WO2016188294A1 - Network attack processing method and device - Google Patents


Info

Publication number
WO2016188294A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
source
threshold
equal
connections
Application number
PCT/CN2016/080311
Other languages
French (fr)
Chinese (zh)
Inventor
张倩
孙磊
Original Assignee
阿里巴巴集团控股有限公司
张倩
孙磊
Application filed by 阿里巴巴集团控股有限公司, 张倩, 孙磊

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a network attack processing method and a network attack processing device.
  • a virtual host also called “web space” divides a server running on the Internet into a plurality of hard disk spaces of a certain size, each of which is given the corresponding FTP (File Transfer Protocol) permission and Web access rights for use in website publishing.
  • the firewall of the server monitors the network attack on each virtual host. Once the firewall determines that the attack size reaches a certain threshold, the firewall automatically masks the IP address of the attacked virtual host.
  • the shielding of the attack target IP address can ensure the overall stability of the server and the network.
  • the service of the IP address is also affected, which affects website access.
  • the technical problem to be solved by the embodiments of the present application is to provide a network attack processing method, which can reduce the impact of network attacks on the attacked IP address.
  • the embodiment of the present application further provides a network attack device to ensure implementation and application of the foregoing method.
  • a network attack processing method including: obtaining a first IP address connected to the server and the number of connections corresponding to the first IP address; determining whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold; and if so, masking the source IP addresses connected to the first IP address.
  • masking the source IP addresses connected to the first IP address includes: obtaining each source IP address connected to the first IP address and the number of connections corresponding to each source IP address; determining whether any source IP address has a number of connections greater than or equal to a second threshold; and if so, masking the source IP addresses whose number of connections is greater than or equal to the second threshold.
  • the method further includes:
  • the first IP address is masked when none of the source IP addresses has a number of connections greater than or equal to the second threshold.
  • masking the source IP addresses whose number of connections is greater than or equal to the second threshold includes: determining whether the sum of the numbers of connections of those source IP addresses is greater than or equal to the first threshold; and if so, masking those source IP addresses.
  • the method further includes:
  • the first IP address is masked when a sum of the number of connections corresponding to the source IP address whose number of connections is greater than or equal to the second threshold is less than the first threshold.
  • the method further includes:
  • the masking of the first IP address is stopped when the preset condition is satisfied.
  • the embodiment of the present application further discloses a network attack processing apparatus, including:
  • An obtaining unit configured to acquire a first IP address of the connection server and a connection number corresponding to the first IP address
  • the determining unit is configured to determine whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold
  • the processing unit is configured to block the source IP address connected to the first IP address when the determining unit determines that the number of connections corresponding to the first IP address is greater than or equal to the first threshold.
  • the processing unit includes:
  • Obtaining a subunit configured to obtain each source IP address connected to the first IP address and a connection number corresponding to each source IP address;
  • a determining subunit configured to determine whether any of the source IP addresses has a number of connections greater than or equal to the second threshold;
  • a masking subunit configured to, when the determining subunit determines that such a source IP address exists, mask the source IP addresses whose number of connections is greater than or equal to the second threshold.
  • the processing unit is further configured to mask the first IP address when none of the source IP addresses has a number of connections greater than or equal to the second threshold.
  • the shielding subunit includes:
  • a lower layer determining subunit configured to determine whether a sum of the number of connections corresponding to the source IP address whose connection number is greater than or equal to the second threshold is greater than or equal to the first threshold;
  • a lower layer masking subunit configured to, when the lower layer determining subunit determines that the sum of the numbers of connections of the source IP addresses whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold, mask those source IP addresses.
  • the lower layer masking subunit is further configured to block the first IP address when a sum of the number of connections corresponding to the source IP address whose number of connections is greater than or equal to the second threshold is less than the first threshold.
  • the embodiments of the present application include the following advantages:
  • the number of connections of each IP address connected to the server is detected, and when the number of connections exceeds a certain threshold the IP address is confirmed to be under network attack; all or part of the source IP addresses connected to the attacked IP address are then masked. This not only ensures the overall stability of the server and the network, but, by masking source IP addresses rather than the attacked address, also reduces the impact on the attacked IP address's service and on website access.
  • by monitoring the number of connections, the method can identify the object of a network attack more accurately than the prior-art monitoring means of hardware firewalls and black holes, and is better adapted to network attack protection for the virtual host itself.
  • FIG. 1 is a flow chart of steps of an embodiment of a network attack processing method according to the present application.
  • FIG. 2 is a flow chart of steps of another embodiment of a network attack processing method of the present application.
  • FIG. 3 is a structural block diagram of an embodiment of a network attack processing apparatus of the present application.
  • FIG. 4 is a structural block diagram of a processing unit in an embodiment of the present application.
  • FIG. 5 is a structural block diagram of a mask subunit in the embodiment of the present application.
  • Referring to FIG. 1, a flow chart of the steps of an embodiment of the network attack processing method of the present application is shown, which may specifically include the following steps:
  • Step 101 Obtain a first IP address of the connection server and a connection number corresponding to the first IP address.
  • multiple virtual hosts can be divided on the server, and the server can be connected to each virtual host through a public port such as port 80.
  • the network attack processing device may be the server itself, or a device disposed in the server, or a device that is independent of the server but can communicate with the server.
  • the device differs from the server's firewall, which detects network attacks on each virtual host through metrics such as bandwidth.
  • the device acquires the IP address of each virtual host connected to the server, and the number of connections corresponding to each IP address.
  • the first IP address is the IP address of any virtual host connected to the server, and the “first” is merely for convenience of presentation, and is not specifically for an IP address.
  • the number of connections corresponding to the first IP address refers to the number of connections of all the source IP addresses to the first IP address.
  • the device can periodically acquire the first IP address and the number of connections, and can also monitor and acquire the first IP address and the number of connections in real time.
  • Step 102 Determine whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold.
  • after obtaining the first IP address and the corresponding number of connections, the device determines whether the number of connections is greater than or equal to a preset first threshold.
  • the first threshold may be set according to the size of the server, the application scenario of the virtual host, and the experience value of the connection.
  • if the number of connections is greater than or equal to the first threshold, the first IP address is determined to be under network attack and step 103 is performed; if it is smaller than the first threshold, the first IP address is not under network attack and is in a safe state.
  • Step 103 Shield the source IP address connected to the first IP address.
  • rather than directly masking the first IP address, some or all of the source IP addresses connected to the first IP address are masked. Specifically, the device may determine the source IP addresses to be masked according to the number of connections of each source IP address connected to the first IP address.
  • the device can detect and process the IP addresses of all virtual hosts connected to the server according to the above method.
  • Referring to FIG. 2, a flow chart of the steps of another embodiment of the network attack processing method of the present application is shown, which may specifically include the following steps:
  • Step 201 Acquire a first IP address of the connection server and a connection number corresponding to the first IP address.
  • Step 202 Determine whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold.
  • the steps 201 to 202 are similar to the steps 101 to 102 in the foregoing embodiment, and are not described herein again.
  • if the number of connections corresponding to the first IP address is smaller than the first threshold, the network attack processing apparatus confirms that the first IP address is not under network attack.
  • if the number of connections is greater than or equal to the first threshold, the network attack processing device needs to mask the source IP addresses connected to the first IP address, and the process may specifically include the following steps:
  • Step 203 Acquire each source IP address connected to the first IP address and the number of connections corresponding to each source IP address.
  • the device further obtains each source IP address connected to the first IP address and its corresponding number of connections, for example: source IP address 1, 10 connections; source IP address 2, 100 connections; source IP address 3, 1000 connections.
  • Step 204 Determine whether a source IP address whose number of connections is greater than or equal to a second threshold exists among the source IP addresses.
  • the device checks, from the result obtained in the previous step, whether there is a source IP address whose connection number is greater than or equal to the second threshold, and the setting method of the second threshold is similar to the first threshold.
  • the second threshold may be less than the first threshold.
  • if no source IP address has a number of connections greater than or equal to the second threshold, the device may consider that the first IP address is under a large-scale attack from many source IP addresses whose origin cannot be determined. In this case all the source IP addresses may be masked directly, depending on the specific situation, or step 205 may be performed.
  • if such source IP addresses exist, the device may directly mask the source IP addresses whose number of connections is greater than or equal to the second threshold, or may first record those source IP addresses and their corresponding numbers of connections, such as IP N1 with Y1 connections, IP N2 with Y2 connections and IP N3 with Y3 connections, and then perform step 206.
  • Step 205 Mask the first IP address.
  • the user may further be notified that the first IP address is under attack and should wait for the attack to end.
  • when the preset condition is satisfied, the masking of the first IP address can be stopped automatically.
  • Step 206 Determine whether the sum of the number of connections corresponding to the source IP address whose connection number is greater than or equal to the second threshold is greater than or equal to the first threshold.
  • the device calculates a sum of the number of connections corresponding to the source IP address whose connection number is greater than or equal to the second threshold, for example, Y1+Y2+Y3, and then determines whether the sum is greater than or equal to the first threshold.
  • if the sum is greater than or equal to the first threshold, step 207 can be performed.
  • if the sum is smaller than the first threshold, the first IP address is considered to be under a large-scale attack from many source IP addresses whose origin cannot be determined. In this case all the source IP addresses may be masked directly, depending on the specific situation, or step 205 may be performed.
  • Step 207 Mask the source IP addresses whose number of connections is greater than or equal to the second threshold.
  • the user can then be notified that the attack protection succeeded and that the first IP address can continue to be accessed.
  • in this embodiment the number of network connections is monitored, the scale and source of the network attack are determined from the number of connections, and, according to the kind of attack, either the source IP addresses of the attack or the attacked IP address is masked.
  • for a large-scale attack launched from a small number of IP addresses, defence is provided by masking that part of the IP addresses; for attacks that cannot be judged to come from a small number of IP addresses, the attacked IP address is masked and the server and the overall network are protected, thereby achieving the purpose of protecting the overall stability and security of the server.
  • the attacked IP address is not simply masked at the firewall side of the virtual host; instead the attack is analysed quantitatively according to its sources. This method can more accurately determine the object of the network attack and perform the corresponding protection.
  • Referring to FIG. 3, a structural block diagram of an embodiment of the network attack processing apparatus of the present application is shown, which may specifically include the following units:
  • the obtaining unit 301 is configured to acquire a first IP address of the connection server and a connection number corresponding to the first IP address.
  • the determining unit 302 is configured to determine whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold.
  • the processing unit 303 is configured to block the source IP address connected to the first IP address when the determining unit 302 determines that the number of connections corresponding to the first IP address is greater than or equal to the first threshold.
  • through the above units, the device detects the number of connections of each IP address connected to the server, confirms that an IP address is under network attack when its number of connections exceeds a certain threshold, and then masks all or part of the source IP addresses connected to the attacked IP address. This not only ensures the overall stability of the server and the network, but, by masking source IP addresses, also reduces the impact on the attacked IP address and on website access. Moreover, because the device confirms the attacked IP address by monitoring the number of connections, it can determine the object of the network attack more accurately than the prior-art monitoring means of hardware firewalls and black holes, and is better adapted to network attack protection for the virtual host itself.
  • Referring to FIG. 4, the processing unit 303 may further include:
  • the obtaining sub-unit 401 is configured to obtain each source IP address connected to the first IP address and a connection number corresponding to each source IP address;
  • the determining sub-unit 402 is configured to determine whether any of the source IP addresses has a number of connections greater than or equal to a second threshold.
  • the masking sub-unit 403 is configured to, when the determining sub-unit 402 determines that such a source IP address exists, mask the source IP addresses whose number of connections is greater than or equal to the second threshold.
  • the processing unit 303 is further configured to mask the first IP address when none of the source IP addresses has a number of connections greater than or equal to the second threshold.
  • Referring to FIG. 5, the masking subunit 403 may further include:
  • the lower layer determining subunit 501 is configured to determine whether the sum of the number of connections corresponding to the source IP address whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold;
  • the lower layer masking sub-unit 502 is configured to, when the lower layer determining sub-unit 501 determines that the sum of the numbers of connections of the source IP addresses whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold, mask those source IP addresses.
  • the lower layer masking sub-unit 502 may be further configured to mask the first IP address when the sum of the number of connections corresponding to the source IP address whose number of connections is greater than or equal to the second threshold is less than the first threshold.
  • the device monitors the number of network connections, determines the scale and source of the network attack from the number of connections, and masks either the source IP addresses or the attacked IP address according to the kind of attack. A large-scale attack launched from a small number of IP addresses can be defended against by masking that part of the IP addresses; for attacks that cannot be judged to come from a small number of IP addresses, the attacked IP address is masked and the server and the overall network are protected, thereby achieving the purpose of protecting the stability and security of the whole server.
  • the device does not simply mask the attacked address at the firewall end of the virtual host, but analyses the attack according to its sources, so it can more accurately determine the object of the network attack and perform the corresponding protection.
  • the embodiment of the present application also discloses a server, which includes a memory and a processor.
  • the processor and the memory are connected to each other through a bus; the bus may be an ISA bus, a PCI bus, or EISA bus, etc.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like.
  • the memory is used to store a program, and specifically, the program may include program code, and the program code includes computer operation instructions.
  • the memory may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory.
  • the processor is used to read the program code in the memory and perform the following steps: obtaining a first IP address connected to the server and the number of connections corresponding to the first IP address; determining whether that number of connections is greater than or equal to a first threshold; and if so, masking the source IP addresses connected to the first IP address.
  • since the apparatus and server embodiments are substantially similar to the method embodiment, their description is relatively brief, and the relevant parts can be referred to the description of the method embodiment.
  • embodiments of the embodiments of the present application can be provided as a method, apparatus, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-persistent memory, random access memory (RAM), and/or non-volatile memory in a computer readable medium, such as read only memory (ROM) or flash memory.
  • Memory is an example of a computer readable medium.
  • Computer readable media includes both permanent and non-persistent, removable and non-removable media.
  • Information storage can be implemented by any method or technology. The information can be computer readable instructions, data structures, modules of programs, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassette, magnetic tape, magnetic disk storage or other magnetic storage device, or any other non-transmission medium that can be used to store information accessible by a computing device.
  • computer readable media does not include non-persistent computer readable media, such as modulated data signals and carrier waves.
  • Embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Embodiments of the present application provide a network attack processing method and device. The network attack processing method comprises: acquiring a first IP address connected to a server and a connection number corresponding to the first IP address; determining whether the connection number corresponding to the first IP address is greater than or equal to a first threshold value or not; and if so, shielding a source IP address connected to the first IP address. The embodiments of the present application not only ensure overall stability of a server and a network, but also reduce service influence on an attacked IP address by shielding a source IP address, thereby reducing the influence on website visiting.

Description

Network attack processing method and device
Technical field
The present application relates to the field of communications technologies, and in particular to a network attack processing method and a network attack processing device.
Background
A virtual host, also called "web space", divides a server running on the Internet into a plurality of hard disk spaces of a certain size, each of which is given corresponding FTP (File Transfer Protocol) and Web access rights for use in website publishing.
To protect the stability and security of the server as a whole, the server's firewall monitors network attacks on each virtual host; once the firewall determines that the scale of an attack has reached a certain threshold, it automatically masks the IP address of the attacked virtual host.
However, although masking the attack target IP address ensures the overall stability of the server and the network, masking the attacked IP address also affects the service hosted on that IP address and thus website access.
Therefore, a technical problem that those skilled in the art urgently need to solve is how to reduce the business impact of network attacks on the attacked IP address.
Summary of the invention
The technical problem to be solved by the embodiments of the present application is to provide a network attack processing method that can reduce the business impact of network attacks on the attacked IP address.
Correspondingly, the embodiments of the present application further provide a network attack processing device to ensure the implementation and application of the foregoing method.
In order to solve the above problem, the present application discloses a network attack processing method, including:
obtaining a first IP address connected to the server and the number of connections corresponding to the first IP address;
determining whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold;
if so, masking the source IP addresses connected to the first IP address.
Further, masking the source IP addresses connected to the first IP address includes:
obtaining each source IP address connected to the first IP address and the number of connections corresponding to each source IP address;
determining whether there is a source IP address among the source IP addresses whose number of connections is greater than or equal to a second threshold;
if there is, masking the source IP addresses whose number of connections is greater than or equal to the second threshold.
Further, the method further includes:
masking the first IP address when none of the source IP addresses has a number of connections greater than or equal to the second threshold.
Further, masking the source IP addresses whose number of connections is greater than or equal to the second threshold includes:
determining whether the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold;
if so, masking the source IP addresses whose number of connections is greater than or equal to the second threshold.
Further, the method further includes:
masking the first IP address when the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is smaller than the first threshold.
Further, the method further includes:
stopping the masking of the first IP address when a preset condition is satisfied.
The embodiments of the present application further disclose a network attack processing apparatus, including:
an obtaining unit, configured to obtain a first IP address connected to the server and the number of connections corresponding to the first IP address;
a determining unit, configured to determine whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold;
a processing unit, configured to mask the source IP addresses connected to the first IP address when the determining unit determines that the number of connections corresponding to the first IP address is greater than or equal to the first threshold.
Further, the processing unit includes:
an obtaining subunit, configured to obtain each source IP address connected to the first IP address and the number of connections corresponding to each source IP address;
a determining subunit, configured to determine whether there is a source IP address among the source IP addresses whose number of connections is greater than or equal to a second threshold;
a masking subunit, configured to mask the source IP addresses whose number of connections is greater than or equal to the second threshold when the determining subunit determines that such a source IP address exists.
Further, the processing unit is further configured to mask the first IP address when none of the source IP addresses has a number of connections greater than or equal to the second threshold.
Further, the masking subunit includes:
a lower-layer determining subunit, configured to determine whether the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold;
a lower-layer masking subunit, configured to mask the source IP addresses whose number of connections is greater than or equal to the second threshold when the lower-layer determining subunit determines that the sum is greater than or equal to the first threshold.
Further, the lower-layer masking subunit is further configured to mask the first IP address when the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is smaller than the first threshold.
Compared with the prior art, the embodiments of the present application have the following advantages:
The embodiments detect the connection count of an IP address connected to the server and, when the count exceeds a certain threshold, confirm that the IP address is under network attack, then block all or some of the source IP addresses connected to the attacked address. This preserves the overall stability of the server and the network and, because source IP addresses are blocked rather than the attacked address itself, reduces the impact on the service behind the attacked IP address and on access to the website. Moreover, because the attacked IP address is identified from its connection count, the method determines the target of the attack more accurately than hardware firewalls, black-holing and similar prior-art monitoring, and is better suited to attack protection for virtual hosts themselves.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flow chart of the steps of an embodiment of a network attack processing method of the present application;
FIG. 2 is a flow chart of the steps of another embodiment of a network attack processing method of the present application;
FIG. 3 is a structural block diagram of an embodiment of a network attack processing apparatus of the present application;
FIG. 4 is a structural block diagram of a processing unit in an embodiment of the present application;
FIG. 5 is a structural block diagram of a blocking subunit in an embodiment of the present application.
DETAILED DESCRIPTION
To make the above objects, features and advantages of the present application clearer and easier to understand, the present application is described in further detail below with reference to the drawings and specific embodiments.
Referring to FIG. 1, a flow chart of the steps of an embodiment of a network attack processing method of the present application is shown; the method may specifically include the following steps:
Step 101: obtain a first IP address connected to the server and the connection count corresponding to the first IP address.
In this embodiment, the server may be divided into multiple virtual hosts, and the server may reach each virtual host through a public port such as port 80.
The network attack processing apparatus may be the server itself, a device installed in the server, or a device independent of the server that can communicate with it.
This apparatus differs from the server's firewall, which detects attacks on the virtual hosts through indicators such as bandwidth. In this step, the apparatus obtains the IP address of each virtual host connected to the server and the connection count corresponding to each IP address. The first IP address is the IP address of any one virtual host connected to the server; "first" is used only for convenience of description and does not refer to any particular IP address. The connection count corresponding to the first IP address is the total number of connections from all source IP addresses to the first IP address.
The apparatus may obtain the first IP address and its connection count periodically, or monitor and obtain them in real time.
Step 102: determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
After obtaining the first IP address and its connection count, the apparatus determines whether the count is greater than or equal to a preset first threshold. The first threshold may be set according to the size of the server, the application scenario of the virtual host, empirical connection-count values and the like, and is not limited here.
If the connection count corresponding to the first IP address is greater than or equal to the first threshold, the first IP address is under network attack and step 103 is performed; if the count is less than the first threshold, the first IP address is not under attack and is in a safe state.
Step 103: block the source IP addresses connected to the first IP address.
When the connection count corresponding to the first IP address is greater than or equal to the first threshold, this embodiment does not block the first IP address directly; instead it blocks some or all of the source IP addresses connected to the first IP address. Specifically, the apparatus may decide which source IP addresses to block according to the connection count of each source IP address connected to the first IP address.
The apparatus may detect and process the IP addresses of all virtual hosts connected to the server in the manner described above.
In this embodiment, the connection count of an IP address connected to the server is detected and, when it exceeds a certain threshold, the IP address is confirmed to be under network attack and all or some of the source IP addresses connected to it are blocked. This preserves the overall stability of the server and the network, and blocking source IP addresses rather than the attacked address reduces the impact on the attacked address's service and on access to the website. Identifying the attacked IP address from its connection count also determines the target of the attack more accurately than hardware firewalls, black-holing and similar prior-art monitoring, and is better suited to attack protection for virtual hosts themselves.
Referring to FIG. 2, a flow chart of the steps of another embodiment of the network attack processing method of the present application is shown; the method may specifically include the following steps:
Step 201: obtain a first IP address connected to the server and the connection count corresponding to the first IP address.
Step 202: determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold.
Steps 201 to 202 are similar to steps 101 to 102 of the foregoing embodiment and are not repeated here.
In this embodiment, when the connection count corresponding to the first IP address is less than the first threshold, the network attack processing apparatus concludes that the first IP address is not under network attack.
When the connection count corresponding to the first IP address is greater than or equal to the first threshold, the apparatus needs to block source IP addresses connected to the first IP address. This process may specifically include the following steps:
Step 203: obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address.
The apparatus further obtains each source IP address connected to the first IP address and its connection count, for example: source IP address 1, 10 connections; source IP address 2, 100 connections; source IP address 3, 1000 connections; and so on.
Step 204: determine whether any of the source IP addresses has a connection count greater than or equal to a second threshold.
From the result of the previous step, the apparatus checks whether there is any source IP address whose connection count is greater than or equal to the second threshold. The second threshold is set in a manner similar to the first threshold, and may be less than the first threshold.
If no source IP address has a connection count greater than or equal to the second threshold, the apparatus may conclude that the first IP address is under a large-scale attack from many source IP addresses and that the origin cannot be identified. In that case, depending on the circumstances, all source IP addresses may be blocked directly, or step 205 may be performed.
If there are source IP addresses whose connection count is greater than or equal to the second threshold, the apparatus may block them directly, or may first record these source IP addresses and their connection counts, for example IP N1 with Y1 connections, IP N2 with Y2 connections and IP N3 with Y3 connections, and then perform step 206.
Step 205: block the first IP address.
After blocking the first IP address, the apparatus may further notify the user that the first IP address is under attack and wait for the attack to end. When the end of the attack is detected, or a preset condition is satisfied, the blocking of the first IP address may be stopped automatically.
Step 206: determine whether the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold.
The apparatus computes the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold, for example Y1+Y2+Y3, and then determines whether that sum is greater than or equal to the first threshold.
If the sum is greater than or equal to the first threshold, the attack on the first IP address is being launched by a small number of source IP addresses, and step 207 may be performed.
If the sum is less than the first threshold, the first IP address is under a large-scale attack from many source IP addresses and the origin cannot be identified. In that case, depending on the circumstances, all source IP addresses may be blocked directly, or step 205 may be performed.
Step 207: block the source IP addresses whose connection count is greater than or equal to the second threshold.
After the source IP addresses are blocked, the user may be notified that attack protection succeeded, and users can continue to access the first IP address.
This embodiment monitors the number of network connections, determines the scale and origin of an attack from the connection counts and, according to the kind of attack, blocks either the attacking source IP addresses or the attacked IP address: a large-scale attack launched from a small number of IP addresses is defended against by blocking those addresses, while an attack that cannot be attributed to a small number of IP addresses is handled by blocking the attacked IP address, protecting the server and the network as a whole. Rather than simply blocking the attacked IP address at the virtual host's firewall, the method analyses the attack quantitatively by source, so it can determine the target of the attack more accurately and apply the corresponding protection.
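One way to implement the decision flow of steps 201 to 207, as an added example that is not part of the patent and not the applicant's code: the block below parses a constructed socket-table sample in the `Local:Port Peer:Port` shape that `ss -Htn state established` prints, builds the per-destination and per-source connection counts of steps 201 and 203, and applies the two thresholds of steps 202, 204 and 206. It assumes that "connection count" means currently established TCP connections; the thresholds (100 and 30), the TEST-NET addresses and the `can_release` hold-time rule for the "preset condition" of step 205 are assumptions of the example, not values from the specification.

```python
"""Two-threshold connection-count triage, following steps 201 to 207 above.

Added example, not code from the patent.  It treats the "connection count" as
the number of currently established TCP connections and parses constructed
lines in the `Local:Port Peer:Port` shape printed by `ss -Htn state established`;
a real deployment would read the host's own socket table instead.  The
threshold values and the TEST-NET addresses below are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _conns(dst: str, src: str, n: int, port0: int = 40000) -> List[str]:
    """Constructed sample rows: n connections from one peer to dst:80."""
    return [f"{dst}:80 {src}:{port0 + i}" for i in range(n)]


# Constructed socket table covering four hosted ("first") IP addresses:
#   .10  two heavy peers plus light ones               -> block the heavy peers (step 207)
#   .11  120 distinct peers, one connection each       -> cannot attribute, block target (205)
#   .12  50 connections                                -> below the first threshold
#   .13  one heavy peer that does not explain the load -> block target (206 -> 205)
SAMPLE_LINES: List[str] = (
    _conns("198.51.100.10", "203.0.113.5", 60)
    + _conns("198.51.100.10", "203.0.113.6", 45)
    + _conns("198.51.100.10", "203.0.113.7", 5)
    + [f"198.51.100.10:80 192.0.2.{i}:50000" for i in range(1, 11)]
    + [f"198.51.100.11:80 192.0.2.{i}:50001" for i in range(1, 121)]
    + [f"198.51.100.12:80 192.0.2.{i}:50002" for i in range(1, 51)]
    + _conns("198.51.100.13", "203.0.113.9", 35)
    + [f"198.51.100.13:80 192.0.2.{i}:50003" for i in range(1, 71)]
)


def _host(addr_port: str) -> str:
    """Drop the trailing :port; also works for bracketed IPv6 literals."""
    return addr_port.rsplit(":", 1)[0]


def count_connections(lines: List[str]) -> Tuple[Counter, Dict[str, Counter]]:
    """Steps 201/203: total per destination, and per-source counts per destination."""
    per_dest: Counter = Counter()
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        fields = line.split()
        if len(fields) < 2:  # blank or malformed row
            continue
        dst, src = _host(fields[0]), _host(fields[1])
        per_dest[dst] += 1
        per_src[dst][src] += 1
    return per_dest, per_src


@dataclass
class Decision:
    attacked: bool
    block_sources: List[str] = field(default_factory=list)
    block_target: bool = False
    reason: str = ""


def triage(target: str, per_dest: Counter, per_src: Dict[str, Counter],
           first_threshold: int, second_threshold: int) -> Decision:
    """Steps 202 to 207 for one hosted address."""
    if per_dest.get(target, 0) < first_threshold:  # step 202: not under attack
        return Decision(False, reason="below first threshold")
    heavy = {s: n for s, n in per_src[target].items() if n >= second_threshold}
    if not heavy:  # step 204 -> 205: no single source stands out
        return Decision(True, block_target=True, reason="no source reaches second threshold")
    if sum(heavy.values()) >= first_threshold:  # step 206 -> 207
        return Decision(True, block_sources=sorted(heavy), reason="few heavy sources carry the load")
    return Decision(True, block_target=True, reason="heavy sources do not explain the load")  # 206 -> 205


def triage_all(lines: List[str], first_threshold: int, second_threshold: int) -> Dict[str, Decision]:
    """Apply the check to every hosted address present in the socket table."""
    per_dest, per_src = count_connections(lines)
    return {d: triage(d, per_dest, per_src, first_threshold, second_threshold) for d in sorted(per_dest)}


def can_release(target: str, per_dest: Counter, first_threshold: int,
                blocked_at: float, now: float, hold_seconds: float) -> bool:
    """One concrete form of the 'preset condition' for lifting a block on the
    target (an assumption of this example): the hold time has elapsed and the
    count is back below the first threshold."""
    return now - blocked_at >= hold_seconds and per_dest.get(target, 0) < first_threshold


if __name__ == "__main__":
    for dest, decision in triage_all(SAMPLE_LINES, first_threshold=100, second_threshold=30).items():
        print(dest, decision)
```

Running the block prints one `Decision` per hosted address. Two caveats a deployment should cover: counting only established sockets misses a flood of half-open or very short-lived connections, so attempts over a time window should be counted as well; and blocking by source IP penalises every user behind a shared NAT egress, while the step 205 branch takes the hosted site offline for everyone, which is the trade-off the specification accepts when the attack cannot be attributed to a few sources.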
It should be noted that, for simplicity of description, the method embodiments are presented as a series of combined actions, but those skilled in the art should understand that the embodiments of the present application are not limited by the described order of actions, since according to these embodiments some steps may be performed in another order or concurrently. Those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.
Referring to FIG. 3, a structural block diagram of an embodiment of a network attack processing apparatus of the present application is shown; the apparatus may specifically include the following units:
an obtaining unit 301, configured to obtain a first IP address connected to the server and the connection count corresponding to the first IP address;
a determining unit 302, configured to determine whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
a processing unit 303, configured to block source IP addresses connected to the first IP address when the determining unit 302 determines that the connection count corresponding to the first IP address is greater than or equal to the first threshold.
Through these units the apparatus detects the connection count of an IP address connected to the server, confirms that the IP address is under network attack when the count exceeds a certain threshold, and then blocks all or some of the source IP addresses connected to the attacked address. This preserves the overall stability of the server and the network, and blocking source IP addresses rather than the attacked address reduces the impact on the attacked address's service and on access to the website. Identifying the attacked IP address from its connection count also determines the target of the attack more accurately than hardware firewalls, black-holing and similar prior-art monitoring, and is better suited to attack protection for virtual hosts themselves.
In another embodiment, as shown in FIG. 4, the processing unit 303 may further include:
an obtaining subunit 401, configured to obtain each source IP address connected to the first IP address and the connection count corresponding to each source IP address;
a determining subunit 402, configured to determine whether any of the source IP addresses has a connection count greater than or equal to a second threshold;
a blocking subunit 403, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the determining subunit 402 determines that such source IP addresses exist.
In another embodiment, the processing unit 303 is also configured to block the first IP address when none of the source IP addresses has a connection count greater than or equal to the second threshold.
In another embodiment, as shown in FIG. 5, the blocking subunit 403 may further include:
a lower-level determining subunit 501, configured to determine whether the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is greater than or equal to the first threshold;
a lower-level blocking subunit 502, configured to block the source IP addresses whose connection count is greater than or equal to the second threshold when the lower-level determining subunit 501 determines that this sum is greater than or equal to the first threshold.
The lower-level blocking subunit 502 may also be configured to block the first IP address when the sum of the connection counts of the source IP addresses whose connection count is greater than or equal to the second threshold is less than the first threshold.
The apparatus monitors the number of network connections, determines the scale and origin of an attack from the connection counts and, according to the kind of attack, blocks either the attacking source IP addresses or the attacked IP address: a large-scale attack launched from a small number of IP addresses is defended against by blocking those addresses, while an attack that cannot be attributed to a small number of IP addresses is handled by blocking the attacked IP address, protecting the server and the network as a whole. Rather than simply blocking the attacked IP address at the virtual host's firewall, the apparatus analyses the attack quantitatively by source, so it can determine the target of the attack more accurately and apply the corresponding protection.
An embodiment of the present application also discloses a server including a memory and a processor.
The processor and the memory are connected to each other through a bus; the bus may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on.
The memory is used to store a program; specifically, the program may include program code, and the program code includes computer operation instructions. The memory may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The processor is used to read the program code in the memory and perform the following steps:
obtaining a first IP address connected to the server and the connection count corresponding to the first IP address;
determining whether the connection count corresponding to the first IP address is greater than or equal to a first threshold;
if so, blocking source IP addresses connected to the first IP address.
Since the apparatus embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the description of the method embodiments.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, an apparatus or a computer program product. Accordingly, the embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory. The memory may include non-persistent memory, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash RAM, in a computer-readable medium. Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flow charts and/or block diagrams of methods, terminal devices (systems) and computer program products according to the embodiments. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in them, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operational steps are performed on it to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art may make further changes and modifications to these embodiments once they are aware of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or terminal device that includes that element.
The network attack processing method and network attack processing apparatus provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present application; the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present application, make changes in the specific implementations and the scope of application. In summary, the content of this specification should not be understood as limiting the present application.

Claims (11)

  1. A network attack processing method, characterized in that it comprises:
    obtaining a first IP address connected to a server and the number of connections corresponding to the first IP address;
    determining whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold;
    if so, blocking the source IP addresses connected to the first IP address.
  2. The method according to claim 1, characterized in that blocking the source IP addresses connected to the first IP address comprises:
    obtaining each source IP address connected to the first IP address and the number of connections corresponding to each source IP address;
    determining whether, among the source IP addresses, there is a source IP address whose number of connections is greater than or equal to a second threshold;
    if there is, blocking the source IP address whose number of connections is greater than or equal to the second threshold.
  3. The method according to claim 2, characterized in that the method further comprises:
    blocking the first IP address when, among the source IP addresses, there is no source IP address whose number of connections is greater than or equal to the second threshold.
  4. The method according to claim 2, characterized in that blocking the source IP address whose number of connections is greater than or equal to the second threshold comprises:
    determining whether the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold;
    if so, blocking the source IP addresses whose number of connections is greater than or equal to the second threshold.
  5. The method according to claim 4, characterized in that the method further comprises:
    blocking the first IP address when the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is less than the first threshold.
  6. The method according to claim 3 or 5, characterized in that the method further comprises:
    stopping the blocking of the first IP address when a preset condition is satisfied.
  7. A network attack processing device, characterized in that it comprises:
    an obtaining unit configured to obtain a first IP address connected to a server and the number of connections corresponding to the first IP address;
    a determining unit configured to determine whether the number of connections corresponding to the first IP address is greater than or equal to a first threshold;
    a processing unit configured to block the source IP addresses connected to the first IP address when the determining unit determines that the number of connections corresponding to the first IP address is greater than or equal to the first threshold.
  8. The device according to claim 7, characterized in that the processing unit comprises:
    an obtaining subunit configured to obtain each source IP address connected to the first IP address and the number of connections corresponding to each source IP address;
    a determining subunit configured to determine whether, among the source IP addresses, there is a source IP address whose number of connections is greater than or equal to a second threshold;
    a blocking subunit configured to block the source IP address whose number of connections is greater than or equal to the second threshold when the determining subunit determines that, among the source IP addresses, there is a source IP address whose number of connections is greater than or equal to the second threshold.
  9. The device according to claim 8, characterized in that
    the processing unit is further configured to block the first IP address when, among the source IP addresses, there is no source IP address whose number of connections is greater than or equal to the second threshold.
  10. The device according to claim 8, characterized in that the blocking subunit comprises:
    a lower-level determining subunit configured to determine whether the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is greater than or equal to the first threshold;
    a lower-level blocking subunit configured to block the source IP addresses whose number of connections is greater than or equal to the second threshold when the lower-level determining subunit determines that the sum of the numbers of connections corresponding to those source IP addresses is greater than or equal to the first threshold.
  11. The device according to claim 10, characterized in that
    the lower-level blocking subunit is further configured to block the first IP address when the sum of the numbers of connections corresponding to the source IP addresses whose number of connections is greater than or equal to the second threshold is less than the first threshold.
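As an added example (not code from the patent or its assignee), the following Python function applies the decision procedure of claims 1 through 5 to a constructed table of (source IP, destination IP) connection pairs: the destination is the "first IP address", the thresholds and every address are assumed sample values, and the release condition of claim 6 is left to the caller.

```python
from collections import Counter, defaultdict

# Constructed sample of (source IP, destination IP) connection pairs, one
# entry per open connection; all addresses and counts are made up.
SAMPLE_CONNECTIONS = (
    [("203.0.113.7", "198.51.100.10")] * 60          # two heavy sources ...
    + [("203.0.113.8", "198.51.100.10")] * 45        # ... explain the overload
    + [("192.0.2.%d" % i, "198.51.100.10") for i in range(20)]
    + [("192.0.2.%d" % i, "198.51.100.11") for i in range(110)]  # diffuse flood
    + [("203.0.113.20", "198.51.100.13")] * 35       # one heavy source, but ...
    + [("192.0.2.%d" % i, "198.51.100.13") for i in range(70)]   # ... not enough
    + [("203.0.113.9", "198.51.100.12")] * 5         # normal load
)


def decide(connections, first_threshold, second_threshold):
    """Classify each destination ("first") IP address per the claimed method.

    Returns a dict mapping destination IP to a (verdict, sources) pair:
      ("allow", [])                  below the first threshold (claim 1)
      ("block_sources", [src, ...])  heavy sources whose connections together
                                     reach the first threshold (claims 2, 4)
      ("block_destination", [])      no heavy source, or heavy sources that do
                                     not add up to the threshold (claims 3, 5)
    """
    per_dest = defaultdict(Counter)
    for src, dst in connections:
        per_dest[dst][src] += 1

    verdicts = {}
    for dst, by_src in per_dest.items():
        if sum(by_src.values()) < first_threshold:
            verdicts[dst] = ("allow", [])
            continue
        # Claim 2: sources at or above the second threshold.
        heavy = sorted(s for s, n in by_src.items() if n >= second_threshold)
        # Claim 4: do the heavy sources together reach the first threshold?
        if heavy and sum(by_src[s] for s in heavy) >= first_threshold:
            verdicts[dst] = ("block_sources", heavy)
        else:
            # Claims 3 and 5: block the destination address itself.
            verdicts[dst] = ("block_destination", [])
    return verdicts


if __name__ == "__main__":
    for dst, (verdict, srcs) in sorted(decide(SAMPLE_CONNECTIONS, 100, 30).items()):
        print(dst, verdict, srcs)
```

With a first threshold of 100 and a second threshold of 30, the sample yields one destination whose two heavy sources are blocked, two destinations that are blocked outright (a diffuse flood with no heavy source, and a single heavy source that does not reach the first threshold), and one destination left alone.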

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510284470.XA CN106302347B (en) 2015-05-28 2015-05-28 A kind of network attack treating method and apparatus

Publications (1)

Publication Number Publication Date
WO2016188294A1 true WO2016188294A1 (en) 2016-12-01

Family

ID=57392586

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/080311 WO2016188294A1 (en) 2015-05-28 2016-04-27 Network attack processing method and device

Country Status (2)

Country Link
CN (1) CN106302347B (en)
WO (1) WO2016188294A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI707565B (en) * 2019-04-19 2020-10-11 國立中央大學 Network attacker identifying method and network system
CN112738089A (en) * 2020-12-29 2021-04-30 中国建设银行股份有限公司 Method and device for automatically backtracking source ip under complex network environment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965336B (en) * 2018-09-10 2021-03-23 杭州迪普科技股份有限公司 Attack detection method and device
CN111669359A (en) * 2019-03-09 2020-09-15 深圳市锐速云计算有限公司 Novel network attack processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014116A (en) * 2009-09-03 2011-04-13 丛林网络公司 Protecting against distributed network flood attacks
CN103001972A (en) * 2012-12-25 2013-03-27 苏州山石网络有限公司 Identification method and identification device and firewall for DDOS (distributed denial of service) attack
CN103701795A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for attack source of denial of service attack
CN104243223A (en) * 2013-06-06 2014-12-24 天津蜀都科技有限公司 High accuracy application identification method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594269B (en) * 2009-06-29 2012-05-02 成都市华为赛门铁克科技有限公司 Method, device and gateway device for detecting abnormal connection
KR20130030086A (en) * 2011-09-16 2013-03-26 한국전자통신연구원 Method and apparatus for defending distributed denial of service attack through abnomal terminated session
EP2790382B1 (en) * 2012-09-17 2017-05-03 Huawei Technologies Co., Ltd. Protection method and device against attacks
CN104601542A (en) * 2014-12-05 2015-05-06 国云科技股份有限公司 DDOS (distributed denial of service) active protection method applicable to virtual machine

Also Published As

Publication number Publication date
CN106302347A (en) 2017-01-04
CN106302347B (en) 2019-11-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16799183; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16799183; Country of ref document: EP; Kind code of ref document: A1)