CN108600145B - Method and device for determining DDoS attack equipment - Google Patents


Info

Publication number: CN108600145B
Application number: CN201711421274.8A
Authority: CN (China)
Prior art keywords: client, clients, characteristic, ddos attack, application
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN108600145A
Inventors: 张磊, 叶晓虎, 何坤
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Nsfocus Technologies Inc; Beijing NSFocus Information Security Technology Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Legal events: application filed by Nsfocus Technologies Inc and Beijing NSFocus Information Security Technology Co Ltd; priority to CN201711421274.8A; publication of CN108600145A; application granted; publication of CN108600145B; legal status Active; anticipated expiration.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Abstract

The embodiment of the invention provides a method and a device for determining DDoS attack equipment, which are used for solving the technical problems that the method for determining DDoS attack equipment in the prior art cannot identify DDoS attack equipment with complete protocol stack behaviors and gives a poor user experience. The method comprises the following steps: when receiving HTTP requests sent by N clients, obtaining a characteristic value of each of the N clients, wherein the characteristic value represents the application with which the client initiated the HTTP request and/or the running environment of the application and/or characteristics of the hardware of the client; dividing all clients with the same characteristic value into the same category, and counting the traffic of the clients in each category within a preset time range; and when determining that the traffic of any category of clients in the preset time range exceeds a first threshold value, determining the clients of that category as DDoS attack devices.

Description

Method and device for determining DDoS attack equipment
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for determining DDoS attack equipment.
Background
Distributed Denial of Service (DDoS) attacks refer to the joint use of multiple computers as an attack platform by means of client/server technology to launch DDoS attacks on one or more targets, thereby exponentially improving the power of Denial of Service attacks.
In the prior art, the technical scheme adopted for protecting against DDoS attacks generally checks whether the browser capabilities of a client are complete, for example whether the client has normal JavaScript computing capability and normal HyperText Transfer Protocol (HTTP) response behavior, using JavaScript, cookie and other verification methods. However, the existing methods can only detect DDoS attack devices with incomplete protocol stack behaviors and are powerless against DDoS attack devices with complete protocol stack behaviors, for example an attacker who uses a real browser to issue legal-looking HTTP requests, occupies a large amount of network resources, and achieves the purpose of network paralysis; moreover, such detection methods generally also require the user to participate in the verification process, such as inputting a verification code or dragging a verification picture, which interrupts the browsing experience of the user. Therefore, the prior-art method for determining DDoS attack devices has the technical problems that DDoS attack devices with complete protocol stack behaviors cannot be identified and the user experience is poor.
Disclosure of Invention
The embodiment of the invention provides a method and a device for determining DDoS attack equipment, which are used for solving the technical problems that the method for determining the DDoS attack equipment in the prior art cannot identify the DDoS attack equipment with complete protocol stack behaviors and is poor in user experience.
A first aspect of an embodiment of the present invention provides a method for determining a DDoS attack device, including:
when receiving HTTP requests sent by N clients, obtaining a characteristic value of each of the N clients, wherein the characteristic value represents the application with which the client initiated the HTTP request and/or the running environment of the application and/or characteristics of the hardware of the client;
dividing all clients with the same characteristic value into the same category, and counting the traffic of the clients in each category within a preset time range;
and when determining that the traffic of any category of clients in the preset time range exceeds a first threshold value, determining the clients of that category as DDoS attack devices.
In the above scheme, by examining the traffic of the clients that share the same characteristic value, the DDoS attack traffic initiated by the same DDoS attack network can be identified, so that the technical problem that DDoS attack equipment with complete protocol stack behaviors cannot be identified in the prior art is solved.
Optionally, the obtaining of the characteristic value of each of the N clients includes: sending a first instruction to each of the N clients, the first instruction instructing the client to generate a characteristic value according to at least one item of characteristic information of the client and to return the generated characteristic value, where each item of characteristic information of the client represents one characteristic of the application with which the client initiated the HTTP request or of the running environment of the application; and receiving the characteristic values returned by the clients.
By the method, the characteristic values corresponding to the clients can be directly obtained from the clients, and classification of the clients based on the characteristic values is realized to identify the DDoS attack equipment.
Optionally, the obtaining of the characteristic value of each of the N clients includes: sending a second instruction to each of the N clients, the second instruction instructing the client to return at least one item of characteristic information of the client, where each item of characteristic information of the client represents one characteristic of the application with which the client initiated the HTTP request or of the running environment of the application; receiving the characteristic information returned by each client; and generating the characteristic value corresponding to each client from the characteristic information returned by that client.
By the method, the characteristic information of each client can be obtained from each client, then the characteristic value corresponding to each client is obtained based on the calculation of the characteristic information of each client, and further classification of the clients based on the characteristic values is realized, and DDoS attack equipment is identified.
Optionally, the feature information includes at least one of a type of an operating system, a version of a browser, a window state of the browser, extension information of the browser, setting information of the browser, a history request record of the browser, video card information of the client, and sound card information of the client.
By the method, the characteristic value corresponding to the client can be determined according to the application of the HTTP request initiated by the client and/or the running environment of the application and/or the characteristics of the hardware of the client, so that the client is classified based on the characteristic value, and the DDoS attack equipment is identified.
Optionally, after determining the clients of any category as DDoS attack devices, the method further includes: limiting the traffic of each determined DDoS attack device; or adding each determined DDoS attack device to a blacklist.
By the method, DDoS attack can be effectively defended, and network security is guaranteed.
A second aspect of the embodiments of the present invention provides an apparatus for determining a DDoS attack device, including: the receiving unit is used for receiving HTTP requests sent by the N clients; the processing unit is used for acquiring a characteristic value of each client in the N clients, wherein the characteristic value represents an application of an HTTP request initiated by the client and/or a running environment of the application and/or characteristics of hardware of the client; dividing the clients with the same characteristic value into the same category, and counting the flow of each individual client within a preset time range; and when determining that the traffic of any type of client in a preset time range exceeds a first threshold value, determining the client in any type as a DDoS attack device.
Optionally, the apparatus further includes a first sending unit; the first sending unit is used for sending a first instruction to each client in the N clients, and the first instruction is used for indicating the client to generate a characteristic value according to at least one item of characteristic information of the client and returning the generated characteristic value; each item of characteristic information of the client represents one characteristic of an application of the client initiating the HTTP request or the running environment of the application; the receiving unit is further configured to: and receiving the characteristic values returned by the clients.
Optionally, the apparatus further includes a second sending unit; the second sending unit is configured to send a second instruction to each of the N clients, where the second instruction is used to instruct the client to return at least one item of feature information of the client; each item of characteristic information of the client represents one characteristic of an application of the client initiating the HTTP request or the running environment of the application; the receiving unit is further configured to: receiving characteristic information returned by each client; the processing unit is further to: and respectively generating a characteristic value corresponding to each client according to the characteristic information returned by each client.
Optionally, the feature information includes at least one of a type of an operating system, a version of a browser, a window state of the browser, extension information of the browser, setting information of the browser, a history request record of the browser, video card information of the client, and sound card information of the client.
Optionally, the processing unit is further configured to: and after the client side of any category is determined as the DDoS attack equipment, limiting the flow of each determined DDoS attack equipment, or adding each determined DDoS attack equipment into a blacklist.
A third aspect of the embodiments of the present invention further provides an apparatus for determining a DDoS attack apparatus, including: the system comprises at least one processor, a memory and a communication interface, wherein the memory and the communication interface are in communication connection with the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of the first aspect of the embodiments of the present invention using the communication interface by executing the instructions stored by the memory.
The fourth aspect of the embodiments of the present invention also provides a computer-readable storage medium, which stores computer instructions that, when executed on a computer, cause the computer to perform the method according to the first aspect of the embodiments of the present invention.
One or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
the method comprises the steps of obtaining characteristic values of various clients according to applications of HTTP requests initiated by the various clients and/or running environments of the applications and/or characteristics of hardware of the clients, identifying the clients with the same characteristic values as the same type of clients, and determining all the clients as DDoS attack equipment when detecting that total flow of any type of clients in a preset time range exceeds a first threshold value. The method and the system can identify all the DDoS attack flows initiated by the same DDoS attack network by judging the flows of the clients with the same characteristic value, and solve the technical problem that the prior art cannot identify DDoS attack equipment with complete protocol stack behaviors; in addition, the user does not need to participate in the verification process, the browsing experience of the user is not interrupted, and the user experience degree is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a diagram illustrating a CC attack in the prior art;
fig. 2 is a flowchart illustrating a method for determining DDoS attack devices in an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an apparatus for determining a DDoS attack device in an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a device for determining DDoS attack devices in an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are described in detail below with reference to the drawings and the specific embodiments, and it should be understood that the specific features in the embodiments and the embodiments of the present invention are not intended to limit the technical solutions of the present invention, but may be combined with each other without conflict.
It is to be understood that the terms first, second, and the like in the description of the embodiments of the invention are used for distinguishing between the descriptions and not necessarily for describing a sequential or chronological order. "plurality" in the description of the embodiments of the present invention means two or more.
The term "and/or" in the embodiment of the present invention is only one kind of association relationship describing an associated object, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
DDoS attacks are becoming increasingly strong, with a significant upward trend in CC (Challenge Collapsar) attacks, as network security conditions around the globe continue to worsen. A CC attack means that an attacker generates legitimate-looking requests directed at a victim host through proxy servers, implementing a DDoS attack while disguising its origin. For example, referring to fig. 1, a hacker uses a master controller installed with CC attack software to control multiple puppet machines (DDoS attack devices) that send a large number of legal web page requests to one server (the attacked device) and occupy its resources, so that the server can hardly respond to the HTTP requests initiated by normal clients.
In order to defend against DDoS attacks, four kinds of solutions exist:
Mode 1: when a client initiates a GET-type HTTP request, a 302 redirect is returned to the client; the client responds to the 302 redirect by interrupting the connection and accessing the new address. If the client carries the correct cookie when accessing the new address, it is determined to be the client of a normal user and its request is answered; otherwise the HTTP request of the client is discarded;
Mode 2: when a client initiates a GET-type HTTP request, JavaScript code is returned to the client, the client executes the received JavaScript code, and if the result is correct the client is determined to be the client of a normal user and its request is answered; otherwise the HTTP request of the client is discarded;
Mode 3: when a client initiates a GET-type HTTP request, a verification code picture is returned to the client, and the user is required to input the verification code manually. If the user inputs the correct verification code, the client is determined to be the client of a normal user and its request is answered; otherwise the HTTP request of the client is discarded;
Mode 4: the traffic of a single source Internet Protocol (IP) address communicating with the server per unit time is restricted.
Modes 1 and 2 above can only detect an attack source with incomplete protocol stack behavior and have no effect on an attack source with complete protocol interaction behavior, for example an attacker who uses a browser to issue legal-looking HTTP requests to perform a DDoS attack on a server; mode 3 has the highest interception rate, but the user must input the verification code manually, which interrupts the browsing experience of the client and gives a poor user experience; as for mode 4, with the continuous development of DDoS attack technology, an attacker can keep the request rate of a single DDoS device very low, within the normal access rate range, and still achieve a cumulative attack effect on the attacked device by means of a huge number of DDoS attack devices, so the rate-limiting scheme cannot distinguish the DDoS attack devices and may even affect the communication service of the clients of normal users.
Example one
The embodiment of the invention provides a method for determining DDoS attack equipment, which is used for solving the technical problems that the method for determining the DDoS attack equipment in the prior art cannot identify the DDoS attack equipment with complete protocol stack behaviors and is poor in user experience. The method can be applied to the attacked device (such as a server) itself, and can also be applied to the protection device specially arranged at the front end of the attacked device, and the embodiment of the invention is not particularly limited.
Referring to fig. 2, the method for determining DDoS attack equipment includes:
step 101: when receiving HTTP requests sent by N clients, obtaining the characteristic value of each client in the N clients.
Specifically, each client has only one feature value, and the feature value of the client characterizes an application of the client initiating the HTTP request and/or a running environment of the application and/or features of hardware of the client. The characteristic value is obtained by calculation according to a plurality of items of characteristic information of the client. The characteristic information of the client includes, but is not limited to, the following three types: the characteristic information of the application of the client initiating the HTTP request, the characteristic information of the running environment of the application of the client initiating the HTTP request and the characteristic information of the hardware of the client. The feature information of the application may be a version of the browser, a window state of the browser (including a window being hidden/activated, a size of the window, a position of the window), extension information of the browser, setting information of the browser, a history request record of the browser, and the like, the feature information of the operating environment may be a version of an operating system, setting information of the operating system, and the like, and the hardware feature information of the client may be video card information, sound card information, and the like of the client.
In a specific implementation process, the specific implementation manner of determining the feature value of the client according to the multiple items of feature information of the client may be: the hash algorithm is adopted to perform hash calculation on the multiple items of characteristic information of each client, so as to obtain a hash value corresponding to each client, wherein the obtained hash value is the characteristic value of the client, and the characteristic value can also be called an Identification (ID) number of the client.
Step 102: and dividing the clients with the same characteristic value into the same category, and counting the flow of the clients in each category within a preset time range.
Generally, in a DDoS attack initiated from the same attack network, each DDoS device has the same tool features, that is, the feature information of the client is the same. In view of this, the clients with the same characteristics of the application and/or the running environment of the application and/or the hardware of the client, where the client initiates the HTTP request, may be identified as the same type of client, that is, the clients with the same characteristic value are identified as the clients used by the same attacker, and the traffic of all the clients corresponding to each characteristic value within the predetermined time range is counted.
Step 103: when determining that the traffic of any category of clients in the preset time range exceeds a first threshold value, determining the clients of that category as DDoS attack devices.
In the above scheme, the characteristic values of the clients are obtained according to the application with which each client initiated the HTTP request and/or the running environment of the application and/or the characteristics of the hardware of the client; clients with the same characteristic value are identified as the same category of client; and when it is detected that the total traffic of any category of clients within the predetermined time range exceeds a first threshold, all clients of that category are determined to be DDoS attack devices. Because the traffic of clients sharing a characteristic value is judged together, all DDoS attack traffic initiated by the same DDoS attack network can be identified; this solves the technical problems that the prior art cannot identify DDoS attack equipment with complete protocol stack behaviors or DDoS attack equipment whose individual traffic is small, requires no interactive verification by the user, and improves the user experience.
Optionally, specific implementation manners of obtaining the feature value of each of the N clients in step 101 include, but are not limited to, the following two types:
mode 1: sending a first instruction to each of the N clients, the first instruction being used for instructing the client to: generating a characteristic value according to at least one item of characteristic information of the client, and returning the generated characteristic value; each item of characteristic information of the client represents one characteristic of an application of the client initiating the HTTP request or the running environment of the application; and receiving the characteristic values returned by the clients.
The first instruction may specifically be a response page carrying a JavaScript code, and the client may obtain its own feature information by executing the JavaScript code and generate a feature value based on the feature information.
Mode 2: sending a second instruction to each of the N clients, the second instruction being used for instructing the client to: returning at least one item of characteristic information of the client; each item of characteristic information of the client represents one characteristic of an application of the client initiating the HTTP request or the running environment of the application; receiving characteristic information returned by each client; and respectively generating a characteristic value corresponding to each client according to the characteristic information returned by each client.
The second instruction may specifically be a response page carrying a JavaScript code, and the client may obtain its own feature information by executing the JavaScript code.
The difference from mode 1 is that in this mode the client returns the characteristic information, whereas in mode 1 the client returns the characteristic value: in mode 1 the work of calculating the characteristic value from the characteristic information is completed directly by the client.
By the method, the characteristic information of each client can be obtained from each client, then the characteristic value corresponding to each client is obtained based on the calculation of the characteristic information of each client, the characteristic value corresponding to each client can also be directly obtained from each client, and the technical effects of classifying the clients and identifying the DDoS attack equipment based on the characteristic values are further achieved.
Optionally, after determining the clients of any category as DDoS attack devices, the method may further include: limiting the traffic of each determined DDoS attack device; or adding each determined DDoS attack device to a blacklist.
For example, if the flow rate of a certain DDoS attack device in unit time exceeds a predetermined value, a message sent by the DDoS attack device is discarded; for another example, as long as a message sent by the DDoS attack device is identified, the message is discarded.
By the method, DDoS attack can be effectively defended, and network security is guaranteed.
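The following is an added worked example of the embodiment-one pipeline (steps 101 to 103 plus the blacklist option above); it is not code from the patent or from NSFocus. It hashes each client's feature information into a single feature value, sums traffic per feature value inside a window, flags categories over the threshold, and shows why a per-IP limit (prior-art mode 4) misses the same bots; field names, IP addresses, timestamps and byte counts are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Feature-information items named in the description, in a fixed order so the
# hash does not depend on the order in which a client reported them.
FEATURE_KEYS = ("os_type", "browser_version", "window_state", "extensions",
                "settings", "history", "video_card", "sound_card")


def feature_value(features):
    """Return the client's single feature value (its ID): a hash over its items."""
    canonical = "\x1f".join(f"{k}={features.get(k, '')}" for k in FEATURE_KEYS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def _in_window(req, window_start, window_len):
    return window_start <= req["ts"] < window_start + window_len


def traffic_by_category(requests, window_start, window_len):
    """Sum bytes per feature value inside the window and track member IPs."""
    totals = defaultdict(int)
    members = defaultdict(set)
    for req in requests:
        if not _in_window(req, window_start, window_len):
            continue
        fv = feature_value(req["features"])
        totals[fv] += req["size"]
        members[fv].add(req["client_ip"])
    return dict(totals), {fv: sorted(ips) for fv, ips in members.items()}


def traffic_by_ip(requests, window_start, window_len):
    """Per-source-IP byte count in the window (the prior-art mode 4 view)."""
    totals = defaultdict(int)
    for req in requests:
        if _in_window(req, window_start, window_len):
            totals[req["client_ip"]] += req["size"]
    return dict(totals)


def detect_attack_devices(requests, window_start, window_len, threshold):
    """Return {feature_value: (total_bytes, [ips])} for categories over threshold.
    Every client in a flagged category is treated as a DDoS attack device."""
    totals, members = traffic_by_category(requests, window_start, window_len)
    return {fv: (total, members[fv])
            for fv, total in totals.items() if total > threshold}


def build_blacklist(flagged):
    """Collect the IPs of all flagged devices (the 'add to blacklist' option)."""
    return {ip for _, ips in flagged.values() for ip in ips}


def should_drop(req, blacklist):
    """Mitigation: discard any message sent by a blacklisted device."""
    return req["client_ip"] in blacklist


# ---- constructed sample: one bot network plus two ordinary users ----
BOT_FEATURES = {"os_type": "Windows 7", "browser_version": "Chrome 60.0",
                "window_state": "hidden;800x600;0,0", "extensions": "",
                "settings": "lang=zh-CN", "history": "0",
                "video_card": "VBox SVGA", "sound_card": "none"}
# Ordinary users: same base dict but differing items, hence different hashes.
USER_A = dict(BOT_FEATURES, video_card="GeForce GTX 1060",
              window_state="active;1920x1080;0,0")
USER_B = dict(BOT_FEATURES, os_type="macOS 10.13",
              browser_version="Safari 11", sound_card="Built-in")


def _burst(ip, features, count, size=500, start=0.0):
    """count requests of size bytes from ip, half a second apart."""
    return [{"ts": start + i * 0.5, "client_ip": ip, "size": size,
             "features": features} for i in range(count)]


SAMPLE_REQUESTS = (
    _burst("198.51.100.11", BOT_FEATURES, 10)    # 5000 B per bot: under a
    + _burst("198.51.100.12", BOT_FEATURES, 10)  # per-IP limit of 8000 B,
    + _burst("198.51.100.13", BOT_FEATURES, 10)  # but 20000 B as a category
    + _burst("198.51.100.14", BOT_FEATURES, 10)
    + _burst("203.0.113.5", USER_A, 12)          # 6000 B, unique fingerprint
    + _burst("203.0.113.9", USER_B, 4)           # 2000 B, unique fingerprint
)

if __name__ == "__main__":
    flagged = detect_attack_devices(SAMPLE_REQUESTS, 0.0, 10.0, threshold=15000)
    for fv, (total, ips) in flagged.items():
        print(f"category {fv}: {total} bytes from {ips}")
    print("largest per-IP total:",
          max(traffic_by_ip(SAMPLE_REQUESTS, 0.0, 10.0).values()))
```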
Example two
The second embodiment of the invention provides a method for determining DDoS attack equipment, and the method has the same overall inventive concept as the first embodiment. In the second embodiment, the characteristic value of the client refers to the characteristic information of the client, and a plurality of characteristic values (i.e., characteristic information) may be provided for each client; the feature value in the first embodiment is a value calculated according to a plurality of items of feature information of the client, and one client has only one feature value. The following describes a complete implementation flow of the second embodiment of the present invention:
Step one: when receiving HTTP requests sent by N clients, acquiring at least one characteristic value of each of the N clients.
Here, one characteristic value of the client is one item of characteristic information of the client, which includes but is not limited to the following three types: characteristic information of the application with which the client initiated the HTTP request, characteristic information of the running environment of that application, and characteristic information of the hardware of the client. For example, the characteristic information may be the version of the browser, the hidden/active state of the browser window, the size of the browser window, the position of the browser window, extension information of the browser, setting information of the browser, the history request record of the browser, video card information of the client, sound card information of the client, and the like.
Step two: and dividing the clients with the same characteristic value into the same category, and counting the flow of the clients in each category within a preset time range.
Specifically, the characteristic values sent by the clients are compared, and if all the characteristic values sent by two clients are consistent, the two clients are divided into the same category. The total traffic of the clients of each category within the preset time range is then counted.
It should be noted that, in the implementation process, if most of the feature values of two clients are the same, but there are few differences in feature values, the two clients may also be classified into the same category. For example, the versions of the browsers of the client a and the client B, the window hiding/activating states of the browsers, the size of the windows of the browsers, the positions of the windows of the browsers, the extension information of the browsers, and the setting information of the browsers are all the same, but the number of times that the client a browses a certain website page is less than the number of times that the client B browses a certain website page, so that the client a and the client B may be divided into the same category.
Step three: when determining that the traffic of any category of clients in the preset time range exceeds a first threshold value, determining the clients of that category as DDoS attack devices.
By the technical scheme, all DDoS attack flows initiated by the same DDoS attack network can be identified, the technical problems that DDoS attack equipment with complete protocol stack behaviors and single DDoS attack equipment with small flow cannot be identified in the prior art are solved, interactive verification is not required to be carried out on a client by a user, and user experience is improved.
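As an added example of the embodiment-two grouping (steps one to three above), not code from the patent or from NSFocus, the following keeps a client's characteristic information as separate values and places two clients in the same category when all values match or, with a tolerance, when at most a few values differ, as in the description's case of two identical browsers that differ only in page-visit count. The field names, IP addresses and per-client byte counts are constructed; the union-find clustering and the transitivity caveat in its docstring are this example's own.

```python
from collections import defaultdict

FEATURE_FIELDS = ("browser_version", "window_hidden", "window_size",
                  "window_position", "extensions", "settings",
                  "history_count", "video_card", "sound_card")


def differing_fields(a, b):
    """Names of the feature fields on which clients a and b disagree."""
    return [f for f in FEATURE_FIELDS if a.get(f) != b.get(f)]


def same_category(a, b, max_diff=0):
    """Exact match when max_diff is 0; otherwise tolerate a few differing fields."""
    return len(differing_fields(a, b)) <= max_diff


def categorize(clients, max_diff=0):
    """Group {ip: features} into categories (sorted lists of IPs) with union-find.

    Caveat: with max_diff > 0 the relation is not transitive, so chaining
    A~B and B~C can merge A and C even though they differ in up to 2*max_diff
    fields. Keep max_diff small relative to the number of fields."""
    ips = sorted(clients)
    parent = {ip: ip for ip in ips}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            if same_category(clients[a], clients[b], max_diff):
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for ip in ips:
        groups[find(ip)].append(ip)
    return sorted(groups.values())


def flag_categories(categories, bytes_by_ip, threshold):
    """Categories whose summed traffic in the window exceeds the threshold;
    every member of such a category is treated as a DDoS attack device."""
    return [cat for cat in categories
            if sum(bytes_by_ip.get(ip, 0) for ip in cat) > threshold]


# ---- constructed sample ----
BOT = {"browser_version": "Chrome 60.0", "window_hidden": True,
       "window_size": "800x600", "window_position": "0,0", "extensions": "",
       "settings": "lang=zh-CN", "history_count": 0,
       "video_card": "VBox SVGA", "sound_card": "none"}
SAMPLE_CLIENTS = {
    "198.51.100.21": BOT,
    "198.51.100.22": dict(BOT, history_count=7),   # differs only in history
    "198.51.100.23": BOT,
    "203.0.113.40": dict(BOT, browser_version="Firefox 57", window_hidden=False,
                         window_size="1366x768", video_card="Intel HD 620"),
}
# Bytes each client sent within the preset time range (constructed).
SAMPLE_BYTES = {"198.51.100.21": 4000, "198.51.100.22": 4000,
                "198.51.100.23": 4000, "203.0.113.40": 6000}

if __name__ == "__main__":
    cats = categorize(SAMPLE_CLIENTS, max_diff=1)
    print("categories:", cats)
    print("flagged:", flag_categories(cats, SAMPLE_BYTES, threshold=10000))
```

With exact matching the bot that only differs in history count stays outside the category, and the remaining two bots stay under the threshold; with a tolerance of one field all three are grouped and flagged.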
EXAMPLE III
An embodiment of the present invention provides an apparatus for determining DDoS attack devices. With reference to fig. 3, the apparatus includes:
a receiving unit 201, configured to receive HTTP requests sent by N clients;
a processing unit 202, configured to obtain a feature value of each of the N clients, where the feature value characterizes the application with which the client initiated the HTTP request, and/or the running environment of that application, and/or the hardware of the client; to divide the clients with the same feature value into the same category and count the traffic of the clients in each category within a preset time range; and, when the traffic of any category of clients within the preset time range is determined to exceed a first threshold, to determine the clients of that category to be DDoS attack devices.
Optionally, the apparatus further includes a first sending unit 203;
the first sending unit 203 is configured to send a first instruction to each of the N clients, where the first instruction instructs the client to generate a feature value from at least one item of its feature information and to return the generated feature value; each item of feature information of the client characterizes one feature of the application with which the client initiated the HTTP request, or of the running environment of that application;
the receiving unit 201 is further configured to receive the feature values returned by the clients.
Optionally, the apparatus further includes a second sending unit 203;
the second sending unit 203 is configured to send a second instruction to each of the N clients, where the second instruction instructs the client to return at least one item of its feature information; each item of feature information of the client characterizes one feature of the application with which the client initiated the HTTP request, or of the running environment of that application;
the receiving unit 201 is further configured to: receiving characteristic information returned by each client;
the processing unit 202 is further configured to: and respectively generating a characteristic value corresponding to each client according to the characteristic information returned by each client.
Optionally, the feature information includes at least one of a type of an operating system, a version of a browser, a window state of the browser, extension information of the browser, setting information of the browser, a history request record of the browser, video card information of the client, and sound card information of the client.
Optionally, the processing unit 202 is further configured to, after the clients of any category have been determined to be DDoS attack devices, limit the traffic of each determined DDoS attack device, or add each determined DDoS attack device to a blacklist.
The operations performed by the above units may be implemented as the corresponding steps of the method for determining DDoS attack devices in the first embodiment of the present invention; they are not described again here.
EXAMPLE IV
An embodiment of the present invention provides an apparatus for determining DDoS attack devices. With reference to fig. 4, the apparatus includes:
at least one processor 301, and
a memory 302 and a communication interface 303, both communicatively coupled to the at least one processor 301;
where the memory 302 stores instructions executable by the at least one processor 301, and the at least one processor 301, by executing the instructions stored in the memory 302 and using the communication interface 303, performs the method for determining DDoS attack devices according to the first or second embodiment of the present invention.
EXAMPLE V
A fifth embodiment of the present invention provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method for determining DDoS attack devices according to the first or second embodiment of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for determining distributed denial of service (DDoS) attack equipment is characterized by comprising the following steps:
when receiving hypertext transfer protocol (HTTP) requests sent by N clients, sending a first instruction to each client in the N clients, wherein the first instruction is used for instructing the clients to generate a characteristic value according to at least one item of characteristic information of the clients and returning the generated characteristic value; each item of characteristic information of the client characterizes one characteristic of the application which initiates the HTTP request by the client or the running environment of the application, and the characteristic value characterizes the characteristic of the application which initiates the HTTP request by the client and/or the running environment of the application and/or the hardware of the client;
receiving a characteristic value returned by each client, dividing the clients with the same characteristic value into the same category, and counting the flow of the clients in each category within a preset time range;
and when the traffic of any category of clients within the preset time range is determined to exceed a first threshold, determining the clients of that category to be DDoS attack devices.
2. The method of claim 1, wherein upon receiving hypertext transfer protocol (HTTP) requests sent by N clients, the method further comprises:
sending a second instruction to each client in the N clients, wherein the second instruction is used for indicating the client to return at least one item of characteristic information of the client; each item of characteristic information of the client represents one characteristic of an application of the client initiating the HTTP request or the running environment of the application;
receiving characteristic information returned by each client;
and respectively generating a characteristic value corresponding to each client according to the characteristic information returned by each client.
3. The method according to claim 1 or 2, wherein the feature information includes at least one of a type of an operating system, a version of a browser, a window state of the browser, extension information of the browser, setting information of the browser, a history request record of the browser, video card information of the client, and sound card information of the client.
4. The method of any of claims 1-2, wherein after determining the client of any category as a DDoS attack device, the method further comprises:
limiting the determined flow of each DDoS attack device; or
And adding each determined DDoS attack device into a blacklist.
5. An apparatus for determining a DDoS attack device, comprising:
the receiving unit is used for receiving HTTP requests sent by the N clients;
the first sending unit is used for sending a first instruction to each client in the N clients, wherein the first instruction is used for indicating the client to generate a characteristic value according to at least one item of characteristic information of the client and returning the generated characteristic value; each item of characteristic information of the client characterizes one characteristic of the application which initiates the HTTP request by the client or the running environment of the application, and the characteristic value characterizes the characteristic of the application which initiates the HTTP request by the client and/or the running environment of the application and/or the hardware of the client;
the processing unit is used for receiving the characteristic values returned by the clients, dividing the clients with the same characteristic value into the same category, and counting the traffic of the clients in each category within a preset time range; and when the traffic of any category of clients within the preset time range is determined to exceed a first threshold value, determining the clients of that category to be DDoS attack devices.
6. The apparatus of claim 5, wherein the apparatus further comprises a second transmitting unit;
the second sending unit is configured to: sending a second instruction to each client in the N clients, wherein the second instruction is used for indicating the client to return at least one item of characteristic information of the client; each item of characteristic information of the client represents one characteristic of an application of the client initiating the HTTP request or the running environment of the application;
the receiving unit is further configured to: receiving characteristic information returned by each client;
the processing unit is further to: and respectively generating a characteristic value corresponding to each client according to the characteristic information returned by each client.
7. The apparatus according to claim 5 or 6, wherein the feature information includes at least one of a type of an operating system, a version of a browser, a window state of the browser, extension information of the browser, setting information of the browser, a history request record of the browser, video card information of the client, and sound card information of the client.
8. The apparatus of any of claims 5-6, wherein the processing unit is further to:
after the clients of any category have been determined to be DDoS attack devices, limiting the traffic of each determined DDoS attack device, or adding each determined DDoS attack device to a blacklist.
9. An apparatus for determining a DDoS attack apparatus, comprising:
at least one processor, and
a memory communicatively coupled to the at least one processor, a communication interface;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of any of claims 1-4 with the communications interface by executing the instructions stored by the memory.
10. A computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1-4.
CN201711421274.8A 2017-12-25 2017-12-25 Method and device for determining DDoS attack equipment Active CN108600145B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711421274.8A CN108600145B (en) 2017-12-25 2017-12-25 Method and device for determining DDoS attack equipment

Publications (2)

Publication Number Publication Date
CN108600145A CN108600145A (en) 2018-09-28
CN108600145B true CN108600145B (en) 2020-12-25

Family

ID=63633172

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110505232A (en) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 The detection method and device of network attack, electronic equipment, storage medium
CN112751815B (en) * 2019-10-31 2021-11-19 华为技术有限公司 Message processing method, device, equipment and computer readable storage medium
CN113364723A (en) * 2020-03-05 2021-09-07 奇安信科技集团股份有限公司 DDoS attack monitoring method and device, storage medium and computer equipment
CN112333045A (en) * 2020-11-03 2021-02-05 国家工业信息安全发展研究中心 Intelligent flow baseline learning method, equipment and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
CN105553974A (en) * 2015-12-14 2016-05-04 中国电子信息产业集团有限公司第六研究所 Prevention method of HTTP slow attack
CN106778260A (en) * 2016-12-31 2017-05-31 网易无尾熊(杭州)科技有限公司 Attack detection method and device
CN107465648A (en) * 2016-06-06 2017-12-12 腾讯科技(深圳)有限公司 The recognition methods of warping apparatus and device
CN108111472A (en) * 2016-11-24 2018-06-01 腾讯科技(深圳)有限公司 A kind of attack signature detection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10284580B2 (en) * 2016-05-04 2019-05-07 The University Of North Carolina At Charlotte Multiple detector methods and systems for defeating low and slow application DDoS attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.