CN110213208A - Method, apparatus and storage medium for processing requests - Google Patents

Publication number
CN110213208A
Authority
CN
China
Prior art keywords
field contents
statistical
occurrence
threshold value
request
Legal status
Granted
Application number
CN201810438832.XA
Other languages
Chinese (zh)
Other versions
CN110213208B (en)
Inventor
洪旭升
胡珀
郑兴
陈剑
牛保龙
刘志颖
李相垚
易楠
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201810438832.XA
Publication of CN110213208A
Application granted
Publication of CN110213208B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention disclose a method, an apparatus and a storage medium for processing requests, used to effectively strike malicious access requests. The method for processing requests includes: determining at least two statistical dimensions from a preset multi-dimensional policy according to an access request sent by a client, where the multi-dimensional policy includes a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, and a statistical dimension indicates a field that needs to be counted; extracting at least two kinds of field content from the access request, where the at least two kinds of field content correspond one-to-one to the at least two statistical dimensions and each kind of field content can be used to uniquely identify the access request; judging whether the number of occurrences of each of the at least two kinds of field content within a preset statistical period exceeds the corresponding threshold; and, when the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold, striking the access request according to the strike rules corresponding to the at least two statistical dimensions.

Description

Method, apparatus and storage medium for processing requests
Technical field
The present invention relates to the field of computer technology, and in particular to a method, an apparatus and a storage medium for processing requests.
Background
In the early development of distributed denial of service (Distributed Denial of Service, DDoS) attacks, the vast majority could be mitigated by the industry's well-known "black hole" (Collapsar) anti-denial-of-service system. Hackers then developed a new type of DDoS attack targeting the HyperText Transfer Protocol (HTTP) and named it Challenge Collapsar, claiming that the black hole equipment could not defend against it; the name CC has been used ever since. A CC attack is a kind of DDoS attack that occurs at layer 7, the application layer. It differs from network-layer DDoS in that the Transmission Control Protocol (TCP) connection has already been established and the attacking Internet Protocol (IP) address is a real IP address. It mainly requests resource-consuming pages continuously, which consumes the resources of the origin site and blurs the boundary with normal service requests, and existing industry protection products have so far not achieved good results.
The industry generally strikes clients by identifying their IP addresses: when the requests from a client's IP address exceed a preset threshold within a certain time, the address is treated as a malicious IP address and can then be struck.
Many mature attack methods exist at present, such as using a large number of proxy servers or controlling puppet machines to hide the attacker's real IP address. When a client makes requests while constantly changing its IP address, the IP-address-based strike approach of the prior art fails.
Summary of the invention
Embodiments of the present invention provide a method, an apparatus and a storage medium for processing requests, used to effectively strike malicious access requests.
To solve the above technical problem, embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides a method for processing requests, comprising:
determining at least two statistical dimensions from a preset multi-dimensional policy according to an access request sent by a client, where the multi-dimensional policy includes a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, and the statistical dimension indicates a field that needs to be counted;
extracting at least two kinds of field content from the access request, where the at least two kinds of field content correspond one-to-one to the at least two statistical dimensions, and each kind of field content can be used to uniquely identify the access request;
judging whether the number of occurrences of each of the at least two kinds of field content within a preset statistical period exceeds the corresponding threshold;
when the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold, striking the access request according to the strike rules corresponding to the at least two statistical dimensions.
In a second aspect, an embodiment of the present invention further provides an apparatus for processing requests, comprising:
a multi-dimension determining module, configured to determine at least two statistical dimensions from a preset multi-dimensional policy according to an access request sent by a client, where the multi-dimensional policy includes a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, and the statistical dimension indicates a field that needs to be counted;
a request parsing module, configured to extract at least two kinds of field content from the access request, where the at least two kinds of field content correspond one-to-one to the at least two statistical dimensions, and each kind of field content can be used to uniquely identify the access request;
a judgment module, configured to judge whether the number of occurrences of each of the at least two kinds of field content within a preset statistical period exceeds the corresponding threshold;
a request processing module, configured to strike the access request according to the strike rules corresponding to the at least two statistical dimensions when the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold.
In the second aspect, the modules of the apparatus for processing requests may also perform the steps described in the first aspect and its various possible implementations; for details, see the foregoing description of the first aspect and its various possible implementations.
In a third aspect, an embodiment of the present invention provides an apparatus for processing requests, comprising a processor and a memory. The memory is used to store instructions; the processor is used to execute the instructions in the memory, so that the apparatus for processing requests performs the method of any one of the foregoing first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method described in the above aspects.
In a fifth aspect, an embodiment of the present invention provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the method described in the above aspects.
As can be seen from the above technical solutions, embodiments of the present invention have the following advantages:
In embodiments of the present invention, at least two statistical dimensions are first determined from a preset multi-dimensional policy according to the access request sent by the client. The multi-dimensional policy includes a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, and a statistical dimension indicates a field that needs to be counted. At least two kinds of field content are then extracted from the access request; they correspond one-to-one to the at least two statistical dimensions, and each kind of field content can be used to uniquely identify the access request. It is judged whether the number of occurrences of each of the at least two kinds of field content within a preset statistical period exceeds the corresponding threshold. When the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold, the access request is struck according to the strike rules corresponding to the at least two statistical dimensions. Because a multi-dimensional policy is provided, at least two statistical dimensions can be determined according to the access request, the access request is parsed by these dimensions, at least two kinds of field content are extracted from it, and the number of occurrences of each kind is compared with its threshold; the strike rule is applied to the access request only when every one of them exceeds its threshold. By setting multiple statistical dimensions and extracting and judging multiple kinds of field content at the same time, access requests can be distinguished effectively and attackers can be struck effectively.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings based on these drawings.
Fig. 1 is a schematic diagram of the system architecture to which the method for processing requests provided by an embodiment of the present invention is applied;
Fig. 2 is a schematic flow block diagram of the method for processing requests provided by one embodiment of the present invention;
Fig. 3 is a schematic flow block diagram of the method for processing requests provided by another embodiment of the present invention;
Fig. 4 is a schematic flow block diagram of the method for processing requests provided by another embodiment of the present invention;
Fig. 5 is a schematic diagram of an application scenario of the method for processing requests provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of the policy-setting interface provided by an embodiment of the present invention;
Fig. 7-a is a schematic structural diagram of an apparatus for processing requests provided by an embodiment of the present invention;
Fig. 7-b is a schematic structural diagram of a judgment module provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a server to which the method for processing requests provided by an embodiment of the present invention is applied.
Detailed description of the embodiments
Embodiments of the present invention provide a method, an apparatus and a storage medium for processing requests, used to effectively strike malicious access requests.
To make the purpose, features and advantages of the present invention more obvious and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the embodiments described below are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention fall within the protection scope of the present invention.
The terms "include" and "have" and any variations of them in the description, claims and drawings of this specification are intended to cover non-exclusive inclusion, so that a process, method, system, product or device comprising a series of units is not necessarily limited to those units, but may include other units that are not clearly listed or that are inherent to such a process, method, product or device.
Referring to Fig. 1, it shows a schematic structural diagram of the system to which the method for processing requests provided by an embodiment of the present invention is applied. The system includes a server 110 and a terminal 120.
Server 110 is a single server, a group of several servers, a virtualization platform, or a cloud computing service center. Server 110 can be used to identify access requests sent by the terminal and thereby determine that it is under CC attack.
Optionally, server 110 includes a background server that provides a network (web) application firewall; optionally, server 110 includes a background server that provides the multi-dimensional policy.
Server 110 receives the access request sent by terminal 120, extracts at least two kinds of field content from the access request based on the multi-dimensional policy, and decides whether to strike the access request by judging the number of occurrences of the at least two kinds of field content.
Server 110 and terminal 120 are connected through a communication network. Optionally, the communication network is a wired network or a wireless network.
Terminal 120 can be a mobile phone, a tablet computer, an e-book reader, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop portable computer, a desktop computer, and so on.
Optionally, a browser client also runs on terminal 120; the browser client is used to initiate access to the network through server 110 and to download network resources from the network.
Detailed descriptions are given below.
One embodiment of the method for processing requests of the present invention can be applied to the scenario in which the server side identifies access requests sent by a client. Referring to Fig. 2, the method for processing requests provided by one embodiment of the present invention may include the following steps:
201. Determine at least two statistical dimensions from a preset multi-dimensional policy according to the access request sent by the client. The multi-dimensional policy includes a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, and a statistical dimension indicates a field that needs to be counted.
In embodiments of the present invention, a multi-dimensional policy can be set on the server. The policy holds a plurality of different statistical dimensions and the strike rule corresponding to each of them, where a statistical dimension indicates a field that needs to be counted. Statistical dimensions can be set according to the request type of the access request; for example, the IP address of the client can serve as one statistical dimension, and the device identifier of the user carried in the access request can serve as another. Different statistical dimensions indicate different fields to be counted, and any field that can uniquely identify the access request can be set as a statistical dimension.
In some embodiments of the present invention, the multi-dimensional policy includes at least any two of the following statistical dimensions: a type field of the HTTP request, the key of a get parameter, the key of a request header, and the key of a browser cache (cookie).
In embodiments of the present invention, the access request sent by the client can be an HTTP request, and any field in the HTTP request that can uniquely identify the request, chosen according to the actual circumstances of the requesting service, can serve as a statistical dimension. There can be many type fields of an HTTP request, depending on the fields in the HTTP request that indicate the request type. Likewise, any key of a get parameter, any key of a request header, and any key of a cookie can each serve as a statistical dimension.
Further, the type fields of an HTTP request include: the domain name address, the IP address of the client, the user identity, the common gateway interface (Common Gateway Interface, CGI), the service identifier, the IP address of the server, and the user agent parameter. For example, the domain name address refers to the host value in the HTTP request, the IP address of the client refers to client_ip in the HTTP request, the user identity can be the uin in the HTTP request, the CGI can be the access address of the HTTP request, the service identifier can be the SID in the HTTP request, the IP address of the server can be srv_ip of the HTTP request, and the user agent parameter can be the UA (user agent) parameter in the HTTP request.
It should be noted that in other scenarios any field that can uniquely identify the request, chosen according to the actual circumstances of the service, can serve as a statistical dimension, and the embodiments are not limited to the examples above. Embodiments of the present invention only need to select at least two statistical dimensions from the multi-dimensional policy; in practical application scenarios, 3 different statistical dimensions can usually be chosen.
202. Extract at least two kinds of field content from the access request. The at least two kinds of field content correspond one-to-one to the at least two statistical dimensions, and each kind of field content can be used to uniquely identify the access request.
In embodiments of the present invention, the access request is parsed according to the at least two statistical dimensions that were determined, and one kind of field content is extracted from the access request for each statistical dimension, so that the kinds of field content correspond one-to-one to the statistical dimensions and each kind can be used to uniquely identify the access request. For example, if the statistical dimensions determined are client_ip, uin and srv_ip, then the client_ip field content, the uin field content and the srv_ip field content are extracted from the access request respectively.
203. Judge whether the number of occurrences of each of the at least two kinds of field content within a preset statistical period exceeds the corresponding threshold.
In embodiments of the present invention, after the at least two kinds of field content are extracted, the number of occurrences of each is counted within the preset statistical period to generate a statistical result; the length of the statistical period can be determined according to the specific scenario. Within the statistical period, each time a field content occurs, its count is automatically incremented by one. The preset threshold for each of the at least two fields is then obtained, to judge whether the number of occurrences of each field content exceeds the corresponding threshold. For example, after the client_ip, uin and srv_ip field contents are extracted from the access request, the number of occurrences of the client_ip field content, of the uin field content and of the srv_ip field content within the statistical period are counted, and the threshold set for the client_ip field content, the threshold set for the uin field content and the threshold set for the srv_ip field content are obtained.
204. When the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold, strike the access request according to the strike rules corresponding to the at least two statistical dimensions.
In embodiments of the present invention, the judgment in step 203 determines, for every kind of field content among the at least two, whether its number of occurrences exceeds the corresponding threshold. When the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold, the access request received in step 201 meets the requirement for a frequency-control strike, and it can be struck according to the strike rules corresponding to the at least two statistical dimensions. There can be many kinds of strike rule, such as forbidding access or title, etc.
In some embodiments of the present invention, striking the access request in step 204 according to the strike rules corresponding to the at least two statistical dimensions includes:
striking the access request through a Web application firewall according to the strike rules corresponding to the at least two statistical dimensions.
For example, a Web application firewall can be used in embodiments of the present invention, and the Web application firewall strikes the access request based on the preset strike rule. The Web application firewall (Web Application Firewall, WAF for short) is also called a Web application protection system or a website application-layer intrusion prevention system.
In some embodiments of the present invention, after step 203 judges whether the number of occurrences of each of the at least two kinds of field content within the preset statistical period exceeds the corresponding threshold, in addition to executing the foregoing step 204, the method for processing requests provided by the embodiment of the present invention may also perform the following step:
when the number of occurrences of at least one kind of field content among the at least two kinds does not exceed the corresponding threshold, sending the access request to the network application server.
When the number of occurrences of at least one kind of field content among the at least two kinds does not exceed the corresponding threshold, the access request received in step 201 does not meet the requirement for a frequency-control strike. The access request can then be forwarded normally, for example sent to the network application server, which carries out business processing on it.
As the description of the above embodiments shows, embodiments of the present invention provide a multi-dimensional policy: at least two statistical dimensions can be determined according to the access request, the access request is parsed by these dimensions, at least two kinds of field content are extracted from it, and the number of occurrences of each kind is compared with its threshold. The strike rule is applied to the access request only when every one of the at least two kinds of field content exceeds its threshold. By setting multiple statistical dimensions and extracting and judging multiple kinds of field content at the same time, access requests can be distinguished effectively and attackers can be struck effectively.
Referring to Fig. 3, it shows a flow chart of the method for processing requests provided by another embodiment of the present invention. As shown in Fig. 3, in some embodiments of the present invention, step 203, judging whether the number of occurrences of each of the at least two kinds of field content within a preset statistical period exceeds the corresponding threshold, includes:
2031. Count the number of occurrences of each of the at least two kinds of field content within a preset first statistical period, and generate a first statistical result;
2032. Count the number of occurrences of each of the at least two kinds of field content within a preset second statistical period, and generate a second statistical result, where the length of the second statistical period is greater than the length of the first statistical period;
2033. When the first statistical result exceeds the corresponding first threshold and the second statistical result exceeds the corresponding second threshold, determine that the following condition is met: the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold; or,
2034. When the first statistical result does not exceed the corresponding first threshold and/or the second statistical result does not exceed the corresponding second threshold, determine that the following condition is not met: the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold.
When an attacker carries out a CC attack, the IP addresses are real IPs. When the attack is launched through multiple proxies or puppet machines, the IP changes constantly, but the total number of addresses cannot grow without limit: the attack is launched by cycling endlessly within an IP address pool, and with the attack launched cyclically, the requests from a single IP also increase. In embodiments of the present invention the server can set two different statistical periods, a first statistical period and a second statistical period, where the length of the second statistical period is greater than the length of the first. The server can design an analysis model for identifying the multi-proxy IP attack problem: two statistical periods are designed, one long and one short, and the analysis is triggered to judge whether the number of occurrences of the field content in each period exceeds the corresponding threshold. The analysis model used in embodiments of the present invention is called the slow analysis model. The server sets the threshold corresponding to the first statistical period as the first threshold and the threshold corresponding to the second statistical period as the second threshold, and a threshold of the appropriate order of magnitude can be set according to the length of the statistical period.
After the slow analysis model has been set up, the server counts the number of occurrences of each of the at least two kinds of field content within the preset first statistical period and generates the first statistical result. Similarly, it counts the number of occurrences of each of the at least two kinds of field content within the preset second statistical period and generates the second statistical result. The threshold judgment of the model is then triggered for the first and second statistical results respectively. Specifically, when the first statistical result exceeds the corresponding first threshold and the second statistical result exceeds the corresponding second threshold, it is determined that the following condition is met: the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold. When the first statistical result does not exceed the corresponding first threshold and/or the second statistical result does not exceed the corresponding second threshold, the statistical result of at least one of the short and long periods has not exceeded its threshold, and it is determined that the following condition is not met: the number of occurrences of each of the at least two kinds of field content exceeds the corresponding threshold.
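The decision of steps 201 to 204, with the two-period check of steps 2031 to 2034, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the period lengths and thresholds, the `cgi` key name and the 60-second trace (ten normal users and one abusive account, all requesting `/search`) are constructed assumptions. It runs the same trace under a single-dimension IP baseline and under two multi-dimensional policies, once from a shared gateway IP and once with the abusive account rotating through a proxy pool.

```python
from collections import defaultdict, deque

# Constructed assumption: (first period s, first threshold, second period s, second threshold)
WINDOWS = (10, 5, 60, 20)
POLICY_IP_UIN = {"client_ip": WINDOWS, "uin": WINDOWS}
POLICY_UIN_CGI = {"uin": WINDOWS, "cgi": WINDOWS}
POLICY_IP_ONLY = {"client_ip": WINDOWS}  # prior-art style baseline: one dimension only


class MultiDimensionLimiter:
    """Strike a request only if every dimension exceeds both of its thresholds."""

    def __init__(self, policy):
        self.policy = policy
        self.seen = defaultdict(deque)  # (dimension, field content) -> request timestamps

    def _exceeds(self, dim, value, now):
        first_len, first_thr, second_len, second_thr = self.policy[dim]
        stamps = self.seen[(dim, value)]
        stamps.append(now)
        while stamps[0] <= now - second_len:  # expire entries outside the second period
            stamps.popleft()
        second_count = len(stamps)                                   # step 2032
        first_count = sum(1 for t in stamps if t > now - first_len)  # step 2031
        return first_count > first_thr and second_count > second_thr  # steps 2033/2034

    def handle(self, request, now):
        # Build the full list so every dimension is counted, even after one has failed.
        results = [dim in request and self._exceeds(dim, request[dim], now)
                   for dim in self.policy]
        return "strike" if all(results) else "forward"


def traffic(rotate_ips):
    """Constructed trace: each normal user sends one request every 5 s from a shared
    gateway IP; account 'u-bad' sends two requests per second, either from the same
    gateway or cycling through a pool of 50 proxy addresses."""
    gateway = "198.51.100.7"
    pool = [f"203.0.113.{i}" for i in range(1, 51)]
    events, sent = [], 0
    for second in range(60):
        for user in range(10):
            if second % 5 == user % 5:
                events.append((second, {"client_ip": gateway, "uin": f"u{user}",
                                        "cgi": "/search"}))
        for _ in range(2):
            ip = pool[sent % len(pool)] if rotate_ips else gateway
            events.append((second, {"client_ip": ip, "uin": "u-bad", "cgi": "/search"}))
            sent += 1
    return events


def strikes_per_user(policy, events):
    """Replay the trace through a fresh limiter and count struck requests per uin."""
    limiter = MultiDimensionLimiter(policy)
    struck = defaultdict(int)
    for now, request in events:
        if limiter.handle(request, now) == "strike":
            struck[request["uin"]] += 1
    return dict(struck)


if __name__ == "__main__":
    print("IP only, shared gateway :", strikes_per_user(POLICY_IP_ONLY, traffic(False)))
    print("IP + uin, shared gateway:", strikes_per_user(POLICY_IP_UIN, traffic(False)))
    print("IP + uin, rotating pool :", strikes_per_user(POLICY_IP_UIN, traffic(True)))
    print("uin + cgi, rotating pool:", strikes_per_user(POLICY_UIN_CGI, traffic(True)))
```

With the IP-only baseline every user behind the gateway is struck; with client_ip plus uin only the abusive account is, and once that account rotates addresses the policy has to use dimensions that do not change with the IP, such as uin plus cgi.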
Referring to FIG. 4, the flow chart for the method requested it illustrates the processing that another embodiment of the present invention provides, such as schemes Shown in 4, in some embodiments of the invention, step 203 judges that at least two field contents are each in preset measurement period From frequency of occurrence, if it is provided in an embodiment of the present invention in addition to executing aforementioned step 204 after being more than corresponding threshold value Following steps can also be performed in the method for processing request:
205, when the respective frequency of occurrence of at least two field contents is above corresponding threshold value, determine that client is to adopt The malicious client attacked with CC.
Wherein, the method for processing request provided in an embodiment of the present invention can be applied to the field that client initiates CC attack Scape, step 203 judge the respective frequency of occurrence of at least two field contents in preset measurement period, if are more than corresponding After threshold value, in the case where the respective frequency of occurrence of at least two field contents is above corresponding threshold value, server can be with Determination is currently attacked by CC, is determined that client is the malicious client attacked using CC, is then executed in step 204 again Strike mode.It is that malicious client has initiated CC attack since server can identify, server can be attacked for the CC It hits using corresponding defensive measure, to prevent the malicious act of malicious client.
To make the above scheme easier to understand and implement, a corresponding application scenario is described below as an example.
FIG. 5 is a schematic diagram of an application scenario of the request-processing method provided by an embodiment of the present invention. The system to which the method is applied may include a WAF protection system, a CC analysis system and a policy management system. The embodiment relies mainly on the application-layer firewall (WAF): it lets users configure multi-dimensional policies, identifies malicious clients, and has the WAF apply the issued rules to strike them in real time.
In the prior art, the client sending attack requests is identified by its IP address, and frequency-control strikes are set on that basis. However, if the IP address is a gateway IP acting as a unified egress, its request volume to the service per unit time is large even under normal conditions. It is therefore difficult to set a reasonable threshold, and legitimate traffic is easily blocked by mistake, which affects normal business. In addition, the prior art depends on identifying the client, but a client that keeps changing its IP address while making requests can easily bypass a frequency limit placed on a single IP address.
The solution provided by the embodiment therefore allows the frequency-control statistical dimensions to be set flexibly according to the specifics of the service request, which avoids striking normal unified-egress IPs. In addition, by setting up the slow analysis model, the embodiment counters attackers who keep changing IP through proxy machines in order to bypass the single-IP frequency limit. The model is used to identify attacks from multiple proxy IPs: it defines two measurement periods, one long and one short, each of which triggers its own threshold judgment.
The embodiment can be applied in CC strike protection products: users flexibly configure the frequency-control statistical dimensions and the statistical model according to the specifics of the service request, so that attackers are effectively distinguished and struck.
FIG. 6 is a schematic diagram of the policy-setting interface provided by an embodiment of the present invention.
In the policy-setting interface, the following can be set: alarm user, blocking duration, statistical model, statistical dimension, period, threshold, duration, duration threshold, strike dimension and strike mode. The statistical dimension is the dimension field that needs to be counted.
The embodiment uses multiple statistical dimensions. These include, for example, the type fields of the HTTP request packet, such as client_ip, uin, srv_ip, sid and UA; the statistical dimensions may also include any key of the GET parameters, any key of the request header, and any key of the cookie.
The embodiment uses the slow analysis model: two measurement periods can be set, each with its own threshold. The two measurement periods are the period and the duration in FIG. 6, the period being the shorter one and the duration the longer one.
The system provided by the embodiment mainly includes three parts:
The WAF protection system is mainly responsible for forwarding requests and for the blocking function. It forwards requests to the CC analysis system in real time for analysis and strikes according to the strike rules that the CC analysis system issues. The WAF protection system and the CC analysis system cooperate to carry out the final rule-based strike.
The CC analysis system receives the policies issued by the policy management system, performs statistical analysis against the preset statistical dimensions and thresholds, and, for requests that exceed the thresholds, issues a strike rule for the specified dimension to the WAF protection system.
The policy management system generates the policy user interface shown in FIG. 6, through which users can define their own policies and manage and issue CC policies.
The detailed process of the embodiment is described next:
Scenario one: multi-dimensional statistics and strikes, avoiding the problem of striking gateway IPs.
Taking a real case as an example: when the statistical frequency of a single IP is limited, the access volume of a gateway IP is likewise very large, so the boundary between a gateway IP and a malicious IP is hard to draw. Given the characteristics of the service request, the attacked URL carries a unique identification field, uin, so uin can be set as the statistical dimension and a frequency limit applied to it. Here uin refers specifically to the unique identification field carried in the cookie that indicates the user's identity. In other scenarios, a field that uniquely identifies the request can be extracted according to the actual business situation. The supported statistical dimension fields include: client_ip, uin, srv_ip, sid, UA, any key of the GET parameters, any key of the request header, and any key of the cookie.
First, add the statistical dimensions host, cgi and uin and set the predetermined threshold, set the strike dimensions to host, cgi and uin, and submit the policy. The threshold is preset according to the actual business traffic; depending on the actual access requests, it can be tuned continuously by observing the model online several times, until attackers are genuinely distinguished.
When a malicious user sends a large number of requests to the cgi carrying the same uin, the CC analysis system analyzes and counts them; once the threshold is triggered, it generates a rule that strikes that uin's access to the cgi.
Finally, the WAF protection system strikes the malicious user's requests according to the issued uin strike rule.
Scenario two: slow-analysis-model statistics, countering constantly changing IPs that are used to bypass the single-IP frequency limit.
When an attacker carries out a CC attack, the IP addresses are real IPs. When the attack is launched through multiple proxies or puppet machines, the IP keeps changing, but the total number of IPs cannot grow without limit: the attack cycles indefinitely within one IP address pool. For example, if 10000 proxy IPs launch 200000 attacks, each IP launches 20 on average, and as the cycle continues the request count of each single IP also grows.
In the slow analysis model provided by the embodiment, two time windows are set for the specified dimension: a short period and a long period. The access volume within the short period and the access volume within the long period are counted separately. If both statistical results exceed their preset thresholds, the request is blocked or not according to the configured blocking/observation mode; the mode to use can be set by the administrator or customer when configuring the CC policy.
First, add the statistical dimension, set a short-period statistical time and threshold and a long-period statistical time and threshold, and submit the policy.
A malicious user uses a large number of proxy IPs that take turns launching attacks. When both the short-period and the long-period access counts of some IP trigger their thresholds, a rule striking that IP is issued.
Finally, the WAF protection system strikes the malicious user's requests according to the issued strike rule.
The embodiment addresses the prior art's frequency strikes on the single IP dimension by setting multiple statistical dimensions according to the actual service requests. It effectively counters CC attacks in which the attacker keeps changing IP, and it provides ideas and a reference for other CC attack protection methods.
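Scenarios one and two above, sketched as an added Python example (it is not code from the patent or from any product): a counter keyed on the configured statistical dimensions that issues a strike rule only when both the short-period and the long-period counts exceed their thresholds. Counting the combination of dimension values as one key is an assumption, as are the class and function names, the host name, the thresholds and the constructed traces.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    dimensions: tuple            # statistical dimensions: request fields to count on
    short_window: float          # shorter measurement period ("period"), seconds
    short_threshold: int
    long_window: float           # longer measurement period ("duration"), seconds
    long_threshold: int
    block_seconds: float         # blocking duration once a strike rule is issued
    observe_only: bool = False   # observation mode: report instead of blocking


class SlowAnalysisCounter:
    """Stands in for the CC analysis system plus the WAF's rule table."""

    def __init__(self, policy):
        if policy.long_window <= policy.short_window:
            raise ValueError("the long period must be longer than the short one")
        self.policy = policy
        self._short = defaultdict(deque)   # key -> timestamps in the short window
        self._long = defaultdict(deque)    # key -> timestamps in the long window
        self._blocked_until = {}           # key -> expiry time of its strike rule

    def _key(self, request):
        # Assumption: the combination of dimension values is counted as one key.
        values = tuple(request.get(d) for d in self.policy.dimensions)
        return None if any(v is None for v in values) else values

    @staticmethod
    def _count(window, now, span):
        window.append(now)
        while window[0] <= now - span:     # drop hits that have left the window
            window.popleft()
        return len(window)

    def observe(self, request, now):
        """Return 'forward', 'block' or 'alert' for one request seen at time now."""
        p, key = self.policy, self._key(request)
        if key is None:                    # a counted field is missing: not covered
            return "forward"
        if self._blocked_until.get(key, 0.0) > now:
            return "block"                 # an issued rule is still in force
        short = self._count(self._short[key], now, p.short_window)
        long_ = self._count(self._long[key], now, p.long_window)
        if short > p.short_threshold and long_ > p.long_threshold:
            if p.observe_only:
                return "alert"
            self._blocked_until[key] = now + p.block_seconds
            return "block"
        return "forward"


def replay(policy, trace):
    """Feed a trace of (timestamp, request) pairs through one counter, in time order."""
    counter = SlowAnalysisCounter(policy)
    ordered = sorted(trace, key=lambda entry: entry[0])
    return [(req, counter.observe(req, ts)) for ts, req in ordered]


def verdicts(results, field, value):
    return [verdict for req, verdict in results if req.get(field) == value]


def scenario_one_trace():
    """Constructed data: one gateway IP shared by 30 users, plus one abusive uin."""
    base = {"host": "shop.example", "cgi": "/cgi-bin/order"}
    gateway = [(float(i), {**base, "client_ip": "203.0.113.10", "uin": f"user{i}"})
               for i in range(30)]
    abuser = [(i * 0.5, {**base, "client_ip": f"198.51.100.{i + 1}", "uin": "u-evil"})
              for i in range(20)]
    return gateway + abuser


def scenario_two_trace(rounds=4, pool=4, burst=5):
    """Constructed data: a small proxy pool taking turns, plus one ordinary burst."""
    trace, t = [], 0.0
    for _ in range(rounds):
        for ip in range(pool):
            for _ in range(burst):
                trace.append((t, {"client_ip": f"192.0.2.{ip + 1}"}))
                t += 1.0
    trace += [(200.0 + i, {"client_ip": "203.0.113.77"}) for i in range(burst)]
    return trace


MULTI_DIM = Policy(("host", "cgi", "uin"), 10, 5, 60, 8, 300)   # scenario one
PER_IP_SLOW = Policy(("client_ip",), 10, 3, 600, 15, 300)       # scenario two

if __name__ == "__main__":
    one = replay(MULTI_DIM, scenario_one_trace())
    print("gateway users blocked:", verdicts(one, "client_ip", "203.0.113.10").count("block"))
    print("abusive uin:", verdicts(one, "uin", "u-evil"))
    two = replay(PER_IP_SLOW, scenario_two_trace())
    print("proxy 192.0.2.1:", verdicts(two, "client_ip", "192.0.2.1"))
    print("ordinary burst:", verdicts(two, "client_ip", "203.0.113.77"))
```

The per-key timestamp queues are never evicted here; a deployment would expire idle keys to bound memory.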
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions. Those skilled in the art should understand, however, that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
To facilitate better implementation of the above scheme of the embodiment of the present invention, related devices for implementing the scheme are also provided below.
Referring to FIG. 7-a, a device 700 for processing a request provided by an embodiment of the present invention may include: a multi-dimension determining module 701, a request parsing module 702, a judgment module 703 and a request processing module 704, wherein:
the multi-dimension determining module 701 is configured to determine at least two statistical dimensions from a preset multi-dimensional policy according to the access request sent by a client, the multi-dimensional policy including a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, the statistical dimension indicating a field that needs to be counted;
the request parsing module 702 is configured to extract at least two field contents from the access request, the at least two field contents corresponding one-to-one to the at least two statistical dimensions, wherein each field content can be used to uniquely identify the access request;
the judgment module 703 is configured to judge whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed the corresponding thresholds;
the request processing module 704 is configured to strike the access request according to the strike rules corresponding to the at least two statistical dimensions when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds.
In some embodiments of the invention, referring to FIG. 7-b, the judgment module 703 includes:
a statistic unit 7031, configured to count the respective numbers of occurrences of the at least two field contents within a preset first measurement period and generate a first statistical result, and to count the respective numbers of occurrences of the at least two field contents within a preset second measurement period and generate a second statistical result, wherein the second measurement period is longer than the first measurement period;
a statistical result analysis unit 7032, configured to determine, when the first statistical result exceeds the corresponding first threshold and the second statistical result exceeds the corresponding second threshold, that the following condition is met: the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds; or to determine, when the first statistical result does not exceed the corresponding first threshold and/or the second statistical result does not exceed the corresponding second threshold, that the condition is not met.
In some embodiments of the invention, the multi-dimensional policy includes at least any two of the following statistical dimensions: a type field of the HTTP request, a key of the GET parameters, a key of the request header, and a key of the browser cache (cookie).
In some embodiments of the invention, the type fields of the HTTP request include: the domain name address, the Internet Protocol (IP) address of the client, the user identity identifier, the common gateway interface (CGI), the service identifier, the IP address of the server, and the user agent parameter.
In some embodiments of the invention, the request processing module 704 is specifically configured to strike the access request through a web application firewall according to the strike rules corresponding to the at least two statistical dimensions.
In some embodiments of the invention, the request processing module 704 is further configured to, after the judgment module judges whether the respective numbers of occurrences of the at least two field contents within the preset measurement period exceed the corresponding thresholds, send the access request to the web application server when the number of occurrences of at least one of the at least two field contents does not exceed the corresponding threshold.
In some embodiments of the invention, the request processing module 704 is further configured to, after the judgment module judges whether the respective numbers of occurrences of the at least two field contents within the preset measurement period exceed the corresponding thresholds, determine that the client is a malicious client conducting a CC attack when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds.
As the above description of the embodiment shows, a multi-dimensional policy is provided in the embodiment of the present invention. At least two statistical dimensions can be determined according to the access request, the access request is parsed along those dimensions, and at least two field contents are extracted from it. For each field content, it is judged whether the number of occurrences exceeds the threshold; when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds, the access request is struck using the strike rules. By setting multiple statistical dimensions and extracting and judging multiple field contents together, access requests can be effectively distinguished and attackers effectively struck.
FIG. 8 is a schematic structural diagram of a server provided by an embodiment of the present invention. The server 1100 may vary considerably with configuration or performance, and may include one or more central processing units (CPUs) 1122 (for example, one or more processors), a memory 1132, and one or more storage media 1130 (for example, one or more mass storage devices) storing application programs 1142 or data 1144. The memory 1132 and the storage medium 1130 may provide transient or persistent storage. The program stored in the storage medium 1130 may include one or more modules (not marked in the figure), and each module may include a series of instruction operations on the server. Further, the central processing unit 1122 may be configured to communicate with the storage medium 1130 and to execute, on the server 1100, the series of instruction operations in the storage medium 1130.
The server 1100 may also include one or more power supplies 1126, one or more wired or wireless network interfaces 1150, one or more input/output interfaces 1158, and/or one or more operating systems 1141, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
The steps performed by the server in the above embodiments may be based on the server structure shown in FIG. 8.
It should also be noted that the device embodiments described above are merely illustrative. The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units: they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, in the drawings of the device embodiments provided by the present invention, a connection between modules indicates a communication connection between them, which may be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware, including application-specific integrated circuits, dedicated CPUs, dedicated memory, dedicated components and so on. In general, any function performed by a computer program can easily be implemented with corresponding hardware, and the specific hardware structure used to implement the same function can take many forms, such as analog circuits, digital circuits or dedicated circuits. For the present invention, however, a software implementation is the better embodiment in most cases. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
In conclusion, the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (15)

1. A method of processing a request, characterized by comprising:
determining at least two statistical dimensions from a preset multi-dimensional policy according to an access request sent by a client, the multi-dimensional policy comprising a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, the statistical dimension indicating a field that needs to be counted;
extracting at least two field contents from the access request, the at least two field contents corresponding one-to-one to the at least two statistical dimensions, wherein each field content can be used to uniquely identify the access request;
judging whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds;
when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds, striking the access request according to the strike rules corresponding to the at least two statistical dimensions.
2. The method according to claim 1, characterized in that the judging whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds comprises:
counting the respective numbers of occurrences of the at least two field contents within a preset first measurement period to generate a first statistical result;
counting the respective numbers of occurrences of the at least two field contents within a preset second measurement period to generate a second statistical result, wherein the second measurement period is longer than the first measurement period;
when the first statistical result exceeds a corresponding first threshold and the second statistical result exceeds a corresponding second threshold, determining that the following condition is met: the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds; or,
when the first statistical result does not exceed the corresponding first threshold and/or the second statistical result does not exceed the corresponding second threshold, determining that the following condition is not met: the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds.
3. The method according to claim 1, characterized in that the multi-dimensional policy comprises at least any two of the following statistical dimensions: a type field of the HTTP request, a key of the GET parameters, a key of the request header, and a key of the browser cache (cookie).
4. The method according to claim 3, characterized in that the type fields of the HTTP request comprise: the domain name address, the Internet Protocol (IP) address of the client, the user identity identifier, the common gateway interface (CGI), the service identifier, the IP address of the server, and the user agent parameter.
5. The method according to any one of claims 1 to 4, characterized in that the striking the access request according to the strike rules corresponding to the at least two statistical dimensions comprises:
striking the access request through a web application firewall according to the strike rules corresponding to the at least two statistical dimensions.
6. The method according to any one of claims 1 to 4, characterized in that, after the judging whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds, the method further comprises:
when the number of occurrences of at least one of the at least two field contents does not exceed the corresponding threshold, sending the access request to a web application server.
7. The method according to any one of claims 1 to 4, characterized in that, after the judging whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds, the method further comprises:
when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds, determining that the client is a malicious client conducting a CC attack.
8. A device for processing a request, characterized by comprising:
a multi-dimension determining module, configured to determine at least two statistical dimensions from a preset multi-dimensional policy according to an access request sent by a client, the multi-dimensional policy comprising a plurality of different statistical dimensions and a strike rule corresponding to each statistical dimension, the statistical dimension indicating a field that needs to be counted;
a request parsing module, configured to extract at least two field contents from the access request, the at least two field contents corresponding one-to-one to the at least two statistical dimensions, wherein each field content can be used to uniquely identify the access request;
a judgment module, configured to judge whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds;
a request processing module, configured to strike the access request according to the strike rules corresponding to the at least two statistical dimensions when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds.
9. The device according to claim 8, characterized in that the judgment module comprises:
a statistic unit, configured to count the respective numbers of occurrences of the at least two field contents within a preset first measurement period to generate a first statistical result, and to count the respective numbers of occurrences of the at least two field contents within a preset second measurement period to generate a second statistical result, wherein the second measurement period is longer than the first measurement period;
a statistical result analysis unit, configured to determine, when the first statistical result exceeds a corresponding first threshold and the second statistical result exceeds a corresponding second threshold, that the following condition is met: the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds; or to determine, when the first statistical result does not exceed the corresponding first threshold and/or the second statistical result does not exceed the corresponding second threshold, that the following condition is not met: the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds.
10. The device according to claim 8, characterized in that the multi-dimensional policy comprises at least any two of the following statistical dimensions: a type field of the HTTP request, a key of the GET parameters, a key of the request header, and a key of the browser cache (cookie).
11. The device according to claim 10, characterized in that the type fields of the HTTP request comprise: the domain name address, the Internet Protocol (IP) address of the client, the user identity identifier, the common gateway interface (CGI), the service identifier, the IP address of the server, and the user agent parameter.
12. The device according to any one of claims 8 to 11, characterized in that the request processing module is specifically configured to strike the access request through a web application firewall according to the strike rules corresponding to the at least two statistical dimensions.
13. The device according to any one of claims 8 to 11, characterized in that the request processing module is further configured to, after the judgment module judges whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds, send the access request to a web application server when the number of occurrences of at least one of the at least two field contents does not exceed the corresponding threshold.
14. The device according to any one of claims 8 to 11, characterized in that the request processing module is further configured to, after the judgment module judges whether the respective numbers of occurrences of the at least two field contents within a preset measurement period exceed corresponding thresholds, determine that the client is a malicious client conducting a CC attack when the respective numbers of occurrences of the at least two field contents all exceed the corresponding thresholds.
15. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 1 to 7.
CN201810438832.XA 2018-05-09 2018-05-09 Method and device for processing request and storage medium Active CN110213208B (en)

Publications (2)

Publication Number Publication Date
CN110213208A true CN110213208A (en) 2019-09-06
CN110213208B CN110213208B (en) 2021-11-09

Family

ID=67778826

Also Published As

Publication number Publication date
CN110213208B (en) 2021-11-09

Similar Documents

Publication Publication Date Title
CN110213208A (en) A kind of method and apparatus and storage medium of processing request
CN107465651B (en) Network attack detection method and device
US11122067B2 (en) Methods for detecting and mitigating malicious network behavior and devices thereof
CN109951500A (en) Network attack detecting method and device
Li et al. RTVD: A real-time volumetric detection scheme for DDoS in the Internet of Things
US8516595B2 (en) Method and system for estimating the reliability of blacklists of botnet-infected computers
CN102291390B (en) Method for defending against denial of service attack based on cloud computation platform
CN104065644B (en) CC attack recognition method and apparatus based on log analysis
CN105577608B (en) Network attack behavior detection method and device
CN107645478B (en) Network attack defense system, method and device
CN105763561B (en) A kind of attack defense method and device
TW201824047A (en) Attack request determination method, apparatus and server
Xu et al. An SDNFV-based DDoS defense technology for smart cities
Clark et al. A game-theoretic approach to IP address randomization in decoy-based cyber defense
EP2661049A2 (en) System and method for malware detection
CN106357685A (en) Method and device for defending distributed denial of service attack
CN110381041B (en) Distributed denial of service attack situation detection method and device
CN107666473A (en) The method and controller of a kind of attack detecting
CN107517200B (en) Malicious crawler defense strategy selection method for Web server
CN111970261B (en) Network attack identification method, device and equipment
CN105577670A (en) Warning system of database-hit attack
CN108234516B (en) Method and device for detecting network flooding attack
Jia et al. Micro-honeypot: using browser fingerprinting to track attackers
Sultana et al. Detecting and preventing ip spoofing and local area network denial (land) attack for cloud computing with the modification of hop count filtering (hcf) mechanism
CN107528859B (en) Defense method and device for DDoS attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant