CN115766201B - Solution for quick blocking of large number of IP addresses - Google Patents


Info

Publication number
CN115766201B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211415091.6A
Other languages
Chinese (zh)
Other versions
CN115766201A (en)
Inventor
张鹏
史志敏
余涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Hagong Information Industry Co ltd
Original Assignee
Beijing Hagong Information Industry Co ltd


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network data processing, in particular to a solution for rapidly blocking a large number of IP addresses, which comprises the following steps: an identification module marks an IP address showing abnormal access and/or abnormal operation as an abnormal IP address; the abnormal IP address is converted into a corresponding hash value; a judgment is made according to the access frequency, and IP addresses are either blocked according to the hash values of the abnormal IP addresses or transmitted to a processing module; when an accessing IP address is obtained, it is compared against the hash values in a storage module, and an IP address corresponding to an abnormal IP address is blocked; when a new IP address showing abnormal access and/or abnormal operation is identified, the abnormal IP address list is updated. The method for identifying abnormal IP addresses is continuously updated, and abnormal IP addresses are blocked before network protocol buffering, which effectively improves network security and also effectively improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.

Description

Solution for quick blocking of large number of IP addresses
Technical Field
The invention relates to the technical field of network data processing, in particular to a solution for rapidly blocking a large number of IP addresses.
Background
With the continuous development of network technology, the attack and defense techniques applied to systems keep developing as well. As for blocking abnormal IP addresses, existing IP address blocking mostly combines ipset with iptables. Because lookups pass through the protocol stack, the network security framework and the iptables policy, searching and matching are slow, so the system becomes slow in scenarios with massive numbers of abnormal IP addresses. Chinese patent publication No. CN113709005A discloses a custom IP traffic statistics method and system based on iptables, which uses custom IP addresses and collects statistics to display the instantaneous network traffic, thereby realizing traffic display and statistics. Chinese patent publication No. CN113315791A discloses a host protection method and an electronic device based on a proxy module, which solve the problem that a host is brute-forced when the number of login attempts from a plurality of IP addresses does not reach the threshold set by the script, thereby achieving the technical effect of improving network security. Chinese patent publication No. CN114598525A discloses a method and apparatus for automatically blocking IP addresses against network attacks, which acquires log data from a plurality of network security devices, parses the acquired log data into a unified format, performs a risk assessment on each accessing IP address, determines whether each accessing IP address is high risk, and blocks the accessing IP addresses that are high risk.
It can be seen that the above technical solutions have the following problem: when the number of blocked IP addresses reaches a certain number, the blocking policy itself slows down the overall operation of the system.
Disclosure of Invention
Therefore, the invention provides a solution for rapidly blocking a large number of IP addresses, to solve the prior-art problem that, once the number of blocked IP addresses reaches a certain number, the blocking policy itself slows the overall running speed of the system and so reduces the efficiency with which the system blocks large numbers of abnormal IP addresses.
In order to achieve the above object, the present invention provides a solution for fast blocking a large number of IP addresses, comprising:
Step S1: an identification module records an IP address showing abnormal access and/or abnormal operation as an abnormal IP address and transmits it to a processing module;
Step S2: when the processing module obtains the abnormal IP address, it converts the address into a corresponding hash value and stores the hash value in a storage module and in the identification module;
Step S3: when the identification module identifies a plurality of IP addresses requesting access, it makes a judgment according to the access frequency and either blocks IP addresses according to the hash values of the abnormal IP addresses or transmits the IP addresses to the processing module;
Step S4: when the processing module obtains an accessing IP address, it compares it against the hash values in the storage module and blocks any IP address that corresponds to an abnormal IP address;
Step S5: when the identification module identifies a new IP address showing abnormal access and/or abnormal operation, it marks that address as an abnormal IP address and transmits it to the processing module.
Further, when the identification module acquires consecutive access requests from a plurality of IP addresses, it makes a judgment according to the access request frequency of each IP address. For the i-th IP address, the interval between its access requests is ti, where i = 1, 2, 3, …, n and n is the maximum number of IP addresses. A first preset duration interval tα and a second preset duration interval tβ are set in the identification module, where 0 < tα < tβ; tα is the minimum normal time interval and tβ is the maximum continuous time interval. The identification module compares ti with tα and tβ to determine whether the continuous access of the corresponding IP address is reasonable:
if ti < tα, the identification module determines that the i-th IP address is abnormal and transmits it to the processing module as an abnormal IP address;
if tα ≤ ti ≤ tβ, the identification module determines that the i-th IP address may be abnormal and makes a further judgment according to the number of consecutive accesses of the i-th IP address;
if tβ < ti, the identification module determines that the i-th IP address is normal and passes it.
Further, when the identification module determines that the i-th IP address may be abnormal, it evaluates the number of consecutive accesses Ti of the i-th IP address to determine whether its continuous access is reasonable. A preset number of consecutive accesses Tα is set in the identification module, where 0 < Tα; Tα is the maximum normal number of consecutive accesses. The identification module compares Ti with Tα to determine whether the access of the i-th IP address is reasonable:
if Ti ≤ Tα, the identification module determines that the i-th IP address is normal and passes it;
if Tα < Ti, the identification module determines that the i-th IP address is abnormal and transmits it to the processing module as an abnormal IP address.
Further, when the processing module obtains the abnormal IP address transmitted by the identification module, the processing module converts the abnormal IP into a corresponding abnormal hash value, and transmits the corresponding abnormal hash value to the identification module and the storage module.
Further, when the identification module receives access requests from a plurality of IP addresses within a preset time period, it evaluates the total access density. For the j-th preset time period, the number of IP address access requests received by the identification module is Fj, where j = 1, 2, 3, …, m and m is the maximum number of preset time periods. A first preset access request amount Fα and a second preset access request amount Fβ are stored in the identification module, where 0 < Fα < Fβ; Fα is the maximum normal access request amount and Fβ is the maximum access request amount threshold. The identification module compares Fj with Fα and Fβ to determine the access density within the j-th preset time period:
if Fj ≤ Fα, the identification module determines that the total access density within the j-th preset time period is normal and transmits each accessing IP address to the processing module, so that the access rationality of each IP address can be judged;
if Fα < Fj ≤ Fβ, the identification module determines that the total access density within the j-th preset time period is high, that is, a large number of IP addresses are sending access requests at the same time; the identification module converts each accessing IP address into a corresponding hash value and blocks the corresponding IP addresses according to the abnormal hash values;
if Fβ < Fj, the identification module determines that the network is under attack and disconnects the network connection as a fuse (circuit-breaker) action.
Further, when the identification module transmits each IP address requesting access to the processing module, the processing module converts each IP address into a hash value, compares it with the abnormal hash values stored in the storage module, and blocks the IP addresses corresponding to abnormal hash values.
Further, when the processing module passes a single IP address and that address accesses the internal network, the internal network identifies the information access operations performed from that address. When the internal network identifies a destructive operation from the single IP address, the corresponding IP address is transmitted to the processing module, and the processing module converts the IP address into a hash value and transmits the hash value to the storage module and the identification module for updating.
Further, when the number of IP addresses stored in the storage module reaches a preset number, the storage module removes the stored abnormal IP addresses one after another in the order in which they were added, from smallest to largest.
Further, when the identification module determines that the access density is high, it blocks the corresponding abnormal IP addresses directly according to the abnormal hash values stored in it and at the same time passes the remaining IP addresses.
Further, when the identification module determines that the access density is high, it does not update the abnormal hash values transmitted by the processing module while it is blocking the abnormal IP addresses.
Compared with the prior art, the invention has the beneficial effect that, by using the method for identifying abnormal IP addresses, abnormal IP addresses are blocked before network protocol buffering, which effectively improves network security and also effectively improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, identifying abnormal IP addresses by their access frequency effectively improves the efficiency of identifying abnormal IP addresses and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Further, identifying abnormal IP addresses by judging their number of consecutive accesses effectively improves the accuracy of identifying abnormal IP addresses and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, converting abnormal IP addresses into abnormal hash values effectively simplifies how abnormal IP addresses are stored and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, setting the simultaneous access amounts to define the number of abnormal accesses and the fusing mode effectively improves the accuracy of recognizing large-scale network attacks and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, converting IP addresses into hash values for storage effectively improves storage capacity and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, continuously updating the abnormal IP address list effectively improves how well targeted the abnormal IP addresses are and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, continuously clearing useless data to keep storage space available effectively improves storage space utilization and shrinks the lookup list, which further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Furthermore, clearing abnormal IP addresses before the storage is called effectively improves the ability to defend against massive numbers of IP addresses and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Further, by stopping updates, the main resources are devoted to clearing abnormal IP addresses, which effectively improves resource utilization and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Drawings
FIG. 1 is a flow chart of a solution for fast blocking of a large number of IP addresses according to the present invention;
FIG. 2 is a schematic diagram of a system architecture according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
It should be noted that, in the description of the present invention, terms such as "upper," "lower," "left," "right," "inner," "outer," and the like indicate directions or positional relationships based on the directions or positional relationships shown in the drawings, which are merely for convenience of description, and do not indicate or imply that the apparatus or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Referring to fig. 1, a flowchart of a solution for fast blocking a large number of IP addresses according to the present invention is shown, which includes:
Step S1: an identification module records an IP address showing abnormal access and/or abnormal operation as an abnormal IP address and transmits it to a processing module;
Step S2: when the processing module acquires the abnormal IP address, it converts the address into a corresponding hash value and stores the hash value in the storage module and in the identification module;
Step S3: when the identification module identifies a plurality of IP addresses requesting access, it makes a judgment according to the access frequency and either blocks IP addresses according to the hash values of the corresponding abnormal IP addresses or transmits the IP addresses to the processing module;
Step S4: when the processing module obtains an accessing IP address, it compares it against the hash values in the storage module and blocks any IP address that corresponds to an abnormal IP address;
Step S5: when the identification module identifies a new IP address showing abnormal access and/or abnormal operation, it marks that address as an abnormal IP address and transmits it to the processing module.
The method for identifying abnormal IP addresses is continuously updated, and abnormal IP addresses are blocked before network protocol buffering, which effectively improves network security and also effectively improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Fig. 2 is a schematic diagram of a system architecture according to an embodiment of the invention.
Specifically, when the identification module acquires consecutive access requests from a plurality of IP addresses, it makes a judgment according to the access request frequency of each IP address. For the i-th IP address, the interval between its access requests is ti, where i = 1, 2, 3, …, n and n is the maximum number of IP addresses. A first preset duration interval tα and a second preset duration interval tβ are set in the identification module, where 0 < tα < tβ; tα is the minimum normal time interval and tβ is the maximum continuous time interval. The identification module compares ti with tα and tβ to determine whether the continuous access of the corresponding IP address is reasonable:
if ti < tα, the identification module determines that the i-th IP address is abnormal and transmits it to the processing module as an abnormal IP address;
if tα ≤ ti ≤ tβ, the identification module determines that the i-th IP address may be abnormal and makes a further judgment according to the number of consecutive accesses of the i-th IP address;
if tβ < ti, the identification module determines that the i-th IP address is normal and passes it.
Identifying abnormal IP addresses by their access frequency effectively improves the efficiency of identifying abnormal IP addresses and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the identification module determines that the i-th IP address may be abnormal, it evaluates the number of consecutive accesses Ti of the i-th IP address to determine whether its continuous access is reasonable. A preset number of consecutive accesses Tα is set in the identification module, where 0 < Tα; Tα is the maximum normal number of consecutive accesses. The identification module compares Ti with Tα to determine whether the access of the i-th IP address is reasonable:
if Ti ≤ Tα, the identification module determines that the i-th IP address is normal and passes it;
if Tα < Ti, the identification module determines that the i-th IP address is abnormal and transmits it to the processing module as an abnormal IP address.
Further, identifying abnormal IP addresses by judging their number of consecutive accesses effectively improves the accuracy of identifying abnormal IP addresses and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the processing module obtains the abnormal IP address transmitted by the identification module, the processing module converts the abnormal IP into a corresponding abnormal hash value and transmits the corresponding abnormal hash value to the identification module and the storage module.
Furthermore, by converting the abnormal IP address into the abnormal hash value, the system can further improve the processing efficiency of sealing and banning the massive abnormal IP addresses while effectively simplifying the storage mode of the abnormal IP address.
Specifically, when the identification module receives access requests from a plurality of IP addresses within a preset time period, it evaluates the total access density. For the j-th preset time period, the number of IP address access requests received by the identification module is Fj, where j = 1, 2, 3, …, m and m is the maximum number of preset time periods. A first preset access request amount Fα and a second preset access request amount Fβ are stored in the identification module, where 0 < Fα < Fβ; Fα is the maximum normal access request amount and Fβ is the maximum access request amount threshold. The identification module compares Fj with Fα and Fβ to determine the access density within the j-th preset time period:
if Fj ≤ Fα, the identification module determines that the total access density within the j-th preset time period is normal and transmits each accessing IP address to the processing module, so that the access rationality of each IP address can be judged;
if Fα < Fj ≤ Fβ, the identification module determines that the total access density within the j-th preset time period is high, that is, a large number of IP addresses are sending access requests at the same time; the identification module converts each accessing IP address into a corresponding hash value and blocks the corresponding IP addresses according to the abnormal hash values;
if Fβ < Fj, the identification module determines that the network is under attack and disconnects the network connection as a fuse (circuit-breaker) action.
Furthermore, setting the simultaneous access amounts to define the number of abnormal accesses and the fusing mode effectively improves the accuracy of recognizing large-scale network attacks and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the identification module transmits each IP address requesting access to the processing module, the processing module converts each IP address into a hash value, compares it with the abnormal hash values stored in the storage module, and blocks the IP addresses corresponding to abnormal hash values.
Furthermore, converting IP addresses into hash values for storage effectively improves storage capacity and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the processing module passes a single IP address and that address accesses the internal network, the internal network identifies the information access operations performed from that address. When the internal network identifies destructive operations from the single IP address, the corresponding IP address is transmitted to the processing module, and the processing module converts the IP address into a hash value and transmits the hash value to the storage module and the identification module for updating.
Furthermore, continuously updating the abnormal IP address list effectively improves how well targeted the abnormal IP addresses are and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the number of IP addresses stored in the storage module reaches a preset number, the storage module removes the stored abnormal IP addresses one after another in the order in which they were added, from smallest to largest.
Furthermore, continuously clearing useless data to keep storage space available effectively improves storage space utilization and shrinks the lookup list, which further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the identification module determines that the access density is high, it blocks the corresponding abnormal IP addresses directly according to the abnormal hash values stored in it and at the same time passes the remaining IP addresses.
Furthermore, clearing abnormal IP addresses before the storage is called effectively improves the ability to defend against massive numbers of IP addresses and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
Specifically, when the identification module determines that the access density is high, it does not update the abnormal hash values transmitted by the processing module while it is blocking the abnormal IP addresses.
Further, by stopping updates, the main resources are devoted to clearing abnormal IP addresses, which effectively improves resource utilization and further improves the efficiency with which the system blocks massive numbers of abnormal IP addresses.
The method for blocking a large number of IP addresses using the technical scheme of the invention comprises the following steps:
abnormal IP addresses are collected and sorted through a period of training, and the hash values of the corresponding IP addresses are transmitted to ipset and to the identification module, at which point the identification module starts to operate;
when the identification module judges that the network packets are in a normal state, it transmits the received network packets sent by each IP address to ipset; ipset then compares the corresponding network packets, via the protocol stack, against the stored matrix of abnormal IP address hash values, sorts out and blocks the network packets from abnormal IP addresses, and the remaining network packets are processed normally.
When the identification module identifies that a large number of IP addresses are sending network packets, it enters a mode for clearing large numbers of abnormal IP addresses: it blocks the corresponding IP addresses directly according to the hash values of the abnormal IP addresses, bypassing the protocol stack and the abnormal IP storage matrix, and the other network packets are processed normally.
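The decision flow described above (per-address interval and consecutive-access judgment, per-period density judgment with fusing, hashed blocklist with bounded storage), modelled as an added example that is not part of the patent text or the patentee's implementation. The hash function (SHA-256), the threshold values, the earliest-added-first reading of the removal order, dropping the request that triggers a new abnormal verdict, and all class and function names are assumptions.

```python
import hashlib
import ipaddress
from collections import OrderedDict

PASS, BLOCK, FUSE = "pass", "block", "fuse"


def ip_hash(ip):
    # Assumption: the patent names no hash function. SHA-256 over the packed
    # address is used so equivalent spellings of one address hash alike.
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()


class HashStore:
    """Storage module: abnormal-IP hashes with a preset maximum count."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._hashes = OrderedDict()  # insertion order = order of addition

    def add(self, ip):
        h = ip_hash(ip)
        if h in self._hashes:
            return  # already stored; keeps its original position
        self._hashes[h] = True
        while len(self._hashes) > self.capacity:
            self._hashes.popitem(last=False)  # remove the earliest-added hash

    def __contains__(self, ip):
        return ip_hash(ip) in self._hashes

    def snapshot(self):
        return set(self._hashes)


def is_abnormal(t_i, T_i, t_alpha, t_beta, T_alpha):
    """Per-address judgment on request interval t_i and consecutive count T_i."""
    if t_i < t_alpha:
        return True           # shorter than the minimum normal interval
    if t_i <= t_beta:
        return T_i > T_alpha  # "may be abnormal" band: decide on T_i
    return False              # longer than t_beta: normal


def density_mode(F_j, F_alpha, F_beta):
    """Judgment on the number of access requests F_j in one preset period."""
    if F_j <= F_alpha:
        return "normal"
    if F_j <= F_beta:
        return "dense"
    return "fuse"


class Gate:
    """Identification module in front of the processing/storage modules."""

    def __init__(self, store, t_alpha, t_beta, T_alpha, F_alpha, F_beta):
        self.store = store
        self.local = store.snapshot()  # identification module's own hash copy
        self.t = (t_alpha, t_beta, T_alpha)
        self.F = (F_alpha, F_beta)

    def handle_window(self, requests):
        """requests: list of (ip, t_i, T_i) seen in one preset time period."""
        mode = density_mode(len(requests), *self.F)
        if mode == "fuse":
            return mode, {ip: FUSE for ip, _, _ in requests}
        verdicts = {}
        if mode == "dense":
            # Block straight from the local hash copy, pass the rest, and
            # do not refresh the copy while in this mode.
            for ip, _, _ in requests:
                verdicts[ip] = BLOCK if ip_hash(ip) in self.local else PASS
            return mode, verdicts
        for ip, t_i, T_i in requests:
            if ip in self.store:                  # S4: hash comparison
                verdicts[ip] = BLOCK
            elif is_abnormal(t_i, T_i, *self.t):  # S1/S5: newly abnormal
                self.store.add(ip)                # S2: store its hash
                verdicts[ip] = BLOCK              # assumption: drop it now too
            else:
                verdicts[ip] = PASS
        self.local = self.store.snapshot()        # S2: sync the local copy
        return mode, verdicts


def run_demo():
    # Constructed thresholds and documentation-range addresses.
    gate = Gate(HashStore(capacity=2), t_alpha=0.5, t_beta=5.0, T_alpha=20,
                F_alpha=3, F_beta=5)
    normal = [("192.0.2.10", 0.1, 1), ("192.0.2.11", 2.0, 30),
              ("192.0.2.12", 2.0, 5)]
    dense = [("192.0.2.10", 0.1, 1), ("192.0.2.12", 2.0, 5),
             ("198.51.100.1", 0.01, 99), ("198.51.100.2", 9.0, 1)]
    flood = [("203.0.113.%d" % n, 0.01, 99) for n in range(6)]
    return gate, [gate.handle_window(w) for w in (normal, dense, flood)]


if __name__ == "__main__":
    for mode, verdicts in run_demo()[1]:
        print(mode, verdicts)
```

In the dense period, 198.51.100.1 passes despite its very short interval, because only addresses already in the hash list are blocked in that mode.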
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the invention and is not intended to limit the invention; various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A solution for rapid blocking of a plurality of IP addresses, comprising:
step S1, using an identification module to record an IP address of abnormal access and/or abnormal operation as an abnormal IP address, and transmitting the abnormal IP address to a processing module;
step S2, when the processing module obtains the abnormal IP address, converting the abnormal IP address into a corresponding hash value, and storing the hash value into a storage module and the identification module;
step S3, when the identification module identifies a plurality of access IP addresses requesting access, judging according to the access frequency, and either blocking the IP addresses according to the hash value of the abnormal IP address or transmitting them to the processing module;
step S4, when the processing module obtains the access IP address, the processing module compares it against the hash value in the storage module and blocks the IP address corresponding to the abnormal IP address;
step S5, when the identification module identifies the new IP address of the abnormal access and/or abnormal operation, marking the corresponding IP address as an abnormal IP address and transmitting the abnormal IP address to the processing module;
wherein, when the identification module obtains a plurality of continuous access requests from a plurality of IP addresses, the identification module judges according to the access request frequency of each IP address; for the i-th IP address, the interval time between access requests is ti, where i = 1, 2, 3, …, n and n is the maximum number of IP addresses; a first preset time interval tα and a second preset time interval tβ are set in the identification module, where 0 < tα < tβ, the first preset time interval tα is the minimum normal time interval, and the second preset time interval tβ is the maximum continuous time interval; the identification module compares ti with tα and tβ to determine the rationality of the continuous access of the corresponding IP address,
if ti < tα, the identification module determines that the i-th IP address is abnormal, and transmits the corresponding IP address as an abnormal IP address to the processing module;
if tα ≤ ti ≤ tβ, the identification module judges that the i-th IP address has a probability of being abnormal, and further judges according to the continuous access times of the i-th IP address;
if tβ < ti, the identification module determines that the i-th IP address is normal, and releases the corresponding IP address.
2. The method for rapidly blocking a plurality of IP addresses according to claim 1, wherein when the identification module determines that the i-th IP address has a probability of being abnormal, the identification module determines the continuous access times Ti of the i-th IP address to determine the rationality of the continuous access of the i-th IP address, wherein the identification module is provided with a preset continuous access times Tα, 0 < Tα, the preset continuous access times Tα is the maximum normal continuous access times, and the identification module compares Ti with Tα to determine the access rationality of the i-th IP address,
if Ti ≤ Tα, the identification module judges that the i-th IP address is normal, and releases the corresponding IP address;
if Tα < Ti, the identification module judges that the i-th IP address is abnormal, and transmits the corresponding IP address to the processing module as an abnormal IP address.
3. The method according to claim 2, wherein when the processing module obtains the abnormal IP address transmitted by the identifying module, the processing module converts the abnormal IP address into a corresponding abnormal hash value, and transmits the corresponding abnormal hash value to the identifying module and the storing module.
4. The method for rapidly blocking a plurality of IP addresses according to claim 3, wherein when the identification module receives a plurality of IP address access applications within a preset time period, the identification module determines the total access density; for the j-th preset time period, the IP address access applications received by the identification module are Fj, where j = 1, 2, 3, …, m and m is the maximum number of preset time periods; a first preset access application Fα and a second preset access application Fβ are stored in the identification module, where 0 < Fα < Fβ, the first preset access application Fα is the maximum normal access application, and the second preset access application Fβ is the maximum access application threshold; the identification module compares Fj with Fα and Fβ to determine the access density within the j-th preset time period,
if Fj ≤ Fα, the identification module judges that the total access density is normal within the j-th preset time period, and transmits each access IP address to the processing module so as to judge the access rationality of the corresponding IP address;
if Fα < Fj ≤ Fβ, the identification module judges that the total access density is high within the j-th preset time period and that a large number of IP addresses are sending access requests simultaneously; the identification module converts each access IP address into a corresponding hash value, and blocks the corresponding IP address according to the abnormal hash value;
if Fβ < Fj, the identification module judges that the network is under attack, and disconnects the network connection as a fuse (circuit-breaking) action.
5. The method according to claim 4, wherein when the identification module transmits each IP address applying for access to the processing module, the processing module converts each IP address into a hash value, compares the hash value with the abnormal hash values stored in the storage module, and blocks the IP address corresponding to the abnormal hash value.
6. The method according to claim 5, wherein when the processing module releases a single IP address and accesses the internal network, a plurality of information access operations performed by the processing module are identified by the internal network, and when the internal network identifies that the single IP address has performed a destructive operation, the processing module transfers the corresponding IP address to the processing module, and simultaneously, the processing module converts the IP address to a hash value and transfers the hash value to the storage module and the identification module for updating.
7. The method according to claim 6, wherein when the number of the IP addresses stored in the storage module reaches a predetermined number, the storage module sequentially removes the added abnormal IP addresses in the order of the added abnormal IP addresses corresponding to the abnormal IP addresses from small to large.
8. The method according to claim 7, wherein when the identification module determines that the access density is high, the identification module directly blocks the corresponding abnormal IP address according to the abnormal hash value of the abnormal IP address stored therein while letting the remaining IP addresses pass.
9. The method according to claim 8, wherein when the identification module determines that the access density is high, the identification module does not update the abnormal hash value transmitted by the processing module when the identification module blocks each of the abnormal IP addresses.
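
The decision logic of claims 1, 2, 4, 8 and 9, written out as an added example that is not code from the patent. The class and function names, the SHA-256 hash, the threshold values and the sample traffic are assumptions of this example, as is the reading of claim 9 as "no new abnormal hashes are added while density is high".

```python
import hashlib

def ip_hash(ip):
    # The claims name no hash function; SHA-256 is an assumption of this example.
    return hashlib.sha256(ip.encode()).hexdigest()

class QuickBlocker:  # hypothetical name
    def __init__(self, t_alpha, t_beta, T_alpha, F_alpha, F_beta):
        if not (0 < t_alpha < t_beta and 0 < T_alpha and 0 < F_alpha < F_beta):
            raise ValueError("thresholds violate the orderings in claims 1, 2 and 4")
        self.t_alpha, self.t_beta, self.T_alpha = t_alpha, t_beta, T_alpha
        self.F_alpha, self.F_beta = F_alpha, F_beta
        self.abnormal_hashes = set()  # hash values of abnormal IPs (claim 3)

    def is_abnormal(self, t_i, T_i):
        """Claims 1-2: t_i = request interval, T_i = continuous access times."""
        if t_i < self.t_alpha:
            return True
        if t_i > self.t_beta:
            return False
        return T_i > self.T_alpha  # t_alpha <= t_i <= t_beta: decide on T_i

    def handle_period(self, requests):
        """Claim 4: requests = [(ip, t_i, T_i), ...] seen in one preset period."""
        F_j = len(requests)
        if F_j > self.F_beta:
            return "fuse", {}  # judged an attack: disconnect, no per-IP verdicts
        high = F_j > self.F_alpha
        verdicts = {}
        for ip, t_i, T_i in requests:
            h = ip_hash(ip)
            if h in self.abnormal_hashes:
                verdicts[ip] = "block"  # hash match blocks in both modes
            elif not high and self.is_abnormal(t_i, T_i):
                self.abnormal_hashes.add(h)  # set only grows at normal density
                verdicts[ip] = "block"
            else:
                verdicts[ip] = "release"  # at high density all non-matches pass
        return ("high" if high else "normal"), verdicts

def demo():
    # Constructed sample traffic (documentation address ranges), not from the patent.
    b = QuickBlocker(t_alpha=0.1, t_beta=1.0, T_alpha=5, F_alpha=3, F_beta=6)
    p1 = [("192.0.2.1", 0.05, 1), ("192.0.2.2", 0.5, 9), ("192.0.2.3", 2.0, 50)]
    p2 = p1 + [("198.51.100.7", 0.01, 99), ("198.51.100.8", 0.5, 2)]
    return b.handle_period(p1), b.handle_period(p2), b.handle_period(p2 + p1)
```

In the second period of `demo()`, 198.51.100.7 is released despite its short interval: under claims 8 and 9 the high-density mode blocks only addresses whose hashes are already stored, so an address first seen during a burst is not caught until density returns to normal.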
CN202211415091.6A 2022-11-11 2022-11-11 Solution for quick blocking of large number of IP addresses Active CN115766201B (en)


Publications (2)

Publication Number Publication Date
CN115766201A CN115766201A (en) 2023-03-07
CN115766201B true CN115766201B (en) 2023-07-18

Family

ID=85369912




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant