CN109040140B - Slow attack detection method and device - Google Patents


Info

Publication number
CN109040140B
Authority
CN
China
Prior art keywords
attack
message
value
preset
length
Legal status
Active
Application number
CN201811203799.9A
Other languages
Chinese (zh)
Other versions
CN109040140A (en)
Inventor
许雪峰
吴庆
王树太
Current Assignee
Hangzhou DPtech Information Technology Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201811203799.9A
Publication of CN109040140A
Application granted
Publication of CN109040140B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A slow attack detection method and apparatus are disclosed. A slow attack detection method, the method comprising: determining a preset attack characteristic for calculating an attack value according to a preset attack value calculation rule; determining the value of each preset attack characteristic in a received message, and calculating the attack value of the message according to the characteristic value; comparing whether the calculated attack value is larger than a preset attack threshold value; determining the message as a slow attack message under the condition that the calculated attack value is larger than a preset attack threshold value, and calculating a new attack threshold value; the new attack threshold is used for subsequent slow attack detection, and the new attack threshold is not greater than the old attack threshold.

Description

Slow attack detection method and device
Technical Field
The embodiment of the specification relates to the technical field of network communication, in particular to a slow attack detection method and device.
Background
With the rapid development of networks, network security problems are increasing. DDoS (Distributed Denial of Service) attacks are currently among the most powerful attacks and the hardest to defend against; their main purpose is to make a designated target unable to provide normal service. Traditional DDoS attacks were mainly high-volume floods of a single message type. In recent years they have evolved into slow attacks, which are far more covert: a slow attack is a variant of a normal network protocol exchange and fully complies with the protocol requirements, which makes protecting against it more difficult.
Slow attacks consume server resources primarily by holding a connection to the server open at a low data volume and a low rate. In the prior art, slow attack detection is mainly performed by examining attributes such as request data size, server response time and rate, and judging from them whether a slow attack is present, so a certain false alarm rate exists.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a slow attack detection method and apparatus, and the technical solution is as follows:
a slow attack detection method, the method comprising:
determining a preset attack characteristic for calculating an attack value according to a preset attack value calculation rule;
determining the value of each preset attack characteristic in a received message, and calculating the attack value of the message according to the characteristic value;
comparing whether the calculated attack value is larger than a preset attack threshold value;
determining the message as a slow attack message under the condition that the calculated attack value is larger than a preset attack threshold value, and calculating a new attack threshold value; the new attack threshold is used for subsequent slow attack detection, and the new attack threshold is not greater than the old attack threshold.
A slow attack detection device, the device comprising:
the characteristic determining module is used for determining preset attack characteristics for calculating the attack value according to a preset attack value calculating rule;
the attack value calculation module is used for determining the value of each preset attack characteristic in the received message and calculating the attack value of the message according to the characteristic value;
the attack value comparison module is used for comparing whether the calculated attack value is greater than a preset attack threshold value or not;
the attack determining module is used for determining the message as a slow attack message under the condition that the calculated attack value is larger than a preset attack threshold value;
the threshold updating module is used for calculating a new attack threshold under the condition that the calculated attack value is greater than a preset attack threshold; the new attack threshold is used for subsequent slow attack detection, and the new attack threshold is not greater than the old attack threshold.
The technical solution provided by the embodiments of this specification extracts the characteristics of the various slow attacks in advance and calculates an attack value for a received message according to whether the message exhibits characteristics of a slow attack, so that whether the message is a slow attack message can be judged from its attack value. The attack threshold used for this judgment is lowered as the number of attack messages sent by the same sending end increases, so that slow attacks are detected dynamically and flexibly and the false alarm rate is reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of embodiments of the invention.
In addition, any one of the embodiments in the present specification is not required to achieve all of the effects described above.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present specification, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic flow chart diagram illustrating a slow attack detection method according to an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of a slow attack detection apparatus according to an embodiment of the present disclosure;
FIG. 3 is a schematic structural diagram of an attack value calculation module according to an embodiment of the present disclosure;
fig. 4 is another schematic structural diagram of an attack value calculation module according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of another structure of the attack value calculation module according to the embodiment of the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of protection.
Slow attacks consume server resources primarily by holding a connection with the server open at a low data volume and a low rate. They mainly comprise three types: Slow headers, Slow body and Slow read.
The principle of the Slow headers attack is as follows. Because the HTTP header contains important information that may be used by applications, the server must receive the complete HTTP header before it can process the data in the HTTP request. The server regards the header as complete only when it receives two consecutive "\r\n" sequences, that is, the string "\r\n\r\n", and only then starts processing. Therefore the sending end acting as an attacker initiates an HTTP request and keeps sending HTTP header data continuously, thereby consuming the connection and memory resources of the server.
The principle of the Slow body attack is as follows. The sending end acting as an attacker sends an HTTP POST request to the server whose Content-Length header value is large, so the server expects to receive a large amount of data from the sender and keeps the connection open, ready to receive it. The attacker, however, sends only a small amount of data at a time, so the connection stays alive and a large amount of the server's resources is consumed.
The principle of the Slow read attack is as follows. The sending end acting as an attacker establishes a connection with the server and sends an HTTP request, then keeps the connection open and reads the server's response data at a very low speed, consuming the connection and memory resources of the server.
In the prior art, there are mainly two detection schemes for slow attacks.
The first configures, through the mod_reqtimeout module, a timeout and a minimum rate for receiving the HTTP header and the HTTP body; if the sender fails to deliver the header or body data within the configured time, the server can take protective measures such as returning a 408 Request Timeout error.
The second configures an HTTP request threshold through the mod_qos module; if the request volume within a given period is too large and exceeds the threshold, a protective measure can be applied.
In both of these detection schemes, the configured timeout, minimum rate or request threshold is a single fixed value: if the configured value is strict, the false alarm rate is high, and if it is loose, attacks cannot be effectively detected and blocked.
In view of the above technical problem, an embodiment of the present disclosure provides a slow attack detection method, which may include the following steps, as shown in fig. 1:
S101, determining preset attack characteristics for calculating an attack value according to a preset attack value calculation rule;
According to the three types of slow attack described above, the attack characteristics needed for detection can be determined. For example, for the Slow headers attack, "\r\n\r\n" can be preset as an attack characteristic; for the Slow body attack, "Content-Length" can be preset as an attack characteristic; and so on. It should be understood that the embodiments of this disclosure do not limit the specific preset attack characteristics, and those skilled in the art may select and set them according to actual needs.
S102, determining values of preset attack characteristics in a received message, and calculating attack values of the message according to the characteristic values;
In a specific implementation of the embodiments of this specification, the length of a received message may be determined first, and then whether the determined message length equals a preset length value, for example whether the length of the request message data is 0.
When the determined message length equals the preset length value, it may further be determined whether the message is an acknowledgement (ACK) message. In addition, since data flow during transmission is controlled by the window size, whether the receive window value of the message equals a preset window value can also be judged, for example whether the receive window value is 0.
When the message is an acknowledgement message and its receive window value equals the preset window value, the corresponding value of the attack characteristic is obtained from the preset length value, the acknowledgement message type and the preset window value.
When the determined message length is not the preset length value, it is further judged whether the message contains a preset character string, for example whether the message contains "\r\n\r\n". If it does, the message can be determined not to be a Slow headers attack message; if it does not, other characteristics may be examined further.
Specifically, when the message contains the preset character string, it is judged whether the message contains header information and a payload. If the message contains only header information, only a preset field value in the header information, such as the Content-Length field value, is recorded; the message is determined not to be a slow attack message and is not examined further. If the message contains both header information and a payload, the preset field value (such as the Content-Length field value) and the payload length are recorded, and the message is likewise determined not to be a slow attack message and is not examined further.
If the message contains only a payload, the previous request message corresponding to this message is determined, a total payload length is obtained from the payload length of this message and the payload length of the previous request message, and the total payload length is compared with the preset field value in the header information of the previous request message, for example with the Content-Length field value recorded when the previous message was examined. If the total payload length is smaller than the Content-Length field value, the server may be under a Slow body attack; that is, the value of the corresponding attack characteristic is obtained from the comparison result and the type of the request message.
When the message does not contain the preset character string, other characteristics may be examined further. Specifically, the maximum segment length of the message may be determined first and the message length compared with it; if the message length is smaller than the maximum segment length, the corresponding value of the attack characteristic is obtained from the message length and the maximum segment length.
After the values of the preset attack characteristics in the received message have been determined, the attack value of the message can be calculated from those characteristic values according to the preset attack value calculation rule.
For example, the possible attack type may be determined from detected characteristics such as "message length is smaller than the maximum segment length", "total payload length is smaller than the Content-Length field value" and "contains the preset character string". In the preset attack value calculation rule, weights or other calculation coefficients can be preset for the various attack types, so that the total attack value is obtained by a weighted sum over the types or by another operation.
For another example, in the preset attack value calculation rule a calculation coefficient may be preset for each preset attack characteristic, so that the total attack value is obtained by combining the coefficients of the attack characteristics that the examined message matches or contains.
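The branch structure of steps S101 and S102, written out as an added Python example; it is not code from the patent or from its assignee. The simplified packet representation, the Content-Length regular expression, the feature names and the per-characteristic coefficients are all constructed here for illustration, since the patent leaves the concrete preset characteristics and coefficients to the implementer. The presets themselves (the "\r\n\r\n" string and the 0 length and window values) are the ones the text gives as examples.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Preset attack characteristics (S101). The terminator is the page's "\r\n\r\n" string;
# the length and window presets are the 0 values the text gives as examples.
HEADER_TERMINATOR = b"\r\n\r\n"
PRESET_LENGTH = 0
PRESET_WINDOW = 0

# Constructed coefficients for the preset attack value calculation rule (one per characteristic).
FEATURE_WEIGHTS = {
    "zero_window_ack": 40,                   # empty ACK with zero receive window (a very slow reader)
    "body_shorter_than_content_length": 30,  # body trickling in below the announced Content-Length
    "segment_shorter_than_mss": 20,          # unterminated data sent in segments smaller than the MSS
}


@dataclass
class Packet:
    """Constructed, simplified view of one TCP segment from a sending end (not a packet parser)."""
    payload: bytes                 # TCP payload; b"" for a bare ACK
    is_ack: bool = True
    recv_window: int = 65535
    mss: int = 1460                # maximum segment length of the connection


@dataclass
class ConnState:
    """What is recorded about the previous request message on this connection."""
    content_length: Optional[int] = None   # preset field value from the header
    body_received: int = 0                 # payload length seen so far


_CL_RE = re.compile(rb"^content-length:[ \t]*(\d+)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)


def parse_content_length(header: bytes) -> Optional[int]:
    """Extract the Content-Length field value from raw header bytes, if present."""
    m = _CL_RE.search(header)
    return int(m.group(1)) if m else None


def extract_features(pkt: Packet, state: ConnState) -> Set[str]:
    """Walk the S102 branches and return the preset attack characteristics the message matches."""
    feats: Set[str] = set()

    # Branch 1: message length equals the preset length value (0).
    if len(pkt.payload) == PRESET_LENGTH:
        if pkt.is_ack and pkt.recv_window == PRESET_WINDOW:
            feats.add("zero_window_ack")
        return feats

    # Branch 2: message contains the preset string, so the HTTP header is complete.
    # Record Content-Length and any payload carried along; not a slow attack message by itself.
    if HEADER_TERMINATOR in pkt.payload:
        head, _, body = pkt.payload.partition(HEADER_TERMINATOR)
        state.content_length = parse_content_length(head)
        state.body_received = len(body)
        return feats

    # Branch 3: no terminator. If a header with Content-Length was seen earlier, this is body
    # data: compare the running total against the announced length.
    if state.content_length is not None:
        state.body_received += len(pkt.payload)
        if state.body_received < state.content_length:
            feats.add("body_shorter_than_content_length")

    # With or without a recorded header, compare the message length with the maximum segment length.
    if len(pkt.payload) < pkt.mss:
        feats.add("segment_shorter_than_mss")
    return feats


def attack_value(feats: Set[str]) -> int:
    """Preset attack value calculation rule: sum of the coefficients of the matched characteristics."""
    return sum(FEATURE_WEIGHTS[f] for f in feats)


def score_packet(pkt: Packet, state: ConnState) -> int:
    return attack_value(extract_features(pkt, state))


if __name__ == "__main__":
    # Constructed sequence: a POST header announcing 1000 bytes, then a 10-byte body chunk, then an empty ACK.
    st = ConnState()
    print(score_packet(Packet(b"POST /up HTTP/1.1\r\nContent-Length: 1000\r\n\r\n"), st))  # 0
    print(score_packet(Packet(b"x" * 10), st))                                            # 50
    print(score_packet(Packet(b"", is_ack=True, recv_window=0), st))                     # 40
```

The attack value only becomes meaningful in S103, where it is compared with the sending end's current threshold; a complete header with a large Content-Length scores 0 on its own, and it is the later short body segments that accumulate characteristics.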
S103, comparing whether the calculated attack value is larger than a preset attack threshold value;
S104, determining the message as a slow attack message under the condition that the calculated attack value is larger than a preset attack threshold value, and calculating a new attack threshold value; the new attack threshold is used for subsequent slow attack detection, and the new attack threshold is not greater than the old attack threshold.
In a specific implementation of the embodiments of this specification, when the message is determined to be a slow attack message, a sending-end identifier of the message, such as the IP address and MAC address of the sending end, is recorded.
Therefore, each time a new attack threshold needs to be calculated, the sending-end identifier of the message is determined first, then the number of attacks by the sending end corresponding to the message is determined from the previously recorded sending-end identifiers, and the new attack threshold is calculated from the number of attacks and the current attack threshold, where the new attack threshold is negatively correlated with the number of attacks and positively correlated with the old attack threshold.
For example, assuming that the number of times messages from a certain IP address have been determined to be slow attack messages is n, the current attack threshold is Y, and a calculation base m (m > 1) is preset, the new attack threshold Y' may be calculated as:
(formula given as an image in the original; not reproduced here)
By updating the attack threshold in this way, the strictness of the check on whether a message is a slow attack message rises with the frequency at which an attacker sends slow attack messages, so that slow attacks are detected more flexibly and more accurately.
In a specific implementation of the embodiments of this specification, the time interval and duration between multiple attacks may also be recorded and calculated. Specifically, when the message is determined to be a slow attack message, the sending-end identifier of the message is recorded and the current time is recorded as the attack time. From the previously recorded attack times and sending-end identifiers it is determined whether an earlier attack time exists for the sending end corresponding to this message; if so, the interval between the last attack time and the current attack time is calculated, and the attack handling operation to apply to the sending end is determined from the relation between this interval and a preset duration threshold.
For example, it is judged whether the time interval is not less than a preset duration threshold, and if so the sending-end identifier is added to a blacklist. The blocking duration of the blacklist can be preset; the time since the identifier was added is counted, and when it reaches the blocking duration the block can be lifted.
The sending-end identifier and the attack time can be recorded in a pre-established hash table: each distinct sending end is stored as a node in the hash table and its attack times are stored in the corresponding node, so that the number and the times of slow attack messages sent to the server by each sending end can be recorded and determined from the nodes of the hash table.
In addition, to reduce the burden of slow attack detection on the server, a detection period can be set: if the interval between attack messages determined to have been sent to the server by the same sending end is too long and exceeds the detection period, operations such as updating the attack threshold, adding to the blacklist and blocking are not performed.
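An added Python example (not the patent's own code) of the per-sender bookkeeping described for S103 and S104 and in the paragraphs above: a hash table keyed by sending-end identifier, an attack counter, the adaptive per-sender threshold, the interval check against a duration threshold with blacklisting, the block duration, and the detection period. The patent gives the threshold formula only as an image, so the update rule Y' = Y / m**n used here is an assumption chosen to satisfy the stated properties (m > 1, negatively correlated with n, positively correlated with Y, never greater than the old threshold); every numeric parameter and every identifier below is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SenderRecord:
    """One node of the hash table: what is remembered about a single sending end."""
    threshold: float                          # current attack threshold Y for this sender
    attack_count: int = 0                     # n: messages from this sender judged slow attacks
    last_attack_time: Optional[float] = None  # most recent recorded attack time (seconds)
    blacklisted_until: Optional[float] = None # end of the blocking duration, if blacklisted


class SlowAttackDetector:
    def __init__(self, initial_threshold: float = 50.0, base_m: float = 2.0,
                 duration_threshold: float = 10.0, blacklist_seconds: float = 600.0,
                 detection_period: float = 300.0) -> None:
        # All defaults are constructed sample parameters, not the patent's presets.
        if base_m <= 1:
            raise ValueError("calculation base m must be greater than 1")
        self.initial_threshold = initial_threshold
        self.base_m = base_m
        self.duration_threshold = duration_threshold
        self.blacklist_seconds = blacklist_seconds
        self.detection_period = detection_period
        self.senders: Dict[str, SenderRecord] = {}  # hash table keyed by sending-end identifier

    def new_threshold(self, old_threshold: float, attack_count: int) -> float:
        # ASSUMED update rule (the patent shows its formula only as an image): Y' = Y / m**n.
        # With m > 1 and n >= 1 the result is never greater than the old threshold.
        return old_threshold / (self.base_m ** attack_count)

    def check(self, sender_id: str, attack_value: float, now: float) -> str:
        """Classify one message from sender_id whose attack value has already been computed.

        Returns "blocked", "normal", "attack" or "blacklisted".
        """
        rec = self.senders.setdefault(sender_id, SenderRecord(threshold=self.initial_threshold))

        # A blacklisted sender stays blocked until the blocking duration has elapsed.
        if rec.blacklisted_until is not None:
            if now < rec.blacklisted_until:
                return "blocked"
            rec.blacklisted_until = None  # blocking duration reached: lift the block

        # S103: compare the attack value with this sender's current threshold.
        if attack_value <= rec.threshold:
            return "normal"

        # S104: slow attack message. Record the sender identifier and the attack time.
        interval = None if rec.last_attack_time is None else now - rec.last_attack_time
        rec.last_attack_time = now

        # Detection period: if the previous attack from this sender is too old, neither tighten
        # the threshold nor blacklist (design choice here: the counter is not advanced either).
        if interval is not None and interval > self.detection_period:
            return "attack"

        rec.attack_count += 1
        rec.threshold = self.new_threshold(rec.threshold, rec.attack_count)

        # Interval not less than the duration threshold: add the sender to the blacklist.
        if interval is not None and interval >= self.duration_threshold:
            rec.blacklisted_until = now + self.blacklist_seconds
            return "blacklisted"
        return "attack"


if __name__ == "__main__":
    # Constructed walk-through for one sender (times in seconds, attack values from S102).
    det = SlowAttackDetector()
    for t, value in [(1000.0, 30.0), (1001.0, 60.0), (1002.0, 30.0), (1020.0, 10.0), (1100.0, 0.0)]:
        verdict = det.check("10.0.0.1", value, t)
        print(t, value, verdict, round(det.senders["10.0.0.1"].threshold, 3))
```

Because the threshold is stored per sender, a single noisy source tightens only its own check, and an unrelated sender is still measured against the initial threshold; the detection period keeps a sender that returns after a long quiet spell from inheriting a threshold tightened long ago.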
In a specific implementation manner of the embodiment of the present specification, when it is determined that the packet is a slow attack packet, the attack type of the slow attack may be determined according to the determined values of the preset attack characteristics, and the protection action corresponding to the attack type may be taken according to a preset correspondence between the attack type and the protection action.
The protection action includes a blocking action and/or an alarm action. The blocking action blocks the connection between the sending end and the local end of the message, for example by sending an RST packet; the alarm action sends an alarm about the slow attack in a preset manner, for example by emitting a log on the security device.
It can be seen that, by applying the slow attack detection scheme provided by this specification, the attack value of a received message is calculated from the characteristics of the various slow attacks and compared with the preset attack threshold to determine whether the message is likely to be a slow attack message. If the same sending end sends slow attack messages many times within a short period, the attack threshold is gradually lowered, that is, the check on its messages becomes gradually stricter. This achieves more flexible and accurate slow attack detection and a balance between reducing the false alarm rate and increasing detection strictness.
Corresponding to the foregoing method embodiment, an embodiment of the present specification further provides a slow attack detection apparatus, and referring to fig. 2, the apparatus may include:
a feature determining module 110, configured to determine a preset attack feature for calculating an attack value according to a preset attack value calculation rule;
an attack value calculation module 120, configured to determine values of preset attack features in a received packet, and calculate an attack value of the packet according to the feature values;
an attack value comparison module 130, configured to compare whether the calculated attack value is greater than a preset attack threshold value;
an attack determination module 140, configured to determine that the packet is a slow attack packet when the calculated attack value is greater than a preset attack threshold value;
a threshold updating module 150, configured to calculate a new attack threshold when the calculated attack value is greater than a preset attack threshold; the new attack threshold is used for subsequent slow attack detection, and the new attack threshold is not greater than the old attack threshold.
In a specific implementation manner of the embodiment of the present specification, referring to fig. 3, the attack value calculation module 120 may include:
a first determining submodule 121, configured to determine a length of a received message, and determine whether the determined length of the message is a preset length value;
a second determining sub-module 122, configured to determine whether the message is a confirmation message and whether a receiving window value of the message is a preset window value, when the determined message length is the preset length value;
the characteristic value determining submodule 123 is configured to, when the message is a confirmation message and the receiving window value is a preset window value, obtain a corresponding value of the attack characteristic according to the preset length value, the confirmation message type, and the preset window value.
In a specific implementation manner of the embodiment of the present specification, referring to fig. 4, the attack value calculation module 120 may further include:
a third determining sub-module 124, configured to determine whether the message includes a preset character string when the determined message length is not a preset length value;
a fourth determining submodule 125, configured to determine whether the message includes header information and a load when the message includes a preset character string;
the characteristic value determining submodule 123 is further configured to determine, when the message only includes a load, a previous request message corresponding to the message; obtaining the total load length according to the load length of the message and the load length of the last request message; and comparing the total load length with a preset field value in the header information of the last request message, and obtaining a corresponding value of the attack characteristic according to the comparison result and the preset character string.
In a specific implementation manner of the embodiment of the present specification, referring to fig. 5, the attack value calculation module 120 may further include:
a preset value recording sub-module 126, configured to record a preset field value in the header information when the header information is only included in the message; and/or recording a preset field value and a load length value in the header information under the condition that the header information and the load are included in the message.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present specification. One of ordinary skill in the art can understand and implement it without inventive effort.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. In other instances, features described in connection with one embodiment may be implemented as discrete components or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (9)

1. A slow attack detection method, the method comprising:
determining a preset attack characteristic for calculating an attack value according to a preset attack value calculation rule;
determining the value of each preset attack characteristic in a received message, and calculating the attack value of the message according to the value of the preset attack characteristic;
the determining of the value of each preset attack characteristic in the received message comprises determining the length of the received message; judging whether the determined message length is a preset length value or not, and judging whether the message comprises a preset character string or not under the condition that the determined message length is not the preset length value; under the condition that the message comprises a preset character string, judging whether the message comprises header information and a load; under the condition that the message only comprises the load, determining a previous request message corresponding to the message; obtaining the total load length according to the load length of the message and the load length of the last request message; comparing the total load length with a preset field value in the header information of the previous request message, and obtaining a corresponding value of a preset attack characteristic according to a comparison result on the basis that the message contains a preset character string;
comparing whether the calculated attack value is larger than a preset attack threshold value;
determining the message as a slow attack message under the condition that the calculated attack value is larger than a preset attack threshold value, and calculating and updating the attack threshold value;
and the updated attack threshold is used for subsequent slow attack detection, and the updated attack threshold is not greater than the attack threshold before updating.
2. The method of claim 1, further comprising:
under the condition that the determined message length is a preset length value, judging whether the message is a confirmation message or not and whether a receiving window value of the message is a preset window value or not;
and under the condition that the message is a confirmation message and the receiving window value is a preset window value, obtaining a corresponding value of the attack characteristic according to the preset length value, the confirmation message type and the preset window value.
3. The method of claim 1, further comprising:
recording a preset field value in the header information under the condition that the message includes only the header information;
and/or
recording a preset field value and a load length value in the header information under the condition that the message includes both the header information and the load.
4. The method of claim 1, further comprising:
determining the maximum segment length of the message under the condition that the message does not comprise a preset character string;
and comparing whether the message length is smaller than the maximum segment length, and if so, obtaining a corresponding value of the attack characteristic according to the message length and the maximum segment length.
5. The method of claim 1, further comprising:
recording the sending end identification of the message under the condition of determining that the message is a slow attack message;
the calculating and updating the attack threshold includes:
determining the sending end identification of the message;
determining the attack times of the message corresponding to a sending end according to a pre-recorded sending end identifier;
and calculating and updating the attack threshold according to the attack times and the attack threshold, wherein the updated attack threshold is negatively correlated with the attack times and positively correlated with the attack threshold before updating.
6. The method of claim 1, further comprising:
under the condition that the message is determined to be a slow attack message, recording the sending end identification of the message, and recording the current time as the attack time;
determining whether the recorded attack time exists at a sending end corresponding to the message or not according to the pre-recorded attack time and the sending end identification;
and if so, calculating the time interval between the last attack time and the current attack time, and determining the corresponding attack processing operation on the sending end according to the relation between the time interval and a preset duration threshold.
7. The method according to claim 6, wherein the determining, according to the relationship between the time interval and a preset duration threshold, a corresponding attack processing operation on the sender includes:
judging whether the time interval is not less than a preset duration threshold value or not;
and if so, adding the sending end identifier into a blacklist.
8. The method of claim 1, further comprising:
under the condition that the message is determined to be a slow attack message, determining the attack type of the slow attack according to the determined values of all preset attack characteristics;
according to the preset corresponding relation between the attack type and the protection action, the protection action corresponding to the attack type is adopted;
wherein the safeguard action comprises: blocking actions and/or alarm actions;
the blocking action is used for blocking the connection between the sending end and the local end of the message;
and the alarm action is used for sending an alarm subjected to slow attack in a preset mode.
9. A slow attack detection device, the device comprising:
the characteristic determining module is used for determining preset attack characteristics for calculating the attack value according to a preset attack value calculating rule;
the attack value calculation module is used for determining the value of each preset attack characteristic in the received message and calculating the attack value of the message according to the value of the preset attack characteristic;
the determining of the value of each preset attack characteristic in the received message comprises determining the length of the received message; judging whether the determined message length is a preset length value or not, and judging whether the message comprises a preset character string or not under the condition that the determined message length is not the preset length value; under the condition that the message comprises a preset character string, judging whether the message comprises header information and a load; under the condition that the message only comprises the load, determining a previous request message corresponding to the message; obtaining the total load length according to the load length of the message and the load length of the last request message; comparing the total load length with a preset field value in the header information of the previous request message, and obtaining a corresponding value of a preset attack characteristic according to a comparison result on the basis that the message contains a preset character string;
the attack value comparison module is used for comparing whether the calculated attack value is larger than a preset attack threshold value or not;
the attack determination module is used for determining the message as a slow attack message under the condition that the calculated attack value is larger than a preset attack threshold value;
the threshold updating module is used for calculating and updating the attack threshold under the condition that the calculated attack value is larger than a preset attack threshold; and the updated attack threshold is used for subsequent slow attack detection, and the updated attack threshold is not greater than the attack threshold before updating.
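The following Python program is an added illustration of the detection scheme in claims 1 to 8; it is not code from the patent or from the assignee. It assumes concrete values the claims leave open: the preset length is a zero-byte TCP payload and the preset window value is 0 (claim 2), the preset character string is "HTTP/" and, because a body-only continuation segment does not repeat it, the flow is remembered as HTTP once the string has been seen (claim 1), the attack value is a weighted sum of three binary characteristics, the threshold update divides the previous threshold by one plus the per-sender attack count (claim 5, so it never rises), and the attack-type to action mapping is invented for the demonstration (claim 8). The sample segments are constructed.

```python
"""Added example (not the patent's own code): a toy slow-attack detector that
follows the characteristic -> attack value -> adaptive threshold scheme of claims 1-8.
Preset values, weights, the threshold update formula and the action map are assumptions."""
import re
from dataclasses import dataclass, field

PRESET_LEN = 0               # assumed: segment carries no TCP payload (claims 1, 2)
PRESET_WINDOW = 0            # assumed: zero advertised receive window (claim 2)
PRESET_STRING = b"HTTP/"     # assumed marker that the flow carries HTTP (claim 1)
WEIGHTS = {"zero_window_ack": 3, "incomplete_body": 3, "small_segment": 1}  # assumed rule
ATTACK_TYPE = {"zero_window_ack": "slow read", "incomplete_body": "slow POST",
               "small_segment": "slow headers"}                      # assumed (claim 8)
ACTIONS = {"slow read": ("block",), "slow POST": ("block", "alarm"),
           "slow headers": ("alarm",)}                               # assumed (claim 8)
INITIAL_THRESHOLD = 2.0
INTERVAL_THRESHOLD = 5.0     # seconds between two attacks from one sender (claims 6, 7)
CL_RE = re.compile(rb"content-length:\s*(\d+)", re.IGNORECASE)


@dataclass
class Segment:
    sender: str      # sending end identification (claims 5, 6)
    ts: float        # arrival time in seconds
    ack: bool        # ACK flag set
    window: int      # advertised receive window
    payload: bytes   # TCP payload
    mss: int = 1460  # maximum segment length negotiated for the connection (claim 4)


@dataclass
class Detector:
    threshold: float = INITIAL_THRESHOLD
    http_flows: set = field(default_factory=set)
    last_request: dict = field(default_factory=dict)  # sender -> [content_length, body_so_far]
    attack_count: dict = field(default_factory=dict)
    last_attack_ts: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def features(self, seg: Segment) -> dict:
        """Claims 1-4: derive the preset attack characteristics from one segment."""
        f = dict.fromkeys(WEIGHTS, 0)
        if len(seg.payload) == PRESET_LEN:                      # claim 2: preset length
            f["zero_window_ack"] = int(seg.ack and seg.window == PRESET_WINDOW)
            return f
        if PRESET_STRING in seg.payload:
            self.http_flows.add(seg.sender)
        if seg.sender not in self.http_flows:                   # claim 4: no preset string
            f["small_segment"] = int(len(seg.payload) < seg.mss)
            return f
        head, sep, body = seg.payload.partition(b"\r\n\r\n")
        has_header = sep != b"" and PRESET_STRING in head
        if has_header:                                          # claim 3: header (+ load)
            m = CL_RE.search(head)
            self.last_request[seg.sender] = [int(m.group(1)) if m else 0, len(body)]
            return f
        prev = self.last_request.get(seg.sender)                # claim 1: load only
        if prev:
            prev[1] += len(seg.payload)                         # total load length so far
            f["incomplete_body"] = int(prev[1] < prev[0])       # compare with Content-Length
        return f

    def process(self, seg: Segment) -> dict:
        """Claims 1, 5-8: score the segment, adapt the threshold, pick a response."""
        f = self.features(seg)
        value = sum(WEIGHTS[k] * v for k, v in f.items())
        if value <= self.threshold:
            return {"attack": False, "value": value, "type": None, "actions": ()}
        # claim 5: per-sender attack count pushes the threshold down, never up
        n = self.attack_count[seg.sender] = self.attack_count.get(seg.sender, 0) + 1
        self.threshold = self.threshold / (1 + n)               # assumed update formula
        # claims 6, 7: a repeat attack spaced at least INTERVAL_THRESHOLD apart -> blacklist
        last = self.last_attack_ts.get(seg.sender)
        if last is not None and seg.ts - last >= INTERVAL_THRESHOLD:
            self.blacklist.add(seg.sender)
        self.last_attack_ts[seg.sender] = seg.ts
        # claim 8: attack type from the characteristic values, then the mapped action
        kind = next(ATTACK_TYPE[k] for k, v in f.items() if v)
        return {"attack": True, "value": value, "type": kind, "actions": ACTIONS[kind]}


def demo() -> list:
    """Constructed traffic: a slow-POST sender, then a zero-window reader."""
    d = Detector()
    segs = [
        Segment("10.0.0.1", 1.0, True, 65535,
                b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100\r\n\r\n"),
        Segment("10.0.0.1", 2.0, True, 65535, b"a" * 10),      # 10 of 100 body bytes
        Segment("10.0.0.1", 12.0, True, 65535, b"b" * 10),     # 20 of 100, ten seconds later
        Segment("10.0.0.9", 13.0, True, 0, b""),               # pure ACK with window 0
    ]
    return [(d.process(s), d.threshold, sorted(d.blacklist)) for s in segs]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the updated threshold is shared by all subsequent detection (claim 1), the first confirmed attack lowers the bar for every later sender; the zero-window ACK at the end is caught against a threshold that two earlier slow-POST segments have already reduced.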

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811203799.9A CN109040140B (en) 2018-10-16 2018-10-16 Slow attack detection method and device

Publications (2)

Publication Number Publication Date
CN109040140A CN109040140A (en) 2018-12-18
CN109040140B true CN109040140B (en) 2021-03-23

Family

ID=64613344

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811203799.9A Active CN109040140B (en) 2018-10-16 2018-10-16 Slow attack detection method and device

Country Status (1)

Country Link
CN (1) CN109040140B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111478893B (en) * 2020-04-02 2022-06-28 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN112738099B (en) * 2020-12-28 2022-07-12 北京天融信网络安全技术有限公司 Method and device for detecting slow attack, storage medium and electronic equipment
CN112866233B (en) * 2021-01-14 2022-05-24 华南理工大学 Method, equipment and medium for protecting slow DDOS attack
CN113242260B (en) * 2021-06-09 2023-02-21 中国银行股份有限公司 Attack detection method and device, electronic equipment and storage medium
CN114422272B (en) * 2022-03-28 2022-07-22 北京信安世纪科技股份有限公司 Data processing system, method and server side equipment
CN115242551B (en) * 2022-09-21 2022-12-06 北京中科网威信息技术有限公司 Slow attack defense method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101998400A (en) * 2009-08-12 2011-03-30 中国移动通信集团天津有限公司 Authentication random number detection method and SIM (Subscriber Identity Module) card
KR20130006750A (en) * 2011-06-20 2013-01-18 한국전자통신연구원 Method for identifying a denial of service attack and apparatus for the same
CN105991509A (en) * 2015-01-27 2016-10-05 杭州迪普科技有限公司 Session processing method and apparatus
CN106471778A (en) * 2014-07-04 2017-03-01 日本电信电话株式会社 Attack detecting device, attack detection method and attack detecting program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8856913B2 (en) * 2011-08-29 2014-10-07 Arbor Networks, Inc. Method and protection system for mitigating slow HTTP attacks using rate and time monitoring

Also Published As

Publication number Publication date
CN109040140A (en) 2018-12-18

Similar Documents

Publication Publication Date Title
CN109040140B (en) Slow attack detection method and device
US10284594B2 (en) Detecting and preventing flooding attacks in a network environment
US6816910B1 (en) Method and apparatus for limiting network connection resources
US8108531B2 (en) Securing an access provider
US7266754B2 (en) Detecting network denial of service attacks
US20140283062A1 (en) Apparatus, system and method for suppressing erroneous reporting of attacks on a wireless network
US20150033343A1 (en) Method, Apparatus, and Device for Detecting E-Mail Attack
CN107395632B (en) SYN Flood protection method, device, cleaning equipment and medium
CN107547503B (en) Session table item processing method and device, firewall equipment and storage medium
JP7109391B2 (en) Unauthorized communication detection device and unauthorized communication detection program
US7404210B2 (en) Method and apparatus for defending against distributed denial of service attacks on TCP servers by TCP stateless hogs
CN108616488B (en) Attack defense method and defense equipment
CN105634660A (en) Data packet detection method and system
CN107454065B (en) Method and device for protecting UDP Flood attack
CN111756713A (en) Network attack identification method and device, computer equipment and medium
CN107360196B (en) Attack detection method and device and terminal equipment
CN105592055A (en) Anti-attack method and device for TCP SYN FLOOD
EP2109281A1 (en) Method and system for server-load and bandwidth dependent mitigation of distributed denial of service attacks
Bellaïche et al. SYN flooding attack detection by TCP handshake anomalies
JP5009200B2 (en) Network attack detection device and defense device
Kim et al. How to make content centric network (CCN) more robust against DoS/DDoS attack
KR20170011598A (en) System, method and computer program for detecting and blocking the denial of service attack
CN116455653A (en) Data processing method and device
CN115987666A (en) Control plane protection method, device, exchange equipment and storage medium
CN113347119A (en) Method, device, equipment and storage medium for sending data packet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210610

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.
