CN103618730A - Website DDOS attack defense system and method based on integral strategy - Google Patents
- Publication number: CN103618730A (application CN201310651436.2A)
- Authority: CN (China)
- Prior art keywords: attack, user, ddos, web server, website
- Legal status: Pending
- Landscapes (classification areas): Computer And Data Communications; Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a website DDOS attack defense system and method based on an integral (points) strategy. The system comprises a client, a firewall, an intrusion detection system and a Web server, with an attack-IP filtering unit arranged between the intrusion detection system and the Web server. The firewall defends against known network attacks and can also act on filtering instructions from the attack-IP filtering unit; the intrusion detection system takes the firewall's defense output as its input and detects known DDOS attacks. The attack-IP filtering unit filters user IPs that have been judged to show attack behavior, where filtering means stopping that IP's normal access to the Web server; the judgment results are accumulated and cached as points, the cached result is dynamically assessed, and the assessment decides whether the user IP must be filtered or may regain the qualification to log in. The system is simple and convenient to apply, guarantees normal users' access to the greatest extent, and shields attacks quickly.
Description
Technical field
The present invention relates to a defense method against attacks on enterprise portal websites, and in particular to a defense system and method against application-layer DDOS attacks.
Background technology
DDOS stands for distributed denial of service. In a DDOS attack the attacker uses some means to consume a large amount of the target host's system resources, or to congest the target host's network bandwidth, so that legitimate users ultimately cannot be served. Unlike traditional flood-style DDOS attacks, application-layer DDOS (APP-DDOS) typically sends legitimate requests in the manner of normal access in order to occupy a large amount of service resources, so that legitimate users cannot gain access; representative examples are CC attacks and HTTP storm attacks. When launching an attack, the attacker repeatedly requests pages that are computationally expensive, such as database queries or file downloads. Because the machines providing the service are generally ordinary servers, enough requests will bring the server down and force the website offline.
The defense methods now in wide use tend to interfere with visitors' normal access to the server and harm the user experience, or they cannot effectively suppress the attack within a short time, so that the server collapses before legitimate users have been identified.
Summary of the invention
To overcome the problems of the prior art, the present invention proposes an authentication method based on challenge-response and fingerprint recognition. During authentication, identity is verified between the host and the user by challenge-response, fingerprint recognition and asymmetric encryption techniques; each identification requires a "challenge", a "response", "scrambling" and "encryption", each challenge string sent is unique and cannot be computed in advance, and a "response" intercepted by an eavesdropper during one identification is not valid for the next, effectively preventing identity spoofing.
The present invention proposes a website DDOS attack defense system based on an "integral strategy". The system comprises a client, a firewall, an intrusion detection system and a Web server, and further comprises an attack-IP filtering unit between the intrusion detection system and the Web server, wherein:
the firewall, besides defending against known network attacks, also performs defensive processing in this system according to the filtering instructions of the attack-IP filtering unit;
the intrusion detection system takes the defense output of the firewall as its input and detects known DDOS attacks;
the attack-IP filtering unit filters user IPs judged to show attack behavior, the filtering consisting of stopping that IP's normal access to the Web server; the judgment results are accumulated and cached as points, the cached points are dynamically assessed, and the assessment decides whether the IP must be filtered or may regain the qualification to log in to the system.
The invention also proposes a website DDOS attack defense method based on an "integral strategy", comprising the following steps:
defending against known network attacks with the firewall, and performing defensive processing according to the filtering instructions of the attack-IP filtering unit;
using the intrusion detection system, which takes the firewall's defense output as its input, to further detect known DDOS attacks;
filtering, by the attack-IP filtering unit, user IPs judged to show attack behavior, the filtering consisting of stopping that IP's normal access to the Web server; the judgment results are accumulated and cached as points, the cached points are dynamically assessed, and the assessment decides whether the IP must be filtered or may regain the qualification to log in to the system.
Compared with the prior art, the present invention is easy to apply; compared with traditional schemes it not only guarantees normal users' access to the greatest extent but also shields attacks quickly.
Accompanying drawing explanation
Fig. 1 is a structural block diagram of a website DDOS attack defense system based on an "integral strategy" according to the present invention;
Fig. 2 is a flow chart of the operation of a website DDOS attack defense method based on an "integral strategy" according to the present invention.
Embodiment
The specific embodiments of the present invention are further described below with reference to the drawings and examples.
Figs. 1-2 show the structural block diagram and the operating flow of a website DDOS attack defense system based on an "integral strategy" according to the present invention.
1. Related definitions.
(1) Service price: this value represents the number of points a user must pay to use a given service or access a given page. Each service price is X_i = C_i × Q_i, where C_i is the revenue weight of the service or page (for example, for a website whose main business is its database service, database queries carry the largest weight, and the others decrease accordingly) and Q_i is the resource cost the service requires, a value that combines the CPU cost, memory, bandwidth, I/O speed and so on consumed by the service or page.
(2) Points (integral): this value is the currency spent to obtain a service or access a page; if services and pages are regarded as goods, points are the money used to buy them. The amount of points held is also an important indicator of whether a user is a normal user.
2. Specific method
The system of the present invention is composed of the following modules:
(1) Firewall: the firewall defends not only against known, common external attacks, but also performs packet filtering on the blacklisted IPs maintained by the queue module within the model. The firewall also has a logging function that records network access data, which is of some help in analysing network attacks.
(2) Intrusion detection system: this system runs a rule matcher that detects DDOS attacks of known patterns and relieves the server's burden.
(3) Points-calculating module:
If a requesting IP is not in the whitelist of the user-control module, that IP is treated as a new user. Each new IP is initialized with a points value a (this value should be enough for a normal user to complete access or enjoy the service for a sufficiently long time, but far from enough for an attacking IP that accesses at high frequency). Each time a service is requested or a page accessed, the corresponding points are deducted according to the service price table in the consumption module and returned to the points-calculating module for settlement; when a user passes a test from the reward module, the corresponding reward points are added to that user IP.
When the accumulated points exceed the threshold B_max, the IP is regarded as a normal user and placed in the user-control module, after which the services or pages it requests no longer consume points. If the points value falls below the minimum threshold B_min, the IP is placed in the queue module for further processing. When the points of an IP in the queue module rise above the threshold B_min again, it is retrieved and placed back into the points-calculating module, which restores its consumption qualification.
(4) Reward module: this module is the key module for deciding whether a user is a normal user; if the IP has already been authenticated as a normal user, this module does not act. It is responsible for sending tests to the client (such as a Turing test or some simple logic tests), collecting the client's responses, and awarding reward points according to the client's performance.
(5) Consumption module: this module maintains a service (or page) price table. Whenever a request is received, it looks up the corresponding service price in the table and passes the price information to the points-calculating module for calculation. When the requesting user has been authenticated as a normal user, the service price this module passes to the points-calculating module is always 0.
(6) Queue module: this module maintains a points table for suspected-blacklist IPs and accepts the suspected attacking IPs forwarded from the points-calculating module. IPs in the queue module cannot make service requests, but are shown a small page prompting them to log in or register (a successful login directly authenticates the IP as a normal user), or, with a certain probability, a user-detection scenario through which reward points can be earned. When the points exceed the threshold B_min, the IP is returned to the points-calculating module. This module also records how long each IP has been on the blacklist; the longer the time, the more suspicious the IP, and IPs whose accumulated time exceeds the threshold T are finally sent to the firewall for filtering.
(7) User-control module: this module maintains a table of authenticated users (the whitelist). Users on the whitelist enjoy free consumption.
The operation of a website DDOS attack defense method based on an "integral strategy" according to the present invention is as follows:
1. For a new IP of a new user, each IP is initialized with a points value a;
2. Before accessing a web page or requesting a service, the user may, with varying probability, encounter different user-behavior tests; when these tests are passed through the reward module, the system adds the corresponding reward points to that user IP;
3. If the points value falls below the minimum threshold B_min, the IP is placed in the queue module;
4. An IP in the queue module cannot obtain service, but may be prompted to log in or register, or be given other tests by the reward module, and thereby obtain authentication as a normal user or earn some reward points;
5. When the points of an IP in the queue module rise above the threshold B_min again, it is retrieved and placed back into the points-calculating module, regaining its consumption qualification;
6. When the accumulated points exceed the threshold B_max, the IP is regarded as a normal user and added to the whitelist in the user-control module, after which the services or pages it requests no longer consume points;
7. Each request for a service or access to a page deducts the corresponding service price, which is returned to the points-calculating module for settlement;
8. The queue module sends IPs whose accumulated time exceeds T_bad to the firewall as blacklisted IPs to be filtered.
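As an added worked example in Python (not part of the patent text), the following sketch implements the points accounting that the modules and steps above describe: the initial points a, a price table X_i = C_i × Q_i, the thresholds B_min and B_max, the queue module's time limit T_bad, and the hand-off of a long-queued IP to the firewall. The module names are mapped to per-IP states, and all numeric values, paths and IP addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    CONSUMING = "points-calculating module"  # every request costs points
    QUEUED = "queue module"                  # no service, only login/test prompts
    WHITELIST = "user-control module"        # authenticated: price is always 0
    BLOCKED = "firewall"                     # packet-filtered by the firewall

# Constructed parameters: initial points a, thresholds B_min / B_max, queue limit T_bad.
A, B_MIN, B_MAX, T_BAD = 100, 0, 300, 5
# Constructed price table X_i = C_i * Q_i (revenue weight C_i times resource cost Q_i).
PRICES = {"/": 1 * 1, "/search": 5 * 4, "/download": 2 * 10}

@dataclass
class IpRecord:
    points: int = A                  # step 1: a new IP starts with a points
    state: State = State.CONSUMING
    queued_ticks: int = 0            # time spent in the queue module

class IntegralDefense:
    def __init__(self):
        self.ips, self.firewall_blacklist = {}, set()

    def _reassess(self, rec):
        # Dynamic evaluation of the cached score (steps 3, 5, 6): above B_max -> whitelist,
        # below B_min -> queue module, otherwise (back) in the points-calculating module.
        if rec.state not in (State.WHITELIST, State.BLOCKED):   # final states stay put
            rec.state = (State.WHITELIST if rec.points > B_MAX else
                         State.QUEUED if rec.points < B_MIN else State.CONSUMING)

    def request(self, ip, path):
        # Step 7: deduct the service price and settle; True means the service was delivered.
        rec = self.ips.setdefault(ip, IpRecord())
        if rec.state in (State.QUEUED, State.BLOCKED):
            return False                             # steps 4 and 8: no service
        if rec.state is State.CONSUMING:             # whitelisted IPs pay 0
            rec.points -= PRICES.get(path, 1)
            self._reassess(rec)
        return True

    def passed_test(self, ip, reward):
        # Reward module (steps 2 and 4): a passed test adds reward points.
        rec = self.ips.setdefault(ip, IpRecord())
        rec.points += reward
        self._reassess(rec)

    def tick(self):
        # Queue module clock (step 8): queued longer than T_bad -> sent to the firewall.
        for ip, rec in self.ips.items():
            if rec.state is State.QUEUED:
                rec.queued_ticks += 1
                if rec.queued_ticks > T_BAD:
                    rec.state = State.BLOCKED
                    self.firewall_blacklist.add(ip)

def simulate():
    # Constructed scenario: one normal visitor and one high-frequency attacker.
    d = IntegralDefense()
    visitor_ok = sum(d.request("10.0.0.5", "/") for _ in range(3))        # 100 -> 97
    d.passed_test("10.0.0.5", 250)                                        # 347 > B_max
    attacker_ok = sum(d.request("198.51.100.7", "/search") for _ in range(10))  # -20 each
    for _ in range(6):
        d.tick()                                     # 6 ticks > T_bad: firewall
    return d, visitor_ok, attacker_ok
```

The attacker is served only until its points drop below B_min (six requests here), then sits in the queue until the time limit hands it to the firewall, while the visitor who passed a test is whitelisted and pays nothing afterwards.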
Claims (2)
1. A website DDOS attack defense system based on an "integral strategy", the system comprising a client, a firewall, an intrusion detection system and a Web server, characterized in that it further comprises an attack-IP filtering unit between the intrusion detection system and the Web server, wherein:
the firewall, besides defending against known network attacks, also performs defensive processing in this system according to the filtering instructions of the attack-IP filtering unit;
the intrusion detection system takes the defense output of the firewall as its input and detects known DDOS attacks;
the attack-IP filtering unit filters user IPs judged to show attack behavior, the filtering consisting of stopping that IP's normal access to the Web server; the judgment results are accumulated and cached as points, the cached points are dynamically assessed, and the assessment decides whether the IP must be filtered or may regain the qualification to log in to the system.
2. A website DDOS attack defense method based on an "integral strategy", characterized in that the method comprises the following steps:
defending against known network attacks with the firewall, and performing defensive processing according to the filtering instructions of the attack-IP filtering unit;
using the intrusion detection system, which takes the firewall's defense output as its input, to further detect known DDOS attacks;
filtering, by the attack-IP filtering unit, user IPs judged to show attack behavior, the filtering consisting of stopping that IP's normal access to the Web server; the judgment results are accumulated and cached as points, the cached points are dynamically assessed, and the assessment decides whether the IP must be filtered or may regain the qualification to log in to the system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310651436.2A CN103618730A (en) | 2013-12-04 | 2013-12-04 | Website DDOS attack defense system and method based on integral strategy |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103618730A true CN103618730A (en) | 2014-03-05 |
Family ID: 50169434
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103618730A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101414927A (en) * | 2008-11-20 | 2009-04-22 | 浙江大学 | Alarm and response system for inner-mesh network aggression detection |
CN101631026A (en) * | 2008-07-18 | 2010-01-20 | 北京启明星辰信息技术股份有限公司 | Method and device for defending against denial-of-service attacks |
CN102438026A (en) * | 2012-01-12 | 2012-05-02 | 冶金自动化研究设计院 | Industrial control network security protection method and system |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105262757A (en) * | 2015-10-29 | 2016-01-20 | 武汉光迅科技股份有限公司 | Data access method on the basis of IP protection |
CN106209902A (en) * | 2016-08-03 | 2016-12-07 | 常熟高新技术创业服务有限公司 | A kind of network safety system being applied to intellectual property operation platform and detection method |
CN108667783A (en) * | 2017-04-01 | 2018-10-16 | 贵州白山云科技有限公司 | A kind of Accurate Interception methods, devices and systems for IP address |
CN108667783B (en) * | 2017-04-01 | 2019-05-17 | 北京数安鑫云信息技术有限公司 | A kind of Accurate Interception methods, devices and systems for IP address |
CN107483484A (en) * | 2017-09-13 | 2017-12-15 | 北京椰子树信息技术有限公司 | One kind attack protection drilling method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication | | Application publication date: 20140305 |