CN105939315A - Method and device for protecting against HTTP attack - Google Patents


Info

Publication number: CN105939315A
Application number: CN201510683460.3A
Authority: CN (China)
Prior art keywords: check value, http request, dynamic check, dynamic, http
Legal status: Pending (Google's assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 邢涛
Current assignee: Hangzhou DPTech Technologies Co Ltd (listed assignees may be inaccurate)
Original assignee: Hangzhou DPTech Technologies Co Ltd
Priority date: 2015-10-20 (Google's assumption, not a legal conclusion)
Filing date: 2015-10-20
Publication date: 2016-09-14

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and device for protecting against HTTP attacks. The method is applied to a network protection device and comprises: when an http request sent by a client is received, judging whether the http request carries a dynamic check value; if so, looking up locally the dynamic check value that was generated for the http request; comparing whether the dynamic check value carried by the http request is the same as the stored dynamic check value; and if so, forwarding the http request to the server. HTTP attacks can thereby be avoided and network security improved.

Description

Method and device for protecting against HTTP attacks
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for protecting against HTTP attacks.
Background technology
An HTTP CC attack is one form of HTTP attack. In a common HTTP CC attack, the attacker sends, through multiple proxy servers, a large number of URL requests that the target server needs a long time to process, so that the target server reaches the limit of its processing capacity because of the heavy computation required, and the service requests of a large number of normal users are refused.
Summary of the invention
In view of this, the present invention provides a message control method and device to solve the problem of poor transmission performance caused by differences in throughput capacity between nodes.
Specifically, the present invention is achieved through the following technical solution:
An HTTP attack protection method, applied to a network protection device, the method including:
when an http request sent by a client is received, judging whether the http request carries a dynamic check value;
if it does, looking up locally the dynamic check value generated for the http request;
comparing whether the dynamic check value carried by the http request is the same as the stored dynamic check value;
if they are the same, forwarding the http request to the server.
Further, if the http request does not carry a dynamic check value, the method also includes:
generating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
saving the dynamic check value locally.
Further, generating a dynamic check value for the http request includes:
extracting feature fields from the http request;
generating the dynamic check value, by a preset algorithm, from the feature fields and a random variable corresponding to the http request.
Further, the random variable includes a time variable and/or a random function.
Further, if the dynamic check value carried by the http request differs from the generated dynamic check value, the method also includes:
regenerating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
replacing the previously saved local dynamic check value corresponding to the http request with the new dynamic check value.
Based on the same concept, the present invention also provides an HTTP attack protection device, applied to a network protection device, the device including:
a judging unit, for judging, when an http request sent by a client is received, whether the http request carries a dynamic check value;
a lookup unit, for looking up locally, when the http request carries a dynamic check value, the dynamic check value generated for the http request;
a comparing unit, for comparing whether the dynamic check value carried by the http request is the same as the stored dynamic check value;
a forwarding unit, for forwarding the http request to the server when the dynamic check value carried by the http request is the same as the stored dynamic check value.
Further, if the http request does not carry a dynamic check value, the device also includes:
a redirect unit, for generating a dynamic check value for the http request, adding the dynamic check value to an http redirect message returned to the client, and saving the dynamic check value locally.
Further, generating a dynamic check value for the http request specifically includes:
extracting feature fields from the http request;
generating the dynamic check value, by a preset algorithm, from the feature fields and a random variable corresponding to the http request.
Further, the random variable includes a time variable and/or a random function.
Further, if the dynamic check value carried by the http request differs from the generated dynamic check value, the device also includes:
a secondary verification unit, for regenerating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
replacing the previously saved local dynamic check value corresponding to the http request with the new dynamic check value.
It can be seen that the present invention verifies whether a client is legitimate by means of a dynamic check value; because the dynamic check mechanism prevents an attacker from forging the check value, HTTP attacks can be avoided and network security improved.
Description of the drawings
Fig. 1 is a process flow chart of an HTTP attack protection method in an exemplary embodiment of the present invention;
Fig. 2 is a process flow chart of another HTTP attack protection method in an exemplary embodiment of the present invention;
Fig. 3 is a hardware structure diagram of the network protection device on which the HTTP attack protection device of an exemplary embodiment of the present invention is located;
Fig. 4 is a logical structure diagram of an HTTP attack protection device in an exemplary embodiment of the present invention.
Detailed description of the invention
In view of the characteristics of HTTP CC attacks, the HTTP CC protection method most commonly used at present is cookie verification. Its basic principle is to authenticate, according to the HTTP protocol specification, whether an http request packet comes from a legitimate client. When a client sends a request, the network protection device intercepts the request in the middle, adds a cookie value to the URI or to the http header, and then redirects the request, so that after receiving the redirect the client requests the redirect address again, this time carrying the cookie value. When the network protection device receives this http request again, it verifies the correctness of the cookie value carried in the request; if verification passes, it deletes the cookie value from the http request and hands the request to the back-end server for processing. Because an attacker generally disconnects after sending an http request, the attacker cannot respond to the redirect from the network protection device and therefore cannot get attack requests through to the server.
In the prior art, the cookie value used by this protection method is generally computed from certain fields of the message, such as the URI, IP address or port number, so for a given set of fields the cookie value is constant. For example, when the network protection device computes the cookie value from the URI /main.js, if an attacker attacks using that URI, the URI of the attacker's http requests is constant, so the corresponding cookie value is also constant; the attacker can then obtain the cookie value by packet capture, record an http request message and fill the cookie value into the expected position, thereby simulating a normal http request message, getting past the protection device and causing HTTP protection to fail.
To solve this problem in the prior art, the present invention provides an HTTP attack protection method and device that verify whether a client is legitimate by means of a dynamic check value; because the dynamic check mechanism prevents an attacker from forging the check value, HTTP attacks can be avoided and network security improved.
Referring to Fig. 1, which is a process flow chart of an HTTP attack protection method in an exemplary embodiment of the present invention, the method is typically used on a network protection device; a network protection device is usually a network device responsible for network security, such as a gateway or firewall. The method includes:
Step 101: when an http request sent by a client is received, judge whether the http request carries a dynamic check value;
In this embodiment, when the network protection device receives an http request sent by a client, it first judges whether the http request carries a dynamic check value; the dynamic check value is typically a dynamic cookie value.
Step 102: if it does, look up locally the dynamic check value that was generated for this http request;
If the http request is judged to carry a dynamic check value, the network protection device can treat the http request as a message returned after redirection by the network protection device.
When the network protection device first receives an http request, it redirects it; during the redirection the network protection device generates a dynamic check value for the http request and saves it locally. Therefore, when the network protection device receives the http request returned by the client, it can find the generated dynamic check value by means of this http request and compare it with the dynamic check value generated at redirection. It should be noted that the dynamic check value generated locally for each http request does not change at every instant; it is kept locally for a certain resting period so that it can be compared against the redirected message. The specific resting period can be set by the administrator according to the actual situation.
In an optional embodiment of the present invention, when generating the dynamic check value, the network protection device may first extract feature fields from the http request, such as the URI and IP address, and then generate the dynamic check value from those feature fields together with a random variable corresponding to the http request, using a hash algorithm. The random variable may be a time variable or a random function. For example, the random variable may be the time at which the current message was received; to prevent an attacker from forging a check value from the time value, a time accurate to the nanosecond is generally used. Alternatively, a Linux system function may be called to obtain the random variable. A traditional cookie value is generated only from feature fields such as the URI and includes no random variable, so a skilled attacker can easily attack by forging the cookie value. The check value of the present invention is a dynamic variable, so it effectively prevents attackers from attacking with forged cookie values and improves network security.
Step 103: compare whether the dynamic check value carried by the http request is the same as the stored dynamic check value;
After the network protection device has found, by means of this http request, the generated dynamic check value, it compares the dynamic check value in the http request with the locally saved dynamic check value generated at redirection.
Step 104: if they are the same, forward the http request to the server.
If the dynamic check value in the http request is the same as the locally saved dynamic check value generated at redirection, the client can be considered a legitimate user, so the network protection device can remove the dynamic check value from the http request and forward the request to the server.
It can be seen that the present invention verifies whether a client is legitimate by means of a dynamic check value; because the dynamic check mechanism prevents an attacker from forging the check value, HTTP attacks can be avoided and network security improved.
In addition, if the network protection device judges that the dynamic check value carried by the http request differs from the generated dynamic check value, the legitimacy of the sender of the http request may be suspected; however, to avoid misjudgment, the network protection device may also regenerate a dynamic check value for the http request, add it to an http redirect message returned to the client, and then replace the previously saved local dynamic check value corresponding to the http request with the new one, so as to verify the client a second time.
To make the purpose, technical solution and advantages of the present invention clearer, the solution of the present invention is described in further detail below.
Referring to Fig. 2, which is a process flow chart of another HTTP attack protection method in an exemplary embodiment of the present invention, the method may be used on a firewall device and includes:
Step 201: the firewall device receives an http request sent by a client;
Step 202: judge whether the http request carries a dynamic check value; if it does, go to step 203, otherwise go to step 207;
Step 203: obtain the dynamic check value carried by the http request;
Step 204: look up locally the dynamic check value generated for the http request;
Step 205: compare whether the carried dynamic check value is the same as the generated dynamic check value; if the same, go to step 206, otherwise go to step 207;
Step 206: delete the dynamic check value from the http request, forward the http request to the server, and end;
Step 207: generate a dynamic check value for the http request and add it to a redirect message;
Step 208: send the redirect message to the client.
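As an added illustration, not code from the patent or from Hangzhou DPTech, the following Python simulates steps 201 to 208 above beside the prior-art static cookie scheme from the description, so the two can be exercised on constructed requests. Everything concrete in it is an assumption: the cookie name `dcv`, the client IP and URI as the feature fields, HMAC-SHA256 under a device-local secret as the preset algorithm, nanosecond receive time plus `os.urandom` as the random variable, an in-memory store with a resting period, and the addresses and URI used in `demo()`.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Added illustration, not the patent's code. Assumptions: cookie name "dcv";
# feature fields = (client IP, URI); preset algorithm = HMAC-SHA256 under a
# device-local secret; random variable = nanosecond receive time + os.urandom.
COOKIE = "dcv"

@dataclass
class Request:
    client_ip: str
    uri: str
    cookies: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int                                   # 200: forwarded to server, 302: redirect challenge
    set_cookie: Optional[Tuple[str, str]] = None
    forwarded: Optional[Request] = None           # what the device hands to the server

def fields(req: Request) -> Tuple[str, str]:
    return (req.client_ip, req.uri)               # feature fields the description names as examples

class StaticCookieDevice:
    """Prior-art scheme from the description: cookie = hash(URI), constant per URI."""
    def check_value(self, req: Request) -> str:
        return hashlib.sha256(req.uri.encode()).hexdigest()[:16]

    def handle(self, req: Request) -> Response:
        if req.cookies.get(COOKIE) == self.check_value(req):
            return Response(200, forwarded=req)
        return Response(302, set_cookie=(COOKIE, self.check_value(req)))

class DynamicCheckDevice:
    """Fig. 2 flow: per-request value kept locally for a resting period, then compared."""
    def __init__(self, resting_period: float, now: Callable[[], float] = time.monotonic):
        self.resting_period, self.now = resting_period, now
        self.key = os.urandom(32)                 # device-local secret (assumption)
        self.store: Dict[Tuple[str, str], Tuple[str, float]] = {}   # fields -> (value, expiry)

    def generate(self, req: Request) -> str:
        nonce = time.time_ns().to_bytes(8, "big") + os.urandom(16)   # random variable
        msg = "|".join(fields(req)).encode() + nonce
        value = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]
        # save locally, replacing any value previously kept for the same request
        self.store[fields(req)] = (value, self.now() + self.resting_period)
        return value

    def lookup(self, req: Request) -> Optional[str]:
        value, expiry = self.store.get(fields(req), (None, 0.0))
        if value is not None and self.now() > expiry:   # resting period has elapsed
            del self.store[fields(req)]
            return None
        return value

    def handle(self, req: Request) -> Response:
        carried = req.cookies.get(COOKIE)         # step 202
        if carried is not None:
            stored = self.lookup(req)             # steps 203-204
            if stored is not None and hmac.compare_digest(carried, stored):   # step 205
                stripped = {k: v for k, v in req.cookies.items() if k != COOKIE}
                return Response(200, forwarded=Request(req.client_ip, req.uri, stripped))  # step 206
        # nothing carried, or mismatch: (re)generate, store, redirect (steps 207-208)
        return Response(302, set_cookie=(COOKIE, self.generate(req)))

def honest_client(device, ip: str, uri: str) -> Response:
    """Browser behaviour: follow the redirect, re-sending with the cookie it was given."""
    resp = device.handle(Request(ip, uri))
    if resp.status == 302:
        resp = device.handle(Request(ip, uri, dict([resp.set_cookie])))
    return resp

def replay(device, ip: str, uri: str, captured: str) -> Response:
    """CC attacker: prerecorded request carrying a captured value, no redirect handling."""
    return device.handle(Request(ip, uri, {COOKIE: captured}))

def demo() -> Dict[str, bool]:
    clock = [0.0]                                 # fake clock driving the resting period
    ip, proxy, uri = "10.0.0.5", "198.51.100.7", "/main.js"   # constructed addresses
    static = StaticCookieDevice()
    sniffed = static.handle(Request(ip, uri)).set_cookie[1]          # value seen on the wire once
    r = {"static_replay_via_proxy_accepted": replay(static, proxy, uri, sniffed).status == 200}
    dyn = DynamicCheckDevice(resting_period=30.0, now=lambda: clock[0])
    first = dyn.handle(Request(ip, uri)).set_cookie[1]               # challenge value an attacker sniffed
    ok = honest_client(dyn, ip, uri)
    r["dynamic_honest_client_forwarded"] = ok.status == 200 and COOKIE not in ok.forwarded.cookies
    r["dynamic_sniffed_via_proxy_rejected"] = replay(dyn, proxy, uri, first).status == 302
    r["dynamic_superseded_value_rejected"] = replay(dyn, ip, uri, first).status == 302
    current = dyn.store[(ip, uri)][0]             # value regenerated by that mismatch
    r["dynamic_current_value_in_period_accepted"] = replay(dyn, ip, uri, current).status == 200
    clock[0] += 31.0                              # resting period elapses
    r["dynamic_current_value_after_period_rejected"] = replay(dyn, ip, uri, current).status == 302
    return r
```

Running `demo()` shows the point the description makes: the static value for `/main.js` replays from any proxy, while a sniffed dynamic value fails from another address (different feature fields) and fails from the same address once the mismatch branch has regenerated the stored value. Two properties follow directly from the description and are worth checking on a real device: a match strips the value from the forwarded request but does not discard the stored one, so the current value is accepted for any request with the same feature fields until the resting period ends, and the mismatch branch issues a fresh redirect rather than dropping the request, so a client that never completes redirects is never forwarded but also never blocked.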
Based on the same concept, the present invention also provides an HTTP attack protection device, which may be implemented in software, in hardware, or in a combination of software and hardware. Taking software implementation as an example, the HTTP attack protection device of the present invention, as a device in the logical sense, is formed by the CPU of the equipment on which it runs reading the corresponding computer program instructions from memory and executing them.
Referring to Fig. 3 and Fig. 4, an HTTP attack protection device 400 in an exemplary embodiment of the present invention is applied to a network protection device; the basic running environment of the device includes a CPU, memory and other hardware. At the logical level, the device 400 includes:
a judging unit 401, for judging, when an http request sent by a client is received, whether the http request carries a dynamic check value;
a lookup unit 402, for looking up locally, when the http request carries a dynamic check value, the dynamic check value generated for the http request;
a comparing unit 403, for comparing whether the dynamic check value carried by the http request is the same as the stored dynamic check value;
a forwarding unit 404, for forwarding the http request to the server when the dynamic check value carried by the http request is the same as the stored dynamic check value.
Optionally, if the http request does not carry a dynamic check value, the device also includes:
a redirect unit 405, for generating a dynamic check value for the http request, adding the dynamic check value to an http redirect message returned to the client, and saving the dynamic check value locally.
Optionally, generating a dynamic check value for the http request specifically includes:
extracting feature fields from the http request;
generating the dynamic check value, by a preset algorithm, from the feature fields and a random variable corresponding to the http request.
Optionally, the random variable includes a time variable and/or a random function.
Optionally, if the dynamic check value carried by the http request differs from the generated dynamic check value, the device also includes a secondary verification unit 406, for:
regenerating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
replacing the previously saved local dynamic check value corresponding to the http request with the new dynamic check value.
It can be seen that the present invention verifies whether a client is legitimate by means of a dynamic check value; because the dynamic check mechanism prevents an attacker from forging the check value, HTTP attacks can be avoided and network security improved.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. An HTTP attack protection method, characterised in that the method is applied to a network protection device and includes:
when an http request sent by a client is received, judging whether the http request carries a dynamic check value;
if it does, looking up locally the dynamic check value generated for the http request;
comparing whether the dynamic check value carried by the http request is the same as the stored dynamic check value;
if they are the same, forwarding the http request to the server.
2. The method according to claim 1, characterised in that, if the http request does not carry a dynamic check value, the method also includes:
generating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
saving the dynamic check value locally.
3. The method according to claim 2, characterised in that generating a dynamic check value for the http request includes:
extracting feature fields from the http request;
generating the dynamic check value, by a preset algorithm, from the feature fields and a random variable corresponding to the http request.
4. The method according to claim 3, characterised in that
the random variable includes a time variable and/or a random function.
5. The method according to claim 1, characterised in that, if the dynamic check value carried by the http request differs from the generated dynamic check value, the method also includes:
regenerating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
replacing the previously saved local dynamic check value corresponding to the http request with the new dynamic check value.
6. An HTTP attack protection device, characterised in that the device is applied to a network protection device and includes:
a judging unit, for judging, when an http request sent by a client is received, whether the http request carries a dynamic check value;
a lookup unit, for looking up locally, when the http request carries a dynamic check value, the dynamic check value generated for the http request;
a comparing unit, for comparing whether the dynamic check value carried by the http request is the same as the stored dynamic check value;
a forwarding unit, for forwarding the http request to the server when the dynamic check value carried by the http request is the same as the stored dynamic check value.
7. The device according to claim 6, characterised in that, if the http request does not carry a dynamic check value, the device also includes:
a redirect unit, for generating a dynamic check value for the http request, adding the dynamic check value to an http redirect message returned to the client, and saving the dynamic check value locally.
8. The device according to claim 7, characterised in that generating a dynamic check value for the http request specifically includes:
extracting feature fields from the http request;
generating the dynamic check value, by a preset algorithm, from the feature fields and a random variable corresponding to the http request.
9. The device according to claim 8, characterised in that
the random variable includes a time variable and/or a random function.
10. The device according to claim 6, characterised in that, if the dynamic check value carried by the http request differs from the generated dynamic check value, the device also includes:
a secondary verification unit, for regenerating a dynamic check value for the http request;
adding the dynamic check value to an http redirect message and returning it to the client;
replacing the previously saved local dynamic check value corresponding to the http request with the new dynamic check value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510683460.3A CN105939315A (en) 2015-10-20 2015-10-20 Method and device for protecting against HTTP attack


Publications (1)

Publication Number Publication Date
CN105939315A true CN105939315A (en) 2016-09-14

Family

ID=57153007

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510683460.3A Pending CN105939315A (en) 2015-10-20 2015-10-20 Method and device for protecting against HTTP attack

Country Status (1)

Country Link
CN (1) CN105939315A (en)


Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572700A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Method for defending HTTP Flood distributed denial-of-service attack
CN101707598A (en) * 2009-11-10 2010-05-12 成都市华为赛门铁克科技有限公司 Method, device and system for identifying flood attack
US20120014387A1 (en) * 2010-05-28 2012-01-19 Futurewei Technologies, Inc. Virtual Layer 2 and Mechanism to Make it Scalable
CN104079629A (en) * 2014-06-06 2014-10-01 汉柏科技有限公司 HTTP request message monitoring method and gateway based on cookie information
CN104618404A (en) * 2015-03-10 2015-05-13 网神信息技术(北京)股份有限公司 Processing method, device and system for preventing network attack to Web server

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109391600A (en) * 2017-08-10 2019-02-26 东软集团股份有限公司 Distributed denial of service attack means of defence, device, system, medium and equipment
CN108833410A (en) * 2018-06-19 2018-11-16 网宿科技股份有限公司 A kind of means of defence and system for HTTP Flood attack
US11159562B2 (en) 2018-06-19 2021-10-26 Wangsu Science & Technology Co., Ltd. Method and system for defending an HTTP flood attack
CN110046500A (en) * 2019-03-11 2019-07-23 刘勇 A kind of dynamic cookie verification method and device for network protection
CN110046500B (en) * 2019-03-11 2022-04-15 刘勇 Dynamic cookie verification method and device for network protection

Similar Documents

Publication Publication Date Title
US11075885B2 (en) Methods and systems for API deception environment and API traffic control and security
US10270792B1 (en) Methods for detecting malicious smart bots to improve network security and devices thereof
CN105827646B (en) The method and device of ssyn attack protection
Cambiaso et al. Slow DoS attacks: definition and categorisation
US10097520B2 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
US8561188B1 (en) Command and control channel detection with query string signature
CN109194680B (en) Network attack identification method, device and equipment
US12088623B2 (en) Edge network-based account protection service
US20170359349A1 (en) Method and apparatus for causing a delay in processing requests for internet resources received from client devices
US20150213449A1 (en) Risk-based control of application interface transactions
CN104396220A (en) Method and device for secure content retrieval
CN101572700A (en) Method for defending HTTP Flood distributed denial-of-service attack
WO2020037781A1 (en) Anti-attack method and device for server
CN108881233A (en) anti-attack processing method, device, equipment and storage medium
US9680950B1 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
CN106487807A (en) A kind of means of defence of domain name mapping and device
CN106789858B (en) Access control method and device and server
CN106789882A (en) Defence method and system that a kind of domain name request is attacked
CN112968910A (en) Replay attack prevention method and device
CN105939315A (en) Method and device for protecting against HTTP attack
US11102239B1 (en) Client device identification on a network
Qwasmi et al. simulation of ddos attacks on p2p networks
CN117176659A (en) Load balancing method and device based on zero trust environment
Bani-Hani et al. SYN flooding attacks and countermeasures: a survey
US8001243B2 (en) Distributed denial of service deterrence using outbound packet rewriting

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
    Applicant after: Hangzhou Dipu Polytron Technologies Inc
    Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building
    Applicant before: Hangzhou Dipu Technology Co., Ltd.
RJ01 Rejection of invention patent application after publication

Application publication date: 20160914