CN101572700A - Method for defending HTTP Flood distributed denial-of-service attack - Google Patents


Publication number
CN101572700A
Authority
CN
China
Prior art keywords
gateway
client
tcp
server
web server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2009100088581A
Other languages
Chinese (zh)
Other versions
CN101572700B (en)
Inventor
翟征德
魏冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongke Information Security Common Technology National Engineering Research Center Co., Ltd.
Original Assignee
Zhongke Zhengyang Information Security Technology Co Ltd
Application filed by Zhongke Zhengyang Information Security Technology Co Ltd
Priority to CN2009100088581A
Publication of CN101572700A
Application granted
Publication of CN101572700B

Abstract

The invention discloses a method and a device for protecting a Web server from HTTP Flood distributed denial-of-service attacks. The method is deployed on gateway equipment positioned between the client and the Web server. It is implemented at the network layer: it performs IP fragment reassembly and TCP stream reassembly on packets entering and leaving the network and parses HTTP requests. Legitimate and malicious requests are distinguished by a mechanism based on Cookies and port redirection; a request that is successfully identified as legitimate is forwarded automatically to the server through the gateway, and a request that fails identification is filtered by the gateway. The method is transparent to the client, consumes few resources on the server side, and identifies and filters malicious requests effectively, giving a good defensive effect.

Description

A method for defending against HTTP Flood distributed denial-of-service attacks
Technical field
The present invention relates generally to the field of denial-of-service attack defense. More specifically, it relates to a method and apparatus for protecting a Web server from HTTP Flood distributed denial-of-service attacks.
Background
Distributed denial-of-service attacks (DDoS, Distributed Denial of Service) are highly destructive and difficult to prevent and trace. They have become an increasingly common form of attack and seriously threaten network availability. In the most common form of DDoS attack, the attacker uses computers distributed around the world to generate large volumes of junk data or illegitimate requests in a short time, flooding the target server or target network. To evade detection and filtering, DDoS attacks have kept evolving, moving from early simple traffic attacks such as SYN Flood, UDP Flood and Ping of Death to attacks at the application layer. One of the more prominent application-layer denial-of-service attacks is the HTTP Flood attack against Web servers. The attacker typically targets expensive operations of the Web service in order to consume large amounts of the target server's CPU, database and disk resources. For example, when certain URLs on the Web server are requested, the server must perform a large number of database retrieval and query operations to produce the response page; this consumes a large share of the Web server's host resources, so that requests from normal users are refused. HTTP Flood attacks against the Web have no obvious signature and can pass for a burst of legitimate traffic, so they are hard to defend against with traditional techniques, and the attacker often needs to pay only a relatively small cost to achieve a clear effect.
Some techniques and methods exist for detecting and defending against HTTP Flood attacks, but their capability is still very limited. Srikanth Kandula of the Massachusetts Institute of Technology designed and implemented Kill-Bots, a system that uses graphical tests to identify illegitimate requests and filter them; however, Kill-Bots is an extension to the Web server kernel and is suitable only for small and medium-sized websites. Juan M.E-T of Carlos III University in Spain proposed analysing HTTP load with a Markovian model: a Markovian model of normal traffic is built, and the deviation of real-time traffic from normal traffic is computed. The choice of the Markovian model's parameters greatly affects the detection rate and the false-alarm rate, but in a real deployment the parameters are relatively hard to determine.
Summary of the invention
The invention provides a method and apparatus for protecting a Web server from HTTP Flood distributed denial-of-service attacks. The method is deployed on a gateway device located at the network edge, where it protects all Web servers in the network. The gateway device tracks the state of the TCP connections that carry HTTP between client and Web server, and uses a mechanism based on Cookies and port redirection to distinguish legitimate requests from illegitimate ones. Legitimate requests are forwarded automatically through the gateway to the server, while the connections of illegitimate requests are closed by the gateway.
A Cookie is a piece of ASCII text that a Web server sends to the user's browser. Once a Cookie has been received, the browser's requests carry the Cookie, so that the client can be tracked and session state maintained. Cookies are carried in the headers of HTTP requests and responses between server and client. Ordinary browsers all parse and handle Cookies, whereas most attack tools and network worms lack the ability to recognise and handle them. Using this, the gateway can tell most legitimate requests from malicious ones.
In addition, to make the gateway more robust against attack, a port-redirection mechanism is combined with the Cookie-based method. The Web service is offered on a fixed open port (usually 80). When the gateway receives an unauthenticated HTTP request from a client, it redirects the request to a port that the gateway generates at random. Only a client that handles the redirect semantics correctly is recognised by the gateway as a legitimate user.
The gateway monitors all TCP connections from clients to the service and performs IP fragment reassembly and stream reassembly on them. A client's request to the server passes through the gateway first; to determine whether the request comes from a legitimate user or from an attack tool, the gateway may respond to the request in place of the server. The gateway uses the HTTP 301 response code, with the response content shown in Figure 1. Response code 301 indicates that the requested data has moved permanently to a new location. The gateway fills in the Location field with a new URL in which the Port value is changed to Auth_Port and the Path part is unchanged. For ease of handling, Auth_Port is a random value between 1024 and 65536 and cannot equal 80. The Set-Cookie field carries a Cookie value generated at random by the gateway. The Connection field is set to close, indicating that this connection is to be closed and that the client must establish a new connection to send its HTTP request. The source IP address of the response packet built by the gateway is set to the Web server's address, so from the client's point of view all the packets it receives come from the server, and the gateway is transparent to the user.
A legitimate user receives the 301 response, and the browser handles it automatically. The client performs two operations:
1. It sends a TCP packet with the FIN flag to the Web server to close the connection. On receiving the FIN packet, the gateway sends an ACK packet to the client in place of the Web server. The gateway sets the source IP address of the ACK packet to the server's address and fills in appropriate TCP fields, including the sequence number, acknowledgment number and checksum.
2. It establishes a new connection through a three-way handshake and sends a request to the URL given in the 301 response. The request carries a Cookie field whose value is the same as that of the Set-Cookie field in the response.
Because the client closes the original connection before sending its request again, and the gateway, acting as the man in the middle, answers the close in place of the Web server, the Web server is unaware that the connection has been closed. The gateway therefore sends a packet with the RST flag to the Web server to notify it of the close; the source IP address of this RST packet is set to the client's IP address.
The client establishes a new connection to the Web server. When the gateway receives the SYN packet of the new connection, it checks whether the destination port is the port value previously returned to the client. If not, it discards the packet; if so, it forwards the packet to port 80 of the server and the three-way handshake completes. From then on, every packet on this connection is port-forwarded by the gateway.
Once the connection is established, the gateway receives the HTTP request sent by the user and checks whether the Cookie field of the HTTP packet contains the Cookie value previously returned to the client. If the Cookie value is as required, the request is legitimate and is forwarded to the Web server. Otherwise the request is discarded and a packet with the RST flag is sent to the server, telling it to close the connection. Because the gateway, as the man in the middle, is transparent to the server, the source IP address of the RST packet is set to the client's IP address.
When attack tools or network worms launch a distributed denial-of-service attack, they usually just send large numbers of HTTP requests to the Web server and do not process the server's responses. When the gateway returns a 301 response with a Cookie inserted, the attack tool or worm cannot interpret the response correctly: this shows up as requests that still arrive on the default port and that carry, at most, a default Cookie value rather than the one the gateway issued. The gateway uses this to distinguish legitimate requests from attack requests effectively. Attack packets are not forwarded to the Web server by the gateway, so the server's resources are not consumed.
Figure 2 shows the interaction of a legitimate user with the gateway and the Web server, from issuing a request to receiving the Web server's response.
Figure 3 shows the interaction in which an attack request sent to the Web server by an attack tool or network worm is blocked by the gateway.
The gateway is implemented on customised hardware and a customised operating system: a hardware platform designed specifically for firewalls and a trimmed-down Linux operating system. The algorithm above is implemented on the Linux Netfilter framework. Netfilter is a structured low-level framework in the Linux kernel for extending network services. It defines a set of hook functions for IPv4 and IPv6, which are called at several key points as a datagram passes through the protocol stack. Netfilter provides 5 hook points: NF_IP_PRE_ROUTING, NF_IP_FORWARD, NF_IP_LOCAL_IN, NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING. A kernel module can register one or more hooks for each protocol. When a packet is handed to the Netfilter framework, the kernel checks whether any module has registered a hook function for that protocol and, if so, calls the callback function supplied at registration. User-defined functionality is implemented in the callback function.
The algorithm proposed by the invention is implemented by a hook function attached at NF_IP_PRE_ROUTING, although it is not limited to that hook point. By logical function the algorithm divides into 4 modules: the stream reassembly module, the port authorization module, the HTTP request verification module and the port forwarding module. Figure 5 shows the path of a packet through the gateway and the relationship between the logical modules.
The stream reassembly module uses a hash table to store the TCP streams that are being established or are already established, as shown in Figure 4. The hash table is an array in which each element points to a doubly linked list of tcp_stream structures; one tcp_stream structure corresponds to one TCP connection. The key used to operate on the hash table is the tuple, a 4-tuple of source address, destination address, source port number and destination port number. When the gateway receives a new packet, it first calls the Linux system function ip_defrag to perform IP fragment reassembly. Once reassembly is complete, it hashes the tuple to obtain the index into the hash-table array and walks the doubly linked list of tcp_stream structures that the array element points to, to find out whether the packet belongs to a TCP connection the gateway already maintains. If none is found, the tuple is reversed, that is, source and destination address and source and destination port number are swapped, to obtain reverse_tuple, and the hash-table search is repeated with reverse_tuple.
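The connection-table lookup just described, as a user-space C sketch. This is an added example, not code from the patent: the bucket count, the hash function, the seed and the reduced tcp_stream layout are assumptions; only the names tuple, reverse_tuple and tcp_stream come from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 1024                 /* assumed number of buckets */

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

struct tcp_stream {                     /* reduced to what the lookup needs */
    struct tuple key;                   /* orientation of the first SYN: client to server */
    struct tcp_stream *prev, *next;     /* doubly linked bucket chain */
};

enum direction { NO_STREAM, FROM_CLIENT, FROM_SERVER };

static struct tcp_stream *table[TABLE_SIZE];
/* Assumption: a gateway facing flood traffic would draw this seed at start-up
 * from a CSPRNG so that senders cannot aim their tuples at a single chain. */
static uint32_t hash_seed = 0x5bd1e995u;

static unsigned hash_tuple(const struct tuple *t) {    /* FNV-1a style mixing */
    uint32_t w[3] = { t->saddr, t->daddr, (uint32_t)t->sport << 16 | t->dport };
    uint32_t h = 2166136261u ^ hash_seed;
    for (int i = 0; i < 3; i++) { h ^= w[i]; h *= 16777619u; }
    return h % TABLE_SIZE;
}

static struct tuple reverse(struct tuple t) {           /* builds reverse_tuple */
    struct tuple r = { t.daddr, t.saddr, t.dport, t.sport };
    return r;
}

static struct tcp_stream *bucket_find(const struct tuple *t) {
    for (struct tcp_stream *s = table[hash_tuple(t)]; s; s = s->next)
        if (s->key.saddr == t->saddr && s->key.daddr == t->daddr &&
            s->key.sport == t->sport && s->key.dport == t->dport)
            return s;
    return NULL;
}

/* Try the packet's own tuple first, then the reversed tuple. */
static struct tcp_stream *stream_lookup(const struct tuple *pkt, enum direction *dir) {
    struct tcp_stream *s = bucket_find(pkt);
    *dir = s ? FROM_CLIENT : NO_STREAM;
    if (!s) {
        struct tuple r = reverse(*pkt);
        if ((s = bucket_find(&r)) != NULL) *dir = FROM_SERVER;
    }
    return s;
}

static struct tcp_stream *stream_add(const struct tuple *syn) {
    struct tcp_stream *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->key = *syn;
    struct tcp_stream **head = &table[hash_tuple(syn)];
    s->next = *head;                    /* insert at the head of the chain */
    if (*head) (*head)->prev = s;
    *head = s;
    return s;
}

static void stream_del(struct tcp_stream *s) {
    if (s->prev) s->prev->next = s->next;
    else table[hash_tuple(&s->key)] = s->next;
    if (s->next) s->next->prev = s->prev;
    free(s);
}

int main(void) {
    /* Constructed sample flow: 198.51.100.7:40000 -> 203.0.113.80:80 */
    struct tuple c2s = { 0xC6336407u, 0xCB007150u, 40000, 80 };
    struct tuple s2c = reverse(c2s);
    enum direction d;
    if (!stream_add(&c2s)) return 1;
    stream_lookup(&c2s, &d);
    printf("client packet direction: %d\n", d);
    stream_lookup(&s2c, &d);
    printf("server packet direction: %d\n", d);
    return 0;
}
```

Because one entry serves both directions, the gateway keeps a single tcp_stream per connection and can tell which half_stream a packet belongs to from which of the two lookups matched.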
The tcp_stream structure describes all the information about a TCP connection. Its key members are: 2 half_stream structures, which describe the client and the server respectively; a verifier structure, which wraps the HTTP request verification function; the reassem_stop flag, which indicates whether TCP reassembly continues; and a data buffer, which holds in-order application-layer data. When the system receives a new SYN packet that does not belong to any TCP connection it maintains, the packet is the SYN of a TCP three-way handshake. The port authorization module is called to check whether the destination port is the open port of the protected service or a redirected Auth_Port. If it is, a new tcp_stream structure is initialised for the connection and added to the hash table; otherwise the SYN packet is discarded. If the destination port is the expected Auth_Port, the port forwarding module is called to forward the packet to port 80 of the server. A verifier structure is registered when the tcp_stream structure is initialised, and at the appropriate point in TCP reassembly the corresponding HTTP request verification function is called through the verifier. The benefit of the verifier structure is that it makes application-layer checking modular: when new verification logic is needed, only a new verification function has to be registered in the verifier structure.
The algorithm is concerned only with application-layer data sent from the client to the server. In-order application-layer data is stored in the data buffer of the tcp_stream structure, and a linked list of out-of-order TCP packets is kept in the client's half_stream structure. When a new TCP packet arrives, the TCP reassembly condition is evaluated: if the complete header of the first HTTP request has not yet been obtained, and the length or number of packets already reassembled has not reached the upper limit, TCP reassembly is performed; otherwise reassembly stops and the packet is forwarded directly. During TCP reassembly the sequence number is checked; packets that arrive in order are appended to the data buffer, which serves as input to the HTTP request verification function, and out-of-order packets are placed on the half_stream's TCP packet list for use in later reassembly.
Whenever new data is added to the data buffer, the HTTP request verification module is called. The module determines whether the data buffer contains a complete HTTP header; if so, it checks the validity of the Cookie value; otherwise it stops this check and waits for the complete HTTP header to arrive. HTTP version 1.1 uses persistent connections by default, so several HTTP requests and responses can be exchanged over one TCP connection. On a persistent connection only the first HTTP request needs to be checked. Once the complete fields of the first HTTP request have been obtained, the reassem_stop flag is set, indicating that later data on this TCP connection needs no reassembly; later packets are forwarded directly or discarded according to the result of the check. HTTP version 1.0 and earlier versions do not support persistent connections, and only one HTTP request is sent per TCP connection. The gateway handles these in the same way as version 1.1, so the details are not repeated.
The port authorization module is called when the gateway receives the SYN packet of a TCP three-way handshake. If the destination port is 80, the connection about to be established is not a redirected connection, and a tcp_stream structure is initialised for it. If the destination port is not 80, the connection about to be established is one redirected by the gateway, and the module checks whether the port number corresponds to the source IP address. If it does, a tcp_stream structure is initialised for the connection and the packet is handed to the port forwarding module; if it does not, the packet is discarded.
The HTTP request verification module is called when the first complete HTTP request header on a TCP connection has been obtained. It checks the Cookie field in the request header; depending on the packet content, the following 4 cases can occur:
1. The HTTP request header has no Cookie field and the TCP destination port is 80. The gateway sends a 301 response to the client and inserts a new URL into it; the new URL contains the port value Auth_Port generated at random for this client. A Set-Cookie field carrying a randomly generated Cookie value is added to the 301 response header. The port number, the Cookie value and the corresponding client IP address are recorded for later verification. The Connection field of the 301 response header is set to close, indicating that this connection is to be closed. Because the gateway is transparent to the client, the source IP address of the 301 response is set to the Web server's address, so that from the client's point of view the response was sent by the Web server. The gateway also sends a TCP packet with the RST flag to the Web server, telling the server to close the connection. The source address of this RST packet is likewise set to the client's IP address.
2. The HTTP request header has no Cookie field and the TCP destination port is not 80. Only packets redirected by the gateway are sent to a port other than 80, yet the request header carries no Cookie field, so the request is illegitimate. The gateway discards the packet and sends a packet with the RST flag to the Web server, telling it to close the established connection and so reducing the Web server's resource consumption.
3. The HTTP request header contains a Cookie field and the TCP destination port is 80. Because the destination port is 80, the connection has not been redirected by the gateway; the Cookie in the request header is one agreed between the server and the client and was not set by the gateway. As in case 1, the gateway sends a 301 response to the client in place of the Web server and inserts a new port number and Cookie value into it. Here the Cookie generated at random by the gateway is appended after the original Cookie value, so the semantics of the original Cookie are not broken. The gateway also sends a TCP packet with the RST flag to the Web server, telling the server to close the connection.
4. The HTTP request header contains a Cookie field and the TCP destination port is not 80. Because the destination port is not 80, the connection has been redirected by the gateway, and the validity of the Cookie value must now be checked. The Cookie value that the gateway generated for this client is looked up by source IP address, and the gateway checks whether the stored Cookie value is a substring of the Cookie value in the current request. If it is, the HTTP request is legitimate and the port forwarding module is called to forward it; otherwise the request is discarded and a packet with the RST flag is sent to the Web server, telling it to close the established connection.
In cases 1 and 3 above, the gateway sets the Connection field of the 301 response header to close, telling the client to close the connection. The gateway then receives a TCP packet with the FIN flag from the client and must answer this FIN packet with an ACK in place of the Web server.
The generation, maintenance and updating of port numbers and Cookie values by the gateway are described below. Port numbers and Cookie values are organised into a binary sort tree keyed by client source IP address, as shown in Figure 6. Each node of the tree holds an IP source address and the storage structure corresponding to that IP address. Each storage structure contains a port number, a Cookie value and time information. Port numbers and Cookie values are time-limited: those that have existed for longer than a certain period become invalid. In the binary sort tree, if the left subtree of the root node is not empty, the IP source addresses of all nodes in the left subtree are less than that of the root node; if the right subtree of the root node is not empty, the IP source addresses of all nodes in the right subtree are greater than that of the root node. The left and right subtrees are themselves binary sort trees. When the gateway generates a redirect response, it generates a random port number and Cookie value, records the generation time, and inserts a storage structure at the appropriate position in the binary tree according to the client's source IP address. When the gateway receives the SYN packet of a new connection or obtains a complete HTTP header, it searches the binary sort tree to determine whether the destination port number or Cookie value matches and whether the time since generation exceeds the time limit, and proceeds according to the result. When the TCP connection is closed, the node for the source IP address is deleted.
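The port authorization check, the four verification cases and the per-client tree above, modelled in user-space C on header strings instead of packets. This is an added example, not the patent's code: the function names, the 30-second lifetime, the hex Cookie format and the use of /dev/urandom are assumptions, and deleting a node when the connection closes is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>

#define OPEN_PORT   80
#define TTL_SECONDS 30   /* assumed validity period; the page gives no value */
enum verdict { ACCEPT, FORWARD_TO_80, REDIRECT_301, DROP, DROP_AND_RST, WAIT };

struct auth_node {       /* one binary-sort-tree node per client source IP */
    uint32_t ip;
    uint16_t auth_port;
    char cookie[17];     /* 16 hex characters plus NUL (assumed format) */
    time_t created;
    struct auth_node *left, *right;
};

static void random_bytes(void *buf, size_t n) {   /* fail closed without a CSPRNG */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(buf, 1, n, f) != n) { perror("/dev/urandom"); exit(1); }
    fclose(f);
}

static struct auth_node *find(struct auth_node *n, uint32_t ip) {
    while (n && n->ip != ip) n = ip < n->ip ? n->left : n->right;
    return n;
}

/* Insert or refresh the record for ip with a new random port and Cookie. */
static struct auth_node *issue(struct auth_node **root, uint32_t ip, time_t now) {
    struct auth_node **slot = root;
    while (*slot && (*slot)->ip != ip)
        slot = ip < (*slot)->ip ? &(*slot)->left : &(*slot)->right;
    if (!*slot) {
        if (!(*slot = calloc(1, sizeof **slot))) { perror("calloc"); exit(1); }
        (*slot)->ip = ip;
    }
    uint8_t r[10];
    random_bytes(r, sizeof r);
    /* 1024..65535, the highest valid TCP port; the range already excludes 80 */
    (*slot)->auth_port = (uint16_t)(1024 + ((r[0] << 8 | r[1]) % (65536 - 1024)));
    for (int i = 0; i < 8; i++) sprintf((*slot)->cookie + 2 * i, "%02x", (unsigned)r[2 + i]);
    (*slot)->created = now;
    return *slot;
}

static int fresh(const struct auth_node *n, time_t now) { return n && now - n->created <= TTL_SECONDS; }

/* Port authorization module: called for the SYN of a new connection. */
static enum verdict check_syn(struct auth_node *root, uint32_t ip, uint16_t dport, time_t now) {
    if (dport == OPEN_PORT) return ACCEPT;         /* not redirected yet */
    struct auth_node *n = find(root, ip);
    return fresh(n, now) && n->auth_port == dport ? FORWARD_TO_80 : DROP;
}

static const char *cookie_value(const char *hdr, size_t *len) {   /* NULL if no Cookie header */
    const char *p = hdr;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n') return NULL;   /* end of header: ignore the body */
        if (strncasecmp(p, "Cookie:", 7) != 0) continue;
        p += 7;
        while (*p == ' ' || *p == '\t') p++;
        const char *end = strstr(p, "\r\n");
        *len = end ? (size_t)(end - p) : strlen(p);
        return p;
    }
    return NULL;
}

/* HTTP request verification module: the four cases, applied to the first request. */
static enum verdict check_request(struct auth_node **root, uint32_t ip, uint16_t dport,
                                  const char *hdr, time_t now) {
    if (!strstr(hdr, "\r\n\r\n")) return WAIT;     /* header incomplete */
    if (dport == OPEN_PORT) { issue(root, ip, now); return REDIRECT_301; }  /* cases 1 and 3 */
    size_t len = 0;
    const char *cv = cookie_value(hdr, &len);
    if (!cv) return DROP_AND_RST;                  /* case 2 */
    struct auth_node *n = find(*root, ip);         /* case 4 */
    if (!fresh(n, now)) return DROP_AND_RST;
    const char *hit = strstr(cv, n->cookie);       /* stored value must be a substring */
    return hit && hit + strlen(n->cookie) <= cv + len ? FORWARD_TO_80 : DROP_AND_RST;
}

int main(void) {
    struct auth_node *root = NULL;
    uint32_t ip = 0xC6336407u;                     /* 198.51.100.7, constructed */
    char req[128];
    check_request(&root, ip, 80, "GET / HTTP/1.1\r\nHost: a\r\n\r\n", 1000);
    struct auth_node *n = find(root, ip);
    snprintf(req, sizeof req, "GET / HTTP/1.1\r\nCookie: sid=1; gw=%s\r\n\r\n", n->cookie);
    printf("SYN %d, request %d\n", check_syn(root, ip, n->auth_port, 1001),
           check_request(&root, ip, n->auth_port, req, 1001));
    return 0;
}
```

Because the record is keyed by source IP alone, clients that share one address (for example behind NAT) share one record, and a new redirect for that address replaces the port and Cookie issued earlier.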
Description of drawings
Fig. 1 is a schematic diagram of the reply the gateway sends using HTTP response code 301.
Fig. 2 is a schematic diagram of the interaction of a legitimate user with the gateway and the Web server, from issuing a request to receiving the Web server's response.
Fig. 3 is a schematic diagram of the interaction in which an attack launched against the Web server by an attack tool or network worm is blocked by the gateway.
Fig. 4 is a schematic diagram of the data structure used for TCP connection tracking.
Fig. 5 is a schematic diagram of a network packet passing through the gateway's defense logic modules.
Fig. 6 is a schematic diagram of the data structure in which the gateway maintains port numbers and Cookie values.

Claims (10)

1. A defense method by which a gateway protects a Web server from HTTP Flood distributed denial-of-service attacks, the gateway being arranged at the edge of the network in which the Web server is located, the method comprising the steps of:
The client connects to the open port of the Web server and completes the three-way handshake, and the gateway receives the HTTP request sent by the client to the server.
The gateway sends a 301 response to the client in place of the Web server. It generates a globally unique Cookie and port value for this client, constructs a new URL in which the newly generated port number replaces the open port, and returns the Cookie value and the new URL to the client in the 301 response header. The Connection field of the 301 response header is set to close, telling the client to close this connection.
The gateway receives the TCP packet with the FIN flag sent by the client, which the client uses to tell the server to close this connection; acting as the man in the middle, the gateway sends the client a TCP packet with the ACK flag in the server's name, acknowledging the close of the connection.
In the client's name, the gateway sends the server a TCP packet with the RST flag, telling the server to close the connection.
The client connects to a non-open port of the Web server. The gateway receives the SYN packet that starts the three-way handshake and verifies whether the destination port value is the expected value; if so, it port-forwards the packet and allows the TCP connection to be established; if not, it discards the SYN packet.
After the connection to the non-open port is established, the gateway receives the HTTP request sent by the client to the server and verifies whether the HTTP request header contains the expected Cookie value; if it does, the HTTP request is forwarded to the Web server; if it does not, the HTTP request is discarded and, in the client's name, a TCP packet with the RST flag is sent to the server, telling the server to close the connection.
2. The method of claim 1, characterized in that the gateway, located between the client and the Web server, comprises means for performing IP fragment reassembly on all IP packets passing through it.
3. The method of claim 1, characterized in that the gateway comprises means for performing stream reassembly on all TCP packets passing through it.
4. The method of claim 1, characterized in that the gateway comprises means for identifying HTTP requests and parsing the request header.
5. The method of claim 1, characterized in that the gateway comprises means for replying to the client's HTTP request in place of the Web server.
6. The method of claim 1, characterized in that the gateway comprises means for obtaining the correct TCP header sequence number and acknowledgment number and for replying, in place of the Web server, to the TCP packet with the FIN flag sent by the client.
7. The method of claim 1, characterized in that the gateway comprises means for sending a TCP packet with the RST flag to the server in place of the client.
8. The method of claim 1, characterized in that the gateway comprises means for verifying whether the destination port of a TCP connection is legitimate, including means for generating, maintaining and updating the port values of all clients.
9. The method of claim 1, characterized in that the gateway comprises means for port-forwarding packets.
10. The method of claim 1, characterized in that the gateway comprises means for generating, maintaining and updating the Cookie of each client, including means for checking whether a Cookie is valid.
CN2009100088581A 2009-02-10 2009-02-10 Method for defending HTTP Flood distributed denial-of-service attack Active CN101572700B (en)

Publications (2)

Publication Number Publication Date
CN101572700A true CN101572700A (en) 2009-11-04
CN101572700B CN101572700B (en) 2012-05-23

Family

ID=41231937


Cited By (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707598B (en) * 2009-11-10 2012-12-19 成都市华为赛门铁克科技有限公司 Method, device and system for identifying flood attack
WO2011079669A1 (en) * 2009-12-28 2011-07-07 成都市华为赛门铁克科技有限公司 Method, device and system for network attack protection
US9088607B2 (en) 2009-12-28 2015-07-21 Huawei Digital Technologies (Cheng Du) Co., Limited Method, device, and system for network attack protection
CN102316082A (en) * 2010-07-06 2012-01-11 杭州华三通信技术有限公司 Method and flow cleaning equipment for defensing website distributed denial of service (DDoS) attack
CN102469069B (en) * 2010-11-02 2014-10-29 杭州华三通信技术有限公司 Method and device for preventing portal authentication attack
CN102469069A (en) * 2010-11-02 2012-05-23 杭州华三通信技术有限公司 Method and device for preventing portal authentication attack
CN102065017A (en) * 2010-12-31 2011-05-18 成都市华为赛门铁克科技有限公司 Message processing method and device
CN102065017B (en) * 2010-12-31 2013-08-28 华为数字技术(成都)有限公司 Message processing method and device
WO2012122773A1 (en) * 2011-03-16 2012-09-20 中兴通讯股份有限公司 Method and apparatus for controlling an access request based on a proxy gateway
CN102685165B (en) * 2011-03-16 2015-01-28 中兴通讯股份有限公司 Method and device for controlling access request on basis of proxy gateway
CN102088465A (en) * 2011-03-16 2011-06-08 中国科学院软件研究所 Hyper text transport protocol (HTTP) Cookie protection method based on preposed gateway
CN102685165A (en) * 2011-03-16 2012-09-19 中兴通讯股份有限公司 Method and device for controlling access request on basis of proxy gateway
CN102088465B (en) * 2011-03-16 2014-04-16 中国科学院软件研究所 Hyper text transport protocol (HTTP) Cookie protection method based on preposed gateway
CN102291441A (en) * 2011-08-02 2011-12-21 杭州迪普科技有限公司 Method and security agent device for protecting against attack of synchronize (SYN) Flood
CN102291441B (en) * 2011-08-02 2015-01-28 杭州迪普科技有限公司 Method and security agent device for protecting against attack of synchronize (SYN) Flood
CN103095676A (en) * 2011-11-04 2013-05-08 株式会社日立制作所 Filtrating system and filtrating method
CN102404345A (en) * 2011-12-26 2012-04-04 山石网科通信技术(北京)有限公司 Distributed attack prevention method and device
CN103491061B (en) * 2012-06-13 2017-02-15 华为技术有限公司 Attack mitigation method, serial number providing method and equipment
CN103491061A (en) * 2012-06-13 2014-01-01 华为技术有限公司 Attack mitigation method, serial number providing method and equipment
CN103634284A (en) * 2012-08-24 2014-03-12 阿里巴巴集团控股有限公司 Network flood attack detecting method and device
CN102857917B (en) * 2012-08-24 2015-06-03 北京拓明科技有限公司 Method for identifying internet access of mobile phone through personal computer (PC) based on signaling analysis
CN103634284B (en) * 2012-08-24 2017-08-25 阿里巴巴集团控股有限公司 The method for detecting and device of a kind of network flood attack
CN102857917A (en) * 2012-08-24 2013-01-02 北京拓明科技有限公司 Method for identifying internet access of mobile phone through personal computer (PC) based on signaling analysis
CN102868693A (en) * 2012-09-17 2013-01-09 苏州迈科网络安全技术股份有限公司 URL (Uniform Resource Locator) filtering method and URL (Uniform Resource Locator) filtering system aiming at HTTP (Hyper Text Transport Protocol) segment request
CN104519008A (en) * 2013-09-26 2015-04-15 北大方正集团有限公司 Cross-site scripting attack defense method and device and application server
CN104519008B (en) * 2013-09-26 2018-05-15 北大方正集团有限公司 Cross-site scripting attack defence method and device, application server
CN104967589A (en) * 2014-05-27 2015-10-07 腾讯科技(深圳)有限公司 Security detection method, apparatus and system
CN104967589B (en) * 2014-05-27 2019-02-05 腾讯科技(深圳)有限公司 A kind of safety detecting method, device and system
CN104378357A (en) * 2014-10-23 2015-02-25 河北省电力建设调整试验所 Protection method for HTTP Get Flood attack
CN105635058B (en) * 2014-10-30 2019-05-17 中国科学院声学研究所 Go-between's processing method of TCP is directed under a kind of no-protocol mode stack
CN105635058A (en) * 2014-10-30 2016-06-01 中国科学院声学研究所 Man-in-the-middle processing method aiming at TCP in non-protocol stack mode
CN104618404A (en) * 2015-03-10 2015-05-13 网神信息技术(北京)股份有限公司 Processing method, device and system for preventing network attack to Web server
CN104935592A (en) * 2015-06-16 2015-09-23 上海斐讯数据通信技术有限公司 System and method for preventing DoS (Denial of Service) attacks
CN105100084A (en) * 2015-07-07 2015-11-25 中国科学院计算技术研究所 Method and system for preventing cross-site request forgery attack
CN105100084B (en) * 2015-07-07 2018-03-30 中国科学院计算技术研究所 It is a kind of to prevent the method and system across station request forgery attack
CN105939315A (en) * 2015-10-20 2016-09-14 杭州迪普科技有限公司 Method and device for protecting against HTTP attack
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
CN105430011B (en) * 2015-12-25 2019-02-26 杭州朗和科技有限公司 A kind of method and apparatus detecting distributed denial of service attack
CN106487919A (en) * 2016-11-10 2017-03-08 新浪网技术(中国)有限公司 HTTP request processing method based on PaaS platform, apparatus and system
CN106487919B (en) * 2016-11-10 2019-07-05 新浪网技术(中国)有限公司 HTTP request processing method based on PaaS platform, apparatus and system
CN107911336A (en) * 2017-10-09 2018-04-13 西安交大捷普网络科技有限公司 A kind of WEB steals chain means of defence
CN107911336B (en) * 2017-10-09 2022-02-25 西安交大捷普网络科技有限公司 WEB hotlinking protection method
CN107800723A (en) * 2017-12-06 2018-03-13 中盈优创资讯科技有限公司 CC attack guarding methods and equipment
CN108718369A (en) * 2018-05-03 2018-10-30 冼钇冰 A kind of gateway accessing method, apparatus and computer storage media
CN108718369B (en) * 2018-05-03 2021-09-24 上海旺链信息科技有限公司 Gateway access method, device and computer storage medium
CN109587117A (en) * 2018-11-09 2019-04-05 杭州安恒信息技术股份有限公司 A kind of anti-replay-attack method of the whole network udp port scanning
CN109587117B (en) * 2018-11-09 2021-03-30 杭州安恒信息技术股份有限公司 Replay attack prevention method for whole network UDP port scanning
CN110472414A (en) * 2019-07-23 2019-11-19 中国平安人寿保险股份有限公司 Detection method, device, terminal device and the medium of system vulnerability
CN110635972A (en) * 2019-10-17 2019-12-31 南京中孚信息技术有限公司 Network testing method, network testing device, network tester and computer readable storage medium
CN110635972B (en) * 2019-10-17 2020-12-29 南京中孚信息技术有限公司 Network testing method, network testing device, network tester and computer readable storage medium
CN110995715B (en) * 2019-12-06 2021-11-19 杭州顺网科技股份有限公司 Dialysis access method and system for intranet https service
CN110995715A (en) * 2019-12-06 2020-04-10 杭州顺网科技股份有限公司 Dialysis access method and system for intranet https service
CN111901288A (en) * 2019-12-26 2020-11-06 长扬科技(北京)有限公司 Network security protection method aiming at BACnet
CN112165447A (en) * 2020-08-21 2021-01-01 杭州安恒信息技术股份有限公司 WAF equipment-based network security monitoring method, system and electronic device
CN112165447B (en) * 2020-08-21 2023-12-19 杭州安恒信息技术股份有限公司 WAF equipment-based network security monitoring method, system and electronic device
CN112612855A (en) * 2020-12-29 2021-04-06 天津南大通用数据技术股份有限公司 High-availability database log receiving queue, synchronization method and device
CN112612855B (en) * 2020-12-29 2023-01-24 天津南大通用数据技术股份有限公司 High-availability database log receiving queue, synchronization method and device

Also Published As

Publication number Publication date
CN101572700B (en) 2012-05-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: NERCIS

Free format text: FORMER NAME: ZHONGKE ZHENGYANG INFORMATION SECURITY TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100080 Beijing City, Haidian District Zhongguancun No. 19 Building, the North Wing building B block 16 layer

Patentee after: Zhongke Information Security Common Technology National Engineering Research Center Co., Ltd.

Address before: 100080 Beijing City, Haidian District Zhongguancun No. 19 Building, the North Wing building B block 16 layer

Patentee before: Zhongke Zhengyang Information Security Technology Co., Ltd.