CN102137111A - Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server - Google Patents

Publication number: CN102137111A
Authority: CN (China)
Prior art keywords: request message, visitor logs, blacklist, address, server
Legal status: Pending
Application number: CN2011100994901A
Other languages: Chinese (zh)
Inventors: 赵伟, 王兴华, 宗劼
Current Assignee: Beijing Blue It Technologies Co ltd
Original Assignee: Beijing Blue It Technologies Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for defending against CC (Challenge Collapsar) attacks, and a content delivery network server, which address the problem in the prior art that defence against CC attacks cannot be targeted by reference to the actual processing conditions of a server, so that the defensive effect is not ideal. The method comprises the following steps: the server receives a request message sent by a client and determines the identification information of the request message; a stored blacklist is queried, and the request message is discarded when the identification information is determined to belong to the blacklist, wherein the blacklist is generated from the access records of the server. Because the blacklist is generated from the access records of the server and request messages are filtered against it, defence can be targeted to the actual processing conditions of the server, so that the defensive effect is closer to ideal.

Description

A method, device and content delivery network server for defending against CC attacks
Technical Field
The present invention relates to the field of communication technology, and in particular to a method, a device and a content delivery network server for defending against CC attacks.
Background
With the rapid development of information technology, computer networking has become widespread across industries worldwide. However, the rapid growth of network applications and the expansion of network scale have made security vulnerabilities ubiquitous in networks, and these vulnerabilities provide fertile ground for network attacks. The Challenge Collapsar (CC) attack, popular in recent years, is one such network attack.
A CC attack is a page-based distributed denial-of-service attack that consumes server resources by sending resource-intensive Hypertext Transfer Protocol (HTTP) requests. The attacking host repeatedly requests pages on the target host that are expensive to serve, which forces the target host to perform a large amount of computation, so that it quickly reaches the limit of its processing capacity and refuses service requests from all users. Here, the target host may also be called the victim host.
Take a content delivery network (CDN) as an example. In a CDN, the existing method of defending against CC attacks is mainly to deploy a separate network security device in front of the CDN servers; attack traffic can be diverted to a scrubbing node on which this network security device is deployed. All attack traffic therefore first passes through detection and filtering by the network security device and is then handed to the CDN server for processing. The means a network security device usually adopts to defend against CC attacks are mainly: limiting the number of connections per source IP; or counting and inspecting all requests; or redirecting requests; and so on.
As the above description shows, the existing solution has two main deficiencies:
First, the network security device that provides the CC defence function is separate from the device that provides the CDN service, namely the CDN server. A network usually contains a large number of servers, and once some of the servers distributed on different nodes come under CC attack, deploying a network security device for each of them becomes more difficult, so the attack cannot be handled quickly. In addition, this way of defending against CC attacks is centralized defence: once the network security device has a problem, none of the CDN servers associated with it can serve normally.
Second, as for the specific CC defence measures, whether limiting the number of connections per source IP, counting and inspecting requests, or redirecting requests, all are generic defensive measures of the network security device. These measures do not take full account of the CDN server's actual processing results, so defence cannot be targeted by reference to the actual processing conditions of the CDN server; the protection tends to be coarse and cannot be made very precise.
Summary of the Invention
The invention provides a method, a device and a content delivery network server for defending against CC attacks, in order to solve the problem in the prior art that defence against CC attacks cannot be targeted by reference to the actual processing conditions of the server, so that the protective effect is not ideal.
A method for defending against CC attacks comprises the following steps:
The server receives a request message sent by a client and determines the identification information of the request message;
A stored blacklist is looked up and, when the identification information is determined to belong to the blacklist, the request message is discarded, wherein the blacklist is generated from the access records of the server.
A device for defending against CC attacks comprises:
A receiving unit, configured to receive a request message sent by a client and determine the identification information of the request message;
A determining unit, configured to look up a stored blacklist and, when the identification information is determined to belong to the blacklist, discard the request message;
A generation unit, configured to generate the blacklist from the access records of the server on which the device resides.
A content delivery network server comprises any of the devices for defending against CC attacks described above.
The method, device and content delivery network server for defending against CC attacks in the embodiments of the invention can generate a blacklist from the access records of the server and filter request messages against this blacklist, so that defence can be targeted to the actual processing conditions of the server and the protective effect is ideal.
Description of the Drawings
Fig. 1 is a flowchart of the method for defending against CC attacks in an embodiment of the invention;
Fig. 2 is a structural diagram of the device for defending against CC attacks in an embodiment of the invention.
Detailed Description
The embodiments of the invention provide a method, a device and a content delivery network server for defending against CC attacks, which can solve the problem in the prior art that defence against CC attacks cannot be targeted by reference to the actual processing conditions of the server, so that the protective effect is not ideal.
An embodiment of the invention provides a method for defending against CC attacks which, as shown in Fig. 1, comprises the following steps:
S101: the server receives a request message sent by a client and determines the identification information of the request message;
S102: a stored blacklist is looked up and, when the identification information is determined to belong to the blacklist, the request message is discarded, wherein the blacklist is generated from the access records of the server.
Preferably, the access records comprise the source IP address, the URL and the access result flag corresponding to every request message that accesses the server, and the identification information comprises the source IP address; the blacklist is then generated by: adding to the blacklist any source IP address whose frequency of occurrence in the access records is higher than a set first threshold; and/or, when the frequency of occurrence of access records whose access result is flagged as abnormal and which contain the same source IP address is higher than a set second threshold, adding that source IP address to the blacklist.
Preferably, the step of determining that an access result is flagged as abnormal specifically comprises: determining the access records in which the accessed URL is illegal, saving that URL in an access control list, and, when a request message containing that URL is subsequently received, flagging the access result of that request message as abnormal in the access records. Here, the accessed URL being illegal mainly means that the accessed URL does not actually exist on the server side.
Alternatively, when the access records also comprise browser version information, the step of determining that an access result is flagged as abnormal may further comprise: after determining that the frequency of occurrence of access records with the same URL and the same browser version information is higher than a set third threshold, flagging as abnormal in the access records the access result of any subsequently received request message that contains that URL and that browser version information.
Furthermore, to better reflect the actual processing conditions of the server, the blacklist may be dynamically updated according to changes in the access records.
The method for defending against CC attacks in the embodiment of the invention can generate a blacklist from the access records of the server and filter request messages against this blacklist, so that defence can be targeted to the actual processing conditions of the server and the protective effect is ideal.
The method for defending against CC attacks provided by the invention is described in detail below with a preferred embodiment. This embodiment takes a CDN server in a CDN as an example; the method can of course also be applied to other network environments. The CDN server here refers specifically to a reverse proxy server that serves the origin site. This server differs from the ordinary forward proxy server that serves user terminals: in general, a forward proxy server is deployed on the terminal side, while a reverse proxy server is deployed on the network side. The method in this embodiment is mainly applied on a CDN server acting as a reverse proxy, so that every CDN server can be given the ability to defend against CC attacks. The method specifically comprises the following steps:
Step 1: after the CC defence function of the CDN server is enabled, the access records of the CDN server are read, and a blacklist is generated from these access records.
Specifically, the CDN server stores the access records corresponding to all request messages that access the server. Each access record generally contains the following information: the time the request message was received, the source IP address of the request message, the URL to be accessed, and the access result flag of the request message. The access result flag generally indicates either that the access result is abnormal or that the access result is normal.
The blacklist is generated mainly from the access records, in the following two ways:
The first way is: analyse all access records for source IP addresses whose frequency of occurrence is higher than the set first threshold, that is, source IP addresses that send request messages relatively frequently, and add these source IP addresses to the blacklist; the first threshold can be adjusted as needed. For example, the access records over a period of time can be analysed, and the several IP addresses with the highest proportion or number of occurrences added to the blacklist, because the host corresponding to a source IP address that sends request messages frequently within a short time is very likely an attacking host.
The second way is: analyse all access records and, when the frequency of occurrence of access records whose access result is flagged as abnormal and which contain the same source IP address is higher than the set second threshold, add that source IP address to the blacklist. An abnormal access result indicates that the request message is illegal; if the same IP address sends illegal request messages many times within a period of time, the host corresponding to that IP address is very likely an attacking host.
The above two ways can be used separately or in combination. The source IP addresses determined in these two ways as needing to be added to the blacklist must be blocked in subsequent processing; that is, when a request message sent from a source IP address in the blacklist is received again, the message is discarded directly. In a specific implementation, the blacklist can be queried after the request message enters the network layer or the application layer, and messages sent from IP addresses in the blacklist are then discarded; alternatively, these source IP addresses can be blocked by configuring an access control list or by using a tool such as iptables.
To determine the request messages whose access result is abnormal, so that the second way above can be carried out, the following two methods can be used:
First method: determine the access records in which the accessed URL is wrong and save that wrong URL; when a request message containing that URL is subsequently received again, the request message is rejected directly, and its access result is flagged as abnormal in the access records. Here, a wrong URL mainly means that the URL is illegal. In a specific implementation, this can be configured in an access control list, so that after a request message containing that URL enters the application layer, access to that URL is refused by the access control list, and the access result of the request message is flagged as abnormal in the access records. Alternatively, other approaches can be used; for example, a separate URL list for storing wrong URLs is kept, the URL list is queried directly after a request message is received, and the request message is discarded when the URL it contains belongs to the URL list. The operation of querying the URL list and deciding whether to discard the request message can be implemented at several protocol layers of the ISO/OSI seven-layer network architecture, for example at the network layer or the application layer; to improve processing efficiency by discarding requests that do not need handling as early as possible, the operation can be implemented at the network layer.
Second method: the access records can also contain browser version information. After it is determined that the frequency of occurrence of access records with the same URL and the same browser version information is higher than the set third threshold, that combination of URL and browser version information is saved. When the URL in a subsequently received request message is the same as that URL and the browser version information is also the same as that browser version information, the request message is discarded, and its access result is flagged as abnormal in the access records, because the hosts behind source IP addresses that use the same browser to access the same URL in large numbers are very likely attacking hosts. Specifically, to discard such request messages, this can also be configured in an access control list, so that after a request message containing both that URL and that browser version information enters the application layer, the request message is discarded by the access control list, and its access result is flagged as abnormal in the access records. Alternatively, other approaches can be used; for example, a separate combination list is kept for storing the combinations of URL and browser version information whose frequency of occurrence is higher than the set third threshold, the combination list is queried directly after a request message is received, and the request message is discarded when the combination of URL and browser version information it contains belongs to the combination list. The operation of querying the combination list and deciding whether to discard the request message can be implemented at several protocol layers of the ISO/OSI seven-layer network architecture, for example at the network layer or the application layer; to improve processing efficiency by discarding requests that do not need handling as early as possible, the operation can be implemented at the network layer.
These two methods can also be used separately or in combination. With these two methods, request messages whose access result is abnormal can be identified in subsequent processing by examining the access records, and the blacklist can then be generated in the second way described above, namely "analyse all access records and, when the frequency of occurrence of access records whose access result is flagged as abnormal and which contain the same source IP address is higher than the set second threshold, add that source IP address to the blacklist". Specifically, if a certain IP address accesses wrong URLs in the URL list too many times, and/or sends too many request messages containing a URL and browser version information stored in the combination list, that source IP address can be added to the blacklist as a suspicious source IP address.
In general, when the blacklist is generated in this step, the request messages whose access result is abnormal are first determined by the two methods above; in the next round of message processing these request messages are then identified as abnormal, so that the source IP addresses that send many request messages with abnormal access results can be found and blocked. To improve the protective effect, the blacklist in this embodiment can also be updated periodically or aperiodically, that is, re-analysed according to changes in the server's access records, so that the protective effect becomes more ideal.
Step 2: after a request message is received, the blacklist is queried, and when the source IP address contained in the request message is determined to belong to the blacklist, the request message is discarded.
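Steps 1 and 2 can be seen working together in the following Python example, which is added here and is not code from the patent. It runs three rounds of constructed traffic to show the one-round lag described above: the wrong-URL list and the combination list are learned first, and only in the following round do flagged records push low-volume sources over the second threshold. The class and function names, the threshold values, the `site_urls` set standing in for "URLs that exist on the server", and the choice not to log requests dropped by the blacklist are all assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Record:
    ts: int            # time the request was received (seconds)
    src_ip: str        # source IP address
    url: str           # URL requested
    browser: str       # browser version information
    abnormal: bool     # access result flag


class CCFilter:
    """Hypothetical helper: log-driven blacklist for one reverse proxy."""

    def __init__(self, site_urls, first, second, third, window):
        self.site_urls = set(site_urls)   # assumption: URLs that exist on the origin
        self.first, self.second, self.third = first, second, third
        self.window = window              # seconds of access records analysed
        self.records = []
        self.bad_urls = set()             # method 1: wrong-URL list
        self.hot_combos = set()           # method 2: (URL, browser) combination list
        self.blacklist = set()            # blocked source IPs

    def handle(self, ts, src_ip, url, browser):
        """Step 2: filter one request; returns 'drop', 'reject' or 'serve'."""
        if src_ip in self.blacklist:
            return "drop"                 # discarded before any further processing
        abnormal = url in self.bad_urls or (url, browser) in self.hot_combos
        self.records.append(Record(ts, src_ip, url, browser, abnormal))
        return "reject" if abnormal else "serve"

    def refresh(self, now):
        """Step 1, rerun periodically: rebuild all lists from recent records."""
        self.records = [r for r in self.records if now - r.ts <= self.window]
        recent = self.records
        self.bad_urls = {r.url for r in recent if r.url not in self.site_urls}
        combos = Counter((r.url, r.browser) for r in recent)
        self.hot_combos = {c for c, n in combos.items() if n > self.third}
        total = Counter(r.src_ip for r in recent)                     # first way
        flagged = Counter(r.src_ip for r in recent if r.abnormal)     # second way
        self.blacklist = (
            {ip for ip, n in total.items() if n > self.first}
            | {ip for ip, n in flagged.items() if n > self.second}
        )
        return set(self.blacklist)


def demo():
    """Constructed traffic (RFC 5737 documentation addresses), three rounds."""
    f = CCFilter({"/", "/news", "/search"}, first=50, second=3, third=20, window=60)
    flood, prober, slow_bot, user = "203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.10"

    # Round 1: nothing is known yet, so every request is logged as normal.
    for _ in range(60):
        f.handle(1, flood, "/search", "MSIE 6.0")
    for _ in range(5):
        f.handle(1, prober, "/admin.php", "Firefox/3.6")   # URL not on the origin
    for _ in range(4):
        f.handle(1, slow_bot, "/search", "MSIE 6.0")       # low rate per address
    f.handle(1, user, "/", "Firefox/3.6")
    after_round1 = f.refresh(now=10)

    # Round 2: the learned lists now flag requests, which feeds the second way.
    round2 = {
        "flood": f.handle(11, flood, "/search", "MSIE 6.0"),
        "prober": [f.handle(11, prober, "/admin.php", "Firefox/3.6") for _ in range(4)][-1],
        "slow_bot": [f.handle(11, slow_bot, "/search", "MSIE 6.0") for _ in range(4)][-1],
        "user": f.handle(11, user, "/news", "Firefox/3.6"),
    }
    after_round2 = f.refresh(now=20)

    # Round 3: both low-volume sources are now on the blacklist.
    round3 = {"prober": f.handle(21, prober, "/", "Firefox/3.6"),
              "user": f.handle(21, user, "/", "Firefox/3.6")}
    after_ageing = f.refresh(now=100)     # every record is older than the window
    return after_round1, round2, after_round2, round3, after_ageing


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Browser version information is supplied by the client, and a popular page fetched by a common browser also exceeds the third threshold, so the thresholds have to be set from the server's normal traffic.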
Alternatively, in another preferred embodiment of the invention, the URL list of wrong URLs mentioned above, and the combination list of URL and browser version information combinations whose frequency of occurrence is higher than the set third threshold, can also be added directly to the blacklist as blacklist content. In this way, after a request message is received, whether the request message needs to be blocked can also be determined directly from the identification information it contains, namely the URL, or the combination of URL and browser version information.
With the method provided by the embodiment of the invention, a blacklist can be generated from the access records of the server and request messages filtered against this blacklist, so that defence can be targeted to the actual processing conditions of the server and the protective effect is ideal. Specifically, the CDN server can be given the function of defending against CC attacks, so that CC attack detection and defence and the cache application function of the CDN server are linked efficiently and reinforce each other. Because the CDN service is integrated with the CC defence function, the results of CC attack detection are better suited to cache application processing and can be fed back to it promptly, and cache application processing can in turn strengthen the protection against CC attacks. And because the CC defence function is integrated on the CDN server, the specific detection and defence measures can be based on the actual access results of users. The suspicious source IPs and illegal URLs detected in this way are more accurate.
An embodiment of the invention also provides a device for defending against CC attacks which, as shown in Fig. 2, comprises:
A receiving unit 21, configured to receive a request message sent by a client and determine the identification information of the request message;
A determining unit 22, configured to look up a stored blacklist and, when the identification information is determined to belong to the blacklist, discard the request message;
A generation unit 23, configured to generate the blacklist from the access records of the server on which the device resides.
Preferably, the access records comprise the source IP address, the URL and the access result flag corresponding to every request message that accesses the server on which the device resides, and the identification information comprises the source IP address; the generation unit is then specifically configured to: add to the blacklist any source IP address whose frequency of occurrence in the access records is higher than a set first threshold; and/or, when the frequency of occurrence of access records whose access result is flagged as abnormal and which contain the same source IP address is higher than a set second threshold, add that source IP address to the blacklist.
Preferably, the generation unit is specifically configured to: determine the access records in which the accessed URL is illegal, save that URL in an access control list, and, when a request message containing that URL is subsequently received, flag the access result of that request message as abnormal in the access records.
Preferably, the access records also comprise browser version information, and the generation unit is further configured to: after determining that the frequency of occurrence of access records with the same URL and the same browser version information is higher than a set third threshold, flag as abnormal in the access records the access result of any subsequently received request message that contains that URL and that browser version information.
Preferably, the generation unit is further configured to dynamically update the blacklist according to changes in the access records.
With the device provided by the embodiment of the invention, a blacklist can be generated from the access records of the server and request messages filtered against this blacklist, so that defence can be targeted to the actual processing conditions of the server and the protective effect is ideal.
An embodiment of the invention also provides a content delivery network server comprising the above device for defending against CC attacks.
With the content delivery network server provided by the embodiment of the invention, a blacklist can be generated from the access records of the server and request messages filtered against this blacklist, so that defence can be targeted to the actual processing conditions of the server and the protective effect is ideal. Moreover, because in this embodiment the CC defence function is integrated directly on the CDN server, there is no need to deploy separate CC defence equipment for each server when there are many CDN servers, which greatly reduces the difficulty of network deployment.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.

Claims (11)

1. A method for defending against CC attacks, characterized by comprising the following steps:
A server receives a request message sent by a client and determines the identification information of the request message;
A stored blacklist is looked up and, when the identification information is determined to belong to the blacklist, the request message is discarded, wherein the blacklist is generated from the access records of the server.
2. The method of claim 1, characterized in that the access records comprise the source IP address, the URL and the access result flag corresponding to every request message that accesses the server, the identification information comprises the source IP address, and the blacklist is generated by:
Adding to the blacklist any source IP address whose frequency of occurrence in the access records is higher than a set first threshold; and/or, when the frequency of occurrence of access records whose access result is flagged as abnormal and which contain the same source IP address is higher than a set second threshold, adding that source IP address to the blacklist.
3. The method of claim 2, characterized in that the step of determining that an access result is flagged as abnormal specifically comprises:
Determining the access records in which the accessed URL is illegal, saving that URL in an access control list, and, when a request message containing that URL is subsequently received, flagging the access result of that request message as abnormal in the access records.
4. The method of claim 2 or 3, characterized in that the access records also comprise browser version information, and the step of determining that an access result is flagged as abnormal specifically comprises:
After determining that the frequency of occurrence of access records with the same URL and the same browser version information is higher than a set third threshold, flagging as abnormal in the access records the access result of any subsequently received request message that contains that URL and that browser version information.
5. The method of claim 1, characterized in that the blacklist is dynamically updated according to changes in the access records.
6. A device for defending against CC attacks, characterized by comprising:
A receiving unit, configured to receive a request message sent by a client and determine the identification information of the request message;
A determining unit, configured to look up a stored blacklist and, when the identification information is determined to belong to the blacklist, discard the request message;
A generation unit, configured to generate the blacklist from the access records of the server on which the device resides.
7. The device of claim 6, characterized in that the access records comprise the source IP address, the URL and the access result flag corresponding to every request message that accesses the server on which the device resides, the identification information comprises the source IP address, and the generation unit is specifically configured to:
Add to the blacklist any source IP address whose frequency of occurrence in the access records is higher than a set first threshold; and/or, when the frequency of occurrence of access records whose access result is flagged as abnormal and which contain the same source IP address is higher than a set second threshold, add that source IP address to the blacklist.
8. The device of claim 7, characterized in that the generation unit is specifically configured to:
Determine the access records in which the accessed URL is illegal, save that URL in an access control list, and, when a request message containing that URL is subsequently received, flag the access result of that request message as abnormal in the access records.
9. The device of claim 7 or 8, characterized in that the access records also comprise browser version information, and the generation unit is further configured to:
After determining that the frequency of occurrence of access records with the same URL and the same browser version information is higher than a set third threshold, flag as abnormal in the access records the access result of any subsequently received request message that contains that URL and that browser version information.
10. The device of claim 6, characterized in that the generation unit is further configured to dynamically update the blacklist according to changes in the access records.
11. A content delivery network server, characterized by comprising the device of any one of claims 6 to 10.
CN2011100994901A 2011-04-20 2011-04-20 Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server Pending CN102137111A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100994901A CN102137111A (en) 2011-04-20 2011-04-20 Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server

Publications (1)

Publication Number Publication Date
CN102137111A true CN102137111A (en) 2011-07-27

Family

ID=44296766

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100994901A Pending CN102137111A (en) 2011-04-20 2011-04-20 Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server

Country Status (1)

Country Link
CN (1) CN102137111A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Zhao Wei

Inventor after: Bai Jin

Inventor after: Wang Xinghua

Inventor after: Zong Jie

Inventor before: Zhao Wei

Inventor before: Wang Xinghua

Inventor before: Zong Jie

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: ZHAO WEI WANG XINGHUA ZONG JIE TO: ZHAO WEI BAI JIN WANG XINGHUA ZONG JIE

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110727