CN108600145A - A kind of method and device of determining ddos attack equipment - Google Patents
Publication number: CN108600145A
Application number: CN201711421274.8A
Authority: CN (China)
Prior art keywords: client, ddos attack, characteristic value, application, characteristic information
Legal status: Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H04L63/1425 (H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic): Traffic logging, e.g. anomaly detection
- G06F21/56 (G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 Detecting local intrusion or implementing counter-measures): Computer malware detection or handling, e.g. anti-virus arrangements
- H04L63/1458 (H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic): Denial of Service
Abstract
Embodiments of the present invention provide a method and device for identifying DDoS attack devices, addressing two technical problems of prior-art methods: they cannot identify DDoS attack devices that exhibit complete protocol-stack behaviour, and they degrade the user experience. The method includes: when HTTP requests sent by N clients are received, obtaining a characteristic value for each of the N clients, where the characteristic value characterises the application with which the client initiated the HTTP request, and/or the running environment of that application, and/or the hardware of the client; grouping clients with identical characteristic values into the same class and counting the traffic of the clients of each class within a predetermined time range; and, when the traffic of the clients of any class within the predetermined time range exceeds a first threshold, determining that the clients of that class are DDoS attack devices.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for identifying DDoS attack devices.
Background technology
A distributed denial-of-service (DDoS) attack uses client/server technology to join multiple computers together into an attack platform that launches a denial-of-service attack against one or more targets, thereby multiplying the attack's power.
Prior-art DDoS protection generally works by checking whether the client's browser capabilities are complete, for example by using JavaScript or cookie challenges to verify that the client has normal JavaScript execution capability and normal HyperText Transfer Protocol (HTTP) response behaviour. Such methods can only detect DDoS attack devices whose protocol-stack behaviour is incomplete; they are powerless against attack devices that implement the complete protocol stack, for example an attacker who uses a real browser to generate legitimate-looking HTTP requests that consume large amounts of network resources and paralyse the network. In addition, these detection methods usually require the user to take part in a verification step, such as typing a CAPTCHA or dragging a verification image, which interrupts the user's browsing. The prior-art methods for identifying DDoS attack devices therefore suffer from two technical problems: they cannot identify attack devices with complete protocol-stack behaviour, and they give a poor user experience.
Summary of the invention
Embodiments of the present invention provide a method and device for identifying DDoS attack devices, to solve the technical problems of the prior art, namely that it cannot identify DDoS attack devices with complete protocol-stack behaviour and that it degrades the user experience.
A first aspect of the embodiments of the present invention provides a method for identifying DDoS attack devices, including:
when HTTP requests sent by N clients are received, obtaining a characteristic value for each of the N clients, where the characteristic value characterises the application with which the client initiated the HTTP request and/or the running environment of that application and/or the hardware of the client;
grouping clients with identical characteristic values into the same class, and counting the traffic of the clients of each class within a predetermined time range;
when the traffic of the clients of any class within the predetermined time range exceeds a first threshold, determining that the clients of that class are DDoS attack devices.
In the above scheme, judging traffic per group of clients with identical characteristic values allows all of the attack traffic launched by a single DDoS attack network to be identified, solving the prior-art problem of being unable to identify DDoS attack devices with complete protocol-stack behaviour.
Optionally, obtaining the characteristic value of each of the N clients includes: sending a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value, where each item of characteristic information characterises one feature of the application with which the client initiated the HTTP request or of that application's running environment; and receiving the characteristic value returned by each client.
With this method the characteristic value corresponding to each client is obtained directly from that client, so that clients can be classified by characteristic value and DDoS attack devices identified.
Optionally, obtaining the characteristic value of each of the N clients includes: sending a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information, where each item of characteristic information characterises one feature of the application with which the client initiated the HTTP request or of that application's running environment; receiving the characteristic information returned by each client; and generating each client's characteristic value from the characteristic information that client returned.
With this method the characteristic information of each client is obtained from that client and the client's characteristic value is then computed from it, so that clients can be classified by characteristic value and DDoS attack devices identified.
Optionally, the characteristic information includes at least one of: the type of operating system, the browser version, the browser window state, the browser's extension information, the browser's settings, the browser's history of requests, the client's graphics card information, and the client's sound card information.
In this way the characteristic value of a client is determined from features of the application that initiated the HTTP request and/or that application's running environment and/or the client hardware, so that clients can be classified by characteristic value and DDoS attack devices identified.
Optionally, after the clients of a class are determined to be DDoS attack devices, the method further includes: rate-limiting the traffic of each identified DDoS attack device, or adding each identified DDoS attack device to a blacklist.
This allows DDoS attacks to be defended against effectively, safeguarding network security.
A second aspect of the embodiments of the present invention provides a device for identifying DDoS attack devices, including: a receiving unit for receiving HTTP requests sent by N clients; and a processing unit for obtaining a characteristic value for each of the N clients, the characteristic value characterising the application with which the client initiated the HTTP request and/or the running environment of that application and/or the hardware of the client; grouping clients with identical characteristic values into the same class and counting the traffic of the clients of each class within a predetermined time range; and, when the traffic of the clients of any class within the predetermined time range exceeds a first threshold, determining that the clients of that class are DDoS attack devices.
Optionally, the device further includes a first transmission unit for sending a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value, where each item of characteristic information characterises one feature of the application with which the client initiated the HTTP request or of that application's running environment; the receiving unit is further used to receive the characteristic value returned by each client.
Optionally, the device further includes a second transmission unit for sending a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information, where each item of characteristic information characterises one feature of the application with which the client initiated the HTTP request or of that application's running environment; the receiving unit is further used to receive the characteristic information returned by each client; and the processing unit is further used to generate each client's characteristic value from the characteristic information that client returned.
Optionally, the characteristic information includes at least one of: the type of operating system, the browser version, the browser window state, the browser's extension information, the browser's settings, the browser's history of requests, the client's graphics card information, and the client's sound card information.
Optionally, the processing unit is further used, after the clients of a class have been determined to be DDoS attack devices, to rate-limit the traffic of each identified DDoS attack device or to add each identified DDoS attack device to a blacklist.
A third aspect of the embodiments of the present invention provides an apparatus for identifying DDoS attack devices, including at least one processor, and a memory and a communication interface communicatively connected to the at least one processor; the memory stores instructions executable by the at least one processor, and by executing the instructions stored in the memory the at least one processor performs, using the communication interface, the method of the first aspect.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
The one or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
A characteristic value is obtained for each client from features of the application with which it initiated the HTTP request and/or that application's running environment and/or the client hardware; clients with identical characteristic values are treated as one class; and when the total traffic of any class within the predetermined time range exceeds the first threshold, all clients of that class are determined to be DDoS attack devices. By judging traffic per group of clients with identical characteristic values, this scheme identifies all of the attack traffic launched by a single DDoS attack network, solving the prior-art problem of being unable to identify attack devices with complete protocol-stack behaviour; and because the user need not take part in any verification, the user's browsing is not interrupted and the user experience is improved.
Description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a CC attack in the prior art;
Fig. 2 is a flow diagram of the method for identifying DDoS attack devices in an embodiment of the present invention;
Fig. 3 is a structural diagram of the device for identifying DDoS attack devices in an embodiment of the present invention;
Fig. 4 is a structural diagram of the apparatus for identifying DDoS attack devices in an embodiment of the present invention.
Detailed description
The technical solution of the present invention is described in detail below with reference to the drawings and specific embodiments. The specific features of the embodiments are a detailed explanation of the technical solution, not a limitation of it; where there is no conflict, the technical features of the various embodiments can be combined with one another.
In the description of the embodiments, words such as "first" and "second" serve only to distinguish the objects described; they neither indicate relative importance nor imply an order. "Multiple" means two or more.
The term "and/or" describes an association between related objects and covers three cases: for example, "A and/or B" means A alone, A and B together, or B alone. The character "/" generally indicates an "or" relationship between the objects it joins.
As the global security situation continues to deteriorate, DDoS attacks are intensifying, and Challenge Collapsar (CC) attacks in particular are clearly on the rise. In a CC attack the attacker generates, through proxy servers, legitimate-looking requests directed at the victim host, achieving a disguised DDoS. For example, referring to Fig. 1, a hacker uses a controller equipped with CC attack software to command multiple puppet machines (DDoS attack devices) to send a large volume of legitimate web page requests to a server (the attacked device) at the same time, occupying the server's resources so that it struggles to serve the HTTP requests of normal clients.
Existing solutions for defending against DDoS attacks fall into the following four modes:
Mode 1: When a client initiates a GET-type HTTP request, return a 302 redirect; the client follows the redirect, closes the current connection and accesses the new address. If the client presents the correct cookie when accessing the new address, it is judged to be a normal user's client and its request is served; otherwise its HTTP request is dropped.
Mode 2: When a client initiates a GET-type HTTP request, return JavaScript code for the client to execute; if the client computes the correct result, it is judged to be a normal user's client and its request is served; otherwise its HTTP request is dropped.
Mode 3: When a client initiates a GET-type HTTP request, return a CAPTCHA image and require the user to type the code manually. If the user enters the correct code, the client is judged to be a normal user's client and its request is served; otherwise its HTTP request is dropped.
Mode 4: Limit the traffic that a single source Internet Protocol (IP) address may exchange with the server per unit time.
Modes 1 and 2 can only detect attack sources with incomplete protocol-stack behaviour and are powerless against attack sources with complete protocol interaction, for example an attacker who uses a real browser to generate legitimate-looking HTTP requests against the server. Mode 3 has the highest interception rate but requires the user to type a CAPTCHA, which interrupts browsing and gives a poor user experience. As for mode 4, current DDoS techniques can keep the request rate of each individual DDoS device very low, within the range of normal access rates, and instead rely on a huge number of attack devices to achieve a cumulative attack on the target; such rate limiting therefore fails to distinguish DDoS attack devices and may even affect the service of normal users' clients.
Embodiment one
Embodiment one of the present invention provides a method for identifying DDoS attack devices, to solve the prior-art problems of being unable to identify DDoS attack devices with complete protocol-stack behaviour and of poor user experience. The method may be applied on the attacked device itself (for example the server side) or on a dedicated protection device deployed in front of the attacked device; the embodiment does not limit this.
Referring to Fig. 2, the method for identifying DDoS attack devices includes:
Step 101: When HTTP requests sent by N clients are received, obtain the characteristic value of each of the N clients.
Specifically, each client has exactly one characteristic value, which characterises the application with which the client initiated the HTTP request and/or the running environment of that application and/or the hardware of the client. The characteristic value is computed from multiple items of characteristic information about the client. The characteristic information includes, but is not limited to, the following three types: characteristic information about the application with which the client initiated the HTTP request, characteristic information about that application's running environment, and characteristic information about the client hardware. The application's characteristic information may be the browser version, the browser window state (including whether the window is hidden or active, the window's size, and the window's position), the browser's extension information, the browser's settings, the browser's history of requests, and so on; the running environment's characteristic information may be the operating system version, the operating system settings, and so on; the hardware characteristic information may be the client's graphics card information, sound card information, and so on.
In a specific implementation, the characteristic value may be determined from the client's multiple items of characteristic information by applying a hash algorithm: each client's characteristic information is hashed, and the resulting hash value is that client's characteristic value, also referred to as the client's identity (ID) number.
Step 102: Group clients with identical characteristic values into the same class, and count the traffic of the clients of each class within a predetermined time range.
In general, in a DDoS attack launched from a single attack network, every DDoS device has the same tool characteristics, i.e. the same client characteristic information. Clients whose application, and/or that application's running environment, and/or hardware features are identical can therefore be treated as one class: clients with identical characteristic values are regarded as clients used by the same attacker, and the traffic of all clients corresponding to each characteristic value within the predetermined time range is counted.
Step 103: When the traffic of the clients of any class within the predetermined time range exceeds a first threshold, determine that the clients of that class are DDoS attack devices.
In the above scheme, a characteristic value is obtained for each client from features of the application with which it initiated the HTTP request and/or that application's running environment and/or the client hardware; clients with identical characteristic values are treated as one class; and when the total traffic of any class within the predetermined time range exceeds the first threshold, all clients of that class are determined to be DDoS attack devices. By judging traffic per group of clients with identical characteristic values, this scheme identifies all of the attack traffic launched by a single DDoS attack network, solving the prior-art problem of being unable to identify DDoS attack devices that have complete protocol-stack behaviour or that each generate only a small amount of traffic; and it requires no interactive verification by the user on the client, which improves the user experience.
Optionally, obtaining the characteristic value of each of the N clients in step 101 may be implemented in, but is not limited to, the following two ways:
Mode 1: Send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value, where each item of characteristic information characterises one feature of the application with which the client initiated the HTTP request or of that application's running environment; then receive the characteristic value returned by each client.
Here the first instruction may specifically be a response page carrying JavaScript code; by executing that JavaScript code the client obtains its own characteristic information and generates a characteristic value from it.
Mode 2: Send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information, where each item of characteristic information characterises one feature of the application with which the client initiated the HTTP request or of that application's running environment; receive the characteristic information returned by each client; then generate each client's characteristic value from the characteristic information that client returned.
Here the second instruction may specifically be a response page carrying JavaScript code; by executing that JavaScript code the client obtains its own characteristic information.
The difference from mode 1 is that in mode 2 the client returns characteristic information, whereas in mode 1 the client returns a characteristic value: the computation over the characteristic information that mode 2 performs on the server is performed directly by the client in mode 1.
With these methods, the characteristic information of each client can be obtained from the client and the client's characteristic value computed from it, or the characteristic value can be obtained directly from the client; either way, clients can be classified by characteristic value and DDoS attack devices identified.
Optionally, after the clients of a class are determined to be DDoS attack devices, the method may further include rate-limiting the traffic of each identified DDoS attack device, or adding each identified DDoS attack device to a blacklist.
For example, if the traffic of a DDoS attack device within a unit of time exceeds a predetermined value, the packets it sends are dropped; or, whenever a packet is recognised as having been sent by a DDoS attack device, it is dropped.
This allows DDoS attacks to be defended against effectively, safeguarding network security.
Embodiment two
Embodiment two of the present invention provides a method for identifying DDoS attack devices that shares the overall inventive concept of embodiment one. The difference is that in embodiment two a characteristic value of a client is simply one item of its characteristic information, so each client may have multiple characteristic values (i.e. items of characteristic information), whereas in embodiment one the characteristic value is a single value computed from the client's multiple items of characteristic information and each client has exactly one. The complete flow of embodiment two is described below:
Step 1: When HTTP requests sent by N clients are received, obtain at least one characteristic value of each of the N clients.
Here a characteristic value of a client is one item of its characteristic information, which includes but is not limited to the following three types: characteristic information about the application with which the client initiated the HTTP request, characteristic information about that application's running environment, and characteristic information about the client hardware. For example, the characteristic information may be the browser version, the hidden/active state of the browser window, the size of the browser window, the position of the browser window, the browser's extension information, the browser's settings, the browser's history of requests, the client's graphics card information, the client's sound card information, and so on.
Step 2: Group clients with identical characteristic values into the same class, and count the traffic of the clients of each class within a predetermined time range.
Specifically, the characteristic values sent by the clients are compared; if all of the characteristic values sent by two clients are identical, the two clients are placed in the same class. The total traffic of the clients of each class within the predetermined time range is then counted.
Note that in a specific implementation, if most of the characteristic values of two clients are identical and only a small number differ, the two clients may also be placed in the same class. For example, if client A and client B have the same browser version, browser window hidden/active state, browser window size, browser window position, browser extension information and browser settings, but client A has visited a certain web page one time fewer than client B, client A and client B may still be placed in the same class.
Step 3: When the traffic of the clients of any class within the predetermined time range exceeds a first threshold, determine that the clients of that class are DDoS attack devices.
Through the above technical solution, all of the attack traffic launched by a single DDoS attack network can be identified, solving the prior-art problem of being unable to identify DDoS attack devices that have complete protocol-stack behaviour or that each generate only a small amount of traffic, and no interactive verification by the user on the client is needed, which improves the user experience.
Embodiment three
Embodiment three of the present invention provides a device for determining DDoS attack devices; with reference to Fig. 3, the device includes:
a receiving unit 201, configured to receive HTTP requests sent by N clients;
a processing unit 202, configured to obtain a characteristic value of each of the N clients, the characteristic value characterizing the application with which the client initiates the HTTP request and/or the running environment of the application and/or the hardware of the client; to group clients with identical characteristic values into the same class and count the traffic of the clients of each class within a predetermined time; and, when the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, to determine the clients of that class to be DDoS attack devices.
Optionally, the device further includes a first transmission unit 203;
the first transmission unit 203 is configured to send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value; wherein each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application;
the receiving unit 201 is further configured to receive the characteristic value returned by each client.
Optionally, the device further includes a second transmission unit 203;
the second transmission unit 203 is configured to send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information; wherein each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application;
the receiving unit 201 is further configured to receive the characteristic information returned by each client;
the processing unit 202 is further configured to generate the characteristic value corresponding to each client from the characteristic information returned by that client.
Optionally, the characteristic information includes at least one of: the type of the operating system, the version of the browser, the window state of the browser, the extension information of the browser, the settings of the browser, the request history recorded by the browser, the video card information of the client, and the sound card information of the client.
Optionally, the processing unit 202 is further configured to: after the clients of any class are determined to be DDoS attack devices, limit the traffic of each determined DDoS attack device, or add each determined DDoS attack device to a blacklist.
The specific operations performed by each of the above units correspond to the steps of the method for determining DDoS attack devices described in embodiment one of the present invention, and are not repeated here.
Embodiment four
Embodiment four of the present invention provides an apparatus for determining DDoS attack devices; with reference to Fig. 4, the apparatus includes:
at least one processor 301, and
a memory 302 and a communication interface 303 communicatively connected to the at least one processor 301;
wherein the memory 302 stores instructions executable by the at least one processor 301, and the at least one processor 301, by executing the instructions stored in the memory 302, uses the communication interface 303 to perform the method for determining DDoS attack devices of embodiment one or embodiment two of the present invention.
Embodiment five
Embodiment five of the present invention provides a computer-readable storage medium that stores computer instructions which, when run on a computer, cause the computer to perform the method for determining DDoS attack devices of embodiment one or embodiment two of the present invention.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (12)
1. A method for determining distributed denial of service (DDoS) attack devices, characterized in that it comprises:
when HTTP requests sent by N clients are received, obtaining a characteristic value of each of the N clients, the characteristic value characterizing the application with which the client initiates the HTTP request and/or the running environment of the application and/or the hardware of the client;
grouping clients with identical characteristic values into the same class, and counting the traffic of the clients of each class within a predetermined time range;
when the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, determining the clients of that class to be DDoS attack devices.
2. The method according to claim 1, characterized in that obtaining the characteristic value of each of the N clients comprises:
sending a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value; wherein each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application;
receiving the characteristic value returned by each client.
3. The method according to claim 1, characterized in that obtaining the characteristic value of each of the N clients comprises:
sending a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information; wherein each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application;
receiving the characteristic information returned by each client;
generating the characteristic value corresponding to each client from the characteristic information returned by that client.
4. The method according to claim 2 or 3, characterized in that the characteristic information includes at least one of: the type of the operating system, the version of the browser, the window state of the browser, the extension information of the browser, the settings of the browser, the request history recorded by the browser, the video card information of the client, and the sound card information of the client.
5. The method according to any one of claims 1 to 3, characterized in that, after the clients of any class are determined to be DDoS attack devices, the method further comprises:
limiting the traffic of each determined DDoS attack device; or
adding each determined DDoS attack device to a blacklist.
6. A device for determining DDoS attack devices, characterized in that it comprises:
a receiving unit, configured to receive HTTP requests sent by N clients;
a processing unit, configured to obtain a characteristic value of each of the N clients, the characteristic value characterizing the application with which the client initiates the HTTP request and/or the running environment of the application and/or the hardware of the client; to group clients with identical characteristic values into the same class and count the traffic of the clients of each class within a predetermined time; and, when the traffic of the clients of any class within the predetermined time is determined to exceed a first threshold, to determine the clients of that class to be DDoS attack devices.
7. The device according to claim 6, characterized in that the device further comprises a first transmission unit;
the first transmission unit is configured to send a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value from at least one item of its own characteristic information and to return the generated characteristic value; wherein each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application;
the receiving unit is further configured to receive the characteristic value returned by each client.
8. The device according to claim 6, characterized in that the device further comprises a second transmission unit;
the second transmission unit is configured to send a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of its own characteristic information; wherein each item of characteristic information of a client characterizes one feature of the application with which the client initiates the HTTP request or of the running environment of that application;
the receiving unit is further configured to receive the characteristic information returned by each client;
the processing unit is further configured to generate the characteristic value corresponding to each client from the characteristic information returned by that client.
9. The device according to claim 7 or 8, characterized in that the characteristic information includes at least one of: the type of the operating system, the version of the browser, the window state of the browser, the extension information of the browser, the settings of the browser, the request history recorded by the browser, the video card information of the client, and the sound card information of the client.
10. The device according to any one of claims 6 to 8, characterized in that the processing unit is further configured to:
after the clients of any class are determined to be DDoS attack devices, limit the traffic of each determined DDoS attack device, or add each determined DDoS attack device to a blacklist.
11. An apparatus for determining DDoS attack devices, characterized in that it comprises:
at least one processor, and
a memory and a communication interface communicatively connected to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, uses the communication interface to perform the method according to any one of claims 1 to 5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711421274.8A CN108600145B (en) | 2017-12-25 | 2017-12-25 | Method and device for determining DDoS attack equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108600145A true CN108600145A (en) | 2018-09-28 |
CN108600145B CN108600145B (en) | 2020-12-25 |
Family
ID=63633172
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711421274.8A Active CN108600145B (en) | 2017-12-25 | 2017-12-25 | Method and device for determining DDoS attack equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108600145B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105553974A (en) * | 2015-12-14 | 2016-05-04 | 中国电子信息产业集团有限公司第六研究所 | Prevention method of HTTP slow attack |
CN105430011A (en) * | 2015-12-25 | 2016-03-23 | 杭州朗和科技有限公司 | Method and device for detecting distributed denial of service attack |
US20170324757A1 (en) * | 2016-05-04 | 2017-11-09 | University Of North Carolina At Charlotte | Multiple detector methods and systems for defeating low and slow application ddos attacks |
CN107465648A (en) * | 2016-06-06 | 2017-12-12 | 腾讯科技(深圳)有限公司 | The recognition methods of warping apparatus and device |
CN108111472A (en) * | 2016-11-24 | 2018-06-01 | 腾讯科技(深圳)有限公司 | A kind of attack signature detection method and device |
CN106778260A (en) * | 2016-12-31 | 2017-05-31 | 网易无尾熊(杭州)科技有限公司 | Attack detection method and device |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110505232A (en) * | 2019-08-27 | 2019-11-26 | 百度在线网络技术(北京)有限公司 | The detection method and device of network attack, electronic equipment, storage medium |
CN112751815A (en) * | 2019-10-31 | 2021-05-04 | 华为技术有限公司 | Message processing method, device, equipment and computer readable storage medium |
CN112751815B (en) * | 2019-10-31 | 2021-11-19 | 华为技术有限公司 | Message processing method, device, equipment and computer readable storage medium |
CN113364723A (en) * | 2020-03-05 | 2021-09-07 | 奇安信科技集团股份有限公司 | DDoS attack monitoring method and device, storage medium and computer equipment |
CN112333045A (en) * | 2020-11-03 | 2021-02-05 | 国家工业信息安全发展研究中心 | Intelligent flow baseline learning method, equipment and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108600145B (en) | 2020-12-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11122067B2 (en) | Methods for detecting and mitigating malicious network behavior and devices thereof | |
US10049209B2 (en) | Device, method, and system of differentiating between virtual machine and non-virtualized device | |
CN107426181B (en) | The hold-up interception method and device of malice web access request | |
US11019383B2 (en) | Internet anti-attack method and authentication server | |
Chonka et al. | Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks | |
JP6432210B2 (en) | Security system, security method, security device, and program | |
US11973768B2 (en) | Method and system for detecting malicious payloads | |
CN108600145A (en) | A kind of method and device of determining ddos attack equipment | |
US10270792B1 (en) | Methods for detecting malicious smart bots to improve network security and devices thereof | |
US10366217B2 (en) | Continuous user authentication | |
CN106549980B (en) | Malicious C & C server determination method and device | |
JP2019021294A (en) | SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS | |
EP3887981B1 (en) | Verifying user interactions on a content platform | |
US10701179B2 (en) | Adaptive scoring of service requests and determining whether to fulfill service requests | |
CN108521405B (en) | Risk control method and device and storage medium | |
CN107517200B (en) | Malicious crawler defense strategy selection method for Web server | |
WO2019063389A1 (en) | Method of processing web requests directed to a website | |
Acar et al. | A privacy‐preserving multifactor authentication system | |
Saravanan et al. | A new framework to alleviate DDoS vulnerabilities in cloud computing. | |
CN111478892A (en) | Attacker portrait multi-dimensional analysis method based on browser fingerprints | |
CN107046516B (en) | Wind control method and device for identifying mobile terminal identity | |
WO2019114246A1 (en) | Identity authentication method, server and client device | |
Aljawarneh et al. | A web client authentication system using smart card for e-systems: initial testing and evaluation | |
WO2016195090A1 (en) | Detection system, detection device, detection method and detection program | |
CN109495471A (en) | A kind of pair of WEB attack result determination method, device, equipment and readable storage medium storing program for executing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder |
Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building Patentee after: NSFOCUS Technologies Group Co.,Ltd. Patentee after: NSFOCUS TECHNOLOGIES Inc. Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd. Patentee before: NSFOCUS TECHNOLOGIES Inc. |