CN106790169B - Protection method and device for scanning of scanning equipment - Google Patents

Protection method and device for scanning of scanning equipment Download PDF

Info

Publication number
CN106790169B
CN106790169B CN201611248778.XA CN201611248778A CN106790169B CN 106790169 B CN106790169 B CN 106790169B CN 201611248778 A CN201611248778 A CN 201611248778A CN 106790169 B CN106790169 B CN 106790169B
Authority
CN
China
Prior art keywords
disguised
page
link
scanning
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611248778.XA
Other languages
Chinese (zh)
Other versions
CN106790169A (en
Inventor
王树太
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd filed Critical Hangzhou DPTech Technologies Co Ltd
Priority to CN201611248778.XA priority Critical patent/CN106790169B/en
Publication of CN106790169A publication Critical patent/CN106790169A/en
Application granted granted Critical
Publication of CN106790169B publication Critical patent/CN106790169B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a protection method and a device for scanning of scanning equipment, wherein the method is applied to a WEB server and can comprise the following steps: receiving a page access request sent by a target user; if the page link accessed by the page access request is a preset disguised link, generating a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page; and returning the disguised page to the target user to protect the scanning equipment from illegal vulnerability scanning of the WEB server. By using the method provided by the application, the practicability of inhibiting the scanning of the vulnerability scanning equipment can be effectively improved, and hackers can be more effectively prevented from attacking through the scanned vulnerabilities.

Description

Protection method and device for scanning of scanning equipment
Technical Field
The present application relates to the field of computer communications, and in particular, to a method and an apparatus for protecting scanning of a scanning device.
Background
With the rapid development of network security technology, vulnerability detection technology plays an important role in daily risk management and the like. For example, a common scanning device may perform vulnerability scanning on a server or a Web system, discover vulnerabilities, and perform a fix for vulnerabilities at that time.
However, some hackers may also use the scanning device to scan the server or the Web system for vulnerabilities, and obtain vulnerabilities in the server or the Web system to attack. Therefore, how to effectively inhibit the scanning of the vulnerability scanning device becomes an urgent problem to be solved.
Disclosure of Invention
In view of this, the present application provides a protection method and apparatus for scanning by a scanning device, so as to effectively improve the practicability of suppressing the scanning by a bug scanning device, and more effectively prevent a hacker from attacking through a scanned bug.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, a protection method for scanning by a scanning device is provided, where the method is applied to a WEB service side, and the method includes:
receiving a page access request sent by a target user;
if the page link accessed by the page access request is a preset disguised link, generating a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page;
and returning the disguised page to the target user to protect the scanning equipment from illegal vulnerability scanning of the WEB server.
According to a second aspect of the present application, a protection device for scanning by a scanning device is provided, where the device is applied to a WEB server, and the device includes:
the receiving unit is used for receiving a page access request sent by a target user;
a generating unit, configured to generate a masquerading page for a preset masquerading link if a page link accessed by the page access request is the preset masquerading link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page;
and the return unit is used for returning the disguised page to the target user so as to protect the scanning equipment from illegal vulnerability scanning of the WEB service side.
The application provides a protection method for scanning of scanning equipment, wherein a WEB server receives a page access request sent by a target user. If the page link accessed by the page access request is a preset disguised link, the WEB service end can generate a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page; and the disguised page can be returned to the target user so as to protect the scanning equipment from illegal vulnerability scanning of the WEB service side.
On one hand, since the disguised link is not visible to normal users of the non-scanning device, normal users of the non-scanning device are not accidentally injured by accessing the link;
on the other hand, after accessing the disguised link, the WEB service end can automatically generate a disguised page corresponding to the disguised link, and the disguised page further comprises a disguised link linked to a disguised sub-page at the next level. Once the scanning device accesses the masquerading link, a large number of masquerading links are continuously acquired, so that a crawler module of the device scanning device can not continue to work or the scanning time exceeds the expected scanning time due to system crash caused by receiving the large masquerading links. In addition, the scanning of the scanning equipment to the real page with the bugs is seriously interfered due to the huge number of scanned disguised links, so that the scanned real bugs are very low.
In summary, the protection method for the scanning device according to the present application can effectively improve the practicability of suppressing the scanning of the vulnerability scanning device, and more effectively prevent hackers from attacking through the scanned vulnerabilities.
Drawings
FIG. 1 is a schematic diagram illustrating a method for safeguarding scanning by a scanning device according to an exemplary embodiment of the present application;
FIG. 2 is a flowchart illustrating a method for safeguarding against scanning by a scanning device according to an exemplary embodiment of the present application;
fig. 3 is a hardware structure diagram of a device where a guard for scanning by a scanning device is located according to an exemplary embodiment of the present application;
fig. 4 is a block diagram illustrating a guard scanned by a scanning device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
With the rapid development of network security technology, vulnerability detection technology plays an important role in daily risk management and the like. For example, a common scanning device may perform vulnerability scanning on a server or a Web system, discover vulnerabilities, and perform a fix for vulnerabilities at that time.
However, some hackers may also use the scanning device to scan the server or the Web system for vulnerabilities, and obtain vulnerabilities in the server or the Web system to attack.
Some related arts propose solutions to the above-described problems, the solutions being as follows:
solution of related art 1: the WEB server can extract scanning fingerprints generated in the scanning process of different scanning devices, such as a head field, a request parameter value and the like. Through the extracted scanned fingerprint, the scanning device is identified, and then local access to the scanning device is prohibited.
However, the technique of scanning fingerprints by a scanning device is a comparatively open technique. Hackers usually hide the scanned fingerprint by various self-defined methods, even disguising the request sent by the scanning device as a normal browser request, so that the WEB server cannot identify the scanning device, and the method is poor in practicability.
Solution of related art 2: the hidden link of the hidden label is added into the page requested by the target user, and after the label of the added link is hidden, the link is not accessed because a normal user cannot see the link. And the hidden link is visible to the scanning device. At this point, the scanning device may access the hidden link. When the WEB server detects that the hidden link is accessed, it may be determined that a target user accessing the hidden link is a scanning device, and at this time, an IP address of the scanning device may be written in an access blacklist to prevent the scanning device from continuing to access the local.
However, this hiding method is relatively straightforward by hiding the label of the link, setting it as a hidden link that is not visible to normal users of non-scanning devices. The scanning device can protect against this type of approach by looking at the hidden linked DOM node.
In summary, the two methods have a common problem that the practicability is poor, and it is difficult to effectively inhibit the access of the scanning device to the WEB server.
The application provides a protection method for scanning of scanning equipment, wherein a WEB server receives a page access request sent by a target user. If the page link accessed by the page access request is a preset disguised link, the WEB service end can generate a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page; and the disguised page can be returned to the target user so as to protect the scanning equipment from illegal vulnerability scanning of the WEB service side.
On one hand, since the disguised link is not visible to normal users of the non-scanning device, normal users of the non-scanning device are not accidentally injured by accessing the link;
on the other hand, after accessing the disguised link, the WEB service end can automatically generate a disguised page corresponding to the disguised link, and the disguised page further comprises a disguised link linked to a disguised sub-page at the next level. Once the scanning device accesses the masquerading link, a large number of masquerading links are continuously acquired, so that a crawler module of the device scanning device can not continue to work or the scanning time exceeds the expected scanning time due to system crash caused by receiving the large masquerading links. In addition, the scanning of the scanning equipment to the real page with the bugs is seriously interfered due to the huge number of scanned disguised links, so that the scanned real bugs are very low.
In summary, the protection method for the scanning device according to the present application can effectively improve the practicability of suppressing the scanning of the vulnerability scanning device, and more effectively prevent hackers from attacking through the scanned vulnerabilities.
In order to better understand the protection method of the scanning device proposed in the present application, the working principle of the vulnerability scanner is briefly introduced below.
A scanning device will typically contain a very important module, namely a web crawler module. The web crawler module is a web page automatic crawling program. Under a general condition, a WEB crawler module first captures a webpage of an initial link, then crawls the webpage of the initial link, analyzes a URL address on the webpage, then crawls the webpage corresponding to the analyzed URL address, and then analyzes and then crawls the webpage, so that a URL tree of a target WEB server is obtained.
And the scanning equipment analyzes and scans according to the URL tree captured by the WEB crawler module, so as to determine the vulnerability of the WEB server.
Therefore, the integrity of the URL of the WEB server side collected by the WEB crawler module can directly influence the detection coverage rate of the scanning tool. Thus, the web crawler module of the scanning device can crawl almost all links to a web page.
The protection method of the scanning device is related to a URL tree crawling mode based on a web crawler module of the scanning device, and aims to return a large number of disguised links to the web crawler module when the web crawler module crawls the URL tree, so that the scanning device cannot perform normal scanning.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a protection method for scanning by a scanning device according to an exemplary embodiment of the present application.
After the crawler module crawls the disguised link, the scanning device may access the disguised link. When the WEB service side detects that the target user accesses the link, the target user can be determined to be the scanning device. At this time, the WEB server will automatically generate a disguised page corresponding to the disguised link, and the disguised page further includes a disguised link linked to a next level disguised sub-page.
Once the scanning device accesses the masquerading link, a large number of masquerading links are continuously acquired, so that a crawler module of the scanning device cannot continue to work or the scanning time exceeds the expected scanning time due to system crash caused by receiving the huge masquerading links. In addition, the scanning of the scanning equipment to the real page with the bugs is seriously interfered due to the huge number of scanned disguised links, so that the scanned real bugs are very low.
The following describes a specific implementation of the protection method for a scanning device proposed in the present application in detail.
Referring to fig. 2, fig. 2 is a flowchart illustrating a protection method for scanning by a scanning device according to an exemplary embodiment of the present application. The method is applied to a WEB server and can specifically comprise the following steps:
step 201: receiving a page access request sent by a target user;
step 202: if the page link accessed by the page access request is a preset disguised link, generating a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page;
step 203: and returning the disguised page to the target user to protect the scanning equipment from illegal vulnerability scanning of the WEB server.
The WEB server side is a WEB server cluster.
The disguised link refers to a link which actually exists on a page accessed by a non-target user. But a link that is automatically added at the WEB service side. The disguised link is not visible to normal users of the non-scanning device but is visible to the scanning device, and thus may also have the effect of distinguishing normal users of the scanning device from normal users of the non-scanning device.
In the embodiment of the application, the WEB service side can receive a page access request sent by a target user. After receiving a page access request sent by a target user, the WEB service side may determine whether the page access request is a first page access request for the target user.
If the page access request is the first page access request aiming at the target user, the WEB service terminal can add a disguised link in the page requested by the target user.
In order to prevent the normal user of the non-scanning device from receiving a large amount of disguised pages returned by the WEB server side due to accessing the disguised link. The Web service can hide the masquerading link so that the masquerading link is set to be invisible to normal users of non-scanning devices.
In an optional implementation manner, the WEB server may hide the DOM node corresponding to the disguised link added to the page requested by the target user, so that the disguised link is invisible to a normal user of the non-scanning device.
Certainly, the WEB service end can also hide the disguised link by adopting other methods according to actual conditions, so that the disguised link is invisible to normal users of the non-scanning device. Here, the description is omitted.
After adding the disguised link to the page requested by the target user and performing a hiding operation on the disguised link for a normal user of the non-scanning device, the WEB service end may return the page to the target user.
If the target user is a scanning device, a web crawler module of the scanning device crawls links on the page and accesses the crawled links for subsequent link crawling.
Since the masquerading link is set to be invisible for normal users of non-scanning devices, after receiving subsequent access requests for the target user, the WEB service terminal can distinguish whether the target user is a normal user or a scanning device according to whether the link of the page accessed by the access request is the masquerading link.
If the link of the page accessed by the subsequent access request of the target user is not the preset disguised link, the WEB service end can determine that the target user is a normal user, and then return the requested page to the normal user.
If the link of the page accessed by the subsequent access request of the target user is the preset disguised link, the WEB service end can determine that the target user is the scanning device. At this time, the WEB server may generate a disguised page for the disguised link and return the disguised page to the scanning device.
Because the disguised page comprises the disguised link linked to the lower level disguised sub-page, the network crawler module of the scanning device crawls the disguised link of the lower level disguised sub-page and accesses the disguised link of the lower level disguised sub-page.
When receiving an access request of a scanning device for the disguised link of the next-level disguised sub-page, the WEB server automatically regenerates the next-level disguised sub-page corresponding to the disguised link of the next-level disguised sub-page and returns the next-level disguised sub-page to the scanning device.
Because the next-level disguised sub-page comprises the link to the third-level disguised sub-page, the network crawler module of the scanning device crawls the disguised link of the third-level disguised sub-page and accesses the disguised link of the third-level disguised sub-page.
By analogy, the scanning device can continuously crawl a large number of disguised links, so that a crawler module of the scanning device receives the huge disguised links to cause system crash, and the scanning device cannot continue to work or the scanning time exceeds the expected scanning time.
Referring to fig. 1, in the embodiment of the present application, the automatically generated disguised page of each level may further include a link of a disguised vulnerability page, and the disguised vulnerability page includes a disguised vulnerability.
After crawling the link of the disguised vulnerability page, the scanning device can access the link of the disguised vulnerability page.
Once the WEB service side detects that the scanning device accesses the link of the disguised vulnerability page, the WEB service side can automatically generate a vulnerability response corresponding to the vulnerability type on the disguised vulnerability page, and then the disguised vulnerability response is returned to the scanning device, so that the scanning device can obtain the disguised vulnerability.
Since the vulnerability information carried in the disguised vulnerability response is not the real vulnerability information of the WEB server, the scanning device does not affect the WEB server when attacking the WEB server aiming at the disguised vulnerability, and therefore, the hacker can be effectively inhibited from attacking the WEB server through the scanned vulnerability.
It should be noted that the masquerading vulnerability is not a vulnerability that actually exists on the WEB service side, but a disguised vulnerability, and the masquerading vulnerability may be an injected SQL vulnerability, an XSS vulnerability, and the like, which are not specifically limited herein, but are only exemplarily described.
In addition, in order to suppress the scanning behavior of the scanning device more quickly, in the embodiment of the application, if the WEB service end detects that the target user accesses any one of the masquerading links, the IP address of the target user may also be written into an access blacklist, so as to prohibit the target user from accessing the local.
The application provides a protection method for scanning of scanning equipment, wherein a WEB server receives a page access request sent by a target user. If the page link accessed by the page access request is a preset disguised link, the WEB service end can generate a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page; and the disguised page can be returned to the target user so as to protect the scanning equipment from illegal vulnerability scanning of the WEB service side.
On one hand, since the disguised link is not visible to normal users of the non-scanning device, normal users of the non-scanning device are not accidentally injured by accessing the link;
on the other hand, after accessing the disguised link, the WEB service end can automatically generate a disguised page corresponding to the disguised link, and the disguised page further comprises a disguised link linked to a disguised sub-page at the next level. Once the scanning device accesses the masquerading link, a large number of masquerading links are continuously acquired, so that a crawler module of the scanning device cannot continue to work or the scanning time exceeds the expected scanning time due to system crash caused by receiving the huge masquerading links. In addition, the scanning of the scanning equipment to the real page with the bugs is seriously interfered due to the huge number of scanned disguised links, so that the scanned real bugs are very low.
In addition, if the WEB service end detects that the target user accesses any one of the disguised links, the IP address of the target user can be written into an access blacklist to prohibit the target user from accessing the local, so that the scanning behavior of the scanning device on the local can be suppressed more quickly.
In summary, the protection method for the scanning device according to the present application can effectively improve the practicability of suppressing the scanning of the vulnerability scanning device, and more effectively prevent hackers from attacking through the scanned vulnerabilities.
Corresponding to the embodiment of the protection method for scanning by the scanning equipment, the application also provides an embodiment of a protection device for scanning by the scanning equipment.
The embodiment of the protective device for scanning by the scanning equipment can be applied to a WEB service end. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. Taking software implementation as an example, as a device in a logical sense, a processor of a WEB service side where the device is located reads corresponding computer program instructions in a nonvolatile memory into a memory for operation. In terms of hardware, as shown in fig. 3, the present application is a hardware structure diagram of a WEB service end where a protection device scanned by a scanning device is located, except for the processor, the memory, the network output interface, and the nonvolatile memory shown in fig. 3, in an embodiment, the WEB service end where the device is located may also include other hardware according to an actual function of the device, which is not described again.
Referring to fig. 4, fig. 4 is a block diagram illustrating a protection device scanned by a scanning apparatus according to an exemplary embodiment of the present application. The device is applied to a WEB server side, and the device comprises:
a receiving unit 410, configured to receive a page access request sent by a target user;
a generating unit 420, configured to generate a masquerading page for a preset masquerading link if a page link accessed by the page access request is the preset masquerading link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page;
a returning unit 430, configured to return the disguised page to the target user, so as to protect the scanning device from illegal bug scanning on the WEB service side.
In an optional implementation, the apparatus further includes:
an adding unit 440, configured to add the disguised link in the page requested by the target user if the received page access request is a first page access request for the target user.
In another optional implementation manner, the apparatus further includes:
a setting unit 450 for setting a DOM node corresponding to the disguised link to be invisible to a normal user of the non-scanning apparatus.
In another optional implementation manner, the disguised page further includes a link of the disguised vulnerability page; the disguise vulnerability page comprises a disguise vulnerability;
the generating unit 420 is further configured to generate a masquerading vulnerability response corresponding to the masquerading vulnerability page if the page link accessed by the page access request is a link for the masquerading vulnerability page;
the returning unit 430 is further configured to return the masquerading vulnerability response to the target user.
In another optional implementation manner, the apparatus further includes:
a writing unit 460, configured to write the IP address of the target user into an access blacklist if it is detected that the target user accesses any level of the masquerading link.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A protection method for scanning of scanning equipment is characterized in that the method is applied to a WEB server side, and comprises the following steps:
receiving a page access request sent by a target user;
if the page link accessed by the page access request is a preset disguised link, determining that the target user is scanning equipment, and generating a disguised page aiming at the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page;
returning the disguised page to the scanning device to protect the scanning device from illegal vulnerability scanning of the WEB server side;
the protecting the scanning device against the illegal vulnerability scanning of the WEB server side comprises the following steps:
and enabling the scanning equipment to continuously access the disguised link linked to the disguised sub-page at the next level, and returning to execute generation of the disguised page aiming at the disguised link.
2. The method of claim 1, further comprising:
and if the received page access request is the first page access request aiming at the target user, adding the disguised link in the page requested by the target user.
3. The method of claim 2, further comprising:
and setting the DOM node corresponding to the disguised link to be invisible for a normal user of the non-scanning device.
4. The method of claim 1, wherein the masquerading page further comprises a link to a masquerading vulnerability page; the disguise vulnerability page comprises a disguise vulnerability;
the method further comprises the following steps:
if the page link accessed by the page access request is a link aiming at the disguised vulnerability page, generating a disguised vulnerability response corresponding to the disguised vulnerability page;
and returning the disguised vulnerability response to the scanning device.
5. The method of claim 1, further comprising:
and if the target user is detected to access any level of the disguised link, writing the IP address of the target user into an access blacklist.
6. The utility model provides a protector of scanning equipment scanning which characterized in that, the device is applied to the WEB service end, the device includes:
the receiving unit is used for receiving a page access request sent by a target user;
a generating unit, configured to determine that the target user is a scanning device if a page link accessed by the page access request is a preset disguised link, and generate a disguised page for the disguised link; wherein the disguised link is preset to be invisible to normal users of non-scanning devices; the disguised page comprises a disguised link linked to a next level disguised sub-page;
the return unit is used for returning the disguised page to the scanning equipment so as to protect the scanning equipment from illegal vulnerability scanning of the WEB service side;
the protecting the scanning device against the illegal vulnerability scanning of the WEB server side comprises the following steps:
and enabling the scanning equipment to continuously access the disguised link linked to the disguised sub-page at the next level, and returning to execute generation of the disguised page aiming at the disguised link.
7. The apparatus of claim 6, further comprising:
and the adding unit is used for adding the disguised link in the page requested by the target user if the received page access request is the first page access request aiming at the target user.
8. The apparatus of claim 7, further comprising:
and the setting unit is used for setting the DOM node corresponding to the camouflage link to be invisible for a normal user of the non-scanning device.
9. The apparatus of claim 6, wherein the masquerading page further comprises a link to a masquerading vulnerability page; the disguise vulnerability page comprises a disguise vulnerability;
the generating unit is further configured to generate a masquerading vulnerability response corresponding to the masquerading vulnerability page if the page link accessed by the page access request is a link for the masquerading vulnerability page;
the returning unit is further configured to return the masquerading vulnerability response to the scanning device.
10. The apparatus of claim 6, further comprising:
and the writing unit is used for writing the IP address of the target user into an access blacklist if the target user is detected to access any one level of the disguised link.
CN201611248778.XA 2016-12-29 2016-12-29 Protection method and device for scanning of scanning equipment Active CN106790169B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611248778.XA CN106790169B (en) 2016-12-29 2016-12-29 Protection method and device for scanning of scanning equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611248778.XA CN106790169B (en) 2016-12-29 2016-12-29 Protection method and device for scanning of scanning equipment

Publications (2)

Publication Number Publication Date
CN106790169A CN106790169A (en) 2017-05-31
CN106790169B true CN106790169B (en) 2020-06-09

Family

ID=58927612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611248778.XA Active CN106790169B (en) 2016-12-29 2016-12-29 Protection method and device for scanning of scanning equipment

Country Status (1)

Country Link
CN (1) CN106790169B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108038218B (en) * 2017-12-22 2022-04-22 联想(北京)有限公司 Distributed crawler method, electronic device and server
CN111586005B (en) * 2020-04-29 2022-12-27 杭州迪普科技股份有限公司 Scanner scanning behavior identification method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350822A (en) * 2008-09-08 2009-01-21 南开大学 Method for discovering and tracing Internet malevolence code
CN102104601A (en) * 2011-01-14 2011-06-22 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology
CN102685081A (en) * 2011-03-17 2012-09-19 腾讯科技(深圳)有限公司 Webpage request safe processing method and system
US8443076B2 (en) * 2009-12-17 2013-05-14 At&T Intellectual Property I, L.P. Prefix hijacking detection device and methods thereof
CN104144164A (en) * 2014-08-06 2014-11-12 武汉安问科技发展有限责任公司 Extension defense method based on network intrusion
CN105871845A (en) * 2016-03-31 2016-08-17 深圳市深信服电子科技有限公司 Method and device for detecting Web vulnerability scanning behavior
CN105871775A (en) * 2015-01-19 2016-08-17 中国移动通信集团公司 Security protection method and DPMA protection model

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9800608B2 (en) * 2000-09-25 2017-10-24 Symantec Corporation Processing data flows with a data flow processor

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350822A (en) * 2008-09-08 2009-01-21 南开大学 Method for discovering and tracing Internet malevolence code
US8443076B2 (en) * 2009-12-17 2013-05-14 At&T Intellectual Property I, L.P. Prefix hijacking detection device and methods thereof
CN102104601A (en) * 2011-01-14 2011-06-22 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology
CN102685081A (en) * 2011-03-17 2012-09-19 腾讯科技(深圳)有限公司 Webpage request safe processing method and system
CN104144164A (en) * 2014-08-06 2014-11-12 武汉安问科技发展有限责任公司 Extension defense method based on network intrusion
CN105871775A (en) * 2015-01-19 2016-08-17 中国移动通信集团公司 Security protection method and DPMA protection model
CN105871845A (en) * 2016-03-31 2016-08-17 深圳市深信服电子科技有限公司 Method and device for detecting Web vulnerability scanning behavior

Also Published As

Publication number Publication date
CN106790169A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
US9860270B2 (en) System and method for determining web pages modified with malicious code
CN103685294B (en) Method and device for identifying attack sources of denial of service attack
US20190132355A1 (en) Malicious script detection
US9531734B2 (en) Method and apparatus for intercepting or cleaning-up plugins
CN107612924B (en) Attacker positioning method and device based on wireless network intrusion
US9246937B2 (en) Network access control system and method
US20200014697A1 (en) Whitelisting of trusted accessors to restricted web pages
CN103856471B (en) cross-site scripting attack monitoring system and method
CN107465702B (en) Early warning method and device based on wireless network intrusion
CN107579997A (en) Wireless network intrusion detection system
US20100306184A1 (en) Method and device for processing webpage data
CN103701816B (en) Perform the scan method and scanning means of the server of Denial of Service attack
CN107566401A (en) The means of defence and device of virtualized environment
CN104967628A (en) Deceiving method of protecting web application safety
CN106790189B (en) intrusion detection method and device based on response message
US8978150B1 (en) Data recovery service with automated identification and response to compromised user credentials
CN113190839A (en) Web attack protection method and system based on SQL injection
CN106790169B (en) Protection method and device for scanning of scanning equipment
CN110674496A (en) Method and system for program to counter invading terminal and computer equipment
CN116015717A (en) Network defense method, device, equipment and storage medium
CN107509200A (en) Equipment localization method and device based on wireless network invasion
CN105930728A (en) Application examining method and device
CN108268774B (en) Method and device for judging attack request
McKenna Detection and classification of Web robots with honeypots
CN107682346B (en) System and method for rapidly positioning and identifying CSRF attack

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant