CN116455636A - DDOS attack defense method, device, equipment and storage medium - Google Patents
- Publication number
- CN116455636A (application number CN202310411322.4A)
- Authority
- CN
- China
- Prior art keywords
- preset
- data access
- access request
- flow
- ddos attack
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications (CPC)
- H04L63/1458: Network security; countermeasures against malicious traffic; denial of service
- H04L63/0209: Network security; separating internal from external traffic (firewalls); architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/101: Network security; controlling access to devices or network resources; access control lists [ACL]
- H04L63/1416: Network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/1441: Network security; countermeasures against malicious traffic
- Y02D30/50: Climate change mitigation in ICT; reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a DDoS attack defense method, apparatus, device and storage medium in the technical field of computer networks. The method comprises: when a data access request is received, judging whether the traffic volume of the data access request meets a preset traffic overload condition; if it does, performing a preset dynamic scale-out operation by means of containerization technology so as to update the number of Web firewall nodes in the current Web firewall group; judging, by means of a preset feature analysis rule, whether the data access request meets a preset DDoS attack feature condition; and if it does, blocking the data access request at the firewall. In this way the flexibility of DDoS defense is improved, technical and operating costs are reduced, and the security of the defense is improved.
Description
Technical Field
The present invention relates to the field of computer networks, and in particular to a DDoS attack defense method, apparatus, device and storage medium.
Background
In today's network environment, DDoS (Distributed Denial of Service) attacks on network servers are frequent, and government and educational websites, among others, have been severely affected. Current DDoS defense schemes usually rely on large numbers of machines, very high bandwidth, and rate-limiting and traffic-diversion techniques; they are costly and technically demanding, which is a significant expense for small and medium-sized enterprises and for service providers that lack such resources.
For example, a hardware firewall appliance may be purchased from a traditional vendor, or a cloud (online) firewall service may be subscribed to. A hardware firewall is expensive, hard to maintain, and constrained by site, staff skills and other factors, so its cost is high; an online firewall, once purchased, is under the control of its service provider, and attack features are difficult to analyze in a targeted way, so its flexibility is poor. How to improve the flexibility and reduce the cost of DDoS defense is therefore a problem that the field currently needs to solve.
Disclosure of Invention
In view of the above, the present invention aims to provide a DDoS attack defense method, apparatus, device and storage medium that improve the flexibility of DDoS defense, reduce technical and operating costs, and improve the security of the defense. The specific scheme is as follows:
In a first aspect, the present application provides a DDoS attack defense method applied to a Web firewall group (a cluster of Web firewall nodes), including:
if a data access request is currently received, judging whether the traffic volume of the data access request meets a preset traffic overload condition;
if the traffic volume meets the preset traffic overload condition, performing a preset dynamic scale-out operation by means of containerization technology so as to update the number of Web firewall nodes in the current Web firewall group;
judging, by means of a preset feature analysis rule, whether the data access request meets a preset DDoS attack feature condition; and
if the data access request meets the preset DDoS attack feature condition, blocking the data access request at the firewall.
Optionally, judging whether the traffic volume of the data access request meets the preset traffic overload condition includes:
judging whether the traffic volume of the data access request is greater than a preset traffic threshold; and
if the traffic volume is greater than the preset traffic threshold, judging that the traffic volume meets the preset traffic overload condition.
Optionally, before judging whether the traffic volume of the data access request meets the preset traffic overload condition, the method further includes:
performing traffic prediction based on the traffic volume of historical data access requests, so as to determine the number of Web firewall nodes in the current Web firewall group.
Optionally, performing the preset dynamic scale-out operation by means of containerization technology includes:
adding a number of new Web firewall nodes from the cloud to the current Web firewall group by means of containerization technology.
Optionally, after judging, by means of the preset feature analysis rule, whether the data access request meets the preset DDoS attack feature condition, the method further includes:
if the data access request does not meet the preset DDoS attack feature condition, judging whether the traffic volume of the data access request meets a preset service rate-limit condition; and
if it does, returning a preset reply message and refusing access.
Optionally, before judging, by means of the preset feature analysis rule, whether the data access request meets the preset DDoS attack feature condition, the method further includes:
screening a number of requests to be blocked from the data access requests, a request to be blocked being a request whose access address is present in a preset address blacklist; and
blocking the requests to be blocked at the firewall.
Optionally, before screening the requests to be blocked from the data access requests, the method further includes:
performing feature analysis on historical data access requests by means of the preset feature analysis rule, so as to screen out a number of attacker requests that meet the preset DDoS attack feature condition; and
adding the access addresses of the attacker requests to the preset address blacklist.
In a second aspect, the present application provides a DDoS attack defense apparatus applied to a Web firewall group, including:
a traffic overload judging module, for judging, if a data access request is currently received, whether the traffic volume of the data access request meets a preset traffic overload condition;
a firewall group updating module, for performing, if the traffic volume meets the preset traffic overload condition, a preset dynamic scale-out operation by means of containerization technology so as to update the number of Web firewall nodes in the current Web firewall group;
an attack feature judging module, for judging, by means of a preset feature analysis rule, whether the data access request meets a preset DDoS attack feature condition; and
an attack request blocking module, for blocking the data access request at the firewall if it meets the preset DDoS attack feature condition.
In a third aspect, the present application provides an electronic device, including:
a memory for storing a computer program; and
a processor for executing the computer program to implement the DDoS attack defense method described above.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the DDoS attack defense method described above.
In the present application, when a data access request is received, its traffic volume is checked against a preset traffic overload condition; if the condition is met, a preset dynamic scale-out operation is performed by means of containerization technology to update the number of Web firewall nodes in the current Web firewall group; a preset feature analysis rule is then used to judge whether the request meets a preset DDoS attack feature condition, and requests that meet it are blocked at the firewall. Checking the traffic volume first means the Web firewall group is enlarged before excessive traffic can cause a system fault; feature analysis then identifies and blocks attack requests. The scheme can therefore decide whether to scale out according to the traffic volume, avoid faults caused by traffic overload, dynamically update the number of Web firewall nodes, improve the flexibility of DDoS defense, reduce technical and operating costs, and, by blocking the requests that meet the attack feature condition, improve the security of the defense.
Drawings
In order to illustrate the embodiments of the present invention or the prior-art solutions more clearly, the drawings needed for the description are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person skilled in the art could derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of a DDoS attack defense method provided in the present application;
Fig. 2 is a flowchart of another DDoS attack defense method provided in the present application;
Fig. 3 is a schematic flowchart of a specific DDoS attack defense method provided in the present application;
Fig. 4 is a schematic structural diagram of a DDoS attack defense apparatus provided in the present application;
Fig. 5 is a block diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of protection of the present invention.
Current DDoS defense schemes usually rely on large numbers of machines, very high bandwidth, and rate-limiting and traffic-diversion techniques; they are costly, technically demanding and inflexible. The present application therefore discloses a DDoS attack defense method that improves the flexibility of DDoS defense, reduces technical and operating costs, and improves the security of the defense.
Referring to Fig. 1, an embodiment of the invention discloses a DDoS attack defense method applied to a Web firewall group, including the following steps:
Step S11: if a data access request is currently received, judge whether the traffic volume of the data access request meets a preset traffic overload condition.
In this embodiment, after a data access request for a service system is received, it is first judged whether the traffic volume of the request meets the preset traffic overload condition. If it does, step S12 is triggered to update the number of Web firewall nodes in the current Web firewall group; if it does not, the current Web firewall group is able to carry the request, and step S13 is triggered to judge whether the request meets the preset DDoS attack feature condition.
Judging whether the traffic volume meets the preset traffic overload condition may specifically include: judging whether the traffic volume of the data access request is greater than a preset traffic threshold, and if so, judging that the preset traffic overload condition is met. For example, if the current Web firewall group can carry 1G of request traffic, the threshold may be set at a fraction of that capacity, say 0.8G: when the peak traffic within a preset time window exceeds 0.8G, the traffic volume is judged to be greater than the preset traffic threshold and the overload condition is met. Setting the threshold below full capacity leaves time for the scale-out of step S12 to complete before the group is actually saturated.
Step S12: if the traffic volume of the data access request meets the preset traffic overload condition, perform a preset dynamic scale-out operation by means of containerization technology so as to update the number of Web firewall nodes in the current Web firewall group.
In this embodiment, when the overload condition is met, containerization technology is used to perform the preset dynamic scale-out operation, which may specifically include adding a number of new Web firewall nodes from the cloud to the current Web firewall group (that is, starting additional firewall node containers). This improves the flexibility and convenience of the DDoS defense method.
Before judging whether the traffic volume meets the preset traffic overload condition, the method may further include performing traffic prediction based on the traffic volume of historical data access requests, so as to determine the number of Web firewall nodes in the current Web firewall group. For example, the expected traffic may be predicted from the previous day's peak and trough traffic, and the number of Web firewall nodes increased or decreased in advance accordingly. This gives dynamic scale-out and scale-in, improves the flexibility of the DDoS defense method and reduces technical cost.
Step S13: judge, by means of a preset feature analysis rule, whether the data access request meets a preset DDoS attack feature condition.
In this embodiment, a preset feature analysis rule is used to judge whether the data access request meets the preset DDoS attack feature condition. The rule may be defined over features of the data access requests observed within a specific time window, such as the source IP (Internet Protocol) address or MAC (Media Access Control) address, and may be adjusted dynamically as required. For example, if a large number of requests are sent from the same IP or MAC address, or if addresses in a certain geographic region suddenly send far more requests than usual, the corresponding requests may be judged to be DDoS attack requests meeting the preset DDoS attack feature condition, and they may then be blocked at the firewall or refused on the basis of those features. Two practical caveats apply to such rules: a MAC address identifies only the last layer-2 hop, so it is a useful feature only for clients on the same network segment as the firewall; and many legitimate users may share one source IP address behind NAT, so per-address thresholds should be set with that in mind.
Before the feature analysis of step S13, the method may further include screening a number of requests to be blocked from the data access requests, a request to be blocked being one whose access address is present in a preset address blacklist, and blocking those requests at the firewall. Before that screening, the method may further include performing feature analysis on historical data access requests by means of the preset feature analysis rule, so as to screen out attacker requests that meet the preset DDoS attack feature condition, and adding the access addresses of those attacker requests to the preset address blacklist. In this way the embodiment learns attacker addresses from historical requests, and requests from blacklisted addresses are blocked before the feature analysis of later requests, which improves the efficiency of the defense.
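One way to implement the feature analysis rule of step S13 and the historical blacklist pass described above, as an added Python example that is not part of the patent: the window size, the per-address and regional thresholds, the region baselines and the GeoIP-style region labels are all assumptions, and the access log is constructed inline.

```python
"""Feature-analysis rule and blacklist seeding for the DDoS defense method.

Added example; this is not the patent's code.  It implements one possible
"preset feature analysis rule" over fixed time windows: a per-source-IP
request count and a per-region request count, the two features the text
names (region labels are assumed to come from an upstream GeoIP lookup; MAC
addresses are omitted because they are not visible across routed networks).
The access log is constructed inline from RFC 5737 documentation addresses.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Rule parameters; the patent only calls them "preset", so these are assumed.
WINDOW_SECONDS = 10        # analysis time window
PER_IP_LIMIT = 50          # more than this from one IP in a window => attack
REGION_SPIKE_FACTOR = 5.0  # region volume above this multiple of its baseline => burst
REGION_BASELINE = {"region-A": 100, "region-B": 10}   # assumed usual requests/window


@dataclass(frozen=True)
class Request:
    ts: float      # receive time in seconds
    src_ip: str    # source address as seen by the firewall
    region: str    # assumed GeoIP region label


def bucket_by_window(requests, window=WINDOW_SECONDS):
    """Group requests into fixed windows.  Returns
    {window_start: (Counter per IP, Counter per region, {region: set of IPs})}."""
    buckets = defaultdict(lambda: (Counter(), Counter(), defaultdict(set)))
    for r in requests:
        by_ip, by_region, region_ips = buckets[int(r.ts // window) * window]
        by_ip[r.src_ip] += 1
        by_region[r.region] += 1
        region_ips[r.region].add(r.src_ip)
    return buckets


def attacker_ips(requests, baseline=REGION_BASELINE, window=WINDOW_SECONDS,
                 per_ip_limit=PER_IP_LIMIT, spike_factor=REGION_SPIKE_FACTOR):
    """Apply the feature rule; return the set of source IPs judged to be attackers.
    Condition 1: one IP sends more than per_ip_limit requests in a window.
    Condition 2: a region's requests in a window exceed spike_factor times its
    baseline, in which case every IP that contributed from that region in that
    window is flagged.  Condition 2 is deliberately coarse and will also catch
    legitimate clients from that region during the burst."""
    flagged = set()
    for by_ip, by_region, region_ips in bucket_by_window(requests, window).values():
        flagged.update(ip for ip, n in by_ip.items() if n > per_ip_limit)
        for region, n in by_region.items():
            if n > spike_factor * baseline.get(region, 1):
                flagged.update(region_ips[region])
    return flagged


def build_blacklist(history, baseline=REGION_BASELINE):
    """Historical pass from the text: run the rule over past requests and keep
    the attackers' addresses as the preset address blacklist."""
    return frozenset(attacker_ips(history, baseline))


def screen(requests, blacklist):
    """Pre-screening step from the text: split new requests into those to block
    (address on the blacklist) and those that go on to feature analysis."""
    to_block = [r for r in requests if r.src_ip in blacklist]
    remaining = [r for r in requests if r.src_ip not in blacklist]
    return to_block, remaining


def constructed_log():
    """Constructed sample traffic (not real data):
    - three normal clients in region-A, one request every 2 s for 60 s;
    - one flooding client, 200 requests inside the window starting at t=20;
    - a regional burst: 30 distinct IPs in region-B, 8 requests each, all
      inside the window starting at t=40 (each IP stays under PER_IP_LIMIT)."""
    log = []
    for i, ip in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        log += [Request(float(t), ip, "region-A") for t in range(i, 60, 2)]
    log += [Request(20 + k * 0.05, "198.51.100.7", "region-A") for k in range(200)]
    for j in range(30):
        log += [Request(40.0 + k, f"203.0.113.{j}", "region-B") for k in range(8)]
    return log


BLACKLIST = build_blacklist(constructed_log())

if __name__ == "__main__":
    print(len(BLACKLIST), "addresses blacklisted:", sorted(BLACKLIST)[:5], "...")
```

On the constructed log the flooding address is caught by the per-IP condition and all thirty region-B addresses by the regional burst condition, while the three normal clients are left alone; in production the regional condition would normally be paired with a lower per-IP threshold or a challenge rather than an outright block, because of the collateral damage noted in the docstring.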
Step S14: if the data access request meets the preset DDoS attack feature condition, block the data access request at the firewall.
In this embodiment, the traffic volume of a received data access request is judged against the preset traffic overload condition; if the condition is met, the Web firewall group is scaled out by means of containerization technology; the request is then checked against the preset DDoS attack feature condition by means of the preset feature analysis rule, and a request meeting that condition is blocked at the firewall. Scaling out before the feature check prevents system faults caused by excessive traffic; the number of Web firewall nodes is updated dynamically, which improves flexibility and reduces technical and operating costs; and blocking the requests that meet the attack feature condition improves the security of the defense.
Referring to Fig. 2, an embodiment of the invention discloses another DDoS attack defense method applied to a Web firewall group, including the following steps:
Step S21: if a data access request is currently received, judge whether the traffic volume of the data access request meets a preset traffic overload condition.
Step S22: if the traffic volume meets the preset traffic overload condition, perform a preset dynamic scale-out operation by means of containerization technology so as to update the number of Web firewall nodes in the current Web firewall group.
Step S23: judge, by means of a preset feature analysis rule, whether the data access request meets a preset DDoS attack feature condition.
Step S24: if the data access request does not meet the preset DDoS attack feature condition, judge whether the traffic volume of the data access request meets a preset service rate-limit condition.
In this embodiment, a data access request that does not meet the preset DDoS attack feature condition is treated as a normal request to the service system. To keep the service system running, rate limits may be configured in advance for each interface (API endpoint) according to the traffic the protected service system specifies, so as to manage the traffic admitted to the service system; whether the traffic volume of the request meets the preset service rate-limit condition is then judged, and access is allowed or refused accordingly.
Step S25: if the traffic volume of the data access request meets the preset service rate-limit condition, return a preset reply message and refuse access.
In this embodiment, when the preset service rate-limit condition is met, a preset reply message is returned and access is refused. The message may be set by the user as required, for example a prompt such as "service busy, please retry later".
For the specific implementation of steps S21 to S23, reference may be made to the corresponding disclosure in the foregoing embodiment; it is not repeated here.
In this embodiment, in addition to the overload check, scale-out and feature analysis of the foregoing embodiment, a request that does not meet the preset DDoS attack feature condition is checked against the preset service rate-limit condition, and if that condition is met a preset reply message is returned and access is refused. Limiting normal requests by the preset service rate-limit condition improves the stability of the service system and the user experience.
The specific implementation of the DDoS attack defense method disclosed in the present application is described below with reference to the flowchart of Fig. 3.
As shown in Fig. 3, after a data access request is received the following decisions are made in order:
- Judge whether the traffic volume of the data access request meets the preset traffic overload condition. If it does, perform the preset dynamic scale-out operation on the current Web firewall group by means of containerization technology so as to update the number of Web firewall nodes, and then proceed to the feature analysis; if it does not, proceed to the feature analysis directly.
- Judge, by means of the preset feature analysis rule, whether the data access request meets the preset DDoS attack feature condition. If it does, the request is a DDoS attack request and is blocked at the firewall.
- If it does not, the request is a normal request to the service system; judge whether its traffic volume meets the preset service rate-limit condition. If it does not, allow access; if it does, return the preset reply message and refuse access.
In this way the scheme decides whether to scale out according to the traffic volume of the received data access request, avoiding system faults caused by traffic overload and dynamically updating the number of Web firewall nodes in the current Web firewall group, which improves the flexibility of DDoS defense and reduces technical and operating costs; it blocks the requests that meet the preset DDoS attack feature condition, which improves the security of the defense; and it rate-limits requests judged to be normal according to the preset service rate-limit condition, which improves the stability of the service system and the user experience.
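The decision order of Fig. 3, together with the pre-sizing from historical traffic described under step S11 and the per-interface service rate limit of steps S24 and S25, as an added Python example that is not the patent's code. The per-node capacity, the 0.8 overload ratio (taken from the 1G/0.8G illustration in the text), the per-interface limits, the simulated container scale-out and all addresses are assumptions, and the traffic driven through the pipeline is constructed.

```python
"""Decision pipeline of Fig. 3 driven over constructed traffic.

Added example; this is not the patent's code.  It wires the steps in the
order the text gives them: traffic-overload check and scale-out, blacklist
screening, attack-feature rule, per-interface service rate limit, allow.
Assumptions (not from the patent): one Web firewall node absorbs
NODE_CAPACITY_RPS requests per second; the container scale-out is simulated
by raising a node counter (a real deployment would call the container
platform, e.g. to raise a replica count, which is not shown); the attack
feature is a per-IP request count in the current window; interface limits,
thresholds and all addresses (RFC 5737 ranges) are made up for the example.
"""
import math
from collections import Counter

NODE_CAPACITY_RPS = 100   # assumed requests/second per Web firewall node
OVERLOAD_RATIO = 0.8      # text: scale out when traffic passes 0.8 of capacity
WINDOW = 10               # seconds per analysis window
PER_IP_LIMIT = 50         # attack feature: more than this per IP per window
INTERFACE_LIMITS = {"/api/login": 5, "/api/search": 20}   # per window, assumed
BUSY_REPLY = "service busy, please retry later"           # reply text from the patent


def plan_nodes(history_peak_rps, capacity=NODE_CAPACITY_RPS, ratio=OVERLOAD_RATIO):
    """Pre-sizing from history (before S11): enough nodes that the previous
    day's peak stays below the overload ratio."""
    return max(1, math.ceil(history_peak_rps / (capacity * ratio)))


class FirewallGroup:
    def __init__(self, nodes, blacklist=()):
        self.nodes = nodes
        self.blacklist = set(blacklist)
        self.scale_events = []          # (window_start, nodes_before, nodes_after)
        self._window = None
        self._total = 0                 # requests seen in the current window
        self._per_ip = Counter()
        self._per_iface = Counter()

    def _roll_window(self, ts):
        start = int(ts // WINDOW) * WINDOW
        if start != self._window:
            self._window, self._total = start, 0
            self._per_ip.clear()
            self._per_iface.clear()

    def _overloaded(self):
        return self._total > OVERLOAD_RATIO * self.nodes * NODE_CAPACITY_RPS * WINDOW

    def _scale_out(self):
        """S12, simulated: grow the group until the current window's volume is
        back under the overload ratio."""
        needed = math.ceil(self._total / (OVERLOAD_RATIO * NODE_CAPACITY_RPS * WINDOW))
        if needed > self.nodes:
            self.scale_events.append((self._window, self.nodes, needed))
            self.nodes = needed

    def handle(self, ts, src_ip, path):
        """Return the verdict for one request, following the order of Fig. 3."""
        self._roll_window(ts)
        self._total += 1
        if self._overloaded():              # S11 -> S12
            self._scale_out()
        if src_ip in self.blacklist:        # blacklist screening before S13
            return "BLOCK_BLACKLIST"
        self._per_ip[src_ip] += 1
        if self._per_ip[src_ip] > PER_IP_LIMIT:   # S13 -> S14
            self.blacklist.add(src_ip)      # attacker address feeds the blacklist
            return "BLOCK_ATTACK"
        self._per_iface[path] += 1          # S24 -> S25
        limit = INTERFACE_LIMITS.get(path)
        if limit is not None and self._per_iface[path] > limit:
            return "DENY: " + BUSY_REPLY
        return "ALLOW"


def run_scenario():
    """Constructed traffic (not real data) pushed through the pipeline."""
    fw = FirewallGroup(plan_nodes(150), blacklist={"198.51.100.99"})
    out = {"nodes_planned": fw.nodes}   # 2 nodes for a 150 rps historical peak
    # Window 0: 1700 requests from 100 addresses exceeds 0.8 * 2000 -> scale-out.
    for k in range(1700):
        fw.handle(k * 0.005, f"192.0.2.{k % 100}", "/static/index.html")
    out["nodes_after_burst"] = fw.nodes
    out["scale_events"] = list(fw.scale_events)
    # Window 10: one address floods past PER_IP_LIMIT, then stays blacklisted.
    v = [fw.handle(10 + k * 0.1, "198.51.100.7", "/static/index.html") for k in range(60)]
    out["flood"] = (v[49], v[50], v[59])
    out["known_bad"] = fw.handle(16, "198.51.100.99", "/api/login")
    # Window 20: a normal client exceeds the login interface limit.
    v = [fw.handle(20 + k, "192.0.2.1", "/api/login") for k in range(6)]
    out["login"] = (v[4], v[5])
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The ordering matters: the overload check runs on every request before any verdict, so an attack that is also a volume spike grows the group first and is then blocked, and the interface limit is only consulted for requests that have already passed the attack-feature rule, as the flowchart requires.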
Referring to fig. 4, the application discloses a DDOS attack defending device, which is applied to a Web firewall group, and includes:
the flow overload judging module 11 is configured to judge whether the flow of the data access request meets a preset flow overload condition if the data access request is currently received;
the firewall group updating module 12 is configured to execute a preset dynamic capacity expansion operation by using a containerization technology if the flow of the data access request meets the preset flow overload condition, so as to update the number of Web firewall nodes in the current Web firewall group;
an attack characteristic judging module 13, configured to judge whether the data access request meets a preset DDOS attack characteristic condition by using a preset characteristic analysis rule;
and the attack request blocking module 14 is configured to perform firewall blocking processing on the data access request if the data access request meets the DDOS preset attack characteristic condition.
In the application, if a data access request is currently received, it is judged whether the flow of the data access request meets a preset flow overload condition; if so, a preset dynamic capacity expansion operation is performed by using a containerization technology, so as to update the number of Web firewall nodes in the current Web firewall group; it is then judged, by using a preset characteristic analysis rule, whether the data access request meets a preset DDOS attack characteristic condition; and if it does, firewall blocking processing is performed on the data access request. Through this scheme, the flow of a data access request is judged once the request is received; if the preset flow overload condition is met, the current Web firewall group is updated to prevent system abnormality caused by excessive flow; then it is judged whether the data access request meets the preset DDOS attack characteristic condition, and requests that do are blocked. In this way, the method and the device can decide, according to the flow of the data access request, whether to execute the preset dynamic capacity expansion operation, avoid abnormal system operation caused by flow overload, dynamically update the number of Web firewall nodes in the current Web firewall group, improve the flexibility of DDOS attack defense, reduce technical and operating costs, perform feature analysis on the data access request, block the data access request meeting the preset DDOS attack feature condition, and improve the security of DDOS attack defense.
In some specific embodiments, the flow overload determining module 11 may specifically include:
the flow threshold judging unit is used for judging whether the flow of the data access request is larger than a preset flow threshold or not;
and the condition result judging unit is used for judging that the flow of the data access request meets the preset flow overload condition if the flow is larger than the preset flow threshold.
In some specific embodiments, the DDOS attack defense apparatus may specifically further include:
and the flow prediction module is used for carrying out flow prediction based on the flow of the historical data access request so as to determine the number of Web firewall nodes in the current Web firewall group.
In some specific embodiments, the firewall group update module 12 may specifically include:
and the firewall node adding unit is used for adding a plurality of new Web firewall nodes into the current Web firewall group from the cloud by utilizing a containerization technology.
In some specific embodiments, the DDOS attack defense apparatus may specifically further include:
the service flow judging module is used for judging whether the flow of the data access request meets the preset service flow limiting condition or not if the data access request does not meet the DDOS preset attack characteristic condition;
and the access prohibition module is used for returning preset reply information and prohibiting access if the flow of the data access request meets the preset service flow limit condition.
In some specific embodiments, the DDOS attack defense apparatus may specifically further include:
the request to be blocked screening module is used for screening a plurality of requests to be blocked from the data access requests, where a request to be blocked is a request whose access address exists in a preset address blacklist;
and the blocking processing module is used for performing firewall blocking processing on the requests to be blocked.
In some specific embodiments, the DDOS attack defense apparatus may specifically further include:
the characteristic analysis module is used for carrying out characteristic analysis on the historical data access request by utilizing the preset characteristic analysis rule so as to screen out a plurality of attacker requests meeting the preset DDOS attack characteristic conditions from the historical data access request;
and the address blacklist updating module is used for adding the access address requested by the attacker to the preset address blacklist.
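The fig. 3 decision flow and the modules listed above (flow overload judgement, dynamic expansion, feature analysis, service flow limit, blacklist screening, blacklist learning from historical requests, and flow prediction) can be put together as one small decision pipeline. The following Python is an added illustration written for this page and is not code from the patent or its applicant. It goes slightly beyond the fig. 3 flow by also covering the blacklist and flow-prediction modules. Everything concrete is an assumption: the thresholds, the feature-analysis rule (more than a fixed number of requests from one source address inside a time window), the exponentially weighted average used for flow prediction, the per-node capacity, the preset reply text, and all class and function names.

```python
"""Decision pipeline of fig. 3 plus the blacklist and flow-prediction modules,
as an added illustration. Thresholds and the feature rule are constructed
assumptions; the patent leaves their concrete values and form to the operator."""
import math
from collections import defaultdict, deque
from dataclasses import dataclass, field

FLOW_OVERLOAD_THRESHOLD = 1000.0  # req/s above which the WAF group is expanded (assumed)
SERVICE_FLOW_LIMIT = 800.0        # req/s the service system accepts before limiting (assumed)
ATTACK_RATE_PER_SOURCE = 50       # assumed feature rule: more than this many requests per source
WINDOW_SECONDS = 10.0             # length of the per-source analysis window (assumed)
NODES_PER_EXPANSION = 2           # assumed: WAF container nodes added per expansion
CAPACITY_PER_NODE = 500.0         # assumed: req/s one WAF node can inspect
LIMITED_REPLY = "503 Service Busy"  # constructed preset reply information


@dataclass
class Request:
    src_ip: str
    ts: float           # arrival time in seconds


@dataclass
class WafGroup:
    nodes: int = 2
    blacklist: set = field(default_factory=set)
    # per-source arrival timestamps inside the analysis window
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def expand(self) -> int:
        """Preset dynamic capacity expansion. A real deployment would start extra
        WAF containers from the cloud; here only the node count is updated."""
        self.nodes += NODES_PER_EXPANSION
        return self.nodes

    def matches_attack_feature(self, req: Request) -> bool:
        """Assumed preset feature-analysis rule: one source sending more than
        ATTACK_RATE_PER_SOURCE requests within WINDOW_SECONDS."""
        q = self.history[req.src_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q) > ATTACK_RATE_PER_SOURCE

    def learn_blacklist(self, past: list) -> set:
        """Feature analysis over historical requests; every source that met the
        attack feature condition is added to the preset address blacklist."""
        scratch = WafGroup(nodes=self.nodes)   # separate window state for history
        for r in sorted(past, key=lambda r: r.ts):
            if scratch.matches_attack_feature(r):
                self.blacklist.add(r.src_ip)
        return self.blacklist

    def handle(self, req: Request, flow_rps: float) -> tuple:
        """Apply the fig. 3 decisions to one request given the current group flow.
        Returns (decision, reply) with decision in BLOCKED_BLACKLIST,
        BLOCKED_ATTACK, LIMITED or ALLOWED."""
        if req.src_ip in self.blacklist:            # blacklist screening (claim 6)
            return "BLOCKED_BLACKLIST", None
        if flow_rps > FLOW_OVERLOAD_THRESHOLD:      # flow overload -> expand first
            self.expand()
        if self.matches_attack_feature(req):        # DDOS feature -> firewall block
            return "BLOCKED_ATTACK", None
        if flow_rps > SERVICE_FLOW_LIMIT:           # normal request over service limit
            return "LIMITED", LIMITED_REPLY
        return "ALLOWED", None


def predict_nodes(historical_rps: list, alpha: float = 0.5) -> int:
    """Flow prediction from historical request flow, used to size the group
    before overload is reached. An exponentially weighted average is assumed
    since the patent names no model; the result is rounded up to whole nodes."""
    if not historical_rps:
        return 1
    est = float(historical_rps[0])
    for r in historical_rps[1:]:
        est = alpha * r + (1 - alpha) * est
    return max(1, math.ceil(est / CAPACITY_PER_NODE))


if __name__ == "__main__":
    # Constructed sample traffic: the group is pre-sized from history, then sees a
    # single-source burst and one request arriving while the group is overloaded.
    g = WafGroup(nodes=predict_nodes([400, 800, 1200]))
    print("initial nodes:", g.nodes)
    burst = [g.handle(Request("10.0.0.9", t * 0.1), 100.0)[0] for t in range(60)]
    print("burst decisions:", burst[0], "...", burst[-1])
    print("overload request:", g.handle(Request("10.0.0.1", 7.0), 1500.0), "nodes:", g.nodes)
```

Note that expansion happens before feature analysis, exactly as in fig. 3: the extra nodes absorb the inspection load, and the request is still classified afterwards. The service flow limit is applied only to requests that passed feature analysis, so a legitimate client during an overload receives the preset reply rather than a firewall block.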
Further, the embodiment of the present application further discloses an electronic device, and fig. 5 is a block diagram of the electronic device 20 according to an exemplary embodiment, where the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, where the computer program is loaded and executed by the processor 21 to implement relevant steps in the DDOS attack defense method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer programs 222, and may be Windows Server, Netware, Unix, Linux, etc. The computer programs 222 may include, in addition to the computer program that performs the DDOS attack defense method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, computer programs used to perform other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program; when the computer program is executed by a processor, the DDOS attack defense method disclosed in the foregoing embodiments is realized. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing has outlined the detailed description of the preferred embodiment of the present application, and the detailed description of the principles and embodiments of the present application has been provided herein by way of example only to facilitate the understanding of the method and core concepts of the present application; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.
Claims (10)
1. The DDOS attack defense method is characterized by being applied to a Web firewall group and comprising the following steps:
if a data access request is received currently, judging whether the flow of the data access request meets a preset flow overload condition or not;
if the flow of the data access request meets the preset flow overload condition, performing a preset dynamic capacity expansion operation by using a containerization technology so as to update the number of Web firewall nodes in the current Web firewall group;
judging whether the data access request meets preset DDOS attack characteristic conditions or not by using a preset characteristic analysis rule;
and if the data access request meets the DDOS preset attack characteristic conditions, performing firewall blocking processing on the data access request.
2. The DDOS attack defense method of claim 1, wherein the determining whether the traffic of the data access request satisfies a preset traffic overload condition comprises:
judging whether the flow of the data access request is larger than a preset flow threshold value or not;
and if the flow rate of the data access request is larger than the preset flow rate threshold value, judging that the flow rate of the data access request meets the preset flow rate overload condition.
3. The DDOS attack defense method of claim 1, wherein before determining whether the traffic of the data access request satisfies a preset traffic overload condition, further comprises:
and carrying out flow prediction based on the flow of the historical data access request to determine the number of Web firewall nodes in the current Web firewall group.
4. The DDOS attack defense method of claim 1, wherein the performing a preset dynamic capacity expansion operation using a containerization technique comprises:
and adding a plurality of new Web firewall nodes into the current Web firewall group from the cloud by using a containerization technology.
5. The DDOS attack defense method of claim 1, further comprising, after the determining whether the data access request meets a preset DDOS attack feature condition by using a preset feature analysis rule:
if the data access request does not meet the DDOS preset attack characteristic conditions, judging whether the flow of the data access request meets preset service flow limiting conditions or not;
and if the flow of the data access request meets the preset service flow limit condition, returning preset reply information and prohibiting access.
6. The DDOS attack defense method according to any one of claims 1 to 5, wherein before the determining whether the data access request satisfies a preset DDOS attack feature condition using a preset feature analysis rule, further comprising:
screening a plurality of requests to be blocked from the data access requests, where a request to be blocked is a request whose access address exists in a preset address blacklist;
and performing firewall blocking processing on the request to be blocked.
7. The DDOS attack defense method of claim 6, further comprising, prior to the screening of the plurality of requests to be blocked from the data access requests:
performing feature analysis on the historical data access requests by utilizing the preset feature analysis rule, so as to screen out a plurality of attacker requests meeting the preset DDOS attack feature conditions from the historical data access requests;
and adding the access addresses of the attacker requests to the preset address blacklist.
8. A DDOS attack defending apparatus, applied to a Web firewall group, comprising:
the flow overload judging module is used for judging whether the flow of the data access request meets a preset flow overload condition or not if the data access request is received currently;
the firewall group updating module is used for executing preset dynamic capacity expansion operation by utilizing a containerization technology if the flow of the data access request meets the preset flow overload condition so as to update the number of Web firewall nodes in the current Web firewall group;
the attack characteristic judging module is used for judging whether the data access request meets the preset DDOS attack characteristic conditions or not by utilizing a preset characteristic analysis rule;
and the attack request blocking module is used for performing firewall blocking processing on the data access request if the data access request meets the DDOS preset attack characteristic conditions.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the DDOS attack defense method according to any one of claims 1 to 7.
10. A computer readable storage medium for storing a computer program which, when executed by a processor, implements a DDOS attack defense method according to any of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310411322.4A CN116455636A (en) | 2023-04-10 | 2023-04-10 | DDOS attack defense method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116455636A true CN116455636A (en) | 2023-07-18 |
Family
ID=87135233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310411322.4A Pending CN116455636A (en) | 2023-04-10 | 2023-04-10 | DDOS attack defense method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116455636A (en) |
2023-04-10 CN CN202310411322.4A patent/CN116455636A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||