CN103701794A - Identification method and device for denial of service attack - Google Patents

Identification method and device for denial of service attack

Info

Publication number: CN103701794A
Application number: CN201310714511.5A
Authority: CN (China)
Prior art keywords: request, amount, denial, destination host, threshold value
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 蒋文旭
Current Assignee: Beijing Qianxin Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310714511.5A
Publication of CN103701794A

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an identification method and device for denial of service attacks. The identification method comprises the following steps: obtaining the total number of access requests sent to a target host within a first preset time period and recording it as the first request amount; judging whether the first request amount exceeds a threshold value, the threshold value being calculated from the page views of the target host; and, if so, determining that the target host is under a denial of service attack. According to the technical scheme disclosed by the invention, the total number of access requests sent to the target host within the preset time is used as the object of judgement, and a threshold value obtained from page-view statistics of the target host serves as the criterion for whether a denial of service attack is under way. The attack is identified by summarising the phenomenon of denial of service, so that corresponding measures can conveniently be taken; the accuracy of identification is greatly improved and the security protection of the host is realised.

Description

Identification method and device for denial of service attacks
Technical field
The present invention relates to the field of internet security, and in particular to an identification method and device for denial of service attacks.
Background technology
A denial of service attack is one in which an attacker tries by every means to make the target machine stop providing services or resource access; it is one of the attack techniques commonly used by hackers. A large number of requests exceeding the target's capacity to respond is used to consume the target's resources, including disk space, memory, processes and even network bandwidth, thereby preventing access by normal users. In serious cases some services may be suspended or the host may even crash.
The CC attack (Challenge Collapsar, literally "challenge black hole") is one kind of denial of service attack: a malicious technique that continuously sends connection requests to a website in order to cause denial of service. Its principle is to simulate many users ceaselessly accessing pages that require large amounts of data processing, so that the target host's server resources are exhausted until the machine crashes.
Because the attack pattern of a CC attack consists of access requests that imitate a user, it is hard to distinguish from legitimate traffic; the technical threshold for a CC attack is low, since some tools and a certain number of proxy IPs are enough to launch one; and its effect is obvious.
In the prior art, the handling of denial of service attacks, and of CC attacks in particular, mainly relies on methods such as forbidding proxy access to the website, limiting the number of connections, and making the website's pages static as far as possible. However, forbidding proxy access and limiting the number of connections affects normal users' access to the website, and because of restrictions of page type and content not all pages can be made static, so this approach cannot eliminate the effect of CC attacks. No effective solution has yet been proposed for the problem that the prior art cannot accurately identify denial of service attacks.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an identification device for denial of service attacks, and a corresponding identification method, that overcome or at least partly solve the above problems. A further object of the present invention is to identify denial of service attacks aimed at a destination host.
According to one aspect of the present invention, an identification method for denial of service attacks is provided. The method comprises the following steps: obtaining the total number of access requests sent to the destination host within a first predetermined time period, recorded as the first request amount; judging whether the first request amount exceeds a threshold value, the threshold value being obtained by statistics on the destination host's visit volume; and, if so, determining that the destination host is under a denial of service attack.
Optionally, the step of statistically computing the threshold value comprises: recording one first request amount at every first predetermined time period, obtaining a plurality of first request amounts; selecting a plurality of sample values from the plurality of first request amounts according to a preset rule; and calculating the mean of the plurality of sample values and setting the threshold value according to the mean.
Optionally, selecting a plurality of sample values from the plurality of first request amounts according to a preset rule comprises: taking the plurality of first request amounts produced within a second predetermined time period, the second predetermined time period being an integral multiple of the first, and recording the maximum of these first request amounts as the second request amount; obtaining one second request amount for each of a plurality of consecutive second predetermined time periods, and, after filtering out those second request amounts that deviate markedly from the others, taking the remainder as the plurality of sample values.
Optionally, setting the threshold value according to the mean comprises: calculating the product of the mean and a predetermined coefficient, the range of the predetermined coefficient being 1.05 to 1.3; and using the product as the threshold value.
Optionally, obtaining the total number of access requests sent to the destination host within the first predetermined time period comprises: reading the running log file of a web application firewall connected in data communication with the destination host; and counting the access requests sent to the destination host that are recorded in the running log file within the first predetermined time period, obtaining the first request amount.
Optionally, after determining that the destination host is under a denial of service attack, the method further comprises: sending verification information to a requester that sends access requests to the destination host, and receiving the requester's subsequent request information; judging whether the subsequent request information matches the verification information, and, if so, sending the requester's access request to the destination host.
Optionally, after determining that the destination host is under malicious attack, the method further comprises: analysing the running log file to find requesters whose request amount to the destination host is abnormal; and filtering out the access requests sent by such requesters.
According to another aspect of the present invention, an identification device for denial of service attacks is also provided. The device comprises: an access request acquisition module, for obtaining the total number of access requests sent to the destination host within the first predetermined time period, recorded as the first request amount; a judging module, for judging whether the first request amount exceeds the threshold value, the threshold value being obtained by statistics on the destination host's visit volume; and an identification module, for determining that the destination host is under a denial of service attack when the output of the judging module is yes.
Optionally, the device further comprises a threshold statistics module, for recording one first request amount at every first predetermined time period, obtaining a plurality of first request amounts; selecting a plurality of sample values from them according to a preset rule; and calculating the mean of the sample values and setting the threshold value according to the mean.
The threshold statistics module is configured to: take the plurality of first request amounts produced within the second predetermined time period, which is an integral multiple of the first, and record the maximum of them as the second request amount; obtain one second request amount for each of a plurality of consecutive second predetermined time periods, and, after filtering out those that deviate markedly, take the remainder as the sample values; and calculate the product of the mean and a predetermined coefficient in the range 1.05 to 1.3, using the product as the threshold value.
Optionally, the access request acquisition module is configured to: read the running log file of a web application firewall connected in data communication with the destination host; and count the access requests sent to the host that are recorded in the running log file within the first predetermined time period, obtaining the first request amount.
Optionally, the device further comprises a first protection module, for sending verification information to a requester that sends access requests to the destination host, receiving the requester's subsequent request information, judging whether the subsequent request information matches the verification information and, if so, sending the requester's access request to the destination host; and/or a second protection module, for analysing the running log file to find requesters whose request amount to the destination host is abnormal, and filtering out the access requests they send.
The identification method and device of the present invention use the total number of access requests sent to the destination host within a predetermined time as the object of judgement, and use a threshold value obtained from statistics on the destination host's visit volume as the criterion for whether a denial of service attack is under way. By summarising the phenomenon of a denial of service attack, the attack is identified so that corresponding measures can be taken; this greatly improves the accuracy of identification and realises the security protection of the host.
Further, the threshold value is derived by a statistical algorithm with no human intervention, so it automatically matches the destination host's capacity to process access requests and meets the protection requirements of different destination hosts.
Still further, once a denial of service attack is identified, the corresponding protection mechanism is started to protect the safe operation of the destination host, and the source carrying out the attack can be found from the identification result, providing data support for subsequent security handling.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
From the following detailed description of specific embodiments, with reference to the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the present invention.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings the same reference symbols denote the same parts. In the drawings:
Fig. 1 is a schematic diagram of the network application environment of an identification device 200 for denial of service attacks according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the identification device 200 for denial of service attacks according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the identification method for denial of service attacks according to an embodiment of the invention;
Fig. 4 is a chart of the highest 5-minute visit volumes over 30 consecutive days in the identification method for denial of service attacks according to an embodiment of the invention; and
Fig. 5 is a chart of the request amounts received by the destination host in the identification method for denial of service attacks according to an embodiment of the invention.
Embodiment
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein, and from the above description the structure required to construct such a system is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described here, and that any description of a specific language above is given in order to disclose the best mode of the present invention.
Fig. 1 is a schematic diagram of the network application environment of the identification device 200 for denial of service attacks according to an embodiment of the invention. In the figure, when a web client 110 accesses a target website it must send access requests over the Internet to the host 130 of the target website; between the web client 110 and the destination host 130 a web application firewall (WAF) is provided, and access requests sent by the web client 110 can only reach the destination host 130 by passing through the WAF 120. The WAF 120, as the website's firewall, provides website acceleration and caching services, can prevent hackers from using vulnerabilities such as cross-site injection to break into the website, protects the website from tampering and intrusion, and improves the security of the web host. The identification device 200 of the embodiment of the present invention is connected in data communication with a plurality of WAFs 130, and identifies denial of service attacks from the access requests to the destination host 130 received by the WAFs 130.
Fig. 2 is a schematic diagram of the identification device 200 for denial of service attacks according to an embodiment of the invention. The identification device 200 may in general comprise an access request acquisition module 210, a judging module 220 and an identification module 230; in some optimised schemes a threshold statistics module 240, a first protection module 250 and a second protection module 260 may additionally be provided.
Among the above components, the access request acquisition module 210 obtains the total number of access requests sent to the destination host within the first predetermined time period, recorded as the first request amount; the judging module 220 judges whether the first request amount exceeds the threshold value, which is obtained by statistics on the destination host's visit volume; and the identification module 230 determines that the destination host is under a denial of service attack when the output of the judging module is yes.
Because the identification device 200 of this embodiment uses the total number of access requests sent to the destination host within a predetermined time as the object of judgement, it identifies denial of service attacks by summarising the phenomenon of such attacks, so that corresponding measures can be taken.
When a denial of service attack is under way, the request amount received by the destination host 130 in a short time is markedly higher than the normal request amount; however, different websites have different visit volumes. So that the threshold value set for the destination host 130 matches its access capacity, the identification device 200 of this embodiment may also include a threshold statistics module 240. The threshold statistics module 240 records one first request amount at every first predetermined time period, obtaining a plurality of first request amounts; selects a plurality of sample values from them according to a preset rule; and calculates the mean of the sample values and sets the threshold value according to the mean.
One way of configuring the threshold statistics module 240 is: take the first request amounts produced within the second predetermined time period, which is an integral multiple of the first, and record the maximum of them as the second request amount; obtain one second request amount for each of a plurality of consecutive second predetermined time periods, and, after filtering out those that deviate markedly, take the remainder as the sample values; calculate the product of the mean and a predetermined coefficient in the range 1.05 to 1.3, and use the product as the threshold value.
To ensure the accuracy of identification, the first and second predetermined time periods above were both arrived at through extensive testing. If the first predetermined time period is set too short, the fluctuation is large and misidentification is likely; if it is set too long, the fluctuation is smoothed out too much and cannot reflect changes in the request amount. From the results of extensive tests, the first predetermined time period can be set to 3 to 8 minutes, with 5 minutes as the optimal value; that is, every 5 minutes the total number of access requests sent to the destination host 130 during those 5 minutes is determined as the first request amount.
To determine the above threshold value it is necessary to determine the maximum access request amount under normal access conditions. Since the visit volume of a typical website fluctuates on a daily cycle, the period over which the threshold statistics module 240 selects sample values, the second predetermined time period, can be one day. The process of selecting sample values can then be: obtain one first request amount every 5 minutes, and from the 288 first request amounts of a day select the maximum as the second request amount. Because a second request amount may be affected by abnormal factors, some values show a relatively large deviation: for example, a statistics error on one day may make the request amount zero, or on some day the site suffers a denial of service attack and the visit volume increases. These clearly deviating values are caused by abnormal access and need to be filtered out. A simple method of choosing sample values from the second request amounts is: take the 30 second request amounts of the most recent 30 days, filter out the three largest and the three smallest, and use the remaining 24 second request amounts as the sample values. This method is simple to compute and reasonably effective. Alternatively, sample values can be chosen from the second request amounts using a variance-based statistic, deleting any second request amount whose variance exceeds a predetermined value.
In the identification device 200 of this embodiment, the threshold statistics module 240 can multiply the mean of the selected sample values by the predetermined coefficient to obtain the final threshold value. The purpose of the coefficient is to reserve a certain margin above the website's request amount and prevent mistaken blocking; its range is 1.05 to 1.3, and the value generally chosen can be 1.2. That is, exceeding the maximum visit volume under normal access by 20% is taken as the condition for determining a denial of service attack.
The threshold value determined by the threshold statistics module 240 can be adjusted dynamically, for example by recalculating it every day using the visit data of the preceding 30 days, so that the judgement is more accurate: when a website's visit volume increases gradually, the threshold value increases dynamically, preventing misidentification of denial of service attacks caused by business changes. Nor is the calculation of the threshold value limited to summing and averaging the sample values; any statistical method that reflects the maximum normal visit volume of the website can be used to calculate the threshold value. The summing and averaging preferred in this embodiment is merely one method with a smaller computational load.
The first predetermined time period, second predetermined time period and predetermined coefficient above are all empirical values obtained from statistics on network access conditions, and can be adjusted flexibly as denial of service attacks change.
The request amount data obtained by the access request acquisition module 210 is the data basis on which this embodiment identifies denial of service attacks. Because a typical WAF 120 keeps a running log recording the access requests passing through it, the access request acquisition module 210 can be configured to: read the running log file of the WAF 120 connected in data communication with the destination host; and count the access requests sent to the host that are recorded in the running log file within the first predetermined time period, obtaining the first request amount. For example, the access request acquisition module 210 obtains the running logs from all WAFs 120 in real time, and statistical analysis of the running logs yields the required access request data.
After identifying an attack, the identification device 200 can start a protection mechanism to protect the destination host. In this case the first protection module 250 and/or the second protection module 260 can be deployed. The first protection module 250 sends verification information to a requester that sends access requests to the destination host and receives the requester's subsequent request information; it judges whether the subsequent request information matches the verification information and, if so, sends the requester's access request to the destination host. The verification data may comprise browser client information (a cookie), a script file (JavaScript), or image data.
When the verification data is a cookie, after the request sender obtains the cookie the normal behaviour is to resend to the WAF 120, carrying this cookie, the request that redirects to the host address; if the request returned by the request sender has not processed the cookie, this indicates that the sender's requests are an attack.
When the verification data is a JavaScript file, after the request sender obtains the JavaScript the normal behaviour is to execute it and return the script's execution result; if the request returned by the sender has not executed the JavaScript, this likewise indicates that the sender's requests are an attack.
Image verification data is also an effective means of protection. For example, when the current visit volume exceeds the threshold value, an image can be sent to all request senders in a manner similar to a CAPTCHA: the requester must enter the text or other content contained in the image and feed it back to the destination host, and if the recognised result corresponds to the image, the current access is shown to be normal.
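As an added example (not code from the patent or its assignee), the following Python sketch shows the cookie variant of the first protection module 250: while the host is flagged, a requester without a valid token is answered with a Set-Cookie challenge and a redirect back to the host address, and only a follow-up request that presents a token bound to the same requester address and still within its validity window is forwarded. The token format, the HMAC key, the 300-second validity, the cookie name, the request/response dictionaries and the client addresses are all assumptions made for this example.

```python
import hmac
import hashlib

# Key for signing challenge tokens. Constructed for this example only; a real
# deployment loads it from configuration, never from source code.
CHALLENGE_KEY = b"example-challenge-key-for-illustration-only"
CHALLENGE_TTL_SECONDS = 300          # assumption: a token is honoured for five minutes
COOKIE_NAME = "waf_chk"              # assumed cookie name


def _token_mac(client_ip, issued_at):
    """HMAC binding the token to the requester's address and issue time."""
    message = f"{client_ip}|{issued_at}".encode()
    return hmac.new(CHALLENGE_KEY, message, hashlib.sha256).hexdigest()


def issue_challenge(client_ip, original_url, now):
    """Verification response: Set-Cookie with a signed token plus a redirect back
    to the originally requested host address (the cookie challenge in the description)."""
    issued_at = int(now)
    token = f"{issued_at}.{_token_mac(client_ip, issued_at)}"
    return {
        "status": 302,
        "headers": {
            "Set-Cookie": f"{COOKIE_NAME}={token}; Path=/; HttpOnly",
            "Location": original_url,
        },
    }


def _parse_cookie_header(value):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def subsequent_request_verified(request, now):
    """True only if the follow-up request carries a token whose MAC matches this
    requester's address and whose issue time is within the validity window."""
    cookies = _parse_cookie_header(request["headers"].get("Cookie", ""))
    token = cookies.get(COOKIE_NAME, "")
    issued_str, sep, mac = token.partition(".")
    if not sep or not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    if not 0 <= now - issued_at <= CHALLENGE_TTL_SECONDS:
        return False            # expired or from the future: treat as unverified
    expected = _token_mac(request["ip"], issued_at)
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_while_flagged(request, now):
    """Decision for one request while the destination host is flagged as under
    attack: forward verified requests, answer everything else with the challenge."""
    if subsequent_request_verified(request, now):
        return "forward", None
    return "challenge", issue_challenge(request["ip"], request["url"], now)
```

A sender that never processes the Set-Cookie header and simply repeats its original request keeps receiving the challenge and never reaches the host, which is exactly the distinction the description draws between a browser and an attack tool. The JavaScript variant has the same shape: the server hands out a script, and only a follow-up request carrying the script's expected result is forwarded.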
The image verification above affects the experience of normal visitors to a certain extent. Therefore the second protection module 260 can further analyse the running log file to find requesters whose request amount to the destination host is abnormal, and filter out the access requests they send. The analysis may include checking whether the IP of a given request source is clearly abnormal and whether access to a given URL of the destination host is clearly abnormal; through such precise identification the effect on normal access after protection is switched on can be avoided.
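As an added example (not the patent's own code), the following Python code puts the two log-driven pieces described above in one place: the access request acquisition module 210 counting the requests to the destination host recorded in the WAF's running log within one 5-minute period (the first request amount), and the second protection module 260 analysing the same period for source IPs and URLs whose request counts are clearly abnormal, then filtering those sources out. The log line layout, the host and client addresses, the rule that "clearly abnormal" means more than five times the median per-key count with at least 20 requests, and the sample log itself are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Assumed running-log layout (constructed; real WAF products use their own formats).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) host=(?P<host>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

FIRST_PERIOD = timedelta(minutes=5)   # first predetermined time period (5 minutes preferred)
ABNORMAL_FACTOR = 5                   # assumption: > 5x the median count is "clearly abnormal"
ABNORMAL_MINIMUM = 20                 # assumption: never flag a key with fewer requests


def parse_log(lines):
    """Parse running-log lines into (timestamp, ip, host, url); malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["ip"], m["host"], m["url"]))
    return records


def requests_in_period(records, target_host, period_start, period=FIRST_PERIOD):
    """Requests to target_host recorded in [period_start, period_start + period)."""
    period_end = period_start + period
    return [r for r in records if r[2] == target_host and period_start <= r[0] < period_end]


def first_request_amount(records, target_host, period_start):
    """Access request acquisition module: the count that is compared with the threshold."""
    return len(requests_in_period(records, target_host, period_start))


def abnormal_keys(counts, factor=ABNORMAL_FACTOR, minimum=ABNORMAL_MINIMUM):
    """Keys (source IPs or URLs) whose count is far above the median of all keys."""
    if not counts:
        return []
    typical = median(counts.values())
    return sorted(k for k, n in counts.items() if n >= minimum and n > factor * typical)


def analyse_period(records, target_host, period_start):
    """Second protection module: find clearly abnormal source IPs and URLs in the
    period and report how many requests remain once those sources are filtered."""
    window = requests_in_period(records, target_host, period_start)
    abnormal_ips = abnormal_keys(Counter(r[1] for r in window))
    abnormal_urls = abnormal_keys(Counter(r[3] for r in window))
    blocked = set(abnormal_ips)
    filtered = [r for r in window if r[1] not in blocked]
    return {
        "first_request_amount": len(window),
        "abnormal_ips": abnormal_ips,
        "abnormal_urls": abnormal_urls,
        "remaining_after_filter": len(filtered),
    }


def constructed_log():
    """Sample log for the example (constructed, not captured from any real system)."""
    base = datetime(2013, 12, 20, 12, 0, 0)
    host = "www.example.com"
    lines = []
    # five ordinary visitors, three page views each, spread across the period
    for i in range(5):
        for j, url in enumerate(["/index", "/news", "/index"]):
            t = base + timedelta(seconds=30 * i + 60 * j)
            lines.append(f"{t.isoformat()} client=198.51.100.{i + 1} host={host} url={url} status=200")
    # one source fetching a data-heavy page 60 times in four minutes
    for k in range(60):
        t = base + timedelta(seconds=4 * k)
        lines.append(f"{t.isoformat()} client=203.0.113.9 host={host} url=/search status=200")
    # lines that must not be counted: next period, other host, malformed
    lines.append(f"{(base + FIRST_PERIOD).isoformat()} client=198.51.100.1 host={host} url=/index status=200")
    lines.append(f"{(base + timedelta(seconds=10)).isoformat()} client=198.51.100.2 host=other.example.net url=/ status=200")
    lines.append("this line is deliberately malformed")
    return lines


PERIOD_START = datetime(2013, 12, 20, 12, 0, 0)
REPORT = analyse_period(parse_log(constructed_log()), "www.example.com", PERIOD_START)
```

The per-period count from `first_request_amount` is what the judging module compares with the threshold; `analyse_period` then shows why the description prefers log analysis over a blanket image challenge once an attack is flagged: the single source responsible for 60 of the 75 requests is isolated, and the 15 requests of ordinary visitors pass untouched.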
An embodiment of the present invention also provides an identification method for denial of service attacks, which can be executed by the identification device 200 of the embodiment above to identify denial of service attacks aimed at a destination host. Fig. 3 is a schematic diagram of the identification method according to an embodiment of the invention; the method comprises the following steps:
Step S302: obtain the total number of access requests sent to the destination host within the first predetermined time period, recorded as the first request amount;
Step S304: judge whether the first request amount exceeds the threshold value, which is obtained by statistics on the destination host's visit volume;
Step S306: if so, determine that the destination host is under a denial of service attack.
The step of statistically computing the above threshold value can comprise: record one first request amount at every first predetermined time period, obtaining a plurality of first request amounts; select a plurality of sample values from them according to a preset rule; calculate the mean of the sample values and set the threshold value according to the mean.
Here, selecting sample values from the first request amounts according to the preset rule can comprise: take the first request amounts produced within the second predetermined time period, which is an integral multiple of the first, and record their maximum as the second request amount; obtain one second request amount for each of a plurality of consecutive second predetermined time periods and, after filtering out those that deviate markedly, take the remainder as the sample values. Setting the threshold value according to the mean can comprise: calculate the product of the mean and a predetermined coefficient in the range 1.05 to 1.3, and use the product as the threshold value.
The data source for step S302 can be the running log file of a web application firewall, so step S302 can comprise: read the running log file of the web application firewall connected in data communication with the destination host; count the access requests sent to the destination host that are recorded in the running log file within the first predetermined time period, obtaining the first request amount.
The computation of the above threshold value can be adjusted dynamically, for example by recalculating it every day from the running log files of the preceding 30 days, so that the judgement is more accurate: when a website's visit volume increases gradually, the threshold value can be adjusted dynamically, preventing misidentification of denial of service attacks caused by business changes. Nor is the calculation limited to summing and averaging the sample values; any statistical method that reflects the maximum normal visit volume of the website can be used, and the summing and averaging preferred in this embodiment is merely one method with a smaller computational load.
The first predetermined time period, second predetermined time period and predetermined coefficient above are all empirical values obtained from statistics on network access conditions, and can be adjusted flexibly as denial of service attacks change. For example, the first predetermined time period can be set to 3 to 8 minutes, with 5 minutes as the optimal value; the second predetermined time period can be one day; and the predetermined coefficient ranges from 1.05 to 1.3, with 1.2 as the value generally chosen.
After a denial of service attack is identified, the corresponding protection mechanism can be started. Specifically, after step S306: send verification information to a requester that sends access requests to the destination host and receive the requester's subsequent request information; judge whether the subsequent request information matches the verification information and, if so, send the requester's access request to the destination host.
To avoid affecting normal access after protection is switched on, after step S306 the running log file can also be analysed to find requesters whose request amount to the destination host is abnormal, and the access requests they send filtered out.
An application example of the denial of service attack identification method of the above embodiment, applied to a media site, is introduced below.
Fig. 4 is a chart of the highest 5-minute access counts over 30 consecutive days in the denial of service attack identification method according to an embodiment of the invention, and Fig. 5 is a chart of the request amounts received by the destination host in the denial of service attack identification method according to an embodiment of the invention.
On a certain day, the protection logs of the multiple WAFs protecting this media site were aggregated to obtain the highest 5-minute access count for each of the preceding 30 days. Fig. 4 shows these peaks as a line chart. Obvious fluctuations can be seen: a sudden peak on the 8th, which was probably a CC attack, and no traffic on the 15th, probably caused by a network outage. When computing the denial of service attack threshold, the 3 largest and the 3 smallest of the 30 second request amounts are filtered out, and the remaining 14 values are averaged to give 300,000, indicating that the peak 5-minute traffic of this media site is generally 300,000; the identification threshold for denial of service attacks is therefore computed as 300,000 × 1.2 = 360,000.
Fig. 5 shows the access statistics for every 5 minutes from 12:00 to 12:30 on the same day, giving 6 first request amounts, the last of which is 500,000 and exceeds the computed threshold of 360,000; in this case it can be determined that the current host is under a denial of service attack.
Once the denial of service attack is determined, the WAF enables an image verification protection mechanism: a predetermined image is sent to every requester, and only access requests carrying a response that matches the image content are allowed through the WAF to the media site's servers. The denial of service attack identification device further analyzes the requests rejected by the protection during the attack, determines the attack sources, and filters their requests; when the traffic drops below the 360,000 threshold, the protection is closed.
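The threshold computation from the 30-day peaks, the step S304/S306 comparison and the post-protection attack-source analysis, as an added Python example that is not the patent's own code; the WAF log format, the helper names, the constructed 30-day history and the per-client anomaly rule (count above a multiple of the median) are assumptions.

```python
"""Added example, not the patent's own code: the threshold-based denial of
service identification described in CN103701794A, fed from constructed WAF
log lines.  Log format, helper names, history values and the per-client
anomaly rule are assumptions made for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, median

FIRST_PERIOD_MIN = 5   # "first predetermined time period": 5 minutes
COEFFICIENT = 1.2      # preset coefficient, the page's preferred value (range 1.05 to 1.3)
TRIM = 3               # daily maxima discarded at each end, as in the worked example

# Constructed WAF log lines: timestamp, client address, method, path, status.
SAMPLE_LOG = """\
2013-12-20 12:30:01 198.51.100.7 GET /index.html 200
2013-12-20 12:30:02 203.0.113.5 GET /index.html 200
2013-12-20 12:30:02 203.0.113.5 GET /index.html 200
2013-12-20 12:30:03 203.0.113.5 GET /index.html 200
2013-12-20 12:31:10 192.0.2.9 GET /news/1 200
2013-12-20 12:34:59 203.0.113.5 GET /index.html 200
2013-12-20 12:35:00 198.51.100.7 GET /news/2 200
"""

# Constructed 30-day history of daily 5-minute peaks shaped like the page's
# figures: an attack-like spike, an outage day (0) and a few outliers sit at
# the ends and are trimmed; the remaining 24 days average 300,000.
SAMPLE_HISTORY = [300000] * 24 + [900000, 450000, 420000, 0, 150000, 180000]


def parse_log(text):
    """Yield (timestamp, client) per record; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[2]


def window_start(ts, minutes=FIRST_PERIOD_MIN):
    """Truncate a timestamp to the start of its fixed window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def first_amounts(records):
    """First request amount per window: total requests in each 5-minute slot."""
    counts = Counter()
    for ts, _client in records:
        counts[window_start(ts)] += 1
    return counts


def second_amounts(window_counts):
    """Second request amount: the largest window count inside each day (the
    second period, one day, is an integer multiple of the first)."""
    per_day = defaultdict(int)
    for start, n in window_counts.items():
        per_day[start.date()] = max(per_day[start.date()], n)
    return [per_day[d] for d in sorted(per_day)]


def threshold(daily_maxima, trim=TRIM, coefficient=COEFFICIENT):
    """Drop the `trim` largest and smallest daily maxima (an earlier attack
    peak or an outage day would otherwise skew the mean), average the rest
    and scale by the coefficient."""
    if len(daily_maxima) <= 2 * trim:
        raise ValueError("need more than %d days of history" % (2 * trim))
    samples = sorted(daily_maxima)[trim:len(daily_maxima) - trim]
    return mean(samples) * coefficient


def under_attack(first_amount, limit):
    """Steps S304/S306: the host is judged attacked when the current
    5-minute total exceeds the threshold."""
    return first_amount > limit


def abnormal_requesters(records, start, minutes=FIRST_PERIOD_MIN, factor=3):
    """Assumed anomaly rule for the attack-source step: within the flagged
    window, clients whose request count exceeds `factor` times the median
    per-client count are reported for filtering.  A lone client is never
    flagged, since the median is then its own count."""
    end = start + timedelta(minutes=minutes)
    per_client = Counter(c for ts, c in records if start <= ts < end)
    if not per_client:
        return []
    typical = median(per_client.values())
    return sorted(c for c, n in per_client.items() if n > factor * typical)


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    limit = threshold(SAMPLE_HISTORY)  # 360000.0 with the constructed history
    print("threshold:", limit, "| 500,000 is attack:", under_attack(500000, limit))
    for start, n in sorted(first_amounts(recs).items()):
        print(start, n, abnormal_requesters(recs, start))
```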
With the denial of service attack identification method and device of this embodiment, the total amount of access requests sent to the destination host within the scheduled time is used as the judgement target, a threshold derived from the destination host's traffic statistics serves as the criterion for whether it is under attack, and the attack is identified from its observable phenomenon so that corresponding measures can be taken; this greatly improves the identification accuracy of denial of service attacks and realizes security protection of the host.
Further, the threshold is derived by a statistical algorithm without human intervention, automatically matching the destination host's capacity to handle access requests, and thus meets the protection requirements of different destination hosts.
Still further, after a denial of service attack is identified, the corresponding protection mechanism is enabled to protect the safe operation of the destination host, and the sources of the attack can be found from the identification result, providing data support for subsequent security handling.
Embodiments of the invention disclose:
A1. A method for identifying a denial of service attack, comprising:
obtaining the total amount of access requests sent to a destination host within a first predetermined time period, denoted the first request amount;
judging whether the first request amount exceeds a threshold value, the threshold value being derived from statistics of the traffic of the destination host;
if so, determining that the destination host is under a denial of service attack.
A2. The method according to A1, wherein the statistical computation of the threshold value comprises:
recording the first request amount once every first predetermined time period, obtaining a plurality of first request amounts;
selecting a plurality of sample values from the plurality of first request amounts according to a preset rule;
computing the mean of the plurality of sample values, and setting the threshold value according to the mean.
A3. The method according to A2, wherein selecting a plurality of sample values from the plurality of first request amounts according to a preset rule comprises:
selecting the plurality of first request amounts produced within a second predetermined time period, the second predetermined time period being an integer multiple of the first predetermined time period, and denoting the maximum of the first request amounts produced within the second predetermined time period the second request amount;
obtaining a plurality of second request amounts from a plurality of consecutive second predetermined time periods respectively, and, after filtering out the data with large deviation from the plurality of second request amounts, obtaining the plurality of sample values.
A4. The method according to A2 or A3, wherein setting the threshold value according to the mean comprises:
computing the product of the mean and a preset coefficient, the range of the preset coefficient being 1.05 to 1.3;
using the product as the threshold value.
A5. The method according to any one of A1 to A4, wherein obtaining the total amount of access requests sent to the destination host within the first predetermined time period comprises:
reading the running log file of the web application firewall connected to the destination host;
counting the access requests to the destination host recorded in the running log file within the first predetermined time period, obtaining the first request amount.
A6. The method according to A5, further comprising, after determining that the destination host is under a denial of service attack:
sending verification information to a requester that sends access requests to the destination host, and receiving the requester's subsequent request information;
judging whether the subsequent request information matches the verification information, and if so, sending the requester's access request to the destination host.
A7. The method according to A5, further comprising, after determining that the destination host is under a malicious attack:
analyzing the running log file to find a requester whose request amount to the destination host is abnormal;
filtering the access requests sent by that requester.
B8. A device for identifying a denial of service attack, comprising:
an access request acquisition module for obtaining the total amount of access requests sent to a destination host within a first predetermined time period, denoted the first request amount;
a judgement module for judging whether the first request amount exceeds a threshold value, the threshold value being derived from statistics of the traffic of the destination host;
an identification module for determining that the destination host is under a denial of service attack when the output of the judgement module is yes.
B9. The device according to B8, further comprising:
a threshold statistics module for recording the first request amount once every first predetermined time period, obtaining a plurality of first request amounts; selecting a plurality of sample values from the plurality of first request amounts according to a preset rule; and computing the mean of the plurality of sample values and setting the threshold value according to the mean.
B10. The device according to B9, wherein the threshold statistics module is configured to:
select the plurality of first request amounts produced within a second predetermined time period, the second predetermined time period being an integer multiple of the first predetermined time period, and denote the maximum of the first request amounts produced within the second predetermined time period the second request amount;
obtain a plurality of second request amounts from a plurality of consecutive second predetermined time periods respectively, and, after filtering out the data with large deviation from the plurality of second request amounts, obtain the plurality of sample values;
compute the product of the mean and a preset coefficient, the range of the preset coefficient being 1.05 to 1.3;
use the product as the threshold value.
B11. The device according to any one of B8 to B10, wherein the access request acquisition module is configured to:
read the running log file of the web application firewall connected to the destination host;
count the access requests to the host recorded in the running log file within the first predetermined time period, obtaining the first request amount.
B12. The device according to B11, further comprising:
a first protection module for sending verification information to a requester that sends access requests to the destination host, receiving the requester's subsequent request information, judging whether the subsequent request information matches the verification information, and if so sending the requester's access request to the destination host; and/or
a second protection module for analyzing the running log file to find a requester whose request amount to the destination host is abnormal, and
filtering the access requests sent by that requester.
Numerous specific details are set forth in the specification provided herein. It is understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the various features of the invention are sometimes grouped together in the above description of exemplary embodiments into a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the denial of service attack identification device according to embodiments of the invention. The invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for carrying out part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The words "a" or "an" preceding an element do not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Thus far, those skilled in the art will recognize that, although a plurality of exemplary embodiments of the invention have been illustrated and described in detail herein, many other variations or modifications conforming to the principles of the invention can still be determined or derived directly from the disclosure without departing from the spirit and scope of the invention. The scope of the invention should therefore be understood and deemed to cover all such other variations or modifications.

Claims (10)

1. A method for identifying a denial of service attack, comprising:
obtaining the total amount of access requests sent to a destination host within a first predetermined time period, denoted the first request amount;
judging whether the first request amount exceeds a threshold value, the threshold value being derived from statistics of the traffic of the destination host;
if so, determining that the destination host is under a denial of service attack.
2. The method according to claim 1, wherein the statistical computation of the threshold value comprises:
recording the first request amount once every first predetermined time period, obtaining a plurality of first request amounts;
selecting a plurality of sample values from the plurality of first request amounts according to a preset rule;
computing the mean of the plurality of sample values, and setting the threshold value according to the mean.
3. The method according to claim 2, wherein selecting a plurality of sample values from the plurality of first request amounts according to a preset rule comprises:
selecting the plurality of first request amounts produced within a second predetermined time period, the second predetermined time period being an integer multiple of the first predetermined time period, and denoting the maximum of the first request amounts produced within the second predetermined time period the second request amount;
obtaining a plurality of second request amounts from a plurality of consecutive second predetermined time periods respectively, and, after filtering out the data with large deviation from the plurality of second request amounts, obtaining the plurality of sample values.
4. The method according to claim 2 or 3, wherein setting the threshold value according to the mean comprises:
computing the product of the mean and a preset coefficient, the range of the preset coefficient being 1.05 to 1.3;
using the product as the threshold value.
5. The method according to any one of claims 1 to 4, wherein obtaining the total amount of access requests sent to the destination host within the first predetermined time period comprises:
reading the running log file of the web application firewall connected to the destination host;
counting the access requests to the destination host recorded in the running log file within the first predetermined time period, obtaining the first request amount.
6. The method according to claim 5, further comprising, after determining that the destination host is under a denial of service attack:
sending verification information to a requester that sends access requests to the destination host, and receiving the requester's subsequent request information;
judging whether the subsequent request information matches the verification information, and if so, sending the requester's access request to the destination host.
7. The method according to claim 5, further comprising, after determining that the destination host is under a malicious attack:
analyzing the running log file to find a requester whose request amount to the destination host is abnormal;
filtering the access requests sent by that requester.
8. A device for identifying a denial of service attack, comprising:
an access request acquisition module for obtaining the total amount of access requests sent to a destination host within a first predetermined time period, denoted the first request amount;
a judgement module for judging whether the first request amount exceeds a threshold value, the threshold value being derived from statistics of the traffic of the destination host;
an identification module for determining that the destination host is under a denial of service attack when the output of the judgement module is yes.
9. The device according to claim 8, further comprising:
a threshold statistics module for recording the first request amount once every first predetermined time period, obtaining a plurality of first request amounts; selecting a plurality of sample values from the plurality of first request amounts according to a preset rule; and computing the mean of the plurality of sample values and setting the threshold value according to the mean.
10. The device according to claim 9, wherein the threshold statistics module is configured to:
select the plurality of first request amounts produced within a second predetermined time period, the second predetermined time period being an integer multiple of the first predetermined time period, and denote the maximum of the first request amounts produced within the second predetermined time period the second request amount;
obtain a plurality of second request amounts from a plurality of consecutive second predetermined time periods respectively, and, after filtering out the data with large deviation from the plurality of second request amounts, obtain the plurality of sample values;
compute the product of the mean and a preset coefficient, the range of the preset coefficient being 1.05 to 1.3;
use the product as the threshold value.
Application CN201310714511.5A, priority date 2013-12-20, filing date 2013-12-20: Identification method and device for denial of service attack, pending, published as CN103701794A (en).


Publication: CN103701794A (en), publication date 2014-04-02.




Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C41 / TA01: Transfer of patent application right, effective date of registration 20161212
Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD., address 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3
Applicant before: Beijing Qihoo Technology Co., Ltd. and Qizhi Software (Beijing) Co., Ltd., address 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
RJ01: Rejection of invention patent application after publication (application publication date 20140402)