CN106656922A - Flow analysis based protective method and device against network attack

Info

Publication number: CN106656922A
Application number: CN201510729059.9A
Authority: CN (China)
Prior art keywords: network, access, webserver, attack source, traffics
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 张钊
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201510729059.9A
Publication of CN106656922A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a traffic-analysis-based method for protecting against network attacks. The method comprises: collecting the network traffic between a network server and a network routing device; parsing the network access parameters in that traffic; searching, by matching against a preset rule, for the target network access parameter that corresponds to the traffic generated when a network attack source accesses the network server; and, according to the target network access parameter, forbidding the network attack source from establishing a connection to the network server. With this scheme no operation needs to be carried out on a client or an external server, so the user's learning cost is reduced; and compared with the traditional approach in which a WAF server must be connected, the method and device apply to all clients or external servers that access the network server, so that security detection can be carried out without connecting to a WAF server, 100% security protection is provided for the network server, and the overall security of the cloud computing network is improved.

Description

A network attack protection method and device based on traffic analysis
Technical field
The application relates to the field of network technology, and in particular to a network attack protection method based on traffic analysis and a network attack protection device based on traffic analysis.
Background technology
As Web applications have grown ever richer, web servers have increasingly become the main target of attacks, and security incidents such as SQL injection, web page tampering and web page trojan embedding occur frequently.
A WAF (Web Application Firewall) is generally used as an access control device to strengthen the security of a web server: by parsing the requests initiated by web clients and inspecting their content, it verifies the legitimacy of each request, blocks illegal requests, and thereby protects the web server effectively.
Early WAFs were typically hardware devices, connected into the network in series (inline) or in bypass mode, and were generally used in IDC (Internet Data Center) machine rooms or by enterprise users. In the cloud computing systems that prevail today, the WAF offered to users is typically a cloud WAF, that is, all WAF functions are provided from the cloud and no product needs to be deployed locally. It is implemented by changing the user's NS (Name Server) records or CNAME (canonical name) records so that the network traffic is directed to the WAF servers.
Existing WAFs have the following drawbacks:
1. Because the protection rules of a hardware WAF are predefined, it is difficult to update the protection policy after a new vulnerability appears. Moreover, the complexity of its deployment and its high maintenance cost make it unsuitable for cloud computing environments.
2. Users must change NS records or CNAME records themselves to obtain security protection, which increases the user's learning cost; furthermore, for users who have not connected to the WAF servers, no security protection can be provided to the web server, so 100% protection cannot be reached in a cloud computing system and the overall security of the cloud computing network is reduced.
3. Existing WAFs usually decide whether to intercept or pass a request only after it has been matched against all rules, which increases the delay users experience when accessing the Web server.
4. Existing WAFs protect a single website or a single Web service; they perceive large-scale vulnerability scanning aimed at the whole network poorly and provide no coordinated protection against large-scale scanning of the cloud computing system by the same attacker.
Content of the invention
The technical problem to be solved by the embodiments of the present application is to provide a network attack protection method based on traffic analysis that partly or entirely solves the above problems.
Correspondingly, the embodiments of the present application further provide a network attack protection device based on traffic analysis, to ensure the implementation and application of the above method.
To solve the above problems, the present application discloses a network attack protection method based on traffic analysis, including:
collecting the network traffic between a network server and a network routing device;
parsing the network access parameters in the network traffic;
searching, by matching against a preset rule, for the target network access parameters corresponding to the network traffic generated when a network attack source accesses the network server;
forbidding the network attack source from establishing a connection with the network server according to the target network access parameters.
Preferably, collecting the network traffic between the network server and the network routing device includes:
using a network optical splitter, network switch or hub connected between the network server and the network routing device to replicate the network traffic that the network provider's server sends to the network routing device.
Preferably, collecting the network traffic between the network server and the network routing device further includes:
dividing, by means of a network traffic splitter (shunt device), the network traffic that belongs to the same network access.
Preferably, the network traffic consists of TCP messages, and before the network access parameters in the network traffic are parsed the method further includes:
determining that the TCP message is Http data recording one complete network access process.
Preferably, before the network access parameters in the network traffic are parsed, the method further includes:
if the TCP message does not record the Http data of one complete network access process, reassembling, according to the numbers carried by the TCP messages, the multiple TCP messages belonging to the same network access into Http data that records that network access through the seven-layer network transmission structure.
Preferably, the network access parameters include at least one of: Uniform Resource Identifier, access source IP, access destination IP, Host field, access link source, user agent, cookie and access request parameters.
Preferably, searching by matching against a preset rule for the target network access parameters corresponding to the network traffic generated when a network attack source accesses the network server includes:
for the network traffic corresponding to the same network access, matching the network access parameters against the preset rule, where the preset rule indicates at least one characteristic carried when the network attack source accesses the network server and the preset rule includes a plurality of sub-rules;
if the network access parameters match at least one of the sub-rules, determining that the corresponding network traffic is the network traffic generated by the network attack source accessing the network server, and taking the corresponding network access parameters as the target network access parameters.
Preferably, forbidding the network attack source from establishing a connection with the network server according to the target network access parameters consists of forbidding the network attack source from establishing a connection with the network server according to at least one other network access parameter that belongs to the same network access as the target network access parameters.
Preferably, the target network access parameters include the Uniform Resource Identifier of the network attack source, and before the network attack source is forbidden from establishing a connection with the network server according to the target network access parameters the method further includes:
extracting the access source IP of the network attack source from the network traffic of the same network access that corresponds to that Uniform Resource Identifier.
Preferably, forbidding the network attack source from establishing a connection with the network server according to at least one other network access parameter belonging to the same network access as the target network access parameters includes:
collecting in real time the network traffic sent by the network server to the network routing device;
if an access source IP recorded in the network traffic matches the access source IP of the network attack source, interrupting the connection between the network attack source and the network server by sending a connection reset message to the network attack source or to the network server.
Preferably, forbidding the network attack source from establishing a connection with the network server according to at least one other network access parameter belonging to the same network access as the target network access parameters includes:
notifying the access source IP of the network attack source to the multiple network servers of the network cluster in which the network server resides, so that each network server interrupts the connection with the network attack source when it receives a network access request from that access source IP.
The present application also provides a network attack protection device based on traffic analysis, including:
a traffic collection module, for collecting the network traffic between the network server and the network routing device;
a parameter parsing module, for parsing the network access parameters in the network traffic;
a parameter search module, for searching, by matching against a preset rule, for the target network access parameters corresponding to the network traffic generated when a network attack source accesses the network server;
a connection forbidding module, for forbidding the network attack source from establishing a connection with the network server according to the target network access parameters.
Preferably, the traffic collection module includes:
a traffic replication submodule, for using a network optical splitter, network switch or hub connected between the network server and the network routing device to replicate the network traffic that the network provider's server sends to the network routing device.
Preferably, the traffic collection module further includes:
a traffic division submodule, for dividing, by means of a network traffic splitter, the network traffic belonging to the same network access.
Preferably, the network traffic consists of TCP messages, and the device further includes:
a traffic judging module, for determining, before the network access parameters in the network traffic are parsed, that the TCP message is Http data recording one complete network access process.
Preferably, the device further includes:
a traffic reassembly module, for reassembling, before the network access parameters in the network traffic are parsed and if the TCP message does not record the Http data of one complete network access process, the multiple TCP messages belonging to the same network access into Http data recording that network access through the seven-layer network transmission structure, according to the numbers carried by the TCP messages.
Preferably, the network access parameters include at least one of: Uniform Resource Identifier, access source IP, access destination IP, Host field, access link source, user agent, cookie and access request parameters.
Preferably, the parameter search module includes:
a rule matching submodule, for matching, for the network traffic corresponding to the same network access, the network access parameters against the preset rule, where the preset rule indicates at least one characteristic carried when the network attack source accesses the network server and includes a plurality of sub-rules;
an attack traffic determination submodule, for determining, if the network access parameters match at least one of the sub-rules, that the corresponding network traffic is the network traffic generated by the network attack source accessing the network server, and taking the corresponding network access parameters as the target network access parameters.
Preferably, the connection forbidding module is specifically for forbidding the network attack source from establishing a connection with the network server according to at least one other network access parameter that belongs to the same network access as the target network access parameters.
Preferably, the target network access parameters include the Uniform Resource Identifier of the network attack source, and the device further includes:
an IP extraction module, for extracting, before the network attack source is forbidden from establishing a connection with the network server according to the target network access parameters, the access source IP of the network attack source from the network traffic of the same network access that corresponds to that Uniform Resource Identifier.
Preferably, the connection forbidding module includes:
a real-time traffic collection submodule, for collecting in real time the network traffic sent by the network server to the network routing device;
a first connection interruption submodule, for interrupting, if an access source IP recorded in the network traffic matches the access source IP of the network attack source, the connection between the network attack source and the network server by sending a connection reset message to the network attack source or to the network server.
Preferably, the connection forbidding module includes:
a second connection interruption submodule, for notifying the access source IP of the network attack source to the multiple network servers of the network cluster in which the network server resides, so that each network server interrupts the connection with the network attack source when it receives a network access request from that access source IP.
Compared with the prior art, the embodiments of the present application have the following advantages:
According to the embodiments of the present application, the network traffic between the network server and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against a preset rule, the target network access parameters corresponding to the network traffic generated when a network attack source accesses the network server are found, and on this basis the network attacks of the attack source are monitored and the attack source is forbidden from establishing a connection with the network server. With this scheme no setting operation needs to be carried out on the client or external server, which reduces the user's learning cost; compared with the traditional approach of connecting to WAF servers, the embodiments apply to all clients or external servers that access the network server, so security detection can be carried out without connecting to WAF servers, 100% security protection is provided for the network server, and the overall security of the cloud computing system is improved.
Moreover, the embodiments mine the target network access parameters of the network attack source through rule matching and monitor the real-time network traffic on that basis; compared with the traditional approach of performing rule matching on each network request as it arrives, this reduces the delay of user access to the Web server and shortens the time users wait for network services.
The system corresponding to the embodiments can be deployed in software on any suitable server or hardware device; compared with a hardware WAF that protects with predefined rules, only the protection rules need to be updated when a new vulnerability appears, deployment is convenient and simple, maintenance cost is greatly reduced, and the system is better suited to cloud computing environments.
According to the embodiments, the mined target network access parameters of the network attack source can also be notified to all network servers in the network cluster, so that coordinated protection can be provided against large-scale scanning of the cloud computing network by the same network attack source.
Furthermore, the application can identify the target network access parameters, associate with them at least one other network access parameter of the same network access, and carry out attack protection on the basis of the associated parameters, so that the network attack source is protected against more comprehensively and the incomplete protection that imperfect rule matching would cause is avoided.
Further, traditional firewalls operate at layers 3 and 4 of the OSI (Open System Interconnection) seven-layer model and cannot meet the seven-layer protection requirements of today's web applications. The embodiments can reassemble Http data that records a network access through the seven-layer network transmission structure and identify the network attack source from multiple network access parameters of that seven-layer Http data in order to forbid it from accessing the network server; compared with traditional firewalls that operate only at layers 3 and 4, the network protection of the embodiments is more comprehensive and better maintains the security of the network server.
The above is only a summary of the technical scheme of the application. So that the technical means of the application can be better understood and practised according to the content of the specification, and so that the above and other objects, features and advantages of the application become more apparent, specific embodiments of the application are set out below.
Description of the drawings
Fig. 1 shows a flow chart of the steps of embodiment 1 of a network attack protection method based on traffic analysis according to the application;
Fig. 2 shows a flow chart of the steps of embodiment 2 of a network attack protection method based on traffic analysis according to the application;
Fig. 3 shows a schematic diagram of the hardware device connections in an example of the embodiments of the application;
Fig. 4 shows a schematic diagram of TCP message reassembly in an example of the embodiments of the application;
Fig. 5 shows a schematic diagram of attack blocking in an example of the embodiments of the application;
Fig. 6 shows a structural block diagram of embodiment 1 of a network attack protection device based on traffic analysis according to the application;
Fig. 7 shows a structural block diagram of embodiment 2 of a network attack protection device based on traffic analysis according to the application.
Specific embodiments
To make the above objects, features and advantages of the application clearer and easier to understand, the application is described in further detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, which shows a flow chart of the steps of embodiment 1 of a network attack protection method based on traffic analysis according to the application, the method may specifically include the following steps:
Step 101: collect the network traffic between the network server and the network routing device.
When a client or external server accesses the internet service offered by a network provider, its network access request is sent through the network routing device to the network server provided by the network provider; the information the network server returns in response to the request is sent from the network server to the network routing device and from there on to the client or external server.
In the embodiments of the application, the network traffic collected between the network server and the network routing device includes both the traffic sent from the network server to the network routing device and the traffic sent from the network routing device to the network server. The collected traffic records multiple access processes of multiple clients or external servers to the network server, together with all the packets the network server receives or sends during those accesses.
Step 102: parse the network access parameters in the network traffic.
The network traffic records the parameters related to each internet access; these are called network access parameters. The parsed parameters can then be used to analyse the network attack source that attacks the network server. The network attack source may be any end that accesses the network server, such as a client or another external server, and the network access parameters may be any of the data the network traffic contains; the application does not restrict this.
In a preferred embodiment of the application, the network access parameters parsed from the network traffic may include at least one of: the Uniform Resource Identifier (URI), access source IP, access destination IP, Host field, access link source, user agent (User-Agent), cookie and access request parameters.
Here, the URI is the web page address that the network access request accesses; the access source IP is the IP address of the client that sends the request; the access destination IP is the IP address of the server that holds the web page; the Host field identifies the domain name of the web page the request accesses; the access link source (Referer) represents the origin of the current web page, i.e. the previous page that linked to it (taking a picture as an example, the Referer is the web page on which the picture is located); the user agent (User-Agent) is a special string header that lets the server identify the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on used by the client; and the access request parameters include the structured data corresponding to, for example, GET and POST.
Specifically, when a client accesses a web page it sends a network access request to the network server. Taking an access request in Http (Hyper Text Transfer Protocol) format as an example, the request consists of an initial line, one or more header fields, an empty line that terminates the header fields, and an optional message body. The header fields fall into four groups: general headers, request headers, response headers and entity headers. The request headers carry the additional information that the client or external server transmits to the network server about the access request, or about the terminal on which the client runs or about the external server.
The following example shows an Http network access request:
GET http://download.microtool.de:80/somedata.exe
Host:download.microtool.de
Accept:*/*
Pragma:no-cache
Cache-Control:no-cache
Referer:http://download.microtool.de/
User-Agent:Mozilla/4.04[en](Win95;I;Nav)
Range:Bytes=554554-
Here, the URI is http://download.microtool.de:80/somedata.exe, Host is download.microtool.de, Referer is http://download.microtool.de/, and User-Agent is Mozilla/4.04 [en] (Win95;I;Nav).
Step 103: by matching against a preset rule, search for the target network access parameters corresponding to the network traffic generated when a network attack source accesses the network server.
The network attack source is analysed in advance: the various characteristic data carried in the network access parameters during the attack source's internet accesses are gathered statistically, and rules for screening out the target network access parameters corresponding to the network attack source are then established from these characteristic data.
For example, a preset rule may cover situations such as the network access parameters containing or not containing certain preset characteristic data, or the number of occurrences of a characteristic exceeding or falling below a threshold. A preset rule may be a single rule or be made up of many rules, and it can be set that the network access parameters are determined to be target network access parameters when all rules, or a certain number of rules, are satisfied. In implementation any suitable rule may be adopted, and the application does not limit this.
Step 104: forbid the network attack source from establishing a connection with the network server according to the target network access parameters.
After the target network access parameters corresponding to the network attack source have been parsed and analysed from the network traffic, the access behaviour between clients or external servers and the network server is monitored; the behaviour of the network attack source can be monitored according to the target network access parameters, and when the network attack source is found accessing the network server it is forbidden from establishing a connection with the network server.
Specifically, the network attack may be prevented, for example, by monitoring the network traffic and acting when the target network access parameters are found to be carried in it; or by specifically monitoring the TCP three-way handshake or four-way close in the network traffic and acting on particular network access parameters therein. Any other suitable method may also be chosen; the application is not limited to this.
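The following added example (not code from the patent or its applicant) carries steps 102 to 104 through in Python on the request shown above: it parses the access parameters the description lists, matches them against a preset rule made of sub-rules with a configurable number of required matches, and, for a flagged access, takes the source IP of that same access as the identifier to forbid. The rule format, field names, signature strings and sample records are constructed assumptions.

```python
"""Parse the network access parameters of an Http request (step 102), match
them against a preset rule of sub-rules (step 103) and, from the same
access, derive the source IP to forbid (step 104). Added example, not the
patent's code: rule format, field names and samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit


@dataclass
class AccessRecord:
    """One access as the traffic splitter delivers it: IPs plus the request."""
    src_ip: str
    dst_ip: str
    request: bytes


def parse_access_parameters(rec: AccessRecord) -> Dict[str, object]:
    """Extract the parameters the description names: URI, source and
    destination IP, Host, Referer, User-Agent, cookie and request parameters
    (query string for GET, form body for POST)."""
    head, _, body = rec.request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, _, rest = lines[0].partition(" ")
    uri = rest.rsplit(" ", 1)[0] if " HTTP/" in rest else rest  # version optional
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # 'Host:x' and 'Host: x' both occur
        if sep:
            headers[name.strip().lower()] = value.strip()
    params = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    if method.upper() == "POST":
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {"uri": uri, "src_ip": rec.src_ip, "dst_ip": rec.dst_ip,
            "host": headers.get("host", ""), "referer": headers.get("referer", ""),
            "user_agent": headers.get("user-agent", ""),
            "cookie": headers.get("cookie", ""), "params": params}


@dataclass
class SubRule:
    """A characteristic of the attack source in one parameter: op is
    'contains', 'not_contains' or 'count_over' (count of value > threshold)."""
    field_name: str
    op: str
    value: str
    threshold: int = 0

    def matches(self, p: Dict[str, object]) -> bool:
        subject = p.get(self.field_name, "")
        if isinstance(subject, dict):  # request parameters: flatten to k=v text
            subject = " ".join(f"{k}={v}" for k, v in subject.items())
        subject, needle = str(subject).lower(), self.value.lower()
        if self.op == "contains":
            return needle in subject
        if self.op == "not_contains":
            return needle not in subject
        if self.op == "count_over":
            return subject.count(needle) > self.threshold
        raise ValueError(f"unknown op {self.op!r}")


def match_preset_rule(p: Dict[str, object], sub_rules: List[SubRule],
                      min_matches: int = 1) -> List[SubRule]:
    """Step 103: parameters are target parameters when at least min_matches
    sub-rules match ('all rules or a certain number'); [] when not flagged."""
    hits = [r for r in sub_rules if r.matches(p)]
    return hits if len(hits) >= min_matches else []


def protect(records: List[AccessRecord], sub_rules: List[SubRule],
            min_matches: int = 1) -> Dict[str, List[str]]:
    """Steps 102-104 over a batch: parse, match, and for every flagged access
    take the source IP of that same access as the identifier to forbid."""
    to_forbid: Dict[str, List[str]] = {}
    for rec in records:
        p = parse_access_parameters(rec)
        for r in match_preset_rule(p, sub_rules, min_matches):
            to_forbid.setdefault(rec.src_ip, []).append(f"{r.field_name} {r.op} {r.value}")
    return to_forbid


# Constructed preset rule: a scanner signature in the user agent, or more
# than one quote character in the URI (a crude SQL injection characteristic).
RULES = [SubRule("user_agent", "contains", "sqlmap"),
         SubRule("uri", "count_over", "'", threshold=1)]

# Constructed sample: the description's own request (benign) and one request
# carrying attack-source characteristics; documentation address ranges.
RECORDS = [
    AccessRecord("192.0.2.15", "203.0.113.10",
                 b"GET http://download.microtool.de:80/somedata.exe\r\n"
                 b"Host:download.microtool.de\r\nReferer:http://download.microtool.de/\r\n"
                 b"User-Agent:Mozilla/4.04[en](Win95;I;Nav)\r\n\r\n"),
    AccessRecord("198.51.100.7", "203.0.113.10",
                 b"GET /item.php?id=1'%20or%20'1'='1 HTTP/1.1\r\n"
                 b"Host: shop.example\r\nUser-Agent: sqlmap/1.0-demo\r\n\r\n"),
]
```

Running `protect(RECORDS, RULES)` flags only the second record and returns its source IP with the two matched sub-rules, while the benign request from the description matches nothing.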
To sum up, according to the embodiment of the present application, gather between the webserver and network routing device Network traffics, and the network access parameters of correlation are therefrom parsed, further by matching with presetting rule, Search the corresponding objective network of network traffics produced by Attack Source access network services device and access ginseng Number, and the network attack of attack source is monitored on this basis, forbid Attack Source with the network service Device sets up connection.Using the scheme of the embodiment of the present application, without the need for carrying out appointing to client or external server What arranges operation, reduces the learning cost of user;Need to access WAF servers compared to tradition Mode, the embodiment of the present application is directed to the client or external server of all access network services devices, without the need for WAF servers are accessed, safety detection is can be carried out, the safety for providing 100% for the webserver is prevented Shield, improves the overall security of system for cloud computing.
Also, the embodiment of the present application accesses ginseng by the objective network that rule match excavates Attack Source Real-time network traffics are monitored on this basis by number, interim to network request compared to traditional Carry out the mode that rule match is detected, it is possible to reduce user accesses the time delay of Web server, contracting Short user obtains the stand-by period of network service.
The corresponding system of the embodiment of the present application can be deployed in a software form any suitable server or Hardware unit, for example, can be deployed in and be connected to network flow between the webserver and network routing device On the collecting device of amount, or it is deployed on the webserver, or step 101-103 is deployed in adopts On collection equipment, step 104 is deployed in a certain layer in multiple protocol layers of the webserver, for example, for Using the webserver of OSI seven layer models, step 104 correspondence can be implemented in IP layer (three-layer networks Network layers), or TCP/UDP layers (four layers of transport layer) etc., for the protection of this layer.Compared to hardware shape By the way of predefined protection rule, new leak being updated i.e. rule the WAF of formula occurs Can, deployment is convenient and simple, greatly reduces maintenance cost, can be preferably applied for system for cloud computing ring Border.
In the embodiment of the present application, step 101 may preferably include:
Sub-step S1: using a network optical splitter, network switch or hub connected between the web server and the network routing device, replicating the network traffic sent by the web server to the network routing device.
A mirror of the network traffic can be collected by placing a network optical splitter between the web server and the network routing device. The optical splitter is connected to the optical fibre transmission path and copies the data transmitted over the fibre: the original traffic passes through normally, while a copy of the monitored traffic is provided for analysis. A network switch, hub or any other suitable device can also be placed between the web server and the network routing device to collect a mirror of the network traffic; the present application does not limit this. The network switch is hardware for expanding a network: it provides more connection ports for a sub-network and thereby increases the number of terminal devices that can be connected. A hub regenerates, reshapes and amplifies the signals received in network transmission, extending the transmission range of the network. Compared with a switch or hub, obtaining the mirrored traffic through an optical splitter avoids any impact on the CPU performance of the switch or hub.
In the embodiment, the network optical splitter, network switch, collector or similar device connected between the web server and the network routing device may also be connected to a network shunt device, and step 101 may further include: dividing, by the network shunt device, the network traffic belonging to the same network access.
The network shunt device further separates the collected link data into collection interfaces and supplies data to the Internet information security monitoring system. Through steps such as replication, aggregation, filtering and protocol conversion applied to the data input into the network shunt device, it is ensured that all network traffic belonging to the same network access is output from the same interface. Specifically, the traffic of different network accesses can be divided according to the IP address, access time, source IP, destination IP and the like carried in the network traffic packets, or according to other preset identifiers.
In the embodiment of the present application, step 103 may preferably include:
Sub-step S2: for the network traffic corresponding to the same network access, matching the network access parameters against the preset rule, where the preset rule indicates at least one item of characteristic data carried when the network attack source accesses the web server and the preset rule comprises a plurality of sub-rules;
Sub-step S3: if the network access parameters match at least one of the sub-rules, determining that the corresponding network traffic is the traffic generated by the network attack source accessing the web server, and taking the corresponding network access parameters as the target network access parameters.
A preset rule conforming to the network attack source is configured in advance; network traffic matching the preset rule is then the traffic generated when the attack source accesses the web server. The preset rule can be set according to actual requirements, for example according to the characteristic data in the network traffic corresponding to the attack source. Rule matching can be performed in various ways; for example, the preset rule may be that the network access parameters contain certain characteristic data, or that the number of occurrences of that characteristic data in the network access parameters exceeds a certain threshold. The present application does not limit this.
In the embodiment, forbidding the network attack source from establishing a connection with the web server according to the target network access parameter may be: forbidding the network attack source from establishing a connection with the web server according to at least one other network access parameter that belongs to the same network access as the target network access parameter.
In implementation, the target network access parameter found can be added to a blocking list and used as the identifier for monitoring the network attack source. For example, after a URI containing "and" is identified, the URI is determined to have been generated by the attack source accessing the network, and connections from the attack source to the web server can be monitored and forbidden according to that URI. Alternatively, according to the target network access parameter, at least one other network access parameter belonging to the same network access is looked up, and the parameter found is added to the blocking list as the identifier for monitoring the attack source. For example, after a URI containing "and" is identified and determined to have been generated by the attack source, the IP of the attack source in the same access is further looked up; which identifier to use can be configured as required, and connections from the attack source to the web server can be monitored and forbidden according to either the URI or the IP.
Therefore, by identifying the target network access parameter, associating it with at least one other network access parameter in the same network access, and performing attack protection on the basis of the associated parameters, the network attack source can be protected against more comprehensively, avoiding the insufficient protection caused by imperfect rule matching.
It should be understood that, to achieve more comprehensive protection, as many network access parameters in the network traffic as possible can be associated. Before the network access parameters are extracted, it can be determined whether the network traffic is complete HTTP data and, if not, the data can be reassembled to obtain complete HTTP data.
Correspondingly, the target network access parameter may preferably include the Uniform Resource Identifier (URI) of the network attack source, and before the network attack source is forbidden from establishing a connection with the web server according to the target network access parameter, the method may further include:
extracting the source IP of the network attack source from the network traffic of the same network access as that corresponding to the Uniform Resource Identifier.
Further, in a preferred embodiment of the present application, the network attack source can be forbidden from establishing a connection with the web server by monitoring the network traffic it generates in real time, and step 104 may include:
Sub-step S5: collecting in real time the network traffic sent by the web server to the network routing device;
Sub-step S6: if the source IP recorded in the network traffic matches the source IP of the network attack source, interrupting the connection between the network attack source and the web server by sending a connection reset message to the network attack source or to the web server.
By collecting network traffic in real time, the present application identifies whether the traffic contains the source IP of the network attack source and, if so, determines that the traffic was generated by the attack source. Particularly preferably, the source IP of the attack source can be identified by parsing the three-way handshake information in the network traffic: when step 104 is deployed on the collection device, identification is performed by parsing the three-way handshake information in the collected traffic; when step 104 is deployed in a layer of the web server, the source IP of the attack source is identified when that layer receives the three-way handshake information.
The three-way handshake protocol refers to the preparatory stage before data is sent, in which three interactions are required between the destination server providing the service and the client or external server:
First handshake: the client or external server sends a SYN packet (SYN=j) to the destination server, enters the SYN_SEND state and waits for the destination server to confirm.
Second handshake: the destination server receives the SYN packet and must acknowledge it (ACK=j+1) while sending a SYN packet of its own (SYN=k), i.e. a SYN-ACK packet; the destination server then enters the SYN_RECV state.
Third handshake: the client or external server receives the SYN-ACK packet from the destination server and sends an acknowledgement packet ACK (ACK=k+1) to it; once this packet is sent, the client or external server and the destination server enter the ESTABLISHED state and the three-way handshake is complete.
After the connection is established, the client or external server and the destination server can begin data transmission.
In the embodiment, the SYN message sent by the client or external server to the destination server, or the SYN-ACK message sent by the destination server to the client or external server, can be monitored and parsed to identify the source IP of the network attack source; a connection reset message (RST message) can then be sent to the destination server or to the client/external server to interrupt the connection between the attack source and the web server.
Further, in another preferred embodiment of the present application, the web server can be configured to prevent the network attack source from accessing it, and step 104 may include:
Sub-step S7: notifying the source IP of the network attack source to the plurality of web servers included in the network cluster in which the web server resides, so that each web server interrupts the connection with the network attack source when it receives a network access request from the source IP of the attack source.
After the network traffic generated by a certain attack source accessing a certain web server is recognized, the source IP of the attack source can be extracted, and access by the attack source is then prevented by recognizing that source IP. Specifically, the source IP can be notified to the web server it accessed so that this web server prevents the attack source from accessing it, or the source IP can also be sent to the plurality of web servers in the network cluster in which the accessed web server resides, preventing the attack source from accessing any web server in the cluster, so that coordinated protection is provided against large-scale scanning of the cloud computing system by the same attack source.
Referring to Fig. 2, a flow chart of the steps of embodiment 2 of a flow-analysis-based network attack protection method of the present application is shown, which may specifically include the following steps:
Step 201: collecting the network traffic between the web server and the network routing device, where the network traffic is TCP messages.
The client or external server establishes a network connection with the web server at the transport layer and then transmits data at the application layer. Depending on the transport protocol adopted at the transport layer, the network traffic may be data of different formats under the corresponding protocol. Taking as an example TCP (Transmission Control Protocol) as the transport-layer protocol and HTTP (HyperText Transfer Protocol) as the corresponding application-layer protocol, the network traffic monitored by the present application is TCP messages.
Step 202: determining whether the TCP message is HTTP data recording one complete network access procedure.
In a network access procedure, data is transmitted through the seven-layer transmission structure of the OSI model, consisting of the application, presentation, session, transport, network, data link and physical layers; a complete network access procedure therefore records the HTTP data that has passed through this seven-layer network transmission structure.
It will be appreciated that network traffic recording a complete network access procedure, such as complete HTTP data, includes the various parameters added to the traffic by the multi-layer network transmission protocols, and performing rule matching on the complete set of network access parameters achieves more comprehensive protection. If the network traffic is incomplete, it can be reassembled, for example by seven-layer reassembly of network traffic transmitted according to the OSI model.
To determine whether a TCP message is HTTP data recording one complete network access procedure, it can first be determined whether the TCP message is an HTTP request by checking whether it contains an HTTP, GET, PUT or POST field, and then whether the message is a complete HTTP request. Preferably, a complete HTTP request can be determined by determining that the HTTP request header has ended, or by any other suitable method such as a keyword check or a message length check. Taking the end of the request header as an example: for an HTTP GET request, if the message is detected to end with \r\n\r\n, the request header is determined to have ended; for an HTTP POST request, if the header is detected to end with \r\n\r\n and the length of the data portion equals the length specified by the Content-Length field in the request header, the request header is determined to have ended.
Step 203: if the TCP message is not HTTP data recording one complete network access procedure, reassembling, according to the numbering carried by the TCP messages, the multiple TCP messages belonging to the same network access into HTTP data recording that network access through the seven-layer network transmission structure.
If the TCP message is HTTP data recording one complete network access procedure, the network access parameters in it can be extracted directly; if it does not record a complete network access procedure, the incomplete TCP messages need to be reassembled.
TCP messages belonging to the same network access procedure carry associated message numbers, so the TCP messages with matching message numbers can be combined to obtain HTTP data recording one complete network access procedure. Preferably, the message numbers of the TCP messages belonging to the same network access procedure increase in units of bytes: the message number of the next TCP message equals the message number of the previous TCP message plus the length of the previous TCP message. Therefore, if multiple TCP messages are detected to conform to this numbering rule, they can be determined to belong to the same network access procedure.
Step 204: parsing the network access parameters in the network traffic.
Step 205: by matching with the preset rule, finding the target network access parameter corresponding to the network traffic generated by the network attack source accessing the web server.
The HTTP data obtained after reassembly records multiple network access parameters, and one or more rules can be configured and matched according to actual requirements, so that identification is performed according to multiple network access parameters and the network attack source is monitored more comprehensively.
Step 206: forbidding the network attack source from establishing a connection with the web server according to the target network access parameter.
Specifically, network attack protection can be performed on the basis of the target network access parameter found. The multiple network access parameters recorded in the HTTP data of one complete network access procedure after seven-layer reassembly can be extracted, the target network access parameter found can be associated with at least one network access parameter recorded in that HTTP data, and network attack protection can be performed on the basis of the associated parameters. Which network access parameters are used as the basis can be configured according to actual requirements; the present application does not limit this.
According to the embodiment of the present application, network traffic is collected between the web server and the network routing device, the associated network access parameters are parsed from it, the parameters are matched against a preset rule to find the target network access parameter corresponding to the network traffic generated by a network attack source accessing the web server, and on this basis the network attack source is monitored and forbidden from establishing a connection with the web server. With this scheme, no configuration of the client or external server is required, which reduces the learning cost for users. Compared with the traditional approach in which traffic must be routed through WAF servers, the embodiment performs security detection for every client or external server that accesses the web server without requiring them to be connected to WAF servers, providing 100% security protection for the web server and improving the overall security of the cloud computing system.
Furthermore, the embodiment mines the target network access parameter of the network attack source through rule matching and monitors real-time network traffic on that basis. Compared with the traditional approach of performing rule matching on each network request as it arrives, this reduces the latency of user access to the web server and shortens the time users wait for network services.
The system corresponding to the embodiment can be deployed in software on any suitable server or hardware device. Compared with a hardware WAF that protects by means of predefined rules, it is sufficient to update the rules when a new vulnerability appears; deployment is convenient and simple, maintenance cost is greatly reduced, and the scheme is well suited to cloud computing environments.
According to the embodiment, the mined target network access parameter of the network attack source can also be notified to all web servers in the network cluster, so that coordinated protection is provided against large-scale scanning of the cloud computing network by the same attack source.
Further, a traditional firewall operates at layers 3 and 4 of the OSI (Open System Interconnection) seven-layer model and cannot meet the current seven-layer protection requirements of web applications. The embodiment can reassemble the HTTP data recording a network access through the seven-layer network transmission structure and identify the network attack source according to the multiple network access parameters of that HTTP data, so as to forbid it from accessing the web server. Compared with a traditional firewall operating only at layers 3 and 4, the network protection of the embodiment is more comprehensive and better maintains the security of the web server.
It should be noted that, for the sake of brevity, the method embodiments are expressed as a series of combined actions, but those skilled in the art should understand that the embodiments are not limited by the described order of actions, since according to the embodiments some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.
To help those skilled in the art better understand the present application, the flow-analysis-based network attack protection scheme of the embodiments is described below by way of specific examples.
Referring to Fig. 3, a hardware connection diagram of an example of an embodiment of the present application is shown.
An optical splitter and a shunt device are connected between the servers and the core router of the ISP (Internet Service Provider). Traffic is split off on the carrier side and then passes through the shunt device to the collectors, being distributed to collector 1 and collector 2. A collector is the receiving server for the mirrored traffic; it is generally fitted with a Broadcom 10-gigabit network interface card suited to the processing demand and runs the bypass WAF system implementing the embodiment, which may include six parts: a traffic collection subsystem, an HTTP reassembly subsystem, an HTTP information extraction subsystem, a rule matching subsystem, a bypass blocking subsystem and a logging subsystem.
The implementation process of the scheme is as follows:
After the collector driver receives the data traffic, it selects the traffic destined for the target port and copies it, and the HTTP reassembly subsystem then performs seven-layer reassembly.
Fig. 4 shows a schematic diagram of TCP message reassembly in an example of an embodiment of the present application.
The HTTP reassembly subsystem reassembles the TCP segments of the same stream to obtain complete HTTP requests. The reassembly process includes:
For each TCP message for the target port (here port 80) uploaded by the driver, the message is identified as an HTTP request according to keywords such as HTTP, GET, PUT or POST, and it is then checked whether the message is a complete HTTP request; if so, it is sent to the HTTP information extraction subsystem, otherwise it is cached. When the HTTP requests in the cache are reassembled, the TCP sequence numbers are the basis for reassembly; after reassembly is complete, all complete HTTP requests are finally sent to the HTTP information extraction subsystem.
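The completeness test of step 202 and the sequence-number reassembly of step 203 and of the HTTP reassembly subsystem just described, as an added Python illustration that is not the patent's own code: the Segment type, the per-flow cache and the sample addresses and sequence numbers are constructed here as assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample values (not from the patent): RFC 5737 documentation
# addresses, arbitrary sequence numbers.
HTTP_METHODS = (b"GET", b"POST", b"PUT")
HEADER_END = b"\r\n\r\n"


@dataclass
class Segment:
    """One TCP segment as the collector's driver would hand it up (assumed shape)."""
    src: str        # "ip:port" of the client or external server
    dst: str        # "ip:port" of the web server (port 80 in the patent's example)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def looks_like_http_request(data: bytes) -> bool:
    """Keyword test from step 202: request line starts with GET/POST/PUT and names HTTP."""
    request_line = data.split(b"\r\n", 1)[0]
    return request_line.startswith(HTTP_METHODS) and b"HTTP/" in request_line


def is_complete_request(data: bytes) -> bool:
    """Header-end test from step 202: the header must close with CRLFCRLF, and for a
    request carrying a body (POST) the body length must equal Content-Length.
    A GET has no body, so trailing bytes mean the data is not exactly one request."""
    end = data.find(HEADER_END)
    if end < 0:
        return False
    head, body = data[:end], data[end + len(HEADER_END):]
    content_length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                content_length = int(value.strip())
            except ValueError:
                return False          # malformed header: never treat as complete
    return len(body) == content_length


class Reassembler:
    """Step 203 / HTTP reassembly subsystem: cache incomplete segments per flow and
    stitch them while each segment's seq equals the previous seq plus its length.
    Sequence-number wraparound is ignored for brevity."""

    def __init__(self) -> None:
        # flow key -> {seq: payload}; a retransmitted seq simply overwrites
        self.cache: Dict[Tuple[str, str], Dict[int, bytes]] = {}

    def pending_flows(self) -> int:
        return len(self.cache)

    def feed(self, seg: Segment) -> Optional[bytes]:
        """Return the complete HTTP request once the flow is contiguous and complete;
        otherwise return None and keep the segment cached."""
        key = (seg.src, seg.dst)
        pending = self.cache.setdefault(key, {})
        pending[seg.seq] = seg.payload
        seqs = sorted(pending)
        data = pending[seqs[0]]
        expected = seqs[0] + len(data)
        for s in seqs[1:]:
            if s != expected:
                return None           # hole in the stream: wait for the missing bytes
            data += pending[s]
            expected = s + len(pending[s])
        if looks_like_http_request(data) and is_complete_request(data):
            del self.cache[key]
            return data
        return None


def classify(data: bytes) -> str:
    """The three outcomes of step 202 for a single TCP payload."""
    if not looks_like_http_request(data):
        return "not_http"
    return "complete" if is_complete_request(data) else "partial"


if __name__ == "__main__":
    client, server = "203.0.113.5:40000", "198.51.100.10:80"
    head = b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 9\r\n\r\n"
    first = Segment(client, server, 1000, head)
    second = Segment(client, server, 1000 + len(head), b"user=abcd")
    r = Reassembler()
    print(r.feed(second))   # None: the body segment alone is not an HTTP request
    print(r.feed(first))    # the full request once the earlier segment arrives
```

The out-of-order delivery in the usage shows why the cache is keyed by sequence number rather than arrival order.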
The HTTP information extraction subsystem processes the reassembled HTTP information and extracts the URI, source IP, destination IP, Host, Referer, user agent, cookie, request parameters and other information for rule matching.
The rule matching subsystem matches all rules against the information extracted by the HTTP information extraction subsystem. If any one rule matches, the request is considered an attack, and the attacker's IP is added to the blocking list and forbidden from accessing the web servers in all cloud computing clusters. A WAF rule is a logical expression consisting of a plurality of sub-rules combined directly with "or". Each sub-rule is a description of a feature of a single item of HTTP information; for example, "URI contains 'and'" is a sub-rule, where the URI is one kind of HTTP information extracted by the HTTP information extraction subsystem.
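Parameter extraction, OR-combined sub-rule matching and the association of the matched URI with the source IP of the same access (sub-steps S2-S3 and the extraction and rule matching subsystems above), as an added Python example that is not the patent's code: the AccessParams fields follow the list on the page, while the sample rule set, rule numbers and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

HEADER_END = b"\r\n\r\n"


@dataclass
class AccessParams:
    """The network access parameters the extraction subsystem pulls from one request."""
    uri: str
    source_ip: str
    dest_ip: str
    host: str
    referer: str
    user_agent: str
    cookie: str
    request_params: Dict[str, List[str]]


def extract_params(request: bytes, source_ip: str, dest_ip: str) -> AccessParams:
    """Parse one complete (already reassembled) HTTP request into AccessParams.
    Source and destination IP come from the TCP/IP layer, so they are passed in."""
    head, _, body = request.partition(HEADER_END)
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qs(urlsplit(uri).query)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_qs(body.decode("latin-1")).items():
            params.setdefault(key, []).extend(values)
    return AccessParams(uri, source_ip, dest_ip, headers.get("host", ""),
                        headers.get("referer", ""), headers.get("user-agent", ""),
                        headers.get("cookie", ""), params)


@dataclass
class SubRule:
    """One feature of one item of HTTP information, e.g. URI contains "and".
    Plain substring matching follows the page's example; it also fires on benign
    URIs such as /brand, so production rules need tighter patterns."""
    number: int
    field: str        # attribute name of AccessParams
    contains: str

    def matches(self, p: AccessParams) -> bool:
        value = getattr(p, self.field)
        if isinstance(value, dict):
            value = " ".join(v for vs in value.values() for v in vs)
        return self.contains.lower() in value.lower()


@dataclass
class Rule:
    """A WAF rule: its sub-rules are combined with OR, as the page describes."""
    name: str
    sub_rules: List[SubRule]

    def first_hit(self, p: AccessParams) -> Optional[SubRule]:
        return next((s for s in self.sub_rules if s.matches(p)), None)


class RuleMatcher:
    """Matches every rule; on a hit the URI is the target parameter, and the source IP
    of the same access is associated with it and placed on the blocking list."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.blocked_ips: Set[str] = set()
        self.blocked_uris: Set[str] = set()
        self.attack_log: List[Dict[str, str]] = []   # attacker IP, attacked IP, request, rule

    def inspect(self, p: AccessParams) -> Optional[int]:
        """Return the number of the sub-rule hit, or None for a clean request."""
        for rule in self.rules:
            hit = rule.first_hit(p)
            if hit is not None:
                self.blocked_uris.add(p.uri)
                self.blocked_ips.add(p.source_ip)
                self.attack_log.append({"attacker_ip": p.source_ip, "attacked_ip": p.dest_ip,
                                        "request": p.uri, "rule": str(hit.number)})
                return hit.number
        return None


# Constructed sample rule set (assumption): the page's own "URI contains and"
# plus two further feature descriptions of the same kind.
SAMPLE_RULE = Rule("injection-heuristic", [
    SubRule(1001, "uri", "and"),
    SubRule(1002, "uri", "union select"),
    SubRule(1003, "request_params", "' or "),
])
```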
Interception of the attacker is implemented by the bypass blocking subsystem. The bypass blocking principle is to monitor, in real time in the mirrored traffic, the TCP three-way handshake information of malicious IPs and to send TCP RST messages so that the malicious IP cannot establish a TCP connection with the VM, thereby protecting the VMs in the cloud computing cluster. Fig. 5 shows a schematic diagram of attack blocking in an example of an embodiment of the present application; the specific flow includes:
1. The rule matching subsystem adds the attacker IP that hit a rule to the blocking list by calling the API of the bypass blocking subsystem.
2. The external server sends a SYN message to the cloud computing VM; the collector monitors in real time the SYN-ACK messages sent by machines inside the cloud computing cluster to external servers and exactly matches the destination IP contained in each message against the blocking list.
3. If the destination IP is in the blocking list, it is an attacker IP; according to the TCP sequence number of the SYN-ACK, a TCP RST message is constructed and sent to the server in the cloud computing VM, where the destination IP of the message is the cloud computing cluster server IP and the source IP is the attacker IP.
4. Sending the TCP RST message interrupts the connection between the attacker IP and the cloud computing VM, so that the attacker IP in the blocking list cannot complete the TCP three-way handshake and cannot continue to attack the servers of the cloud computing cluster.
5. The logging subsystem records web attack events and blocking events. An attack record includes the attacker source IP, the attacked IP, the attack request and the number of the rule hit; a blocking record includes the source IP, source port, destination IP, destination port and the like.
It should be noted that the interception can also be performed when the SYN message is sent and its IP is matched; the bypass blocking subsystem can equally block the three-way handshake by sending an RST to the attacker.
Preferably, the packet-receiving driver module in the traffic collection subsystem can be implemented in a variety of ways, such as DPDK, pf_ring, libpcap or a modified ixgbe driver; the code implementing the method of the embodiment can be written in any suitable language, such as C; any applicable processor architecture can be used in implementation, preferably the x86 architecture (the computer instruction set executed by the microprocessor).
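The decision logic of the bypass blocking flow above (steps 2-4 and the SYN-time variant), as an added Python example that is not the patent's code: it models only the header fields needed to decide and to fill in the reset, emits no packet, and uses constructed addresses, ports and sequence numbers; the TcpHeader type and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

MASK32 = 0xFFFFFFFF   # TCP sequence space


@dataclass(frozen=True)
class TcpHeader:
    """Header fields of one mirrored segment (constructed model, not a wire format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False
    rst: bool = False


def rst_for_synack(synack: TcpHeader, blocked: Set[str]) -> Optional[TcpHeader]:
    """Steps 2-4: the mirrored SYN-ACK travels from the cluster server to the external
    host. If its destination IP is on the blocking list, describe the RST the server
    will accept in its SYN_RECV state: addressed to the server, carrying the attacker's
    address, with seq equal to the SYN-ACK's acknowledgement number (the next byte the
    server expects from that host) and acknowledging the server's own initial sequence."""
    if not (synack.syn and synack.ack_flag) or synack.dst_ip not in blocked:
        return None
    return TcpHeader(src_ip=synack.dst_ip, src_port=synack.dst_port,
                     dst_ip=synack.src_ip, dst_port=synack.src_port,
                     seq=synack.ack, ack=(synack.seq + 1) & MASK32,
                     rst=True, ack_flag=True)


def rst_for_syn(syn: TcpHeader, blocked: Set[str]) -> Optional[TcpHeader]:
    """The variant noted after the flow: match at SYN time and reset the attacker's
    half-open connection instead. A host in SYN_SEND accepts a RST whose acknowledgement
    number equals its initial sequence plus one, so the reset acknowledges the SYN."""
    if not (syn.syn and not syn.ack_flag) or syn.src_ip not in blocked:
        return None
    return TcpHeader(src_ip=syn.dst_ip, src_port=syn.dst_port,
                     dst_ip=syn.src_ip, dst_port=syn.src_port,
                     seq=0, ack=(syn.seq + 1) & MASK32, rst=True, ack_flag=True)


def block_event(rst: TcpHeader) -> Dict[str, str]:
    """Record for the logging subsystem: source IP/port and destination IP/port of the reset."""
    return {"src_ip": rst.src_ip, "src_port": str(rst.src_port),
            "dst_ip": rst.dst_ip, "dst_port": str(rst.dst_port)}


if __name__ == "__main__":
    blocked = {"203.0.113.5"}           # populated by the rule matching subsystem
    synack = TcpHeader("198.51.100.10", 80, "203.0.113.5", 40000,
                       seq=7000, ack=501, syn=True, ack_flag=True)
    rst = rst_for_synack(synack, blocked)
    print(rst)
    print(block_event(rst) if rst else "not on the blocking list")
```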
Referring to Fig. 6, a block diagram of embodiment 1 of a flow-analysis-based network attack protection device of the present application is shown, which may specifically include the following modules:
Traffic collection module 301, for collecting the network traffic between the web server and the network routing device.
Parameter parsing module 302, for parsing the network access parameters in the network traffic.
Parameter lookup module 303, for finding, by matching with the preset rule, the target network access parameter corresponding to the network traffic generated by the network attack source accessing the web server.
Connection forbidding module 304, for forbidding the network attack source from establishing a connection with the web server according to the target network access parameter.
In the embodiment of the present application, the traffic collection module may preferably include:
a traffic replication submodule, for using a network optical splitter, network switch or hub connected between the web server and the network routing device to replicate the network traffic sent by the web server to the network routing device.
Further preferably, the traffic collection module may also include:
a traffic division submodule, for dividing, by a network shunt device, the network traffic belonging to the same network access.
In the embodiment, the network access parameters preferably include at least one of the Uniform Resource Identifier, source IP, destination IP, Host field, link source (Referer), user agent, cookie and request parameters.
In the embodiment, the parameter lookup module preferably includes:
a rule matching submodule, for matching, for the network traffic corresponding to the same network access, the network access parameters against the preset rule, where the preset rule indicates at least one item of characteristic data carried when the network attack source accesses the web server and the preset rule comprises a plurality of sub-rules;
an attack traffic determination submodule, for determining, if the network access parameters match at least one of the sub-rules, that the corresponding network traffic is the traffic generated by the network attack source accessing the web server, and taking the corresponding network access parameters as the target network access parameters.
In the embodiment, the connection forbidding module may specifically be configured to forbid the network attack source from establishing a connection with the web server according to at least one other network access parameter that belongs to the same network access as the target network access parameter.
In the embodiment, the target network access parameter may include the Uniform Resource Identifier of the network attack source, and the device may further include:
an IP extraction module, for extracting the source IP of the network attack source from the network traffic of the same network access as that corresponding to the Uniform Resource Identifier, before the network attack source is forbidden from establishing a connection with the web server according to the target network access parameter.
In the embodiment, the connection forbidding module preferably includes:
a real-time traffic collection submodule, for collecting in real time the network traffic sent by the web server to the network routing device;
a first connection interruption submodule, for interrupting the connection between the network attack source and the web server by sending a connection reset message to the network attack source or the web server if the source IP recorded in the network traffic matches the source IP of the network attack source.
In the embodiment, the connection forbidding module preferably includes:
a second connection interruption submodule, for notifying the source IP of the network attack source to the plurality of web servers included in the network cluster in which the web server resides, so that each web server interrupts the connection with the network attack source when it receives a network access request from the source IP of the network attack source.
According to the embodiment of the present application, the network traffic between the webserver and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against a preset rule, the target network access parameters corresponding to the network traffic generated when the network attack source accesses the webserver are found, and on that basis the network attack source is monitored and forbidden from establishing a connection with the webserver. With the scheme of the embodiment of the present application, no configuration operation is required on the client or on the external server, which reduces the user's learning cost. Compared with the traditional approach, in which access has to be routed through a WAF server, the embodiment of the present application performs security detection for every client or external server that accesses the webserver without routing through a WAF server, provides 100% security protection for the webserver, and improves the overall security of the cloud computing system.
Moreover, the embodiment of the present application mines the target network access parameters of the network attack source by rule matching and monitors the real-time network traffic on that basis. Compared with the traditional approach of performing rule-matching detection on every network request as it arrives, this can reduce the delay experienced by users accessing the web server and shorten the time users wait for a network service.
The application can also, after identifying the target network access parameter, associate at least one other network access parameter belonging to the same network access and perform attack protection on the basis of the associated network access parameters, so that the network attack source is protected against more fully and the incomplete protection that imperfect rule matching would otherwise cause is avoided.
The system corresponding to the embodiment of the present application can be deployed in software form on any suitable server or hardware device. Compared with a hardware WAF, which protects by means of predefined rules and whose rules must be updated whenever a new vulnerability appears, deployment is convenient and simple, the maintenance cost is greatly reduced, and the system is better suited to a cloud computing network environment.
Additionally, according to the embodiment of the present application, the mined target network access parameters of the network attack source can also be notified to all network servers in the network cluster, so that linked protection can be carried out against large-scale scanning of the cloud computing system by the same network attack source.
Referring to Fig. 7, a structural block diagram of embodiment 2 of a flow-analysis-based network attack protection device of the present application is shown; it can specifically include the following modules:
Flow collection module 401, for collecting the network traffic between the webserver and the network routing device, the network traffic being TCP messages.
Flow judgement module 402, for determining whether the TCP message is HTTP data recording one complete network access process.
Flow reassembly module 403, for reassembling, if the TCP message is not HTTP data recording one complete network access process, the multiple TCP messages belonging to the same network access, according to the numbering carried in the TCP messages, into HTTP data that records that network access through the seven-layer network transmission structure.
Parameter parsing module 404, for parsing the network access parameters in the network traffic.
Parameter searching module 405, for searching, by matching against a preset rule, the target network access parameters corresponding to the network traffic generated when the network attack source accesses the webserver.
Connection disabling module 406, for forbidding the network attack source from establishing a connection with the webserver according to the target network access parameters.
According to the embodiment of the present application, the network traffic between the webserver and the network routing device is collected and the relevant network access parameters are parsed from it; then, by matching against a preset rule, the target network access parameters corresponding to the network traffic generated when the network attack source accesses the webserver are found, and on that basis the network attack source is monitored and forbidden from establishing a connection with the webserver. With the scheme of the embodiment of the present application, no configuration operation is required on the client or on the external server, which reduces the user's learning cost. Compared with the traditional approach, in which access has to be routed through a WAF server, the embodiment of the present application performs security detection for every client or external server that accesses the webserver without routing through a WAF server, provides 100% security protection for the webserver, and improves the overall security of the cloud computing system.
Moreover, the embodiment of the present application mines the target network access parameters of the network attack source by rule matching and monitors the real-time network traffic on that basis. Compared with the traditional approach of performing rule-matching detection on every network request as it arrives, this can reduce the delay experienced by users accessing the web server and shorten the time users wait for a network service.
The system corresponding to the embodiment of the present application can be deployed in software form on any suitable server or hardware device. Compared with a hardware WAF, which protects by means of predefined rules and whose rules must be updated whenever a new vulnerability appears, deployment is convenient and simple, the maintenance cost is greatly reduced, and the system is better suited to a cloud computing network environment.
According to the embodiment of the present application, the mined target network access parameters of the network attack source can also be notified to all network servers in the network cluster, so that linked protection can be carried out against large-scale scanning of the cloud computing network by the same network attack source.
Further, a traditional firewall operates at layers three and four of the OSI (Open System Interconnection) seven-layer model and cannot meet the current layer-seven protection requirements of web applications. The embodiment of the present application can reassemble HTTP data that records one network access through the seven-layer network transmission structure and identify the network attack source from multiple network access parameters of that seven-layer HTTP data, so as to forbid it from accessing the webserver. Compared with a traditional firewall that operates only at layers three and four, the network protection of the embodiment of the present application is more comprehensive and better maintains the security of the webserver.
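The module chain of embodiment 2 (reassemble TCP segments by their numbering, check that one complete HTTP access has arrived, parse the claim 6 access parameters, match them against sub-rules, and associate the source IP with the matching URI so that later connections from it are reset and the cluster is notified) as an added Python example; it is not code from the patent, and the sub-rules, IP addresses and request lines are constructed for illustration.

```python
"""Added example (not the patent's code): a minimal mirror-port HTTP analyser
that follows modules 401-406 of embodiment 2 on constructed traffic."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TcpSegment:
    """One mirrored TCP segment; `seq` is the numbering used for reassembly (module 403)."""
    src_ip: str
    dst_ip: str
    seq: int
    payload: bytes


def reassemble(segments: List[TcpSegment]) -> bytes:
    """Module 403: order the segments of one access by sequence number and join them."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def is_complete_http(data: bytes) -> bool:
    """Module 402: a request is complete when the request line, all headers and
    (if Content-Length is present) the whole body have arrived."""
    if not re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", data):
        return False
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return False
    length = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
    return len(body) >= int(length.group(1)) if length else True


def parse_access_params(data: bytes, src_ip: str, dst_ip: str) -> Dict[str, object]:
    """Module 404: extract the access parameters listed in claim 6 (query-string
    parameters only; a body parser would be needed for POST forms)."""
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return {"uri": path, "src_ip": src_ip, "dst_ip": dst_ip,
            "host": headers.get("host", ""), "referer": headers.get("referer", ""),
            "user_agent": headers.get("user-agent", ""), "cookie": headers.get("cookie", ""),
            "params": params}


# Constructed preset rule: each sub-rule names one characteristic of attack traffic (claim 7).
SUB_RULES = [
    ("traversal_in_uri", lambda p: "../" in p["uri"]),
    ("sql_keywords_in_params",
     lambda p: any(re.search(r"(?i)\bunion\b.*\bselect\b", v) for v in p["params"].values())),
    ("empty_user_agent", lambda p: p["user_agent"] == ""),
]


def match_sub_rules(params: Dict[str, object]) -> List[str]:
    """Names of the sub-rules that match; a non-empty list marks attack traffic."""
    return [name for name, test in SUB_RULES if test(params)]


class ConnectionGuard:
    """Modules 405/406: flag attack traffic, remember the source IP found in the same
    access as the matching URI (claim 9) and reset later connections from it (claim 10)."""

    def __init__(self) -> None:
        self.blocked_ips: set = set()

    def inspect(self, segments: List[TcpSegment]) -> Dict[str, object]:
        data = reassemble(segments)
        if not is_complete_http(data):
            return {"action": "wait", "rules": []}  # keep buffering this access
        params = parse_access_params(data, segments[0].src_ip, segments[0].dst_ip)
        hits = match_sub_rules(params)
        if hits:
            self.blocked_ips.add(params["src_ip"])
        if params["src_ip"] in self.blocked_ips:
            # "reset" stands for sending a TCP RST to the attack source or the server.
            return {"action": "reset", "src_ip": params["src_ip"], "rules": hits}
        return {"action": "allow", "src_ip": params["src_ip"], "rules": hits}

    def cluster_notice(self) -> List[str]:
        """Claim 11: the source IP list pushed to the other webservers of the cluster."""
        return sorted(self.blocked_ips)


def segments_for(raw: bytes, src_ip: str, dst_ip: str, split: int = 20) -> List[TcpSegment]:
    """Constructed helper: split one request into two segments delivered out of order."""
    first = TcpSegment(src_ip, dst_ip, 1000, raw[:split])
    second = TcpSegment(src_ip, dst_ip, 1000 + split, raw[split:])
    return [second, first]


# Constructed sample requests (RFC 5737 documentation addresses are used as IPs).
ATTACK_REQUEST = (b"GET /static/../../app.config?id=1 HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nReferer: http://www.example.com/\r\nCookie: sid=abc\r\n\r\n")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    guard = ConnectionGuard()
    print(guard.inspect(segments_for(ATTACK_REQUEST, "203.0.113.7", "198.51.100.10")))
    print(guard.inspect(segments_for(BENIGN_REQUEST, "203.0.113.7", "198.51.100.10")))
    print(guard.inspect(segments_for(BENIGN_REQUEST, "192.0.2.5", "198.51.100.10")))
    print(guard.cluster_notice())
```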
As for the device embodiment, since it is basically similar to the method embodiment, its description is relatively simple; for related parts, refer to the description of the method embodiment.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
Those skilled in the art should appreciate that the embodiments of the present application can be provided as a method, a device or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
In a typical configuration, the computer device includes one or more processors (CPU), input/output interfaces, a network interface and memory. The memory may include volatile memory among computer-readable media, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operational steps are executed on the computer or other programmable terminal device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the embodiments of the present application have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or terminal device that comprises that element.
The flow-analysis-based network attack protection method and the flow-analysis-based network attack protection device provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application, and the description of the above embodiments is only intended to help in understanding the method of the application and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific embodiments and in the scope of application according to the idea of the application. In summary, the content of this specification should not be construed as a limitation on the application.

Claims (22)

1. A flow-analysis-based network attack protection method, characterised in that it includes:
collecting network traffic between a webserver and a network routing device;
parsing network access parameters in the network traffic;
searching, by matching against a preset rule, target network access parameters corresponding to the network traffic generated when a network attack source accesses the webserver;
forbidding, according to the target network access parameters, the network attack source from establishing a connection with the webserver.
2. The method of claim 1, characterised in that collecting the network traffic between the webserver and the network routing device includes:
using a network optical splitter, network switch or hub connected between the webserver and the network routing device to replicate the network traffic sent by the webserver to the network routing device.
3. The method of claim 1, characterised in that collecting the network traffic between the webserver and the network routing device further includes:
dividing, by a network splitter device, the network traffic belonging to the same network access.
4. The method of claim 1, characterised in that the network traffic is TCP messages, and before parsing the network access parameters in the network traffic, the method further includes:
determining whether the TCP message is HTTP data recording one complete network access process.
5. The method of claim 4, characterised in that before parsing the network access parameters in the network traffic, the method further includes:
if the TCP message is not HTTP data recording one complete network access process, reassembling, according to the numbering carried in the TCP messages, the multiple TCP messages belonging to the same network access into HTTP data that records that network access through the seven-layer network transmission structure.
6. The method of claim 1, characterised in that the network access parameters include at least one of a Uniform Resource Identifier, an access source IP, an access destination IP, a Host field, an access link source, a user agent, a cookie and access request parameters.
7. The method of claim 1, characterised in that searching, by matching against the preset rule, the target network access parameters corresponding to the network traffic generated when the network attack source accesses the webserver includes:
for the network traffic corresponding to the same network access, matching the network access parameters against the preset rule, the preset rule indicating at least one characteristic carried when the network attack source accesses the webserver, and the preset rule including a plurality of sub-rules;
if the network access parameters match at least one of the sub-rules, determining that the corresponding network traffic is network traffic generated when the network attack source accesses the webserver, and taking the corresponding network access parameters as the target network access parameters.
8. The method of claim 1, characterised in that forbidding the network attack source from establishing a connection with the webserver according to the target network access parameters is: forbidding the network attack source from establishing a connection with the webserver according to at least one other network access parameter belonging to the same network access as the target network access parameters.
9. The method of claim 8, characterised in that the target network access parameters include the Uniform Resource Identifier of the network attack source, and before forbidding the network attack source from establishing a connection with the webserver according to the target network access parameters, the method further includes:
extracting the access source IP of the network attack source from the network traffic of the same network access corresponding to the Uniform Resource Identifier.
10. The method of claim 9, characterised in that forbidding the network attack source from establishing a connection with the webserver according to the at least one other network access parameter belonging to the same network access as the target network access parameters includes:
collecting in real time the network traffic sent by the webserver to the network routing device;
if an access source IP recorded in the network traffic matches the access source IP of the network attack source, sending a connection reset message to the network attack source or to the webserver to interrupt the connection between the network attack source and the webserver.
11. The method of claim 9, characterised in that forbidding the network attack source from establishing a connection with the webserver according to the at least one other network access parameter belonging to the same network access as the target network access parameters includes:
notifying the access source IP of the network attack source to the multiple webservers included in the network cluster in which the webserver resides, so that each webserver, on receiving a network access request from the access source IP of the network attack source, interrupts its connection with the network attack source.
12. A flow-analysis-based network attack protection device, characterised in that it includes:
a flow collection module, for collecting network traffic between a webserver and a network routing device;
a parameter parsing module, for parsing network access parameters in the network traffic;
a parameter searching module, for searching, by matching against a preset rule, target network access parameters corresponding to the network traffic generated when a network attack source accesses the webserver;
a connection disabling module, for forbidding, according to the target network access parameters, the network attack source from establishing a connection with the webserver.
13. The device of claim 12, characterised in that the flow collection module includes:
a flow replication submodule, for using a network optical splitter, network switch or hub connected between the webserver and the network routing device to replicate the network traffic sent by the webserver to the network routing device.
14. The device of claim 12, characterised in that the flow collection module further includes:
a traffic partition submodule, for dividing, by a network splitter device, the network traffic belonging to the same network access.
15. The device of claim 12, characterised in that the network traffic is TCP messages, and the device further includes:
a flow judgement module, for determining, before the network access parameters in the network traffic are parsed, whether the TCP message is HTTP data recording one complete network access process.
16. The device of claim 15, characterised in that the device further includes:
a flow reassembly module, for reassembling, before the network access parameters in the network traffic are parsed and if the TCP message is not HTTP data recording one complete network access process, the multiple TCP messages belonging to the same network access, according to the numbering carried in the TCP messages, into HTTP data that records that network access through the seven-layer network transmission structure.
17. The device of claim 12, characterised in that the network access parameters include at least one of a Uniform Resource Identifier, an access source IP, an access destination IP, a Host field, an access link source, a user agent, a cookie and access request parameters.
18. The device of claim 12, characterised in that the parameter searching module includes:
a rule matching submodule, for matching, for the network traffic corresponding to the same network access, the network access parameters against the preset rule, the preset rule indicating at least one characteristic carried when the network attack source accesses the webserver, and the preset rule including a plurality of sub-rules;
an attack traffic determination submodule, for determining, if the network access parameters match at least one of the sub-rules, that the corresponding network traffic is network traffic generated when the network attack source accesses the webserver, and taking the corresponding network access parameters as the target network access parameters.
19. The device of claim 12, characterised in that the connection disabling module is specifically used for forbidding the network attack source from establishing a connection with the webserver according to at least one other network access parameter belonging to the same network access as the target network access parameters.
20. The device of claim 12, characterised in that the target network access parameters include the Uniform Resource Identifier of the network attack source, and the device further includes:
an IP extraction module, for extracting, before the network attack source is forbidden from establishing a connection with the webserver according to the target network access parameters, the access source IP of the network attack source from the network traffic of the same network access corresponding to the Uniform Resource Identifier.
21. The device of claim 20, characterised in that the connection disabling module includes:
a real-time traffic acquisition submodule, for collecting in real time the network traffic sent by the webserver to the network routing device;
a first disconnecting submodule, for sending, if an access source IP recorded in the network traffic matches the access source IP of the network attack source, a connection reset message to the network attack source or to the webserver to interrupt the connection between the network attack source and the webserver.
22. The device of claim 20, characterised in that the connection disabling module includes:
a second disconnecting submodule, for notifying the access source IP of the network attack source to the multiple webservers included in the network cluster in which the webserver resides, so that each webserver, on receiving a network access request from the access source IP of the network attack source, interrupts its connection with the network attack source.
CN201510729059.9A 2015-10-30 2015-10-30 Flow analysis based protective method and device against network attack Pending CN106656922A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510729059.9A CN106656922A (en) 2015-10-30 2015-10-30 Flow analysis based protective method and device against network attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510729059.9A CN106656922A (en) 2015-10-30 2015-10-30 Flow analysis based protective method and device against network attack

Publications (1)

Publication Number Publication Date
CN106656922A true CN106656922A (en) 2017-05-10

Family

ID=58809459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510729059.9A Pending CN106656922A (en) 2015-10-30 2015-10-30 Flow analysis based protective method and device against network attack

Country Status (1)

Country Link
CN (1) CN106656922A (en)

CN112822213A (en) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 Attack evidence obtaining and tracing method for power monitoring system
CN113747443A (en) * 2021-02-26 2021-12-03 上海观安信息技术股份有限公司 Machine learning algorithm-based security detection method and device
CN114978561A (en) * 2021-02-26 2022-08-30 中国科学院计算机网络信息中心 Real-time high-speed network TCP (Transmission control protocol) bypass batch host blocking method and system
CN114978561B (en) * 2021-02-26 2023-11-07 中国科学院计算机网络信息中心 Real-time high-speed network TCP protocol bypass batch host blocking method and system
CN113747443B (en) * 2021-02-26 2024-06-07 上海观安信息技术股份有限公司 Safety detection method and device based on machine learning algorithm
CN113518067A (en) * 2021-03-25 2021-10-19 国网浙江省电力有限公司金华供电公司 Security analysis method based on original message
CN112714138A (en) * 2021-03-29 2021-04-27 北京网测科技有限公司 Test method, device, equipment and storage medium based on attack flow
CN113233269A (en) * 2021-05-12 2021-08-10 广州广日电梯工业有限公司 Method and device for diagnosing attack on elevator network
CN113542246A (en) * 2021-07-02 2021-10-22 南京中新赛克科技有限责任公司 Active flow response implementation method based on network processor
CN114884707A (en) * 2022-04-24 2022-08-09 金祺创(北京)技术有限公司 Intelligent security monitoring and networking alarm method and system for large-scale network attack
CN114915497A (en) * 2022-07-13 2022-08-16 杭州云缔盟科技有限公司 Network access blocking method, device and application for Windows process

Similar Documents

Publication Publication Date Title
CN106656922A (en) Flow analysis based protective method and device against network attack
CN112769821B (en) Threat response method and device based on threat intelligence and ATT&CK
CN112383546B (en) Method for processing network attack behavior, related equipment and storage medium
CN103179132B (en) A kind of method and device detecting and defend CC attack
US7831822B2 (en) Real-time stateful packet inspection method and apparatus
KR101010302B1 (en) Security management system and method of irc and http botnet
CN109951500A (en) Network attack detecting method and device
CN111818103B (en) Traffic-based tracing attack path method in network target range
CN105681250B (en) A kind of Botnet distribution real-time detection method and system
CN107995162A (en) Network security perception system, method and readable storage medium
CN114679338A (en) Network risk assessment method based on network security situation awareness
CN106101104A (en) A kind of malice domain name detection method based on domain name mapping and system
CN107465651A (en) Network attack detecting method and device
CA2764815A1 (en) Identifying bots
CN106790193A (en) The method for detecting abnormality and device of Intrusion Detection based on host network behavior
CN109756501A (en) A kind of high concealment network agent method and system based on http protocol
CN104954345B (en) Attack recognition method and device based on object analysis
CN110362992A (en) Based on the method and apparatus for stopping in the environment of cloud or detecting computer attack
CN109074456A (en) The computer attack blocking method of two-stage filtering and the device for using this method
CN104954346A (en) Attack recognition method based on object analysis and device thereof
CN107666486A (en) A kind of network data flow restoration methods and system based on message protocol feature
CN102882748A (en) Network access detection system and network access detection method
CN108900467A (en) A method of perception is built and threatened to the automation honey jar based on Docker
CN111865996A (en) Data detection method and device and electronic equipment
Frye et al. An ontology-based system to identify complex network attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20170510)