CN105991511A - Method and device for detecting CC attack - Google Patents


Info

Publication number
CN105991511A
Authority
CN
China
Prior art keywords
access request
source
request
threshold value
record
Legal status
Pending
Application number
CN201510040959.2A
Other languages
Chinese (zh)
Inventor
宋阳阳
祝建跃
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for detecting a CC attack. The method comprises: acquiring a preset number of access request records from a first source IP to a first target IP; counting, among the acquired records, those whose request-source page identifier (the page the request was linked from) is empty; and detecting a CC attack based on that count. The embodiments analyse the difference between the access behaviour of a real user and that of a CC attacker, compute a decision value from that difference, and thereby detect CC attacks effectively.

Description

A method and apparatus for detecting CC attacks
Technical field
The application relates to the field of network security, and in particular to a method and apparatus for detecting CC attacks.
Background technology
With the rapid development of network technology and the sharp growth in network scale, security vulnerabilities in networks are exploited more and more often by attackers to attack hosts on the network. The currently popular CC (Challenge Collapsar) attack is one such network attack.
A CC attack is a page-based distributed denial of service (DDoS: Distributed Denial of Service) attack. The attacker continuously sends request messages to the target server that consume the server's capacity, causing the target server to perform large amounts of computation or operations and to expend a great deal of resources. When the computation or operations performed by the target server reach the processing limit of its CPU, normal accesses are no longer processed and the machine may even crash.
For the situation above, one existing method of detecting CC attacks is redirect-based detection. In this method, a redirect detection device is typically placed in front of the target server to inspect the messages sent to the target server. Before the target server receives a request message, the redirect detection device sends a verification message to the requesting client on behalf of the target server. This verification message requires the client to send a confirmation to the target server again, and the confirmation must carry a key that only the redirect detection device knows. A normal client usually responds to the returned verification message and re-sends the confirmation to the target server as required. Once the detection device receives and verifies the confirmation sent by the normal client, it passes the normal client's access request through. An attacking client, by contrast, usually does not respond to the returned verification message and simply continues to send new access requests to the target server. Because the detection device receives no confirmation from the attacking client, it does not pass the attacking client's access requests to the target server. In this way CC attacks can be detected.
In the course of implementing this application, the inventors found that the prior art has at least the following problem:
As CC attack patterns have evolved, attackers can launch attacks on the target server through compromised hosts (bots, "broilers" in Chinese usage) or proxy servers. The bot or proxy server can respond to the verification message returned by the redirect detection device and re-send to the target server a confirmation carrying the key that only the redirect detection device knows, thereby penetrating the redirect-based detection of the prior art described above.
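The redirect-based check and the bypass just described, as an added illustration (this is example code written for this page, not the patent's or any vendor's implementation). The detection device is modelled as a function that answers an unverified request with a 302 "verification message" setting a confirmation cookie derived from a key only the device holds, and forwards a request only when that cookie is present and valid. The cookie name `cc_confirm`, the HMAC construction binding the token to the client address, and the three client behaviours are all assumptions made for the example; the addresses are documentation ranges.

```python
import hashlib
import hmac
import secrets

# Assumed device secret: only the redirect detection device knows it.
# Generated fresh so the example runs offline; a real deployment would persist it.
DEVICE_KEY = secrets.token_bytes(32)


def _token_for(client_ip: str) -> str:
    """Confirmation value bound to the client address; only the device can mint it."""
    return hmac.new(DEVICE_KEY, client_ip.encode(), hashlib.sha256).hexdigest()


def device_handle(request: dict) -> dict:
    """Redirect detection device in front of the target server.

    request: {"ip": str, "path": str, "cookies": dict}
    Returns either a 302 challenge carrying the confirmation cookie, or a 200
    response with forwarded=True meaning the request was passed to the origin.
    """
    expected = _token_for(request["ip"])
    presented = request.get("cookies", {}).get("cc_confirm", "")
    if presented and hmac.compare_digest(presented, expected):
        return {"status": 200, "forwarded": True, "path": request["path"]}
    # Verification message: come back to the same path carrying the key-derived token.
    return {
        "status": 302,
        "forwarded": False,
        "location": request["path"],
        "set_cookie": {"cc_confirm": expected},
    }


def browser_like_client(ip: str, path: str) -> list:
    """A normal browser: follows the redirect and carries the cookie back."""
    cookies = {}
    responses = []
    for _ in range(3):  # bounded redirect loop
        resp = device_handle({"ip": ip, "path": path, "cookies": cookies})
        responses.append(resp)
        if resp["status"] != 302:
            break
        cookies.update(resp["set_cookie"])
    return responses


def naive_flood_client(ip: str, path: str, n: int) -> list:
    """A simple CC script: fires n requests and never honours the 302 or the cookie."""
    return [device_handle({"ip": ip, "path": path, "cookies": {}}) for _ in range(n)]


def proxy_aware_flood_client(ip: str, path: str, n: int) -> list:
    """The bypass the patent describes: a bot or proxy that answers the challenge
    once, then floods with the valid confirmation attached to every request."""
    cookies = {}
    first = device_handle({"ip": ip, "path": path, "cookies": cookies})
    if first["status"] == 302:
        cookies.update(first["set_cookie"])
    flood = [device_handle({"ip": ip, "path": path, "cookies": cookies}) for _ in range(n)]
    return [first] + flood


def forwarded_count(responses: list) -> int:
    """How many of the responses correspond to requests that reached the origin."""
    return sum(1 for r in responses if r["forwarded"])
```

Run `forwarded_count` over the three clients to see the point of the background section: the naive script never gets through, the browser gets through after one round trip, and the redirect-following bot gets every request after its first one through, which is why the patent moves to a behavioural signal instead.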
Summary of the invention
The purpose of the embodiments of this application is to provide a method and apparatus for detecting CC attacks, so that CC attacks can be detected effectively.
The method and apparatus for detecting CC attacks provided by the embodiments of this application are realised as follows:
A method for detecting a CC attack, comprising:
obtaining a preset number of access request records from a first source IP to a first target IP;
counting, among the obtained access request records, the number of access request records whose request-source page identifier is empty;
detecting a CC attack based on the counted number of access request records whose request-source page identifier is empty.
A method for detecting a CC attack, comprising:
monitoring a preset number of access requests from a first source IP to a first target IP;
accumulating the number of access requests, among the monitored access requests, whose request-source page identifier is empty;
detecting a CC attack based on the accumulated number of access requests whose request-source page identifier is empty.
A method for detecting a CC attack, comprising:
obtaining a preset number of access request records from a first source IP to a first target IP;
counting, among the obtained access request records, the number of access request records whose request-source page identifiers are mutually different (that is, the number of distinct request-source page identifiers);
detecting a CC attack based on the counted number of access request records with mutually different request-source page identifiers.
A method for detecting a CC attack, comprising:
monitoring a preset number of access requests from a first source IP to a first target IP;
accumulating the number of access requests whose request-source page identifiers are mutually different;
detecting a CC attack based on the accumulated number of access requests with mutually different request-source page identifiers.
An apparatus for detecting CC attacks, the apparatus being a third-party device independent of the client and the target server, comprising an access request record acquiring unit, a first counting unit, a first judging unit and a second judging unit, wherein:
the access request record acquiring unit is used to obtain a preset number of access request records from a first source IP to a first target IP;
the first counting unit is used to count, among the obtained access request records, the number of access request records whose request-source page identifier is empty;
the first judging unit is used to set a detection threshold, to judge that the access requests from the first source IP to the first target IP are a CC attack when the counted number of access request records with an empty request-source page identifier is greater than or equal to the detection threshold, and to judge that they are not a CC attack when that number is less than the detection threshold;
the second judging unit is used to set a proportion threshold, to judge that the access requests from the first source IP to the first target IP are a CC attack when the ratio of the counted number of access request records with an empty request-source page identifier to the preset number is greater than or equal to the proportion threshold, and to judge that they are not a CC attack when that ratio is less than the proportion threshold.
An apparatus for detecting CC attacks, the apparatus being integrated in the target server as a module, comprising a monitoring unit, a second counting unit, a third judging unit and a fourth judging unit, wherein:
the monitoring unit is used to monitor a preset number of access requests from a first source IP to a first target IP;
the second counting unit is used to accumulate the number of access requests, among the monitored access requests, whose request-source page identifier is empty;
the third judging unit is used to set a detection threshold, to judge that the access requests from the first source IP to the first target IP are a CC attack when the accumulated number of access requests with an empty request-source page identifier is greater than or equal to the detection threshold, and to judge that they are not a CC attack when that accumulated number is less than the detection threshold;
the fourth judging unit is used to set a proportion threshold, to judge that the access requests from the first source IP to the first target IP are a CC attack when the ratio of the accumulated number of access requests with an empty request-source page identifier to the preset number is greater than or equal to the proportion threshold, and to judge that they are not a CC attack when that ratio is less than the proportion threshold.
An apparatus for detecting CC attacks, the apparatus being a third-party device independent of the client and the target server, comprising an access request record acquiring unit, a third counting unit, a fifth judging unit and a sixth judging unit, wherein:
the access request record acquiring unit is used to obtain a preset number of access request records from a first source IP to a first target IP;
the third counting unit is used to count, among the obtained access request records, the number of access request records whose request-source page identifiers are mutually different;
the fifth judging unit is used to set a detection threshold, to judge that the access requests from the first source IP to the first target IP are not a CC attack when the counted number of access request records with mutually different request-source page identifiers is greater than or equal to the detection threshold, and to judge that they are a CC attack when that number is less than the detection threshold;
the sixth judging unit is used to set a proportion threshold, to judge that the access requests from the first source IP to the first target IP are not a CC attack when the ratio of the counted number of access request records with mutually different request-source page identifiers to the preset number is greater than or equal to the proportion threshold, and to judge that they are a CC attack when that ratio is less than the proportion threshold.
An apparatus for detecting CC attacks, the apparatus being integrated in the target server as a module, comprising a monitoring unit, a fourth counting unit, a seventh judging unit and an eighth judging unit, wherein:
the monitoring unit is used to monitor a preset number of access requests from a first source IP to a first target IP;
the fourth counting unit is used to accumulate the number of access requests whose request-source page identifiers are mutually different;
the seventh judging unit is used to set a detection threshold, to judge that the access requests from the first source IP to the first target IP are not a CC attack when the accumulated number of access requests with mutually different request-source page identifiers is greater than or equal to the detection threshold, and to judge that they are a CC attack when that accumulated number is less than the detection threshold;
the eighth judging unit is used to set a proportion threshold, to judge that the access requests from the first source IP to the first target IP are not a CC attack when the ratio of the accumulated number of access requests with mutually different request-source page identifiers to the preset number is greater than or equal to the proportion threshold, and to judge that they are a CC attack when that ratio is less than the proportion threshold.
The method and apparatus for detecting CC attacks provided by the embodiments of this application analyse the difference in access behaviour between real users and CC attackers and compute a decision value from that difference, and can therefore detect CC attacks effectively.
Brief description of the drawings
Fig. 1 is a schematic diagram of a normal client initiating access requests in an example of this application;
Fig. 2 is a schematic diagram of an attacking client initiating access requests in an example of this application;
Fig. 3 is a flow chart of a method for detecting CC attacks provided by an embodiment of this application;
Fig. 4 is a flow chart of a method for detecting CC attacks provided by another embodiment of this application;
Fig. 5 shows a method for detecting CC attacks provided by another embodiment of this application;
Fig. 6 is a flow chart of a method for detecting CC attacks provided by another embodiment of this application;
Fig. 7 is a functional module diagram of an apparatus for detecting CC attacks provided by an embodiment of this application;
Fig. 8 is a functional module diagram of an apparatus for detecting CC attacks provided by another embodiment of this application;
Fig. 9 is a functional module diagram of an apparatus for detecting CC attacks provided by another embodiment of this application;
Fig. 10 is a functional module diagram of an apparatus for detecting CC attacks provided by another embodiment of this application.
Detailed description of the embodiments
So that those skilled in the art may better understand the technical solutions of this application, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
Fig. 1 is a schematic diagram of a normal client initiating access requests in an example of this application. As shown in Fig. 1, a real user can enter a web page address in a browser and access page 1. The real user can then click links on page 1 to browse other pages of interest, for example page 2, page 3, page 4 or page 5. Page 1 can be called a portal page: other pages are reached through the links in the portal page. While browsing page 5, the real user can continue to page 6 or page 7 by clicking links on page 5; while browsing page 7, the user can continue to page 8, page 9 or page 10 by clicking links on page 7. Similarly, page 5 and page 7 can be portal pages that provide links to other pages. It can be seen that when a real user accesses a website, they usually browse progressively deeper into other pages starting from an initial page.
Fig. 2 is a schematic diagram of an attacking client initiating access requests in an example of this application. As shown in Fig. 2, the attacking client continually sends access requests for page 1 and page 2 to the target server, and typically initiates those requests directly by the web addresses of page 1 and page 2. In this attack pattern, when a page is accessed there is no link relationship between that page and any other page.
The access behaviour of a real user described above differs markedly from that of an attacker. When browsing, a real user typically first visits some portal pages and then reaches the next page through links provided by those portal pages. When an attacker attacks the target server, the attacker usually accesses the target pages directly by web address. An embodiment of this application detects CC attacks based on this difference in access behaviour between real users and attackers.
Fig. 3 is a flow chart of a method for detecting CC attacks provided by an embodiment of this application. As shown in Fig. 3, the method includes:
S100: obtain a preset number of access request records from a first source IP to a first target IP.
In this embodiment, the client and the target server may be in a backbone-network environment, and the detection device used to detect CC attacks can be a third-party device independent of both the client and the target server. The source IP denotes the IP address of the client initiating the access, and the target IP denotes the IP address of the target server being accessed. Access requests from the source IP to the target IP produce access request records in the backbone network, and the detection device can obtain a preset number of access request records from the first source IP to the first target IP from the backbone network in order to detect CC attacks. To test accurately whether the access request records contain CC attack behaviour, a fairly large preset number can be used; for example, the preset number can be set to 1000, and the detection device then examines these 1000 access request records from the first source IP to the first target IP.
Each obtained access request record can contain the source IP, the target IP and the requested page of the access. For example, access request record 1 records that source IP 1 initiated a request to target IP 1 for page 1, and access request record 2 records that source IP 2 initiated a request to target IP 2 for page 2. An access request record also contains a request-source page identifier, which indicates the address of the portal page from which the access request came. For example, if the first source IP initiates a request to the first target IP for page 2, and that request was initiated by clicking a link on page 1, then the request-source page identifier of the access request record holds the address of page 1, indicating that this access request was linked from page 1. In a specific embodiment, the request-source page identifier can be the Referer field of the access request; the Referer field gives the page address of the request's source page. The following steps of the embodiments are all described using the Referer field.
S200: count, among the obtained access request records, the number of access request records whose request-source page identifier is empty.
Table 1 is an illustrative table of access request records of a real user in an example of this application. As Table 1 shows, an access request record can include the source IP, the target IP, the requested page and the Referer field. The Referer field records the address of the portal page of the access request, that is, the page from which the request was linked. For example, the Referer field for page 2 and for page 3 is the address of page 1, indicating that the requests for page 2 and page 3 were linked from page 1. The Referer field for page 1 is empty, indicating that the request for page 1 was initiated directly by the address of page 1; for example, the user may have typed the URL of page 1 into the browser and thereby sent the access request to the target server.
Table 1: illustrative access request records of a real user in an example of this application
Source IP         Target IP         Requested page   Referer field
First source IP   First target IP   Page 1           (empty)
First source IP   First target IP   Page 2           Page 1
First source IP   First target IP   Page 3           Page 1
First source IP   First target IP   Page 4           Page 3
First source IP   First target IP   Page 5           Page 4
First source IP   First target IP   Page 6           Page 4
Table 2 is an illustrative table of access request records of a CC attacker in an example of this application. A CC attacker usually uses an automated script to send access requests directly and continually to the target server by page address. As Table 2 shows, the Referer field is empty in every access request the CC attacker sends to the target server, which shows that the CC attacker requests pages from the target server directly by address. Among the pages the CC attacker accesses there is no link relationship between one page and another, so the Referer field in the CC attacker's access request records is essentially always empty.
Table 2: illustrative access request records of a CC attacker in an example of this application
Source IP         Target IP         Requested page   Referer field
First source IP   First target IP   Page 1           (empty)
First source IP   First target IP   Page 1           (empty)
First source IP   First target IP   Page 1           (empty)
First source IP   First target IP   Page 2           (empty)
First source IP   First target IP   Page 2           (empty)
First source IP   First target IP   Page 2           (empty)
This embodiment analyses the Referer fields in the obtained preset number of access request records from the first source IP to the first target IP in order to detect whether the access requests from the first source IP to the first target IP constitute a CC attack. Specifically, it counts, among the obtained access request records, the number of records whose Referer field is empty. For example, the number of access request records with an empty Referer field in Table 1 is 1, while in Table 2 it is 6. It can be seen that the number of empty-Referer records among a real user's access requests is far smaller than the number among a CC attacker's access requests.
In implementation, the detection device of this embodiment can contain an internal counter. The detection device inspects the Referer field of each obtained access request record, and whenever the Referer field of a record is empty the counter is incremented by 1. After the detection device has traversed all the obtained access request records, the value in the counter is the number of records with an empty Referer field among the obtained access request records.
S300: detect a CC attack based on the number of access request records whose request-source page identifier is empty.
After the detection device has obtained the number of access request records with an empty Referer field, it can use this number to detect whether the access requests from the first source IP to the first target IP constitute a CC attack. Specifically, the ratio of the number of empty-Referer access request records to the preset number can be calculated. For example, in Table 1 the number of empty-Referer records is 1 and the preset number is 6, so the ratio is 1/6; in Table 2 the number of empty-Referer records is 6 and the preset number is 6, so the ratio is 6/6 = 1. This embodiment can preset a first proportion threshold: when the calculated ratio of empty-Referer records to the preset number is greater than or equal to the first proportion threshold, the access requests from the first source IP to the first target IP are judged to be a CC attack. It can also preset a second proportion threshold: when the calculated ratio is less than the second proportion threshold, the access requests from the first source IP to the first target IP are judged not to be a CC attack. In general the first proportion threshold and the second proportion threshold can be equal; in some special cases the first proportion threshold can be greater than the second. For example, with a first proportion threshold of 0.95 and a second proportion threshold of 0.8, the cases whose ratio lies between 0.8 and 0.95 need to be judged manually as to whether they constitute CC attack behaviour.
In actual detection, the proportion threshold can be set to 0.95: when the calculated ratio of empty-Referer access request records to the preset number is greater than or equal to 0.95, the access requests from the first source IP to the first target IP are judged to be a CC attack.
In addition, this embodiment can set a first detection threshold: when the counted number of empty-Referer access request records is greater than or equal to the first detection threshold, the access requests from the first source IP to the first target IP are judged to be a CC attack. It can also set a second detection threshold: when the counted number of empty-Referer access request records is less than the second detection threshold, the access requests are judged not to be a CC attack. Likewise, the first detection threshold can be equal to the second detection threshold, and in some special cases the first detection threshold can be greater than the second.
In actual detection, the preset number can be set to 1000 and the detection threshold to 950: when the number of empty-Referer access requests counted over the 1000 access requests is greater than or equal to 950, the access requests from the first source IP to the first target IP are judged to be a CC attack.
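Steps S100 to S300 as a batch check over access records, added here as example code (it is not the patent's implementation). The log layout, the sample lines, the IP addresses and the per-pair grouping are constructed for the example; the only convention borrowed from real web servers is that an absent Referer is logged as `-`. Both decision rules from the text are included: the two proportion thresholds (0.95 and 0.8, with a manual-review band between them) and the absolute count threshold (950 of 1000).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: source IP, target IP, request line, Referer ("-" = absent).
# The first six lines mirror Table 1 (a browsing user), the last six mirror Table 2.
SAMPLE_LOG = """\
198.51.100.10 203.0.113.5 "GET /page1 HTTP/1.1" "-"
198.51.100.10 203.0.113.5 "GET /page2 HTTP/1.1" "http://203.0.113.5/page1"
198.51.100.10 203.0.113.5 "GET /page3 HTTP/1.1" "http://203.0.113.5/page1"
198.51.100.10 203.0.113.5 "GET /page4 HTTP/1.1" "http://203.0.113.5/page3"
198.51.100.10 203.0.113.5 "GET /page5 HTTP/1.1" "http://203.0.113.5/page4"
198.51.100.10 203.0.113.5 "GET /page6 HTTP/1.1" "http://203.0.113.5/page4"
198.51.100.77 203.0.113.5 "GET /page1 HTTP/1.1" "-"
198.51.100.77 203.0.113.5 "GET /page1 HTTP/1.1" "-"
198.51.100.77 203.0.113.5 "GET /page1 HTTP/1.1" "-"
198.51.100.77 203.0.113.5 "GET /page2 HTTP/1.1" "-"
198.51.100.77 203.0.113.5 "GET /page2 HTTP/1.1" "-"
198.51.100.77 203.0.113.5 "GET /page2 HTTP/1.1" "-"
"""

# src dst "METHOD PATH VERSION" "REFERER"
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) ([^"]*)" "([^"]*)"$')


@dataclass(frozen=True)
class AccessRecord:
    src_ip: str
    dst_ip: str
    page: str
    referer: str  # "" when the Referer header was absent


def parse_record(line: str) -> AccessRecord:
    """Parse one constructed log line; '-' is normalised to an empty Referer."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable record: {line!r}")
    referer = m.group(6)
    return AccessRecord(m.group(1), m.group(2), m.group(4), "" if referer == "-" else referer)


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def empty_referer_count(records: list) -> int:
    """The counter of step S200: records with an empty request-source page identifier."""
    return sum(1 for r in records if not r.referer)


def classify_by_ratio(records: list, preset_n: int, high: float = 0.95, low: float = 0.8) -> str:
    """Step S300 with two proportion thresholds: >= high is an attack, < low is normal,
    anything in between is left for manual review, exactly as the text describes."""
    if len(records) < preset_n:
        return "insufficient"
    batch = records[:preset_n]
    ratio = empty_referer_count(batch) / preset_n
    if ratio >= high:
        return "cc_attack"
    if ratio < low:
        return "normal"
    return "manual_review"


def classify_by_count(records: list, preset_n: int, threshold: int = 950) -> str:
    """Step S300 with an absolute detection threshold (950 of 1000 in the text)."""
    if len(records) < preset_n:
        return "insufficient"
    return "cc_attack" if empty_referer_count(records[:preset_n]) >= threshold else "normal"


def detect_pairs(text: str, preset_n: int, high: float = 0.95, low: float = 0.8) -> dict:
    """Group records per (source IP, target IP) and classify each pair's first preset_n."""
    by_pair = defaultdict(list)
    for rec in parse_log(text):
        by_pair[(rec.src_ip, rec.dst_ip)].append(rec)
    return {pair: classify_by_ratio(recs, preset_n, high, low) for pair, recs in by_pair.items()}
```

Two caveats a practitioner should keep in mind before deploying this as more than one feature among several: the Referer header is absent for many legitimate reasons (typed URLs and bookmarks, `Referrer-Policy: no-referrer`, browsers that strip it on an HTTPS-to-HTTP transition, API clients and mobile apps), and it is a client-controlled header that an attacker can set to any plausible page address in every request, which is why the thresholds above are high and why the manual-review band exists.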
In another embodiment of this application, the detection device can also be integrated on the target server as a functional module, where it can monitor in real time the access requests sent to that target server. Fig. 4 is a flow chart of a method for detecting CC attacks provided by this embodiment. As shown in Fig. 4, the method includes:
S110: monitor a preset number of access requests from a first source IP to a first target IP.
S210: accumulate the number of access requests, among the monitored access requests, whose request-source page identifier is empty.
The detection device integrated on the target server can monitor, in real time, the access requests sent by the requesting end located at the first source IP to the target server located at the first target IP. As explained at step S200, the referer field differs markedly between the access requests that a real user and a CC attacker send to the target server: among a real user's access requests, those with an empty referer field are comparatively few, whereas among a CC attacker's access requests they are numerous. The detection device of this embodiment can therefore count the cumulative number of access requests whose referer field is empty and use it to judge whether the access requests from the first source IP to the first target IP constitute a CC attack. In a specific embodiment, a larger predetermined number may be set so that CC attack behaviour is detected more accurately; for example, with the predetermined number set to 1000, the detection device continuously monitors 1000 access requests from the first source IP to the first target IP and counts how many of those 1000 have an empty referer field.
Specifically, the detection device of this embodiment may contain a first counter and a second counter. The detection device monitors in real time each access request sent from the first source IP to the first target IP; for every access request detected, the first counter is incremented by 1, and whenever the detected access request has an empty referer field, the second counter is incremented by 1. When the first counter reaches the predetermined number, the value of the second counter is the cumulative number of access requests whose referer field is empty.
S310: detecting a CC attack based on the counted cumulative number of access requests whose request source page identifier is empty.
This embodiment may preset a third detection threshold: when the counted cumulative number of access requests with an empty referer field is greater than or equal to the third detection threshold, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack. It may also preset a fourth detection threshold: when that cumulative number is less than the fourth detection threshold, it is determined that the access requests from the first source IP to the first target IP do not constitute a CC attack. The third detection threshold may be equal to the fourth detection threshold; in some special cases the third detection threshold may be greater than the fourth.
In actual detection, the predetermined number may be set to 1000 and the detection threshold to 950: when, over the 1000 monitored access requests, the counted cumulative number of access requests whose referer field is empty is greater than or equal to 950, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack.
In addition, the application may equally detect a CC attack by calculating the proportion that the counted cumulative number of access requests with an empty referer field represents of the predetermined number. This embodiment may preset a third proportion threshold: when the calculated proportion of the predetermined number made up by access requests with an empty referer field is greater than or equal to the third proportion threshold, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack. It may preset a fourth proportion threshold: when that proportion is less than the fourth proportion threshold, it is determined that they do not constitute a CC attack. The third proportion threshold may be equal to the fourth proportion threshold; in some special cases the third proportion threshold may be greater than the fourth.
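The two-counter scheme of steps S110 to S310, written out as an added Python example by the editor (it is not code from the patent or from Alibaba). The request tuples, IP addresses and page URLs are constructed for the example. A first counter counts every request of a (source IP, target IP) pair and a second counter counts those with an empty referer; when the first counter reaches the predetermined number, the second is compared with the detection threshold and, equivalently, with the proportion threshold (950 out of 1000, i.e. 0.95), and the pair's window is reset.

```python
"""Windowed empty-referer counting (editor's added example, not the patent's code)."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Parameter values taken from the specification.
PREDETERMINED_NUMBER = 1000
DETECTION_THRESHOLD = 950      # third/fourth detection threshold (a count)
PROPORTION_THRESHOLD = 0.95    # third/fourth proportion threshold (a ratio)

Request = Tuple[str, str, Optional[str]]   # (source IP, target IP, referer)


@dataclass
class Verdict:
    empty_count: int      # value of the second counter when the window closed
    proportion: float     # empty_count / predetermined number
    is_cc_attack: bool


@dataclass
class _Window:
    first_counter: int = 0    # every request of the pair
    second_counter: int = 0   # requests whose referer is empty


class EmptyRefererDetector:
    """One pair of counters per (source IP, target IP), as in the two-counter device."""

    def __init__(self, predetermined_number: int = PREDETERMINED_NUMBER,
                 detection_threshold: int = DETECTION_THRESHOLD,
                 proportion_threshold: float = PROPORTION_THRESHOLD) -> None:
        self.n = predetermined_number
        self.threshold = detection_threshold
        self.ratio = proportion_threshold
        self._windows: Dict[Tuple[str, str], _Window] = {}

    def observe(self, src_ip: str, dst_ip: str, referer: Optional[str]) -> Optional[Verdict]:
        """Feed one monitored request (S110). Returns None until the pair's
        window holds the predetermined number of requests, then returns the
        verdict (S310) and starts a fresh window for the pair."""
        key = (src_ip, dst_ip)
        w = self._windows.setdefault(key, _Window())
        w.first_counter += 1                            # first counter
        if referer is None or referer.strip() == "":    # empty referer (S210)
            w.second_counter += 1                       # second counter
        if w.first_counter < self.n:
            return None
        del self._windows[key]
        proportion = w.second_counter / self.n
        # The count rule and the proportion rule coincide when threshold == ratio * n.
        is_attack = w.second_counter >= self.threshold or proportion >= self.ratio
        return Verdict(w.second_counter, proportion, is_attack)


def run_detector(requests: Iterable[Request],
                 detector: Optional[EmptyRefererDetector] = None) -> Dict[Tuple[str, str], Verdict]:
    """Replay a request stream and keep the latest verdict for each pair."""
    detector = detector or EmptyRefererDetector()
    verdicts: Dict[Tuple[str, str], Verdict] = {}
    for src, dst, ref in requests:
        verdict = detector.observe(src, dst, ref)
        if verdict is not None:
            verdicts[(src, dst)] = verdict
    return verdicts


def constructed_stream() -> Iterator[Request]:
    """Constructed sample traffic using documentation address ranges.
    198.51.100.7 behaves like the attacker described above (970 of 1000
    requests carry no referer); 192.0.2.44 behaves like a real user (only
    the first request of every ten, a direct page load, has an empty referer)."""
    target = "203.0.113.10"
    portal = "http://203.0.113.10/index.html"
    attacker = [("198.51.100.7", target, None if i % 100 < 97 else portal)
                for i in range(1000)]
    pages = cycle([portal, "http://203.0.113.10/list.html", "http://203.0.113.10/item.html"])
    user = [("192.0.2.44", target, "" if i % 10 == 0 else next(pages))
            for i in range(1000)]
    for a, u in zip(attacker, user):   # interleave: each pair's window fills independently
        yield a
        yield u
```

Windows are keyed per (source IP, target IP) pair so that interleaved traffic from several sources does not pollute one another's counters; the window is discarded after a verdict, matching the specification's behaviour of judging each block of the predetermined number of requests.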
It should be noted that CC attackers often attack the target server through proxy servers. For example, a CC attacker may launch the attack against the target server through three proxy servers located at source IP1, source IP2 and source IP3. With the technical scheme above, attack behaviour can be detected at source IP1, source IP2 and source IP3, and those three source IPs can subsequently be blocked, but the CC attacker's real source IP cannot be detected and blocked. In view of this, in a preferred embodiment of the application, step S100 may specifically include:
obtaining, according to a real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP, where the real-source-IP determination rule specifically includes:
when the x-forward-for field of the access request record is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request record is non-empty, determining the real source IP from the IP addresses in the x-forward-for field.
This preferred embodiment identifies the real request source IP from the source IP field and the x-forward-for field of the access request. The standard format of the x-forward-for field is:
x-forward-for:client1,proxy1
where client1 denotes the real IP address and proxy1 denotes the IP address of proxy server 1. The standard format above is to be understood as follows: when the access request is sent from client1, its x-forward-for field is empty; when the request reaches proxy1 and is forwarded by proxy1, client1 is appended to the x-forward-for field; when it subsequently reaches proxy2 and is forwarded by proxy2, proxy1 is appended to the x-forward-for field. Hence, when the x-forward-for field is non-empty, the first IP address in the x-forward-for field is the real source IP of the access request; when the x-forward-for field is empty, the IP address in the source IP field of the access request record is the real source IP of that record.
Identifying the real source IP of access request records has a further beneficial effect: it shortens the time needed to obtain the access request records. For example, suppose that, without identifying real source IPs, 10000 access request records must be read in order to filter out 5000 access request records from source IP1 to target IP1 (the other 5000 being records from other source IPs to target IP1). If, after identifying the real source IPs, it is found that among those 10000 records the real source IP of both source IP1 and source IP2 is source IP1, then the access request records from source IP2 to target IP1 should also be counted among the access request records from source IP1 to target IP1. In that case, to filter out 5000 access request records from source IP1 to target IP1 it suffices to read 7000 access request records (the other 2000 being records from other source IPs to target IP1). This shortens the time taken to obtain the predetermined number of access request records from a source IP to a target IP, so that CC attack behaviour can be detected and blocked earlier. Likewise, in another preferred embodiment of the application, step S110 may specifically include:
monitoring, according to a real-source-IP determination rule, a predetermined number of access requests from a first real source IP to the first target IP, where the real-source-IP determination rule specifically includes:
when the x-forward-for field of the access request is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request is non-empty, determining the real source IP from the IP addresses in the x-forward-for field.
Identifying the real source IP of the monitored access requests likewise shortens the time needed to monitor the predetermined number of access requests from a source IP to a target IP, so that the source IP address at which the CC attacker resides is detected and blocked earlier.
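The real-source-IP determination rule used by both preferred embodiments above (record acquisition at S100 and live monitoring at S110), together with the record-count illustration, as an added Python example by the editor; it is not code from the patent. The header the specification writes as x-forward-for is the de facto standard X-Forwarded-For header. The log records and addresses are constructed. One addition that a practitioner would want, and that the specification does not state, is marked in the code: the header is written by whichever client or proxy sends the request, so it should only be honoured when the direct peer is a known proxy (the TRUSTED_PROXIES set is an assumption for the example; passing None applies the rule exactly as the specification states it).

```python
"""Real-source-IP determination rule (editor's added example, not the patent's code)."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Assumed set of proxies whose X-Forwarded-For header is trusted (constructed
# addresses). This check is the editor's addition: a peer that is not a known
# proxy can put any address it likes in the header.
TRUSTED_PROXIES = frozenset({"192.0.2.2", "192.0.2.3"})

Record = Tuple[str, Optional[str]]   # (source IP field, x-forward-for field)


def real_source_ip(source_ip: str, x_forward_for: Optional[str],
                   trusted_proxies: Optional[frozenset] = None) -> str:
    """Apply the rule: empty header -> the source IP field; non-empty header ->
    its first address. When trusted_proxies is given, the header is honoured
    only if the direct peer (the source IP field) is one of them."""
    header = (x_forward_for or "").strip()
    if not header:
        return source_ip
    if trusted_proxies is not None and source_ip not in trusted_proxies:
        return source_ip                       # forged header from a non-proxy peer
    first = header.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)            # reject a malformed first entry
    except ValueError:
        return source_ip
    return first


def records_read_to_collect(records: Sequence[Record], wanted_ip: str,
                            predetermined_number: int, identify_real_ip: bool) -> Optional[int]:
    """How many records must be read, in order, before predetermined_number
    records attributable to wanted_ip have been collected; None if the log is
    too short. identify_real_ip=False matches on the source IP field alone,
    True applies real_source_ip() first (the specification's rule, no proxy list)."""
    collected = 0
    for read, (src, xff) in enumerate(records, start=1):
        ip = real_source_ip(src, xff) if identify_real_ip else src
        if ip == wanted_ip:
            collected += 1
            if collected == predetermined_number:
                return read
    return None


def constructed_records() -> List[Record]:
    """Constructed log: IP1 sends directly, IP2 is a proxy forwarding IP1's
    requests (so its x-forward-for field starts with IP1), IP3 is unrelated.
    The pattern repeats 15 times, 45 records in all."""
    ip1, ip2, ip3 = "198.51.100.7", "192.0.2.2", "203.0.113.99"
    return [(ip1, ""), (ip2, ip1), (ip3, None)] * 15
```

In the constructed log, collecting 12 records for IP1 needs 34 records when only the source IP field is used but 17 once the records relayed by IP2 are attributed to IP1, which is the effect the specification describes with its 10000 and 7000 figures.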
In practice, a CC attacker may also disguise the access behaviour of a real user by filling in the referer field. For example, when preparing to attack a website server, the attacker may fill the referer field of the access requests with the address of the website's portal page, thereby faking a link relationship between the pages accessed. Most often the attacker uses a script to fill the referer field of the access requests in bulk with the same page address, as shown in Table 3. As Table 3 shows, the CC attacker has inserted the page address of page 1 into the referer field of every access request initiated; page 1 may be the website's portal page or a fake page.
Table 3  Example access request records in which a CC attacker fills the referer field (one example of the application)

Source IP        Target IP        Accessed page   Referer field
First source IP  First target IP  Page 1          Page 1
First source IP  First target IP  Page 2          Page 1
First source IP  First target IP  Page 2          Page 1
First source IP  First target IP  Page 2          Page 1
First source IP  First target IP  Page 2          Page 1
First source IP  First target IP  Page 2          Page 1
First source IP  First target IP  Page 3          Page 1
First source IP  First target IP  Page 3          Page 1
First source IP  First target IP  Page 3          Page 1
Although the CC attacker fakes the link relationship between pages by filling the referer field in bulk, comparing Table 1 with Table 3 still reveals a difference between the access behaviour of a real user and that of a CC attacker. In the access requests a real user produces when accessing the target server, the page addresses in the referer field are mostly different: in Table 1, the referer field of the real user's access requests contains the addresses of page 1, page 3 and page 4. In the access requests produced by a CC attack on the target server, the page addresses in the referer field are mostly identical: in Table 3, the referer field of the CC attacker's access requests contains only the address of page 1. Thus the number of access requests with mutually different referer fields differs between a real user and an attacker. For example, among the real user's access requests in Table 1, the number of mutually different referer values is 4, namely the empty referer field, page 1, page 3 and page 4; among the attacker's access requests, because the referer fields are mostly identical, the number of mutually different referer values is only 1. This embodiment can use this difference to detect whether the access requests from a source IP to a target IP belong to a CC attack. Fig. 5 shows a method for detecting a CC attack provided by another embodiment of the application. As shown in Fig. 5, the method includes:
S120: obtaining a predetermined number of access request records from a first source IP to a first target IP.
In this embodiment, the requesting end and the target server may be in a backbone network environment, and the detection device used to detect CC attacks may be a third-party device independent of the requesting end and the target server. Similarly to S100, the detection device obtains the predetermined number of access request records from the first source IP to the first target IP from the backbone network in order to detect CC attacks. To judge accurately whether CC attack behaviour exists in the access request records, a larger predetermined number may be set; for example, with the predetermined number set to 1000, the detection device examines these 1000 access request records from the first source IP to the first target IP.
S220: counting the number of access request records, among those obtained, whose request source page identifiers are mutually different.
After the detection device has obtained the predetermined number of access request records from the first source IP to the first target IP, it can count how many of those records have mutually different referer fields. In one embodiment the detection device contains a counter. Starting from the first access request record, the detection device reads the first referer field from that record, places it in a reference queue and increments the counter by 1. It then reads the second referer field from the second access request record: if the first and second referer fields differ, the detection device places the second referer field in the reference queue and increments the counter by 1; if they are identical, the detection device does nothing. After processing the second record, the detection device reads the third referer field from the third access request record and compares it with every referer field in the reference queue: if it differs from all of them, the third referer field is placed in the reference queue and the counter is incremented by 1; if it is identical to any referer field in the reference queue, the detection device does nothing. The detection device traverses every one of the predetermined number of access request records performing the same comparison, and finally obtains the number of records, among those obtained, whose referer fields are mutually different; this number equals both the number of referer fields in the reference queue and the value accumulated by the counter.
It should be pointed out that if the referer field of some access request record is empty and this empty referer field appears for the first time, the empty referer field is also placed in the reference queue as one of its referer fields. Empty referer fields that appear later are treated as identical to the empty referer field already in the reference queue and are not counted again.
S320: detecting a CC attack based on the number of access request records whose request source page identifiers are mutually different.
This embodiment may preset a fifth detection threshold: when the number of access request records with mutually different referer fields is less than the fifth detection threshold, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack. It may preset a sixth detection threshold: when that number is greater than or equal to the sixth detection threshold, it is determined that the access requests from the first source IP to the first target IP do not constitute a CC attack. The fifth detection threshold may be equal to the sixth detection threshold; in some special cases the fifth detection threshold may be less than the sixth.
In actual detection, the predetermined number may be set to 1000 and the detection threshold to 50: when, among the 1000 access request records, the counted number of records with mutually different referer fields is less than 50, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack.
Likewise, this embodiment may also detect a CC attack by calculating the proportion that the counted number of access request records with mutually different referer fields represents of the predetermined number. It may preset a fifth proportion threshold: when that proportion is less than the fifth proportion threshold, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack. It may preset a sixth proportion threshold: when that proportion is greater than or equal to the sixth proportion threshold, it is determined that they do not constitute a CC attack. The fifth proportion threshold may be equal to the sixth proportion threshold; in some special cases the fifth proportion threshold may be less than the sixth.
In actual detection, the predetermined number may be set to 1000 and the proportion threshold to 0.05: when the calculated number of access request records with mutually different referer fields, as a proportion of the predetermined number, is less than 0.05, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack.
Similarly, in a preferred embodiment of the application, the real source IP of the access request records may be identified. In this preferred embodiment, step S120 may specifically include:
obtaining, according to a real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP, where the real-source-IP determination rule specifically includes:
when the x-forward-for field of the access request record is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request record is non-empty, determining the real source IP from the IP addresses in the x-forward-for field.
In another embodiment of the application, the detection device may also be integrated on the target server as a functional module, in which case it can monitor in real time the access requests sent to that target server. Fig. 6 is a flowchart of a method for detecting a CC attack provided by this further embodiment. As shown in Fig. 6, the method includes:
S130: monitoring a predetermined number of access requests from a first source IP to a first target IP.
S230: counting the cumulative number of those access requests whose request source page identifiers are mutually different.
The detection device integrated on the target server can monitor, in real time, the access requests sent by the requesting end located at the first source IP to the target server located at the first target IP. The detection device of this embodiment monitors the predetermined number of access requests from the first source IP to the first target IP and counts the cumulative number of those requests whose referer fields are mutually different, and from this judges whether the access requests from the first source IP to the first target IP constitute a CC attack. In a specific embodiment, a larger predetermined number may be set so that CC attack behaviour is detected accurately; for example, with the predetermined number set to 1000, the detection device continuously monitors 1000 access requests from the first source IP to the first target IP and counts the cumulative number of those 1000 requests whose referer fields are mutually different.
Specifically, the detection device of this embodiment may contain a first counter and a second counter. The detection device monitors in real time each access request sent from the first source IP to the first target IP, and for every access request detected the first counter is incremented by 1. Starting from the first access request, the detection device reads the first referer field from that request, places it in a reference queue and increments the second counter by 1. It then reads the second referer field from the second access request: if the first and second referer fields differ, the detection device places the second referer field in the reference queue and increments the second counter by 1; if they are identical, the detection device does nothing. After processing the second access request, the detection device reads the third referer field from the third access request and compares it with every referer field in the reference queue: if it differs from all of them, the third referer field is placed in the reference queue and the second counter is incremented by 1; if it is identical to any referer field in the reference queue, the detection device does nothing. The detection device performs the same comparison on every monitored access request. When the first counter reaches the predetermined number, the detection device obtains the cumulative number of access requests, among the predetermined number monitored, whose referer fields are mutually different; this cumulative number equals both the number of referer fields in the reference queue and the value accumulated by the second counter.
It should be pointed out that if the referer field of some access request is empty and this empty referer field appears for the first time, the empty referer field is also placed in the reference queue as one of its referer fields. Empty referer fields that appear later are treated as identical to the empty referer field already in the reference queue and are not counted again.
S330: detecting a CC attack based on the counted cumulative number of access requests whose request source page identifiers are mutually different.
This embodiment may preset a seventh detection threshold: when the cumulative number of access requests with mutually different referer fields is less than the seventh detection threshold, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack. It may preset an eighth detection threshold: when that cumulative number is greater than or equal to the eighth detection threshold, it is determined that the access requests from the first source IP to the first target IP do not constitute a CC attack. The seventh detection threshold may be equal to the eighth detection threshold; in some special cases the seventh detection threshold may be less than the eighth.
In actual detection, the predetermined number may be set to 1000 and the detection threshold to 50: when, among the 1000 monitored access requests, the counted cumulative number of access requests with mutually different referer fields is less than 50, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack.
Likewise, this embodiment may also detect a CC attack by calculating the proportion that the counted cumulative number of access requests with mutually different referer fields represents of the predetermined number. It may preset a seventh proportion threshold: when that proportion is less than the seventh proportion threshold, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack. It may preset an eighth proportion threshold: when that proportion is greater than or equal to the eighth proportion threshold, it is determined that they do not constitute a CC attack. The seventh proportion threshold may be equal to the eighth proportion threshold; in some special cases the seventh proportion threshold may be less than the eighth.
In actual detection, the predetermined number may be set to 1000 and the proportion threshold to 0.05: when the calculated cumulative number of access requests with mutually different referer fields, as a proportion of the predetermined number, is less than 0.05, it is determined that the access requests from the first source IP to the first target IP constitute a CC attack.
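The reference-queue counting of steps S220/S320 (stored records) and S230/S330 (live monitoring with a first and second counter), as one added Python example by the editor; it is not code from the patent. The attacker traffic reproduces Table 3 (every referer set to page 1) and the real-user traffic is constructed with 119 different page addresses plus the empty referer, which the specification says is queued once and not counted again. The reference queue is kept as a list in order of first appearance, with a set alongside it so that the "compare with every queued referer" step costs O(1) per request instead of a scan; the thresholds are the specification's 50 out of 1000 and 0.05.

```python
"""Distinct-referer counting with a reference queue (editor's added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Parameter values taken from the specification.
PREDETERMINED_NUMBER = 1000
DETECTION_THRESHOLD = 50      # fifth to eighth detection thresholds (a count)
PROPORTION_THRESHOLD = 0.05   # fifth to eighth proportion thresholds (a ratio)

EMPTY = ""   # the empty referer is one reference-queue entry, counted once

Request = Tuple[str, str, Optional[str]]   # (source IP, target IP, referer)


@dataclass
class DistinctVerdict:
    distinct_count: int    # number of entries in the reference queue (second counter)
    proportion: float      # distinct_count / predetermined number
    is_cc_attack: bool


class _Window:
    def __init__(self) -> None:
        self.first_counter = 0                  # requests seen
        self.reference_queue: List[str] = []    # mutually different referers, in order of first sight
        self._queued: Set[str] = set()          # same contents as the queue, for O(1) membership

    def add(self, referer: Optional[str]) -> None:
        self.first_counter += 1
        value = EMPTY if referer is None else referer.strip()
        if value not in self._queued:           # differs from every queued referer
            self._queued.add(value)
            self.reference_queue.append(value)  # second counter == len(reference_queue)


def count_distinct_referers(referers: Iterable[Optional[str]]) -> int:
    """Batch form (S220) over stored records: size of the reference queue."""
    w = _Window()
    for r in referers:
        w.add(r)
    return len(w.reference_queue)


class DistinctRefererDetector:
    """Live form (S230/S330): one window per (source IP, target IP) pair."""

    def __init__(self, predetermined_number: int = PREDETERMINED_NUMBER,
                 detection_threshold: int = DETECTION_THRESHOLD,
                 proportion_threshold: float = PROPORTION_THRESHOLD) -> None:
        self.n = predetermined_number
        self.threshold = detection_threshold
        self.ratio = proportion_threshold
        self._windows: Dict[Tuple[str, str], _Window] = {}

    def observe(self, src_ip: str, dst_ip: str, referer: Optional[str]) -> Optional[DistinctVerdict]:
        key = (src_ip, dst_ip)
        w = self._windows.setdefault(key, _Window())
        w.add(referer)
        if w.first_counter < self.n:
            return None
        del self._windows[key]
        distinct = len(w.reference_queue)
        proportion = distinct / self.n
        # Few distinct referers means a CC attack; the two rules coincide when threshold == ratio * n.
        is_attack = distinct < self.threshold or proportion < self.ratio
        return DistinctVerdict(distinct, proportion, is_attack)


def run_detector(requests: Iterable[Request],
                 detector: Optional[DistinctRefererDetector] = None) -> Dict[Tuple[str, str], DistinctVerdict]:
    """Replay a request stream and keep the latest verdict for each pair."""
    detector = detector or DistinctRefererDetector()
    verdicts: Dict[Tuple[str, str], DistinctVerdict] = {}
    for src, dst, ref in requests:
        verdict = detector.observe(src, dst, ref)
        if verdict is not None:
            verdicts[(src, dst)] = verdict
    return verdicts


def constructed_stream() -> Iterator[Request]:
    """Constructed traffic (documentation address ranges). 198.51.100.7 fills
    every referer with page 1 as in Table 3; 192.0.2.44 cycles through 119
    page addresses and the empty referer, 120 distinct values in all."""
    target = "203.0.113.10"
    page1 = "http://203.0.113.10/index.html"
    attacker = [("198.51.100.7", target, page1) for _ in range(1000)]
    user = [("192.0.2.44", target,
             EMPTY if i % 120 == 0 else f"http://203.0.113.10/p{i % 120}.html")
            for i in range(1000)]
    for a, u in zip(attacker, user):
        yield a
        yield u
```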
Likewise, in a preferred embodiment of the application, the real source IP of the access requests may be identified. In this preferred embodiment, step S130 may specifically include:
monitoring, according to a real-source-IP determination rule, a predetermined number of access requests from a first real source IP to the first target IP, where the real-source-IP determination rule specifically includes:
when the x-forward-for field of the access request is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request is non-empty, determining the real source IP from the IP addresses in the x-forward-for field.
The embodiment of the application also provides a device for detecting a CC attack. Fig. 7 is a functional block diagram of a device for detecting a CC attack provided by an embodiment of the application. As shown in Fig. 7, the device includes:
an access request record acquiring unit 100, used for obtaining a predetermined number of access request records from a first source IP to a first target IP;
a first statistic unit 200, used for counting the number of access request records, among those obtained, whose request source page identifier is empty;
a first determining unit 300, used for setting a detection threshold; when the counted number of access request records whose request source page identifier is empty is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP constitute a CC attack; when that number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP do not constitute a CC attack;
a second determining unit 400, used for setting a proportion threshold; when the counted number of access request records whose request source page identifier is empty, as a proportion of the predetermined number, is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP constitute a CC attack; when that proportion is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP do not constitute a CC attack.
The device may be a third-party device independent of the requesting end and the target server.
In a preferred embodiment of the application, the access request record acquiring unit 100 specifically includes:
a real-source-IP access request record acquisition module 101, used for obtaining, according to the real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP.
Fig. 8 is a functional block diagram of a device for detecting a CC attack provided by another embodiment of the application. As shown in Fig. 8, the device includes:
a monitoring unit 110, used for monitoring a predetermined number of access requests from a first source IP to a first target IP;
a second statistic unit 210, used for counting the cumulative number of those access requests whose request source page identifier is empty;
a third determining unit 310, used for setting a detection threshold; when the counted cumulative number of access requests whose request source page identifier is empty is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP constitute a CC attack; when that cumulative number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP do not constitute a CC attack;
a fourth determining unit 410, used for setting a proportion threshold; when the counted cumulative number of access requests whose request source page identifier is empty, as a proportion of the predetermined number, is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP constitute a CC attack; when that proportion is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP do not constitute a CC attack.
The device may be integrated in the target server as a module.
In a preferred embodiment of the application, the monitoring unit 110 specifically includes:
a real-source-IP access request monitoring module 111, used for monitoring, according to the real-source-IP determination rule, a predetermined number of access requests from a first real source IP to the first target IP.
Fig. 9 is a functional block diagram of a device for detecting a CC attack provided by another embodiment of the application. As shown in Fig. 9, the device includes:
an access request record acquiring unit 120, used for obtaining a predetermined number of access request records from a first source IP to a first target IP;
a third statistic unit 220, used for counting the number of access request records, among those obtained, whose request source page identifiers are mutually different;
a fifth determining unit 320, used for setting a detection threshold; when the counted number of access request records with mutually different request source page identifiers is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP do not constitute a CC attack; when that number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP constitute a CC attack;
a sixth determining unit 420, used for setting a proportion threshold; when the counted number of access request records with mutually different request source page identifiers, as a proportion of the predetermined number, is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP do not constitute a CC attack; when that proportion is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP constitute a CC attack.
The device may be a third-party device independent of the requesting end and the target server.
In a preferred embodiment of the application, the access request record acquiring unit 120 specifically includes:
a real-source-IP access request record acquisition module 121, used for obtaining, according to the real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP.
A kind of functions of the equipments module map detecting CC attack that Figure 10 provides for another embodiment of the application.As shown in Figure 10, Described equipment includes:
Monitoring unit 130, is used for monitoring the access request of the first source IP to first object IP of predetermined number;
4th statistic unit 230, is used for adding up request source page and identifies the cumulative amount of mutually different access request;
7th identifying unit 330, is used for arranging detection threshold value;When the request source page of described statistics identifies mutually different visit When asking the cumulative amount of request more than or equal to described detection threshold value, it is determined that the access request of the first source IP to first object IP It not that CC attacks;When the request source page of described statistics identifies the cumulative amount of mutually different access request less than described inspection When surveying threshold value, it is determined that the access request of the first source IP to first object IP is that CC attacks;
8th identifying unit 430, for Set scale threshold value;When the request source page of described statistics identifies mutually different visit When asking that ratio value that the cumulative amount of request accounts for described predetermined number is more than or equal to described proportion threshold value, it is determined that the first source IP Access request to first object IP is not that CC attacks;Ask when the request source page of described statistics identifies mutually different access When the cumulative amount asked accounts for the ratio value of described predetermined number less than described proportion threshold value, it is determined that the first source IP to first object IP Access request be CC attack.
Described equipment can be integrated in destination server as a module.
In the application one preferred embodiment, described monitoring unit 130 specifically includes:
Real source IP access request monitoring module 131, is used for really establishing rules then based on real source IP, the of monitoring predetermined number One real source IP is to the access request of first object IP.
A kind of method and apparatus detecting CC attack that the embodiment of the present application provides, by analyzing real user and CC assailant's The diversity of access behavior, and calculate judgement numerical value based on this diversity, it is possible to detection CC attacks effectively.
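As an added example that is not part of the patent text, the following Python implements the two batch detectors described above for a third-party device (the empty-identifier test of the first embodiment and the distinct-identifier test of units 120/220/320/420) over constructed log lines. It assumes that the "request-source page identifier" is the HTTP Referer header and that the patent's "x-forward-for" field is the X-Forwarded-For header; the log format, addresses, thresholds and the trusted_proxies parameter are my own. The trusted_proxies guard is a caveat the patent does not state: X-Forwarded-For is written by whoever sends the request, so a CC tool can forge it and have its traffic attributed to an arbitrary "real source IP" unless the header is honoured only when the direct peer is a known proxy.

```python
"""Batch Referer-based CC detection (added example; not the patent's code).

Assumed: the patent's 'request-source page identifier' is the HTTP Referer
header and its 'x-forward-for' field is X-Forwarded-For.  The log format,
addresses and thresholds below are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Constructed log format: <src_ip> <dst_ip> "<X-Forwarded-For>" "<Referer>" "<request>"
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')


def real_source_ip(src_ip, xff, trusted_proxies=None):
    """Patent rule (claim 3): empty X-Forwarded-For -> IP-layer source;
    otherwise the client address named in X-Forwarded-For (leftmost here).
    Extra guard, not in the patent: the header is written by the sender, so
    only honour it when the direct peer is one of our own proxies."""
    if not xff:
        return src_ip
    if trusted_proxies is not None and src_ip not in trusted_proxies:
        return src_ip
    client = xff.split(",")[0].strip()
    return client or src_ip


def parse_records(lines, trusted_proxies=None):
    """Yield (real source IP, target IP, Referer) for every well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # malformed line: skip rather than crash the detector
        src, dst, xff, referer, _request = m.groups()
        yield real_source_ip(src, xff, trusted_proxies), dst, referer


def empty_referer_verdict(referers, count_threshold, ratio_threshold):
    """First embodiment (claims 1-7): many empty Referers => CC attack."""
    n = len(referers)
    empty = sum(1 for r in referers if r == "")
    ratio = empty / n if n else 0.0
    return {"empty": empty,
            "attack_by_count": empty >= count_threshold,
            "attack_by_ratio": ratio >= ratio_threshold}


def distinct_referer_verdict(referers, count_threshold, ratio_threshold):
    """Second embodiment (claims 15-21): few distinct Referers => CC attack.
    Note the inverted direction: a real user browsing page to page produces
    many different Referers, a tool hammering one URL produces one."""
    n = len(referers)
    distinct = len(set(referers))
    ratio = distinct / n if n else 0.0
    return {"distinct": distinct,
            "attack_by_count": distinct < count_threshold,
            "attack_by_ratio": ratio < ratio_threshold}


def detect(lines, predetermined_number, *, empty_count=8, empty_ratio=0.8,
           distinct_count=3, distinct_ratio=0.3, trusted_proxies=None):
    """Group records by (real source IP, target IP), keep the first
    `predetermined_number` per pair and judge every complete batch."""
    batches = defaultdict(list)
    for src, dst, referer in parse_records(lines, trusted_proxies):
        if len(batches[(src, dst)]) < predetermined_number:
            batches[(src, dst)].append(referer)
    verdicts = {}
    for pair, refs in batches.items():
        if len(refs) < predetermined_number:
            continue  # not enough records for this pair yet
        verdicts[pair] = {
            "empty": empty_referer_verdict(refs, empty_count, empty_ratio),
            "distinct": distinct_referer_verdict(refs, distinct_count, distinct_ratio),
        }
    return verdicts


# --- constructed sample traffic -------------------------------------------
SITE = "198.51.100.10"
USER_REFERERS = [
    "",  # first hit typed directly, so no Referer
    "https://shop.example/index", "https://shop.example/cat/shoes",
    "https://shop.example/item/41", "https://shop.example/item/42",
    "https://shop.example/cart", "https://shop.example/item/43",
    "https://shop.example/cart", "https://shop.example/checkout",
    "https://shop.example/item/41",
]
SAMPLE_LOG = (
    # CC tool fetching one expensive URL directly: never sends a Referer.
    [f'203.0.113.7 {SITE} "" "" "GET /search?q=x HTTP/1.1"'] * 10
    # Same tool, forging X-Forwarded-For to pose as a proxied user.
    + [f'203.0.113.9 {SITE} "192.0.2.99" "" "GET /search?q=x HTTP/1.1"'] * 10
    # Real user 192.0.2.5 behind our own proxy 10.0.0.1, browsing normally.
    + [f'10.0.0.1 {SITE} "192.0.2.5" "{ref}" "GET /next HTTP/1.1"' for ref in USER_REFERERS]
)

if __name__ == "__main__":
    for pair, v in detect(SAMPLE_LOG, 10, trusted_proxies={"10.0.0.1"}).items():
        print(pair, v)
```

Run with trusted_proxies set, both attacker batches are flagged by all four tests and the proxied user is cleared; run without it, the forged header moves the second attacker's verdict onto 192.0.2.99, which is exactly the address a naive blocker would then punish.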
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (for example, an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to a method flow). With the development of technology, however, many improvements to method flows today can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (PLD), such as a field programmable gate array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs the device to "integrate" a digital system onto a single PLD, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, instead of manually fabricating integrated circuit chips, this programming is nowadays mostly done with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled is written in a specific programming language called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art will also appreciate that a hardware circuit implementing the logical method flow can easily be obtained merely by applying a little logic programming to the method flow in one of the above hardware description languages and programming it into an integrated circuit.
A controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, a logic gate, a switch, an application-specific integrated circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory.
Those skilled in the art also know that, in addition to implementing the controller purely in computer-readable program code, the method steps can be logically programmed so that the controller achieves the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means included in it for realizing various functions may also be regarded as structures within the hardware component. Indeed, the means for realizing various functions may be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function.
For convenience of description, the above device is described in terms of units divided by function. Of course, when the application is implemented, the functions of the units may be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the application may be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the application, or the part of it that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium, such as a ROM/RAM, a magnetic disk or an optical disk, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in the embodiments of the application or in parts of the embodiments.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, they are described relatively simply, and the relevant parts may be found in the description of the method embodiments.
The application may be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices.
The application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
Although the application has been described by way of embodiments, those of ordinary skill in the art will appreciate that the application has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the application.

Claims (36)

1. A method for detecting a CC attack, characterized in that it comprises:
acquiring a predetermined number of access request records from a first source IP to a first target IP;
counting, among the acquired access request records, the number of access request records whose request-source page identifier is empty;
detecting a CC attack based on the counted number of access request records whose request-source page identifier is empty.
2. The method for detecting a CC attack according to claim 1, characterized in that acquiring a predetermined number of access request records from the first source IP to the first target IP specifically comprises:
acquiring, according to a real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP.
3. The method for detecting a CC attack according to claim 2, characterized in that the real-source-IP determination rule specifically comprises:
when the x-forward-for field of an access request record is empty, taking the IP address in the source IP field as the real source IP; when the x-forward-for field of the access request record is non-empty, determining the real source IP from the IP address in the x-forward-for field.
4. The method for detecting a CC attack according to claim 1, characterized in that detecting a CC attack based on the counted number of access request records whose request-source page identifier is empty specifically comprises:
setting a first detection threshold;
when the counted number of access request records whose request-source page identifier is empty is greater than or equal to the first detection threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
5. The method for detecting a CC attack according to claim 1, characterized in that detecting a CC attack based on the counted number of access request records whose request-source page identifier is empty specifically comprises:
setting a second detection threshold;
when the counted number of access request records whose request-source page identifier is empty is less than the second detection threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
6. The method for detecting a CC attack according to claim 1, characterized in that detecting a CC attack based on the counted number of access request records whose request-source page identifier is empty specifically comprises:
setting a first proportion threshold;
when the ratio of the counted number of access request records whose request-source page identifier is empty to the predetermined number is greater than or equal to the first proportion threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
7. The method for detecting a CC attack according to claim 1, characterized in that detecting a CC attack based on the counted number of access request records whose request-source page identifier is empty specifically comprises:
setting a second proportion threshold;
when the ratio of the counted number of access request records whose request-source page identifier is empty to the predetermined number is less than the second proportion threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
8. A method for detecting a CC attack, characterized in that it comprises:
monitoring a predetermined number of access requests from a first source IP to a first target IP;
counting the cumulative number of access requests, among the monitored access requests, whose request-source page identifier is empty;
detecting a CC attack based on the counted cumulative number of access requests whose request-source page identifier is empty.
9. The method for detecting a CC attack according to claim 8, characterized in that monitoring a predetermined number of access requests from the first source IP to the first target IP specifically comprises:
monitoring, according to a real-source-IP determination rule, a predetermined number of access requests from a first real source IP to the first target IP.
10. The method for detecting a CC attack according to claim 9, characterized in that the real-source-IP determination rule specifically comprises:
when the x-forward-for field of an access request is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request is non-empty, determining the real source IP from the IP address in the x-forward-for field.
11. The method for detecting a CC attack according to claim 8, characterized in that detecting a CC attack based on the counted cumulative number of access requests whose request-source page identifier is empty specifically comprises:
setting a third detection threshold;
when the counted cumulative number of access requests whose request-source page identifier is empty is greater than or equal to the third detection threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
12. The method for detecting a CC attack according to claim 8, characterized in that detecting a CC attack based on the counted cumulative number of access requests whose request-source page identifier is empty specifically comprises:
setting a fourth detection threshold;
when the counted cumulative number of access requests whose request-source page identifier is empty is less than the fourth detection threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
13. The method for detecting a CC attack according to claim 8, characterized in that detecting a CC attack based on the counted cumulative number of access requests whose request-source page identifier is empty specifically comprises:
setting a third proportion threshold;
when the ratio of the counted cumulative number of access requests whose request-source page identifier is empty to the predetermined number is greater than or equal to the third proportion threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
14. The method for detecting a CC attack according to claim 8, characterized in that detecting a CC attack based on the counted cumulative number of access requests whose request-source page identifier is empty specifically comprises:
setting a fourth proportion threshold;
when the ratio of the counted cumulative number of access requests whose request-source page identifier is empty to the predetermined number is less than the fourth proportion threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
15. A method for detecting a CC attack, characterized in that it comprises:
acquiring a predetermined number of access request records from a first source IP to a first target IP;
counting, among the acquired access request records, the number of access request records whose request-source page identifiers differ from one another;
detecting a CC attack based on the counted number of access request records with mutually different request-source page identifiers.
16. The method for detecting a CC attack according to claim 15, characterized in that acquiring a predetermined number of access request records from the first source IP to the first target IP specifically comprises:
acquiring, according to a real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP.
17. The method for detecting a CC attack according to claim 16, characterized in that the real-source-IP determination rule specifically comprises:
when the x-forward-for field of an access request record is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request record is non-empty, determining the real source IP from the IP address in the x-forward-for field.
18. The method for detecting a CC attack according to claim 15, characterized in that detecting a CC attack based on the counted number of access request records with mutually different request-source page identifiers specifically comprises:
setting a fifth detection threshold;
when the counted number of access request records with mutually different request-source page identifiers is less than the fifth detection threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
19. The method for detecting a CC attack according to claim 15, characterized in that detecting a CC attack based on the counted number of access request records with mutually different request-source page identifiers specifically comprises:
setting a sixth detection threshold;
when the counted number of access request records with mutually different request-source page identifiers is greater than or equal to the sixth detection threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
20. The method for detecting a CC attack according to claim 15, characterized in that detecting a CC attack based on the counted number of access request records with mutually different request-source page identifiers specifically comprises:
setting a fifth proportion threshold;
when the ratio of the counted number of access request records with mutually different request-source page identifiers to the predetermined number is less than the fifth proportion threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
21. The method for detecting a CC attack according to claim 15, characterized in that detecting a CC attack based on the counted number of access request records with mutually different request-source page identifiers specifically comprises:
setting a sixth proportion threshold;
when the ratio of the counted number of access request records with mutually different request-source page identifiers to the predetermined number is greater than or equal to the sixth proportion threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
22. A method for detecting a CC attack, characterized in that it comprises:
monitoring a predetermined number of access requests from a first source IP to a first target IP;
counting the cumulative number of access requests whose request-source page identifiers differ from one another;
detecting a CC attack based on the counted cumulative number of access requests with mutually different request-source page identifiers.
23. The method for detecting a CC attack according to claim 22, characterized in that monitoring a predetermined number of access requests from the first source IP to the first target IP specifically comprises:
monitoring, according to a real-source-IP determination rule, a predetermined number of access requests from a first real source IP to the first target IP.
24. The method for detecting a CC attack according to claim 23, characterized in that the real-source-IP determination rule specifically comprises:
when the x-forward-for field of an access request is empty, taking the IP address in the source IP field as the real source IP;
when the x-forward-for field of the access request is non-empty, determining the real source IP from the IP address in the x-forward-for field.
25. The method for detecting a CC attack according to claim 22, characterized in that detecting a CC attack based on the counted cumulative number of access requests with mutually different request-source page identifiers specifically comprises:
setting a seventh detection threshold;
when the counted cumulative number of access requests with mutually different request-source page identifiers is less than the seventh detection threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
26. The method for detecting a CC attack according to claim 22, characterized in that detecting a CC attack based on the counted cumulative number of access requests with mutually different request-source page identifiers specifically comprises:
setting an eighth detection threshold;
when the counted cumulative number of access requests with mutually different request-source page identifiers is greater than or equal to the eighth detection threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
27. The method for detecting a CC attack according to claim 22, characterized in that detecting a CC attack based on the counted cumulative number of access requests with mutually different request-source page identifiers specifically comprises:
setting a seventh proportion threshold;
when the ratio of the counted cumulative number of access requests with mutually different request-source page identifiers to the predetermined number is less than the seventh proportion threshold, determining that the access requests from the first source IP to the first target IP are a CC attack.
28. The method for detecting a CC attack according to claim 22, characterized in that detecting a CC attack based on the counted cumulative number of access requests with mutually different request-source page identifiers specifically comprises:
setting an eighth proportion threshold;
when the ratio of the counted cumulative number of access requests with mutually different request-source page identifiers to the predetermined number is greater than or equal to the eighth proportion threshold, determining that the access requests from the first source IP to the first target IP are not a CC attack.
29. A device for detecting a CC attack, characterized in that the device is a third-party device independent of the requesting end and the target server, and comprises an access request record acquiring unit, a first statistics unit, a first judging unit and a second judging unit, wherein:
the access request record acquiring unit is configured to acquire a predetermined number of access request records from a first source IP to a first target IP;
the first statistics unit is configured to count, among the acquired access request records, the number of access request records whose request-source page identifier is empty;
the first judging unit is configured to set a detection threshold; when the counted number of access request records whose request-source page identifier is empty is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack; when that number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack;
the second judging unit is configured to set a proportion threshold; when the ratio of the counted number of access request records whose request-source page identifier is empty to the predetermined number is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack; when that ratio is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack.
30. The device for detecting a CC attack according to claim 29, characterized in that the access request record acquiring unit specifically comprises:
a real-source-IP access request record acquisition module, configured to acquire, according to a real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP.
31. A device for detecting a CC attack, characterized in that the device is integrated into the target server as a module, and comprises a monitoring unit, a second statistics unit, a third judging unit and a fourth judging unit, wherein:
the monitoring unit is configured to monitor a predetermined number of access requests from a first source IP to a first target IP;
the second statistics unit is configured to count the cumulative number of access requests, among the monitored access requests, whose request-source page identifier is empty;
the third judging unit is configured to set a detection threshold; when the counted cumulative number of access requests whose request-source page identifier is empty is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack; when that cumulative number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack;
the fourth judging unit is configured to set a proportion threshold; when the ratio of the counted cumulative number of access requests whose request-source page identifier is empty to the predetermined number is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack; when that ratio is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack.
32. The device for detecting a CC attack according to claim 31, characterized in that the monitoring unit specifically comprises:
a real-source-IP access request monitoring module, configured to monitor, according to a real-source-IP determination rule, a predetermined number of access requests from a first real source IP to the first target IP.
33. A device for detecting a CC attack, characterized in that the device is a third-party device independent of the requesting end and the target server, and comprises an access request record acquiring unit, a third statistics unit, a fifth judging unit and a sixth judging unit, wherein:
the access request record acquiring unit is configured to acquire a predetermined number of access request records from a first source IP to a first target IP;
the third statistics unit is configured to count, among the acquired access request records, the number of access request records whose request-source page identifiers differ from one another;
the fifth judging unit is configured to set a detection threshold; when the counted number of access request records with mutually different request-source page identifiers is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack; when that number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack;
the sixth judging unit is configured to set a proportion threshold; when the ratio of the counted number of access request records with mutually different request-source page identifiers to the predetermined number is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack; when that ratio is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack.
34. The device for detecting a CC attack according to claim 33, characterized in that the access request record acquiring unit specifically comprises:
a real-source-IP access request record acquisition module, configured to acquire, according to a real-source-IP determination rule, a predetermined number of access request records from a first real source IP to the first target IP.
35. A device for detecting a CC attack, characterized in that the device is integrated into the target server as a module, and comprises a monitoring unit, a fourth statistics unit, a seventh judging unit and an eighth judging unit, wherein:
the monitoring unit is configured to monitor a predetermined number of access requests from a first source IP to a first target IP;
the fourth statistics unit is configured to count the cumulative number of access requests whose request-source page identifiers differ from one another;
the seventh judging unit is configured to set a detection threshold; when the counted cumulative number of access requests with mutually different request-source page identifiers is greater than or equal to the detection threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack; when that cumulative number is less than the detection threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack;
the eighth judging unit is configured to set a proportion threshold; when the ratio of the counted cumulative number of access requests with mutually different request-source page identifiers to the predetermined number is greater than or equal to the proportion threshold, it determines that the access requests from the first source IP to the first target IP are not a CC attack; when that ratio is less than the proportion threshold, it determines that the access requests from the first source IP to the first target IP are a CC attack.
36. a kind of equipment detecting CC attack as claimed in claim 35, it is characterised in that described monitoring unit specifically wraps Include:
Real source IP access request monitoring module, is used for really establishing rules then based on real source IP, and the first of monitoring predetermined number is true Actual source IP is to the access request of first object IP.
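The two device variants in claims 33 to 36 share one statistic (the number of mutually different request-source page identifiers in a window of a predetermined number of requests from one source IP to one target IP) and two decision rules (an absolute detection threshold and a proportion threshold). The following Python is an added illustration of both variants, not code from the patent or from the applicant: `detect_offline` works from stored records the way the third-party device of claim 33 does, and `InlineDetector` accumulates the count request by request the way the server-side module of claim 35 does. The record schema (`src`, `dst`, `referer`, optional `xff`), the sample traffic and the threshold values are constructed for the example, and `real_source_ip` is an assumed stand-in for the real-source-IP determination rule of claims 34 and 36, which the claims do not spell out.

```python
"""Distinct-referer CC detector modelled on claims 33 to 36 of CN105991511A.

Added illustration, not code from the patent or its applicant.
Assumed record schema: each access request record is a dict with keys
'src' (source IP), 'dst' (target IP), 'referer' (the request-source page
identifier, '' when the request carried none) and optionally 'xff'
(an X-Forwarded-For header). Thresholds are constructed values; the
patent leaves their choice to the operator.
"""
from collections import defaultdict
from typing import Iterable, Optional


def real_source_ip(record: dict) -> str:
    """Assumed real-source-IP rule for claims 34/36: prefer the first
    X-Forwarded-For hop when present. Honour that header only for records
    that came through your own proxy tier, since clients can forge it."""
    xff = record.get("xff", "")
    return xff.split(",")[0].strip() if xff else record["src"]


def distinct_referers(records: Iterable[dict]) -> int:
    """Third/fourth statistics unit: count mutually different request-source page identifiers."""
    return len({r["referer"] for r in records})


def judge(distinct: int, n: int, detection_threshold: int, proportion_threshold: float) -> dict:
    """Fifth to eighth determining units: flag an attack when the number of
    distinct request-source pages is small relative to the window."""
    return {
        "distinct": distinct,
        "cc_by_threshold": distinct < detection_threshold,   # 5th / 7th determining unit
        "cc_by_ratio": distinct / n < proportion_threshold,  # 6th / 8th determining unit
    }


def detect_offline(records, src, dst, n, detection_threshold, proportion_threshold) -> Optional[dict]:
    """Claim 33: a third-party device deciding from stored access request records."""
    window = [r for r in records if real_source_ip(r) == src and r["dst"] == dst][:n]
    if len(window) < n:
        return None  # fewer than the predetermined number of records: no verdict yet
    return judge(distinct_referers(window), n, detection_threshold, proportion_threshold)


class InlineDetector:
    """Claim 35: a module inside the destination server that accumulates the
    set of request-source pages per (source IP, target IP), decides once n
    requests have been observed, then starts a fresh window."""

    def __init__(self, n: int, detection_threshold: int, proportion_threshold: float):
        self.n = n
        self.det = detection_threshold
        self.prop = proportion_threshold
        self.count = defaultdict(int)
        self.pages = defaultdict(set)

    def observe(self, record: dict) -> Optional[dict]:
        key = (real_source_ip(record), record["dst"])
        self.count[key] += 1
        self.pages[key].add(record["referer"])
        if self.count[key] < self.n:
            return None
        verdict = judge(len(self.pages[key]), self.n, self.det, self.prop)
        del self.count[key], self.pages[key]
        return verdict


# Constructed sample traffic: a browsing user, a source that replays one
# request with no referer, and a source with too few requests to judge.
TARGET = "198.51.100.10"
SAMPLE_RECORDS = (
    [{"src": "10.0.0.5", "dst": TARGET, "referer": p}
     for p in ["/", "/", "/login", "/cart", "/checkout", "/"]]
    + [{"src": "203.0.113.7", "dst": TARGET, "referer": ""} for _ in range(6)]
    + [{"src": "192.0.2.9", "dst": TARGET, "referer": "/"} for _ in range(2)]
)


def demo(n: int = 6, detection_threshold: int = 3, proportion_threshold: float = 0.5) -> dict:
    """Run both detector styles over the sample; return verdicts per source IP."""
    offline = {
        src: detect_offline(SAMPLE_RECORDS, src, TARGET, n, detection_threshold, proportion_threshold)
        for src in ("10.0.0.5", "203.0.113.7", "192.0.2.9")
    }
    inline = InlineDetector(n, detection_threshold, proportion_threshold)
    online = {}
    for rec in SAMPLE_RECORDS:
        verdict = inline.observe(rec)
        if verdict is not None:
            online[rec["src"]] = verdict
    return {"offline": offline, "inline": online}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

With the constructed thresholds (window of 6, detection threshold 3, proportion threshold 0.5) the browsing user shows 4 distinct request-source pages and passes both tests, the replaying source shows 1 and fails both, and the source with only 2 requests gets no verdict in either mode. Whether an empty referer counts as one identifier is a deployment choice; this example counts it, so a flood that alternates between an empty and a single fixed referer still scores only 2.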
CN201510040959.2A 2015-01-27 2015-01-27 Method and device for detecting CC attack Pending CN105991511A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510040959.2A CN105991511A (en) 2015-01-27 2015-01-27 Method and device for detecting CC attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510040959.2A CN105991511A (en) 2015-01-27 2015-01-27 Method and device for detecting CC attack

Publications (1)

Publication Number Publication Date
CN105991511A true CN105991511A (en) 2016-10-05

Family

ID=57036350

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510040959.2A Pending CN105991511A (en) 2015-01-27 2015-01-27 Method and device for detecting CC attack

Country Status (1)

Country Link
CN (1) CN105991511A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107743113A (en) * 2016-11-23 2018-02-27 腾讯科技(深圳)有限公司 A kind of detection method and system of website attack
CN108632050A (en) * 2017-03-15 2018-10-09 阿里巴巴集团控股有限公司 A kind of method and apparatus of record web log
CN108650274A (en) * 2018-05-21 2018-10-12 中国科学院计算机网络信息中心 A kind of network inbreak detection method and system
CN110535857A (en) * 2019-08-29 2019-12-03 中国工商银行股份有限公司 The method and apparatus of protecting network attack
US10505974B2 (en) 2016-07-22 2019-12-10 Alibaba Group Holding Limited Network attack defense system and method
US10715546B2 (en) 2016-11-23 2020-07-14 Tencent Technology (Shenzhen) Company Limited Website attack detection and protection method and system
CN113760664A (en) * 2021-09-10 2021-12-07 哈尔滨工业大学 Two-stage threshold attack detection method, computer and storage medium
US11323453B2 (en) 2018-08-23 2022-05-03 Alibaba Group Holding Limited Data processing method, device, access control system, and storage media
CN116760649A (en) * 2023-08-23 2023-09-15 智联信通科技股份有限公司 Data security protection and early warning method based on big data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320567A1 (en) * 2007-06-20 2008-12-25 Imperva, Inc. System and method for preventing web frauds committed using client-scripting attacks
CN102281298A (en) * 2011-08-10 2011-12-14 深信服网络科技(深圳)有限公司 Method and device for detecting and defending challenge collapsar (CC) attack
CN103179132A (en) * 2013-04-09 2013-06-26 中国信息安全测评中心 Method and device for detecting and defending CC (challenge collapsar)
CN104092665A (en) * 2014-06-19 2014-10-08 小米科技有限责任公司 Access request filtering method, device and facility
CN104113525A (en) * 2014-05-23 2014-10-22 中国电子技术标准化研究院 Method and apparatus for defending resource consumption type Web attacks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
肖军 (Xiao Jun) et al.: "Application-layer distributed denial-of-service attack filtering based on a session anomaly degree model", Chinese Journal of Computers (《计算机学报》) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10505974B2 (en) 2016-07-22 2019-12-10 Alibaba Group Holding Limited Network attack defense system and method
US11184387B2 (en) 2016-07-22 2021-11-23 Alibaba Group Holding Limited Network attack defense system and method
CN107743113A (en) * 2016-11-23 2018-02-27 腾讯科技(深圳)有限公司 A kind of detection method and system of website attack
US10715546B2 (en) 2016-11-23 2020-07-14 Tencent Technology (Shenzhen) Company Limited Website attack detection and protection method and system
CN108632050A (en) * 2017-03-15 2018-10-09 阿里巴巴集团控股有限公司 A kind of method and apparatus of record web log
CN108632050B (en) * 2017-03-15 2021-03-02 阿里巴巴集团控股有限公司 Method and device for recording website access log
CN108650274A (en) * 2018-05-21 2018-10-12 中国科学院计算机网络信息中心 A kind of network inbreak detection method and system
CN108650274B (en) * 2018-05-21 2021-07-27 中国科学院计算机网络信息中心 Network intrusion detection method and system
US11323453B2 (en) 2018-08-23 2022-05-03 Alibaba Group Holding Limited Data processing method, device, access control system, and storage media
CN110535857A (en) * 2019-08-29 2019-12-03 中国工商银行股份有限公司 The method and apparatus of protecting network attack
CN110535857B (en) * 2019-08-29 2022-07-22 中国工商银行股份有限公司 Method and device for protecting network attack
CN113760664A (en) * 2021-09-10 2021-12-07 哈尔滨工业大学 Two-stage threshold attack detection method, computer and storage medium
CN116760649A (en) * 2023-08-23 2023-09-15 智联信通科技股份有限公司 Data security protection and early warning method based on big data
CN116760649B (en) * 2023-08-23 2023-10-24 智联信通科技股份有限公司 Data security protection and early warning method based on big data

Similar Documents

Publication Publication Date Title
CN105991511A (en) Method and device for detecting CC attack
CN104391979B (en) Network malice reptile recognition methods and device
CN108304410A (en) A kind of detection method, device and the data analysing method of the abnormal access page
KR20140101697A (en) Automatic detection of fraudulent ratings/comments related to an application store
CN104143008B (en) The method and device of fishing webpage is detected based on picture match
CN102739653B (en) Detection method and device aiming at webpage address
CN108334774A (en) A kind of method, first server and the second server of detection attack
CN107403251A (en) Risk checking method and device
CN103530336B (en) The identification equipment and method of Invalid parameter in uniform resource position mark URL
CN105868256A (en) Method and system for processing user behavior data
CN110474900B (en) Game protocol testing method and device
CN109981415A (en) Condition judgement method, electronic equipment, system and medium
CN103701779B (en) Method and device for accessing website for second time and firewall equipment
CN106534062A (en) Crawler prevention method
CN103530337B (en) Identify the device and method of Invalid parameter in uniform resource position mark URL
CN104156487B (en) Web data statistical method and device
CN105681124B (en) A kind of wire-speed detection method and device
CN105578434B (en) A kind of method and server detecting pseudo-base station motion profile
US11314795B2 (en) User navigation in a target portal
CN104468459B (en) A kind of leak detection method and device
CN103581321B (en) A kind of creation method of refer chains, device and safety detection method and client
CN107018039B (en) Method and device for testing performance bottleneck of server cluster
CN109450853B (en) Malicious website determination method and device, terminal and server
CN107026854A (en) Validating vulnerability method and device
CN109361674A (en) Bypass stream data detection method, device and the electronic equipment of access

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161005