CN115174243A - Malicious IP address blocking processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115174243A
Authority
CN
China
Legal status
Pending
Application number
CN202210833404.3A
Other languages
Chinese (zh)
Inventor
张宏斌
Current Assignee
Ucloud Technology Co ltd
Original Assignee
Ucloud Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention relates to the technical field of computer networks and discloses a malicious IP address blocking processing method, device, equipment and storage medium. The malicious IP address blocking processing method comprises the following steps: establishing an IP address information base and configuring a blocking policy; when an access request is received, acquiring the real IP address of the client from which the access request originates; and performing blocking processing on the real IP address based on the blocking policy. The invention blocks the real client IP address, allows the blocking policy to be configured flexibly, and avoids the situation in which blocking a proxy server's IP address makes a large area inaccessible.

Description

Malicious IP address blocking processing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer networks, and in particular, to a malicious IP address blocking method, device, and apparatus, and a storage medium.
Background
With the rapid development of the internet, its scale grows ever larger and its security problems ever more complex. Large website systems are frequently attacked illegally: a large number of malicious IP addresses access them and crowd out server resources, or the computer network's bandwidth and connectivity are attacked, so that normal access to the website is affected. To cut off the influence of an illegal attack on the network quickly, the access of an illegal user or illegal attack source to the network must be prohibited in time. IP address blocking means blocking a specific IP address and refusing its access through network technology, so as to achieve the aim of resisting the attack.
In the prior art, a Web server runs in the application layer of the network, and existing automatic blocking devices for malicious IP addresses at the application layer mainly block based on the access behavior of an IP address or on a threat intelligence base. When the access behavior of an IP address triggers a high-frequency security rule, the blocking device blocks it; or malicious IP addresses from a threat intelligence base are imported and blocked directly by the blocking device. The security rules of the existing blocking device must be created manually after security personnel analyze information such as network traffic and logs, and the rules must subsequently be maintained and updated manually as well; meanwhile, the threat intelligence base must be updated frequently to obtain the latest malicious IP address information. Applying the same blocking policy directly to different malicious IP addresses leads to an excessive false-blocking rate. Most existing blocking devices block malicious IP addresses at the network layer, which is not flexible enough, and if a proxy is deployed in front of the Web server, blocking the proxy address makes the Web server inaccessible over a large area and affects the service.
Disclosure of Invention
The main object of the present invention is to provide a malicious IP address blocking processing method, device, equipment and storage medium, aiming to solve the technical problems in the prior art that a malicious IP blocking device has only a single blocking policy and is prone to blocking by mistake.
The first aspect of the present invention provides a method for blocking a malicious IP address, including:
establishing an IP address information base and configuring a blocking policy;
when an access request is received, acquiring the real IP address of the client from which the access request originates;
and performing blocking processing on the real IP address based on the blocking policy.
Optionally, in a first implementation manner of the first aspect of the present invention, the establishing an IP address information base includes:
acquiring various labels and the IP address information corresponding to each label, wherein the label categories comprise one or more of address, ISP (internet service provider), IDC (internet data center), anycast, threat intelligence and custom;
and establishing an IP address information base based on each label and each IP address information.
Optionally, in a second implementation manner of the first aspect of the present invention, the configuring the blocking policy includes:
acquiring the IP address information of a matching object;
counting, based on the IP address information of the matching object, the number of requests by the matching object to access a certain path within a preset number of periods;
and acquiring a matching action, and configuring a blocking policy that executes the matching action when the number of requests by the matching object meets a preset blocking condition.
Optionally, in a third implementation manner of the first aspect of the present invention, the configuring the blocking policy further includes:
and when a plurality of blocking policies are configured, configuring the priority of each blocking policy.
Optionally, in a fourth implementation manner of the first aspect of the present invention, the performing blocking processing on the real IP address based on the blocking policy includes:
judging in sequence, from high priority to low priority based on the priority of each blocking policy, whether the real IP address meets each preset blocking condition;
and when the real IP address meets a certain preset blocking condition, executing the corresponding matching action and stopping the judgment of each subsequent preset blocking condition.
Optionally, in a fifth implementation manner of the first aspect of the present invention, the acquiring, when an access request is received, the real IP address of the client from which the access request originates includes:
when an access request is received, judging whether a proxy server exists in front of the application layer;
if no proxy server exists in front of the application layer, using the IP address of the peer that established the connection as the real IP address;
if a proxy server exists in front of the application layer, applying a preset resolution method to obtain the real IP address.
Optionally, in a sixth implementation manner of the first aspect of the present invention, if a proxy server exists in front of the application layer, the obtaining the real IP address by applying the preset resolution method includes:
judging whether the IP address of the peer that established the connection is a trusted IP;
if the IP address of the peer that established the connection is an untrusted IP, using that peer IP address as the real IP address;
if the IP address of the peer that established the connection is a trusted IP, judging whether the proxy server is a network layer proxy server;
if the proxy server is a network layer proxy server, acquiring the real IP address from the TCP message;
if the proxy server is not a network layer proxy server, judging whether the header of the access request contains a custom header field;
if the header of the access request contains the custom header field, taking the information in that header field as the real IP address;
and if the header of the access request does not contain the custom header field, taking the value of the X-Forwarded-For field in the header of the access request as the real IP address.
A second aspect of the present invention provides a device for blocking a malicious IP address, including:
a configuration module for establishing an IP address information base and configuring a blocking policy;
a processing module for acquiring the real IP address of the client from which an access request originates when the access request is received;
and a blocking module for performing blocking processing on the real IP address based on the blocking policy.
Optionally, in a first implementation manner of the second aspect of the present invention, the configuration module is specifically configured to:
acquiring various labels and the IP address information corresponding to each label, wherein the label categories comprise one or more of address, ISP (internet service provider), IDC (internet data center), anycast, threat intelligence and custom;
and establishing an IP address information base based on each label and each IP address information.
Optionally, in a second implementation manner of the second aspect of the present invention, the configuration module is further specifically configured to:
acquiring the IP address information of a matching object;
counting, based on the IP address information of the matching object, the number of requests by the matching object to access a certain path within a preset number of periods;
and acquiring a matching action, and configuring a blocking policy that executes the matching action when the number of requests by the matching object meets a preset blocking condition.
Optionally, in a third implementation manner of the second aspect of the present invention, the configuration module is further specifically configured to:
and when a plurality of blocking policies are configured, configuring the priority of each blocking policy.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the blocking module is specifically configured to:
judge in sequence, from high priority to low priority based on the priority of each blocking policy, whether the real IP address meets each preset blocking condition;
and when the real IP address meets a certain preset blocking condition, execute the corresponding matching action and stop the judgment of each subsequent preset blocking condition.
Optionally, in a fifth implementation manner of the second aspect of the present invention, the processing module includes:
a judging unit for judging, when an access request is received, whether a proxy server exists in front of the application layer;
a processing unit for using the IP address of the peer that established the connection as the real IP address if no proxy server exists in front of the application layer;
and a resolution unit for acquiring the real IP address by applying a preset resolution method if a proxy server exists in front of the application layer.
Optionally, in a sixth implementation manner of the second aspect of the present invention, the resolution unit is specifically configured to:
judge whether the IP address of the peer that established the connection is a trusted IP;
if the IP address of the peer that established the connection is an untrusted IP, use that peer IP address as the real IP address;
if the IP address of the peer that established the connection is a trusted IP, judge whether the proxy server is a network layer proxy server;
if the proxy server is a network layer proxy server, acquire the real IP address from the TCP message;
if the proxy server is not a network layer proxy server, judge whether the header of the access request contains a custom header field;
if the header of the access request contains the custom header field, take the information in that header field as the real IP address;
and if the header of the access request does not contain the custom header field, take the value of the X-Forwarded-For field in the header of the access request as the real IP address.
A third aspect of the present invention provides an electronic device comprising: a memory and at least one processor, the memory having instructions stored therein; the at least one processor calls the instructions in the memory to enable the electronic device to execute the above malicious IP address blocking processing method.
A fourth aspect of the present invention provides a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to execute the above-mentioned malicious IP address blocking processing method.
In the technical scheme provided by the invention, an IP address information base is established and a blocking policy is configured; when an access request is received, the real IP address of the client from which the access request originates is acquired; and blocking processing is performed on the real IP address based on the blocking policy. The invention automatically acquires the real client IP address and blocks it, thereby avoiding the situation in which blocking a proxy server's IP address makes a large area inaccessible, while allowing the blocking policy to be configured flexibly according to multi-dimensional information, thereby overcoming the defect that a traditional blocking device blocks only according to single IP address information.
Drawings
Fig. 1 is a schematic diagram of an embodiment of a method for blocking a malicious IP address according to an embodiment of the present invention;
fig. 2 is a schematic diagram of another embodiment of a malicious IP address blocking processing method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an embodiment of a blocking processing device for a malicious IP address in an embodiment of the present invention;
fig. 4 is a schematic diagram of an embodiment of an electronic device in an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a malicious IP address blocking processing method, device, equipment and storage medium, which can automatically acquire the real client IP address and block it, thereby avoiding the situation in which blocking the IP address of a proxy server causes large-area inaccessibility, while allowing the blocking policy to be configured flexibly according to multi-dimensional information and overcoming the defect that the existing blocking device blocks only according to single IP address information.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of understanding, a specific flow of the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of a method for blocking a malicious IP address according to the embodiment of the present invention includes:
101. establishing an IP address information base and configuring a blocking policy;
it can be understood that the execution subject of the present invention may be a blocking processing device for a malicious IP address, and may also be a terminal or a server, which is not limited herein. The embodiment of the present invention is described by taking a server as an execution subject.
In this embodiment, IP (Internet Protocol) is the network layer protocol of the TCP/IP (Transmission Control Protocol/Internet Protocol) addressing system, and every device on an IP network must have a unique IP address. The IP address information base is a basic IP address information base pre-established according to labels such as GeoIP, ISP and IDC, and stores the various predefined labels and the corresponding IP address information; the blocking policy blocks a specific IP address and limits the access of that IP address.
Optionally, in an embodiment, the establishing an IP address information base includes:
acquiring various labels and the IP address information corresponding to each label, wherein the label categories comprise one or more of address, ISP, IDC, anycast, threat intelligence and custom;
and establishing an IP address information base based on each label and each IP address information.
Specifically, the IP address information refers to a certain IP address or a class of IP addresses. The GeoIP label contains the location information of the IP address, including longitude and latitude, city, province/state, country code, city code and postcode. An ISP (Internet Service Provider) label refers to a telecommunications operator that provides Internet access to the public, such as China Telecom, China Mobile or Great Wall Broadband. An IDC (Internet Data Center) is a central platform through which telecommunications departments or enterprises use existing Internet communication lines and bandwidth resources to establish a standardized, professional telecommunications machine room environment and provide enterprises and governments with all-round services such as server hosting, leasing and related value-added services, for example the Grand Scotch Data Center and the Beijing Peng Doctor Data Center. Anycast identifies a group of hosts that provide a specific service on an IP network through an anycast address; the party accessing the service does not care which host provides it, and messages addressed to the anycast address may be routed by the IP network to any host in the target group. Most such IP addresses are server IP addresses, and these hosts rarely initiate access to the outside. Threat intelligence labels include, but are not limited to, scanner, zombie host, home broadband, host operating system and host service. A scanner is an IP address from which a programming language or tool is used to send TCP messages automatically in order to detect hosts in the Internet, record the open ports of those hosts, and sometimes also detect operating system information, application layer protocol information, application layer service information, and vulnerability information of the operating system or service. A zombie host is a computer device, either a terminal device or a cloud device, that is infected with a bot program and controlled by a hacker program; at any time, on the hacker's command and control instructions, it may launch a Denial of Service (DoS) attack or send junk information, so that a computer or network cannot provide normal service. Home broadband refers to IP addresses that an ISP provides to individual home users, who use them to access the Internet. The host operating system label concerns hosts in the Internet, in particular hosts belonging to an IDC, on which an operating system is installed; different operating systems open certain fixed ports or show other characteristics, from which the installed operating system can be judged, for example by scanning the host to obtain port information, or by judging whether a host runs Windows, Linux or another system from the differences in how different operating systems handle TCP messages. The host service label means that a host belonging to an IDC is generally the server side of some service; its port information is usually scanned and, from the common port information, or by sending different types of TCP messages to a certain port and judging from the returned information, the service the host provides is determined; the IP address of such a server host rarely initiates access to the outside. Custom labels are user-defined labels, such as the egress IP addresses of the Shenzhen branch office area or of the Shanghai branch office area; a certain custom label can be set according to a trigger rule for a certain IP address, a certain label can be searched, and other labels can be set for the IP addresses under that label.
Specifically, various labels and IP address information corresponding to the labels are obtained, merging is carried out, and a database, namely an IP address information database, corresponding to the labels and the IP address information in a correlation mode is established.
Optionally, in an embodiment, the configuring the blocking policy includes:
acquiring the IP address information of a matching object;
counting, based on the IP address information of the matching object, the number of requests by the matching object to access a certain path within a preset number of periods;
and acquiring a matching action, and configuring a blocking policy that executes the matching action when the number of requests by the matching object meets a preset blocking condition.
Specifically, the matching object is the object matched by the current blocking policy, for which the action corresponding to the current blocking policy is to be executed; the matching object may be a single IP address, the IP addresses under a CIDR (Classless Inter-Domain Routing) block, or the IP addresses carrying a certain label. A single IP address has the form N1.N2.N3.N4, where N1, N2, N3 and N4 may each be any number between 0 and 255. An IP address under a CIDR block A.B.C.D/N is one that lies within that block, where A, B, C and D are fixed and form the dotted-decimal IP address, and N may be any number from 0 to 32 and gives the number of bits of the prefix that identifies the network once A.B.C.D is converted to binary; for example, 192.168.10.1/16 means that the prefix identifying the network is 16 bits long, that is, 192.168 is the prefix and 10.1 is the address of a specific host within that network. When N is 0 all IP addresses are matched, and when N is 32 the block is equivalent to a single IP address.
Specifically, the number of requests by the matching object to access/attack a certain path or file within N M-second periods is counted; for example, the numbers of requests by the matching object to access a certain path or file in three consecutive 60-second periods are counted as 5, 3 and 5. Alternatively, the number of requests by the matching object to access/attack a certain path or file within N M-second periods whose HTTP header field equals/contains/regex-matches a certain string is counted; for example, the matching object accesses a certain path or file in three consecutive 60-second periods, the header of these access requests contains a specific From field (which carries the email address of the user sending the request), and the numbers of requests are counted as 5, 2 and 5.
Specifically, the matching action includes, but is not limited to: intercepting such requests, enabling a verification code, limiting the request rate, returning a custom response code and custom response content, and taking no action other than recording a log. The matching action also includes direct blocking; when the matching action for the matching object is direct blocking, the number of requests by the matching object does not need to be counted. A matching action may also add additional actions, such as additionally intercepting the IP addresses under the CIDR block A.B.C.D/N to which the matching object belongs, and adding a certain label (such as scanner IP, IDC machine room IP or crawler pool IP) to the matching object (and to the IP addresses under the CIDR block A.B.C.D/N to which it belongs).
Optionally, in an embodiment, the configuring the blocking policy further includes:
and when a plurality of blocking policies are configured, configuring the priority of each blocking policy.
Specifically, different blocking policies can set different blocking durations and blocking modes, and network segments can be blocked as needed; when a plurality of blocking policies are configured at the same time, the priority of each blocking policy is configured, and blocking processing proceeds from high priority to low priority.
102. When an access request is received, acquiring a real IP address of a source client of the access request;
in this embodiment, the true IP address of the access request source client is obtained according to the header information of the access request.
103. And performing blocking processing on the real IP address based on the blocking policy.
In this embodiment, based on each configured blocking policy, the number of times of requests for access requests is counted, and whether blocking processing is required is determined, and if so, a corresponding matching action is executed to perform blocking.
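As an added example (not code from the patent or its assignee), the following Python sketch implements the policy configuration and evaluation of steps 101 and 103: a label-to-range information base, matching objects of kind single IP, CIDR block or label, per-period request counting, priority ordering with stop at the first hit, direct blocking without counting, and the optional extra action of tagging the matched address. The label names, address ranges and the concrete blocking condition (every one of the last N periods reaches the threshold) are assumptions, since the text leaves the condition preset.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed IP address information base (label -> IP ranges). The ranges
# are documentation addresses chosen for this example only.
INFO_BASE: Dict[str, List[ipaddress.IPv4Network]] = {
    "scanner": [ipaddress.ip_network("203.0.113.0/24")],
    "idc": [ipaddress.ip_network("198.51.100.0/24")],
    "blacklist": [ipaddress.ip_network("192.0.2.99/32")],
    "whitelist": [ipaddress.ip_network("192.0.2.10/32")],
}


def has_label(ip: str, label: str) -> bool:
    """True if the address lies in any range stored under the label."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INFO_BASE.get(label, []))


def add_label(ip: str, label: str) -> None:
    """Additional action from the text: attach a label to the matched IP."""
    INFO_BASE.setdefault(label, []).append(ipaddress.ip_network(f"{ip}/32"))


@dataclass
class Policy:
    name: str
    priority: int                       # higher values are checked first
    match_kind: str                     # "ip", "cidr" or "label"
    match_value: str                    # the address, block or label name
    action: str                         # "block", "captcha", "rate_limit", "log"
    path: Optional[str] = None          # path whose requests are counted (None: any)
    period_seconds: int = 60            # M: length of one counting period
    periods: int = 3                    # N: consecutive periods examined
    threshold: int = 5                  # requests per period that trigger
    extra_label: Optional[str] = None   # optional extra action: tag the IP

    def matches_object(self, ip: str) -> bool:
        if self.match_kind == "ip":
            return ip == self.match_value
        if self.match_kind == "cidr":
            return ipaddress.ip_address(ip) in ipaddress.ip_network(self.match_value)
        return has_label(ip, self.match_value)


class Blocker:
    def __init__(self, policies: List[Policy]) -> None:
        # Step 103: policies are consulted from high priority to low.
        self.policies = sorted(policies, key=lambda p: p.priority, reverse=True)
        # (policy name, ip, period index) -> request count in that period
        self.counts: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def _record(self, policy: Policy, ip: str, ts: float) -> List[int]:
        """Count this request and return the counts of the last N periods."""
        bucket = int(ts) // policy.period_seconds
        self.counts[(policy.name, ip, bucket)] += 1
        return [self.counts[(policy.name, ip, bucket - i)] for i in range(policy.periods)]

    @staticmethod
    def _execute(policy: Policy, ip: str) -> str:
        if policy.extra_label:
            add_label(ip, policy.extra_label)
        return policy.action

    def handle(self, real_ip: str, path: str, ts: float) -> str:
        """Return the matching action taken for one request ("allow" if none)."""
        if has_label(real_ip, "whitelist"):      # step 201: whitelist passes directly
            return "allow"
        for policy in self.policies:
            if not policy.matches_object(real_ip):
                continue
            if policy.path is not None and policy.path != path:
                continue
            if policy.action == "block":         # direct block: no counting needed
                return self._execute(policy, real_ip)
            recent = self._record(policy, real_ip, ts)
            # Assumed blocking condition: each of the last N periods hit the threshold.
            if all(c >= policy.threshold for c in recent):
                return self._execute(policy, real_ip)   # stop at the first hit
        return "allow"


def build_demo_blocker() -> Blocker:
    """Three constructed policies with deliberately unsorted priorities."""
    return Blocker([
        Policy("login-scan", 50, "label", "scanner", "captcha", path="/login",
               period_seconds=60, periods=2, threshold=2, extra_label="suspect"),
        Policy("bad-ip", 100, "label", "blacklist", "block"),
        Policy("net-log", 10, "cidr", "203.0.113.0/24", "log", path="/login",
               periods=1, threshold=1),
    ])


if __name__ == "__main__":
    b = build_demo_blocker()
    for t in (0, 10, 70, 80):
        print(t, b.handle("203.0.113.7", "/login", t))
```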
In the embodiment of the invention, an IP address information base is established and a blocking policy is configured; when an access request is received, the real IP address of the client from which the access request originates is acquired; and blocking processing is performed on the real IP address based on the blocking policy. The invention automatically acquires the real client IP address and blocks it, thereby avoiding the situation in which a proxy server's IP address is blocked and a large area becomes inaccessible, allows the blocking policy to be configured flexibly according to multi-dimensional information, and overcomes the defect that a traditional blocking device blocks only according to single IP address information.
Referring to fig. 2, another embodiment of the method for blocking a malicious IP address according to the embodiment of the present invention includes:
201. establishing an IP address information base and configuring a blocking policy;
optionally, in an embodiment, blacklist and whitelist labels are established; an IP address carrying the whitelist label is passed directly without blocking detection, and an IP address carrying the blacklist label is subjected to blocking processing directly.
Optionally, in an embodiment, when the IP address information base is updated, an IP address having a certain label in the IP address information base before updating but not having the label in the IP address information base after updating is removed.
202. When an access request is received, judging whether a proxy server exists in front of an application layer;
in this embodiment, the application layer is the highest layer in the OSI reference model of the network, provides services for users, has a user interface function for network transmission, and is mainly responsible for communication between users and applications or between applications and applications over the network, the application layer is an entry point for users or application interfaces and protocols to access the network, and the proxy server is a server for acting on network users to obtain network information, and is an intermediate proxy mechanism between a personal network and an Internet service provider, and is responsible for forwarding legal network information and controlling and registering forwarding.
203. If no proxy server exists before the application layer, the IP address of the opposite end establishing the link is used as a real IP address;
in this embodiment, if there is no proxy server before the application layer, the peer IP address for establishing the connection is the real IP address of the host sending the access request.
204. If a proxy server exists in front of the application layer, a preset analysis method is applied to obtain a real IP address;
optionally, in an embodiment, the step 204 includes:
judging whether the opposite terminal IP address establishing the link is a trust IP;
if the opposite terminal IP address of the link is an untrusted IP, the opposite terminal IP address of the link is used as a real IP address;
if the IP address of the opposite end establishing the link is a trust IP, judging whether the proxy server is a network layer proxy server;
if the proxy server is a network layer proxy server, acquiring a real IP address from the TCP message;
if the proxy server is a non-network layer proxy server, judging whether the head field of the access request is a self-defined head field;
if the header field of the access request is a custom header field, taking the information in the header field as a real IP address;
and if the header field of the access request is a non-self-defined header field, taking the value of the X-Forwarded-For field of the header field of the access request as the real IP address.
Specifically, to prevent a malicious client from forging its address in the request, a trusted IP address list may be configured: only for peers in the trusted list is the forwarded client information extracted to obtain the real IP address of the client; any peer not in the trusted list is itself treated as the real IP address of the client.
Specifically, for a peer in the trusted IP address list, it is determined whether the proxy server is a network-layer proxy server. If it is, the real IP address of the client is obtained through TOA (TCP Option Address, a method that places the client IP address and port in the option field of the final packet of the TCP three-way handshake); otherwise (the proxy server is not a network-layer proxy server), it is determined whether the header of the access request contains a custom request header field that carries the forwarded client IP address. If so, the IP address in that custom field is taken as the real IP address; if not, the value of the X-Forwarded-For field of the request header is taken as the real IP address. X-Forwarded-For (XFF) is an HTTP request header field used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
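The resolution procedure of steps 202 to 204, written out as an added Python example; it is not code from the patent or from the applicant. The trusted proxy list, the custom header name X-Real-Client-IP and the TOA option layout (kind 254, length 8, as used by the LVS TOA kernel module) are assumptions of the example. The X-Forwarded-For handling goes one step beyond the text: instead of taking the field value as a whole, it walks the list from the right and skips the operator's own proxies, because the leftmost entry is written by the client and can be anything.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Constructed for this example: addresses of our own load balancers / reverse
# proxies. Only these peers may "speak for" a client via TOA or headers.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

# Name of the operator-defined header that carries the client IP (assumption).
CUSTOM_CLIENT_IP_HEADER = "x-real-client-ip"

# TCP option layout assumed here, as used by the LVS TOA kernel module:
# kind 254, length 8, then a 16-bit port and a 32-bit IPv4 address (network order).
TOA_KIND, TOA_LEN = 254, 8


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_toa_option(tcp_options: bytes) -> Optional[Tuple[str, int]]:
    """Walk the TCP option list of the handshake ACK; return (ip, port) from a TOA option."""
    i = 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(tcp_options):
            return None               # truncated option header
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            return None               # malformed length: do not trust any of it
        if kind == TOA_KIND and length == TOA_LEN:
            port, raw_ip = struct.unpack("!H4s", tcp_options[i + 2:i + 8])
            return str(ipaddress.IPv4Address(raw_ip)), port
        i += length
    return None


def client_from_xff(xff: str, peer: str) -> str:
    """Rightmost hop of X-Forwarded-For that is not one of our proxies.

    The leftmost entry is written by the client and can be anything, so the
    walk goes right to left and stops at the first address we did not add."""
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer               # garbage in the chain: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer                       # every hop is ours: the proxy itself is the client


def resolve_real_ip(peer: str, proxied: bool, network_layer_proxy: bool,
                    headers: Dict[str, str], tcp_options: bytes = b"") -> str:
    """Steps 202-204 of the patent, plus the refinements noted in the lead-in."""
    if not proxied:                   # 203: no proxy, the TCP peer is the client
        return peer
    if not is_trusted(peer):          # 204: an untrusted peer speaks only for itself
        return peer
    if network_layer_proxy:           # layer-4 proxy: client address rides in TOA
        toa = parse_toa_option(tcp_options)
        return toa[0] if toa else peer
    hdrs = {k.lower(): v for k, v in headers.items()}
    custom = hdrs.get(CUSTOM_CLIENT_IP_HEADER, "").strip()
    if custom:                        # operator-defined header takes precedence
        try:
            return str(ipaddress.ip_address(custom))
        except ValueError:
            return peer
    xff = hdrs.get("x-forwarded-for", "")
    return client_from_xff(xff, peer) if xff else peer
```

In a real deployment the kernel-side TOA module supplies the client address to the application rather than the application parsing raw TCP options; the parser is included only to make the option layout concrete. Note the two fail-safe choices: a malformed TOA option or an unparsable header value never yields an attacker-chosen string, the code falls back to the connection peer, which is the one address that cannot be forged.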
205. Block the real IP address based on the blocking policy.
Optionally, in an embodiment, the blocking granularity is adjusted to the load of the host, and coarse-grained blocking is performed when the load is too high. For example, when the host load exceeds a preset threshold, the matched object is widened to all IP addresses under a CIDR block A.B.C.D/N, which blocks malicious IP addresses to the greatest extent while reducing the host's resource consumption; when the host load returns to normal, the original blocking policy is restored.
Optionally, in an embodiment, the blocked malicious IP address is synchronized to a network-layer firewall or to the front proxy server, so that the request is intercepted at the network layer and resource consumption is reduced.
Optionally, in an embodiment, step 205 includes:
based on the priority of each blocking policy, determining in order from highest to lowest priority whether the real IP address satisfies each preset blocking condition;
and when the real IP address satisfies a preset blocking condition, executing the corresponding matching action and stopping evaluation of the remaining, lower-priority blocking conditions.
For ease of understanding, the following example illustrates the flow of the blocking process:
In this embodiment, the following four blocking policies are provided, with priority (1) > (2) > (3) > (4):
(1) block any IP address whose GeoIP label in the IP address information base gives the United States as its country;
(2) if any IP address reaches 100 accesses within a 60-second period, that IP address is automatically blocked for 1 hour;
(3) if any IP address triggers 10 or more attacks within a 10-second period, all IP addresses in the CIDR block A.B.C.D/24 to which it belongs are automatically blocked for 24 hours;
(4) if any IP address makes no more than 10 accesses in each of three consecutive 60-second periods, that IP address is automatically blocked for 1 hour and given a scanner label.
Now, if an IP address (1.1.1.1) accesses the application, its GeoIP is queried first. If its country is the United States, it is regarded as triggering blocking policy (1) and is blocked, and policies (2), (3) and (4) are not evaluated; otherwise its access behaviour is counted:
if the IP address makes 110 accesses within 60 seconds, 20 of them attacks spaced about 3 seconds apart (matching blocking policy (2)), the blocking device regards 1.1.1.1 as triggering rule (2) and blocks it for 1 hour;
if the IP address makes 100 accesses within 60 seconds, 10 of them attacks within 10 consecutive seconds (matching blocking policies (2) and (3)), the blocking device regards 1.1.1.1 as triggering rule (2) and blocks it for 1 hour: policy (2) has the higher priority, its matching action is executed as soon as it is found to be satisfied, and policies (3) and (4) are not evaluated;
if the IP address makes 50 accesses within 10 seconds, 10 of them attacks, the blocking device regards the CIDR block 1.1.1.0/24 to which it belongs as triggering rule (3) and blocks the whole block for 24 hours;
if the IP address makes 5 accesses in one minute, 1 in the next and 5 in the one after that, the blocking device regards 1.1.1.1 as triggering rule (4), blocks it for 1 hour and adds the scanner label to it.
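The four-policy walkthrough above, implemented as an added Python example that is not code from the patent: a priority-ordered policy engine over sliding windows, the load-adaptive widening of a single address to its /24 from step 205, and expiry of blocks. The IP address information base entry mapping 198.51.100.0/24 to a United States GeoIP label is invented for the example, the timestamps are constructed, and the slow-scanner condition additionally requires at least one request in each of the three periods, which the text does not say; without that lower bound an address seen for the first time would match.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Iterable, List, Optional, Set, Tuple

# Constructed IP address information base (label -> CIDR blocks). A deployment
# loads GeoIP / ISP / IDC / threat-intel feeds; this single entry is invented.
IP_INFO_BASE: Dict[str, List[ipaddress.IPv4Network]] = {
    "geoip:US": [ipaddress.ip_network("198.51.100.0/24")],
}
LOAD_THRESHOLD = 0.8   # host load (0..1) above which blocking becomes coarse-grained

def labels_of(ip: str) -> Set[str]:
    addr = ipaddress.ip_address(ip)
    return {lbl for lbl, nets in IP_INFO_BASE.items() if any(addr in n for n in nets)}

class Tracker:
    def __init__(self) -> None:
        self.requests: Dict[str, Deque[float]] = defaultdict(deque)   # per-IP timestamps
        self.attacks: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, ip: str, ts: float, attack: bool) -> None:
        self.requests[ip].append(ts)
        if attack:
            self.attacks[ip].append(ts)

    def requests_in(self, ip: str, end: float, window: float) -> int:
        return sum(1 for t in self.requests[ip] if end - window < t <= end)

    def attacks_in(self, ip: str, end: float, window: float) -> int:
        return sum(1 for t in self.attacks[ip] if end - window < t <= end)

class Blocker:
    def __init__(self, host_load: float = 0.0) -> None:
        self.blocks: Dict[ipaddress.IPv4Network, Optional[float]] = {}  # net -> expiry
        self.tags: Dict[str, Set[str]] = defaultdict(set)   # ip -> labels added by actions
        self.hits: Dict[str, str] = {}                      # ip -> policy that fired
        self.host_load = host_load                          # fed by a host load monitor

    def block(self, target: str, now: float, duration: Optional[float], tag: str = "") -> None:
        net = ipaddress.ip_network(target, strict=False)
        # Load-adaptive coarse-grained blocking (step 205): when the host is
        # overloaded, widen a single address to its /24 so fewer entries are kept.
        if self.host_load > LOAD_THRESHOLD and net.prefixlen == 32:
            net = net.supernet(new_prefix=24)
        self.blocks[net] = None if duration is None else now + duration  # None = permanent
        if tag:
            self.tags[target].add(tag)

    def is_blocked(self, ip: str, now: float) -> bool:
        addr = ipaddress.ip_address(ip)
        for net, expires in list(self.blocks.items()):
            if expires is not None and expires <= now:
                del self.blocks[net]            # expired entry, dropped lazily
            elif addr in net:
                return True
        return False

@dataclass
class Policy:
    name: str
    priority: int                               # higher = evaluated first
    matches: Callable[[Tracker, str, float], bool]
    act: Callable[[Blocker, str, float], None]

def slow_scanner(tr: Tracker, ip: str, ts: float) -> bool:
    # three consecutive 60 s periods ending now, each with 1..10 requests (lower bound: assumption)
    return all(1 <= tr.requests_in(ip, ts - 60 * k, 60) <= 10 for k in range(3))

POLICIES = sorted([
    Policy("policy-1", 4, lambda tr, ip, ts: "geoip:US" in labels_of(ip),
           lambda bl, ip, ts: bl.block(ip, ts, None)),
    Policy("policy-2", 3, lambda tr, ip, ts: tr.requests_in(ip, ts, 60) >= 100,
           lambda bl, ip, ts: bl.block(ip, ts, 3600)),
    Policy("policy-3", 2, lambda tr, ip, ts: tr.attacks_in(ip, ts, 10) >= 10,
           lambda bl, ip, ts: bl.block(f"{ip}/24", ts, 86400)),
    Policy("policy-4", 1, slow_scanner,
           lambda bl, ip, ts: bl.block(ip, ts, 3600, tag="scanner")),
], key=lambda p: -p.priority)

def handle(tr: Tracker, bl: Blocker, ip: str, ts: float, attack: bool = False) -> str:
    """One access request: returns 'blocked', 'allowed', or the policy that just fired."""
    if bl.is_blocked(ip, ts):
        return "blocked"
    tr.record(ip, ts, attack)
    for pol in POLICIES:                        # high priority first, first match wins
        if pol.matches(tr, ip, ts):
            pol.act(bl, ip, ts)
            bl.hits[ip] = pol.name
            return pol.name                     # lower-priority policies are skipped
    return "allowed"

def replay(events: Iterable[Tuple[str, float, bool]], host_load: float = 0.0) -> Blocker:
    """Replay constructed (ip, timestamp, is_attack) events; return the block table."""
    tr, bl = Tracker(), Blocker(host_load)
    for ip, ts, attack in events:
        handle(tr, bl, ip, ts, attack)
    return bl
```

replay([("1.1.1.1", i * 0.5, i >= 90) for i in range(100)]) reproduces the second walkthrough case: policy (2) fires on the hundredth request and, because evaluation stops there, 1.1.1.0/24 is left untouched even though ten attacks fall inside the last ten seconds; the same events replayed with host_load=0.95 widen that single-address block to the whole /24. Because conditions are evaluated on every request, the order of events matters: had the ten attacks come first, policy (3) would have fired before the request count reached 100.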
In the embodiment of the invention, an IP address information base is established and a blocking policy is configured; when an access request is received, it is determined whether a proxy server exists in front of the application layer; if no proxy server exists in front of the application layer, the IP address of the peer that established the connection is taken as the real IP address; if a proxy server exists in front of the application layer, the real IP address is obtained with a preset resolution method; and the real IP address is blocked based on the blocking policy. By obtaining the real client IP address with the preset resolution method and blocking that address rather than the proxy server's, the invention avoids blocking a proxy server address and thereby cutting off access for all clients behind it, and blocks according to the access behaviour of the precise IP address. Because it counts both excessive and unusually sparse access from an IP address, it can, unlike existing blocking devices, also block addresses whose access volume is far below that of normal clients, and so withstand slow CC attacks launched from a large number of IP addresses. It can further count the HTTP header fields of an IP address's requests and the number and proportion of response codes, blocking malicious IPs with abnormal access behaviour automatically; the blocking policy can be configured flexibly from multi-dimensional information, and coarse-grained blocking can be applied to improve efficiency.
With reference to fig. 3, the method for blocking a malicious IP address in the embodiment of the present invention is described above; a device for blocking a malicious IP address in the embodiment of the present invention is described below. An embodiment of the device includes:
the configuration module 301, configured to establish an IP address information base and configure a blocking policy;
a processing module 302, configured to obtain, when an access request is received, the real IP address of the client from which the access request originates;
and the blocking module 303, configured to block the real IP address based on the blocking policy.
Optionally, the configuration module 301 is specifically configured to:
acquire labels and the IP address information corresponding to each label, where the label categories include one or more of geographic location (GeoIP), ISP (Internet service provider), IDC (Internet data center), anycast, threat intelligence and custom labels;
and establish the IP address information base from the labels and the IP address information.
Optionally, the configuration module 301 may further be configured to:
acquire the IP address information of a matched object;
count, based on that IP address information, the number of requests the matched object makes to a given path over a preset number of periods;
and acquire a matching action, and configure a blocking policy that executes the matching action when the request count of the matched object satisfies a preset blocking condition.
Optionally, the configuration module 301 may further be configured to:
configure the priority of each blocking policy when several blocking policies are configured.
Optionally, the blocking module 303 is specifically configured to:
determine, based on the priority of each blocking policy and in order from highest to lowest priority, whether the real IP address satisfies each preset blocking condition;
and, when the real IP address satisfies a preset blocking condition, execute the corresponding matching action and stop evaluating the remaining blocking conditions.
Optionally, the processing module 302 includes:
a judging unit 3021, configured to determine, when an access request is received, whether a proxy server exists in front of the application layer;
a processing unit 3022, configured to take, if no proxy server exists in front of the application layer, the IP address of the peer that established the connection as the real IP address;
and a parsing unit 3023, configured to obtain, if a proxy server exists in front of the application layer, the real IP address with a preset resolution method.
Optionally, the parsing unit 3023 is specifically configured to:
determine whether the peer IP address of the established connection is a trusted IP;
if the peer IP address of the connection is not a trusted IP, take the peer IP address as the real IP address;
if the peer IP address of the connection is a trusted IP, determine whether the proxy server is a network-layer proxy server;
if the proxy server is a network-layer proxy server, obtain the real IP address from the TCP message;
if the proxy server is not a network-layer proxy server, determine whether the header of the access request contains the custom header field;
if the header of the access request contains the custom header field, take the value of that field as the real IP address;
and if the header of the access request does not contain the custom header field, take the value of the X-Forwarded-For header field of the access request as the real IP address.
In the embodiment of the invention, an IP address information base is established and a blocking policy is configured; when an access request is received, the real IP address of the client from which the access request originates is obtained; and the real IP address is blocked based on the blocking policy. The invention obtains the real client IP address automatically and blocks that address, avoiding the situation in which blocking a proxy server address cuts off access for a large number of clients behind it, and allows the blocking policy to be configured flexibly from multi-dimensional information, overcoming the drawback of conventional blocking devices that block on single IP address information only.
Fig. 3 describes the blocking processing apparatus for a malicious IP address in the embodiment of the present invention from the perspective of modular functional entities; the electronic device in the embodiment of the present invention is described below from the perspective of hardware.
Fig. 4 is a schematic structural diagram of an electronic device 500 according to an embodiment of the present invention, where the electronic device 500 may have a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 510 (e.g., one or more processors) and a memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) for storing applications 533 or data 532. Memory 520 and storage media 530 may be, among other things, transient or persistent storage. The program stored in the storage medium 530 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the electronic device 500. Further, the processor 510 may be configured to communicate with the storage medium 530 to execute a series of instruction operations in the storage medium 530 on the electronic device 500.
The electronic device 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input-output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and so on. Those skilled in the art will appreciate that the electronic device configuration shown in fig. 4 does not constitute a limitation of the electronic device, which may include more or fewer components than those shown, may combine some components, or may arrange the components differently.
The present invention further provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores computer readable instructions, and when the computer readable instructions are executed by the processor, the processor executes the steps of the malicious IP address blocking processing method in the foregoing embodiments.
The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, and may also be a volatile computer-readable storage medium, where instructions are stored, and when the instructions are executed on a computer, the instructions cause the computer to execute the steps of the method for blocking the malicious IP address.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A malicious IP address blocking processing method, characterized in that the method comprises the following steps:
establishing an IP address information base and configuring a blocking policy;
when an access request is received, acquiring the real IP address of the client from which the access request originates;
and blocking the real IP address based on the blocking policy.
2. The method according to claim 1, wherein establishing the IP address information base comprises:
acquiring labels and the IP address information corresponding to each label, wherein the label categories comprise one or more of geographic location, ISP, IDC, anycast, threat intelligence and custom labels;
and establishing the IP address information base from the labels and the IP address information.
3. The method according to claim 1, wherein configuring the blocking policy comprises:
acquiring the IP address information of a matched object;
counting, based on the IP address information of the matched object, the number of requests the matched object makes to a given path over a preset number of periods;
and acquiring a matching action, and configuring a blocking policy that executes the matching action when the request count of the matched object satisfies a preset blocking condition.
4. The method according to claim 3, wherein configuring the blocking policy further comprises:
when several blocking policies are configured, configuring the priority of each blocking policy.
5. The method according to claim 4, wherein blocking the real IP address based on the blocking policy comprises:
based on the priority of each blocking policy, determining in order from highest to lowest priority whether the real IP address satisfies each preset blocking condition;
and when the real IP address satisfies a preset blocking condition, executing the corresponding matching action and stopping evaluation of the remaining blocking conditions.
6. The method according to claim 1, wherein acquiring, when an access request is received, the real IP address of the client from which the access request originates comprises:
when an access request is received, determining whether a proxy server exists in front of the application layer;
if no proxy server exists in front of the application layer, taking the IP address of the peer that established the connection as the real IP address;
if a proxy server exists in front of the application layer, obtaining the real IP address with a preset resolution method.
7. The method according to claim 6, wherein, if a proxy server exists in front of the application layer, obtaining the real IP address with a preset resolution method comprises:
determining whether the peer IP address of the established connection is a trusted IP;
if the peer IP address of the connection is not a trusted IP, taking the peer IP address as the real IP address;
if the peer IP address of the connection is a trusted IP, determining whether the proxy server is a network-layer proxy server;
if the proxy server is a network-layer proxy server, obtaining the real IP address from the TCP message;
if the proxy server is not a network-layer proxy server, determining whether the header of the access request contains a custom header field;
if the header of the access request contains the custom header field, taking the value of that field as the real IP address;
and if the header of the access request does not contain the custom header field, taking the value of the X-Forwarded-For header field of the access request as the real IP address.
8. A malicious IP address blocking processing device, characterized in that the device comprises:
a configuration module, configured to establish an IP address information base and configure a blocking policy;
a processing module, configured to acquire, when an access request is received, the real IP address of the client from which the access request originates;
and a blocking module, configured to block the real IP address based on the blocking policy.
9. An electronic device, characterized in that the electronic device comprises: a memory and at least one processor, the memory having instructions stored therein;
the at least one processor invokes the instructions in the memory to cause the electronic device to perform the method of blocking malicious IP addresses of any of claims 1-7.
10. A computer-readable storage medium having instructions stored thereon, wherein the instructions, when executed by a processor, implement the blocking processing method for a malicious IP address according to any one of claims 1 to 7.
Application CN202210833404.3A, priority date 2022-07-15, filing date 2022-07-15: Malicious IP address blocking processing method, device, equipment and storage medium (pending), published as CN115174243A (en).


Publications (1)

Publication Number Publication Date
CN115174243A (en) 2022-10-11

Family

ID=83494219



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination