CN112311776B - System and method for preventing flooding attack of API gateway - Google Patents

Info

Publication number
CN112311776B
Authority
CN
China
Prior art keywords
api
key
request
bloom filter
filter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011131859.8A
Other languages
Chinese (zh)
Other versions
CN112311776A (en)
Inventor
刘津
颜亮
许晓笛
刘金伟
马少博
张哲铭
王亚楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Application filed by Inspur Cloud Information Technology Co Ltd
Priority to CN202011131859.8A
Publication of CN112311776A
Application granted
Publication of CN112311776B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/32 Flooding
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02A TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE
    • Y02A10/00 TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE at coastal zones; at river basins
    • Y02A10/40 Controlling or monitoring, e.g. of flood or hurricane; Forecasting, e.g. risk assessment or mapping

Abstract

The invention discloses a system and a method for preventing an API gateway flooding attack, and belongs to the technical field of network security. The system comprises an API gateway, an API gateway database and an API key filter, wherein the API key filter comprises a key parser, a bloom filter and a request interceptor. The key parser extracts the API key from a request for API service and judges whether the length of the API key is valid; the bloom filter filters out unauthorized API keys and passes requests judged to be unauthorized to the request interceptor; and the request interceptor intercepts invalid requests. The API gateway further includes a filter maintenance module for maintaining the API key filter. The system efficiently filters and intercepts flooding attacks on the authentication service of the API gateway, and has good popularization and application value.

Description

System and method for preventing flooding attack of API gateway
Technical Field
The invention relates to the technical field of network security, and particularly provides a system and a method for preventing an API gateway from flooding attacks.
Background
An Application Programming Interface (API) is a computing interface that specifies how software systems interact. It defines the types of calls or requests that can be made, how they are made, the data formats that should be used, and the conventions both parties should follow. It may also provide an extension mechanism so that users can extend existing functionality in various ways and to varying degrees. An API can be fully customized, specific to a component, or designed on the basis of an industry standard to ensure interoperability. Through information hiding, APIs support modular programming, allowing users to use the interface independently of the implementation.
The microservice architecture is a variant of the Service-Oriented Architecture (SOA) style that arranges an application as a set of loosely coupled services. In a microservice architecture, services are fine-grained and protocols are lightweight. Microservices have no single definition, but over time a consensus view has formed in the industry. Defining features that are often cited include:
1. Services in a microservice architecture (MSA) are typically processes that communicate over a network to fulfil a goal, using technology-independent protocols (e.g., HTTP).
2. Services in the microservice architecture may be deployed independently.
3. Services are organized around business functions.
4. Services may be implemented using different programming languages, databases, and hardware and software environments, depending on what fits best.
5. Services are small, messaging-enabled, bounded by context, independently developed, independently deployable, decentralized, and built and released through automated processes.
An API Gateway (Application Programming Interface Gateway) receives all client requests and routes these requests to the appropriate microservices through request routing, request composition, and protocol conversion. The typical application scenario is that the API gateway processes a request by calling multiple microservices, and returns the combined processing result to the calling party of the microservice through an optimal path. The API gateway may translate between web protocols and web-unfriendly internal protocol types.
A typical application of an API gateway is an e-commerce web site. The e-commerce site uses the API gateway to provide the mobile client with a portal through which all product information can be obtained using a single request. The API gateway calls different services, such as product information and product evaluation, and finally combines the response results of the services together and returns the combined result to the caller.
Flooding attacks are one type of denial-of-service attack (hereinafter, DoS attack). A denial-of-service attack is a network attack in which a perpetrator attempts to make a machine or network resource unavailable to its intended users by temporarily or indefinitely interrupting the service of a host connected to the Internet. Denial of service is typically accomplished by flooding the target machine or resource with superfluous requests in order to overload the system and prevent some or all legitimate requests from being satisfied.
In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim comes from many different sources. This effectively makes it impossible to stop the attack by blocking a single source.
A DoS or DDoS attack is like a group of people crowding the entrance of a store, making it difficult for legitimate customers to enter and thereby disrupting trade. Perpetrators of denial-of-service (DoS) attacks typically target sites or services hosted on high-profile web servers, such as banks or credit card payment gateways.
In general, DDoS attacks can be classified by the layer of the Open Systems Interconnection (OSI) model that they attack. Attacks occur most often at the network layer (layer 3), the transport layer (layer 4), the presentation layer (layer 6), and the application layer (layer 7).
When considering mitigation techniques to combat these attacks, it is very useful to separate the attacks into an infrastructure layer (layers 3 and 4) and an application layer (layers 6 and 7).
Infrastructure layer attacks
Layer 3 and layer 4 attacks are generally categorized as infrastructure layer attacks. These are also the most common types of DDoS attack and include vectors such as synchronize (SYN) floods and other reflection attacks such as User Datagram Protocol (UDP) floods. These attacks are typically large in volume and aim to overload the capacity of the network or the application servers. Fortunately, they also have clear signatures and are easier to detect.
Application layer attacks
Layer 6 and layer 7 attacks are generally classified as application-layer attacks. While these attacks are less common, they also tend to be more sophisticated. They are typically small in volume compared with infrastructure layer attacks, but tend to focus on particular expensive parts of the application, thereby making it unusable for real users. Examples include floods of HTTP requests to a login page or an expensive search API, and even WordPress XML-RPC floods (also known as WordPress pingback attacks).
An application-layer flooding attack against an API gateway mainly uses a large number of unauthorized API requests (generally with a forged API key, intended to consume the computing power of the authentication service; combined with DDoS means, the attacker directs many controlled hosts to issue the requests in a distributed fashion) in an attempt to paralyze the API key authentication component of the API gateway, and thereby to paralyze the API gateway service and leave legitimate users unable to use it. API gateway services can typically be protected by limiting the number of API calls that an authenticated requester may make. An unauthenticated request, however, must first go through identity authentication, so limiting the number of calls does little to prevent a flooding attack launched against the authentication service itself (the attacker aims to make the service unavailable, and that aim is achieved as long as legitimate users are kept from using the service, whether by paralyzing the authentication service or by exhausting the number of calls). The source IP of malicious requests can usually be tracked and filtered through a blacklist, but an attacker can evade tracking through DDoS means and IP spoofing, so flooding attacks made of unauthorized requests are harder to defend against.
Disclosure of Invention
The technical task of the invention is to address the problems above by providing a system for preventing API gateway flooding attacks that efficiently filters and intercepts flooding attacks on the API gateway authentication service and protects the API gateway from being paralyzed by unauthorized application-layer flood requests.
A further technical task of the present invention is to provide a method for protecting against API gateway flooding attacks.
In order to achieve the purpose, the invention provides the following technical scheme:
A system for preventing API gateway flooding attacks comprises an API gateway and an API gateway database, wherein the API gateway comprises an API key authentication unit, an API rule engine, a request distribution unit and a response synthesis unit. The system further comprises an API key filter, which comprises a key parser, a bloom filter and a request interceptor: the key parser extracts the API key from a request for API service and judges whether the length of the API key is valid, the bloom filter filters out unauthorized API keys and passes requests judged to be unauthorized to the request interceptor, and the request interceptor intercepts invalid requests. The API gateway further includes a filter maintenance module for maintaining the API key filter.
Preferably, the API key filter includes a bloom filter A, a bloom filter B and a bloom filter C, which work in turn.
A method for preventing API gateway flooding attacks is implemented by the above system: the key parser extracts the API key from a request for API service and judges whether the length of the API key is valid, the bloom filter filters out unauthorized API keys and forwards requests judged to be unauthorized to the request interceptor, and the request interceptor intercepts invalid requests.
Preferably, when an unauthorized request reaches the API key filter, the key parser extracts the API key from the request and checks its length; if the length does not match the valid API key length, the request is passed to the request interceptor for interception.
Preferably, if the length of the API key matches the valid API key length, the bloom filter's function for judging whether an element exists is called to filter the API key; if the API key does not exist, the request is passed to the request interceptor for interception; otherwise the request is passed to the API gateway, which provides the gateway service and returns the corresponding content to the service caller.
Preferably, bloom filter A, bloom filter B and bloom filter C work in turn; the filter maintenance module calls the bloom filter's reset function to reset the bit array in the bloom filter to 0, calls the seed generation function to regenerate the pseudorandom seed of the hash function, and then stores all valid API keys from the API gateway database into the bloom filter again, one after another, through the hash function.
Preferably, to determine whether a requested API key exists in the bloom filter, the requested API key is hashed with the same seed and hash function, the resulting hash value is bitwise ANDed with the data in the bit array of the current bloom filter, and a bitwise XOR with the original API key is then performed; if the result is 0, the requested API key is valid, and if the result is not 0, the requested API key does not exist.
Compared with the prior art, the method for preventing API gateway flooding attacks has the following outstanding beneficial effects: because the API key filter is placed in front of the API gateway service, unauthorized requests can be filtered efficiently, the right of legitimate users to request the API gateway service is guaranteed, and the robustness of the API gateway service is greatly improved. Compared with traditional API gateway protection means, the method is accurate and efficient, and has good popularization and application value.
Drawings
FIG. 1 is an architecture diagram of a system for protecting against API gateway flooding attacks in accordance with the present invention;
FIG. 2 is a schematic diagram of the operation of a bloom filter in the system for protecting against the API gateway flooding attack according to the present invention;
FIG. 3 is a flowchart illustrating the operation of a bloom filter in the system for protecting against the API gateway flooding attack according to the present invention;
FIG. 4 is a flow chart of the implementation of the Hash function in the system bloom filter for preventing the API gateway flooding attack according to the present invention;
FIG. 5 is a diagram of the bloom filter maintenance architecture of the system for protecting against API gateway flooding attacks of the present invention;
FIG. 6 is a flowchart illustrating the maintenance of bloom filters in the system for protecting against API gateway flooding attacks according to the present invention;
FIG. 7 is a flowchart illustrating unauthorized request interception performed by the method for preventing flooding attacks of the API gateway according to the present invention;
FIG. 8 is a flowchart of the authorization request release of the method for preventing the API gateway flooding attack according to the present invention;
FIG. 9 is a schematic diagram of request filtering of the method for preventing API gateway flooding attack according to the present invention.
Detailed Description
The system and method for protecting against API gateway flooding attacks of the present invention will be described in further detail with reference to the accompanying drawings and embodiments.
Examples
As shown in fig. 1, the system for protecting against API gateway flooding attacks of the present invention includes an API gateway, an API gateway database, and an API key filter.
The API gateway includes API key authentication, an API rules engine, request distribution, a filter maintenance module, and response composition. The filter maintenance module is used for maintaining the API key filter.
The API gateway database comprises an API key and an API rule, the API key corresponds to API key authentication, and the API rule corresponds to an API rule engine.
The API key filter comprises a key parser, a bloom filter A, a bloom filter B, a bloom filter C and a request interceptor. The key parser extracts the API key from a request for API service and judges whether the length of the API key is valid; the bloom filter filters out unauthorized API keys and passes requests judged to be unauthorized to the request interceptor; and the request interceptor intercepts invalid requests.
A bloom filter consists of a long binary vector and a series of random mapping functions, and can be used to test whether an element is in a set. Its working principle is the hash algorithm. A hash algorithm transforms an input of arbitrary length (also called the pre-image) into a fixed-length output, the hash value. This transformation is a compression mapping: the space of hash values is usually much smaller than the space of inputs, and different inputs may hash to the same output, so a unique input cannot be determined from a hash value. In short, it is a function that compresses a message of arbitrary length into a message digest of fixed length. A hash table is a data structure that maps an element to one or several points in a bit array by means of hash functions. By comparing the values (0 or 1) at those points of the bit array with the corresponding bits produced by hashing the element to be tested, it can be determined whether the element is absent from the known hash table. Both the storage space of a bloom filter and its insert/query time are constant. In addition, the hash functions are independent of one another, which makes them convenient to implement in parallel in hardware. A bloom filter does not need to store the elements themselves, which is an advantage where confidentiality requirements are very strict. When the bloom filter judges that a value exists, the value may in fact not exist; when it judges that a value does not exist, the value definitely does not exist.
As shown in FIG. 2, the data structure of the bloom filter is an extremely large bit array in which each bit holds a binary 0 or 1. element1 and element2 are two elements to be stored into the bit array using the hash algorithm. f(e), g(e) and h(e) are three hash functions; the element to be hashed is supplied to each of them as the input parameter, different values are obtained through a blind hash algorithm, the values are mapped to different positions in the bit array, and each corresponding position is set to 1 to represent the value obtained by hashing the element. When the bit array is extremely large, the points to which different elements are mapped by the hash functions are very sparse, so the probability that different elements hash to the same point is greatly reduced.
When an element is added to the bloom filter, each of the hash functions hashes the element to an integer index value, which is then taken modulo the length of the bit array to obtain a position; each hash function yields a different position. Setting the bits at all of these positions to 1 completes the add operation.
When the bloom filter is queried for an element, the hash positions are calculated in the same way as for an addition, and the bits at those positions are checked. If any one of them is 0, the element is not in the bloom filter. If all of them are 1, the element is not certain to be present, only very likely to be, because those positions may have been set to 1 by other keys. If the bit array is large enough and the stored bits are sparse, the probability of a correct judgment is very high; otherwise it is low.
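The standard approximation for that probability, added here and not part of the patent text, with m the length of the bit array, n the number of stored API keys and k the number of hash functions (symbols assumed, hash functions treated as independent and uniform):

$$p \approx \left(1 - e^{-kn/m}\right)^{k}$$

For forged keys of valid length, p is the fraction of flood requests that still pass the filter and reach the API key authentication component, so m has to be sized from the number of valid keys; for a given m and n, p is smallest near k = (m/n) ln 2.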
The method for preventing the flooding attack of the API gateway is realized by the system for preventing the flooding attack of the API gateway.
As shown in FIG. 3, the API key filter consists of a key parser, bloom filter A, bloom filter B, bloom filter C, and a request interceptor. The key parser extracts the API key from a request for API service and judges whether the API key length is valid. Bloom filter A, bloom filter B and bloom filter C take turns filtering unauthorized API keys and forward requests judged to be unauthorized to the request interceptor, which intercepts invalid requests (by rejecting service or by discarding them without a response).
The bloom filter needs to be updated to account for expiration and deregistration of API keys. A bloom filter has the disadvantage that its data cannot be updated or deleted. To overcome this, the API key filter uses three bloom filters, of which one is in use at any time; the filters are rotated every 8 hours, and the filter to be used next is "preheated" 4 hours in advance. "Preheating" means that the filter maintenance service calls the reset function of the bloom filter to reset all bits of its bit array to 0, then calls the seed generation function to regenerate the pseudorandom seed of the hash function, and then stores all valid API keys from the database into the bloom filter again, one after another, through the hash function. For example, if API key filtering starts with bloom filter A at 8:00, "preheating" of bloom filter B starts at 12:00, the filter maintenance service switches the filter used for API keys to bloom filter B at 16:00, bloom filter C is "preheated" at 20:00, and so on.
Where the timeliness of API keys matters more, the number of bloom filters can be increased so that preheating happens more often and the API key filter is more up to date. For example, still assuming 4 hours of preheating: bloom filter A goes into use at 8:00, preheating of bloom filter B starts at 10:00, and the switch to filter B happens at 14:00, so the filter contents are updated 2 hours earlier and changes to API keys are picked up sooner.
As shown in FIG. 4, the bloom filter may use a plurality of hash functions; this patent gives only one example implementation, which may be modified as needed in practice. First, a seed of fixed length (such as 4 bytes or 8 bytes) is generated from a pseudorandom sequence. The API key to be hashed is then divided into data blocks of the seed's length, and the blocks are traversed in a loop: when the data block is the first block, it is bitwise XORed with the seed, followed by a multiplication or shift operation; when the data block is neither the first nor the last block, it is bitwise XORed with the hash value obtained from the previous operation, followed by the same multiplication or shift operation as before; when the data block is the last block, if it has fewer bits than the seed length, the data block and the seed are padded with 1s from left to right, otherwise the bitwise XOR is carried out directly, followed by the same multiplication or shift operation as before. Storing the hash value produced from the last data block into the bit array of the bloom filter is called one load. To resist collision attacks, the seed is randomly regenerated at every preheating, and multiple hashing may also be used.
To judge whether a given API key exists in the bloom filter, the API key is hashed with the same seeds and hash functions, the resulting hash value is bitwise ANDed with the value in the bit array of the current bloom filter, and a bitwise XOR of the obtained hash value with the original API key is carried out; if the result is 0, the API key is possibly valid, and if the result is not 0, the API key does not exist and is an invalid API key.
As shown in FIG. 5, the filter maintenance module is responsible for preheating and switching the bloom filters. To preheat a filter, the filter maintenance module first determines, from the filter currently in use, which filter needs to be preheated, then sets the bit array of that filter to 0 bit by bit and regenerates the seeds of the hash function. The filter maintenance service then queries all API keys from the API gateway database and loads them one after another into the filter being preheated. When the switching time is reached, the filter maintenance service switches the filter that the key parsing component points to over to the "preheated" bloom filter. The flow of the filter maintenance module is shown in FIG. 6.
As shown in FIG. 7 and FIG. 8, when a request reaches the API key filter, the key parsing component extracts the API key from the request and checks its length. If the length of the extracted API key does not match that of a valid API key, the request is passed directly to the interceptor to be intercepted (rejected or ignored); otherwise the bloom filter's function for judging whether an element exists is called to filter the API key. If the API key does not exist, the request is passed directly to the interceptor to be intercepted; otherwise the request is sent to the API gateway, which provides the gateway service and finally returns the response content to the service caller. The request filtering process is shown in FIG. 9.
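A compact sketch of the filter path described above (length check, seeded block hash, AND/XOR membership test, and the reset/reseed/reload rotation across filters A, B and C), added here as an example and not code from the patent. The `X-API-Key` header, the 32-character key length, the bit-array size, the multiplier, the extra shift, the padding direction and reading the XOR operand as the key's own hashed bit mask are all assumptions.

```python
import secrets

KEY_LEN = 32        # assumed length of a valid API key, in characters
M_BITS = 1 << 16    # assumed bit-array size
K_HASHES = 3        # three hash functions, like f(e), g(e), h(e) in FIG. 2
MULT = 0x9E3779B1   # assumed odd multiplier for the "multiplication" step
MASK = 0xFFFFFFFF   # 4-byte seed, hence 4-byte data blocks


def block_hash(key: bytes, seed: int) -> int:
    """XOR each block into the running value (the seed for the first block),
    then multiply and shift. Right-padding a short last block with 1 bits is
    one reading of the description (assumption)."""
    h = seed
    for i in range(0, len(key), 4):
        block = key[i:i + 4].ljust(4, b"\xff")
        h = ((h ^ int.from_bytes(block, "big")) * MULT) & MASK
        h ^= h >> 15    # extra shift so the low bits depend on the high bits
    return h


class BloomFilter:
    def __init__(self):
        self.reset()

    def reset(self):
        """Zero the bit array and regenerate the pseudorandom seeds."""
        self.bits = 0   # bit array held as one Python integer
        self.seeds = [secrets.randbits(32) for _ in range(K_HASHES)]

    def _mask(self, key: bytes) -> int:
        mask = 0
        for seed in self.seeds:
            mask |= 1 << (block_hash(key, seed) % M_BITS)
        return mask

    def add(self, key: bytes) -> None:
        self.bits |= self._mask(key)

    def might_contain(self, key: bytes) -> bool:
        mask = self._mask(key)
        # AND with the bit array, then XOR with the key's own mask:
        # 0 means every bit the key maps to is set.
        return ((mask & self.bits) ^ mask) == 0


class ApiKeyFilter:
    """Key parser + three rotating bloom filters + request interceptor."""

    def __init__(self, load_valid_keys):
        self.load_valid_keys = load_valid_keys  # stands in for the database query
        self.filters = [BloomFilter() for _ in range(3)]  # A, B, C
        self.active = 0
        self._load(self.filters[self.active])

    def _load(self, bloom: BloomFilter) -> None:
        bloom.reset()
        for key in self.load_valid_keys():
            bloom.add(key.encode())

    def preheat_next(self) -> None:
        """Run by the maintenance module ahead of the switch time."""
        self._load(self.filters[(self.active + 1) % 3])

    def switch(self) -> None:
        self.active = (self.active + 1) % 3

    def check(self, headers: dict) -> str:
        key = headers.get("X-API-Key", "")        # assumed header name
        if len(key) != KEY_LEN:
            return "intercept"                    # wrong length: no hashing done
        if not self.filters[self.active].might_contain(key.encode()):
            return "intercept"                    # definitely not a stored key
        return "forward"                          # probably valid: authenticate


def demo() -> dict:
    # Constructed sample keys, not real credentials.
    a = "0123456789abcdef0123456789abcdef"
    b = "fedcba9876543210fedcba9876543210"
    c = "00112233445566778899aabbccddeeff"
    database = {a, b, c}
    key_filter = ApiKeyFilter(lambda: sorted(database))
    out = {
        "valid": key_filter.check({"X-API-Key": a}),
        "forged": key_filter.check({"X-API-Key": "deadbeef" * 4}),
        "short": key_filter.check({"X-API-Key": "short-key"}),
        "missing": key_filter.check({}),
    }
    database.discard(c)  # key c is deregistered in the database
    out["revoked_before_switch"] = key_filter.check({"X-API-Key": c})
    key_filter.preheat_next()
    key_filter.switch()
    out["revoked_after_switch"] = key_filter.check({"X-API-Key": c})
    out["valid_after_switch"] = key_filter.check({"X-API-Key": a})
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `revoked_before_switch` result is the staleness window of the rotation scheme: a deregistered key keeps passing the filter until the next preheated filter is switched in, so the authentication component behind the filter still has to validate every forwarded key.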
The above-described embodiments are merely preferred embodiments of the present invention, and general changes and substitutions by those skilled in the art within the technical scope of the present invention are included in the protection scope of the present invention.

Claims (7)

1. A system for preventing API gateway flooding attacks, comprising an API gateway and an API gateway database, wherein the API gateway comprises an API key authentication component, an API rule engine, a request distribution module and a response synthesis module, the API gateway database comprises API keys and API rules, the API keys correspond to the API key authentication component, and the API rules correspond to the API rule engine, characterized in that: the system also comprises an API key filter, wherein the API key filter comprises a key parser, a bloom filter and a request interceptor; the key parser is used for extracting an API key from a request requesting API service and judging whether the length of the API key is valid or not, the bloom filter is used for filtering unauthorized API keys and transferring the request judged to be unauthorized to the request interceptor, and the request interceptor intercepts invalid requests; the API gateway further includes a filter maintenance module for maintaining the API key filter.
2. The system for protecting against API gateway flooding attacks of claim 1, wherein: the API key filter comprises a bloom filter A, a bloom filter B and a bloom filter C, and the bloom filter A, the bloom filter B and the bloom filter C work in turn.
3. A method for preventing the flooding attack of an API gateway is characterized in that: the method is realized by the system for preventing the flooding attack of the API gateway as claimed in any one of claims 1-2, wherein the key parser is used for extracting the API key from the request of the API service and judging whether the length of the API key is valid, the bloom filter is used for filtering the unauthorized API key and forwarding the request judged to be unauthorized to the request interceptor, and the request interceptor intercepts the invalid request.
4. The method of claim 3 for protecting against API gateway flooding attacks, wherein: when an unauthorized request reaches the API key filter, the key parser extracts the API key from the request and checks its length, and if the length of the API key is not consistent with the length of a valid API key, the request is transmitted to the request interceptor for interception.
5. The method of claim 4 for protecting against API gateway flooding attacks, wherein: and if the API key does not exist, the request is transmitted to a request interceptor to be intercepted, otherwise, the request is transmitted to an API gateway to provide gateway service, and corresponding content is returned to a service caller.
6. The method of claim 5 for protecting against API gateway flooding attacks, wherein: the bloom filter A, the bloom filter B and the bloom filter C work in turn, the filter maintenance module calls a reset function of the bloom filter to reset the bit array in the bloom filter to 0, calls a seed generation function to regenerate the pseudorandom seeds of the hash function, and stores all effective API keys in the API gateway database into the bloom filter through the hash function again in sequence.
7. The method of claim 6, wherein the method further comprises: and when judging whether the requested API key exists in the bloom filter, operating the requested API key by using the same seed and hash function, performing bitwise AND operation on the obtained hash value and data in the bit array of the current bloom filter, and performing bitwise XOR operation on the obtained hash value and the original API key, wherein if the result is 0, the requested API key is valid, and if the result is not 0, the requested API key does not exist.
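The flow of claims 3-7 as an added sketch; it is not part of the patent text and not the assignee's code. Assumptions: a valid key length of 32 (`KEY_LEN`), keyed BLAKE2b as the seeded hash function, "work in turn" read as rebuilding the next of the three filters and then switching to it, and the AND/XOR test of claim 7 read as checking that every bit position hashed from the key is set in the bit array. All class and function names are hypothetical.

```python
import hashlib
import secrets

KEY_LEN = 32  # assumed length of a valid API key; the claims give no value


class SeededBloom:
    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k = m_bits, k
        self.reset()

    def reset(self):
        # Claim 6: zero the bit array and regenerate the hash seeds.
        self.bits = 0
        self.seeds = [secrets.token_bytes(16) for _ in range(self.k)]

    def _mask(self, key):
        mask = 0
        for seed in self.seeds:
            d = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
            mask |= 1 << (int.from_bytes(d, "big") % self.m)
        return mask

    def add(self, key):
        self.bits |= self._mask(key)

    def contains(self, key):
        # Claim 7 as read here: AND with the bit array, XOR with the key's
        # own hash mask; 0 means every hashed position is set.
        mask = self._mask(key)
        return ((mask & self.bits) ^ mask) == 0


class ApiKeyFilter:
    def __init__(self, valid_keys):
        self.filters = [SeededBloom() for _ in range(3)]  # A, B, C
        self.active = -1
        self.rotate(valid_keys)

    def rotate(self, valid_keys):
        # Rebuild the next filter from the key database, then switch to it.
        nxt = (self.active + 1) % 3
        self.filters[nxt].reset()
        for key in valid_keys:
            self.filters[nxt].add(key)
        self.active = nxt

    def check(self, api_key):
        if api_key is None or len(api_key) != KEY_LEN:
            return "intercept"  # key parser: wrong or missing length
        if not self.filters[self.active].contains(api_key):
            return "intercept"  # not in the current bloom filter
        return "forward"        # passed on to the API gateway
```

A "forward" result means only that the key may be valid: Bloom filters produce false positives, so the gateway's own key verification still has to run. Rebuilding from the database on each rotation is also what drops revoked keys, since a plain Bloom filter cannot delete entries.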
CN202011131859.8A 2020-10-21 2020-10-21 System and method for preventing flooding attack of API gateway Active CN112311776B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011131859.8A CN112311776B (en) 2020-10-21 2020-10-21 System and method for preventing flooding attack of API gateway

Publications (2)

Publication Number Publication Date
CN112311776A CN112311776A (en) 2021-02-02
CN112311776B true CN112311776B (en) 2022-08-30

Family

ID=74328602

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011131859.8A Active CN112311776B (en) 2020-10-21 2020-10-21 System and method for preventing flooding attack of API gateway

Country Status (1)

Country Link
CN (1) CN112311776B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114138357A (en) * 2021-10-29 2022-03-04 北京达佳互联信息技术有限公司 Request processing method and device, electronic equipment, storage medium and product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072106A (en) * 2006-05-12 2007-11-14 国际商业机器公司 Method and system for protecting against denial of service attacks
CN103595525A (en) * 2013-11-18 2014-02-19 北京邮电大学 Desynchronization resistant lightweight RFID bidirectional authentication protocol
CN107911219A (en) * 2017-11-09 2018-04-13 成都知道创宇信息技术有限公司 A kind of anti-CC methods of API based on key signature
CN108156154A (en) * 2017-12-25 2018-06-12 北京工业大学 Name the access control method based on encryption and Bloom filter in data network
US10148493B1 (en) * 2015-06-08 2018-12-04 Infoblox Inc. API gateway for network policy and configuration management with public cloud

Also Published As

Publication number Publication date
CN112311776A (en) 2021-02-02

Similar Documents

Publication Publication Date Title
US7814546B1 (en) Method and system for integrated computer networking attack attribution
Goodrich Efficient packet marking for large-scale IP traceback
CN103581363B (en) To malice domain name and the control method and device of unauthorized access
CN101572700B (en) Method for defending HTTP Flood distributed denial-of-service attack
JP3459183B2 (en) Packet verification method
US20110047610A1 (en) Modular Framework for Virtualization of Identity and Authentication Processing for Multi-Factor Authentication
US20060191008A1 (en) Apparatus and method for accelerating intrusion detection and prevention systems using pre-filtering
Li et al. Capability-based security enforcement in named data networking
US8549581B1 (en) Distributed network security system deploying guard tables
CN101116052A (en) Network interface and firewall device
Patgiri et al. Preventing ddos using bloom filter: A survey
Panchenko et al. NISAN: network information service for anonymization networks
Rajendran DNS amplification & DNS tunneling attacks simulation, detection and mitigation approaches
Aljifri et al. IP traceback using header compression
CN112311776B (en) System and method for preventing flooding attack of API gateway
CN113507483B (en) Instant messaging method, device, server and storage medium
Pandiaraja et al. Web proxy based detection and protection mechanisms against client based HTTP attacks
CN111490977A (en) DAG block chain-based ARP spoofing attack prevention method and platform terminal
Sunitha et al. Key Observation to Prevent IP Spoofing in DDoS Attack on Cloud Environment
RU2314562C1 (en) Method for processing network traffic datagrams for delimiting access to informational and computing resources of computer networks
US11290426B2 (en) Block chain network and hash-based cuckoo filter
Wang et al. An on-demand defense scheme against dns cache poisoning attacks
CN113765858A (en) Method and device for realizing high-performance state firewall
Cao et al. A selective re-query case sensitive encoding scheme against DNS cache poisoning attacks
CN114553452B (en) Attack defense method and protection equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant