WO2017041666A1 - Processing method and device directed at access request - Google Patents


Publication number
WO2017041666A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
access request
client
forwarding
address
Application number
PCT/CN2016/097854
Inventor
刘岩
赵洪涛
Original Assignee
阿里巴巴集团控股有限公司
Application filed by 阿里巴巴集团控股有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Definitions

  • the present application relates to the technical field of computer processing, and in particular, to a processing method for an access request and a processing device for an access request.
  • each IP (Internet Protocol) protocol address can have a host name.
  • DNS (Domain Name System) is a distributed database that maps domain names and IP addresses to each other. Resolving a host name yields the IP address corresponding to it, which makes it easier for users to access the Internet: they only need to remember relatively intuitive, meaningful domain names rather than the IP addresses that machines read directly.
  • the jump server is configured for the DNS server, and the user who currently accesses the domain name is directed to another specified network address through the special settings of the server.
  • the forwarding server has a hard limit on the traffic that is accessed. If the traffic limit is exceeded, access will be restricted. Even normal access will be restricted, the error rate is high, and the efficiency is low.
  • embodiments of the present application have been made in order to provide a processing method for an access request and a corresponding processing device for an access request that overcomes the above problems or at least partially solves the above problems.
  • the embodiment of the present application discloses a processing method for an access request, including:
  • when receiving the access request of the client, the DNS server forwards the access request of the client to the first jump server for the jump access;
  • the DNS server receives the notification message sent by the first jump server when it determines an abnormal access;
  • the DNS server forwards the access request of the client to the second jump server for traffic cleaning according to the notification message.
  • the source address is included in the access request of the client
  • the step of forwarding the client's access request to the first transfer server for the jump access includes:
  • the step of forwarding the access request of the client to the second forwarding server for performing traffic cleaning includes:
  • the notification message is generated by the first forwarding server when determining that the traffic of the client's access request exceeds a preset traffic threshold.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • the embodiment of the present application further discloses a processing method for an access request, including:
  • the first jump server receives the access request of the client forwarded by the DNS server;
  • the first jump server determines whether the client's access request is abnormal access
  • the client's access request is forwarded to the specified page.
  • it also includes:
  • the access request of the client includes a source address
  • the step of the first forwarding server receiving the access request forwarded by the DNS server and the client includes:
  • the first transfer server receives the access request sent by the client through the first transfer address
  • the first forwarding address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address; the first forwarding address of the first jump server is recorded in the address record data.
  • the step of determining, by the first jump server, whether the access request of the client is abnormal access includes:
  • the traffic of the client's access request is determined to exceed the preset traffic threshold; if yes, the client's access request is determined to be abnormal access, and if not, the client's access request is determined to be normal access.
  • the step of sending the notification message to the DNS server to forward the access request of the client to the second forwarding server for traffic cleaning includes:
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • the step of forwarding the client's access request to the specified page includes:
  • the destination address is sent to the client for loading to display the specified page.
  • the embodiment of the present application further discloses a processing device for an access request, which is applied to a DNS server, and the device includes:
  • the first forwarding module is configured to: when receiving the access request of the client, forward the access request of the client to the first forwarding server for the jump access;
  • a notification message receiving module configured to receive a notification message sent by the first transition server when determining an abnormal access
  • the second forwarding module is configured to forward the access request of the client to the second forwarding server for performing traffic cleaning according to the notification message.
  • the source address is included in the access request of the client
  • the first forwarding module includes:
  • An address record data search sub-module configured to search for address record data corresponding to the source address, where the first transfer address of the first jump server is recorded in the address record data;
  • the first forwarding address sending submodule is configured to send the first forwarding address to the client, to obtain the destination address corresponding to the source address from the first forwarding server for loading.
  • the second forwarding module includes:
  • An address record data modification submodule configured to modify a first forwarding address of the first jump server in the address record data to a second jump address of the second jump server;
  • the second forwarding address sending submodule is configured to send the second forwarding address to the client to access the second forwarding server and perform traffic cleaning on the access request.
  • the notification message is generated by the first forwarding server when determining that the traffic of the client's access request exceeds a preset traffic threshold.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • the embodiment of the present application further discloses a processing device for an access request, which is applied to a first jump server, and the device includes:
  • An access request receiving module configured to receive a client access request forwarded by a DNS server
  • the abnormal access judging module is configured to determine whether the access request of the client is abnormal access; if yes, the notification message sending module is called, and if not, the jump module is called;
  • a notification sending module configured to send a notification message to the DNS server, to forward the access request of the client to the second forwarding server for traffic cleaning;
  • the jump module is used to jump the client's access request to the specified page.
  • it also includes:
  • An alarm module for sending an abnormally accessed alarm information from a preset interface.
  • the source address is included in the access request of the client, where the access request receiving module includes:
  • An address access submodule configured to receive an access request sent by the client by using the first forwarding address
  • the first forwarding address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address; the first forwarding address of the first jump server is recorded in the address record data.
  • the abnormal access judgment module includes:
  • the traffic judgment sub-module is configured to determine that the traffic of the client's access request exceeds a preset traffic threshold; if yes, the first determining sub-module is invoked, and if not, the second determining sub-module is invoked;
  • a first determining submodule configured to determine that the access request of the client is an abnormal access
  • the second determining submodule is configured to determine that the client access request is a normal access.
  • the notification message sending module includes:
  • a notification sub-module configured to send a notification message to the DNS server, to notify that the first forwarding address of the first jump server in the address record data is modified to the second forwarding address of the second transfer server,
  • the second forwarding address is sent to the client, accesses the second forwarding server, and performs traffic cleaning on the access request.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • the jump module includes:
  • the destination address is searched for the sub-module, and the destination address corresponding to the source address is searched for;
  • the destination address sending submodule sends the destination address to the client for loading to display the specified page.
  • the DNS server forwards the client's access to the first jump server for jump access and, when the client's access is abnormal, forwards it to the second jump server for traffic cleaning. Defense is thus applied to the individual access: the security of the first jump server is ensured while other normal access is not affected, reducing the error rate and improving efficiency.
  • FIG. 1 is a flow chart of the steps of Embodiment 1 of a processing method for an access request according to the present application;
  • FIG. 2 is a flow chart of the steps of Embodiment 2 of a processing method for an access request according to the present application;
  • FIG. 3 is a structural block diagram of Embodiment 1 of a processing apparatus for an access request according to the present application;
  • FIG. 4 is a structural block diagram of Embodiment 2 of a processing apparatus for an access request according to the present application.
  • Referring to FIG. 1, a flow chart of the steps of Embodiment 1 of a processing method for an access request according to the present application is shown. Specifically, the method may include the following steps:
  • Step 101 When receiving the access request of the client, the DNS server forwards the access request of the client to the first jump server for the jump access;
  • address record data, that is, A (Address) record data, may be added for a source address (host name or domain name); it records the first jump address (such as an IP address) of the first jump server (also referred to as a URL (Uniform Resource Locator) forwarding server).
  • a record data will be different according to the line configured by the user, that is, the user can select different lines corresponding to different A record data, different search engines correspond to different A record data, and the like.
  • for a source address (such as a domain name), a client (such as a browser) sends an access request to the DNS server; that is, the source address is included in the access request.
  • the DNS server searches for the address record data corresponding to the source address (that is, the A record data) and sends the first jump address (such as an IP address) pointed to by the A record data to the client; the client loads the first jump address and accesses the first jump server.
  • the first jump server returns a corresponding jump record to the client, and the client obtains the destination address corresponding to the source address from the first jump server to load, and requests the display page.
  • Step 102 The DNS server receives a notification message sent by the first forwarding server when determining an abnormal access.
  • the first forwarding server may, based on protocols such as NetFlow, sFlow, and NetStream, identify a flow by its source IP address, destination IP address, input interface, output interface, socket source port, destination port, protocol, TOS, etc., and collect and analyze the traffic data to determine whether the client's access request is abnormal.
  • the detection of abnormal traffic is usually divided into three steps, the calculation of the measured value of the detection index, the calculation of the baseline value of the detection index, and the comparison of the measured value with the baseline value.
  • Each type of detection indicator corresponds to one or more possible attacks. That is to say, some detection indicators are dedicated to detecting one specific kind of abnormal traffic, whereas when certain other indicators are abnormal, it can only be concluded that one of several possible kinds of abnormal traffic exists; such an indicator is a non-specific indicator.
  • Each test has its own baseline, but the baseline algorithm is similar.
  • There are usually two types of baseline algorithms: one is a periodic baseline and the other is a moving window baseline.
  • a periodic baseline can be used.
  • the moving window baseline can be used.
  • the first jump server considers an abnormal access when it determines that the traffic of the client's access request exceeds a preset traffic threshold.
  • attack types for DNS servers include domain name hijacking, DDoS attacks, DNS cache poisoning attacks, DNS spoofing, and the like.
  • the URL forwarding resolution request is only one of them.
  • the URL forwarding server ie, the first jump server
  • a notification message may be generated, and the notification message is sent to the DNS server to forward the access request of the client to the second jump server for traffic cleaning.
  • the URL forwarding resolution of the source address (such as the domain name or host name) will be aborted, and this process does not affect the URL forwarding resolution of other domain names or host names.
  • the first jump server may also send alarm information about the abnormal access through a preset interface, which may be a mail interface for sending an email, an instant messaging interface for sending an instant message, and the like.
  • the policy analysis of the black hole URL forwarding server can be restored to normal by some policies, or used to monitor the current server status to ensure the normal operation of the system.
  • the client's access request is forwarded to the specified page, that is, the first jump server returns the corresponding jump record to the client, and the client obtains the destination address corresponding to the source address from the first jump server, loads it, and requests display of the page.
  • Step 103 The DNS server forwards the access request of the client to the second forwarding server for traffic cleaning according to the notification message.
  • the DNS server may modify the first forwarding address of the first forwarding server in the address record data to the second forwarding address of the second forwarding server.
  • the function of the second jump server and the URL forwarding server is basically the same, but an additional function for traffic cleaning and filtering is added, which can be called a black hole URL forwarding server.
  • the DNS server can send the second forwarding address to the client to access the second forwarding server and perform traffic cleaning on the access request.
  • the access request flows through a filter created according to a pre-configured defense policy and thresholds, which then passes the traffic to each analysis and detection module. After detection, the traffic is passed to an identification module that extracts refined data and continuously adjusts the filter to adapt to the constantly changing characteristics of abnormal traffic.
  • the black hole URL forwarding server can combine various authentication, analysis, and implementation techniques to identify and isolate malicious traffic based on a Multiple Authentication Process (MVP) structure.
  • the flow cleaning process can be roughly divided into five parts:
  • used to verify that the packets entering the black hole URL forwarding server carry no spoofing information.
  • An execution option is provided to prevent illicit traffic from attacking the target.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server, that is, the second jump server returns the corresponding jump record to the client, and the client obtains the destination address corresponding to the source address from the second jump server, loads it, and requests display of the page.
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • the DNS server forwards the client's access to the first jump server for jump access and, when the client's access is abnormal, forwards it to the second jump server for traffic cleaning. Defense is thus applied to the individual access: the security of the first jump server is ensured while other normal access is not affected, reducing the error rate and improving efficiency.
  • FIG. 2 a flow chart of the steps of the second embodiment of the processing method for the access request of the present application is shown, which may specifically include the following steps:
  • Step 201 The first transfer server receives the access request of the client forwarded by the DNS server.
  • Step 202 the first jump server determines whether the client's access request is abnormal access; if yes, step 203 is performed, and if not, step 204 is performed;
  • Step 203 Send a notification message to the DNS server to forward the client's access request to the second forwarding server for traffic cleaning.
  • Step 204 Jump the client's access request to the specified page.
  • the method may further include the following steps:
  • Step 205 Send an abnormal access alarm information from a preset interface.
  • the client's access request includes a source address
  • step 201 may include the following sub-steps:
  • Sub-step S11 the first transfer server receives an access request sent by the client through the first transfer address
  • the first forwarding address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address; the first forwarding address of the first jump server is recorded in the address record data.
  • step 202 may include the following sub-steps:
  • Sub-step S21 it is determined that the traffic of the client's access request exceeds a preset traffic threshold; if so, sub-step S22 is performed, and if not, sub-step S23 is performed;
  • Sub-step S22 determining that the client's access request is an abnormal access
  • Sub-step S23 determining that the client's access request is a normal access.
  • step 203 may include the following sub-steps:
  • Sub-step S31 sending a notification message to the DNS server, notifying it to modify the first forwarding address of the first jump server in the address record data to the second forwarding address of the second jump server, so that the second forwarding address is sent to the client, the client accesses the second forwarding server, and traffic cleaning is performed on the access request.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • step 204 may include the following sub-steps:
  • Sub-step S41 searching for a destination address corresponding to the source address
  • Sub-step S42 the destination address is sent to the client for loading to display the specified page.
  • the DNS server forwards the client's access to the first jump server for jump access and, when the client's access is abnormal, forwards it to the second jump server for traffic cleaning. Defense is thus applied to the individual access: the security of the first jump server is ensured while other normal access is not affected, reducing the error rate and improving efficiency.
  • Referring to FIG. 3, a structural block diagram of Embodiment 1 of a processing apparatus for an access request according to the present application is shown. The apparatus is applied in a DNS server and may specifically include the following modules:
  • the first forwarding module 301 is configured to: when receiving the access request of the client, forward the access request of the client to the first forwarding server for the jump access;
  • the notification message receiving module 302 is configured to receive a notification message sent by the first transition server when determining an abnormal access
  • the second forwarding module 303 is configured to forward the access request of the client to the second forwarding server for traffic cleaning according to the notification message.
  • the source address is included in the access request of the client
  • the first forwarding module 301 can include the following submodules:
  • An address record data search sub-module configured to search for address record data corresponding to the source address, where the first transfer address of the first jump server is recorded in the address record data;
  • the first forwarding address sending submodule is configured to send the first forwarding address to the client, to obtain the destination address corresponding to the source address from the first forwarding server for loading.
  • the second forwarding module 303 may include the following submodules:
  • An address record data modification submodule configured to modify a first forwarding address of the first jump server in the address record data to a second jump address of the second jump server;
  • the second forwarding address sending submodule is configured to send the second forwarding address to the client to access the second forwarding server and perform traffic cleaning on the access request.
  • the notification message is generated by the first forwarding server when determining that the traffic of the client's access request exceeds a preset traffic threshold.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
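  • Referring to FIG. 4, a structural block diagram of Embodiment 2 of a processing apparatus for an access request according to the present application is shown. The apparatus is applied to a first jump server and may specifically include the following modules: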
  • the access request receiving module 401 is configured to receive an access request of the client forwarded by the DNS server;
  • the abnormal access judging module 402 is configured to determine whether the access request of the client is abnormal access; if yes, the notification message sending module 403 is invoked, and if not, the jump module 404 is invoked;
  • the notification message sending module 403 is configured to send a notification message to the DNS server, to forward the access request of the client to the second jump server for traffic cleaning;
  • the jump module 404 is configured to jump the client's access request to the specified page.
  • the apparatus may further include the following modules:
  • An alarm module for sending an abnormally accessed alarm information from a preset interface.
  • the access request of the client includes a source address
  • the access request receiving module 401 may include the following submodules:
  • An address access submodule configured to receive an access request sent by the client by using the first forwarding address
  • the first forwarding address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address; the first forwarding address of the first jump server is recorded in the address record data.
  • the abnormal access judging module 402 may include the following sub-modules:
  • the traffic judgment sub-module is configured to determine that the traffic of the client's access request exceeds a preset traffic threshold; if yes, the first determining sub-module is invoked, and if not, the second determining sub-module is invoked;
  • a first determining submodule configured to determine that the access request of the client is an abnormal access
  • the second determining submodule is configured to determine that the client access request is a normal access.
  • the notification message sending module 403 may include the following sub-modules:
  • a notification sub-module configured to send a notification message to the DNS server, to notify that the first forwarding address of the first jump server in the address record data is modified to the second forwarding address of the second transfer server,
  • the second forwarding address is sent to the client, accesses the second forwarding server, and performs traffic cleaning on the access request.
  • the access request that passes the traffic cleaning is given the jump access by the second jump server;
  • the access request that failed to pass the traffic cleaning is rejected by the second transfer server.
  • the jump module 404 can include the following sub-modules:
  • the destination address is searched for the sub-module, and the destination address corresponding to the source address is searched for;
  • the destination address sending submodule sends the destination address to the client for loading to display the specified page.
  • the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
  • embodiments of the present application can be provided as a method, apparatus, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-persistent memory, random access memory (RAM), and/or non-volatile memory in a computer readable medium, such as read only memory (ROM) or flash memory.
  • Memory is an example of a computer readable medium.
  • Computer readable media includes both permanent and non-persistent, removable and non-removable media.
  • Information storage can be implemented by any method or technology. The information can be computer readable instructions, data structures, modules of programs, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic tape cartridges, magnetic tape storage or other magnetic storage devices, or any other non-transmission media that can be used to store information that can be accessed by a computing device.
  • computer readable media does not include non-persistent computer readable media, such as modulated data signals and carrier waves.
  • Embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, a special purpose computer, an embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device generate means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the instruction device implements the functions specified in one or more blocks of the flowchart or in a flow or block of the flowchart.
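
The three detection steps named in the list above (measured value, baseline value, comparison), run with both baseline types, as an added example that is not part of the patent text. The request series, the window and period lengths, and the 2x comparison factor are constructed assumptions.

```python
from statistics import mean

# Constructed per-interval request counts for one source address.
# Each period has 6 intervals with a regular, legitimate peak at phase 3.
NORMAL_PERIOD = [10, 10, 10, 50, 10, 10]
# Fourth period carries an abnormal burst (90) at phase 1, i.e. index 19.
SERIES = NORMAL_PERIOD * 3 + [10, 90, 10, 50, 10, 10]


def moving_window_baseline(history, window):
    """Baseline = mean of the most recent `window` measured values."""
    return mean(history[-window:])


def periodic_baseline(history, period, cycles):
    """Baseline = mean of the values at the same phase in the last `cycles` periods."""
    idx = len(history)  # index of the value that is about to be measured
    samples = [history[idx - k * period]
               for k in range(1, cycles + 1) if idx - k * period >= 0]
    return mean(samples)


def detect(series, baseline_fn, warmup, factor=2.0):
    """Flag every index whose measured value exceeds factor * baseline.

    The comparison rule (a fixed multiple of the baseline) is an assumption;
    the text only says the measured value is compared with the baseline.
    """
    flagged = []
    for i in range(warmup, len(series)):
        baseline = baseline_fn(series[:i])   # step 2: baseline from past data only
        measured = series[i]                 # step 1: measured value
        if measured > factor * baseline:     # step 3: comparison
            flagged.append(i)
    return flagged


def compare_baselines():
    """Run both baseline types over the same constructed series."""
    moving = detect(SERIES, lambda h: moving_window_baseline(h, window=4), warmup=12)
    periodic = detect(SERIES, lambda h: periodic_baseline(h, period=6, cycles=2), warmup=12)
    return {"moving_window": moving, "periodic": periodic}


if __name__ == "__main__":
    print(compare_baselines())
```

On this series the moving window baseline also flags the regular peak at index 15, while the periodic baseline flags only the burst at index 19.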

Abstract

Provided are a processing method and device directed at an access request. The method comprises: when receiving an access request of a client, a DNS server forwarding the access request of the client to a first jump server for jump access; the DNS server receiving a notification message sent by the first jump server when an abnormal access is determined; and the DNS server forwarding the access request of the client to a second jump server for traffic cleaning according to the notification message. In the embodiments of the application, defence is directed at a single access; while the security of the first jump server is ensured, other normal accesses are not affected, thereby reducing the error rate and improving efficiency.
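
The flow summarized in the abstract, simulated end to end as an added example that is not code from the patent or its applicant. The addresses, domain names, threshold values and the per-client cap used as the cleaning policy are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed values (documentation address ranges), not taken from the patent.
FIRST_JUMP_ADDR = "192.0.2.10"    # first jump (URL forwarding) server
SECOND_JUMP_ADDR = "192.0.2.20"   # second jump ("black hole") server
JUMP_RECORDS = {                  # source address -> destination address
    "shop.example": "https://www.example.com/shop",
    "blog.example": "https://www.example.org/blog",
}


@dataclass
class DnsServer:
    a_records: dict = field(default_factory=dict)  # source address -> jump address

    def resolve(self, source_address):
        """Answer with whichever jump address the A record currently holds."""
        return self.a_records[source_address]

    def on_notification(self, source_address):
        """Rewrite only the reported source address's A record."""
        self.a_records[source_address] = SECOND_JUMP_ADDR


@dataclass
class FirstJumpServer:
    dns: DnsServer
    threshold: int                                 # preset traffic threshold
    counts: dict = field(default_factory=dict)     # requests seen per source address
    alarms: list = field(default_factory=list)     # stands in for the preset alarm interface

    def handle(self, source_address):
        n = self.counts.get(source_address, 0) + 1
        self.counts[source_address] = n
        if n > self.threshold:                     # abnormal access
            self.dns.on_notification(source_address)
            self.alarms.append(source_address)
            return None                            # forwarding for this address is aborted here
        return JUMP_RECORDS[source_address]        # normal access: return the jump record


@dataclass
class SecondJumpServer:
    per_client_limit: int                          # assumed cleaning policy: cap per client IP
    seen: dict = field(default_factory=dict)

    def handle(self, source_address, client_ip):
        n = self.seen.get(client_ip, 0) + 1
        self.seen[client_ip] = n
        if n > self.per_client_limit:
            return None                            # failed traffic cleaning: rejected
        return JUMP_RECORDS[source_address]        # passed cleaning: return the jump record


def access(dns, first, second, source_address, client_ip):
    """One client access: resolve via DNS, then contact the returned jump server."""
    addr = dns.resolve(source_address)
    if addr == FIRST_JUMP_ADDR:
        return addr, first.handle(source_address)
    return addr, second.handle(source_address, client_ip)


def run_demo():
    dns = DnsServer({name: FIRST_JUMP_ADDR for name in JUMP_RECORDS})
    first = FirstJumpServer(dns, threshold=3)
    second = SecondJumpServer(per_client_limit=2)
    # Constructed traffic: one client floods shop.example, another browses normally.
    flood = [access(dns, first, second, "shop.example", "198.51.100.7") for _ in range(8)]
    normal_shop = access(dns, first, second, "shop.example", "203.0.113.5")
    normal_blog = access(dns, first, second, "blog.example", "203.0.113.5")
    return {
        "flood": flood,
        "normal_shop": normal_shop,
        "normal_blog": normal_blog,
        "alarms": first.alarms,
        "a_records": dict(dns.a_records),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

After the fourth flood request only the `shop.example` record points at the second jump server; `blog.example` keeps resolving to the first one, and the normal client still reaches the shop page through the cleaning server.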

Description

Processing method and device for access request
The present application claims priority to Chinese Patent Application No. 201510580405.1, filed on September 11, 2015 and entitled "Processing method and device for access request", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the technical field of computer processing, and in particular, to a processing method for an access request and a processing device for an access request.
Background
On the Internet, each IP (Internet Protocol) address can have a host name.
DNS (Domain Name System) is a distributed database that maps domain names and IP addresses to each other. A host name is ultimately resolved to its corresponding IP address, which makes it easier for users to access the Internet: they only need to remember a relatively intuitive and meaningful domain name, rather than an IP address that can be read directly by machines.
In some cases, a jump server is configured for the DNS server, and through special settings of the server, a user currently accessing a domain name is directed to another specified network address.
When the DNS server is under attack, if the attacked domain name requires jump access, a large number of forwarding resolution requests converge on the jump server, so that the forwarding server is hit by the accompanying high-volume traffic attack and becomes unusable.
At present, the forwarding server imposes a hard limit on access traffic. If the traffic limit is exceeded, access is restricted, and even normal access is restricted, so the error rate is high and the efficiency is low.
Summary of the invention
In view of the above problems, embodiments of the present application are proposed to provide a processing method for an access request and a corresponding processing device for an access request that overcome the above problems or at least partially solve them.
In order to solve the above problems, an embodiment of the present application discloses a processing method for an access request, including:
When receiving an access request of a client, a DNS server forwards the access request of the client to a first jump server for jump access;
The DNS server receives a notification message sent by the first jump server when it determines an abnormal access;
The DNS server forwards the access request of the client to a second jump server for traffic cleaning according to the notification message.
Optionally, the access request of the client includes a source address;
The step of forwarding the access request of the client to the first jump server for jump access includes:
Searching for address record data corresponding to the source address, wherein a first jump address of the first jump server is recorded in the address record data;
Sending the first jump address to the client, so that the destination address corresponding to the source address is obtained from the first jump server for loading.
Optionally, the step of forwarding the access request of the client to the second jump server for traffic cleaning includes:
Modifying the first jump address of the first jump server in the address record data to a second jump address of the second jump server;
Sending the second jump address to the client, so that the client accesses the second jump server and traffic cleaning is performed on the access request.
Optionally, the notification message is generated by the first jump server when it determines that the traffic of the client's access requests exceeds a preset traffic threshold.
Optionally, for an access request that passes traffic cleaning, the second jump server performs jump access;
For an access request that fails traffic cleaning, the second jump server refuses jump access.
An embodiment of the present application further discloses a processing method for an access request, including:
A first jump server receives an access request of a client forwarded by a DNS server;
The first jump server determines whether the access request of the client is an abnormal access;
If yes, a notification message is sent to the DNS server, so that the access request of the client is forwarded to a second jump server for traffic cleaning;
If not, the access request of the client is jumped to a specified page.
Optionally, the method further includes:
Sending alarm information about the abnormal access through a preset interface.
Optionally, the access request of the client includes a source address, and the step of the first jump server receiving the access request of the client forwarded by the DNS server includes:
The first jump server receives the access request sent by the client through a first jump address;
Wherein the first jump address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address, and the first jump address of the first jump server is recorded in the address record data.
Optionally, the step of the first jump server determining whether the access request of the client is an abnormal access includes:
Determining whether the traffic of the client's access requests exceeds a preset traffic threshold; if yes, determining that the access request of the client is an abnormal access; if not, determining that the access request of the client is a normal access.
Optionally, the step of sending a notification message to the DNS server, so that the access request of the client is forwarded to the second jump server for traffic cleaning, includes:
Sending a notification message to the DNS server, notifying it to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server, so that the second jump address is sent to the client, the client accesses the second jump server, and traffic cleaning is performed on the access request.
Optionally, for an access request that passes traffic cleaning, the second jump server performs jump access;
For an access request that fails traffic cleaning, the second jump server refuses jump access.
Optionally, the step of jumping the access request of the client to the specified page includes:
Searching for the destination address corresponding to the source address;
Sending the destination address to the client for loading, so as to display the specified page.
An embodiment of the present application further discloses a processing device for an access request, applied in a DNS server, the device including:
A first forwarding module, configured to forward the access request of a client to a first jump server for jump access when the access request of the client is received;
A notification message receiving module, configured to receive a notification message sent by the first jump server when it determines an abnormal access;
A second forwarding module, configured to forward the access request of the client to a second jump server for traffic cleaning according to the notification message.
Optionally, the access request of the client includes a source address;
The first forwarding module includes:
An address record data search sub-module, configured to search for address record data corresponding to the source address, wherein the first jump address of the first jump server is recorded in the address record data;
A first jump address sending sub-module, configured to send the first jump address to the client, so that the destination address corresponding to the source address is obtained from the first jump server for loading.
Optionally, the second forwarding module includes:
An address record data modification sub-module, configured to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server;
A second jump address sending sub-module, configured to send the second jump address to the client, so that the client accesses the second jump server and traffic cleaning is performed on the access request.
Optionally, the notification message is generated by the first jump server when it determines that the traffic of the client's access requests exceeds a preset traffic threshold.
Optionally, for an access request that passes traffic cleaning, the second jump server performs jump access;
For an access request that fails traffic cleaning, the second jump server refuses jump access.
An embodiment of the present application further discloses a processing device for an access request, applied in a first jump server, the device including:
An access request receiving module, configured to receive an access request of a client forwarded by a DNS server;
An abnormal access determination module, configured to determine whether the access request of the client is an abnormal access; if yes, the notification message sending module is invoked; if not, the jump module is invoked;
A notification message sending module, configured to send a notification message to the DNS server, so that the access request of the client is forwarded to a second jump server for traffic cleaning;
A jump module, configured to jump the access request of the client to a specified page.
Optionally, the device further includes:
An alarm module, configured to send alarm information about the abnormal access through a preset interface.
Optionally, the access request of the client includes a source address, and the access request receiving module includes:
An address access sub-module, configured to receive the access request sent by the client through the first jump address;
Wherein the first jump address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address, and the first jump address of the first jump server is recorded in the address record data.
Optionally, the abnormal access determination module includes:
A traffic determination sub-module, configured to determine whether the traffic of the client's access requests exceeds a preset traffic threshold; if yes, the first determination sub-module is invoked; if not, the second determination sub-module is invoked;
A first determination sub-module, configured to determine that the access request of the client is an abnormal access;
A second determination sub-module, configured to determine that the access request of the client is a normal access.
Optionally, the notification message sending module includes:
A notification sub-module, configured to send a notification message to the DNS server, notifying it to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server, so that the second jump address is sent to the client, the client accesses the second jump server, and traffic cleaning is performed on the access request.
Optionally, for an access request that passes traffic cleaning, the second jump server performs jump access;
For an access request that fails traffic cleaning, the second jump server refuses jump access.
Optionally, the jump module includes:
A destination address search sub-module, configured to search for the destination address corresponding to the source address;
A destination address sending sub-module, configured to send the destination address to the client for loading, so as to display the specified page.
Embodiments of the present application include the following advantages:
In the embodiments of the present application, a client's normal access through the DNS server is forwarded to the first jump server for jump access, and a client's abnormal access is forwarded to the second jump server for traffic cleaning. Defense is applied to individual accesses, so that while the security of the first jump server is ensured, other normal accesses are not affected, which reduces the error rate and improves efficiency.
Description of the drawings
FIG. 1 is a flowchart of the steps of Embodiment 1 of a processing method for an access request according to the present application;
FIG. 2 is a flowchart of the steps of Embodiment 2 of a processing method for an access request according to the present application;
FIG. 3 is a structural block diagram of Embodiment 1 of a processing device for an access request according to the present application;
FIG. 4 is a structural block diagram of Embodiment 2 of a processing device for an access request according to the present application.
Detailed description
To make the above objects, features and advantages of the present application more apparent and easier to understand, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to FIG. 1, a flowchart of the steps of Embodiment 1 of a processing method for an access request according to the present application is shown, which may specifically include the following steps:
Step 101: When receiving an access request of a client, the DNS server forwards the access request of the client to the first jump server for jump access;
In applying the embodiment of the present application, a piece of address record data pointing to the first jump address (such as an IP address) of the first jump server (also called a URL (Uniform Resource Locator) forwarding server) may be added in the DNS server for a source address (host name or domain name); that is, the A (Address) record data records the first jump address of the first jump server.
In addition, a jump record is added to the database (such as tair) of the first jump server, and the jump record records the source address and the destination address.
For example, the domain name with www, www.abc.com (source address), jumps via a 301 redirect to the domain name without www, abc.com (destination address).
It should be noted that the A record data differs according to the lines configured by the user; that is, the user can select different A record data for different lines, different A record data for different search engines, and so on.
When a user accesses a source address (such as a domain name) through a client (such as a browser), an access request is sent to the DNS server; that is, the access request includes the source address.
The DNS server looks up the address record data (i.e., the A record data) corresponding to the source address and sends the first jump address (such as an IP address) to which the A record data points to the client; the client loads the first jump address and accesses the first jump server.
If the access request of the client is a normal access, the first jump server returns the corresponding jump record to the client, and the client obtains the destination address corresponding to the source address from the first jump server, loads it, and requests display of the page.
Step 102: The DNS server receives a notification message sent by the first jump server when it determines an abnormal access;
In the embodiment of the present application, the first jump server may, based on protocols such as Netflow, sFlow and Netstream, identify a flow by information such as source IP address, destination IP address, input interface, output interface, socket source port, destination port, protocol and TOS, collect and analyze the traffic data, and determine whether the access request of the client is an abnormal access.
Detection of abnormal traffic (access requests) is usually divided into three steps: calculating the measured value of the detection indicator, calculating the baseline value of the detection indicator, and comparing the measured value with the baseline value.
Each detection indicator corresponds to one or more possible attacks. That is, some detection indicators are dedicated to detecting one specific kind of abnormal traffic, while for others an anomaly only indicates that one of several possible kinds of abnormal traffic is present; such an indicator is a non-specific indicator.
Each detection indicator has its own baseline, but the baseline algorithms are similar.
There are usually two baseline algorithms: one is a periodic baseline, and the other is a moving window baseline.
If the normal value of the detection indicator shows a clearly periodic trend, a periodic baseline can be used.
If the normal value of the detection indicator shows no obvious periodic change and fluctuates within a small range, a moving window baseline can be used.
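The following sketch is an added illustration and not part of the patent text. It implements the three detection steps with both baseline types on constructed request-rate series; the baseline definitions (mean of recent normal samples, alarm above the mean plus a tolerance times the spread) and all parameter names are assumptions, since the description does not fix a formula.

```python
from collections import deque
from statistics import mean, pstdev


class _Baseline:
    """Shared comparison step: measured value versus baseline value."""

    def __init__(self, tolerance=3.0, min_spread=10.0):
        self.tolerance = tolerance      # assumed: allowed spreads above the baseline
        self.min_spread = min_spread    # assumed: floor so a flat history is not hypersensitive

    def _judge(self, history, measured):
        if len(history) < history.maxlen:
            history.append(measured)    # warm-up: not enough data for a baseline yet
            return False
        baseline = mean(history)
        spread = max(pstdev(history), self.min_spread)
        abnormal = measured > baseline + self.tolerance * spread
        if not abnormal:
            history.append(measured)    # abnormal samples never enter the baseline
        return abnormal


class MovingWindowBaseline(_Baseline):
    """Baseline over the last `window` normal samples, whatever their phase."""

    def __init__(self, window, **kw):
        super().__init__(**kw)
        self.history = deque(maxlen=window)

    def check(self, t, measured):
        return self._judge(self.history, measured)


class PeriodicBaseline(_Baseline):
    """One baseline per position in the period, built from earlier cycles."""

    def __init__(self, period, cycles, **kw):
        super().__init__(**kw)
        self.slots = [deque(maxlen=cycles) for _ in range(period)]

    def check(self, t, measured):
        return self._judge(self.slots[t % len(self.slots)], measured)


def abnormal_points(detector, series):
    """Indices of the samples that the detector reports as abnormal."""
    return [t for t, value in enumerate(series) if detector.check(t, value)]


# Constructed data: requests per interval with a period of 4 intervals.
# Index 16 is a surge to 1000 at the point of the cycle where ~100 is normal.
PERIODIC_SERIES = [100, 500, 900, 500, 104, 496, 905, 498,
                   98, 503, 897, 502, 101, 499, 902, 501,
                   1000, 500, 900, 500]
# Constructed data: an indicator that fluctuates in a small range, surge at index 8.
FLAT_SERIES = [200, 205, 198, 202, 199, 203, 201, 204, 1000, 200]

if __name__ == "__main__":
    print(abnormal_points(PeriodicBaseline(period=4, cycles=3), PERIODIC_SERIES))
    print(abnormal_points(MovingWindowBaseline(window=4), PERIODIC_SERIES))
    print(abnormal_points(MovingWindowBaseline(window=4), FLAT_SERIES))
```

On the periodic series the moving window misses the surge because the normal daily swing already inflates its spread, which is why the description reserves it for indicators without periodic change.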
In an example of a protection service rule, when the first jump server determines that the traffic of the client's access requests exceeds a preset traffic threshold, the access is considered abnormal.
Typically, types of attack against DNS servers include domain name hijacking, DDoS attacks, DNS cache poisoning attacks, DNS spoofing, and so on.
Taking a DDoS attack as an example, a large number of requests are submitted to the DNS server to overload it, making website access slow or even crashing the server, so that users cannot access the DNS server.
When a DDoS attack occurs, the attacker issues a large number of domain name resolution requests, of which URL forwarding resolution requests are only one kind. When a large number of URL forwarding resolution requests converge on the URL forwarding server, this URL forwarding server (i.e., the first jump server) is also affected.
If the access is considered abnormal, a notification message may be generated and sent to the DNS server, so that the access request of the client is forwarded to the second jump server for traffic cleaning.
At this time, URL forwarding resolution for the source address (such as the domain name or host name) is suspended, and this process does not affect URL forwarding resolution for other domain names or host names.
In addition, the first jump server may also send alarm information about the abnormal access through a preset interface. The interface may be a mail interface, to send an email, or an instant messaging interface, to send an instant message, and so on.
After receiving the alarm information, the administrator can use certain policies to restore to normal the resolution of requests that were directed to the black-hole URL forwarding server, or monitor the current state of the servers, to ensure normal operation of the system.
If the access is considered normal, the access request of the client is jumped to the specified page; that is, the first jump server returns the corresponding jump record to the client, and the client obtains the destination address corresponding to the source address from the first jump server, loads it, and requests display of the page.
Step 103: The DNS server forwards the access request of the client to the second jump server for traffic cleaning according to the notification message.
In a specific implementation, the DNS server may modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server.
The second jump server has basically the same functions as the URL forwarding server, but adds functions for traffic cleaning and filtering; figuratively, it can be called a black-hole URL forwarding server.
The DNS server can send the second jump address to the client, so that the client accesses the second jump server and traffic cleaning is performed on the access request.
In practical applications, access requests flow through a filter created according to a pre-configured defense policy and a threshold, and the filter then passes the traffic to the analysis and detection modules. After detection, the traffic is passed to an identification module, which extracts refined data and continuously adjusts the filter to adapt to the constantly changing characteristics of abnormal traffic.
The black-hole URL forwarding server may be based on a Multi-Verification Process (MVP) architecture, which combines various verification, analysis and enforcement techniques to identify and separate malicious traffic.
The traffic cleaning process can be roughly divided into five parts:
1. Filtering;
Includes static and dynamic DDoS filters.
2. Anti-spoofing;
Verifies that packets entering the black-hole URL forwarding server carry no spoofed information.
3. Anomaly recognition;
Examines traffic that has passed the filters and anti-spoofing, compares it with baseline behavior recorded over time, searches for abnormal traffic, and identifies the source of malicious packets.
4. Protocol analysis;
Processes the malicious data found by anomaly recognition in order to identify specific application attacks, such as http-error attacks.
5. Rate limiting.
Provides an enforcement option that prevents illegitimate data flows from attacking the target.
For an access request that passes traffic cleaning, the second jump server performs jump access; that is, the second jump server returns the corresponding jump record to the client, and the client obtains the destination address corresponding to the source address from the second jump server, loads it, and requests display of the page.
For an access request that fails traffic cleaning, the second jump server refuses jump access.
In the embodiments of the present application, a client's normal access through the DNS server is forwarded to the first jump server for jump access, and a client's abnormal access is forwarded to the second jump server for traffic cleaning. Defense is applied to individual accesses, so that while the security of the first jump server is ensured, other normal accesses are not affected, which reduces the error rate and improves efficiency.
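The following simulation of steps 101 to 103 is an added illustration and not part of the patent text. It assumes the traffic threshold is a request count per source address within one interval, models only the rate-limiting stage of traffic cleaning, and uses constructed IP addresses, a constructed second domain and hypothetical class and function names.

```python
from collections import Counter

FIRST_JUMP = "192.0.2.10"    # constructed address of the first jump server
SECOND_JUMP = "192.0.2.20"   # constructed address of the second ("black-hole") jump server
JUMP_RECORDS = {"www.abc.com": "abc.com",            # pair used in the description
                "www.example.org": "example.org"}    # constructed second domain


class DnsServer:
    def __init__(self):
        # One A record per source address, initially pointing at the first jump server.
        self.a_records = {source: FIRST_JUMP for source in JUMP_RECORDS}

    def resolve(self, source):
        # Step 101: hand the client the jump address stored in the A record.
        return self.a_records[source]

    def on_notification(self, source):
        # Steps 102-103: re-point only the reported source address.
        self.a_records[source] = SECOND_JUMP


class FirstJumpServer:
    def __init__(self, dns, threshold):
        self.dns = dns
        self.threshold = threshold   # assumed unit: requests per source address per interval
        self.seen = Counter()

    def handle(self, client, source):
        self.seen[source] += 1
        if self.seen[source] > self.threshold:     # abnormal access
            self.dns.on_notification(source)       # notify the DNS server
            return ("aborted", None)               # forwarding for this source is suspended
        return ("redirect", JUMP_RECORDS[source])  # normal access: return the jump record


class SecondJumpServer:
    def __init__(self, per_client_limit):
        self.limit = per_client_limit   # assumed cleaning rule: per-client rate limit
        self.per_client = Counter()

    def handle(self, client, source):
        self.per_client[client] += 1
        if self.per_client[client] > self.limit:
            return ("rejected", None)              # failed cleaning: jump access refused
        return ("redirect", JUMP_RECORDS[source])  # passed cleaning: jump access performed


def simulate(flood_requests=20, threshold=5, per_client_limit=3):
    """Run one interval with a high-volume client and one ordinary user."""
    dns = DnsServer()
    servers = {FIRST_JUMP: FirstJumpServer(dns, threshold),
               SECOND_JUMP: SecondJumpServer(per_client_limit)}

    def access(client, source):
        jump_address = dns.resolve(source)
        return (jump_address,) + servers[jump_address].handle(client, source)

    flooder, user = "198.51.100.7", "203.0.113.5"   # constructed client addresses
    flood = Counter(access(flooder, "www.abc.com")[1] for _ in range(flood_requests))
    return {
        "flood_outcomes": dict(flood),
        "a_records": dict(dns.a_records),
        "user_attacked_domain": access(user, "www.abc.com"),
        "user_other_domain": access(user, "www.example.org"),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Only the A record of www.abc.com changes, so the ordinary user is still redirected on both domains while the high-volume client is refused at the second jump server.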
Referring to FIG. 2, a flowchart of the steps of Embodiment 2 of a processing method for an access request according to the present application is shown, which may specifically include the following steps:
Step 201: The first jump server receives the access request of the client forwarded by the DNS server;
Step 202: The first jump server determines whether the access request of the client is an abnormal access; if yes, step 203 is performed; if not, step 204 is performed;
Step 203: Send a notification message to the DNS server, so that the access request of the client is forwarded to the second jump server for traffic cleaning;
Step 204: Jump the access request of the client to the specified page.
In an embodiment of the present application, the method may further include the following step:
Step 205: Send alarm information about the abnormal access through a preset interface.
In an embodiment of the present application, the access request of the client includes a source address, and step 201 may include the following sub-step:
Sub-step S11: The first jump server receives the access request sent by the client through the first jump address;
Wherein the first jump address is obtained by the DNS server, when it receives the access request of the client, by searching for the address record data corresponding to the source address, and the first jump address of the first jump server is recorded in the address record data.
In an embodiment of the present application, step 202 may include the following sub-steps:
Sub-step S21: Determine whether the traffic of the client's access requests exceeds a preset traffic threshold; if yes, sub-step S22 is performed; if not, sub-step S23 is performed;
Sub-step S22: Determine that the access request of the client is an abnormal access;
Sub-step S23: Determine that the access request of the client is a normal access.
In an embodiment of the present application, step 203 may include the following sub-step:
Sub-step S31: Send a notification message to the DNS server, notifying it to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server, so that the second jump address is sent to the client, the client accesses the second jump server, and traffic cleaning is performed on the access request.
In practical applications, for an access request that passes traffic cleaning, the second jump server performs jump access;
For an access request that fails traffic cleaning, the second jump server refuses jump access.
In an embodiment of the present application, step 204 may include the following sub-steps:
Sub-step S41: Search for the destination address corresponding to the source address;
Sub-step S42: Send the destination address to the client for loading, so as to display the specified page.
In the embodiments of the present application, a client's normal access through the DNS server is forwarded to the first jump server for jump access, and a client's abnormal access is forwarded to the second jump server for traffic cleaning. Defense is applied to individual accesses, so that while the security of the first jump server is ensured, other normal accesses are not affected, which reduces the error rate and improves efficiency.
在本申请实施例中,由于方法实施例2与方法实施例1的应用基本相似,所以描述 的比较简单,相关之处参见方法实施例1的部分说明即可,本申请实施例在此不加以详述。In the embodiment of the present application, since the method embodiment 2 is basically similar to the application of the method embodiment 1, the description is For a more detailed description, refer to the description of the method embodiment 1. The embodiment of the present application is not described in detail herein.
需要说明的是,对于方法实施例,为了简单描述,故将其都表述为一系列的动作组合,但是本领域技术人员应该知悉,本申请实施例并不受所描述的动作顺序的限制,因为依据本申请实施例,某些步骤可以采用其他顺序或者同时进行。其次,本领域技术人员也应该知悉,说明书中所描述的实施例均属于优选实施例,所涉及的动作并不一定是本申请实施例所必须的。It should be noted that, for the method embodiments, for the sake of simple description, they are all expressed as a series of action combinations, but those skilled in the art should understand that the embodiments of the present application are not limited by the described action sequence, because In accordance with embodiments of the present application, certain steps may be performed in other sequences or concurrently. In the following, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required in the embodiments of the present application.
Referring to FIG. 3, a structural block diagram of embodiment 1 of a processing apparatus for an access request according to the present application is shown. The apparatus is applied in a DNS server and may specifically include the following modules:
a first forwarding module 301, configured to, upon receiving a client's access request, forward the client's access request to the first jump server for jump access;
a notification message receiving module 302, configured to receive a notification message sent by the first jump server when it determines an abnormal access;
a second forwarding module 303, configured to forward the client's access request to the second jump server for traffic cleaning according to the notification message.
In an embodiment of the present application, the client's access request includes a source address;
the first forwarding module 301 may include the following sub-modules:
an address record data lookup sub-module, configured to look up the address record data corresponding to the source address, where the address record data records the first jump address of the first jump server;
a first jump address sending sub-module, configured to send the first jump address to the client, so that the destination address corresponding to the source address is obtained from the first jump server for loading.
In an embodiment of the present application, the second forwarding module 303 may include the following sub-modules:
an address record data modification sub-module, configured to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server;
a second jump address sending sub-module, configured to send the second jump address to the client, so that the client accesses the second jump server and traffic cleaning is performed on the access request.
In a specific implementation, the notification message is generated by the first jump server when it determines that the traffic of the client's access request exceeds a preset traffic threshold.
In practice, an access request that passes traffic cleaning is given jump access by the second jump server;
an access request that fails traffic cleaning is refused jump access by the second jump server.
Referring to FIG. 4, a structural block diagram of embodiment 2 of a processing apparatus for an access request according to the present application is shown. The apparatus is applied in a first jump server and may specifically include the following modules:
an access request receiving module 401, configured to receive a client's access request forwarded by the DNS server;
an abnormal access judging module 402, configured to determine whether the client's access request is an abnormal access; if so, the notification message sending module 403 is invoked; if not, the jump module 404 is invoked;
a notification message sending module 403, configured to send a notification message to the DNS server, so that the client's access request is forwarded to the second jump server for traffic cleaning;
a jump module 404, configured to jump the client's access request to the specified page.
In an embodiment of the present application, the apparatus may further include the following module:
an alarm module, configured to send alarm information about the abnormal access through a preset interface.
In an embodiment of the present application, the client's access request includes a source address, and the access request receiving module 401 may include the following sub-module:
an address access sub-module, configured to receive the access request sent by the client via the first jump address;
where the first jump address is obtained by the DNS server, upon receiving the client's access request, by looking up the address record data corresponding to the source address, and the address record data records the first jump address of the first jump server.
In an embodiment of the present application, the abnormal access judging module 402 may include the following sub-modules:
a traffic judging sub-module, configured to determine whether the traffic of the client's access request exceeds a preset traffic threshold; if so, the first determining sub-module is invoked; if not, the second determining sub-module is invoked;
a first determining sub-module, configured to determine that the client's access request is an abnormal access;
a second determining sub-module, configured to determine that the client's access request is a normal access.
In an embodiment of the present application, the notification message sending module 403 may include the following sub-module:
a notification sub-module, configured to send a notification message to the DNS server, instructing it to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server, so that the second jump address is sent to the client, which then accesses the second jump server, where traffic cleaning is performed on the access request.
In practice, an access request that passes traffic cleaning is given jump access by the second jump server;
an access request that fails traffic cleaning is refused jump access by the second jump server.
In an embodiment of the present application, the jump module 404 may include the following sub-modules:
a destination address lookup sub-module, configured to look up the destination address corresponding to the source address;
a destination address sending sub-module, configured to send the destination address to the client for loading, so as to display the specified page.
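The interaction between the DNS server, the first jump server and the second jump server described in the embodiments above can be traced end to end in a small simulation. This is an added example, not code from the patent: the addresses, host names, one-second window, both limits and the per-client cleaning rule are assumptions, since the text specifies only a "preset traffic threshold" and does not say how traffic cleaning decides.

```python
from collections import defaultdict, deque

# All addresses, names and limits below are constructed for illustration.
FIRST_JUMP = "198.51.100.10"    # first jump address
SECOND_JUMP = "198.51.100.20"   # second jump address (traffic cleaning)
DESTINATIONS = {                # source address -> destination address
    "shop.example": "https://shop.example/home",
    "blog.example": "https://blog.example/home",
}


class SlidingCounter:
    """Counts hits per key inside a sliding window (times in milliseconds)."""

    def __init__(self, window_ms):
        self.window_ms = window_ms
        self.hits = defaultdict(deque)

    def hit(self, key, now_ms):
        q = self.hits[key]
        q.append(now_ms)
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()
        return len(q)


class DnsServer:
    """Holds the address record data: source address -> current jump address."""

    def __init__(self, records):
        self.records = dict(records)

    def resolve(self, source):
        return self.records[source]

    def on_notification(self, source, new_jump_address):
        # Sub-step S31: rewrite the record so later lookups reach the second server.
        self.records[source] = new_jump_address


class FirstJumpServer:
    def __init__(self, dns, threshold, window_ms=1000):
        self.dns = dns
        self.threshold = threshold          # the "preset traffic threshold"
        self.counter = SlidingCounter(window_ms)
        self.alerts = []                    # stands in for the alarm interface

    def handle(self, source, client, now_ms):
        if self.counter.hit(source, now_ms) > self.threshold:
            # Abnormal access: raise the alarm and notify the DNS server.
            self.alerts.append((now_ms, source))
            self.dns.on_notification(source, SECOND_JUMP)
            return "notified", None
        # Normal access (sub-steps S41/S42): return the destination address.
        return "jump", DESTINATIONS[source]


class SecondJumpServer:
    def __init__(self, per_client_limit, window_ms=1000):
        self.per_client_limit = per_client_limit
        self.counter = SlidingCounter(window_ms)

    def handle(self, source, client, now_ms):
        # Assumed cleaning rule: a per-client rate limit. Requests that pass
        # are jumped to the destination; the rest are refused.
        if self.counter.hit((source, client), now_ms) > self.per_client_limit:
            return "rejected", None
        return "jump", DESTINATIONS[source]


def simulate():
    dns = DnsServer({name: FIRST_JUMP for name in DESTINATIONS})
    servers = {
        FIRST_JUMP: FirstJumpServer(dns, threshold=5),
        SECOND_JUMP: SecondJumpServer(per_client_limit=2),
    }
    # Constructed trace: (time in ms, client, source address).
    trace = [(t, "203.0.113.66", "shop.example") for t in range(0, 900, 100)]
    trace += [(900, "203.0.113.7", "shop.example"),
              (900, "203.0.113.7", "blog.example")]
    log = []
    for now_ms, client, source in trace:
        address = dns.resolve(source)   # DNS server hands out the jump address
        verdict, _destination = servers[address].handle(source, client, now_ms)
        log.append((now_ms, client, source, address, verdict))
    return log, dns.records, servers[FIRST_JUMP].alerts


if __name__ == "__main__":
    log, records, alerts = simulate()
    for entry in log:
        print(entry)
    print(records, alerts)
```

Real resolvers and clients cache the old record until its TTL expires, which the simulation ignores, so in a deployment the switch to the second jump address takes effect only as caches age out.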
Because the apparatus embodiments are basically similar to the method embodiments, they are described only briefly; for related details, refer to the corresponding description of the method embodiments.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, an apparatus, or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include non-persistent memory in a computer-readable medium, random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include persistent and non-persistent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, such that a series of operational steps is performed on the computer or other programmable terminal device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include", or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or terminal device that includes the element.
The processing method for an access request and the processing apparatus for an access request provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the idea of the present application, make changes to the specific implementations and the scope of application. In summary, the contents of this specification should not be construed as limiting the present application.

Claims (14)

  1. A processing method for an access request, characterized by comprising:
    a DNS server, upon receiving a client's access request, forwarding the client's access request to a first jump server for jump access;
    the DNS server receiving a notification message sent by the first jump server when it determines an abnormal access;
    the DNS server forwarding the client's access request to a second jump server for traffic cleaning according to the notification message.
  2. The method according to claim 1, characterized in that the client's access request includes a source address;
    the step of forwarding the client's access request to the first jump server for jump access comprises:
    looking up the address record data corresponding to the source address, where the address record data records the first jump address of the first jump server;
    sending the first jump address to the client, so that the destination address corresponding to the source address is obtained from the first jump server for loading.
  3. The method according to claim 2, characterized in that the step of forwarding the client's access request to the second jump server for traffic cleaning comprises:
    modifying the first jump address of the first jump server in the address record data to the second jump address of the second jump server;
    sending the second jump address to the client, so that the client accesses the second jump server and traffic cleaning is performed on the access request.
  4. The method according to claim 1, 2 or 3, characterized in that the notification message is generated by the first jump server when it determines that the traffic of the client's access request exceeds a preset traffic threshold.
  5. The method according to claim 1, 2 or 3, characterized in that
    an access request that passes traffic cleaning is given jump access by the second jump server;
    an access request that fails traffic cleaning is refused jump access by the second jump server.
  6. A processing method for an access request, characterized by comprising:
    a first jump server receiving a client's access request forwarded by a DNS server;
    the first jump server determining whether the client's access request is an abnormal access;
    if so, sending a notification message to the DNS server, so that the client's access request is forwarded to a second jump server for traffic cleaning;
    if not, jumping the client's access request to the specified page.
  7. The method according to claim 6, characterized by further comprising:
    sending alarm information about the abnormal access through a preset interface.
  8. A processing apparatus for an access request, characterized in that it is applied in a DNS server, the apparatus comprising:
    a first forwarding module, configured to, upon receiving a client's access request, forward the client's access request to a first jump server for jump access;
    a notification message receiving module, configured to receive a notification message sent by the first jump server when it determines an abnormal access;
    a second forwarding module, configured to forward the client's access request to a second jump server for traffic cleaning according to the notification message.
  9. The apparatus according to claim 8, characterized in that the client's access request includes a source address;
    the first forwarding module comprises:
    an address record data lookup sub-module, configured to look up the address record data corresponding to the source address, where the address record data records the first jump address of the first jump server;
    a first jump address sending sub-module, configured to send the first jump address to the client, so that the destination address corresponding to the source address is obtained from the first jump server for loading.
  10. The apparatus according to claim 9, characterized in that the second forwarding module comprises:
    an address record data modification sub-module, configured to modify the first jump address of the first jump server in the address record data to the second jump address of the second jump server;
    a second jump address sending sub-module, configured to send the second jump address to the client, so that the client accesses the second jump server and traffic cleaning is performed on the access request.
  11. The apparatus according to claim 8, 9 or 10, characterized in that the notification message is generated by the first jump server when it determines that the traffic of the client's access request exceeds a preset traffic threshold.
  12. The apparatus according to claim 8, 9 or 10, characterized in that
    an access request that passes traffic cleaning is given jump access by the second jump server;
    an access request that fails traffic cleaning is refused jump access by the second jump server.
  13. A processing apparatus for an access request, characterized in that it is applied in a first jump server, the apparatus comprising:
    an access request receiving module, configured to receive a client's access request forwarded by a DNS server;
    an abnormal access judging module, configured to determine whether the client's access request is an abnormal access; if so, the notification message sending module is invoked; if not, the jump module is invoked;
    a notification message sending module, configured to send a notification message to the DNS server, so that the client's access request is forwarded to a second jump server for traffic cleaning;
    a jump module, configured to jump the client's access request to the specified page.
  14. The apparatus according to claim 13, characterized by further comprising:
    an alarm module, configured to send alarm information about the abnormal access through a preset interface.
PCT/CN2016/097854 2015-09-11 2016-09-02 Processing method and device directed at access request WO2017041666A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510580405.1 2015-09-11
CN201510580405.1A CN106534051B (en) 2015-09-11 2015-09-11 Processing method and device for access request

Publications (1)

Publication Number Publication Date
WO2017041666A1 true WO2017041666A1 (en) 2017-03-16

Family

ID=58240568

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/097854 WO2017041666A1 (en) 2015-09-11 2016-09-02 Processing method and device directed at access request

Country Status (2)

Country Link
CN (1) CN106534051B (en)
WO (1) WO2017041666A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110597573A (en) * 2019-08-23 2019-12-20 贝壳技术有限公司 Warehouse entry request data processing method and device
CN112671664A (en) * 2020-12-04 2021-04-16 新浪网技术(中国)有限公司 CDN scheduling system and method based on refined scheduling
CN113840018A (en) * 2021-09-13 2021-12-24 支付宝(杭州)信息技术有限公司 DNS-based IPv6 drainage method, device and equipment
CN114024937A (en) * 2021-11-16 2022-02-08 北京天融信网络安全技术有限公司 DNS cache poisoning detection method and device
CN114900467A (en) * 2022-05-11 2022-08-12 融慧金科金融服务外包(北京)有限公司 API flow control method and device
CN115277599A (en) * 2022-06-16 2022-11-01 平安银行股份有限公司 Backflow method and device in current-limiting scene, computer equipment and storage medium
CN115292697A (en) * 2022-10-10 2022-11-04 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106941505A (en) * 2017-05-16 2017-07-11 成都迈瑞科科技有限公司 A kind of method and its system of defence ddos attacks
CN108881367B (en) * 2018-04-09 2021-03-05 创新先进技术有限公司 Service request processing method, device and equipment
CN111478876A (en) * 2019-01-24 2020-07-31 中国互联网络信息中心 DNS amplification attack detection method, system, storage medium and electronic equipment
CN110049065B (en) * 2019-05-21 2022-04-05 网易(杭州)网络有限公司 Attack defense method, device, medium and computing equipment of security gateway
CN111371866B (en) * 2020-02-26 2023-03-21 厦门网宿有限公司 Method and device for processing service request
CN115396516A (en) * 2022-08-26 2022-11-25 中国建设银行股份有限公司 Access request processing method, device, equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257502A (en) * 2008-01-31 2008-09-03 陈勇 Protecting server and network method
CN101902456A (en) * 2010-02-09 2010-12-01 北京启明星辰信息技术股份有限公司 Safety defense system of Website
CN102882892A (en) * 2012-10-26 2013-01-16 杭州迪普科技有限公司 Method and device for protecting DNS (Domain Name Server)
CN103051743A (en) * 2012-12-27 2013-04-17 茂名市群英网络有限公司 Domain name system (DNS) prevention system based on distributed hierarchy and method
US20140310811A1 (en) * 2013-04-11 2014-10-16 F-Secure Corporation Detecting and Marking Client Devices
CN104219335A (en) * 2013-05-30 2014-12-17 张大顺 A DNS request processing method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195843B (en) * 2010-03-02 2014-06-11 中国移动通信集团公司 Flow control system and method
US9083733B2 (en) * 2011-08-01 2015-07-14 Visicom Media Inc. Anti-phishing domain advisor and method thereof

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110597573A (en) * 2019-08-23 2019-12-20 贝壳技术有限公司 Warehouse entry request data processing method and device
CN112671664A (en) * 2020-12-04 2021-04-16 新浪网技术(中国)有限公司 CDN scheduling system and method based on refined scheduling
CN112671664B (en) * 2020-12-04 2022-08-19 新浪网技术(中国)有限公司 CDN scheduling system and method based on refined scheduling
CN113840018A (en) * 2021-09-13 2021-12-24 支付宝(杭州)信息技术有限公司 DNS-based IPv6 drainage method, device and equipment
CN114024937A (en) * 2021-11-16 2022-02-08 北京天融信网络安全技术有限公司 DNS cache poisoning detection method and device
CN114024937B (en) * 2021-11-16 2023-11-10 北京天融信网络安全技术有限公司 DNS cache poisoning detection method and device
CN114900467A (en) * 2022-05-11 2022-08-12 融慧金科金融服务外包(北京)有限公司 API flow control method and device
CN115277599A (en) * 2022-06-16 2022-11-01 平安银行股份有限公司 Backflow method and device in current-limiting scene, computer equipment and storage medium
CN115277599B (en) * 2022-06-16 2023-08-15 平安银行股份有限公司 Reflow method and device under current limiting scene, computer equipment and storage medium
CN115292697A (en) * 2022-10-10 2022-11-04 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis

Also Published As

Publication number Publication date
CN106534051A (en) 2017-03-22
CN106534051B (en) 2020-02-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16843604

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16843604

Country of ref document: EP

Kind code of ref document: A1