through the redirect by checking whether VDIR is present and correct in the URL of the new HTTP request.
If VDIR is absent or incorrect, the new HTTP request is not a redirected request (i.e. the redirected HTTP request has not arrived), which indicates that the previous HTTP request was an attack request; the protection device then performs a virtual-URL redirect of the new HTTP request and sends a TCP RST to the server to break the new TCP connection; the redirect method is as described for the redirecting unit 540.
If VDIR is present and correct, the new HTTP request from the client is a redirected request (i.e. the redirected HTTP request has arrived); the second judging sub-unit 5502 then also judges whether the HTTP packet is an attack from the difference between the theoretical redirect arrival time AT and the protection device's current time: if the difference between the theoretical redirect arrival time AT and the protection device's current time is within the prescribed value (AT is approximately equal to the protection device's current time), the packet is regarded as a legitimate data packet; if the theoretical redirect arrival time AT deviates greatly from the protection device's current time, the packet is regarded as an attack packet, a TCP RST is sent to the server through the releasing unit 550 to break the TCP connection, and the attacking HTTP request is discarded.
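As an added illustration of the VDIR construction (step S430, redirecting unit 540) and of the presence, correctness and arrival-time checks (steps S460 to S490, judging sub-units 5501 and 5502), the following Python is example code written for this page, not the embodiment's own code or any implementation by the applicant. It builds VDIR={AT|R|H} with AT as 8 bytes, R as 4 random bytes and H as 4 bytes, emits the refresh meta tag, and classifies a new request line as not redirected, legitimate or attacking from the difference between AT and the protection device's current time. The page does not specify the hash function, the byte encoding of AT or the prescribed tolerance: the keyed HMAC-SHA256 with `DEVICE_KEY`, the encoding of AT as milliseconds since the epoch and the 1 second `TOLERANCE` are assumptions. It also goes beyond the embodiment in accepting the URL variable forms (`?VDIR`, `?a=VDIR`) as well as the virtual path form.

```python
import hashlib
import hmac
import os
import struct
import time

# Secret known only to the protection device (an assumption; the page does not
# say how H is computed). A keyed hash means a client cannot forge a VDIR that
# carries an AT of its own choosing.
DEVICE_KEY = b"constructed-example-key"

REDIRECT_DELAY = 0.5   # seconds, the "0.5;" of the refresh meta tag
TOLERANCE = 1.0        # seconds, the "prescribed value" for |AT - now| (assumed)


def _tag(at_bytes, r_bytes):
    # H: hash over the preceding fields, truncated to 4 bytes (HMAC-SHA256 assumed).
    return hmac.new(DEVICE_KEY, at_bytes + r_bytes, hashlib.sha256).digest()[:4]


def build_vdir(http_arrival_time, rtt):
    """Build VDIR = AT(8 bytes) | R(4 bytes) | H(4 bytes), returned hex-encoded.

    AT is the theoretical arrival time of the redirected request: arrival time
    of the current HTTP request + redirect delay + round-trip delay, stored as
    milliseconds since the epoch in 8 bytes (encoding assumed).
    """
    at_ms = round((http_arrival_time + REDIRECT_DELAY + rtt) * 1000)
    at_bytes = struct.pack("!Q", at_ms)
    r_bytes = os.urandom(4)
    return (at_bytes + r_bytes + _tag(at_bytes, r_bytes)).hex()


def parse_vdir(token):
    """Return AT in seconds if token is a well-formed, authentic VDIR, else None."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) != 16:
        return None
    at_bytes, r_bytes, h = raw[:8], raw[8:12], raw[12:]
    if not hmac.compare_digest(h, _tag(at_bytes, r_bytes)):
        return None                      # VDIR present but incorrect
    return struct.unpack("!Q", at_bytes)[0] / 1000.0


def redirect_response(original_url, vdir_hex):
    """HTML the protection device returns in place of the server (virtual path form)."""
    scheme, _, rest = original_url.partition("://")
    host, _, path = rest.partition("/")
    virtual = f"{scheme}://{host}/{vdir_hex}/{path}"
    return (f'<html><head><meta http-equiv="refresh" '
            f'content="{REDIRECT_DELAY}; url={virtual}"></head></html>')


def find_vdir_token(url):
    """Candidate VDIR: the first path segment (virtual path form) or the query
    value (URL variable form, '?VDIR' or '?a=VDIR'); None if neither verifies."""
    base, _, query = url.partition("?")
    _, _, rest = base.partition("://")
    _, _, path = rest.partition("/")
    candidates = [path.split("/", 1)[0]]
    if query:
        candidates.append(query.partition("=")[2] if "=" in query else query)
    for cand in candidates:
        if parse_vdir(cand) is not None:
            return cand
    return None


def classify(request_line, now):
    """Decision of steps S460 to S490 for a new request line seen at protection
    device time `now`: 'not_redirected' (VDIR absent or incorrect), 'attack'
    (arrived far from AT) or 'legitimate' (arrived approximately at AT)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "not_redirected"
    token = find_vdir_token(parts[1])
    if token is None:
        return "not_redirected"
    at = parse_vdir(token)
    if abs(at - now) <= TOLERANCE:
        return "legitimate"
    return "attack"


if __name__ == "__main__":
    t0 = time.time()
    vdir = build_vdir(t0, rtt=0.1)
    print(redirect_response("http://www.huawei.com/index.htm", vdir))
    line = f"GET http://www.huawei.com/{vdir}/index.htm HTTP/1.1"
    print(classify(line, t0 + 0.6), classify(line, t0 + 60))
```

Because H is keyed, a request whose AT field has been altered fails the correctness check and is treated exactly like a request with no VDIR at all, so the device needs no per-client state to tell the two cases apart; the tolerance has to be chosen with the client's actual round-trip jitter in mind, since a value that is too tight turns slow but genuine clients into false alarms.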
As for the releasing unit 560: when the judging unit 550 judges that the client's HTTP request is not a redirected HTTP request, which indicates that the previous HTTP request was an attack request, the releasing unit 560 sends a TCP RST to the server to break the previous TCP connection; when the judging unit 550 judges that the client's HTTP request is a redirected HTTP request but judges the redirected HTTP request to be an attack packet, the releasing unit 560 likewise sends a TCP RST to the server to break the previous TCP connection.
Note that the embodiment of the invention uses the virtual path method for the virtual-URL redirect; in another embodiment the redirect may use a URL variable, for example the request in the example, "http://www.huawei.com/index.html", can be redirected to: "http://www.huawei.com/index.html?VDIR" or
"http://www.huawei.com/index.html?a=VDIR", or a similar form.
The restoring unit 570 is configured, when the judging unit judges that the HTTP request is a redirected request and a legitimate data packet, to restore the redirected HTTP request by changing the URL of the redirected HTTP request back to the initial URL and sending it to the server. This is explained in detail using the HTTP request of the embodiment of the invention as an example; the HTTP request redirected through the virtual URL by the redirecting unit 540 is:
GET http://www.huawei.com/VDIR/index.htm HTTP/1.1 (1)
The restoring unit 560 restores this request to a normal request; the restored request is:
Modifying the HTTP request may affect the IP header length field, the IP checksum, the TCP checksum, the TCP sequence number and other fields of the data message. To keep these effects to a minimum, the embodiment of the invention uses a "space filling" method to keep the length of the IP message unchanged, so that only the TCP checksum needs to be recomputed and the other fields need not be modified. In the example, the number of non-blank bytes by which formula (1) exceeds formula (2), i.e. the length of "/VDIR", is denoted LEN; formula (2) is padded with LEN spaces at position (a), or alternatively the padding may be placed at position (b) or (c). After the request has been modified, the TCP checksum is recomputed and the modified HTTP request is sent to the server.
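As an added example of the "space filling" restoration and the TCP checksum recalculation described for step S490 and for the restoring unit 570, the following Python is written for this page and is not the embodiment's own code. It removes "/VDIR" from the request line of formula (1), pads with LEN spaces at position (a) before the URL, (b) after the URL or (c) between the version number and the line terminator, then rewrites the payload of a constructed TCP segment and recomputes only the TCP checksum, leaving the segment length, sequence number and IP header as they were. The request line, the IPv4 addresses 192.0.2.10 and 198.51.100.20, the ports and the sequence numbers are constructed sample values; the checksum routine follows RFC 793 (IPv4 pseudo-header plus TCP segment).

```python
import socket
import struct

# Constructed sample: the redirected request line of formula (1), without CRLF.
ORIGINAL_LINE = b"GET http://www.huawei.com/VDIR/index.htm HTTP/1.1"
VDIR = b"VDIR"
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"   # constructed addresses


def restore_request_line(line, vdir, position="a"):
    """Drop '/<vdir>' from the URL and pad with LEN spaces so the line keeps its
    byte length. position 'a': before the URL, 'b': after the URL,
    'c': between the version number and the line terminator."""
    method, url, version = line.split(b" ", 2)
    segment = b"/" + vdir
    if segment not in url:
        raise ValueError("request line carries no VDIR segment")
    new_url = url.replace(segment, b"", 1)
    pad = b" " * len(segment)                    # LEN = len("/VDIR")
    if position == "a":
        out = method + b" " + pad + new_url + b" " + version
    elif position == "b":
        out = method + b" " + new_url + pad + b" " + version
    elif position == "c":
        out = method + b" " + new_url + b" " + version + pad
    else:
        raise ValueError("position must be 'a', 'b' or 'c'")
    assert len(out) == len(line)                 # IP total length stays unchanged
    return out


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, segment_len):
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment
    (header + payload), with the checksum field (bytes 16-17) taken as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """True when the checksum carried in the segment matches its contents."""
    total = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload):
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def rewrite_segment(src_ip, dst_ip, segment, vdir, position="a"):
    """Restore the request line inside a TCP segment and recompute only the TCP
    checksum; the total length, sequence number and IP header are untouched."""
    header, payload = segment[:20], segment[20:]
    line, crlf, body = payload.partition(b"\r\n")
    new_payload = restore_request_line(line, vdir, position) + crlf + body
    csum = tcp_checksum(src_ip, dst_ip, header + new_payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + new_payload


if __name__ == "__main__":
    payload = ORIGINAL_LINE + b"\r\nHost: www.huawei.com\r\n\r\n"
    seg = build_tcp_segment(SRC_IP, DST_IP, 40000, 80, 1000, 2000, payload)
    for pos in "abc":
        fixed = rewrite_segment(SRC_IP, DST_IP, seg, VDIR, pos)
        print(pos, len(fixed) == len(seg),
              verify_tcp_checksum(SRC_IP, DST_IP, fixed), fixed[20:].split(b"\r\n")[0])
```

Keeping the byte count identical is what lets the device leave the IP header and the TCP sequence and acknowledgement numbers alone; a practitioner should still confirm that the origin server tolerates the resulting request line, since position (a) yields several spaces between the method and the URL and position (c) yields trailing whitespace after the version, which strict HTTP parsers may reject, so position (b) is usually the safest choice.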
Through the above scheme, the embodiment of the invention redirects the HTTP request from the client to a virtual URL by means of the redirecting unit; the redirected HTTP request can be recognised from the information carried in the virtual URL, and the HTTP request following the redirect response that carries a legitimate data packet can be judged; various HTTP flood attacks (such as GET flood, CC attack, etc.) can be effectively resisted, the false alarm rate is low, attacks from behind SNAT can be effectively identified, and the protection device need not store large lists of IP addresses, which reduces its memory consumption.
As shown in Figure 7, in one embodiment of the invention the HTTP attack defence device of Fig. 5 is applied in a concrete environment to form an HTTP attack defence system, shown schematically, which detects the HTTP requests initiated by a client 610 to a server 630 and defends against the HTTP requests detected as attacking. Specifically, it comprises an HTTP attack defence device 620 and a server 630.
The client 610 is configured to initiate a TCP connection establishment request to the server 630 and, when the TCP connection request passes, to send an HTTP request to the server 630.
The HTTP attack defence device 620 is configured to apply TCP-layer attack defence to the TCP connection request initiated by the client 610, for example probing the source IP with an address state monitoring technique (if the source IP is genuine, the client is allowed to establish a TCP connection with the server; if it is not genuine, the TCP connection request is refused); to judge and identify the HTTP request initiated by the client 610, identifying attacking HTTP requests by performing a virtual-URL redirect of the HTTP request and defending against them; and to pass legitimate HTTP requests through to the server 630.
The server 630 is configured to accept the client's TCP connection and to respond to the client's legitimate HTTP requests.
The concrete structure and detailed functions of the HTTP attack defence device 620 are the same as those of the HTTP attack defence device based on virtual-URL redirection in Fig. 5 and are not repeated here.
Note that in the embodiments of the invention the manner of performing the virtual-URL redirect of the HTTP request includes, but is not limited to, the URL variable manner and the virtual path manner.
Through the above scheme, the embodiment of the invention applies the HTTP attack defence device in a concrete environment to form a defence system; by redirecting the HTTP request from the client to a virtual URL, the redirected HTTP request can be recognised from the information carried in the virtual URL, and the HTTP request following the redirect response that carries a legitimate data packet can be judged; various HTTP flood attacks (such as GET flood, CC attack, etc.) can be effectively resisted, the false alarm rate is low, attacks from behind SNAT can be effectively identified, and the protection device need not store large lists of IP addresses, which reduces its memory consumption.
Those of ordinary skill in the art will appreciate that all or part of the flows of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above are merely several embodiments of the invention; those skilled in the art can make various changes or modifications to the invention according to what is disclosed in the application documents without departing from the spirit and scope of the invention.