Embodiment
A mobile solution generally runs as a client and a server: the client logic is carried by application software installed on a smart terminal, while the server is typically a system running on a server host that supports the client application software. The client calls the business interfaces provided by the server through remote RPC calls, so that the various business rules executed on the server can be presented to the user in the client. Some malicious attacks simulate client behaviour and call a business interface continuously and frequently, which puts heavy pressure on the server-side interface, causes abnormal operation and may even bring the server down. For example, under normal circumstances a user sends one service request per unit time (say, one request in 1 s), whereas a malicious attack can reach thousands or even tens of thousands of service requests in 1 s.
The attack request processing method provided by this application can be used to recognise whether the service requests calling a given business interface are attack requests and, once they are determined to be attack requests, to block them in time.
With reference to Fig. 1, experimental verification shows that when a malicious attack occurs at the client side, that is, when interface calls are completed densely within a unit time, the call pattern takes the form of an under-damped motion. In the example of Fig. 1 the vertical axis represents amplitude and the horizontal axis represents time: if service requests are made continuously within the unit time and the time interval between any two requests is smaller than a predetermined interval t_interval, then the amplitude falls as the number of service requests grows and finally reaches 0. With continued reference to Fig. 2, if, while the amplitude is still falling, the time interval between two service requests exceeds t_interval, the amplitude is restored to its initial value.
Given the characteristics shown in Fig. 1 and Fig. 2, a damping formula can be borrowed to recognise attack requests. For example, the damping formula can be:

x = A·e^(-δt)·cos(ωt)

where A·e^(-δt) is the amplitude; A can take the value 1.5 according to practical experience; δ is the damping coefficient and can be 1; ω represents the angular frequency and can be 0 (the cosine term then equals 1); and t accumulates as the number of service requests within the unit time increases: every service request received adds an increment to t, and the increment can be the time interval between this service request and the previous one.
According to the above damping formula, if within the statistics unit time (which can be 1 s or an even smaller time slice) the time interval between any two service requests is smaller than t_interval, t keeps accumulating, and once the continuous clicking reaches a certain amount x becomes less than or equal to 0. In the method of this application, x ≤ 0 can be used as the condition for determining an attack request: when x ≤ 0 occurs, a certain amount of continuous, frequent service requests has taken place within the unit time, and these are regarded as malicious attack requests (with ω = 0 the amplitude A·e^(-δt) only approaches 0 asymptotically, so an implementation compares x against a small positive threshold standing in for 0). Of course, in other examples, ways other than the damping formula can also be adopted.
In addition, still taking the client's determination of attack requests by means of the damping formula as an example, in the attack request processing method of this application the client can combine the damping formula with a parameter called the "fusing factor". The fusing factor can be fed back by the server to the client, and can be calculated by the server from the performance data (for example CPU, memory, etc.) of the business interface called by the service requests, so that it reflects the current load of the business interface. For example, if the business interface is heavily loaded and memory occupancy is high, the fusing factor can be higher; conversely, if the interface load is low, the fusing factor can be lower. The fusing factor can serve as the accumulation base t_dumping of t in the damping formula. It follows that, assuming the same amount of continuous frequent service requests occurs within the unit time, different accumulation bases make x reach the critical value 0 at different times: the higher the accumulation base t_dumping, the faster x drops to 0. If, after an attack request is determined, the service requests to the interface are blocked in time, this blocking of business interface requests can be called "fusing" (that is, rate-limiting the interface); accordingly, as described above, the higher the accumulation base and the more frequent the service requests, the faster the interface fuses.
The above processing can be illustrated by the flow of the attack request processing method in Fig. 3. As shown in Fig. 3, the method can be carried out between the client and the server: the server provides the fusing factor to the client, and the client, using the fusing factor, controls whether requests to the business interface are blocked. The method can include the following steps.
In step 301, the server generates the fusing factor according to the performance data corresponding to the business interface.
For example, the performance data can include the TPS (transactions per second) of the business interface, memory and CPU occupancy, and so on. This example does not limit how the fusing factor is generated from the performance data; for instance, a weighted sum of several factors can be used: memory occupancy can be one factor and the TPS of the interface another, each factor is given a weight according to its importance, and the weighted sum of the factors is taken as the fusing factor.
In step 302, the server sends the fusing factor to the client.
For example, the server can encapsulate the fusing factor in the response message sent to the client.
In step 303, the client obtains the time interval between two adjacent requests.
For example, after receiving the fusing factor the client can use it in the subsequent judgement of whether to fuse. In this step the client can receive a service request calling the business interface and obtain the time interval between this request and the previous one.
In step 304, the client determines the fusing value according to the fusing factor and the time interval.
For example, the fusing value can be calculated with the damping formula given above: the time interval serves as the accumulative increment in the damping formula and the fusing factor serves as the accumulation base.
In this step, the fusing value is recalculated every time a service request is received, and on receiving a request the client judges whether the interval between this request and the previous one is greater than the predetermined interval t_interval. Generally, the interval between two normal requests is greater than t_interval; the predetermined interval can be set from experience, for example 100 ms. If the interval between adjacent requests is smaller than t_interval, the calculation of the fusing value continues and t in the damping formula grows by the accumulative increment; if the interval between adjacent requests is greater than or equal to t_interval, the fusing value can be reset and the calculation starts again next time.
If an attack request is encountered within the statistics unit time, the attack requests are continuous and frequent and the interval between any two requests is smaller than t_interval, so this step keeps accumulating the fusing value. As the number of service requests grows, the fusing value approaches the fusing condition value, which is the fusing value that the fusing condition requires to be met; for example, it can be that x in the damping formula above is less than or equal to 0. In other words, the more attack requests are received, the further the calculated fusing value falls.
In step 305, when the fusing value counted within the unit time meets the fusing condition value, an attack request is determined.
For example, the scenario assumed in this example is that, from the initial calculation of the fusing value until the fusing condition value is met, the time interval between any two service requests is smaller than the predetermined interval. Then, as the number of service requests grows, the fusing value decreases gradually until it is less than or equal to 0, at which point the fusing condition value is met and this series of continuous, frequent service requests is determined to be a malicious attack request.
It should be noted that in this example the fusing condition is judged within one statistics unit time (for example, 1 s); if the fusing condition has still not been reached when the unit time has elapsed, the next unit time restarts the calculation of the fusing value and the former fusing value is reset.
In step 306, the service requests to the business interface are blocked.
For example, after the attack request has been determined in step 305, the service requests calling the business interface can be blocked, i.e. the requests are discarded, so as to reduce the load of the server.
In the attack request processing method of this example, malicious attacks are recognised and blocked at the client by means of the fusing mechanism. Compared with control on the server side, the normal requests of other clients are essentially unaffected: if one client is subjected to attack requests against an interface and blocks those requests on its own side, other clients can still call the interface as usual. Moreover, compared with the traditional approach of controlling the client alone according to a list and a threshold, this scheme uses a fusing mechanism that matches the characteristics of attack requests and can recognise them faster. The method also incorporates the fusing factor provided by the server, so that, on top of the characteristics of the attack requests themselves, the load of the server is taken into account: when the server's performance is poor, the fusing factor makes the client fuse faster, which effectively avoids aggravating the load of the server.
In another example, the method of this application is described with reference to Fig. 4 and Fig. 5, where Fig. 4 describes the processing flow on the server side and Fig. 5 the processing flow on the client side.
As shown in Fig. 4, in step 401, the server obtains the business interface list.
For example, the server can read the enable switch of the fusing mechanism through DRM (Distributed Resource Management, which dynamically adjusts service parameter configuration while the system is running and takes effect immediately). If the fusing mechanism switch is on, the server can read the RPC business interface gray list through DRM; the gray list records every business interface that needs flow control. Subsequently, if a client sends a request calling an interface on the gray list, the server sends the fusing factor of that interface to the client, so that the client controls the traffic of the interface according to the fusing factor and carries out the processing of attack requests.
In step 402, the server obtains the performance threshold of the corresponding business interface.
For example, the server can obtain the performance threshold corresponding to each interface on the business interface gray list through DRM.
In step 403, the server collects the performance data of the business interface.
For example, the server can obtain the performance data of the interface, such as CPU and memory, through a performance monitoring platform. The performance monitoring platform can be used to monitor the running state of the business; the monitored information includes, but is not limited to, the usage of operating-system resources (e.g. CPU, memory) during service operation, link latency information and the various alarms of the business system.
In step 404, the server judges whether the collected performance data is above the performance threshold.
If the performance data falls below the performance threshold, which indicates that the business interface of the server is currently heavily loaded (the performance data is read here as a measure of the interface's performance, which degrades as the load rises), step 405 is performed; otherwise step 406 is performed.
In step 405, the server masks the service requests to the business interface.
In this step, the server can mask all RPC call requests to the business interface.
In step 406, the server calculates the fusing factor corresponding to the business interface according to the performance data.
For example, the fusing factor can be denoted t_dumping and can be calculated from parameters such as CPU, memory and TPS; if the CPU and memory loads are higher, the calculated fusing factor is higher.
In addition, the server can perform steps 403 to 406 periodically, that is, collect the performance data periodically and update the fusing factor from it. The fusing factor can be stored in a cache, where the newly generated fusing factor replaces the original one, so that the newly generated factor characterises the server load within the unit time.
In step 407, the server sends the fusing factor to the client.
In this example, the server can send the fusing factor to the client periodically. For instance, when the server receives an RPC call request for some business interface from a client and a predetermined fixed interval (for example, 3 seconds) has passed since the fusing factor was last sent to this client, the server encapsulates the newest calculated fusing factor in the RPC call response it returns to the client. In another example, the server can also send the fusing factor to the client on receiving an interface request congestion notification from the client; the interface request congestion notification indicates that the client has determined an attack request and has blocked the call requests to the business interface.
In the flow of Fig. 4 above, the server obtains the interfaces that need flow control and their performance thresholds from the business interface gray list, so the gray list can be changed relatively easily, without depending on a version upgrade as a list built into the client would. In addition, the server generates the fusing factor from the performance data and the client regulates the traffic according to this factor, so that the flow control on the client side takes the load carried by the server into account, and more accurate and effective control can be achieved.
The flow in which the server sends the fusing factor to the client and the client processes attack requests according to this factor can be as exemplified in Fig. 5.
In step 501, the client receives a service request calling the business interface.
In step 502, the client judges whether the time interval between the two adjacent requests is smaller than the predetermined interval.
For example, from experience the interval between two normal requests is greater than t_interval, so the predetermined interval can be set to t_interval, which can be 100 ms.
If the interval between the two adjacent requests is smaller than t_interval, step 503 is performed; otherwise, that is, if within the statistics unit time the interval between two requests is greater than t_interval, it can be determined that this is not a malicious attack, and step 504 is performed.
In step 503, the client calculates the fusing value according to the fusing factor and the time interval.
For example, the damping formula can be used to calculate the fusing value x.
In step 504, the fusing value is reset.
After the fusing value has been reset, the next time the interval between two requests is again smaller than t_interval, the calculation of the fusing value starts afresh and enters the next round of fusing judgement.
In step 505, the client judges whether the fusing value meets the fusing condition value.
For example, it can be judged whether x calculated by the damping formula is less than or equal to 0. If it is, the fusing condition value is met and step 506 is performed; otherwise, step 510 is performed.
In step 506, the client blocks the service requests to the business interface.
For example, the client can discard the call requests to the business interface so as to reduce the server load.
In step 507, the client sends an interface request congestion notification to the server.
The interface request congestion notification can inform the server that the client has determined an attack request against the business interface and has blocked the call requests to the business interface.
In step 508, the client receives the fusing time and the updated fusing factor sent by the server.
For example, the fusing time can be N hours, N being any number greater than 0, and the server can send the newest fusing factor to the client at the same time.
In step 509, the client stops blocking the interface requests after the fusing time has elapsed.
For example, after N hours, when the client again receives a call for the business interface, it can allow the call request and send the request to the server.
In step 510, the client sends the service request to the server for processing.
In step 511, the client receives the server's response to the request.
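The server flow of Fig. 4 (steps 401 to 407) and the congestion-notification and fusing-time exchange of steps 506 to 511, as an added example written for this page, not code from the application. DRM and the performance monitoring platform are replaced by an in-memory configuration dict and a lookup callable; the performance threshold is applied as a ceiling on CPU and memory occupancy (an assumption: the description phrases the step 404 comparison in terms of performance, but the effect is the same, an overloaded interface is masked); the fusing factor is a weighted sum with assumed weights; the fusing time N is taken as 1 hour; the factor is resent to a client at most once per 3 s. The damping-formula detection is not repeated here: Client.call takes the verdict of that check as its attack_detected argument. Interface names, client names and the performance figures are constructed.

```python
SEND_INTERVAL = 3.0     # resend the factor to a client at most once per 3 s (value used in the description)
FUSING_TIME = 3600.0    # blocking lasts N hours after a congestion notification; N = 1 assumed

# Constructed stand-in for the DRM configuration: fuse switch plus the RPC interface gray list,
# each gray-listed interface carrying its performance threshold (ASSUMPTION: occupancy ceilings).
DRM = {
    "fuse_switch": True,
    "gray_list": {"order.create": {"cpu": 0.85, "mem": 0.90}},
}


def fusing_factor(perf, w_cpu=2.0, w_mem=2.0, w_tps=0.002):
    """Step 406: weighted sum of CPU, memory occupancy (0..1) and TPS; weights are assumptions."""
    return w_cpu * perf["cpu"] + w_mem * perf["mem"] + w_tps * perf["tps"]


class Server:
    def __init__(self, drm, monitor):
        self.drm = drm
        self.monitor = monitor     # performance monitoring platform stand-in: iface -> {cpu, mem, tps}
        self.factor_cache = {}     # iface -> latest fusing factor (step 406 cache, replaced on refresh)
        self.shielded = set()      # interfaces whose RPC requests are masked (step 405)
        self.last_sent = {}        # (client, iface) -> time the factor was last sent

    def refresh_factors(self):
        """Steps 401 to 406, run periodically for every gray-listed interface."""
        if not self.drm["fuse_switch"]:
            return
        for iface, threshold in self.drm["gray_list"].items():          # steps 401-402
            perf = self.monitor(iface)                                   # step 403
            if perf["cpu"] > threshold["cpu"] or perf["mem"] > threshold["mem"]:
                self.shielded.add(iface)                                 # steps 404-405
            else:
                self.shielded.discard(iface)
                self.factor_cache[iface] = fusing_factor(perf)           # step 406

    def handle_rpc(self, client, iface, now):
        """Step 407: answer an RPC call, piggybacking the newest factor if >= 3 s since the last send."""
        if iface in self.shielded:
            return {"status": "masked"}
        resp = {"status": "ok"}
        key = (client, iface)
        if iface in self.factor_cache and now - self.last_sent.get(key, float("-inf")) >= SEND_INTERVAL:
            resp["fusing_factor"] = self.factor_cache[iface]
            self.last_sent[key] = now
        return resp

    def handle_congestion(self, client, iface, now):
        """Server side of steps 507-508: answer a congestion notification with fusing time and newest factor."""
        self.last_sent[(client, iface)] = now
        return {"fusing_time": FUSING_TIME, "fusing_factor": self.factor_cache.get(iface)}


class Client:
    def __init__(self, name, server):
        self.name = name
        self.server = server
        self.factor = {}        # iface -> fusing factor used by the damping-formula check
        self.fused_until = {}   # iface -> time at which blocking ends (step 509)

    def call(self, iface, now, attack_detected=False):
        """Steps 506 to 511; attack_detected is the verdict of the step 505 check."""
        until = self.fused_until.get(iface)
        if until is not None and now < until:
            return {"status": "blocked"}                                    # fusing time not elapsed
        self.fused_until.pop(iface, None)                                   # step 509: blocking over
        if attack_detected:
            notice = self.server.handle_congestion(self.name, iface, now)   # steps 506-507
            self.fused_until[iface] = now + notice["fusing_time"]           # step 508
            if notice["fusing_factor"] is not None:
                self.factor[iface] = notice["fusing_factor"]
            return {"status": "blocked"}
        resp = self.server.handle_rpc(self.name, iface, now)               # steps 510-511
        if "fusing_factor" in resp:
            self.factor[iface] = resp["fusing_factor"]
        return resp


def run_scenario():
    """Constructed timeline; returns (list of (time, status, factor attached), final client factor)."""
    perf = {"order.create": {"cpu": 0.60, "mem": 0.70, "tps": 800.0}}
    server = Server(DRM, perf.__getitem__)
    client = Client("client-A", server)
    server.refresh_factors()
    log = []
    for now, attack in ((0.0, False), (1.0, False), (3.0, False), (4.0, True), (5.0, False),
                        (4.0 + FUSING_TIME, False)):
        resp = client.call("order.create", now, attack)
        log.append((now, resp["status"], "fusing_factor" in resp))
    perf["order.create"]["cpu"] = 0.95          # load rises above the threshold before the next refresh
    server.refresh_factors()
    resp = client.call("order.create", 5.0 + FUSING_TIME)
    log.append((5.0 + FUSING_TIME, resp["status"], "fusing_factor" in resp))
    return log, client.factor["order.create"]


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```

The timeline shows the factor being attached to the first response and again 3 s later but not in between, the client dropping its own calls for the full fusing time after it has reported congestion (the server is not contacted for those), the first call after the fusing time going through with a fresh factor, and the interface being masked by the server once the next periodic refresh finds the occupancy above the threshold.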
Fig. 6 provides an attack request processing device, which can be applied to the client. As shown in Fig. 6, the device can include a time obtaining module 61, a numerical value determining module 62 and a request processing module 63.
The time obtaining module 61 is used for obtaining the time interval between two adjacent requests when a service request calling the business interface is received.
The numerical value determining module 62 is used for determining the fusing value according to the fusing factor and the time interval, where the fusing value approaches the fusing condition value as the number of service requests increases, and the fusing factor is a coefficient fed back by the server and generated from the performance data of the business interface.
The request processing module 63 is used for determining an attack request and blocking the service requests to the business interface when the fusing value counted within the unit time meets the fusing condition value, where, during the period in which the fusing value approaches the fusing condition value, the time interval between any two service requests is smaller than the predetermined interval.
In one example, the numerical value determining module 62 is further used for resetting the fusing value when the time interval between two adjacent requests obtained by the time obtaining module is greater than the predetermined interval.
In one example, the request processing module 63 is further used for sending an interface request congestion notification to the server after blocking the service requests to the business interface, and the numerical value determining module 62 is further used for receiving the updated fusing factor fed back by the server.
Fig. 7 provides an attack request processing device, which can be applied to the server. As shown in Fig. 7, the device can include a coefficient generation module 71 and a coefficient sending module 72.
The coefficient generation module 71 is used for generating the fusing factor according to the performance data corresponding to the business interface.
The coefficient sending module 72 is used for sending the fusing factor to the client, so that the client determines, according to the fusing factor, the fusing value used for blocking attack requests to the business interface.
In one example, the coefficient generation module 71 is further used for obtaining the business interface and its corresponding performance threshold from the business interface gray list, collecting the performance data of the business interface, judging whether the performance data is above the performance threshold, and generating the fusing factor when the judgement result is yes.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.