CN107454120A - Network attack defense system and method for defending against network attacks - Google Patents



Publication number
CN107454120A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610371336.8A
Other languages
Chinese (zh)
Inventor
闫国旗
都海峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201610371336.8A
Publication of CN107454120A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1001: Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1036: Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

The invention discloses a network attack defense system and a method for defending against network attacks. The system includes: an application-layer load balancing subsystem configured to receive user requests, on which a load balancing agent is hosted, the load balancing agent being configured to read the user requests from the application-layer load balancing subsystem and write them to a message queue subsystem; the message queue subsystem, configured to cache the user requests written by the load balancing agent; and a real-time computing subsystem configured to obtain the cached user requests from the message queue subsystem, analyze the data in the user requests, generate a blocking rule according to the analysis result, and write the blocking rule to the message queue subsystem. The message queue subsystem is further configured to cache the blocking rule, and the load balancing agent is further configured to obtain the cached blocking rule from the message queue subsystem and apply the extracted blocking rule to the application-layer load balancing subsystem.

Description

Network attack defense system and method for defending against network attacks
Technical field
The present invention relates to the field of network security, and more particularly to a network attack defense system and a method for defending against network attacks by means of that system.
Background
With the rapid development of the Internet, network security has become an increasingly prominent problem. Hackers steal data or mount retaliatory attacks, and many companies have paid a painful price as a result. For a typical Internet company, the network is extremely important infrastructure with very high security requirements, which means that network security attacks must be detected promptly, within a certain time frame, when they occur.
Detection of network attacks is broadly divided into transport-layer detection and application-layer detection. The hardware firewalls in general use today are mostly suited to defending against transport-layer attacks, and their interception rules are all based on the manufacturer's initial settings or on simple settings made through an administration interface, so they cannot implement flexible logic for the application layer.
In addition, although a hardware firewall has the advantage of hardware acceleration, its processing capacity is still a bottleneck for a large data center.
Summary of the invention
To solve the above problems in the prior art, the present invention proposes a network attack defense system and a method for defending against network attacks.
According to one aspect of the present invention, a network attack defense system is proposed. The system includes: an application-layer load balancing subsystem configured to receive user requests, on which a load balancing agent is hosted, the load balancing agent being configured to read the user requests from the application-layer load balancing subsystem and write them to a message queue subsystem; the message queue subsystem, connected to the application-layer load balancing subsystem and configured to cache the user requests written by the load balancing agent; and a real-time computing subsystem, connected to the message queue subsystem and configured to obtain the cached user requests from the message queue subsystem, analyze the data in the user requests, generate a blocking rule according to the analysis result, and write the blocking rule to the message queue subsystem. The message queue subsystem is further configured to cache the blocking rule, and the load balancing agent is further configured to obtain the cached blocking rule from the message queue subsystem and apply the extracted blocking rule to the application-layer load balancing subsystem.
Preferably, the system further includes a data storage subsystem, connected to the real-time computing subsystem and configured to store the analysis result, the blocking rule and/or the user access history data obtained by analyzing the user requests.
Preferably, the system further includes a management configuration server, connected to the application-layer load balancing subsystem, the message queue subsystem and the real-time computing subsystem, and configured to provide configuration data to the application-layer load balancing subsystem, the load balancing agent, the message queue subsystem and the real-time computing subsystem.
Preferably, the application-layer load balancing subsystem is configured to receive the user requests from a transport-layer load balancing server.
Preferably, the load balancing agent is configured to compress the user requests and write the compressed user requests to the message queue subsystem.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes counting analysis, in which the real-time computing subsystem counts the source IP addresses corresponding to the user requests obtained within a specified time period; when the count for a source IP address exceeds a specified threshold, the real-time computing subsystem adds that source IP address to the blocking rule.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes counting analysis, in which the real-time computing subsystem counts the destination IP addresses corresponding to the user requests obtained within a specified time period; when the count for a destination IP address exceeds a specified threshold, the real-time computing subsystem tallies the source IP addresses of the user requests corresponding to that destination IP address and adds the one or more source IP addresses with the highest counts to the blocking rule.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes matching analysis, in which the real-time computing subsystem matches specified features in the user requests against a pre-stored feature list; when a match exists, the IP address corresponding to the user request containing the matching feature is added to the blocking rule.
Preferably, the management configuration server is further configured to trigger, according to traffic conditions, degradation processing of the application-layer load balancing subsystem, the message queue subsystem and/or the real-time computing subsystem.
According to another aspect of the present invention, a method for defending against network attacks by means of a network attack defense system is provided. The network attack defense system includes an application-layer load balancing subsystem, a message queue subsystem and a real-time computing subsystem, with a load balancing agent hosted on the application-layer load balancing subsystem. The method includes: the application-layer load balancing subsystem receives user requests; the load balancing agent reads the user requests from the application-layer load balancing subsystem and writes them to the message queue subsystem, where they are cached; the real-time computing subsystem obtains the cached user requests from the message queue subsystem; the real-time computing subsystem analyzes the data in the user requests to generate a blocking rule according to the analysis result; the real-time computing subsystem writes the blocking rule to the message queue subsystem, where it is cached; and the load balancing agent obtains the cached blocking rule from the message queue subsystem and applies the extracted blocking rule to the application-layer load balancing subsystem.
Preferably, the system further includes a data storage subsystem, and the method further includes: the data storage subsystem stores the analysis result, the blocking rule and/or the user access history data obtained by analyzing the user requests.
Preferably, the system further includes a management configuration server, and the method further includes: the management configuration server provides configuration data to the application-layer load balancing subsystem, the load balancing agent, the message queue subsystem and the real-time computing subsystem.
Preferably, the user requests are received by the application-layer load balancing subsystem from a transport-layer load balancing server.
Preferably, the load balancing agent writing the user requests to the message queue subsystem includes: the load balancing agent compresses the user requests and writes the compressed user requests to the message queue subsystem.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes counting analysis, in which the real-time computing subsystem counts the source IP addresses corresponding to the user requests obtained within a specified time period; when the count for a source IP address exceeds a specified threshold, the real-time computing subsystem adds that source IP address to the blocking rule.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes counting analysis, in which the real-time computing subsystem counts the destination IP addresses corresponding to the user requests obtained within a specified time period; when the count for a destination IP address exceeds a specified threshold, the real-time computing subsystem tallies the source IP addresses of the user requests corresponding to that destination IP address and adds the one or more source IP addresses with the highest counts to the blocking rule.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes matching analysis, in which the real-time computing subsystem matches specified features in the user requests against a pre-stored feature list; when a match exists, the IP address corresponding to the user request containing the matching feature is added to the blocking rule.
Preferably, the method further includes: the management configuration server triggers, according to traffic conditions, degradation processing of the application-layer load balancing subsystem, the message queue subsystem and/or the real-time computing subsystem.
By using the network attack defense system and the method for defending against network attacks proposed by the present invention, a more flexible and effective defense against massive volumes of user requests is achieved. The prior-art problems described above are thereby solved.
Brief description of the drawings
Fig. 1 shows a structural block diagram of a network attack defense system according to an embodiment of the invention;
Fig. 2 shows a flow chart of a method for defending against network attacks by means of the network attack defense system according to an embodiment of the invention.
Detailed description
It should be noted that, in the detailed description below, parts of the content may for convenience be explained in terms of specific network protocols (for example, the HTTP protocol); it should be understood that embodiments of the invention are not limited to these specific protocols.
The term "subsystem" as used herein may be implemented as a single computer or server, or as a cluster made up of multiple computers and/or servers, in which all computers in the same cluster cooperate to implement the same specific function. Specifically, a "subsystem" may be a cluster made up of multiple x86 servers. In addition, one interpretation of the term "load balancing" as used herein includes front-end forwarding performed to balance the access pressure on back-end business servers. It should be understood that the above explanations of terms are intended to make the technical solution easier to describe in detail and are not intended to limit the solution of the invention.
The invention is described in detail below with reference to the accompanying drawings.
First, Fig. 1 shows a structural block diagram of a network attack defense system 100 according to an embodiment of the invention. The network attack defense system 100 includes an application-layer load balancing subsystem 110, a message queue subsystem 120 and a real-time computing subsystem 130, with a load balancing agent 140 hosted on the application-layer load balancing subsystem 110.
In one embodiment, the application-layer load balancing subsystem 110 is configured to receive user requests, and the load balancing agent 140 hosted on it (implemented, in one embodiment, as a load balancer process) is configured to read the user requests from the application-layer load balancing subsystem 110 and write them to the message queue subsystem 120.
The application-layer load balancing subsystem 110 uses the x86 architecture and is mostly implemented with HAProxy or Nginx. Both require the load balancing agent 140 to copy request data from them in the form of a plug-in or module; the copied data includes HTTP header information, the user's browser cookies, and form data (excluding uploaded binary files). At the same time, to prevent the load balancing agent from taking up too many resources of the application-layer load balancing subsystem 110, the agent needs to be bound to specific CPU cores, so that excessive CPU context switching does not affect the performance of the load balancer process itself.
In a preferred embodiment, the application-layer load balancing subsystem 110 is configured to receive the user requests from a transport-layer load balancing server, which performs load balancing at the transport layer. Interception or blocking rules can likewise be set on that server. As with most existing hardware firewalls, these rules are often simple or preset, but they may nevertheless be used as a supplement to the technical solution to better ensure the security of the back end.
In a preferred embodiment, before writing a user request to the message queue subsystem 120, the load balancing agent 140 first compresses the request and then writes the compressed request to the message queue subsystem 120. The reason is that, in practice, a load balancing server places high demands on the throughput of its network interface card, so to avoid affecting the network throughput of the load balancing agent 140, user requests need to be compressed before being passed to the message queue subsystem 120.
Specifically, the compression methods include:
A. Converting IP addresses to 4-byte integers for storage;
B. Serializing the data in a binary format such as ProtoBuf;
C. Applying further, deeper compression with a compression algorithm such as gzip (although compression algorithms such as gzip can effectively reduce the amount of data transmitted, they consume more CPU, so whether to use them depends on the hardware configuration).
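The three compression steps above, sketched in Python as an added example (this is not code from the patent). The record layout, the one-byte encoding marker and the sample requests are assumptions, and the standard library's struct module stands in for ProtoBuf as the binary serializer.

```python
import gzip
import ipaddress
import json
import struct

# Assumed record layout (not specified by the patent): timestamp, source IPv4,
# destination IPv4 and URL length in network byte order, followed by the URL.
_HEADER = struct.Struct("!IIIH")
_RAW, _GZIP = b"\x00", b"\x01"  # one-byte marker so the consumer knows how to decode


def ip_to_u32(ip):
    """Step A: dotted-quad IPv4 text (7 to 15 bytes) -> 4-byte unsigned integer."""
    return int(ipaddress.IPv4Address(ip))


def u32_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def pack_record(rec):
    """Step B: binary serialization (struct stands in for ProtoBuf here)."""
    url = rec["url"].encode("utf-8")
    if len(url) > 0xFFFF:
        raise ValueError("URL too long for the 16-bit length field")
    return _HEADER.pack(rec["ts"], ip_to_u32(rec["src"]),
                        ip_to_u32(rec["dst"]), len(url)) + url


def unpack_records(body):
    """Inverse of pack_record over a concatenation of packed records."""
    records, offset = [], 0
    while offset < len(body):
        ts, src, dst, url_len = _HEADER.unpack_from(body, offset)
        offset += _HEADER.size
        url = body[offset:offset + url_len].decode("utf-8")
        offset += url_len
        records.append({"ts": ts, "src": u32_to_ip(src),
                        "dst": u32_to_ip(dst), "url": url})
    return records


def encode_batch(records, use_gzip):
    """Step C is optional: gzip trades agent CPU for fewer bytes on the wire."""
    body = b"".join(pack_record(r) for r in records)
    return _GZIP + gzip.compress(body) if use_gzip else _RAW + body


def decode_batch(message):
    """What the real-time computing side does before analysis."""
    marker, body = message[:1], message[1:]
    if marker == _GZIP:
        body = gzip.decompress(body)
    elif marker != _RAW:
        raise ValueError("unknown encoding marker")
    return unpack_records(body)


def sample_batch(n=50):
    """Constructed sample requests using documentation address ranges."""
    return [{"ts": 1464000000 + i, "src": f"203.0.113.{i % 5 + 1}",
             "dst": "192.0.2.1", "url": f"/item/{i}?page=1"} for i in range(n)]


def size_report(records):
    """Message size in bytes for JSON text, binary, and binary plus gzip."""
    return {"json": len(json.dumps(records).encode("utf-8")),
            "binary": len(encode_batch(records, use_gzip=False)),
            "binary+gzip": len(encode_batch(records, use_gzip=True))}


if __name__ == "__main__":
    print(size_report(sample_batch()))
```

For a single short record the gzip framing makes the message larger than the plain binary form, so step C only pays off when requests are batched or individually large.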
In one embodiment, the message queue subsystem 120 is connected to the application-layer load balancing subsystem 110 and is configured to cache the user requests written by the load balancing agent 140.
In a preferred embodiment, the message queue subsystem 120 is implemented with an existing open-source message queue system such as Kafka (an open-source message queue system with high throughput).
The primary purpose of using the message queue subsystem 120 is to decouple the subsystems from one another. Because the subsystems do not all have the same processing performance, having them interact directly would let the slowest subsystem drag down the operation of the whole system. With the high throughput of an open-source message queue system such as Kafka, the subsystems can cooperate in a non-blocking manner. In addition, to keep the data logically isolated in Kafka, the following three classes of topic need to be set up in the message queue: an HTTP raw request data topic, an analysis result topic, and a blocking rule topic.
In one embodiment, the real-time computing subsystem 130 is connected to the message queue subsystem 120 and is configured to obtain the cached user requests from the message queue subsystem 120, analyze the data in the user requests, generate a blocking rule according to the analysis result, and write the blocking rule to the message queue subsystem 120. Preferably, the blocking rule includes a list of blocked IP addresses.
Preferably, the real-time computing subsystem 130 is implemented on an open-source real-time computing framework such as Storm (an open-source stream computing framework with strong real-time performance) or Spark Streaming. Preferably, the real-time computing subsystem 130 performs counting analysis or matching analysis on the user requests based on customized data analysis logic, and generates the blocking rule according to the attacking IPs it identifies.
Specifically, the real-time analysis subsystem 130 takes from the message queue subsystem 120 the user requests within a specified time period (for example, the most recent period, such as 10 minutes), decompresses them (if they were compressed), and distributes them into its internal topology for computation and analysis. In addition, to keep the data analysis timely, the real-time analysis subsystem 130 needs to focus on the most recent period; after the real-time analysis subsystem 130 restarts, it must start consuming data from the latest point in time. Analysis is generally divided into counting analysis and matching analysis. Counting analysis can be used to find volumetric attacks such as DDoS, and matching analysis can be used to find vulnerability-type attacks such as SQL injection; the attacking IP addresses are ultimately identified on the basis of these two classes of algorithm.
Preferably, the analysis that the real-time computing subsystem 130 performs on the user requests includes counting analysis, in which the real-time computing subsystem 130 counts the source IP addresses corresponding to the user requests obtained within a specified time period; when the count for a source IP address exceeds a specified threshold, the real-time computing subsystem 130 adds that source IP address to the blocking rule.
Preferably, the analysis that the real-time computing subsystem 130 performs on the user requests includes counting analysis, in which the real-time computing subsystem 130 counts the destination IP addresses corresponding to the user requests obtained within a specified time period; when the count for a destination IP address exceeds a specified threshold, the real-time computing subsystem 130 tallies the source IP addresses of the user requests corresponding to that destination IP address and adds the one or more source IP addresses with the highest counts to the blocking rule.
Preferably, the analysis that the real-time computing subsystem 130 performs on the user requests includes matching analysis, in which the real-time computing subsystem 130 matches specified features in the user requests against a pre-stored feature list; when a match exists, the IP address corresponding to the user request containing the matching feature is added to the blocking rule.
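The three analyses described above (source-IP counting, destination-IP counting with top-source selection, and feature matching), which the summary and method sections restate, run over one time window in an added Python example that is not code from the patent. The window length, thresholds, feature pattern, record fields and sample traffic are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed tuning values; the patent only speaks of a "specified" period and thresholds.
WINDOW_SECONDS = 600   # the text gives 10 minutes as an example period
SOURCE_THRESHOLD = 5   # requests per source IP within the window
DEST_THRESHOLD = 8     # requests per destination IP within the window
TOP_N_SOURCES = 1      # how many top sources to block for a hot destination
# Hypothetical pre-stored feature list for the matching analysis.
FEATURES = [re.compile(r"union\s+select", re.IGNORECASE)]


def recent(records, now):
    """Keep only requests inside the analysis window ending at `now`."""
    return [r for r in records if now - WINDOW_SECONDS < r["ts"] <= now]


def by_source_count(records):
    """Counting analysis 1: a source IP whose own request count exceeds the threshold."""
    counts = Counter(r["src"] for r in records)
    return {ip for ip, n in counts.items() if n > SOURCE_THRESHOLD}


def by_destination_count(records):
    """Counting analysis 2: for a destination over threshold, its busiest sources."""
    per_dst = defaultdict(Counter)
    for r in records:
        per_dst[r["dst"]][r["src"]] += 1
    blocked = set()
    for sources in per_dst.values():
        if sum(sources.values()) > DEST_THRESHOLD:
            blocked.update(ip for ip, _ in sources.most_common(TOP_N_SOURCES))
    return blocked


def by_feature_match(records):
    """Matching analysis: the source of any request containing a listed feature."""
    return {r["src"] for r in records
            if any(f.search(r["query"]) for f in FEATURES)}


ANALYSES = (("source_count", by_source_count),
            ("destination_count", by_destination_count),
            ("feature_match", by_feature_match))


def build_blocking_rule(records, now):
    """Return {blocked IP: [analyses that flagged it]} for the current window."""
    window = recent(records, now)
    rule = defaultdict(list)
    for name, analysis in ANALYSES:
        for ip in sorted(analysis(window)):
            rule[ip].append(name)
    return dict(rule)


def sample_records(now):
    """Constructed request records (documentation IP ranges), not real traffic."""
    recs = []

    def add(src, dst, n, age, query=""):
        recs.extend({"ts": now - age, "src": src, "dst": dst, "query": query}
                    for _ in range(n))

    add("203.0.113.10", "192.0.2.1", 6, 30)    # one noisy source
    add("203.0.113.20", "192.0.2.2", 4, 60)    # three quieter sources that
    add("203.0.113.21", "192.0.2.2", 3, 60)    # together overload one destination
    add("203.0.113.22", "192.0.2.2", 2, 60)
    add("198.51.100.7", "192.0.2.1", 1, 10, "id=1 UNION SELECT name FROM users")
    add("198.51.100.8", "192.0.2.1", 1, 10, "id=42")
    add("198.51.100.9", "192.0.2.3", 10, 900)  # burst that is older than the window
    return recs


if __name__ == "__main__":
    print(build_blocking_rule(sample_records(1_000_000), 1_000_000))
```

The destination-count analysis blocks the busiest source even when that source stays below the per-source threshold, so the two thresholds and TOP_N_SOURCES need to be tuned together.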
In one embodiment, the analysis results of the real-time analysis subsystem 130 may include: blocking rule data generated for attacking IPs; and the analyzed user access history data. Both parts ultimately need to be written to the corresponding data streams of the message queue and stored persistently (for example, by the data storage subsystem described below).
In one embodiment, the message queue subsystem 120 is configured to cache the blocking rule. The load balancing agent 140 is further configured to obtain the cached blocking rule from the message queue subsystem 120 and apply the extracted blocking rule to the application-layer load balancing subsystem 110.
Specifically, the load balancing agent 140 receives the blocking rule from the message queue subsystem 120 and applies it to the application-layer load balancing subsystem 110, so that the application-layer load balancing subsystem 110 stops forwarding packets from the blocked IPs, thereby protecting the back-end business servers.
In one embodiment, the system further includes a data storage subsystem. The data storage subsystem is connected to the real-time computing subsystem 130 and is configured to store the analysis result, the blocking rule and/or the user access history data obtained by analyzing the user requests.
Preferably, the data storage subsystem may use an open-source database such as MySQL as its storage engine, and may store data in separate databases according to the different kinds of analysis result data. Preferably, tables may be rolled hourly or daily according to the volume of analysis data generated per unit time. Specifically, the data storage subsystem receives the analysis data produced by the real-time analysis subsystem 130 and writes it, split into tables according to the data timestamps, into a database such as MySQL.
Preferably, the system further includes a management configuration server. The management configuration server is connected to the application-layer load balancing subsystem 110, the message queue subsystem 120 and the real-time computing subsystem 130, and is configured to provide configuration data to the application-layer load balancing subsystem 110, the load balancing agent 140, the message queue subsystem 120 and the real-time computing subsystem 130. For example, the management configuration server provides configuration data to the real-time computing subsystem 130 to periodically update the various analysis thresholds or blocking thresholds used in the real-time computing subsystem 130. As another example, the management configuration server also provides a management interface to administrators, through which they can manually trigger functions of each subsystem, such as triggering the degradation switch or manually issuing a specific blocking rule.
In one embodiment, the management configuration server is further configured to trigger system degradation processing. The network attack defense system of the invention is a non-business system and is therefore designed as a bypass system. To guarantee the performance of the business systems and the normal operation of this system under heavy traffic (for example, a major e-commerce sales promotion), the system of the invention needs to support multi-level degradation processing, all of which is triggered by the management configuration server.
Specifically, the degradation processing includes:
A) Degradation of user request data collection: the load balancing agent 140 stops collecting form data or cookie data and retains only basic information such as the source IP and destination URL. This scheme degrades at the source and relieves the processing pressure on all subsystems.
B) Degradation of real-time computing: the real-time computing subsystem 130 reduces the number of dimensions of data analysis. This scheme relieves the processing pressure on the real-time computing subsystem.
C) Degradation of data storage: the real-time computing subsystem 130 stops writing analysis results to the message queue subsystem 120 and keeps only the writing of blocking rules. This scheme relieves database write pressure and also relieves the pressure on the message queue subsystem 120.
Next, refer to Fig. 2. Fig. 2 shows a flow chart of a method 200 for defending against network attacks by means of a network attack defense system according to an embodiment of the invention. The network attack defense system includes an application-layer load balancing subsystem, a message queue subsystem and a real-time computing subsystem, with a load balancing agent hosted on the application-layer load balancing subsystem. The method 200 begins at step S210, in which the application-layer load balancing subsystem receives user requests. Next, in step S220, the load balancing agent reads the user requests from the application-layer load balancing subsystem and writes them to the message queue subsystem, where they are cached. Next, in step S230, the real-time computing subsystem obtains the cached user requests from the message queue subsystem. Then, in step S240, the real-time computing subsystem analyzes the data in the user requests to generate a blocking rule according to the analysis result. Then, in step S250, the real-time computing subsystem writes the blocking rule to the message queue subsystem, where it is cached. Finally, in step S260, the load balancing agent obtains the cached blocking rule from the message queue subsystem and applies the extracted blocking rule to the application-layer load balancing subsystem.
Preferably, the system further includes a data storage subsystem, and the method further includes: the data storage subsystem stores the analysis result, the blocking rule and/or the user access history data obtained by analyzing the user requests.
Preferably, the system further includes a management configuration server, and the method further includes: the management configuration server provides configuration data to the application-layer load balancing subsystem, the load balancing agent, the message queue subsystem and the real-time computing subsystem.
Preferably, the user requests are received by the application-layer load balancing subsystem from a transport-layer load balancing server.
Preferably, the load balancing agent writing the user requests to the message queue subsystem includes: the load balancing agent compresses the user requests and writes the compressed user requests to the message queue subsystem.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes counting analysis, in which the real-time computing subsystem counts the IP addresses corresponding to the user requests obtained within a specified time period; when the count for an IP address exceeds a specified threshold, the real-time computing subsystem adds that IP address to the blocking rule.
Preferably, the analysis that the real-time computing subsystem performs on the user requests includes matching analysis, in which the real-time computing subsystem matches specified features in the user requests against a pre-stored feature list; when a match exists, the IP address corresponding to the user request containing the matching feature is added to the blocking rule.
Preferably, the method further includes: the management configuration server triggers, according to traffic conditions, degradation processing of the application-layer load balancing subsystem, the message queue subsystem and/or the real-time computing subsystem.
Preferably, the method 200 is performed by the system 100 shown in Fig. 1. The various specific descriptions and explanations given above for the system 100 in Fig. 1 apply equally to each step of the method 200 and are not repeated here.
Although the invention has been shown above in connection with its preferred embodiments, those skilled in the art will appreciate that various modifications, substitutions and changes can be made to the invention without departing from its spirit and scope. The invention should therefore not be limited by the above embodiments, but by the appended claims and their equivalents.

Claims (18)

1. A network attack defense system, comprising:
an application-layer load balancing subsystem configured to receive a user request, the application-layer load balancing subsystem hosting a load balancing agent, the load balancing agent being configured to
read the user request from the application-layer load balancing subsystem, and
write the user request to a message queue subsystem;
the message queue subsystem, connected to the application-layer load balancing subsystem and configured to cache the user request written by the load balancing agent; and
a real-time computing subsystem, connected to the message queue subsystem and configured to
obtain the cached user request from the message queue subsystem,
analyze the data in the user request and generate a blocking rule according to the analysis result, and
write the blocking rule to the message queue subsystem,
wherein the message queue subsystem is further configured to cache the blocking rule, and the load balancing agent is further configured to obtain the cached blocking rule from the message queue subsystem and apply the extracted blocking rule to the application-layer load balancing subsystem.
2. The system according to claim 1, further comprising:
a data storage subsystem, connected to the real-time computing subsystem and configured to store the analysis result, the blocking rule and/or user access history data obtained by analysis from the user request.
3. The system according to claim 1, further comprising:
a management configuration server, connected to the application-layer load balancing subsystem, the message queue subsystem and the real-time computing subsystem, and configured to provide configuration data to the application-layer load balancing subsystem, the load balancing agent, the message queue subsystem and the real-time computing subsystem.
4. The system according to any one of claims 1-3, wherein the application-layer load balancing subsystem is configured to receive the user request from a transport-layer load balancing server.
5. The system according to any one of claims 1-3, wherein the load balancing agent is configured to compress the user request and write the compressed user request to the message queue subsystem.
6. The system according to any one of claims 1-3, wherein the analysis that the real-time computing subsystem performs on the user request includes counting analysis, in which the real-time computing subsystem counts the source IP addresses corresponding to the user requests obtained within a specified time period, and when the count for a source IP address exceeds a specified threshold, the real-time computing subsystem adds that source IP address to the blocking rule.
7. The system according to any one of claims 1-3, wherein the analysis that the real-time computing subsystem performs on the user request includes counting analysis, in which the real-time computing subsystem counts the destination IP addresses corresponding to the user requests obtained within a specified time period, and when the count for a destination IP address exceeds a specified threshold, the real-time computing subsystem compiles statistics on the source IP addresses of the user requests corresponding to that destination IP address and adds the one or more source IP addresses with the highest counts to the blocking rule.
8. The system according to any one of claims 1-3, wherein the analysis that the real-time computing subsystem performs on the user request includes matching analysis, in which the real-time computing subsystem matches a specified feature in the user request against a pre-stored feature list, and when a match exists, adds the IP address corresponding to the user request with the matching feature to the blocking rule.
9. The system according to claim 3, wherein the management configuration server is further configured to trigger, according to traffic conditions, degradation processing of the application-layer load balancing subsystem, the message queue subsystem and/or the real-time computing subsystem.
10. A method of defending against network attacks by means of a network attack defense system, the network attack defense system comprising an application-layer load balancing subsystem, a message queue subsystem and a real-time computing subsystem, wherein the application-layer load balancing subsystem hosts a load balancing agent, the method comprising:
the application-layer load balancing subsystem receiving a user request;
the load balancing agent reading the user request from the application-layer load balancing subsystem and writing the user request to the message queue subsystem, to be cached by the message queue subsystem;
the real-time computing subsystem obtaining the cached user request from the message queue subsystem;
the real-time computing subsystem analyzing the data in the user request, to generate a blocking rule according to the analysis result;
the real-time computing subsystem writing the blocking rule to the message queue subsystem, to be cached by the message queue subsystem; and
the load balancing agent obtaining the cached blocking rule from the message queue subsystem and applying the extracted blocking rule to the application-layer load balancing subsystem.
11. The method according to claim 10, wherein the system further comprises a data storage subsystem, the method further comprising:
the data storage subsystem storing the analysis result, the blocking rule and/or user access history data obtained by analysis from the user request.
12. The method according to claim 10, wherein the system further comprises a management configuration server, the method further comprising:
the management configuration server providing configuration data to the application-layer load balancing subsystem, the load balancing agent, the message queue subsystem and the real-time computing subsystem.
13. The method according to any one of claims 10-12, wherein the user request is received by the application-layer load balancing subsystem from a transport-layer load balancing server.
14. The method according to any one of claims 10-12, wherein the load balancing agent writing the user request to the message queue subsystem includes:
the load balancing agent compressing the user request and writing the compressed user request to the message queue subsystem.
15. The method according to any one of claims 10-12, wherein the analysis that the real-time computing subsystem performs on the user request includes counting analysis, in which the real-time computing subsystem counts the source IP addresses corresponding to the user requests obtained within a specified time period, and when the count for a source IP address exceeds a specified threshold, the real-time computing subsystem adds that source IP address to the blocking rule.
16. The method according to any one of claims 10-12, wherein the analysis that the real-time computing subsystem performs on the user request includes counting analysis, in which the real-time computing subsystem counts the destination IP addresses corresponding to the user requests obtained within a specified time period, and when the count for a destination IP address exceeds a specified threshold, the real-time computing subsystem compiles statistics on the source IP addresses of the user requests corresponding to that destination IP address and adds the one or more source IP addresses with the highest counts to the blocking rule.
17. The method according to any one of claims 10-12, wherein the analysis that the real-time computing subsystem performs on the user request includes matching analysis, in which the real-time computing subsystem matches a specified feature in the user request against a pre-stored feature list, and when a match exists, adds the IP address corresponding to the user request with the matching feature to the blocking rule.
18. The method according to claim 11, further comprising: the management configuration server triggering, according to traffic conditions, degradation processing of the application-layer load balancing subsystem, the message queue subsystem and/or the real-time computing subsystem.
CN201610371336.8A 2016-05-30 2016-05-30 The method of network attack defending system and defending against network attacks Pending CN107454120A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610371336.8A CN107454120A (en) 2016-05-30 2016-05-30 The method of network attack defending system and defending against network attacks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610371336.8A CN107454120A (en) 2016-05-30 2016-05-30 The method of network attack defending system and defending against network attacks

Publications (1)

Publication Number Publication Date
CN107454120A true CN107454120A (en) 2017-12-08

Family

ID=60485729

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610371336.8A Pending CN107454120A (en) 2016-05-30 2016-05-30 The method of network attack defending system and defending against network attacks

Country Status (1)

Country Link
CN (1) CN107454120A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566363A (en) * 2018-01-09 2018-09-21 网宿科技股份有限公司 Method and system is determined based on the Brute Force of streaming computing
CN109194692A (en) * 2018-10-30 2019-01-11 扬州凤凰网络安全设备制造有限责任公司 Prevent the method that network is attacked
CN109547416A (en) * 2018-10-30 2019-03-29 扬州凤凰网络安全设备制造有限责任公司 Physical level security server
CN111200637A (en) * 2019-12-20 2020-05-26 新浪网技术(中国)有限公司 Cache processing method and device
CN111797352A (en) * 2020-06-30 2020-10-20 广州市百果园信息技术有限公司 Method and device for sealing account and sealing system
CN112217808A (en) * 2020-09-27 2021-01-12 南京南瑞信息通信科技有限公司 Message queue based linkage seal and unblock device and method for cascade architecture firewall
CN112929430A (en) * 2021-01-29 2021-06-08 光控特斯联(上海)信息科技有限公司 Data transmission method and system based on communication of Internet of things
CN114615073A (en) * 2022-03-22 2022-06-10 广州方硅信息技术有限公司 Access flow control method, device, equipment and medium
CN114640534A (en) * 2022-03-29 2022-06-17 广州方硅信息技术有限公司 Access interception control method, device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431725A (en) * 2007-11-08 2009-05-13 中兴通讯股份有限公司 Apparatus and method for implementing right treatment of concurrent messages
CN102291394A (en) * 2011-07-22 2011-12-21 网宿科技股份有限公司 Security defense system based on network accelerating equipment
US20140373136A1 (en) * 2013-06-14 2014-12-18 Or Igelka Proactive security system for distributed computer networks
CN104333529A (en) * 2013-07-22 2015-02-04 中国电信股份有限公司 Detection method and system of HTTP DOS (Denial of Service) attack under cloud computing environment
CN104580216A (en) * 2015-01-09 2015-04-29 北京京东尚科信息技术有限公司 System and method for limiting access requests
CN104580228A (en) * 2015-01-16 2015-04-29 北京京东尚科信息技术有限公司 System and method for generating blacklist for access requests from network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
中国支付清算协会: "《支付大讲堂 中国支付清算协会培训课程精选系列》", 31 December 2015 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566363A (en) * 2018-01-09 2018-09-21 网宿科技股份有限公司 Method and system is determined based on the Brute Force of streaming computing
CN109194692A (en) * 2018-10-30 2019-01-11 扬州凤凰网络安全设备制造有限责任公司 Prevent the method that network is attacked
CN109547416A (en) * 2018-10-30 2019-03-29 扬州凤凰网络安全设备制造有限责任公司 Physical level security server
WO2020088144A1 (en) * 2018-10-30 2020-05-07 扬州凤凰网络安全设备制造有限责任公司 Physical-level security server
CN111200637A (en) * 2019-12-20 2020-05-26 新浪网技术(中国)有限公司 Cache processing method and device
CN111200637B (en) * 2019-12-20 2022-07-08 新浪网技术(中国)有限公司 Cache processing method and device
CN111797352A (en) * 2020-06-30 2020-10-20 广州市百果园信息技术有限公司 Method and device for sealing account and sealing system
CN112217808A (en) * 2020-09-27 2021-01-12 南京南瑞信息通信科技有限公司 Message queue based linkage seal and unblock device and method for cascade architecture firewall
CN112217808B (en) * 2020-09-27 2023-10-24 南京南瑞信息通信科技有限公司 Cascade architecture firewall linkage sealing and disabling device and method based on message queue
CN112929430A (en) * 2021-01-29 2021-06-08 光控特斯联(上海)信息科技有限公司 Data transmission method and system based on communication of Internet of things
CN114615073A (en) * 2022-03-22 2022-06-10 广州方硅信息技术有限公司 Access flow control method, device, equipment and medium
CN114640534A (en) * 2022-03-29 2022-06-17 广州方硅信息技术有限公司 Access interception control method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN107454120A (en) The method of network attack defending system and defending against network attacks
US10652265B2 (en) Method and apparatus for network forensics compression and storage
US9473380B1 (en) Automatic parsing of binary-based application protocols using network traffic
US9426046B2 (en) Web page download time analysis
US7864764B1 (en) Accelerated packet processing in a network acceleration device
WO2022083353A1 (en) Abnormal network data detection method and apparatus, computer device, and storage medium
WO2018121331A1 (en) Attack request determination method, apparatus and server
US10097464B1 (en) Sampling based on large flow detection for network visibility monitoring
CN104714965B (en) Static resource De-weight method, static resource management method and device
US9979624B1 (en) Large flow detection for network visibility monitoring
CN110198248B (en) Method and device for detecting IP address
US20070150584A1 (en) Apparatus, system, and method for determining server utilization in hosted computing infrastructure
US10536360B1 (en) Counters for large flow detection
WO2014026220A1 (en) Analysis of time series data
CN104252458B (en) Data analysing method and device
Lockwood et al. Implementing ultra low latency data center services with programmable logic
Sakakibara et al. An fpga nic based hardware caching for blockchain
CN111740868A (en) Alarm data processing method and device and storage medium
CN105407096A (en) Message data detection method based on stream management
US11140178B1 (en) Methods and system for client side analysis of responses for server purposes
Sakakibara et al. A hardware-based caching system on FPGA NIC for Blockchain
US11665187B1 (en) Time bounded lossy counters for network data
Shin et al. A grand spread estimator using a graphics processing unit
CN107277062B (en) Parallel processing method and device for data packets
CN110198294B (en) Security attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171208
