CN105338017A - WEB defense method and system - Google Patents
- Publication number: CN105338017A (application CN201410306976.1A)
- Authority: CN (China)
- Prior art keywords: web, rule, list, server, dangerous
- Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
- Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a WEB defense method and system. A WEB defense module is deployed on each WEB server of a distributed system, and a rule server, independent of the WEB servers, maintains a rule table and a dangerous IP list. On startup, each WEB defense module obtains the rule table and the dangerous IP list from the rule server. The WEB server parses HTTP packets into WEB requests; for each request the module first checks whether the source IP is in the dangerous IP list and, if so, refuses to establish the connection. Otherwise it checks the request against the rule table; if the request is dangerous, the module responds as the rule table prescribes and submits the information of the rule-triggering request to the rule server, which updates the dangerous IP list. Because the check runs on every WEB server rather than on a single in-line device, high-volume WEB traffic can be processed in time.
Description
Technical field
The present invention relates to the field of Internet security, and in particular to a WEB defense method and system.
Background technology
With the rapid development of Internet services and WEB applications, and the continual renewal of WEB technology, the attack surface of WEB applications keeps expanding, new vulnerabilities appear constantly, and the security of WEB applications faces new challenges.
Existing WEB attacks fall roughly into two classes: attacks that exploit vulnerabilities of the WEB server itself, and attacks that exploit security flaws of the web pages (the application). Among existing defenses, the web application firewall (WAF) performs anomaly detection on HTTP requests and rejects requests that do not conform to the HTTP standard. Because of its network architecture (a single in-line node), however, it is mainly used for low-traffic WEB applications; under high traffic the WAF node becomes overloaded and its performance cannot keep up.
Summary of the invention
The invention provides a WEB defense method and system to solve the problem that existing WEB defense mechanisms cannot process high-volume WEB requests in time.
The invention discloses a WEB defense method in which a WEB defense module is deployed on each WEB server of a distributed system and a rule server, independent of the WEB servers, maintains a rule table and a dangerous IP list. The rule table is configured with rules for detecting whether a WEB request is dangerous and with the response to be made to a WEB request that triggers a rule; the dangerous IP list contains the IPs of WEB requests whose rule-trigger count has reached a preset threshold. The method comprises:
the WEB defense module, on startup, obtaining the rule table and the dangerous IP list from the rule server;
obtaining the WEB request produced by the WEB server's parsing of the HTTP packet;
judging whether the IP of the WEB request is in the dangerous IP list;
if so, refusing to establish a connection for the WEB request;
if not, further judging according to the rule table whether the WEB request is a dangerous request;
if so, responding to the WEB request according to the rule table, and submitting the information of the rule-triggering WEB request to the rule server so that the dangerous IP list can be updated;
if not, handing the WEB request to the other processing modules of the WEB server.
Optionally, the WEB defense module periodically obtains the rule table and the dangerous IP list from the rule server; and, when the rule table or the dangerous IP list is updated, receives the updated rule table or dangerous IP list issued by the rule server.
Optionally, a monitoring server is deployed independently of the rule server and issues new rules to the rule server to update the rule table; the method further comprises the WEB defense module receiving a WEB query request from the monitoring server and reporting its own running status to the monitoring server in response.
According to another aspect of the invention, a WEB defense method is provided in which a WEB defense module is deployed on each WEB server of a distributed system and a rule server, independent of the WEB servers, maintains a rule table and a dangerous IP list. The method comprises:
the rule server receiving configuration information consisting of rules for detecting whether a WEB request is dangerous and of the responses to be made to WEB requests that trigger a rule;
establishing or updating the rule table according to the configuration information of the rules and responses;
receiving, from the WEB defense module, the information of WEB requests that triggered a rule in the rule table;
building a hash table from that information, in which the key comprises the IP of the WEB request and the value is the trigger count of that IP, the count being incremented by one for every rule trigger;
establishing or updating the dangerous IP list from the IPs in the hash table whose trigger count has reached the preset threshold;
when the WEB defense module starts, sending it the rule table and the dangerous IP list so that it can defend WEB requests according to them.
Optionally, when the rule table or the dangerous IP list is updated, the updated table or list is issued to the WEB defense module; and the rule table and the dangerous IP list are sent to the WEB defense module in response to the acquisition requests it sends periodically.
Optionally, a monitoring server is deployed independently of the rule server and issues new rules to the rule server to update the rule table; the method further comprises the rule server receiving a WEB query request from the monitoring server and reporting the rule table and the dangerous IP list to the monitoring server in response.
According to another aspect of the invention, a WEB defense system is provided, comprising at least one WEB defense module and a rule server. The WEB defense module is deployed on each WEB server of a distributed system; the rule server is deployed independently of the WEB servers and maintains the rule table and the dangerous IP list.
The WEB defense module obtains the rule table and the dangerous IP list from the rule server on startup; for each WEB request produced by the WEB server's parsing of an HTTP packet, it judges whether the request's IP is in the dangerous IP list; if so, it refuses to establish a connection for the request; if not, it further judges according to the rule table whether the request is dangerous; if so, it responds to the request according to the rule table and submits the information of the rule-triggering request to the rule server to update the dangerous IP list; if not, it hands the request to the other processing modules of the WEB server.
The rule server receives the configuration information (the detection rules and the responses to rule-triggering requests) and establishes or updates the rule table from it; builds, from the rule-triggering request information submitted by the WEB defense modules, a hash table whose key comprises the request IP and whose value is that IP's trigger count, incremented by one per trigger; and establishes or updates the dangerous IP list from the IPs whose trigger count has reached the preset threshold.
Optionally, the WEB defense module also periodically obtains the rule table and the dangerous IP list from the rule server, and/or receives the updated rule table or dangerous IP list issued by the rule server when either is updated.
Optionally, the rule server also issues the updated rule table or dangerous IP list to the WEB defense module when either is updated, and/or sends the rule table and the dangerous IP list to the WEB defense module in response to its periodic acquisition requests.
Optionally, the system further comprises a monitoring server, deployed independently of the rule server, which issues new rules to the rule server to update the rule table, sends WEB query requests to the WEB defense modules to query their running status, and sends WEB query requests to the rule server to query the rule table and the dangerous IP list.
In summary, because the WEB defense module is deployed separately on each WEB server, the failure of any one machine does not affect the other servers or the service; the system is stable, easy to use and easy to scale, and overcomes the performance bottleneck and single point of failure of a traditional single-node deployment. Moreover, because the WEB defense module works on the WEB requests that the WEB server has already parsed from the HTTP packets, it makes full use of the WEB server's resources and balances analysis efficiency against processing performance, so high-volume WEB requests can be processed in time.
Brief description of the drawings
Fig. 1 is a flow chart of a WEB defense method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another WEB defense method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a WEB defense system provided by an embodiment of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of a WEB defense method provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps.
Step 101: deploy a WEB defense module on each WEB server of a distributed system, and deploy a rule server, independent of the WEB servers, that maintains the rule table and the dangerous IP list.
In step 101, to defend better against WEB attacks, a WEB defense module is deployed on each WEB server of the distributed system. Because the WEB defense modules on the individual WEB servers are independent of one another, the failure of the module on one server does not affect the normal operation of the modules on the other WEB servers in the distributed system.
In addition, the rule server is deployed independently of the WEB servers and maintains the rule table and the dangerous IP list. The rule table is configured with rules for detecting whether a WEB request is dangerous and with the response to be made to a request that triggers a rule; the dangerous IP list contains the IPs of WEB requests whose rule-trigger count has reached the preset threshold. Because the WEB defense modules and the rule server are independent, a failure of the rule server does not stop the WEB defense modules, which continue to defend WEB requests using the rule table and dangerous IP list they already hold.
Step 102: on startup, the WEB defense module obtains the rule table and the dangerous IP list from the rule server.
In step 102, the WEB defense module is deployed on each WEB server in the form of a WEB server module, so it can be activated by having the WEB server load its configuration file. When the module starts, it sends an acquisition request to the rule server and obtains the rule table and the dangerous IP list from it.
Step 103: obtain the WEB request produced by the WEB server's parsing of the HTTP packet.
In step 103, when the WEB server receives an HTTP packet it parses the packet to obtain the corresponding WEB request and passes that request to the WEB defense module. The WEB request obtained by parsing the HTTP packet includes the URL, the cookie associated with the IP, and the HTTP headers.
Step 104: judge whether the IP of the WEB request is in the dangerous IP list; if so, go to step 105, otherwise go to step 106.
In step 104, the WEB defense module takes the WEB request parsed by the WEB server and checks, against the dangerous IP list, whether the IP that sent the request is listed.
In one specific embodiment of the invention, the dangerous IP list stores each dangerous IP together with the cookie corresponding to that IP. The cookie identifies which particular host behind the IP launched the attack, which handles the case in which several hosts sit behind one IP and only one of them is attacking.
Step 105: when the IP that sent the WEB request is in the dangerous IP list, refuse to establish a connection for the request.
Step 106: when the IP that sent the WEB request is not in the dangerous IP list, further judge according to the rule table whether the request is dangerous; if so, go to step 107, otherwise go to step 108.
In step 106, the WEB defense module judges the WEB request against the rule table: when a keyword contained in any rule of the rule table is detected in the WEB request, that rule is triggered and the request is judged to be dangerous.
Step 107: respond to the WEB request according to the rule table, and submit the information of the rule-triggering request to the rule server so that the dangerous IP list can be updated.
In step 107, after judging the WEB request to be dangerous, the WEB defense module responds with the response action configured for the triggered rule. For example, if the response action for requests that trigger a given rule is refusal, the module stops processing the request, that is, it does not hand the request to the other processing modules of the WEB server; if the response action is logging, the request that triggered the rule is recorded in the log on the rule server. The rule table may contain other response actions, and several actions may be carried out at once, for example refusal and logging together; these are not enumerated one by one here.
Step 108: when the WEB request is judged not to be dangerous, hand it to the other processing modules of the WEB server.
In step 103 above, the WEB defense module works on the WEB request that the WEB server has already parsed from the HTTP packet. Because the defense module is deployed inside the WEB server, the WEB-layer unpacking is done only once, so the WEB server's resources are fully used with no extra cost: the module does not parse the HTTP packet itself but analyzes the WEB server's parsing result, which improves the efficiency of HTTP packet processing and, compared with the prior art, handles WEB requests more efficiently.
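The per-request flow of steps 102 to 108 (dangerous-IP lookup, keyword rule match, response action, report to the rule server, or pass-through), as an added example that is not code from the patent or from any product. The request fields, the rule representation, the reporting callback, the (IP, cookie) form of the dangerous list entries and the sample data are assumptions of this example; the patent does not fix any of them.

```python
"""Added example (not the patent's code): an in-process WEB defense module
following steps 102-108. Request fields, rule representation, the reporting
callback and all sample data are assumptions of this example."""
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Rule:
    name: str
    keywords: list            # substrings; a request containing any of them triggers the rule
    actions: tuple            # any of "intercept" (stop the request) and "log"


@dataclass
class WebRequest:
    """The WEB request as already parsed by the WEB server (step 103).
    `ip` must be the transport peer address, not a client-supplied header such
    as X-Forwarded-For; otherwise the dangerous-IP check is trivially spoofed."""
    ip: str
    cookie: str
    url: str
    headers: dict = field(default_factory=dict)


class DefenseModule:
    def __init__(self, rules, dangerous, report):
        self.rules = list(rules)
        # dangerous IP list entries are (ip, cookie) pairs; cookie "" bans the whole IP
        self.dangerous = set(dangerous)
        self.report = report          # callable(ip, cookie, rule_name): submit to rule server
        self.log = []                 # local record of requests that hit a "log" rule

    def _is_dangerous(self, req):
        # step 104: look the sender up in the dangerous IP list
        return (req.ip, req.cookie) in self.dangerous or (req.ip, "") in self.dangerous

    def _matching_rule(self, req):
        # step 106: keyword match over URL, cookie and headers. Percent-decoding first
        # is an addition to the patent text: without it "%55NION%20SELECT" slips past.
        parts = [req.url, req.cookie] + [f"{k}: {v}" for k, v in req.headers.items()]
        text = unquote_plus(" ".join(parts)).lower()
        for rule in self.rules:
            if any(kw.lower() in text for kw in rule.keywords):
                return rule
        return None

    def handle(self, req):
        """Return the action taken: "refuse", "intercept", "log" or "pass"."""
        if self._is_dangerous(req):
            return "refuse"               # step 105: do not establish the connection
        rule = self._matching_rule(req)
        if rule is None:
            return "pass"                 # step 108: hand to the WEB server's other modules
        self.report(req.ip, req.cookie, rule.name)     # step 107: submit to the rule server
        if "log" in rule.actions:
            self.log.append((req.ip, req.cookie, rule.name, req.url))
        return "intercept" if "intercept" in rule.actions else "log"


def build_demo():
    """Constructed sample configuration: one anti-injection rule, one banned IP,
    and a reporting callback that just collects what would go to the rule server."""
    rules = [Rule("anti_injection", ["union select", "' or 1=1"], ("intercept", "log"))]
    reports = []
    module = DefenseModule(rules, {("203.0.113.9", "")},
                           lambda ip, cookie, name: reports.append((ip, cookie, name)))
    return module, reports


if __name__ == "__main__":
    m, reports = build_demo()
    for req in [WebRequest("203.0.113.9", "sid=a", "/index.php"),
                WebRequest("198.51.100.4", "sid=b", "/item?id=1%20UNION%20SELECT%201"),
                WebRequest("198.51.100.4", "sid=b", "/item?id=1")]:
        print(req.ip, req.url, "->", m.handle(req))
    print("reported to rule server:", reports)
```

Two things the patent leaves implicit are worth noting: the source IP used for the step 104 lookup has to be the socket peer address (a proxy-supplied header is attacker-controlled), and plain substring matching is easy to evade unless the request is normalized (here percent-decoded) before the keywords are searched.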
In one specific embodiment of the invention, to defend better against WEB attacks, the WEB defense module periodically sends acquisition requests to the rule server and obtains the rule table and the dangerous IP list from it; that is, the module is configured to fetch the rule table and the dangerous IP list at fixed intervals. The module then defends WEB requests according to the newly obtained rule table and dangerous IP list, and replaces its locally stored copies with them.
In other embodiments of the invention, the rule server can instead be configured to issue the rule table and the dangerous IP list periodically to every WEB defense module.
Preferably, so that the WEB defense module can update its local rule table and dangerous IP list faster and more promptly, whenever the rule table or the dangerous IP list is updated the rule server sends the updated table or list to the WEB defense module; that is, any update to the rule table or dangerous IP list on the rule server is issued to the WEB defense modules immediately.
In the above embodiments, when a new security risk or a new WEB attack pattern appears, a new rule table is configured on the rule server and issued promptly to the WEB defense modules, so the defense against WEB attacks is more timely.
Thus the WEB defense module periodically obtains the rule table and the dangerous IP list from the rule server, and the rule server promptly sends updated tables or lists to the module, which guarantees that the module always holds the latest rule table and dangerous IP list and can defend against the newest WEB attacks.
In one specific embodiment of the invention, a monitoring server is deployed independently of the rule server and issues new rules to the rule server to update the rule table. In this embodiment the monitoring server may be deployed across networks, that is, the monitoring server and the rule server need not be in the same local area network (LAN). The rule server can also be inspected or configured through the monitoring server, for example to view or configure the rule table and the dangerous IP list on the rule server, and to view the log retained for a given period.
In one specific embodiment of the invention, to monitor the running status of the WEB defense modules more intuitively, the WEB defense module receives a WEB query request from the monitoring server and reports its own running status in response. Specifically, the module receives the WEB query request sent by the monitoring server deployed across the network and reports its running status accordingly. For example, the monitoring server can view the running status of the WEB defense module on a WEB server by WEB access: which rules have been triggered most often, how many IPs have launched attacks, and the physical location of those IPs.
As can be seen, in the present invention the user can configure the rule table on the rule server promptly through the monitoring server and can also view the running status of the WEB defense modules in real time, which makes it convenient to operate on the basis of what the monitoring server displays.
Fig. 2 is a flow chart of another WEB defense method provided by an embodiment of the present invention. As shown in Fig. 2, the method comprises the following steps:
Step 201: deploy a WEB defense module on each WEB server of a distributed system, and deploy a rule server, independent of the WEB servers, that maintains the rule table and the dangerous IP list.
In step 201, the WEB defense modules and the rule server are deployed in the same way as in step 101 of Fig. 1.
Step 202: the rule server receives configuration information consisting of rules for detecting whether a WEB request is dangerous and of the responses to be made to WEB requests that trigger a rule.
In step 202, the configuration information may be entered manually by the user on the rule server or configured through the monitoring server; that is, the rule server receives configuration information typed in by the user or sent by the user via the monitoring server.
Step 203: establish or update the rule table according to the configuration information of the rules and responses.
In step 203, the received configuration information is stored as a rule table in XML form. An example of a rule table in XML form according to the invention is as follows.
This example (the listing itself is not reproduced on this page) represents an anti-injection rule matched against WEB requests, whose mode is interception and logging. Whenever a WEB request contains any one of the keywords listed in the rule, the rule is triggered.
Step 204: receive, from the WEB defense module, the information of WEB requests that triggered a rule in the rule table.
In step 204, when the WEB defense module detects that a WEB request has triggered a rule in the rule table, it sends the information of that request to the rule server.
Step 205: build a hash table from the information of the rule-triggering WEB requests, in which the key comprises the IP of the WEB request and the value is the trigger count of that IP, incremented by one for every rule trigger.
In step 205, the rule server builds a hash table from the information of the rule-triggering requests: the key is the IP and cookie of the sender of the request, and the value is the number of rule triggers from that IP; the key-value pairs are stored in a hash table held in cache or in a database. Each rule trigger increments the corresponding value in the hash table by one.
Step 206: establish or update the dangerous IP list from the IPs in the hash table whose trigger count has reached the preset threshold.
In step 206, when a trigger count reaches the preset threshold, the IP and cookie associated with that count are loaded into the dangerous IP list, which updates the list.
Step 207: when a WEB defense module starts, send it the rule table and the dangerous IP list so that it can defend WEB requests according to them.
In an embodiment of the invention, to keep the WEB defense modules current, a triggered update mode is used: whenever the rule table or the dangerous IP list changes, the rule server directly issues the updated table or list to every WEB defense module.
In an embodiment of the invention, the rule server can also send the rule table and the dangerous IP list to a WEB defense module in response to the acquisition requests that the module sends periodically.
In one specific embodiment of the invention, a monitoring server is deployed independently of the rule server and issues new rules to the rule server to update the rule table. The rule server receives a WEB query request sent by the monitoring server and reports its local rule table and dangerous IP list in response. That is, in this embodiment the monitoring server accesses the rule server over WEB, views the rule table and the dangerous IP list held there, and can also configure the rule table, for example by adding or modifying rules.
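The rule-server side of steps 202 to 207 (loading the XML rule table, the (IP, cookie) trigger-count hash table, promotion to the dangerous IP list at the threshold, and the version-stamped snapshot that serves the start-up pull, the periodic pull and the push-on-update), as an added example that is not code from the patent or from any product. The XML schema, the threshold, the version-number mechanism and the sample data are assumptions of this example; the patent's own XML listing does not appear on this page, so the schema below is invented for illustration.

```python
"""Added example (not the patent's code): a rule server covering steps
202-207. The XML schema, threshold, version stamp and sample data are
assumptions of this example."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample rule table in the assumed schema (not the patent's listing).
SAMPLE_RULES_XML = """<rules>
  <rule name="anti_injection" actions="intercept,log">
    <keyword>union select</keyword>
    <keyword>' or 1=1</keyword>
  </rule>
</rules>"""


class RuleServer:
    def __init__(self, threshold=5):
        self.threshold = threshold   # trigger count at which an entry becomes dangerous
        self.rules = []              # rule table: list of {name, keywords, actions}
        self.triggers = Counter()    # hash table (step 205): (ip, cookie) -> trigger count
        self.rule_hits = Counter()   # per-rule counts, for the monitoring server's query
        self.dangerous = set()       # dangerous IP list (step 206): (ip, cookie) pairs
        self.version = 0             # incremented on every change; modules compare it

    def load_rules(self, xml_text):
        """Steps 202-203. The XML comes from the administrator (directly or via
        the monitoring server), so stdlib ElementTree is acceptable; never feed
        it XML from an untrusted party."""
        root = ET.fromstring(xml_text)
        rules = []
        for r in root.findall("rule"):
            actions = tuple(a.strip() for a in r.get("actions", "").split(",") if a.strip())
            keywords = [k.text for k in r.findall("keyword") if k.text]
            rules.append({"name": r.get("name"), "actions": actions, "keywords": keywords})
        self.rules = rules
        self.version += 1

    def report_trigger(self, ip, cookie, rule_name):
        """Steps 204-206: one submission from a defense module. Returns True when
        the (ip, cookie) pair was newly added to the dangerous IP list, which is
        the moment a push-on-update implementation sends the list out."""
        self.rule_hits[rule_name] += 1
        key = (ip, cookie)
        self.triggers[key] += 1
        if self.triggers[key] >= self.threshold and key not in self.dangerous:
            self.dangerous.add(key)
            self.version += 1
            return True
        return False

    def snapshot(self, known_version=-1):
        """Step 207 and the periodic pull: the module sends the version it holds
        (-1 at start-up) and gets None if nothing changed, else the full tables."""
        if known_version == self.version:
            return None
        return {"version": self.version,
                "rules": [dict(r) for r in self.rules],
                "dangerous": sorted(self.dangerous)}

    def status(self):
        """What the monitoring server's WEB query would be answered with."""
        top = self.rule_hits.most_common(1)
        return {"most_triggered_rule": top[0][0] if top else None,
                "attacking_ips": sorted({ip for ip, _ in self.triggers}),
                "dangerous_count": len(self.dangerous)}


if __name__ == "__main__":
    server = RuleServer(threshold=3)
    server.load_rules(SAMPLE_RULES_XML)
    for _ in range(3):   # constructed: three rule triggers from one sender
        newly_listed = server.report_trigger("198.51.100.4", "sid=b", "anti_injection")
    print("push needed:", newly_listed)
    print(server.snapshot(known_version=1))
    print(server.status())
```

Keying the hash table on (IP, cookie), as the embodiment of step 205 does, avoids banning every host behind a shared IP, but the cookie is chosen by the client: an attacker who rotates cookies never reaches the threshold under any one key. A deployment that adopts this refinement should keep a per-IP count with a higher threshold alongside it.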
The invention also discloses a WEB defense system; Fig. 3 is a structural diagram of such a system. As shown in Fig. 3, the system comprises at least one WEB defense module 301 and a rule server 302. The WEB defense module 301 is deployed on each WEB server 304 of the distributed system, and the rule server 302 is deployed independently of the WEB servers 304 and maintains the rule table and the dangerous IP list.
The WEB defense module 301 obtains the rule table and the dangerous IP list from the rule server 302 on startup; for each WEB request produced by the WEB server's parsing of an HTTP packet, it judges whether the request's IP is in the dangerous IP list; if so, it refuses to establish a connection for the request; if not, it further judges according to the rule table whether the request is dangerous; if so, it responds to the request according to the rule table and submits the information of the rule-triggering request to the rule server to update the dangerous IP list; if not, it hands the request to the other processing modules of the WEB server.
The rule server 302 receives the configuration information (the detection rules and the responses to rule-triggering requests) and establishes or updates the rule table from it; builds, from the rule-triggering request information submitted by the WEB defense modules 301, a hash table whose key comprises the request IP and whose value is that IP's trigger count, incremented by one per trigger; and establishes or updates the dangerous IP list from the IPs whose trigger count has reached the preset threshold.
In one specific embodiment of the invention, the WEB defense module 301 periodically obtains the rule table and the dangerous IP list from the rule server 302, that is, it periodically sends acquisition requests to the rule server 302 and receives the table and list in reply. When the rule table or the dangerous IP list is updated, the module 301 also receives the updated table or list issued by the rule server 302.
In one specific embodiment of the invention, when the rule table or the dangerous IP list is updated, the rule server 302 issues the updated table or list to the WEB defense modules 301; and in response to the acquisition requests that a WEB defense module 301 sends periodically, the rule server 302 sends it the rule table and the dangerous IP list.
As shown in Fig. 3, the system further comprises a monitoring server 303, deployed independently of the rule server 302.
In an embodiment of the invention, the monitoring server 303 issues new rules to the rule server 302 to update the rule table. Specifically, the monitoring server 303 sends a WEB configuration request to the rule server 302 containing the rule table or dangerous IP list to be updated; the monitoring server 303 accesses the rule server 302 over WEB and configures its rule table and dangerous IP list according to that request.
In an embodiment of the invention, the monitoring server 303 sends WEB query requests to the WEB defense modules 301 to query their running status and receives the status that each module 301 reports in response. For example, the monitoring server can access a WEB defense module 301 over WEB and view which rules have been triggered most often, the IPs that launched WEB attacks, and information such as the physical location of those IPs.
In an embodiment of the invention, the monitoring server 303 sends a WEB query request to the rule server 302 to query the rule table and the dangerous IP list on it; that is, it accesses the rule server 302 over WEB and views the rule table and dangerous IP list configured there. It can also view the log kept on the rule server 302.
In one specific embodiment of the invention, the monitoring server 303 may be deployed across networks, that is, the monitoring server 303 need not be in the same LAN as the WEB servers 304 and the rule server 302; it runs as a WEB application and accesses the rule server 302 and the WEB defense modules 301 over WEB.
In one specific embodiment of the invention, the rule server 302 receives from the WEB defense modules 301 the information of WEB requests that triggered a rule in the rule table, builds from it a hash table whose key comprises the request IP and whose value is that IP's trigger count (incremented by one per trigger), establishes the dangerous IP list from the IPs whose trigger count has reached the preset threshold, and issues the rule table and the dangerous IP list to the WEB defense modules 301.
As shown in Fig. 3, the system can be divided into a three-tier architecture of WEB defense modules, rule server and monitoring server, and the failure of any one tier does not affect the normal operation of the others. The WEB defense module 301 is deployed on each WEB server 304 of the distributed system; the failure of a single module 301 affects neither the other modules 301 nor the other WEB servers and their services, so the performance bottleneck and single point of failure of a traditional single-node deployment are overcome. The system is also stable, easy to use and easy to scale: a newly added WEB server simply has a WEB defense module deployed on it and obtains the rule table and dangerous IP list from the rule server, and rules for new risks can be configured quickly and flexibly.
In sum, the present invention is by each WEB server deploy WEB defense module in a distributed system; From rule server, rule list and dangerous IP list is obtained when starting; Whether there is attack according to rule list and dangerous IP list to WEB request to detect, and the technical scheme of corresponding operation is carried out according to judged result, in technical scheme provided by the invention, WEB defense module is deployed in separately in WEB server, stablizes easy-to-use and is convenient to expand.In addition, when the WEB request processing large discharge, because WEB defense module just processes the WEB request that WEB server parsing http packet obtains, the resource of WEB server can be made full use of, analyzing efficiency and handling property are taken into account, therefore, it is possible to the WEB of process large discharge asks in time.
Further, technical scheme provided by the invention adopts relatively independent WEB defense module, rule list and monitoring server three-tier architecture.The machine of delaying of individual layer can not affect the normal work of other layers, and namely the machine of delaying of monitoring server can not affect the normal work of WEB defense module or rule server; The machine of delaying of rule server can not affect the normal work of WEB defense module, and WEB defense module can be on the defensive according to the rule list preserved before and dangerous IP list.Therefore there is the advantage of high availability and reliability and stability.
Further, realize configuring in real time the rule list in rule server by monitoring server, and the rule list newly configured is handed down to each WEB defense module in time, realize resisting in real time emerging security risk and new WEB attack pattern.
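The following Python model is an added example written for this page; it is not code from the patent. It reproduces the division of labour described above: a rule server keeps the rule table, the per-IP trigger hash table and the dangerous IP list, and a per-WEB-server defense module applies the decision order of the method (dangerous IP list first, then rule table, otherwise pass through) to requests the WEB server has already parsed. The class names, the two sample rules, the threshold of 2 and the four sample requests are all constructed for the demonstration.

```python
"""Model of the defense module / rule server interaction (added example, not the patent's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule-table entry: a detection pattern and the response made to a request that triggers it."""
    name: str
    pattern: re.Pattern
    status: int          # HTTP status the defense module answers with
    body: str


@dataclass(frozen=True)
class WebRequest:
    """A request already parsed by the WEB server (the module never touches raw packets)."""
    ip: str
    method: str
    path: str
    body: str = ""


class RuleServer:
    """Hypothetical rule server: rule table, per-IP trigger hash table and dangerous IP list."""

    def __init__(self, rules: list[Rule], threshold: int) -> None:
        self.rules = list(rules)
        self.threshold = threshold
        self.trigger_counts: dict[str, int] = {}   # hash table: key = IP, value = trigger count
        self.dangerous_ips: set[str] = set()
        self.log: list[tuple[str, str]] = []       # (IP, rule name); what a monitoring server would read

    def report_trigger(self, ip: str, rule_name: str) -> None:
        """Called by a defense module for every request that triggered a rule."""
        self.log.append((ip, rule_name))
        self.trigger_counts[ip] = self.trigger_counts.get(ip, 0) + 1
        if self.trigger_counts[ip] >= self.threshold:
            self.dangerous_ips.add(ip)

    def snapshot(self) -> tuple[list[Rule], frozenset[str]]:
        """What a defense module receives at start-up and on each refresh."""
        return list(self.rules), frozenset(self.dangerous_ips)


class DefenseModule:
    """Hypothetical per-WEB-server module implementing the decision order of the method."""

    def __init__(self, server: RuleServer) -> None:
        self.server = server
        self.refresh()

    def refresh(self) -> None:
        self.rules, self.dangerous_ips = self.server.snapshot()

    def inspect(self, req: WebRequest) -> tuple[str, int | None]:
        """Return (verdict, status): IP-list refusal first, then rule match, otherwise pass."""
        if req.ip in self.dangerous_ips:
            return ("refuse", None)                  # connection refused, no rule matching at all
        subject = f"{req.method} {req.path}\n{req.body}"
        for rule in self.rules:
            if rule.pattern.search(subject):
                self.server.report_trigger(req.ip, rule.name)
                return (f"rule:{rule.name}", rule.status)
        return ("pass", None)                        # handed to the WEB server's other modules


# Constructed rule table and traffic for the demonstration.
RULES = [
    Rule("sql_injection", re.compile(r"(?i)\bunion\b.*\bselect\b"), 403, "blocked"),
    Rule("path_traversal", re.compile(r"\.\./"), 403, "blocked"),
]
SAMPLE_REQUESTS = [
    WebRequest("10.0.0.5", "GET", "/index.html"),
    WebRequest("10.0.0.9", "GET", "/download?f=../../secret.txt"),
    WebRequest("10.0.0.9", "GET", "/item?id=1 UNION SELECT 1,2"),
    WebRequest("10.0.0.9", "GET", "/index.html"),
]


def run_demo(threshold: int = 2) -> list[tuple[str, int | None]]:
    """Feed the sample traffic through one module and return the verdict for each request."""
    server = RuleServer(RULES, threshold)
    module = DefenseModule(server)
    verdicts = []
    for req in SAMPLE_REQUESTS:
        verdicts.append(module.inspect(req))
        module.refresh()    # stands in for the periodic pull / push of the updated list
    return verdicts
```

With the threshold at 2, the second rule hit from 10.0.0.9 moves that IP into the dangerous IP list, and its next request is refused before any rule is evaluated even though the request itself is harmless; raising the threshold to 3 lets that last request pass. The `refresh()` call after every request compresses the periodic update into the loop so the effect is visible immediately.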
The foregoing is only preferred embodiment of the present invention, be not intended to limit protection scope of the present invention.All any amendments done within the spirit and principles in the present invention, equivalent replacement, improvement etc., be all included in protection scope of the present invention.
Claims (10)
1. A WEB defense method, characterized in that a WEB defense module is deployed on each WEB server in a distributed system; a rule server is deployed independently of each WEB server, and a rule table and a dangerous IP list are maintained on the rule server; wherein the rule table is configured with rules for detecting whether a WEB request is a dangerous request and with the response to be made to a WEB request that triggers a rule; and the dangerous IP list comprises the IPs of WEB requests whose rule-trigger count reaches a preset threshold; the method comprising:
the WEB defense module, at start-up, obtaining the rule table and the dangerous IP list from the rule server;
obtaining a WEB request that the WEB server has obtained by parsing a Hypertext Transfer Protocol (http) packet;
judging whether the IP of the WEB request is in the dangerous IP list;
if so, refusing to establish a connection for the WEB request;
if not, further judging according to the rule table whether the WEB request is a dangerous request;
if so, making a response to the WEB request according to the rule table, and submitting the information of the rule-triggering WEB request to the rule server for updating the dangerous IP list;
if not, handing the WEB request to the other modules of the WEB server for processing.
2. The method according to claim 1, characterized in that the method further comprises:
the WEB defense module periodically obtaining the rule table and the dangerous IP list from the rule server; and,
when the rule table or the dangerous IP list is updated, receiving the updated rule table or dangerous IP list issued by the rule server.
3. The method according to claim 1 or 2, characterized in that a monitoring server is deployed independently of the rule server, the monitoring server being used to issue new rules to the rule server to update the rule table; the method further comprises:
the WEB defense module receiving a WEB query request from the monitoring server and, according to the WEB query request, reporting its own running status to the monitoring server.
4. A WEB defense method, characterized in that a WEB defense module is deployed on each WEB server in a distributed system; a rule server is deployed independently of each WEB server, and a rule table and a dangerous IP list are maintained on the rule server; the method comprising:
the rule server receiving configuration information of rules for detecting whether a WEB request is a dangerous request and of the response to be made to a WEB request that triggers a rule;
establishing or updating the rule table according to the configuration information of the rules and responses;
receiving the information, submitted by the WEB defense module, of WEB requests that triggered rules in the rule table;
building a hash table from the information of the rule-triggering WEB requests, the key of the hash table comprising the IP of the WEB request and the corresponding value being the trigger count of that IP, wherein the trigger count is incremented by one each time a rule is triggered;
obtaining from the hash table the IPs of WEB requests whose trigger count reaches a preset threshold, and establishing or updating the dangerous IP list from them;
when the WEB defense module starts, sending the rule table and the dangerous IP list to the WEB defense module, so that the WEB defense module defends against WEB requests according to the rule table and the dangerous IP list.
5. The method according to claim 4, characterized in that the method further comprises:
when the rule table or the dangerous IP list is updated, issuing the updated rule table or dangerous IP list to the WEB defense module; and,
sending the rule table and the dangerous IP list to the WEB defense module according to the acquisition requests that the WEB defense module sends periodically.
6. The method according to claim 4 or 5, characterized in that a monitoring server is deployed independently of the rule server, the monitoring server being used to issue new rules to the rule server to update the rule table; the method further comprises:
the rule server receiving a WEB query request from the monitoring server and, according to the WEB query request, reporting the rule table and the dangerous IP list to the monitoring server.
7. A WEB defense system, characterized in that the system comprises at least one WEB defense module and a rule server, wherein a WEB defense module is deployed on each WEB server in a distributed system; the rule server is deployed independently of each WEB server, and a rule table and a dangerous IP list are maintained on the rule server;
the WEB defense module is configured to obtain the rule table and the dangerous IP list from the rule server at start-up; for a WEB request that the WEB server has obtained by parsing an http packet, to judge whether the IP of the WEB request is in the dangerous IP list; if so, to refuse to establish a connection for the WEB request; if not, to further judge according to the rule table whether the WEB request is a dangerous request; if so, to make a response to the WEB request according to the rule table and to submit the information of the rule-triggering WEB request to the rule server for updating the dangerous IP list; if not, to hand the WEB request to the other modules of the WEB server for processing;
the rule server is configured to receive configuration information of rules for detecting whether a WEB request is a dangerous request and of the response to be made to a WEB request that triggers a rule, and to establish or update the rule table according to the configuration information of the rules and responses; to build a hash table from the information of rule-triggering WEB requests submitted by the WEB defense module, the key of the hash table comprising the IP of the WEB request and the corresponding value being the trigger count of that IP, wherein the trigger count is incremented by one each time a rule is triggered; and to obtain from the hash table the IPs of WEB requests whose trigger count reaches a preset threshold and to establish or update the dangerous IP list from them.
8. The system according to claim 7, characterized in that
the WEB defense module is further configured to periodically obtain the rule table and the dangerous IP list from the rule server; and/or,
when the rule table or the dangerous IP list is updated, to receive the updated rule table or dangerous IP list issued by the rule server.
9. The system according to claim 7, characterized in that
the rule server is further configured, when the rule table or the dangerous IP list is updated, to issue the updated rule table or dangerous IP list to the WEB defense module; and/or,
to send the rule table and the dangerous IP list to the WEB defense module according to the acquisition requests that the WEB defense module sends periodically.
10. The system according to any one of claims 7-9, characterized in that the system further comprises:
a monitoring server, deployed independently of the rule server, configured to issue new rules to the rule server to update the rule table; and to send a WEB query request to the WEB defense module to query the running status of the WEB defense module, and to send a WEB query request to the rule server to query the rule table and the dangerous IP list.
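Claims 2, 5, 8 and 9 describe two ways the rule table and dangerous IP list reach a defense module (a periodic pull by the module and a push from the rule server when something changes), and the description notes that a module keeps defending with its previously saved copy when the rule server is down. The Python model below is an added example, not code from the patent, showing how these fit together when the published state carries a version number: a push is accepted only if it is newer than what the module holds, a pull returns nothing when the module is already current, and an unreachable rule server leaves the last snapshot in force and flags it as stale. The version field, the `reachable` flag used to simulate a module the push cannot reach, and the `RuleServerUnavailable` exception are all assumptions made for the demonstration.

```python
"""Versioned rule distribution with last-known-good fallback (added example, not the patent's code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One published state of the rule table and dangerous IP list."""
    version: int
    rules: tuple[str, ...]            # rule names only; matching is not the point here
    dangerous_ips: frozenset[str]


EMPTY = Snapshot(0, (), frozenset())


class RuleServerUnavailable(Exception):
    """Raised when the (hypothetical) rule server cannot be reached."""


class RuleServer:
    def __init__(self) -> None:
        self.snapshot = EMPTY
        self.online = True             # constructed switch used to simulate an outage
        self._modules: list[DefenseModule] = []

    def register(self, module: DefenseModule) -> None:
        self._modules.append(module)

    def fetch(self, have_version: int) -> Snapshot | None:
        """Pull path: return the current state, or None if the caller already has it."""
        if not self.online:
            raise RuleServerUnavailable()
        return None if self.snapshot.version == have_version else self.snapshot

    def publish(self, rules, dangerous_ips) -> Snapshot:
        """New configuration: bump the version and push it to every reachable module."""
        self.snapshot = Snapshot(self.snapshot.version + 1, tuple(rules), frozenset(dangerous_ips))
        for module in self._modules:
            if module.reachable:
                module.receive(self.snapshot)
        return self.snapshot


class DefenseModule:
    def __init__(self, server: RuleServer, reachable: bool = True) -> None:
        self.server = server
        self.reachable = reachable     # constructed flag: False simulates a module the push cannot reach
        self.current = EMPTY
        self.stale = True
        server.register(self)
        self.poll()                    # start-up fetch

    def receive(self, snap: Snapshot) -> None:
        """Push path: accept only newer versions so a late push cannot roll the module back."""
        if snap.version > self.current.version:
            self.current = snap
            self.stale = False

    def poll(self) -> bool:
        """Periodic pull. On outage keep defending with the saved snapshot and flag it as stale."""
        try:
            snap = self.server.fetch(self.current.version)
        except RuleServerUnavailable:
            self.stale = True
            return False
        if snap is not None:
            self.current = snap
        self.stale = False
        return True

    def is_dangerous(self, ip: str) -> bool:
        return ip in self.current.dangerous_ips


def run_demo() -> dict[str, object]:
    """Walk through push, catch-up pull and outage fallback; return the observed states."""
    server = RuleServer()
    a = DefenseModule(server)
    b = DefenseModule(server, reachable=False)
    server.publish(["sql_injection"], ["10.0.0.9"])       # constructed configuration
    out: dict[str, object] = {}
    out["a_version_after_push"] = a.current.version        # push reached a
    out["b_version_after_push"] = b.current.version        # push missed b
    b.poll()
    out["b_version_after_poll"] = b.current.version        # the periodic pull catches b up
    server.online = False
    out["a_poll_during_outage"] = a.poll()
    out["a_blocks_during_outage"] = a.is_dangerous("10.0.0.9")
    out["a_stale_during_outage"] = a.stale
    server.online = True
    out["a_poll_after_recovery"] = a.poll()
    out["a_stale_after_recovery"] = a.stale
    return out
```

The `stale` flag is the piece a monitoring server would want to see in the running status it queries under claims 3 and 10: the module is still blocking 10.0.0.9 during the outage, but it is doing so on configuration it cannot confirm is current.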
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410306976.1A CN105338017A (en) | 2014-06-30 | 2014-06-30 | WEB defense method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105338017A true CN105338017A (en) | 2016-02-17 |
Family
ID=55288296
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410306976.1A Pending CN105338017A (en) | 2014-06-30 | 2014-06-30 | WEB defense method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105338017A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999021340A1 (en) * | 1997-10-23 | 1999-04-29 | At & T Wireless Services, Inc. | A method and apparatus for filtering packets using a dedicated processor |
CN101115023A (en) * | 2006-07-25 | 2008-01-30 | 华为技术有限公司 | Method for subscripting, amending, canceling subscription authority and desubscripting CBCS service |
CN102158568A (en) * | 2011-04-20 | 2011-08-17 | 北京蓝汛通信技术有限责任公司 | Method and device for banning IP (Internet Protocol) addresses and content distribution network server |
CN102184356A (en) * | 2011-04-21 | 2011-09-14 | 奇智软件(北京)有限公司 | Method, device and safety browser by utilizing sandbox technology to defend |
CN103107948A (en) * | 2011-11-15 | 2013-05-15 | 阿里巴巴集团控股有限公司 | Flow control method and flow control device |
CN103139041A (en) * | 2011-11-23 | 2013-06-05 | 中兴通讯股份有限公司 | Method for filtering information and method, device and system for processing forwarded information |
CN103514401A (en) * | 2011-04-21 | 2014-01-15 | 北京奇虎科技有限公司 | Method and device for defense by utilization of sandbox technology and security browser |
Application events
- 2014-06-30: application CN201410306976.1A filed in CN; publication CN105338017A; status active, Pending
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106506559A (en) * | 2016-12-29 | 2017-03-15 | 北京奇虎科技有限公司 | Access behavior control method and device |
CN106973058A (en) * | 2017-03-31 | 2017-07-21 | 北京奇艺世纪科技有限公司 | A kind of Web application firewalls rule update method, apparatus and system |
CN111585981A (en) * | 2020-04-24 | 2020-08-25 | 上海泛微网络科技股份有限公司 | Security detection method based on application firewall and related equipment |
CN114422206A (en) * | 2021-12-29 | 2022-04-29 | 北京致远互联软件股份有限公司 | JAVA WEB dynamic configuration security defense method |
CN114422206B (en) * | 2021-12-29 | 2024-02-02 | 北京致远互联软件股份有限公司 | JAVA WEB dynamic configuration security defense method |
Similar Documents
Publication | Title |
---|---|
US10637888B2 (en) | Automated lifecycle system operations for threat mitigation |
CN103685575B (en) | A kind of web portal security monitoring method based on cloud framework |
CN104917779B (en) | A kind of means of defence, the apparatus and system of CC attacks based on cloud |
US10432650B2 (en) | System and method to protect a webserver against application exploits and attacks |
US20230092522A1 (en) | Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product |
CN106534114B (en) | Malicious attack prevention system based on big data analysis |
CN104125242B (en) | Protection method and protection device capable of recognizing DDOS (distributed denial of service) attacks camouflaged as LDNS (local domain name server) requests |
US11652828B1 (en) | Systems and methods for automated anomalous behavior detection and risk-scoring individuals |
CN103179132A (en) | A method and device for detecting and defending against CC attacks |
CN111740868B (en) | Alarm data processing method and device and storage medium |
CN105391818A (en) | Authoritative name emergency resolution system and method based on recursive server |
US20150358343A1 (en) | Detection and classification of malicious clients based on message alphabet analysis |
JP5813810B2 (en) | Blacklist expansion device, blacklist expansion method, and blacklist expansion program |
US10805271B2 (en) | Method and system for intrusion detection and prevention |
CN109074456A (en) | Computer attack blocking method of two-stage filtering and device using method |
CN105338017A (en) | WEB defense method and system |
KR101200906B1 (en) | High Performance System and Method for Blocking Harmful Sites Access on the basis of Network |
CN109660552A (en) | A kind of Web defence method combining address jump and WAF technology |
CN112491883A (en) | Method, device, electronic device and storage medium for detecting web attack |
CN104331660A (en) | Method, device and system for repairing system file |
US20120047248A1 (en) | Method and System for Monitoring Flows in Network Traffic |
CN110602134B (en) | Method, device and system for identifying illegal terminal access based on session tags |
CN110347955B (en) | Resource detection method and device |
CN106209867B (en) | Advanced threat defense method and system |
Hu et al. | Research of DDoS attack mechanism and its defense frame |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160217 |