WO2024156236A1 - Slow attack identification method and apparatus, electronic device and storage medium - Google Patents
- Publication number: WO2024156236A1 (PCT application PCT/CN2023/139654)
- Authority: WO (WIPO, PCT)
- Prior art keywords: request, slow attack, data packet, network system, slow
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- the present application belongs to the field of network communication technology, and in particular, relates to a slow attack identification method, device, electronic device and storage medium.
- slow attacks are a type of attack that is more difficult to defend against.
- Slow attacks mainly refer to maintaining a connection with the network system through a small amount of data and a low rate, thereby consuming the resources of the network system.
- Chinese patent CN109040140A discloses a slow attack detection method and device.
- the defense against slow attacks in that patent mainly consists of identifying and intercepting them at the application layer of the network system.
- the present application provides a slow attack identification method, device, electronic device and storage medium, aiming to solve the problem that identifying slow attacks at the application layer occupies a large share of the application layer's resources.
- the present application provides a slow attack identification method, which is applied to a network system, comprising:
- the transport layer of the network system determines the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and determines the request as a slow attack request when the data packet corresponding to the request includes the slow attack data packet.
- the present application provides a slow attack identification device, which is applied to a network system, comprising:
- a receiving module used for receiving a data packet corresponding to a request;
- an identification module used at the transport layer of the network system to determine the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and to determine the request as a slow attack request when the data packets corresponding to the request include the slow attack data packet.
- the present application provides an electronic device, including: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above-mentioned slow attack identification method when executing the program.
- the present application provides a readable storage medium, when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to execute the above-mentioned slow attack identification method.
- the data packets that meet the preset slow attack conditions are determined as slow attack data packets at the transport layer of the network system, and the requests including slow attack data packets are determined as slow attack requests at the transport layer of the network system. That is to say, the identification of slow attack data packets and slow attack requests is completed at the transport layer of the network system; there is no need to identify slow attack requests at the application layer, and the application layer does not need to parse protocols, so the identification of slow attacks does not occupy the resources of the application layer and the application layer has higher processing performance for applications. Moreover, the transport layer sits in front of the application layer on the receive path, so the slow attack is recognized at the transport layer before it reaches the application.
- early identification helps to protect against slow attacks as early as possible, ensuring the resource utilization of back-end application services.
- it eliminates the need for each back-end application service to identify slow attacks one by one, greatly reducing the workload of operation and maintenance.
- FIG1 is a flowchart of a method for identifying a slow attack provided by an embodiment of the present application
- FIG2 is a flowchart of another method for identifying a slow attack provided by an embodiment of the present application.
- FIG3 is a structural diagram of a slow attack identification device provided in an embodiment of the present application.
- FIG4 shows a schematic diagram of a partial architecture of a network system provided in an embodiment of the present application.
- FIG5 shows a schematic diagram of an initialization process of a network system provided in an embodiment of the present application
- FIG6 shows a schematic diagram of a process flow of a slow attack on a network system provided in an embodiment of the present application
- FIG. 7 is a structural diagram of an electronic device provided in an embodiment of the present application.
- FIG1 is a flowchart of a method for identifying a slow attack provided by an embodiment of the present application.
- the method is applied to a network system.
- the network model of the network system can be a seven-layer model (Open System Interconnection, OSI) or a four-layer model.
- the seven-layer model is from bottom to top: physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.
- the four-layer model is from bottom to top: link layer, network layer, transport layer, and application layer.
- Slow read attack means that the attacker sends a complete request to the network system after establishing a link, and then keeps the link, reading the response at a very low speed or making the network system mistakenly believe that the client is busy, so as to consume the link and memory resources of the network system.
- Slow headers attack means that the attacker initiates an HTTP (Hyper Text Transfer Protocol) request to the network system, continuously sending HTTP headers, and the network system needs to receive all HTTP headers before processing, thus consuming the link and memory resources of the network system.
- Slow body attack means that the attacker sends an HTTP POST request, indicating that a large amount of data is to be sent. At this time, the network system will maintain the link and prepare to receive data, but the attacking client only sends a small amount of data each time, thereby consuming the link and memory resources of the network system.
- the method may include the following steps.
- Step 101 Receive a data packet corresponding to a request.
- the network system can provide network data services, and each client can send a data packet corresponding to the request to the network system.
- the data packet corresponding to the request is used to request the network system for network data services.
- the number of data packets corresponding to the request is not specifically limited.
- Step 102 The transport layer of the network system determines the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and determines the request as a slow attack request when the data packet corresponding to the request includes the slow attack data packet.
- the transport layer of the network system determines the request as a slow attack request when the data packets corresponding to the request include at least one slow attack data packet.
- the network system includes a thread-based application service Apache, and an application service Httpd.
- the network system also includes an event-based application service Nginx, and an application service lighttpd.
- the network system also includes other application services, such as the application service Flask and the application service Gin.
- each application service, such as Apache, Httpd, Nginx, lighttpd, Flask, Gin and so on, would need to identify slow attacks separately, and each of these application services would also need to be upgraded and changed as slow attacks evolve, which makes the operation and maintenance workload very large.
- the present application realizes the identification of slow attack data packets and slow attack requests at the transport layer of the network system, that is, the identification of slow attacks is realized at the transport layer of the network system, and there is no need to identify slow attacks at the application layer, and the application layer does not need to parse protocols, etc., and then the identification of slow attacks does not need to occupy the resources of the application layer, so that the application layer has higher processing performance for the application.
- the transport layer sits in front of the application layer on the receive path, and the identification of slow attacks is realized at the transport layer.
- early identification helps to protect as early as possible, ensuring the resource utilization of the back-end application services.
- it eliminates the need for each application at the back end to identify slow attacks one by one, greatly reducing the workload of operation and maintenance.
- the transport layer here may be the transport layer in a seven-layer model of a network system, or may be the transport layer in a four-layer model, etc., and there is no specific limitation on this.
- determining the slow attack data packet in the aforementioned step 102 may include at least one of the following sub-steps.
- Sub-step 1021 The transport layer of the network system determines each of the consecutive data packets as a slow attack data packet when each of the consecutive data packets is a small data packet and the first total number of the consecutive data packets is greater than or equal to a first preset number; a small data packet is a data packet whose length is less than or equal to a preset length.
- the preset length here can be determined according to actual needs.
- the preset length here can be 50 bytes, or the preset length here can be 60 bytes, etc.
- the transport layer of the network system determines the continuous data packets or continuous small data packets as slow attack data packets, regardless of whether the continuous data packets are from the same request or not, as long as the continuous data packets received are all small data packets, and the first total number of the continuous data packets or continuous small data packets is greater than or equal to the first preset number.
- This is equivalent to the client sending only a small amount of data each time, thereby consuming the link and memory resources of the network system, and the continuous data packets or continuous small data packets are all slow attack data packets.
- the size of the first preset number is determined according to actual needs.
- the first preset number is greater than or equal to 3, and the size of the first preset number is set appropriately, so that slow attack data packets can be more accurately identified.
- the transport layer of the network system does not care whether the consecutive data packets are from the same request, as long as the consecutive data packets received are all small data packets, and the first total number of consecutive data packets or consecutive small data packets is greater than or equal to 3, then the consecutive data packets or consecutive small data packets are all slow attack data packets.
- for example, the first preset number is 3. If the network system receives 4 small data packets consecutively, then the first total number of consecutive data packets or consecutive small data packets is 4. Since 4 is greater than 3, the transport layer of the network system determines the 4 consecutive data packets or 4 consecutive small data packets as slow attack data packets.
- Sub-step 1022 The transport layer of the network system determines both adjacent data packets as slow attack data packets when the interval between the reception times of two adjacent data packets corresponding to the same request is greater than or equal to a preset time length.
- when the interval between adjacent data packets of a request is long, the network system needs to keep the connection for that request open for a longer time in order to receive each of its data packets, which can make the network system mistakenly believe that the client is very busy and consumes the connection and memory resources of the network system.
- therefore, the transport layer of the network system determines the two adjacent data packets as slow attack data packets.
- the preset time length can be set according to actual needs.
- the preset time length is greater than or equal to 120 seconds, which is more appropriate and can more accurately identify slow attack data packets.
- the preset duration is 120 seconds.
- for request A, the network system receives a data packet at 13:20:20 on December 20, 2022, and then receives the next data packet at 13:22:40 on December 20, 2022. The interval between the reception times of these two adjacent data packets is 140 seconds, which is greater than or equal to the preset duration of 120 seconds.
- the transport layer of the network system therefore determines the two adjacent data packets of request A as slow attack data packets.
- Sub-step 1023 The transport layer of the network system determines the SYN packet as a slow attack packet when the window value in the SYN packet corresponding to the request is less than or equal to the preset window value.
- the SYN packet is the first packet, or header, of a Transmission Control Protocol (TCP) connection. It is the handshake signal used when TCP/IP (Transmission Control Protocol/Internet Protocol) establishes a connection.
- when a normal TCP network connection is established between the client and the network system, the client first sends a SYN message or SYN packet, the network system replies with a SYN+ACK response to indicate that it has received the message, and finally the client responds with an ACK message. In this way a reliable TCP connection is established between the client and the network system, and data can be passed between them.
- the window value in the SYN packet can be obtained from the header of the SYN packet.
- when the window value in the SYN packet corresponding to the request is less than or equal to the preset window value, the network system can only transmit data to the client at a very low bit rate, which will make the network system mistakenly believe that the client is very busy, consuming the link and memory resources of the network system. Therefore, the transport layer of the network system determines the SYN packet as a slow attack packet.
- the preset window value here is determined according to actual needs, and is not specifically limited in the embodiments of the present application.
- the preset window value may be 512 bytes.
- for example, the preset window value is 512 bytes and the window value in the SYN data packet corresponding to the request is 400 bytes, which is smaller than the preset window value of 512 bytes. Then, the transport layer of the network system determines the SYN data packet as a slow attack data packet.
- Sub-step 1024 the transport layer of the network system determines each consecutive data packet as a slow attack data packet when each consecutive data packet is a zero window data packet and the second total number of the consecutive data packets is greater than or equal to a second preset number; the window value in the zero window data packet is 0.
- a zero window data packet is a data packet whose window value is 0. When the data packets received by the network system are zero window data packets, the network system can only transmit data to the client at a very low bit rate, or must wait for a period of time before transmitting data to the client; therefore, the transport layer of the network system determines such consecutive data packets as slow attack data packets.
- the second preset number here can be determined according to actual needs.
- the second preset number is greater than or equal to 4, and the size of the second preset number is set appropriately, so that slow attack data packets can be more accurately identified.
- the transport layer of the network system does not care whether the consecutive data packets are from the same request, as long as the consecutive data packets received are all zero window data packets, and the second total number of consecutive data packets or consecutive zero window data packets is greater than or equal to 4, then the consecutive data packets or consecutive zero window data packets are all slow attack data packets.
- the second preset number is 4. If the network system receives 4 consecutive zero-window data packets, the second total number of consecutive data packets or consecutive zero-window data packets is 4, and 4 is equal to the second preset number. Then, the transport layer of the network system will determine the 4 consecutive data packets or 4 consecutive zero-window data packets as slow attack data packets.
- a load balancer is provided at the transport layer of the network system, and the above step 102 is implemented by the load balancer.
- a load balancer is provided at the transport layer of the network system, which can improve the performance of the network system.
- the type of the load balancer is not specifically limited.
- the load balancer can be a DPVS load balancer developed based on DPDK.
- the method may further include: when the request is not a slow attack request, the transport layer of the network system releases the data packet corresponding to the request. That is, when the request is not a slow attack request, the data packet corresponding to the request is forwarded or processed normally, ensuring the normal forwarding and processing of data packets.
- FIG2 is a flowchart of the steps of another slow attack identification method provided in an embodiment of the present application. The method is also applied to the aforementioned network system. Referring to FIG2 , the method includes the following steps.
- Step 201 Receive a data packet corresponding to a request.
- Step 202 The transport layer of the network system determines the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and determines the request as a slow attack request when the data packet corresponding to the request includes the slow attack data packet.
- the steps 201 and 202 may refer to the aforementioned steps 101 and 102 respectively, and can achieve the same or similar beneficial effects. To avoid repetition, they will not be described again here.
- Step 203 When the request is a slow attack request, a protection operation is performed on the request.
- when the request is a slow attack request, performing a protection operation on the request can reduce the adverse effects caused by the slow attack request as much as possible.
- step 203 may include: in the case where the request is a slow attack request, the transport layer of the network system performs a protection operation on the request, that is, the protection operation on the slow attack request is completed at the transport layer of the network system, and there is no need to perform the protection operation on the slow attack request at the application layer, and the application layer does not need to parse the protocol, etc., and thus the protection operation on the slow attack request does not need to occupy the resources of the application layer, so that the application layer has higher processing performance for the application.
- the transport layer sits in front of the application layer on the receive path, and the protection operation on the slow attack request is implemented at the transport layer.
- the protection operation on the slow attack request is implemented as early as possible, ensuring the resource utilization of the back-end application service.
- it eliminates the need for each back-end application service to perform protection operations on the slow attack request one by one, greatly reducing the operation and maintenance workload.
- the transport layer of the network system performs protection operations on the request, which may include at least one of the following steps.
- Step S1 When the request is a slow attack request, the transport layer of the network system discards the data packet corresponding to the request.
- the transport layer of the network system discards the data packet corresponding to the request, that is, does not respond to the data packet corresponding to the request, which can reduce the adverse effects of the slow attack request.
- Step S2 When the request is a slow attack request, the transport layer of the network system disconnects the link corresponding to the request.
- the transport layer of the network system disconnects the link corresponding to the request. After disconnecting the link corresponding to the request, the network system will no longer receive the data packet corresponding to the request, thereby reducing the adverse effects of the slow attack request.
- Step S3 When the request is a slow attack request, the transport layer of the network system adds the source IP address corresponding to the request to a blacklist.
- the transport layer of the network system adds the source IP address corresponding to the request to the blacklist, and then performs protection operations on the request according to the protection operations configured for the blacklist, which can reduce the adverse effects of the slow attack request and the subsequent adverse effects brought by that source IP address.
- Step S4 When the request is a slow attack request, the transport layer of the network system adds a log record indicating that the request is a slow attack request.
- the transport layer of the network system adds a log record indicating that the request is a slow attack request, so as to facilitate subsequent search for the slow attack request. For example, in the testing phase of the network system, by adding a log record of the slow attack request, it is possible to grasp as much as possible which slow attack requests the network system is susceptible to.
- the transport layer of the network system specifically performs one or more of the above steps to perform the protection operation, which is not specifically limited.
- the transport layer of the network system can disconnect the link corresponding to the request and add the source IP address corresponding to the request to the blacklist.
- step 203 may include: when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request is greater than or equal to a third preset number, performing a protection operation on the request, thereby avoiding misoperation.
- the third preset number can be set according to actual needs and is not specifically limited in the embodiment of the present application.
- the third preset number is greater than or equal to 2, that is, when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request is greater than or equal to 2, a protection operation is performed on the request, thereby avoiding misoperation and minimizing the adverse effects of slow attacks.
- the third preset number is 2, the network system receives a total of 5 data packets corresponding to request B, and the transport layer of the network system identifies that 3 of the 5 data packets are slow attack data packets, then the third total number of slow attack data packets in the data packets corresponding to request B is 3, which is greater than the third preset number 2, and thus, a protection operation is performed for request B.
- the third preset number is 2, the network system receives a total of 6 data packets corresponding to request C, and the transport layer of the network system identifies that 1 of the 6 data packets is a slow attack data packet, then the third total number of slow attack data packets in the data packets corresponding to request C is 1, which is less than the third preset number 2, and thus, no protection operation is performed for request C.
- the aforementioned protection operation for the request when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request is greater than or equal to the third preset number may include: when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system performs a protection operation for the request, which can further reduce misoperation. Moreover, the protection operation for the slow attack request is completed at the transport layer of the network system, and there is no need to perform the protection operation for the slow attack request at the application layer.
- the application layer does not need to parse the protocol, etc., and thus the protection operation for the slow attack request does not need to occupy the resources of the application layer, so that the application layer has higher processing performance for the application.
- the transport layer sits in front of the application layer on the receive path, and the protection operation for the slow attack request is implemented at the transport layer.
- the protection operation for the slow attack request is implemented as early as possible, ensuring the resource utilization of the back-end application service.
- the preset period can be set according to actual needs.
- the size of the preset period may be 900 seconds.
- the transport layer of the network system performs a protection operation on the request, including at least one of the following steps.
- Step X1 When the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number, the transport layer of the network system discards the data packets corresponding to the request.
- Step X2 When the request is a slow attack request and a third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number, the transport layer of the network system disconnects the link corresponding to the request.
- Step X3 When the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system adds the source IP address corresponding to the request to the blacklist.
- Step X4 When the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system adds a log record that the request is a slow attack request.
- the above steps X1 to X4 can refer to the above steps S1 to S4 and the above related contents, and will not be described again here to avoid repetition.
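The four identification sub-steps (1021 to 1024) and the step 203 gating by the third preset number and preset period, worked through as an added Python example that is not part of the patent; the request identifier, the packet representation and the capture below are constructed assumptions, and the thresholds are the values given in the patent's own examples.

```python
from collections import defaultdict
from dataclasses import dataclass

# Threshold values taken from the patent's own worked examples.
PRESET_LENGTH = 50        # bytes; a packet at or below this is a "small" packet (sub-step 1021)
FIRST_PRESET_NUMBER = 3   # consecutive small packets required (sub-step 1021)
PRESET_DURATION = 120.0   # seconds between adjacent packets of one request (sub-step 1022)
PRESET_WINDOW = 512       # bytes; SYN window at or below this is suspicious (sub-step 1023)
SECOND_PRESET_NUMBER = 4  # consecutive zero-window packets required (sub-step 1024)
THIRD_PRESET_NUMBER = 2   # slow packets per request before protecting it (step 203)
PRESET_PERIOD = 900.0     # seconds; only slow packets this recent count toward step 203

@dataclass(frozen=True)
class Packet:
    request: str   # assumed identifier of the request/connection this packet belongs to
    ts: float      # reception time in seconds
    length: int    # total packet length in bytes, headers included
    window: int    # TCP window value read from the header
    syn: bool = False

def _mark_runs(packets, pred, threshold, slow):
    """Sub-steps 1021 and 1024: every run of >= threshold consecutive packets
    satisfying pred is marked slow, whichever requests the packets belong to."""
    start, n = 0, len(packets)
    while start < n:
        if not pred(packets[start]):
            start += 1
            continue
        end = start
        while end < n and pred(packets[end]):
            end += 1
        if end - start >= threshold:
            slow.update(range(start, end))
        start = end

def classify(packets):
    """Return the indices (into packets, which are in reception order) that the
    transport layer judges to be slow attack data packets."""
    slow = set()
    _mark_runs(packets, lambda p: p.length <= PRESET_LENGTH, FIRST_PRESET_NUMBER, slow)
    _mark_runs(packets, lambda p: p.window == 0, SECOND_PRESET_NUMBER, slow)
    last_seen = {}
    for i, p in enumerate(packets):
        # Sub-step 1023: a SYN advertising a tiny receive window.
        if p.syn and p.window <= PRESET_WINDOW:
            slow.add(i)
        # Sub-step 1022: a long gap between adjacent packets of one request marks both.
        if p.request in last_seen:
            j = last_seen[p.request]
            if p.ts - packets[j].ts >= PRESET_DURATION:
                slow.update((j, i))
        last_seen[p.request] = i
    return slow

def slow_requests(packets, slow):
    """Step 102: a request is a slow attack request if any of its packets is slow."""
    return {packets[i].request for i in slow}

def requests_to_protect(packets, slow, now):
    """Step 203 with the third preset number and preset period: protect a request
    only when at least THIRD_PRESET_NUMBER of its slow packets arrived within the
    last PRESET_PERIOD seconds, the patent's guard against misoperation."""
    counts = defaultdict(int)
    for i in slow:
        p = packets[i]
        if now - p.ts <= PRESET_PERIOD:
            counts[p.request] += 1
    return {r for r, c in counts.items() if c >= THIRD_PRESET_NUMBER}

# Constructed capture, in reception order, interleaving several requests.
SAMPLE = [
    Packet("A", 0.0, 60, 65535, syn=True),    # ordinary handshake
    Packet("A", 0.1, 500, 65535),
    Packet("B", 1.0, 60, 400, syn=True),      # window 400 <= 512: sub-step 1023
    Packet("B", 1.2, 800, 400),
    Packet("C", 2.0, 60, 65535, syn=True),    # C is entirely normal
    Packet("C", 2.1, 1200, 65535),
    Packet("C", 2.2, 1400, 65535),
    Packet("A", 140.1, 500, 65535),           # 140 s after A's previous packet: sub-step 1022
    Packet("D", 200.0, 20, 65535),            # four consecutive 20-byte packets from D and E:
    Packet("E", 201.0, 20, 65535),            # sub-step 1021 marks all four
    Packet("D", 202.0, 20, 65535),
    Packet("E", 203.0, 20, 65535),
    Packet("F", 300.0, 52, 0),                # only three zero-window packets: below the
    Packet("F", 300.5, 52, 0),                # second preset number, so not marked
    Packet("F", 301.0, 52, 0),
    Packet("H", 305.0, 60, 65535, syn=True),  # breaks the zero-window run
    Packet("G", 310.0, 52, 0),                # four consecutive zero-window packets:
    Packet("G", 310.5, 52, 0),                # sub-step 1024 marks all four
    Packet("G", 311.0, 52, 0),
    Packet("G", 311.5, 52, 0),
]

if __name__ == "__main__":
    slow = classify(SAMPLE)
    print("slow attack requests:", sorted(slow_requests(SAMPLE, slow)))
    print("protect at t=400:", sorted(requests_to_protect(SAMPLE, slow, now=400.0)))
    print("protect at t=1200:", sorted(requests_to_protect(SAMPLE, slow, now=1200.0)))
```

Running the block identifies A, B, D, E and G as slow attack requests, but only A, D, E and G reach the third preset number at t=400, and only G still does at t=1200 once the earlier slow packets have aged out of the 900 second period.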
- the above steps X1 to X4 can further reduce misoperation, and the protection operation of the slow attack request is completed at the transport layer of the network system, and there is no need to perform the protection operation of the slow attack request at the application layer.
- the application layer does not need to parse the protocol, etc., and the protection operation of the slow attack request does not need to occupy the resources of the application layer, so that the application layer has higher processing performance for the application.
- the transport layer sits in front of the application layer on the receive path, and the protection operation of the slow attack request is implemented at the transport layer.
- the protection operation of the slow attack request is implemented as early as possible, ensuring the resource utilization of the back-end application service.
- it eliminates the need for each application service at the back end to perform protection operations on the slow attack request one by one, greatly reducing the operation and maintenance workload.
- FIG3 is a structural diagram of a slow attack identification device provided in an embodiment of the present application.
- the device is applied to a network system.
- the device may include: a receiving module 301, which is used to receive a data packet corresponding to a request.
- an identification module 302, which is used at the transport layer of the network system to determine the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and to determine the request as a slow attack request when the data packets corresponding to the request include a slow attack data packet.
- the identification module 302 may include at least one of the following sub-modules.
- the first identification submodule is used at the transport layer of the network system to determine each of the consecutive data packets as a slow attack data packet when each consecutive data packet is a small data packet and the first total number of the consecutive data packets is greater than or equal to a first preset number; a small data packet is a data packet whose length is less than or equal to the preset length.
- the second identification submodule is used at the transport layer of the network system to determine two adjacent data packets corresponding to the same request as slow attack data packets when the interval between the receiving times of the two adjacent data packets is greater than or equal to the preset duration.
- the third identification submodule is used at the transport layer of the network system to determine the SYN data packet as a slow attack data packet when the window value in the SYN data packet corresponding to the request is less than or equal to the preset window value.
- the fourth identification submodule is used at the transport layer of the network system to determine each of the consecutive data packets as a slow attack data packet when each consecutive data packet is a zero window data packet and the second total number of the consecutive data packets is greater than or equal to the second preset number; the window value in a zero window data packet is 0.
- the slow attack identification device may further include: a protection module, configured to perform a protection operation on the request when the request is a slow attack request.
- the protection module may include: a first protection submodule, which is used for performing a protection operation on the request at the transport layer of the network system when the request is a slow attack request.
- the first protection submodule may include at least one of the following units.
- the first protection unit is used for discarding the data packets corresponding to the request at the transport layer of the network system when the request is a slow attack request.
- the second protection unit is used for disconnecting the link corresponding to the request at the transport layer of the network system when the request is a slow attack request.
- the third protection unit is used for adding the source IP address corresponding to the request to a blacklist at the transport layer of the network system when the request is a slow attack request.
- the fourth protection unit is used for adding, at the transport layer of the network system, a log record that the request is a slow attack request when the request is a slow attack request.
- the protection module may include: a second protection sub-module, used to perform a protection operation on the request when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request is greater than or equal to a third preset number.
- the second protection submodule may include: a fifth protection unit, used for the transport layer of the network system to perform protection operations on the request when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number.
- the fifth protection unit may include at least one of the following sub-units.
- the first subunit is used for discarding the data packets corresponding to the request at the transport layer of the network system when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number.
- the second subunit is used for disconnecting the link corresponding to the request at the transport layer of the network system when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number.
- the third subunit is used for adding the source IP address corresponding to the request to the blacklist at the transport layer of the network system when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number.
- the fourth subunit is used for adding, at the transport layer of the network system, a log record that the request is a slow attack request when the request is a slow attack request and the third total number of slow attack data packets in the data packets corresponding to the request within a preset period is greater than or equal to a third preset number.
- a load balancer is deployed at the transport layer.
- the slow attack identification device may further include: a release module, which is used in the transport layer of the network system and releases the data packet corresponding to the request when the request is not a slow attack request.
- the first preset number is greater than or equal to 3; the preset duration is greater than or equal to 120 seconds; and the second preset number is greater than or equal to 4.
- the third preset number is greater than or equal to 2.
- the slow attack identification device has the same or similar beneficial effects as any of the aforementioned slow attack identification methods, which will not be described again to avoid repetition.
- Figure 4 shows a schematic diagram of a partial architecture of a network system provided in an embodiment of the present application.
- Figure 5 shows a schematic diagram of an initialization process of a network system provided in an embodiment of the present application.
- Figure 6 shows a schematic diagram of a slow attack process of a network system provided in an embodiment of the present application.
- a load balancer is arranged at the transport layer of the network system, and the load balancer realizes the identification of slow attack requests and performs protection operations for the slow attack requests.
- the load balancer releases the data packet corresponding to the request, and the data packet can be forwarded to the corresponding application service.
- the application services included in the network system include: application service Nginx, application service Apache, and other application services.
- during the initialization process, the identification module and the protection module are loaded, and then the aforementioned first preset number, second preset number, third preset number, preset length, preset duration, preset window value and other configuration items are read; once the configuration has been read, the initialization process is complete.
- the data packet passes through the aforementioned slowhttp_process processing logic.
- http_request_size_limit specifies the preset length.
- http_request_count_limit specifies the first preset number.
- tcp_syn_win_size_limit specifies the preset window value.
- tcp_zero_win_count_limit specifies the second preset number.
- the present application also provides an electronic device, see FIG. 7 , comprising: a processor 901 , a memory 902 , and a computer program 9021 stored in the memory and executable on the processor, and the processor implements the slow attack identification method of the aforementioned embodiment when executing the program.
- the present application also provides a readable storage medium.
- when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device can execute the slow attack identification method of the aforementioned embodiment.
- the description of the device embodiment is relatively brief; for the relevant parts, refer to the corresponding description of the method embodiment.
- modules in the devices in the embodiments may be adaptively changed and arranged in one or more devices different from the embodiments.
- the modules or units or components in the embodiments may be combined into one module or unit or component, and in addition they may be divided into a plurality of submodules or subunits or subcomponents. All features disclosed in this specification (including the accompanying claims, abstracts and drawings) and all processes or units of any method or device disclosed in this manner may be combined in any combination, except that at least some of such features and/or processes or units are mutually exclusive. Unless otherwise expressly stated, each feature disclosed in this specification (including the accompanying claims, abstracts and drawings) may be replaced by an alternative feature providing the same, equivalent or similar purpose.
- the various component embodiments of the present application can be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof.
- in practice, a microprocessor or a digital signal processor (DSP) can be used to implement some or all of the functions of some or all of the components of the sorting device according to the present application.
- the present application can also be implemented as a device or apparatus program for executing part or all of the methods described herein.
- the program may be stored on a computer readable medium, or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, or provided on a carrier signal, or in any other form.
- the user information (including but not limited to the user's device information, user personal information, etc.) and related data involved in this application are all information authorized by the user or by all parties.
Abstract
The present application relates to the technical field of network communications and provides a slow attack identification method and apparatus, an electronic device and a storage medium. The method comprises: receiving a data packet corresponding to a request; and, when the data packet satisfies a preset slow attack condition, a transport layer of a network system determining the data packet as a slow attack data packet and, when the data packets corresponding to the request comprise the slow attack data packet, determining the request as a slow attack request. Identifying the slow attack data packet and the slow attack request at the transport layer of the network system avoids identifying the slow attack request at the application layer and avoids occupying application-layer resources, so that the application layer has higher application processing performance. The transport layer sits ahead of the application layer, so early identification aids early protection, ensures resource utilization of back-end application services, and avoids having each application identify slow attacks individually, thus reducing the operation and maintenance workload.
Description
This application claims priority to the Chinese patent application filed with the China Patent Office on January 28, 2023, with application number 202310042925.1 and titled "Slow Attack Identification Method, Apparatus, Electronic Device and Storage Medium", the entire contents of which are incorporated herein by reference.
The present application belongs to the technical field of network communications, and in particular relates to a slow attack identification method and apparatus, an electronic device and a storage medium.
With the rapid development of networks, network security problems are becoming increasingly serious; among them, slow attacks are a type of attack that is relatively difficult to defend against. A slow attack mainly refers to maintaining a connection with a network system using a small amount of data and a low rate, thereby consuming the resources of the network system.
Chinese patent CN109040140A discloses a slow attack detection method and apparatus; in that patent, the defense against slow attacks mainly consists of identifying and intercepting them at the application layer of the network system.
However, identifying slow attacks at the application layer occupies considerable application-layer resources, resulting in poor application processing performance at the application layer.
Summary of the invention
The present application provides a slow attack identification method and apparatus, an electronic device and a storage medium, aiming to solve the problem that identifying slow attacks at the application layer occupies considerable application-layer resources.
In a first aspect, the present application provides a slow attack identification method applied to a network system, comprising:
receiving a data packet corresponding to a request;
the transport layer of the network system determining the data packet as a slow attack data packet when the data packet meets a preset slow attack condition, and determining the request as a slow attack request when the data packets corresponding to the request include the slow attack data packet.
In a second aspect, the present application provides a slow attack identification apparatus applied to a network system, comprising:
a receiving module, used for receiving a data packet corresponding to a request;
an identification module, used at the transport layer of the network system to determine the data packet as a slow attack data packet when the data packet meets a preset slow attack condition, and to determine the request as a slow attack request when the data packets corresponding to the request include the slow attack data packet.
In a third aspect, the present application provides an electronic device, comprising: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above slow attack identification method when executing the program.
In a fourth aspect, the present application provides a readable storage medium; when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to execute the above slow attack identification method.
In the embodiments of the present application, a data packet that meets the preset slow attack condition is determined as a slow attack data packet at the transport layer of the network system, and a request that includes a slow attack data packet is determined as a slow attack request at the transport layer of the network system. That is, the identification of slow attack data packets and slow attack requests is completed at the transport layer, so there is no need to identify slow attack requests at the application layer; the application layer does not need to parse protocols, and identifying slow attacks does not occupy application-layer resources, so the application layer has higher processing performance for applications. Moreover, the transport layer sits ahead of the application layer, and slow attacks are identified at the transport layer: on the one hand, early identification helps early protection and safeguards the resource utilization of the back-end application services; on the other hand, it removes the need for each back-end application service to identify slow attacks one by one, greatly reducing the operation and maintenance workload.
In order to more clearly illustrate the technical solutions in the embodiments of the present application or in the prior art, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flowchart of the steps of a slow attack identification method provided by an embodiment of the present application;
FIG. 2 is a flowchart of the steps of another slow attack identification method provided by an embodiment of the present application;
FIG. 3 is a structural diagram of a slow attack identification apparatus provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a partial architecture of a network system provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of an initialization process of a network system provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of the process flow of a slow attack on a network system provided by an embodiment of the present application;
FIG. 7 is a structural diagram of an electronic device provided by an embodiment of the present application.
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.
FIG. 1 is a flowchart of the steps of a slow attack identification method provided by an embodiment of the present application. The method is applied to a network system, whose network model may be the seven-layer model (Open System Interconnection, OSI) or a four-layer model, among others. From bottom to top, the seven-layer model consists of: physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. From bottom to top, the four-layer model consists of: link layer, network layer, transport layer and application layer.
The slow attacks referred to in this application are mainly of three types: the Slow read attack, the Slow headers attack and the Slow body attack. In a Slow read attack, the attacker establishes a connection, sends a complete request to the network system, and then keeps the connection open, reading the response at a very low rate or leading the network system to believe that the client is busy, so as to consume the connection and memory resources of the network system. In a Slow headers attack, the attacker initiates an HTTP (Hyper Text Transfer Protocol) request to the network system and keeps sending HTTP headers without end; since the network system must receive all HTTP headers before it can process the request, this consumes the connection and memory resources of the network system. In a Slow body attack, the attacker sends an HTTP POST request announcing that a large amount of data will be sent, so the network system keeps the connection open to receive the data, but the attacking client sends only a very small amount of data each time, thereby consuming the connection and memory resources of the network system.
As shown in FIG. 1, the method may include the following steps.
Step 101: receive a data packet corresponding to a request.
The network system can provide network data services, and each client can send data packets corresponding to a request to the network system. The data packets corresponding to the request are used to request network data services from the network system. The number of data packets corresponding to one request is not specifically limited.
Step 102: the transport layer of the network system determines the data packet as a slow attack data packet when the data packet meets a preset slow attack condition, and determines the request as a slow attack request when the data packets corresponding to the request include the slow attack data packet.
The transport layer of the network system determines the request as a slow attack request when the data packets corresponding to the request include at least one slow attack data packet. That is, as long as the data packets corresponding to a request include a slow attack data packet, the transport layer of the network system determines that request as a slow attack request.
The inventor found that, because the prior art identifies slow attacks only at the application layer of the network system, each application service has to identify slow attacks on its own, and if the slow attacks change, each of the different application services also has to be upgraded and reconfigured for the changed slow attacks, which makes the operation and maintenance workload very large. For example, suppose the network system includes the thread-based application services Apache and Httpd, the event-based application services Nginx and lighttpd, and other application services such as flask and gin. If slow attacks are identified only at the application layer, as in the prior art, then every one of these application services (Apache, Httpd, Nginx, lighttpd, flask, gin, and so on) has to identify slow attacks on its own, and each of them also has to be upgraded and reconfigured for changed slow attacks, which makes the operation and maintenance workload very large.
Compared with the prior art, which identifies slow attacks only at the application layer of the network system, in the present application a data packet that meets the preset slow attack condition is determined as a slow attack data packet at the transport layer of the network system, and a request that includes a slow attack data packet is determined as a slow attack request at the transport layer. That is, the present application identifies slow attack data packets and slow attack requests, and thus slow attacks, at the transport layer of the network system, so there is no need to identify slow attacks at the application layer; the application layer does not need to parse protocols, and identifying slow attacks does not occupy application-layer resources, so the application layer has higher processing performance for applications. Moreover, the transport layer sits ahead of the application layer, and slow attacks are identified at the transport layer: on the one hand, early identification helps early protection and safeguards the resource utilization of the back-end application services; on the other hand, it removes the need for each back-end application to identify slow attacks one by one, greatly reducing the operation and maintenance workload.
The transport layer here may be the transport layer of the seven-layer model of the network system, or the transport layer of the four-layer model, among others; this is not specifically limited.
Optionally, determining the slow attack data packet in step 102 may include at least one of the following sub-steps.
Sub-step 1021: the transport layer of the network system determines each of the consecutive data packets as a slow attack data packet when each consecutive data packet is a small data packet and the first total number of the consecutive data packets is greater than or equal to a first preset number; a small data packet is one whose length is less than or equal to a preset length.
A small data packet is a data packet whose length is less than or equal to the preset length. The preset length can be determined according to actual needs; for example, it can be 50 bytes or 60 bytes.
That is, regardless of whether the consecutive data packets belong to the same request, as long as the consecutive data packets received by the transport layer of the network system are all small data packets and the first total number of these consecutive (small) data packets is greater than or equal to the first preset number, the transport layer determines all of these consecutive data packets as slow attack data packets. This corresponds to a client that sends only a very small amount of data each time in order to consume the connection and memory resources of the network system, so each of the consecutive small data packets is a slow attack data packet.
The size of the first preset number is determined according to actual needs. Optionally, the first preset number is greater than or equal to 3; this setting is appropriate and allows slow attack data packets to be identified more accurately. For example, regardless of whether the consecutive data packets belong to the same request, as long as the consecutive data packets received by the transport layer are all small data packets and their first total number is greater than or equal to 3, all of these consecutive small data packets are slow attack data packets.
For example, the first preset number is 3. If the network system receives 4 small data packets consecutively, the first total number of the consecutive small data packets is 4; since 4 is greater than 3, the transport layer of the network system determines all 4 consecutive small data packets as slow attack data packets.
Sub-step 1022: the transport layer of the network system determines both of two adjacent data packets corresponding to the same request as slow attack data packets when the interval between the reception times of the two packets is greater than or equal to a preset duration.
If the interval between the reception times of two adjacent data packets corresponding to the same request is greater than or equal to the preset duration, the network system has to keep the connection for the request open for a long time in order to receive each data packet of the request; this leads the network system to mistakenly believe that the client is busy and consumes the connection and memory resources of the network system. In this case, the transport layer of the network system determines both adjacent data packets as slow attack data packets.
The preset duration can be set according to actual needs. Optionally, the preset duration is greater than or equal to 120 seconds; a preset duration of this size is well chosen and allows slow attack data packets to be identified more accurately.
For example, the preset duration is 120 seconds. For request A, the network system receives a data packet at 13:20:20 on December 20, 2022, and then receives the next data packet at 13:22:40 on December 20, 2022. For request A, the interval between the reception times of these two adjacent data packets is therefore 140 seconds, which is greater than or equal to the preset duration of 120 seconds, so the transport layer of the network system determines both of these adjacent data packets of request A as slow attack data packets.
Sub-step 1023: the transport layer of the network system determines the SYN data packet corresponding to a request as a slow attack data packet when the window value in that SYN data packet is less than or equal to a preset window value.
The SYN data packet is the first packet of a Transmission Control Protocol (TCP) connection; it is the handshake signal used when a TCP/IP (Transmission Control Protocol/Internet Protocol) connection is established. When a normal TCP network connection is established between the client and the network system, the client first sends a SYN message (SYN data packet); the network system replies with SYN+ACK to indicate that it has received this message; finally, the client responds with an ACK message. Only then is a reliable TCP connection established between the client and the network system, and data can be transferred between the client and the network system.
The window value in the SYN data packet can be obtained from the header of the SYN data packet, among other locations. When the window value in the SYN data packet corresponding to the request is less than or equal to the preset window value, the network system can only transmit data to the client at a very low bit rate, which leads the network system to mistakenly believe that the client is busy and consumes the connection and memory resources of the network system. Therefore, the transport layer of the network system determines the SYN data packet as a slow attack data packet.
The preset window value here is determined according to actual needs and is not specifically limited in the embodiments of the present application. For example, the preset window value may be 512 bytes.
For example, the preset window value is 512 bytes, and the window value in the SYN data packet corresponding to the request is 400 bytes, which is smaller than the preset window value of 512 bytes; the transport layer of the network system therefore determines the SYN data packet as a slow attack data packet.
Sub-step 1024: the transport layer of the network system determines each of a series of consecutive data packets as a slow attack data packet when the consecutive data packets are all zero-window data packets and the second total number of the consecutive data packets is greater than or equal to a second preset number; the window value in a zero-window data packet is 0.
The window value in a zero-window data packet is 0. When a data packet received by the network system is a zero-window data packet, the network system can only transmit data to the client at an extremely low bit rate, or has to wait for a period of time before it can transmit data to the client.
When the consecutive data packets received by the network system are all zero-window data packets and the second total number of these consecutive data packets is greater than or equal to the second preset number, this leads the network system to mistakenly believe that the client is busy and consumes the connection and memory resources of the network system. Therefore, the transport layer of the network system determines all of these consecutive data packets as slow attack data packets.
The second preset number here can be determined according to actual needs. Optionally, the second preset number is greater than or equal to 4; a second preset number of this size is well chosen and allows slow attack data packets to be identified more accurately. For example, the transport layer of the network system does not consider whether the consecutive data packets belong to the same request: as long as the consecutive data packets received are all zero-window data packets and the second total number of the consecutive data packets (or of the consecutive zero-window data packets) is greater than or equal to 4, the consecutive data packets (or consecutive zero-window data packets) are all slow attack data packets.
For example, the second preset number is 4. If the network system receives 4 zero-window data packets consecutively, the second total number of consecutive data packets (or consecutive zero-window data packets) is 4, and 4 is equal to the second preset number, so the transport layer of the network system determines the 4 consecutive data packets (or 4 consecutive zero-window data packets) as slow attack data packets.
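The four conditions of sub-steps 1021 to 1024, as an added example that is not part of the patent or of any DPVS code: a small C classifier that keeps the per-packet state the transport layer needs (run lengths across requests, last reception time per request) and returns which conditions a packet meets. The struct and function names, the per-request table and the preset length of 64 bytes are assumptions; the thresholds 3, 120 seconds, 512 and 4 are the values the description gives. Timestamps are assumed to be monotonic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Thresholds of sub-steps 1021-1024. The optional values are the ones the
 * description gives; preset_length is an assumption (not stated on the page). */
struct slow_cfg {
    uint32_t preset_length;      /* bytes; packets at or below this are "small" (assumed 64) */
    uint32_t first_preset_num;   /* run of small packets, description: >= 3 */
    uint64_t preset_duration_s;  /* gap between adjacent packets of one request, >= 120 s */
    uint16_t preset_window;      /* SYN window bound, example on the page: 512 */
    uint32_t second_preset_num;  /* run of zero-window packets, description: >= 4 */
};

/* Metadata the transport layer already has for each received packet. */
struct pkt_meta {
    uint32_t request_id;   /* which request the packet belongs to */
    uint32_t length;       /* payload length in bytes */
    uint64_t recv_time_s;  /* reception time, seconds */
    uint16_t window;       /* TCP window value from the header */
    bool     syn;          /* SYN flag set */
};

enum { SLOW_NONE = 0, SLOW_SMALL_RUN = 1, SLOW_INTERVAL = 2,
       SLOW_SYN_WINDOW = 4, SLOW_ZERO_RUN = 8 };

#define MAX_REQ 64
struct req_state { uint32_t id; uint64_t last_time; bool has_last; bool valid; };

struct detector {
    struct slow_cfg cfg;
    uint32_t small_run;   /* consecutive small packets, across requests (1021) */
    uint32_t zero_run;    /* consecutive zero-window packets, across requests (1024) */
    struct req_state req[MAX_REQ];
};

void detector_init(struct detector *d, const struct slow_cfg *cfg)
{
    memset(d, 0, sizeof *d);
    d->cfg = *cfg;
}

/* Fixed-size request table; a real load balancer would key this by flow. */
static struct req_state *find_req(struct detector *d, uint32_t id)
{
    struct req_state *slot = NULL;
    for (int i = 0; i < MAX_REQ; i++) {
        if (d->req[i].valid && d->req[i].id == id) return &d->req[i];
        if (!d->req[i].valid && !slot) slot = &d->req[i];
    }
    if (slot) { slot->valid = true; slot->id = id; slot->has_last = false; }
    return slot;
}

/* Classify one packet; returns a bitmask of the sub-step conditions it meets.
 * For the run conditions the description marks every packet of the run once
 * the run reaches the threshold; this flags the packet that reaches it and
 * each later one, so a caller can mark the earlier run members retroactively. */
unsigned slow_classify(struct detector *d, const struct pkt_meta *p)
{
    unsigned flags = SLOW_NONE;

    /* Sub-step 1021: run of small packets, regardless of request. */
    d->small_run = (p->length <= d->cfg.preset_length) ? d->small_run + 1 : 0;
    if (d->small_run >= d->cfg.first_preset_num) flags |= SLOW_SMALL_RUN;

    /* Sub-step 1022: gap between adjacent packets of the same request
     * (the previous packet of the pair is a slow-attack packet as well). */
    struct req_state *r = find_req(d, p->request_id);
    if (r) {
        if (r->has_last && p->recv_time_s - r->last_time >= d->cfg.preset_duration_s)
            flags |= SLOW_INTERVAL;
        r->last_time = p->recv_time_s;
        r->has_last = true;
    }

    /* Sub-step 1023: SYN whose advertised window is at or below the bound. */
    if (p->syn && p->window <= d->cfg.preset_window) flags |= SLOW_SYN_WINDOW;

    /* Sub-step 1024: run of zero-window packets, regardless of request. */
    d->zero_run = (p->window == 0) ? d->zero_run + 1 : 0;
    if (d->zero_run >= d->cfg.second_preset_num) flags |= SLOW_ZERO_RUN;

    return flags;
}

/* The page's request A: packets at 13:20:20 and 13:22:40 the same day, 140 s apart. */
unsigned example_request_a(void)
{
    struct slow_cfg cfg = { 64, 3, 120, 512, 4 };
    struct detector d;
    detector_init(&d, &cfg);
    struct pkt_meta first  = { 7, 1000, 13 * 3600 + 20 * 60 + 20, 65535, false };
    struct pkt_meta second = { 7, 1000, 13 * 3600 + 22 * 60 + 40, 65535, false };
    slow_classify(&d, &first);
    return slow_classify(&d, &second);   /* SLOW_INTERVAL */
}
```

The run counters are deliberately global to the detector rather than per request, because the description states that sub-steps 1021 and 1024 do not consider whether consecutive packets belong to the same request; only the interval check of sub-step 1022 is keyed by request.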
Optionally, a load balancer is deployed at the transport layer of the network system, and the above step 102 is implemented by that load balancer. Deploying a load balancer at the transport layer of the network system can improve the performance of the network system. It should be noted that the type of the load balancer is not specifically limited; for example, the load balancer may be a DPVS load balancer developed on the basis of DPDK.
Optionally, after the aforementioned step 102, the method may further include: the transport layer of the network system releases the data packets corresponding to the request when the request is not a slow attack request. That is, when the request is not a slow attack request, the data packets corresponding to the request are forwarded or processed normally, so that normal data packets are still forwarded and processed.
FIG. 2 is a flowchart of the steps of another slow attack identification method provided in an embodiment of the present application. The method is likewise applied to the aforementioned network system. Referring to FIG. 2, the method includes the following steps.
Step 201: receive a data packet corresponding to a request.
Step 202: the transport layer of the network system determines the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and determines the request as a slow attack request when the data packets corresponding to the request include a slow attack data packet.
Steps 201 and 202 correspond to the aforementioned steps 101 and 102 respectively and achieve the same or similar beneficial effects; to avoid repetition, they are not described again here.
Step 203: when the request is a slow attack request, perform a protection operation on the request.
When the request is a slow attack request, performing a protection operation on the request reduces the adverse effects of the slow attack request as far as possible.
Optionally, step 203 may include: when the request is a slow attack request, the transport layer of the network system performs the protection operation on the request. That is, the protection operation for the slow attack request is completed at the transport layer of the network system, and there is no need to perform it at the application layer; the application layer does not need to parse the protocol, and so on, so the protection operation for the slow attack request does not consume application-layer resources, and the application layer retains more processing capacity for the application itself. Moreover, the transport layer sits earlier in the processing path than the application layer, so performing the protection operation there, on the one hand, protects against the slow attack request as early as possible and safeguards the resources of the back-end application services, and, on the other hand, spares each back-end application service from having to protect against the slow attack request individually, which greatly reduces the operation and maintenance workload.
Optionally, the transport layer of the network system performing the protection operation on the request when the request is a slow attack request may include at least one of the following steps.
Step S1: when the request is a slow attack request, the transport layer of the network system discards the data packets corresponding to the request.
When the request is a slow attack request, the transport layer of the network system discards the data packets corresponding to the request, that is, it does not respond to them, which reduces the adverse effects of the slow attack request.
Step S2: when the request is a slow attack request, the transport layer of the network system disconnects the connection corresponding to the request.
When the request is a slow attack request, the transport layer of the network system disconnects the connection corresponding to the request. After the connection is disconnected, the network system no longer receives data packets corresponding to the request, which reduces the adverse effects of the slow attack request.
Step S3: when the request is a slow attack request, the transport layer of the network system adds the source IP address corresponding to the request to a blacklist.
When the request is a slow attack request, the transport layer of the network system adds the source IP address corresponding to the request to a blacklist and then applies the protection operation defined for the blacklist to the request, which reduces the adverse effects of the slow attack request and of subsequent traffic from that source IP address.
Step S4: when the request is a slow attack request, the transport layer of the network system adds a log record indicating that the request is a slow attack request.
When the request is a slow attack request, the transport layer of the network system adds a log record indicating that the request is a slow attack request, which makes it easier to look up the slow attack request later. For example, during testing of the network system, logging slow attack requests makes it possible to learn as fully as possible which slow attack requests the network system is susceptible to.
It should be noted that whether the transport layer of the network system performs one or several of the above steps as the protection operation when the request is a slow attack request is not specifically limited. For example, when the request is a slow attack request, the transport layer of the network system may disconnect the connection corresponding to the request and add the source IP address corresponding to the request to the blacklist.
Optionally, step 203 may include: when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to a third preset number, perform the protection operation on the request; this avoids misoperation. The third preset number can be set according to actual needs and is not specifically limited in the embodiments of the present application.
Optionally, the third preset number is greater than or equal to 2; that is, when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to 2, the protection operation is performed on the request, which avoids misoperation while reducing the adverse effects of slow attacks as far as possible.
For example, the third preset number is 2; the network system receives a total of 5 data packets corresponding to request B, and the transport layer of the network system identifies 3 of these 5 data packets as slow attack data packets. The third total number of slow attack data packets among the data packets corresponding to request B is then 3, which is greater than the third preset number 2, so the protection operation is performed for request B. As another example, the third preset number is 2; the network system receives a total of 6 data packets corresponding to request C, and the transport layer of the network system identifies 1 of these 6 data packets as a slow attack data packet. The third total number of slow attack data packets among the data packets corresponding to request C is then 1, which is less than the third preset number 2, so no protection operation is performed for request C.
Optionally, performing the protection operation on the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to the third preset number may include: when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within a preset period is greater than or equal to the third preset number, the transport layer of the network system performs the protection operation on the request. This further reduces misoperation. Moreover, the protection operation for the slow attack request is completed at the transport layer of the network system, and there is no need to perform it at the application layer; the application layer does not need to parse the protocol, and so on, so the protection operation for the slow attack request does not consume application-layer resources, and the application layer retains more processing capacity for the application itself. Since the transport layer sits earlier in the processing path than the application layer, performing the protection operation there, on the one hand, protects against the slow attack request as early as possible and safeguards the resources of the back-end application services, and, on the other hand, spares each back-end application service from having to protect against the slow attack request individually, which greatly reduces the operation and maintenance workload.
It should be noted that the preset period can be set according to actual needs, and its size is not specifically limited in the embodiments of the present application. For example, the preset period may be 900 seconds.
Optionally, the transport layer of the network system performing the protection operation on the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number includes at least one of the following steps.
Step X1: when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system discards the data packets corresponding to the request.
Step X2: when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system disconnects the connection corresponding to the request.
Step X3: when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system adds the source IP address corresponding to the request to the blacklist.
Step X4: when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number, the transport layer of the network system adds a log record indicating that the request is a slow attack request.
Steps X1 to X4 correspond to the aforementioned steps S1 to S4 and the related description above, and are not repeated here to avoid repetition. Steps X1 to X4 further reduce misoperation; in addition, the protection operation for the slow attack request is completed at the transport layer of the network system, with no need to perform it at the application layer, so the application layer does not need to parse the protocol, the protection operation does not consume application-layer resources, and the application layer retains more processing capacity for the application itself. Since the transport layer sits earlier in the processing path than the application layer, performing the protection operation there, on the one hand, protects against the slow attack request as early as possible and safeguards the resources of the back-end application services, and, on the other hand, spares each back-end application service from having to protect against the slow attack request individually, which greatly reduces the operation and maintenance workload.
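The protection decision of steps S1 to S4 and X1 to X4, combined with the third preset number and the preset period, as an added example that is not part of the patent or of any load balancer code: a C routine that counts slow attack packets per request within the preset period, returns the configured protection operations once the third preset number is reached, and from then on drops further packets from a blacklisted source. All type and function names, the per-request table and the sample source addresses are assumptions; the thresholds 2 and 900 seconds are the values the description gives.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Protection operations of steps S1-S4 / X1-X4, combinable as a bitmask. */
enum { ACT_NONE = 0, ACT_DROP = 1, ACT_DISCONNECT = 2, ACT_BLACKLIST = 4, ACT_LOG = 8 };

struct prot_cfg {
    uint32_t third_preset_num;  /* description: >= 2 */
    uint64_t preset_period_s;   /* page example: 900 s */
    unsigned actions;           /* which of S1-S4 the operator enabled */
};

#define MAX_TRACK 64
struct req_track {
    bool     valid;
    uint32_t request_id;
    uint64_t period_start;  /* start of the current counting period */
    uint32_t slow_count;    /* slow attack packets seen in this period */
};

struct protector {
    struct prot_cfg  cfg;
    struct req_track track[MAX_TRACK];
    uint32_t         blacklist[MAX_TRACK];  /* source IPv4 addresses, host order */
    int              blacklist_len;
};

void protector_init(struct protector *p, const struct prot_cfg *cfg)
{
    memset(p, 0, sizeof *p);
    p->cfg = *cfg;
}

bool is_blacklisted(const struct protector *p, uint32_t src_ip)
{
    for (int i = 0; i < p->blacklist_len; i++)
        if (p->blacklist[i] == src_ip) return true;
    return false;
}

/* Fixed-size per-request table; a new entry starts its counting period now. */
static struct req_track *track_for(struct protector *p, uint32_t request_id, uint64_t now_s)
{
    struct req_track *slot = NULL;
    for (int i = 0; i < MAX_TRACK; i++) {
        if (p->track[i].valid && p->track[i].request_id == request_id) return &p->track[i];
        if (!p->track[i].valid && !slot) slot = &p->track[i];
    }
    if (slot) {
        slot->valid = true; slot->request_id = request_id;
        slot->period_start = now_s; slot->slow_count = 0;
    }
    return slot;
}

/* Called for every packet after classification (is_slow_pkt is the outcome
 * of step 202 for this packet). Returns the operations to apply to it. */
unsigned protect_on_packet(struct protector *p, uint32_t request_id, uint32_t src_ip,
                           bool is_slow_pkt, uint64_t now_s)
{
    /* A source already on the blacklist (step S3/X3) is dropped outright. */
    if (is_blacklisted(p, src_ip)) return ACT_DROP;

    /* Packets of requests that are not slow attack requests are released. */
    if (!is_slow_pkt) return ACT_NONE;

    struct req_track *t = track_for(p, request_id, now_s);
    if (!t) return ACT_NONE;  /* table full; a real implementation would evict */

    /* Once the preset period has elapsed, counting starts over, so only
     * slow attack packets inside one period are added up. */
    if (now_s - t->period_start >= p->cfg.preset_period_s) {
        t->period_start = now_s;
        t->slow_count = 0;
    }
    t->slow_count++;

    /* Below the third preset number: do nothing yet, to avoid misoperation. */
    if (t->slow_count < p->cfg.third_preset_num) return ACT_NONE;

    if ((p->cfg.actions & ACT_BLACKLIST) && p->blacklist_len < MAX_TRACK)
        p->blacklist[p->blacklist_len++] = src_ip;
    return p->cfg.actions;
}
```

With `third_preset_num = 2` the page's request B (3 slow attack packets out of 5) triggers the configured operations on its second slow attack packet, while request C (1 slow attack packet out of 6) never does; the period reset means two slow attack packets 1000 seconds apart are not added together either.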
It should be noted that the order in which certain steps of the slow attack identification method of the present application are executed is not specifically limited.
FIG. 3 is a structural diagram of a slow attack identification apparatus provided in an embodiment of the present application. The apparatus is applied to a network system and may include: a receiving module 301, configured to receive a data packet corresponding to a request; and an identification module 302, configured so that the transport layer of the network system determines the data packet as a slow attack data packet when the data packet meets the preset slow attack condition, and determines the request as a slow attack request when the data packets corresponding to the request include a slow attack data packet.
Optionally, the identification module 302 may include at least one of the following sub-modules.
A first identification sub-module, configured so that the transport layer of the network system determines each of a series of consecutive data packets as a slow attack data packet when the consecutive data packets are all small data packets and the first total number of the consecutive data packets is greater than or equal to the first preset number; the length of a small data packet is less than or equal to the preset length.
A second identification sub-module, configured so that the transport layer of the network system determines both of two adjacent data packets corresponding to the same request as slow attack data packets when the interval between the reception times of the two packets is greater than or equal to the preset duration.
A third identification sub-module, configured so that the transport layer of the network system determines the SYN data packet corresponding to a request as a slow attack data packet when the window value in that SYN data packet is less than or equal to the preset window value.
A fourth identification sub-module, configured so that the transport layer of the network system determines each of a series of consecutive data packets as a slow attack data packet when the consecutive data packets are all zero-window data packets and the second total number of the consecutive data packets is greater than or equal to the second preset number; the window value in a zero-window data packet is 0.
Optionally, the slow attack identification apparatus may further include: a protection module, configured to perform a protection operation on the request when the request is a slow attack request.
Optionally, the protection module may include: a first protection sub-module, configured so that the transport layer of the network system performs the protection operation on the request when the request is a slow attack request.
Optionally, the first protection sub-module may include at least one of the following units.
A first protection unit, configured so that the transport layer of the network system discards the data packets corresponding to the request when the request is a slow attack request.
A second protection unit, configured so that the transport layer of the network system disconnects the connection corresponding to the request when the request is a slow attack request.
A third protection unit, configured so that the transport layer of the network system adds the source IP address corresponding to the request to a blacklist when the request is a slow attack request.
A fourth protection unit, configured so that the transport layer of the network system adds a log record indicating that the request is a slow attack request when the request is a slow attack request.
Optionally, the protection module may include: a second protection sub-module, configured to perform the protection operation on the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to the third preset number.
Optionally, the second protection sub-module may include: a fifth protection unit, configured so that the transport layer of the network system performs the protection operation on the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number.
Optionally, the fifth protection unit may include at least one of the following sub-units.
A first sub-unit, configured so that the transport layer of the network system discards the data packets corresponding to the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number.
A second sub-unit, configured so that the transport layer of the network system disconnects the connection corresponding to the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number.
A third sub-unit, configured so that the transport layer of the network system adds the source IP address corresponding to the request to the blacklist when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number.
A fourth sub-unit, configured so that the transport layer of the network system adds a log record indicating that the request is a slow attack request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request within the preset period is greater than or equal to the third preset number.
Optionally, a load balancer is deployed at the transport layer.
Optionally, the slow attack identification apparatus may further include: a release module, configured so that the transport layer of the network system releases the data packets corresponding to the request when the request is not a slow attack request.
Optionally, the first preset number is greater than or equal to 3; the preset duration is greater than or equal to 120 seconds; and the second preset number is greater than or equal to 4.
Optionally, the third preset number is greater than or equal to 2.
The slow attack identification apparatus has the same or similar beneficial effects as any of the aforementioned slow attack identification methods, which are not described again here to avoid repetition.
The present application is further explained below with reference to a specific embodiment.
Example
FIG. 4 is a schematic diagram of part of the architecture of a network system provided in an embodiment of the present application. FIG. 5 is a schematic diagram of the initialization flow of a network system provided in an embodiment of the present application. FIG. 6 is a schematic diagram of the slow attack handling flow of a network system provided in an embodiment of the present application.
As shown in FIG. 4, in this network system a load balancer is deployed at the transport layer; the load balancer identifies slow attack requests and performs the protection operation for them. When a request is not a slow attack request, the load balancer releases the data packets corresponding to that request, which can then be forwarded to the corresponding application service. The application services in the network system include the application service Nginx, the application service Apache, and other application services.
As shown in FIG. 5, in this embodiment, after the program of the network system starts, it loads the identification module and the protection module and then reads the configuration, including the aforementioned first preset number, second preset number, third preset number, preset length, preset duration and preset window value. Once the configuration has been read, the initialization flow is complete.
该实施例中的上述配置可以如下程序段所示。
The above configuration in this embodiment can be shown in the following program segment.
The above configuration in this embodiment can be shown in the following program segment.
Specifically, as shown in Figure 6: 1. The data packet passes through the aforementioned slowhttp_process processing logic.
2. First, dst_port is obtained from req->l4hdr; if no matching rule is found, the packet is released.
3. If a match is found, slow attack identification is performed.
(1) If the number of consecutively received HTTP data packets whose size is less than or equal to http_request_size_limit is greater than or equal to http_request_count_limit, it is regarded as an attack. http_request_size_limit specifies the preset length, and http_request_count_limit specifies the first preset number.
(2) For the same request, if the number of data packets for which the interval between the receiving times of two consecutively received adjacent data packets is greater than or equal to http_package_interval_limit exceeds http_package_interval_count_limit, it is regarded as an attack. http_package_interval_limit specifies the preset duration, and http_package_interval_count_limit applies to the two adjacent data packets.
(3) If the window value in the TCP SYN packet is smaller than tcp_syn_win_size_limit, it is regarded as an attack. tcp_syn_win_size_limit specifies the preset window value.
(4) If the number of consecutively received zero-window packets is greater than tcp_zero_win_count_limit, it is regarded as an attack. tcp_zero_win_count_limit specifies the second preset number.
4. Slowhttp protection operation process.
(1) When the identification module detects any of the above attacks, the slow attack data packet counter is incremented.
(2) When, within the statistical period (period), the counted number of slow attack data packets for the same request is greater than exception_count_limit, the action_sip protection operation is performed on the request. period specifies the preset period, and exception_count_limit specifies the third preset number.
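The four identification conditions and the per-request counter of the embodiment above, as an added example that is not the application's own code: the configuration option names follow the embodiment, while the numeric values, the request key (source IP, source port, destination port), the tumbling-period bookkeeping and the packet traces are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    ts: float           # receive time in seconds
    src_ip: str
    src_port: int
    dst_port: int
    syn: bool           # SYN flag set
    window: int         # advertised TCP window
    payload_len: int    # bytes of HTTP data carried (0 for a pure ACK)

@dataclass(frozen=True)
class Config:
    # Option names follow the embodiment; the values are assumptions within the stated limits.
    protected_ports: frozenset = frozenset({80, 443})
    http_request_size_limit: int = 64             # preset length (bytes)
    http_request_count_limit: int = 3             # first preset number (>= 3)
    http_package_interval_limit: float = 120.0    # preset duration (>= 120 s)
    http_package_interval_count_limit: int = 1
    tcp_syn_win_size_limit: int = 100             # preset window value
    tcp_zero_win_count_limit: int = 4             # second preset number (>= 4)
    period: float = 600.0                         # preset period (seconds)
    exception_count_limit: int = 2                # third preset number (>= 2)

@dataclass
class FlowState:
    small_run: int = 0              # consecutive small HTTP packets
    zero_win_run: int = 0           # consecutive zero-window packets
    slow_intervals: int = 0         # packets arriving >= interval limit after the previous one
    last_ts: Optional[float] = None
    period_start: Optional[float] = None
    slow_count: int = 0             # slow attack packets counted in the current period

class SlowAttackDetector:
    def __init__(self, cfg: Config = Config()):
        self.cfg = cfg
        self.flows = {}           # request key -> FlowState
        self.blacklist = set()    # source IPs hit by action_sip

    def process(self, p: Packet) -> str:
        """'release', 'slow' (counted, still forwarded), 'action_sip' or 'drop' (blacklisted)."""
        cfg = self.cfg
        if p.src_ip in self.blacklist:
            return "drop"
        # Step 2: only destination ports with a configured rule are examined.
        if p.dst_port not in cfg.protected_ports:
            return "release"
        key = (p.src_ip, p.src_port, p.dst_port)     # assumption: what identifies "the same request"
        st = self.flows.setdefault(key, FlowState())
        slow = False
        # (1) a run of small HTTP data packets
        if p.payload_len > 0:
            st.small_run = st.small_run + 1 if p.payload_len <= cfg.http_request_size_limit else 0
            if st.small_run >= cfg.http_request_count_limit:
                slow = True
        # (2) too many long gaps between adjacent packets of the same request
        if st.last_ts is not None and p.ts - st.last_ts >= cfg.http_package_interval_limit:
            st.slow_intervals += 1
            if st.slow_intervals > cfg.http_package_interval_count_limit:
                slow = True
        st.last_ts = p.ts
        # (3) a SYN advertising a window below the preset value
        if p.syn and p.window < cfg.tcp_syn_win_size_limit:
            slow = True
        # (4) a run of zero-window packets
        st.zero_win_run = st.zero_win_run + 1 if p.window == 0 else 0
        if st.zero_win_run > cfg.tcp_zero_win_count_limit:
            slow = True
        if not slow:
            return "release"
        # Step 4: count slow attack packets of this request per period (tumbling window, assumed)
        if st.period_start is None or p.ts - st.period_start >= cfg.period:
            st.period_start, st.slow_count = p.ts, 0
        st.slow_count += 1
        if st.slow_count > cfg.exception_count_limit:
            self.blacklist.add(p.src_ip)
            return "action_sip"
        return "slow"

def run_trace(packets, cfg: Config = Config()):
    det = SlowAttackDetector(cfg)
    return [det.process(p) for p in packets]

def slow_header_trace(dst_port=80):
    # Constructed: tiny header fragments 130 s apart, triggering conditions (1) and (2).
    return [Packet(t, "198.51.100.7", 40001, dst_port, False, 1000, n)
            for t, n in ((0, 10), (130, 8), (260, 12), (390, 5), (520, 9), (650, 7))]

def zero_window_trace():
    # Constructed: a SYN with a 50-byte window, then six zero-window ACKs, conditions (3) and (4).
    syn = [Packet(0, "198.51.100.9", 40002, 80, True, 50, 0)]
    return syn + [Packet(t, "198.51.100.9", 40002, 80, False, 0, 0) for t in range(1, 7)]
```

A packet is marked slow as soon as any one condition holds, and the per-request counter only triggers action_sip once the count within the period exceeds exception_count_limit, so isolated long gaps or a single short window are not blocked on their own.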
The present application also provides an electronic device, see Figure 7, comprising a processor 901, a memory 902, and a computer program 9021 stored in the memory and executable on the processor; when the processor executes the program, it implements the slow attack identification method of the aforementioned embodiments.
The present application also provides a readable storage medium. When the instructions in the storage medium are executed by a processor of an electronic device, the electronic device can execute the slow attack identification method of the aforementioned embodiments.
As for the device embodiments, since they are basically similar to the method embodiments, their description is relatively brief; for relevant details, refer to the description of the method embodiments.
It should be noted that the various information and data obtained in the embodiments of the present application are obtained with the authorization of the information/data holder.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. In addition, the present application is not directed to any specific programming language. It should be understood that the content of the present application described herein can be implemented in various programming languages, and the above description of specific languages is given to disclose the best mode of implementing the present application.
In the description provided herein, a large number of specific details are described. However, it is understood that the embodiments of the present application can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the present application and help understand one or more of the various inventive aspects, in the above description of the exemplary embodiments of the present application the various features of the present application are sometimes grouped together into a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all the features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present application.
Those skilled in the art will appreciate that the modules in the devices of the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components of the embodiments may be combined into one module, unit or component, and may in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless otherwise expressly stated, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
The various component embodiments of the present application can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the sorting device according to the present application. The present application can also be implemented as a device or apparatus program for executing part or all of the methods described herein. Such a program implementing the present application may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present application, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference symbol between brackets should not be construed as a limitation on the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of multiple such elements. The present application may be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In a unit claim that lists several devices, several of these devices may be embodied by the same hardware item. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.
The user information (including but not limited to the user's device information, user personal information, etc.) and related data involved in this application are all information authorized by the user or by all parties concerned.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the aforementioned method embodiments and are not repeated here.
The above are only preferred embodiments of the present application and are not intended to limit the present application. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application should be included in the protection scope of the present application.
The above are only specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed in the present application, and these should all be covered by the protection scope of the present application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.
Claims (15)
- A slow attack identification method, characterized in that it is applied to a network system, the method comprising: receiving a data packet corresponding to a request; and, at the transport layer of the network system, determining the data packet to be a slow attack data packet when the data packet meets a preset slow attack condition, and determining the request to be a slow attack request when the data packets corresponding to the request include a slow attack data packet.
- The slow attack identification method according to claim 1, characterized in that determining, at the transport layer of the network system, the data packet to be a slow attack data packet when the data packet meets a preset slow attack condition comprises at least one of the following steps: at the transport layer of the network system, when consecutive data packets are all small data packets and a first total number of the consecutive data packets is greater than or equal to a first preset number, determining each of the consecutive data packets to be a slow attack data packet, where the length of a small data packet is less than or equal to a preset length; at the transport layer of the network system, when the interval between the reception times of two adjacent data packets corresponding to the same request is greater than or equal to a preset duration, determining both of the two adjacent data packets to be slow attack data packets; at the transport layer of the network system, when the window value in the SYN data packet corresponding to the request is less than or equal to a preset window value, determining the SYN data packet to be a slow attack data packet; and, at the transport layer of the network system, when consecutive data packets are all zero-window data packets and a second total number of the consecutive data packets is greater than or equal to a second preset number, determining each of the consecutive data packets to be a slow attack data packet, where the window value in a zero-window data packet is 0.
- The slow attack identification method according to claim 1, characterized in that the method further comprises: when the request is a slow attack request, performing a protection operation on the request.
- The slow attack identification method according to claim 3, characterized in that performing a protection operation on the request when the request is a slow attack request comprises: when the request is a slow attack request, performing, at the transport layer of the network system, a protection operation on the request.
- The slow attack identification method according to claim 4, characterized in that performing, at the transport layer of the network system, a protection operation on the request when the request is a slow attack request comprises at least one of the following steps: when the request is a slow attack request, discarding, at the transport layer of the network system, the data packets corresponding to the request; when the request is a slow attack request, disconnecting, at the transport layer of the network system, the connection corresponding to the request; when the request is a slow attack request, adding, at the transport layer of the network system, the source IP address corresponding to the request to a blacklist; and, when the request is a slow attack request, adding, at the transport layer of the network system, a log record indicating that the request is a slow attack request.
- The slow attack identification method according to claim 3, characterized in that performing a protection operation on the request when the request is a slow attack request comprises: when the request is a slow attack request and a third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to a third preset number, performing a protection operation on the request.
- The slow attack identification method according to claim 6, characterized in that performing a protection operation on the request when the request is a slow attack request and the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to the third preset number comprises: when the request is a slow attack request and, within a preset period, the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to the third preset number, performing, at the transport layer of the network system, a protection operation on the request.
- The slow attack identification method according to claim 7, characterized in that performing, at the transport layer of the network system, a protection operation on the request when the request is a slow attack request and, within the preset period, the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to the third preset number comprises at least one of the following steps, each performed at the transport layer of the network system when the request is a slow attack request and, within the preset period, the third total number of slow attack data packets among the data packets corresponding to the request is greater than or equal to the third preset number: discarding the data packets corresponding to the request; disconnecting the connection corresponding to the request; adding the source IP address corresponding to the request to a blacklist; and adding a log record indicating that the request is a slow attack request.
- The slow attack identification method according to any one of claims 1 to 8, characterized in that a load balancer is deployed at the transport layer.
- The slow attack identification method according to any one of claims 1 to 8, characterized in that the method further comprises: at the transport layer of the network system, releasing the data packet corresponding to the request when the request is not a slow attack request.
- The slow attack identification method according to claim 2, characterized in that the first preset number is greater than or equal to 3; the preset duration is greater than or equal to 120 seconds; and the second preset number is greater than or equal to 4.
- The slow attack identification method according to claim 6, characterized in that the third preset number is greater than or equal to 2.
- A slow attack identification device, characterized in that it is applied to a network system and comprises: a receiving module, configured to receive a data packet corresponding to a request; and an identification module, used at the transport layer of the network system, configured to determine the data packet to be a slow attack data packet when the data packet meets a preset slow attack condition, and to determine the request to be a slow attack request when the data packets corresponding to the request include a slow attack data packet.
- An electronic device, characterized in that it comprises: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method according to any one of claims 1 to 12 when executing the program.
- A readable storage medium, characterized in that, when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to execute the method according to any one of claims 1 to 12.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310042925.1A CN116074083B (en) | 2023-01-28 | 2023-01-28 | Method and device for identifying slow attack, electronic equipment and storage medium |
CN202310042925.1 | 2023-01-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024156236A1 true WO2024156236A1 (en) | 2024-08-02 |
Family
ID=86181591
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/139654 WO2024156236A1 (en) | 2023-01-28 | 2023-12-18 | Slow attack identification method and apparatus, electronic device and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN116074083B (en) |
WO (1) | WO2024156236A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116074083B (en) * | 2023-01-28 | 2023-06-23 | 天翼云科技有限公司 | Method and device for identifying slow attack, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140304817A1 (en) * | 2013-04-09 | 2014-10-09 | Electronics And Telecommunications Research Institute | APPARATUS AND METHOD FOR DETECTING SLOW READ DoS ATTACK |
CN105591832A (en) * | 2014-11-13 | 2016-05-18 | 腾讯数码(天津)有限公司 | Application layer slow-speed attack detection method and correlation apparatus |
KR20180125293A (en) * | 2017-05-15 | 2018-11-23 | 주식회사 시큐아이 | Network security apparatus and method for detecting attack thereof |
US20210099482A1 (en) * | 2019-09-26 | 2021-04-01 | Radware, Ltd. | DETECTION AND MITIGATION DDoS ATTACKS PERFORMED OVER QUIC COMMUNICATION PROTOCOL |
CN116074083A (en) * | 2023-01-28 | 2023-05-05 | 天翼云科技有限公司 | Method and device for identifying slow attack, electronic equipment and storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102135024B1 (en) * | 2019-11-25 | 2020-07-20 | 한국인터넷진흥원 | Method and apparatus for identifying category of cyber attack aiming iot devices |
CN111478893B (en) * | 2020-04-02 | 2022-06-28 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN113242260B (en) * | 2021-06-09 | 2023-02-21 | 中国银行股份有限公司 | Attack detection method and device, electronic equipment and storage medium |
CN115242551B (en) * | 2022-09-21 | 2022-12-06 | 北京中科网威信息技术有限公司 | Slow attack defense method and device, electronic equipment and storage medium |
2023
- 2023-01-28 CN CN202310042925.1A patent/CN116074083B/en active Active
- 2023-12-18 WO PCT/CN2023/139654 patent/WO2024156236A1/en unknown
Also Published As
Publication number | Publication date |
---|---|
CN116074083A (en) | 2023-05-05 |
CN116074083B (en) | 2023-06-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23918236; Country of ref document: EP; Kind code of ref document: A1 |