CN108600145A - Method and device for determining DDoS attack devices - Google Patents

Info

Publication number: CN108600145A
Application number: CN201711421274.8A
Authority: CN (China)
Prior art keywords: client, ddos attack, characteristic value, application, characteristic information
Legal status: Granted; Active (the status shown is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108600145B (en)
Inventors: 张磊, 叶晓虎, 何坤
Current assignees: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignees: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Events: application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd; priority to CN201711421274.8A; publication of CN108600145A; application granted; publication of CN108600145B; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

Embodiments of the present invention provide a method and device for determining DDoS attack devices, to solve the technical problems in the prior art that methods for determining DDoS attack devices cannot identify DDoS attack devices with complete protocol stack behavior and give a poor user experience. The method includes: when HTTP requests sent by N clients are received, obtaining the characteristic value of each of the N clients, where the characteristic value characterizes features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client; dividing clients with identical characteristic values into the same classification, and counting the traffic of the clients of each classification within a predetermined time range; and, when the traffic of the clients of any classification within the predetermined time range is determined to exceed a first threshold, determining the clients of that classification to be DDoS attack devices.

Description

Method and device for determining DDoS attack devices
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for determining DDoS attack devices.
Background technology
A distributed denial of service (DDoS) attack uses client/server technology to join multiple computers together as an attack platform and launch a DDoS attack against one or more targets, multiplying the power of a denial of service attack.
In the prior art, the technical solution generally used to protect against DDoS attacks is to check whether the client's browser capabilities are complete, for example by using JavaScript or cookie verification to check whether the client has normal JavaScript computing capability, normal HyperText Transfer Protocol (HTTP) response behavior, and so on. However, these existing methods can only detect DDoS attack devices with incomplete protocol stack behavior; they are helpless against DDoS attack devices with complete protocol stack behavior, for example an attacker who uses a browser to simulate legitimate HTTP requests, occupies a large amount of network resources and thereby paralyzes the network. Moreover, this kind of detection method usually also requires the user to take part in an authentication process, such as entering a verification code or dragging a verification picture, which interrupts the user's browsing experience. It can be seen that the prior-art methods for determining DDoS attack devices have the technical problems that they cannot identify DDoS attack devices with complete protocol stack behavior and that the user experience is poor.
Summary of the invention
Embodiments of the present invention provide a method and device for determining DDoS attack devices, to solve the technical problems in the prior art that methods for determining DDoS attack devices cannot identify DDoS attack devices with complete protocol stack behavior and give a poor user experience.
A first aspect of the embodiments of the present invention provides a method for determining DDoS attack devices, including:
when HTTP requests sent by N clients are received, obtaining the characteristic value of each of the N clients, where the characteristic value characterizes features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client;
dividing clients with identical characteristic values into the same classification, and counting the traffic of the clients of each classification within a predetermined time range;
when the traffic of the clients of any classification within the predetermined time range is determined to exceed a first threshold, determining the clients of that classification to be DDoS attack devices.
In the above scheme, by judging the traffic of clients with identical characteristic values, all of the DDoS attack traffic initiated by the same DDoS attack network can be identified, which solves the prior-art technical problem of being unable to identify DDoS attack devices with complete protocol stack behavior.
Optionally, obtaining the characteristic value of each of the N clients includes: sending a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value according to at least one item of its own characteristic information and to return the generated characteristic value, where each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application; and receiving the characteristic value returned by each client.
With this method, the characteristic value corresponding to each client can be obtained directly from that client, so that clients can be classified according to characteristic value and DDoS attack devices identified.
Optionally, obtaining the characteristic value of each of the N clients includes: sending a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information, where each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application; receiving the characteristic information returned by each client; and generating the characteristic value corresponding to each client from the characteristic information that client returned.
With this method, the characteristic information of each client can be obtained from that client and the characteristic value corresponding to each client then computed from its characteristic information, so that clients can be classified according to characteristic value and DDoS attack devices identified.
Optionally, the characteristic information includes at least one of: the type of operating system, the version of the browser, the window state of the browser, the extension information of the browser, the setting information of the browser, the historical request record of the browser, the video card information of the client, and the sound card information of the client.
With this method, the characteristic value corresponding to a client can be determined from the features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client, so that clients can be classified according to characteristic value and DDoS attack devices identified.
Optionally, after the clients of any classification are determined to be DDoS attack devices, the method further includes: limiting the traffic of each DDoS attack device so determined; or adding each DDoS attack device so determined to a blacklist.
With this method, DDoS attacks can be defended against effectively and network security ensured.
A second aspect of the embodiments of the present invention provides a device for determining DDoS attack devices, including: a receiving unit, configured to receive HTTP requests sent by N clients; and a processing unit, configured to obtain the characteristic value of each of the N clients, where the characteristic value characterizes features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client; to divide clients with identical characteristic values into the same classification and count the traffic of the clients of each classification within a predetermined time range; and, when the traffic of the clients of any classification within the predetermined time range is determined to exceed a first threshold, to determine the clients of that classification to be DDoS attack devices.
Optionally, the device further includes a first sending unit, configured to send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value according to at least one item of its own characteristic information and to return the generated characteristic value, where each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application; and the receiving unit is further configured to receive the characteristic value returned by each client.
Optionally, the device further includes a second sending unit, configured to send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information, where each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application; the receiving unit is further configured to receive the characteristic information returned by each client; and the processing unit is further configured to generate the characteristic value corresponding to each client from the characteristic information that client returned.
Optionally, the characteristic information includes at least one of: the type of operating system, the version of the browser, the window state of the browser, the extension information of the browser, the setting information of the browser, the historical request record of the browser, the video card information of the client, and the sound card information of the client.
Optionally, the processing unit is further configured to, after the clients of any classification are determined to be DDoS attack devices, limit the traffic of each DDoS attack device so determined, or add each DDoS attack device so determined to a blacklist.
A third aspect of the embodiments of the present invention also provides an apparatus for determining DDoS attack devices, including at least one processor, and a memory and a communication interface communicatively connected to the at least one processor; where the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, uses the communication interface to perform the method described in the first aspect of the embodiments of the present invention.
A fourth aspect of the embodiments of the present invention also provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method described in the first aspect of the embodiments of the present invention.
The one or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
The characteristic value of each client is obtained from the features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client; clients with identical characteristic values are identified as the same class of client; and when the total traffic of any class of clients within the predetermined time range is detected to exceed the first threshold, all clients of that class are determined to be DDoS attack devices. By judging the traffic of clients with identical characteristic values, this scheme can identify all of the DDoS attack traffic initiated by the same DDoS attack network, solving the prior-art technical problem of being unable to identify DDoS attack devices with complete protocol stack behavior; furthermore, it does not require the user to take part in a verification process and so does not interrupt the user's browsing experience, improving the user experience.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a CC attack in the prior art;
Fig. 2 is a flow diagram of the method for determining DDoS attack devices in an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the device for determining DDoS attack devices in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the apparatus for determining DDoS attack devices in an embodiment of the present invention.
Detailed description
The technical solution of the present invention is described in detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments, and the specific features in the embodiments, are detailed descriptions of the technical solution of the present invention and not limitations of it, and that, in the absence of conflict, the embodiments and the technical features in them can be combined with each other.
It should be understood that in the description of the embodiments of the present invention, words such as "first" and "second" are used only to distinguish items for the purpose of description; they are not to be understood as indicating or implying relative importance, nor as indicating or implying an order. In the description of the embodiments of the present invention, "multiple" means two or more.
The term "and/or" in the embodiments of the present invention only describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
With the continuing deterioration of the global security situation, DDoS attacks are intensifying, and among them CC (Challenge Collapsar) attacks show a clear upward trend. In a so-called CC attack, the attacker generates, through proxy servers, legitimate-looking requests directed at the victim host, achieving both denial of service and disguise. For example, referring to Fig. 1, a hacker uses a master controller equipped with CC attack software to control multiple puppet machines (DDoS attack devices) that simultaneously send a large number of legitimate web page requests to a server (the attacked device), occupying server resources so that the server has difficulty responding to the HTTP requests initiated by normal clients.
For defending against DDoS attacks, existing solutions include the following four modes:
Mode 1: when a client initiates an HTTP request of the GET type, a 302 redirect is returned to the client; the client responds to the 302 redirect, ends this connection and accesses the new address. If the client carries the correct cookie when accessing the new address, it is determined to be a normal user's client and its request is answered; otherwise the client's HTTP request is discarded;
Mode 2: when a client initiates an HTTP request of the GET type, executable JavaScript code is returned to the client; the client evaluates the received JavaScript code, and if it computes the result correctly it is determined to be a normal user's client and its request is answered; otherwise the client's HTTP request is discarded;
Mode 3: when a client initiates an HTTP request of the GET type, a verification code picture is returned to the client and the user is required to enter the verification code manually. If the user enters the correct verification code, the client is determined to be a normal user's client and its request is answered; otherwise the client's HTTP request is discarded;
Mode 4: the traffic that a single source Internet Protocol (IP) address exchanges with the server side within a unit of time is limited.
Of these, Modes 1 and 2 can only detect attack sources with incomplete protocol stack behavior and are helpless against attack sources with complete protocol interaction behavior, for example an attacker using a browser to simulate legitimate HTTP requests in order to carry out a DDoS attack on the server side. Although Mode 3 has the highest interception rate, it requires the user to enter a verification code manually, which interrupts the customer's browsing experience and gives a poor user experience. As for Mode 4, as DDoS attack technology continues to develop, current techniques can keep the request rate of a single DDoS device very low, within the normal access rate range, and then rely on a huge number of DDoS attack devices to achieve a cumulative attack on the attacked device; this rate-limiting scheme therefore not only fails to distinguish DDoS attack devices but may even affect the communication services of normal users' clients.
Embodiment one
Embodiment one of the present invention provides a method for determining DDoS attack devices, to solve the technical problems in the prior art that methods for determining DDoS attack devices cannot identify DDoS attack devices with complete protocol stack behavior and give a poor user experience. The method may be applied on the attacked device itself (for example the server side) or on a protective device specially deployed in front of the attacked device; the embodiments of the present invention do not particularly limit this.
Referring to Fig. 2, the method for determining DDoS attack devices includes:
Step 101: when HTTP requests sent by N clients are received, obtain the characteristic value of each of the N clients.
Specifically, each client has only one characteristic value, which characterizes features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client. The characteristic value is calculated from multiple items of the client's characteristic information. The characteristic information of a client includes but is not limited to the following three types: characteristic information of the application with which the client initiates the HTTP request, characteristic information of the running environment of that application, and characteristic information of the client's hardware. The characteristic information of the application may be the version of the browser, the window state of the browser (including whether the window is hidden or active, the size of the window, and the position of the window), the extension information of the browser, the setting information of the browser, the historical request record of the browser, and so on; the characteristic information of the running environment may be the version of the operating system, the setting information of the operating system, and so on; and the hardware characteristic information of the client may be the video card information, the sound card information, and so on of the client.
In a specific implementation, the characteristic value of a client may be determined from its multiple items of characteristic information as follows: a hash algorithm is applied to the multiple items of characteristic information of each client to obtain a hash value corresponding to that client; the hash value obtained is the client's characteristic value, which may also be called the client's identity (ID) number.
Step 102: divide clients with identical characteristic values into the same classification, and count the traffic of the clients of each classification within the predetermined time range.
In general, in a DDoS attack initiated from the same attack network, every DDoS device has the same tool features, that is, the same client characteristic information. In view of this, clients whose features of the application initiating the HTTP request and/or the running environment of that application and/or the client hardware are identical can be identified as the same class of client; that is, clients with identical characteristic values are identified as clients used by the same attacker, and the traffic within the predetermined time range of all clients corresponding to each characteristic value is counted.
Step 103: when the traffic of the clients of any classification within the predetermined time range is determined to exceed the first threshold, determine the clients of that classification to be DDoS attack devices.
In the above scheme, the characteristic value of each client is obtained from the features of the application with which the client initiates the HTTP request and/or the running environment of that application and/or the hardware of the client; clients with identical characteristic values are identified as the same class of client; and when the total traffic of any class of clients within the predetermined time range is detected to exceed the first threshold, all clients of that class are determined to be DDoS attack devices. By judging the traffic of clients with identical characteristic values, this scheme can identify all of the DDoS attack traffic initiated by the same DDoS attack network, solving the prior-art technical problem of being unable to identify DDoS attack devices with complete protocol stack behavior or DDoS attack devices with small per-device traffic, and it does not require the user to perform interactive verification at the client, improving the user experience.
Optionally, the specific ways of obtaining the characteristic value of each of the N clients in step 101 include but are not limited to the following two:
Mode 1: send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value according to at least one item of its characteristic information and to return the generated characteristic value, where each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application; and receive the characteristic value returned by each client.
The first instruction may specifically be a response page carrying JavaScript code; by executing the JavaScript code, the client can obtain its own characteristic information and generate a characteristic value from it.
Mode 2: send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its characteristic information, where each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application; receive the characteristic information returned by each client; and generate the characteristic value corresponding to each client from the characteristic information that client returned.
The second instruction may specifically be a response page carrying JavaScript code; by executing the JavaScript code, the client can obtain its own characteristic information.
The difference from Mode 1 is that in this mode the client returns characteristic information, whereas in Mode 1 the client returns a characteristic value: in Mode 1 the work of calculating the characteristic value from the characteristic information is completed directly by the client.
With these methods, the characteristic information of each client can be obtained from the client and the characteristic value corresponding to each client then computed from it, or the characteristic value corresponding to each client can be obtained directly from the client, so that clients can be classified according to characteristic value and DDoS attack devices identified.
Optionally, after the clients of any classification are determined to be DDoS attack devices, the method may further include: limiting the traffic of each DDoS attack device so determined; or adding each DDoS attack device so determined to a blacklist.
For example, if the traffic of a DDoS attack device within a unit of time exceeds a predetermined value, the packets sent by that DDoS attack device are discarded; as another example, as soon as a message sent by a DDoS attack device is recognized, it is discarded.
With this method, DDoS attacks can be defended against effectively and network security ensured.
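Steps 101 to 103 of embodiment one, written out as an added example (not code from the patent or from NSFOCUS): the server hashes the characteristic information returned under Mode 2 into one characteristic value per client, groups clients by that value, sums each group's traffic in the predetermined window and flags the group that exceeds the first threshold. A prior-art per-IP limit (Mode 4) is run over the same constructed request log for comparison. The field names, the choice of SHA-256 and the sample values are all assumptions of this example.

```python
import hashlib
import json
from collections import defaultdict

# Constructed characteristic information for two kinds of client. The patent
# lists the kinds of information (OS type, browser version, window state,
# extensions, settings, request history, video card, sound card) but no field
# names; the keys below are this example's assumption.
BOT_INFO = {
    "os": "Windows 10", "browser": "Chrome/62.0", "window": "hidden 1024x768 @0,0",
    "extensions": "", "settings": "lang=zh-CN", "history_count": 0,
    "gpu": "Generic VGA", "audio": "none",
}
USER_INFO = {
    "os": "macOS 10.13", "browser": "Safari/11.0", "window": "active 1440x900 @40,60",
    "extensions": "adblock", "settings": "lang=en-US", "history_count": 17,
    "gpu": "Intel Iris Plus 640", "audio": "Built-in Output",
}

# Constructed request log as seen by the protective device: 40 puppet machines
# on distinct IPs sending 3 small requests each (a low per-device rate), and 5
# ordinary users whose browsing histories differ, sending 4 requests each.
# "t" is the arrival time in seconds; "info" is what the fingerprinting
# JavaScript returned (Mode 2: the server computes the hash itself).
REQUESTS = (
    [{"ip": f"203.0.113.{i}", "t": 1.0 + (i % 9), "bytes": 600, "info": BOT_INFO}
     for i in range(1, 41) for _ in range(3)]
    + [{"ip": f"198.51.100.{i}", "t": 2.0 + i, "bytes": 900,
        "info": dict(USER_INFO, history_count=10 + i)}
       for i in range(1, 6) for _ in range(4)]
)


def characteristic_value(info):
    """Step 101 / Mode 2: reduce a client's characteristic information to one
    characteristic value (its 'ID'). The patent calls for a hash but names no
    algorithm; SHA-256 over a canonical JSON encoding is this example's choice."""
    canonical = json.dumps(info, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def traffic_per_class(requests, window_start, window_end):
    """Step 102: put clients with identical characteristic values in one class
    and sum each class's traffic inside the predetermined time window.
    Returns {characteristic_value: {"bytes": total, "ips": {client ips}}}."""
    classes = defaultdict(lambda: {"bytes": 0, "ips": set()})
    for r in requests:
        if not (window_start <= r["t"] < window_end):
            continue  # outside the predetermined time range
        cv = characteristic_value(r["info"])
        classes[cv]["bytes"] += r["bytes"]
        classes[cv]["ips"].add(r["ip"])
    return classes


def attack_devices(requests, window_start, window_end, first_threshold):
    """Step 103: every client of a class whose windowed traffic exceeds the
    first threshold is determined to be a DDoS attack device.
    Returns the set of their source IPs (input for a blacklist or rate limit)."""
    flagged = set()
    for stats in traffic_per_class(requests, window_start, window_end).values():
        if stats["bytes"] > first_threshold:
            flagged |= stats["ips"]
    return flagged


def per_ip_rate_limit_hits(requests, window_start, window_end, per_ip_limit):
    """Prior-art Mode 4 for comparison: flag any single source IP whose own
    traffic in the window exceeds per_ip_limit. With many low-rate puppets
    this misses the botnet and can hit busier legitimate users instead."""
    per_ip = defaultdict(int)
    for r in requests:
        if window_start <= r["t"] < window_end:
            per_ip[r["ip"]] += r["bytes"]
    return {ip for ip, total in per_ip.items() if total > per_ip_limit}


if __name__ == "__main__":
    window = (0.0, 20.0)
    by_class = traffic_per_class(REQUESTS, *window)
    for cv, stats in sorted(by_class.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"class {cv[:12]}... clients={len(stats['ips']):3d} bytes={stats['bytes']}")
    print("flagged by characteristic-value class:",
          len(attack_devices(REQUESTS, *window, first_threshold=10_000)))
    print("flagged by per-IP limit (Mode 4):",
          sorted(per_ip_rate_limit_hits(REQUESTS, *window, per_ip_limit=2_000)))
```

With the constructed log, the 40 puppets (1800 bytes each) stay under a 2000-byte per-IP limit while the five real users (3600 bytes each) trip it, whereas the class total of 72000 bytes flags exactly the puppets.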
Embodiment two
Second embodiment of the present invention provides a kind of method of determining ddos attack equipment, this method and the whole invention of embodiment one Conceive identical.Unlike, the characteristic value of client refers to just the characteristic information of client in embodiment two, each client Characteristic value (i.e. characteristic information) can be multiple;And the characteristic value in above-described embodiment one is believed according to the multinomial feature of client A value being calculated is ceased, only there are one characteristic values for a client.Below to the full implementation stream of the embodiment of the present invention two Journey is introduced:
Step 1:When receiving the HTTP request that N number of client is sent, each client in N number of client is obtained At least one characteristic value at end.
Here, the characteristic value of a client is built from the client's characteristic information, which includes but is not limited to the following three types: characteristic information of the application with which the client initiates the HTTP request, characteristic information of the running environment of that application, and characteristic information of the client hardware. For example, the characteristic information may specifically be the browser version, the hidden/active state of the browser window, the size of the browser window, the position of the browser window, browser extension information, browser settings, the browser's request history, the client's graphics card information, the client's sound card information, and so on.
Step 2: Clients with identical characteristic values are placed in the same class, and the traffic of the clients of each class within a predetermined time period is counted.
Specifically, the characteristic values sent by the clients are compared; if all characteristic values sent by two clients are entirely consistent, those two clients are placed in the same class. The total traffic of the clients of each class within the predetermined time range is then counted.
It should be noted that, in a specific implementation, if most characteristic values of two clients are identical but a small number of them differ, the two clients may also be placed in the same class. For example, if client A and client B have the same browser version, browser window hidden/active state, browser window size, browser window position, browser extension information and browser settings, but client A has browsed a certain web page one time fewer than client B, client A and client B may still be placed in the same class.
Step 3: When the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, the clients of that class are determined to be DDoS attack devices.
Through the above technical solution, all DDoS attack traffic initiated by the same DDoS attack network can be identified. This solves the problem that the prior art cannot identify DDoS attack devices that exhibit complete protocol-stack behaviour while each generating only a small amount of traffic, and it requires no interactive verification of the user at the client, which improves the user experience.
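The three steps of embodiment two (deriving a characteristic value from the client's characteristic information, grouping clients by that value, and thresholding each group's summed traffic within a time window), worked through as an added example that is not part of the patent. The feature key names, the SHA-256 fingerprint, the `min_matching` parameter and all client and request data are constructed here for illustration. `min_matching` generalizes the description's remark that two clients differing in only a few characteristic items may still share a class: with its default value only identical characteristic values are grouped, and a smaller value also merges near-identical clients.

```python
from collections import defaultdict
import hashlib
import json

# Kinds of characteristic information the description enumerates; the key
# names themselves are an assumption of this example, not the patent's.
FEATURE_KEYS = (
    "os_type", "browser_version", "window_state", "extensions",
    "settings", "history_requests", "gpu", "sound_card",
)


def characteristic_value(features):
    """Step 1: one characteristic value derived from the client's
    characteristic information. Canonical JSON makes the SHA-256 digest
    independent of key order, so equal information gives equal values."""
    canonical = json.dumps({k: features.get(k) for k in FEATURE_KEYS},
                           sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def matching_features(a, b):
    """Count the characteristic items on which two clients agree."""
    return sum(1 for k in FEATURE_KEYS if a.get(k) == b.get(k))


def classify_clients(clients, min_matching=len(FEATURE_KEYS)):
    """Step 2: place clients into classes. With min_matching equal to the
    number of items, only identical characteristic values share a class.
    A smaller value also merges clients that differ in a few items; a client
    then joins the first class whose representative it matches (greedy)."""
    if min_matching >= len(FEATURE_KEYS):
        by_value = defaultdict(list)
        for cid, feats in clients.items():
            by_value[characteristic_value(feats)].append(cid)
        return list(by_value.values())
    classes = []  # (representative features, member ids)
    for cid, feats in clients.items():
        for rep, members in classes:
            if matching_features(rep, feats) >= min_matching:
                members.append(cid)
                break
        else:
            classes.append((feats, [cid]))
    return [members for _, members in classes]


def traffic_in_window(requests, window_start, window_len):
    """Bytes per client for requests whose timestamp lies in
    [window_start, window_start + window_len)."""
    totals = defaultdict(int)
    for cid, ts, nbytes in requests:
        if window_start <= ts < window_start + window_len:
            totals[cid] += nbytes
    return totals


def flag_attack_devices(clients, requests, window_start, window_len,
                        threshold, min_matching=len(FEATURE_KEYS)):
    """Step 3: every member of a class whose summed traffic in the window
    exceeds the first threshold is marked as a DDoS attack device."""
    totals = traffic_in_window(requests, window_start, window_len)
    flagged = set()
    for members in classify_clients(clients, min_matching):
        if sum(totals.get(c, 0) for c in members) > threshold:
            flagged.update(members)
    return flagged


# Constructed sample: A, B and C report identical characteristic information;
# E differs from A only in its request history; D is an ordinary user with a
# distinct browser and hardware.
_BASE = {"os_type": "Linux", "browser_version": "Chrome/63.0",
         "window_state": "hidden", "extensions": [], "settings": "default",
         "history_requests": 3, "gpu": "llvmpipe", "sound_card": None}
CLIENTS = {
    "A": dict(_BASE), "B": dict(_BASE), "C": dict(_BASE),
    "E": {**_BASE, "history_requests": 4},
    "D": {"os_type": "Windows", "browser_version": "Firefox/57.0",
          "window_state": "active", "extensions": ["ublock"],
          "settings": "custom", "history_requests": 120,
          "gpu": "GTX 1060", "sound_card": "Realtek"},
}
# (client id, timestamp in seconds, bytes); constructed. The last request
# falls outside the 60 s window used below and must be ignored.
REQUESTS = [
    ("A", 1.0, 300), ("B", 2.0, 300), ("C", 3.0, 300), ("E", 4.0, 300),
    ("D", 5.0, 400), ("A", 70.0, 5000),
]

if __name__ == "__main__":
    # Exact matching flags the three identical clients (900 B > 500 B) while
    # D (400 B) and E (300 B), each alone in its class, stay below threshold.
    print(sorted(flag_attack_devices(CLIENTS, REQUESTS, 0.0, 60.0, 500)))
    # Tolerating one differing item pulls E into the same class as A, B, C.
    print(sorted(flag_attack_devices(CLIENTS, REQUESTS, 0.0, 60.0, 500,
                                     min_matching=7)))
```

Per-client totals (300 B or 400 B) never exceed the 500 B threshold, which is exactly the low-per-device case the description says the prior art misses; only the class-level sum reveals the group. The greedy near-match rule is order-dependent and is there to make the description's "most items identical" remark concrete, not to propose a particular clustering.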
Embodiment three
Embodiment three of the present invention provides a device for determining DDoS attack devices. Referring to Fig. 3, the device includes:
a receiving unit 201, configured to receive HTTP requests sent by N clients;
a processing unit 202, configured to obtain the characteristic value of each of the N clients, the characteristic value characterizing the application with which the client initiates the HTTP request and/or the running environment of the application and/or the hardware of the client; to place clients with identical characteristic values in the same class and count the traffic of the clients of each class within a predetermined time; and, when the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, to determine the clients of that class to be DDoS attack devices.
Optionally, the device further includes a first sending unit 203;
the first sending unit 203 is configured to send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value; wherein each item of the client's characteristic information characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of the application;
the receiving unit 201 is further configured to receive the characteristic value returned by each client.
Optionally, the device further includes a second sending unit 203;
the second sending unit 203 is configured to send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information; wherein each item of the client's characteristic information characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of the application;
the receiving unit 201 is further configured to receive the characteristic information returned by each client;
the processing unit 202 is further configured to generate the characteristic value corresponding to each client from the characteristic information returned by that client.
Optionally, the characteristic information includes at least one of: the type of operating system, the browser version, the browser window state, browser extension information, browser settings, the browser's request history, the client's graphics card information and the client's sound card information.
Optionally, the processing unit 202 is further configured to:
after the clients of any class have been determined to be DDoS attack devices, limit the traffic of each determined DDoS attack device, or add each determined DDoS attack device to a blacklist.
The specific implementation of the operations performed by each of the above units may follow the corresponding steps of the method for determining DDoS attack devices described in embodiment one of the present invention, which are not repeated here.
Embodiment four
Embodiment four of the present invention provides an apparatus for determining DDoS attack devices. Referring to Fig. 4, the apparatus includes:
at least one processor 301; and
a memory 302 and a communication interface 303 communicatively connected to the at least one processor 301;
wherein the memory 302 stores instructions executable by the at least one processor 301, and the at least one processor 301, by executing the instructions stored in the memory 302, uses the communication interface 303 to perform the method for determining DDoS attack devices of embodiment one or embodiment two of the present invention.
Embodiment five
Embodiment five of the present invention provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method for determining DDoS attack devices of embodiment one or embodiment two of the present invention.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or box in the flowcharts and/or block diagrams, and any combination of flows and/or boxes therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more boxes of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (12)

1. A method for determining distributed denial of service (DDoS) attack devices, characterized in that it comprises:
when HTTP requests sent by N clients are received, obtaining the characteristic value of each of the N clients, the characteristic value characterizing the application with which the client initiates the HTTP request and/or the running environment of the application and/or the hardware of the client;
placing clients with identical characteristic values in the same class, and counting the traffic of the clients of each class within a predetermined time range;
when the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, determining the clients of that class to be DDoS attack devices.
2. The method according to claim 1, characterized in that obtaining the characteristic value of each of the N clients comprises:
sending a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value; wherein each item of the client's characteristic information characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of the application;
receiving the characteristic value returned by each client.
3. The method according to claim 1, characterized in that obtaining the characteristic value of each of the N clients comprises:
sending a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information; wherein each item of the client's characteristic information characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of the application;
receiving the characteristic information returned by each client;
generating the characteristic value corresponding to each client from the characteristic information returned by that client.
4. The method according to claim 2 or 3, characterized in that the characteristic information includes at least one of: the type of operating system, the browser version, the browser window state, browser extension information, browser settings, the browser's request history, the client's graphics card information and the client's sound card information.
5. The method according to any one of claims 1 to 3, characterized in that, after the clients of any class are determined to be DDoS attack devices, the method further comprises:
limiting the traffic of each determined DDoS attack device; or
adding each determined DDoS attack device to a blacklist.
6. A device for determining DDoS attack devices, characterized in that it comprises:
a receiving unit, configured to receive HTTP requests sent by N clients;
a processing unit, configured to obtain the characteristic value of each of the N clients, the characteristic value characterizing the application with which the client initiates the HTTP request and/or the running environment of the application and/or the hardware of the client; to place clients with identical characteristic values in the same class and count the traffic of the clients of each class within a predetermined time; and, when the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, to determine the clients of that class to be DDoS attack devices.
7. The device according to claim 6, characterized in that the device further comprises a first sending unit;
the first sending unit is configured to send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value; wherein each item of the client's characteristic information characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of the application;
the receiving unit is further configured to receive the characteristic value returned by each client.
8. The device according to claim 6, characterized in that the device further comprises a second sending unit;
the second sending unit is configured to send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information; wherein each item of the client's characteristic information characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of the application;
the receiving unit is further configured to receive the characteristic information returned by each client;
the processing unit is further configured to generate the characteristic value corresponding to each client from the characteristic information returned by that client.
9. The device according to claim 7 or 8, characterized in that the characteristic information includes at least one of: the type of operating system, the browser version, the browser window state, browser extension information, browser settings, the browser's request history, the client's graphics card information and the client's sound card information.
10. The device according to any one of claims 6 to 8, characterized in that the processing unit is further configured to:
after the clients of any class have been determined to be DDoS attack devices, limit the traffic of each determined DDoS attack device, or add each determined DDoS attack device to a blacklist.
11. An apparatus for determining DDoS attack devices, characterized in that it comprises:
at least one processor; and
a memory and a communication interface communicatively connected to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, uses the communication interface to perform the method according to any one of claims 1 to 5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 5.
CN201711421274.8A 2017-12-25 2017-12-25 Method and device for determining DDoS attack equipment Active CN108600145B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711421274.8A CN108600145B (en) 2017-12-25 2017-12-25 Method and device for determining DDoS attack equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711421274.8A CN108600145B (en) 2017-12-25 2017-12-25 Method and device for determining DDoS attack equipment

Publications (2)

Publication Number Publication Date
CN108600145A true CN108600145A (en) 2018-09-28
CN108600145B CN108600145B (en) 2020-12-25

Family

ID=63633172

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711421274.8A Active CN108600145B (en) 2017-12-25 2017-12-25 Method and device for determining DDoS attack equipment

Country Status (1)

Country Link
CN (1) CN108600145B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
CN105553974A (en) * 2015-12-14 2016-05-04 中国电子信息产业集团有限公司第六研究所 Prevention method of HTTP slow attack
CN106778260A (en) * 2016-12-31 2017-05-31 网易无尾熊(杭州)科技有限公司 Attack detection method and device
US20170324757A1 (en) * 2016-05-04 2017-11-09 University Of North Carolina At Charlotte Multiple detector methods and systems for defeating low and slow application ddos attacks
CN107465648A (en) * 2016-06-06 2017-12-12 腾讯科技(深圳)有限公司 The recognition methods of warping apparatus and device
CN108111472A (en) * 2016-11-24 2018-06-01 腾讯科技(深圳)有限公司 A kind of attack signature detection method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110505232A (en) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 The detection method and device of network attack, electronic equipment, storage medium
CN112751815A (en) * 2019-10-31 2021-05-04 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN112751815B (en) * 2019-10-31 2021-11-19 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN113364723A (en) * 2020-03-05 2021-09-07 奇安信科技集团股份有限公司 DDoS attack monitoring method and device, storage medium and computer equipment
CN112333045A (en) * 2020-11-03 2021-02-05 国家工业信息安全发展研究中心 Intelligent flow baseline learning method, equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN108600145B (en) 2020-12-25

Similar Documents

Publication Publication Date Title
US11122067B2 (en) Methods for detecting and mitigating malicious network behavior and devices thereof
US10049209B2 (en) Device, method, and system of differentiating between virtual machine and non-virtualized device
CN107426181B (en) The hold-up interception method and device of malice web access request
US11019383B2 (en) Internet anti-attack method and authentication server
Chonka et al. Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks
JP6432210B2 (en) Security system, security method, security device, and program
US11973768B2 (en) Method and system for detecting malicious payloads
CN108600145A (en) A kind of method and device of determining ddos attack equipment
US10270792B1 (en) Methods for detecting malicious smart bots to improve network security and devices thereof
US10366217B2 (en) Continuous user authentication
CN106549980B (en) Malicious C & C server determination method and device
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
EP3887981B1 (en) Verifying user interactions on a content platform
US10701179B2 (en) Adaptive scoring of service requests and determining whether to fulfill service requests
CN108521405B (en) Risk control method and device and storage medium
CN107517200B (en) Malicious crawler defense strategy selection method for Web server
WO2019063389A1 (en) Method of processing web requests directed to a website
Acar et al. A privacy‐preserving multifactor authentication system
Saravanan et al. A new framework to alleviate DDoS vulnerabilities in cloud computing.
CN111478892A (en) Attacker portrait multi-dimensional analysis method based on browser fingerprints
CN107046516B (en) Wind control method and device for identifying mobile terminal identity
WO2019114246A1 (en) Identity authentication method, server and client device
Aljawarneh et al. A web client authentication system using smart card for e-systems: initial testing and evaluation
WO2016195090A1 (en) Detection system, detection device, detection method and detection program
CN109495471A (en) A kind of pair of WEB attack result determination method, device, equipment and readable storage medium storing program for executing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.