CN107026839A - A kind of query-attack treating method and apparatus - Google Patents

Info

Publication number
CN107026839A
Authority
CN
China
Prior art keywords
fusing
business interface
factor
value
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611034464.XA
Other languages
Chinese (zh)
Other versions
CN107026839B (en
Inventor
丁伟伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201611034464.XA priority Critical patent/CN107026839B/en
Publication of CN107026839A publication Critical patent/CN107026839A/en
Application granted granted Critical
Publication of CN107026839B publication Critical patent/CN107026839B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/133 Protocols for remote procedure calls [RPC]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an attack request processing method and apparatus. The method includes: when a service request calling a business interface is received, obtaining the time interval between two adjacent requests; determining a fusing value according to a fusing factor and the time interval, wherein the fusing value approaches a fusing condition value as the number of service requests increases, and the fusing factor is a coefficient fed back by the server and generated according to performance data of the business interface; and, when the fusing value counted within a unit time meets the fusing condition value, determining that an attack request has been received and blocking service requests to the business interface, wherein, while the fusing value approaches the fusing condition value, the time interval between any two service requests is less than a predetermined interval. The invention can effectively avoid aggravating the load on the server.

Description

A kind of query-attack treating method and apparatus
Technical field
The present invention relates to computer technology, and in particular to an attack request processing method and apparatus.
Background
With the gradual popularization of mobile applications (apps), they constantly face potential threats from various malicious attacks. For example, a client may suffer a malicious attack targeting RPC (Remote Procedure Call Protocol) interface requests, in which service requests are sent continuously at a high frequency. This increases the load on the server and, in serious cases, even causes the server to run abnormally. It is therefore necessary to identify and block this kind of malicious attack that continuously and frequently issues service requests.
In the related art, one control approach is to build a business interface request whitelist into the client. The list sets the business interfaces to be monitored and the corresponding request count thresholds; when the client detects that the number of requests to an interface within a unit time exceeds the threshold, it shields service requests to that interface. The drawback of this approach is that changing the list depends on a version upgrade of the client application, which is neither flexible nor fast. Another approach is to monitor at the server: when the server detects that the number of requests to a business interface exceeds a threshold, it shields all service requests to that interface. The drawback of this approach is that the malicious requests of one client may affect all clients that access the interface.
Summary of the invention
In view of this, the present invention provides an attack request processing method and apparatus, so that the control of service requests from malicious attacks is more flexible, faster and more accurate.
Specifically, the present invention is achieved through the following technical solutions:
In a first aspect, an attack request processing method is provided, the method comprising:
when a service request calling a business interface is received, obtaining the time interval between two adjacent requests;
determining a fusing value according to a fusing factor and the time interval, wherein the fusing value approaches a fusing condition value as the number of service requests increases, and the fusing factor is a coefficient fed back by the server and generated according to performance data of the business interface;
when the fusing value counted within a unit time meets the fusing condition value, determining that an attack request has been received and blocking service requests to the business interface, wherein, while the fusing value approaches the fusing condition value, the time interval between any two service requests is less than a predetermined interval.
In a second aspect, an attack request processing method is provided, the method comprising:
generating a fusing factor according to performance data corresponding to a business interface;
sending the fusing factor to a client, so that the client determines, according to the fusing factor, a fusing value used for blocking attack requests to the business interface.
In a third aspect, an attack request processing apparatus is provided, the apparatus comprising:
a time obtaining module, configured to obtain the time interval between two adjacent requests when a service request calling a business interface is received;
a value determining module, configured to determine a fusing value according to a fusing factor and the time interval, wherein the fusing value approaches a fusing condition value as the number of service requests increases, and the fusing factor is a coefficient fed back by the server and generated according to performance data of the business interface;
a request processing module, configured to, when the fusing value counted within a unit time meets the fusing condition value, determine that an attack request has been received and block service requests to the business interface, wherein, while the fusing value approaches the fusing condition value, the time interval between any two service requests is less than a predetermined interval.
In a fourth aspect, an attack request processing apparatus is provided, the apparatus comprising:
a coefficient generation module, configured to generate a fusing factor according to performance data corresponding to a business interface;
a coefficient sending module, configured to send the fusing factor to a client, so that the client determines, according to the fusing factor, a fusing value used for blocking attack requests to the business interface.
The attack request processing method and apparatus of the present invention identify and block malicious attacks at the client by means of a fusing mechanism. Compared with control on the server side, the normal requests of other clients are essentially unaffected: if one client receives attack requests against an interface, the requests are blocked on that client's side, and other clients can still call the interface as usual. Moreover, compared with the traditional approach of controlling at the client solely according to a list and a threshold, this solution uses a fusing mechanism that matches the characteristics of attack requests and can identify them faster. The method also incorporates the fusing factor provided by the server side, so that, in addition to the characteristics of the attack requests themselves, the load on the server is taken into account. When server performance is poor, the fusing factor makes the client side fuse faster, which effectively avoids aggravating the load on the server.
Brief description of the drawings
Fig. 1 shows a manifestation of an attack according to an embodiment of the present invention;
Fig. 2 shows a manifestation of an attack according to an embodiment of the present invention;
Fig. 3 is a flow chart of an attack request processing method according to an embodiment of the present invention;
Fig. 4 shows a processing flow on the server side according to an embodiment of the present invention;
Fig. 5 shows a processing flow on the client side according to an embodiment of the present invention;
Fig. 6 is a structural diagram of an attack request processing apparatus according to an embodiment of the present invention;
Fig. 7 is a structural diagram of an attack request processing apparatus according to an embodiment of the present invention.
Detailed description
The normal operation of a mobile application is generally supported by a client and a server. The client generally refers to the application software installed on a smart terminal, and the server generally refers to the system installed on a server machine that supports the normal operation of the client application software. The client can remotely call, over the RPC protocol, the business interfaces provided by the server, so that the various business rules run by the server can be presented to and used by the client. Some malicious attacks simulate client operations and call a business interface frequently and continuously, putting heavy pressure on the server's interface and causing abnormal operation or even downtime. For example, under normal circumstances a user sends a service request once within a unit time such as 1s, whereas malicious attack requests may reach tens of thousands of service requests within 1s.
The attack request processing method provided by the present application can be used to identify whether service requests calling a business interface are attack requests and, when they are determined to be attack requests, to block them in time.
Referring to Fig. 1, experimental verification shows that if a malicious attack occurs on the client side, i.e. interface calls are completed intensively within a unit time, the behaviour takes the form of an under-damped motion. In the example of Fig. 1, the vertical axis represents amplitude and the horizontal axis represents time. If service requests are made continuously within the unit time and the time interval between any two requests is less than the predetermined interval t_interval, then as the number of service requests increases the amplitude eventually reaches 0. Referring to Fig. 2, suppose that, while the amplitude is steadily decreasing as the number of service requests increases, the time interval between two service requests once exceeds t_interval; the amplitude is then restored to its initial value.
Based on the characteristics shown in Fig. 1 and Fig. 2, a damping formula can be borrowed to identify attack requests. For example, the damping formula can be $x = A e^{-\delta t}\cos(\omega t)$, where $A e^{-\delta t}$ is the amplitude; A can take the value 1.5 based on practical experience; δ is the damping coefficient and can be 1; ω denotes the angular frequency and takes the value 0; and t accumulates as the number of service requests within the unit time increases. Each time a service request is received a cumulative increment is produced, and this increment can be the time interval between this service request and the previous request.
According to the above damping formula, if within the unit time of the statistics (which can be 1s, or an even smaller time slice) the time interval between any two service requests is less than t_interval, t keeps accumulating, and when the continuous requests reach a certain amount, x becomes less than or equal to 0. In the method of the present application, x being less than or equal to 0 can be used as the condition for determining an attack request: if x is less than or equal to 0, a certain amount of continuous, frequent service requests has occurred within the unit time, and these can be regarded as malicious attack requests. Of course, in other examples, approaches other than a damping formula can also be used.
In addition, still taking the case where the client determines attack requests by calculating the damping formula, in the attack request processing method of the present application the client can combine a parameter called the "fusing factor" when using the damping formula. The fusing factor can be fed back to the client by the server, and can be calculated by the server from the performance data (for example, CPU and memory) of the business interface called by the service request, so that it reflects the current load of the business interface. For example, if the business interface is heavily loaded and memory usage is high, the fusing factor can be higher; conversely, if the business interface is lightly loaded, the fusing factor can be lower. The fusing factor can be used as the accumulation radix t_dumping of t in the damping formula. It follows that, for the same amount of continuous, frequent service requests within a unit time, x in the damping formula reaches the critical value 0 at different times for different accumulation radixes: the higher the accumulation radix t_dumping, the faster x drops to 0. Once an attack request is determined, service requests to the interface are blocked in time; this blocking of requests to the business interface can be called "fusing" (that is, rate limiting the interface). Accordingly, as described above, the higher the accumulation radix and the more frequent the service requests, the faster the fusing.
The above processing can be illustrated by the flow of the attack request processing method in Fig. 3. As shown in Fig. 3, the method can be applied between a client and a server: the server provides the fusing factor to the client, and the client uses the fusing factor to control whether requests to the business interface are blocked. The method can include:
In step 301, the server generates a fusing factor according to the performance data corresponding to the business interface.
For example, the performance data can include the TPS (Transaction per Second) of the business interface, memory usage, CPU usage, and so on. This example does not limit how the fusing factor is generated from the performance data. For instance, a weighted sum of multiple factors can be used: memory usage can be one factor and the TPS of the interface another, a weight is set for each factor according to its importance, and the weighted sum of the factors gives the fusing factor.
In step 302, the server sends the fusing factor to the client.
For example, the server can encapsulate the fusing factor in a response message sent to the client.
In step 303, the client obtains the time interval between two adjacent requests.
For example, after receiving the fusing factor, the client can use it in subsequent judgments of whether to fuse. In this step, the client receives a service request calling the business interface and obtains the time interval between two adjacent requests.
In step 304, the client determines a fusing value according to the fusing factor and the time interval.
For example, the fusing value can be calculated with the damping formula mentioned above. When the damping formula is used, the time interval can be the cumulative increment in the formula and the fusing factor can be the accumulation radix in the formula.
In this step, the fusing value is calculated once each time a service request is received. When a service request is received, the client can also judge whether the interval between adjacent requests, i.e. the time interval between this request and the previous one, is greater than the predetermined interval t_interval. For example, for normal requests the time interval between two requests is generally greater than t_interval; the predetermined interval can be set based on experience and can be, for example, 100ms. If the result is that the interval between adjacent requests is less than t_interval, calculation of the fusing value continues and t in the damping formula is increased by the cumulative increment. If the result is that the interval between adjacent requests is greater than or equal to t_interval, the fusing value can be reset and calculation starts over next time.
If attack requests are encountered within the unit time of the statistics, they are continuous, frequent requests in which the time interval between any two requests is less than t_interval, so this step keeps accumulating the fusing value. As the number of service requests increases, the fusing value approaches the fusing condition value. The fusing condition value is the condition on the fusing value that is defined in the fusing condition; for example, it can be that x in the damping formula mentioned above is less than or equal to 0. That is, the more attack requests are received, the lower the calculated fusing value becomes.
In step 305, when the fusing value counted within the unit time meets the fusing condition value, it is determined that an attack request has been received.
For example, the scenario assumed in this example is that, from the initial calculation of the fusing value until the fusing condition value is met, the time interval between any two service requests is less than the predetermined interval. As the number of service requests increases, the fusing value gradually decreases until it is less than or equal to 0, at which point the fusing condition value is met and this series of continuous, frequent service requests can be determined to be malicious attack requests.
It should be noted that in this example the fusing condition is judged within one unit time of the statistics (for example, 1s). If the fusing condition has still not been reached after one unit time, calculation of the fusing value restarts in the next unit time and the previous fusing value is reset.
In step 306, service requests to the business interface are blocked.
For example, after an attack request is determined in step 305, the service requests calling the business interface can be blocked and discarded, thereby reducing the load on the server.
The attack request processing method of this example identifies and blocks malicious attacks at the client by means of a fusing mechanism. Compared with control on the server side, the normal requests of other clients are essentially unaffected: if one client receives attack requests against an interface, the requests are blocked on that client's side, and other clients can still call the interface as usual. Moreover, compared with the traditional approach of controlling at the client solely according to a list and a threshold, this solution uses a fusing mechanism that matches the characteristics of attack requests and can identify them faster. The method also incorporates the fusing factor provided by the server side, so that, in addition to the characteristics of the attack requests themselves, the load on the server is taken into account. When server performance is poor, the fusing factor makes the client side fuse faster, which effectively avoids aggravating the load on the server.
In another example, the method of the present application is described with reference to Fig. 4 and Fig. 5, where Fig. 4 describes the processing flow on the server side and Fig. 5 describes the processing flow on the client side.
As shown in Fig. 4, in step 401, the server obtains the business interface list.
For example, the server can read the enable switch of the fusing mechanism through DRM (Distributed Resource Management, used to dynamically adjust service parameter configuration while the system is running, taking effect immediately). If the fusing mechanism switch is on, the RPC business interface gray list can be read through DRM; the gray list records every business interface that requires flow control. Subsequently, if the client sends the server a request calling an interface on the gray list, the server sends the fusing factor corresponding to that interface to the client, so that the client controls the traffic of the interface according to the fusing factor and handles attack requests.
In step 402, the server obtains the performance threshold of the corresponding business interface.
For example, the server can obtain through DRM the performance threshold corresponding to each interface on the business interface gray list.
In step 403, the server collects the performance data of the business interface.
For example, the server can obtain the performance data of the interface, such as CPU and memory, from a performance monitoring platform. The performance monitoring platform can be used to monitor the running state of the business; the monitored information includes, but is not limited to, the usage of operating system resources (e.g. CPU and memory), link latency information during business operation, and the various alarms of the business system.
In step 404, the server judges whether the collected performance data is higher than the performance threshold.
If the performance data is less than the performance threshold, the business interface at the server is currently heavily loaded, and step 405 is performed; otherwise, step 406 is performed.
In step 405, the server shields service requests to the business interface.
In this step, the server can shield all RPC call requests to the business interface.
In step 406, the server calculates the fusing factor corresponding to the business interface according to the performance data.
For example, the fusing factor can be denoted t_dumping and can be calculated from parameters such as CPU, memory and TPS; if the load on CPU, memory and so on is high, the calculated fusing factor is higher.
In addition, the server can perform steps 403 to 406 periodically; that is, it can collect performance data periodically and update the fusing factor according to the performance data. The fusing factor can be stored in a cache and the original fusing factor replaced with the newly generated one. The newly generated fusing factor characterizes the server load within the unit time.
In step 407, the server sends the fusing factor to the client.
In this example, the server can send the fusing factor to the client periodically. For instance, when the server receives an RPC call request for a business interface from the client, if a predetermined fixed interval (for example, 3 seconds) has elapsed since the fusing factor was last sent to that client, the most recently calculated fusing factor is encapsulated in the RPC call response fed back to the client. In another example, the server can also send the fusing factor to the client when it receives an interface request blocking notification from the client; the interface request blocking notification indicates that the client has determined an attack request and has blocked call requests to the business interface.
In the flow of Fig. 4 above, the server obtains the interfaces that require flow control and the corresponding performance thresholds from the business interface gray list, so changing the gray list is relatively easy and does not depend on a version upgrade as a list built into the client would. In addition, the server generates the fusing factor according to performance data and the client regulates traffic according to this coefficient, so that flow control on the client side takes the load borne by the server into account and more accurate and effective control can be achieved.
After the server sends the fusing factor to the client, the client handles attack requests according to the coefficient; this flow is illustrated in Fig. 5.
In step 501, the client receives a service request calling the business interface.
In step 502, the client judges whether the time interval between two adjacent requests is less than the predetermined interval.
For example, based on experience, the interval between two normal requests is greater than t_interval; the predetermined interval can be set to t_interval, which can be 100ms.
If the time interval between two adjacent requests is less than t_interval, step 503 is performed. Otherwise, if within the unit time of the statistics the interval between two requests is greater than t_interval, it can be determined that this is not a malicious attack, and step 504 is performed.
In step 503, the client calculates the fusing value according to the fusing factor and the time interval.
For example, the fusing value x can be calculated with the damping formula.
In step 504, the fusing value is reset.
After the fusing value is reset, the next time the interval between two requests is less than t_interval, calculation of the fusing value starts again and the next fusing judgment begins.
In step 505, the client judges whether the fusing value meets the fusing condition value.
For example, it can be judged whether x calculated with the damping formula is less than or equal to 0. If it is, the fusing condition value is met and step 506 is performed; otherwise, if the fusing condition value is not met, step 510 is performed.
In step 506, the client blocks service requests to the business interface.
For example, the client can discard call requests to the business interface to reduce the load on the server.
In step 507, the client sends an interface request blocking notification to the server.
The interface request blocking notification can be used to inform the server that the client has determined that it is receiving attack requests against the business interface and has blocked call requests to the business interface.
In step 508, the client receives the fusing time and the updated fusing factor sent by the server.
For example, the fusing time can be N hours, where N is any number greater than 0; the server can also send the latest fusing factor to the client together with it.
In step 509, the client stops blocking requests to the interface after the fusing time.
For example, after N hours, when the client again receives a call to the business interface, it can allow the call request and send the request to the server.
In step 510, the client sends the service request to the server for processing.
In step 511, the client receives the server's response to the request.
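The following Python sketch is an added example, not code from the patent. It implements the server-side weighted sum of step 301 and the client-side flow of steps 501 to 509 with the damping formula, replayed over constructed request timestamps. Assumptions: the weights and scale in `fusing_factor`, the per-request increment `t_dumping + interval` as the way the accumulation radix and the time interval combine, and a nonzero ω (with ω = 0 the expression only approaches 0 and never satisfies x ≤ 0).

```python
import math

A = 1.5             # amplitude constant given in the description
DELTA = 1.0         # damping coefficient given in the description
OMEGA = 1.0         # assumption: nonzero so that x can reach 0
T_INTERVAL = 0.100  # predetermined interval, 100 ms in the description
UNIT_TIME = 1.0     # statistics window, 1 s in the description


def fusing_factor(mem_usage, tps_ratio, w_mem=0.6, w_tps=0.4, scale=0.05):
    """Server side (steps 301/406): weighted sum of load factors in [0, 1].

    The weights and the scale are hypothetical; the description fixes none.
    Higher load yields a higher factor (t_dumping)."""
    return scale * (w_mem * mem_usage + w_tps * tps_ratio)


def fusing_value(t):
    """Damping formula x = A * e^(-delta*t) * cos(omega*t)."""
    return A * math.exp(-DELTA * t) * math.cos(OMEGA * t)


class ClientBreaker:
    """Client-side fusing logic for one business interface."""

    def __init__(self, t_dumping, fusing_time=3600.0):
        self.t_dumping = t_dumping      # fusing factor fed back by the server
        self.fusing_time = fusing_time  # "N hours" in the description
        self.t = 0.0                    # accumulated t of the damping formula
        self.last = None                # timestamp of the previous request
        self.window_start = None        # start of the current unit time
        self.blocked_until = None       # set while the interface is fused

    def _reset(self, now):
        self.t = 0.0
        self.window_start = now

    def on_request(self, now):
        """Return True if the request is forwarded, False if it is dropped."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return False            # step 506: still fused, drop
            self.blocked_until = None   # step 509: fusing time has elapsed
            self.last = None
        if self.last is None:           # first request seen: nothing to compare
            self.last = now
            self._reset(now)
            return True
        interval = now - self.last
        self.last = now
        if interval >= T_INTERVAL:      # step 504: normal spacing, reset
            self._reset(now)
            return True
        if now - self.window_start > UNIT_TIME:
            self._reset(now)            # unit time passed without fusing
        self.t += self.t_dumping + interval       # step 503 (assumed form)
        if fusing_value(self.t) <= 0:   # step 505: fusing condition met
            self.blocked_until = now + self.fusing_time
            self._reset(now)
            return False
        return True


def requests_until_fused(t_dumping, interval, limit=5000):
    """Replay a constructed, evenly spaced burst; return the 1-based index
    of the first dropped request, or None if nothing is dropped."""
    breaker = ClientBreaker(t_dumping)
    now = 0.0
    for n in range(1, limit + 1):
        if not breaker.on_request(now):
            return n
        now += interval
    return None


if __name__ == "__main__":
    heavy = fusing_factor(mem_usage=0.9, tps_ratio=0.9)  # loaded server
    light = fusing_factor(mem_usage=0.2, tps_ratio=0.1)  # idle server
    print("heavy load, 1 ms spacing:", requests_until_fused(heavy, 0.001))
    print("light load, 1 ms spacing:", requests_until_fused(light, 0.001))
    print("heavy load, 1 s spacing: ", requests_until_fused(heavy, 1.0, 100))
```

The same burst is cut off after far fewer requests when the server reports a high load, while traffic spaced at or above `T_INTERVAL` never fuses regardless of the factor.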
Fig. 6 shows an attack request processing apparatus that can be applied to a client. As shown in Fig. 6, the apparatus can include a time obtaining module 61, a value determining module 62 and a request processing module 63.
The time obtaining module 61 is configured to obtain the time interval between two adjacent requests when a service request calling a business interface is received;
the value determining module 62 is configured to determine a fusing value according to a fusing factor and the time interval, wherein the fusing value approaches a fusing condition value as the number of service requests increases, and the fusing factor is a coefficient fed back by the server and generated according to performance data of the business interface;
the request processing module 63 is configured to, when the fusing value counted within a unit time meets the fusing condition value, determine that an attack request has been received and block service requests to the business interface, wherein, while the fusing value approaches the fusing condition value, the time interval between any two service requests is less than a predetermined interval.
In one example, the value determining module 62 is further configured to reset the fusing value when the time interval between two adjacent requests obtained by the time obtaining module is greater than the predetermined interval.
In one example, the request processing module 63 is further configured to send an interface request blocking notification to the server after service requests to the business interface are blocked;
the value determining module 62 is further configured to receive the updated fusing factor fed back by the server.
Fig. 7 shows an attack request processing apparatus that can be applied to a server. As shown in Fig. 7, the apparatus can include a coefficient generation module 71 and a coefficient sending module 72.
The coefficient generation module 71 is configured to generate a fusing factor according to performance data corresponding to a business interface;
the coefficient sending module 72 is configured to send the fusing factor to a client, so that the client determines, according to the fusing factor, a fusing value used for blocking attack requests to the business interface.
In one example, the coefficient generation module 71 is further configured to obtain the business interface in a business interface gray list and the performance threshold corresponding to the business interface; collect the performance data of the business interface; and judge whether the performance data is higher than the performance threshold, the judgment result being yes.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (15)

1. An attack request processing method, characterized in that the method comprises:
When a service request calling a business interface is received, obtaining the time interval between two adjacent requests;
Determining a fusing value according to a fusing factor and the time interval; wherein, as the number of service requests increases, the fusing value approaches a fusing condition value, and the fusing factor is a coefficient fed back by the service end and generated according to the performance data of the business interface;
When the fusing value counted within the unit time meets the fusing condition value, determining that an attack request is being received and blocking service requests to the business interface, wherein, while the fusing value approaches the fusing condition value, the time interval between any two service requests is less than a predetermined interval.
2. The method according to claim 1, characterized in that the method further comprises:
If the obtained time interval between two adjacent requests is greater than the predetermined interval, resetting the fusing value.
3. The method according to claim 1, characterized in that determining the fusing value according to the fusing factor and the time interval comprises:
Calculating the fusing value according to a damping formula, wherein the time interval is the cumulative increment in the damping formula and the fusing factor is the accumulation radix in the damping formula.
4. The method according to claim 1, characterized in that, after service requests to the business interface are blocked, the method further comprises:
Sending an interface request congestion notification to the service end;
Receiving the updated fusing factor fed back by the service end.
5. The method according to claim 1, characterized in that, after service requests to the business interface are blocked, the method further comprises:
Sending an interface request congestion notification to the service end;
Receiving the fusing time sent by the service end, and stopping the blocking after the fusing time.
6. An attack request processing method, characterized in that the method comprises:
Generating a fusing factor according to the performance data corresponding to a business interface;
Sending the fusing factor to a client, so that the client determines, according to the fusing factor, the fusing value used to block attack requests to the business interface.
7. The method according to claim 6, characterized in that, before generating the fusing factor according to the performance data corresponding to the business interface, the method further comprises:
Obtaining, from a business interface gray list, the business interface and the performance threshold corresponding to the business interface;
Collecting the performance data of the business interface;
Judging whether the performance data is higher than the performance threshold, the judgment result being yes.
8. The method according to claim 7, characterized in that the method further comprises:
If the performance data is less than the performance threshold, shielding service requests for the business interface.
9. The method according to claim 6, characterized in that generating the fusing factor according to the performance data corresponding to the business interface comprises:
Periodically generating the fusing factor according to the performance data corresponding to the business interface, and replacing the original fusing factor with the newly generated fusing factor.
10. The method according to claim 6, characterized in that sending the fusing factor to the client comprises:
Periodically sending the fusing factor;
Or, sending the fusing factor when an interface request congestion notification is received from the client.
11. An attack request processing device, characterized in that the device comprises:
A time obtaining module, configured to obtain the time interval between two adjacent requests when a service request calling a business interface is received;
A numerical value determining module, configured to determine a fusing value according to a fusing factor and the time interval; wherein, as the number of service requests increases, the fusing value approaches a fusing condition value, and the fusing factor is a coefficient fed back by the service end and generated according to the performance data of the business interface;
A request processing module, configured to, when the fusing value counted within the unit time meets the fusing condition value, determine that an attack request is being received and block service requests to the business interface, wherein, while the fusing value approaches the fusing condition value, the time interval between any two service requests is less than a predetermined interval.
12. The device according to claim 11, characterized in that
The numerical value determining module is further configured to reset the fusing value when the time interval between two adjacent requests obtained by the time obtaining module is greater than the predetermined interval.
13. The device according to claim 11, characterized in that
The request processing module is further configured to send an interface request congestion notification to the service end after service requests to the business interface are blocked;
The numerical value determining module is further configured to receive the updated fusing factor fed back by the service end.
14. An attack request processing device, characterized in that the device comprises:
A coefficient generation module, configured to generate a fusing factor according to the performance data corresponding to a business interface;
A coefficient sending module, configured to send the fusing factor to a client, so that the client determines, according to the fusing factor, the fusing value used to block attack requests to the business interface.
15. The device according to claim 14, characterized in that
The coefficient generation module is further configured to obtain, from a business interface gray list, the business interface and the performance threshold corresponding to the business interface; collect the performance data of the business interface; and judge whether the performance data is higher than the performance threshold, the judgment result being yes.
CN201611034464.XA 2016-11-16 2016-11-16 Attack request processing method and device Active CN107026839B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611034464.XA CN107026839B (en) 2016-11-16 2016-11-16 Attack request processing method and device


Publications (2)

Publication Number Publication Date
CN107026839A true CN107026839A (en) 2017-08-08
CN107026839B CN107026839B (en) 2020-08-04

Family

ID=59525295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611034464.XA Active CN107026839B (en) 2016-11-16 2016-11-16 Attack request processing method and device

Country Status (1)

Country Link
CN (1) CN107026839B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009075A (en) * 2017-11-27 2018-05-08 南京联创信息科技有限公司 Dynamic fusing determination methods based on Hystrix frames
CN110400031A (en) * 2018-04-25 2019-11-01 阿里巴巴集团控股有限公司 A kind of blowout method and server
CN110704220A (en) * 2019-09-02 2020-01-17 东软集团股份有限公司 Method, device and equipment for adjusting fusing parameters
CN111786934A (en) * 2019-08-26 2020-10-16 北京京东尚科信息技术有限公司 Method and device for detecting normal user of client
CN111866156A (en) * 2020-07-27 2020-10-30 网易(杭州)网络有限公司 Fusing processing method and device
CN113419892A (en) * 2021-07-05 2021-09-21 山东云缦智能科技有限公司 Method for implementing automatic fusing and service recovery
CN114697060A (en) * 2020-12-29 2022-07-01 广州腾讯科技有限公司 Service control method, device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040059944A1 (en) * 2002-09-25 2004-03-25 Rainer Stademann System and method for repelling attack data streams on network nodes in a communications network
CN101034421A (en) * 2006-03-07 2007-09-12 上海新致软件有限公司 Control method for preventing indulging network game and device thereof
CN101902438A (en) * 2009-05-25 2010-12-01 北京启明星辰信息技术股份有限公司 Method and device for automatically identifying web crawlers
CN102045319A (en) * 2009-10-21 2011-05-04 中国移动通信集团山东有限公司 Method and device for detecting SQL (Structured Query Language) injection attack
CN104202297A (en) * 2014-07-30 2014-12-10 杭州华三通信技术有限公司 Anti-attack method and device dynamically adapting to server performance


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009075A (en) * 2017-11-27 2018-05-08 南京联创信息科技有限公司 Dynamic fusing determination methods based on Hystrix frames
CN108009075B (en) * 2017-11-27 2018-10-09 南京联创信息科技有限公司 Dynamic fusing judgment method based on Hystrix frames
CN110400031A (en) * 2018-04-25 2019-11-01 阿里巴巴集团控股有限公司 A kind of blowout method and server
CN111786934A (en) * 2019-08-26 2020-10-16 北京京东尚科信息技术有限公司 Method and device for detecting normal user of client
CN110704220A (en) * 2019-09-02 2020-01-17 东软集团股份有限公司 Method, device and equipment for adjusting fusing parameters
CN110704220B (en) * 2019-09-02 2023-03-24 东软集团股份有限公司 Method, device and equipment for adjusting fusing parameters
CN111866156A (en) * 2020-07-27 2020-10-30 网易(杭州)网络有限公司 Fusing processing method and device
CN114697060A (en) * 2020-12-29 2022-07-01 广州腾讯科技有限公司 Service control method, device and electronic equipment
CN114697060B (en) * 2020-12-29 2024-05-07 广州腾讯科技有限公司 Service control method and device and electronic equipment
CN113419892A (en) * 2021-07-05 2021-09-21 山东云缦智能科技有限公司 Method for implementing automatic fusing and service recovery

Also Published As

Publication number Publication date
CN107026839B (en) 2020-08-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.
