CN113556343A - DDoS attack defense method and device based on browser fingerprint identification - Google Patents

DDoS attack defense method and device based on browser fingerprint identification Download PDF

Info

Publication number
CN113556343A
CN113556343A CN202110827021.0A CN202110827021A CN113556343A CN 113556343 A CN113556343 A CN 113556343A CN 202110827021 A CN202110827021 A CN 202110827021A CN 113556343 A CN113556343 A CN 113556343A
Authority
CN
China
Prior art keywords
browser
browser fingerprint
fingerprint
statistical period
accept
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110827021.0A
Other languages
Chinese (zh)
Other versions
CN113556343B (en
Inventor
白锦龙
刘瑞全
张超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiang Nan Information Security Beijing Technology Co ltd
Original Assignee
Jiang Nan Information Security Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiang Nan Information Security Beijing Technology Co ltd filed Critical Jiang Nan Information Security Beijing Technology Co ltd
Priority to CN202110827021.0A priority Critical patent/CN113556343B/en
Publication of CN113556343A publication Critical patent/CN113556343A/en
Application granted granted Critical
Publication of CN113556343B publication Critical patent/CN113556343B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The DDoS attack defense method and equipment based on browser fingerprint identification are characterized in that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment; when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained; when each statistical period is finished, HTTP request feature calculation is carried out to obtain feature scores, and the feature scores are sorted from high to low to obtain browser fingerprint IDs of N before ranking; and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period. The invention solves the problems that the prior art can not distinguish attack flow, is easy to cause serious influence on other users in the same source IP and has poor defense effect.

Description

DDoS attack defense method and device based on browser fingerprint identification
Technical Field
The invention relates to the technical field of network security, in particular to a DDoS attack defense method and device based on browser fingerprint identification.
Background
HTTP is short for Hypertext transfer protocol, i.e. Hypertext transfer protocol, and is a data transfer protocol that specifies the rules for communication between a browser and a web server and transfers web documents via the internet.
NAT is the abbreviation of Network Address Translation, i.e. Network Address Translation, belongs to the access Wide Area Network (WAN) technology, is a Translation technology for translating private or reserved IP Address into legal IP Address of wide area Network, and is widely applied to various Internet access modes and various networks. NAT not only perfectly solves the problem of insufficient lP address, but also can effectively avoid the attack from the outside of the network, and hide and protect the computer inside the network.
DoS is a short term for Denial of Service, i.e., Denial of Service, and the attack behavior of DoS is called DoS attack, which aims to make a computer or a network unable to provide normal services. Because the bandwidth resources of the computer network and the concurrent connection quantity of the network services are limited, as long as any one of the resources is exhausted, normal users cannot use the computer network services.
DDoS is a short for Distributed Denial of Service attack, that is, a Distributed Denial of Service attack, and refers to a method of initiating a DoS attack on one or more targets by combining a plurality of computers as an attack platform by means of a client/server technology, thereby exponentially improving the power of Denial of Service attack.
Unlike DoS attacks that use only one computer to launch the attack, DDoS uses a large number of computers to launch the attack simultaneously, and these computers are often scattered across different networks. The computers organized to launch DDoS attacks are uniformly controlled by a DDoS attack initiator to form an attack platform, often referred to as Botnet, i.e., a Botnet.
The HTTP DDoS attack is a DDoS attack which achieves the purpose of attack based on an HTTP protocol. The HTTP protocol bears most of Web services on the Internet at present, and any computer can be connected due to the openness of the Web services, so that the HTTP DDoS attack defense method has very important significance.
At present, two main defense methods for HTTP DDoS attack in network security equipment are available:
firstly, limiting the HTTP request rate of a source IP to defend HTTP DDoS attack:
the technology is mainly based on the limitation of the threshold value of the HTTP request rate, and when the request rate reaches the threshold value set by a user, the subsequent request data are discarded. If the threshold set by the user is N (times)/second, when the number of HTTP requests flowing through the network security device reaches N times/second, the network security device discards HTTP requests exceeding the threshold; because the attack traffic and the normal traffic under the same source IP cannot be distinguished, the proportion of the filtered attack traffic is still large, the normal traffic is small, and the defense effect is poor.
Secondly, the HTTP DDoS attack is defended by carrying out man-machine identification authentication on the source IP:
because an automation tool or script is needed to initiate the HTTP DDoS attack, if response messages (usually a javascript script) which cannot be processed by some attackers but can be processed by normal users are sent to the automation tool or script, the attack traffic and the normal traffic can be distinguished. For example, in the network security device, instead of responding to the HTTP message by the Web Server, the message content is a javascript statement that prompts a manual click and initiates an HTTP request with verification information again after the click, and the automation tool or script cannot process the content, and only a normal user can process the content. The network safety equipment confirms the verification information after receiving the HTTP request message with the verification information, if the HTTP request message is legal, the HTTP request is forwarded to the Web Server, and if not, the HTTP request is discarded. Therefore, the HTTP requests initiated by normal users and the HTTP requests initiated by the automation tool or the script are distinguished, and the HTTP DDoS attack can be defended by discarding the HTTP requests initiated by the automation tool or the script.
In the actual engineering implementation, in order to prevent each request from responding to an authentication message, thereby causing great consumption of network bandwidth and network security equipment computing resources, no response message operation is performed on all HTTP requests from a certain source IP, but only response message operation is performed on HTTP requests from a certain source IP which fails to pass authentication, after authentication is successful, the source IP is added into a white list, and subsequent HTTP requests of the source IP are directly forwarded by the network security equipment without authentication. If the man-machine identification authentication mechanism is not combined with the source IP white list for use, all HTTP requests need to be authenticated, so that the network security equipment needs to send authentication traffic equal to attack traffic, network bandwidth is easy to jam, a large amount of computing resources of the network security equipment are consumed, and large-scale HTTP DDoS attacks cannot be resisted. If the man-machine identification authentication mechanism is used in combination with the source IP white list, the attack traffic under the same source IP can be easily forwarded to the Web Server after the authentication is passed, and the defense effect is poor.
Both the two defense methods limit the source IP, and due to the existence of a large number of NAT network environments, serious influence is easily caused on other users in the same source IP, such as other users under the same source IP are easily blocked. A new DDoS attack defense technical scheme is urgently needed.
Disclosure of Invention
Therefore, the invention provides a DDoS attack defense method and device based on browser fingerprint identification, and aims to solve the problems that attack flow cannot be distinguished, other users in the same source IP are easily affected seriously and the defense effect is poor in the prior art.
In order to achieve the above purpose, the invention provides the following technical scheme: a DDoS attack defense method based on browser fingerprint identification comprises the following steps:
the method comprises the steps that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment;
when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained;
when each statistical period is finished, performing HTTP request feature calculation to obtain feature scores, and sequencing the feature scores from high to low to obtain browser fingerprint IDs of N before ranking;
and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period.
As a preferable scheme of the DDoS attack defense method based on browser fingerprint identification, the browser fingerprint ID comprises a source IP, User-Agent field content, Accept-Language field content, Accept-Encoding field content and Accept-Charset field content in an HTTP request header.
As a preferable scheme of the DDoS attack defense method based on browser fingerprint identification, the method comprises the steps of carrying out character string connection operation on User-Agent field content, Accept-Languge field content, Accept-Encoding field content and Accept-Charset field content in the head of a source IP and an HTTP request, and carrying out hash function processing on the character string after the connection operation.
As a preferable scheme of the DDoS attack defense method based on browser fingerprint identification, when the Accept field content, Accept-Languge field content, Accept-Encoding field content or Accept-Charset field content in an HTTP request header does not exist, the non-existing field content is represented by adopting a character string 0.
As an optimal scheme of a DDoS attack defense method based on browser fingerprint identification, the scoring formula of the characteristic score is as follows:
Score=(avg1/avg2)*a+(self/total)*100
in the formula, Score is Score,/is arithmetic division, + is arithmetic multiplication, and + is arithmetic addition;
avg1 is the arithmetic average of the number of HTTP requests per second for the browser fingerprint over a statistical period;
avg2 is the average difference of the number of HTTP requests per second of the browser fingerprint in the statistical period;
a is an integer coefficient;
self is the sum of HTTP requests of the fingerprint of the browser in a statistical period;
total is the sum of the number of HTTP requests in a statistical period for all browser fingerprints.
As a preferable scheme of the DDoS attack defense method based on the browser fingerprint identification, the characteristic score is updated in each statistical period, and browser fingerprint IDs of N before ranking, which are ranked from high to low after the characteristic score is updated, are obtained.
As a preferred scheme of a DDoS attack defense method based on browser fingerprint identification, the determination method of N in N before ranking is as follows: the number of the browser fingerprint IDs of which the characteristic scores of the fingerprint IDs of a certain browser are larger than the average value of the characteristic scores of the fingerprint IDs of all browsers.
As a preferable scheme of the DDoS attack defense method based on the browser fingerprint identification, the feature score of the browser fingerprint ID newly generated in each statistical period is configured to be the highest value of the feature score of the current statistical period.
As an optimal scheme of a DDoS attack defense method based on browser fingerprint identification, in a statistical period, when browser fingerprint ID authentication after ranking is in the top N passes, man-machine identification authentication is not carried out any more.
The invention also provides DDoS attack defense equipment based on the browser fingerprint identification, and the DDoS attack defense method based on the browser fingerprint identification comprises the following steps:
the network security equipment is erected at the front end of the Web server and is used for filtering the HTTP request sent to the Web server;
the browser fingerprint acquisition module is used for extracting the fingerprint of the browser sending the HTTP request according to a preset statistical period to acquire a browser fingerprint ID when the network security equipment receives the HTTP request;
the characteristic score acquisition module is used for calculating the characteristic of the HTTP request when each statistical period is finished to acquire a characteristic score;
the characteristic score sorting module is used for sorting the characteristic scores from high to low to obtain browser fingerprint IDs of N before ranking;
and the attack defense module is used for performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the N-th place before the ranking in each statistical period.
The invention has the following advantages: the network security equipment is erected at the front end of the Web server, and the HTTP request sent to the Web server is filtered through the network security equipment; when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained; when each statistical period is finished, HTTP request feature calculation is carried out to obtain feature scores, and the feature scores are sorted from high to low to obtain browser fingerprint IDs of N before ranking; and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period. Compared with the traditional request rate limitation based on the source IP, the method is easy to cause that the attack traffic and the normal traffic are mixed together to carry out rate limitation under the NAT environment, so that a large amount of attack traffic cannot be filtered. The method and the system make request rate limitation on the basis of fingerprint identification and ranking of the browser, can effectively distinguish attack flow, have fine control granularity, hardly have influence on normal users, and have strong network adaptability; compared with the traditional human-computer identification authentication based on the source IP, the method responds to all request messages, and easily consumes the network bandwidth and computer resources of the browser, and the method performs the human-computer identification authentication on the basis of fingerprint identification and ranking of the browser, can selectively respond to the authentication messages, and reduces the network bandwidth and computer resource consumption of the browser; compared with the traditional man-machine identification authentication based on the source IP, if the method is used by combining a white list of the source IP, the attack flow under the same source IP can be easily transmitted to the Web Server after the authentication is passed, and particularly, the defense effect is poor under the NAT network environment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the functions and purposes of the present invention, should still fall within the scope of the present invention.
Fig. 1 is a schematic flowchart of a DDoS attack defense method based on browser fingerprint identification according to embodiment 1 of the present invention;
fig. 2 is a schematic diagram of DDoS attack defense deployment based on browser fingerprint identification according to embodiment 1 of the present invention;
fig. 3 is a schematic diagram of a DDoS attack defense system based on browser fingerprint identification according to embodiment 2 of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to fig. 1 and 2, a DDoS attack defense method based on browser fingerprint identification is provided, which includes the following steps:
the method comprises the steps that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment;
when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained;
when each statistical period is finished, performing HTTP request feature calculation to obtain feature scores, and sequencing the feature scores from high to low to obtain browser fingerprint IDs of N before ranking;
and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period.
In this embodiment, the browser fingerprint ID includes a source IP, User-Agent field content in an HTTP request header, Accept field content, Accept-Language field content, Accept-Encoding field content, and Accept-Charset field content. And carrying out character string connection operation on the User-Agent field content, the Accept-Language field content, the Accept-Encoding field content and the Accept-Charset field content in the source IP and HTTP request headers, and carrying out hash function processing on the character string after the connection operation. When the content of the Accept field, the content of the Accept-Language field, the content of the Accept-Encoding field or the content of the Accept-Charset field in the HTTP request header does not exist, the non-existing field content is represented by adopting a character string 0.
Specifically, the algorithm formula of the browser fingerprint ID is as follows:
ID=hash(ip+agent+accept+lang+enc+char)
in the formula, ID is fingerprint; the Hash is some Hash function, such as MD5, SHA1, etc.;
+ is a string join operation;
IP is a source IP character string;
agent is a User-Agent field content character string in the HTTP request header;
the Accept is an Accept field content character string in the HTTP request header, and if the field does not exist, the field is a character '0';
lang is the content character string of the Accept-Language field in the HTTP request header, and if the field does not exist, the field is a character '0';
enc is an Accept-Encoding field content character string in the HTTP request header, and if the field does not exist, the field is a character '0';
char is the content string of Accept-Charset field in HTTP request header, and if the field does not exist, the character is '0'.
Although the above formula has the condition that the fingerprint IDs of two browsers are the same with small probability, in an actual network environment, the physical distribution condition among the browsers accessing the same web server is more dispersed, the formula can be used for distinguishing most browsers, and the small probability conflict has no influence on the protection effect of the HTTP DDoS.
In this embodiment, the scoring formula of the feature score is as follows:
Score=(avg1/avg2)*a+(self/total)*100
in the formula, Score is Score,/is arithmetic division, + is arithmetic multiplication, and + is arithmetic addition;
avg1 is the arithmetic average of the number of HTTP requests per second for the browser fingerprint over a statistical period;
avg2 is the average difference of the number of HTTP requests per second of the browser fingerprint in the statistical period;
a is an integer coefficient;
self is the sum of HTTP requests of the fingerprint of the browser in a statistical period;
total is the sum of the number of HTTP requests in a statistical period for all browser fingerprints.
In this embodiment, the feature score is updated in each statistical period, and the browser fingerprint IDs of top-ranked N sorted from high to low after the feature score is updated are obtained. The determination mode of N in the N before ranking is as follows: the number of the browser fingerprint IDs of which the characteristic scores of the fingerprint IDs of a certain browser are larger than the average value of the characteristic scores of the fingerprint IDs of all browsers.
Specifically, each browser fingerprint ID corresponds to a feature Score, and the top N browser fingerprints with the highest Score can be calculated by updating the feature Score every minute for one minute as an example of the statistical period. N is an integer less than the total number of the browser fingerprints and is adjustable. The N value is automatically adjusted, and the number of the browser fingerprint IDs with the Score values larger than the average value of all Score values is set.
As can be seen from the scoring formula, the larger the number of HTTP requests per second of a certain browser fingerprint is, the larger the avg1 and self values are, the larger the Score is; the smaller the direct difference in the number of HTTP requests per second in one minute, the smaller the avg2, the larger the Score. For an automation tool or a browser for starting control of an HTTP DDoS attacker, the number of HTTP requests per second is large, the number of HTTP requests per second in a long time is close, and the Score value is large. The normal users have small HTTP requests per second, the difference between the HTTP requests per second in one minute is large, and the Score value is small. Therefore, the attack traffic is almost all ranked on the front of the Score, and the normal traffic is almost all ranked on the back of the Score, so that the attack traffic is distinguished from the normal traffic, and the request rate limitation and the man-machine identification authentication on the browser fingerprint with a larger Score value are more targeted and accurate.
In this embodiment, the feature score of the browser fingerprint ID newly generated in each statistical period is configured as the highest feature score of the current statistical period. And in a statistical period, when the browser fingerprint ID authentication ranked at the top N and the back is passed, the man-machine identification authentication is not carried out any more.
Specifically, the calculation of the HTTP request features is finished once every minute, the feature Score is obtained, and the top N browser fingerprint IDs with higher feature Score scores are obtained by sorting from high to low according to the feature Score. The newly generated browser fingerprint ID cannot acquire information required to calculate its feature Score because its HTTP request is less than one minute, so its Score is set to the highest value of all Score scores.
Specifically, a selection process of a defense method is carried out, all the browser fingerprint IDs are subjected to man-machine identification, authentication is carried out once per minute, other requests in the minute are discarded if the authentication fails, and the amount of authentication response messages is reduced; however, the first N browser fingerprint IDs must be authenticated once every minute, and other browser fingerprint IDs are not authenticated any more by human-machine identification as long as the authentication is passed. And all HTTP request traffic authenticated through man-machine identification is subjected to request rate limitation.
In summary, the network security device is arranged at the front end of the Web server, and the HTTP request sent to the Web server is filtered by the network security device; when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained; when each statistical period is finished, HTTP request feature calculation is carried out to obtain feature scores, and the feature scores are sorted from high to low to obtain browser fingerprint IDs of N before ranking; and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period. Compared with the traditional request rate limitation based on the source IP, the method is easy to cause that the attack traffic and the normal traffic are mixed together to carry out rate limitation under the NAT environment, so that a large amount of attack traffic cannot be filtered. The method and the system make request rate limitation on the basis of fingerprint identification and ranking of the browser, can effectively distinguish attack flow, have fine control granularity, hardly have influence on normal users, and have strong network adaptability; compared with the traditional human-computer identification authentication based on the source IP, the method responds to all request messages, and easily consumes the network bandwidth and computer resources of the browser, and the method performs the human-computer identification authentication on the basis of fingerprint identification and ranking of the browser, can selectively respond to the authentication messages, and reduces the network bandwidth and computer resource consumption of the browser; compared with the traditional man-machine identification authentication based on the source IP, if the method is used by combining a white list of the source IP, the attack flow under the same source IP can be easily transmitted to the Web Server after the authentication is passed, and particularly, the defense effect is poor under the NAT network environment.
After a Web server of a certain company is frequently attacked by HTTP DDoS, normal service interruption is caused, after traditional HTTP DDoS attack prevention equipment is deployed, part of users still cannot normally access the server, and uplink network bandwidth consumption of the Web service after the man-machine identification authentication is started is too large. The requirements are as follows:
1) the HTTP DDoS attack aiming at the Web server is effectively prevented;
2) the misjudgment rate of the protection product is reduced, and the access of normal users is not influenced;
3) the uplink network bandwidth of the Web service is not influenced, and the consumption of the network bandwidth cost is reduced.
After the technical scheme of the invention is adopted for deployment, the requirements are effectively solved.
Example 2
The invention also provides DDoS attack defense equipment based on browser fingerprint identification, and the DDoS attack defense method based on browser fingerprint identification adopting the first aspect or any possible implementation mode thereof comprises the following steps:
the network security device 1 is erected at the front end of the Web server and is used for filtering the HTTP request sent to the Web server;
the browser fingerprint acquisition module 2 is configured to, when the network security device receives the HTTP request, perform fingerprint extraction on a browser that sends the HTTP request according to a preset statistical period, and obtain a browser fingerprint ID;
a feature score obtaining module 3, configured to calculate the HTTP request feature to obtain a feature score when each statistical period is finished;
the characteristic score sorting module 4 is used for sorting the characteristic scores from high to low to obtain the browser fingerprint IDs of N before ranking;
and the attack defense module 5 is used for performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the N-th rank in each statistical period.
It should be noted that, for the information interaction, execution process, and other contents between the modules/units of the above-mentioned device, because the same concept is based on the method embodiment in embodiment 1 of the present application, the technical effect brought by the above-mentioned method embodiment is the same as that of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not described herein again.
Example 3
Embodiment 3 of the present invention provides a computer-readable storage medium, where a program code of a DDoS attack defense method based on browser fingerprint identification is stored in the computer-readable storage medium, where the program code includes an instruction for executing the DDoS attack defense method based on browser fingerprint identification of embodiment 1 or any possible implementation manner thereof.
The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Example 4
Embodiment 4 of the present invention provides an electronic device, where the electronic device includes a processor, the processor is coupled to a storage medium, and when the processor executes an instruction in the storage medium, the electronic device is enabled to execute the DDoS attack defense method based on browser fingerprint identification according to embodiment 1 or any possible implementation manner thereof.
Specifically, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated in the processor, located external to the processor, or stand-alone.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.).
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims (10)

1. A DDoS attack defense method based on browser fingerprint identification is characterized by comprising the following steps:
the method comprises the steps that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment;
when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained;
when each statistical period is finished, performing HTTP request feature calculation to obtain feature scores, and sequencing the feature scores from high to low to obtain browser fingerprint IDs of N before ranking;
and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period.
2. The DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein the browser fingerprint ID comprises a source IP, User-Agent field content in HTTP request header, Accept field content, Accept-Languge field content, Accept-Encoding field content and Accept-Charset field content.
3. The DDoS attack defense method based on browser fingerprint identification as claimed in claim 2, wherein the source IP, User-Agent field content, Accept-Language field content, Accept-Encoding field content and Accept-Charset field content in HTTP request header are subjected to character string connection operation, and the character string after connection operation is subjected to hash function processing.
4. The DDoS attack defense method based on browser fingerprint identification as claimed in claim 2, wherein when the Accept field content, Accept-Languge field content, Accept-Encoding field content or Accept-Charset field content in HTTP request header is not existed, the non-existed field content is represented by using character string 0.
5. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein said scoring formula of feature score is:
Score=(avg1/avg2)*a+(self/total)*100
in the formula, Score is Score,/is arithmetic division, + is arithmetic multiplication, and + is arithmetic addition;
avg1 is the arithmetic average of the number of HTTP requests per second for the browser fingerprint over a statistical period;
avg2 is the average difference of the number of HTTP requests per second of the browser fingerprint in the statistical period;
a is an integer coefficient;
self is the sum of HTTP requests of the fingerprint of the browser in a statistical period;
total is the sum of the number of HTTP requests in a statistical period for all browser fingerprints.
6. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein the feature score is updated in each statistical period, and the top N browser fingerprint IDs ranked from high to low after updating the feature score are obtained.
7. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein N of the top N is determined by: the number of the browser fingerprint IDs of which the characteristic scores of the fingerprint IDs of a certain browser are larger than the average value of the characteristic scores of the fingerprint IDs of all browsers.
8. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein the feature score of the newly generated browser fingerprint ID in each statistical period is configured as the highest value of the feature score of the current statistical period.
9. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein in a statistical period, when the browser fingerprint ID authentication ranked before N and after N passes, the man-machine identification authentication is not performed.
10. DDoS attack defense device based on browser fingerprint identification, which adopts the DDoS attack defense method based on browser fingerprint identification according to any one of claims 1 to 9, characterized by comprising:
the network security equipment is erected at the front end of the Web server and is used for filtering the HTTP request sent to the Web server;
the browser fingerprint acquisition module is used for extracting the fingerprint of the browser sending the HTTP request according to a preset statistical period to acquire a browser fingerprint ID when the network security equipment receives the HTTP request;
the characteristic score acquisition module is used for calculating the characteristic of the HTTP request when each statistical period is finished to acquire a characteristic score;
the characteristic score sorting module is used for sorting the characteristic scores from high to low to obtain browser fingerprint IDs of N before ranking;
and the attack defense module is used for performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the N-th place before the ranking in each statistical period.
CN202110827021.0A 2021-07-21 2021-07-21 DDoS attack defense method and device based on browser fingerprint identification Active CN113556343B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110827021.0A CN113556343B (en) 2021-07-21 2021-07-21 DDoS attack defense method and device based on browser fingerprint identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110827021.0A CN113556343B (en) 2021-07-21 2021-07-21 DDoS attack defense method and device based on browser fingerprint identification

Publications (2)

Publication Number Publication Date
CN113556343A true CN113556343A (en) 2021-10-26
CN113556343B CN113556343B (en) 2022-01-11

Family

ID=78103926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110827021.0A Active CN113556343B (en) 2021-07-21 2021-07-21 DDoS attack defense method and device based on browser fingerprint identification

Country Status (1)

Country Link
CN (1) CN113556343B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114866347A (en) * 2022-07-06 2022-08-05 浙江御安信息技术有限公司 Network security early warning method for DDoS attack recognition based on artificial intelligence
CN115102744A (en) * 2022-06-16 2022-09-23 京东科技信息技术有限公司 Data access method and device
CN115589340A (en) * 2022-12-12 2023-01-10 国网山东省电力公司泰安供电公司 Data robot detection method, device and medium based on RASP technology
WO2024141796A1 (en) * 2022-12-28 2024-07-04 Radware Ltd. Techniques for generating application-layer signatures characterizing advanced application-layer flood attack tools

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618721A (en) * 2013-12-03 2014-03-05 彭岸峰 XSS preventing security service
CN104092665A (en) * 2014-06-19 2014-10-08 小米科技有限责任公司 Access request filtering method, device and facility
US20150341312A1 (en) * 2014-05-20 2015-11-26 Avaya, Inc. Firewall traversal for web real-time communications
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
US20180367506A1 (en) * 2015-08-05 2018-12-20 Intralinks, Inc. Systems and methods of secure data exchange
CN109309664A (en) * 2018-08-14 2019-02-05 中国科学院数据与通信保护研究教育中心 A kind of browser fingerprint detection behavior monitoring method
US20190327325A1 (en) * 2015-05-21 2019-10-24 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
CN111181912A (en) * 2019-08-27 2020-05-19 腾讯科技(深圳)有限公司 Browser identifier processing method and device, electronic equipment and storage medium
CN111786966A (en) * 2020-06-15 2020-10-16 中国建设银行股份有限公司 Method and device for browsing webpage
CN112003873A (en) * 2020-08-31 2020-11-27 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack
US20210014245A1 (en) * 2017-12-01 2021-01-14 Trusted Knight Corporation In-stream malware protection
CN112685682A (en) * 2021-03-16 2021-04-20 连连(杭州)信息技术有限公司 Method, device, equipment and medium for identifying forbidden object of attack event

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618721A (en) * 2013-12-03 2014-03-05 彭岸峰 XSS preventing security service
US20150341312A1 (en) * 2014-05-20 2015-11-26 Avaya, Inc. Firewall traversal for web real-time communications
CN104092665A (en) * 2014-06-19 2014-10-08 小米科技有限责任公司 Access request filtering method, device and facility
US20190327325A1 (en) * 2015-05-21 2019-10-24 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US20180367506A1 (en) * 2015-08-05 2018-12-20 Intralinks, Inc. Systems and methods of secure data exchange
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
US20210014245A1 (en) * 2017-12-01 2021-01-14 Trusted Knight Corporation In-stream malware protection
CN109309664A (en) * 2018-08-14 2019-02-05 中国科学院数据与通信保护研究教育中心 A kind of browser fingerprint detection behavior monitoring method
CN111181912A (en) * 2019-08-27 2020-05-19 腾讯科技(深圳)有限公司 Browser identifier processing method and device, electronic equipment and storage medium
CN111786966A (en) * 2020-06-15 2020-10-16 中国建设银行股份有限公司 Method and device for browsing webpage
CN112003873A (en) * 2020-08-31 2020-11-27 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack
CN112685682A (en) * 2021-03-16 2021-04-20 连连(杭州)信息技术有限公司 Method, device, equipment and medium for identifying forbidden object of attack event

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
MARTIN LASTOVICKA;TOMAS JIRSIK;PAVEL CELEDA,STANISLAV SPACEK,DAN: "passive os fingerpringt methods in the jungle of wireless networks", 《IEEE》 *
刘泽宇等: "基于Web行为轨迹的应用层DDoS攻击防御模型", 《计算机应用》 *
张梦媛: "浏览器的安全访问及指纹识别技术", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115102744A (en) * 2022-06-16 2022-09-23 京东科技信息技术有限公司 Data access method and device
CN114866347A (en) * 2022-07-06 2022-08-05 浙江御安信息技术有限公司 Network security early warning method for DDoS attack recognition based on artificial intelligence
CN115589340A (en) * 2022-12-12 2023-01-10 国网山东省电力公司泰安供电公司 Data robot detection method, device and medium based on RASP technology
WO2024141796A1 (en) * 2022-12-28 2024-07-04 Radware Ltd. Techniques for generating application-layer signatures characterizing advanced application-layer flood attack tools

Also Published As

Publication number Publication date
CN113556343B (en) 2022-01-11

Similar Documents

Publication Publication Date Title
CN113556343B (en) DDoS attack defense method and device based on browser fingerprint identification
US20190222589A1 (en) Method computing device for detecting malicious domain names in network traffic
US10623376B2 (en) Qualifying client behavior to mitigate attacks on a host
US11212305B2 (en) Web application security methods and systems
EP2863611B1 (en) Device for detecting cyber attack based on event analysis and method thereof
US9386078B2 (en) Controlling application programming interface transactions based on content of earlier transactions
CN109194680B (en) Network attack identification method, device and equipment
US8893278B1 (en) Detecting malware communication on an infected computing device
US9602525B2 (en) Classification of malware generated domain names
US8661522B2 (en) Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
JP5832951B2 (en) Attack determination device, attack determination method, and attack determination program
CN103428224A (en) Method and device for intelligently defending DDoS attacks
CN112839017B (en) Network attack detection method and device, equipment and storage medium thereof
EP3270317A1 (en) Dynamic security module server device and operating method thereof
Mishra et al. Intelligent phishing detection system using similarity matching algorithms
US20230412591A1 (en) Traffic processing method and protection system
US11128639B2 (en) Dynamic injection or modification of headers to provide intelligence
CN113518064A (en) Defense method and device for challenging black hole attack, computer equipment and storage medium
US9465921B1 (en) Systems and methods for selectively authenticating queries based on an authentication policy
Niu et al. Using XGBoost to discover infected hosts based on HTTP traffic
WO2024036822A1 (en) Method and apparatus for determining malicious domain name, device, and medium
CN115802357B (en) 5G distribution network feeder automation control method, device and storage medium
CN114726579B (en) Method, device, equipment, storage medium and program product for defending network attack
CN115001839A (en) Information security protection system and method based on Internet big data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: DDoS attack defense methods and devices based on browser fingerprint recognition

Effective date of registration: 20230526

Granted publication date: 20220111

Pledgee: Haidian Beijing science and technology enterprise financing Company limited by guarantee

Pledgor: JIANG NAN INFORMATION SECURITY (BEIJING) TECHNOLOGY CO.,LTD.

Registration number: Y2023110000206

PE01 Entry into force of the registration of the contract for pledge of patent right