CN114785552A - System and method for detecting and protecting CC attack based on nginx - Google Patents

System and method for detecting and protecting CC attack based on nginx

Info

Publication number: CN114785552A
Application number: CN202210295629.8A
Authority: CN (China)
Prior art keywords: response, log, attack, slow, nginx
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 汪庆权, 李志�, 林俊龙
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408)
    • H04L63/1458 Denial of Service (under H04L63/1441, countermeasures against malicious traffic)
    (All within H04L63/14, network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00; H04L, transmission of digital information, e.g. telegraphic communication; H04, electric communication technique; H, electricity.)

Abstract

The present disclosure relates to a system and a method for detecting and protecting against CC attacks based on nginx. The system includes: a slow-response log adding module, which adds a slow-response log to nginx whose information items comprise a log type, client IP, URL, host, referer, user-agent, status code, byte count, request time and request-response time difference field; an nginx configuration module, which configures a request-response time difference threshold and a log upload protocol; a slow-response log generation module, which, from the information items of the slow-response log and the request-response time difference threshold, generates a slow-response log entry for each HTTP request whose request-response time difference exceeds the threshold; a slow-response log transmission module, which uploads the slow-response log using the log upload protocol; and a CC attack analysis platform, which receives the slow-response logs in real time, analyzes them to detect CC attack IPs, and issues the CC attack IPs to the blacklist of the FW (firewall) device to block the CC attack.

Description

System and method for detecting and protecting CC attack based on nginx
Technical Field
The disclosure relates to the technical field of network security, in particular to a system and a method for detecting and protecting CC attack based on nginx.
Background
CC stands for Challenge Collapsar (literally "challenge the black hole", after the Collapsar anti-DDoS product the attack was meant to defeat) and is a form of application-layer DDoS (distributed denial of service). A CC attack simulates a large number of users continuously requesting pages that consume substantial server resources (for example pages that query a database or run heavy statistics), so that CPU and I/O utilization on the web server and the database server rise sharply until resources are exhausted and legitimate web requests can no longer be served, producing a denial of service. Because a CC attack imitates normal user access, a handful of zombie hosts can paralyze the target server and block legitimate users; the attack is well disguised, hard to detect, and not effectively resisted by traditional security defenses.
A conventional defense counts every request source IP and computes its request rate, then restricts source IPs (a black-and-white list) or limits the number of connections per source IP. Most CC attacks, however, use a large number of puppet devices to issue requests to the target; once enough devices are under control, each request can come from a different IP, and the black-and-white list strategy stops working. A per-IP connection threshold is likewise easily bypassed when no single puppet IP exceeds it; and when each puppet IP stays below the request-rate threshold while the legitimate request rate to each URL of each website varies, it is impractical to set a single per-IP request-rate threshold that suits every URL on the site.
Since the volume of user requests during a CC attack is very large, attack characteristics are hard to extract, so an IP blacklist policy matching those characteristics cannot simply be derived by analysis and configured on the firewall device to block access to the website.
Another traditional defense is a token scheme: a token is defined for each visitor and stored in a cookie, and the server admits a request only if it carries the correct token. A normal browser honors the Set-Cookie header and the 302 redirect, re-requests the page with the correct token, and is then served; subsequent HTTP requests carry the token and proceed normally. The token scheme, however, requires modifying the site server and its business code, which increases maintenance cost. Moreover, because a CC attack targets pages that consume large server resources and needs only a small number of controlled hosts, some CC attack tools also support cookies, so the token check cannot detect them.
A system and method for detecting and protecting against CC attacks based on nginx is therefore needed that detects CC attacks quickly, requires no dedicated DDoS protection equipment, and is low in cost.
Disclosure of Invention
In view of the above, the present disclosure provides a system and method for detecting and protecting against CC attacks based on nginx. According to one aspect of the disclosure, the system comprises: a slow-response log adding module, which adds a slow-response log to nginx whose information items comprise a log type, client IP, URL, host, referer, user-agent, status code, byte count, request time and request-response time difference field; an nginx configuration module, which configures a request-response time difference threshold and a log upload protocol; a slow-response log generation module, which, from the information items of the slow-response log and the request-response time difference threshold, generates a slow-response log entry for each HTTP request whose request-response time difference exceeds the threshold; a slow-response log transmission module, which uploads the slow-response log using the log upload protocol; and a CC attack analysis platform, which receives the slow-response logs in real time, analyzes them to detect CC attack IPs, and issues the CC attack IPs to the blacklist of the FW device to block the CC attack.
According to the nginx-based system for detecting and protecting against CC attacks of the disclosure, the slow-response log generation module generates the slow-response log using syslog.
According to the nginx-based system for detecting and protecting against CC attacks of the disclosure, the log upload protocol configured by the nginx configuration module is UDP.
According to the nginx-based system for detecting and protecting against CC attacks of the disclosure, when the CC attack analysis platform analyzes the received slow-response logs, it takes a user-configured threshold for the number of requests per IP per unit time, finds the IPs whose request count per unit time exceeds that threshold, and, if such an IP is not on the white list, judges it to be a CC attack IP and adds it to the black list.
According to the nginx-based system for detecting and protecting against CC attacks of the disclosure, the CC attack analysis platform calls the blacklist interface of the FW device through a web-service or RESTful interface to add the CC attack IP to the FW device's blacklist.
According to the nginx-based system for detecting and protecting against CC attacks of the disclosure, the CC attack analysis platform, when analyzing the received slow-response logs, also computes the response time of each URL per unit time and ranks the URLs by it.
According to the nginx-based system for detecting and protecting against CC attacks of the disclosure, after analyzing the received slow-response logs, the CC attack analysis platform also presents in a web visualization the slow-response logs and the statistics computed from them: the request count per IP per unit time with its ranking, and the URL response time per unit time with its ranking.
Another aspect of the present disclosure provides a method for detecting and protecting against CC attacks based on nginx, comprising: adding a slow-response log whose information items comprise a log type, client IP, URL, host, referer, user-agent, status code, byte count, request time and request-response time difference field; configuring a request-response time difference threshold and a log upload protocol; generating, from the information items of the slow-response log and the request-response time difference threshold, a slow-response log entry for each HTTP request whose request-response time difference exceeds the threshold; uploading the slow-response log using the log upload protocol; and receiving the slow-response logs in real time, analyzing them to detect CC attack IPs, and issuing the CC attack IPs to the blacklist of the FW device to block the CC attack.
According to the nginx-based method for detecting and protecting against CC attacks of the disclosure, the slow-response log is generated using syslog.
According to the nginx-based method for detecting and protecting against CC attacks of the disclosure, the log upload protocol is configured to be UDP.
According to the nginx-based method for detecting and protecting against CC attacks of the disclosure, when the received slow-response logs are analyzed, a user-configured threshold for the number of requests per IP per unit time is taken, the IPs whose request count per unit time exceeds that threshold are found, and any such IP that is not on the white list is judged to be a CC attack IP and added to the black list.
According to the nginx-based method for detecting and protecting against CC attacks of the disclosure, the blacklist interface of the FW device is called through a web-service or RESTful interface to add the CC attack IP to the FW device's blacklist.
According to the nginx-based method for detecting and protecting against CC attacks of the disclosure, the method further comprises: when analyzing the received slow-response logs, computing the response time of each URL per unit time and ranking the URLs by it.
According to the nginx-based method for detecting and protecting against CC attacks of the disclosure, the method further comprises: after analyzing the received slow-response logs, presenting in a web visualization the slow-response logs and the statistics computed from them, namely the request count per IP per unit time with its ranking and the URL response time per unit time with its ranking.
In summary, with the nginx-based system and method for detecting and protecting against CC attacks, an HTTP slow-response log is added to nginx, and the slow-response entries whose request-response time difference exceeds the threshold time are reported to the CC attack analysis platform; the threshold filters out most irrelevant HTTP requests. After receiving the slow-response logs, the CC attack analysis platform performs statistical analysis on them, counts requests per IP per unit time, looks up each IP that exceeds the user-configured per-unit-time request threshold in the FW device's white list, and judges any such IP not on the white list to be a CC attack IP. The CC attack analysis platform is linked with the FW: it calls the FW device's blacklist interface through a web-service or RESTful interface, adds the CC attack IP to the FW blacklist, and thereby blocks the CC attack IP from reaching the web server. The system and method detect CC attack sources quickly and need no dedicated hardware for protection, which greatly reduces cost; in addition, the per-unit-time URL response time statistics and top ranking give the user a basis for improving program performance, which in turn improves resistance to CC attacks.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is an application scenario diagram of the nginx-based system for detecting and protecting against CC attacks according to an embodiment of the present disclosure.
Fig. 2 is a schematic diagram illustrating a system for nginx-based detection and protection of CC attacks according to an embodiment of the disclosure.
Fig. 3 is a schematic flow chart illustrating a method for detecting and protecting CC attack based on nginx according to an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, systems, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
Nginx is a lightweight web server/reverse proxy server and an e-mail (IMAP/POP3) proxy server; it is characterized by a small memory footprint and strong concurrency and is widely used in building Internet websites today. Fig. 1 is an application scenario diagram of the nginx-based system for detecting and protecting against CC attacks according to an embodiment of the present disclosure. As shown in fig. 1, the domain a.com has the sub-domains fine.a.com, marking.a.com and product.a.com. The website is built with nginx as the reverse proxy server: when the nginx reverse proxy receives an access request for the a.com domain, it forwards the user's request to the fine.a.com, marking.a.com or product.a.com site.
Because a CC attack is very resource-intensive, HTTP requests during a CC attack take longer than normal requests. In the nginx-based system for detecting and protecting against CC attacks, a slow-response log is added on top of the open-source nginx code, the slow-response entries exceeding the threshold time are reported to the CC attack analysis platform, the platform performs statistical summary analysis on them and quickly detects the CC attack IPs, and when it detects a CC attack IP it issues that IP to the FW device.
Fig. 2 is a schematic diagram illustrating a system for nginx-based detection and protection of CC attacks according to an embodiment of the disclosure.
As shown in fig. 2, the nginx-based system for detecting and protecting against CC attacks of the embodiment of the present disclosure includes a slow-response log adding module 202, an nginx configuration module 204, a slow-response log generation module 206, a slow-response log transmission module 208 and a CC attack analysis platform 210.
The slow-response log adding module 202 adds a slow-response log to nginx whose information items comprise a log type, client IP, URL, host, referer, user-agent, status code, byte count, request time and request-response time difference field. The log type field identifies the entry as a slow-response log; the remaining fields carry the information about the HTTP request.
The nginx configuration module 204 configures the request-response time difference threshold and the log upload protocol. More specifically, the request-response time difference threshold is configured in nginx so that a log entry is generated for each request whose request-response time difference exceeds the threshold, and for each HTTP request that receives no response at all. The volume of generated log entries can therefore be tuned by adjusting the threshold.
The slow-response log generation module 206 generates the slow-response log from the information items and the request-response time difference threshold: for each HTTP request whose request-response time difference exceeds the threshold, or that receives no response, an entry composed of the information items is generated.
The slow-response log transmission module 208 uploads the slow-response log using the configured log upload protocol.
The CC attack analysis platform 210 receives the slow-response log in real time and analyzes it to detect CC attack IPs, which it issues to the blacklist of the FW device to protect against the CC attack.
In the nginx-based system for detecting and protecting against CC attacks, the slow-response log generation module generates the slow-response log using syslog.
In the nginx-based system for detecting and protecting against CC attacks, the nginx configuration module configures the log upload protocol to be UDP, which makes full use of the timeliness and high performance of UDP transmission and avoids affecting the performance of the nginx reverse proxy.
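The patent implements its slow-response log by modifying the nginx source, which is not reproduced here. The configuration below is an added example (not the patent's code) showing how stock nginx, version 1.7.1 or later for syslog output and the access_log "if=" parameter, can approximate the same behaviour with directives it already has: a map turns $request_time (the time since the first client byte was read, the closest stock variable to the patent's request-response time difference) into a flag for requests that took 2 s or longer, the log_format carries the ten fields in the order the text lists them, and only flagged requests are shipped over syslog/UDP. The 2 s threshold, the collector address 192.0.2.10:514, the upstream address and the '|' delimiter are assumptions of this example.

```nginx
# Added example, not the patent's modified nginx source. Stock nginx 1.7.1+
# approximating the patent's slow-response log. Assumptions: 2 s threshold,
# syslog collector 192.0.2.10:514, one upstream site server.
http {
    # $request_time is "seconds.milliseconds" since the first client byte was
    # read; flag 2.000 s and above. Adjust the regex to change the threshold
    # (the patent tunes log volume the same way, via a time threshold).
    map $request_time $slow_request {
        default                     0;
        "~^(?:[2-9]|[1-9][0-9]+)\." 1;
    }

    # Ten fields in the order the text lists them: log type, client IP, URL,
    # host, referer, user-agent, status, bytes, request time, time difference.
    log_format slowlog 'slowlog|$remote_addr|$request_uri|$host|$http_referer'
                       '|$http_user_agent|$status|$body_bytes_sent'
                       '|$time_iso8601|$request_time';

    upstream backend {
        server 10.0.0.11:8080;   # assumed site server behind the proxy
    }

    server {
        listen 80;
        server_name a.com *.a.com;

        # Only slow requests go to the collector over syslog/UDP; all traffic
        # still goes to the normal access log. A request whose upstream times
        # out is logged at the timeout (status 504), so the same rule catches
        # requests that never got a response.
        access_log syslog:server=192.0.2.10:514,tag=nginx,severity=info slowlog if=$slow_request;
        access_log /var/log/nginx/access.log;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

With this configuration each shipped datagram looks like a BSD syslog line, `<134>Mar 28 10:00:01 web1 nginx: slowlog|203.0.113.7|/search?q=x|www.a.com|-|...|200|1532|2022-03-28T10:00:01+08:00|3.412`, which the collector splits on '|'. Note that $request_time also grows when a slow client drips its request body or reads the response slowly, so a deployment that sits behind a CDN or serves large downloads should compare it against $upstream_response_time before treating every slow entry as server-side load.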
In the nginx-based system for detecting and protecting against CC attacks, the CC attack analysis platform calls the blacklist interface of the FW device through a web-service or RESTful interface to add the CC attack IP to the FW device's blacklist. After receiving the blacklist issued by the CC attack analysis platform, the FW device blocks the CC attack IP's access to the web server, thereby protecting the web server.
Optionally, in the nginx-based system for detecting and protecting against CC attacks of the embodiment of the present disclosure, when the CC attack analysis platform analyzes the received slow-response logs it takes a user-configured threshold for the number of requests per IP per unit time, finds the IPs whose request count per unit time exceeds that threshold, and, if such an IP is not on the white list, judges it to be a CC attack IP and adds it to the black list.
More specifically, the CC attack analysis platform starts a syslog listener, parses the slow-response logs reported by nginx in real time, extracts the log type, client IP, URL, host, referer, user-agent, status code, byte count, request time and request-response time difference fields from each received entry, and stores them in a database. It then counts the requests per IP per unit time, ranks the IPs by that count (top ranking), compares the counts against the user-configured per-unit-time request threshold, looks up each IP that exceeds the threshold in the FW device's white list, judges any such IP not on the white list to be a CC attack IP, and adds it to the black list on the FW device.
Optionally, in the nginx-based system for detecting and protecting against CC attacks of the embodiment of the present disclosure, when analyzing the received slow-response logs the CC attack analysis platform computes the response time of each URL per unit time and ranks the URLs by it. The top ranking of URL response time per unit time gives the user a basis for optimizing the program, improving its performance and thereby its resistance to CC attacks.
Optionally, in the nginx-based system for detecting and protecting against CC attacks of the embodiment of the present disclosure, after analyzing the received slow-response logs the CC attack analysis platform presents in a web visualization the slow-response logs themselves and the statistics computed from them: the request count per IP per unit time with its ranking, and the URL response time per unit time with its ranking. Specifically, a user can access the CC attack analysis platform through a browser and view the slow-response logs and the detailed statistical reports on them in real time.
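The analysis side described in the preceding paragraphs, as an added Python example that is not the patent's platform code: it parses the ten-field slow-response entries nginx would emit, counts entries per client IP in fixed time windows, flags IPs that exceed a threshold unless covered by a white list, and ranks URLs by mean request-response time difference (the "top ranking" the text offers as a tuning aid). The '|' delimiter, the ISO 8601 request time, the 60 s window, the threshold of 5 entries per window, the sample addresses and the sample log lines are all constructed for this example. The real platform would read the datagrams from a UDP socket and push the flagged IPs to the FW blacklist interface, which is vendor-specific and not shown.

```python
"""Added example: CC-attack analysis over nginx slow-response logs (illustrative)."""
import ipaddress
import re
import socket
from collections import defaultdict
from datetime import datetime

# Assumed wire format (this example's choice): BSD syslog header, tag "nginx",
# then '|'-separated fields in the order the text lists them.
FIELD_NAMES = ("log_type", "client_ip", "url", "host", "referer", "user_agent",
               "status", "bytes", "request_time", "time_diff")
_PAYLOAD = re.compile(r"nginx(?:\[\d+\])?:\s*(?P<payload>.+)$")


def parse_slow_log(line):
    """Return one parsed slow-response entry as a dict, or None if malformed."""
    m = _PAYLOAD.search(line.strip())
    if not m:
        return None
    parts = m.group("payload").split("|")
    if len(parts) != len(FIELD_NAMES):
        return None
    rec = dict(zip(FIELD_NAMES, parts))
    if rec["log_type"] != "slowlog":
        return None  # only slow-response entries are analysed
    try:
        rec["client_ip"] = str(ipaddress.ip_address(rec["client_ip"]))
        rec["status"] = int(rec["status"])
        rec["bytes"] = int(rec["bytes"])
        rec["request_time"] = datetime.fromisoformat(rec["request_time"])
        rec["time_diff"] = float(rec["time_diff"])
    except ValueError:
        return None  # a bad field must never stop the receiver
    return rec


def detect_attack_ips(records, window_seconds, threshold, whitelist):
    """IPs with more than `threshold` slow entries in any fixed window,
    excluding addresses covered by `whitelist` (single IPs or CIDR blocks)."""
    allowed = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    counts = defaultdict(int)
    for rec in records:
        bucket = int(rec["request_time"].timestamp()) // window_seconds
        counts[(rec["client_ip"], bucket)] += 1
    flagged = set()
    for (ip, _bucket), n in counts.items():
        if n > threshold and not any(
                ipaddress.ip_address(ip) in net for net in allowed):
            flagged.add(ip)
    return sorted(flagged)


def rank_urls(records, top_n=5):
    """(url, mean time difference, hits), slowest first."""
    totals = defaultdict(lambda: [0.0, 0])
    for rec in records:
        totals[rec["url"]][0] += rec["time_diff"]
        totals[rec["url"]][1] += 1
    ranked = [(url, total / n, n) for url, (total, n) in totals.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked[:top_n]


def analyze(lines, window_seconds=60, threshold=5, whitelist=("192.0.2.0/24",)):
    """Run the whole pipeline over raw syslog lines."""
    records = [r for r in map(parse_slow_log, lines) if r]
    return {"parsed": len(records),
            "attack_ips": detect_attack_ips(records, window_seconds, threshold, whitelist),
            "top_urls": rank_urls(records, top_n=3)}


def serve_udp(bind=("0.0.0.0", 514), batch=500, **kw):
    """Collect syslog/UDP datagrams from nginx and analyse them in batches.
    UDP syslog is unauthenticated: restrict source hosts with a firewall."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    lines = []
    while True:
        data, _peer = sock.recvfrom(65535)
        lines.append(data.decode("utf-8", "replace"))
        if len(lines) >= batch:
            print(analyze(lines, **kw)["attack_ips"])  # real platform: push to FW
            lines.clear()


def _line(ip, url, sec, diff, ua="Mozilla/5.0", status=200):
    # Constructed sample entry in the assumed format (not real traffic).
    return (f"<134>Mar 28 10:00:{sec:02d} web1 nginx: slowlog|{ip}|{url}|www.a.com|-|"
            f"{ua}|{status}|1532|2022-03-28T10:00:{sec:02d}+08:00|{diff}")


SAMPLE_LINES = (
    [_line("203.0.113.7", "/search?q=x", s, 3.4, ua="python-requests/2.25")
     for s in range(0, 30, 5)]                                      # 6 hits in one minute
    + [_line("198.51.100.20", "/product/42", s, 2.1) for s in (3, 40)]
    + [_line("192.0.2.5", "/report/daily", s, 6.0) for s in range(0, 35, 5)]  # white-listed monitor
    + ["<134>Mar 28 10:00:50 web1 nginx: slowlog|not-an-ip|/x|www.a.com|-|ua|200|0|2022-03-28T10:00:50+08:00|9.9",
       "<134>Mar 28 10:00:51 web1 nginx: access|203.0.113.9|/x|www.a.com|-|ua|200|0|2022-03-28T10:00:51+08:00|0.1"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

Run directly, the script flags only 203.0.113.7: the monitoring host 192.0.2.5 exceeds the threshold too but is covered by the white list, and the two malformed lines are dropped rather than crashing the listener. Two points a deployment of this design has to handle: the listener must accept datagrams only from the nginx hosts (host firewall or a dedicated management network), since anyone who can reach the UDP port could inject entries naming a victim IP and have it blacklisted; and clients behind a shared NAT or a CDN all appear as one client IP, so the white list, or the X-Forwarded-For handling in nginx, must be arranged so that a shared address is not blocked wholesale.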
Fig. 3 is a schematic flow chart illustrating a method for detecting and protecting CC attack based on nginx according to an embodiment of the present disclosure. As shown in fig. 3, in step S302, a response slow log is added at nginx, and the information items of the response slow log are configured to include log type, client ip, url, host, refer, user-agent, status code, byte number, request time, and request response time difference fields.
In step S304, a request response time difference threshold and a log upload protocol are configured.
At step S306, it is determined whether the request-response time difference exceeds the request-response time difference threshold.
If it is determined in step S306 that the http request response time difference exceeds the request response time difference threshold value, the process proceeds to step S308. In step S308, the log is generated and sent to the CC attack analysis platform through a log upload protocol.
In step S310, the CC attack analysis platform analyzes and detects the received slow response log, so as to issue the detected CC attack ip to a blacklist of the FW device to protect against CC attack.
According to the method for detecting and protecting CC attack based on nginx, when the slow response log is generated, the slow response log is generated by adopting syslog.
According to the method for detecting and protecting CC attack based on nginx, disclosed by the embodiment of the disclosure, when a log uploading protocol is configured, the log uploading protocol is configured to be an upd protocol.
According to the method for detecting and preventing CC attack based on nginx, when the received slow response log is analyzed, a threshold value of the number of user ip requests in unit time configured by a user is received, ip with the number of user ip requests in unit time larger than the threshold value of the number of user ip requests in unit time is detected based on the threshold value of the number of user ip requests in unit time, and if the ip is not in a white list, the ip is judged to be a CC attack ip and is added into the black list.
According to the method for detecting and preventing CC attack based on nginx, a blacklist interface of the FW equipment is called through a webservice interface or a restful interface, and the CC attack ip is added into a blacklist of the FW equipment.
Optionally, in the method for detecting and protecting CC attack based on nginx according to the embodiment of the present disclosure, when analyzing the received slow response log, the IP request number of the user in unit time is calculated and ranked, and the url response time in unit time is calculated and ranked.
Optionally, in the nginx-based method for detecting and protecting CC attack in the embodiment of the present disclosure, after analyzing the received slow response log, the number of user IP requests and the rank thereof in the unit time, and the url response time and the rank thereof in the unit time, which are calculated for the slow response log, are subjected to web visualization of data.
In summary, by adopting the nginx-based detection and CC attack protection system and method, an http response slow log is added at the nginx, the response slow log with the request time response time difference exceeding the threshold time is reported to a CC attack analysis platform, and most of invalid http requests can be filtered through the threshold value. And the CC attack analysis platform carries out statistical analysis on the slow response log after receiving the slow response log, searches the http request ip exceeding the threshold value of the number of the user request ip in unit time configured by the user in a white list of the FW equipment based on the counted number of the user request ip in unit time, and judges the http request ip to be the CC attack ip if the http request ip is not in the white list. And the CC attack analysis platform is linked with the FW, a blacklist interface of the FW equipment is called through a webservice interface or a restful interface, the CC attack ip is added into the FW blacklist, the access of the CC attack ip to the web server is blocked, and the web server is protected. The system and the method for detecting and protecting CC attack based on nginx can quickly detect the CC attack object, and the protection attack does not need special hardware, thereby greatly reducing the cost; in addition, by counting the url response time and the top ranking in unit time, a basis is provided for improving the program performance of the user, and therefore the CC attack resistance is improved.
In general, in the nginx-based method and device for detecting and protecting against CC attacks, because a CC attack is highly resource-consuming, the response time of attack requests is longer than that of normal requests; an HTTP slow response log is therefore added to nginx, slow response log entries exceeding the threshold time are reported to a CC attack analysis platform, and the CC attack analysis platform performs statistical summary analysis on the HTTP slow response log to quickly detect the CC attack IP. When the CC attack analysis platform detects a CC attack IP, it issues that IP to the FW device. The FW device supports a black and white list feature and provides a webservice interface or a restful interface for configuring it. The CC attack analysis platform calls the blacklist interface of the FW device through that webservice or restful interface, adds the CC attack IP to the FW blacklist, and blocks the CC attack IP from accessing the server, so that the server is protected. Specifically, an HTTP slow response log is added on the basis of the nginx open source code to record the request-response time difference; the record supports fields such as log type, client IP, url, host, refer, user-agent, status code, byte count, request time and request-response time difference. The time threshold of the slow response log is set in the nginx configuration file, and the volume of logs can be tuned through that threshold. For requests whose request-response time difference exceeds the time threshold, and for requests that receive no response, a slow response log entry is generated and immediately uploaded to the log analysis management platform through the syslog protocol.
The HTTP slow response log is sent by syslog over UDP, which makes full use of the timeliness and high performance of UDP transmission and avoids affecting the performance of the nginx reverse proxy. The log analysis management platform starts a syslog listener, parses the slow response logs reported by nginx in real time into the log type, client IP, url, host, refer, user-agent, status code, byte count, request time and request-response time difference fields, and stores these fields in a database. The CC attack analysis platform counts the TOP ranking of the number of requests per user IP in unit time and compares each count with the request-count threshold configured by the user; if a count exceeds the threshold, the IP is looked up in the white list, and an IP that is not in the white list is judged to be an attack IP and added to the blacklist. The CC attack analysis platform then calls the blacklist interface of the FW device through a webservice interface or a restful interface and adds the CC attack IP to the FW blacklist. In addition, the method provides the user with statistics on the TOP ranking of URL response time in unit time, which gives a basis for optimizing the program and thereby improves program performance and the ability to resist CC attacks.
In addition, the log analysis and management platform visualizes statistics over multiple dimensions, such as the TOP ranking of the number of requests per user IP in unit time and the TOP ranking of the number of requests per URL in unit time; the user can access the CC attack analysis platform through a browser and view the slow response log details and the statistical tables in real time through the web presentation. The FW device receives the blacklist issued by the CC attack analysis platform and blocks the blacklisted IPs from accessing the server, so that the web server is protected. Therefore, in the nginx-based method and device for detecting and protecting against CC attacks, an HTTP slow response log is added in nginx and slow response log entries exceeding a threshold time are reported to the CC attack analysis platform, so that most irrelevant HTTP requests are filtered out; the CC attack analysis platform performs summary analysis on the HTTP slow response log in real time and identifies the CC attack IP from the TOP ranking of the number of requests per user IP in unit time; the CC attack analysis platform is linked with the FW, calls the blacklist interface of the FW device through a webservice interface or a restful interface, adds the CC attack IP to the FW blacklist, and blocks the blacklisted IP from accessing the server, so that the web server is protected. The method can quickly detect the CC attack source, and the protection needs no dedicated hardware, which greatly reduces cost. In addition, the TOP ranking of URL response time in unit time provides a reference for optimizing the program and improving its performance, which in turn improves resistance to CC attacks.
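The pipeline described in the preceding paragraphs, as an added example that is not the patent's own code: slow-log generation gated by the time threshold (including the no-response case), parsing of the ten claimed fields on the platform side, the per-IP request count and TOP ranking per unit-time window, the threshold plus white-list decision, the URL response-time ranking, and the hand-off to the FW blacklist interface. In the patent nginx is patched in C and the log travels over syslog/UDP; here generation is a plain function and the transport is skipped. The `|` field separator, the timestamp format, the 60 s window, the `/blacklist` endpoint and JSON body, and all sample traffic are assumptions constructed for the example.

```python
"""Added example, not the patent's code: the slow-response-log pipeline from the
text, simulated end to end. nginx generation is a plain function, syslog/UDP
transport is skipped, and the '|' separator, timestamp format, window size and
FW endpoint path are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
import json

# Field list from the claims: log type, client ip, url, host, refer, user-agent,
# status code, byte number, request time, request-response time difference.
SLOW_LOG_FIELDS = ["log_type", "client_ip", "url", "host", "referer", "user_agent",
                   "status", "bytes", "request_time", "response_delta"]

def make_slow_log(req, threshold_s):
    """nginx side: emit a line only when the request-response time difference
    exceeds threshold_s, or when no response was produced (delta is None)."""
    delta = req.get("response_delta")
    if delta is not None and delta <= threshold_s:
        return None  # the threshold is what filters ordinary requests out
    fields = ["slow_resp", req["client_ip"], req["url"], req["host"],
              req.get("referer", "-"), req.get("user_agent", "-"),
              str(req.get("status", 0)), str(req.get("bytes", 0)),
              req["request_time"], "-" if delta is None else f"{delta:.3f}"]
    return "|".join(fields)

def parse_slow_log(line):
    """Platform side: split a received line into named fields; '-' as the delta
    marks a request that never got a response."""
    parts = line.split("|")
    if len(parts) != len(SLOW_LOG_FIELDS):
        raise ValueError(f"malformed slow log: {line!r}")
    rec = dict(zip(SLOW_LOG_FIELDS, parts))
    rec["response_delta"] = None if parts[-1] == "-" else float(parts[-1])
    return rec

def window_of(request_time, window_s):
    """Bucket a request timestamp into a fixed unit-time window."""
    ts = datetime.strptime(request_time, "%Y-%m-%dT%H:%M:%S").timestamp()
    return int(ts // window_s)

def rank_per_window(pairs, top_n):
    """Turn {(window, key): value} into {window: [(key, value), ...]} sorted desc."""
    per_window = defaultdict(list)
    for (w, key), value in pairs.items():
        per_window[w].append((key, value))
    return {w: sorted(v, key=lambda x: x[1], reverse=True)[:top_n] for w, v in per_window.items()}

def top_ips(records, window_s, top_n=10):
    """TOP ranking of request count per client ip, per window."""
    counts = Counter((window_of(r["request_time"], window_s), r["client_ip"]) for r in records)
    return rank_per_window(counts, top_n)

def detect_cc_ips(records, window_s, ip_threshold, whitelist):
    """An ip is judged a CC attacker when its count in some window exceeds the
    user-configured threshold and it is absent from the whitelist."""
    found = set()
    for ranking in top_ips(records, window_s).values():
        found.update(ip for ip, n in ranking if n > ip_threshold and ip not in whitelist)
    return found

def top_urls_by_response_time(records, window_s, top_n=10):
    """TOP ranking of worst response time per url, per window; requests with no
    response count as infinite, so they rank first and are where tuning starts."""
    worst = defaultdict(float)
    for r in records:
        d = float("inf") if r["response_delta"] is None else r["response_delta"]
        key = (window_of(r["request_time"], window_s), r["url"])
        worst[key] = max(worst[key], d)
    return rank_per_window(worst, top_n)

def push_blacklist(fw_base_url, ips, send):
    """Linkage with the FW: hand attacker ips to its blacklist interface. Path and
    JSON body are assumed; send(url, body) is injected so nothing touches the net."""
    body = json.dumps({"action": "add", "ips": sorted(ips)}).encode()
    return send(fw_base_url + "/blacklist", body)

def sample_requests():
    """Constructed traffic for one 60 s window (not data from the page)."""
    t = "2022-03-23T12:00:%02d"
    reqs = [dict(client_ip="203.0.113.7", url="/login", host="shop.example", status=200,
                 bytes=512, request_time=t % (i + 1), response_delta=4.0 + i) for i in range(5)]
    reqs += [dict(client_ip="10.0.0.5", url="/report", host="shop.example", status=200,
                  bytes=2048, request_time=t % (i + 10), response_delta=3.0) for i in range(4)]
    reqs.append(dict(client_ip="198.51.100.2", url="/", host="shop.example", status=200,
                     bytes=100, request_time=t % 20, response_delta=0.2))  # fast: filtered
    reqs.append(dict(client_ip="198.51.100.9", url="/export", host="shop.example", status=0,
                     bytes=0, request_time=t % 30, response_delta=None))  # never answered
    return reqs

def run_pipeline(threshold_s=2.0, window_s=60, ip_threshold=3, whitelist=frozenset({"10.0.0.5"})):
    """End-to-end run on the constructed traffic; returns what each stage produced."""
    lines = [l for l in (make_slow_log(r, threshold_s) for r in sample_requests()) if l]
    records = [parse_slow_log(l) for l in lines]
    cc_ips = detect_cc_ips(records, window_s, ip_threshold, whitelist)
    calls = []
    push_blacklist("https://fw.example", cc_ips, lambda url, body: calls.append((url, body)))
    url_rank = next(iter(top_urls_by_response_time(records, window_s).values()))
    return {"slow_lines": len(lines), "cc_ips": cc_ips, "url_rank": url_rank, "fw_calls": calls}
```

On the constructed traffic, the 0.2 s request never produces a log line, the whitelisted monitor at 10.0.0.5 exceeds the per-IP threshold but is not blacklisted, only 203.0.113.7 is pushed to the FW, and the unanswered `/export` request tops the URL ranking. Two operational points follow from the design the page describes: because the log arrives over UDP, dropped datagrams under load make every per-IP count a lower bound, so the request-count threshold should be chosen with that loss in mind; and because the count is keyed on the client IP, clients behind a shared NAT or proxy can cross the threshold together, which is exactly what the white-list lookup before blacklisting is there to absorb.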
The basic principles of the present disclosure have been described in connection with specific embodiments. It should be noted, however, that those skilled in the art will understand that all or any of the steps or components of the method and apparatus of the present disclosure may be implemented in any computing device (including processors, storage media, etc.) or network of computing devices, in hardware, firmware, software, or a combination thereof, and that those skilled in the art can do so using their basic programming skills after reading the description of the present disclosure.
Thus, the objects of the present disclosure may also be achieved by running a program or a set of programs on any computing device. The computing device may be a general purpose device as is well known. Thus, the objects of the present disclosure can also be achieved merely by providing a program product containing program code for implementing the method or apparatus. That is, such a program product also constitutes the present disclosure, and a storage medium storing such a program product also constitutes the present disclosure. It is to be understood that such storage media can be any known storage media or any storage media developed in the future.
It is also noted that in the apparatus and methods of the present disclosure, it is apparent that the components or steps may be broken down and/or re-combined. Such decomposition and/or recombination should be considered as equivalents of the present disclosure. Also, the steps of executing the series of processes described above may naturally be executed chronologically in the order described, but need not necessarily be executed chronologically. Some steps may be performed in parallel or independently of each other.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (14)

1. A nginx-based system for detecting and protecting against CC attacks, comprising:
the response slow log adding module is used for adding a response slow log at the nginx, and the information items of the response slow log comprise log type, client ip, url, host, refer, user-agent, status code, byte number, request time and request response time difference fields;
the nginx configuration module is used for configuring a request response time difference threshold and a log uploading protocol;
the response slow log generation module is used for generating a response slow log, based on the information item composition of the response slow log and the request response time difference threshold, for an http request whose request response time difference exceeds the request response time difference threshold;
the response slow log transmission module is used for uploading the response slow log by adopting the log uploading protocol;
and the CC attack analysis platform is used for receiving the slow response logs in real time and analyzing the received slow response logs to detect the CC attack ip so as to issue the CC attack ip to a blacklist of the FW equipment to prevent the CC attack.
2. The nginx-based system for detecting and safeguarding against CC attacks as claimed in claim 1, wherein,
the response slow log generation module generates a response slow log by using syslog.
3. The nginx-based system for detecting and safeguarding against CC attacks as claimed in claim 1, wherein,
and the nginx configuration module configures the log uploading protocol to be the udp protocol.
4. The nginx-based system for detection and prevention of CC attacks as claimed in claim 1, wherein,
when the CC attack analysis platform analyzes the received response slow log, the CC attack analysis platform receives a user ip request number threshold value in unit time configured by a user, detects ip with the user ip request number greater than the user ip request number threshold value in unit time based on the user ip request number threshold value in unit time, and judges that the ip is a CC attack ip and adds the ip into a black list if the ip is not in the white list.
5. The nginx-based system for detection and prevention of CC attacks as claimed in claim 1, wherein,
and the CC attack analysis platform calls a blacklist interface of the FW equipment through a webservice interface or a restful interface, and adds the CC attack ip into the blacklist of the FW equipment.
6. The nginx-based system for detection and prevention of CC attacks as set forth in claim 1, further comprising:
and when the CC attack analysis platform analyzes the received slow response log, calculating the url response time in unit time and ranking the url response time in unit time.
7. The nginx-based system for detecting and safeguarding against CC attacks as recited in claim 6, further comprising:
and after analyzing the received slow response log, the CC attack analysis platform performs web visualization on the slow response log, on the number of ip requests of the user in the unit time and the ranking thereof, and on the url response time in the unit time and the ranking thereof, all calculated from the slow response log.
8. A method for detecting and protecting CC attack based on nginx comprises the following steps:
adding a response slow log, wherein the information items of the response slow log comprise log type, client ip, url, host, refer, user-agent, status code, byte number, request time and request response time difference fields;
configuring a request response time difference threshold and a log uploading protocol;
generating a response slow log, based on the information item composition of the response slow log and the request response time difference threshold value, for an http request whose request response time difference exceeds the request response time difference threshold value;
uploading the response slow log by adopting the log uploading protocol;
and receiving the slow response log in real time, and analyzing the received slow response log to detect a CC attack ip so as to issue the CC attack ip to a blacklist of FW equipment to prevent the CC attack.
9. The nginx-based method for detecting and safeguarding against CC attacks as claimed in claim 8, wherein,
when the response slow log is generated, the response slow log is generated by adopting syslog.
10. The nginx-based method for detecting and safeguarding against CC attacks as claimed in claim 8, wherein,
and when the log uploading protocol is configured, configuring the log uploading protocol as the udp protocol.
11. The nginx-based method for detection and prevention of CC attacks as claimed in claim 8, wherein,
when the received slow response log is analyzed, receiving a user ip request number threshold value in unit time configured by a user, detecting an ip with the user ip request number in unit time being larger than the user ip request number threshold value in unit time based on the user ip request number threshold value in unit time, and if the ip is not in a white list, judging that the ip is a CC attack ip and adding the ip into a black list.
12. The nginx-based method for detection and prevention of CC attacks as claimed in claim 8, wherein,
calling a blacklist interface of the FW equipment through a webservice interface or a restful interface, and adding the CC attack ip into a blacklist of the FW equipment.
13. The nginx-based method for detecting and safeguarding against CC attacks as recited in claim 8, further comprising:
when analyzing the received slow response log, calculating the url response time in unit time and ranking the url response time in unit time.
14. The nginx-based detection and protection CC attack method of claim 13, further comprising:
and after analyzing the received response slow log, performing web visualization on the response slow log, on the number of ip requests of the user in the unit time and the ranking thereof, and on the url response time in the unit time and the ranking thereof, all calculated from the response slow log.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210295629.8A CN114785552A (en) 2022-03-23 2022-03-23 System and method for detecting and protecting CC attack based on nginx

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210295629.8A CN114785552A (en) 2022-03-23 2022-03-23 System and method for detecting and protecting CC attack based on nginx

Publications (1)

Publication Number Publication Date
CN114785552A true CN114785552A (en) 2022-07-22

Family

ID=82425042

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210295629.8A Pending CN114785552A (en) 2022-03-23 2022-03-23 System and method for detecting and protecting CC attack based on nginx

Country Status (1)

Country Link
CN (1) CN114785552A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105306465A (en) * 2015-10-30 2016-02-03 新浪网技术(中国)有限公司 Website secure access realization method and apparatus
CN109525551A (en) * 2018-10-07 2019-03-26 杭州安恒信息技术股份有限公司 A method of the CC based on statistical machine learning attacks protection
CN113987478A (en) * 2021-10-29 2022-01-28 杭州迪普科技股份有限公司 Method and system for detecting and protecting CC attack based on nginx server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination