CN114389900A - OpenResty-based abnormal traffic capturing and intercepting method and system - Google Patents

Info

Publication number: CN114389900A
Application number: CN202210291504.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李绍良, 黄衍博, 汪洋
Current assignee: Guangdong Eflycloud Computing Co Ltd
Original assignee: Guangdong Eflycloud Computing Co Ltd
Prior art keywords: openresty, client, access, flow, abnormal traffic

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies; H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/02 Firewalls; H04L63/0227 Filtering policies; H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic; H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/14 Detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic; H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention relates to the technical field of computers, in particular to a method and a system for capturing and intercepting abnormal traffic based on OpenResty. The method comprises the following steps: filtering and cleaning received service traffic at the OpenResty gateway; obtaining the client IP of the corresponding network packet from the filtered service traffic and recording the access time; judging whether the number of accesses from the obtained client IP within a set threshold time exceeds an access threshold; and blocking any client IP that exceeds the access threshold, while reverse-proxying the traffic of normal client IPs to their corresponding service systems according to a user-defined distribution rule. The method and system use OpenResty to block abnormal traffic, so no code has to be written into the individual service systems and no code intrusion occurs; the IP abnormal-access judgment rule is added automatically, no manual processing is needed when the traffic is under attack, and the system blocks automatically, so that the whole system is more highly available and automated.

Description

OpenResty-based abnormal traffic capturing and intercepting method and system
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for capturing and intercepting abnormal traffic based on OpenResty.
Background
With the rapid development and wide application of the internet, great wealth and convenience have been brought to people, but at the same time a very serious problem of network information security has arisen, so that network information security has become an important research field of general concern. The internet is extremely vulnerable because of defects in its design and because of its openness. With the advent of super network-weapon viruses, cyberspace security has entered a higher-level phase of technical confrontation. The network security threats of this new phase are characterized by continuous attack processes, complex attack techniques, refined attack means, hidden attack behaviour, huge attack resources and precisely chosen targets, and they pose a serious threat to the security of network facilities and of users' important information systems.
When such higher-level technical confrontation takes place, most applications have to be exposed on the public network in order to forward service traffic, which is exactly when network attacks are likely to occur; in many cases the service is affected because the attack is handled manually after monitoring has detected it, causing unnecessary loss.
In order to monitor and distribute traffic, capture abnormal traffic and add IPs to a blocking list automatically according to rules, without manual intervention when a network attack occurs, a new method for capturing abnormal traffic with a new technology is required to meet network security requirements.
Disclosure of Invention
To address the problem that, when an application forwarding service traffic is exposed on the public network and suffers a network attack, manual processing affects the service and causes unnecessary loss, the invention provides a method and a system for capturing and intercepting abnormal traffic based on OpenResty, which can monitor and distribute traffic and capture abnormal traffic without intruding into service-system code, and can add IPs to a blocking list automatically according to rules, with no manual intervention.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides a method for capturing and intercepting abnormal traffic based on OpenResty, which includes the following steps:
filtering and cleaning received service traffic at the OpenResty gateway;
obtaining the client IP of the corresponding network packet from the filtered service traffic and recording the access time;
judging whether the number of accesses from the obtained client IP within a set threshold time exceeds an access threshold;
and blocking any client IP that exceeds the access threshold, while reverse-proxying the traffic of normal client IPs to their corresponding service systems according to the user-defined distribution rule.
In some embodiments of the present invention, filtering and cleaning received service traffic at the OpenResty gateway includes:
the OpenResty gateway integrating the Nginx modules with the Lua scripting language through the ngx_lua module;
writing the traffic filtering rule in the Lua scripting language, calling the C modules and Lua modules supported by Nginx;
and filtering and cleaning the received service traffic according to the traffic filtering rule.
In some embodiments of the present invention, obtaining the client IP corresponding to the network packet and recording the access time includes traversing a blacklist and checking whether the obtained client IP is in the blacklist;
when the obtained client IP is in the blacklist, returning failure;
and when the obtained client IP is not in the blacklist, recording the time of the access by that client IP.
In some embodiments of the present invention, obtaining the client IP corresponding to the network packet includes: when traffic is received, obtaining the client IP of the network packet from the HTTP header X-Real-IP.
In some embodiments of the invention, a client IP that exceeds the access threshold is blocked with iptables -I INPUT -s <IP> -j DROP.
In some embodiments of the present invention, reverse-proxying the traffic of normal client IPs to their corresponding service systems according to the user-defined distribution rule includes:
configuring a reverse proxy rule in the nginx of the OpenResty gateway;
and matching the traffic of the normal client IP to its corresponding service system in a Lua script, and routing it to the nginx upstream of the user-defined back-end service.
In some embodiments of the present invention, the nginx upstream allocation is round-robin: requests are assigned to the different back-end servers in turn, in order of arrival.
In a second aspect, another embodiment of the present invention provides a system for capturing and intercepting abnormal traffic based on OpenResty, which includes:
a traffic cleaning module, used to filter and clean the received service traffic at the OpenResty gateway;
an IP recording module, used to record the client IP of the network packet corresponding to the filtered service traffic and to record the access time;
a judging module, used to judge whether the number of accesses from the obtained client IP within the set threshold time exceeds an access threshold;
a blocking module, used to block client IPs that exceed the access threshold; and
a distribution module, used to reverse-proxy the traffic of normal client IPs that do not exceed the access threshold to their corresponding service systems according to the user-defined distribution rule.
In a third aspect, a further embodiment of the present invention provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor, when loading and executing the computer program, implements the steps of the OpenResty-based abnormal traffic capturing and intercepting method.
In a fourth aspect, a further embodiment of the present invention provides a storage medium storing a computer program which, when loaded and executed by a processor, implements the steps of the OpenResty-based abnormal traffic capturing and intercepting method.
The technical scheme provided by the invention has the following beneficial effects:
the method and system for capturing and intercepting abnormal traffic based on OpenResty block the abnormal traffic with OpenResty, so no code has to be written into the individual service systems and no code intrusion occurs; the IP abnormal-access judgment rule is added automatically, no manual processing is needed when the traffic is under attack, and the system blocks automatically, so that the whole system is more highly available and automated; traffic monitoring and distribution, abnormal traffic capture and automatic addition to the IP blocking list according to rules are realized, and no manual intervention is needed.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart of the method for capturing and intercepting abnormal traffic based on OpenResty according to the present invention.
Fig. 2 is a flowchart of traffic filtering and cleaning in an example of the method for capturing and intercepting abnormal traffic based on OpenResty according to an embodiment of the present invention.
Fig. 3 is an architecture diagram of the method for capturing and intercepting abnormal traffic based on OpenResty according to an embodiment of the present invention.
Fig. 4 is a block diagram of the system for capturing and intercepting abnormal traffic based on OpenResty in an embodiment of the present invention.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a flowchart of the method for capturing and intercepting abnormal traffic based on OpenResty according to the present invention. The invention provides a method for capturing and intercepting abnormal traffic based on OpenResty, which comprises the following steps:
S1, filtering and cleaning the received service traffic at the OpenResty gateway;
S2, obtaining the client IP of the corresponding network packet from the filtered service traffic and recording the access time;
S3, judging whether the number of accesses from the obtained client IP within the set threshold time exceeds an access threshold;
and S4, blocking any client IP that exceeds the access threshold, while reverse-proxying the traffic of normal client IPs to their corresponding service systems according to the user-defined distribution rule.
The method for capturing and intercepting abnormal traffic based on OpenResty in this embodiment is implemented by these four main steps. The OpenResty gateway is the entrance responsible for receiving traffic; it is a functional gateway consisting of nginx with the OpenResty extension, so the traffic can be filtered by means of the OpenResty features, and the logic code is written in the gateway, which means the traffic is cleaned and distributed without modifying the code of any service system.
When filtering and cleaning the received service traffic, the traffic is filtered with the OpenResty features, and the corresponding traffic rule can be written in the nginx gateway to achieve the filtering effect.
In an embodiment of the present invention, referring to fig. 2, filtering and cleaning received service traffic at the OpenResty gateway includes:
S11, the OpenResty gateway integrating the Nginx modules with the Lua scripting language through the ngx_lua module;
S12, writing the traffic filtering rule in the Lua scripting language, calling the C modules supported by Nginx;
and S13, filtering and cleaning the received service traffic according to the traffic filtering rule.
It should be noted that the OpenResty gateway uses the ngx_lua module to integrate nginx and Lua. ngx_lua embeds the Lua scripting language into Nginx, lets Nginx execute Lua scripts, and handles all kinds of requests with high concurrency and without blocking. Lua's built-in coroutines neatly convert asynchronous callbacks into a sequential calling form. In ngx_lua, all I/O operations of the Lua script are delegated to Nginx's event model, which makes the calls non-blocking.
Because an Nginx module developed in C must conform to a series of complex rules, and above all the C module developer must be familiar with the Nginx source code, developers are daunted. To address this Nginx development problem, the framework integrating Nginx with the Lua scripting language is adopted in the manner described, and the resulting OpenResty helps developers carry out standard development in the Lua scripting language.
Moreover, with the continuous upgrading and optimization of system architectures, OpenResty has also become widely used. OpenResty is a powerful web application server: web developers can use the Lua scripting language to call the various C modules and Lua modules supported by Nginx, so in terms of performance OpenResty can quickly build ultra-high-performance web application systems that can respond to more than 10K concurrent connections.
In this embodiment, the method includes obtaining the client IP corresponding to the network packet, traversing the blacklist before recording the access time, and checking whether the obtained client IP is in the blacklist;
when the obtained client IP is in the blacklist, failure is returned;
and when the obtained client IP is not in the blacklist, the time of the access by that client IP is recorded.
In this embodiment, referring to fig. 1, whether the client IP is in the blacklist is checked, so that IPs already added to the IP blacklist are filtered out in advance, saving time and work in the subsequent abnormal-traffic capture.
In this embodiment, obtaining the client IP corresponding to the network packet includes: when traffic is received, obtaining the client IP of the network packet from the HTTP header X-Real-IP.
In this embodiment, a client IP that exceeds the access threshold is blocked with iptables -I INPUT -s <IP> -j DROP.
When traffic enters, the client IP of the network packet is obtained from the HTTP header X-Real-IP and the time is recorded; after the time is recorded, it is queried whether the access frequency of that IP within the set threshold time exceeds the access threshold, for example: the number of accesses reached 10 within 5 seconds. If the access threshold is exceeded, the traffic is regarded as abnormal traffic, and the IP is blocked with iptables -I INPUT -s <IP> -j DROP.
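The detection and blocking pipeline of steps S1 to S4, written as an OpenResty access-phase handler. This is an added example and not code from the patent: the shared-dictionary names, the trusted-proxy list, the 403 response, the block duration and the hand-off of blocked IPs to a privileged helper are assumptions; the threshold values are the page's own example of 10 accesses within 5 seconds.

```lua
-- Added example (not the patent's own code): OpenResty access-phase handler that
-- implements the blacklist check, per-client-IP access counting within a window,
-- and blocking once the access threshold is reached.
-- Assumed nginx.conf fragment (dictionary names and paths are assumptions):
--
--   http {
--       lua_shared_dict ip_access    10m;  # per-IP access counters
--       lua_shared_dict ip_blocklist  1m;  # blocked client IPs
--       server {
--           listen 80;
--           location / {
--               access_by_lua_file /etc/openresty/lua/abnormal_traffic.lua;
--               proxy_pass http://unettool-proxy-cn-bj1-01;
--           }
--       }
--   }

local ACCESS_THRESHOLD = 10    -- page's example: 10 accesses ...
local THRESHOLD_WINDOW = 5     -- ... within 5 seconds
local BLOCK_TTL        = 3600  -- assumption: keep the gateway-level block for an hour

-- Assumption: only these upstream proxies may supply X-Real-IP. Taking the header
-- from an arbitrary peer would let a client choose which IP gets counted or blocked.
local TRUSTED_PROXIES = { ["10.0.0.1"] = true }

local counters  = ngx.shared.ip_access
local blocklist = ngx.shared.ip_blocklist

-- Obtain the client IP: X-Real-IP when set by a trusted proxy, else the TCP peer.
local function client_ip()
    local remote = ngx.var.remote_addr
    if TRUSTED_PROXIES[remote] then
        local real = ngx.req.get_headers()["X-Real-IP"]
        if type(real) == "string" and real ~= "" then
            return real
        end
    end
    return remote
end

local ip = client_ip()

-- Traverse the blacklist before recording the access: blocked IPs get a failure.
if blocklist:get(ip) then
    ngx.log(ngx.WARN, "blocked ip rejected: ", ip)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Record the access and count accesses in the window. incr() with init_ttl creates
-- the counter on the first access and lets it expire after THRESHOLD_WINDOW seconds
-- (init_ttl needs lua-nginx-module 0.10.12 or later).
local count, err = counters:incr("cnt:" .. ip, 1, 0, THRESHOLD_WINDOW)
if not count then
    ngx.log(ngx.ERR, "access counter failed for ", ip, ": ", err)
    return  -- fail open on counter errors; use ngx.exit(503) here to fail closed
end

-- Threshold reached: the traffic is abnormal. Add the IP to the blocklist and hand
-- it to the blocking step. The patent blocks with `iptables -I INPUT -s IP -j DROP`;
-- nginx workers run unprivileged, so the decision is logged for a privileged helper
-- (an assumption, not part of the patent) to apply the iptables rule.
if count >= ACCESS_THRESHOLD then
    blocklist:set(ip, ngx.now(), BLOCK_TTL)
    ngx.log(ngx.WARN, "ABNORMAL_TRAFFIC block ip=", ip, " count=", count,
            " window=", THRESHOLD_WINDOW)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- Normal client: fall through to proxy_pass.
```

The handler is loaded with `access_by_lua_file`, so every request to the location passes through it before proxying; because the counter and blocklist live in `lua_shared_dict`, the decision is consistent across nginx worker processes. The gateway-level 403 is what stops the traffic immediately; the iptables rule is the second, network-level barrier the text describes.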
It should be noted that iptables works by rules, which are conditions predefined by the network administrator: when the header of a packet meets certain conditions, the packet is processed according to the corresponding rule. These rules are stored in the kernel-space packet filter table and specify the source address, destination address, transport protocol (e.g. TCP, UDP, ICMP) and type of service (e.g. HTTP, FTP, SMTP). When a packet matches a rule, iptables processes it in the way the rule defines, such as: accept (let it through), reject, drop, etc.
The actions a predefined iptables rule may define include the following:
1. drop;
2. reject;
3. accept;
4. translation based on the source address;
5. specifying the source address.
For example, on a Linux system, iptables is the user-space interface for operating the netfilter subsystem of the Linux kernel. After a packet from the external network enters the kernel, it passes through a predefined flow in the Linux system, and during that traversal the kernel exposes a series of hooks to the user, allowing the user to drop, modify, etc. the packet at different points of the packet's traversal.
In this embodiment, when the number of accesses does not exceed the access threshold, that is, the client IP is normal, the traffic is reverse-proxied to the respective service systems according to the distribution rule defined by the user, such as hash, IP, balance and the like.
In one embodiment of the present invention, reverse-proxying the traffic of normal client IPs to their corresponding service systems according to the user-defined distribution rule comprises:
configuring a reverse proxy rule in the nginx of the OpenResty gateway;
and matching the traffic of the normal client IP to its corresponding service system in a Lua script, and routing it to the nginx upstream of the user-defined back-end service.
Preferably, the nginx upstream assigns requests to the different back-end servers in turn, in order of arrival, that is, round-robin.
It should be particularly noted that, in the embodiment of the present invention, when the distribution rule proxies traffic to the respective service systems, a reverse proxy rule is first configured in nginx, for example as follows:
upstream unettool-proxy-cn-bj1-01 {
    keepalive 1000;
    server 172.X.X.X:2003;
}
The Lua script then only needs to match the service's own business rule to route to the user-defined back-end service upstream. The specific code is as follows:
ngx.var.backend = _upstream
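The routing step above, as an added example that is not the patent's own code: a Lua script run in the rewrite phase that chooses the nginx upstream by one of the distribution rules named in the text (hash, IP, balance) and assigns it to ngx.var.backend. The second upstream name, the shared dictionary, the IP-prefix table, the rule selector and the proxy_pass wiring through $backend are assumptions.

```lua
-- Added example (not the patent's own code): rewrite-phase routing that selects the
-- nginx upstream by a user-defined distribution rule and writes it to ngx.var.backend.
-- Assumed nginx.conf fragment (the first upstream name is from the page; the second
-- upstream, the shared dict and the $backend wiring are assumptions):
--
--   upstream unettool-proxy-cn-bj1-01 { keepalive 1000; server <backend-1-ip>:2003; }
--   upstream unettool-proxy-cn-bj1-02 { keepalive 1000; server <backend-2-ip>:2003; }
--   lua_shared_dict route_rr 1m;
--   server {
--       location / {
--           set $backend "";
--           rewrite_by_lua_file /etc/openresty/lua/route_upstream.lua;
--           proxy_pass http://$backend;
--       }
--   }

local UPSTREAMS = { "unettool-proxy-cn-bj1-01", "unettool-proxy-cn-bj1-02" }

-- Assumption: the rule is chosen by name; the page lists hash, IP and balance.
local RULE = "hash"

-- Constructed mapping for the "ip" rule: client-IP prefix -> upstream.
local IP_PREFIX_ROUTES = {
    ["192.168."] = "unettool-proxy-cn-bj1-02",
}

-- "hash": the same client always lands on the same service system.
local function by_hash(ip)
    return UPSTREAMS[(ngx.crc32_short(ip) % #UPSTREAMS) + 1]
end

-- "ip": explicit prefix match, falling back to the first upstream.
local function by_ip(ip)
    for prefix, upstream in pairs(IP_PREFIX_ROUTES) do
        if ip:sub(1, #prefix) == prefix then
            return upstream
        end
    end
    return UPSTREAMS[1]
end

-- "balance": round robin in arrival order, with the counter shared across workers.
local function by_balance()
    local n, err = ngx.shared.route_rr:incr("next", 1, 0)
    if not n then
        ngx.log(ngx.ERR, "round-robin counter failed: ", err)
        n = 1
    end
    return UPSTREAMS[(n % #UPSTREAMS) + 1]
end

-- The TCP peer address is used here; if the gateway sits behind a trusted proxy,
-- take X-Real-IP from that proxy only, exactly as when counting accesses.
local ip = ngx.var.remote_addr
local selected
if RULE == "hash" then
    selected = by_hash(ip)
elseif RULE == "ip" then
    selected = by_ip(ip)
else
    selected = by_balance()
end

-- This is the page's `ngx.var.backend = _upstream`: proxy_pass http://$backend then
-- forwards to the chosen upstream, whose own servers nginx balances round-robin.
ngx.var.backend = selected
```

The script only selects the upstream group; load balancing among the servers inside that group is left to nginx, which is the round-robin allocation the text prefers. Assigning to ngx.var.backend requires the variable to have been declared with `set $backend ""` in the location, otherwise ngx_lua raises an error.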
In the invention, OpenResty is used to block abnormal traffic, and no code has to be written into the individual service systems, so no code intrusion occurs; the IP abnormal-access rule is added automatically, no manual processing is needed when the traffic is under attack, and the system blocks automatically, so that the whole system is more highly available and automated; traffic monitoring and distribution, abnormal traffic capture and automatic addition to the IP blocking list according to rules are realized, and no manual intervention is needed.
It should be understood that although the steps are described above in a certain order, the steps are not necessarily performed in the order described. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, some steps of the present embodiment may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the steps or stages is not necessarily sequential, but may be performed alternately or in turns with other steps or at least a part of the steps or stages in other steps.
In one embodiment, as shown in fig. 4, an embodiment of the present invention provides a system for capturing and intercepting abnormal traffic based on OpenResty, where the system includes a traffic cleaning module 100, an IP recording module 200, a judging module 300, a blocking module 400 and a distribution module 500.
The traffic cleaning module 100 is configured to filter and clean the received service traffic at the OpenResty gateway. In this embodiment, the OpenResty gateway is the entrance responsible for receiving traffic; it is a functional gateway consisting of nginx with the OpenResty extension, so the traffic can be filtered by means of the OpenResty features, and the logic code written in the gateway does not need to modify the code of any service system, which is how traffic cleaning and distribution are realized. When filtering and cleaning the received service traffic, the traffic is filtered with the OpenResty features, and the corresponding traffic rule can be written in the nginx gateway to achieve the filtering effect.
The OpenResty gateway integrates nginx with Lua through the ngx_lua module. ngx_lua embeds the Lua scripting language into Nginx, lets Nginx execute Lua scripts, and handles all kinds of requests with high concurrency and without blocking. Lua's built-in coroutines neatly convert asynchronous callbacks into a sequential calling form. In ngx_lua, all I/O operations of the Lua script are delegated to Nginx's event model, which makes the calls non-blocking.
The IP recording module 200 is configured to record the client IP of the network packet corresponding to the filtered service traffic and to record the access time. When traffic is received, the client IP of the network packet is obtained from the HTTP header X-Real-IP.
The judging module 300 is configured to judge whether the number of accesses from the obtained client IP within the set threshold time exceeds the access threshold. When traffic enters, the client IP of the network packet is obtained from the HTTP header X-Real-IP and the time is recorded; after the time is recorded, it is queried whether the access frequency of that IP within the set threshold time exceeds the access threshold, for example: the number of accesses reached 10 within 5 seconds.
The blocking module 400 is configured to block client IPs that exceed the access threshold. A client IP that exceeds the access threshold is blocked with iptables -I INPUT -s <IP> -j DROP. iptables works by rules, which are conditions predefined by the network administrator: when the header of a packet meets certain conditions, the packet is processed according to the corresponding rule. These rules are stored in the kernel-space packet filter table and specify the source address, destination address, transport protocol (e.g. TCP, UDP, ICMP) and type of service (e.g. HTTP, FTP, SMTP). When a packet matches a rule, iptables processes it in the way the rule defines, such as: accept (let it through), reject, drop, etc.
The distribution module 500 is configured to reverse-proxy the traffic of normal client IPs that do not exceed the access threshold to their corresponding service systems according to the user-defined distribution rule. When the number of accesses does not exceed the access threshold, that is, the client IP is normal, the traffic is reverse-proxied to the respective service system according to the distribution rule defined by the user, such as hash, IP, balance and the like.
In this embodiment, when the traffic of a normal client IP is reverse-proxied to its corresponding service system according to the user-defined distribution rule, a reverse proxy rule is configured in the nginx of the OpenResty gateway, the traffic of the normal client IP is matched to its corresponding service system in a Lua script, and it is routed to the nginx upstream of the user-defined back-end service.
In this embodiment, the system for capturing and intercepting abnormal traffic based on OpenResty executes the method for capturing and intercepting abnormal traffic based on OpenResty described above; therefore a detailed description of the operation of the system is not repeated here.
In one embodiment, fig. 5 illustrates a block diagram of an electronic device according to an embodiment of the invention. In one possible design, as shown in fig. 5, an embodiment of the present invention provides an electronic device 1000, where the electronic device 1000 includes a memory 1001 and a processor 1002, the memory 1001 stores a computer program, and the processor 1002 is configured to execute the computer program stored in the memory 1001. The memory 1001 is used to store one or more computer instructions, which are executed by the processor 1002 to implement the steps of the method embodiments described above:
filtering and cleaning received service traffic at the OpenResty gateway;
obtaining the client IP of the corresponding network packet from the filtered service traffic and recording the access time;
judging whether the number of accesses from the obtained client IP within a set threshold time exceeds an access threshold;
and blocking any client IP that exceeds the access threshold, while reverse-proxying the traffic of normal client IPs to their corresponding service systems according to the user-defined distribution rule.
It should be noted that, according to the embodiments of the present invention, the method described above with reference to the drawings may be implemented as a computer software program. For example, embodiments of the invention include a computer program product comprising a computer program tangibly embodied on a computer-readable medium, the computer program comprising program code for performing the methods of the figures. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowcharts or block diagrams may represent a module, a program segment, or a portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In an embodiment of the present invention, a storage medium is provided, on which a computer program is stored, which, when executed by a processor, realizes the steps of the method embodiments described above:
filtering and cleaning received service traffic at the OpenResty gateway;
obtaining the client IP of the corresponding network packet from the filtered service traffic and recording the access time;
judging whether the number of accesses from the obtained client IP within a set threshold time exceeds an access threshold;
and blocking any client IP that exceeds the access threshold, while reverse-proxying the traffic of normal client IPs to their corresponding service systems according to the user-defined distribution rule.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program represented by computer instructions and instructing associated hardware, and the computer program can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory.
Non-volatile memory may include read-only memory, magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory may include random access memory or external cache memory. By way of illustration, and not limitation, RAM can take many forms, such as static random access memory, dynamic random access memory, and the like.
In summary, the OpenResty-based method and system for capturing and intercepting abnormal traffic of the present invention block abnormal traffic at the OpenResty gateway, so that no code has to be written into the individual service systems (no code intrusion). The IP abnormal-access rule is added automatically: when the traffic is under attack no manual processing is needed, the system blocks the source on its own, and the whole system therefore has higher availability and a higher degree of automation. Traffic monitoring and distribution, abnormal traffic capture, and automatic addition of IPs to the blocking list according to the rule are all achieved without manual intervention.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A method for capturing and intercepting abnormal traffic based on OpenResty, characterized by comprising the following steps:
filtering and cleaning the received service traffic at the OpenResty gateway;
obtaining, from the filtered service traffic, the client IP of the corresponding network packet and recording the access time;
judging whether the number of accesses from that client IP within a set time window exceeds an access threshold;
and IP-blocking any client IP that exceeds the access threshold, while reverse-proxying the traffic of normal client IPs to the corresponding service systems according to a user-defined distribution rule.
2. The OpenResty-based abnormal traffic capturing and intercepting method of claim 1, wherein filtering and cleaning the received service traffic at the OpenResty gateway comprises the following steps:
the OpenResty gateway integrates the Nginx modules and the Lua scripting language through the ngx_lua module;
traffic filtering rules are written in the Lua scripting language, calling the C modules supported by Nginx and the Lua modules;
and the received service traffic is filtered and cleaned according to the traffic filtering rules.
3. The OpenResty-based abnormal traffic capturing and intercepting method of claim 1 or 2, wherein: after obtaining the client IP corresponding to the network packet and before recording the access time, a blacklist is traversed and compared to determine whether the obtained client IP is in the blacklist;
when the obtained client IP is in the blacklist, a failure is returned;
and when the obtained client IP is not in the blacklist, the time of the access by that client IP is recorded.
4. The OpenResty-based abnormal traffic capturing and intercepting method of claim 3, wherein obtaining the client IP corresponding to the network packet comprises: when incoming traffic is received, obtaining the client IP of the network packet from the HTTP header X-Real-IP.
5. The OpenResty-based abnormal traffic capturing and intercepting method of claim 1, wherein, when IP-blocking a client IP that exceeds the access threshold, the IP is blocked with iptables -I INPUT -s <IP> -j DROP.
6. The OpenResty-based abnormal traffic capturing and intercepting method of claim 5, wherein reverse-proxying the traffic of normal client IPs to the corresponding service systems according to the user-defined distribution rule comprises:
configuring a reverse proxy rule in the nginx configuration of the OpenResty gateway;
and matching, by means of a Lua script, the traffic of the normal client IP to the corresponding service system and routing it to the nginx upstream of the user-defined back-end service.
7. The OpenResty-based abnormal traffic capturing and intercepting method of claim 6, wherein the nginx upstream uses the round-robin distribution mode, distributing requests in turn, in time order, to the different back-end servers.
8. A system for capturing and intercepting abnormal traffic based on OpenResty, characterized in that the system captures abnormal traffic by the OpenResty-based abnormal traffic capturing and intercepting method of any one of claims 1 to 7; the system comprises:
a traffic cleaning module for filtering and cleaning the received service traffic at the OpenResty gateway;
an IP recording module for obtaining the client IP of the network packet corresponding to the filtered service traffic and recording the access time;
a judging module for judging whether the number of accesses from the obtained client IP within the set time window exceeds the access threshold;
a blocking module for IP-blocking client IPs that exceed the access threshold; and
a distribution module for reverse-proxying the traffic of normal client IPs that do not exceed the access threshold to the corresponding service systems according to the user-defined distribution rule.
9. An electronic device comprising a memory and a processor, the memory storing a computer program, wherein the steps of the method of any one of claims 1 to 7 are implemented when the computer program is loaded and executed by the processor.
10. A storage medium storing a computer program, characterized in that the computer program, when loaded and executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
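The steps of claims 1 to 7 (and the storage-medium embodiment above) map onto a single OpenResty access phase. The following nginx configuration with embedded Lua is an added worked example written for this page; it is not the patent's own code and no implementation is published with the application. It assumes illustrative names and values (shared dicts ip_counter and ip_blacklist, upstream backend, a 60-second window, a threshold of 100 requests, a 600-second ban, and 10.0.0.0/8 as the address range of a trusted front proxy). Two points a practitioner should not skip: X-Real-IP (claim 4) is an ordinary request header that any client can set, so it must only be honoured when the request arrives from a proxy you control, otherwise an attacker can dodge the counter or get a victim's address banned; and the iptables call of claim 5 is a blocking, root-privileged operation that should not be executed inside an nginx worker.

```nginx
# Added example (not the patent's code): OpenResty gateway that counts requests
# per client IP in a fixed window, bans IPs over the threshold, and
# reverse-proxies the rest round-robin. All names/limits below are assumptions.
worker_processes 1;
events { worker_connections 1024; }

http {
    lua_shared_dict ip_counter   10m;   # per-IP request count, key expires with the window
    lua_shared_dict ip_blacklist 10m;   # banned IPs, key expires with the ban

    # Honour X-Real-IP only from our own front proxy (assumed range); for any
    # other sender remote_addr stays the TCP peer address, so the header
    # cannot be spoofed to evade the limit or to ban a third party.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Real-IP;

    upstream backend {                  # nginx balances round-robin by default (claim 7)
        server 10.1.0.11:8080;
        server 10.1.0.12:8080;
    }

    server {
        listen 80;

        location / {
            access_by_lua_block {
                local window_seconds = 60    -- "set time window"
                local max_requests   = 100   -- "access threshold"
                local ban_seconds    = 600   -- how long a blocked IP stays blocked

                local ip        = ngx.var.remote_addr   -- already resolved via real_ip_header
                local counter   = ngx.shared.ip_counter
                local blacklist = ngx.shared.ip_blacklist

                -- Claim 3: blacklisted IP -> return failure before recording anything.
                if blacklist:get(ip) then
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- Claim 1, step 2: record the access. incr() with init and init_ttl
                -- creates the key on the first hit and lets it expire after the
                -- window; later hits only increment, so this is a fixed window.
                local count, err = counter:incr(ip, 1, 0, window_seconds)
                if not count then
                    -- Shared-dict failure (e.g. out of memory): log and fail open.
                    -- Use ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE) here to fail closed.
                    ngx.log(ngx.ERR, "ip_counter incr failed for ", ip, ": ", err)
                    return
                end

                -- Claim 1, step 3/4: over the threshold -> block for ban_seconds.
                if count > max_requests then
                    blacklist:set(ip, true, ban_seconds)
                    ngx.log(ngx.WARN, "blocked ", ip, ": ", count,
                            " requests in ", window_seconds, "s")
                    -- Claim 5 additionally runs: iptables -I INPUT -s <ip> -j DROP
                    -- Do NOT os.execute() that here: it blocks the event loop and
                    -- needs root. Have a separate privileged process read the
                    -- ip_blacklist dict (or a log/queue) and install the rule.
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end
                -- Normal client: fall through to the reverse proxy (claim 6).
            }
            proxy_pass http://backend;
        }
    }
}
```

The in-gateway blacklist is what actually returns the failure of claim 3; once the iptables DROP rule is in place the kernel discards the packets before nginx sees them, so the dict entry mainly covers the gap between detection and rule installation and any deployment that does not run the iptables step. Because the counters live in lua_shared_dict, every worker on the host sees the same counts, but a multi-node gateway needs a shared store (or per-node thresholds) for the limit to mean the same thing cluster-wide.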
CN202210291504.8A 2022-03-23 2022-03-23 OpenResty-based abnormal traffic capturing and intercepting method and system Pending CN114389900A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210291504.8A CN114389900A (en) 2022-03-23 2022-03-23 OpenResty-based abnormal traffic capturing and intercepting method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210291504.8A CN114389900A (en) 2022-03-23 2022-03-23 OpenResty-based abnormal traffic capturing and intercepting method and system

Publications (1)

Publication Number Publication Date
CN114389900A true CN114389900A (en) 2022-04-22

Family

ID=81205009

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210291504.8A Pending CN114389900A (en) 2022-03-23 2022-03-23 OpenResty-based abnormal traffic capturing and intercepting method and system

Country Status (1)

Country Link
CN (1) CN114389900A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242535A (en) * 2022-07-28 2022-10-25 深圳奇迹智慧网络有限公司 Firewall defense method and device based on OpenResty, computer equipment and storage medium
CN115296959A (en) * 2022-07-25 2022-11-04 紫光云技术有限公司 Method for replacing SpringCloudGateway gateway by using Nginx + Lua script

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107908748A (en) * 2017-11-17 2018-04-13 南京感度信息技术有限责任公司 Website user's behavioral data acquisition method, system and application based on big data
CN109951500A (en) * 2019-04-29 2019-06-28 宜人恒业科技发展(北京)有限公司 Network attack detecting method and device
WO2019242455A1 (en) * 2018-06-19 2019-12-26 Beijing Elex Technology Co., Ltd Method and apparatus for user request forwarding, reverse proxy and computer readable storage medium
CN110875885A (en) * 2018-08-31 2020-03-10 武汉斗鱼网络科技有限公司 Message processing method, server, terminal, system and storage medium
CN110944000A (en) * 2019-12-05 2020-03-31 美味不用等(上海)信息科技股份有限公司 OpenResty gateway feature anti-brushing method based on multi-Agent cluster
CN113542384A (en) * 2021-07-08 2021-10-22 平安科技(深圳)有限公司 Access request access control method, device, computer equipment and storage medium
CN113612816A (en) * 2021-07-06 2021-11-05 深圳市酷开网络科技股份有限公司 Data acquisition method, system, terminal and computer readable storage medium
CN113630310A (en) * 2020-05-06 2021-11-09 北京农信互联科技集团有限公司 Distributed high-availability gateway system

Similar Documents

Publication Publication Date Title
US9787700B1 (en) System and method for offloading packet processing and static analysis operations
EP3619903B1 (en) Non-protocol specific system and method for classifying suspect ip addresses as sources of non-targeted attacks on cloud based machines
JP6785225B2 (en) Distributed traffic management system and technology
CN117321966A (en) Method and system for efficient threat context aware packet filtering for network protection
CN114389900A (en) OpenResty-based abnormal traffic capturing and intercepting method and system
US11290424B2 (en) Methods and systems for efficient network protection
CN114041276B (en) Security policy enforcement and visibility of network architecture that masks external source addresses
US20040030931A1 (en) System and method for providing enhanced network security
CN113783885B (en) Honeypot network proxy method and related device
US20230362131A1 (en) Systems and methods for monitoring and securing networks using a shared buffer
CN115499241A (en) Method and system for draining fluid from intranet to honeypot based on eBPF XDP
US11936748B1 (en) Continuous scanning engine with automatic protocol detection
US11558352B2 (en) Cyber security protection system and related proactive suspicious domain alert system
CN110995763B (en) Data processing method and device, electronic equipment and computer storage medium
RU2514137C1 (en) Method for automatic adjustment of security means
CN114629714B (en) Malicious program behavior processing method and system for mutual reinforcement of honeypot and sandbox
US11470099B2 (en) Cyber security protection system and related proactive suspicious domain alert system
US20220311791A1 (en) Systems and methods for low latency stateful threat detection and mitigation
US20120324569A1 (en) Rule compilation in a firewall
Nife et al. Multi-level stateful firewall mechanism for software defined networks
CN112202922A (en) Information communication safety access management method, system and storage medium
WO2020084222A1 (en) Technique for gathering information relating to a stream routed in a network
CN114390088B (en) Interaction method and device of EDPS (electronic data transfer protocol) through OPC UA client and OPC UA server
EP4310708A2 (en) Methods and systems for efficient threat context-aware packet filtering for network protection
Gheorghe et al. Attack evaluation and mitigation framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220422