CN111031054A - CC protection method - Google Patents
- Publication number
- CN111031054A
- Authority
- CN
- China
- Prior art keywords
- protection
- threshold
- reaches
- log
- threshold value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/29—Flow control; Congestion control using a combination of thresholds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a CC protection method comprising a protection stage and a cleaning stage. In the protection stage, as long as the service requests have not reached the performance bottleneck of the server, per-IP information under the protected domain name is not recorded. When the traffic reaches the configured protection threshold, the method enters the cleaning stage, in which the IP and path traffic under the protected domain name is recorded and analysed, rate limiting is applied and a security log entry is written. The method has a lower false-blocking rate and gives a better user experience; because per-IP recording is deferred until the threshold is reached, it also saves resources and improves the performance of the protection engine.
Description
Technical Field
The invention relates to the field of CC protection, in particular to a CC protection method.
Background
A CC (Challenge Collapsar) attack is a form of DDoS and a common way of attacking websites; it is more technically involved than other DDoS attacks. The attacker uses proxy servers to generate requests that are legitimate in form and directed at the victim host, so that denial of service is achieved while the attacker's origin is disguised. A CC attack mainly consists of continuously sending large volumes of data to, or fetching pages from, the server until it goes down, whereas traditional CC protection only supports blocking requests outright.
Disclosure of Invention
In view of this, the present invention provides a CC protection method with a lower false-blocking rate and better user experience, addressing the high false-blocking rate of prior-art protection.
In order to achieve this aim, the invention provides a CC protection method comprising a protection stage and a cleaning stage. In the protection stage, as long as the service requests have not reached the performance bottleneck of the server, IP information under the protected domain name is not recorded. When the traffic reaches the configured protection threshold, the cleaning stage is entered: the IP and path traffic under the protected domain name is recorded and analysed, rate limiting is applied and a security log entry is written.
Optionally, in the protection stage, it is first judged whether the protection switch is on. If it is on, protection detection is performed; if it is off, the traffic is passed directly to subsequent protection.
Optionally, protection detection comprises the following step: judging whether the request traffic per second reaches a first threshold, and entering the cleaning stage if it does.
Optionally, if the request traffic per second does not reach the first threshold, it is judged whether the number of requests per second reaches a second threshold. If it does, the cleaning stage is entered; if it does not, the traffic is marked as safe access and passed to subsequent protection.
Optionally, the cleaning stage comprises the following step: judging whether the number of new connections per second from a single source IP reaches a third threshold, and if so, adding a log flag and writing a security log entry.
Optionally, if the number of new connections per second from the single source IP does not reach the third threshold, it is judged whether the total number of connections from that source IP within one protection period reaches a fourth threshold; if so, a log flag is added and a security log entry is written.
Optionally, if the total number of connections from the single source IP within the protection period does not reach the fourth threshold, it is judged whether the total number of requests per second from that source IP reaches a fifth threshold; if so, a log flag is added and a security log entry is written.
Optionally, if the total number of requests per second from the single source IP does not reach the fifth threshold, it is judged whether the total number of requests per second to a single path reaches a sixth threshold; if so, a log flag is added and a security log entry is written, and if not, subsequent protection is performed.
Optionally, if the server is attacked again within the threshold time after a security log entry has been written, the event is reported as a CC attack, and a further security log entry is written only after the threshold time has elapsed.
Compared with the prior art, the technical solution of the invention has the following advantages. In the protection stage, as long as the service requests have not reached the performance bottleneck of the server, IP information under the protected domain name is not recorded; only when the traffic reaches the configured protection threshold does the method enter the cleaning stage, record and analyse the IP and path traffic under the protected domain name, rate-limit it and write a security log entry. The method therefore has a lower false-blocking rate and gives a better user experience, and splitting protection into two stages saves resources and improves the performance of the protection engine.
Drawings
FIG. 1 is a flow chart of the CC protection method of the present invention.
Detailed Description
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, but the present invention is not limited to these embodiments. The invention is intended to cover the alternatives, modifications and equivalents that fall within its spirit and scope.
In the following description of the preferred embodiments of the present invention, specific details are set forth in order to provide a thorough understanding of the present invention, and it will be apparent to those skilled in the art that the present invention may be practiced without these specific details.
The invention is described in more detail in the following paragraphs by way of example with reference to the accompanying drawings. It should be noted that the drawings are in simplified form and are not to precise scale, which is only used for convenience and clarity to assist in describing the embodiments of the present invention.
FIG. 1 shows the flowchart of the CC protection method. After the configuration of the CC protection module has been loaded, the method runs through a protection stage and a cleaning stage. In the protection stage, as long as the service requests have not reached the performance bottleneck of the server, no per-IP information under the protected domain name is recorded. When the traffic reaches the configured protection threshold, the cleaning stage is entered: the IP and path traffic under the protected domain name is recorded and analysed, rate limiting is applied and a security log entry is written.
In the protection stage, it is first judged whether the protection switch is on. If it is off, the traffic goes straight to subsequent protection; if it is on, protection detection is performed:
1. Judge whether the request traffic per second reaches the first threshold; if so, enter the cleaning stage.
2. Otherwise, judge whether the number of requests per second reaches the second threshold; if so, enter the cleaning stage.
3. Otherwise, mark the traffic as safe access and perform subsequent protection.
The cleaning stage tests the recorded counters in a fixed order and stops at the first one that triggers:
1. If the number of new connections per second from a single source IP reaches the third threshold, add a log flag and write a security log entry.
2. Otherwise, if the total number of connections from that source IP within one protection period reaches the fourth threshold, add a log flag and write a security log entry.
3. Otherwise, if the total number of requests per second from that source IP reaches the fifth threshold, add a log flag and write a security log entry.
4. Otherwise, if the total number of requests per second to a single path reaches the sixth threshold, add a log flag and write a security log entry.
5. Otherwise, perform subsequent protection.
If the server is attacked again within the threshold time after a security log entry has been written, the event is reported as a CC attack, and a further security log entry is written only after the threshold time has elapsed.
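The two-stage procedure described in the disclosure and in the detailed description above, as an added worked example that is not the patent's own code: a Python guard that keeps only domain-wide counters in the protection stage, starts per-IP and per-path counters once the first or second threshold is reached, tests thresholds three to six in the claimed order, and suppresses repeat security-log entries inside a hold-down window. The patent only numbers the thresholds; the field names, the period length, the hold-down length, the returned actions ("safe", "pass", "limit"), the choice to rate-limit at the first triggered check, and all traffic built in run_demo are assumptions constructed for this example.

```python
"""Two-stage CC guard following the patent's flowchart (added example, not the patent's code).
Threshold names, period length, hold-down window and all sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    traffic_per_sec: int   # 1st: request traffic for the protected domain, bytes per second
    requests_per_sec: int  # 2nd: requests per second for the protected domain
    new_conn_per_sec: int  # 3rd: new connections per second from one source IP
    conn_per_period: int   # 4th: connections from one source IP within one protection period
    ip_req_per_sec: int    # 5th: requests per second from one source IP
    path_req_per_sec: int  # 6th: requests per second to one path
    period: int = 10       # protection period in seconds (assumed)
    holddown: int = 30     # seconds before the same trigger is logged again (assumed)


@dataclass(frozen=True)
class Request:
    ts: int         # arrival time in whole seconds
    ip: str         # source IP as seen by the guard
    path: str       # request path
    size: int       # request bytes
    new_conn: bool  # True when the request opened a new connection


class CCGuard:
    def __init__(self, th: Thresholds, enabled: bool = True):
        self.th = th
        self.enabled = enabled                  # the patent's protection switch
        self.sec_bytes = defaultdict(int)       # ts -> bytes, domain-wide
        self.sec_reqs = defaultdict(int)        # ts -> requests, domain-wide
        self.ip_new_conn = defaultdict(int)     # (ip, ts) -> new connections
        self.ip_conn_period = defaultdict(int)  # (ip, period index) -> connections
        self.ip_reqs = defaultdict(int)         # (ip, ts) -> requests
        self.path_reqs = defaultdict(int)       # (path, ts) -> requests
        self.last_logged = {}                   # (key, reason) -> ts of last log entry
        self.security_log = []                  # (ts, key, reason)
        self.confirmed = set()                  # (key, reason) hit again inside hold-down

    def process(self, r: Request) -> str:
        """Return 'safe' (marked safe access), 'pass' (to subsequent protection) or 'limit'."""
        if not self.enabled:
            return "pass"                       # switch off: straight to subsequent protection
        # Protection stage: only domain-wide counters, no per-IP state is kept yet.
        self.sec_bytes[r.ts] += r.size
        self.sec_reqs[r.ts] += 1
        if (self.sec_bytes[r.ts] < self.th.traffic_per_sec
                and self.sec_reqs[r.ts] < self.th.requests_per_sec):
            return "safe"
        return self._clean(r)

    def _clean(self, r: Request) -> str:
        # Cleaning stage: record per-IP and per-path counters and test thresholds
        # three to six in the order the claims give them; rate-limit on the first hit.
        period = r.ts // self.th.period
        self.ip_new_conn[(r.ip, r.ts)] += int(r.new_conn)
        self.ip_conn_period[(r.ip, period)] += int(r.new_conn)
        self.ip_reqs[(r.ip, r.ts)] += 1
        self.path_reqs[(r.path, r.ts)] += 1
        checks = (
            (self.ip_new_conn[(r.ip, r.ts)] >= self.th.new_conn_per_sec, r.ip, "new_conn_per_sec"),
            (self.ip_conn_period[(r.ip, period)] >= self.th.conn_per_period, r.ip, "conn_per_period"),
            (self.ip_reqs[(r.ip, r.ts)] >= self.th.ip_req_per_sec, r.ip, "ip_req_per_sec"),
            (self.path_reqs[(r.path, r.ts)] >= self.th.path_req_per_sec, r.path, "path_req_per_sec"),
        )
        for hit, key, reason in checks:
            if hit:
                self._log(r.ts, key, reason)
                return "limit"
        return "pass"

    def _log(self, ts: int, key: str, reason: str) -> None:
        last = self.last_logged.get((key, reason))
        if last is not None and ts - last < self.th.holddown:
            # Hit again inside the hold-down window: count it as a confirmed CC attack
            # but write no new entry until the window has elapsed.
            self.confirmed.add((key, reason))
            return
        self.last_logged[(key, reason)] = ts
        self.security_log.append((ts, key, reason))


def run_demo():
    """Constructed traffic: five benign clients, then two 30-request bursts from one proxy IP."""
    th = Thresholds(traffic_per_sec=100_000, requests_per_sec=20, new_conn_per_sec=5,
                    conn_per_period=50, ip_req_per_sec=10, path_req_per_sec=15)
    guard = CCGuard(th)
    traffic = [Request(1, f"198.51.100.{i}", "/", 500, True) for i in range(1, 6)]
    for ts in (2, 40):  # the second burst lands after the 30 s hold-down window
        traffic += [Request(ts, "203.0.113.7", "/login", 400, True) for _ in range(30)]
    counts = defaultdict(int)
    for r in traffic:
        counts[guard.process(r)] += 1
    return guard, dict(counts)  # counts == {'safe': 43, 'pass': 8, 'limit': 14}
```

Calling run_demo() returns the guard and the per-action counts for the constructed traffic: the first 19 requests of each burst are marked safe because the domain-wide request count is still below the second threshold, the next four pass through the cleaning stage while the per-IP counters are still being built up, and the rest are rate-limited once the third threshold triggers; the second burst produces a second log entry only because it arrives after the hold-down window. Two practitioner caveats follow from the design: the per-IP checks only work if the guard sees the real client address, so behind a CDN or reverse proxy the address must be taken from a forwarded header set by a trusted hop; and because per-IP recording only starts once a domain-wide threshold is crossed, the opening requests of a burst are always let through, which is the trade-off the patent makes for lower resource use.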
Although the embodiments have been described and illustrated separately, it will be apparent to those skilled in the art that some common techniques may be substituted and integrated between the embodiments, and reference may be made to one of the embodiments not explicitly described, or to another embodiment described.
The above-described embodiments do not limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the above-described embodiments should be included in the protection scope of the technical solution.
Claims (9)
1. A CC protection method, characterized in that it comprises a protection stage and a cleaning stage; in the protection stage, as long as the service requests have not reached the performance bottleneck of the server, IP information under the protected domain name is not recorded; when the traffic reaches the configured protection threshold, the cleaning stage is entered, in which the IP and path traffic under the protected domain name is recorded and analysed, rate limiting is applied and a security log entry is written.
2. The CC protection method of claim 1, characterized in that, in the protection stage, it is judged whether the protection switch is on; if it is on, protection detection is performed, and if it is off, subsequent protection is performed.
3. The CC protection method of claim 2, characterized in that the protection detection comprises the following step: judging whether the request traffic per second reaches a first threshold, and entering the cleaning stage if it does.
4. The CC protection method of claim 3, characterized in that, if the request traffic per second does not reach the first threshold, it is judged whether the number of requests per second reaches a second threshold; if it does, the cleaning stage is entered, and if it does not, the traffic is marked as safe access and subsequent protection is performed.
5. The CC protection method of claim 3 or 4, characterized in that the cleaning stage comprises the following step: judging whether the number of new connections per second from a single source IP reaches a third threshold, and if so, adding a log flag and writing a security log entry.
6. The CC protection method of claim 5, characterized in that, if the number of new connections per second from the single source IP does not reach the third threshold, it is judged whether the total number of connections from the single source IP within the protection period reaches a fourth threshold; if so, a log flag is added and a security log entry is written.
7. The CC protection method of claim 6, characterized in that, if the total number of connections from the single source IP within the protection period does not reach the fourth threshold, it is judged whether the total number of requests per second from the single source IP reaches a fifth threshold; if so, a log flag is added and a security log entry is written.
8. The CC protection method of claim 7, characterized in that, if the total number of requests per second from the single source IP does not reach the fifth threshold, it is judged whether the total number of requests per second to a single path reaches a sixth threshold; if so, a log flag is added and a security log entry is written, and if not, subsequent protection is performed.
9. The CC protection method of claim 8, characterized in that, if the server is attacked again within the threshold time after a security log entry has been written, the attack is reported as a CC attack, and a further security log entry is written after the threshold time has elapsed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911317611.8A CN111031054A (en) | 2019-12-19 | 2019-12-19 | CC protection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111031054A true CN111031054A (en) | 2020-04-17 |
Family
ID=70210067
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911317611.8A Pending CN111031054A (en) | 2019-12-19 | 2019-12-19 | CC protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111031054A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114465756A (en) * | 2021-12-20 | 2022-05-10 | 中盈优创资讯科技有限公司 | Optimized DDOS (distributed denial of service) safety protection method and device |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101834866A (en) * | 2010-05-05 | 2010-09-15 | 北京来安科技有限公司 | CC (Communication Center) attack protective method and system thereof |
CN102137111A (en) * | 2011-04-20 | 2011-07-27 | 北京蓝汛通信技术有限责任公司 | Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server |
US20130042319A1 (en) * | 2011-08-10 | 2013-02-14 | Sangfor Networks Company Limited | Method and apparatus for detecting and defending against cc attack |
US20140325648A1 (en) * | 2012-09-17 | 2014-10-30 | Huawei Technologies Co., Ltd. | Attack Defense Method and Device |
CN105450619A (en) * | 2014-09-28 | 2016-03-30 | 腾讯科技(深圳)有限公司 | Method, device and system of protection of hostile attacks |
CN105991637A (en) * | 2015-06-15 | 2016-10-05 | 杭州迪普科技有限公司 | Network attack protection method and network attack protection device |
CN107426230A (en) * | 2017-08-03 | 2017-12-01 | 上海优刻得信息科技有限公司 | Server scheduling method, apparatus, system, storage medium and equipment |
CN107743118A (en) * | 2017-09-25 | 2018-02-27 | 北京奇安信科技有限公司 | A kind of stagewise network safety protection method and device |
CN108270600A (en) * | 2016-12-30 | 2018-07-10 | 中国移动通信集团黑龙江有限公司 | A kind of processing method and associated server to malicious attack flow |
CN109688242A (en) * | 2018-12-27 | 2019-04-26 | 深信服科技股份有限公司 | A kind of cloud guard system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20200417 |