CN106790073B - Blocking method and device for malicious attack of Web server and firewall - Google Patents
- Publication number: CN106790073B (application CN201611192582.3A)
- Authority: CN (China)
- Prior art keywords: client; access request; identification information; malicious attack; web server
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/10 — Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/02 — Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/1416 — Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/1458 — Denial of Service (under H04L63/1441, countermeasures against malicious traffic)
- H04L63/1466 — Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441, countermeasures against malicious traffic)
- H04L63/306 — Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
Abstract
The invention discloses a blocking method, a blocking device and a firewall for malicious attacks on a Web server. The blocking method comprises the following steps: receiving an access request sent by a client for accessing a Web server; judging whether the access request is a malicious attack request and, if so, marking the client as a malicious attack client; and discarding the access request and blocking subsequent access requests sent by the malicious attack client. Therefore, in the invention, the IP address is not blocked directly; only the client that launched the malicious attack is blocked, so that normal users in the same local area network who are not attacking can still access the Web server.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a method and a device for blocking malicious attacks of a Web server and a firewall.
Background
With the continuous development of internet technology, more and more users need to access the internet to acquire data, visit various websites and carry out other activities. Because users access the internet using IPv4 addresses, and the number of IPv4 addresses is limited, the IPv4 address space has been exhausted.
To deal with IPv4 address exhaustion, most companies, governments, internet cafes and other places with a large number of clients place those clients in a local area network and connect them to the internet through NAT devices that perform address translation. This allows all clients in the local area network to access the internet using only one public IP address.
Meanwhile, malicious attacks directed to the Web server are becoming more and more rampant. The malicious attacks mainly comprise crawler attacks and vulnerability scanning attacks, and attackers attack the Web server through scanning detection tools, automatic attack tools and the like.
To cope with malicious attacks, a network security device such as a firewall is deployed in front of the website to enhance the security of the Web server. Existing firewalls deal with malicious attacks on the Web server by blocking access from an IP address once an attack is identified.
However, because there are many users in the LAN, if only one of them initiates a malicious attack, whether actively or passively because of a malware infection or a trojan, then once access from the IP address used by that user is blocked, none of the users in the entire LAN can reach the Web server. Users who are not attacking can no longer access the Web server normally.
Therefore, a method for ensuring that a normal user without malicious attack in a local area network can normally access a Web server after an attack is identified is needed.
Disclosure of Invention
In view of this, the present invention provides a blocking method, an apparatus and a firewall for malicious attack of a Web server, so as to solve the technical problem in the prior art that all users in the entire local area network cannot normally access the Web server due to abnormal users in the local area network.
In order to achieve the purpose, the invention provides the following technical scheme:
the invention provides a method for blocking malicious attack of a Web server, which comprises the following steps:
receiving an access request sent by a client for accessing a Web server;
judging whether the access request is a malicious attack request, if so, marking the client as a malicious attack client;
and discarding the access request and blocking a subsequent access request sent by the malicious attack client.
Preferably, the marking the client as a malicious client comprises:
analyzing the access request to obtain the identification information of the client;
and marking the client corresponding to the identification information in a preset template as a malicious attack client according to the identification information.
Preferably, the analyzing the access request to obtain the identification information of the client includes:
analyzing the access request by using a protocol analysis method to obtain an analysis result;
judging whether the analysis result contains Cookie or not;
if so, taking the session information of the Web server accessed in the Cookie as the identification information of the client;
if not, obtaining Cookie containing identification information by using a preset algorithm according to the analysis result;
and replying the Cookie containing the identification information to the client as a redirection message so that the Cookie is stored by the client and carried in the next access request.
Preferably, after analyzing the access request and obtaining the identification information of the client, the method further includes:
analyzing the access request to obtain the IP address of the client;
and generating a preset template according to the IP address of the client and the identification information of the client.
Preferably, the same IP address in the preset template corresponds to identification information of multiple clients, and the blocking method further includes:
and sending the IP address of the client in the preset template and the identification information of the client under the IP address to a display module for displaying in a report and/or log mode.
Another aspect of the present invention provides a blocking apparatus for malicious attack on a Web server, including:
the receiving module is used for receiving an access request sent by a client for accessing the Web server;
the judging module is used for judging whether the access request is a malicious attack request, and if so, marking the client as a malicious attack client;
and the processing module is used for discarding the access request and blocking a subsequent access request sent by the malicious attack client.
Preferably, the judging module includes:
the analysis unit is used for analyzing the access request to obtain the identification information of the client;
and the marking unit is used for marking the client corresponding to the identification information in the preset template as a malicious attack client according to the identification information.
Preferably, the analysis unit includes:
the first analysis subunit is used for analyzing the access request by using a protocol analysis method to obtain an analysis result;
the judging unit is used for judging whether the analysis result contains Cookie or not; if so, taking the session information of the Web server accessed in the Cookie as the identification information of the client; if not, obtaining Cookie containing identification information by using a preset algorithm according to the analysis result;
and the redirection unit is used for replying the Cookie containing the identification information to the client as a redirection message so that the Cookie is stored by the client and is carried in the next access request.
Preferably, the method further comprises the following steps:
the second analysis subunit is used for analyzing the access request to obtain the IP address of the client;
and the generating unit is used for generating a preset template according to the IP address of the client and the identification information of the client.
The invention also discloses a firewall, which comprises the blocking device.
Compared with the prior art, the technical scheme shows that the invention discloses a blocking method, a device and a firewall for malicious attack of a Web server, wherein the blocking method comprises the following steps: receiving an access request sent by a client for accessing a Web server; judging whether the access request is a malicious attack request, if so, marking the client as a malicious attack client; and discarding the access request and blocking a subsequent access request sent by the malicious attack client. Therefore, in the invention, the IP address is not directly blocked, but only the client side which launches the malicious attack is blocked, so that the normal user without the malicious attack in the local area network can still normally access the Web server.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of a blocking method for malicious attack of a Web server according to an embodiment of the present invention;
fig. 2 is another schematic flow chart of a blocking method for malicious attack of a Web server according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a blocking apparatus for malicious attack on a Web server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, a blocking method for malicious attacks acquires the IP address of the client that sent an access request once that request is found to be a malicious attack, and then prevents that client from attacking the Web server by blocking the IP address.
IP blocking only records log information about the blocked IP address; it cannot provide evidence for investigating and identifying the real attacker.
Moreover, once access from the IP address used by the attacking user is blocked, all users in the entire LAN lose access to the Web server. Users who are not attacking can no longer access the Web server normally.
In order to solve the problems in the prior art, the embodiment of the invention discloses a blocking method and device for malicious attack of a Web server and a firewall. The technical means of the present invention will be described in detail below.
Fig. 1 is a schematic flow diagram of a blocking method for malicious attack of a Web server according to the present invention.
Referring to fig. 1, the present invention provides a blocking method for malicious attacks on a Web server, including:
S101, receiving an access request sent by a client for accessing a Web server;
in the embodiment of the present invention, the blocking method is preferably applied to a firewall. The firewall is erected between the Web server and the client and serves as a bridge for connecting the Web server and the client.
In practical use, a firewall is usually deployed in a gateway mode, and any traffic or request that needs to access the Web server needs to pass through the firewall.
Therefore, in the embodiment of the present invention, when the client needs to access the Web server, the firewall receives the access request sent by the client before the access request is sent to the Web server.
In actual use, this step may also be detecting, in real time, traffic of the client accessing the Web server, where the traffic includes an access request of the client accessing the Web server.
S102, judging whether the access request is a malicious attack request, and if so, marking the client as a malicious attack client;
When an access request is received, a detection means developed in the prior art is used to determine whether the request is a malicious attack request, such as a request from a malicious crawler, a vulnerability scan, and the like.
If so, the client that initiated the attack is marked as a malicious attack client.
In actual use, the firewall can instead identify whether the traffic contains a malicious attack request and, if it does, mark the client as a malicious attack client.
If not, the access request may be released so that the client can access the Web server normally. Of course, other policies may also be applied, for example checking whether the Web server has reached its access limit, and the corresponding subsequent operations may be performed on the request; these are not described further here.
S103, discarding the access request and blocking the subsequent access request sent by the malicious attack client.
If the access request is a malicious attack request, the access request is discarded, that is, the data packet or message sent by the client is dropped, and the Web server is thereby protected from the attack.
Subsequent requests sent by the malicious attack client are also blocked, that is, the client is shielded from communicating and connecting with the Web server, which prevents it from attempting to attack the Web server again during a subsequent period of time. The length of that period may be set by the user to a specific value, for example 1 hour, 1 day, one week, or permanently, depending on the actual situation.
Of course, once the mark is cleared or the time limit is reached, the client is no longer shielded. A prompt may also be sent asking the user whether to clear the mark; the user acts on the mark according to the actual situation, and the firewall receives the user's operation on the mark of the malicious client and clears or retains the mark accordingly.
Compared with the prior art, the technical scheme shows that the invention discloses a blocking method for malicious attack of a Web server, which comprises the following steps: receiving an access request sent by a client for accessing a Web server; judging whether the access request is a malicious attack request, if so, marking the client as a malicious attack client; and discarding the access request and blocking a subsequent access request sent by the malicious attack client. Therefore, in the invention, the IP address is not directly blocked, but only the client side which launches the malicious attack is blocked, so that the normal user without the malicious attack in the local area network can still normally access the Web server.
Marking the client involves analyzing the access request to acquire identification information of the client. The identification information represents the record of that client's access to the Web server.
In the above embodiment, it is necessary to determine whether the access request is a malicious attack request, and the following further describes this process.
Referring to fig. 2, fig. 2 is another schematic flowchart of a blocking method for malicious attacks on a Web server according to an embodiment of the present invention.
The invention provides a method for blocking malicious attack of a Web server, which comprises the following steps:
S201, receiving an access request sent by a client for accessing a Web server;
S202, analyzing the access request to obtain identification information of the client, and marking the client corresponding to the identification information in a preset template as a malicious attack client according to the identification information;
S203, discarding the access request and blocking the subsequent access request sent by the malicious attack client.
S201 and S203 are the same as S101 and S103, and are not described herein.
The following mainly describes step S202.
The preset template in the invention comprises a plurality of clients and the identification information corresponding to each of them; in other words, it records the clients that have accessed the Web server together with their identification information.
Once the access request has been analyzed and found to be a malicious attack request, the client is marked in the preset template according to its identification information. The mark may be associated with the preset template through a policy table that holds the execution policy for malicious attack clients, or a mark data column may be set in the preset template itself. Other forms are also possible, as long as the attacking client can be marked as a malicious attack client; no specific limitation is made here.
Wherein S202 may be divided into the following steps.
The analyzing the access request to obtain the identification information of the client comprises:
analyzing the access request by using a protocol analysis method to obtain an analysis result;
judging whether the analysis result contains Cookie or not;
if so, taking the session information of the Web server accessed in the Cookie as the identification information of the client;
if not, obtaining Cookie containing identification information by using a preset algorithm according to the analysis result;
and replying the Cookie containing the identification information to the client as a redirection message so that the Cookie is stored by the client and carried in the next access request.
Generally, when a user accesses a website, that is, when the client used by the user accesses a Web server, the client is usually instructed to store a record of the visit, typically in the form of cookies. A Cookie usually contains session information, namely the well-known session identifier (sessionID). The value of each client's sessionID is unique, so every piece of session information is different, and a known sessionID therefore characterizes a client that has accessed the Web server. Sites such as Sina and Sohu, for example, each place their own sessionID in the Cookie file.
Therefore, in the embodiment of the present invention, obtaining the identification information of the client may be understood as obtaining the known sessionID from the Cookie.
In the embodiment of the invention, the access request is analyzed using a mature protocol analysis method from the prior art to obtain an analysis result. The analysis result includes the IP address of the client, the User-Agent (UA, which usually contains operating system and browser information), Accept (the file types the browser accepts), and the Cookie. It may also include Host (the domain name), Accept-Language (the languages the browser accepts), the request method and URL, and other data related to the client.
If the analysis result contains the Cookie, the client is proved to have access to the Web server, and the session information in the Cookie is used as the identification information of the client.
If not, that is, if no known sessionID is present, unique identification information is generated by a preset algorithm from the analysis result, carried in a Cookie that is returned to the client as a redirection message, and the session is ended, that is, the connection with the client is closed.
After receiving the Cookie, the client stores it and sends it to the firewall as part of its next access request.
It should be noted that even when the analysis result includes a Cookie, the firewall may further check whether that Cookie contains the client's session information; if no session information is obtained, the subsequent steps may likewise be executed to generate unique identification information and return a Cookie containing it to the client as a redirection message.
The identification information of the client may be calculated from fields such as the IP address, User-Agent (UA, which generally includes operating system and browser information), Accept (the file types the browser accepts), Host (the domain name), Accept-Language (the languages the browser accepts), the request method and URL, together with the time. The specific calculation is not limited here, as long as unique identification information is obtained.
In the above embodiments, reference is made to the preset template, and a method for generating the preset template is described below.
The analyzing the access request to obtain the identification information of the client further comprises:
analyzing the access request to obtain the IP address of the client;
and generating a preset template according to the IP address of the client and the identification information of the client.
After receiving an access request sent by a client, regardless of whether the request is a malicious attack, the firewall stores the client's IP address and identification information as a corresponding pair in the preset template. The preset template can be understood as a table mapping IP addresses to identifiers.
Optionally, the same IP address in the preset template corresponds to identification information of multiple clients, and the blocking method further includes:
and sending the IP address of the client in the preset template and the identification information of the client under the IP address to a display module for displaying in a report and/or log mode.
After the preset template is established, reports and logs can be displayed according to the IP address and the client identifier.
According to the recorded correspondence, the IP address of the client in the preset template and the identification information of the clients under that IP address are sent to a display module, which displays them as a report and/or a log.
When an access request is identified as a malicious attack, or a malicious attack is detected in the monitored traffic, information about the client including its historical access files, attack fragments and access times is uploaded to an event log; at the same time the client identification information is recorded in the event log and stored in a database.
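The following is an added illustration of the flow just described (S201 to S203, the Cookie-based identification step and the IP-to-identifier preset template). It is example code written for this page, not the patent holder's implementation; the cookie names `sessionid` and `fwid`, the sample requests, the NAT address and the stand-in malicious-request detector are all constructed assumptions.

```python
import hashlib
import time
from collections import defaultdict

# Cookie names are assumptions for this example: the Web server's own session
# cookie, and a firewall-issued marker used when no session cookie is present.
SESSION_COOKIE = "sessionid"
MARKER_COOKIE = "fwid"

def parse_request(raw: bytes) -> dict:
    """The 'protocol analysis' step: request line plus lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers}

def parse_cookies(header_value: str) -> dict:
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def derive_identifier(req: dict, client_ip: str, now: float) -> str:
    """The 'preset algorithm': hash the fields the page lists (IP, User-Agent,
    Accept, Host, Accept-Language, method and URL) together with the time, so
    that two clients behind one NAT IP receive distinct identifiers."""
    h = req["headers"]
    material = "|".join([client_ip, h.get("user-agent", ""), h.get("accept", ""),
                         h.get("host", ""), h.get("accept-language", ""),
                         req["method"], req["url"], repr(now)])
    return hashlib.sha256(material.encode()).hexdigest()[:32]

class Firewall:
    def __init__(self, is_malicious, block_seconds: float = 3600.0):
        self.is_malicious = is_malicious     # pluggable detector (step S102)
        self.block_seconds = block_seconds   # the "subsequent period", here 1 hour
        self.template = defaultdict(set)     # preset template: IP -> {identifiers}
        self.blocked_until = {}              # identifier -> expiry time of the mark
        self.event_log = []                  # records for report/log display

    def handle(self, raw: bytes, client_ip: str, now=None):
        """Returns ('redirect', set_cookie), ('drop', reason) or ('pass', ident)."""
        now = time.time() if now is None else now
        req = parse_request(raw)
        cookies = parse_cookies(req["headers"].get("cookie", ""))
        ident = next((cookies[n] for n in (SESSION_COOKIE, MARKER_COOKIE) if n in cookies), None)
        if ident is None:
            # No identifier yet: issue one in a redirect and end this session;
            # the client carries it back in its next request.
            ident = derive_identifier(req, client_ip, now)
            self.template[client_ip].add(ident)
            return ("redirect", f"{MARKER_COOKIE}={ident}; HttpOnly; Path=/")
        self.template[client_ip].add(ident)   # record the IP <-> identifier pair
        if self.blocked_until.get(ident, 0.0) > now:
            return ("drop", "blocked client")  # S103: block subsequent requests
        if self.is_malicious(req):
            self.blocked_until[ident] = now + self.block_seconds
            self.event_log.append({"ip": client_ip, "id": ident, "time": now,
                                   "request": f"{req['method']} {req['url']}"})
            return ("drop", "malicious request")
        return ("pass", ident)

def build(method: str, url: str, ua: str, cookie: str = "") -> bytes:
    """Constructed sample request; 'cookie' is an identifier value to send back."""
    lines = [f"{method} {url} HTTP/1.1", "Host: www.example.com",
             f"User-Agent: {ua}", "Accept: text/html", "Accept-Language: zh-CN"]
    if cookie:
        lines.append(f"Cookie: {MARKER_COOKIE}={cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def run_demo() -> dict:
    """Two clients behind one NAT IP; only the one that sends the malicious
    request is blocked, the other keeps its access, and the block expires."""
    # Stand-in detector: treats any path under /probe/ as a scanning request.
    fw = Firewall(is_malicious=lambda r: r["url"].startswith("/probe/"))
    nat_ip, t = "203.0.113.10", 1_700_000_000.0    # constructed values
    _, set_cookie = fw.handle(build("GET", "/index.html", "BrowserA"), nat_ip, t)
    id_a = set_cookie.split(";")[0].split("=", 1)[1]
    _, set_cookie = fw.handle(build("GET", "/index.html", "BrowserB"), nat_ip, t + 1)
    id_b = set_cookie.split(";")[0].split("=", 1)[1]
    outcomes = [
        fw.handle(build("GET", "/probe/1", "BrowserA", id_a), nat_ip, t + 2)[0],       # drop
        fw.handle(build("GET", "/index.html", "BrowserA", id_a), nat_ip, t + 3)[0],    # drop
        fw.handle(build("GET", "/index.html", "BrowserB", id_b), nat_ip, t + 4)[0],    # pass
        fw.handle(build("GET", "/index.html", "BrowserA", id_a), nat_ip, t + 3700)[0], # pass
    ]
    return {"outcomes": outcomes, "ids_under_ip": len(fw.template[nat_ip]),
            "log": fw.event_log}
```

`run_demo()` returns `["drop", "drop", "pass", "pass"]` for the four marked requests and two identifiers under the shared IP, which is the report-by-client view the preset template is meant to give.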
According to the above description, it can be seen that the present invention has the following effects:
1) The client mark is combined with the NAT-translated IP address, which allows attacks to be traced and the attacker's device to be located from the client information.
2) The IP address is not blocked; blocking is based on the client mark, so the entire local area network behind a NAT device is not cut off.
3) The template that maps attacking IP addresses to client marks can be used to trace attacks: the local area network where the attacker is located is found through the IP address, and devices within that network are distinguished through the client mark. Attack events are tracked by client mark, and reports are displayed per client for clients sharing the same IP address. The report records the access behavior and attack behavior of each client, counts the number of clients in the same IP local area network, compares the behavior of different clients, and highlights suspicious client behavior.
Corresponding to the above method embodiments, the embodiment of the present invention provides a blocking apparatus for malicious attack of a Web server.
Referring to fig. 3, the blocking apparatus for malicious attacks on a Web server provided by the present invention comprises:
a receiving module 301, configured to receive an access request sent by a client accessing a Web server;
a determining module 302, configured to determine whether the access request is a malicious attack request, and if so, mark the client as a malicious attack client;
the processing module 303 is configured to discard the access request and block a subsequent access request sent by the malicious attack client.
Optionally, the determining module includes:
the analysis unit is used for analyzing the access request to obtain the identification information of the client;
and the marking unit is used for marking the client corresponding to the identification information in the preset template as a malicious attack client according to the identification information.
Optionally, the parsing unit includes:
the first analysis subunit is used for analyzing the access request by using a protocol analysis method to obtain an analysis result;
the judging unit is used for judging whether the analysis result contains Cookie or not; if so, taking the session information of the Web server accessed in the Cookie as the identification information of the client; if not, obtaining Cookie containing identification information by using a preset algorithm according to the analysis result;
and the redirection unit is used for replying the Cookie containing the identification information to the client as a redirection message so that the Cookie is stored by the client and is carried in the next access request.
Optionally, the method further includes:
the second analysis subunit is used for analyzing the access request to obtain the IP address of the client;
and the generating unit is used for generating a preset template according to the IP address of the client and the identification information of the client.
It should be noted that the blocking apparatus for malicious attacks on a Web server in this embodiment may adopt any of the blocking methods for malicious attacks on a Web server described in the foregoing method embodiments, and so implements all the technical solutions of those embodiments. The function of each module of the blocking apparatus may be implemented according to the method of the foregoing method embodiments, and the specific implementation process of the blocking apparatus may refer to the relevant descriptions there, which are not repeated here.
The invention also discloses a firewall, which comprises the blocking device.
Compared with the prior art, the technical scheme described above shows that the invention discloses a blocking method, a blocking device and a firewall for malicious attacks on a Web server. The blocking device receives an access request sent by a client to access the Web server; judges whether the access request is a malicious attack request and, if so, marks the client as a malicious attack client; and discards the access request and blocks subsequent access requests sent by the malicious attack client. Therefore, in the invention, the IP address is not blocked directly; only the client that launched the malicious attack is blocked, so that normal users in the same local area network who have not launched a malicious attack can still access the Web server normally.
Of course, the firewall can also perform the same function as the blocking device described above.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
The method proposed by the present invention is described above by way of example with reference to the accompanying drawings, and the above description of the embodiments is only intended to help the understanding of the core ideas of the present invention. For those skilled in the art, variations can be made in the specific embodiments and applications without departing from the spirit of the invention. In view of the above, the present disclosure should not be construed as limiting the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (6)
1. A method for blocking malicious attacks on a Web server, characterized by comprising the following steps:
receiving an access request sent by a client accessing a Web server in a local area network;
judging whether the access request is a malicious attack request, and if so, marking the client as a malicious attack client;
discarding the access request and blocking subsequent access requests sent by the malicious attack client;
wherein marking the client as the malicious attack client comprises the following steps:
parsing the access request to obtain the identification information of the client, the identification information of the client being calculated from the IP, the operating system, the browser information, the file types and domain name accepted by the browser, the language accepted by the browser, the request method and URL field, and the time;
marking the client corresponding to the identification information in a preset template as a malicious attack client according to the identification information;
and wherein parsing the access request to obtain the identification information of the client further comprises:
parsing the access request to obtain the IP address of the client;
and generating the preset template from the IP address of the client and the identification information of the client.
2. The blocking method according to claim 1, wherein parsing the access request to obtain the identification information of the client comprises:
parsing the access request with a protocol analysis method to obtain a parsing result;
judging whether the parsing result contains a Cookie;
if so, taking the session information for the accessed Web server carried in the Cookie as the identification information of the client;
if not, generating a Cookie containing identification information from the parsing result using a preset algorithm;
and replying the Cookie containing the identification information to the client in a redirection message, so that the client stores the Cookie and carries it in its next access request.
3. The blocking method according to claim 1, wherein the same IP address in the preset template corresponds to the identification information of a plurality of clients, and the blocking method further comprises:
sending the IP address of the client in the preset template and the identification information of the clients under that IP address to a display module for display in the form of a report and/or a log.
4. A blocking device for malicious attacks on a Web server, characterized by comprising:
a receiving module, used to receive an access request sent by a client accessing the Web server in a local area network;
a judging module, used to judge whether the access request is a malicious attack request, and if so, to mark the client as a malicious attack client;
a processing module, used to discard the access request and block subsequent access requests sent by the malicious attack client;
wherein the judging module comprises:
a parsing unit, used to parse the access request to obtain the identification information of the client, the identification information of the client being calculated from the IP, the operating system, the browser information, the file types and domain name accepted by the browser, the language accepted by the browser, the request method and URL field, and the time;
a marking unit, used to mark the client corresponding to the identification information in the preset template as a malicious attack client according to the identification information;
and further comprising:
a second parsing subunit, used to parse the access request to obtain the IP address of the client;
and a generating unit, used to generate the preset template from the IP address of the client and the identification information of the client.
5. The blocking device according to claim 4, wherein the parsing unit comprises:
a first parsing subunit, used to parse the access request with a protocol analysis method to obtain a parsing result;
a judging unit, used to judge whether the parsing result contains a Cookie; if so, the session information for the accessed Web server carried in the Cookie is taken as the identification information of the client; if not, a Cookie containing identification information is generated from the parsing result using a preset algorithm;
and a redirection unit, used to reply the Cookie containing the identification information to the client in a redirection message, so that the client stores the Cookie and carries it in its next access request.
6. A firewall, characterized in that it comprises the blocking device according to claim 4 or 5.
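The following is an added example modelling the claimed blocking device in Python; it is not the patent's own code. It assumes raw HTTP/1.1 requests as input, a cookie named `cid` for the identification, a SHA-256 hash of the claim 1 fields standing in for the unspecified "preset algorithm", and a placeholder path-traversal rule standing in for the unspecified attack-detection step; the per-client cookie is what lets one client behind a shared IP be blocked while others keep access.

```python
import hashlib
from http.cookies import SimpleCookie

COOKIE_NAME = "cid"  # assumed name of the cookie that carries the client identification

# Constructed sample request for the demo (not captured traffic); the client has no Cookie yet.
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nAccept: text/html\r\n"
                  "Accept-Language: en-US\r\n\r\n")

def parse_request(raw):
    """Protocol analysis: split a raw HTTP/1.1 request into method, URL and headers."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, url = request_line.split(" ")[:2]
    headers = dict(line.split(":", 1) for line in header_lines if ":" in line)
    headers = {k.strip().lower(): v.strip() for k, v in headers.items()}
    return {"method": method, "url": url, "headers": headers}

def compute_identification(ip, req, now):
    """Hash claim 1's inputs: IP, User-Agent, Accept, Host, Accept-Language, method, URL, time."""
    h = req["headers"]
    material = "|".join([ip, h.get("user-agent", ""), h.get("accept", ""), h.get("host", ""),
                         h.get("accept-language", ""), req["method"], req["url"], "%d" % now])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def looks_malicious(req):
    """Placeholder detection rule; the patent leaves the attack-detection step unspecified."""
    return "../" in req["url"]

class BlockingDevice:
    def __init__(self):
        self.template = {}    # preset template: IP address -> set of client identifications
        self.blocked = set()  # identifications marked as malicious attack clients

    def handle(self, ip, raw, now):
        req = parse_request(raw)
        jar = SimpleCookie(req["headers"].get("cookie", ""))
        cid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        if cid is None:  # no Cookie yet: issue one in a redirect so the client resends it
            cid = compute_identification(ip, req, now)
            response = "302 redirect; Set-Cookie: %s=%s" % (COOKIE_NAME, cid)
        elif cid in self.blocked:  # later request from a marked client: block it
            response = "drop: blocked client"
        elif looks_malicious(req):
            self.blocked.add(cid)  # mark the client identification, not the IP address
            response = "drop: marked malicious"
        else:
            response = "forward to Web server"
        self.template.setdefault(ip, set()).add(cid)  # other clients behind this IP stay unaffected
        return response
```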
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611192582.3A CN106790073B (en) | 2016-12-21 | 2016-12-21 | Blocking method and device for malicious attack of Web server and firewall |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106790073A CN106790073A (en) | 2017-05-31 |
| CN106790073B true CN106790073B (en) | 2020-06-05 |
Family ID: 58893690
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201611192582.3A Active CN106790073B (en) | 2016-12-21 | 2016-12-21 | Blocking method and device for malicious attack of Web server and firewall |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106790073B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107241333A (en) * | 2017-06-13 | 2017-10-10 | 上海微烛信息技术有限公司 | Recognition methods, system, Network Security Device and the server of exception request |
| CN112217777A (en) * | 2019-07-12 | 2021-01-12 | 上海云盾信息技术有限公司 | Attack backtracking method and equipment |
| CN114465744A (en) * | 2021-09-15 | 2022-05-10 | 中科方德软件有限公司 | Safety access method and network firewall system |
| CN114168946A (en) * | 2021-12-14 | 2022-03-11 | 杭州安恒信息技术股份有限公司 | An attack detection method, device and storage medium |
| CN116582366B (en) * | 2023-07-12 | 2023-09-15 | 中国电信股份有限公司 | Web attack prevention method, device and system and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20110043373A (en) * | 2009-10-21 | 2011-04-27 | 충남대학교산학협력단 | System and method for detecting and blocking SIP protocol denial-of-service attack using hidden Markov model |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102932380B (en) * | 2012-11-30 | 2016-06-29 | 网宿科技股份有限公司 | The distributed preventing malicious attack method and system of content-based distribution network |
| CN103384242B (en) * | 2013-03-15 | 2016-12-28 | 中标软件有限公司 | Intrusion detection method based on Nginx proxy server and system |
| CN104811424B (en) * | 2014-01-26 | 2019-05-14 | 腾讯科技(深圳)有限公司 | Malicious user recognition methods and device |
| CN105516073B (en) * | 2014-10-20 | 2018-12-25 | 中国银联股份有限公司 | Network intrusion prevention method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |