CN106656912A - Method and device for detecting denial of service attack - Google Patents


Info

Publication number: CN106656912A
Application number: CN201510715982.7A
Authority: CN (China)
Prior art keywords: server, access request, time period, request message, resource access
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN106656912B (en)
Inventor: 蒋武
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Legal events
Application filed by Huawei Technologies Co Ltd
Priority to CN201510715982.7A
Publication of CN106656912A
Application granted
Publication of CN106656912B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a method and device for detecting a denial of service attack. It relates to the field of communications and is used to solve the technical problem in the prior art that detection of denial of service attacks is not accurate enough. The method includes the following steps: a gateway device receives a response message, based on an application layer protocol, sent by a server; the response message responds to a resource access request message, based on the application layer protocol, from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server; feature information of the response message is obtained; and whether the server is under a denial of service attack is determined according to the feature information. The method is used for detecting denial of service attacks.

Description

Method and device for detecting a denial of service attack
Technical field
The present application relates to the field of communications, and in particular to a method and device for detecting a denial of service attack.
Background art
A denial of service (DoS) attack is an attack in which an attacker sends a server a large number of connection requests, such as Internet Control Message Protocol (ICMP) messages, synchronize (SYN) packets or User Datagram Protocol (UDP) datagrams, so that the server is kept busy processing this surge of requests and can no longer respond normally to the requests of legitimate users, ultimately causing the server to go down.
More seriously, an attacker may break into a number of hosts and use them as master hosts: the attacker installs a specific program on the master hosts so that they can receive special instructions from the attacker and relay those commands to other infected hosts. In other words, the attacker uses the master hosts as a springboard to control an attack network made up of a large number of infected, controlled hosts and uses that network to launch a large-scale DoS attack against the server. Such an attack is called a distributed denial of service (DDoS) attack. It tends to amplify the effect that a single attacker could achieve, causing a serious impact on the server and also heavy congestion in the network.
In the prior art, whether a server is under a denial of service attack is generally determined by traffic anomaly detection or packet-rate anomaly detection. Specifically, a traffic threshold or a packet-rate threshold is set for the server; when the current traffic of the server is detected to exceed the traffic threshold, or its current packet rate is detected to exceed the packet-rate threshold, the server is considered to be under a denial of service attack. However, under a low-volume denial of service attack, the traffic and packet rate of the server do not change much in a short time, so traffic anomaly detection and packet-rate anomaly detection cannot accurately detect a low-volume denial of service attack and are prone to false negatives. In addition, for some normal requests from legitimate users, for example proxy requests or requests passing through Network Address Translation (NAT), the traffic and packet rate may also be very large in a short time, in which case traffic anomaly detection and packet-rate anomaly detection are prone to false positives. It follows that the prior art does not detect denial of service attacks accurately enough.
Summary of the invention
The purpose of the present application is to provide a method and device for detecting a denial of service attack, so as to solve the technical problem that detection of denial of service attacks in the prior art is not accurate enough.
To achieve the above object, the embodiments of the present application adopt the following technical solutions:
In a first aspect, a method for detecting a denial of service attack is provided, including:
a gateway device receives a response message, based on an application layer protocol, sent by a server; the response message is used to respond to a resource access request message, based on the application layer protocol, from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server;
obtaining feature information of the response message;
determining, according to the feature information, whether the server is under a denial of service attack.
With the above solution, the gateway device determines whether the server is under a denial of service attack based on the quality of service at the application layer. It should be noted that the feature information of the application-layer response message sent by the server reflects the quality of service of the application layer; examples are the response time of the server to resource access request messages that access the same URL, or the request failure messages received from the server within a preset time period. When a server is under a denial of service attack, the quality of service of its application layer necessarily changes, and the correlation between the denial of service attack suffered by the server and the quality of service of the application layer is stronger than the correlation between that attack and the traffic of the transport layer or network layer. Therefore, compared with the prior art, which determines whether a server is under a denial of service attack from traffic detection at the transport layer, the present application, which makes that determination from the quality of service of the application layer, improves the accuracy with which denial of service attacks are detected.
In a first possible implementation of the first aspect, the feature information is response time;
obtaining the feature information of the response message includes:
determining and recording, within a preset time period, the response time of the server in responding to resource access request messages that access the same URL;
determining, according to the feature information, whether the server is under a denial of service attack includes:
determining the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds a first duration threshold;
if the number is not less than a first threshold, determining that the server is under a denial of service attack.
It should be noted that when a server is under a denial of service attack, its response time to the resource access request messages of the attacking clients accessing a URL necessarily increases rapidly. With the above solution, when the gateway device determines that, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold is not less than the first threshold, it can determine that the server is under a denial of service attack. The initial setting of the first duration threshold is made in a scenario in which the server is guaranteed not to be under a denial of service attack, and the first threshold can be configured in advance according to the actual application. The prior art judges whether a server is under a denial of service attack by detecting its total traffic or packet sending rate, but when a server is under such an attack its total traffic or packet sending rate does not necessarily increase rapidly; the above solution therefore improves the accuracy with which denial of service attacks are detected.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, determining, within the preset time period, the response time of the server in responding to resource access request messages accessing the same URL includes:
within the preset time period, for every resource access request message accessing the same URL, performing:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message, sent by the server in response to the resource access request message, is received;
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
The above solution provides one implementation by which the gateway device determines the response time: the gateway device itself records the first moment and the second moment and obtains the response time by calculation. Alternatively, in another implementation, the server records the moment at which it receives the resource access request message and carries, in the response message to that request, both the moment at which it received the resource access request message and the moment at which it sends the response message; in that way, after receiving the response message, the gateway device can also calculate the response time from the moment at which the server received the resource access request message and the moment at which it sent the response message.
With reference to any one of the first aspect to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap one another;
determining and recording, within the preset time period, the response time of the server in responding to every resource access request message accessing the same URL further includes:
for every resource access request message accessing the same URL, the gateway device recording a correspondence between the moment at which the resource access request message was received and the response time of the server in responding to that resource access request message;
determining the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds the first duration threshold includes:
for each sub-time period included in the preset time period, performing:
looking up, in a pre-stored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment of receiving a resource access request message and its response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
summing the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and taking the result of the summation as the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds the first duration threshold.
The above solution indicates that the second duration thresholds corresponding to different sub-time periods may differ. The technical effect this achieves is illustrated by the following example. Suppose that, when the server is not under a denial of service attack, the frequency with which clients send the server resource access request messages accessing the same URL rises successively over the three morning periods 9:00-10:00, 10:00-11:00 and 11:00-12:00. In this case the initially set preset time period may be 9:00-12:00, comprising the three sub-time periods 9:00-10:00, 10:00-11:00 and 11:00-12:00, with the second duration threshold corresponding to 9:00-10:00 smaller than that corresponding to 10:00-11:00, and the second duration threshold corresponding to 10:00-11:00 smaller than that corresponding to 11:00-12:00. Compared with setting an equal second duration threshold for the three sub-time periods, this solution sets the second duration threshold of each sub-time period separately, based on the different access behaviour of clients towards the same URL in the different sub-time periods, and so reflects more accurately how clients actually access the URL.
With reference to any one of the first aspect to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
if the number is less than the first threshold, for each sub-time period included in the preset time period, performing:
calculating, according to the recorded correspondence between the moment of receiving a resource access request message and its response time, the mean value of the response times of all resource access request messages received within the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
That is, when the number is less than the first threshold, the gateway device considers that the server is not under a denial of service attack, and in that case it can use the response times recorded within the preset time period to adjust the second duration threshold of each sub-time period, and with them the first duration threshold that these jointly implement. In other words, the duration thresholds, once initially set, are not held constant but are dynamically adjusted while denial of service attacks are being detected, so that they are set more reasonably.
With reference to any one of the first aspect to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period;
obtaining the feature information of the response message includes:
counting, within the preset time period, the number of request failure messages received from the server;
determining, according to the feature information, whether the server is under a denial of service attack includes:
if the number is not less than a second threshold, determining that the server is under a denial of service attack.
It should be noted that when a server is under a denial of service attack, it is busy processing the surge of requests and cannot respond normally to the resource access request messages sent by legitimate users; in this case the number of application-layer request failure messages sent by the server necessarily increases rapidly. The prior art judges whether a server is under a denial of service attack by detecting its total traffic or packet sending rate, but when a server is under such an attack its total traffic or packet sending rate does not necessarily increase rapidly; the above solution therefore improves the accuracy with which denial of service attacks are detected.
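The response-time check with per-sub-period thresholds, the threshold adjustment when no attack is found, and the request-failure count described in the five implementations above, written out as one added example. This is illustrative code written for this page, not code from the patent or from Huawei. It assumes a hypothetical per-request record kept by the gateway (URL, first and second moments as integer milliseconds, and whether the response was a request failure), and, because the text does not say how the mean is applied, it re-sets a sub-period's second duration threshold to a fixed margin times the mean response time observed in it; that margin is an assumption. The sub-periods and sample traffic are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List


@dataclass(frozen=True)
class Observation:
    """One resource access request as seen by the gateway (hypothetical record format)."""
    url: str
    t_recv_ms: int        # first moment: gateway received the client's request
    t_resp_ms: int        # second moment: gateway received the server's response
    failed: bool = False  # the response is an application-layer request-failure message

    @property
    def response_time_ms(self) -> int:
        return self.t_resp_ms - self.t_recv_ms


@dataclass
class SubPeriod:
    """Sub-time period [start_ms, end_ms) with its own second duration threshold."""
    start_ms: int
    end_ms: int
    threshold_ms: float

    def contains(self, t_ms: int) -> bool:
        return self.start_ms <= t_ms < self.end_ms


class GatewayDosDetector:
    def __init__(self, sub_periods: List[SubPeriod], first_threshold: int,
                 second_threshold: int, margin: float = 2.0) -> None:
        # sub_periods are ordered and non-overlapping; together they form the preset period.
        self.sub_periods = sub_periods
        self.first_threshold = first_threshold    # slow-request count that signals an attack
        self.second_threshold = second_threshold  # failure-message count that signals an attack
        self.margin = margin                      # assumption: new threshold = margin * mean RT

    def count_slow_requests(self, url: str, obs: List[Observation]) -> int:
        """Requests for `url` slower than the threshold of the sub-period they arrived in,
        summed over sub-periods: the count 'exceeding the first duration threshold'."""
        return sum(
            1 for sp in self.sub_periods for o in obs
            if o.url == url and sp.contains(o.t_recv_ms) and o.response_time_ms > sp.threshold_ms
        )

    def adjust_thresholds(self, obs: List[Observation]) -> List[float]:
        """Re-derive each sub-period threshold from the mean response time of all requests
        received in it. Called only when no attack was found, so thresholds track normal load."""
        for sp in self.sub_periods:
            rts = [o.response_time_ms for o in obs if sp.contains(o.t_recv_ms)]
            if rts:
                sp.threshold_ms = self.margin * mean(rts)
        return [sp.threshold_ms for sp in self.sub_periods]

    def detect_by_response_time(self, url: str, obs: List[Observation]) -> bool:
        if self.count_slow_requests(url, obs) >= self.first_threshold:
            return True
        self.adjust_thresholds(obs)
        return False

    def count_failures(self, obs: List[Observation]) -> int:
        """Request-failure messages received from the server within the preset period."""
        lo, hi = self.sub_periods[0].start_ms, self.sub_periods[-1].end_ms
        return sum(1 for o in obs if o.failed and lo <= o.t_resp_ms < hi)

    def detect_by_failures(self, obs: List[Observation]) -> bool:
        return self.count_failures(obs) >= self.second_threshold


def make_sub_periods() -> List[SubPeriod]:
    # Constructed: a 3-minute preset period in three 1-minute sub-periods whose initial
    # thresholds rise, mirroring the 9:00-12:00 example in the text.
    return [SubPeriod(0, 60_000, 500), SubPeriod(60_000, 120_000, 800),
            SubPeriod(120_000, 180_000, 1000)]


# Constructed sample traffic: normal load, then a low-volume application-layer attack.
BASELINE = [
    Observation("/index", 5_000, 5_200), Observation("/index", 10_000, 10_300),
    Observation("/index", 20_000, 20_400), Observation("/index", 65_000, 65_500),
    Observation("/index", 70_000, 70_700), Observation("/index", 80_000, 80_600),
    Observation("/index", 125_000, 125_800), Observation("/index", 130_000, 131_200),
    Observation("/index", 140_000, 140_700),
]
ATTACK = [
    Observation("/index", 5_000, 5_200), Observation("/index", 10_000, 10_900),
    Observation("/index", 20_000, 20_300), Observation("/index", 65_000, 65_700),
    Observation("/index", 70_000, 71_000, failed=True),
    Observation("/index", 80_000, 81_500, failed=True),
    Observation("/index", 125_000, 125_500),
    Observation("/index", 130_000, 131_200, failed=True),
    Observation("/index", 140_000, 142_000, failed=True),
    Observation("/other", 150_000, 152_500),  # another URL: never counted for /index
]

if __name__ == "__main__":
    d = GatewayDosDetector(make_sub_periods(), first_threshold=4, second_threshold=3)
    print("baseline attacked:", d.detect_by_response_time("/index", BASELINE),
          "thresholds now:", [sp.threshold_ms for sp in d.sub_periods])
    d = GatewayDosDetector(make_sub_periods(), first_threshold=4, second_threshold=3)
    print("attack by response time:", d.detect_by_response_time("/index", ATTACK),
          "by failures:", d.detect_by_failures(ATTACK))
```

On the baseline traffic only one request exceeds its sub-period threshold, so no attack is declared and the thresholds are re-derived from the observed means; on the attack traffic five requests for the same URL are slow and four responses are failures, so both checks fire even though the request volume is small, which is the low-volume case the text says traffic thresholds miss. Adjusting thresholds only after a negative verdict matters: adjusting during an attack would let the attacker train the detector to accept slow responses as normal.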
In a possible embodiment of the present application, after determining that the server is under a denial of service attack, the gateway device sends a close-service message to the server; the close-service message instructs the server to close its connections with clients, so that the server does not continue to suffer the denial of service attack.
Further, the gateway device receives a resource access request message sent by a client, the resource access request message including an identifier of the client; when the gateway device determines, according to the identifier of the client, that the client is not in a white list, it sends a verification indication message to the client; the gateway device receives a verification request message sent by the client according to the verification indication message and, after the verification succeeds, adds the client to the white list.
It should be noted that, after receiving the close-service message sent by the gateway device, the server may migrate the resource corresponding to the original URL to another URL. Therefore, further, after adding the client to the white list, the gateway device sends the client a redirection message that includes the other URL; after receiving a resource access request message from the client carrying the other URL, the gateway device sends the resource access request message to the server if it determines that the client is in the white list.
In this way, after determining that the server is under a denial of service attack, the gateway device verifies the clients that request access to the server and forwards to the server only the resource access request messages sent by verified clients in the white list, avoiding any denial of service attack that unverified clients might carry out against the server.
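The close-service, verification, white-list and redirection exchange described in the four paragraphs above, as an added example of the gateway side of that protocol; it is illustrative code written for this page, not the patent's or Huawei's. The text does not say how a client is verified, so the check here is a hypothetical nonce echo: the gateway puts a random nonce in the verification indication and the client must return it in its verification request. Client identifiers, URLs and message names are assumptions as well.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Message:
    """A message emitted by the gateway; `to` is 'server', 'client' or 'drop'."""
    to: str
    kind: str
    body: Dict[str, str] = field(default_factory=dict)


class ProtectingGateway:
    def __init__(self) -> None:
        self.under_attack = False
        self.whitelist: Set[str] = set()
        self.pending: Dict[str, Tuple[str, str]] = {}  # client id -> (nonce, requested URL)
        self.relocated: Dict[str, str] = {}           # original URL -> URL the server moved it to

    def on_attack_detected(self) -> Message:
        """Instruct the server to close its client connections (the close-service message)."""
        self.under_attack = True
        return Message("server", "close_service")

    def on_resource_relocated(self, old_url: str, new_url: str) -> None:
        """The server reports that the resource at old_url is now served at new_url."""
        self.relocated[old_url] = new_url

    def handle_resource_request(self, client_id: str, url: str) -> Message:
        if not self.under_attack:
            return Message("server", "resource_request", {"client": client_id, "url": url})
        if client_id not in self.whitelist:
            # Unverified client: challenge it instead of forwarding anything to the server.
            nonce = secrets.token_hex(16)
            self.pending[client_id] = (nonce, url)
            return Message("client", "verify_indication", {"nonce": nonce})
        if url in self.relocated:
            # Verified client still using the old URL: point it at the relocated one.
            return Message("client", "redirect", {"url": self.relocated[url]})
        return Message("server", "resource_request", {"client": client_id, "url": url})

    def handle_verification_request(self, client_id: str, answer: str) -> Message:
        pending = self.pending.pop(client_id, None)  # one attempt per challenge, no replay
        if pending is None or not secrets.compare_digest(pending[0], answer):
            return Message("drop", "verification_failed")
        _, url = pending
        self.whitelist.add(client_id)
        return Message("client", "redirect", {"url": self.relocated.get(url, url)})


def run_exchange() -> List[str]:
    """Constructed walk-through; returns the kind (or destination) of each gateway message."""
    gw = ProtectingGateway()
    out = [gw.on_attack_detected().kind]                  # close_service -> server
    gw.on_resource_relocated("/index", "/index-2")        # server moved the resource
    challenge = gw.handle_resource_request("c1", "/index")
    out.append(challenge.kind)                            # verify_indication -> c1
    out.append(gw.handle_verification_request("c1", challenge.body["nonce"]).kind)  # redirect
    out.append(gw.handle_resource_request("c1", "/index-2").to)  # forwarded: server
    out.append(gw.handle_resource_request("c2", "/index-2").kind)  # unverified: challenged
    return out
```

Two details carry the security value of the scheme: a request from a client that is not in the white list never reaches the server while the attack flag is set, and a challenge is consumed on its first answer, so a client that fails or that replays an old nonce is simply challenged again rather than admitted.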
In a second aspect, a gateway device is provided, including:
a receiving unit, configured to receive a response message, based on an application layer protocol, sent by a server; the response message is used to respond to a resource access request message, based on the application layer protocol, from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server;
an acquiring unit, configured to obtain feature information of the response message received by the receiving unit;
a determining unit, configured to determine, according to the feature information obtained by the acquiring unit, whether the server is under a denial of service attack.
In a first possible implementation of the second aspect, the feature information is response time;
the acquiring unit is specifically configured to determine and record, within a preset time period, the response time of the server in responding to resource access request messages accessing the same URL;
the determining unit is specifically configured to determine the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds a first duration threshold, and to determine that the server is under a denial of service attack when the number is not less than a first threshold.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the acquiring unit is specifically configured to perform, within the preset time period, for every resource access request message accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message, sent by the server in response to the resource access request message, is received;
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
With reference to any one of the second aspect to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap one another;
the acquiring unit is specifically configured to record, for every resource access request message accessing the same URL, a correspondence between the moment at which the gateway device received the resource access request message and the response time of the server in responding to that resource access request message;
the determining unit is specifically configured to perform, for each sub-time period included in the preset time period:
looking up, in a pre-stored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment of receiving a resource access request message and its response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
the determining unit is further configured to sum the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and to take the result of the summation as the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds the first duration threshold.
With reference to any one of the second aspect to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the gateway device further includes an adjusting unit, configured to perform, when the number is less than the first threshold, for each sub-time period included in the preset time period:
calculating, according to the recorded correspondence between the moment of receiving a resource access request message and its response time, the mean value of the response times of all resource access request messages received within the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
With reference to any one of the second aspect to the fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period;
the acquiring unit is specifically configured to count, within the preset time period, the number of request failure messages received from the server;
the determining unit is specifically configured to determine that the server is under a denial of service attack when the number is not less than a second threshold.
The above division of the gateway device into units is only one division by logical function; other divisions are possible in actual implementation, and the present application does not limit the specific physical implementation of each unit. For example, in a specific implementation the receiving unit may be a receiver, the acquiring unit may be an arithmetic unit and the determining unit may be a central processing unit; other implementations that a person skilled in the art can conceive by reasonable analysis and deduction also fall within the scope of protection of the present application.
In a third aspect, another gateway device is provided, including a processor, a memory, a transmitter, a receiver and a communication bus, where the processor, the memory, the transmitter and the receiver communicate with one another through the communication bus;
the memory is configured to store program code;
the processor calls the program code stored in the memory to:
receive a response message, based on an application layer protocol, sent by a server; the response message is used to respond to a resource access request message, based on the application layer protocol, from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server;
obtain feature information of the response message;
determine, according to the feature information, whether the server is under a denial of service attack.
In a first possible implementation of the third aspect, the feature information is response time, and the processor calls the program code stored in the memory further to:
determine and record, within a preset time period, the response time of the server in responding to resource access request messages accessing the same URL;
determine the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds a first duration threshold;
if the number is not less than a first threshold, determine that the server is under a denial of service attack.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the processor calls the program code stored in the memory further to:
within the preset time period, for every resource access request message accessing the same URL, perform:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message, sent by the server in response to the resource access request message, is received;
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
With reference to any one of the third aspect to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap one another, and the processor calls the program code stored in the memory further to:
for every resource access request message accessing the same URL, record a correspondence between the moment at which the gateway device received the resource access request message and the response time of the server in responding to that resource access request message;
for each sub-time period included in the preset time period, perform:
looking up, in a pre-stored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment of receiving a resource access request message and its response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
summing the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and taking the result of the summation as the number of resource access request messages accessing the same URL, within the preset time period, whose response time exceeds the first duration threshold.
With reference to any one of the third aspect to the third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the processor calls the program code stored in the memory further to:
if the number is less than the first threshold, for each sub-time period included in the preset time period, perform:
calculating, according to the recorded correspondence between the moment of receiving a resource access request message and its response time, the mean value of the response times of all resource access request messages received within the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
With reference to any one of the third aspect to the fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period; the processor calls the program code stored in the memory further to:
count, within the preset time period, the number of request failure messages received from the server;
if the number is not less than a second threshold, determine that the server is under a denial of service attack.
Description of the drawings
To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Apparently, the drawings in the following description show only some embodiments of the present application, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a network system architecture provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of the network system architecture shown in Fig. 1 under a denial of service attack;
Fig. 3 is one example of a method for detecting a denial of service attack provided by an embodiment of the present application;
Fig. 4 is a schematic diagram of the information exchange when a client accesses a server, provided by an embodiment of the present application;
Fig. 5 is a schematic flowchart of a method for setting the first duration threshold, provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of the first duration threshold provided by an embodiment of the present application;
Fig. 7 is an example of denial of service attack detection based on the first duration threshold shown in Fig. 6;
Fig. 8 is another example of a method for detecting a denial of service attack provided by an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a gateway device provided by an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another gateway device provided by an embodiment of the present application.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings of the embodiments. Apparently, the described embodiments are some rather than all of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
First, the following embodiments of the present application can be applied to a network system architecture in which a client accesses a server through a gateway device. The client may be a terminal device such as a notebook computer, a tablet computer or a smartphone; the server may be a server that provides network services, such as a website (Web) server or a File Transfer Protocol (FTP) server. The gateway device is matched to the type of server. For example, as shown in Fig. 1, the clients in the network system architecture specifically include a notebook computer 11, a tablet computer 12, a desktop computer 13 and a smartphone 14, and the architecture further includes a Web server 16 and a gateway device 15 paired with the Web server. Any client can send a resource access request message to the gateway device; the message carries a Uniform Resource Locator (URL), and the gateway device forwards the message to the server, so that the client accesses the resource provided by the server.
An embodiment of the present application provides a method for detecting a denial of service attack that can improve the accuracy of such detection. To make the technical effect of this solution easier for those skilled in the art to understand, distributed denial of service attacks are briefly introduced first:
Fig. 2 shows the network system architecture of Fig. 1 under a distributed denial of service attack. The attacker shown in Fig. 2 controls, through master hosts, the notebook computer 11, tablet computer 12, desktop computer 13 and smartphone 14 as attack puppets and makes them send a large number of request messages to the server 16. These fill the buffer in which the server 16 receives request messages, so that the server 16 cannot receive the request messages sent by normal clients and cannot provide normal service.
An example of the method for detecting a denial of service attack provided by an embodiment of the present application is shown in Fig. 3. The method includes:
S301. A gateway device receives a response message, based on an application layer protocol, sent by a server.
The response message responds to a resource access request message, based on the application layer protocol, that comes from a client; the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server.
S302. The gateway device obtains characteristic information of the response message.
S303. The gateway device determines, according to the characteristic information, whether the server is under a denial of service attack.
With this solution, the gateway device decides whether the server is under a denial of service attack on the basis of application layer service quality. The characteristic information of the application-layer response message sent by the server reflects the service quality of the application layer; for example, it may be the server's response time to resource access request messages accessing the same URL, or the number of request failure messages from the server within a preset time period. When a server is under a denial of service attack, its application layer service quality necessarily changes, and the correlation between the attack and the application layer service quality is stronger than the correlation between the attack and transport layer or network layer traffic. Therefore, compared with the prior art, which determines whether a server is under attack by detecting transport layer traffic, determining this from application layer service quality improves the accuracy of denial of service attack detection.
The method for detecting a denial of service attack provided by the embodiment is described in detail below, taking as an example the case where the characteristic information is the server's response time to resource access request messages accessing the same URL.
Specifically, the gateway device determines and records, within a preset time period, the response time with which the server responds to resource access request messages accessing the same URL; the gateway device further determines the number of such messages within the preset time period whose response time exceeds a first duration threshold, and if this number is not less than a first threshold, determines that the server is under a denial of service attack.
The resource access request messages accessing the same URL may come from different clients.
It should be noted that the above application-layer resource access request message may be a Hypertext Transfer Protocol (HTTP) GET message, and the application-layer response message may be a 200 OK, indicating that the server successfully returned the resource. As shown in Fig. 4, for multiple clients, client 1 to client N, where N is a positive integer greater than 1, each client can send an HTTP GET message to the server through the gateway device, and the server sends the client a 200 OK responding to that HTTP GET message.
When a server is under a denial of service attack, its response time to the resource access request messages with which the attacking clients access the URL will necessarily increase rapidly, whereas the server's total traffic or packet rate does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether a denial of service attack is under way from the server's total traffic or packet rate, this solution improves detection accuracy.
Illustratively, the method by which the gateway device initially sets the first duration threshold is shown in Fig. 5 and includes:
S501. The gateway device receives an HTTP GET message carrying a URL sent by a client, and records a first moment at which the HTTP GET message is received.
S502. The gateway device sends the HTTP GET message to the server.
S503. The gateway device receives the 200 OK sent by the server in response to the HTTP GET message, and records a second moment at which the 200 OK is received.
S504. The gateway device takes the duration between the first moment and the second moment as the response time of this client access to the URL.
S505. The gateway device determines the response time of each client access to the URL within a preset time period.
Specifically, the gateway device repeats steps S501 to S504 within the preset time period to obtain the response time of each access to the URL.
S506. The gateway device divides the preset time period into at least two consecutive, non-overlapping sub-time periods and performs step S507 for each sub-time period.
The durations of the sub-time periods may be the same or different; this is not limited in the present application.
S507. The gateway device calculates, within the sub-time period, the mean value of the server's response times to all HTTP GET messages accessing the URL, and takes the mean value as the second duration threshold corresponding to the sub-time period.
Illustratively, if the preset time period includes m sub-time periods, m being a positive integer greater than 1, the gateway device records the response time of each client access to the URL within the first sub-time period and calculates the mean of these response times. For example, if within the first sub-time period the URL is accessed n times, n being a positive integer greater than 0, with response times t1, t2, t3, ..., tn, the mean response time for accessing the URL in the first sub-time period is (t1 + t2 + t3 + ... + tn)/n, and this mean is taken as the second duration threshold corresponding to the first sub-time period. By analogy, the second duration threshold corresponding to each sub-time period included in the preset time period is obtained.
Alternatively, in step S507, the gateway device may multiply the mean response time of each sub-time period by a coefficient and use the product as the second duration threshold corresponding to that sub-time period. The value of the coefficient can be configured according to the network delay in the actual deployment, to avoid false alarms caused by response times that grow because of network delay.
It is worth noting that the gateway device can run the learning process for the first duration threshold, i.e. steps S501 to S507, in a scenario where the server is guaranteed not to be under a denial of service attack. For example, a user can start the gateway device in the network for the first time after confirming that there is no denial of service attack in the current network, and monitor in real time while the gateway device runs the learning process, to ensure that the gateway device is not under a denial of service attack while it initially sets the first duration threshold.
The above solution means that the second duration thresholds corresponding to different sub-time periods may differ. The technical effect is illustrated below: suppose that, with the server not under a denial of service attack, the frequency with which clients send resource access request messages for the same URL to the server rises successively over the three morning periods 9:00~10:00, 10:00~11:00 and 11:00~12:00. In this case, the initially set preset time period may be 9:00~12:00, which includes the three sub-time periods 9:00~10:00, 10:00~11:00 and 11:00~12:00, and the second duration threshold corresponding to sub-time period 9:00~10:00 is less than that corresponding to 10:00~11:00, which in turn is less than that corresponding to 11:00~12:00. Compared with setting an equal second duration threshold for the three sub-time periods, setting a separate second duration threshold for each sub-time period, based on how differently clients access the same URL in each sub-time period, reflects more accurately how clients access the URL.
The above is only a preferred implementation of the embodiment. In a specific implementation, the gateway device may also calculate the mean of all response times within the preset time period and use that mean as the first duration threshold. This is not limited in the present application.
Illustratively, the first duration threshold obtained by the method shown in Fig. 5 is shown in Fig. 6. With reference to Fig. 6, the preset time period includes consecutive, non-overlapping sub-time periods 1 to 5, and the duration baseline includes the second duration threshold T1 corresponding to sub-time period 1, T2 corresponding to sub-time period 2, T3 corresponding to sub-time period 3, T4 corresponding to sub-time period 4, and T5 corresponding to sub-time period 5.
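As an added example (not code from the patent or from Huawei), the following Python computes the per-sub-period second duration thresholds of steps S506 and S507, i.e. T1 to T5 of Fig. 6, from recorded accesses, with the optional coefficient of the S507 alternative and the whole-period mean of the simpler variant. The record layout, the millisecond time base, the sub-period boundaries and the sample accesses are constructed assumptions; the patent does not say how a sub-period with no recorded accesses is treated, so the function returns None for it.

```python
"""Learning the second duration thresholds T1..T5 of Fig. 6 (steps S506 and S507).

Added illustration; this is not code from the patent or from Huawei. It assumes
the gateway has already measured, for one URL, the moment at which each HTTP GET
was received and the server's response time (steps S501 to S505). Times are in
milliseconds since the start of the preset time period; all sample data below
is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccessRecord:
    received_at: float    # first moment (ms after the start of the preset period)
    response_time: float  # second moment minus first moment, in ms


def sub_period_index(moment: float, boundaries: List[float]) -> Optional[int]:
    """Index i of the sub-time period [boundaries[i], boundaries[i+1]) holding
    moment, or None if the moment lies outside the preset time period."""
    for i in range(len(boundaries) - 1):
        if boundaries[i] <= moment < boundaries[i + 1]:
            return i
    return None


def learn_second_thresholds(records: List[AccessRecord], boundaries: List[float],
                            coefficient: float = 1.0) -> List[Optional[float]]:
    """Step S507 for every sub-period: T_i = coefficient * mean response time of
    the accesses received in sub-period i. The coefficient absorbs ordinary
    network delay (1.0 reproduces the plain mean). A sub-period without any
    recorded access yields None; the patent does not cover that case, so the
    caller must supply a fallback (assumption)."""
    n = len(boundaries) - 1
    sums = [0.0] * n
    counts = [0] * n
    for rec in records:
        i = sub_period_index(rec.received_at, boundaries)
        if i is None:
            continue  # received outside the learning window, ignored
        sums[i] += rec.response_time
        counts[i] += 1
    return [coefficient * s / c if c else None for s, c in zip(sums, counts)]


def learn_single_threshold(records: List[AccessRecord],
                           coefficient: float = 1.0) -> Optional[float]:
    """Simpler variant mentioned in the text: one first duration threshold equal
    to the mean response time over the whole preset time period."""
    if not records:
        return None
    return coefficient * sum(r.response_time for r in records) / len(records)


# Constructed sample: a 300 s preset period split into five 60 s sub-periods
# (sub-period 1 = [0, 60000) ms, ..., sub-period 5 = [240000, 300000) ms).
SUB_PERIOD_BOUNDARIES = [0, 60_000, 120_000, 180_000, 240_000, 300_000]

SAMPLE_RECORDS = [
    AccessRecord(1_000, 100), AccessRecord(20_000, 120), AccessRecord(59_999, 140),       # sub-period 1
    AccessRecord(60_000, 200), AccessRecord(90_000, 240),                                 # sub-period 2
    AccessRecord(150_000, 300),                                                           # sub-period 3
    AccessRecord(181_000, 380), AccessRecord(239_000, 420),                               # sub-period 4
    AccessRecord(241_000, 500), AccessRecord(250_000, 600), AccessRecord(299_000, 400),   # sub-period 5
]

if __name__ == "__main__":
    for i, t in enumerate(learn_second_thresholds(SAMPLE_RECORDS, SUB_PERIOD_BOUNDARIES, 1.5), 1):
        print(f"T{i} = {t} ms")
```

Run stand-alone, the script prints the five thresholds with a coefficient of 1.5 (180, 330, 450, 600 and 750 ms for the constructed sample); with the default coefficient of 1.0 they are the plain per-sub-period means. The learning window is meant to be collected while the server is known to be unattacked, as the text notes, since thresholds learned under a flood would simply encode the flood.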
Further, based on the first duration threshold shown in Fig. 6, the method by which the gateway device detects a denial of service attack within the preset time period is shown in Fig. 7 and includes:
S701. The gateway device determines the response time of the first client access to the URL within the preset time period.
Specifically, the gateway device calculates the response time in the manner of steps S501 to S504 shown in Fig. 5, which is not repeated here.
S702. The gateway device determines whether the response time exceeds the second duration threshold corresponding to the sub-time period in which the current moment lies.
Illustratively, as shown in Fig. 6, if the gateway device receives the first resource access request message with which a client accesses the URL within sub-time period 1, then after determining the response time tt of this access, the gateway device compares tt numerically with the second duration threshold T1 corresponding to sub-time period 1 to determine whether tt exceeds T1.
It should be noted that the current moment in step S702 is the moment at which the gateway device calculates the response time. In another possible implementation, for each resource access request message accessing the same URL, the gateway device records the correspondence between the moment at which it received the message and the server's response time to that message. After calculating a response time, the gateway device uses this correspondence to determine the recorded moment at which the message was received, determines from the pre-stored correspondence between sub-time periods and second duration thresholds the second duration threshold of the sub-time period containing that receiving moment, and compares the response time numerically with that second duration threshold to determine whether the response time exceeds it.
S703. The gateway device sums the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and takes the sum as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
Alternatively, each time the gateway device receives, within the preset time period, a resource access request message with which a client accesses the URL, it performs steps S701 and S702, and each time the response time exceeds the second duration threshold of the sub-time period in question, it increments by one its recorded number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold. This continues until the preset time period ends, yielding the total number of such messages within the preset time period.
S704. If the number is not less than a preset first threshold, the gateway device determines that the server is under a denial of service attack.
The first threshold can be configured in advance according to the actual deployment.
S705. If the number is less than the first threshold, the gateway device performs steps S706 to S707 for each sub-time period included in the preset time period.
S706. The gateway device calculates, according to the recorded correspondence between the moments at which resource access request messages were received and their response times, the mean of the response times of all resource access request messages received in the sub-time period.
S707. The gateway device adjusts the second duration threshold corresponding to the sub-time period according to the mean value.
Specifically, when adjusting the second duration threshold, the gateway device may directly replace the previous second duration threshold of the sub-time period with the mean value, or multiply the mean value by a coefficient and use the product as the adjusted second duration threshold of the sub-time period, where the coefficient can be configured according to the network delay in the actual deployment.
That is, when the number is less than the first threshold, the gateway device considers that the server is not under a denial of service attack, and can then use the response times within the preset time period to adjust the first duration threshold. The first duration threshold therefore does not remain constant after being initially set, but is adjusted dynamically during denial of service attack detection, so that it is set more reasonably.
It should be noted that the steps shown in Fig. 7 are only illustrative. For brevity they are described as a series of combined actions, but a person skilled in the art should know that the present application is not limited by the described sequence of actions, and that the embodiments described in this specification are preferred embodiments whose actions are not necessarily required by the embodiments of the present application.
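The detection and adjustment loop of Fig. 7 (S701 to S707), as an added example that is not code from the patent or from Huawei. It assumes second duration thresholds T1 to T5 already learned in the manner of Fig. 5 and follows the streaming variant described under S703: one counter per sub-period is incremented whenever a request's response time exceeds the threshold of the sub-period in which that request was received, the counters are summed at the end of the preset period, and, when the sum stays below the first threshold, each threshold is re-learned from the period's mean. The sample traces, the first threshold of 5, the millisecond time base and the rule of keeping the old threshold for a sub-period with no accesses are constructed assumptions.

```python
"""Detection with per-sub-period thresholds and dynamic adjustment (Fig. 7).

Added illustration, not code from the patent or from Huawei. Assumes T1..T5
were learned beforehand (Fig. 5) and that the gateway knows, for every access
to the URL, the moment it was received and the measured response time.
Times are in milliseconds; the sample traces are constructed.
"""
from typing import List, Optional, Tuple


def sub_period_index(moment: float, boundaries: List[float]) -> Optional[int]:
    """Index of the sub-time period [boundaries[i], boundaries[i+1]) holding moment."""
    for i in range(len(boundaries) - 1):
        if boundaries[i] <= moment < boundaries[i + 1]:
            return i
    return None


class ResponseTimeDetector:
    def __init__(self, boundaries: List[float], second_thresholds: List[float],
                 first_threshold: int, coefficient: float = 1.0) -> None:
        self.boundaries = boundaries
        self.thresholds = list(second_thresholds)  # T1..Tm, one per sub-period
        self.first_threshold = first_threshold      # exceedance count that raises the alarm
        self.coefficient = coefficient              # applied to the mean when re-learning
        self._reset_period()

    def _reset_period(self) -> None:
        n = len(self.boundaries) - 1
        self.exceeded = [0] * n   # S703 counters, one per sub-period
        self.sums = [0.0] * n     # accumulators for the S706 mean
        self.counts = [0] * n

    def observe(self, received_at: float, response_time: float) -> bool:
        """S701/S702 for one access: compare its response time with the threshold
        of the sub-period in which the request was received. Returns True when
        the threshold was exceeded (and the S703 counter was incremented)."""
        i = sub_period_index(received_at, self.boundaries)
        if i is None:
            return False  # outside the preset period, not counted
        self.sums[i] += response_time
        self.counts[i] += 1
        if response_time > self.thresholds[i]:
            self.exceeded[i] += 1
            return True
        return False

    def end_of_period(self) -> Tuple[bool, int]:
        """S703 to S707 at the end of the preset time period: sum the counters,
        raise the alarm when the sum reaches the first threshold, otherwise
        re-learn each T_i from the period's mean response time. A sub-period
        with no accesses keeps its old threshold (assumption, not in the patent).
        Returns (attack detected, total exceedance count)."""
        total = sum(self.exceeded)
        attacked = total >= self.first_threshold
        if not attacked:
            self.thresholds = [
                self.coefficient * s / c if c else old
                for s, c, old in zip(self.sums, self.counts, self.thresholds)
            ]
        self._reset_period()
        return attacked, total


def run_period(detector: ResponseTimeDetector,
               trace: List[Tuple[float, float]]) -> Tuple[bool, int]:
    """Feed one preset period of (received_at, response_time) pairs and close it."""
    for received_at, response_time in trace:
        detector.observe(received_at, response_time)
    return detector.end_of_period()


# Constructed data: five 60 s sub-periods and thresholds T1..T5 as in Fig. 6.
BOUNDARIES = [0, 60_000, 120_000, 180_000, 240_000, 300_000]
LEARNED_THRESHOLDS = [120.0, 220.0, 300.0, 400.0, 500.0]
FIRST_THRESHOLD = 5

# Normal traffic: a few accesses are slightly slow, only three exceed their T_i.
BENIGN_TRACE = [
    (1_000, 100), (30_000, 130),          # sub-period 1: one exceedance
    (61_000, 210), (100_000, 230),        # sub-period 2: one exceedance
    (150_000, 290),                       # sub-period 3: none
    (181_000, 390), (200_000, 410),       # sub-period 4: one exceedance
    (250_000, 480),                       # sub-period 5: none
]

# Flood: response times climb far above every T_i, eight exceedances in total.
ATTACK_TRACE = [
    (1_000, 100), (10_000, 900), (20_000, 1_200), (30_000, 1_500),  # sub-period 1: 3
    (70_000, 2_000), (80_000, 2_500),                               # sub-period 2: 2
    (190_000, 3_000),                                               # sub-period 4: 1
    (250_000, 4_000), (260_000, 4_500),                             # sub-period 5: 2
]

if __name__ == "__main__":
    det = ResponseTimeDetector(BOUNDARIES, LEARNED_THRESHOLDS, FIRST_THRESHOLD)
    print("benign period:", run_period(det, BENIGN_TRACE), "thresholds now", det.thresholds)
    print("attack period:", run_period(det, ATTACK_TRACE))
```

In the constructed run the benign period yields three exceedances, below the first threshold, so the thresholds are re-learned from that period's means; the following flood yields eight exceedances, the alarm is raised, and the thresholds are left untouched. That last point is the safety property worth checking in any implementation: re-learning only happens in periods judged clean, so a sustained flood cannot gradually raise the baseline until it looks normal.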
The method for detecting a denial of service attack provided by the embodiment is described in detail below, taking as an example the case where the characteristic information is the number of request failure messages from the server within a preset time period.
Specifically, the gateway device counts, within the preset time period, the number of request failure messages received from the server, and if this number is not less than a second threshold, determines that the server is under a denial of service attack.
The request failure messages may be sent by the server to the gateway device in response to resource access request messages sent by different clients.
Illustratively, when the server is a Web server, for resource access request messages from clients that it cannot respond to, the Web server may send a 503 status code to the gateway device. A 503 status code is a Server Error return status indicating that the server cannot process the request message because of maintenance or overload; that is, the request failure message may be a 503 status code.
When a server is under a denial of service attack, it is busy processing the surge of requests and cannot respond normally to the requests of legitimate users, so the request failure messages it sends necessarily increase, whereas its total traffic or packet rate does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether a denial of service attack is under way from the server's total traffic or packet rate, this solution improves detection accuracy.
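As an added example (not the patent's or Huawei's code), a Python counter of 503 request failure messages per preset time period, run over a constructed gateway log in an assumed one-line-per-relayed-response format. Malformed lines are skipped rather than counted, and a period is flagged when its count is not less than the second threshold; the timestamps, client addresses, 60 s period and threshold of 3 are all constructed.

```python
"""Counting 503 request failure messages per preset time period.

Added illustration, not code from the patent or from Huawei. The gateway is
assumed to log one line per server response it relays, in the constructed
format "<ISO-8601 UTC time> <client> <method> <url> <status>". The log lines,
the 60 s preset time period and the second threshold of 3 are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, client, url, status) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["client"], m["url"], int(m["status"])


def failures_per_period(lines: List[str], start: datetime, period_seconds: int,
                        failure_status: int = 503) -> Dict[int, int]:
    """Number of request failure messages (503 by default) in each consecutive
    preset time period; key k covers [start + k*period, start + (k+1)*period)."""
    counts: Dict[int, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skipped, never counted as a failure
        ts, _client, _url, status = parsed
        if status != failure_status or ts < start:
            continue
        k = int((ts - start).total_seconds() // period_seconds)
        counts[k] = counts.get(k, 0) + 1
    return counts


def attacked_periods(lines: List[str], start: datetime, period_seconds: int,
                     second_threshold: int) -> List[int]:
    """Periods whose failure count is not less than the second threshold."""
    counts = failures_per_period(lines, start, period_seconds)
    return sorted(k for k, c in counts.items() if c >= second_threshold)


# Constructed gateway log: period 0 is healthy, period 1 shows a burst of 503s.
SAMPLE_LOG = [
    "2015-10-28T09:00:01Z 10.0.0.11 GET /index.html 200",
    "2015-10-28T09:00:07Z 10.0.0.12 GET /index.html 200",
    "2015-10-28T09:00:30Z 10.0.0.13 GET /index.html 503",
    "2015-10-28T09:00:55Z 10.0.0.14 GET /index.html 200",
    "2015-10-28T09:01:02Z 10.0.0.11 GET /index.html 503",
    "2015-10-28T09:01:05Z 10.0.0.12 GET /index.html 503",
    "2015-10-28T09:01:20Z 10.0.0.13 GET /index.html 200",
    "2015-10-28T09:01:33Z 10.0.0.14 GET /index.html 503",
    "2015-10-28T09:01:59Z 10.0.0.15 GET /index.html 503",
    "garbage line that does not parse",
    "2015-10-28T09:02:10Z 10.0.0.11 GET /index.html 503",
    "2015-10-28T09:02:40Z 10.0.0.12 GET /index.html 503",
]
PERIOD_START = datetime(2015, 10, 28, 9, 0, 0, tzinfo=timezone.utc)
PERIOD_SECONDS = 60
SECOND_THRESHOLD = 3

if __name__ == "__main__":
    print(failures_per_period(SAMPLE_LOG, PERIOD_START, PERIOD_SECONDS))
    print("periods under attack:",
          attacked_periods(SAMPLE_LOG, PERIOD_START, PERIOD_SECONDS, SECOND_THRESHOLD))
```

On the constructed log the counts are 1, 4 and 2 failures for periods 0, 1 and 2, so only period 1 reaches the threshold of 3. In practice the second threshold should be set from the server's normal 503 rate, since planned maintenance also produces 503s and would otherwise trip the detector.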
The method by which the gateway device protects the server after determining that the server is under a denial of service attack is briefly introduced below, and includes:
S801. The gateway device sends a close service message to the server, instructing the server to close its connections with clients.
It should be noted that if the server is a Web server, the close service message may be a Transmission Control Protocol (TCP) FIN message or RST message, and the server closes its connections with clients after receiving the FIN message or RST message.
S802. The gateway device receives a first resource access request message, carrying a first URL, sent by a client.
For convenience, Fig. 8 shows only one client, but a person skilled in the art should understand that the client shown in Fig. 8 may represent any client connected to the server.
S803. The gateway device determines, according to the client identifier carried in the first resource access request message, whether the client is in a white list.
Specifically, if the white list includes the identifier of the client, step S804 is performed; if the white list does not include the identifier of the client, step S805 and its subsequent steps are performed.
S804. The gateway device sends the first resource access request message to the server.
S805. The gateway device sends a verification indication message to the client.
S806. The gateway device receives a verification request message sent by the client according to the verification indication message.
S807. After verifying the client according to the verification request message, the gateway device adds the client to the white list.
S808. The gateway device sends a redirection message to the client, the redirection message including a second URL.
It should be noted that if the server is a Web server, after receiving the close service message sent by the gateway device in step S801, the Web server may move the web page of the first URL to the second URL, so that an attacker cannot continue the attack launched with the first URL. In this case, the redirection message may include a 301 status code and the second URL, the 301 status code indicating that the web page has been permanently moved to the second URL.
S809. The gateway device receives a second resource access request message sent by the client, the second resource access request message including the second URL.
S810. The gateway device sends the second resource access request message to the server.
Specifically, after determining that the server is under a denial of service attack, the gateway device verifies the clients that request access to the server and forwards to the server only the resource access request messages sent by verified clients in the white list, thereby avoiding denial of service attacks that unverified clients might carry out against the server.
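An added example of the protection flow S801 to S810, not code from the patent or from Huawei. The patent does not specify how a client is verified; the challenge-echo used here (the client must return a random nonce the gateway issued) is a constructed placeholder for the real verification step, and the client identifiers, the URLs and the mapping from the first URL to the second URL that the Web server applies after the close service message are constructed as well.

```python
"""Protection after an alarm: white list check, client verification and
redirect to a second URL (Fig. 8, steps S801 to S810).

Added illustration, not code from the patent or from Huawei. The verification
mechanism is a constructed placeholder (echo of a random nonce); the client
identifiers, URLs and the first-URL to second-URL mapping are constructed.
"""
import hmac
import secrets
from typing import Dict, Set, Tuple


class ProtectingGateway:
    def __init__(self, url_moves: Dict[str, str]) -> None:
        self.url_moves = url_moves                     # first URL -> second URL (assumption)
        self.whitelist: Set[str] = set()               # identifiers of verified clients
        self.pending: Dict[str, Tuple[str, str]] = {}  # client id -> (challenge, first URL)
        self.service_closed = False                    # whether S801 has been carried out

    def close_service(self) -> str:
        """S801: instruct the server to close client connections. For a Web server
        the text names a TCP FIN or RST; the returned label stands in for that."""
        self.service_closed = True
        return "FIN"

    def handle_request(self, client_id: str, url: str) -> Tuple[str, ...]:
        """S802 to S805: forward the request for white-listed clients (S804),
        otherwise send a verification indication carrying a fresh challenge (S805)."""
        if client_id in self.whitelist:
            return ("forward", url)
        challenge = secrets.token_hex(16)  # constructed verification, not the patent's
        self.pending[client_id] = (challenge, url)
        return ("verify", challenge)

    def handle_verification(self, client_id: str, answer: str) -> Tuple[str, ...]:
        """S806 to S808: on a correct answer add the client to the white list and
        redirect it with a 301 to the second URL; otherwise reject, leaving the
        client outside the white list so its traffic never reaches the server."""
        entry = self.pending.pop(client_id, None)
        if entry is None:
            return ("reject",)
        expected, first_url = entry
        if not hmac.compare_digest(expected, answer):
            return ("reject",)
        self.whitelist.add(client_id)                            # S807
        return ("redirect", 301, self.url_moves.get(first_url, first_url))  # S808


def well_behaved_client(gw: ProtectingGateway, client_id: str, url: str) -> Tuple[str, ...]:
    """Drive one cooperating client through S802 to S810 and return the final
    gateway action for its second resource access request message."""
    action = gw.handle_request(client_id, url)
    if action[0] == "forward":
        return action
    redirect = gw.handle_verification(client_id, action[1])
    if redirect[0] != "redirect":
        return redirect
    return gw.handle_request(client_id, redirect[2])  # S809/S810 with the second URL


if __name__ == "__main__":
    gw = ProtectingGateway({"/index.html": "/index-moved.html"})
    print("S801 ->", gw.close_service())
    print("cooperating client ->", well_behaved_client(gw, "client-A", "/index.html"))
    print("unverified client ->", gw.handle_request("client-B", "/index.html")[0])
```

A client that never answers the verification indication, or answers it wrongly, never enters the white list and none of its resource access request messages are forwarded; a client that passes is redirected to the second URL and forwarded from then on. Pending challenges should also be given an expiry in a real deployment, which this placeholder omits.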
An embodiment of the present application further provides a gateway device 90 for implementing the method for detecting a denial of service attack shown in the above method embodiments. As shown in Fig. 9, the gateway device 90 includes:
a receiving unit 91, configured to receive a response message, based on an application layer protocol, sent by a server.
The response message responds to a resource access request message, based on the application layer protocol, from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server.
an acquiring unit 92, configured to obtain characteristic information of the response message received by the receiving unit 91.
a determining unit 93, configured to determine, according to the characteristic information obtained by the acquiring unit 92, whether the server is under a denial of service attack.
With the above gateway device, whether the server is under a denial of service attack is determined on the basis of application layer service quality. The characteristic information of the application-layer response message sent by the server reflects the service quality of the application layer, for example the server's response time to resource access request messages accessing the same URL, or the request failure messages from the server within a preset time period. When a server is under a denial of service attack its application layer service quality necessarily changes, and the correlation between the attack and the application layer service quality is stronger than the correlation between the attack and transport layer traffic. Therefore, compared with the prior art, which determines whether a server is under attack by detecting transport layer traffic, the gateway device provided by the present application improves the accuracy of denial of service attack detection by determining this from application layer service quality.
Alternatively, the characteristic information is the response time; the acquiring unit 92 is specifically configured to determine and record, within a preset time period, the response time with which the server responds to resource access request messages accessing the same URL; the determining unit 93 is specifically configured to determine the number of resource access request messages accessing the same URL whose response time exceeds a first duration threshold within the preset time period, and to determine that the server is under a denial of service attack when the number is not less than a first threshold.
The initial setting of the first duration threshold is carried out in a scenario where the server is guaranteed not to be under a denial of service attack, and the first threshold can be configured in advance according to the practical application.
Alternatively, the acquiring unit 92 is further configured to perform, within the preset time period, for each resource access request message accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server; recording a second moment at which the response message sent by the server in response to the resource access request message is received; and determining, from the first moment and the second moment, the server's response time to the resource access request message.
Alternatively, the preset time period includes at least two consecutive, non-overlapping sub-time periods; the acquiring unit 92 is further configured to record, for each resource access request message accessing the same URL, the correspondence between the moment at which the gateway device received the message and the server's response time to it; the determining unit 93 is specifically configured to perform, for each sub-time period included in the preset time period:
finding, from the pre-stored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period; and determining, according to the recorded correspondence between receiving moments and response times, the number of resource access request messages accessing the same URL, among all those received within the sub-time period, whose response time exceeds the second duration threshold;
the determining unit 93 is further configured to sum the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and to take the sum as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
It should be noted that when the server is under a denial of service attack, its response time to the resource access request messages with which the attacking clients access the URL will necessarily increase rapidly, whereas its total traffic or packet rate does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether a denial of service attack is under way from the server's total traffic or packet rate, this solution improves detection accuracy.
Optionally, the gateway device 90 further includes an adjustment unit 94, configured to, when the number is less than the first threshold, perform the following for each sub-time period included in the preset time period:
calculating, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the mean value of the response times of all resource access request messages received within the sub-time period; and adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
That is, when the number is less than the first threshold, the gateway device considers that the server is not subjected to a denial of service attack, and at this time the gateway device can use the response times observed within the preset time period to adjust the first duration threshold. In other words, after being initially set, the first duration threshold is not kept constant but is dynamically adjusted while denial of service attacks are being detected, so that the first duration threshold is set more reasonably.
Optionally, the response message is a request failure message coming from the server, and the characteristic information is the number of response messages within the preset time period; the acquiring unit 92 is specifically configured to calculate, within the preset time period, the number of request failure messages received from the server; and the determining unit 93 is specifically configured to determine that the server is subjected to a denial of service attack if the number is not less than a second threshold.
It is worth noting that when the server is subjected to a denial of service attack, the server is busy processing the surge of requests and cannot normally respond to the resource access request messages sent by legitimate users; in this case, the application-layer request failure messages sent by the server will necessarily increase rapidly, whereas the total traffic or packet sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether a server is subjected to a denial of service attack by detecting the server's total traffic or packet sending rate, the above scheme improves the accuracy of detecting denial of service attacks.
In addition, the above division of the gateway device into units is only a division by logical function; other division manners are possible in actual implementation, and the specific physical implementation of each unit is not limited in this application. For example, in a specific implementation, the receiving unit 91 may be a receiver, the acquiring unit 92 may be an arithmetic unit, and the determining unit 93 may be a central processing unit; other implementations that a person skilled in the art could conceive of by reasonable analysis and reasoning also fall within the protection scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the gateway device described above may refer to the corresponding process in the foregoing method embodiment, and is not described here again.
An embodiment of this application provides another gateway device 10. As shown in Figure 10, the gateway device 10 includes:
a processor 101, a transmitter (Communications Interface) 102, a receiver 103, a memory 104 and a communication bus 105, where the processor 101, the transmitter 102, the receiver 103 and the memory 104 communicate with each other through the communication bus 105.
The processor 101 may be a multi-core central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application.
The memory 104 is configured to store program code, and the program code includes computer operation instructions and a network flow graph. The memory 104 may include high-speed RAM memory, and may also include non-volatile memory, for example at least one magnetic disk memory. The memory 104 may also be a memory array. The memory 104 may also be divided into blocks, and the blocks may be combined into virtual volumes according to certain rules.
The transmitter 102 and the receiver 103 are configured to implement the connection and communication between these devices.
The processor 101 is configured to execute the program code in the memory 104 to implement the following operations:
receiving an application-layer-protocol-based response message sent by a server, where the response message is used to respond to an application-layer-protocol-based resource access request message from a client, and the resource access request message carries a uniform resource locator (URL) of a resource provided by the server;
obtaining characteristic information of the response message;
determining, according to the characteristic information, whether the server is subjected to a denial of service attack.
Optionally, the characteristic information is response time;
the obtaining characteristic information of the response message includes:
determining, within a preset time period, the response time with which the server responds to resource access request messages accessing the same URL, and recording it;
the determining, according to the characteristic information, whether the server is subjected to a denial of service attack includes:
determining, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds a first duration threshold;
if the number is not less than a first threshold, determining that the server is subjected to a denial of service attack.
Optionally, the determining, within the preset time period, the response time with which the server responds to resource access request messages accessing the same URL includes:
within the preset time period, performing the following for each resource access request message accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received;
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
Optionally, the preset time period includes at least two sequentially connected and mutually non-overlapping sub-time periods;
the determining, within the preset time period, the response time with which the server responds to each resource access request message accessing the same URL, and recording it, further includes:
for each resource access request message accessing the same URL, recording, by the gateway device, the correspondence between the moment at which the resource access request message is received and the response time with which the server responds to the resource access request message;
the determining, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold includes:
for each sub-time period included in the preset time period, performing:
looking up, from the prestored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
summing the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and taking the result of the summation as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
Optionally, the operations further include:
if the number is less than the first threshold, performing the following for each sub-time period included in the preset time period:
calculating, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the mean value of the response times of all resource access request messages received within the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
Optionally, the response message is a request failure message coming from the server, and the characteristic information is the number of response messages within the preset time period;
the obtaining characteristic information of the response message includes:
calculating, within the preset time period, the number of request failure messages received from the server;
the determining, according to the characteristic information, whether the server is subjected to a denial of service attack includes:
if the number is not less than a second threshold, determining that the server is subjected to a denial of service attack.
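The record, count, sum and adjust procedure above, together with the request-failure variant, and the same logic described earlier for the acquiring unit 92, determining unit 93 and adjustment unit 94, as an added Python example that is not code from the patent or its assignee. It assumes HTTP as the application-layer protocol, treats a 5xx response as the "request failure message", and uses a mean-based adjustment rule (threshold := ADJUST_FACTOR times the sub-period mean) that the text does not specify:

```python
"""DoS detection by response time / failure count, modelled on the text's gateway.
Added example, not the patent's or Huawei's code.  Assumptions: HTTP is the
application-layer protocol, a "request failure message" is a 5xx response, and
the adjustment rule is new_second_threshold = ADJUST_FACTOR * mean response time."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Tuple

ADJUST_FACTOR = 2.0  # assumed adjustment rule, see module docstring


@dataclass
class Record:
    recv_time: float      # first moment: gateway received the request
    url: str
    response_time: float  # second moment minus first moment
    status: int


@dataclass
class Gateway:
    period_start: float
    sub_period_len: float
    sub_thresholds: List[float]  # prestored second duration threshold per sub-period
    first_threshold: int   # slow-request count that signals an attack
    second_threshold: int  # failure-message count that signals an attack
    pending: Dict[int, Tuple[float, str]] = field(default_factory=dict)
    records: List[Record] = field(default_factory=list)

    @property
    def period_end(self) -> float:
        return self.period_start + self.sub_period_len * len(self.sub_thresholds)

    def on_request(self, req_id: int, url: str, now: float) -> None:
        """Client -> server direction: record the first moment, then forward."""
        self.pending[req_id] = (now, url)

    def on_response(self, req_id: int, status: int, now: float) -> Optional[Record]:
        """Server -> client direction: record the second moment, derive the response time."""
        first = self.pending.pop(req_id, None)
        if first is None:
            return None  # no matching request (or already answered): ignore
        t1, url = first
        rec = Record(t1, url, now - t1, status)
        self.records.append(rec)
        return rec

    def _sub_index(self, t: float) -> Optional[int]:
        if not (self.period_start <= t < self.period_end):
            return None
        return int((t - self.period_start) // self.sub_period_len)

    def slow_counts(self, url: str) -> List[int]:
        """Per sub-period: requests for url slower than that sub-period's threshold."""
        counts = [0] * len(self.sub_thresholds)
        for r in self.records:
            i = self._sub_index(r.recv_time)
            if i is not None and r.url == url and r.response_time > self.sub_thresholds[i]:
                counts[i] += 1
        return counts

    def detect_by_response_time(self, url: str) -> bool:
        """Summed per-sub-period count stands in for 'exceeds the first duration
        threshold'; attack if it reaches first_threshold, else retune thresholds."""
        if sum(self.slow_counts(url)) >= self.first_threshold:
            return True
        self.adjust_thresholds()
        return False

    def adjust_thresholds(self) -> None:
        for i in range(len(self.sub_thresholds)):
            rts = [r.response_time for r in self.records if self._sub_index(r.recv_time) == i]
            if rts:  # sub-periods with no traffic keep their old threshold
                self.sub_thresholds[i] = ADJUST_FACTOR * mean(rts)

    def detect_by_failures(self) -> bool:
        n = sum(1 for r in self.records
                if r.status >= 500 and self.period_start <= r.recv_time < self.period_end)
        return n >= self.second_threshold


def run_scenario(attack: bool) -> Gateway:
    """Constructed traffic: 15 requests to /login over a 30 s period, 3 sub-periods."""
    gw = Gateway(0.0, 10.0, [0.5, 0.5, 0.5], first_threshold=6, second_threshold=5)
    for n in range(15):
        sub, k = divmod(n, 5)
        t = sub * 10.0 + k * 2.0
        # baseline ~0.1 s replies; under attack latency climbs past 0.5 s after sub-period 0
        rt = 0.1 if not attack or sub == 0 else 0.8 + 0.1 * k
        status = 503 if attack and sub == 2 else 200  # server starts failing in sub-period 2
        gw.on_request(n, "/login", t)
        gw.on_response(n, status, t + rt)
    return gw
```

In the quiet scenario the latency check stays below the first threshold and the per-sub-period thresholds are retuned from the observed means; in the attack scenario both the latency count and the 503 count cross their thresholds.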
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative; the division of the units is only a division by logical function, and other division manners are possible in actual implementation, for instance multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the methods described in the embodiments of this application. The storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific embodiments of this application, but the protection scope of this application is not limited thereto; any change or replacement that a person familiar with the art could readily conceive of within the technical scope disclosed in this application shall be covered by the protection scope of this application. Therefore, the protection scope of this application shall be defined by the scope of the claims.

Claims (12)

1. A method for detecting a denial of service attack, characterized by comprising:
receiving, by a gateway device, an application-layer-protocol-based response message sent by a server, where the response message is used to respond to an application-layer-protocol-based resource access request message from a client, and the resource access request message carries a uniform resource locator (URL) of a resource provided by the server;
obtaining characteristic information of the response message;
determining, according to the characteristic information, whether the server is subjected to a denial of service attack.
2. The method according to claim 1, characterized in that the characteristic information is response time;
the obtaining characteristic information of the response message comprises:
determining, within a preset time period, the response time with which the server responds to resource access request messages accessing the same URL, and recording it;
the determining, according to the characteristic information, whether the server is subjected to a denial of service attack comprises:
determining, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds a first duration threshold;
if the number is not less than a first threshold, determining that the server is subjected to a denial of service attack.
3. The method according to claim 2, characterized in that the determining, within the preset time period, the response time with which the server responds to resource access request messages accessing the same URL comprises:
within the preset time period, performing the following for each resource access request message accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received;
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
4. The method according to claim 2 or 3, characterized in that the preset time period comprises at least two sequentially connected and mutually non-overlapping sub-time periods;
the determining, within the preset time period, the response time with which the server responds to each resource access request message accessing the same URL, and recording it, further comprises:
for each resource access request message accessing the same URL, recording, by the gateway device, the correspondence between the moment at which the resource access request message is received and the response time with which the server responds to the resource access request message;
the determining, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold comprises:
for each sub-time period included in the preset time period, performing:
looking up, from the prestored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
summing the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and taking the result of the summation as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
5. The method according to claim 4, characterized by further comprising:
if the number is less than the first threshold, performing the following for each sub-time period included in the preset time period:
calculating, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the mean value of the response times of all resource access request messages received within the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
6. The method according to claim 1, characterized in that the response message is a request failure message coming from the server, and the characteristic information is the number of response messages within a preset time period;
the obtaining characteristic information of the response message comprises:
calculating, within the preset time period, the number of request failure messages received from the server;
the determining, according to the characteristic information, whether the server is subjected to a denial of service attack comprises:
if the number is not less than a second threshold, determining that the server is subjected to a denial of service attack.
7. A gateway device, characterized by comprising:
a receiving unit, configured to receive an application-layer-protocol-based response message sent by a server, where the response message is used to respond to an application-layer-protocol-based resource access request message from a client, and the resource access request message carries a uniform resource locator (URL) of a resource provided by the server;
an acquiring unit, configured to obtain characteristic information of the response message received by the receiving unit;
a determining unit, configured to determine, according to the characteristic information obtained by the acquiring unit, whether the server is subjected to a denial of service attack.
8. The gateway device according to claim 7, characterized in that the characteristic information is response time;
the acquiring unit is specifically configured to determine, within a preset time period, the response time with which the server responds to resource access request messages accessing the same URL, and to record it;
the determining unit is specifically configured to determine, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds a first duration threshold, and to determine that the server is subjected to a denial of service attack when the number is not less than a first threshold.
9. The gateway device according to claim 8, characterized in that
the acquiring unit is specifically configured to, within the preset time period, perform the following for each resource access request message accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received;
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
10. The gateway device according to claim 8 or 9, characterized in that the preset time period comprises at least two sequentially connected and mutually non-overlapping sub-time periods; the acquiring unit is specifically configured to:
for each resource access request message accessing the same URL, record the correspondence between the moment at which the gateway device receives the resource access request message and the response time with which the server responds to the resource access request message;
the determining unit is specifically configured to, for each sub-time period included in the preset time period, perform:
looking up, from the prestored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
the determining unit is further configured to sum the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and to take the result of the summation as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
11. The gateway device according to claim 10, characterized by further comprising an adjustment unit, configured to, when the number is less than the first threshold, perform the following for each sub-time period included in the preset time period:
calculating, according to the recorded correspondence between the moment at which each resource access request message was received and its response time, the mean value of the response times of all resource access request messages received within the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
12. The gateway device according to claim 7, characterized in that the response message is a request failure message coming from the server, and the characteristic information is the number of response messages within a preset time period;
the acquiring unit is specifically configured to calculate, within the preset time period, the number of request failure messages received from the server;
the determining unit is specifically configured to determine that the server is subjected to a denial of service attack when the number is not less than a second threshold.
CN201510715982.7A 2015-10-28 2015-10-28 Method and device for detecting denial of service attack Active CN106656912B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510715982.7A CN106656912B (en) 2015-10-28 2015-10-28 Method and device for detecting denial of service attack

Publications (2)

Publication Number Publication Date
CN106656912A true CN106656912A (en) 2017-05-10
CN106656912B CN106656912B (en) 2020-03-20

Family

ID=58830759

Country Status (1)

Country Link
CN (1) CN106656912B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267313A (en) * 2008-04-23 2008-09-17 华为技术有限公司 Flooding attack detection method and detection device
CN101437030A (en) * 2008-11-29 2009-05-20 成都市华为赛门铁克科技有限公司 Method for preventing server from being attacked, detection device and monitoring device
CN101572609A (en) * 2008-04-29 2009-11-04 成都市华为赛门铁克科技有限公司 Method and device for detecting and refusing service attack
US20100235632A1 (en) * 2006-05-12 2010-09-16 International Business Machines Corporation Protecting against denial of service attacks using trust, quality of service, personalization, and hide port messages
CN103179132A (en) * 2013-04-09 2013-06-26 中国信息安全测评中心 Method and device for detecting and defending CC (challenge collapsar)
CN104113525A (en) * 2014-05-23 2014-10-22 中国电子技术标准化研究院 Method and apparatus for defending resource consumption type Web attacks

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108810014A (en) * 2018-06-29 2018-11-13 北京奇虎科技有限公司 Attack alarm method and device
CN108810014B (en) * 2018-06-29 2021-06-04 北京奇虎科技有限公司 Attack event warning method and device
CN109831459A (en) * 2019-03-22 2019-05-31 百度在线网络技术(北京)有限公司 Method, apparatus, storage medium and the terminal device of secure access
CN113806131A (en) * 2021-09-23 2021-12-17 深圳市元征软件开发有限公司 Access control method and device for fault code library, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN106656912B (en) 2020-03-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant