CN105337966A - Processing method for network attacks and device - Google Patents

Processing method for network attacks and device

Info

Publication number: CN105337966A
Application number: CN201510673219.2A
Authority: CN (China)
Prior art keywords: monitored, access request, time period, judge, data bag
Legal status: Granted; currently active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN105337966B (en)
Inventor: 朱峰
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Timeline: application filed by China United Network Communications Group Co Ltd; priority to CN201510673219.2A; publication of CN105337966A; application granted; publication of CN105337966B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention provides a processing method and device for network attacks. The method comprises: obtaining relevant information about the access requests received in a time period to be monitored and judging from it whether the network was attacked in that period; if it was, obtaining, for each client identifier, the number of access requests and/or the size of the access data packets in those requests within the period; identifying the suspected attack clients from those counts and/or packet sizes; and discarding the access requests those clients subsequently send. Whether the network was attacked is thus determined by combining the access requests received from all clients in the time period to be monitored, so attacks can be identified precisely and defended against; the detection accuracy for DDoS attacks is improved, as are detection efficiency and the effect of the defence.

Description

Processing method and device for network attacks
Technical field
The present invention relates to the field of communication technology, and in particular to a processing method and device for network attacks.
Background technology
At present, among network attacks on carrier Internet Data Centers (IDC), flooding distributed denial of service (DDoS) attacks are the most common attack means, especially application-layer DDoS attacks such as HTTP flooding attacks and HTTP host resource exhaustion attacks. In an HTTP flooding attack, the attacking side sends a large number of requests to the attacked side, including normal requests, redirected pages, header information and similar content. In an HTTP host resource exhaustion attack, the attacking side sends the attacked side requests whose responses carry a large amount of data, or requests that demand operations of high computational complexity, so as to exhaust the host's resources.
In the prior art, application-layer DDoS attacks are handled by counting the requests from each client: if the number of requests from a client exceeds a predetermined threshold within a preset time period, a DDoS attack is determined, that client is treated as the attacking side, and the large number of requests from it are discarded.
However, a DDoS attack is generally carried out by a primary client that controls multiple slave clients, which simultaneously send a large number of requests, or requests for large responses, to the attacked side. Deciding whether a client is an attacker from the request count of a single client alone may cause part of a DDoS attack to be judged as normal access, or some of the slave clients in a DDoS attack to be judged as normal clients. It is therefore difficult to defend effectively against DDoS attacks: detection accuracy is low, detection efficiency is poor and the protection effect is poor.
Summary of the invention
The invention provides a processing method and device for network attacks, to solve the prior-art problems that the detection accuracy for DDoS attacks is low, detection efficiency is poor and the protection effect is poor.
A first aspect of the invention provides a processing method for network attacks, comprising:
obtaining relevant information about the access requests received in a time period to be monitored;
judging, according to the relevant information, whether a network attack occurred in the time period to be monitored;
if a network attack occurred, obtaining, according to the client identifiers in the relevant information, the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests within the time period to be monitored;
obtaining the suspected attack clients according to the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests; and
discarding the access requests subsequently sent by the suspected attack clients.
Further, judging according to the relevant information whether a network attack occurred in the time period to be monitored comprises:
if the relevant information is the number of access requests received in the time period to be monitored and the corresponding time points, judging from those counts and time points whether the number of access requests increases continuously as the time points increase within the period;
if the number of access requests increases continuously as the time points increase within the period, judging that a network attack occurred in the time period to be monitored;
if the number of access requests does not increase continuously as the time points increase within the period, judging that no network attack occurred in the time period to be monitored.
Further, judging according to the relevant information whether a network attack occurred in the time period to be monitored comprises:
if the relevant information is the size of the access data packets in the access requests received in the time period to be monitored, obtaining in turn the fluctuation value between the size of each access data packet and a pre-configured access data packet size;
judging whether the number of access data packets whose fluctuation value exceeds a predetermined threshold is greater than or equal to a predetermined number;
if that number is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored;
if that number is less than the predetermined number, judging that no network attack occurred in the time period to be monitored.
Further, judging according to the relevant information whether a network attack occurred in the time period to be monitored comprises:
if the relevant information is the number of access requests received in the time period to be monitored, the corresponding time points and the size of the access data packets in the access requests, judging from the counts and time points whether the number of access requests increases continuously as the time points increase within the period; obtaining in turn the fluctuation value between the size of each access data packet and the pre-configured access data packet size; and judging whether the number of access data packets whose fluctuation value exceeds the predetermined threshold is greater than or equal to the predetermined number;
if the number of access requests increases continuously as the time points increase within the period, and the number of access data packets whose fluctuation value exceeds the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored.
Another aspect of the invention provides a processing device for network attacks, comprising:
an acquisition module, for obtaining relevant information about the access requests received in a time period to be monitored;
a judging module, for judging, according to the relevant information, whether a network attack occurred in the time period to be monitored;
the acquisition module being further for, when a network attack occurred, obtaining, according to the client identifiers in the relevant information, the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests within the time period to be monitored;
the acquisition module being further for obtaining the suspected attack clients according to the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests; and
a discarding module, for discarding the access requests subsequently sent by the suspected attack clients.
Further, the judging module is specifically for:
if the relevant information is the number of access requests received in the time period to be monitored and the corresponding time points, judging from those counts and time points whether the number of access requests increases continuously as the time points increase within the period;
if the number of access requests increases continuously as the time points increase within the period, judging that a network attack occurred in the time period to be monitored;
if the number of access requests does not increase continuously as the time points increase within the period, judging that no network attack occurred in the time period to be monitored.
Further, the judging module is specifically for:
if the relevant information is the size of the access data packets in the access requests received in the time period to be monitored, obtaining in turn the fluctuation value between the size of each access data packet and a pre-configured access data packet size;
judging whether the number of access data packets whose fluctuation value exceeds a predetermined threshold is greater than or equal to a predetermined number;
if that number is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored;
if that number is less than the predetermined number, judging that no network attack occurred in the time period to be monitored.
Further, the judging module is specifically for:
if the relevant information is the number of access requests received in the time period to be monitored, the corresponding time points and the size of the access data packets in the access requests, judging from the counts and time points whether the number of access requests increases continuously as the time points increase within the period; obtaining in turn the fluctuation value between the size of each access data packet and the pre-configured access data packet size; and judging whether the number of access data packets whose fluctuation value exceeds the predetermined threshold is greater than or equal to the predetermined number;
if the number of access requests increases continuously as the time points increase within the period, and the number of access data packets whose fluctuation value exceeds the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored.
In the invention, relevant information about the access requests received in a time period to be monitored is obtained; whether a network attack occurred in that period is judged from the relevant information; if so, the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests within the period is obtained according to the client identifiers in the relevant information; the suspected attack clients are obtained from those counts and/or sizes; and the access requests subsequently sent by the suspected attack clients are discarded. Whether an attack is occurring can thus be determined by combining the access requests received from all clients in the time period to be monitored, so that the attack can be identified and defended against accurately even when a primary client controls multiple slave clients to carry out a DDoS attack; this improves the detection accuracy, detection efficiency and protection effect against DDoS attacks.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the processing method for network attacks provided by the invention;
Fig. 2 is a distribution map of the number of access requests received by an IDC machine room in different time periods;
Fig. 3 is a distribution map of the fluctuation in access data packet size;
Fig. 4 is a flow chart of another embodiment of the processing method for network attacks provided by the invention;
Fig. 5 is a distribution map of the number of access requests received by the IDC machine room when some of the clients accessing it are attackers;
Fig. 6 is a flow chart of another embodiment of the processing method for network attacks provided by the invention;
Fig. 7 is a flow chart of another embodiment of the processing method for network attacks provided by the invention;
Fig. 8 is a schematic structural diagram of an embodiment of the processing device for network attacks provided by the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an embodiment of the processing method for network attacks provided by the invention. As shown in Fig. 1, the method comprises the following steps:
101. Obtain relevant information about the access requests received in the time period to be monitored.
The method is executed by a processing device for network attacks, which may be a carrier Internet Data Center (IDC), a server, a terminal that implements server functions, or any other equipment that can receive access requests from multiple clients and return the requested data packets to them. An access request may be the request a client sends when browsing a web page, using an application, or downloading video, pictures or other resources. An access request may carry the client identifier, the request time, the size of the requested data packet, the access destination, and so on. The client identifier may be the client's IP address or the number of the host corresponding to the client; the access destination may be a destination IP address.
The relevant information about the access requests may be the number of access requests the IDC machine room received, the size of the access data packets in those requests, and so on. The time period to be monitored may be any time period, for example 9:00-10:00 every day, 12:00-14:00 every day, or 12:05-12:45; it may be set as required or according to the number of access requests the IDC machine room receives in each time period, and is not limited here.
102. Judge, according to the relevant information, whether a network attack occurred in the time period to be monitored.
When the clients accessing the IDC machine room are normal users, the number of access requests received in different time periods generally follows a Gaussian distribution, as shown in Fig. 2. When some of the clients accessing the IDC machine room are attackers, the attackers mostly send randomly generated or repeated simple access requests to form an attack stream, so the number of access requests the IDC machine room receives shows a rising trend until its resources are exhausted or nearly exhausted. Whether a network attack occurred in the time period to be monitored can therefore be judged from the trend in the number of access requests received in that period.
In addition, consider the sizes of the access data packets in the requests the IDC machine room receives in different time periods when the clients are normal users. Let the mean normal access data packet size be δ and the size of each access data packet be α(n); the fluctuation of each packet size is then (δ - α(n)), and over a large sample this fluctuation also follows a Gaussian distribution, as shown in Fig. 3. When some of the clients are attackers, they mostly send access requests for very large data packets in order to exhaust the IDC machine room's resources, so that the machine room returns very large packets to them. Most of the access data packets in the requests received are then far larger than the normal access data packet size, and the distribution of the fluctuation over a large sample no longer follows a Gaussian distribution. Whether a network attack occurred in the time period to be monitored can therefore also be judged from the sizes of the access data packets in the requests received in that period.
Combining the trend in the number of access requests received in the time period to be monitored with the sizes of the access data packets in those requests gives a better judgment of whether a network attack occurred in that period.
103. If a network attack occurred, obtain, according to the client identifiers in the relevant information, the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests within the time period to be monitored.
104. Obtain the suspected attack clients according to the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests.
When a client is an attacker, the number of access requests corresponding to it exceeds the normal count threshold, and the size of most access data packets in the requests it sends also exceeds the normal access data packet size. Either or both of these two points can be used to judge which clients accessing the IDC machine room are attackers.
Further, when judging from the request count whether a client is an attacker, the number of access requests the client sends within a second, a minute or several minutes can be obtained. If the number of such sub-periods in which the count exceeds the preset count threshold is greater than the normal number, or the ratio of the total length of those sub-periods to the length of the time period to be monitored exceeds a preset ratio, the client accessing the IDC machine room can be judged to be an attacker.
Further, when judging from the size of the access data packets whether a client is an attacker, the sizes of the access data packets in the requests the client sends within a second, a minute or several minutes can be obtained, together with the fluctuation value between each access data packet and the normal access data packet size. If the number of packets whose fluctuation value exceeds the preset fluctuation threshold is greater than the normal number, or the ratio of that number to the total number of access requests the client sent exceeds a preset ratio, the client accessing the IDC machine room can be judged to be an attacker.
105. Discard the access requests subsequently sent by the suspected attack clients.
Discarding here may mean discarding all of the access requests a suspected attack client subsequently sends, or discarding most of them, for example 90% or more of them.
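The per-client attribution of steps 103 and 104 and the discard handling of step 105, written out as an added example; this is not the patent's code, and every threshold, the one-second sub-period, the sample addresses and the traffic itself are constructed for illustration. Each client's requests are bucketed into sub-periods and flagged by the two rules the text gives (too many sub-periods over the count threshold or too large a share of the window; too many oversized packets or too large a share of the client's requests), and a discarder then drops all or a fixed share of a flagged client's later requests.

```python
"""Per-client suspect identification (steps 103-104) and discard handling (step 105)
for a monitored window already judged to be under attack. Added example, not the
patent's code; all thresholds are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ClientPolicy:
    sub_period: float = 1.0        # per-second buckets (the text also allows per-minute)
    count_threshold: int = 5       # preset count threshold for one sub-period
    normal_hot_periods: int = 2    # "normal quantity" of sub-periods over the threshold
    hot_ratio: float = 0.5         # preset ratio: hot time / monitored window length
    normal_pkt_size: int = 1500    # normal access data packet size (bytes)
    fluct_threshold: int = 4000    # preset fluctuation threshold (bytes)
    normal_big_pkts: int = 3       # "normal quantity" of packets over the threshold
    big_pkt_ratio: float = 0.5     # preset ratio: oversized packets / client's requests
    discard_fraction: float = 0.9  # drop at least 90% of a suspect's later requests


def group_by_client(requests):
    """requests: iterable of (timestamp, client_id, packet_size) -> per-client lists."""
    per_client = defaultdict(list)
    for t, cid, size in requests:
        per_client[cid].append((t, size))
    return per_client


def suspect_by_count(times, window_start, window_len, p):
    """Bucket the client's requests per sub-period; flag when too many sub-periods
    exceed the threshold, or when those sub-periods cover too much of the window."""
    n_sub = max(1, math.ceil(window_len / p.sub_period))
    counts = [0] * n_sub
    for t in times:
        idx = int((t - window_start) // p.sub_period)
        if 0 <= idx < n_sub:
            counts[idx] += 1
    hot = sum(1 for c in counts if c > p.count_threshold)
    if hot > p.normal_hot_periods:
        return True
    return (hot * p.sub_period) / window_len > p.hot_ratio


def suspect_by_size(sizes, p):
    """Flag when too many of the client's packets deviate from the normal size,
    either as an absolute count or as a share of the client's requests."""
    big = sum(1 for s in sizes if abs(s - p.normal_pkt_size) > p.fluct_threshold)
    if big > p.normal_big_pkts:
        return True
    return bool(sizes) and big / len(sizes) > p.big_pkt_ratio


def find_suspects(requests, window_start, window_len, p=ClientPolicy()):
    """Suspected attack clients: either signal suffices (the text says 'and/or')."""
    suspects = set()
    for cid, recs in group_by_client(requests).items():
        times = [t for t, _ in recs]
        sizes = [s for _, s in recs]
        if suspect_by_count(times, window_start, window_len, p) or suspect_by_size(sizes, p):
            suspects.add(cid)
    return suspects


class Discarder:
    """Drops a suspect's later requests: all of them, or a fixed share (e.g. 9 in 10)."""

    def __init__(self, suspects, fraction):
        self.suspects = set(suspects)
        # keep one request out of every `keep_every`; None means drop everything
        self.keep_every = None if fraction >= 1.0 else max(1, round(1.0 / (1.0 - fraction)))
        self.seen = defaultdict(int)

    def should_drop(self, client_id):
        if client_id not in self.suspects:
            return False
        self.seen[client_id] += 1
        if self.keep_every is None:
            return True
        return self.seen[client_id] % self.keep_every != 0


def simulate_drops(suspects, fraction, client_id, n):
    """How many of n later requests from client_id the Discarder would drop."""
    d = Discarder(suspects, fraction)
    return sum(1 for _ in range(n) if d.should_drop(client_id))


def build_sample():
    """Constructed traffic for a 10-second monitored window (hypothetical addresses)."""
    reqs = []
    for i in range(5):                       # normal client: one request every 2 s
        reqs.append((i * 2.0, "10.0.0.1", 1500 + (i % 3) * 50))
    for sec in range(2, 8):                  # high-rate client: 8 requests/s for 6 s
        for k in range(8):
            reqs.append((sec + k / 10.0, "10.0.0.2", 1500))
    for i in range(5):                       # large-response client: ~20 KB packets
        reqs.append((1.0 + i, "10.0.0.3", 20000))
    return reqs


SAMPLE_REQUESTS = build_sample()

if __name__ == "__main__":
    found = find_suspects(SAMPLE_REQUESTS, 0.0, 10.0)
    print("suspects:", sorted(found))
    print("dropped of 20:", simulate_drops(found, ClientPolicy().discard_fraction, "10.0.0.2", 20))
```

With the constructed sample, the high-rate client is caught by the count rule (six one-second buckets over the threshold) and the large-response client by the size rule (five packets far above the normal size), while the normal client passes both; the discarder then drops 18 of the next 20 requests from a suspect at the 90% setting. The discard share is deterministic here so the behaviour is testable; a real deployment would typically choose a rate limiter instead.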
In this embodiment, relevant information about the access requests received in the time period to be monitored is obtained; whether a network attack occurred in that period is judged from the relevant information; if so, the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests within the period is obtained according to the client identifiers in the relevant information; the suspected attack clients are obtained from those counts and/or sizes; and the access requests subsequently sent by the suspected attack clients are discarded. Whether an attack is occurring can thus be determined by combining the access requests received from all clients in the time period to be monitored, so that the attack can be identified and defended against accurately even when a primary client controls multiple slave clients to carry out a DDoS attack; this improves the detection accuracy, detection efficiency and protection effect against DDoS attacks.
Fig. 4 is a flow chart of another embodiment of the processing method for network attacks provided by the invention. As shown in Fig. 4, on the basis of the embodiment of Fig. 1, step 102 may specifically comprise:
1021. If the relevant information is the number of access requests received in the time period to be monitored and the corresponding time points, judge from those counts and time points whether the number of access requests increases continuously as the time points increase within the period.
Fig. 5 shows the distribution of the number of access requests received by the IDC machine room when some of the clients accessing it are attackers. It should be noted that, because some normal clients also access the IDC machine room, the number of access requests may fluctuate slightly while it increases over successive time points, for example decreasing by a small amount; the "continuous increase" in this embodiment therefore includes an increase that contains such minor fluctuations.
1022. If the number of access requests increases continuously as the time points increase within the time period to be monitored, judge that a network attack occurred in that period.
1023. If the number of access requests does not increase continuously as the time points increase within the time period to be monitored, judge that no network attack occurred in that period.
In this embodiment, relevant information about the access requests received in the time period to be monitored is obtained; when the relevant information is the number of access requests received in that period and the corresponding time points, whether the number of access requests increases continuously as the time points increase is judged from those counts and time points, and if it does, a network attack is judged to have occurred in the period; the number of access requests corresponding to each client identifier and/or the size of the access data packets in those requests within the period is then obtained according to the client identifiers in the relevant information; the suspected attack clients are obtained from those counts and/or sizes; and the access requests subsequently sent by the suspected attack clients are discarded. Whether an attack is occurring can thus be determined by combining the access requests received from all clients in the time period to be monitored, so that the attack can be identified and defended against accurately even when a primary client controls multiple slave clients to carry out a DDoS attack; this improves the detection accuracy, detection efficiency and protection effect against DDoS attacks.
Fig. 6 is a flow chart of another embodiment of the processing method for network attacks provided by the invention. As shown in Fig. 6, on the basis of the embodiment of Fig. 1, step 102 may specifically comprise:
1024. If the relevant information is the size of the access data packets in the access requests received in the time period to be monitored, obtain in turn the fluctuation value between the size of each access data packet and the pre-configured access data packet size.
The pre-configured access data packet size may be the normal access data packet size, which may be determined as the mean access data packet size in the requests the IDC machine room receives when the clients accessing it are normal clients.
1025. Judge whether the number of access data packets whose fluctuation value exceeds the predetermined threshold is greater than or equal to the predetermined number.
1026. If that number is greater than or equal to the predetermined number, judge that a network attack occurred in the time period to be monitored.
1027. If that number is less than the predetermined number, judge that no network attack occurred in the time period to be monitored.
In the present embodiment, by obtaining the relevant information of the access request received in the time period to be monitored, when in relevant information being the size of visit data bag in the access request received within the time period to be monitored, obtain the undulating value of the size of each visit data bag and the size of pre-configured visit data bag successively, judge whether the quantity that undulating value is greater than the visit data bag of predetermined threshold value is more than or equal to predetermined number, if judge, the quantity that undulating value is greater than the visit data bag of predetermined threshold value is more than or equal to predetermined number, then judge to be subject to network attack in the time period to be monitored, according to the mark of client in relevant information, obtain within the time period to be monitored, the size of visit data bag in the number of times of the access request of the mark correspondence of each client and/or access request, according to the size of visit data bag in the number of times of the access request of the mark correspondence of each client and/or access request, obtain doubtful attack client, discard processing is carried out to the access request that doubtful attack client sends again, thus can be under attack to determine whether in conjunction with the access request of all clients received in the time period to be detected, can control in primary client multiplely identify this attack exactly and be on the defensive when client carries out DDOS attack, thus improve the accuracy in detection of DDOS attack, improve detection efficiency and protection effect.
Fig. 7 is a flow chart of another embodiment of the processing method for network attacks provided by the invention. As shown in Fig. 7, on the basis of the embodiment shown in Fig. 1, step 102 may specifically comprise:
1028. If the relevant information is the number of access requests received within the time period to be monitored, the corresponding time points, and the size of the access data packets in those access requests, then, according to that number and the corresponding time points, judge whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase; and obtain in turn the fluctuation value between the size of each access data packet and the pre-configured access data packet size; and judge whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number.
1029. If, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, and the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judge that a network attack occurred in the time period to be monitored.
In the present embodiment, the relevant information of the access requests received in the time period to be monitored is obtained. Where the relevant information is the number of access requests received within the time period to be monitored, the corresponding time points, and the size of the access data packets in those requests, it is judged from that number and those time points whether the number of access requests keeps increasing as the time points increase; the fluctuation value between the size of each access data packet and the pre-configured access data packet size is obtained in turn, and it is judged whether the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number. If the number of access requests keeps increasing as the time points increase and the number of access data packets whose fluctuation value exceeds the predetermined threshold is greater than or equal to the predetermined number, it is judged that a network attack occurred in the time period to be monitored. Then, according to the client identifiers in the relevant information, the number of access requests and/or the size of the access data packets corresponding to each client identifier within the time period to be monitored are obtained, suspected attacking clients are determined from these, and the access requests subsequently sent by the suspected attacking clients are discarded. In this way, whether an attack is under way is determined from the access requests of all clients received in the time period to be monitored, so that a DDoS attack in which one primary client controls multiple clients can be identified accurately and defended against, which improves the detection accuracy, detection efficiency and protection effect against DDoS attacks.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Fig. 8 is a schematic structural diagram of an embodiment of the processing device for network attacks provided by the invention. As shown in Fig. 8, the device comprises:
an acquisition module 81, for obtaining the relevant information of the access requests received in the time period to be monitored;
a judging module 82, for judging, according to the relevant information, whether a network attack occurred in the time period to be monitored;
the acquisition module 81 being further used, when a network attack occurred, for obtaining, according to the client identifiers in the relevant information, the number of access requests and/or the size of the access data packets corresponding to each client identifier within the time period to be monitored;
the acquisition module 81 being further used for determining suspected attacking clients according to the number of access requests and/or the size of the access data packets corresponding to each client identifier;
a discard module 83, for discarding the access requests subsequently sent by the suspected attacking clients.
Further, in a first implementation scenario, the judging module 82 may specifically be used for:
if the relevant information is the number of access requests received within the time period to be monitored and the corresponding time points, judging, according to that number and the corresponding time points, whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase;
if, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, judging that a network attack occurred in the time period to be monitored;
if, within the time period to be monitored, the number of access requests does not keep increasing as the time points increase, judging that no network attack occurred in the time period to be monitored.
Further, in a second implementation scenario, the judging module 82 may specifically be used for:
if the relevant information is the size of the access data packets in the access requests received within the time period to be monitored, obtaining in turn the fluctuation value between the size of each access data packet and the pre-configured access data packet size;
judging whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number;
if the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored;
if the number of access data packets whose fluctuation value is greater than the predetermined threshold is less than the predetermined number, judging that no network attack occurred in the time period to be monitored.
Further, in a third implementation scenario, the judging module 82 may specifically be used for:
if the relevant information is the number of access requests received within the time period to be monitored, the corresponding time points, and the size of the access data packets in those access requests, judging, according to that number and the corresponding time points, whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase; obtaining in turn the fluctuation value between the size of each access data packet and the pre-configured access data packet size; and judging whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number;
if, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, and the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored.
In the present embodiment, the relevant information of the access requests received in the time period to be monitored is obtained, and it is judged according to the relevant information whether a network attack occurred in the time period to be monitored. If a network attack occurred, the number of access requests and/or the size of the access data packets corresponding to each client identifier within the time period to be monitored are obtained according to the client identifiers in the relevant information; suspected attacking clients are determined according to the number of access requests and/or the size of the access data packets corresponding to each client identifier; and the access requests subsequently sent by the suspected attacking clients are discarded. In this way, whether an attack is under way is determined from the access requests of all clients received in the time period to be monitored, so that a DDoS attack in which one primary client controls multiple clients can be identified accurately and defended against, which improves the detection accuracy, detection efficiency and protection effect against DDoS attacks.
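The three detection tests of the Fig. 5 to Fig. 7 embodiments, the per-client step that selects suspected attacking clients, and the discard step of the Fig. 8 device, written out as an added example (this is not the patent's own code). The client identifiers, packet sizes, thresholds and the per-client limits used to flag a suspected client are constructed assumptions; the patent only states that the count and/or size of each client's requests are used.

```python
# Added example (not the patent's own code): the three detection tests of the
# Figs. 5-7 embodiments, the per-client step that picks out suspected attacking
# clients, and the discard step of the Fig. 8 device. All limits and the sample
# traffic below are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AccessRequest:
    """One access request seen by the IDC during the monitored period."""
    time_point: int   # index of the sampling point within the monitored period
    client_id: str    # the client's identifier, here a source IP (constructed)
    packet_size: int  # size of the access data packet in bytes


def counts_by_time_point(requests):
    """Number of access requests at each time point, in time order."""
    counts = defaultdict(int)
    for r in requests:
        counts[r.time_point] += 1
    return [counts[t] for t in sorted(counts)]


def counts_keep_increasing(counts):
    """Fig. 5 test: the request count rises at every successive time point."""
    return len(counts) >= 2 and all(b > a for a, b in zip(counts, counts[1:]))


def fluctuation_hits(requests, baseline_size, threshold):
    """Fig. 6 test: packets whose size differs from the pre-configured
    (normal, mean) size by more than the threshold."""
    return sum(1 for r in requests if abs(r.packet_size - baseline_size) > threshold)


def detect_attack(requests, mode, baseline_size, threshold, min_count):
    """mode 'count' = Fig. 5, 'size' = Fig. 6, 'both' = Fig. 7 (both must hold)."""
    by_count = counts_keep_increasing(counts_by_time_point(requests))
    by_size = fluctuation_hits(requests, baseline_size, threshold) >= min_count
    if mode == "count":
        return by_count
    if mode == "size":
        return by_size
    if mode == "both":
        return by_count and by_size
    raise ValueError(f"unknown mode {mode!r}")


def suspected_clients(requests, baseline_size, threshold, max_per_client, max_size_hits):
    """Group requests by client identifier and flag clients by request count
    and/or oversize-packet count. The two limits are an assumption."""
    per_client = defaultdict(list)
    for r in requests:
        per_client[r.client_id].append(r)
    return {
        cid for cid, reqs in per_client.items()
        if len(reqs) > max_per_client
        or fluctuation_hits(reqs, baseline_size, threshold) >= max_size_hits
    }


def discard_from_suspected(new_requests, suspected):
    """Discard module: later requests from suspected clients are dropped."""
    forwarded = [r for r in new_requests if r.client_id not in suspected]
    dropped = [r for r in new_requests if r.client_id in suspected]
    return forwarded, dropped


# Constructed sample traffic: two normal clients, one bot, five time points.
NORMAL_CLIENTS = {"198.51.100.1": 480, "198.51.100.2": 520}
BOT = "203.0.113.7"
BASELINE = mean([480, 500, 520])  # pre-configured size = mean normal packet size
PARAMS = dict(baseline_size=BASELINE, threshold=300, min_count=10)


def build_traffic(with_bot):
    reqs = []
    for t in range(5):
        reqs += [AccessRequest(t, cid, size) for cid, size in NORMAL_CLIENTS.items()]
        if with_bot:  # the bot sends one more request at each successive time point
            reqs += [AccessRequest(t, BOT, 1400) for _ in range(t + 1)]
    return reqs


ATTACK_TRAFFIC = build_traffic(with_bot=True)   # counts 3,4,5,6,7
QUIET_TRAFFIC = build_traffic(with_bot=False)   # counts 2,2,2,2,2
NEXT_BATCH = [AccessRequest(5, BOT, 1400), AccessRequest(5, "198.51.100.1", 480),
              AccessRequest(5, "198.51.100.2", 520)]


def run_pipeline(traffic, next_batch, mode="both"):
    """Whole method: detect, identify suspected clients, then discard their
    subsequent requests. Returns (suspected, forwarded, dropped)."""
    if not detect_attack(traffic, mode, **PARAMS):
        return set(), list(next_batch), []
    suspected = suspected_clients(traffic, BASELINE, 300, max_per_client=5, max_size_hits=3)
    forwarded, dropped = discard_from_suspected(next_batch, suspected)
    return suspected, forwarded, dropped


if __name__ == "__main__":
    for name, traffic in (("attack", ATTACK_TRAFFIC), ("quiet", QUIET_TRAFFIC)):
        s, fwd, drop = run_pipeline(traffic, NEXT_BATCH)
        print(f"{name}: counts={counts_by_time_point(traffic)} "
              f"suspected={sorted(s)} forwarded={len(fwd)} dropped={len(drop)}")
```

Only the bot's requests in the next batch are dropped; the two normal clients whose counts stayed flat and whose packet sizes stayed near the baseline are still forwarded.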
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the invention.

Claims (8)

1. A processing method for network attacks, characterized in that it comprises:
obtaining the relevant information of the access requests received in a time period to be monitored;
judging, according to the relevant information, whether a network attack occurred in the time period to be monitored;
if a network attack occurred, obtaining, according to the client identifiers in the relevant information, the number of access requests and/or the size of the access data packets corresponding to each client identifier within the time period to be monitored;
determining suspected attacking clients according to the number of access requests and/or the size of the access data packets corresponding to each client identifier;
discarding the access requests subsequently sent by the suspected attacking clients.
2. The method according to claim 1, characterized in that judging, according to the relevant information, whether a network attack occurred in the time period to be monitored comprises:
if the relevant information is the number of access requests received within the time period to be monitored and the corresponding time points, judging, according to that number and the corresponding time points, whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase;
if, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, judging that a network attack occurred in the time period to be monitored;
if, within the time period to be monitored, the number of access requests does not keep increasing as the time points increase, judging that no network attack occurred in the time period to be monitored.
3. The method according to claim 1, characterized in that judging, according to the relevant information, whether a network attack occurred in the time period to be monitored comprises:
if the relevant information is the size of the access data packets in the access requests received within the time period to be monitored, obtaining in turn the fluctuation value between the size of each access data packet and a pre-configured access data packet size;
judging whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number;
if the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored;
if the number of access data packets whose fluctuation value is greater than the predetermined threshold is less than the predetermined number, judging that no network attack occurred in the time period to be monitored.
4. The method according to claim 1, characterized in that judging, according to the relevant information, whether a network attack occurred in the time period to be monitored comprises:
if the relevant information is the number of access requests received within the time period to be monitored, the corresponding time points, and the size of the access data packets in those access requests, judging, according to that number and the corresponding time points, whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase; obtaining in turn the fluctuation value between the size of each access data packet and a pre-configured access data packet size; and judging whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number;
if, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, and the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored.
5. A processing device for network attacks, characterized in that it comprises:
an acquisition module, for obtaining the relevant information of the access requests received in a time period to be monitored;
a judging module, for judging, according to the relevant information, whether a network attack occurred in the time period to be monitored;
the acquisition module being further used, when a network attack occurred, for obtaining, according to the client identifiers in the relevant information, the number of access requests and/or the size of the access data packets corresponding to each client identifier within the time period to be monitored;
the acquisition module being further used for determining suspected attacking clients according to the number of access requests and/or the size of the access data packets corresponding to each client identifier;
a discard module, for discarding the access requests subsequently sent by the suspected attacking clients.
6. The device according to claim 5, characterized in that the judging module is specifically used for:
if the relevant information is the number of access requests received within the time period to be monitored and the corresponding time points, judging, according to that number and the corresponding time points, whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase;
if, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, judging that a network attack occurred in the time period to be monitored;
if, within the time period to be monitored, the number of access requests does not keep increasing as the time points increase, judging that no network attack occurred in the time period to be monitored.
7. The device according to claim 5, characterized in that the judging module is specifically used for:
if the relevant information is the size of the access data packets in the access requests received within the time period to be monitored, obtaining in turn the fluctuation value between the size of each access data packet and a pre-configured access data packet size;
judging whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number;
if the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored;
if the number of access data packets whose fluctuation value is greater than the predetermined threshold is less than the predetermined number, judging that no network attack occurred in the time period to be monitored.
8. The device according to claim 5, characterized in that the judging module is specifically used for:
if the relevant information is the number of access requests received within the time period to be monitored, the corresponding time points, and the size of the access data packets in those access requests, judging, according to that number and the corresponding time points, whether the number of access requests corresponding to successive time points within the time period to be monitored keeps increasing as the time points increase; obtaining in turn the fluctuation value between the size of each access data packet and a pre-configured access data packet size; and judging whether the number of access data packets whose fluctuation value is greater than a predetermined threshold is greater than or equal to a predetermined number;
if, within the time period to be monitored, the number of access requests keeps increasing as the time points increase, and the number of access data packets whose fluctuation value is greater than the predetermined threshold is greater than or equal to the predetermined number, judging that a network attack occurred in the time period to be monitored.
CN201510673219.2A 2015-10-16 2015-10-16 For the treating method and apparatus of network attack Active CN105337966B (en)

Publications (2)

Publication Number Publication Date
CN105337966A true CN105337966A (en) 2016-02-17
CN105337966B CN105337966B (en) 2018-10-02