CN113949581A - Address blocking method, device and system, storage medium and electronic equipment - Google Patents
Address blocking method, device and system, storage medium and electronic equipment
- Publication number
- CN113949581A (application number CN202111233338.8A)
- Authority
- CN
- China
- Prior art keywords
- address
- access request
- product
- attack
- security detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441 Countermeasures against malicious traffic
Abstract
The application provides an address blocking method, device and system, a storage medium and an electronic device. An access request is subjected to multiple security detections by a set of preset security detection products to obtain a security detection result. If the result indicates that the request did not pass the multiple detections, the address information of the request is acquired; it comprises a destination address or a source address, where the source address comprises the attack source address that sent the request and the address carried in a preset field of the request. CDN addresses and local service addresses contained in the address information are then filtered out, so that the attack address is obtained accurately, and the attack address is sent to a local-side blocking product and a CDN-side blocking product for blocking. Because CDN addresses and local service addresses are never blocked, the attack is resisted effectively while the impact on service processing is reduced.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to an address blocking method, an address blocking device, an address blocking system, a storage medium, and an electronic device.
Background
CDN schemes are favoured by system designers in today's network environment because they are low cost, save origin server resources and reduce latency, but the security problems that come with them cannot be ignored.
In the prior art, attack interception of access requests is deployed on the CDN side, and most attacks reach the local (origin) side through the CDN. The blocking product on the local side blocks the source IP of the access request; however, because the CDN performs address translation when forwarding the request, the source address received by the server is a CDN address, so it is the CDN address that gets blocked. Once all CDN addresses have been blocked, normal traffic can no longer reach the server, which disrupts normal service processing.
Disclosure of Invention
The application provides an address blocking method, device and system, a storage medium and an electronic device, and aims to solve the problem in existing address blocking schemes that blocking CDN addresses disrupts normal service processing.
In order to achieve the above object, the present application provides the following technical solutions:
an address blocking method, comprising:
when an access request is received, performing multiple security detections on the access request with a preset set of security detection products to obtain a security detection result; the set comprises a plurality of security detection products;
if the security detection result indicates that the access request did not pass the multiple security detections, acquiring the address information of the access request; the address information comprises a destination address or a source address of the access request, and the source address comprises the attack source address that sent the access request and the address carried in a preset field of the access request;
filtering the CDN addresses and local service addresses out of the address information to obtain the attack address;
and sending the attack address to a local-side blocking product and a CDN-side blocking product so that both can block the attack address.
Optionally, in the method, performing multiple security detections on the access request with the preset set of security detection products to obtain a security detection result includes:
sequentially calling each security detection product in the set, in a preset calling order, to perform security detection on the access request;
while any one security detection product is being called, if the access request does not pass that product's detection and the confidence score output by the product is greater than a preset blocking threshold corresponding to that product, stopping the calling of the other products in the set and generating a security detection result indicating that the access request did not pass the multiple security detections;
if the access request passes the detection of all security detection products, or fails the detection of a target security detection product but the confidence score output by that product is not greater than its preset blocking threshold, generating a security detection result indicating that the access request passed the multiple security detections; the target security detection product is any one product in the set.
Optionally, acquiring the address information of the access request includes:
determining whether the access request is an inbound attack;
if the access request is an inbound attack, acquiring the attack source address that sent the access request and the address carried in a preset field of the access request;
and if the access request is not an inbound attack, acquiring the destination address of the access request.
Optionally, in the above method, filtering the CDN addresses and local service addresses out of the address information to obtain the attack address includes:
for each address in the address information, filtering the address if a matching CDN address exists in a preset CDN address list, and filtering the address if a matching local service address exists in a preset local service address list.
Optionally, sending the attack address to the local-side blocking product and the CDN-side blocking product includes:
calling an Application Programming Interface (API) of the local-side blocking product and sending the attack address to the local-side blocking product;
and calling an API of the CDN-side blocking product and sending the attack address to the CDN-side blocking product.
An address blocking device, comprising:
a detection unit, used for performing multiple security detections on the access request with a preset set of security detection products when an access request is received, to obtain a security detection result; the set comprises a plurality of security detection products;
an acquisition unit, used for acquiring the address information of the access request if the security detection result indicates that the access request did not pass the multiple security detections; the address information comprises a destination address or a source address of the access request, and the source address comprises the attack source address that sent the request and the address carried in a preset field of the request;
a filtering unit, used for filtering the CDN addresses and local service addresses out of the address information to obtain the attack address;
and a sending unit, used for sending the attack address to a local-side blocking product and a CDN-side blocking product so that both can block the attack address.
An address blocking system, comprising:
a security detection module, a transit blocking module and a blocking module;
the security detection module is used for performing multiple security detections on the access request with a preset set of security detection products to obtain a security detection result and, when the result indicates that the access request did not pass the multiple detections, acquiring the address information of the access request and sending it to the transit blocking module; the address information comprises a destination address or a source address of the access request, and the source address comprises the attack source address that sent the request and the address carried in a preset field of the request;
the transit blocking module is used for filtering the CDN addresses and local service addresses out of the address information to obtain the attack address, and sending the attack address to the blocking module;
and the blocking module is used for blocking the attack address.
Optionally, in the above system the blocking module comprises:
a local-side blocking product and a CDN-side blocking product;
the local-side blocking product is used for blocking the attack address;
and the CDN-side blocking product is used for blocking the attack address.
A storage medium storing a set of instructions, wherein the set of instructions, when executed by a processor, implements an address blocking method as described above.
An electronic device, comprising:
a memory for storing at least one set of instructions;
and the processor is used for executing the instruction set stored in the memory, and the address blocking method is realized by executing the instruction set.
Compared with the prior art, the application has the following advantages:
The application provides an address blocking method, device and system, a storage medium and an electronic device. The method comprises: when an access request is received, performing multiple security detections on it with a preset set of security detection products to obtain a security detection result, the set comprising a plurality of security detection products; if the result indicates that the request did not pass the multiple detections, acquiring the address information of the request, which comprises a destination address or a source address, the source address comprising the attack source address that sent the request and the address carried in a preset field of the request; filtering the CDN addresses and local service addresses out of the address information to obtain the attack address; and sending the attack address to a local-side blocking product and a CDN-side blocking product so that both block it. Because the request is checked by several security detection products and the CDN and local service addresses are filtered out, the attack address is obtained accurately and blocked while CDN and local service addresses are never blocked, so the attack is resisted effectively with reduced impact on service processing.
Drawings
To illustrate the embodiments of the present application or the prior-art solutions more clearly, the drawings needed for the description are briefly introduced below. The drawings described below show only embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an address blocking method provided in the present application;
Fig. 2 is a flowchart of another address blocking method provided in the present application;
Fig. 3 is a flowchart of another address blocking method provided in the present application;
Fig. 4 is a flowchart of another address blocking method provided in the present application;
Fig. 5 is a schematic structural diagram of an address blocking device provided in the present application;
Fig. 6 is a schematic structural diagram of an address blocking system provided in the present application;
Fig. 7 is a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the disclosure of the present application are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in the disclosure herein are exemplary rather than limiting, and those skilled in the art will understand that "one or more" will be understood unless the context clearly dictates otherwise.
The application is operational with numerous general purpose or special purpose computing device environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multi-processor apparatus, distributed computing environments that include any of the above devices or equipment, and the like.
Referring to Fig. 1, which shows a flowchart of an address blocking method, the method specifically includes:
S101: when an access request is received, perform multiple security detections on the access request with a preset set of security detection products to obtain a security detection result.
In this embodiment, when an access request is received, multiple security detections are performed on it with the preset set of security detection products. The set includes a plurality of security detection products, including but not limited to an APT (Advanced Persistent Threat) detection product, a bidirectional IDS (Intrusion Detection System), a WAF (Web Application Firewall) and a host security product.
It should be noted that the security products form a multi-layer, sluice-gate style defence architecture: the WAF is an inline (serial) blocking product focused on web application attacks; the APT product and the bidirectional IDS are out-of-band (bypass) detection products focused on vulnerability exploitation, APT attacks and the like; the host security product focuses on brute-force attacks against the host, Trojan file attacks and the like. The products complement one another's detection capabilities and avoid the weakest-link (barrel) effect.
Referring to Fig. 2, the process of performing multiple security detections on an access request with a preset set of security detection products to obtain a security detection result specifically includes the following steps:
S201: sequentially call each security detection product in the set, in a preset calling order, to perform security detection on the access request.
In this embodiment, the products in the set are called one after another in the preset order, that is, each product performs security detection on the access request in turn.
S202: while any one security detection product is being called, if the access request does not pass that product's detection and the confidence score output by the product is greater than the preset blocking threshold corresponding to that product, stop calling the remaining products in the set and generate a security detection result indicating that the access request did not pass the multiple security detections.
In this embodiment, while a product is being called it is determined whether the access request passes that product's detection. If it passes, the next product is called, until no uncalled product remains in the set. If it does not pass, the confidence score output by the product is obtained; when that score is greater than the blocking threshold preset for the product, the remaining products are not called and a result indicating failure of the multiple detections is generated.
It should be noted that different security detection products may have different blocking thresholds.
In this embodiment, the APT product restores and analyses session content and files to discover intrusion behaviour or unknown threats in time, providing APT detection capability. The bidirectional IDS receives mirrored traffic, analyses both directions of a session and outputs security events for successful intrusions accurately and in real time. The WAF detects web application attacks by parsing each field of the HTTP request against fine-grained rules. The host security product is deployed on the host and provides intrusion detection, login auditing, brute-force detection, malicious file scanning and removal, and similar functions.
S203: if the access request passes the detection of all security detection products, or fails the detection of a target security detection product but the confidence score output by that product is not greater than its preset blocking threshold, generate a security detection result indicating that the access request passed the multiple security detections.
In this embodiment, once every product in the set has been called, that is, once every product has performed detection on the access request, a result indicating that the request passed the multiple detections is generated if the request passed every product, or if it failed a target product whose output confidence score was not greater than that product's threshold. The target product is any one product in the set.
In this embodiment, the process of performing multiple security detections on an access request with the preset set of security detection products is illustrated as follows:
The set comprises an APT product, a bidirectional IDS, a WAF and a host security product, called in that order. First the APT product is called to detect the access request. If the request fails the APT product's detection and the confidence score output by the APT product is greater than the APT product's preset blocking threshold, a result indicating failure of the multiple detections is generated and calling ends; otherwise the bidirectional IDS is called next. If the request fails the IDS detection and the IDS confidence score is greater than the IDS blocking threshold, a failure result is generated and calling ends; otherwise the WAF is called. If the request fails the WAF detection and the WAF confidence score is greater than the WAF blocking threshold, a failure result is generated and calling ends; otherwise the host security product is called. If the request fails the host security product's detection and that product's confidence score is greater than its blocking threshold, a failure result is generated and calling ends; otherwise a result indicating that the access request passed the multiple security detections is generated and calling ends.
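The chain described in S201 to S203 and the four-product walkthrough above can be implemented as follows. This is an added example, not code from the patent or from any of the named products: the detector heuristics, confidence scores, thresholds and sample requests are constructed for illustration. The point it makes concrete is that an alert at or below a product's threshold is recorded but does not stop the chain, while an alert above the threshold ends it immediately.

```python
"""Sequential security-detection chain with per-product blocking thresholds
(steps S201-S203).  Added illustration, not code from the patent: the four
detector heuristics, confidence scores, thresholds and sample requests are
constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A detector returns (passed, confidence).  passed=True means no alert; the
# confidence is the product's score for its alert and is only read when
# passed is False.
Detector = Callable[[dict], Tuple[bool, float]]


@dataclass
class Product:
    name: str
    detect: Detector
    block_threshold: float   # each product has its own threshold (S202 note)


@dataclass
class DetectionResult:
    blocked: bool                 # True = "did not pass multiple detections"
    triggered_by: Optional[str]   # product whose alert exceeded its threshold
    trace: List[str] = field(default_factory=list)


def run_detection_chain(request: dict, products: List[Product]) -> DetectionResult:
    """Call the products in their preset order (S201).  An alert whose
    confidence is strictly greater than that product's threshold stops the
    chain and blocks (S202); an alert at or below the threshold is recorded
    but the remaining products are still called (S203)."""
    result = DetectionResult(blocked=False, triggered_by=None)
    for product in products:
        passed, confidence = product.detect(request)
        if passed:
            result.trace.append(f"{product.name}: pass")
            continue
        result.trace.append(f"{product.name}: alert confidence={confidence:.2f} "
                            f"threshold={product.block_threshold:.2f}")
        if confidence > product.block_threshold:
            result.blocked = True
            result.triggered_by = product.name
            return result
    return result


# --- constructed stand-ins for the four products ---------------------------
def apt_detect(req: dict) -> Tuple[bool, float]:
    # Restored file content that looks like a Windows executable (MZ header).
    return (False, 0.90) if req.get("body", b"").startswith(b"MZ") else (True, 0.0)


def ids_detect(req: dict) -> Tuple[bool, float]:
    # Path traversal attempt in the request path.
    return (False, 0.70) if "../" in req.get("path", "") else (True, 0.0)


def waf_detect(req: dict) -> Tuple[bool, float]:
    # Crude SQL-injection signatures in the query string.
    q = req.get("query", "").lower()
    return (False, 0.95) if ("union select" in q or "' or 1=1" in q) else (True, 0.0)


def host_detect(req: dict) -> Tuple[bool, float]:
    # Host-side telemetry attached to the request context: many failed logins.
    return (False, 0.80) if req.get("failed_logins", 0) > 20 else (True, 0.0)


PRODUCTS = [                      # preset calling order: APT, IDS, WAF, host
    Product("APT", apt_detect, 0.85),
    Product("bidirectional IDS", ids_detect, 0.75),
    Product("WAF", waf_detect, 0.90),
    Product("host security", host_detect, 0.70),
]

# Constructed sample requests.
SQLI_REQUEST = {"path": "/login", "query": "user=admin' or 1=1--", "body": b"", "failed_logins": 0}
TRAVERSAL_REQUEST = {"path": "/static/../../etc/passwd", "query": "", "body": b"", "failed_logins": 0}
BENIGN_REQUEST = {"path": "/index.html", "query": "lang=en", "body": b"", "failed_logins": 0}

if __name__ == "__main__":
    for name, req in [("sqli", SQLI_REQUEST), ("traversal", TRAVERSAL_REQUEST), ("benign", BENIGN_REQUEST)]:
        r = run_detection_chain(req, PRODUCTS)
        print(name, "BLOCK" if r.blocked else "PASS", r.triggered_by, r.trace)
```

With these constructed thresholds the SQL-injection request is blocked by the WAF after three products have run, whereas the traversal request raises an IDS alert (0.70) that does not exceed the IDS threshold (0.75), so the chain continues through all four products and the request is reported as passing.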
S102: determine whether the security detection result indicates that the access request passed the multiple security detections; if so, end; if not, execute S103.
S103: acquire the address information of the access request.
In this embodiment, when the security detection result indicates that the access request did not pass the multiple security detections, the address information of the access request is acquired. The address information comprises a destination address or a source address of the access request, and the source address comprises the attack source address that sent the request and the address carried in a preset field of the request.
Specifically, referring to Fig. 3, acquiring the address information of the access request includes the following steps:
S301: determine whether the access request is an inbound attack; if so, execute S302; if not, execute S303.
In this embodiment it is determined whether the access request is an inbound attack; if it is not an inbound attack it is treated as an outbound attack. An inbound attack is an attacker on the internet attacking the system, for example an internet hacker sending an SQL (Structured Query Language) injection attack to www.xxx.com. An outbound attack is the behaviour of a system that has already been compromised for some reason and is exfiltrating data through a Trojan or attacking other systems, for example a system that connects out to a mining pool after a mining Trojan has been implanted.
S302: obtain the attack source address that sent the access request and the address carried in the preset field of the access request.
In this embodiment, if the access request is an inbound attack, the request is parsed field by field to obtain the attack source address and the address carried in the preset field, that is, the address in the preset field is extracted. The preset field is the X-Forwarded-For header.
It should be noted that the attack source address is one of a CDN address, an attack address or a local service address, and the address in the preset field is one of a local service address or an attack address.
S303: acquire the destination address of the access request.
In this embodiment, if the access request is an outbound attack, the request is parsed to obtain its destination address.
It should be noted that when the service uses a CDN acceleration scheme, the attack source address received is a CDN address and the real attack source address is written into the X-Forwarded-For field of the request, so the real attack source address can be obtained by extracting the address in that field. X-Forwarded-For is an ordinary request header, however: any entries the client itself placed in it arrive unchanged, and only the entry appended by the trusted CDN hop reflects the address the CDN actually saw. The header should therefore be read from the right, past the known CDN hops, rather than every address in it being treated as an attack address; otherwise an attacker can nominate arbitrary third-party addresses for blocking.
It should be noted that CDN acceleration schemes generally divide into layer-4 and layer-7 acceleration. With layer-7 acceleration the CDN side decapsulates up to layer 7 and fills the real client address into the X-Forwarded-For field. With layer-4 acceleration the CDN side decapsulates only to layer 4 and can place the real client address only in a TCP option field. Security detection products focus on layer-7 protocols and cannot automatically obtain layer-4 fields, so when the traffic reaches load-balancing equipment such as an F5 the value of the layer-4 TCP option field is copied into the layer-7 X-Forwarded-For field, which lets every product obtain the real attack address information.
S104, address filtering is carried out on the CDN address and the local service address included in the address information, and an attack address is obtained.
In this embodiment, the CDN address and the local service address included in the address information are subjected to address filtering, that is, the CDN address and the local service address included in the address information are deleted, so that a real attack address is obtained.
Specifically, referring to fig. 4, the process of performing address filtering on the CDN address and the local service address included in the address information to obtain the attack address includes the following steps:
S401, for each address included in the address information, judging whether a CDN address matching the address exists in a CDN address list; if so, executing S402, and if not, executing S403.
S402, filtering the address.
In this embodiment, for each address included in the address information, if a CDN address matching the address exists in a preset CDN address list, the address is filtered, that is, the address is deleted from the address information.
In this embodiment, for each address included in the address information, if a local service address matching the address exists in the local service address list, the address is filtered, that is, the address is deleted from the address information.
S403, judging whether a local service address matching the address exists in the local service address list; if so, executing S402, and if not, ending directly.
In this embodiment, for each address included in the address information, if no CDN address matching the address exists in the CDN address list, it is further determined whether a local service address matching the address exists in the local service address list, where preset local service addresses are stored in the local service address list.
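The address-information step (S301 to S303) and the filtering step (S401 to S403) together, written out as an added Python example. This is not code from the patent; the CDN list, the local service list, the request model and the header name handling are assumptions made for the example (the patent calls the preset field x-forward-for; the header seen on the wire is X-Forwarded-For, so the example matches the name case-insensitively and also accepts the comma-separated chain that several proxies produce). Entries that are not valid IP addresses are dropped as well, so a malformed header value never reaches a blocking product.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample lists (assumptions for this example, not values from the patent).
# 203.0.113.0/24 stands in for the CDN node range; 198.51.100.0/24 and 10.0.0.0/8
# stand in for the local service addresses. All are documentation or private ranges.
CDN_ADDRESS_LIST = ["203.0.113.0/24"]
LOCAL_SERVICE_ADDRESS_LIST = ["198.51.100.0/24", "10.0.0.0/8"]

# The preset field: the patent calls it x-forward-for, the header on the wire is
# X-Forwarded-For, so it is matched case-insensitively below.
PRESET_FIELD = "x-forwarded-for"


@dataclass
class AccessRequest:
    """Minimal model of the access request handed to the address-extraction step."""
    incoming: bool                     # True for an incoming attack, False for outbound
    source_address: str                # peer address seen locally (the CDN node when accelerated)
    destination_address: str
    headers: Dict[str, str] = field(default_factory=dict)


def _matches_list(addr: str, cidr_list: List[str]) -> bool:
    """True if addr falls inside any entry of the list (single IPs or CIDR blocks)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidr_list)


def extract_address_information(req: AccessRequest) -> List[str]:
    """S301-S303: build the address information for the request.

    Incoming attack: the attack source address plus every address carried in the
    preset field (a comma-separated chain when several proxies appended to it).
    Outbound attack: the destination address only.
    """
    if not req.incoming:
        return [req.destination_address]
    addresses = [req.source_address]
    header_value = ""
    for name, value in req.headers.items():
        if name.lower() == PRESET_FIELD:
            header_value = value
    addresses += [a.strip() for a in header_value.split(",") if a.strip()]
    return addresses


def filter_addresses(addresses: List[str],
                     cdn_list: List[str] = CDN_ADDRESS_LIST,
                     local_list: List[str] = LOCAL_SERVICE_ADDRESS_LIST) -> List[str]:
    """S401-S403: delete CDN addresses and local service addresses, keep the rest.

    Entries that are not valid IP addresses (a malformed header value) are dropped
    too, so nothing unparseable is ever handed to a blocking product.
    """
    attack_addresses: List[str] = []
    for addr in addresses:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        if _matches_list(addr, cdn_list) or _matches_list(addr, local_list):
            continue                   # S402: the address is filtered out
        if addr not in attack_addresses:
            attack_addresses.append(addr)
    return attack_addresses
```

With the constructed lists, an incoming request seen from CDN node 203.0.113.7 whose header chain reads `192.0.2.44, 10.1.2.3` yields the single attack address 192.0.2.44: the CDN node is removed by the CDN list and the private entry by the local list. That is the property the description relies on, the CDN and the service's own addresses are never blocked. The list matching is also what limits the damage of a header value an upstream proxy did not write, which is why the lists should be kept current as CDN ranges change.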
S105, sending the attack address to a local-side blocking product and a CDN-side blocking product, so that the local-side blocking product and the CDN-side blocking product perform blocking processing on the attack address.
In this embodiment, the attack address is sent to the local-side blocking product and the CDN-side blocking product. Specifically, the attack address is sent to the local-side blocking product by calling an Application Programming Interface (API) of the local-side blocking product, and the attack address is sent to the CDN-side blocking product by calling an API of the CDN-side blocking product.
In this embodiment, the CDN-side blocking product and the local-side blocking product block the attack address. Specifically, the CDN-side blocking product issues an address blocking task to all CDN-accelerated services, and the local-side blocking product performs blacklist matching on the addresses accessing all local services.
It should be noted that, in the present application, every attack address is sent to both the local-side blocking product and the CDN-side blocking product, and both products perform blocking processing on it. Therefore, when an attacker scans a series of domain names, no matter whether the CDN-side system or the local-side system is scanned first, the system on the other side is protected because the blocking is applied on both sides.
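Step S105 as an added Python example, not code from the patent or from any blocking product. The two product classes are constructed stand-ins for the local-side product (a blacklist matched against every address that reaches a local service) and the CDN-side product (one blocking task per CDN-accelerated service); their method names and the `BlockingApiError` type are assumptions. The dispatch function adds one point the description leaves implicit: the two API calls are independent, so an outage of one product's API is recorded in the result and does not stop the other side from being updated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class BlockingApiError(Exception):
    """Raised when a blocking product's API call fails (constructed for this example)."""


@dataclass
class LocalSideBlocker:
    """Stand-in for the local-side blocking product: a blacklist matched against
    every address that accesses a local service."""
    blacklist: Set[str] = field(default_factory=set)

    def block(self, addr: str) -> None:
        self.blacklist.add(addr)

    def is_blocked(self, addr: str) -> bool:
        return addr in self.blacklist


@dataclass
class CdnSideBlocker:
    """Stand-in for the CDN-side blocking product: one blocking task is issued to
    every CDN-accelerated service."""
    accelerated_services: List[str]
    tasks: Dict[str, Set[str]] = field(default_factory=dict)
    api_available: bool = True         # set False to simulate an API outage

    def block(self, addr: str) -> None:
        if not self.api_available:
            raise BlockingApiError("CDN-side blocking API unavailable")
        for service in self.accelerated_services:
            self.tasks.setdefault(service, set()).add(addr)

    def is_blocked(self, service: str, addr: str) -> bool:
        return addr in self.tasks.get(service, set())


def dispatch_block(attack_addresses: List[str],
                   local: LocalSideBlocker,
                   cdn: CdnSideBlocker) -> Dict[str, Dict[str, str]]:
    """S105: send every attack address to both blocking products.

    Each side is called independently; a failed call is recorded per address and
    side so the caller can retry it, while the other side is still updated.
    """
    outcome: Dict[str, Dict[str, str]] = {}
    for addr in attack_addresses:
        per_side: Dict[str, str] = {}
        for side, product in (("local", local), ("cdn", cdn)):
            try:
                product.block(addr)
                per_side[side] = "ok"
            except BlockingApiError as err:
                per_side[side] = f"failed: {err}"
        outcome[addr] = per_side
    return outcome
```

After `dispatch_block(["192.0.2.44"], local, cdn)` the address is on the local blacklist and in the task of every accelerated service, so a scan that reaches either side meets the block. The returned outcome is what a transit module would log and use to retry the side whose API call failed.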
According to the address blocking method provided by the embodiment of the application, the access request is subjected to security detection by a plurality of security detection products, the CDN address and the local service address are removed by address filtering, and the attack address is thereby obtained accurately, so that the attack address is blocked while the CDN address and the local service address are not, which resists the attack behavior effectively while reducing the impact on service processing. Moreover, deploying a plurality of security detection products greatly improves the overall security capability, and the high degree of API integration makes it convenient to add further security detection products and blocking products later.
It should be noted that while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous.
It should be understood that the various steps recited in the method embodiments disclosed herein may be performed in a different order and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the disclosure is not limited in this respect.
Corresponding to the method described in fig. 1, an embodiment of the present application further provides an address blocking apparatus for implementing the method in fig. 1; a schematic structural diagram of the address blocking apparatus is shown in fig. 5, and it specifically includes:
a detection unit 501, configured to perform multiple security detections on an access request by using a preset security detection product set when the access request is received, so as to obtain a security detection result; the security detection product set comprises a plurality of security detection products;
an obtaining unit 502, configured to obtain address information of the access request if the security detection result indicates that the access request fails the multiple security detections; the address information comprises a destination address or a source address of the access request, and the source address comprises an attack source address that sent the access request and an address corresponding to a preset field in the access request;
a filtering unit 503, configured to perform address filtering on the CDN address and the local service address included in the address information to obtain an attack address;
a sending unit 504, configured to send the attack address to a local-side blocking product and a CDN-side blocking product, so that the local-side blocking product and the CDN-side blocking product perform blocking processing on the attack address.
The address blocking apparatus provided by the embodiment of the application performs security detection on an access request by a plurality of security detection products, removes the CDN address and the local service address by address filtering, and thereby obtains the attack address accurately, so that the attack address is blocked while the CDN address and the local service address are not, which resists attack behavior effectively while reducing the impact on service processing. Moreover, deploying a plurality of security detection products greatly improves the overall security capability, and the high degree of API integration makes it convenient to add further security detection products and blocking products later.
In an embodiment of the present application, based on the foregoing scheme, the detection unit 501 is specifically configured to:
sequentially call each security detection product in the security detection product set to perform security detection on the access request according to a preset calling sequence;
in the process of calling any one security detection product, if the access request does not pass the security detection of that product, stop calling the other security detection products in the security detection product set when the confidence score output by that product is greater than the preset blocking threshold corresponding to that product, and generate a security detection result indicating that the access request does not pass the multiple security detections;
if the access request passes the security detection of all security detection products, or the access request does not pass the security detection of a target security detection product but the confidence score output by the target security detection product is not greater than the preset blocking threshold corresponding to the target security detection product, generate a security detection result indicating that the access request passes the multiple security detections; the target security detection product is any one security detection product in the security detection product set.
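The sequential detection logic of the detection unit 501, as an added Python example rather than code from the patent. The three detectors and their thresholds are constructed stand-ins for real products (a WAF-like check, a request-rate check and a user-agent check); only the control flow, stopping at the first product that both flags the request and reports a confidence above its own blocking threshold, and otherwise continuing to the next product, follows the description.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A detector returns (passed, confidence): passed is False when the product flags the
# request, confidence is that product's own score in [0, 1].
Detector = Callable[[dict], Tuple[bool, float]]


@dataclass
class DetectionProduct:
    name: str
    detect: Detector
    block_threshold: float             # the preset blocking threshold for this product


def run_multiple_detections(request: dict, products: List[DetectionProduct]) -> Dict:
    """Call the products in the preset order and stop at the first product that both
    flags the request and reports a confidence above its own threshold. A product
    that flags with a score at or below its threshold does not stop the sequence."""
    called: List[str] = []
    for product in products:
        called.append(product.name)
        passed, confidence = product.detect(request)
        if not passed and confidence > product.block_threshold:
            return {"passed": False, "product": product.name,
                    "confidence": confidence, "called": called}
    # Every product passed, or flagged only with a score at or below its threshold.
    return {"passed": True, "called": called}


# Constructed detectors standing in for real products (assumptions for this example).
def waf_detect(req: dict) -> Tuple[bool, float]:
    flagged = "'" in req.get("path", "")            # crude injection-looking character
    return (not flagged, 0.9 if flagged else 0.0)


def rate_detect(req: dict) -> Tuple[bool, float]:
    flagged = req.get("requests_per_minute", 0) > 100
    return (not flagged, 0.6 if flagged else 0.0)   # a weak signal on its own


def ua_detect(req: dict) -> Tuple[bool, float]:
    flagged = "scanner" in req.get("user_agent", "").lower()
    return (not flagged, 0.95 if flagged else 0.0)


# The preset calling sequence with a per-product blocking threshold.
PRODUCT_SET = [
    DetectionProduct("waf", waf_detect, block_threshold=0.8),
    DetectionProduct("rate", rate_detect, block_threshold=0.7),
    DetectionProduct("ua", ua_detect, block_threshold=0.5),
]
```

A high request rate alone is flagged by the rate product at 0.6, which does not exceed its 0.7 threshold, so the sequence continues and the request passes; the same rate combined with a scanner user agent is stopped by the third product. The `called` list in the result shows how far the sequence ran, which is the number a team would want in the audit log when tuning the thresholds.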
In an embodiment of the present application, based on the foregoing scheme, the obtaining unit 502 is specifically configured to:
judging whether the access request is an incoming attack;
if the access request is an incoming attack, acquiring an attack source address for sending the access request and an address corresponding to a preset field in the access request;
and if the access request is not an incoming attack, acquiring a destination address of the access request.
In an embodiment of the present application, based on the foregoing solution, the filtering unit 503 is specifically configured to:
for each address included in the address information, if a CDN address matching the address exists in a preset CDN address list, filtering the address, and if a local service address matching the address exists in a preset local service address list, filtering the address.
In an embodiment of the present application, based on the foregoing scheme, when sending the attack address to the local-side blocking product and the CDN-side blocking product, the sending unit 504 is specifically configured to:
call an Application Programming Interface (API) of the local-side blocking product, and send the attack address to the local-side blocking product;
call an API of the CDN-side blocking product, and send the attack address to the CDN-side blocking product.
Referring to fig. 6, an embodiment of the present application further provides an address blocking system, which specifically includes:
a security detection module 601, a transit blocking module 602 and a blocking module 603;
the security detection module 601 is configured to perform multiple security detections on the access request by using a preset security detection product set to obtain a security detection result, and, when the security detection result indicates that the access request does not pass the multiple security detections, to obtain address information of the access request and send the address information to the transit blocking module 602; the address information comprises a destination address or a source address of the access request, and the source address comprises an attack source address that sent the access request and an address corresponding to a preset field in the access request;
the transit blocking module 602 is configured to perform address filtering on the CDN address and the local service address included in the address information to obtain an attack address, and to send the attack address to the blocking module 603;
the blocking module 603 is configured to perform blocking processing on the target address.
In this embodiment, the blocking module 603 includes a local-side blocking product and a CDN-side blocking product; the local-side blocking product is used for blocking the attack address, and the CDN-side blocking product is used for blocking the attack address.
The address blocking system provided by the embodiment of the application performs security detection on the access request by a plurality of security detection products, removes the CDN address and the local service address by address filtering, and thereby obtains the attack address accurately, so that the attack address is blocked while the CDN address and the local service address are not, which resists attack behavior effectively while reducing the impact on service processing. Moreover, deploying a plurality of security detection products greatly improves the overall security capability, and the high degree of API integration makes it convenient to add further security detection products and blocking products later.
The embodiment of the present application further provides a storage medium, where the storage medium stores an instruction set, and when the instruction set runs, the address blocking method disclosed in any of the above embodiments is executed.
An electronic device is further provided in the embodiments of the present application, and a schematic structural diagram of the electronic device is shown in fig. 7, and specifically includes a memory 701 configured to store at least one set of instruction sets; a processor 702 configured to execute the instruction set stored in the memory, and to implement the address blocking method disclosed in any of the above embodiments by executing the instruction set.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
While several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
The foregoing description is only exemplary of the preferred embodiments disclosed herein and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the disclosure. For example, the above features and (but not limited to) technical features having similar functions disclosed in the present disclosure are mutually replaced to form the technical solution.
Claims (10)
1. An address blocking method, comprising:
when an access request is received, performing multiple security detections on the access request by using a preset security detection product set to obtain a security detection result; the security detection product set comprises a plurality of security detection products;
if the security detection result indicates that the access request does not pass the multiple security detections, acquiring address information of the access request; the address information comprises a destination address or a source address of the access request, and the source address comprises an attack source address that sent the access request and an address corresponding to a preset field in the access request;
performing address filtering on the CDN address and the local service address included in the address information to obtain an attack address;
and sending the attack address to a local-side blocking product and a CDN-side blocking product so that the local-side blocking product and the CDN-side blocking product perform blocking processing on the attack address.
2. The method of claim 1, wherein performing multiple security checks on the access request using a predefined set of security check products to obtain a security check result comprises:
sequentially calling each security detection product in the security detection product set to perform security detection on the access request according to a preset calling sequence;
in the process of calling any one security detection product, if the access request does not pass the security detection of that product, stopping calling the other security detection products in the security detection product set when the confidence score output by that product is greater than a preset blocking threshold corresponding to that product, and generating a security detection result indicating that the access request does not pass the multiple security detections;
if the access request passes the security detection of all security detection products, or the access request does not pass the security detection of a target security detection product but the confidence score output by the target security detection product is not greater than a preset blocking threshold corresponding to the target security detection product, generating a security detection result indicating that the access request passes the multiple security detections; the target security detection product is any one security detection product in the security detection product set.
3. The method of claim 1, wherein the obtaining the address information of the access request comprises:
judging whether the access request is an incoming attack;
if the access request is an incoming attack, acquiring an attack source address for sending the access request and an address corresponding to a preset field in the access request;
and if the access request is not an incoming attack, acquiring a destination address of the access request.
4. The method of claim 1, wherein the address filtering the CDN address and the local service address included in the address information to obtain an attack address includes:
for each address included in the address information, if a CDN address matching the address exists in a preset CDN address list, filtering the address, and if a local service address matching the address exists in a preset local service address list, filtering the address.
5. The method of claim 1, wherein sending the attack address to a local-side blocking product and a CDN-side blocking product comprises:
calling an Application Programming Interface (API) of the local-side blocking product, and sending the attack address to the local-side blocking product;
and calling an API of the CDN-side blocking product, and sending the attack address to the CDN-side blocking product.
6. An address blocking device, comprising:
a detection unit, configured to perform multiple security detections on an access request by using a preset security detection product set when the access request is received, to obtain a security detection result; the security detection product set comprises a plurality of security detection products;
an obtaining unit, configured to obtain address information of the access request if the security detection result indicates that the access request does not pass the multiple security detections; the address information comprises a destination address or a source address of the access request, and the source address comprises an attack source address that sent the access request and an address corresponding to a preset field in the access request;
a filtering unit, configured to perform address filtering on the CDN address and the local service address included in the address information to obtain an attack address;
and a sending unit, configured to send the attack address to a local-side blocking product and a CDN-side blocking product, so that the local-side blocking product and the CDN-side blocking product perform blocking processing on the attack address.
7. An address blocking system, comprising:
a security detection module, a transit blocking module and a blocking module;
the security detection module is configured to perform multiple security detections on the access request by using a preset security detection product set to obtain a security detection result, and, when the security detection result indicates that the access request does not pass the multiple security detections, to acquire address information of the access request and send the address information to the transit blocking module; the address information comprises a destination address or a source address of the access request, and the source address comprises an attack source address that sent the access request and an address corresponding to a preset field in the access request;
the transit blocking module is configured to perform address filtering on the CDN address and the local service address included in the address information to obtain an attack address, and to send the attack address to the blocking module;
and the blocking module is configured to perform blocking processing on the target address.
8. The system of claim 7, wherein the blocking module comprises:
a local-side blocking product and a CDN-side blocking product;
the local-side blocking product is used for blocking the attack address;
and the CDN-side blocking product is used for blocking the attack address.
9. A storage medium storing a set of instructions, wherein the set of instructions, when executed by a processor, implement the address blocking method of any one of claims 1 to 5.
10. An electronic device, comprising:
a memory for storing at least one set of instructions;
a processor for executing a set of instructions stored in the memory, the set of instructions being executable to implement the address blocking method of any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111233338.8A CN113949581A (en) | 2021-10-22 | 2021-10-22 | Address blocking method, device and system, storage medium and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113949581A true CN113949581A (en) | 2022-01-18 |
Family
ID=79332162
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111233338.8A Pending CN113949581A (en) | 2021-10-22 | 2021-10-22 | Address blocking method, device and system, storage medium and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113949581A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102158568A (en) * | 2011-04-20 | 2011-08-17 | 北京蓝汛通信技术有限责任公司 | Method and device for banning IP (Internet Protocol) addresses and content distribution network server |
CN103595827A (en) * | 2013-11-29 | 2014-02-19 | 北京奇虎科技有限公司 | IP address identifying method and device for CDN (Content Distribution Network) source station |
CN110535857A (en) * | 2019-08-29 | 2019-12-03 | 中国工商银行股份有限公司 | The method and apparatus of protecting network attack |
WO2020207490A1 (en) * | 2019-04-12 | 2020-10-15 | Huawei Technologies Co., Ltd. | System, apparatus and method to support data server selection |
CN112272164A (en) * | 2020-09-30 | 2021-01-26 | 新华三信息安全技术有限公司 | Message processing method and device |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117061590A (en) * | 2023-10-10 | 2023-11-14 | 联通在线信息科技有限公司 | Method and equipment for CDN to seal and customize seal content for URL |
CN117061590B (en) * | 2023-10-10 | 2024-02-27 | 联通在线信息科技有限公司 | Method and equipment for CDN to seal and customize seal content for URL |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||