WO2018112878A1 - Token mechanism-based system and method for detecting and defending against cc attack - Google Patents


Info

Publication number: WO2018112878A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2016/111695
Other languages: French (fr), Chinese (zh)
Inventor: 覃武权
Original assignee: 深圳投之家金融信息服务有限公司
Application filed by 深圳投之家金融信息服务有限公司
Priority to PCT/CN2016/111695 (WO2018112878A1)
Priority to CN201680062168.2A (CN108476199A)
Publication of WO2018112878A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present invention also provides a method for detecting and defending against CC attacks based on a token mechanism, comprising the following steps:
  • Step 1: receive the user's HTTP request, read the configuration, and determine whether the detection function is enabled; if so, proceed to step 2.
  • Step 2: determine whether the user's access IP is on the whitelist or the blacklist. If it is on neither, determine whether CC defense is enabled; if not, allow access, otherwise proceed to step 3.
  • Step 2 specifically comprises the following steps:
  • Step 201: determine whether the access IP is on the whitelist; if so, allow access, otherwise proceed to step 202.
  • Step 202: determine whether the access IP is on the blacklist; if so, reject the request, otherwise proceed to the next step.
  • Step 203: determine whether CC defense is enabled; if not, allow access, otherwise proceed to step 3.
  • Step 3: determine whether the header of the HTTP request contains a token. If it does, verify whether the token matches the registered one: if it matches, allow access, otherwise redirect the user's HTTP request to the originally requested URL. If the header contains no token, proceed to step 4. In step 3, when the token does not match the registered one, determine whether the number of failed verifications exceeds a threshold; if so, add the access IP to the blacklist, otherwise redirect the user's HTTP request to the originally requested URL.
  • In step 3, verifying whether the token matches the registered one specifically comprises the following step:
  • extract the token's information from the token information database and compare it with the token in the header of the user's HTTP request.
  • Step 4: allocate a token to the user and redirect the user's HTTP request to the originally requested URL; the token comprises a token script code and a token identification code.
  • Step 4 specifically comprises the following steps:
  • Step 401: the token allocation unit sends a request to the token management unit to apply for a token, and sends the unique random User ID allocated to the visiting user to the token management unit.
  • Step 402: the token management unit extracts a token template from the token template library and generates the corresponding token script code and token identification code from the random User ID and the template.
  • Step 403: the token information is sent to the token information database for storage.
  • The token identification code is a string of digits or letters: a random code allocated by the defense system, on the server side, to the access terminal. It forms a pair with the token script code and can be computed from that script.
  • The token script code is a script for generating the token identification code. The defense system allocates the script to the access terminal, which computes the token identification code from it. During the access the defense system delivers the token script code, the access terminal computes the token identification code by running it and carries the code in the header of its next HTTP request, and the defense system checks whether the submitted token identification code matches the expected one, thereby deciding whether the access terminal may continue.
  • The result of a successful computation is the token identification code, and whether the client can produce it tells the defense system whether it is a browser or an attack program.
  • The intent of this design is to confirm that the client accessing the protected website is an ordinary browser user rather than a program carrying attack instructions.
  • A user reaches the website through a browser, and a browser executes the token script code with ease (running scripts is what a browser does), obtaining the token identification code from it.
  • An attack program, by contrast, would have to be extended with software that runs the script code, which the patent argues is extremely costly for the attacker; the goal of defending against the attacker is thereby achieved.
  • The script code uses JavaScript syntax; the browser evaluates it and the result is the token identification code. The patent's sample script is:
  • var token = (parseInt(codeTable.substr(1,2))*2000+((10+parseInt(codeTable.substr(7,1))*54))*3+20000000;
  • The user's first HTTP request, which carries no token, has a header such as:
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
  • The token detection unit does not find the expected token identification code in this HTTP request, returns a 302 redirect, and makes the user terminal request the token allocation unit at http://www.example.com/cc_code_assign; the HTTP packet header includes:
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
  • After receiving the request, the token allocation unit prepares the pair {token identification code, token script code}, and its HTTP response header contains:
  • Cookie CC_TOKEN_SCRIPT (this line carries the issued token script code)
  • The user terminal takes CC_TOKEN_SCRIPT from the HTTP response obtained from the token allocation unit; this is the token script code allocated by the defense system, which after URL decoding is the script shown above. The terminal executes it, obtains the token identification code, and sends its next request with a header such as:
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
  • The token detection unit reads the CC_TOKEN_CODE item from this HTTP request and finds it consistent with the previously allocated value, so access to the protected back-end system is permitted.

Abstract

Disclosed are a token mechanism-based system and method for detecting and defending against a Challenge Collapsar (CC) attack, comprising a token detection unit, a token allocation unit, a defense configuration unit and a token management unit. The defense configuration unit reads the configuration and issues a configuration instruction to the token detection unit; the token allocation unit applies to the token management unit for a token and allocates it to the requesting user, the allocated token comprising a token script code; the token detection unit responds to the configuration command issued by the defense configuration unit and determines whether to enable the detection function; and the token management unit responds to requests from the token allocation unit and the token detection unit. The invention can detect and defend against a CC attack immediately, on its first occurrence.

Description

System and method for detecting and defending against CC attacks based on a token mechanism

Technical field
The present invention relates to the field of network security, and in particular to a system and method, based on a token mechanism, for detecting and defending against CC attacks, used to implement secure web access.
Background
In the prior art, a CC attack usually cannot be stopped the first time it occurs: the attack has to happen and the defense system has to collect some information before it reacts, so only the second attack can be stopped. With a defense method based on behavioral statistics even more attacks must be endured, that is, several attacks have to be tolerated before the defense system recognizes the attacker.
Summary of the invention
The present invention proposes a system and method for detecting and defending against CC attacks based on a token mechanism, which can detect and stop a CC attack immediately, at its first occurrence.
The technical solution of the present invention is implemented as follows:
A system for detecting and defending against CC attacks based on a token mechanism comprises a token detection unit, a token allocation unit, a defense configuration unit and a token management unit. The defense configuration unit reads the configuration and issues configuration instructions to the token detection unit; the token allocation unit applies to the token management unit for a token and allocates it to the requesting user, the allocated token comprising a token script code; the token detection unit responds to the configuration command issued by the defense configuration unit and decides whether to enable the detection function; and the token management unit responds to requests from the token allocation unit and the token detection unit.
Further, the token comprises a token identification code and a token script code; the token identification code is a string of digits or letters, and the token script code is a script for generating the token identification code, from which the user's access terminal can compute the token identification code.
Further, the system comprises a token information database, which allocates a unique random User ID to each visiting user and stores, in the row for each User ID, the information of the corresponding token: the token identification code, the token script code and the token creation time.
Further, the configuration read by the defense configuration unit comprises three items: a blacklist, a whitelist and a detection-enabled switch. The blacklist is the set of user access IPs that never pass detection, the whitelist is the set of user access IPs that always pass detection, and the switch determines whether blacklist and whitelist detection is enabled; if it is not, user access requests are forwarded directly to the protected service system.
A method for detecting and defending against CC attacks based on a token mechanism comprises the following steps:
Step 1: receive the user's HTTP request, read the configuration, and determine whether the detection function is enabled; if so, proceed to step 2.
Step 2: determine whether the user's access IP is on the whitelist or the blacklist. If it is on neither, determine whether CC defense is enabled; if not, allow access, otherwise proceed to step 3.
Step 3: determine whether the header of the HTTP request contains a token. If it does, verify whether the token matches the registered one: if it matches, allow access, otherwise redirect the user's HTTP request to the originally requested URL. If the header contains no token, proceed to step 4.
Step 4: allocate a token to the user and redirect the user's HTTP request to the originally requested URL; the token comprises a token script code and a token identification code.
Further, step 2 specifically comprises the following steps:
Step 201: determine whether the access IP is on the whitelist; if so, allow access, otherwise proceed to step 202.
Step 202: determine whether the access IP is on the blacklist; if so, reject the request, otherwise proceed to the next step.
Step 203: determine whether CC defense is enabled; if not, allow access, otherwise proceed to step 3.
Further, in step 3, if the token does not match the registered one, determine whether the number of failed verifications exceeds a threshold; if so, add the access IP to the blacklist, otherwise redirect the user's HTTP request to the originally requested URL.
Further, step 4 specifically comprises the following steps:
Step 401: the token allocation unit sends a request to the token management unit to apply for a token, and sends the unique random User ID allocated to the visiting user to the token management unit.
Step 402: the token management unit extracts a token template from the token template library and generates the corresponding token script code and token identification code from the random User ID and the template.
Step 403: the token information is sent to the token information database for storage.
Further, the token identification code is a string of digits or letters, the token script code is a script for generating the token identification code, and the user's access terminal can compute the token identification code from the token script code.
Further, in step 3, verifying whether the token matches the registered one specifically comprises the following step:
extract the token's information from the token information database and compare it with the token in the header of the user's HTTP request.
The beneficial effect of the invention is that a user must carry a token to gain access, and the token includes a token script code, that is, a piece of code, which a CC attacker cannot easily obtain, so that the CC attack is detected and defended against immediately.
Drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic block diagram of a system for detecting and defending against CC attacks based on a token mechanism according to the present invention;
FIG. 2 is a flowchart of a method for detecting and defending against CC attacks based on a token mechanism according to the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
如图1所示,本发明提出了一种基于令牌机制的检测和防御CC攻击的系统,包括令牌检测单元、令牌分配单元、防御配置单元和令牌管理单元,防御配置单元用于读取配置,向令牌检测单元下发配置指令;令牌分配单元用于向令牌管理单元申请令牌,分配给发出请求的用户,令牌分配单元分配的令牌包括令牌脚本代码;令牌检测单元用于响应防御配置单元下发的配置命令,决定是否启用检测功能,如果不开启,则直接将用户请求转发到后端的受保护业务系统;如果开启,则先判断用户来访IP,如果处于白名单中则可通行,如果处于黑名单中则直接拒绝,否则需要验证令牌。此时会先判断请求的HTTP包头中是否存在令牌,如果不存在,则将请求重定向到令牌分配单元,否则向令牌管理单元请求验证令牌是否合法,如果不合法则拒绝,否则将请求转发到后端受保护的业务系统;令牌管理单元用于响应令牌分配单元及令牌检测单元的请求,当令牌分配单元向令牌管理单元申请令牌,则记录下令牌分配单元提交过来的来访用户的全局唯一的随机UserID,然后从实现准备好的令牌模板库抽取令牌模板,结合UserID和令牌模板,生成具体的令牌脚本代码与令牌识别码(类比于题目跟答案),并记录到令牌信息数据库中备查。当令牌检测单元向令牌管理单元请求验证令牌是否合法,则根据UserID与令牌识别,在令牌信息数据库中,当初分配的令牌信息比对是否一致,并返回比对结果。As shown in FIG. 1 , the present invention provides a system for detecting and defending against CC attacks based on a token mechanism, including a token detecting unit, a token assigning unit, a defense configuration unit, and a token management unit, and the defense configuration unit is used for Reading the configuration, sending a configuration instruction to the token detecting unit; the token assigning unit is configured to apply for a token to the token management unit, and allocate the token to the requesting user, and the token assigned by the token assigning unit includes the token script code; The token detection unit is configured to determine whether to enable the detection function in response to the configuration command issued by the defense configuration unit, and if not, directly forward the user request to the protected service system of the back end; if enabled, determine the user to visit the IP first. If it is in the whitelist, it can pass. If it is in the blacklist, it will be rejected directly. Otherwise, the token needs to be verified. At this point, it will first determine whether there is a token in the HTTP header of the request. If it does not exist, the request is redirected to the token allocation unit. Otherwise, the token management unit is requested to verify whether the token is legal. If it is not legal, it will be rejected. Otherwise, it will be rejected. 
The request is forwarded to the backend protected service system; the token management unit is configured to respond to the request of the token allocation unit and the token detecting unit, and when the token assigning unit requests the token from the token management unit, the token allocation is recorded The global unique random UserID of the visiting user submitted by the unit, and then extracts the token template from the implemented token template library, and combines the UserID and the token template to generate a specific token script code and token identifier (analog The title and answer), and recorded in the token information database for reference. When the token detecting unit requests the token management unit whether the verification token is legal, according to the UserID and the token identification, in the token information database, whether the originally assigned token information is consistent, and returns the comparison result.
The token consists of a token identification code and token script code. The token identification code is a string of digits or letters; the token script code is a script used to generate the token identification code, and the user's access terminal obtains the identification code by evaluating the script. Because the token is a pair of identification code and script code rather than a bare identification code, the identification code is never transmitted directly over the network, which improves the effectiveness of the defense against CC attacks.
The system further comprises a token information database, which assigns a unique random User ID to each visiting user and stores, for each User ID row, the information of the corresponding token, including the token identification code, the token script code and the token creation time.
The configuration read by the defense configuration unit comprises three items: the blacklist, the whitelist and whether detection is enabled. The blacklist is the set of user access IPs that always fail detection (for example, IPs already confirmed to be attack sources); the whitelist is the set of user access IPs that always pass detection (for example, search engine crawlers or trusted IPs exempted from checking). The detection-enabled setting determines whether blacklist and whitelist detection is performed; if it is off, the user's access request is forwarded to the protected service system, i.e. the access is allowed.
The invention can defend against a CC attack from the very first request because the idea of browser redirection is introduced into the defense system: on the first visit, which carries no token identification code, the token detecting unit makes the user terminal perform a 302 redirect to the token assigning unit; after the token script code has been obtained, a second 302 redirect sends the terminal back to the token detecting unit.
The token script code is a piece of code (more specifically, a piece of JavaScript) that must be evaluated to obtain the token identification code. This computation is complicated for an attack program but trivial for a browser, which achieves the goal of defending against the attacker.
As shown in FIG. 2, the present invention also provides a method for detecting and defending against CC attacks based on a token mechanism, which specifically comprises the following steps:
Step 1: receive the user's HTTP request, read the configuration and determine whether the detection function is enabled; if so, proceed to step 2.
Step 2: determine whether the user's access IP belongs to the whitelist or the blacklist; if not, determine whether CC defense is enabled; if not, allow the user access, otherwise proceed to step 3.
Step 2 specifically comprises the following steps:
Step 201: determine whether the user's access IP belongs to the whitelist; if so, allow the user access; if not, proceed to step 202.
Step 202: determine whether the user's access IP belongs to the blacklist; if so, deny the user access; if not, proceed to the next step.
Step 203: determine whether CC defense is enabled; if not, allow the user access, otherwise proceed to step 3.
Step 3: determine whether the HTTP request packet header contains a token. If so, verify whether the token is consistent with the registered one; if consistent, allow the user access, otherwise redirect the user's HTTP request to the original request URL. If the HTTP request packet header does not contain a token, proceed to step 4. In step 3, if the token is inconsistent with the registered one, determine whether the number of verification attempts exceeds the threshold; if so, add the user's access IP to the blacklist, otherwise redirect the user's HTTP request to the original request URL.
In step 3, verifying whether the token is consistent with the registered one specifically comprises the following step:
extracting the token's information from the token information database and comparing it with the token in the header of the user's HTTP request packet.
Step 4: assign a token to the user and redirect the user's HTTP request to the original request URL; the token includes the token script code and the token identification code.
Step 4 specifically comprises the following steps:
Step 401: the token assigning unit sends a request to the token management unit to apply for a token, and sends the unique random User ID assigned to the visiting user to the token management unit.
Step 402: the token management unit extracts a token template from the token template library and, based on the random User ID and the token template, generates the corresponding token script code and token identification code.
Step 403: send the token's information to the token information database for storage.
The token identification code is a string of digits or letters: a random code that the defense system assigns to the access terminal on the server side. This random code forms a pair with the token script code and can be computed from it. The token script code is a script for generating the token identification code, assigned to the access terminal by the defense system; the access terminal obtains the identification code by evaluating the script. During the access process, what the defense system delivers is the token script code. The access terminal evaluates the token script code to obtain the token identification code, then carries the identification code in the HTTP header of its request; the defense system checks whether the submitted identification code matches the expected one and thereby decides whether the access terminal may continue.
The user is given a piece of script code, and only the result of running it successfully is the token identification code; in this way the system distinguishes a browser from an attack program. The intent of this design is to confirm that the client accessing the protected website is an ordinary browser user rather than a program carrying attack instructions. An ordinary user accesses the website through a browser, and the browser can easily execute the token script code (that is exactly what a browser does) to obtain the token identification code. An attack program, by contrast, would need purpose-built software to run the delivered script code, which is extremely costly for the attacker. The goal of defending against the attacker is therefore achieved.
A specific example of the token script code is as follows:
var codeTable="1234567890";
var token=(parseInt(codeTable.substr(1,2))*2000+((10+parseInt(codeTable.substr(7,1)))*54))*3+20000000;
This script is JavaScript, and the result computed by the browser terminal is the token identification code:
20140916
Take a user's first visit to the website as an example: several exchanges are needed before the protected site can be reached.
(1) On the first visit, the request is sent to the token detecting unit without a token identification code. The HTTP request is as follows:
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
The token detecting unit does not find the expected token identification code in the HTTP request, so it returns a 302 redirect that makes the user terminal request the token assigning unit at http://www.example.com/cc_code_assign. The HTTP response is as follows:
HTTP/1.1 302 Moved Temporarily
Server: TZJ/1.0
Date: Mon, 18 Jul 2016 14:09:37 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.3
Content-Encoding: gzip
Location: http://www.example.com/cc_code_assign
(2) The client follows the redirect and requests the token assigning unit. The HTTP request is:
GET /cc_code_assign HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
After receiving the request, the token assigning unit prepares the pair {token identification code, token script code}, where
● token identification code = 20140916
● token script code =
var+codeTable+%3d+%26quot%3b1234567890%26quot%3b%3bvar+token+%3d+(parseInt(codeTable.substr(1%2c+2))*2000+%2b+((10%2bparseInt(codeTable.substr(7%2c+1)))*54))*3%2b20000000%3b
This pair is stored in the token information database, and the token script code is returned to the client in the response. The returned HTTP response is again a 302 redirect, instructing the terminal to go to the token detecting unit. The HTTP header is:
HTTP/1.1 302 Moved Temporarily
Server: TZJ/1.0
Date: Mon, 18 Jul 2016 14:09:37 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.3
Content-Encoding: gzip
Location: http://www.example.com/
Cookie: CC_TOKEN_SCRIPT=var+codeTable+%3d+%26quot%3b1234567890%26quot%3b%3bvar+token+%3d+(parseInt(codeTable.substr(1%2c+2))*2000+%2b+((10%2bparseInt(codeTable.substr(7%2c+1)))*54))*3%2b20000000%3b
Note: the Cookie: CC_TOKEN_SCRIPT line is the line that delivers the token script code.
(3) The user terminal takes CC_TOKEN_SCRIPT from the HTTP packet obtained from the token assigning unit; this is the token script code assigned by the defense system, and after URL decoding it yields the code:
var codeTable="1234567890";
var token=(parseInt(codeTable.substr(1,2))*2000+((10+parseInt(codeTable.substr(7,1)))*54))*3+20000000;
This is JavaScript; running it yields 20140916. That result is then used as the token identification code and carried in the HTTP request to the defense system:
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Cookie: CC_TOKEN_CODE=20140916
The defense detecting unit obtains the CC_TOKEN_CODE item from the HTTP request, compares it with the previously assigned value and, finding them consistent, permits access to the protected back-end system.
The above is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (10)

  1. A system for detecting and defending against CC attacks based on a token mechanism, characterized in that it comprises a token detecting unit, a token assigning unit, a defense configuration unit and a token management unit, wherein the defense configuration unit is configured to read the configuration and issue configuration instructions to the token detecting unit; the token assigning unit is configured to apply to the token management unit for a token and assign it to the requesting user, the token assigned by the token assigning unit including token script code; the token detecting unit is configured to decide, in response to the configuration command issued by the defense configuration unit, whether to enable the detection function; and the token management unit is configured to respond to requests from the token assigning unit and the token detecting unit.
  2. The system for detecting and defending against CC attacks based on a token mechanism according to claim 1, characterized in that the token comprises a token identification code and token script code, the token identification code being a string of digits or letters, and the token script code being a script for generating the token identification code, such that a user access terminal can obtain the token identification code by evaluating the token script code.
  3. The system for detecting and defending against CC attacks based on a token mechanism according to claim 2, characterized in that it further comprises a token information database, configured to assign a unique random User ID to each visiting user and to store, for each User ID row, the information of the corresponding token, including the token identification code, the token script code and the token creation time.
  4. The system for detecting and defending against CC attacks based on a token mechanism according to claim 1, characterized in that the configuration read by the defense configuration unit comprises three items, namely a blacklist, a whitelist and whether detection is enabled, the blacklist being the set of user access IPs that always fail detection, the whitelist being the set of user access IPs that always pass detection, and the detection-enabled setting being used to determine whether blacklist and whitelist detection is performed; if not, the user access request is forwarded to the protected service system.
  5. A method for detecting and defending against CC attacks based on a token mechanism, characterized in that it specifically comprises the following steps:
    Step 1: receive the user's HTTP request, read the configuration and determine whether the detection function is enabled; if so, proceed to step 2;
    Step 2: determine whether the user's access IP belongs to the whitelist or the blacklist; if not, determine whether CC defense is enabled; if not, allow the user access, otherwise proceed to step 3;
    Step 3: determine whether the HTTP request packet header contains a token; if so, verify whether the token is consistent with the registered one, and if consistent, allow the user access, otherwise redirect the user's HTTP request to the original request URL; if the HTTP request packet header does not contain a token, proceed to step 4;
    Step 4: assign a token to the user and redirect the user's HTTP request to the original request URL, the token including token script code and a token identification code.
  6. The method for detecting and defending against CC attacks based on a token mechanism according to claim 5, characterized in that step 2 specifically comprises the following steps:
    Step 201: determine whether the user's access IP belongs to the whitelist; if so, allow the user access; if not, proceed to step 202;
    Step 202: determine whether the user's access IP belongs to the blacklist; if so, deny the user access; if not, proceed to the next step;
    Step 203: determine whether CC defense is enabled; if not, allow the user access, otherwise proceed to step 3.
  7. The method for detecting and defending against CC attacks based on a token mechanism according to claim 5, characterized in that in step 3, if the token is inconsistent with the registered one, it is determined whether the number of verification attempts exceeds a threshold; if so, the user's access IP is added to the blacklist, otherwise the user's HTTP request is redirected to the original request URL.
  8. The method for detecting and defending against CC attacks based on a token mechanism according to claim 5, characterized in that step 4 specifically comprises the following steps:
    Step 401: the token assigning unit sends a request to the token management unit to apply for a token, and sends the unique random User ID assigned to the visiting user to the token management unit;
    Step 402: the token management unit extracts a token template from the token template library and, based on the random User ID and the token template, generates the corresponding token script code and token identification code;
    Step 403: the token's information is sent to the token information database for storage.
  9. The method for detecting and defending against CC attacks based on a token mechanism according to claim 8, characterized in that the token identification code is a string of digits or letters, the token script code is a script for generating the token identification code, and the user access terminal can obtain the token identification code by evaluating the token script code.
  10. The method for detecting and defending against CC attacks based on a token mechanism according to claim 8, characterized in that in step 3, verifying whether the token is consistent with the registered one specifically comprises the following step:
    extracting the token's information from the token information database and comparing it with the token in the header of the user's HTTP request packet.
PCT/CN2016/111695 2016-12-23 2016-12-23 Token mechanism-based system and method for detecting and defending against cc attack WO2018112878A1 (en)

Publications (1)

Publication Number Publication Date
WO2018112878A1 true WO2018112878A1 (en) 2018-06-28

Also Published As

Publication number Publication date
CN108476199A (en) 2018-08-31


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16924836

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC , EPO FORM 1205A DATED 15.10.19.

122 Ep: pct application non-entry in european phase

Ref document number: 16924836

Country of ref document: EP

Kind code of ref document: A1