CN106656912B - Method and device for detecting denial of service attack - Google Patents

Method and device for detecting denial of service attack

Info

Publication number: CN106656912B
Authority: CN (China)
Prior art keywords: access request, resource access, server, response, time period
Legal status: Active
Application number: CN201510715982.7A
Other languages: Chinese (zh)
Other versions: CN106656912A (en)
Inventor: 蒋武
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN201510715982.7A; publication of CN106656912A; application granted; publication of CN106656912B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Abstract

The application discloses a method and a device for detecting a denial of service attack, relates to the field of communications, and is used to solve the technical problem that denial of service attack detection in the prior art is not accurate enough. The method comprises the following steps: a gateway device receives a response message based on an application layer protocol sent by a server, where the response message responds to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server; the gateway device acquires characteristic information of the response message; and it determines, according to the characteristic information, whether the server is under a denial of service attack. The method is used for detecting denial of service attacks.

Description

Method and device for detecting denial of service attack
Technical Field
The present application relates to the field of communications, and in particular, to a method and an apparatus for detecting a denial of service attack.
Background
A Denial of Service (DoS) attack is an attack in which an attacker sends a large number of connection requests, such as Internet Control Message Protocol (ICMP) messages, Synchronization (SYN) packets or User Datagram Protocol (UDP) datagrams, to a server, so that the server is busy processing the burst of requests and cannot respond normally to legitimate user requests, which paralyses the server.
More seriously, an attacker can illegally break into some hosts and use them as master hosts: the attacker installs a specific program on the master hosts so that they can receive special instructions from the attacker and forward those instructions to other infected hosts. That is, the attacker uses the master hosts as a springboard to control a large number of infected and controlled hosts, forming an attack network that carries out a large-scale DoS attack on the server. Such an attack is called a Distributed Denial of Service (DDoS) attack; it amplifies the effect of a single attacker and may have a significant impact on the server and cause serious congestion on the network.
In the prior art, whether a server is under a denial of service attack is generally determined by a traffic anomaly detection technique or a packet sending frequency anomaly detection technique. Specifically, a traffic threshold or a packet sending frequency threshold is set for the server, and when the current traffic of the server is detected to exceed the traffic threshold, or the current packet sending frequency to exceed the frequency threshold, the server is considered to be under a denial of service attack. However, for a low-traffic denial of service attack, the traffic and packet frequency of the server do not change much in a short period, so the traffic anomaly detection technique and the packet frequency anomaly detection technique cannot accurately detect a low-traffic denial of service attack and are prone to missed detections. In addition, for some normal requests from legitimate users, for example proxy requests or Network Address Translation (NAT) service requests, the traffic and packet transmission frequency may be very high for a short time, and in that case the traffic anomaly detection technique and the packet transmission frequency anomaly detection technique are prone to false alarms. It can be seen that the prior art is not accurate enough at detecting denial of service attacks.
Disclosure of Invention
The application aims to provide a method and a device for detecting denial of service attack, which are used for solving the technical problem that the detection of denial of service attack in the prior art is not accurate enough.
In order to achieve the above purpose, the embodiments of the present application adopt the following technical solutions:
in a first aspect, a method for detecting a denial of service attack is provided, including:
the gateway equipment receives a response message based on an application layer protocol sent by a server; the response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server;
acquiring characteristic information of the response message;
and determining whether the server is attacked by the denial of service according to the characteristic information.
By adopting the above scheme, the gateway device determines whether the server is under a denial of service attack based on the service quality of the application layer. It is worth noting that the characteristic information of the response message based on the application layer protocol sent by the server can indicate the service quality of the application layer, for example the response time of the server to resource access request messages accessing the same URL, or the number of request failure messages from the server within a preset time period. The service quality of the server's application layer necessarily changes when the server is under a denial of service attack, and the correlation between a denial of service attack on the server and the application layer service quality is stronger than the correlation between the attack and the traffic of the transport layer or network layer. Therefore, compared with the prior art, which determines whether the server is under attack based on transport layer traffic detection, determining this based on the application layer service quality improves the accuracy of detecting denial of service attacks.
In a first possible implementation manner in combination with the first aspect, the characteristic information is a response duration;
the obtaining of the feature information of the response packet includes:
determining and recording the response time length of the server responding to the resource access request message accessing the same URL in a preset time period;
the determining whether the server is under a denial of service attack according to the characteristic information includes:
determining the number of resource access request messages which have response time length exceeding a first time length threshold value and access the same URL in the preset time period;
and if the number is not less than a first threshold value, determining that the server is attacked by the denial of service.
It should be noted that, when the server is under a denial of service attack, the response time of the server to the resource access request messages of clients accessing the URL under attack inevitably increases rapidly. By adopting the scheme, the gateway device can determine that the server is under a denial of service attack when it determines that, within the preset time period, the number of resource access request messages accessing the same URL whose response time exceeds the first duration threshold is not less than the first threshold. The first duration threshold is initially set in a scenario where the server is not under a denial of service attack, and the first threshold may be set in advance according to the actual application. In contrast, the prior art judges whether the server is under attack by detecting its total traffic or packet sending rate, yet the total traffic or packet sending rate does not necessarily increase rapidly when the server is attacked; the scheme therefore improves the accuracy of detecting denial of service attacks.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the determining a response duration for the server to respond to the resource access request message for accessing the same URL within a preset time period includes:
in the preset time period, aiming at each resource access request message accessing the same URL, executing:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server;
recording a second moment of receiving a response message sent by the server for responding to the resource access request message;
and determining the response time length of the server to the resource access request message according to the first time and the second time.
The above-mentioned scheme provides an implementation manner for the gateway device to determine the response time, specifically, the gateway device itself records the first time and the second time and determines the response time through calculation. Optionally, in another implementation manner, the server records a time when the resource access request message is received, and a response message responding to the resource access request message carries the time when the server receives the resource access request message and the time when the response message is sent, so that after receiving the response message, the gateway device may also calculate a response duration according to the time when the server receives the resource access request message and the time when the response message is sent.
With reference to any one possible implementation manner of the first aspect to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap with each other;
the determining and recording the response duration of the server responding to each resource access request message accessing the same URL within the preset time period further includes:
for each resource access request message accessing the same URL, the gateway equipment records the corresponding relation between the time when the resource access request message is received and the response time length for the server to respond to the resource access request message;
the determining the number of resource access request messages with response duration exceeding a first duration threshold and accessing the same URL within the preset time period includes:
for each sub-period included in the preset period, performing:
searching a second duration threshold corresponding to a sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold;
determining the number of resource access request messages which have response time length exceeding the second time length threshold value and access to the same URL in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
and summing the number of the resource access request messages which access the same URL and have response time length exceeding a second time length threshold value corresponding to each sub-time period, and taking the summed result as the number of the resource access request messages which access the same URL and have response time length exceeding the first time length threshold value in the preset time period.
The above scheme shows that the second duration thresholds corresponding to different sub-time periods may differ. The following illustrates the technical effect that can be achieved: suppose that, when the server is not under a denial of service attack, the frequency at which clients send resource access request messages for the same URL to the server increases in sequence over the three morning periods 9:00-10:00, 10:00-11:00 and 11:00-12:00. In this case, the initially set preset time period may be 9:00 to 12:00, comprising the three sub-time periods 9:00 to 10:00, 10:00 to 11:00 and 11:00 to 12:00, and the second duration threshold corresponding to 9:00 to 10:00 is smaller than that corresponding to 10:00 to 11:00, which in turn is smaller than that corresponding to 11:00 to 12:00. Compared with setting an identical second duration threshold for all three sub-time periods, this scheme sets the second duration threshold of each sub-time period separately, based on the different access conditions of clients to the same URL in different sub-time periods, and so reflects the conditions under which clients access the URL more accurately.
With reference to any one possible implementation manner of the first aspect to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the method further includes:
if the number is smaller than the first threshold, for each sub-time period included in the preset time period, executing:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations;
and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
That is to say, when the number is smaller than the first threshold, the gateway device considers that the server is not under a denial of service attack, and at this time it may adjust the first duration threshold using the response durations observed within the preset time period. The first duration threshold is thus not kept unchanged after being initially set, but is dynamically adjusted during denial of service attack detection, so that it is set more reasonably.
With reference to any one possible implementation manner of the first aspect to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the response message is a request failure message from the server, and the feature information is a number of response messages in a preset time period;
the obtaining of the feature information of the response message includes:
in the preset time period, calculating the number of received request failure messages from the server;
the determining whether the server is under a denial of service attack according to the characteristic information includes:
and if the number is not less than a second threshold value, determining that the server is attacked by the denial of service.
It should be noted that, when the server is under a denial of service attack, it is busy processing the sudden surge of requests and cannot respond normally to the resource access request messages sent by legitimate users; in this case, the number of request failure messages based on the application layer protocol sent by the server inevitably increases rapidly.
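The first through fifth implementation manners above (restated for the device in the second and third aspects below), as an added worked example that is not code from the patent or from Huawei: a gateway-side detector records the two moments per request, counts per-URL responses slower than the threshold of the sub-period in which they arrived, sums across sub-periods, adjusts the sub-period thresholds only when no attack is detected, and separately counts request failure messages. The sub-period boundaries, thresholds, sample traffic and the adjustment rule (new threshold = 2 × average duration) are constructed assumptions, since the text fixes none of them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SubPeriod:
    start: float      # start of the sub-period (seconds, inclusive)
    end: float        # end of the sub-period (seconds, exclusive)
    threshold: float  # this sub-period's "second duration threshold" (seconds)


class GatewayDetector:
    """Per-URL latency and failure-count detection for one preset time period.
    count_threshold / failure_threshold are the patent's first and second thresholds.
    margin is an ASSUMED adjustment rule (new threshold = margin * average duration);
    the text only says the threshold is adjusted according to the average."""

    def __init__(self, sub_periods, count_threshold, failure_threshold, margin=2.0):
        self.sub_periods = sub_periods
        self.count_threshold = count_threshold
        self.failure_threshold = failure_threshold
        self.margin = margin
        self._pending = {}                 # request id -> (url, first moment)
        self._records = defaultdict(list)  # url -> [(first moment, response duration)]
        self._failures = 0                 # request failure messages seen in this period

    def on_request(self, req_id, url, now):
        """First moment: request received from the client and forwarded to the server."""
        self._pending[req_id] = (url, now)

    def on_response(self, req_id, now, failed=False):
        """Second moment: response received from the server. Returns the duration or None."""
        if req_id not in self._pending:
            return None                    # response with no matching request is ignored
        url, t_first = self._pending.pop(req_id)
        self._records[url].append((t_first, now - t_first))
        self._failures += 1 if failed else 0
        return now - t_first

    def _durations_in(self, url, sp):
        return [d for t, d in self._records[url] if sp.start <= t < sp.end]

    def slow_count(self, url):
        """Requests for url slower than the threshold of the sub-period in which they
        were received, summed over all sub-periods (third implementation manner)."""
        return sum(sum(1 for d in self._durations_in(url, sp) if d > sp.threshold)
                   for sp in self.sub_periods)

    def latency_attack(self, url):
        return self.slow_count(url) >= self.count_threshold

    def failure_attack(self):
        return self._failures >= self.failure_threshold

    def adjust_thresholds(self, url):
        """Fourth implementation manner: only when no attack is detected, re-derive each
        sub-period threshold from that sub-period's average duration. Returns True if done."""
        if self.latency_attack(url):
            return False
        for sp in self.sub_periods:
            ds = self._durations_in(url, sp)
            if ds:
                sp.threshold = self.margin * sum(ds) / len(ds)
        return True


def detector_from(events):
    """Constructed: three one-hour sub-periods whose thresholds rise with expected load (as in
    the 9:00 to 12:00 illustration above); events are (kind, id, url, time, failed) tuples."""
    det = GatewayDetector([SubPeriod(0, 3600, 0.5), SubPeriod(3600, 7200, 0.8),
                           SubPeriod(7200, 10800, 1.2)], count_threshold=5, failure_threshold=3)
    for kind, req_id, url, t, failed in events:
        if kind == "req":
            det.on_request(req_id, url, t)
        else:
            det.on_response(req_id, t, failed)
    return det


def run_scenarios():
    """Verdicts for a quiet period and for the same period with an attack on /login."""
    quiet = [("req", 1, "/login", 100, False), ("rsp", 1, None, 100.3, False),
             ("req", 2, "/login", 200, False), ("rsp", 2, None, 200.4, False),
             ("req", 3, "/login", 4000, False), ("rsp", 3, None, 4000.7, False),
             ("req", 4, "/login", 8000, False), ("rsp", 4, None, 8000.9, False),  # 0.9 s would be
             ("req", 5, "/login", 8100, False), ("rsp", 5, None, 8101.0, False)]  # slow in hour 2
    d1 = detector_from(quiet)
    out = {"quiet_slow": d1.slow_count("/login"), "quiet_attack": d1.latency_attack("/login"),
           "adjusted": d1.adjust_thresholds("/login"),
           "new_thresholds": [round(sp.threshold, 3) for sp in d1.sub_periods]}
    # Six 2-second responses for /login in the second sub-period, three of them failures.
    attack = (quiet + [("req", 10 + i, "/login", 4100 + i, False) for i in range(6)]
              + [("rsp", 10 + i, None, 4102 + i, i < 3) for i in range(6)])
    d2 = detector_from(attack)
    out.update({"attack_slow": d2.slow_count("/login"), "attack": d2.latency_attack("/login"),
                "other_url_attack": d2.latency_attack("/static/logo.png"),
                "failure_attack": d2.failure_attack(),
                "adjusted_under_attack": d2.adjust_thresholds("/login")})
    return out
```

Note that the verdict is per URL: the six slow responses for /login do not flag /static/logo.png, and the quiet period's thresholds are re-derived only because no attack was found.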
In a possible embodiment of the present application, after determining that the server is under a denial of service attack, the gateway device sends a service shutdown message to the server, where the service shutdown message instructs the server to close its connections with clients. This prevents the server from continuing to suffer the denial of service attack.
Further, the gateway device receives a resource access request message sent by a client, where the resource access request message includes an identifier of the client, and the gateway device sends a verification indication message to the client when determining that the client is not a client in a white list according to the identifier of the client; and the gateway equipment receives a verification request message sent by the client according to the verification indication message, and adds the client into the white list after the verification is passed.
It should be noted that, after receiving a service shutdown message sent by a gateway device, a server may transfer a resource corresponding to an original URL to another URL, so that, further, after adding the client to the white list, the gateway device sends a redirection message to the client, where the redirection message includes the another URL, and after receiving a resource access request message carrying the another URL sent by the client, if it is determined that the client is a client in the white list, the gateway device sends the resource access request message to the server.
Therefore, after the gateway device determines that the server is attacked by denial of service, the gateway device verifies the client requesting for accessing the server, and only sends the resource access request message sent by the client which passes the verification and is in the white list to the server, thereby avoiding possible denial of service attack on the server by the client which does not pass the verification.
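The post-detection handling described in the three paragraphs above, as an added example that is not the patent's own code: the gateway sends the service shutdown message, challenges clients that are not in the white list, adds verified clients to it, and redirects them to the URL to which the server moved the resource. The token-echo verification, the client identifiers and the URLs are assumptions, since the text does not specify the verification mechanism.

```python
import secrets


class AttackModeGateway:
    """Gateway behaviour after an attack has been detected. The verification mechanism is an
    ASSUMPTION: the gateway puts a random token in the verification indication message and the
    client must echo it in its verification request; the text does not fix the mechanism."""

    def __init__(self):
        self.attack_detected = False
        self.whitelist = set()    # client identifiers that passed verification
        self._challenges = {}     # client identifier -> outstanding token
        self.moved = {}           # original URL -> URL the server moved the resource to
        self.sent_to_server = []  # messages the gateway sent to the server

    def on_attack_detected(self):
        """Send the service shutdown message telling the server to close client connections."""
        self.attack_detected = True
        self.sent_to_server.append("SERVICE_SHUTDOWN")

    def server_moved_resource(self, old_url, new_url):
        """Record that the server now serves the resource of old_url at new_url."""
        self.moved[old_url] = new_url

    def handle_request(self, client_id, url):
        """Resource access request from a client: forward it, or challenge a non-whitelisted client."""
        if not self.attack_detected or client_id in self.whitelist:
            return ("FORWARD", url)
        token = secrets.token_hex(8)
        self._challenges[client_id] = token
        return ("VERIFY", token)                              # verification indication message

    def handle_verification(self, client_id, token, requested_url):
        """Verification request from the client: whitelist on success, redirect if the URL moved."""
        expected = self._challenges.pop(client_id, None)
        if expected is None or not secrets.compare_digest(expected, token):
            return ("REJECT", None)
        self.whitelist.add(client_id)
        if requested_url in self.moved:
            return ("REDIRECT", self.moved[requested_url])  # redirection message
        return ("FORWARD", requested_url)


def walkthrough():
    """Constructed exchange: one client before and after detection, one unverified client."""
    gw = AttackModeGateway()
    before = gw.handle_request("client-A", "/api/data")
    gw.on_attack_detected()
    gw.server_moved_resource("/api/data", "/api/data-moved")  # constructed new URL
    challenge = gw.handle_request("client-A", "/api/data")
    rejected = gw.handle_verification("client-A", "not-the-token", "/api/data")
    challenge2 = gw.handle_request("client-A", "/api/data")   # must be challenged again
    verified = gw.handle_verification("client-A", challenge2[1], "/api/data")
    after = gw.handle_request("client-A", verified[1])
    stranger = gw.handle_request("client-B", "/api/data-moved")
    return {"before": before, "challenge": challenge[0], "rejected": rejected,
            "verified": verified, "after": after, "stranger": stranger[0],
            "server_messages": gw.sent_to_server, "whitelist": sorted(gw.whitelist)}
```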
In a second aspect, there is provided a gateway device, comprising:
the receiving unit is used for receiving a response message based on an application layer protocol sent by the server; the response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server;
an obtaining unit, configured to obtain feature information of the response message received by the receiving unit;
and the determining unit is used for determining whether the server is attacked by denial of service according to the characteristic information acquired by the acquiring unit.
In a first possible implementation manner combined with the second aspect, the characteristic information is a response duration;
the acquisition unit is specifically configured to determine and record a response duration for the server to respond to the resource access request message for accessing the same URL within a preset time period;
the determining unit is specifically configured to determine, within the preset time period, the number of resource access request messages for accessing the same URL, for which response time exceeds a first time threshold, and determine that the server is under a denial of service attack when the number is not less than the first threshold.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the obtaining unit is specifically configured to, in the preset time period, execute, for each resource access request message that accesses the same URL:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server;
recording a second moment of receiving a response message sent by the server for responding to the resource access request message;
and determining the response time length of the server to the resource access request message according to the first time and the second time.
With reference to any one possible implementation manner of the second aspect to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap with each other;
the acquiring unit is specifically configured to, for each resource access request message that accesses the same URL, record, by the gateway device, a correspondence between a time at which the resource access request message is received and a response duration for which the server responds to the resource access request message;
the determining unit is specifically configured to, for each sub-period included in the preset period, perform:
searching a second duration threshold corresponding to a sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold;
determining the number of resource access request messages which have response time length exceeding the second time length threshold value and access to the same URL in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
the determining unit is further configured to sum the number of resource access request messages accessing the same URL, of which the response time length exceeds the second time length threshold corresponding to each sub-time period, and take the sum result as the number of resource access request messages accessing the same URL, of which the response time length exceeds the first time length threshold in the preset time period.
With reference to any one possible implementation manner of the second aspect to the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the gateway device further includes an adjusting unit, configured to, when the number is smaller than the first threshold, perform, for each sub-time period included in the preset time period:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations;
and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
With reference to any one possible implementation manner of the second aspect to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the response message is a request failure message from the server, and the feature information is the number of response messages in a preset time period;
the obtaining unit is specifically configured to calculate, within the preset time period, the number of received request failure messages from the server;
the determining unit is specifically configured to determine that the server is under a denial of service attack when the number is not less than a second threshold.
The above element division of the gateway device is only a logical function division, and there may be another division manner in actual implementation, and a specific physical implementation manner of each element is not limited in this application, for example, in a specific implementation process, the receiving unit may be a receiver, the obtaining unit may be an arithmetic unit, the determining unit may be a central processing unit, and other implementation manners that may be thought of by a person skilled in the art through reasonable analysis and reasoning also belong to the protection scope of this application.
In a third aspect, another gateway device is provided, including: a processor, a memory, a transmitter, a receiver, and a communication bus; wherein the processor, the memory, the transmitter and the receiver communicate with each other via the communication bus;
the memory is used for storing program codes;
the processor calls the program code stored by the memory to:
receiving a response message based on an application layer protocol sent by a server; the response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server;
acquiring characteristic information of the response message;
and determining whether the server is attacked by the denial of service according to the characteristic information.
In a first possible implementation manner in combination with the third aspect, the characteristic information is a response duration; the processor invoking the program code stored by the memory is further for:
determining and recording the response time length of the server responding to the resource access request message accessing the same URL in a preset time period;
determining the number of resource access request messages which have response time length exceeding a first time length threshold value and access the same URL in the preset time period;
and if the number is not less than a first threshold value, determining that the server is attacked by the denial of service.
With reference to the third aspect or the first possible implementation manner of the third aspect, in a second possible implementation manner of the third aspect, the processor calls the program code stored in the memory, and the program code is further configured to:
in the preset time period, aiming at each resource access request message accessing the same URL, executing:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server;
recording a second moment of receiving a response message sent by the server for responding to the resource access request message;
and determining the response time length of the server to the resource access request message according to the first time and the second time.
With reference to any one possible implementation manner of the third aspect to the second possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap with each other; the processor invoking the program code stored by the memory is further for:
for each resource access request message accessing the same URL, the gateway equipment records the corresponding relation between the time when the resource access request message is received and the response time length for the server to respond to the resource access request message;
for each sub-period included in the preset period, performing:
searching a second duration threshold corresponding to a sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold;
determining the number of resource access request messages which have response time length exceeding the second time length threshold value and access to the same URL in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
and summing the number of the resource access request messages which access the same URL and have response time length exceeding a second time length threshold value corresponding to each sub-time period, and taking the summed result as the number of the resource access request messages which access the same URL and have response time length exceeding the first time length threshold value in the preset time period.
With reference to any one possible implementation manner of the third aspect to the third possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, the processor calls the program code stored in the memory, and the program code is further configured to:
if the number is smaller than the first threshold, for each sub-time period included in the preset time period, executing:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations;
and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
With reference to any one possible implementation manner of the third aspect to the fourth possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, the response message is a request failure message from the server, and the feature information is a number of response messages in a preset time period; the processor invoking the program code stored by the memory is further for:
in the preset time period, calculating the number of received request failure messages from the server;
and if the number is not less than a second threshold value, determining that the server is attacked by the denial of service.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a network system architecture according to an embodiment of the present application;
Fig. 2 is a schematic diagram of the network system architecture of Fig. 1 under a denial of service attack;
Fig. 3 is an example of a method for detecting a denial of service attack according to an embodiment of the present application;
Fig. 4 is a schematic diagram of information interaction of a client accessing a server according to an embodiment of the present application;
Fig. 5 is a flowchart illustrating a method for setting a first duration threshold according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a first duration threshold according to an embodiment of the present application;
Fig. 7 is an example of denial of service attack detection based on the first duration threshold shown in Fig. 6;
Fig. 8 is a further example of a method for detecting a denial of service attack according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a gateway device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another gateway device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, the following embodiments of the present application are all applicable to a network system architecture in which a client accesses a server through a gateway device. The client may be a terminal device such as a notebook computer, a tablet computer, a smart phone, and the like, and the server may be a server providing network services such as a website (Web) server, a File Transfer Protocol (FTP) server, and the like. And, for different types of servers, the gateway device is matched with the server. For example, as shown in fig. 1, the client in the network system architecture specifically includes a notebook computer 11, a tablet computer 12, a desktop computer 13, and a smart phone 14, and the network system architecture further includes a Web server 16, and a gateway device 15 configured with the Web server. Any client can send a resource access request message to the gateway device, where the resource access request message carries a Uniform Resource Locator (URL), and the gateway device sends the resource access request message to the server, so as to implement access of the client to the resource provided by the server.
The embodiment of the application provides a method for detecting denial of service attack, which can improve the accuracy of detecting the denial of service attack. In order to make it easier for those skilled in the art to understand the technical effect achieved by the present solution, first, a brief description is given of a distributed denial of service attack:
Fig. 2 is a schematic diagram illustrating the network system architecture shown in fig. 1 under a distributed denial of service attack. The attacker shown in fig. 2 may control the notebook computer 11, the tablet computer 12, the desktop computer 13 and the smartphone 14 as attack puppets (zombie hosts) to send a large number of request messages to the server 16, so as to fill up the buffer in which the server 16 receives request messages; the server 16 then cannot receive the request messages sent by normal clients and thus cannot provide normal service.
An example of a method for detecting a denial of service attack provided in an embodiment of the present application is shown in fig. 3, where the method includes:
S301, the gateway device receives a response message based on the application layer protocol sent by the server.
The response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server.
S302, the gateway device acquires the characteristic information of the response message.
S303, the gateway device determines whether the server is attacked by the denial of service according to the characteristic information.
By adopting the above scheme, the gateway device determines whether the server is under a denial of service attack based on the service quality of the application layer, and it should be noted that the characteristic information of the response message based on the application layer protocol sent by the server can indicate the service quality of the application layer, for example, the characteristic information may be the response duration of the server to the resource access request message for accessing the same URL, or the number of request failure messages from the server within a preset time period. The service quality of the application layer of the server is necessarily changed when the server is subjected to the denial of service attack, and the correlation between the denial of service attack on the server and the service quality of the application layer is stronger than the correlation between the denial of service attack on the server and the traffic of a transmission layer or a network layer. Therefore, compared with the prior art that whether the server is attacked by the denial of service is determined based on the traffic detection of the transmission layer, the accuracy of detecting the denial of service attack is improved by determining whether the server is attacked by the denial of service based on the service quality of the application layer.
The following describes in detail a method for detecting a denial of service attack provided by the embodiment of the present application, by taking the above-mentioned feature information as an example of a response duration of a response from a server to a resource access request message for accessing the same URL.
Specifically, the gateway device determines and records a response time length for the server to respond to the resource access request messages accessing the same URL within a preset time period, and further determines the number of the resource access request messages accessing the same URL, of which the response time length exceeds a first time length threshold, within the preset time period, and if the number is not less than the first threshold, determines that the server is attacked by the denial of service.
Wherein, the resource access request messages accessing the same URL can come from different clients.
It should be noted that the resource access request message based on the application layer protocol may be a Hypertext Transfer Protocol (HTTP) Get message, and the response message based on the application layer protocol may be a 200 OK message, which indicates that the server has successfully returned the resource. As shown in fig. 4, for a plurality of clients, i.e., client 1 to client N, where N is a positive integer greater than 1, each client may send an HTTP Get message to the server through the gateway device, and the server sends a 200 OK response to the HTTP Get message to the client.
When the server is under a denial of service attack, the response duration of the server responding to the resource access request messages of the attacking clients accessing the URL inevitably increases rapidly, whereas the total traffic or packet-sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, in which whether the server is under a denial of service attack is judged by detecting the total traffic or packet-sending rate of the server, this scheme improves the accuracy of detecting the denial of service attack.
Illustratively, the method for the gateway device to initially set the first duration threshold is shown in fig. 5, and includes:
S501, the gateway device receives an HTTP Get message which is sent by a client and carries a URL, and records the first moment when the HTTP Get message is received.
S502, the gateway device sends the HTTP Get request message to a server.
S503, the gateway device receives the 200 OK message sent by the server in response to the HTTP Get message, and records the second moment when the 200 OK message is received.
And S504, the gateway device takes the difference between the first moment and the second moment as the response duration of this access to the URL by the client.
And S505, the gateway device determines the response time of the client accessing the URL each time in a preset time period.
Specifically, the gateway device repeatedly executes the steps S501 to S504 within the preset time period, so that the response time for accessing the URL each time can be obtained.
S506, the gateway device divides the preset time period into at least two sub-time periods which are sequentially connected and do not overlap with each other, and executes step S507 for each sub-time period.
It should be noted that the durations of the sub-time periods may be the same or different; this is not limited in this application.
And S507, the gateway device calculates an average value of response time lengths of the server to all HTTP Get messages accessing the URL in the sub-time period, and takes the average value as a second time length threshold corresponding to the sub-time period.
For example, if the preset time period includes m sub-time periods, where m is a positive integer greater than 1, the gateway device records the response duration of each access of the URL by the client in the first sub-time period and calculates the average value of these response durations. For example, if the URL is accessed n times in the first sub-time period, where n is a positive integer greater than 0, and the response durations of these accesses are $t_1, t_2, t_3, \ldots, t_n$ respectively, then the average response duration for accessing the URL in the first sub-time period is $(t_1 + t_2 + t_3 + \cdots + t_n)/n$, and this average value is the second duration threshold corresponding to the first sub-time period. By analogy, the second duration threshold corresponding to each sub-time period included in the preset time period can be obtained.
Optionally, in step S507, the gateway device may further multiply an average value of the response time of each sub-time period by a coefficient as a second time threshold corresponding to the sub-time period, where a specific value of the coefficient may be set according to a network delay in actual implementation, so as to avoid false alarm caused by an increase in the response time due to the network delay.
It should be noted that the gateway device may run the learning process of the first duration threshold, i.e., the above steps S501 to S507, in a scenario in which it is ensured that the server is not under a denial of service attack. For example, the user may initially start the gateway device in the network after determining that no denial of service attack exists in the current network, and monitor the network in real time while the gateway device runs the learning process, so as to ensure that no denial of service attack occurs during the initial setting of the first duration threshold.
The above scheme shows that the second duration thresholds corresponding to different sub-time periods may differ. The technical effect of this is illustrated as follows: suppose that, when the server is not under a denial of service attack, the frequency at which clients send resource access request messages for accessing the same URL to the server increases successively over the three time periods 9:00-10:00, 10:00-11:00 and 11:00-12:00 in the morning. In this case, the initially set preset time period may be 9:00-12:00, which includes the three sub-time periods 9:00-10:00, 10:00-11:00 and 11:00-12:00, and the second duration threshold corresponding to the sub-time period 9:00-10:00 is smaller than that corresponding to 10:00-11:00, which in turn is smaller than that corresponding to 11:00-12:00. Compared with setting an identical second duration threshold for all three sub-time periods, this scheme sets the second duration threshold of each sub-time period separately based on the different access conditions of clients to the same URL in different sub-time periods, and therefore reflects the conditions under which clients access the URL more accurately.
In a specific implementation process, the gateway device may also calculate an average value of all response durations in the preset time period, and use the average value as the first time threshold. This is not limited in this application.
Illustratively, the first duration threshold obtained by the method shown in fig. 5 is shown in fig. 6, and referring to fig. 6, the preset time period includes sub-time periods 1 to 5 that are sequentially connected and do not overlap with each other, and the duration baseline includes a second duration threshold T1 corresponding to the sub-time period 1, a second duration threshold T2 corresponding to the sub-time period 2, a second duration threshold T3 corresponding to the sub-time period 3, a second duration threshold T4 corresponding to the sub-time period 4, and a second duration threshold T5 corresponding to the sub-time period 5.
Further, based on the first time threshold shown in fig. 6, the method for the gateway device to perform the denial of service attack detection within the preset time period is shown in fig. 7, and the method includes:
S701, the gateway device determines the response duration of the client accessing the URL for the first time in a preset time period.
Specifically, the manner of calculating the response duration by the gateway device may refer to step S501 to step S504 shown in fig. 5, which is not described herein again.
S702, the gateway device determines whether the response time length is greater than a second time length threshold corresponding to the sub-time period where the current time is located.
For example, as shown in fig. 6, if the resource access request message for accessing the URL sent by the client for the first time is received by the gateway device in sub-time period 1, then after determining the response duration tt of this access, the gateway device compares tt with the second duration threshold T1 corresponding to sub-time period 1 and determines whether tt is greater than T1.
It should be noted that the current time in step S702 is the time when the gateway device calculates the obtained response time duration. In another possible implementation manner, the gateway device may record, for each resource access request message that accesses the same URL, a correspondence between a time when the resource access request message is received and a response duration for the server to respond to the resource access request message. In this way, after the gateway device calculates the response time length, the time of receiving the resource access request message recorded by the gateway device corresponding to the response time length is determined according to the corresponding relation, the second time length threshold corresponding to the sub-time period of the time of receiving the resource access request message recorded by the gateway device is determined from the corresponding relation between the pre-stored sub-time period and the second time length threshold, and the response time length is compared with the second time length threshold to determine whether the response time length is greater than the second time length threshold.
And S703, the gateway device sums the number of the resource access request messages which access the same URL and have response time lengths exceeding the second time length threshold corresponding to each sub-time period, and the sum result is used as the number of the resource access request messages which access the same URL and have response time lengths exceeding the first time length threshold in the preset time period.
Optionally, in the preset time period, each time the gateway device receives a resource access request message sent by the client to access the URL, the steps S701 and S702 are performed, and when each response duration exceeds a second duration threshold corresponding to the sub-time period, the number of resource access request messages for accessing the same URL, of which the response duration exceeds the first duration threshold, recorded by the gateway device is increased by one until the preset time period is ended, so as to obtain the total number of resource access request messages for accessing the same URL, of which the response duration exceeds the first duration threshold, in the preset time period.
S704, if the number is not less than a preset first threshold value, determining that the server is attacked by the denial of service.
The first threshold value may be preset according to actual implementation.
S705, if the number is smaller than the first threshold, executing steps S706 to S707 for each sub-time period included in the preset time period.
S706, the gateway device calculates the average value of the response time lengths of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time lengths.
And S707, the gateway device adjusts a second duration threshold corresponding to the sub-period according to the average value.
Specifically, when the gateway device adjusts the second duration threshold, the original second duration threshold corresponding to the sub-period may be directly adjusted to the average value, or the average value may be multiplied by a coefficient and used as the adjusted second duration threshold corresponding to the sub-period, where a specific value of the coefficient may be set according to the network delay in actual implementation.
That is to say, when the number is smaller than the first threshold, the gateway device considers that the server is not under the denial of service attack, and at this time, the gateway device may adjust the first duration threshold by using the response duration within the preset time period, where the first duration threshold is not kept unchanged after being initially set, but is dynamically adjusted in the process of detecting the denial of service attack, so that the first duration threshold is set more reasonably.
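As an added illustration (this is not code from the patent), the following Python sketch carries the learning steps S501 to S507 and the detection steps S701 to S707 through for a single URL, including the dynamic adjustment of the second duration thresholds; the equal sub-time period length, the coefficient of 1.5, the handling of an empty sub-time period and all sample data are assumptions.

```python
"""Added illustrative example, not code from the patent: the response-duration
based detection of Figs. 5 and 7 for one URL.

Assumptions not stated in the patent: the preset time period is modelled as
n_sub_periods equal sub-time periods of sub_period_len seconds, receive times
are offsets into that period, and the coefficient applied to the learned
average (step S507) is 1.5; the threshold lookup uses the sub-time period in
which the request was received (the second implementation of step S702)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class UrlBaseline:
    """The duration baseline of Fig. 6: one second-duration threshold per sub-time period."""
    sub_period_len: float
    n_sub_periods: int
    coefficient: float = 1.5            # assumed safety factor for network delay
    thresholds: list = field(default_factory=list)

    def sub_period_of(self, recv_time):
        """Index of the sub-time period a request received at recv_time belongs to."""
        idx = int(recv_time // self.sub_period_len)
        if not 0 <= idx < self.n_sub_periods:
            raise ValueError("receive time lies outside the preset time period")
        return idx

    def _averages(self, samples):
        """Average response duration per sub-time period; samples are
        (receive time, response duration) pairs as recorded in S501-S505."""
        per_sub = defaultdict(list)
        for recv_time, duration in samples:
            per_sub[self.sub_period_of(recv_time)].append(duration)
        return {i: sum(d) / len(d) for i, d in per_sub.items()}

    def learn(self, samples):
        """Initial setting (S506-S507), run while the server is known not to be
        under attack; every sub-time period must have at least one sample."""
        avgs = self._averages(samples)
        missing = [i for i in range(self.n_sub_periods) if i not in avgs]
        if missing:
            raise ValueError(f"no samples in sub-time period(s) {missing}")
        self.thresholds = [avgs[i] * self.coefficient for i in range(self.n_sub_periods)]
        return self.thresholds

    def adjust(self, samples):
        """Dynamic adjustment (S706-S707) after a period judged not under attack.
        A sub-time period with no requests keeps its previous threshold (the
        patent does not say what to do in that case; this is an assumption)."""
        avgs = self._averages(samples)
        self.thresholds = [avgs[i] * self.coefficient if i in avgs else self.thresholds[i]
                           for i in range(self.n_sub_periods)]
        return self.thresholds


def detect(baseline, samples, first_threshold):
    """S701-S707 over one preset time period for one URL.

    Counts requests whose response duration exceeds the second-duration
    threshold of the sub-time period they were received in, sums over all
    sub-time periods (S703) and compares with the first threshold (S704).
    Returns (attacked, exceed_count); thresholds are adjusted only when the
    server is judged not to be under attack (S705)."""
    exceed = 0
    for recv_time, duration in samples:
        if duration > baseline.thresholds[baseline.sub_period_of(recv_time)]:
            exceed += 1
    if exceed >= first_threshold:
        return True, exceed
    baseline.adjust(samples)
    return False, exceed


# Constructed sample data (seconds): three 60 s sub-time periods, like the
# 9:00-12:00 example in the text but shortened; response durations grow
# across the sub-time periods as the access frequency rises.
LEARN_SAMPLES = [(5, 0.10), (20, 0.12), (50, 0.14),      # average 0.12
                 (65, 0.20), (90, 0.24), (110, 0.22),    # average 0.22
                 (130, 0.30), (150, 0.34), (170, 0.32)]  # average 0.32
NORMAL_PERIOD = [(10, 0.11), (40, 0.19), (70, 0.25), (100, 0.21), (140, 0.31), (160, 0.50)]
ATTACK_PERIOD = [(t, 1.2) for t in (5, 15, 25, 35, 45, 55)] + [(70, 0.25)]

if __name__ == "__main__":
    baseline = UrlBaseline(sub_period_len=60.0, n_sub_periods=3)
    print("learned thresholds:", [round(t, 4) for t in baseline.learn(LEARN_SAMPLES)])
    print("normal period:", detect(baseline, NORMAL_PERIOD, first_threshold=4))
    print("adjusted thresholds:", [round(t, 4) for t in baseline.thresholds])
    print("attack period:", detect(baseline, ATTACK_PERIOD, first_threshold=4))
```

With the constructed data, the normal period produces two exceedances (below the first threshold of 4) and the baseline is re-learned, while the attack period produces six and leaves the baseline untouched.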
It should be noted that the steps shown in fig. 7 are only for illustration and are all described as a series of actions for simplicity of description, but those skilled in the art should understand that the present application is not limited by the described action sequence, and secondly those skilled in the art should also understand that the embodiments described in the specification belong to the preferred embodiment, and the actions involved are not necessarily required by the embodiments of the present application.
The following describes in detail a method for detecting a denial of service attack provided in the embodiment of the present application, by taking the number of request failure messages from a server in a preset time period as an example.
Specifically, the gateway device calculates the number of received request failure messages from the server within a preset time period, and determines that the server is under a denial of service attack if the number is not less than a second threshold.
The request failure message may be sent to the gateway device by the server in response to a resource access request message sent by a different client.
Illustratively, when the server is a Web server, the Web server returns a 503 status code to the gateway device for a resource access request message from a client that it is unable to respond to. The 503 status code is a server error status indicating that the server is unable to process the request message because of maintenance or overload; that is, the request failure message may be a response carrying the 503 status code.
When the server is under a denial of service attack, it is busy processing the sudden surge of requests and cannot respond normally to the requests of legitimate users, so the number of request failure messages sent by the server inevitably increases, whereas the total traffic or packet-sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, in which whether the server is under a denial of service attack is judged by detecting the total traffic or packet-sending rate of the server, this scheme improves the accuracy of detecting the denial of service attack.
The following briefly introduces a method for protecting a gateway device after determining that a server is attacked by a denial of service, including:
S801, the gateway device sends a close service message to the server, where the close service message is used to instruct the server to close the connection with the client.
It should be noted that, if the server is a Web server, the close service message may be a FIN termination message or a RST reset message in a Transmission Control Protocol (TCP), and the server closes the connection with the client after receiving the FIN message or the RST message.
S802, the gateway device receives a first resource access request message which is sent by a client and carries a first URL.
It should be noted that fig. 8 shows only one client for convenience of description, but those skilled in the art should understand that the client shown in fig. 8 may represent any client connected to the server.
And S803, the gateway device determines whether the client is in a white list according to the client identifier carried by the first resource access request message.
Specifically, if the white list includes the identifier of the client, step S804 is executed, and if the white list does not include the identifier of the client, step S805 and the subsequent steps are executed.
S804, the gateway device sends the first resource access request message to the server.
S805, the gateway device sends a verification indication message to the client.
S806, the gateway device receives the verification request message sent by the client according to the verification indication message.
And S807, after the gateway device verifies the client according to the verification request message, adding the client into the white list.
S808, the gateway device sends a redirection message to the client, wherein the redirection message comprises a second URL.
It should be noted that, if the server is a Web server, after receiving the service closing message sent by the gateway device in step S801, the Web server may transfer the Web page of the first URL to the second URL, so as to prevent the attacker from continuing the attack initiated by the first URL. In this case, the redirection message may include a 301 status code and the second URL, where the 301 status code is used to indicate that the home page is permanently transferred to the second URL.
S809, the gateway device receives a second resource access request message sent by the client, where the second resource access request message includes the second URL.
And S810, the gateway device sends the second resource access request message to the server.
Specifically, after determining that the server is attacked by denial of service, the gateway device verifies the client requesting access to the server, and only sends the resource access request message sent by the verified client in the white list to the server, thereby avoiding possible denial of service attack on the server by the client which fails to pass verification.
An embodiment of the present application further provides a gateway device 90, configured to implement the method for detecting a denial of service attack shown in the foregoing method embodiment, as shown in fig. 9, where the gateway device 90 includes:
a receiving unit 91, configured to receive a response message based on an application layer protocol sent by the server.
The response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server.
An obtaining unit 92, configured to obtain the feature information of the response message received by the receiving unit 91.
A determining unit 93, configured to determine whether the server is attacked by denial of service according to the feature information acquired by the acquiring unit 92.
With the above gateway device, the gateway device determines whether the server is under a denial of service attack based on the service quality of the application layer, and it should be noted that the characteristic information of the response message based on the application layer protocol sent by the server may indicate the service quality of the application layer, for example, the response time of the server to the resource access request message for accessing the same URL, or the request failure message from the server within a preset time period. The service quality of the application layer of the server is necessarily changed when the server is subjected to the denial of service attack, and the correlation between the denial of service attack on the server and the service quality of the application layer is stronger than the correlation between the denial of service attack on the server and the traffic of the transmission layer. Therefore, compared with the prior art that whether the server is attacked by the denial of service is determined based on the traffic detection of the transport layer, the gateway device provided by the application determines whether the server is attacked by the denial of service based on the service quality of the application layer, so that the accuracy of detecting the denial of service attack is improved.
Optionally, the feature information is a response duration, and the obtaining unit 92 is specifically configured to determine and record a response duration in which the server responds to the resource access request message for accessing the same URL within a preset time period; the determining unit 93 is specifically configured to determine, within the preset time period, the number of resource access request messages for accessing the same URL, of which response time duration exceeds a first time duration threshold, and determine that the server is under a denial of service attack when the number is not less than the first threshold.
The initial setting of the first time threshold is performed in a scenario that the server is not attacked by denial of service, and the first threshold may be set in advance according to actual applications.
Optionally, the obtaining unit 92 is further configured to, in the preset time period, perform, for each resource access request message that accesses the same URL:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server; recording a second moment of receiving a response message sent by the server for responding to the resource access request message; and determining the response time length of the server to the resource access request message according to the first time and the second time.
Optionally, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap with each other; the obtaining unit 92 is further configured to, for each resource access request message that accesses the same URL, record, by the gateway device, a correspondence between a time at which the resource access request message is received and a response duration for which the server responds to the resource access request message; the determining unit 93 is specifically configured to, for each sub-period included in the preset period, perform:
searching a second duration threshold corresponding to the sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold; determining the number of resource access request messages which access the same URL and have response time length exceeding the second time length threshold in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
the determining unit 93 is further configured to sum the number of the resource access request messages accessing the same URL, of which the response time length exceeds the second time length threshold corresponding to each sub-time period, and take the sum result as the number of the resource access request messages accessing the same URL, of which the response time length exceeds the first time length threshold in the preset time period.
It should be noted that, when the server is under a denial of service attack, the response duration of the server responding to the resource access request messages of the attacking clients accessing the URL inevitably increases rapidly, whereas the total traffic or packet-sending rate of the server does not necessarily increase rapidly. Therefore, compared with the prior art, in which whether the server is under a denial of service attack is judged by detecting the total traffic or packet-sending rate of the server, this scheme improves the accuracy of detecting the denial of service attack.
Optionally, the gateway device 90 further includes an adjusting unit 94, configured to, when the number is smaller than the first threshold, perform, for each sub-time period included in the preset time period:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations; and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
That is to say, when the number is smaller than the first threshold, the gateway device considers that the server is not under a denial of service attack, and at this time, the gateway device may adjust the first time threshold by using the response time duration within the preset time period, where the first time threshold is not kept unchanged after being initially set, but is dynamically adjusted in the process of detecting a denial of service attack, so that the first time threshold is set more reasonably.
Optionally, the response message is a request failure message from the server, and the characteristic information is the number of response messages in a preset time period; the obtaining unit 92 is specifically configured to calculate, within the preset time period, the number of received request failure messages from the server; the determining unit 93 is specifically configured to determine that the server is under a denial of service attack if the number is not less than the second threshold.
It should be noted that when the server is under a denial of service attack, it is busy processing the sudden surge of requests and cannot respond normally to the resource access request messages of legitimate users; in that case the number of application-layer request failure messages sent by the server inevitably rises sharply. Because the server's total traffic or packet sending rate does not necessarily rise sharply under a denial of service attack, the above scheme improves the accuracy of detecting a denial of service attack compared with the prior art, which judges an attack by monitoring total traffic or packet sending rate.
In addition, the above division of the gateway device into units is only a division by logical function; other divisions are possible in an actual implementation, and the physical implementation of each unit is not limited in this application. For example, the receiving unit 91 may be a receiver, the obtaining unit 92 may be an arithmetic unit, and the determining unit 93 may be a central processing unit; other implementations that those skilled in the art can arrive at through reasonable analysis and reasoning also fall within the protection scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the gateway device described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
An embodiment of the present application provides another gateway device 10, as shown in fig. 10, where the gateway device 10 includes:
a processor 101, a transmitter 102 (communications interface), a receiver 103, a memory 104, and a communication bus 105; the processor 101, the transmitter 102, the receiver 103 and the memory 104 communicate with each other via the communication bus 105.
The processor 101 may be a multi-core central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 104 is used to store program code, including computer operating instructions and network flow diagrams. The memory 104 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory. The memory 104 may also be a memory array, and may be divided into blocks that are combined into virtual volumes according to certain rules.
The transmitter 102 and the receiver 103 are used for realizing connection communication between the devices.
The processor 101 is configured to execute the program code in the memory 104 to implement the following operations:
receiving a response message based on an application layer protocol sent by a server; the response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server;
acquiring characteristic information of the response message;
and determining whether the server is attacked by the denial of service according to the characteristic information.
Optionally, the feature information is a response duration;
the obtaining of the feature information of the response packet includes:
determining and recording the response time length of the server responding to the resource access request message accessing the same URL in a preset time period;
the determining whether the server is under a denial of service attack according to the characteristic information includes:
determining the number of resource access request messages which have response time length exceeding a first time length threshold value and access the same URL in the preset time period;
and if the number is not less than a first threshold value, determining that the server is attacked by the denial of service.
Optionally, the determining, in a preset time period, a response duration for the server to respond to the resource access request message for accessing the same URL includes:
in the preset time period, aiming at each resource access request message accessing the same URL, executing:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server;
recording a second moment of receiving a response message sent by the server for responding to the resource access request message;
and determining the response time length of the server to the resource access request message according to the first time and the second time.
Optionally, the preset time period includes at least two sub-time periods that are sequentially connected and do not overlap with each other;
determining a response duration of a response of the server to each resource access request message accessing the same URL within a preset time period, and recording the response duration, wherein the operation further comprises:
for each resource access request message accessing the same URL, the gateway equipment records the corresponding relation between the time when the resource access request message is received and the response time length for the server to respond to the resource access request message;
the determining the number of resource access request messages with response duration exceeding a first duration threshold for accessing the same URL in the preset time period includes:
for each sub-period included in the preset period, performing:
searching a second duration threshold corresponding to a sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold;
determining the number of resource access request messages which have response time length exceeding the second time length threshold value and access the same URL in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
and summing the number of the resource access request messages which access the same URL and have response time length exceeding a second time length threshold value corresponding to each sub-time period, and taking the summed result as the number of the resource access request messages which access the same URL and have response time length exceeding the first time length threshold value in the preset time period.
Optionally, the operations further comprise:
if the number is smaller than the first threshold, for each sub-time period included in the preset time period, executing:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations;
and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
Optionally, the response message is a request failure message from the server, and the feature information is the number of response messages in a preset time period;
the obtaining of the feature information of the response message includes:
in the preset time period, calculating the number of received request failure messages from the server;
the determining whether the server is under a denial of service attack according to the characteristic information includes:
and if the number is not less than a second threshold value, determining that the server is attacked by the denial of service.
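The following Python is an added worked example, not code from the patent or from Huawei, that puts the two detection paths described above into one runnable gateway-side detector: the per-URL count of slow responses over a preset period split into consecutive, non-overlapping sub-periods with their own second duration thresholds (the first threshold applied to the summed count), the adjustment of those thresholds from the average response duration when no attack is seen, and the count of application-layer request failure messages against the second threshold. Seconds as the time unit, HTTP status codes with 5xx as the "request failure message", the rule "new threshold = 2 x mean duration" (the patent only says "adjust according to the average"), the 60 s period with three 20 s sub-periods, the threshold values and the sample traffic are all assumptions introduced here.

```python
"""Gateway-side DoS detector modelled on the patent's two indicators.
Added example; time unit (seconds), HTTP status codes, the 2x-mean
adaptation rule and the sample traffic are assumptions, not from the patent."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass(frozen=True)
class Observation:
    """One request/response pair as seen at the gateway (constructed sample data)."""
    url: str
    t_received: float    # first moment: request arrives at the gateway
    t_responded: float   # second moment: server's response arrives at the gateway
    status: int          # application-layer status in the response (assumed HTTP)

    @property
    def response_duration(self) -> float:
        return self.t_responded - self.t_received


@dataclass
class SlowResponseDetector:
    """Preset period = n consecutive, non-overlapping sub-periods of equal length."""
    period_start: float
    sub_period_len: float
    sub_thresholds: list[float]   # "second duration threshold" per sub-period (assumed seconds)
    count_threshold: int          # "first threshold": slow responses that signal an attack
    observations: list[Observation] = field(default_factory=list)

    @property
    def period_end(self) -> float:
        return self.period_start + self.sub_period_len * len(self.sub_thresholds)

    def record(self, obs: Observation) -> None:
        """Keep (time received -> response duration) for requests inside the period."""
        if self.period_start <= obs.t_received < self.period_end:
            self.observations.append(obs)

    def _sub_index(self, t: float) -> int:
        return int((t - self.period_start) // self.sub_period_len)

    def _in_sub_period(self, i: int) -> list[Observation]:
        return [o for o in self.observations if self._sub_index(o.t_received) == i]

    def slow_count(self, url: str) -> int:
        """Sum over sub-periods of responses for `url` slower than that sub-period's threshold."""
        return sum(
            1
            for i, thr in enumerate(self.sub_thresholds)
            for o in self._in_sub_period(i)
            if o.url == url and o.response_duration > thr
        )

    def is_under_attack(self, url: str) -> bool:
        return self.slow_count(url) >= self.count_threshold

    def adapt_thresholds(self, factor: float = 2.0) -> list[float]:
        """Re-derive each sub-period threshold from the mean duration of ALL requests
        received in that sub-period. `factor * mean` is an assumed rule."""
        new = []
        for i, old in enumerate(self.sub_thresholds):
            durations = [o.response_duration for o in self._in_sub_period(i)]
            new.append(factor * mean(durations) if durations else old)
        self.sub_thresholds = new
        return new

    def evaluate(self, url: str) -> bool:
        """Decision step: flag the URL, otherwise adapt the thresholds."""
        attacked = self.is_under_attack(url)
        if not attacked:
            self.adapt_thresholds()
        return attacked


def failure_count(observations, period_start, period_len, failure_statuses=range(500, 600)) -> int:
    """Second indicator: request failure responses in the period (assumed: HTTP 5xx)."""
    return sum(1 for o in observations
               if period_start <= o.t_received < period_start + period_len
               and o.status in failure_statuses)


# Constructed traffic: one healthy URL and one URL being hammered.
SAMPLE = [Observation(*row) for row in [
    ("/index.html", 1.0, 1.1, 200), ("/index.html", 12.0, 12.15, 200),
    ("/index.html", 25.0, 25.2, 200), ("/index.html", 41.0, 41.1, 200),
    ("/search", 2.0, 2.3, 200), ("/search", 5.0, 5.9, 200), ("/search", 15.0, 16.2, 200),
    ("/search", 22.0, 23.0, 503), ("/search", 30.0, 31.5, 503),
    ("/search", 44.0, 44.5, 200), ("/search", 50.0, 52.0, 503), ("/search", 58.0, 59.1, 503),
]]


def build_detector() -> SlowResponseDetector:
    """60 s period, three 20 s sub-periods with thresholds 0.4/0.5/0.6 s; attack at >= 5 slow."""
    det = SlowResponseDetector(0.0, 20.0, [0.4, 0.5, 0.6], 5)
    for obs in SAMPLE:
        det.record(obs)
    return det


if __name__ == "__main__":
    det = build_detector()
    print("/search slow:", det.slow_count("/search"), "attack:", det.evaluate("/search"))
    print("/index.html attack:", det.evaluate("/index.html"), "-> thresholds", det.sub_thresholds)
    print("/search slow after adaptation:", det.slow_count("/search"))
    print("5xx in period:", failure_count(SAMPLE, 0.0, 60.0))
```

With the sample traffic, `/search` has six responses above the sub-period thresholds and is flagged, `/index.html` has none and triggers adaptation. Note the order-of-evaluation caveat the example exposes: because the adjustment averages all requests received in each sub-period, including those for the URL under attack, evaluating the healthy URL first raises the thresholds to roughly 1.06/1.8/1.85 s, after which `/search` counts only two slow responses and is no longer flagged. A practitioner would adapt only from URLs judged healthy, or freeze adaptation for the period once any URL crosses the first threshold.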
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute some steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. A method of detecting a denial of service attack comprising:
the gateway equipment receives a response message based on an application layer protocol sent by a server; the response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server;
acquiring characteristic information of the response message;
determining whether the server is attacked by denial of service according to the characteristic information;
wherein the characteristic information is response duration, and the acquiring the characteristic information of the response message includes: determining and recording the response time length of the server responding to the resource access request message accessing the same URL in a preset time period;
the determining whether the server is under a denial of service attack according to the characteristic information includes: determining the number of resource access request messages which have response time length exceeding a first time length threshold value and access the same URL in the preset time period; if the number is not less than a first threshold value, determining that the server is attacked by the denial of service;
the preset time period includes at least two sub-time periods which are sequentially connected and do not coincide with each other, and the response duration of the server responding to each resource access request message accessing the same URL in the preset time period is determined and recorded, and the method further includes:
for each resource access request message accessing the same URL, the gateway equipment records the corresponding relation between the time when the resource access request message is received and the response time length for the server to respond to the resource access request message;
the determining the number of resource access request messages with response duration exceeding a first duration threshold and accessing the same URL within the preset time period includes:
for each sub-period included in the preset period, performing:
searching a second duration threshold corresponding to a sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold;
determining the number of resource access request messages which have response time length exceeding the second time length threshold value and access to the same URL in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
and summing the number of the resource access request messages which access the same URL and have response time length exceeding a second time length threshold value corresponding to each sub-time period, and taking the summed result as the number of the resource access request messages which access the same URL and have response time length exceeding the first time length threshold value in the preset time period.
2. The method of claim 1, wherein determining a response duration for the server to respond to the resource access request message for accessing the same URL within a preset time period comprises:
in the preset time period, aiming at each resource access request message accessing the same URL, executing:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server;
recording a second moment of receiving a response message sent by the server for responding to the resource access request message;
and determining the response time length of the server to the resource access request message according to the first time and the second time.
3. The method of claim 1, further comprising:
if the number is smaller than the first threshold, for each sub-time period included in the preset time period, executing:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations;
and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
4. A gateway device, comprising:
the receiving unit is used for receiving a response message based on an application layer protocol sent by the server; the response message is used for responding to a resource access request message based on an application layer protocol from a client, and the resource access request message carries a Uniform Resource Locator (URL) of a resource provided by the server;
an obtaining unit, configured to obtain feature information of the response message received by the receiving unit;
a determining unit, configured to determine whether the server is attacked by denial of service according to the feature information acquired by the acquiring unit;
the acquisition unit is specifically configured to determine and record a response duration for the server to respond to the resource access request message for accessing the same URL within a preset time period; the determining unit is specifically configured to determine, within the preset time period, the number of resource access request messages for accessing the same URL, for which response time exceeds a first time threshold, and determine that the server is under a denial of service attack when the number is not less than the first threshold;
the preset time period comprises at least two sub-time periods which are sequentially connected and do not coincide with each other, and the acquisition unit is specifically configured to: for each resource access request message accessing the same URL, the gateway equipment records the corresponding relation between the time when the resource access request message is received and the response time length for the server to respond to the resource access request message; the determining unit is specifically configured to, for each sub-period included in the preset period, perform:
searching a second duration threshold corresponding to a sub-time period from a pre-stored corresponding relation between the sub-time period and the second duration threshold;
determining the number of resource access request messages which have response time length exceeding the second time length threshold value and access to the same URL in all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response time length;
the determining unit is further configured to sum the number of resource access request messages accessing the same URL, of which the response time length exceeds the second time length threshold corresponding to each sub-time period, and take the sum result as the number of resource access request messages accessing the same URL, of which the response time length exceeds the first time length threshold in the preset time period.
5. The gateway device of claim 4,
the obtaining unit is specifically configured to, in the preset time period, execute, for each resource access request message that accesses the same URL:
recording a first moment when the resource access request message is received, and sending the resource access request message to the server;
recording a second moment of receiving a response message sent by the server for responding to the resource access request message;
and determining the response time length of the server to the resource access request message according to the first time and the second time.
6. The gateway device according to claim 4, further comprising an adjusting unit configured to, when the number is smaller than the first threshold, perform, for each sub-period included in the preset period:
calculating the average value of the response durations of all the resource access request messages received in the sub-time period according to the recorded corresponding relation between the time of receiving the resource access request messages and the response durations;
and adjusting a second duration threshold corresponding to the sub-time period according to the average value.
CN201510715982.7A 2015-10-28 2015-10-28 Method and device for detecting denial of service attack Active CN106656912B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510715982.7A CN106656912B (en) 2015-10-28 2015-10-28 Method and device for detecting denial of service attack

Publications (2)

Publication Number Publication Date
CN106656912A CN106656912A (en) 2017-05-10
CN106656912B true CN106656912B (en) 2020-03-20

Family

ID=58830759

Country Status (1)

Country Link
CN (1) CN106656912B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108810014B (en) * 2018-06-29 2021-06-04 北京奇虎科技有限公司 Attack event warning method and device
CN109831459B (en) * 2019-03-22 2022-02-25 百度在线网络技术(北京)有限公司 Method, device, storage medium and terminal equipment for secure access
CN113806131A (en) * 2021-09-23 2021-12-17 深圳市元征软件开发有限公司 Access control method and device for fault code library, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101437030A (en) * 2008-11-29 2009-05-20 成都市华为赛门铁克科技有限公司 Method for preventing server from being attacked, detection device and monitoring device
CN101572609A (en) * 2008-04-29 2009-11-04 成都市华为赛门铁克科技有限公司 Method and device for detecting and refusing service attack
CN103179132A (en) * 2013-04-09 2013-06-26 中国信息安全测评中心 Method and device for detecting and defending CC (challenge collapsar)
CN104113525A (en) * 2014-05-23 2014-10-22 中国电子技术标准化研究院 Method and apparatus for defending resource consumption type Web attacks

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7721091B2 (en) * 2006-05-12 2010-05-18 International Business Machines Corporation Method for protecting against denial of service attacks using trust, quality of service, personalization, and hide port messages
CN101267313B (en) * 2008-04-23 2010-10-27 成都市华为赛门铁克科技有限公司 Flooding attack detection method and detection device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant