CN105162793A - Method and apparatus for defending against network attacks - Google Patents

Info

Publication number
CN105162793A
Authority
CN
China
Prior art keywords
information
subscriber equipment
access request
equipment
described subscriber
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510611890.4A
Other languages
Chinese (zh)
Inventor
陈震
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yundun Information Technology Co Ltd
Original Assignee
Shanghai Yundun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Yundun Information Technology Co Ltd
Priority to CN201510611890.4A
Publication of CN105162793A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention aims at providing a method and an apparatus for defending against network attacks. The method comprises the steps of obtaining an access request of a user device to a target page, detecting whether the access request triggers defensive strategy information corresponding to the target page, performing verification processing on the user device corresponding to an access request that triggers the defensive strategy information, and returning the target page to the user device that passes the verification processing. Compared with the prior art, the defensive strategy information involved in the method comprises a plurality of flexibly configurable defensive strategies, and the verification processing can be implemented in a plurality of flexibly configurable verification modes, to meet the requirements of different circumstances and enhance the experience of users. Furthermore, by collecting various running indices in real time, displaying attack logs in real time and generating a graphic report according to the collection result, the method is capable of visually displaying the running conditions and providing support for the optimization of the defensive strategy information, thereby further enhancing the experience of the users.

Description

Method and apparatus for defending against network attacks
Technical field
The application relates to the field of computers, and in particular to a technique for defending against network attacks.
Background art
With the arrival of the Web 2.0 era, a series of new Internet products such as social networks, e-commerce and online games have emerged, Internet applications based on the Web environment are increasingly widespread, and in the course of enterprise informatization all kinds of applications are deployed on Web platforms. The rapid development of Web services has, however, also attracted strong interest from hackers, and network security problems are increasingly prominent. DDoS (Distributed Denial of Service) attacks are trending toward being larger, stronger, faster and smarter.
As a kind of DDoS attack aimed at Web server resources, the CC (Challenge Collapsar) attack has received increasing attention in recent years. The principle of a CC attack is that the attacker controls a number of hosts to continuously send large numbers of packets to the target server, exhausting server resources until the machine goes down. A CC attack is one kind of DDoS attack; it is launched at the layer-7 protocol against Web services and, compared with layer-4 DDoS attacks, it is easier to launch, harder to filter and more far-reaching in its impact. There are three main CC attack modes: a single host simulating many IP addresses, use of a cluster of proxy servers, and use of a botnet. Unlike traditional volumetric DDoS attacks, a CC attack targets performance weaknesses of the website server, so very little traffic may be enough to make the server deny service. Second, unlike attacks based on TCP half-open connections or SYN flood, a CC attack is a normal application request with the characteristics of normal access; its attack characteristics are not obvious, so it is hard to screen. Finally, CC attacks generally use proxy servers or botnets, so at the server the attack appears as requests from different source IPs; it is highly concealed and it is hard to tell whether it is an attack.
Because CC attacks involve low traffic, simulate normal user access and use real IP addresses, they are difficult to discover with current detection means. Existing techniques for defending against CC attacks fall into the following classes: (1) scanning the system's network connections or logs, identifying IP addresses that connect frequently, and adding these IP addresses to iptables (IP packet filtering system and firewall); (2) using built-in functions or third-party modules of the Web server to limit the number of requests or the number of concurrent connections; (3) using Cookie authentication or checks on related variables (such as user-agent, http-x_forwarded-for, etc.); (4) sending a JS verification code to the client and letting the request through after verification passes.
However, existing techniques for defending against CC attacks generally have the following problems: (1) they are not real-time: most Web servers only print the relevant log when request processing ends, so by the time a CC attack is detected through log analysis the website may already be down; (2) the defence policies are limited and hard to generalize; (3) operation is complicated, not intuitive and inflexible, and easily causes false positives that affect access by normal users; (4) some HTTP variables (such as user-agent, http-x_forwarded-for, etc.) are easily forged by an attacker, who need only modify the attack program slightly to deceive the server, so the defence has no effect; (5) the verification mode is easily bypassed by an attacker, so the attack is not stopped; (6) attack data (such as the number of attacks, attack time, etc.) cannot be counted in real time.
Summary of the invention
An object of the application is to provide a method and apparatus for defending against network attacks.
According to one aspect of the application, a method for defending against network attacks is provided, wherein the method comprises:
a. obtaining an access request of a user device to a target page;
b. detecting, according to the defence policy information corresponding to the target page, whether the access request triggers the defence policy information;
c. when the access request triggers the defence policy information, performing verification on the user device;
d. when the user device passes verification, returning the target page to the user device.
Further, step b comprises: detecting, according to the defence policy information corresponding to the target page and the corresponding whitelist information, whether the access request triggers the defence policy information.
Further, the whitelist information comprises at least any one of: page whitelist information; static network address whitelist information.
Further, the method also comprises:
when the user device passes verification, adding the network address of the user device to the corresponding dynamic network address whitelist information; or
when the user device does not pass verification, adding the network address of the user device to the corresponding dynamic network address blacklist information.
Further, step c comprises:
c1. when the access request triggers the defence policy information, sending corresponding verification information to the user device;
c2. receiving feedback information from the user device on the verification information;
c3. performing verification on the user device according to the feedback information.
Further, the verification information comprises encrypted executable module information; the feedback information comprises page request information re-sent by the user device, wherein the page request information comprises verification parameter information obtained by the user device by executing the executable module information.
Further, the verification information comprises address-related information of executable module information; the feedback information comprises page request information re-sent by the user device, wherein the page request information comprises verification parameter information obtained by the user device by executing the executable module information, and the executable module information is obtained by the user device according to the address-related information.
Further, step c1 comprises: when the access request triggers the defence policy information, detecting whether a verification code trigger condition is met; when the verification code trigger condition is met, sending corresponding verification information to the user device, wherein the verification information comprises a verification page containing a picture verification code.
Further, the verification code trigger condition comprises at least any one of: the access request originates from a browser-like attacker; the current attack frequency information corresponding to the target page equals or exceeds predetermined attack threshold information.
According to another aspect of the application, a device for defending against network attacks is provided, wherein the device comprises:
first means for obtaining an access request of a user device to a target page;
second means for detecting, according to the defence policy information corresponding to the target page, whether the access request triggers the defence policy information;
third means for performing verification on the user device when the access request triggers the defence policy information;
fourth means for returning the target page to the user device when the user device passes verification.
Further, the second means is used for: detecting, according to the defence policy information corresponding to the target page and the corresponding whitelist information, whether the access request triggers the defence policy information.
Further, the whitelist information comprises at least any one of: page whitelist information; static network address whitelist information.
Further, the device also comprises:
fifth means for adding the network address of the user device to the corresponding dynamic network address whitelist information when the user device passes verification; or
sixth means for adding the network address of the user device to the corresponding dynamic network address blacklist information when the user device does not pass verification.
Further, the third means comprises:
a first unit for sending corresponding verification information to the user device when the access request triggers the defence policy information;
a second unit for receiving feedback information from the user device on the verification information;
a third unit for performing verification on the user device according to the feedback information.
Further, the verification information comprises encrypted executable module information; the feedback information comprises page request information re-sent by the user device, wherein the page request information comprises verification parameter information obtained by the user device by executing the executable module information.
Further, the verification information comprises address-related information of executable module information; the feedback information comprises page request information re-sent by the user device, wherein the page request information comprises verification parameter information obtained by the user device by executing the executable module information, and the executable module information is obtained by the user device according to the address-related information.
Further, the first unit is used for: when the access request triggers the defence policy information, detecting whether a verification code trigger condition is met; when the verification code trigger condition is met, sending corresponding verification information to the user device, wherein the verification information comprises a verification page containing a picture verification code.
Further, the verification code trigger condition comprises at least any one of: the access request originates from a browser-like attacker; the current attack frequency information corresponding to the target page equals or exceeds predetermined attack threshold information.
Compared with the prior art, the application obtains an access request of a user device to a target page, detects, according to the defence policy information corresponding to the target page, whether the access request triggers the defence policy information, performs verification on the user device corresponding to an access request that triggers the defence policy information, and returns the target page to the user device that passes verification. The defence policy information of the application comprises multiple flexibly configurable defence policies, and the verification comprises multiple flexibly configurable verification modes, which can meet the needs of different situations and improve user experience. Further, by counting each running indicator in real time, displaying attack logs in real time and generating graphical reports from the statistics, the application shows the running status visually and provides support for optimizing the defence policy information, thereby further improving user experience.
Brief description of the drawings
Other features, objects and advantages of the application will become more apparent from the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 is a flow chart of a method for defending against network attacks according to one aspect of the application;
Fig. 2 is a flow chart of a method for defending against network attacks according to a preferred embodiment of the application;
Fig. 3 is a schematic diagram of a device for defending against network attacks according to another aspect of the application;
Fig. 4 is a schematic diagram of a device for defending against network attacks according to a preferred embodiment of the application.
In the drawings, the same or similar reference numerals denote the same or similar parts.
Detailed description of embodiments
The application is described in further detail below with reference to the drawings.
In a typical configuration of the application, the terminal, the device of the service network and the trusted party each include one or more processors (CPU), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, in forms such as random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassette tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
In the application, first, an access request of a user device to a target page is obtained; then, it is detected whether the access request triggers the defence policy information corresponding to the target page, wherein the defence policy information comprises multiple flexibly configurable defence policies; next, verification is performed on the user device corresponding to an access request that triggers the defence policy information, wherein the verification comprises multiple flexibly configurable verification modes; finally, the target page is returned to the user device that passes verification. For a user device that does not pass verification (an attacker), the target page is not returned.
The device for defending against network attacks in the application includes, but is not limited to, a server or server application that stores and manages hypermedia (including Web-based multimedia files such as hypertext documents, audio files and video files) and transmits and distributes them to clients over a network. Preferably, the device for defending against network attacks may be a Web server implemented as a module of Nginx (a high-performance Web server and reverse proxy). Of course, the device for defending against network attacks may also be implemented as a module of Apache (currently the most widely used Web server in the world), Kangle (a cross-platform, powerful, secure, stable and easy-to-operate high-performance Web server and reverse proxy software), Tomcat (an open-source Java-based Web application container that runs servlet and JSP Web applications), and the like. Those skilled in the art will understand that the above devices for defending against network attacks are only examples; other existing or future devices for defending against network attacks, if applicable to the application, shall also fall within the scope of protection of the application and are incorporated herein by reference.
Fig. 1 shows a flow chart of a method for defending against network attacks according to one aspect of the application.
The method comprises step S11, step S12, step S13 and step S14. Specifically, in step S11, device 1 obtains an access request of a user device to a target page; in step S12, device 1 detects, according to the defence policy information corresponding to the target page, whether the access request triggers the defence policy information; in step S13, when the access request triggers the defence policy information, device 1 performs verification on the user device; in step S14, when the user device passes verification, device 1 returns the target page to the user device.
Here, device 1 includes, but is not limited to, a user device, a network device, or a device formed by integrating a user device and a network device through a network. The user device includes, but is not limited to, any mobile electronic product that can interact with a user through a touch pad, such as a smartphone or a PDA; the mobile electronic product may run any operating system, such as Android or iOS. The network device includes an electronic device that can automatically perform numerical computation and information processing according to preset or stored instructions; its hardware includes, but is not limited to, a microprocessor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), an embedded device and the like. The network device includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers; here, a cloud is formed by a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual supercomputer made up of a group of loosely coupled computers. The network includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a VPN, a wireless ad hoc network and the like. Preferably, device 1 may also be a script program running on the user device, the network device, or a device formed by integrating the user device and the network device, or the network device and a touch terminal, through a network. Of course, those skilled in the art will understand that the above device 1 is only an example; other existing or future devices 1, if applicable to the application, shall also fall within the scope of protection of the application and are incorporated herein by reference.
The steps of device 1 operate continuously. Specifically, in step S11, device 1 continues to obtain access requests of user devices to the target page; in step S12, device 1 continues to detect, according to the defence policy information corresponding to the target page, whether the access request triggers the defence policy information; in step S13, when the access request triggers the defence policy information, device 1 continues to perform verification on the user device; in step S14, when the user device passes verification, device 1 continues to return the target page to the user device; this goes on until device 1 stops obtaining access requests of user devices to the target page in step S11.
In step S11, device 1 obtains an access request of a user device to a target page.
In a specific embodiment, if the function of defending against network attacks is turned off, the target page can be returned to the user device directly after the access request is obtained; if the function of defending against network attacks is turned on, whether to return the target page to the user device is determined after the relevant processing, such as detection and verification, according to the defence policy information corresponding to the target page.
In step S12, device 1 detects, according to the defence policy information corresponding to the target page, whether the access request triggers the defence policy information.
Here, the defence policy information comprises defence policies configured according to the actual situation of the target page; the same or different defence policies can be configured for different pages. In a preferred embodiment, one Web server can run multiple virtual hosts, each virtual host can support multiple websites, and an independent defence policy can be configured for each virtual host.
In a specific embodiment, the defence policies may include a single-IP request frequency limit, a single-URL (Uniform Resource Locator) request frequency limit, a single-IP single-URL request frequency limit, a virtual host request frequency limit, and a virtual host single-URL request frequency limit. The single-IP request frequency limit refers to a frequency limit on access requests from the same IP address; the single-URL request frequency limit refers to a frequency limit applied to all IP addresses accessing the same URL, enabled once the total number of accesses to a fixed URL by all IP addresses (within a unit of time) reaches a threshold; the single-IP single-URL request frequency limit refers to a frequency limit on access requests initiated by the same IP address to a fixed URL; the virtual host request frequency limit refers to a frequency limit applied to all access requests from the same virtual host; the virtual host single-URL request frequency limit refers to a frequency limit on access requests initiated by the same virtual host to a fixed URL. Detecting whether the access request triggers the defence policy information means judging whether the access request exceeds the frequency limit of the corresponding defence policy configured for the target page.
Preferably, in step S12, device 1 detects, according to the defence policy information corresponding to the target page and the corresponding whitelist information, whether the access request triggers the defence policy information.
In a specific embodiment, for an access request from a user device on the whitelist, the target page is returned to the user device directly; for an access request from a user device on the blacklist, the target page is not returned.
Specifically, the whitelist information comprises at least any one of: page whitelist information; static network address whitelist information.
Here, the page whitelist information comprises a URL (Uniform Resource Locator) whitelist; for example, trusted static pages, pictures, API calls and the like can be added to the URL whitelist. The static network address whitelist information comprises a static IP address whitelist; for example, trusted IP addresses can be added to the static IP address whitelist.
In a preferred embodiment, the whitelist information may also comprise a dynamic IP address whitelist. The dynamic IP address whitelist differs from the static IP address whitelist in that the dynamic IP address whitelist has a configurable lifetime, and an IP address whose lifetime has been exceeded is removed from the dynamic IP address whitelist, whereas the static IP address whitelist has no lifetime and is always in effect. Correspondingly, the dynamic IP address blacklist also has a configurable lifetime, and an IP address whose lifetime has been exceeded is removed from the dynamic IP address blacklist.
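The detection of step S12 described above (static and page whitelists, dynamic lists with a lifetime, then the configured frequency limits) can be sketched as follows. This is an added example, not code from the patent or from the applicant's product; the class, field and reason names, the sliding-window counting and the order of the checks are assumptions.

```python
from collections import defaultdict, deque


class TTLList:
    """Dynamic address list: an entry is dropped once its lifetime is exceeded."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._expires = {}

    def add(self, ip, now):
        self._expires[ip] = now + self.ttl

    def has(self, ip, now):
        exp = self._expires.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self._expires[ip]      # lifetime exceeded: remove from the list
            return False
        return True


class SlidingCounter:
    """Counts requests per key within the last `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def over_limit(self, key, now):
        q = self._hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


# The five frequency limits of the description differ only in the counting key.
KEY_FUNCS = {
    "ip": lambda r: r["ip"],
    "url": lambda r: r["url"],
    "ip_url": lambda r: (r["ip"], r["url"]),
    "vhost": lambda r: r["vhost"],
    "vhost_url": lambda r: (r["vhost"], r["url"]),
}


class DefencePolicy:
    def __init__(self, limits, static_ips=(), url_whitelist=(), dyn_ttl=600):
        # limits: {"ip": (max_requests, window_seconds), ...}; unset limits are off
        self.counters = {n: SlidingCounter(*limits[n]) for n in limits}
        self.static_ips = set(static_ips)
        self.url_whitelist = set(url_whitelist)
        self.dyn_white = TTLList(dyn_ttl)
        self.dyn_black = TTLList(dyn_ttl)

    def decide(self, req, now):
        """Return (action, reason); action is 'serve', 'deny' or 'verify'."""
        ip, url = req["ip"], req["url"]
        if ip in self.static_ips:
            return ("serve", "static_ip_whitelist")
        if url in self.url_whitelist:
            return ("serve", "page_whitelist")
        if self.dyn_black.has(ip, now):
            return ("deny", "dynamic_blacklist")
        if self.dyn_white.has(ip, now):
            return ("serve", "dynamic_whitelist")
        # Update every configured counter so all of them see this request.
        tripped = [n for n, c in self.counters.items()
                   if c.over_limit(KEY_FUNCS[n](req), now)]
        if tripped:
            return ("verify", ",".join(sorted(tripped)))
        return ("serve", "under_limits")

    def record_verification(self, ip, passed, now):
        """Outcome of verification feeds the dynamic whitelist or blacklist."""
        (self.dyn_white if passed else self.dyn_black).add(ip, now)


if __name__ == "__main__":
    # Constructed sample traffic: one client requesting /login once per second.
    policy = DefencePolicy({"ip": (3, 10), "ip_url": (2, 10)}, dyn_ttl=60)
    for t in range(4):
        req = {"ip": "198.51.100.7", "vhost": "a.example", "url": "/login"}
        print(t, policy.decide(req, t))
```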
In step S13, when the access request triggers the defense policy information, equipment 1 performs verification processing on the user equipment.
In a specific embodiment, the verification processing may comprise multiple verification methods; depending on the actual situation, a single verification method or a free combination of several verification methods can be configured.
Specifically, in step S13, when the access request triggers the defense policy information, equipment 1 sends corresponding verification information to the user equipment; equipment 1 receives the user equipment's feedback information on the verification information; and equipment 1 performs verification processing on the user equipment according to the feedback information.
Here, the verification information can be determined according to the configured verification method or free combination of verification methods. Corresponding verification processing is performed according to the user equipment's feedback information on the verification information, to judge whether the user equipment passes verification.
In a preferred embodiment, indicators such as the total number of access requests, the number of normal access requests, the number of times verification is triggered, the number of times verification is passed, the number of network attacks, sent and received traffic, and cached traffic can also be counted in real time. Attack logs can be displayed in real time, the IP addresses ranking highest by number of attacks can be tallied, and graphical reports can be generated from the statistics to show the operating status visually, improving the user experience.
Specifically, the verification information may comprise encrypted executable module information; the feedback information may comprise page request information resent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information.
For example, the encrypted executable module information may be a piece of encrypted JavaScript code. Suppose the user equipment requests access to the page https://www.baidu.com/. When the access request triggers the defense policy information, the user equipment obtains a piece of encrypted JavaScript code. Suppose the verification parameter information that the user equipment obtains after executing this code (i.e. the executable module information) is the string "?jskey=4946fab98eff024e8877"; the page request information resent by the user equipment then comprises https://www.baidu.com/?jskey=4946fab98eff024e8877, and whether the user equipment passes verification is judged according to this page request information. The browser of the user equipment can execute the executable module information automatically, so the verification process is imperceptible to the user. In most cases an attack tool cannot execute the executable module information and therefore cannot pass verification.
Preferably, the verification information may also comprise address-related information of the executable module information; the feedback information comprises page request information resent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information, and the executable module information is obtained by the user equipment according to the address-related information.
For example, the address-related information of the executable module information may be a piece of Flash code. When the access request triggers the defense policy information, the user equipment obtains a piece of Flash code. Suppose that, after executing this Flash code (i.e. the address-related information of the executable module information), the user equipment obtains the address of the corresponding Flash file and then obtains that Flash file, and suppose the Flash file contains a piece of encrypted JavaScript code (i.e. the executable module information). After executing the JavaScript code in the Flash file, the user equipment obtains the corresponding string and then resends the page request information. The browser of the user equipment can execute the executable module information automatically, so the verification process is imperceptible to the user. In most cases an attack tool cannot execute the executable module information and therefore cannot pass verification.
Preferably, in step S13, when the access request triggers the defense policy information, equipment 1 detects whether a verification code trigger condition is met; when the verification code trigger condition is met, equipment 1 sends corresponding verification information to the user equipment, wherein the verification information comprises a verification page containing a picture verification code.
Here, when the verification code trigger condition is met, the user equipment obtains the corresponding verification information and its browser displays the verification page containing the picture verification code. A user can recognize the picture verification code and manually enter the corresponding code, which an attack tool cannot do. The user equipment's feedback information on the verification information may indicate whether a verification code is included and whether the included verification code is correct.
Specifically, the verification code trigger condition comprises at least any one of the following: the access request originates from a browser-like attack tool; the current attack frequency information corresponding to the target page equals or exceeds predetermined attack threshold information.
In a specific embodiment, if the access request originates from a browser-like attack tool, such a tool can execute the executable module information, so neither verification information comprising encrypted executable module information nor verification information comprising address-related information of the executable module information can prevent it from passing verification. In this case the verification code trigger condition is detected as met, and verification information comprising a verification page containing a picture verification code can prevent such an attack tool from passing verification. If the current attack frequency information corresponding to the target page equals or exceeds the predetermined attack threshold information, this strict verification mode can also be adopted.
In step S14, when the user equipment passes the verification processing, equipment 1 returns the target page to the user equipment.
Here, for user equipment that passes the verification processing, the access request of the user equipment is answered and the target page is returned; for user equipment (an attack tool) that does not pass the verification processing, the access request of the user equipment is not answered.
Fig. 2 shows a flow chart of a method for defending against network attacks according to a preferred embodiment of the application.
The method comprises step S21, step S22, step S23, step S24, step S25 and step S26. Here, the content of steps S21, S22, S23 and S24 is identical or substantially identical to that of steps S11, S12, S13 and S14 in Fig. 1 and, for brevity, is not repeated.
Specifically, in step S25, when the user equipment passes the verification processing, equipment 1 adds the network address of the user equipment to the corresponding dynamic network address whitelist information; in step S26, when the user equipment does not pass the verification processing, equipment 1 adds the network address of the user equipment to the corresponding dynamic network address blacklist information.
In a preferred embodiment, the dynamic network address whitelist information and the dynamic network address blacklist have a configurable lifetime, and a network address whose lifetime has been exceeded is removed from the dynamic network address whitelist information or the dynamic network address blacklist. Within the lifetime, access requests from user equipment in the dynamic network address whitelist information are answered directly without verification, and access requests from user equipment in the dynamic network address blacklist information are blocked directly without verification. After the lifetime has been exceeded, when the access request triggers the defense policy information, verification processing needs to be performed on user equipment that no longer belongs to the dynamic network address whitelist information or the dynamic network address blacklist.
Fig. 3 shows equipment 1 for defending against network attacks according to another aspect of the application, wherein equipment 1 comprises a first device 11, a second device 12, a third device 13 and a fourth device 14.
Specifically, the first device 11 obtains an access request of user equipment for a target page; the second device 12 detects, according to the defense policy information corresponding to the target page, whether the access request triggers the defense policy information; the third device 13 performs verification processing on the user equipment when the access request triggers the defense policy information; and the fourth device 14 returns the target page to the user equipment when the user equipment passes the verification processing.
Here, equipment 1 includes but is not limited to user equipment, network equipment, or a device formed by integrating user equipment and network equipment through a network. The user equipment includes but is not limited to any mobile electronic product capable of human-computer interaction with a user via a touchpad, such as a smartphone or a PDA; the mobile electronic product may run any operating system, such as the Android operating system or the iOS operating system. The network equipment comprises an electronic device that can automatically perform numerical computation and information processing according to instructions set or stored in advance; its hardware includes but is not limited to a microprocessor, an application-specific integrated circuit (ASIC), a programmable gate array (FPGA), a digital processor (DSP), an embedded device and the like. The network equipment includes but is not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here, a cloud is formed by a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual supercomputer composed of a group of loosely coupled computers. The network includes but is not limited to the Internet, a wide area network, a metropolitan area network, a local area network, a VPN, a wireless ad hoc network and the like. Preferably, equipment 1 may also be a script program running on the user equipment, on the network equipment, or on a device formed by integrating the user equipment and the network equipment, the network equipment, a touch terminal, or the network equipment and a touch terminal through a network. Of course, those skilled in the art will understand that the above equipment 1 is only an example; other existing or future equipment 1, where applicable to the application, should also fall within the scope of protection of the application and is incorporated herein by reference.
The above devices work continuously with one another. Here, those skilled in the art will understand that "continuously" means that each of the above devices operates in real time, or according to a set or real-time-adjusted operating mode requirement. For example, the first device 11 continues to obtain access requests of user equipment for target pages; the second device 12 continues to detect, according to the defense policy information corresponding to the target page, whether the access request triggers the defense policy information; when the access request triggers the defense policy information, the third device 13 continues to perform verification processing on the user equipment; when the user equipment passes the verification processing, the fourth device 14 continues to return the target page to the user equipment; and so on until the first device 11 stops obtaining access requests of user equipment for target pages.
The first device 11 obtains an access request of user equipment for a target page.
In a specific embodiment, if the network attack defense function is turned off, the target page can be returned to the user equipment directly after the access request is obtained; if the network attack defense function is turned on, whether to return the target page to the user equipment is determined only after the relevant processing, such as detection and verification, has been carried out according to the defense policy information corresponding to the target page.
The second device 12 detects, according to the defense policy information corresponding to the target page, whether the access request triggers the defense policy information.
Here, the defense policy information comprises defense policies configured according to the actual situation of the target page; identical or different defense policies can be configured for different web pages. In a preferred embodiment, one web server can run multiple virtual hosts, each virtual host can support multiple websites, and an independent defense policy can be configured for each virtual host.
In a specific embodiment, the defense policies may comprise a single-IP request frequency limit, a single-URL (Uniform Resource Locator) request frequency limit, a single-IP single-URL request frequency limit, a virtual-host request frequency limit, and a virtual-host single-URL request frequency limit. The single-IP request frequency limit is a frequency limit on access requests from the same IP address. The single-URL request frequency limit is a frequency limit applied to all IP addresses accessing the same URL: the limit is switched on once the total number of accesses to a fixed URL by all IP addresses (within a unit of time) reaches a threshold. The single-IP single-URL request frequency limit is a frequency limit on access requests initiated by the same IP address to a fixed URL. The virtual-host request frequency limit is a frequency limit applied to all access requests from the same virtual host. The virtual-host single-URL request frequency limit is a frequency limit on access requests initiated by the same virtual host to a fixed URL. Detecting whether the access request triggers the defense policy information means judging whether the access request exceeds the frequency limit of the corresponding defense policy configured for the target page.
Preferably, the second device 12 detects whether the access request triggers the defense policy information according to the defense policy information corresponding to the target page and the corresponding whitelist information.
In a specific embodiment, for an access request from user equipment in the whitelist, the target page is returned to the user equipment directly; for an access request from user equipment in the blacklist, the target page is not returned.
Specifically, the whitelist information comprises at least any one of the following: page whitelist information; static network address whitelist information.
Here, the page whitelist information comprises a URL (Uniform Resource Locator) whitelist; for example, trusted static web pages, pictures, callable API interfaces and the like can be added to the URL whitelist. The static network address whitelist information comprises a static IP address whitelist; for example, trusted IP addresses can be added to the static IP address whitelist.
In a preferred embodiment, the whitelist information may further comprise a dynamic IP address whitelist. The dynamic IP address whitelist differs from the static IP address whitelist in that it has a configurable lifetime: an IP address whose lifetime has been exceeded is removed from the dynamic IP address whitelist, whereas the static IP address whitelist has no lifetime and remains valid at all times. Correspondingly, the dynamic IP address blacklist also has a configurable lifetime, and an IP address whose lifetime has been exceeded is removed from the dynamic IP address blacklist.
The third device 13 performs verification processing on the user equipment when the access request triggers the defense policy information.
In a specific embodiment, the verification processing may comprise multiple verification methods; depending on the actual situation, a single verification method or a free combination of several verification methods can be configured.
Specifically, the third device 13 may comprise a first unit (not shown), a second unit (not shown) and a third unit (not shown). When the access request triggers the defense policy information, the first unit sends corresponding verification information to the user equipment; the second unit receives the user equipment's feedback information on the verification information; and the third unit performs verification processing on the user equipment according to the feedback information.
Here, the verification information can be determined according to the configured verification method or free combination of verification methods. Corresponding verification processing is performed according to the user equipment's feedback information on the verification information, to judge whether the user equipment passes verification.
In a preferred embodiment, indicators such as the total number of access requests, the number of normal access requests, the number of times verification is triggered, the number of times verification is passed, the number of network attacks, sent and received traffic, and cached traffic can also be counted in real time. Attack logs can be displayed in real time, the IP addresses ranking highest by number of attacks can be tallied, and graphical reports can be generated from the statistics to show the operating status visually, improving the user experience.
Specifically, the verification information may comprise encrypted executable module information; the feedback information may comprise page request information resent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information.
For example, the encrypted executable module information may be a piece of encrypted JavaScript code. Suppose the user equipment requests access to the page https://www.baidu.com/. When the access request triggers the defense policy information, the user equipment obtains a piece of encrypted JavaScript code. Suppose the verification parameter information that the user equipment obtains after executing this code (i.e. the executable module information) is the string "?jskey=4946fab98eff024e8877"; the page request information resent by the user equipment then comprises https://www.baidu.com/?jskey=4946fab98eff024e8877, and whether the user equipment passes verification is judged according to this page request information. The browser of the user equipment can execute the executable module information automatically, so the verification process is imperceptible to the user. In most cases an attack tool cannot execute the executable module information and therefore cannot pass verification.
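The exchange described above (and in step S13 of the method), as an added example that is not code from the patent: a Node.js gateway issues a script whose execution yields the jskey parameter, then checks the resent page request. The HMAC key derivation, the XOR masking (standing in for the patent's unspecified encryption), the 60-second validity window, the host www.example.com, the sample addresses and all function names are assumptions.

```javascript
const crypto = require('node:crypto');
const vm = require('node:vm');

// Assumptions of this example: gateway secret, validity window, key length.
const SECRET = crypto.randomBytes(32);
const WINDOW_MS = 60_000;
const KEY_HEX_CHARS = 20; // same length as the jskey value quoted in the text

// Verification parameter bound to client address, page and time window.
function expectedKey(ip, pageUrl, windowNo) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${ip}|${pageUrl}|${windowNo}`)
    .digest('hex')
    .slice(0, KEY_HEX_CHARS);
}

// Build the executable module sent in place of the page. The key is stored
// XOR-masked with a random pad, so it only exists once the script has run.
function buildChallenge(ip, pageUrl, now = Date.now()) {
  const key = expectedKey(ip, pageUrl, Math.floor(now / WINDOW_MS));
  const pad = crypto.randomBytes(key.length);
  const masked = Array.from(key, (ch, i) => ch.charCodeAt(0) ^ pad[i]);
  return [
    '(function () {',
    `  var m = ${JSON.stringify(masked)}, p = ${JSON.stringify([...pad])}, k = "";`,
    '  for (var i = 0; i < m.length; i++) k += String.fromCharCode(m[i] ^ p[i]);',
    '  location.href = location.href.split("?")[0] + "?jskey=" + k;',
    '})();',
  ].join('\n');
}

// Check the resent page request: the jskey must equal the value expected for
// this client in the current or previous window (constant-time comparison).
function verifyResend(ip, resentUrl, now = Date.now()) {
  const u = new URL(resentUrl);
  const supplied = Buffer.from(u.searchParams.get('jskey') || '');
  const pageUrl = u.origin + u.pathname;
  const w = Math.floor(now / WINDOW_MS);
  return [w, w - 1].some((n) => {
    const expected = Buffer.from(expectedKey(ip, pageUrl, n));
    return supplied.length === expected.length &&
      crypto.timingSafeEqual(supplied, expected);
  });
}

// Stand-in for a browser: runs the gateway's own script with a fake `location`.
function simulateBrowser(script, currentUrl) {
  const sandbox = { location: { href: currentUrl } };
  vm.runInNewContext(script, sandbox, { timeout: 100 });
  return sandbox.location.href;
}

// Constructed scenario: one client that runs the script, one that does not,
// and two replays of a valid key (other address, expired window).
function demo() {
  const t0 = 1_700_000_000_000;
  const page = 'https://www.example.com/';
  const client = '203.0.113.7';
  const resent = simulateBrowser(buildChallenge(client, page, t0), page);
  return {
    resent,
    browser: verifyResend(client, resent, t0 + 30_000),
    noScriptClient: verifyResend(client, page, t0 + 30_000),
    replayFromOtherIp: verifyResend('198.51.100.9', resent, t0 + 30_000),
    replayAfterExpiry: verifyResend(client, resent, t0 + 180_000),
  };
}
```

Binding the key to the client address and a time window means a key harvested once cannot be reused from other addresses or indefinitely; a client that does execute scripts still passes, which is the case the picture verification code addresses.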
Preferably, the verification information may also comprise address-related information of the executable module information; the feedback information comprises page request information resent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information, and the executable module information is obtained by the user equipment according to the address-related information.
For example, the address-related information of the executable module information may be a piece of Flash code. When the access request triggers the defense policy information, the user equipment obtains a piece of Flash code. Suppose that, after executing this Flash code (i.e. the address-related information of the executable module information), the user equipment obtains the address of the corresponding Flash file and then obtains that Flash file, and suppose the Flash file contains a piece of encrypted JavaScript code (i.e. the executable module information). After executing the JavaScript code in the Flash file, the user equipment obtains the corresponding string and then resends the page request information. The browser of the user equipment can execute the executable module information automatically, so the verification process is imperceptible to the user. In most cases an attack tool cannot execute the executable module information and therefore cannot pass verification.
Preferably, when the access request triggers the defense policy information, the first unit detects whether a verification code trigger condition is met; when the verification code trigger condition is met, the first unit sends corresponding verification information to the user equipment, wherein the verification information comprises a verification page containing a picture verification code.
Here, when the verification code trigger condition is met, the user equipment obtains the corresponding verification information and its browser displays the verification page containing the picture verification code. A user can recognize the picture verification code and manually enter the corresponding code, which an attack tool cannot do. The user equipment's feedback information on the verification information may indicate whether a verification code is included and whether the included verification code is correct.
Specifically, the verification code trigger condition comprises at least any one of the following: the access request originates from a browser-like attack tool; the current attack frequency information corresponding to the target page equals or exceeds predetermined attack threshold information.
In a specific embodiment, if the access request originates from a browser-like attack tool, such a tool can execute the executable module information, so neither verification information comprising encrypted executable module information nor verification information comprising address-related information of the executable module information can prevent it from passing verification. In this case the verification code trigger condition is detected as met, and verification information comprising a verification page containing a picture verification code can prevent such an attack tool from passing verification. If the current attack frequency information corresponding to the target page equals or exceeds the predetermined attack threshold information, this strict verification mode can also be adopted.
The fourth device 14 returns the target page to the user equipment when the user equipment passes the verification processing.
Here, for user equipment that passes the verification processing, the access request of the user equipment is answered and the target page is returned; for user equipment (an attack tool) that does not pass the verification processing, the access request of the user equipment is not answered.
Fig. 4 shows equipment 1 for defending against network attacks according to a preferred embodiment of the application, wherein equipment 1 comprises a first device 11', a second device 12', a third device 13', a fourth device 14', a fifth device 15' and a sixth device 16'.
Here, the first device 11', the second device 12', the third device 13' and the fourth device 14' are identical or substantially identical in content to the first device 11, the second device 12, the third device 13 and the fourth device 14 in Fig. 3 and, for brevity, are not described again.
Specifically, when the user equipment passes the verification processing, the fifth device 15' adds the network address of the user equipment to the corresponding dynamic network address whitelist information; when the user equipment does not pass the verification processing, the sixth device 16' adds the network address of the user equipment to the corresponding dynamic network address blacklist information.
In a preferred embodiment, the dynamic network address whitelist information and the dynamic network address blacklist have a configurable lifetime, and a network address whose lifetime has been exceeded is removed from the dynamic network address whitelist information or the dynamic network address blacklist. Within the lifetime, access requests from user equipment in the dynamic network address whitelist information are answered directly without verification, and access requests from user equipment in the dynamic network address blacklist information are blocked directly without verification. After the lifetime has been exceeded, when the access request triggers the defense policy information, verification processing needs to be performed on user equipment that no longer belongs to the dynamic network address whitelist information or the dynamic network address blacklist.
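The decision flow of steps S21 to S26 and devices 11' to 16', combined with the request frequency limits and the verification code trigger condition, as an added example that is not code from the patent. Class names, thresholds, the browserLikeAttacker flag (the patent does not say how such a tool is recognized) and the sample addresses are assumptions; the virtual-host limits are omitted.

```javascript
// Dynamic list whose entries carry a lifetime; expired entries are removed.
class ExpiringList {
  constructor(lifetimeMs) { this.lifetimeMs = lifetimeMs; this.expiry = new Map(); }
  add(ip, now) { this.expiry.set(ip, now + this.lifetimeMs); }
  has(ip, now) {
    const until = this.expiry.get(ip);
    if (until === undefined) return false;
    if (now >= until) { this.expiry.delete(ip); return false; } // lifetime exceeded
    return true;
  }
}

// Counts events per key inside a sliding time window.
class WindowCounter {
  constructor(windowMs) { this.windowMs = windowMs; this.events = new Map(); }
  count(key, now) {
    const recent = (this.events.get(key) || []).filter((t) => now - t < this.windowMs);
    this.events.set(key, recent);
    return recent.length;
  }
  hit(key, now) {
    const n = this.count(key, now);
    this.events.get(key).push(now);
    return n + 1;
  }
}

class Gateway {
  constructor(policy) {
    this.policy = policy;
    this.dynamicWhitelist = new ExpiringList(policy.listLifetimeMs);
    this.dynamicBlacklist = new ExpiringList(policy.listLifetimeMs);
    this.requests = new WindowCounter(policy.windowMs);
    this.attacks = new WindowCounter(policy.attackWindowMs);
  }

  // Returns ALLOW, BLOCK, VERIFY_SCRIPT or VERIFY_CAPTCHA for one request.
  decide({ ip, url, browserLikeAttacker = false }, now) {
    const p = this.policy;
    if (p.staticIpWhitelist.has(ip) || p.urlWhitelist.has(url)) return 'ALLOW';
    if (this.dynamicBlacklist.has(ip, now)) return 'BLOCK';
    if (this.dynamicWhitelist.has(ip, now)) return 'ALLOW';
    // Update all three counters before comparing, so none is skipped.
    const perIp = this.requests.hit(`ip:${ip}`, now);
    const perUrl = this.requests.hit(`url:${url}`, now);
    const perIpUrl = this.requests.hit(`ip+url:${ip} ${url}`, now);
    const triggered = perIp > p.limits.perIp || perUrl > p.limits.perUrl ||
      perIpUrl > p.limits.perIpUrl;
    if (!triggered) return 'ALLOW';
    // Verification code trigger condition: either of the two listed cases.
    const captcha = browserLikeAttacker ||
      this.attacks.count(url, now) >= p.attackThreshold;
    return captcha ? 'VERIFY_CAPTCHA' : 'VERIFY_SCRIPT';
  }

  // Steps S25 / S26: file the address according to the verification outcome.
  recordVerification({ ip, url }, passed, now) {
    if (passed) { this.dynamicWhitelist.add(ip, now); return; }
    this.dynamicBlacklist.add(ip, now);
    this.attacks.hit(url, now); // a failed verification counts as an attack
  }
}

// Constructed traffic: bursts of four requests per client, times in ms.
function runScenario() {
  const gw = new Gateway({
    windowMs: 1000, attackWindowMs: 10000, listLifetimeMs: 60000,
    limits: { perIp: 3, perUrl: 100, perIpUrl: 3 },
    attackThreshold: 2,
    staticIpWhitelist: new Set(['192.0.2.10']),
    urlWhitelist: new Set(['/static/logo.png']),
  });
  const url = '/login';
  const burst = (ip, start) => [0, 1, 2, 3].map((i) => gw.decide({ ip, url }, start + i));
  const out = {};
  out.a = burst('203.0.113.1', 0);
  gw.recordVerification({ ip: '203.0.113.1', url }, true, 10);
  out.aAfterPass = gw.decide({ ip: '203.0.113.1', url }, 11);
  out.b = burst('203.0.113.2', 100);
  gw.recordVerification({ ip: '203.0.113.2', url }, false, 110);
  out.bWhileListed = gw.decide({ ip: '203.0.113.2', url }, 120);
  burst('203.0.113.3', 200);
  gw.recordVerification({ ip: '203.0.113.3', url }, false, 210);
  out.d = burst('203.0.113.4', 300); // two recent failures on this URL
  out.trusted = burst('192.0.2.10', 400);
  out.bAfterLifetime = gw.decide({ ip: '203.0.113.2', url }, 110 + 60000);
  return out;
}
```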
Compared with the prior art, the application obtains an access request of user equipment for a target page, detects, according to the defense policy information corresponding to the target page, whether the access request triggers the defense policy information, performs verification processing on the user equipment corresponding to an access request that triggers the defense policy information, and returns the target page to user equipment that passes the verification processing. The defense policy information of the application comprises multiple flexibly configurable defense policies, and the verification processing comprises multiple flexibly configurable verification modes, so the needs of different situations can be met and the user experience improved. Further, by counting the various operating indicators in real time, displaying attack logs in real time, and generating graphical reports from the statistics to show the operating status visually, the application provides support for optimizing the defense policy information, further improving the user experience.
Obviously, those skilled in the art can make various changes and modifications to the application without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the application and their technical equivalents, the application is also intended to cover them.
It should be noted that the application can be implemented in software and/or in a combination of software and hardware; for example, it can be implemented using an application-specific integrated circuit (ASIC), a general-purpose computer, or any other similar hardware device. In one embodiment, the software program of the application can be executed by a processor to implement the steps or functions described above. Likewise, the software program of the application (including related data structures) can be stored in a computer-readable recording medium, for example a RAM memory, a magnetic or optical drive, a floppy disk, or a similar device. In addition, some steps or functions of the application can be implemented in hardware, for example as a circuit that cooperates with a processor to perform each step or function.
In addition, part of the application can be applied as a computer program product, for example computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the application through the operation of that computer. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, and/or transmitted via a data stream in broadcast or other signal-bearing media, and/or stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment according to the application comprises an apparatus that comprises a memory for storing computer program instructions and a processor for executing program instructions, wherein, when the computer program instructions are executed by the processor, the apparatus is triggered to run the methods and/or technical solutions based on the foregoing embodiments according to the application.
To those skilled in the art, it is obvious that the application is not limited to the details of the above exemplary embodiments and can be implemented in other specific forms without departing from its spirit or essential characteristics. The embodiments should therefore be regarded in every respect as exemplary and non-restrictive; the scope of the application is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and range of equivalency of the claims are therefore intended to be embraced in the application. Any reference sign in a claim should not be regarded as limiting the claim concerned. In addition, the word "comprising" obviously does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices recited in a device claim can also be implemented by one unit or device through software or hardware. Words such as "first" and "second" are used to denote names and do not denote any particular order.

Claims (18)

1. A method for defending against network attacks, wherein the method comprises:
a. obtaining an access request from a user equipment for a target page;
b. detecting, according to defense policy information corresponding to the target page, whether the access request triggers the defense policy information;
c. when the access request triggers the defense policy information, performing verification processing on the user equipment;
d. when the user equipment passes the verification processing, returning the target page to the user equipment.
2. The method according to claim 1, wherein step b comprises:
detecting, according to the defense policy information corresponding to the target page and the corresponding whitelist information, whether the access request triggers the defense policy information.
3. The method according to claim 2, wherein the whitelist information comprises at least any one of the following:
page whitelist information;
static network address whitelist information.
4. The method according to claim 2 or 3, wherein the method further comprises:
when the user equipment passes the verification processing, adding the network address of the user equipment to the corresponding dynamic network address whitelist information; or
when the user equipment does not pass the verification processing, adding the network address of the user equipment to the corresponding dynamic network address blacklist information.
5. The method according to any one of claims 1 to 4, wherein step c comprises:
c1. when the access request triggers the defense policy information, sending corresponding verification information to the user equipment;
c2. receiving feedback information from the user equipment in response to the verification information;
c3. performing verification processing on the user equipment according to the feedback information.
6. The method according to claim 5, wherein the verification information comprises encrypted executable module information; the feedback information comprises page request information re-sent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information.
7. The method according to claim 5, wherein the verification information comprises address-related information of executable module information; the feedback information comprises page request information re-sent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information, and the executable module information is obtained by the user equipment according to the address-related information.
8. The method according to any one of claims 5 to 7, wherein step c1 comprises:
when the access request triggers the defense policy information, detecting whether a verification code trigger condition is met;
when the verification code trigger condition is met, sending corresponding verification information to the user equipment, wherein the verification information comprises a verification page containing a picture verification code.
9. The method according to claim 8, wherein the verification code trigger condition comprises at least any one of the following:
the access request originates from a browser-like attack tool;
the current attack frequency information corresponding to the target page equals or exceeds predetermined attack threshold information.
10. An apparatus for defending against network attacks, wherein the apparatus comprises:
a first device, for obtaining an access request from a user equipment for a target page;
a second device, for detecting, according to defense policy information corresponding to the target page, whether the access request triggers the defense policy information;
a third device, for performing verification processing on the user equipment when the access request triggers the defense policy information;
a fourth device, for returning the target page to the user equipment when the user equipment passes the verification processing.
11. The apparatus according to claim 10, wherein the second device is used for:
detecting, according to the defense policy information corresponding to the target page and the corresponding whitelist information, whether the access request triggers the defense policy information.
12. The apparatus according to claim 11, wherein the whitelist information comprises at least any one of the following:
page whitelist information;
static network address whitelist information.
13. The apparatus according to claim 11 or 12, wherein the apparatus further comprises:
a fifth device, for adding the network address of the user equipment to the corresponding dynamic network address whitelist information when the user equipment passes the verification processing; or
a sixth device, for adding the network address of the user equipment to the corresponding dynamic network address blacklist information when the user equipment does not pass the verification processing.
14. The apparatus according to any one of claims 10 to 13, wherein the third device comprises:
a first unit, for sending corresponding verification information to the user equipment when the access request triggers the defense policy information;
a second unit, for receiving feedback information from the user equipment in response to the verification information;
a third unit, for performing verification processing on the user equipment according to the feedback information.
15. The apparatus according to claim 14, wherein the verification information comprises encrypted executable module information; the feedback information comprises page request information re-sent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information.
16. The apparatus according to claim 14, wherein the verification information comprises address-related information of executable module information; the feedback information comprises page request information re-sent by the user equipment, wherein the page request information comprises verification parameter information that the user equipment obtains by executing the executable module information, and the executable module information is obtained by the user equipment according to the address-related information.
17. The apparatus according to any one of claims 14 to 16, wherein the first unit is used for:
when the access request triggers the defense policy information, detecting whether a verification code trigger condition is met;
when the verification code trigger condition is met, sending corresponding verification information to the user equipment, wherein the verification information comprises a verification page containing a picture verification code.
18. The apparatus according to claim 17, wherein the verification code trigger condition comprises at least any one of the following:
the access request originates from a browser-like attack tool;
the current attack frequency information corresponding to the target page equals or exceeds predetermined attack threshold information.
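
The decision flow of claims 1 to 9, written out as a small gateway. This is an added illustration, not code from the patent: the per-page request limit standing in for the defense policy, the hash-based `run_module` standing in for the executable module, the `browser_like_tool` flag, and all class, method and field names are assumptions, and time windows are omitted.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def run_module(nonce: str, page: str) -> str:
    """Stand-in for the executable module the client runs (assumed: hash of nonce and page)."""
    return hashlib.sha256(f"{nonce}|{page}".encode()).hexdigest()


class Gateway:
    def __init__(self, rate_limit, attack_threshold, page_whitelist=(), static_ip_whitelist=()):
        self.rate_limit = rate_limit              # assumed policy: requests allowed per page
        self.attack_threshold = attack_threshold  # claim 9: predetermined attack threshold
        self.page_whitelist = set(page_whitelist)
        self.static_ip_whitelist = set(static_ip_whitelist)
        self.dynamic_whitelist, self.dynamic_blacklist = set(), set()
        self.requests, self.attacks = Counter(), Counter()
        self.pending = {}                         # (ip, page) -> nonce of the issued challenge

    def handle(self, ip, page, param=None, browser_like_tool=False):
        """Return PAGE, CHALLENGE, CAPTCHA or BLOCK for one access request."""
        if ip in self.dynamic_blacklist:
            return "BLOCK"
        # Step b with claims 2-4: whitelisted pages and addresses never trigger the policy.
        if page in self.page_whitelist or ip in self.static_ip_whitelist | self.dynamic_whitelist:
            return "PAGE"
        self.requests[page] += 1
        if self.requests[page] <= self.rate_limit:
            return "PAGE"
        # Step c: the policy is triggered, so the client has to be verified.
        nonce = self.pending.pop((ip, page), None)
        if param is None or nonce is None:
            self.attacks[page] += 1
            # Claims 8-9: escalate to a picture code when either trigger condition holds.
            if browser_like_tool or self.attacks[page] >= self.attack_threshold:
                return "CAPTCHA"
            self.pending[(ip, page)] = secrets.token_hex(16)
            return "CHALLENGE"
        # Steps c2-c3: check the parameter carried by the re-sent page request.
        if hmac.compare_digest(param, run_module(nonce, page)):
            self.dynamic_whitelist.add(ip)        # claim 4: passed, add to dynamic whitelist
            return "PAGE"                         # step d
        self.dynamic_blacklist.add(ip)            # claim 4: failed, add to dynamic blacklist
        return "BLOCK"
```

A client that cannot execute the delivered module has no valid parameter to send back, which is what separates it from a real browser until the picture-code conditions of claim 9 take over.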
CN201510611890.4A 2015-09-23 2015-09-23 Method and apparatus for defending against network attacks Pending CN105162793A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510611890.4A CN105162793A (en) 2015-09-23 2015-09-23 Method and apparatus for defending against network attacks

Publications (1)

Publication Number Publication Date
CN105162793A true CN105162793A (en) 2015-12-16

Family

ID=54803547

Country Status (1)

Country Link
CN (1) CN105162793A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1411199A (en) * 2002-11-07 2003-04-16 上海交通大学 Content safe monitoring system based on digital label and its method
EP2541861A1 (en) * 2011-06-30 2013-01-02 British Telecommunications Public Limited Company Server security systems and related aspects
CN103139138A (en) * 2011-11-22 2013-06-05 飞塔公司 Application layer denial of service (DoS) protective method and system based on client detection
CN104092665A (en) * 2014-06-19 2014-10-08 小米科技有限责任公司 Access request filtering method, device and facility

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106230785A (en) * 2016-07-20 2016-12-14 南京铱迅信息技术股份有限公司 A kind of defence method of the HTTPS Denial of Service attack without private key
CN107948125A (en) * 2016-10-13 2018-04-20 腾讯科技(深圳)有限公司 A kind of processing method and processing device of network attack
CN106789983A (en) * 2016-12-08 2017-05-31 北京安普诺信息技术有限公司 A kind of CC attack defense methods and its system of defense
CN106789983B (en) * 2016-12-08 2019-09-06 北京安普诺信息技术有限公司 A kind of CC attack defense method and its system of defense
CN106506559A (en) * 2016-12-29 2017-03-15 北京奇虎科技有限公司 Access behavior control method and device
CN106506559B (en) * 2016-12-29 2020-02-18 北京奇虎科技有限公司 Access behavior control method and device
CN108959923A (en) * 2018-05-31 2018-12-07 深圳壹账通智能科技有限公司 Comprehensive safety cognitive method, device, computer equipment and storage medium
WO2020014954A1 (en) * 2018-07-20 2020-01-23 威富通科技有限公司 Data control method and terminal device
CN110177096A (en) * 2019-05-24 2019-08-27 网易(杭州)网络有限公司 Client certificate method, apparatus, medium and calculating equipment
CN110177096B (en) * 2019-05-24 2021-09-07 网易(杭州)网络有限公司 Client authentication method, device, medium and computing equipment
CN110401654A (en) * 2019-07-23 2019-11-01 广州市百果园信息技术有限公司 A kind of method, apparatus of business access, system, equipment and storage medium
CN110636068B (en) * 2019-09-24 2022-01-28 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN node in CC attack protection
CN110636068A (en) * 2019-09-24 2019-12-31 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN nodes in CC attack protection
CN111092881A (en) * 2019-12-12 2020-05-01 杭州安恒信息技术股份有限公司 An access interception method, apparatus, device and readable storage medium
CN111585956B (en) * 2020-03-31 2022-09-09 完美世界(北京)软件科技发展有限公司 Website anti-brushing verification method and device
CN111585956A (en) * 2020-03-31 2020-08-25 完美世界(北京)软件科技发展有限公司 Website anti-brushing verification method and device
CN113591072A (en) * 2021-05-07 2021-11-02 海尔数字科技(青岛)有限公司 Attack event processing method, device, equipment and storage medium
CN113810418A (en) * 2021-09-18 2021-12-17 土巴兔集团股份有限公司 Method for defending cross-site scripting attack and related equipment thereof
CN113810418B (en) * 2021-09-18 2023-12-26 土巴兔集团股份有限公司 Method for defending cross-site scripting attack and related equipment thereof
CN114024739A (en) * 2021-11-03 2022-02-08 中国联合网络通信集团有限公司 DDoS attack resisting cooperative defense method, platform, equipment and medium
CN114024739B (en) * 2021-11-03 2024-02-06 中国联合网络通信集团有限公司 Anti-DDoS attack collaborative defense methods, platforms, equipment and media
CN116866051A (en) * 2023-07-23 2023-10-10 深圳市锐速云计算有限公司 CC (control and communication) defense system of multiple application scenes

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151216
