CN113556343B - DDoS attack defense method and device based on browser fingerprint identification - Google Patents
DDoS attack defense method and device based on browser fingerprint identification Download PDFInfo
- Publication number
- CN113556343B CN113556343B CN202110827021.0A CN202110827021A CN113556343B CN 113556343 B CN113556343 B CN 113556343B CN 202110827021 A CN202110827021 A CN 202110827021A CN 113556343 B CN113556343 B CN 113556343B
- Authority
- CN
- China
- Prior art keywords
- browser
- browser fingerprint
- fingerprint
- statistical period
- accept
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The DDoS attack defense method and equipment based on browser fingerprint identification are characterized in that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment; when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained; when each statistical period is finished, HTTP request feature calculation is carried out to obtain feature scores, and the feature scores are sorted from high to low to obtain browser fingerprint IDs of N before ranking; and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period. The invention solves the problems that the prior art can not distinguish attack flow, is easy to cause serious influence on other users in the same source IP and has poor defense effect.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a DDoS attack defense method and device based on browser fingerprint identification.
Background
HTTP is short for Hypertext transfer protocol, i.e. Hypertext transfer protocol, and is a data transfer protocol that specifies the rules for communication between a browser and a web server and transfers web documents via the internet.
NAT is the abbreviation of Network Address Translation, i.e. Network Address Translation, belongs to the access Wide Area Network (WAN) technology, is a Translation technology for translating private or reserved IP Address into legal IP Address of wide area Network, and is widely applied to various Internet access modes and various networks. NAT not only perfectly solves the problem of insufficient lP address, but also can effectively avoid the attack from the outside of the network, and hide and protect the computer inside the network.
DoS is a short term for Denial of Service, i.e., Denial of Service, and the attack behavior of DoS is called DoS attack, which aims to make a computer or a network unable to provide normal services. Because the bandwidth resources of the computer network and the concurrent connection quantity of the network services are limited, as long as any one of the resources is exhausted, normal users cannot use the computer network services.
DDoS is a short for Distributed Denial of Service attack, that is, a Distributed Denial of Service attack, and refers to a method of initiating a DoS attack on one or more targets by combining a plurality of computers as an attack platform by means of a client/server technology, thereby exponentially improving the power of Denial of Service attack.
Unlike DoS attacks that use only one computer to launch the attack, DDoS uses a large number of computers to launch the attack simultaneously, and these computers are often scattered across different networks. The computers organized to launch DDoS attacks are uniformly controlled by a DDoS attack initiator to form an attack platform, often referred to as Botnet, i.e., a Botnet.
The HTTP DDoS attack is a DDoS attack which achieves the purpose of attack based on an HTTP protocol. The HTTP protocol bears most of Web services on the Internet at present, and any computer can be connected due to the openness of the Web services, so that the HTTP DDoS attack defense method has very important significance.
At present, two main defense methods for HTTP DDoS attack in network security equipment are available:
firstly, limiting the HTTP request rate of a source IP to defend HTTP DDoS attack:
the technology is mainly based on the limitation of the threshold value of the HTTP request rate, and when the request rate reaches the threshold value set by a user, the subsequent request data are discarded. If the threshold set by the user is N (times)/second, when the number of HTTP requests flowing through the network security device reaches N times/second, the network security device discards HTTP requests exceeding the threshold; because the attack traffic and the normal traffic under the same source IP cannot be distinguished, the proportion of the filtered attack traffic is still large, the normal traffic is small, and the defense effect is poor.
Secondly, the HTTP DDoS attack is defended by carrying out man-machine identification authentication on the source IP:
because an automation tool or script is needed to initiate the HTTP DDoS attack, if response messages (usually a javascript script) which cannot be processed by some attackers but can be processed by normal users are sent to the automation tool or script, the attack traffic and the normal traffic can be distinguished. For example, in the network security device, instead of responding to the HTTP message by the Web Server, the message content is a javascript statement that prompts a manual click and initiates an HTTP request with verification information again after the click, and the automation tool or script cannot process the content, and only a normal user can process the content. The network safety equipment confirms the verification information after receiving the HTTP request message with the verification information, if the HTTP request message is legal, the HTTP request is forwarded to the Web Server, and if not, the HTTP request is discarded. Therefore, the HTTP requests initiated by normal users and the HTTP requests initiated by the automation tool or the script are distinguished, and the HTTP DDoS attack can be defended by discarding the HTTP requests initiated by the automation tool or the script.
In the actual engineering implementation, in order to prevent each request from responding to an authentication message, thereby causing great consumption of network bandwidth and network security equipment computing resources, no response message operation is performed on all HTTP requests from a certain source IP, but only response message operation is performed on HTTP requests from a certain source IP which fails to pass authentication, after authentication is successful, the source IP is added into a white list, and subsequent HTTP requests of the source IP are directly forwarded by the network security equipment without authentication. If the man-machine identification authentication mechanism is not combined with the source IP white list for use, all HTTP requests need to be authenticated, so that the network security equipment needs to send authentication traffic equal to attack traffic, network bandwidth is easy to jam, a large amount of computing resources of the network security equipment are consumed, and large-scale HTTP DDoS attacks cannot be resisted. If the man-machine identification authentication mechanism is used in combination with the source IP white list, the attack traffic under the same source IP can be easily forwarded to the Web Server after the authentication is passed, and the defense effect is poor.
Both the two defense methods limit the source IP, and due to the existence of a large number of NAT network environments, serious influence is easily caused on other users in the same source IP, such as other users under the same source IP are easily blocked. A new DDoS attack defense technical scheme is urgently needed.
Disclosure of Invention
Therefore, the invention provides a DDoS attack defense method and device based on browser fingerprint identification, and aims to solve the problems that attack flow cannot be distinguished, other users in the same source IP are easily affected seriously and the defense effect is poor in the prior art.
In order to achieve the above purpose, the invention provides the following technical scheme: a DDoS attack defense method based on browser fingerprint identification comprises the following steps:
the method comprises the steps that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment;
when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained;
when each statistical period is finished, performing HTTP request feature calculation to obtain feature scores, and sequencing the feature scores from high to low to obtain browser fingerprint IDs of N before ranking;
and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period.
As a preferable scheme of the DDoS attack defense method based on browser fingerprint identification, the browser fingerprint ID comprises a source IP, User-Agent field content, Accept-Language field content, Accept-Encoding field content and Accept-Charset field content in an HTTP request header.
As a preferable scheme of the DDoS attack defense method based on browser fingerprint identification, the method comprises the steps of carrying out character string connection operation on User-Agent field content, Accept-Languge field content, Accept-Encoding field content and Accept-Charset field content in the head of a source IP and an HTTP request, and carrying out hash function processing on the character string after the connection operation.
As a preferable scheme of the DDoS attack defense method based on browser fingerprint identification, when the Accept field content, Accept-Languge field content, Accept-Encoding field content or Accept-Charset field content in an HTTP request header does not exist, the non-existing field content is represented by adopting a character string 0.
As an optimal scheme of a DDoS attack defense method based on browser fingerprint identification, the scoring formula of the characteristic score is as follows:
Score=(avg1/avg2)*a+(self/total)*100
in the formula, Score is Score,/is arithmetic division, + is arithmetic multiplication, and + is arithmetic addition;
avg1 is the arithmetic average of the number of HTTP requests per second for the browser fingerprint over a statistical period;
avg2 is the average difference of the number of HTTP requests per second of the browser fingerprint in the statistical period;
a is an integer coefficient;
self is the sum of HTTP requests of the fingerprint of the browser in a statistical period;
total is the sum of the number of HTTP requests in a statistical period for all browser fingerprints.
As a preferable scheme of the DDoS attack defense method based on the browser fingerprint identification, the characteristic score is updated in each statistical period, and browser fingerprint IDs of N before ranking, which are ranked from high to low after the characteristic score is updated, are obtained.
As a preferred scheme of a DDoS attack defense method based on browser fingerprint identification, the determination method of N in N before ranking is as follows: the number of the browser fingerprint IDs of which the characteristic scores of the fingerprint IDs of a certain browser are larger than the average value of the characteristic scores of the fingerprint IDs of all browsers.
As a preferable scheme of the DDoS attack defense method based on the browser fingerprint identification, the feature score of the browser fingerprint ID newly generated in each statistical period is configured to be the highest value of the feature score of the current statistical period.
As an optimal scheme of a DDoS attack defense method based on browser fingerprint identification, in a statistical period, when browser fingerprint ID authentication after ranking is in the top N passes, man-machine identification authentication is not carried out any more.
The invention also provides DDoS attack defense equipment based on the browser fingerprint identification, and the DDoS attack defense method based on the browser fingerprint identification comprises the following steps:
the network security equipment is erected at the front end of the Web server and is used for filtering the HTTP request sent to the Web server;
the browser fingerprint acquisition module is used for extracting the fingerprint of the browser sending the HTTP request according to a preset statistical period to acquire a browser fingerprint ID when the network security equipment receives the HTTP request;
the characteristic score acquisition module is used for calculating the characteristic of the HTTP request when each statistical period is finished to acquire a characteristic score;
the characteristic score sorting module is used for sorting the characteristic scores from high to low to obtain browser fingerprint IDs of N before ranking;
and the attack defense module is used for performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the N-th place before the ranking in each statistical period.
The invention has the following advantages: the network security equipment is erected at the front end of the Web server, and the HTTP request sent to the Web server is filtered through the network security equipment; when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained; when each statistical period is finished, HTTP request feature calculation is carried out to obtain feature scores, and the feature scores are sorted from high to low to obtain browser fingerprint IDs of N before ranking; and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period. Compared with the traditional request rate limitation based on the source IP, the method is easy to cause that the attack traffic and the normal traffic are mixed together to carry out rate limitation under the NAT environment, so that a large amount of attack traffic cannot be filtered. The method and the system make request rate limitation on the basis of fingerprint identification and ranking of the browser, can effectively distinguish attack flow, have fine control granularity, hardly have influence on normal users, and have strong network adaptability; compared with the traditional human-computer identification authentication based on the source IP, the method responds to all request messages, and easily consumes the network bandwidth and computer resources of the browser, and the method performs the human-computer identification authentication on the basis of fingerprint identification and ranking of the browser, can selectively respond to the authentication messages, and reduces the network bandwidth and computer resource consumption of the browser; compared with the traditional man-machine identification authentication based on the source IP, if the method is used by combining a white list of the source IP, the attack flow under the same source IP can be easily transmitted to the Web Server after the authentication is passed, and particularly, the defense effect is poor under the NAT network environment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the functions and purposes of the present invention, should still fall within the scope of the present invention.
Fig. 1 is a schematic flowchart of a DDoS attack defense method based on browser fingerprint identification according to embodiment 1 of the present invention;
fig. 2 is a schematic diagram of DDoS attack defense deployment based on browser fingerprint identification according to embodiment 1 of the present invention;
fig. 3 is a schematic diagram of a DDoS attack defense system based on browser fingerprint identification according to embodiment 2 of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to fig. 1 and 2, a DDoS attack defense method based on browser fingerprint identification is provided, which includes the following steps:
the method comprises the steps that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment;
when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained;
when each statistical period is finished, performing HTTP request feature calculation to obtain feature scores, and sequencing the feature scores from high to low to obtain browser fingerprint IDs of N before ranking;
and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period.
In this embodiment, the browser fingerprint ID includes a source IP, User-Agent field content in an HTTP request header, Accept field content, Accept-Language field content, Accept-Encoding field content, and Accept-Charset field content. And carrying out character string connection operation on the User-Agent field content, the Accept-Language field content, the Accept-Encoding field content and the Accept-Charset field content in the source IP and HTTP request headers, and carrying out hash function processing on the character string after the connection operation. When the content of the Accept field, the content of the Accept-Language field, the content of the Accept-Encoding field or the content of the Accept-Charset field in the HTTP request header does not exist, the non-existing field content is represented by adopting a character string 0.
Specifically, the algorithm formula of the browser fingerprint ID is as follows:
ID=hash(ip+agent+accept+lang+enc+char)
in the formula, ID is fingerprint; the Hash is some Hash function, such as MD5, SHA1, etc.;
+ is a string join operation;
IP is a source IP character string;
agent is a User-Agent field content character string in the HTTP request header;
the Accept is an Accept field content character string in the HTTP request header, and if the field does not exist, the field is a character '0';
lang is the content character string of the Accept-Language field in the HTTP request header, and if the field does not exist, the field is a character '0';
enc is an Accept-Encoding field content character string in the HTTP request header, and if the field does not exist, the field is a character '0';
char is the content string of Accept-Charset field in HTTP request header, and if the field does not exist, the character is '0'.
Although the above formula has the condition that the fingerprint IDs of two browsers are the same with small probability, in an actual network environment, the physical distribution condition among the browsers accessing the same web server is more dispersed, the formula can be used for distinguishing most browsers, and the small probability conflict has no influence on the protection effect of the HTTP DDoS.
In this embodiment, the scoring formula of the feature score is as follows:
Score=(avg1/avg2)*a+(self/total)*100
in the formula, Score is Score,/is arithmetic division, + is arithmetic multiplication, and + is arithmetic addition;
avg1 is the arithmetic average of the number of HTTP requests per second for the browser fingerprint over a statistical period;
avg2 is the average difference of the number of HTTP requests per second of the browser fingerprint in the statistical period;
a is an integer coefficient;
self is the sum of HTTP requests of the fingerprint of the browser in a statistical period;
total is the sum of the number of HTTP requests in a statistical period for all browser fingerprints.
In this embodiment, the feature score is updated in each statistical period, and the browser fingerprint IDs of top-ranked N sorted from high to low after the feature score is updated are obtained. The determination mode of N in the N before ranking is as follows: the number of the browser fingerprint IDs of which the characteristic scores of the fingerprint IDs of a certain browser are larger than the average value of the characteristic scores of the fingerprint IDs of all browsers.
Specifically, each browser fingerprint ID corresponds to a feature Score, and the top N browser fingerprints with the highest Score can be calculated by updating the feature Score every minute for one minute as an example of the statistical period. N is an integer less than the total number of the browser fingerprints and is adjustable. The N value is automatically adjusted, and the number of the browser fingerprint IDs with the Score values larger than the average value of all Score values is set.
As can be seen from the scoring formula, the larger the number of HTTP requests per second of a certain browser fingerprint is, the larger the avg1 and self values are, the larger the Score is; the smaller the direct difference in the number of HTTP requests per second in one minute, the smaller the avg2, the larger the Score. For an automation tool or a browser for starting control of an HTTP DDoS attacker, the number of HTTP requests per second is large, the number of HTTP requests per second in a long time is close, and the Score value is large. The normal users have small HTTP requests per second, the difference between the HTTP requests per second in one minute is large, and the Score value is small. Therefore, the attack traffic is almost all ranked on the front of the Score, and the normal traffic is almost all ranked on the back of the Score, so that the attack traffic is distinguished from the normal traffic, and the request rate limitation and the man-machine identification authentication on the browser fingerprint with a larger Score value are more targeted and accurate.
In this embodiment, the feature score of the browser fingerprint ID newly generated in each statistical period is configured as the highest feature score of the current statistical period. And in a statistical period, when the browser fingerprint ID authentication ranked at the top N and the back is passed, the man-machine identification authentication is not carried out any more.
Specifically, the calculation of the HTTP request features is finished once every minute, the feature Score is obtained, and the top N browser fingerprint IDs with higher feature Score scores are obtained by sorting from high to low according to the feature Score. The newly generated browser fingerprint ID cannot acquire information required to calculate its feature Score because its HTTP request is less than one minute, so its Score is set to the highest value of all Score scores.
Specifically, a selection process of a defense method is carried out, all the browser fingerprint IDs are subjected to man-machine identification, authentication is carried out once per minute, other requests in the minute are discarded if the authentication fails, and the amount of authentication response messages is reduced; however, the first N browser fingerprint IDs must be authenticated once every minute, and other browser fingerprint IDs are not authenticated any more by human-machine identification as long as the authentication is passed. And all HTTP request traffic authenticated through man-machine identification is subjected to request rate limitation.
In summary, the network security device is arranged at the front end of the Web server, and the HTTP request sent to the Web server is filtered by the network security device; when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained; when each statistical period is finished, HTTP request feature calculation is carried out to obtain feature scores, and the feature scores are sorted from high to low to obtain browser fingerprint IDs of N before ranking; and performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the top N in each statistical period. Compared with the traditional request rate limitation based on the source IP, the method is easy to cause that the attack traffic and the normal traffic are mixed together to carry out rate limitation under the NAT environment, so that a large amount of attack traffic cannot be filtered. The method and the system make request rate limitation on the basis of fingerprint identification and ranking of the browser, can effectively distinguish attack flow, have fine control granularity, hardly have influence on normal users, and have strong network adaptability; compared with the traditional human-computer identification authentication based on the source IP, the method responds to all request messages, and easily consumes the network bandwidth and computer resources of the browser, and the method performs the human-computer identification authentication on the basis of fingerprint identification and ranking of the browser, can selectively respond to the authentication messages, and reduces the network bandwidth and computer resource consumption of the browser; compared with the traditional man-machine identification authentication based on the source IP, if the method is used by combining a white list of the source IP, the attack flow under the same source IP can be easily transmitted to the Web Server after the authentication is passed, and particularly, the defense effect is poor under the NAT network environment.
After a Web server of a certain company is frequently attacked by HTTP DDoS, normal service interruption is caused, after traditional HTTP DDoS attack prevention equipment is deployed, part of users still cannot normally access the server, and uplink network bandwidth consumption of the Web service after the man-machine identification authentication is started is too large. The requirements are as follows:
1) the HTTP DDoS attack aiming at the Web server is effectively prevented;
2) the misjudgment rate of the protection product is reduced, and the access of normal users is not influenced;
3) the uplink network bandwidth of the Web service is not influenced, and the consumption of the network bandwidth cost is reduced.
After the technical scheme of the invention is adopted for deployment, the requirements are effectively solved.
Example 2
The invention also provides DDoS attack defense equipment based on browser fingerprint identification, and the DDoS attack defense method based on browser fingerprint identification adopting the first aspect or any possible implementation mode thereof comprises the following steps:
the network security device 1 is erected at the front end of the Web server and is used for filtering the HTTP request sent to the Web server;
the browser fingerprint acquisition module 2 is configured to, when the network security device receives the HTTP request, perform fingerprint extraction on a browser that sends the HTTP request according to a preset statistical period, and obtain a browser fingerprint ID;
a feature score obtaining module 3, configured to calculate the HTTP request feature to obtain a feature score when each statistical period is finished;
the characteristic score sorting module 4 is used for sorting the characteristic scores from high to low to obtain the browser fingerprint IDs of N before ranking;
and the attack defense module 5 is used for performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the N-th rank in each statistical period.
It should be noted that, for the information interaction, execution process, and other contents between the modules/units of the above-mentioned device, because the same concept is based on the method embodiment in embodiment 1 of the present application, the technical effect brought by the above-mentioned method embodiment is the same as that of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not described herein again.
Example 3
The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Example 4
Embodiment 4 of the present invention provides an electronic device, where the electronic device includes a processor, the processor is coupled to a storage medium, and when the processor executes an instruction in the storage medium, the electronic device is enabled to execute the DDoS attack defense method based on browser fingerprint identification according to embodiment 1 or any possible implementation manner thereof.
Specifically, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated in the processor, located external to the processor, or stand-alone.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.).
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.
Claims (9)
1. A DDoS attack defense method based on browser fingerprint identification is characterized by comprising the following steps:
the method comprises the steps that network security equipment is erected at the front end of a Web server, and HTTP requests sent to the Web server are filtered through the network security equipment;
when the network security equipment receives the HTTP request, fingerprint extraction is carried out on the browser sending the HTTP request according to a preset counting period, and a browser fingerprint ID is obtained;
when each statistical period is finished, performing HTTP request feature calculation to obtain feature scores, and sequencing the feature scores from high to low to obtain browser fingerprint IDs of N before ranking;
performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of N before the ranking in each statistical period;
the scoring formula of the feature score is as follows:
Score=(avg1/avg2)*a+(self/total)*100
in the formula, Score is Score,/is arithmetic division, + is arithmetic multiplication, and + is arithmetic addition;
avg1 is the arithmetic average of the number of HTTP requests per second for the browser fingerprint over a statistical period;
avg2 is the average difference of the number of HTTP requests per second of the browser fingerprint in the statistical period;
a is an integer coefficient;
self is the sum of HTTP requests of the fingerprint of the browser in a statistical period;
total is the sum of the number of HTTP requests in a statistical period for all browser fingerprints.
2. The DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein the browser fingerprint ID comprises a source IP, User-Agent field content in HTTP request header, Accept field content, Accept-Languge field content, Accept-Encoding field content and Accept-Charset field content.
3. The DDoS attack defense method based on browser fingerprint identification as claimed in claim 2, wherein the source IP, User-Agent field content, Accept-Language field content, Accept-Encoding field content and Accept-Charset field content in HTTP request header are subjected to character string connection operation, and the character string after connection operation is subjected to hash function processing.
4. The DDoS attack defense method based on browser fingerprint identification as claimed in claim 2, wherein when the Accept field content, Accept-Languge field content, Accept-Encoding field content or Accept-Charset field content in HTTP request header is not existed, the non-existed field content is represented by using character string 0.
5. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein the feature score is updated in each statistical period, and the top N browser fingerprint IDs ranked from high to low after updating the feature score are obtained.
6. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein N of the top N is determined by: the number of the browser fingerprint IDs of which the characteristic scores of the fingerprint IDs of a certain browser are larger than the average value of the characteristic scores of the fingerprint IDs of all browsers.
7. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein the feature score of the newly generated browser fingerprint ID in each statistical period is configured as the highest value of the feature score of the current statistical period.
8. A DDoS attack defense method based on browser fingerprint identification according to claim 1, wherein in a statistical period, when the browser fingerprint ID authentication ranked before N and after N passes, the man-machine identification authentication is not performed.
9. DDoS attack defense equipment based on browser fingerprint identification, which adopts the DDoS attack defense method based on browser fingerprint identification of any one of claims 1 to 8, and is characterized by comprising the following steps:
the network security equipment is erected at the front end of the Web server and is used for filtering the HTTP request sent to the Web server;
the browser fingerprint acquisition module is used for extracting the fingerprint of the browser sending the HTTP request according to a preset statistical period to acquire a browser fingerprint ID when the network security equipment receives the HTTP request;
the characteristic score acquisition module is used for calculating the characteristic of the HTTP request when each statistical period is finished to acquire a characteristic score;
the characteristic score sorting module is used for sorting the characteristic scores from high to low to obtain browser fingerprint IDs of N before ranking;
and the attack defense module is used for performing man-machine identification authentication and request rate limitation on the browser fingerprint ID of the N-th place before the ranking in each statistical period.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110827021.0A CN113556343B (en) | 2021-07-21 | 2021-07-21 | DDoS attack defense method and device based on browser fingerprint identification |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110827021.0A CN113556343B (en) | 2021-07-21 | 2021-07-21 | DDoS attack defense method and device based on browser fingerprint identification |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113556343A CN113556343A (en) | 2021-10-26 |
| CN113556343B true CN113556343B (en) | 2022-01-11 |
Family
ID=78103926
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110827021.0A Active CN113556343B (en) | 2021-07-21 | 2021-07-21 | DDoS attack defense method and device based on browser fingerprint identification |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113556343B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115102744A (en) * | 2022-06-16 | 2022-09-23 | 京东科技信息技术有限公司 | Data access method and device |
| CN114866347B (en) * | 2022-07-06 | 2022-09-30 | 浙江御安信息技术有限公司 | Network security early warning method for DDoS attack recognition based on artificial intelligence |
| CN115589340A (en) * | 2022-12-12 | 2023-01-10 | 国网山东省电力公司泰安供电公司 | Data robot detection method, device and medium based on RASP technology |
Family Cites Families (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103618721A (en) * | 2013-12-03 | 2014-03-05 | 彭岸峰 | XSS preventing security service |
| US9380030B2 (en) * | 2014-05-20 | 2016-06-28 | Avay Inc. | Firewall traversal for web real-time communications |
| CN104092665A (en) * | 2014-06-19 | 2014-10-08 | 小米科技有限责任公司 | Access request filtering method, device and facility |
| US9986058B2 (en) * | 2015-05-21 | 2018-05-29 | Shape Security, Inc. | Security systems for mitigating attacks from a headless browser executing on a client computer |
| US10033702B2 (en) * | 2015-08-05 | 2018-07-24 | Intralinks, Inc. | Systems and methods of secure data exchange |
| CN105430011B (en) * | 2015-12-25 | 2019-02-26 | 杭州朗和科技有限公司 | A kind of method and apparatus detecting distributed denial of service attack |
| US20200084225A1 (en) * | 2017-12-01 | 2020-03-12 | Trusted Knight Corporation | In-stream malware protection |
| CN109309664B (en) * | 2018-08-14 | 2021-03-23 | 中国科学院数据与通信保护研究教育中心 | Browser fingerprint detection behavior monitoring method |
| CN111181912B (en) * | 2019-08-27 | 2021-10-15 | 腾讯科技(深圳)有限公司 | Browser identifier processing method and device, electronic equipment and storage medium |
| CN111786966A (en) * | 2020-06-15 | 2020-10-16 | 中国建设银行股份有限公司 | Method and device for browsing webpage |
| CN112003873B (en) * | 2020-08-31 | 2022-04-19 | 成都安恒信息技术有限公司 | HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack |
| CN112685682B (en) * | 2021-03-16 | 2021-07-09 | 连连(杭州)信息技术有限公司 | Method, device, equipment and medium for identifying forbidden object of attack event |
-
2021
- 2021-07-21 CN CN202110827021.0A patent/CN113556343B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN113556343A (en) | 2021-10-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113556343B (en) | DDoS attack defense method and device based on browser fingerprint identification | |
| US11503044B2 (en) | Method computing device for detecting malicious domain names in network traffic | |
| US10623376B2 (en) | Qualifying client behavior to mitigate attacks on a host | |
| EP2863611B1 (en) | Device for detecting cyber attack based on event analysis and method thereof | |
| US11212305B2 (en) | Web application security methods and systems | |
| CN109194680B (en) | Network attack identification method, device and equipment | |
| US9602525B2 (en) | Classification of malware generated domain names | |
| US8893278B1 (en) | Detecting malware communication on an infected computing device | |
| US8949978B1 (en) | Efficient web threat protection | |
| RU2680736C1 (en) | Malware files in network traffic detection server and method | |
| Al-Hammadi et al. | DCA for bot detection | |
| US20150350174A1 (en) | Controlling application programming interface transactions based on content of earlier transactions | |
| JP2019021294A (en) | SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS | |
| US20210075790A1 (en) | Attacker detection via fingerprinting cookie mechanism | |
| JP5832951B2 (en) | Attack determination device, attack determination method, and attack determination program | |
| US9237143B1 (en) | User authentication avoiding exposure of information about enumerable system resources | |
| EP3270317A1 (en) | Dynamic security module server device and operating method thereof | |
| CN112839017B (en) | Network attack detection method and device, equipment and storage medium thereof | |
| CN111327615A (en) | CC attack protection method and system | |
| US20230412591A1 (en) | Traffic processing method and protection system | |
| Mishra et al. | Intelligent phishing detection system using similarity matching algorithms | |
| CN113518064A (en) | Defense method and device for challenging black hole attack, computer equipment and storage medium | |
| CN115802357B (en) | 5G distribution network feeder automation control method, device and storage medium | |
| Oo et al. | Enhancement of preventing application layer based on DDoS attacks by using hidden semi-Markov model | |
| CN114726579B (en) | Method, device, equipment, storage medium and program product for defending network attack |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: DDoS attack defense methods and devices based on browser fingerprint recognition Effective date of registration: 20230526 Granted publication date: 20220111 Pledgee: Haidian Beijing science and technology enterprise financing Company limited by guarantee Pledgor: JIANG NAN INFORMATION SECURITY (BEIJING) TECHNOLOGY CO.,LTD. Registration number: Y2023110000206 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right |