CN113242260B - Attack detection method and device, electronic equipment and storage medium - Google Patents

Attack detection method and device, electronic equipment and storage medium

Info

Publication number
CN113242260B
Authority
CN
China
Prior art keywords
packet
data
target
data packet
target object
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110643746.4A
Other languages
Chinese (zh)
Other versions
CN113242260A (en)
Inventor
荣鑫
刘小刚
郑东欣
沈之芳
黄波
赵玉琛
田威
罗龙
黄倩颖
梁铭珊
肖慧闵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention provides an attack detection method, an attack detection device, electronic equipment and a storage medium. Taking into account that the transport layer transmits on a best-effort basis, while an Http message is being received, a target object serving as a comparison reference for a target data packet to be detected in the packet body is determined from the packet header and the other data packets in the packet body; whether the Http message is being transmitted at best effort is then determined by comparing the data amount of the target data packet with the data amount of the target object, so that a slow Http denial of service attack is detected. Based on the invention, the slow Http denial of service attack can be detected accurately and rapidly, and the stability of the detection is improved.

Description

Attack detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of software technologies, and in particular, to an attack detection method and apparatus, an electronic device, and a storage medium.
Background
DDoS (Distributed Denial of Service) has become an important threat in the field of network security today. DDoS attacks typically occur without any precursor and the attacker can drain the resources of the target server with little effort.
As an internal system of the bank, the system exchanges information with external service providers by interfacing with them over Http; when the Http link is hijacked, the system may be subjected to Http Post flooding attacks, of which Slow Http Post (the slow Http denial of service attack) is one.
Therefore, how to effectively detect the Slow Http Post attack is an urgent problem to be solved.
Disclosure of Invention
In view of the above, to solve the above problems, the present invention provides an attack detection method, apparatus, electronic device and storage medium, and the technical solution is as follows:
one aspect of the present invention provides an attack detection method, including:
receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
aiming at a target data packet to be detected, determining a target object serving as a comparison reference from the packet header and other data packets in the packet body;
and detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
Preferably, the method further comprises:
extracting a field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body;
and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, executing the step of determining a target object serving as a comparison reference of the target data packet aiming at the target data packet to be detected from the packet header and other data packets in the packet body.
Preferably, the type of the target data packet is a first data packet received for the first time;
correspondingly, the determining a target object as a reference for comparison from the packet header and other data packets in the packet body includes:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object includes:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
Preferably, the type of the target data packet is a second data packet received non-first time and non-last time;
correspondingly, the determining a target object as a comparison reference from the packet header and other data packets in the packet body includes:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object includes:
and if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
Another aspect of the present invention provides an attack detection apparatus, including:
the packet receiving module is used for receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
the attack detection module is used for determining a target object serving as a comparison reference of the target data packet to be detected from the packet header and other data packets in the packet body aiming at the target data packet to be detected; and detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
Preferably, the attack detection module is further configured to:
extracting a field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body; and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, executing the step of determining a target object serving as a comparison reference of the target data packet aiming at the target data packet to be detected from the packet header and other data packets in the packet body.
Preferably, the type of the target data packet is a first data packet received for the first time;
correspondingly, the attack detection module, configured to determine a target object as a comparison reference from the packet header and other data packets in the packet body, is specifically configured to:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the attack detection module, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
Preferably, the type of the target data packet is a second data packet received non-first time and non-last time;
correspondingly, the attack detection module, configured to determine a target object as a comparison reference from the packet header and other data packets in the packet body, is specifically configured to:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the attack detection module, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
Another aspect of the present invention provides an electronic device, including: at least one memory and at least one processor; the memory stores a program, and the processor calls the program stored in the memory, wherein the program is used for realizing any one of the attack detection methods.
Another aspect of the present invention provides a storage medium having stored therein computer-executable instructions for performing any one of the attack detection methods.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides an attack detection method, an attack detection device, electronic equipment and a storage medium. Taking into account that the transport layer transmits on a best-effort basis, while an Http message is being received, a target object serving as a comparison reference for a target data packet to be detected in the packet body is determined from the packet header and the other data packets in the packet body; whether the Http message is being transmitted at best effort is then determined by comparing the data amount of the target data packet with the data amount of the target object, so that a slow Http denial of service attack is detected. Based on the invention, the slow Http denial of service attack can be detected accurately and rapidly, and the stability of the detection is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram of a transmission manner of an Http message according to an embodiment of the present invention;
fig. 2 is a flowchart of a method of an attack detection method according to an embodiment of the present invention;
fig. 3 is a flowchart of another method of an attack detection method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an attack detection apparatus provided in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, the present invention is described in detail with reference to the accompanying drawings and the detailed description thereof.
To facilitate understanding of the present invention, concepts related to the present invention are explained below:
DDoS: Distributed Denial of Service. It refers to a plurality of attackers in different positions attacking one or more targets at the same time, or to one attacker controlling a plurality of machines in different positions and using them to attack the victim at the same time. Since the attack launch points are distributed in different places, this type of attack is called a distributed denial of service attack, in which there may be multiple attackers.
Slow Http Post: an application layer slow Http denial of service attack. The attacker transmits data using a normal Post request but sets the Content-Length field value in the message header to a large value. Then, in order to occupy the established request connection for a long time, the attacker sets a very small data transmission size in the transmission body (i.e. the packet body), which starts to be sent after the request header (i.e. the packet header) has been acknowledged, so that the WEB server considers the request data not yet completely transmitted and keeps the request connection open for a long time; when the server's connection resource pool is occupied by similar attack requests, a denial of service results.
At this stage, the usual defense against Slow Http Post is to respond according to TCP and UDP traffic or number of connections per hour. However, the related art is prone to errors in determination due to large changes in network traffic.
In contrast, the invention aims to establish a Slow Http Post attack detection scheme based on data packet inspection within the bank's internal system: the detailed content of each request packet body is examined, the Slow Http Post attack is prevented by judging the size of the received data packets, and the instability that may occur with traffic-volume-based approaches is avoided.
To implement the present invention, the inventors first analyze the operation characteristics of the best-effort transmission that the transport layer has:
when a user on the network sends an HTTP POST request to the WEB server, the transport layer has a best effort operational characteristic in order to achieve the most efficient data transfer and to optimize the transmission performance. The HTTP POST request is transmitted in the form of an HTTP message, and when the HTTP message is split into a plurality of data packets, the HTTP POST request is split and transmitted according to the maximum transmission size, which is an embodiment of best effort transmission.
Referring to the schematic diagram of the transmission manner of an Http message shown in fig. 1, the Http message is divided into a packet header and a packet body, where the packet body is composed of N data packets. During transmission of the Http message the packet header is transmitted first, and then the 1st data packet, the 2nd data packet, …, and the Nth data packet are transmitted in sequence. Of course, in some scenarios a packet in which the packet header and the 1st data packet are attached together is sent first, and then the remaining packets are sent in sequence. Normally, the data size of the 1st packet matches the maximum transmission size and is larger than the header and the other packets.
Based on this, in combination with the Slow Http Post attack principle, an embodiment of the present invention provides an attack detection method for Slow Http Post, where the method may be applied to a WEB server, and with reference to a method flowchart shown in fig. 2, the method includes the following steps:
and S10, receiving an Http message in transmission, wherein the Http message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets.
In the embodiment of the invention, the Http message in transmission is received through the gateway, and the Http message is sequentially received according to the header, the 1 st data packet, the 2 nd data packet, \ 8230 \ 8230, and the Nth data packet, with reference to fig. 1.
S20: for the target data packet to be detected, determining a target object serving as a comparison reference from the packet header and the other data packets in the packet body.
In the embodiment of the present invention, with continued reference to fig. 1, and considering that the transport layer has the best-effort operating characteristic, the target packet may be either the 1st packet or one of the 2nd to (N-1)th packets. Since the Nth packet is the last packet, it is likely to be the remainder left after splitting according to the maximum transmission size, so the probability that its data amount meets the best-effort operating characteristic is low; therefore the Nth packet is not selected as the target packet.
Further, if the target data packet is the 1st data packet, the target object serving as its comparison reference is the packet header; if the target data packet is one of the 2nd to (N-1)th data packets, the target object serving as the comparison reference is the 1st data packet.
S30: detecting whether the Http message has a slow Http denial of service attack by comparing the data volume of the target data packet with the data volume of the target object.
1) Referring to fig. 1, the 1st data packet is the first data packet, i.e. the one received first, and its target object is the packet header.
Correspondingly, in step S30, "detecting whether there is a slow Http denial of service attack in the Http message by comparing the data amount of the target data packet with the data amount of the target object" may adopt the following step:
if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
In the embodiment of the present invention, with reference to fig. 1, under normal conditions the data amount of the 1st data packet is larger than that of the packet header; therefore, once the data amount of the 1st data packet is smaller than or equal to the data amount of the packet header, it may be determined that the Http message carries a Slow Http Post attack.
Of course, if the data amount of the 1st packet is greater than that of the packet header, it is determined that no Slow Http Post attack is present at the time the 1st packet is received, and detection may continue by subsequently processing the 2nd to (N-1)th packets as target packets.
2) With reference to fig. 1, the ith data packet among the 2nd to (N-1)th data packets is a second data packet, i.e. one received neither first nor last, and its target object is the 1st data packet.
Correspondingly, in step S30, "detecting whether there is a slow Http denial of service attack in the Http message by comparing the data amount of the target data packet with the data amount of the target object" may adopt the following step:
if the data volume of the second data packet is larger than that of the first data packet, or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
In the embodiment of the present invention, with reference to fig. 1, under normal conditions the data size of the ith packet is not greater than that of the 1st packet; therefore, once the data size of the ith packet is greater than that of the 1st packet, the Http message is not exhibiting the best-effort operating characteristic during transmission, and it may be determined that the Http message carries a Slow Http Post attack.
In addition, if the data amount of the ith data packet is too small compared with that of the 1st data packet, the data transmission size of the ith data packet has been set very small, and it can likewise be determined that the Http message carries a Slow Http Post attack. Specifically, the embodiment of the present invention may set the data amount difference threshold according to the actual application scenario, where the threshold is a positive value; when the data amount difference between the 1st data packet and the ith data packet is greater than the threshold, the data amount of the ith data packet is considered too small.
Of course, if the data amount of the ith packet is less than or equal to that of the 1st packet, it is determined that no Slow Http Post attack is present at the time the ith packet is received, and detection may continue by subsequently processing the packets received after the ith packet as target packets.
In addition, if the data amount difference between the 1st data packet and the ith data packet is less than or equal to the data amount difference threshold, it is determined that no Slow Http Post attack is present at the time the ith data packet is received, and detection may continue by processing the data packets received after the ith data packet as target data packets.
It should be noted that, in the embodiment of the present invention, each data packet in the packet body of the Http message may be sequentially used as a target data packet to be detected, so as to implement Slow Http Post detection on detailed contents in the message. In addition, a data packet which meets a certain rule can be selected from the packet body of the Http message as a target data packet according to the certain rule, such as random extraction, a certain time interval or a certain sampling frequency, so as to reduce the processing amount of Slow Http Post detection. The method and the device can be set by combining with an actual application scene, and the method and the device are not limited in the embodiment of the invention.
It should be further noted that, in the embodiment of the present invention, the detection of the packet header or the data amount of the data packet in the Http message may be obtained by using the prior art, for example, in an analysis manner, which is not limited in the embodiment of the present invention.
In other embodiments, in order to improve the Slow Http Post attack detection efficiency, on the basis of the attack detection method shown in fig. 1, an embodiment of the present invention further includes the following steps, and a flowchart of the method is shown in fig. 3, and includes:
S40: extracting the field value of a target field in the packet header, wherein the target field is used for representing the overall data volume of the packet body; if the overall data amount corresponding to the field value is greater than the preset data amount threshold, step S20 is executed.
In the embodiment of the invention, the target field in the packet header is the Content-Length field, and before transmission of the Http message starts the transport layer sets the Content-Length field value to a number matching the overall data volume (namely the sum of the data volumes) of all the data packets in the packet body. Therefore, the overall data volume of the packet body that follows can be determined by extracting the field value of the target field in the packet header; if the overall data volume is larger than the data volume threshold value, the Http message is considered highly likely to belong to a Slow Http Post, and the subsequent Slow Http Post attack detection is started at that moment.
Of course, if the overall data amount corresponding to the field value is less than or equal to the data amount threshold, no further operation is performed and the subsequent Slow Http Post attack detection is not carried out, so as to reduce the data processing amount. In this way the speed of processing the data packets is improved, efficiency is improved, and the impact on normal Post request transactions is avoided.
It should be noted that, for the data amount difference threshold and the data amount threshold in the embodiment of the present invention, appropriate values may be obtained through simulation training of the present invention, so as to improve the accuracy of attack detection.
In the attack detection method provided by the embodiment of the invention, taking into account that the transport layer transmits on a best-effort basis, while the Http message is being received, a target object serving as a comparison reference for the target data packet to be detected in the packet body is determined from the packet header and the other data packets in the packet body; whether the Http message is being transmitted at best effort is then determined by comparing the data amounts of the target data packet and the target object, so that a slow Http denial of service attack is detected. Based on the invention, the slow Http denial of service attack can be detected accurately and rapidly, and the stability of the detection is improved.
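The following added example (not code from the patent or its assignee) implements steps S10 to S40 as a streaming detector: a message is modelled as a header size, a Content-Length value and the body packet sizes in arrival order, and the patent's three comparisons are applied with assumed threshold values and constructed sample messages.

```python
"""Slow Http Post detector following steps S10 to S40 of the method.

Added example, not code from the patent or its assignee. It models an Http message
as a packet header followed by N body data packets arriving in order and applies
the patent's size comparisons:
  S40  inspect the body only if Content-Length exceeds a data-amount threshold;
  1st  packet vs. header: attack if size(1st) <= size(header);
  ith  packet (2..N-1) vs. 1st: attack if size(i) > size(1st)
       or size(1st) - size(i) > a difference threshold;
  Nth  (last) packet is never used as a target packet.
Threshold values and the sample messages are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlowPostDetector:
    # Assumed tunables; the patent leaves both thresholds to deployment-specific tuning.
    body_size_threshold: int = 4096      # S40 data-amount threshold, bytes
    size_diff_threshold: int = 1000      # allowed shortfall relative to the 1st packet, bytes
    # Per-message state filled in as the header and packets arrive.
    header_size: int = 0
    content_length: int = 0
    bytes_received: int = 0
    packets_seen: int = 0
    first_packet_size: Optional[int] = None
    verdict: Optional[str] = None        # reason string once an attack is flagged

    def on_header(self, header_size: int, content_length: int) -> bool:
        """S10/S40: record the header; True means body packets will be inspected."""
        self.header_size = header_size
        self.content_length = content_length
        return content_length > self.body_size_threshold

    def on_packet(self, size: int) -> Optional[str]:
        """S20/S30: evaluate one body packet; returns a reason once an attack is detected."""
        if self.verdict is not None or self.content_length <= self.body_size_threshold:
            return self.verdict
        self.packets_seen += 1
        self.bytes_received += size
        # The packet that completes Content-Length is the Nth (last) one: likely a
        # remainder of the maximum-size split, so the patent excludes it from comparison.
        if self.bytes_received >= self.content_length:
            return None
        if self.packets_seen == 1:
            # 1st packet: compare against the header (S30, case 1).
            self.first_packet_size = size
            if size <= self.header_size:
                self.verdict = f"1st packet {size} B <= header {self.header_size} B"
        else:
            # 2nd..(N-1)th packet: compare against the 1st packet (S30, case 2).
            ref = self.first_packet_size
            if size > ref:
                self.verdict = f"packet {self.packets_seen} ({size} B) > 1st packet ({ref} B)"
            elif ref - size > self.size_diff_threshold:
                self.verdict = (f"packet {self.packets_seen} ({size} B) is {ref - size} B "
                                f"below 1st packet ({ref} B)")
        return self.verdict


def detect(header_size: int, content_length: int, packet_sizes: List[int],
           **thresholds) -> Optional[str]:
    """Feed a whole message (packet sizes in arrival order) through a fresh detector."""
    det = SlowPostDetector(**thresholds)
    det.on_header(header_size, content_length)
    for size in packet_sizes:
        reason = det.on_packet(size)
        if reason is not None:
            return reason
    return None


if __name__ == "__main__":
    # Constructed sample messages: a normal 5180-byte upload split at a 1460-byte
    # segment size, and two slow-post shapes advertising a 10 MB body.
    print(detect(320, 5180, [1460, 1460, 1460, 800]))   # None
    print(detect(320, 10_000_000, [1, 1, 1]))           # 1st packet 1 B <= header 320 B
    print(detect(320, 10_000_000, [1460, 1460, 5]))     # packet 3 (5 B) is 1455 B below 1st packet (1460 B)
```

A body whose Content-Length stays at or below the S40 threshold is never inspected, so a tiny single-packet upload is not flagged.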
Based on the attack detection method provided by the above embodiment, an embodiment of the present invention correspondingly provides a device for executing the attack detection method, where a schematic structural diagram of the device is shown in fig. 4, and the device includes:
the message receiving module 10 is configured to receive an Http message during transmission, where the Http message includes a packet header and a packet body, and the packet body includes multiple data packets;
an attack detection module 20, configured to determine, for a target data packet to be detected, a target object serving as a comparison reference from a packet header and other data packets in a packet body; and detecting whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object.
Optionally, the attack detection module 20 is further configured to:
extracting the field value of a target field in the packet header, wherein the target field is used for representing the whole data volume of the packet body; and if the overall data volume corresponding to the field value is larger than a preset data volume threshold value, determining a target object serving as a comparison reference of the target data packet from the packet header and other data packets in the packet body aiming at the target data packet to be detected.
Optionally, the type of the target data packet is a first data packet received for the first time;
correspondingly, the attack detection module 20 for determining the target object as the comparison reference from the packet header and other data packets in the packet body is specifically configured to:
taking the packet header as a target object corresponding to the first data packet;
correspondingly, the attack detection module 20, configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, is specifically configured to:
and if the data volume of the first data packet is less than or equal to the data volume of the packet header, determining that the Http message has a slow Http denial of service attack.
Optionally, the type of the target data packet is a second data packet received non-first time and non-last time;
correspondingly, the attack detection module 20 for determining the target object as the comparison reference from the packet header and other data packets in the packet body is specifically configured to:
taking the first data packet received for the first time as a target object corresponding to the second data packet;
correspondingly, the attack detection module 20 is configured to detect whether the Http message has a slow Http denial of service attack by comparing the data amount of the target data packet with the data amount of the target object, and specifically configured to:
and if the data volume of the second data packet is larger than that of the first data packet or the data volume difference between the first data packet and the second data packet is larger than a preset data volume difference threshold value, determining that the Http message has a slow Http denial of service attack.
It should be noted that, for the detailed functions of each module in the embodiment of the present invention, reference may be made to the corresponding disclosure of the embodiment of the attack detection method, and details are not described herein again.
Based on the attack detection method provided by the above embodiment, an embodiment of the present invention further provides an electronic device, where the electronic device includes: at least one memory and at least one processor; the memory stores a program, the processor calls the program stored in the memory, and the program is used for realizing the attack detection method.
Based on the attack detection method provided by the above embodiment, an embodiment of the present invention further provides a storage medium, where the storage medium stores computer-executable instructions, and the computer-executable instructions are used to execute the attack detection method.
The attack detection method, attack detection apparatus, electronic device and storage medium provided by the invention have been described in detail above. Specific examples have been used to explain the principle and implementation of the invention; the description of the above embodiments serves only to aid understanding of the method and its core idea. At the same time, a person skilled in the art may, in accordance with the idea of the invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the invention.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is kept brief, and the relevant points can be found in the description of the method.
It is further noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. An attack detection method, the method comprising:
receiving an HTTP message in transmission, wherein the HTTP message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
for a target data packet to be detected, determining, from among the packet header and the other data packets in the packet body, a target object serving as a comparison reference for the target data packet;
detecting whether the HTTP message is subject to a slow HTTP denial-of-service attack by comparing the data volume of the target data packet with the data volume of the target object;
wherein, if the target data packet is the first data packet, i.e. the data packet received first,
the determining of a target object serving as a comparison reference from among the packet header and the other data packets in the packet body comprises:
taking the packet header as the target object corresponding to the first data packet;
and the detecting whether the HTTP message is subject to a slow HTTP denial-of-service attack by comparing the data volume of the target data packet with the data volume of the target object comprises:
determining that the HTTP message is subject to a slow HTTP denial-of-service attack if the data volume of the first data packet is less than or equal to the data volume of the packet header.
2. The method of claim 1, further comprising:
extracting the field value of a target field in the packet header, wherein the target field represents the overall data volume of the packet body;
and, if the overall data volume indicated by the field value is greater than a preset data volume threshold, performing the step of determining, for the target data packet to be detected, a target object serving as a comparison reference for the target data packet from among the packet header and the other data packets in the packet body.
3. The method of claim 1, wherein, if the target data packet is a second data packet, i.e. a data packet received neither first nor last,
the determining of a target object serving as a comparison reference from among the packet header and the other data packets in the packet body comprises:
taking the first data packet, the data packet received first, as the target object corresponding to the second data packet;
and the detecting whether the HTTP message is subject to a slow HTTP denial-of-service attack by comparing the data volume of the target data packet with the data volume of the target object comprises:
determining that the HTTP message is subject to a slow HTTP denial-of-service attack if the data volume of the second data packet is greater than that of the first data packet, or if the difference in data volume between the first data packet and the second data packet is greater than a preset data volume difference threshold.
4. An attack detection apparatus, characterized in that the apparatus comprises:
a message receiving module configured to receive an HTTP message in transmission, wherein the HTTP message comprises a packet header and a packet body, and the packet body comprises a plurality of data packets;
an attack detection module configured to determine, for a target data packet to be detected, a target object serving as a comparison reference for the target data packet from among the packet header and the other data packets in the packet body, and to detect whether the HTTP message is subject to a slow HTTP denial-of-service attack by comparing the data volume of the target data packet with the data volume of the target object;
wherein, if the target data packet is the first data packet, i.e. the data packet received first,
the attack detection module, in determining a target object serving as a comparison reference from among the packet header and the other data packets in the packet body, is specifically configured to:
take the packet header as the target object corresponding to the first data packet;
and, in detecting whether the HTTP message is subject to a slow HTTP denial-of-service attack by comparing the data volume of the target data packet with the data volume of the target object, is specifically configured to:
determine that the HTTP message is subject to a slow HTTP denial-of-service attack if the data volume of the first data packet is less than or equal to the data volume of the packet header.
5. The apparatus of claim 4, wherein the attack detection module is further configured to:
extract the field value of a target field in the packet header, wherein the target field represents the overall data volume of the packet body; and, if the overall data volume indicated by the field value is greater than a preset data volume threshold, perform the step of determining, for the target data packet to be detected, a target object serving as a comparison reference for the target data packet from among the packet header and the other data packets in the packet body.
6. The apparatus of claim 4, wherein, if the target data packet is a second data packet, i.e. a data packet received neither first nor last,
the attack detection module, in determining a target object serving as a comparison reference from among the packet header and the other data packets in the packet body, is specifically configured to:
take the first data packet, the data packet received first, as the target object corresponding to the second data packet;
and, in detecting whether the HTTP message is subject to a slow HTTP denial-of-service attack by comparing the data volume of the target data packet with the data volume of the target object, is specifically configured to:
determine that the HTTP message is subject to a slow HTTP denial-of-service attack if the data volume of the second data packet is greater than that of the first data packet, or if the difference in data volume between the first data packet and the second data packet is greater than a preset data volume difference threshold.
7. An electronic device, characterized in that the electronic device comprises: at least one memory and at least one processor; the memory stores a program, and the processor calls the program stored in the memory, the program implementing the attack detection method of any one of claims 1 to 3.
8. A storage medium storing computer-executable instructions for performing the attack detection method of any one of claims 1 to 3.
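The per-packet comparisons of claims 1 to 3 (and of the attack detection module described above), worked through in Python as an added illustration. This is not code from the patent or from Bank of China Ltd. The patent fixes neither "preset" threshold, does not say how the packet body is divided into data packets, and gives no header parser, so the threshold values, the use of Content-Length as the field representing the overall body size, the treatment of each TCP segment carrying the body as one data packet, and the sample request are all assumptions made here.

```python
"""
Slow HTTP POST detection modelled on claims 1 to 3 of CN113242260B.
Added illustration, not the patent's or the assignee's code. Assumptions (not
fixed by the patent): both "preset" thresholds, Content-Length as the field
giving the overall body size, one TCP segment = one "data packet", and the
header-parsing details.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BODY_SIZE_THRESHOLD = 1024   # assumed value of the claim 2 "preset data volume threshold"
SIZE_DIFF_THRESHOLD = 256    # assumed value of the claim 3 "preset data volume difference threshold"


def split_head(raw: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Return the request head (request line, headers, blank line) and a lower-cased header map."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is incomplete")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return head + sep, headers


@dataclass
class SlowPostDetector:
    """State for one request; feed the body packets in arrival order."""
    header_len: int
    content_length: Optional[int]
    first_len: Optional[int] = None
    seen: int = 0

    @classmethod
    def from_request(cls, raw: bytes) -> "SlowPostDetector":
        head, headers = split_head(raw)
        cl = headers.get("content-length")
        length = int(cl) if cl is not None and cl.isdigit() else None
        return cls(header_len=len(head), content_length=length)

    def body_is_large(self) -> bool:
        """Claim 2 gate: only bodies announced as larger than the threshold are inspected."""
        return self.content_length is not None and self.content_length > BODY_SIZE_THRESHOLD

    def on_packet(self, packet: bytes, is_last: bool = False) -> Optional[str]:
        """Apply the claim 1 / claim 3 comparison to one body packet; return a reason or None."""
        self.seen += 1
        size = len(packet)
        if not self.body_is_large():
            return None
        if self.seen == 1:
            # Claim 1: the comparison reference for the first packet is the packet header.
            self.first_len = size
            if size <= self.header_len:
                return f"first packet {size}B <= header {self.header_len}B"
            return None
        if is_last or self.first_len is None:
            # The claims compare only packets received neither first nor last.
            return None
        # Claim 3: the comparison reference for every middle packet is the first packet.
        if size > self.first_len:
            return f"packet {self.seen} ({size}B) larger than first ({self.first_len}B)"
        if abs(self.first_len - size) > SIZE_DIFF_THRESHOLD:
            return (f"packet {self.seen} ({size}B) differs from first ({self.first_len}B) "
                    f"by more than {SIZE_DIFF_THRESHOLD}B")
        return None


def scan(raw_head: bytes, packets: List[bytes]) -> List[str]:
    """Run one request through the detector and collect every reason it reports."""
    det = SlowPostDetector.from_request(raw_head)
    hits: List[str] = []
    for i, pkt in enumerate(packets):
        reason = det.on_packet(pkt, is_last=(i == len(packets) - 1))
        if reason:
            hits.append(reason)
    return hits


# Constructed sample request head (not captured traffic).
SAMPLE_HEAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 100000\r\n"
    b"\r\n"
)
NORMAL_PACKETS = [b"a" * 1460, b"b" * 1460, b"c" * 1460, b"d" * 700]   # steady MSS-sized upload
SLOW_PACKETS = [b"x"] * 5                                               # one byte per packet
RAMP_PACKETS = [b"a" * 1460, b"b" * 200, b"c" * 1460]                   # a middle packet shrinks

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL_PACKETS), ("slow", SLOW_PACKETS), ("ramp", RAMP_PACKETS)):
        print(name, scan(SAMPLE_HEAD, pkts) or "no alert")
```

Running the block prints one line per scenario. The tests are exactly the claimed comparisons: the first body packet is flagged when it is no larger than the header, a middle packet when it is larger than the first packet or differs from it by more than the threshold, and the last packet is never compared. Because the reference quantity is the size of whatever unit the detector treats as a "data packet", a benign client whose first body write happens to be short (a small TCP MSS, or an application that flushes a few bytes before the bulk) also trips the first-packet rule, so the claim 2 body-size gate and the two thresholds are what keep the false-positive rate down in practice.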
CN202110643746.4A 2021-06-09 2021-06-09 Attack detection method and device, electronic equipment and storage medium Active CN113242260B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110643746.4A CN113242260B (en) 2021-06-09 2021-06-09 Attack detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110643746.4A CN113242260B (en) 2021-06-09 2021-06-09 Attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113242260A CN113242260A (en) 2021-08-10
CN113242260B true CN113242260B (en) 2023-02-21

Family

ID=77139391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110643746.4A Active CN113242260B (en) 2021-06-09 2021-06-09 Attack detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113242260B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448661B (en) * 2021-12-16 2023-05-05 北京邮电大学 Method for detecting slow denial of service attack and related equipment
CN116074083B (en) * 2023-01-28 2023-06-23 天翼云科技有限公司 Method and device for identifying slow attack, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106471778A (en) * 2014-07-04 2017-03-01 日本电信电话株式会社 Attack detecting device, attack detection method and attack detecting program
CN109040140A (en) * 2018-10-16 2018-12-18 杭州迪普科技股份有限公司 Slow attack detection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130017333A (en) * 2011-08-10 2013-02-20 한국전자통신연구원 Attack decision system of slow distributed denial of service based application layer and method of the same

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Deng Shiqi et al., "Slow HTTP POST attack detection method based on packet inspection" (基于数据包检查的Slow HTTP POST攻击检测方法), 《网络空间安全》 (Cyberspace Security), 2018-02-28, pp. 60-63 *

Also Published As

Publication number Publication date
CN113242260A (en) 2021-08-10

Similar Documents

Publication Publication Date Title
CN109194680B (en) Network attack identification method, device and equipment
US8966627B2 (en) Method and apparatus for defending distributed denial-of-service (DDoS) attack through abnormally terminated session
CN108173812B (en) Method, device, storage medium and equipment for preventing network attack
US8661522B2 (en) Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
CN100588201C (en) Defense method aiming at DDoS attack
CN113242260B (en) Attack detection method and device, electronic equipment and storage medium
CN107395632B (en) SYN Flood protection method, device, cleaning equipment and medium
CN110784464B (en) Client verification method, device and system for flooding attack and electronic equipment
US20120324573A1 (en) Method for determining whether or not specific network session is under denial-of-service attack and method for the same
Cambiaso et al. Slowcomm: Design, development and performance evaluation of a new slow DoS attack
CN111565203B (en) Method, device and system for protecting service request and computer equipment
CN110719256A (en) IP fragment attack defense method and device and network attack defense equipment
CN107454065B (en) Method and device for protecting UDP Flood attack
CN113179280A (en) Deception defense method and device based on malicious code external connection behaviors and electronic equipment
CN109474623B (en) Network security protection and parameter determination method, device, equipment and medium thereof
CN108418844B (en) Application layer attack protection method and attack protection terminal
CN112565307B (en) Method and device for performing entrance management and control on DDoS attack
CN113765849B (en) Abnormal network flow detection method and device
US11178177B1 (en) System and method for preventing session level attacks
CN101795277A (en) Flow detection method and equipment in unidirectional flow detection mode
CN110233838B (en) Pulse type attack defense method, device and equipment
CN112738110A (en) Bypass blocking method and device, electronic equipment and storage medium
CN108471427B (en) Method and device for defending attack
CN108551461A (en) It is a kind of to detect the method that WAF is disposed, the method for calculating WAF support IPV6 degree
CN112087464B (en) SYN Flood attack cleaning method and device, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant