CN106656912A - Method and device for detecting denial of service attack - Google Patents
- Publication number: CN106656912A (application number CN201510715982.7A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The application discloses a method and device for detecting a denial-of-service attack, relates to the field of communication, and is used to solve the technical problem in the prior art that detection of denial-of-service attacks is not accurate enough. The method includes the following steps: a gateway device receives a response message sent by a server based on an application layer protocol, where the response message responds to a resource access request message based on the application layer protocol from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server; feature information of the response message is obtained; and whether the server is subjected to a denial-of-service attack is determined according to the feature information. The method is used for detecting denial-of-service attacks.
Description
Technical field
The application relates to the communications field, and in particular to a method and device for detecting a denial-of-service attack.
Background technology
A denial-of-service (English full name: Denial of Service, abbreviated DoS) attack is an attack in which an attacker initiates a large number of connection requests to a server, such as Internet Control Message Protocol (English full name: Internet Control Message Protocol, abbreviated ICMP), synchronous (English full name: Synchronous, abbreviated SYN) and User Datagram Protocol (English full name: User Datagram Protocol, abbreviated UDP) requests, so that the server is busy processing this surge of requests and cannot respond normally to the requests of legitimate users, which causes the server to go down.
More seriously, an attacker may break into some hosts and use them as master hosts. The attacker installs a specific program on the master hosts so that they can receive special instructions sent by the attacker and forward those commands to other infected hosts. In other words, the attacker uses the master hosts as a springboard and controls a large number of infected and controlled hosts that together form an attack network, so as to carry out a large-scale DoS attack on the server. This kind of attack is called a distributed denial-of-service (English full name: Distributed Denial of Service, abbreviated DDoS) attack; it amplifies the effect that a single attacker could achieve, has a significant impact on the server, and can also cause severe network congestion.
The prior art usually determines whether a server is under a denial-of-service attack by traffic anomaly detection or packet-sending-frequency anomaly detection. Specifically, a traffic threshold or a packet-sending-frequency threshold is set for the server; when the current traffic of the server is detected to exceed the traffic threshold, or the current packet-sending frequency is detected to exceed the frequency threshold, the server is considered to be under a denial-of-service attack. However, in a low-traffic denial-of-service attack the traffic and packet-sending frequency of the server do not change much in a short time, so traffic anomaly detection and packet-sending-frequency anomaly detection cannot accurately detect a denial-of-service attack under low traffic and are prone to missed detections. In addition, some normal requests from legitimate users, for example proxy requests or Network Address Translation (English full name: Network Address Translation, abbreviated NAT) service requests, may also produce very high traffic and packet-sending frequency in a short time, in which case traffic anomaly detection and packet-sending-frequency anomaly detection are prone to false alarms. It follows that the prior art does not detect denial-of-service attacks accurately enough.
Summary of the invention
The purpose of the application is to provide a method and device for detecting a denial-of-service attack, so as to solve the technical problem in the prior art that detection of denial-of-service attacks is not accurate enough.
To achieve the above object, the embodiments of the application adopt the following technical solutions:
In a first aspect, a method for detecting a denial-of-service attack is provided, including:
a gateway device receives a response message based on an application layer protocol sent by a server, where the response message responds to a resource access request message based on the application layer protocol from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server;
obtaining feature information of the response message; and
determining, according to the feature information, whether the server is under a denial-of-service attack.
With the above solution, the gateway device determines whether the server is under a denial-of-service attack based on the quality of service of the application layer. It should be noted that the feature information of the application-layer response message sent by the server can indicate the application-layer quality of service, for example the response time of the server to resource access request messages that access the same URL, or the number of request failure messages from the server in a preset time period. When the server is under a denial-of-service attack, the quality of service of its application layer necessarily changes, and the correlation between the denial-of-service attack the server is subjected to and the application-layer quality of service is stronger than the correlation between that attack and the traffic of the transport layer or network layer. Therefore, compared with the prior art, which determines whether the server is under a denial-of-service attack by detecting transport-layer traffic, the application makes this determination based on the application-layer quality of service and thereby improves the accuracy of denial-of-service attack detection.
In a first possible implementation of the first aspect, the feature information is the response time;
obtaining the feature information of the response message includes:
determining and recording, in a preset time period, the response time of the server to each resource access request message that accesses the same URL; and
determining, according to the feature information, whether the server is under a denial-of-service attack includes:
determining the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds a first duration threshold; and
if the number is not less than a first threshold, determining that the server is under a denial-of-service attack.
It should be noted that when the server is under a denial-of-service attack, the response time of the server to resource access request messages from clients accessing the URL that is being attacked necessarily increases rapidly. With the above solution, when the gateway device determines that, in the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold is not less than the first threshold, it can determine that the server is under a denial-of-service attack. The initial setting of the first duration threshold is performed under the condition that the server is not under a denial-of-service attack, and the first threshold can be configured in advance according to the practical application. The prior art judges whether the server is under a denial-of-service attack by detecting the total traffic or packet-sending rate of the server, but when the server is under a denial-of-service attack its total traffic or packet-sending rate does not necessarily increase rapidly; therefore, compared with the prior art, the above solution improves the accuracy of denial-of-service attack detection.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, determining the response time of the server to each resource access request message accessing the same URL in the preset time period includes, for each resource access request message accessing the same URL in the preset time period:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received; and
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
The above solution provides one implementation in which the gateway device determines the response time, specifically by the gateway device itself recording the first moment and the second moment and computing the response time from them. Alternatively, in another implementation, the server records the moment at which it receives the resource access request message and carries, in the response message to that request, both the moment at which it received the resource access request message and the moment at which it sends the response message; after receiving the response message, the gateway device can then compute the response time from the moment at which the server received the resource access request message and the moment at which it sent the response message.
With reference to the first aspect or any one of the first to second possible implementations of the first aspect, in a third possible implementation of the first aspect, the preset time period includes at least two sub-periods that are consecutive and do not overlap one another;
determining and recording, in the preset time period, the response time of the server to each resource access request message accessing the same URL further includes:
for each resource access request message accessing the same URL, the gateway device recording the correspondence between the moment at which the resource access request message was received and the response time of the server to that resource access request message; and
determining the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds the first duration threshold includes:
for each sub-period included in the preset time period, performing: looking up, in a pre-stored correspondence between sub-periods and second duration thresholds, the second duration threshold corresponding to the sub-period; and determining, from the recorded correspondence between receive moments and response times, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-period, whose response time exceeds that second duration threshold; and
summing, over the sub-periods, the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to the respective sub-period, and taking the sum as the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds the first duration threshold.
The above solution indicates that the second duration thresholds corresponding to different sub-periods may differ. The technical effect is illustrated as follows. Suppose that, when the server is not under a denial-of-service attack, the frequency with which clients send resource access request messages accessing the same URL to the server rises successively over the three periods 9:00~10:00, 10:00~11:00 and 11:00~12:00 in the morning. In this case the initially set preset time period may be 9:00~12:00, comprising the three sub-periods 9:00~10:00, 10:00~11:00 and 11:00~12:00, where the second duration threshold corresponding to the sub-period 9:00~10:00 is less than that corresponding to 10:00~11:00, and the second duration threshold corresponding to 10:00~11:00 is less than that corresponding to 11:00~12:00. Compared with setting the same second duration threshold for all three sub-periods, the above solution sets a second duration threshold for each sub-period according to the different access patterns of clients to the same URL in the different sub-periods, and can therefore reflect how clients access the URL more accurately.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
if the number is less than the first threshold, for each sub-period included in the preset time period, performing: calculating, from the recorded correspondence between receive moments and response times, the mean value of the response times of all resource access request messages received in the sub-period; and adjusting the second duration threshold corresponding to the sub-period according to the mean value.
That is, when the number is less than the first threshold, the gateway device considers that the server is not under a denial-of-service attack, and the gateway device can then use the response times in the preset time period to adjust the first duration threshold. In other words, after being initially set, the first duration threshold does not remain constant but is dynamically adjusted during denial-of-service attack detection, so that the first duration threshold is set more reasonably.
With reference to the first aspect or any one of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the response message is a request failure message from the server, and the feature information is the number of response messages in the preset time period;
obtaining the feature information of the response message includes: counting, in the preset time period, the number of request failure messages received from the server; and
determining, according to the feature information, whether the server is under a denial-of-service attack includes: if the number is not less than a second threshold, determining that the server is under a denial-of-service attack.
It should be noted that when the server is under a denial-of-service attack, it is busy processing the surge of requests and cannot respond normally to the resource access request messages sent by legitimate users; in this case the number of application-layer request failure messages sent by the server necessarily increases rapidly. The prior art judges whether the server is under a denial-of-service attack by detecting its total traffic or packet-sending rate, but when the server is under a denial-of-service attack its total traffic or packet-sending rate does not necessarily increase rapidly; therefore, compared with the prior art, the above solution improves the accuracy of denial-of-service attack detection.
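The detection procedure of the first to fifth implementations above, as an added example that is not part of the patent: the gateway records the first and second moments per request, counts slow requests per sub-period against that sub-period's second duration threshold, sums the counts against the first threshold, re-tunes the thresholds from the mean response time when no attack is found, and separately counts request failure messages against the second threshold. The URL, the three threshold values, the 1.5x headroom factor and all sample timings are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Tuple


@dataclass
class SubPeriod:
    """One of the consecutive, non-overlapping sub-periods of the preset time period."""
    start: float      # inclusive, seconds after the start of the preset period
    end: float        # exclusive
    threshold: float  # this sub-period's second duration threshold, in seconds


@dataclass
class GatewayDetector:
    url: str                     # the URL whose resource access requests are observed
    sub_periods: List[SubPeriod]
    first_threshold: int         # slow-request count at or above which an attack is declared
    second_threshold: int        # request-failure count at or above which an attack is declared
    # (first moment, response time) per request for `url`; the gateway records both itself
    records: List[Tuple[float, float]] = field(default_factory=list)
    failures: List[float] = field(default_factory=list)  # moments failure messages arrived

    def observe(self, url: str, first_moment: float, second_moment: float) -> None:
        """Record a request received at first_moment whose response arrived at second_moment."""
        if url == self.url:
            self.records.append((first_moment, second_moment - first_moment))

    def observe_failure(self, moment: float) -> None:
        """Record a request failure message sent by the server."""
        self.failures.append(moment)

    def _in_period(self, sp: SubPeriod, moment: float) -> bool:
        return sp.start <= moment < sp.end

    def slow_request_count(self) -> int:
        """Per sub-period, count requests slower than that sub-period's threshold, then sum."""
        return sum(
            1
            for sp in self.sub_periods
            for moment, rt in self.records
            if self._in_period(sp, moment) and rt > sp.threshold
        )

    def adjust_thresholds(self, factor: float = 1.5) -> None:
        """Re-derive each sub-period's threshold from the mean response time seen in it.
        The page only says the threshold is adjusted according to the mean; the 1.5x
        headroom factor is an assumption of this example."""
        for sp in self.sub_periods:
            rts = [rt for moment, rt in self.records if self._in_period(sp, moment)]
            if rts:
                sp.threshold = factor * mean(rts)

    def attack_by_response_time(self) -> bool:
        """Attack if the slow-request count reaches first_threshold; otherwise the period
        is treated as attack-free and used to tune the thresholds (fourth implementation)."""
        if self.slow_request_count() >= self.first_threshold:
            return True
        self.adjust_thresholds()
        return False

    def attack_by_failures(self) -> bool:
        """Fifth implementation: attack if failure messages in the period reach second_threshold."""
        start, end = self.sub_periods[0].start, self.sub_periods[-1].end
        return sum(1 for m in self.failures if start <= m < end) >= self.second_threshold


def build_detector() -> GatewayDetector:
    """The page's 9:00-12:00 example: three one-hour sub-periods with rising thresholds.
    Times are seconds after 9:00; the threshold values and counts are constructed."""
    periods = [SubPeriod(0, 3600, 0.20), SubPeriod(3600, 7200, 0.30), SubPeriod(7200, 10800, 0.40)]
    return GatewayDetector("/index.html", periods, first_threshold=3, second_threshold=5)


def demo() -> dict:
    # Constructed sample 1: a normal morning with a single slow request.
    normal = build_detector()
    for first, rt in [(100, 0.10), (200, 0.15), (4000, 0.25), (8000, 0.35), (9000, 0.50)]:
        normal.observe("/index.html", first, first + rt)
    normal_attack = normal.attack_by_response_time()  # False; thresholds get re-tuned
    # Constructed sample 2: the server is overloaded, responses slow down and requests fail.
    attacked = build_detector()
    for first, rt in [(100, 0.9), (150, 1.2), (4000, 0.8), (8000, 0.45), (8100, 0.2)]:
        attacked.observe("/index.html", first, first + rt)
    for m in (10, 20, 30, 40, 50):
        attacked.observe_failure(m)
    return {
        "normal_attack": normal_attack,
        "normal_thresholds": [sp.threshold for sp in normal.sub_periods],
        "attacked_slow_count": attacked.slow_request_count(),
        "attacked_by_rt": attacked.attack_by_response_time(),
        "attacked_by_failures": attacked.attack_by_failures(),
    }


if __name__ == "__main__":
    print(demo())
```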
In a possible embodiment of the application, after determining that the server is under a denial-of-service attack, the gateway device sends a close service message to the server, where the close service message instructs the server to close its connections with clients, so as to prevent the server from continuing to be subjected to the denial-of-service attack.
Further, the gateway device receives a resource access request message sent by a client, where the resource access request message includes an identifier of the client; when the gateway device determines, according to the identifier of the client, that the client is not a client in a whitelist, it sends a verification indication message to the client; the gateway device receives a verification request message sent by the client according to the verification indication message and, after the verification succeeds, adds the client to the whitelist.
It should be noted that after receiving the close service message sent by the gateway device, the server may transfer the resource corresponding to the original URL to another URL. Therefore, further, after adding the client to the whitelist, the gateway device sends a redirection message to the client, where the redirection message includes the other URL; and after receiving a resource access request message carrying the other URL sent by a client, the gateway device sends the resource access request message to the server if it determines that the client is a client in the whitelist.
In this way, after determining that the server is under a denial-of-service attack, the gateway device verifies the clients that request access to the server and sends only the resource access request messages of verified clients in the whitelist to the server, which avoids denial-of-service attacks that unverified clients might carry out against the server.
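The close-service, verification, whitelist and redirection exchange described above, as an added example that is not part of the patent. The page does not fix how a client is verified; the echoed challenge token used here, the URLs and the client identifiers are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Gateway:
    """Gateway-side state for the close-service / whitelist / redirect flow."""
    original_url: str    # URL the resource had before the attack
    relocated_url: str   # URL the server moves the resource to after closing service
    attack_detected: bool = False
    whitelist: Set[str] = field(default_factory=set)        # verified client identifiers
    pending: Dict[str, str] = field(default_factory=dict)   # client id -> challenge token
    forwarded: List[Tuple[str, str]] = field(default_factory=list)  # (client, url) sent on

    def on_attack_detected(self) -> dict:
        """Called once the detector declares an attack: tell the server to close connections."""
        self.attack_detected = True
        return {"type": "close_service"}

    def on_request(self, client_id: str, url: str) -> dict:
        """Handle a resource access request message carrying the client's identifier."""
        if not self.attack_detected:
            self.forwarded.append((client_id, url))
            return {"type": "forward"}
        if client_id not in self.whitelist:
            # Not whitelisted: send a verification indication instead of forwarding.
            # A random token the client must echo back is this example's assumed check.
            token = secrets.token_hex(8)
            self.pending[client_id] = token
            return {"type": "verify_indication", "token": token}
        if url != self.relocated_url:
            # Whitelisted but still using the old URL: point it at the relocated resource.
            return {"type": "redirect", "url": self.relocated_url}
        self.forwarded.append((client_id, url))
        return {"type": "forward"}

    def on_verify_request(self, client_id: str, token: str) -> dict:
        """Handle the client's verification request; on success whitelist it and redirect."""
        expected = self.pending.pop(client_id, None)
        if expected is None or not secrets.compare_digest(expected, token):
            return {"type": "verify_failed"}
        self.whitelist.add(client_id)
        return {"type": "redirect", "url": self.relocated_url}


def scenario() -> List[str]:
    """Constructed walk-through: one client completes verification, one does not."""
    gw = Gateway("/index.html", "/index-relocated.html")  # constructed URLs
    steps = [gw.on_attack_detected()["type"]]
    first = gw.on_request("client-A", "/index.html")                        # verify_indication
    steps.append(first["type"])
    steps.append(gw.on_verify_request("client-A", first["token"])["type"])   # redirect
    steps.append(gw.on_request("client-A", "/index-relocated.html")["type"]) # forward
    steps.append(gw.on_verify_request("client-B", "not-the-token")["type"])  # verify_failed
    steps.append(gw.on_request("client-B", "/index-relocated.html")["type"]) # verify_indication
    return steps


if __name__ == "__main__":
    print(scenario())
```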
In a second aspect, a gateway device is provided, including:
a receiving unit, configured to receive a response message based on an application layer protocol sent by a server, where the response message responds to a resource access request message based on the application layer protocol from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server;
an acquiring unit, configured to obtain feature information of the response message received by the receiving unit; and
a determining unit, configured to determine, according to the feature information obtained by the acquiring unit, whether the server is under a denial-of-service attack.
In a first possible implementation of the second aspect, the feature information is the response time;
the acquiring unit is specifically configured to determine and record, in a preset time period, the response time of the server to each resource access request message accessing the same URL; and
the determining unit is specifically configured to determine the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds a first duration threshold, and to determine that the server is under a denial-of-service attack when the number is not less than a first threshold.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the acquiring unit is specifically configured to perform, for each resource access request message accessing the same URL in the preset time period:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received; and
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
With reference to the second aspect or any one of the first to second possible implementations of the second aspect, in a third possible implementation of the second aspect, the preset time period includes at least two sub-periods that are consecutive and do not overlap one another;
the acquiring unit is specifically configured to, for each resource access request message accessing the same URL, record the correspondence between the moment at which the gateway device received the resource access request message and the response time of the server to that resource access request message;
the determining unit is specifically configured to perform, for each sub-period included in the preset time period: looking up, in a pre-stored correspondence between sub-periods and second duration thresholds, the second duration threshold corresponding to the sub-period; and determining, from the recorded correspondence between receive moments and response times, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-period, whose response time exceeds the second duration threshold; and
the determining unit is further configured to sum, over the sub-periods, the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to the respective sub-period, and to take the sum as the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds the first duration threshold.
With reference to the second aspect or any one of the first to third possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the gateway device further includes an adjustment unit configured to, when the number is less than the first threshold, perform for each sub-period included in the preset time period: calculating, from the recorded correspondence between receive moments and response times, the mean value of the response times of all resource access request messages received in the sub-period; and adjusting the second duration threshold corresponding to the sub-period according to the mean value.
With reference to the second aspect or any one of the first to fourth possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the response message is a request failure message from the server, and the feature information is the number of response messages in the preset time period;
the acquiring unit is specifically configured to count, in the preset time period, the number of request failure messages received from the server; and
the determining unit is specifically configured to determine that the server is under a denial-of-service attack when the number is not less than a second threshold.
The above division of the gateway device into units is only one division by logical function; in actual implementation there may be other divisions, and the application does not limit the specific physical implementation of each unit. For example, in a specific implementation the receiving unit may be a receiver, the acquiring unit may be an arithmetic unit, and the determining unit may be a central processing unit; other implementations that a person skilled in the art can conceive through reasonable analysis and reasoning also fall within the protection scope of the application.
In a third aspect, another gateway device is provided, including: a processor, a memory, a transmitter, a receiver and a communication bus, where the processor, the memory, the transmitter and the receiver communicate with one another through the communication bus;
the memory is configured to store program code; and
the processor calls the program code stored in the memory to:
receive a response message based on an application layer protocol sent by a server, where the response message responds to a resource access request message based on the application layer protocol from a client, and the resource access request message carries the uniform resource locator (URL) of a resource provided by the server;
obtain feature information of the response message; and
determine, according to the feature information, whether the server is under a denial-of-service attack.
In a first possible implementation of the third aspect, the feature information is the response time; the processor calls the program code stored in the memory further to:
determine and record, in a preset time period, the response time of the server to each resource access request message accessing the same URL;
determine the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds a first duration threshold; and
if the number is not less than a first threshold, determine that the server is under a denial-of-service attack.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the processor calls the program code stored in the memory further to perform, for each resource access request message accessing the same URL in the preset time period:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received; and
determining, according to the first moment and the second moment, the response time of the server to the resource access request message.
With reference to the third aspect or any one of the first to second possible implementations of the third aspect, in a third possible implementation of the third aspect, the preset time period includes at least two sub-periods that are consecutive and do not overlap one another; the processor calls the program code stored in the memory further to:
for each resource access request message accessing the same URL, record the correspondence between the moment at which the gateway device received the resource access request message and the response time of the server to that resource access request message;
for each sub-period included in the preset time period, perform: looking up, in a pre-stored correspondence between sub-periods and second duration thresholds, the second duration threshold corresponding to the sub-period; and determining, from the recorded correspondence between receive moments and response times, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-period, whose response time exceeds the second duration threshold; and
sum, over the sub-periods, the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to the respective sub-period, and take the sum as the number of resource access request messages accessing the same URL whose response time in the preset time period exceeds the first duration threshold.
With reference to the third aspect or any one of the first to third possible implementations of the third aspect, in a fourth possible implementation of the third aspect, the processor calls the program code stored in the memory further to:
if the number is less than the first threshold, for each sub-period included in the preset time period, perform: calculating, from the recorded correspondence between receive moments and response times, the mean value of the response times of all resource access request messages received in the sub-period; and adjusting the second duration threshold corresponding to the sub-period according to the mean value.
With reference to the third aspect or any one of the first to second possible implementations of the third aspect, in a third possible implementation of the third aspect, the response message is a request failure message from the server, and the feature information is the number of response messages in the preset time period; the processor calls the program code stored in the memory further to:
count, in the preset time period, the number of request failure messages received from the server; and
if the number is not less than a second threshold, determine that the server is under a denial-of-service attack.
Description of the drawings
In order to be illustrated more clearly that the embodiment of the present application or technical scheme of the prior art, below will be to implementing
The accompanying drawing to be used needed for example description is briefly described, it should be apparent that, drawings in the following description
It is some embodiments of the present application, for those of ordinary skill in the art, is not paying creative work
On the premise of, can be with according to these other accompanying drawings of accompanying drawings acquisition.
Fig. 1 is a schematic diagram of a network system architecture provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of the network system architecture shown in Fig. 1 under a denial of service attack;
Fig. 3 is an example of a method for detecting a denial of service attack provided by an embodiment of the present application;
Fig. 4 is a schematic diagram of the information exchange in which a client accesses a server, provided by an embodiment of the present application;
Fig. 5 is a schematic flowchart of a method for setting a first duration threshold provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of the first duration threshold provided by an embodiment of the present application;
Fig. 7 is an example of denial of service attack detection performed based on the first duration threshold shown in Fig. 6;
Fig. 8 is another example of a method for detecting a denial of service attack provided by an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a gateway device provided by an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another gateway device provided by an embodiment of the present application.
Specific embodiment
To make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
First, the following embodiments of the present application are applicable to a network system architecture in which a client accesses a server through a gateway device. The client may be a terminal device such as a notebook computer, a tablet computer or a smartphone; the server may be a server that provides a network service, such as a website (Web) server or a File Transfer Protocol (FTP) server. Furthermore, the gateway device is matched to the type of the server. For example, as shown in Fig. 1, the clients in the network system architecture include a notebook computer 11, a tablet computer 12, a desktop computer 13 and a smartphone 14; the network system architecture further includes a Web server 16 and a gateway device 15 matched with the Web server. Any client can send a resource access request message to the gateway device; the resource access request message carries a Uniform Resource Locator (URL), and the gateway device forwards the resource access request message to the server, so that the client accesses the resource provided by the server.
An embodiment of the present application provides a method for detecting a denial of service attack, which can improve the accuracy of detecting denial of service attacks. To make it easier for those skilled in the art to understand the technical effect achieved by this solution, distributed denial of service attacks are briefly introduced first.
Fig. 2 is a schematic diagram of the network system architecture shown in Fig. 1 under a distributed denial of service attack. The attacker shown in Fig. 2 can, through a master host, control the notebook computer 11, tablet computer 12, desktop computer 13 and smartphone 14 as puppet machines to send a large number of request messages to the server 16. These fill up the buffer in which the server 16 receives request messages, so that the server 16 cannot receive the request messages sent by normal clients and therefore cannot provide normal service.
An example of the method for detecting a denial of service attack provided by an embodiment of the present application is shown in Fig. 3. The method includes:
S301, a gateway device receives a response message based on an application layer protocol sent by a server.
The response message is used to respond to a resource access request message based on the application layer protocol from a client, and the resource access request message carries the Uniform Resource Locator (URL) of a resource provided by the server.
S302, the gateway device obtains characteristic information of the response message.
S303, the gateway device determines, according to the characteristic information, whether the server is under a denial of service attack.
With the above solution, the gateway device determines whether the server is under a denial of service attack based on the quality of service of the application layer. It should be noted that the characteristic information of the application-layer response message sent by the server can reflect the quality of service of the application layer; for example, the characteristic information may be the response time of the server to resource access request messages accessing the same URL, or the number of request failure messages from the server within a preset time period. When the server is under a denial of service attack, the quality of service of its application layer necessarily changes, and the correlation between the denial of service attack suffered by the server and the application-layer quality of service is stronger than the correlation between that attack and the traffic at the transport layer or network layer. Therefore, compared with the prior art, which determines whether the server is under a denial of service attack by detecting transport-layer traffic, the present application determines this based on application-layer quality of service and improves the accuracy of detecting denial of service attacks.
The method for detecting a denial of service attack provided by the embodiment of the present application is described in detail below, taking as an example the case where the characteristic information is the response time of the server to resource access request messages accessing the same URL.
Specifically, the gateway device determines and records, within a preset time period, the response time of the server to each resource access request message accessing the same URL. The gateway device further determines the number of resource access request messages accessing the same URL whose response time exceeds a first duration threshold within the preset time period; if this number is not less than a first threshold, it determines that the server is under a denial of service attack.
The resource access request messages accessing the same URL may come from different clients.
It should be noted that the above resource access request message based on an application layer protocol may be a Hypertext Transfer Protocol (HTTP) GET message, and the response message based on the application layer protocol may be a 200 OK, indicating that the server successfully returned the resource. As shown in Fig. 4, for multiple clients, client 1 to client N, where N is a positive integer greater than 1, each client may send an HTTP GET message to the server through the gateway device, and the server sends the client a 200 OK in response to the HTTP GET message.
When the server is under a denial of service attack, the response time of the server to the resource access request messages with which the attacking clients access the URL necessarily increases rapidly, whereas the total traffic or packet sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether the server is under a denial of service attack by detecting its total traffic or packet sending rate, the above solution improves the accuracy of detecting denial of service attacks.
For example, the method by which the gateway device initially sets the first duration threshold is shown in Fig. 5 and includes:
S501, the gateway device receives an HTTP GET message carrying a URL sent by a client, and records the first moment at which the HTTP GET message is received.
S502, the gateway device sends the HTTP GET message to the server.
S503, the gateway device receives the 200 OK sent by the server in response to the HTTP GET message, and records the second moment at which the 200 OK is received.
S504, the gateway device takes the duration between the first moment and the second moment as the response time of this access to the URL by the client.
S505, the gateway device determines the response time of each access to the URL by a client within a preset time period.
Specifically, the gateway device repeats steps S501 to S504 within the preset time period to obtain the response time of each access to the URL.
S506, the gateway device divides the preset time period into at least two sequentially connected and mutually non-overlapping sub-time periods, and performs step S507 for each sub-time period.
It should be noted that the durations of the sub-time periods may be the same or different; the present application does not limit this.
S507, the gateway device calculates the mean value of the response times of the server to all HTTP GET messages accessing the URL within the sub-time period, and takes the mean value as the second duration threshold corresponding to the sub-time period.
For example, if the preset time period includes m sub-time periods, where m is a positive integer greater than 1, the gateway device can record the response time of each access to the URL by a client within the first sub-time period and calculate the mean value of these response times. For instance, if within the first sub-time period clients access the URL n times in total, where n is a positive integer greater than 0, and the response times of the individual accesses are t1, t2, t3, ..., tn, then the mean response time for accessing the URL within the first sub-time period is (t1+t2+t3+...+tn)/n, and this mean value is taken as the second duration threshold corresponding to the first sub-time period. By analogy, the second duration threshold corresponding to each sub-time period included in the preset time period can be obtained.
Alternatively, in step S507, the gateway device may also multiply the mean response time of each sub-time period by a coefficient and take the product as the second duration threshold corresponding to that sub-time period. The specific value of the coefficient may be configured according to the network delay in the actual deployment, so as to avoid false alarms caused by response times that are increased by network delay.
It should be noted that the gateway device may run the learning process for the first duration threshold, i.e. steps S501 to S507, in a scenario in which it is guaranteed that the server is not under a denial of service attack. For example, a user may initially start the gateway device in the network after determining that there is no denial of service attack in the current network, and monitor in real time while the gateway device runs the learning process, to ensure that the gateway device is not affected by a denial of service attack while initially setting the first duration threshold.
The above solution means that the second duration thresholds corresponding to different sub-time periods may differ. The technical effect of this is illustrated by an example: suppose that, with the server not under a denial of service attack, the frequency at which clients send resource access request messages accessing the same URL to the server rises successively over the three time periods 9:00~10:00, 10:00~11:00 and 11:00~12:00 in the morning. In this case, the initially set preset time period may be 9:00~12:00, which includes the three sub-time periods 9:00~10:00, 10:00~11:00 and 11:00~12:00; the second duration threshold corresponding to sub-time period 9:00~10:00 is less than that corresponding to sub-time period 10:00~11:00, which in turn is less than that corresponding to sub-time period 11:00~12:00. Compared with setting an equal second duration threshold for the three sub-time periods, the above solution sets the second duration threshold of each sub-time period separately, based on the different access patterns of clients to the same URL in different sub-time periods, and can therefore reflect the client access situation of the URL more accurately.
The above is only a preferred implementation of the embodiment of the present application. In a specific implementation, the gateway device may also calculate the mean value of all response times within the preset time period and take that mean value as the first duration threshold. The present application does not limit this.
For example, the first duration threshold obtained by the method shown in Fig. 5 is shown in Fig. 6. Referring to Fig. 6, the preset time period includes sequentially connected and mutually non-overlapping sub-time periods 1 to 5, and the duration baseline includes the second duration threshold T1 corresponding to sub-time period 1, the second duration threshold T2 corresponding to sub-time period 2, the second duration threshold T3 corresponding to sub-time period 3, the second duration threshold T4 corresponding to sub-time period 4, and the second duration threshold T5 corresponding to sub-time period 5.
Further, based on the first duration threshold shown in Fig. 6, the method by which the gateway device performs denial of service attack detection within the preset time period is shown in Fig. 7 and includes:
S701, the gateway device determines the response time of the first access to the URL by a client within the preset time period.
Specifically, the way in which the gateway device calculates the response time may refer to steps S501 to S504 shown in Fig. 5 and is not repeated here.
S702, the gateway device determines whether the response time exceeds the second duration threshold corresponding to the sub-time period in which the current moment lies.
For example, as shown in Fig. 6, if the gateway device receives the first resource access request message for the URL sent by a client within sub-time period 1, then after determining the response time tt of this access, the gateway device numerically compares the response time tt with the second duration threshold T1 corresponding to sub-time period 1 to determine whether the response time tt exceeds T1.
It should be noted that the current moment in step S702 is the moment at which the gateway device calculates and obtains the response time. In another possible implementation, the gateway device may record, for each resource access request message accessing the same URL, the correspondence between the moment of receiving the resource access request message and the response time of the server to that message. Then, after calculating a response time, the gateway device determines from this correspondence the recorded moment at which the corresponding resource access request message was received, determines from the pre-stored correspondence between sub-time periods and second duration thresholds the second duration threshold corresponding to the sub-time period in which that recorded moment lies, and numerically compares the response time with that second duration threshold to determine whether the response time exceeds it.
S703, the gateway device sums the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and takes the result of the summation as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
Alternatively, each time the gateway device receives a resource access request message accessing the URL sent by a client within the preset time period, it performs steps S701 and S702, and each time the response time exceeds the second duration threshold corresponding to the sub-time period in which it lies, it adds one to the recorded number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold, until the preset time period ends, thereby obtaining the total number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
S704, if the number is not less than a preset first threshold, the gateway device determines that the server is under a denial of service attack.
The first threshold may be configured in advance according to the actual implementation.
S705, if the number is less than the first threshold, for each sub-time period included in the preset time period, steps S706 to S707 are performed.
S706, the gateway device calculates, according to the recorded correspondence between the moment of receiving a resource access request message and the response time, the mean value of the response times of all resource access request messages received within the sub-time period.
S707, the gateway device adjusts the second duration threshold corresponding to the sub-time period according to the mean value.
Specifically, when adjusting the second duration threshold, the gateway device may directly set the original second duration threshold corresponding to the sub-time period to the mean value, or it may multiply the mean value by a coefficient and take the product as the adjusted second duration threshold corresponding to the sub-time period, where the specific value of the coefficient may be configured according to the network delay in the actual deployment.
That is, when the number is less than the first threshold, the gateway device considers that the server is not under a denial of service attack, and at this time it can use the response times within the preset time period to adjust the first duration threshold. In other words, the first duration threshold does not remain constant after being initially set but is dynamically adjusted during denial of service attack detection, so that the first duration threshold is set more reasonably.
It should be noted that the steps shown in Fig. 7 are merely illustrative and, for brevity, are all expressed as a series of combined actions; those skilled in the art should know that the present application is not limited by the described sequence of actions. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments and that the actions involved are not necessarily required by the embodiments of the present application.
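The learning and detection procedure of Figs. 5 and 7, as an added example that is not part of the patent or of any product: it builds the per-sub-time-period second duration thresholds from baseline accesses, counts the responses that exceed them, compares the sum with the first threshold, and re-learns the thresholds when no attack is found. The sub-time-period bounds, the coefficient, the constructed (moment, response time) samples and all class and function names are my assumptions, not the patent's.

```python
"""Added example (not part of the patent): the gateway-side learning and
detection procedure of Figs. 5 and 7, run over constructed sample data.

Assumptions (mine, not the patent's): moments are minutes since midnight,
response times are integer milliseconds, and each access is recorded as a
(moment the request was received, response time) pair, i.e. the
correspondence the gateway keeps in the alternative form of step S702.
"""
from bisect import bisect_right
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Access = Tuple[float, int]   # (request received moment, response time in ms)


@dataclass
class ResponseTimeDetector:
    # Boundaries of the sequentially connected, non-overlapping sub-time
    # periods: sub-period i runs from sub_bounds[i] to sub_bounds[i + 1].
    sub_bounds: List[float]
    coefficient: float = 1.0          # optional factor of steps S507 / S707
    first_threshold: int = 10         # "first threshold" compared in S704
    second_thresholds: List[float] = field(default_factory=list)

    def _sub_index(self, moment: float) -> int:
        """Index of the sub-time period in which a request moment lies."""
        i = bisect_right(self.sub_bounds, moment) - 1
        if i < 0 or i >= len(self.sub_bounds) - 1:
            raise ValueError("moment outside the preset time period")
        return i

    def _means(self, accesses: List[Access]) -> List[Optional[float]]:
        """Mean response time per sub-time period (None if it saw no access)."""
        n = len(self.sub_bounds) - 1
        sums, counts = [0.0] * n, [0] * n
        for moment, rt in accesses:
            i = self._sub_index(moment)
            sums[i] += rt
            counts[i] += 1
        return [sums[i] / counts[i] if counts[i] else None for i in range(n)]

    def learn(self, accesses: List[Access]) -> List[float]:
        """Steps S505-S507: per-sub-period mean (times coefficient) becomes that
        sub-period's second duration threshold. Run only while the server is
        known not to be under attack."""
        means = self._means(accesses)
        if any(m is None for m in means):
            raise ValueError("every sub-time period needs baseline accesses")
        self.second_thresholds = [m * self.coefficient for m in means]
        return self.second_thresholds

    def detect(self, accesses: List[Access]) -> Tuple[bool, int]:
        """Steps S701-S707 over one preset time period.
        Returns (attack detected, number of accesses over threshold)."""
        exceeded = [0] * len(self.second_thresholds)
        for moment, rt in accesses:
            i = self._sub_index(moment)
            if rt > self.second_thresholds[i]:        # S702, per sub-period
                exceeded[i] += 1
        total = sum(exceeded)                         # S703
        if total >= self.first_threshold:             # S704
            return True, total
        # S705-S707: no attack, so re-learn each sub-period's threshold from
        # this period's mean; a sub-period with no accesses keeps its old one.
        for i, m in enumerate(self._means(accesses)):
            if m is not None:
                self.second_thresholds[i] = m * self.coefficient
        return False, total


def constructed_accesses(sub_bounds: List[float], rt_per_period: List[int],
                         count: int) -> List[Access]:
    """Constructed sample data: `count` accesses spread evenly over each
    sub-time period, all with that sub-period's response time."""
    out: List[Access] = []
    for i, rt in enumerate(rt_per_period):
        start, end = sub_bounds[i], sub_bounds[i + 1]
        step = (end - start) / count
        out.extend((start + k * step, rt) for k in range(count))
    return out


# 9:00, 10:00, 11:00, 12:00 as minutes since midnight (the three sub-periods
# of the patent's morning example).
BOUNDS = [540, 600, 660, 720]


def run_demo():
    det = ResponseTimeDetector(BOUNDS, coefficient=1.5, first_threshold=10)
    # Baseline: load and latency rise over the morning -> thresholds 150/300/450.
    det.learn(constructed_accesses(BOUNDS, [100, 200, 300], 20))
    # Quiet period: latencies stay under 1.5x baseline, thresholds get re-learned.
    quiet = det.detect(constructed_accesses(BOUNDS, [120, 210, 330], 20))
    # Attacked period: 12 accesses in 9:00-10:00 take 900 ms.
    busy = constructed_accesses(BOUNDS, [120, 210, 330], 20)
    busy[:12] = [(moment, 900) for moment, _ in busy[:12]]
    attacked = det.detect(busy)
    return quiet, attacked, det.second_thresholds


if __name__ == "__main__":
    print(run_demo())   # (False, 0), (True, 12), [180.0, 315.0, 495.0]
```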
The method for detecting a denial of service attack provided by the embodiment of the present application is described in detail below, taking as an example the case where the characteristic information is the number of request failure messages from the server within a preset time period.
Specifically, the gateway device calculates the number of request failure messages received from the server within the preset time period, and if the number is not less than a second threshold, determines that the server is under a denial of service attack.
The request failure messages may be sent by the server to the gateway device in response to resource access request messages sent by different clients.
For example, when the server is a Web server, for a resource access request message sent by a client that it cannot respond to, the Web server may send a 503 status code to the gateway device. The 503 status code is a Server Error return status indicating that the server cannot process the request message due to maintenance or overload; that is, the request failure message may be a 503 status code.
When the server is under a denial of service attack, it is busy processing the surge of requests and cannot respond normally to the requests of legitimate users, so the number of request failure messages it sends necessarily increases, whereas the total traffic or packet sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether the server is under a denial of service attack by detecting its total traffic or packet sending rate, the above solution improves the accuracy of detecting denial of service attacks.
The method by which the gateway device protects the server after determining that it is under a denial of service attack is briefly introduced below; it includes:
S801, the gateway device sends a close service message to the server, where the close service message is used to instruct the server to close its connections with clients.
It should be noted that, if the server is a Web server, the close service message may be a Transmission Control Protocol (TCP) termination (FIN) message or reset (RST) message, and the server closes its connections with clients after receiving the FIN message or RST message.
S802, the gateway device receives a first resource access request message carrying a first URL sent by a client.
It should be noted that, for convenience, Fig. 8 shows only one client, but those skilled in the art should understand that the client shown in Fig. 8 can represent any client connected to the server.
S803, the gateway device determines, according to the client identifier carried in the first resource access request message, whether the client is in a whitelist.
Specifically, if the whitelist includes the identifier of the client, step S804 is performed; if the whitelist does not include the identifier of the client, step S805 and its subsequent steps are performed.
S804, the gateway device sends the first resource access request message to the server.
S805, the gateway device sends a verification indication message to the client.
S806, the gateway device receives a verification request message sent by the client according to the verification indication message.
S807, after the gateway device verifies the client according to the verification request message, it adds the client to the whitelist.
S808, the gateway device sends a redirection message to the client, where the redirection message includes a second URL.
It should be noted that, if the server is a Web server, the Web server may, after receiving the close service message sent by the gateway device in step S801, transfer the web page of the first URL to the second URL, so as to prevent an attacker from continuing the attack using the first URL. In this case, the redirection message may include a 301 status code and the second URL, where the 301 status code indicates that the web page has been permanently transferred to the second URL.
S809, the gateway device receives a second resource access request message sent by the client, where the second resource access request message includes the second URL.
S810, the gateway device sends the second resource access request message to the server.
Specifically, after determining that the server is under a denial of service attack, the gateway device verifies the clients requesting access to the server and forwards to the server only the resource access request messages sent by verified clients in the whitelist, thereby avoiding a denial of service attack that unverified clients might carry out against the server.
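The protection flow of steps S801 to S810, as an added example that is not from the patent or any product: a gateway model that sends the close service message, gates first-URL requests on the whitelist, verifies unknown clients, and answers verified ones with a 301 redirect to the second URL. The message tuples, the client identifier strings, the verification callable, the handling of an unverified client that asks for the second URL directly, and all class and function names are my assumptions; the patent does not specify the verification mechanism.

```python
"""Added example (not part of the patent): a model of the protection flow of
Fig. 8 (steps S801-S810) that the gateway runs after an attack is detected.

Assumptions (mine): clients are identified by an opaque string carried in
the request, the verification mechanism is abstracted as a callable, and
messages are plain tuples so that both sides of the exchange are visible.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Message = Tuple[str, ...]


@dataclass
class ProtectingGateway:
    first_url: str                           # URL under attack
    second_url: str                          # URL the page is transferred to
    verifier: Callable[[str, str], bool]     # (client id, verification request) -> ok?
    whitelist: Set[str] = field(default_factory=set)
    to_server: List[Message] = field(default_factory=list)
    to_client: Dict[str, List[Message]] = field(default_factory=dict)

    def on_attack_detected(self) -> None:
        """S801: close service message; for a Web server a TCP FIN or RST."""
        self.to_server.append(("FIN",))

    def _send(self, client_id: str, msg: Message) -> None:
        self.to_client.setdefault(client_id, []).append(msg)

    def handle_request(self, client_id: str, url: str,
                       verification_request: str = "") -> str:
        """S802-S810 for one client message. Returns the action taken."""
        if client_id in self.whitelist:
            # S804 (first URL) or S810 (second URL): forward to the server.
            self.to_server.append(("GET", url, client_id))
            return "forwarded"
        if url != self.first_url:
            # Assumption: an unverified client may only start at the first URL.
            return "dropped"
        if not verification_request:
            self._send(client_id, ("VERIFY_INDICATION",))          # S805
            return "verification_requested"
        if not self.verifier(client_id, verification_request):     # S806-S807
            return "rejected"
        self.whitelist.add(client_id)                              # S807
        self._send(client_id, ("301", self.second_url))            # S808
        return "redirected"


def run_exchange() -> List[Tuple[str, str]]:
    """Constructed walk-through of one client: first contact, a wrong and a
    right verification reply, then the redirected request of S809."""
    expected = {"client-1": "answer-1"}      # constructed verification answers
    gw = ProtectingGateway(
        first_url="http://example.test/page",
        second_url="http://example.test/page-moved",
        verifier=lambda cid, reply: expected.get(cid) == reply,
    )
    gw.on_attack_detected()
    trace = [
        ("first request", gw.handle_request("client-1", gw.first_url)),
        ("bad verification", gw.handle_request("client-1", gw.first_url, "guess")),
        ("good verification", gw.handle_request("client-1", gw.first_url, "answer-1")),
        ("redirected request", gw.handle_request("client-1", gw.second_url)),
        ("unknown client", gw.handle_request("client-2", gw.second_url)),
    ]
    return trace


if __name__ == "__main__":
    for step, action in run_exchange():
        print(f"{step:>20}: {action}")
```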
An embodiment of the present application also provides a gateway device 90 for implementing the method for detecting a denial of service attack shown in the above method embodiments. As shown in Fig. 9, the gateway device 90 includes:
a receiving unit 91, configured to receive a response message based on an application layer protocol sent by a server, where the response message is used to respond to a resource access request message based on the application layer protocol from a client, and the resource access request message carries the Uniform Resource Locator (URL) of a resource provided by the server;
an acquiring unit 92, configured to obtain characteristic information of the response message received by the receiving unit 91; and
a determining unit 93, configured to determine, according to the characteristic information obtained by the acquiring unit 92, whether the server is under a denial of service attack.
With the above gateway device, whether the server is under a denial of service attack is determined based on the quality of service of the application layer. It should be noted that the characteristic information of the application-layer response message sent by the server can reflect the quality of service of the application layer; for example, the response time of the server to resource access request messages accessing the same URL, or the request failure messages from the server within a preset time period. When the server is under a denial of service attack, the quality of service of its application layer necessarily changes, and the correlation between the denial of service attack suffered by the server and the application-layer quality of service is stronger than the correlation between that attack and the transport-layer traffic. Therefore, compared with the prior art, which determines whether the server is under a denial of service attack by detecting transport-layer traffic, the gateway device provided by the present application determines this based on application-layer quality of service and improves the accuracy of detecting denial of service attacks.
Alternatively, the characteristic information is the response time; the acquiring unit 92 is specifically configured to determine and record, within a preset time period, the response time of the server to resource access request messages accessing the same URL; and the determining unit 93 is specifically configured to determine the number of resource access request messages accessing the same URL whose response time exceeds a first duration threshold within the preset time period, and to determine that the server is under a denial of service attack when the number is not less than a first threshold.
The initial setting of the first duration threshold is performed in a scenario in which it is guaranteed that the server is not under a denial of service attack, and the first threshold may be configured in advance according to the practical application.
Alternatively, the acquiring unit 92 is further configured to perform, within the preset time period and for each resource access request message accessing the same URL: record the first moment at which the resource access request message is received and send the resource access request message to the server; record the second moment at which the response message sent by the server in response to the resource access request message is received; and determine, according to the first moment and the second moment, the response time of the server to the resource access request message.
Alternatively, the preset time period includes at least two sequentially connected and mutually non-overlapping sub-time periods; the acquiring unit 92 is further configured to record, for each resource access request message accessing the same URL, the correspondence between the moment at which the gateway device receives the resource access request message and the response time of the server to that resource access request message; and the determining unit 93 is specifically configured to perform, for each sub-time period included in the preset time period: find, from the pre-stored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period; and determine, according to the recorded correspondence between the moment of receiving a resource access request message and the response time, the number of resource access request messages accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold.
The determining unit 93 is further configured to sum the numbers of resource access request messages accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and to take the result of the summation as the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold within the preset time period.
It should be noted that, when the server is under a denial of service attack, the response time of the server to the resource access request messages with which the attacking clients access the URL necessarily increases rapidly, whereas the total traffic or packet sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, which judges whether the server is under a denial of service attack by detecting its total traffic or packet sending rate, the above solution improves the accuracy of detecting denial of service attacks.
Alternatively, the gateway device 90 also includes adjustment unit 94, for being less than the first threshold in the number
When, for each sub- time period that the preset time period includes, perform:
At the moment for receiving resource access request message and the corresponding relation of response time according to record, calculate
The mean value of the response time of all resource access request message received in the sub- time period;It is flat according to this
Average adjusts sub- time period corresponding second duration threshold value.
That is, when the number is less than the first threshold, the gateway device thinks the clothes
Business device is not affected by Denial of Service attack, and now, the gateway device can be utilized in the preset time period
Response time, adjust the first duration threshold value, i.e., described first duration threshold value after being initially set,
Not keep constant, but be dynamically adjusted during detecting to Denial of Service attack, so as to
So that the first duration threshold value arranges more reasonable.
Optionally, the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period; the acquiring unit 92 is specifically configured to calculate, within the preset time period, the number of request failure messages received from the server; the determining unit 93 is specifically configured to determine that the server is subjected to a denial of service attack if the number is not less than a second threshold.
It should be noted that, when the server is subjected to a denial of service attack, the server is busy processing the sudden surge of requests and cannot normally respond to the resource access request messages sent by legitimate users; in this case, the number of request failure messages based on the application layer protocol sent by the server will necessarily increase rapidly. Because the total traffic or packet-sending rate of the server does not necessarily increase rapidly when it is subjected to a denial of service attack, this scheme, compared with the prior art which judges whether the server is subjected to a denial of service attack by detecting its total traffic or packet-sending rate, improves the accuracy of detecting a denial of service attack.
In addition, the above division of the gateway device into units is merely a division of logic functions; in actual implementation there may be other dividing modes. Moreover, the specific physical realization of each unit is not limited in this application. For example, in a specific implementation process, the receiving unit 91 may be a receiver, the acquiring unit 92 may be an arithmetic unit, and the determining unit 93 may be a central processing unit; other implementations that those skilled in the art can conceive of by reasonable analysis and reasoning also fall within the protection scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the gateway device described above may refer to the corresponding process in the foregoing method embodiment, and will not be described here again.
The embodiment of the present application provides another gateway device 10. As shown in Figure 10, the gateway device 10 includes: a processor 101, a transmitter (Communications Interface) 102, a receiver 103, a memory 104 and a communication bus 105, wherein the processor 101, the transmitter 102, the receiver 103 and the memory 104 communicate with each other via the communication bus 105.
The processor 101 may be a multi-core central processing unit (CPU), or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 104 is used to store program code, and the program code includes computer operation instructions and a network flow graph. The memory 104 may include a high-speed RAM memory and may also include a non-volatile memory, for example at least one magnetic disk memory. The memory 104 may also be a memory array. The memory 104 may also be partitioned into blocks, and the blocks may be combined into virtual volumes according to certain rules.
The transmitter 102 and the receiver 103 are used to realize the connection and communication between these devices.
The processor 101 is used to execute the program code in the memory 104 to realize the following operations:
receiving a response message based on an application layer protocol sent by the server, the response message being used to respond to a resource access request message based on the application layer protocol from a client, and the resource access request message carrying a uniform resource locator (URL) of a resource provided by the server;
obtaining feature information of the response message;
determining, according to the feature information, whether the server is subjected to a denial of service attack.
Optionally, the feature information is response time;
the obtaining feature information of the response message includes:
determining, within a preset time period, the response time with which the server responds to resource access request messages for accessing the same URL, and recording it;
the determining, according to the feature information, whether the server is subjected to a denial of service attack includes:
determining, within the preset time period, the number of resource access request messages for accessing the same URL whose response time exceeds a first duration threshold;
if the number is not less than a first threshold, determining that the server is subjected to a denial of service attack.
Optionally, the determining, within the preset time period, the response time with which the server responds to resource access request messages for accessing the same URL includes:
within the preset time period, performing the following for each resource access request message for accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received;
determining, according to the first moment and the second moment, the response time with which the server responds to the resource access request message.
Optionally, the preset time period includes at least two sub-time periods that are consecutive and do not overlap one another;
the determining, within the preset time period, and recording the response time with which the server responds to each resource access request message for accessing the same URL further includes:
for each resource access request message for accessing the same URL, the gateway device recording the correspondence between the moment at which the resource access request message was received and the response time with which the server responds to the resource access request message;
the determining, within the preset time period, the number of resource access request messages for accessing the same URL whose response time exceeds the first duration threshold includes:
for each sub-time period included in the preset time period, performing:
finding, from a prestored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment at which a resource access request message was received and its response time, the number of resource access request messages for accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
summing the numbers of resource access request messages for accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and taking the result of the summation as the number, within the preset time period, of resource access request messages for accessing the same URL whose response time exceeds the first duration threshold.
Optionally, the operations further include:
if the number is less than the first threshold, performing the following for each sub-time period included in the preset time period:
according to the recorded correspondence between the moment at which a resource access request message was received and its response time, calculating the mean value of the response times of all resource access request messages received in the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
Optionally, the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period;
the obtaining feature information of the response message includes:
within the preset time period, calculating the number of request failure messages received from the server;
the determining, according to the feature information, whether the server is subjected to a denial of service attack includes:
if the number is not less than a second threshold, determining that the server is subjected to a denial of service attack.
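The following is an added illustration of the gateway-side procedure described above (the per-URL response-time count over consecutive sub-time periods with a prestored second duration threshold per sub-period, the threshold adjustment from the mean response time when no attack is found, and the request-failure count). It is not code from the patent or its applicant. Assumptions are marked in the comments: the concrete adjustment rule (the patent only says the threshold is adjusted "according to the mean value"; here it is a fixed multiple of the mean), the interpretation of a request failure message as, for example, an HTTP 5xx response, and all sample traffic, which is constructed rather than captured.

```python
"""Gateway-side denial of service detection along the lines of the description above.

Added illustration, not code from the patent. Assumptions are marked as such."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    """One resource access request and the matching server response, as seen at the gateway."""
    url: str
    t_request: float      # "first moment": the gateway received the request (seconds)
    t_response: float     # "second moment": the gateway received the server's response
    failed: bool = False  # the response is a request failure message (assumed: e.g. HTTP 5xx)

    @property
    def response_time(self) -> float:
        return self.t_response - self.t_request


class DosDetector:
    """Both feature paths: per-URL response time over sub-periods, and failure counting."""

    def __init__(self, period_start: float, sub_period_len: float, sub_thresholds: List[float],
                 first_threshold: int, second_threshold: int, margin: float = 2.0) -> None:
        if len(sub_thresholds) < 2:
            raise ValueError("the preset time period must contain at least two sub-time periods")
        self.period_start = period_start
        self.sub_period_len = sub_period_len
        self.sub_thresholds = list(sub_thresholds)  # prestored second duration threshold per sub-period
        self.first_threshold = first_threshold      # count threshold for the response-time path
        self.second_threshold = second_threshold    # count threshold for the failure path
        self.margin = margin  # assumed adjustment rule: new threshold = margin * mean response time

    def _sub_period_index(self, t: float) -> int:
        """Sub-period containing arrival time t, or -1 when t lies outside the preset period."""
        offset = t - self.period_start
        if offset < 0:
            return -1
        idx = int(offset // self.sub_period_len)
        return idx if idx < len(self.sub_thresholds) else -1

    def _buckets(self, records: List[Record], url: str) -> List[List[Record]]:
        """The recorded (arrival moment, response time) pairs for one URL, grouped by sub-period."""
        buckets: List[List[Record]] = [[] for _ in self.sub_thresholds]
        for r in records:
            i = self._sub_period_index(r.t_request)
            if r.url == url and i >= 0:
                buckets[i].append(r)
        return buckets

    def count_slow(self, records: List[Record], url: str) -> int:
        """Same-URL requests whose response time exceeded their sub-period's second duration
        threshold, summed over the sub-periods; this sum is compared with first_threshold."""
        return sum(sum(1 for r in bucket if r.response_time > threshold)
                   for threshold, bucket in zip(self.sub_thresholds, self._buckets(records, url)))

    def detect_by_response_time(self, records: List[Record], url: str) -> Tuple[bool, int]:
        """Attack decision for one URL. Below the threshold, the per-sub-period thresholds are
        re-tuned from the mean response time actually observed (the adjustment unit)."""
        n = self.count_slow(records, url)
        if n >= self.first_threshold:
            return True, n
        for i, bucket in enumerate(self._buckets(records, url)):
            if bucket:  # a sub-period without traffic keeps its previous threshold
                self.sub_thresholds[i] = self.margin * mean(r.response_time for r in bucket)
        return False, n

    def detect_by_failures(self, records: List[Record]) -> Tuple[bool, int]:
        """Second feature: number of request failure responses received within the preset period."""
        n = sum(1 for r in records if r.failed and self._sub_period_index(r.t_request) >= 0)
        return n >= self.second_threshold, n


def make_detector() -> DosDetector:
    """A 20 s preset period split into two 10 s sub-periods, each with a 0.5 s threshold."""
    return DosDetector(period_start=0.0, sub_period_len=10.0, sub_thresholds=[0.5, 0.5],
                       first_threshold=3, second_threshold=5)


# Constructed sample traffic (not captured data).
def attack_sample() -> List[Record]:
    return [
        Record("/login", 1.0, 1.2), Record("/login", 2.0, 2.8), Record("/login", 3.0, 3.1),
        Record("/login", 11.0, 12.0), Record("/login", 12.0, 13.5), Record("/login", 13.0, 13.2),
        Record("/static/logo.png", 4.0, 6.0),   # slow, but a different URL: not counted for /login
        Record("/login", 25.0, 30.0),            # outside the preset period: not counted
    ]


def benign_sample() -> List[Record]:
    return [Record("/login", 1.0, 1.25), Record("/login", 2.0, 2.5), Record("/login", 3.0, 3.75),
            Record("/login", 11.0, 11.25), Record("/login", 12.0, 12.25)]


def failure_sample() -> List[Record]:
    return [Record("/api/order", float(i), i + 0.1, failed=True) for i in range(6)]


if __name__ == "__main__":
    d = make_detector()
    print("attack sample:", d.detect_by_response_time(attack_sample(), "/login"))
    d = make_detector()
    print("benign sample:", d.detect_by_response_time(benign_sample(), "/login"), d.sub_thresholds)
    print("failure sample:", make_detector().detect_by_failures(failure_sample()))
```

On the attack sample, one slow response in the first sub-period and two in the second sum to three, which reaches the first threshold, so the decision is "attack" and the thresholds are left untouched. On the benign sample the count stays below the threshold, and the adjustment step raises the first sub-period's threshold to twice its observed mean (1.0 s) while the quieter second sub-period settles at 0.5 s. A sub-period that saw no traffic keeps its previous threshold, since a mean over an empty set is undefined.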
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be realized in other ways. For example, the device embodiments described above are merely schematic; for instance, the division of the units is merely a division of logic functions, and there may be other dividing modes in actual realization, such as multiple units or components being combined or integrated into another system, or some features being ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or may be distributed over multiple network elements. Some or all of the units may be selected according to actual needs to realize the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of this application may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The above integrated unit may be realized in the form of hardware, or in the form of hardware plus a software functional unit.
The above integrated unit realized in the form of a software functional unit may be stored in a computer-readable storage medium. The above software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform part of the steps of the method described in each embodiment of this application. The aforesaid storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are merely specific embodiments of this application, but the protection scope of this application is not limited thereto; any change or replacement that those familiar with the art can readily conceive of within the technical scope disclosed by this application should be covered within the protection scope of this application. Therefore, the protection scope of this application should be defined by the scope of the claims.
Claims (12)
1. A method for detecting a denial of service attack, characterised in that it includes:
a gateway device receiving a response message based on an application layer protocol sent by a server, the response message being used to respond to a resource access request message based on the application layer protocol from a client, and the resource access request message carrying a uniform resource locator (URL) of a resource provided by the server;
obtaining feature information of the response message;
determining, according to the feature information, whether the server is subjected to a denial of service attack.
2. The method according to claim 1, characterised in that the feature information is response time;
the obtaining feature information of the response message includes:
determining, within a preset time period, the response time with which the server responds to resource access request messages for accessing the same URL, and recording it;
the determining, according to the feature information, whether the server is subjected to a denial of service attack includes:
determining, within the preset time period, the number of resource access request messages for accessing the same URL whose response time exceeds a first duration threshold;
if the number is not less than a first threshold, determining that the server is subjected to a denial of service attack.
3. The method according to claim 2, characterised in that the determining, within the preset time period, the response time with which the server responds to the resource access request messages for accessing the same URL includes:
within the preset time period, performing the following for each resource access request message for accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received;
determining, according to the first moment and the second moment, the response time with which the server responds to the resource access request message.
4. The method according to claim 2 or 3, characterised in that the preset time period includes at least two sub-time periods that are consecutive and do not overlap one another;
the determining, within the preset time period, and recording the response time with which the server responds to each resource access request message for accessing the same URL further includes:
for each resource access request message for accessing the same URL, the gateway device recording the correspondence between the moment at which the resource access request message was received and the response time with which the server responds to the resource access request message;
the determining, within the preset time period, the number of resource access request messages for accessing the same URL whose response time exceeds the first duration threshold includes:
for each sub-time period included in the preset time period, performing:
finding, from a prestored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment at which a resource access request message was received and its response time, the number of resource access request messages for accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
summing the numbers of resource access request messages for accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and taking the result of the summation as the number, within the preset time period, of resource access request messages for accessing the same URL whose response time exceeds the first duration threshold.
5. The method according to claim 4, characterised in that it further includes:
if the number is less than the first threshold, performing the following for each sub-time period included in the preset time period:
according to the recorded correspondence between the moment at which a resource access request message was received and its response time, calculating the mean value of the response times of all resource access request messages received in the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
6. The method according to claim 1, characterised in that the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period;
the obtaining feature information of the response message includes:
within the preset time period, calculating the number of request failure messages received from the server;
the determining, according to the feature information, whether the server is subjected to a denial of service attack includes:
if the number is not less than a second threshold, determining that the server is subjected to a denial of service attack.
7. A gateway device, characterised in that it includes:
a receiving unit, configured to receive a response message based on an application layer protocol sent by a server, the response message being used to respond to a resource access request message based on the application layer protocol from a client, and the resource access request message carrying a uniform resource locator (URL) of a resource provided by the server;
an acquiring unit, configured to obtain feature information of the response message received by the receiving unit;
a determining unit, configured to determine, according to the feature information obtained by the acquiring unit, whether the server is subjected to a denial of service attack.
8. The gateway device according to claim 7, characterised in that the feature information is response time;
the acquiring unit is specifically configured to determine, within a preset time period, the response time with which the server responds to resource access request messages for accessing the same URL, and to record it;
the determining unit is specifically configured to determine, within the preset time period, the number of resource access request messages for accessing the same URL whose response time exceeds a first duration threshold, and, when the number is not less than a first threshold, to determine that the server is subjected to a denial of service attack.
9. The gateway device according to claim 8, characterised in that
the acquiring unit is specifically configured to perform the following, within the preset time period, for each resource access request message for accessing the same URL:
recording a first moment at which the resource access request message is received, and sending the resource access request message to the server;
recording a second moment at which the response message sent by the server in response to the resource access request message is received;
determining, according to the first moment and the second moment, the response time with which the server responds to the resource access request message.
10. The gateway device according to claim 8 or 9, characterised in that the preset time period includes at least two sub-time periods that are consecutive and do not overlap one another; the acquiring unit is specifically configured to:
for each resource access request message for accessing the same URL, record the correspondence between the moment at which the gateway device received the resource access request message and the response time with which the server responds to the resource access request message;
the determining unit is specifically configured to perform the following for each sub-time period included in the preset time period:
finding, from a prestored correspondence between sub-time periods and second duration thresholds, the second duration threshold corresponding to the sub-time period;
determining, according to the recorded correspondence between the moment at which a resource access request message was received and its response time, the number of resource access request messages for accessing the same URL, among all resource access request messages received within the sub-time period, whose response time exceeds the second duration threshold;
the determining unit is further configured to sum the numbers of resource access request messages for accessing the same URL whose response time exceeds the second duration threshold corresponding to each sub-time period, and to take the result of the summation as the number, within the preset time period, of resource access request messages for accessing the same URL whose response time exceeds the first duration threshold.
11. The gateway device according to claim 10, characterised in that it further includes an adjustment unit, configured to, when the number is less than the first threshold, perform the following for each sub-time period included in the preset time period:
according to the recorded correspondence between the moment at which a resource access request message was received and its response time, calculating the mean value of the response times of all resource access request messages received in the sub-time period;
adjusting the second duration threshold corresponding to the sub-time period according to the mean value.
12. The gateway device according to claim 7, characterised in that the response message is a request failure message from the server, and the feature information is the number of response messages within a preset time period;
the acquiring unit is specifically configured to calculate, within the preset time period, the number of request failure messages received from the server;
the determining unit is specifically configured to determine, when the number is not less than a second threshold, that the server is subjected to a denial of service attack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510715982.7A CN106656912B (en) | 2015-10-28 | 2015-10-28 | Method and device for detecting denial of service attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106656912A true CN106656912A (en) | 2017-05-10 |
CN106656912B CN106656912B (en) | 2020-03-20 |
Family
ID=58830759
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510715982.7A Active CN106656912B (en) | 2015-10-28 | 2015-10-28 | Method and device for detecting denial of service attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106656912B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108810014A (en) * | 2018-06-29 | 2018-11-13 | 北京奇虎科技有限公司 | Attack alarm method and device |
CN108810014B (en) * | 2018-06-29 | 2021-06-04 | 北京奇虎科技有限公司 | Attack event warning method and device |
CN109831459A (en) * | 2019-03-22 | 2019-05-31 | 百度在线网络技术(北京)有限公司 | Method, apparatus, storage medium and the terminal device of secure access |
CN113806131A (en) * | 2021-09-23 | 2021-12-17 | 深圳市元征软件开发有限公司 | Access control method and device for fault code library, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101267313A (en) * | 2008-04-23 | 2008-09-17 | 华为技术有限公司 | Flooding attack detection method and detection device |
CN101437030A (en) * | 2008-11-29 | 2009-05-20 | 成都市华为赛门铁克科技有限公司 | Method for preventing server from being attacked, detection device and monitoring device |
CN101572609A (en) * | 2008-04-29 | 2009-11-04 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting and refusing service attack |
US20100235632A1 (en) * | 2006-05-12 | 2010-09-16 | International Business Machines Corporation | Protecting against denial of service attacks using trust, quality of service, personalization, and hide port messages |
CN103179132A (en) * | 2013-04-09 | 2013-06-26 | 中国信息安全测评中心 | Method and device for detecting and defending CC (challenge collapsar) |
CN104113525A (en) * | 2014-05-23 | 2014-10-22 | 中国电子技术标准化研究院 | Method and apparatus for defending resource consumption type Web attacks |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11399010B1 (en) | Private network request forwarding | |
US10097520B2 (en) | Method and apparatus for causing delay in processing requests for internet resources received from client devices | |
US9843590B1 (en) | Method and apparatus for causing a delay in processing requests for internet resources received from client devices | |
Hsu et al. | Fast-flux bot detection in real time | |
CN105940655B (en) | System for preventing DDos attack | |
EP2472822A2 (en) | Method and system for estimating the reliability of blacklists of botnet-infected computers | |
US10547636B2 (en) | Method and system for detecting and mitigating denial-of-service attacks | |
CN100589489C (en) | Carry out defence method and the equipment that DDOS attacks at the web server | |
US10904288B2 (en) | Identifying and deceiving adversary nodes and maneuvers for attack deception and mitigation | |
JP4373306B2 (en) | Method and apparatus for preventing distributed service denial attack against TCP server by TCP stateless hog | |
US9961066B1 (en) | Method and apparatus for limiting traffic rate to an origin server | |
US20180219882A1 (en) | Systems and methods for ip source address spoof detection | |
EP3340568A2 (en) | Anycast-based spoofed traffic detection and mitigation | |
US9680950B1 (en) | Method and apparatus for causing delay in processing requests for internet resources received from client devices | |
CN108234516B (en) | Method and device for detecting network flooding attack | |
CN106656912A (en) | Method and device for detecting denial of service attack | |
US10721269B1 (en) | Methods and system for returning requests with javascript for clients before passing a request to a server | |
Boppana et al. | Analyzing the vulnerabilities introduced by ddos mitigation techniques for software-defined networks | |
JP2006279531A (en) | Network processor, network processing method, and network processing program | |
CN110995763B (en) | Data processing method and device, electronic equipment and computer storage medium | |
Lu et al. | Detecting command and control channel of botnets in cloud | |
Boteanu et al. | A comprehensive study of queue management as a DoS counter-measure | |
Smith et al. | Comparison of operating system implementations of SYN flood defenses (cookies) | |
Danielsen | Detecting Yo-Yo DoS attack in a container-based environment | |
CN117424711A (en) | Network security management method, device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||