CN112351006A - Website access attack interception method and related components - Google Patents


Info

Publication number: CN112351006A
Authority: CN (China)
Prior art keywords: access, client, attack, detection, website
Legal status: Granted
Application number: CN202011163719.9A
Other languages: Chinese (zh)
Other versions: CN112351006B (en)
Inventors: 郭文玉, 范渊, 杨勃
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011163719.9A
Publication of CN112351006A
Application granted
Publication of CN112351006B
Legal status: Active

Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication) and H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/02 Separating internal from external traffic, e.g. firewalls, and H04L63/0227 Filtering policies)
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L63/08 Authentication of entities)
    • H04L63/102 Entity profiles (under H04L63/10 Controlling access to devices or network resources)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 Detecting or protecting against malicious traffic, and H04L63/1408 Monitoring network traffic)
    • H04L63/306 Intercepting packet-switched data communications, e.g. Web, Internet or IMS communications (under H04L63/30 Supporting lawful interception, monitoring or retaining of communications)


Abstract

The application discloses a website access attack interception method. During the human-machine detection applied to website access, the intercepted access requests are put through human verification, which distinguishes tool-driven attacks from human access and reduces the mistaken interception of human visitors. After the human verification has placed the client IP in a whitelist state, anti-escape detection is further carried out, so that secondary attacks launched from behind the IP whitelist can be prevented and the risk of bypass by both manual and tool-based attacks is reduced. Website access is thus protected, the accuracy and efficiency of website protection are effectively improved, mistaken interception is reduced as far as possible, and the user experience is optimized. The application also provides a website access attack interception apparatus, a device and a readable storage medium, which have the same beneficial effects.

Description

Website access attack interception method and related components
Technical Field
The present application relates to the field of computer software technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for intercepting a website access attack.
Background
China has entered the information age, and informatization brings people both convenience and trouble.
In the past, monitoring has shown a number of CC (Challenge Collapsar) attack events aimed at important websites in China (in a CC attack, the attacker uses proxy servers to generate seemingly legitimate requests directed at the victim host, achieving a high-rate, disguised DDoS, i.e. denial-of-service, attack). The attacker uses public proxy servers to launch a large volume of accesses to the target website, requesting content such as nonexistent pages, large website files and dynamic pages, so that the CDN nodes configured by the website (also called edge nodes or cache nodes: high-speed servers used for caching) are bypassed and the website's origin server is attacked directly; the aim is to use few attack resources to make the target website slow or even unavailable. Besides CC attacks, websites and web pages face other types of attack, such as scanning attacks, which pose serious threats to the secure operation of the website.
When an attack brings a website down, its web pages are damaged. To respond to attacks, an enterprise has to raise its website protection capability and lower the protection threshold to increase the protection level. The related art offers many protection modes against website scanning and CC attacks: the defense threshold can be adjusted (raised) in real time after an attack is suffered, or protection can be strengthened by having cloud protection push a human-machine detection page. Mistaken interceptions are nevertheless endless; for example, once the defense threshold is raised midway, the high-frequency access of normal business users can be blocked by mistake. At the same time, attacks that bypass the protection means and strike the website directly a second time do occur, for example a secondary attack launched after the human-machine detection interface has passed the client into the whitelist, which hinders the website's normal access and operation.
Therefore, how to improve the precision and efficiency of website protection while reducing false interception as far as possible is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
An object of the present application is to provide a website access attack interception method that can improve the accuracy and efficiency of website protection while reducing false interception as far as possible; another object of the present application is to provide a website access attack interception apparatus, a device and a readable storage medium.
To solve the above technical problem, the present application provides a method for intercepting a website access attack, including:
starting human-machine detection for website access, and acquiring an access request intercepted in the human-machine detection;
invoking human verification in the human-machine detection to verify the access request;
if the verification is passed, placing the client IP of the access request in a whitelist state for a preset duration, so that the access of the client IP is responded to;
performing anti-escape detection on the website access behavior of the client IP within the preset duration;
and if the anti-escape detection determines that the client IP has a violation behavior, carrying out blacklist blocking processing on the client IP.
Optionally, performing anti-escape detection on the website access behavior of the client IP within the preset duration includes:
calling an IP reputation library to perform IP matching verification on the client IP that has entered the whitelist state;
if the matching succeeds, determining that the client IP has a violation behavior;
if the matching fails, auditing the client IP for abnormal access behavior, and determining that a client IP with abnormal access behavior has a violation behavior;
if the client IP has no abnormal access behavior, judging whether the access time of the client IP has reached the preset duration;
if yes, returning to the step of acquiring the access request intercepted in the human-machine detection;
and if not, repeating the step of judging whether the access time of the client IP has reached the preset duration.
Optionally, auditing the client IP for abnormal access behavior includes:
auditing the number of accesses initiated, and checking whether the client IP ranks within a preset number of top IPs;
and if the client IP hits two or more web attack modules, determining that the client IP has abnormal access behavior.
Optionally, after starting the human-machine detection for website access, the method further includes:
recording the detection process corresponding to the client IP and generating a detection log.
Optionally, after recording the detection process corresponding to the client IP, the method further includes:
carrying out attack detection on the operation behaviors recorded in the detection log.
The present application further provides a website access attack interception apparatus, which includes:
a detection starting unit, configured to start human-machine detection for website access and acquire an access request intercepted in the human-machine detection;
a human verification unit, configured to invoke human verification in the human-machine detection to verify the access request and, if the verification is passed, to trigger a whitelist state unit;
the whitelist state unit, configured to place the client IP of the access request in a whitelist state for a preset duration, so that the access of the client IP is responded to;
an anti-escape detection unit, configured to perform anti-escape detection on the website access behavior of the client IP within the preset duration;
and a blocking processing unit, configured to carry out blacklist blocking processing on the client IP if the anti-escape detection determines that the client IP has a violation behavior.
Optionally, the anti-escape detection unit includes:
a reputation library verification subunit, configured to call an IP reputation library to perform IP matching verification on the client IP that has entered the whitelist state; if the matching succeeds, to trigger a determination subunit; if the matching fails, to trigger an attack audit subunit;
the determination subunit, configured to determine that the client IP has a violation behavior;
the attack audit subunit, configured to audit the client IP for abnormal access behavior and to determine that a client IP with abnormal access behavior has a violation behavior; if the client IP has no abnormal access behavior, to trigger a judgment subunit;
the judgment subunit, configured to judge whether the access time of the client IP has reached the preset duration; if so, to trigger a first jump subunit; if not, to trigger a second jump subunit;
the first jump subunit, configured to return to the step of acquiring the access request intercepted in the human-machine detection;
and the second jump subunit, configured to repeat the step of judging whether the access time of the client IP has reached the preset duration.
Optionally, the attack audit subunit includes:
a frequency audit subunit, configured to audit the number of accesses initiated and check whether the client IP ranks within a preset number of top IPs;
and an attack audit subunit, configured to determine that the client IP has abnormal access behavior if the client IP hits two or more web attack modules.
The present application also provides a website access attack interception device, including:
a memory for storing a computer program;
and a processor, configured to implement the steps of the website access attack interception method when executing the computer program.
The application also provides a readable storage medium storing a program which, when executed by a processor, implements the steps of the website access attack interception method.
In the website access attack interception method, the access request intercepted in the human-machine detection of website access is put through human verification, so that tool-driven attacks are distinguished from human access and the mistaken interception of human visitors is reduced; anti-escape detection is further carried out after the human verification has placed the client IP in the whitelist state, so that secondary attacks launched from behind the IP whitelist can be prevented and the risk of bypass by both manual and tool-based attacks is reduced. Website access is thus protected, the accuracy and efficiency of website protection are effectively improved, mistaken interception is reduced as far as possible, and the user experience is optimized.
The application also provides a website access attack interception apparatus, a device and a readable storage medium, which have the same beneficial effects and are not described again here.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a website access attack interception method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a website access attack interception method according to an embodiment of the present application;
Fig. 3 is a block diagram of the structure of a website access attack interception apparatus according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a website access attack interception device according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a website access attack interception method that can improve the accuracy and efficiency of website protection while reducing false interception as far as possible; a further core of the application is to provide a website access attack interception apparatus, a device and a readable storage medium.
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings of the embodiments. Obviously, the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
In the prior art, the two attack means of website scanning and CC attack are mainly handled by two protection measures: first, intercepting high-frequency requests by setting a protection threshold; second, intercepting non-user access by having cloud protection push a human-machine detection page.
When requests are intercepted by a protection threshold, the scanning and CC thresholds can be adjusted dynamically on a daily basis according to actual needs: the threshold is raised in real time according to customer feedback about mistaken interception, and lowered during major protection campaigns to raise the protection level. A threshold setting, however, can hardly satisfy the interception rules for all the different types of request, so mistaken interception occurs easily and the system's normal business requests are hindered. The prior art has no effective scheme that meets the requirement of reducing false interception.
Intercepting non-user access by having cloud protection push a human-machine detection page works as follows: the human-machine detection page is pushed, a verification code is entered or a slider is dragged, the client passes into a whitelist, and it can then access freely for a long time without interception detection. During this IP whitelist window, however, the protection can be bypassed and the attack on the web server continued. For example, at a higher protection level, when a website has many sub-link resources, a single access from a certain IP may be mistakenly intercepted, identified as scanning or CC behavior and blocked; the human-machine detection mode is then started and a manual click confirms continued access. If a tool was generating the scanning or CC behavior and an attacker is manually monitoring it, the attacker can bypass the protection during the IP whitelist state and continue with secondary attack behavior, so the website is attacked.
Therefore, in current website protection technology, normal access is easily intercepted by mistake, and secondary attacks that bypass human-machine detection easily occur, which greatly hinders the security and continuity of website services.
To solve these problems, the application provides a website access attack interception method that can improve the accuracy and efficiency of website protection while reducing false interception as far as possible. Referring to Fig. 1, which is a flowchart of the website access attack interception method of this embodiment, the method mainly includes the following steps:
Step s110: start human-machine detection for website access, and acquire an access request intercepted in the human-machine detection.
It should be noted that the human-machine detection in this embodiment is mainly aimed at two attack modes, scanning attacks and CC attacks. A scanning attack is characterized by a high access frequency from a single IP, a high response error rate, fixed access resources and the like; a CC attack generally shows a high access frequency, a high concentration and the like. The human-machine detection described below is also mainly for these two modes; if human-machine detection is started for other attack types, the description of this embodiment can be referred to as well, and details are not repeated here.
Scanning/CC human-machine detection is started to detect scanning/CC attack behavior. If, while detecting website access behavior, the human-machine detection judges a behavior to be an attack, that access behavior is intercepted. The intercepted access behavior may include both real attack behavior and normal access behavior, so to avoid mistakenly intercepting normal access, the intercepted behavior is detected further (triggering step s120). If the further detection finds no attack behavior, the client can be given access rights, which guarantees the normal access and operation of the website and improves the user experience; if the further detection confirms attack behavior, blacklist blocking processing can be carried out to guarantee the safety of website operation.
The specific implementation steps of the human-machine detection for website access may follow the implementations in the related art; this embodiment does not limit them and they are not described again here.
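As an added illustration (not code from the patent or its assignee), the following Python computes the scan/CC indicators named above for each client IP from constructed access-log lines and decides only whether to push the human-machine detection page rather than block outright; the thresholds, the log format and the client addresses are assumptions.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed thresholds: the page names the indicators (access frequency,
# response error rate, fixed access resource / concentration) but gives no values.
WINDOW_SECONDS = 60.0
MAX_REQ_PER_WINDOW = 60    # requests from one IP within the window
ERROR_RATE_LIMIT = 0.5     # share of 4xx/5xx responses
CONCENTRATION_LIMIT = 0.8  # share of requests on the single most requested path


class Verdict(NamedTuple):
    peak_requests: int        # busiest WINDOW_SECONDS window
    error_rate: float
    concentration: float
    reasons: Tuple[str, ...]  # indicators that fired
    push_challenge: bool      # intercept and push the human-machine detection page


def parse_line(line: str) -> Tuple[str, float, str, int]:
    """Constructed log format: '<client_ip> <unix_ts> <path> <status>'."""
    ip, ts, path, status = line.split()
    return ip, float(ts), path, int(status)


def peak_window_count(timestamps: List[float], window: float) -> int:
    """Largest number of requests falling within any `window` seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(lines: List[str]) -> Dict[str, Verdict]:
    """Per-IP scan/CC indicators; the outcome is a challenge, not a block."""
    by_ip: Dict[str, List[Tuple[float, str, int]]] = defaultdict(list)
    for ln in lines:
        ip, ts, path, status = parse_line(ln)
        by_ip[ip].append((ts, path, status))
    verdicts: Dict[str, Verdict] = {}
    for ip, recs in by_ip.items():
        peak = peak_window_count([r[0] for r in recs], WINDOW_SECONDS)
        error_rate = sum(1 for r in recs if r[2] >= 400) / len(recs)
        top_path_hits = Counter(r[1] for r in recs).most_common(1)[0][1]
        concentration = top_path_hits / len(recs)
        reasons = []
        if peak > MAX_REQ_PER_WINDOW:
            reasons.append("high_frequency")
        if error_rate > ERROR_RATE_LIMIT:
            reasons.append("high_error_rate")   # guessing nonexistent pages
        if concentration > CONCENTRATION_LIMIT:
            reasons.append("fixed_resource")    # hammering one resource
        # Frequency alone is not enough: a busy but legitimate visitor is only sent
        # to the human-machine page when a second indicator fires as well.
        push = "high_frequency" in reasons and len(reasons) >= 2
        verdicts[ip] = Verdict(peak, round(error_rate, 2), round(concentration, 2),
                               tuple(reasons), push)
    return verdicts


def sample_log() -> List[str]:
    """Constructed traffic from three TEST-NET clients."""
    lines = []
    for i in range(10):    # a normal visitor: 10 pages in a minute, all found
        lines.append(f"203.0.113.10 {1000 + 6 * i} /article/{i} 200")
    for i in range(100):   # a scanner: 100 guessed paths in 30 seconds, all 404
        lines.append(f"203.0.113.20 {1000 + 0.3 * i:.1f} /backup{i}.zip 404")
    for i in range(120):   # a CC bot: one dynamic page hit 120 times in a minute
        lines.append(f"203.0.113.30 {1000 + 0.5 * i:.1f} /search?q=a 200")
    return lines
```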
Step s120: invoke human verification in the human-machine detection page to verify the access request.
To avoid a client's access to web resources being intercepted by mistake, this embodiment pushes human-machine detection. The human-machine detection is mainly used to verify that the request was initiated by a person and not automatically by a machine, so that user requests and machine attack requests are identified and distinguished. The human verification means in the human-machine detection page is not limited in this embodiment; it may be verification code entry or drag verification, and the human-machine detection process of the related art can be referred to.
Step s130: if the verification is passed, place the client IP of the access request in a whitelist state for a preset duration, so that the access of the client IP is responded to.
Once the human verification is passed (passing within two or more attempts may be counted as passing; other ways of passing are not described in detail and the description of this embodiment can be referred to), the client enters the preset duration during which the whitelist is effective and its access is unrestricted, so that the access of the client IP is responded to. The preset duration is the effective lifetime of the whitelist; in general it lies between 300 and 600 seconds, and this embodiment does not limit its specific value.
This embodiment does not limit what happens once the whitelist lifetime has ended. If the IP whitelist has expired and been released, the original protection loop may be started again, that is, the process jumps back to step s110 to acquire the access request intercepted in the human-machine detection, and the client goes through the original protection blocking process.
If the human-machine authentication fails (or times out) three or more times, or cannot be performed at all, that is, when the authentication is determined to have failed, this embodiment does not limit the handling; the original protection blocking process may be carried out, for example blacklist blocking processing of the client IP.
It should be noted that the whitelist state in this application is a whitelist only for the protection modules that have human-machine detection (such as scanning and CC), once the human-machine detection has been passed; it has no effect on the protection attributes of modules without a human-machine verification function, and it is not a whitelist for the global protection function modules.
Step s140: perform anti-escape detection on the website access behavior of the client IP within the preset duration.
Normally, once the client IP enters the whitelist it has access rights. To prevent an attack from being carried out directly on the website by bypassing the human verification, and to further improve the security of website access, this embodiment subjects the client IP to anti-escape detection after it enters the whitelist. The anti-escape detection mainly detects attack behavior by the client IP during the effective time of the whitelist, so that the protection cannot be bypassed.
The specific detection items of the anti-escape detection performed on the website access behavior of the client IP after it enters the whitelist are not limited in this embodiment; there may be one item or several, configured according to the actual types of attack behavior, and they are not described again here.
Step s150: if the anti-escape detection determines that the client IP has a violation behavior, carry out blacklist blocking processing on the client IP.
If the anti-escape detection determines that the client IP has a violation behavior, the client IP immediately enters the blacklist for blocking processing, so that the violation behavior cannot threaten website security. For the specific blocking process, the related art can be referred to and details are not described here.
If the anti-escape detection determines that the client IP has no violation behavior, this embodiment does not limit the handling; the client IP can be set to enter the whitelist state completely (for scanning/CC attack only), while the other modules still perform protection.
In summary, in the website access attack interception method of this embodiment, the access request intercepted in the human-machine detection of website access is put through human verification, so that tool-driven attacks are distinguished from human access and the mistaken interception of human visitors is reduced; anti-escape detection is further carried out after the human verification has placed the client IP in the whitelist state, so that secondary attacks launched from behind the IP whitelist can be prevented and the risk of bypass by both manual and tool-based attacks is reduced. Website access is thus protected, the accuracy and efficiency of website protection are effectively improved, mistaken interception is reduced as far as possible, and the user experience is optimized.
The above embodiment does not limit the specific implementation of the anti-escape detection of the website access behavior of the client IP within the preset duration. To deepen understanding, and to overcome the problems of a high false alarm rate and a high false interception rate, a technical scheme for anti-escape detection after a mistaken interception by the human-machine detection is presented here; it is relatively stable and has high accuracy.
The concrete steps are as follows:
(1) Call an IP reputation library to perform IP matching verification on the client IP that has entered the whitelist state.
The IP reputation library is a pre-configured, curated list of dangerous client IPs (IPs with a history of website attacks). Its source is not limited in this embodiment: it may be a library configured and curated by the company, a national reputation library, or a public reputation library from another platform such as ThreatBook (微步).
After the IP enters the whitelist it goes into the first anti-escape detection, which matches the IP against the reputation library: if the match succeeds, the client IP is determined to have a violation behavior and enters the blacklist immediately (other blocking treatments may also be used without limitation). If the IP is not in the reputation library, the process continues to the second anti-escape detection, a detection method based on the behavior of the client IP.
(2) If the matching succeeds, determine that the client IP has a violation behavior.
(3) If the matching fails, audit the client IP for abnormal access behavior, and determine that a client IP with abnormal access behavior has a violation behavior.
By auditing the access behavior, a violation can be determined if the client IP shows abnormal access behavior during the whitelist stage. The rule for determining abnormal access behavior is not limited in this embodiment: for example, abnormal access behavior may be determined when the access frequency to the website is above a certain threshold, or when the time interval between several access requests is below a certain threshold. Optionally, one way to audit the client IP for abnormal access behavior is as follows:
(3.1) audit the number of accesses initiated and check whether the client IP ranks within the preset number of top IPs;
(3.2) if the client IP hits two or more web attack modules, determine that the client IP has abnormal access behavior.
The IP matching audit checks whether the IP's access-initiation ranking lies within the top preset number of IPs (such as the top 10); the ranking can be obtained from equipment such as a security firewall. If the IP also hits two or more web attack modules (such as SQL, XSS and the like), blacklist blocking processing is carried out immediately. If the two conditions are not met, the IP enters the whitelist state completely (for scanning/CC only), and the other modules still provide protection.
(4) If the client IP has no abnormal access behavior, judge whether the access time of the client IP has reached the preset duration.
(5) If so, return to the step of acquiring the access request intercepted in the human-machine detection.
Once the IP whitelist has expired and been released, the process is initialized and enters the original protection loop.
(6) If not, repeat the step of judging whether the access time of the client IP has reached the preset duration.
The anti-escape detection scheme of this embodiment is an overall implementation flow based on matching in four dimensions after human-machine detection: the IP whitelist, the IP reputation library, web attack behavior and web audit. As shown in Fig. 2, an IP is processed according to the configured IP reputation library and the web attack and audit matching results, and the corresponding blocking flow is entered according to the different matching results, so that the access behavior of a client IP that has entered the whitelist is effectively monitored and effective anti-escape attack interception is realized.
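The whitelist lifecycle of steps s120 to s150 and the anti-escape checks (1) to (6) above, as an added Python model that is not the patent's or the assignee's code; the reputation library contents, the client addresses and traffic, the small top-N used in the demo, the per-IP log wording and the reading of (3.1) and (3.2) as two conditions that must both hold are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set

# Values the page gives: whitelist lifetime 300-600 s, blocking after three failed
# verifications, a "top 10" access-count ranking, "two or more" attack modules.
WHITELIST_SECONDS = 300
MAX_AUTH_FAILURES = 3


class State(Enum):
    CHALLENGE = "challenge"   # intercepted by scan/CC detection, human-machine page pushed
    WHITELIST = "whitelist"   # human verification passed, under anti-escape detection
    BLACKLIST = "blacklist"   # blocked


@dataclass
class Client:
    state: State = State.CHALLENGE
    whitelist_since: float = 0.0
    auth_failures: int = 0
    access_count: int = 0
    modules_hit: Set[str] = field(default_factory=set)  # e.g. {"SQL", "XSS"}
    log: List[str] = field(default_factory=list)        # per-IP detection log


class Interceptor:
    def __init__(self, reputation: Set[str], top_n: int = 10):
        self.reputation = reputation   # IP reputation library: IPs with an attack history
        self.top_n = top_n             # audit: rank within the top_n IPs by access count
        self.clients: Dict[str, Client] = {}

    def _client(self, ip: str) -> Client:
        return self.clients.setdefault(ip, Client())

    def _block(self, c: Client, reason: str) -> None:
        c.state = State.BLACKLIST
        c.log.append(f"blacklist: {reason}")

    def _top_by_access(self) -> Set[str]:
        ranked = sorted(self.clients.items(),
                        key=lambda kv: (-kv[1].access_count, kv[0]))
        return {ip for ip, _ in ranked[: self.top_n]}

    # Steps s120/s130: outcome of one human verification attempt (captcha or slider).
    def on_verification(self, ip: str, passed: bool, now: float) -> State:
        c = self._client(ip)
        if c.state is State.BLACKLIST:
            return c.state
        if passed:
            c.state, c.whitelist_since, c.auth_failures = State.WHITELIST, now, 0
            c.log.append(f"verification success, whitelist effective at {now:.0f}")
        else:
            c.auth_failures += 1
            c.log.append(f"verification failure #{c.auth_failures}")
            if c.auth_failures >= MAX_AUTH_FAILURES:
                self._block(c, f"{MAX_AUTH_FAILURES} verification failures")
        return c.state

    # Step s140: one request from the IP while whitelisted. `module` names the web
    # attack protection module (still active for whitelisted IPs) it triggered, if any.
    def on_request(self, ip: str, now: float, module: Optional[str] = None) -> State:
        c = self._client(ip)
        if c.state is not State.WHITELIST:
            return c.state
        c.access_count += 1
        if module:
            c.modules_hit.add(module)
        # (1)-(2) first anti-escape detection: IP reputation library match
        if ip in self.reputation:
            self._block(c, "IP reputation library match")
            return c.state
        # (3) second anti-escape detection: top_n by access count AND >= 2 modules hit
        if ip in self._top_by_access() and len(c.modules_hit) >= 2:
            self._block(c, f"top-{self.top_n} access count, modules {sorted(c.modules_hit)}")
            return c.state
        # (4)-(6) no abnormal behaviour: release on expiry back to step s110, else keep checking
        if now - c.whitelist_since >= WHITELIST_SECONDS:
            c.state = State.CHALLENGE
            c.log.append(f"whitelist released at {now:.0f}")
        return c.state


def run_demo() -> Dict[str, str]:
    """Constructed scenario with TEST-NET addresses; returns each client's final state."""
    ix = Interceptor(reputation={"198.51.100.7"}, top_n=2)
    t = 1000.0
    ix.on_verification("203.0.113.10", True, t)           # A: genuine user
    for i in range(5):
        ix.on_request("203.0.113.10", t + 10 * i)
    ix.on_verification("198.51.100.7", True, t)           # B: known-bad IP passes the captcha
    ix.on_request("198.51.100.7", t + 1)
    ix.on_verification("203.0.113.20", True, t)           # C: secondary attack from the whitelist
    for i in range(20):
        ix.on_request("203.0.113.20", t + i, module=("SQL", "XSS")[i % 2])
    for _ in range(3):                                    # D: three failed verifications
        ix.on_verification("203.0.113.30", False, t)
    ix.on_request("203.0.113.10", t + WHITELIST_SECONDS)  # A's whitelist lifetime ends
    return {ip: c.state.value for ip, c in ix.clients.items()}
```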
Based on the above embodiment, further, after the human-machine detection for website access is started, the following steps may be further performed: and recording the detection process corresponding to the client IP and generating a detection log.
The platform website records a human-computer detection white list log and records log alarms according to the detection behaviors after human-computer detection, such as the time at which the human-computer detection page was pushed, verification success/failure, the number of verification successes/failures, verification timeout success/failure, the time at which the IP white list took effect, IP white list release records, and IP blacklist blocking log records, thereby generating a detection log from which interception can be further optimized or other processing performed.
Optionally, after recording the detection process corresponding to the client IP, attack detection may further be performed on the operation behavior recorded in the detection log. That is, a log audit can be carried out after the log is generated, so that the validity of the operation behavior is checked against the log, further improving the attack interception accuracy and guaranteeing website access safety.
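The detection log and the log audit described above, as an added example that is not part of the patent: a few constructed log lines in an assumed key=value layout (the patent names the event kinds but no syntax) are parsed and then audited for two patterns a defender would alarm on, a client that fails verification repeatedly before passing, and a client that is blacklisted while still inside its white-list window. The threshold of three failures, the event names and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed detection-log lines. The event kinds follow the patent's list
# (page pushed, verification ok/failed/timeout, white-list grant and release,
# blacklist block); the "ts ip=... event=..." layout is assumed.
SAMPLE_LOG = """\
2020-10-27T10:00:00 ip=203.0.113.5 event=page_pushed
2020-10-27T10:00:03 ip=203.0.113.5 event=verify_failed
2020-10-27T10:00:05 ip=203.0.113.5 event=verify_failed
2020-10-27T10:00:07 ip=203.0.113.5 event=verify_failed
2020-10-27T10:00:09 ip=203.0.113.5 event=verify_ok
2020-10-27T10:00:09 ip=203.0.113.5 event=whitelist_granted
2020-10-27T10:01:00 ip=203.0.113.8 event=page_pushed
2020-10-27T10:03:00 ip=203.0.113.8 event=verify_timeout
2020-10-27T10:03:01 ip=203.0.113.8 event=page_pushed
2020-10-27T10:03:05 ip=203.0.113.8 event=verify_ok
2020-10-27T10:03:05 ip=203.0.113.8 event=whitelist_granted
2020-10-27T10:04:00 ip=203.0.113.8 event=blacklist_blocked
2020-10-27T10:05:00 ip=203.0.113.12 event=page_pushed
2020-10-27T10:05:02 ip=203.0.113.12 event=verify_ok
2020-10-27T10:05:02 ip=203.0.113.12 event=whitelist_granted
2020-10-27T10:10:09 ip=203.0.113.5 event=whitelist_released
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\w+)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, event) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append((datetime.fromisoformat(m["ts"]), m["ip"], m["event"]))
    # Stable sort by time only, so same-second events keep their logged order.
    return sorted(entries, key=lambda e: e[0])


def audit_log(entries, max_failures=3):
    """Return {ip: [finding, ...]} for behaviour worth an alarm (thresholds assumed)."""
    failures_since_ok = defaultdict(int)   # consecutive failed verifications per IP
    whitelisted = set()                    # IPs currently inside a white-list window
    findings = defaultdict(set)
    for _ts, ip, event in entries:
        if event == "verify_failed":
            failures_since_ok[ip] += 1
            if failures_since_ok[ip] >= max_failures:
                findings[ip].add("repeated_verification_failures")
        elif event == "verify_ok":
            failures_since_ok[ip] = 0
        elif event == "whitelist_granted":
            whitelisted.add(ip)
        elif event == "whitelist_released":
            whitelisted.discard(ip)
        elif event == "blacklist_blocked":
            # Human verification was passed, yet escape-proof detection blocked
            # the client before the window ended: the verification step was bypassed.
            if ip in whitelisted:
                findings[ip].add("blocked_while_whitelisted")
            whitelisted.discard(ip)
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, flags in audit_log(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(flags))
```

The "blocked while white-listed" finding is the one that feeds back into tuning: every such IP is a case where the human-computer verification admitted a client that the later audit had to block, which is the kind of optimization input the paragraph above refers to.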
It should be noted that the website access attack interception method introduced in the present application can be implemented on a cloud protection platform. Such a cloud protection platform covers various Web application attacks, provides users with security protection such as attack prevention, tamper prevention, paralysis prevention, and leakage prevention, and, combined with large-scale data traffic processing, visualizes the network security situation on a large screen so that the security situation is perceivable; at the same time, an abnormal website can be alerted in the form of short messages, mails, and the like. The present application describes only the above implementation platform as an example; other implementation platforms are not described in detail in this embodiment.
Referring to fig. 3, fig. 3 is a block diagram of a website access attack intercepting apparatus according to the present embodiment; the apparatus mainly includes: a detection starting unit 110, a human verification unit 120, a white list state unit 130, an escape-proof detection unit 140, and a blocking processing unit 150. The website access attack intercepting apparatus provided by this embodiment may be read in correspondence with the website access attack intercepting method.
The detection starting unit 110 is mainly used for starting human-computer detection for website access and acquiring an intercepted access request in the human-computer detection;
the artificial verification unit 120 is mainly used for invoking artificial verification in a human-computer detection page to perform request verification on the access request; if the verification is passed, triggering a white list state unit 130;
the white list state unit 130 is mainly configured to divide the client IP of the access request into a white list state within a preset time duration to respond to the access of the client IP;
the escape prevention detection unit 140 is mainly used for performing escape prevention detection on the website access behavior of the client IP within a preset time length;
the blocking processing unit 150 is mainly used for performing blacklist blocking processing on the client IP if it is determined through escape prevention detection that the client IP has an illegal behavior.
Optionally, the escape prevention detection unit may mainly include:
the credit library verification subunit is used for calling the IP credit library to perform IP matching verification on the client IP entering the white list state; if the matching is successful, triggering a judgment subunit; if the matching fails, triggering an attack audit subunit;
the judging subunit is used for judging that the client IP has violation behaviors;
the attack auditing subunit is used for auditing the client IP with the abnormal access behavior and judging that the client IP with the abnormal access behavior has the violation behavior; if the client IP has no abnormal access behavior, triggering a judgment subunit;
the judging subunit is used for judging whether the access time of the client IP reaches a preset time length; if so, triggering a first skip subunit; if not, triggering a second skip subunit;
the first skip subunit is used for executing the step of acquiring the intercepted access request in the man-machine detection;
and the second skip subunit is used for executing the step of judging whether the access time of the client IP reaches the preset time length.
Optionally, the attack auditing subunit may mainly include:
the frequency auditing subunit is used for auditing whether the number of access initiations ranks the client IP within the preset number of client IPs;
and the attack auditing subunit is used for judging that the client IP has abnormal access behavior if the client IP hits two or more web attack modules.
The embodiment provides a website access attack intercepting device, which mainly comprises: a memory and a processor.
Wherein the memory is used for storing a program;
and the processor, when executing the program, implements the steps of the website access attack blocking method described in the above embodiments; specific reference may be made to the description of the website access attack blocking method.
Referring to fig. 4, a schematic structural diagram of the website access attack blocking apparatus provided in this embodiment is shown, where the website access attack blocking apparatus may generate a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 322 (e.g., one or more processors) and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. Memory 332 may be, among other things, transient or persistent storage. The program stored in memory 332 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a data processing device. Still further, the central processor 322 may be configured to communicate with the memory 332 to execute a series of instruction operations in the storage medium 330 on the website access attack blocking apparatus 301.
The website access attack blocking apparatus 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps in the website access attack intercepting method described in fig. 1 above may be implemented by the structure of the website access attack intercepting apparatus introduced in this embodiment.
The present embodiment discloses a readable storage medium, on which a program is stored, and when the program is executed by a processor, the steps of the website access attack interception method described in the foregoing embodiment are implemented, which may specifically refer to the description of the website access attack interception method in the foregoing embodiment.
The readable storage medium may be a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The website access attack interception method, device, equipment and readable storage medium provided by the application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. A website access attack interception method is characterized by comprising the following steps:
starting man-machine detection aiming at website access, and acquiring an intercepted access request in the man-machine detection;
invoking artificial verification in the human-computer detection to perform request verification on the access request;
if the verification is passed, the client IP of the access request is divided into a white list state within a preset time length so as to respond to the access of the client IP;
performing escape-prevention detection on the website access behavior of the client IP within the preset time length;
and if the client IP is judged to have violation behaviors through the anti-escape detection, carrying out blacklist blocking processing on the client IP.
2. The method for intercepting website access attack according to claim 1, wherein performing escape-proof detection on website access behavior of the client IP within the preset duration comprises:
calling an IP credit library to carry out IP matching verification on the client IP entering the white list state;
if the matching is successful, judging that the client IP has violation behaviors;
if the matching fails, auditing the client IP with the abnormal access behavior, and judging that the client IP with the abnormal access behavior has the violation behavior;
if the client IP does not have abnormal access behavior, judging whether the access time of the client IP reaches the preset duration or not;
if yes, executing the step of obtaining the intercepted access request in the human-computer detection;
and if not, executing the step of judging whether the access time of the client IP reaches the preset time length.
3. The method for intercepting website access attack according to claim 2, wherein the auditing of the client IP having abnormal access behavior comprises:
auditing whether the number of access initiations ranks the client IP within the preset number of client IPs;
and if the client IP hits two or more web attack modules, judging that the client IP has abnormal access behavior.
4. The website access attack intercepting method according to claim 1, further comprising, after the initiating of the human-machine detection for website access:
and recording the detection process corresponding to the client IP and generating a detection log.
5. The website access attack interception method according to claim 4, further comprising, after recording the detection procedure corresponding to the client IP:
and carrying out attack detection on the operation behaviors recorded in the detection log.
6. An interception apparatus of a website access attack, the apparatus comprising:
the detection starting unit is used for starting man-machine detection aiming at website access and acquiring an intercepted access request in the man-machine detection;
the artificial verification unit is used for calling artificial verification in the human-computer detection to carry out request verification on the access request; if the verification is passed, triggering a white list state unit;
the white list state unit is used for dividing the client IP of the access request into a white list state within a preset time length so as to respond to the access of the client IP;
the escape prevention detection unit is used for carrying out escape prevention detection on the website access behavior of the client IP within the preset time length;
and the blocking processing unit is used for carrying out blacklist blocking processing on the client IP if the client IP is judged to have violation behaviors through the anti-escape detection.
7. The website access attack intercepting apparatus according to claim 6, wherein the escape prevention detecting unit includes:
a credit library verification subunit, configured to invoke an IP credit library to perform IP matching verification on the client IP entering the white list state; if the matching is successful, triggering a judgment subunit; if the matching fails, triggering an attack audit subunit;
the judging subunit is used for judging that the client IP has violation behaviors;
the attack auditing subunit is used for auditing the client IP with the abnormal access behavior and judging that the client IP with the abnormal access behavior has the violation behavior; if the client IP has no abnormal access behavior, triggering a judgment subunit;
the judging subunit is configured to judge whether the access time of the client IP reaches the preset duration; if so, triggering a first skip subunit; if not, triggering a second skip subunit;
the first skip subunit is configured to perform the step of acquiring the intercepted access request in the human-computer detection;
and the second skip subunit is configured to execute a step of judging whether the access time of the client IP reaches the preset duration.
8. The website access attack intercepting apparatus according to claim 7, wherein the attack audit subunit includes:
the frequency auditing subunit is used for auditing whether the number of access initiations ranks the client IP within the preset number of client IPs;
and the attack auditing subunit is used for judging that the client IP has abnormal access behavior if the client IP hits two or more web attack modules.
9. A website access attack intercepting apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the website access attack interception method according to any one of claims 1 to 5 when executing said computer program.
10. A readable storage medium, having a program stored thereon, which when executed by a processor, performs the steps of the website access attack interception method according to any one of claims 1 to 5.
CN202011163719.9A 2020-10-27 2020-10-27 Website access attack interception method and related components Active CN112351006B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011163719.9A CN112351006B (en) 2020-10-27 2020-10-27 Website access attack interception method and related components

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011163719.9A CN112351006B (en) 2020-10-27 2020-10-27 Website access attack interception method and related components

Publications (2)

Publication Number Publication Date
CN112351006A true CN112351006A (en) 2021-02-09
CN112351006B CN112351006B (en) 2022-04-26

Family

ID=74358679

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011163719.9A Active CN112351006B (en) 2020-10-27 2020-10-27 Website access attack interception method and related components

Country Status (1)

Country Link
CN (1) CN112351006B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140373139A1 (en) * 2013-06-13 2014-12-18 Alibaba Group Holding Limited Method and system of distinguishing between human and machine
CN107330311A (en) * 2017-06-29 2017-11-07 苏州锦佰安信息技术有限公司 A kind of method and apparatus of man-machine identification
WO2018028430A1 (en) * 2016-08-08 2018-02-15 阿里巴巴集团控股有限公司 Method, apparatus and system for identification and auxiliary identification of fake traffic
CN108055241A (en) * 2017-11-15 2018-05-18 滨州市工商行政管理局 A kind of defence method and system of CC attacks
CN109413023A (en) * 2018-08-24 2019-03-01 阿里巴巴集团控股有限公司 The training of machine recognition model and machine identification method, device, electronic equipment
CN110120933A (en) * 2018-02-07 2019-08-13 阿里巴巴集团控股有限公司 Air control, man-machine identification and data processing method, equipment and system
CN110147659A (en) * 2019-05-15 2019-08-20 四川长虹电器股份有限公司 Noninductive verification method based on machine learning
CN110912874A (en) * 2019-11-07 2020-03-24 苏宁云计算有限公司 Method and system for effectively identifying machine access behaviors
US20200097643A1 (en) * 2018-09-24 2020-03-26 Georgia Tech Research Corporation rtCaptcha: A Real-Time Captcha Based Liveness Detection System
CN111314323A (en) * 2020-01-21 2020-06-19 江苏艾佳家居用品有限公司 DDOS (distributed denial of service) accurate identification method based on application layer
CN111327615A (en) * 2020-02-21 2020-06-23 浙江德迅网络安全技术有限公司 CC attack protection method and system

Also Published As

Publication number Publication date
CN112351006B (en) 2022-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant