
CN110830453A - Attack processing method and device, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN110830453A
Authority
CN
China
Prior art keywords
request
address
server
attack
firewall
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911002129.5A
Other languages
Chinese (zh)
Inventor
李永波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention provide an attack processing method and apparatus, an electronic device and a computer-readable storage medium, in the field of communications. The method runs on a server that can communicate with a firewall: the server acquires request messages sent by a request end, acquires related data for identifying an attack, and judges whether that data meet a set triggering condition. If the condition is met, the server informs the firewall to start detecting the real IP address of the request end that sent the request message; if it is not met, the server informs the firewall to stop that detection. Anti-attack processing is thereby achieved while the adverse impact on firewall performance is reduced.

Description

Attack processing method and device, electronic equipment and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an attack processing method and apparatus, an electronic device, and a computer-readable storage medium.
Background
Network attacks are ubiquitous; many are under way at any moment and cause great harm to production and daily life. One of the more common attack methods is for an attack source to control a number of "broilers" (compromised zombie hosts) and use them as agents to open connections to a service provider. Because these connections are individually legitimate and very numerous, the service provider's resources are tied up by a single attack source and it can no longer provide service normally. In the prior art, attack handling is mainly implemented on the firewall, but that mode of processing has a large impact on firewall performance.
Disclosure of Invention
In view of the above, the present invention provides an attack processing method, an attack processing apparatus, an electronic device, and a computer-readable storage medium.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
In a first aspect, an embodiment of the present invention provides an attack processing method applied to a server capable of communicating with a firewall. The method includes:
acquiring a request message sent by a request end, and acquiring related data for identifying an attack;
judging whether the related data meet a set triggering condition;
if the set triggering condition is met, informing the firewall to start detecting the real IP address of the request end that sent the request message; and if the set triggering condition is not met, informing the firewall to stop detecting that real IP address.
In an optional embodiment, obtaining related data for identifying an attack and judging whether the related data meet the set triggering condition include one or more of the following:
identifying the source IP address of the request message, and judging whether the number of connections carrying request messages from the same source IP address exceeds a first threshold;
acquiring the number of concurrent connections for request messages on the server, and judging whether it exceeds a second threshold;
acquiring the CPU utilization of the server, and judging whether it exceeds a third threshold;
acquiring the memory utilization of the server, and judging whether it exceeds a fourth threshold.
In an optional embodiment, obtaining the related data for identifying the attack includes detecting the X-Forward-For field of the request message to obtain the source IP address of the request message.
In a second aspect, an embodiment of the present invention provides an attack processing method applied to a firewall capable of communicating with a server. The method includes:
in response to a first notification message sent by the server, starting detection of the real IP address of the request end that sent a request message, according to the first notification message;
and in response to a second notification message sent by the server, stopping detection of the real IP address of the request end that sent the request message, according to the second notification message.
In an optional implementation, starting detection of the real IP address of the request end that sent the request message includes:
detecting the X-Forward-For field of a request message sent by the request end to obtain the source IP address of the request message;
judging whether the set information for request messages from the same source IP address exceeds a set threshold and, if so, applying anti-attack processing to request messages from that source IP address;
where the set information comprises at least one of the number of concurrent connections carrying request messages from the same source IP address, the number of newly created request messages from the same source IP address, and the bandwidth occupied by request messages from the same source IP address.
In a third aspect, an embodiment of the present invention provides an attack processing apparatus applied to a server capable of communicating with a firewall. The apparatus includes:
a data acquisition module, used to acquire a request message sent by a request end and to acquire related data for identifying an attack;
an attack processing module, used to judge whether the related data meet a set triggering condition and, if so, to inform the firewall to start detecting the real IP address of the request end that sent the request message; and if the set triggering condition is not met, to inform the firewall to stop detecting that real IP address.
In an optional implementation, the data acquisition module obtains related data for identifying an attack by one or more of: identifying the source IP address of the request message, obtaining the number of concurrent connections for request messages on the server, obtaining the CPU utilization of the server, and obtaining the memory utilization of the server;
and the attack processing module judges whether the related data meet the set triggering condition by one or more of: judging whether the number of connections carrying request messages from the same source IP address exceeds a first threshold, judging whether the number of concurrent connections exceeds a second threshold, judging whether the CPU utilization of the server exceeds a third threshold, and judging whether the memory utilization of the server exceeds a fourth threshold.
In an optional implementation, the data acquisition module detects the X-Forward-For field of the request message to obtain its source IP address.
In a fourth aspect, an embodiment of the present invention provides an attack processing apparatus applied to a firewall capable of communicating with a server. The apparatus includes:
a message response module, used to respond to a first notification message sent by the server by starting detection of the real IP address of the request end that sent a request message, according to the first notification message; and to respond to a second notification message sent by the server by stopping that detection, according to the second notification message.
In an optional implementation, the message response module starts detection of the real IP address of the request end that sent the request message through the following steps:
detecting the X-Forward-For field of a request message sent by the request end to obtain the source IP address of the request message;
judging whether the set information for request messages from the same source IP address exceeds a set threshold and, if so, applying anti-attack processing to request messages from that source IP address;
where the set information comprises at least one of the number of concurrent connections carrying request messages from the same source IP address, the number of newly created request messages from the same source IP address, and the bandwidth occupied by request messages from the same source IP address.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor can execute the machine executable instructions to implement the method described in any one of the foregoing embodiments.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method according to any one of the foregoing embodiments.
According to the attack processing method and apparatus, the electronic device and the computer-readable storage medium provided by the embodiments of the invention, the server obtains the request message sent by the request end, obtains related data for identifying an attack, and judges whether that data meet the set triggering condition; it informs the firewall to start detecting the real IP address of the request end that sent the request message when the condition is met, and to stop that detection when it is not. Anti-attack processing is thereby achieved while the adverse effect on firewall performance is reduced.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 shows a scenario diagram of an agent attack according to an embodiment of the present invention.
Fig. 2 is a schematic diagram illustrating an application scenario provided by an embodiment of the present invention.
Fig. 3 is a flowchart illustrating an attack processing method according to an embodiment of the present invention.
Fig. 4 is a schematic overall flow chart of an attack processing method in the scenario shown in fig. 2 according to an embodiment of the present invention.
Fig. 5 is a schematic diagram illustrating another application scenario provided in the embodiment of the present invention.
Fig. 6 is a schematic block diagram illustrating an attack processing apparatus according to an embodiment of the present invention.
Fig. 7 is a block diagram of an electronic device according to an embodiment of the present invention.
Reference numerals: 100, electronic device; 110, memory; 120, processor; 130, communication module; 141, data acquisition module; 142, attack processing module.
Detailed Description
Among the many kinds of network attack, attacks aimed at a network server are common. For example, referring to fig. 1, where the web server is an HTTP (Hypertext Transfer Protocol) Server, an attack source controls several "broilers" (compromised hosts, also called puppet machines) and uses them as attack agents (fig. 1 shows attack agent 1 to attack agent 3) to access the HTTP Server over the network. In the scenario of fig. 1, the large number of "legal" HTTP connections (such as request messages) that originate from one attack source occupy the HTTP Server's resources, so a DDoS (distributed denial of service) condition arises and the HTTP Server can no longer provide service normally.
To resist such an attack, detection of the real IP (Internet Protocol) address of the request end that sends a request message (the IP address of the attack source) can be enabled on the Firewall device. When the firewall device checks the X-forward-for field of a request message, it parses the field's content and examines the real source IP address of the message (the IP address of the attack source) rather than its outer source IP address (the IP address of the attack agent). The firewall checks the real source IP address of each received request message and, when a set triggering condition is met, applies anti-attack processing (such as intercepting request messages from the attack source), so that the HTTP Server can keep providing service normally.
However, enabling detection of the real IP address of the request end on the firewall seriously affects the firewall's performance. In particular, when the network server is not under attack, the firewall still inspects every request message it receives once detection is enabled, which reduces throughput and the like. If, on the other hand, detection of the real IP address is disabled on the firewall, anti-attack processing cannot take place and the reliability of the service provided by the network server cannot be ensured (for example, the HTTP Server may suffer a DDoS attack).
In summary, how to reduce the adverse impact on firewall performance while still implementing attack processing is a technical problem that currently needs to be solved.
In view of this, embodiments of the present invention provide an attack processing method, an attack processing apparatus, an electronic device, and a computer-readable storage medium, in which a server obtains a request message sent by a request end, obtains related data for identifying an attack, judges whether that data meet a set triggering condition, notifies the firewall to start detection of the real IP address of the request end that sent the request message when the condition is met, and notifies the firewall to stop that detection when the condition is not met, so that the adverse effect on firewall performance is reduced while anti-attack processing is implemented.
The defects in the above solutions are findings the inventor obtained through practice and careful study; the discovery of the above problems, and the solutions the embodiments below propose for them, should therefore be regarded as the inventor's contribution in the inventive process.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is to be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Furthermore, the appearances of the terms "first," "second," "third," "fourth," etc. in this specification are only used for distinguishing between similar elements and are not intended to indicate or imply relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
Fig. 2 is a schematic view of an application scenario according to an embodiment of the invention. Based on the scenario of fig. 2 and referring to fig. 3, the attack processing method of this embodiment includes steps S110 to S140, executed by a server that is capable of communicating with the firewall.
S110: acquire a request message sent by a request end, and acquire related data for identifying an attack.
S120: judge whether the related data meet a set triggering condition. If so, execute S130; if not, execute S140.
S130: inform the firewall to start detecting the real IP address of the request end that sent the request message.
S140: inform the firewall to stop detecting the real IP address of the request end that sent the request message.
The embodiment of the invention links the firewall with the Server and performs the judgment of whether the set triggering condition is met at the Server. When the server judges that the condition is met, it informs the firewall to start detecting the real IP address of the request end that sent the request message; when it judges that the condition is not met, it informs the firewall to stop that detection. The firewall therefore performs anti-attack processing when the triggering condition is met, which ensures the reliability of attack handling, and stops it when the condition is not met, which avoids the performance cost of pointless anti-attack processing. Compared with simply leaving the firewall's anti-attack function permanently on or permanently off, triggering it from the server side according to whether the set condition is met reduces the adverse effect on firewall performance while still protecting the network server from attack, and makes the firewall's work more reasonable.
The server in this embodiment is independent of the firewall, so performing the above steps at the server reduces the adverse effect on firewall performance. The server may be any device independent of the firewall and can be chosen flexibly; for example, it may be a network server. Fig. 2 shows the case where the network server is an HTTP Server: the firewall acts as the Agent and the HTTP Server acts as the Server, and the two communicate. The protocol between them can also be chosen flexibly; for example, SNMP (Simple Network Management Protocol) may be used.
In S110, the data used to identify an attack can be set flexibly and may include at least one of: the source IP address of the request message obtained by the server (the real IP address of the request end that sent the request message), the number of concurrent connections for request messages on the server, the server's CPU utilization, the server's memory utilization, and so on. Correspondingly, obtaining the related data and judging whether it meets the set triggering condition may include one or more of the following: identifying the source IP address of the request message and judging whether the number of connections carrying request messages from the same source IP address exceeds a first threshold; acquiring the number of concurrent connections for request messages on the server and judging whether it exceeds a second threshold; acquiring the server's CPU utilization and judging whether it exceeds a third threshold; and acquiring the server's memory utilization and judging whether it exceeds a fourth threshold.
The first, second, third and fourth thresholds can be set flexibly and are not limited in this embodiment. "At least one" in this embodiment means any one, or any combination of two or more.
In this embodiment the protocol of the request message may be HTTP or HTTPS, and accordingly the source IP address of the request message may be obtained by detecting the X-Forward-For field of the request message.
The X-Forward-For field (the HTTP X-Forwarded-For request header, abbreviated XFF) identifies the originating IP address (real IP address) of a request end that reaches the network server through an HTTP proxy or a load balancer. By detecting this field of the request message, the real IP address of the request end that sent it (for example, the IP address of the attack source in fig. 2) can therefore be obtained.
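The source-address extraction and the server-side trigger check described above (S110 to S140), as an added example in Python that is not part of the patent or of any H3C product. The field the text calls X-Forward-For is the HTTP X-Forwarded-For (XFF) header, whose value is a comma-separated chain in which each proxy appends the address it received the request from. The example shows both the page's notion of the real IP address (the leftmost entry) and a second, more conservative reading that walks the chain from the right past proxies you operate: the leftmost entry is written by whoever is farthest from the server, so an attack agent can set it to any value, and a per-source count keyed on it alone can be evaded or pointed at an innocent address. The trusted-proxy range, threshold values, request records and utilization figures are constructed sample values.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed assumption: the address range of the proxies we operate ourselves
# (in the Fig. 2 scenario, the firewall/agent sitting in front of the HTTP Server).
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_xff(xff_header: Optional[str]) -> list:
    """Split an X-Forwarded-For value "client, proxy1, proxy2" into its hops."""
    return [h.strip() for h in (xff_header or "").split(",") if h.strip()]


def declared_origin(peer_ip: str, xff_header: Optional[str]) -> str:
    """The page's 'real IP address': the leftmost valid entry of the XFF chain.

    This entry is written by the party farthest from us (the agent, or the
    client itself), so it is attacker-controllable. Falls back to the TCP peer.
    """
    for hop in parse_xff(xff_header):
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            continue  # e.g. "unknown"; skip entries that are not addresses
    return peer_ip


def accountable_ip(peer_ip: str, xff_header: Optional[str],
                   trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """The nearest hop we cannot vouch for: walk the chain from the right,
    skipping our own proxies, and stop at the first address that is not ours.
    If the peer itself is untrusted, its XFF header is ignored entirely.
    A malformed entry ends the walk and we fall back to the peer address.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    hops = parse_xff(xff_header) + [peer_ip]  # the TCP peer is the implicit last hop
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_ip  # every hop was one of our own proxies


@dataclass(frozen=True)
class Thresholds:
    per_source_connections: int   # "first threshold"
    concurrent_connections: int   # "second threshold"
    cpu_percent: float            # "third threshold"
    memory_percent: float         # "fourth threshold"


def evaluate_trigger(requests: list, cpu_percent: float, memory_percent: float,
                     th: Thresholds, require_all: bool = True,
                     source_of: Callable[[str, Optional[str]], str] = declared_origin) -> str:
    """Steps S110-S140 on the server side.

    `requests` are the currently open request messages, each a dict with the
    TCP peer ("peer") and the raw XFF header value ("xff"). Returns "start"
    (S130: first notification, firewall should start real-IP detection) when
    the set triggering condition holds and "stop" (S140) otherwise. The Fig. 4
    walk-through requires all four conditions; require_all=False gives the
    "one or more" variant. `source_of` selects which reading of the real IP
    address the per-source count is keyed on.
    """
    per_source = Counter(source_of(r["peer"], r.get("xff")) for r in requests)
    checks = (
        max(per_source.values(), default=0) > th.per_source_connections,
        len(requests) > th.concurrent_connections,
        cpu_percent > th.cpu_percent,
        memory_percent > th.memory_percent,
    )
    triggered = all(checks) if require_all else any(checks)
    return "start" if triggered else "stop"


# Constructed sample: six connections through our proxy 10.0.0.5, each relayed by
# a different agent (192.0.2.x) but all declaring the same origin 203.0.113.9.
SAMPLE_REQUESTS = [{"peer": "10.0.0.5", "xff": f"203.0.113.9, 192.0.2.{i}"}
                   for i in range(1, 7)]
SAMPLE_THRESHOLDS = Thresholds(per_source_connections=2, concurrent_connections=5,
                               cpu_percent=80.0, memory_percent=80.0)

if __name__ == "__main__":
    print(evaluate_trigger(SAMPLE_REQUESTS, 90.0, 85.0, SAMPLE_THRESHOLDS))
    # Keyed on the accountable hop instead, the six agents look like six sources.
    print(evaluate_trigger(SAMPLE_REQUESTS, 90.0, 85.0, SAMPLE_THRESHOLDS,
                           source_of=accountable_ip))
```

With the sample data the page's reading reports "start" (six connections declare one origin, load is high), while keying on the accountable hop reports "stop", because each agent is a distinct untrusted hop. Which key to count on is a deployment decision: the declared origin matches the patent's intent against agents that forward honestly, the accountable hop is the one the server can actually hold responsible.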
Based on the application scenario shown in fig. 2, the attack processing method in this embodiment further includes the following steps performed by a firewall capable of communicating with the server: in response to a first notification message sent by the server, starting detection of the real IP address of the request end that sent a request message, according to that message; and in response to a second notification message sent by the server, stopping that detection, according to that message.
The first notification message is sent by the server when the related data for identifying an attack meet the set triggering condition, and the second when they do not. The firewall therefore starts detecting the real IP address of the request end that sent the request message once the server has judged that the triggering condition is met, and stops when the server has judged that it is not, so the network server is protected from attack, the adverse effect on firewall performance is reduced, and the firewall's work is made more reasonable.
In this embodiment, when the request message is an HTTP/HTTPS request, the firewall starts detection of the real IP address of the request end by detecting the X-Forward-For field of the request message sent by the request end to obtain its source IP address; this source IP address is the real IP address of the request end that sent the request message (for example, the IP address of the attack source in fig. 2).
Once detection has been started and the source IP address of each received request message has been obtained, the firewall judges whether the set information for request messages from the same source IP address exceeds a set threshold and, if so, applies anti-attack processing to request messages from that source IP address. The set information can be chosen flexibly and may include, for example, at least one of the number of concurrent connections carrying request messages from the same source IP address, the number of newly created request messages from the same source IP address, and the bandwidth occupied by request messages from the same source IP address.
There are various ways to apply anti-attack processing to request messages from a source IP address, for example any one of, or a combination of two or more of, discarding the request messages, redirecting them, and raising an alarm.
To more clearly illustrate the overall implementation principle of the embodiment of the present invention, the scenario shown in fig. 2 is taken as an example for illustration.
In the embodiment, the network Server is used as an HTTP Server, the request end For sending the request message is an HTTP request end, the firewall starts attack processing by starting X-Forward-For detection, and closes attack processing by closing X-Forward-For detection. The firewall and the HTTP Server form an Agent and Server or a Client and Server linkage relationship for explanation. Then, the overall flow of the attack processing method is as follows.
Referring to fig. 4, the firewall and the HTTP Server are configured respectively, specifically as follows.
The firewall configuration is configured under the condition that an X-Forward-For detection function is started, if the number of concurrent connections of request messages from the same source IP address exceeds a first set threshold, the newly-established number of the request messages from the same source IP address exceeds a second set threshold or the bandwidth occupied by the request messages from the same source IP address exceeds a third threshold, the request messages from the source IP address are discarded.
The HTTP Server is configured with a trigger condition, and if the number of connections of request messages from the same source IP address exceeds a first threshold, the number of concurrent connections of the request messages exceeds a second threshold, the CPU utilization of the HTTP Server exceeds a third threshold, and the memory utilization of the HTTP Server exceeds a fourth threshold, it is determined that the trigger condition is satisfied (one or more of the above conditions are satisfied, and this embodiment is described by taking an example that all four conditions need to be satisfied, and the trigger condition is satisfied), or it is determined that the trigger condition is not satisfied. When the HTTP Server judges that the triggering condition is met, the HTTP Server sends a first notification message For starting X-Forward-For detection (detecting the real IP address of a request end For sending a request message) to the firewall so as to avoid that the HTTP Server is involved in DDOS attack. And when the HTTP Server judges that the triggering condition is not met (no attack occurs or attack weakening occurs), the HTTP Server sends a second notification message For closing the X-Forward-For detection to the firewall so as to reduce the resource consumption of the firewall and ensure the performance of the firewall.
Under this configuration, the HTTP server obtains a request message sent by a request end (for example one forwarded by the firewall), identifies the source IP address of the request message and judges whether the number of connections from the same source IP address exceeds the first threshold; obtains the number of concurrent connections on the server and judges whether it exceeds the second threshold; obtains the CPU utilization of the server and judges whether it exceeds the third threshold; and obtains the memory utilization of the server and judges whether it exceeds the fourth threshold. When all four thresholds are exceeded, the trigger condition is satisfied and the first notification message is sent to the firewall; otherwise the trigger condition is not satisfied and the second notification message is sent to the firewall.
On receiving the first notification message, the firewall checks whether the X-Forward-For detection function is already enabled. If it is not, the firewall enables it according to the first notification message, so as to detect the real IP address of the request end sending the request message; if it already is, no processing is performed.
On receiving the second notification message, the firewall checks whether the X-Forward-For detection function is already disabled. If it is not, the firewall disables it according to the second notification message; if it already is, no processing is performed.
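The server-side trigger evaluation and the firewall's idempotent handling of the two notifications, as an added worked example that is not the patent's code. The threshold values, the message names `XFF_DETECT_ON` / `XFF_DETECT_OFF` and the sample load figures are assumptions made for illustration; the `require_all` switch reflects the patent's remark that one or more of the four checks may be required, with all four being the case described in the text.

```python
"""Server-side trigger evaluation plus the firewall's notification handling.

Added example (not the patent's code).  Thresholds, message names and the
sample observations below are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Thresholds:
    per_source_connections: int  # first threshold: connections from one source IP
    concurrent_connections: int  # second threshold: all open connections on the server
    cpu_percent: float           # third threshold
    mem_percent: float           # fourth threshold


@dataclass(frozen=True)
class ServerSample:
    """One observation of the HTTP server: the source IP the server attributed
    to each open connection, plus CPU and memory utilisation."""
    connection_sources: Tuple[str, ...]
    cpu_percent: float
    mem_percent: float


def evaluate_conditions(sample: ServerSample, th: Thresholds) -> Tuple[bool, bool, bool, bool]:
    """The four checks of the trigger condition, in the patent's order."""
    per_source = Counter(sample.connection_sources)
    busiest = max(per_source.values(), default=0)
    return (
        busiest > th.per_source_connections,
        len(sample.connection_sources) > th.concurrent_connections,
        sample.cpu_percent > th.cpu_percent,
        sample.mem_percent > th.mem_percent,
    )


def trigger_satisfied(sample: ServerSample, th: Thresholds, require_all: bool = True) -> bool:
    """All four checks (the described embodiment) or any one of them."""
    checks = evaluate_conditions(sample, th)
    return all(checks) if require_all else any(checks)


# Hypothetical wire names for the first and second notification messages.
ENABLE_XFF_DETECTION = "XFF_DETECT_ON"
DISABLE_XFF_DETECTION = "XFF_DETECT_OFF"


def notification_for(sample: ServerSample, th: Thresholds, require_all: bool = True) -> str:
    """Which notification the server sends to the firewall for this sample."""
    if trigger_satisfied(sample, th, require_all):
        return ENABLE_XFF_DETECTION
    return DISABLE_XFF_DETECTION


class FirewallXffControl:
    """Firewall side: a notification is acted on only if it changes the state."""

    def __init__(self) -> None:
        self.enabled = False
        self.transitions = 0

    def handle(self, message: str) -> bool:
        """Return True if the detection state changed, False if nothing was done."""
        if message not in (ENABLE_XFF_DETECTION, DISABLE_XFF_DETECTION):
            raise ValueError(f"unknown notification: {message!r}")
        want = message == ENABLE_XFF_DETECTION
        if want == self.enabled:
            return False  # already in the requested state: no processing
        self.enabled = want
        self.transitions += 1
        return True


def run_linkage(samples: Sequence[ServerSample], th: Thresholds,
                require_all: bool = True) -> List[Tuple[str, bool]]:
    """Feed a sequence of server observations through the server/firewall linkage."""
    fw = FirewallXffControl()
    return [(msg, fw.handle(msg))
            for msg in (notification_for(s, th, require_all) for s in samples)]


# Constructed sample data, not measurements from the patent.
THRESHOLDS = Thresholds(per_source_connections=50, concurrent_connections=1000,
                        cpu_percent=80.0, mem_percent=75.0)


def _sample(sources_and_counts, cpu: float, mem: float) -> ServerSample:
    sources = tuple(ip for ip, n in sources_and_counts for _ in range(n))
    return ServerSample(sources, cpu, mem)


QUIET = _sample([("198.51.100.7", 20), ("203.0.113.9", 15)], cpu=30.0, mem=40.0)
ATTACK = _sample([("198.51.100.7", 20), ("203.0.113.9", 15), ("192.0.2.66", 1200)],
                 cpu=95.0, mem=90.0)
SUBSIDING = _sample([("198.51.100.7", 20), ("192.0.2.66", 60)], cpu=50.0, mem=45.0)

SAMPLE_TRACE = run_linkage([QUIET, ATTACK, ATTACK, SUBSIDING, QUIET], THRESHOLDS)
```

With all four checks required, the `SUBSIDING` sample (one source still above its per-source limit, but CPU and memory back to normal) already produces the second notification, so detection is switched off while that source is still busy; with `require_all=False` the same sample keeps detection on. Which combination to require is therefore a deployment decision, not a detail.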
Through the linkage of the firewall and the HTTP server, this embodiment controls when the X-Forward-For detection function on the firewall is enabled and disabled. It avoids both failure modes of a static setting: detection left on permanently, which consumes firewall resources and degrades firewall performance, and detection left off, which leaves the HTTP server exposed to attack. Attack processing is thus achieved while the adverse effect on firewall performance is reduced.
The foregoing is only one exemplary scenario; the embodiment may also be applied elsewhere. For example, referring to fig. 5, to relieve the HTTP server and the firewall of the traffic-analysis burden, the data traffic may be mirrored to a mirror analyzer, which then acts as the server that determines whether the set trigger condition is satisfied and notifies the firewall to enable or disable X-Forward-For detection, reducing the resource consumption of the HTTP server. The applicable scenarios are not limited to these examples; other scenarios are possible and are not enumerated here.
Referring to fig. 6, to carry out the steps of the foregoing embodiment and its variants, an attack processing apparatus is provided that may be applied on the server side; fig. 6 is a functional block diagram of this apparatus according to an embodiment of the invention. Its basic principle and technical effect are the same as those of the method embodiment applied to the server, so for brevity any point not covered here may be found in the corresponding part of the method embodiment above. The attack processing apparatus includes a data acquisition module 141 and an attack processing module 142.
The data acquisition module 141 is configured to obtain a request message sent by a request end and to obtain the related data used to identify an attack.
The attack processing module 142 is configured to judge whether the related data satisfies the set trigger condition; if it does, to notify the firewall to start detecting the real IP address of the request end sending the request message, and if it does not, to notify the firewall to stop that detection.
In one implementation, the data acquisition module 141 obtains the related data by one or more of: identifying the source IP address of the request message, obtaining the number of concurrent connections on the server, obtaining the CPU utilization of the server, and obtaining the memory utilization of the server. The attack processing module 142 judges whether the related data satisfies the set trigger condition by one or more of: judging whether the number of connections from the same source IP address exceeds a first threshold, whether the number of concurrent connections exceeds a second threshold, whether the CPU utilization of the server exceeds a third threshold, and whether the memory utilization of the server exceeds a fourth threshold.
In one implementation, the data acquisition module 141 obtains the source IP address of the request message by inspecting its X-Forward-For field.
An embodiment of the invention further provides an attack processing apparatus applicable to the firewall. Its basic principle and technical effect are the same as those of the method embodiment applied to the firewall, so for brevity any point not covered here may be found in the corresponding part of that method embodiment. The apparatus includes a message response module (not shown in the figures) configured to respond to a first notification message from the server by starting detection of the real IP address of the request end sending the request message, and to respond to a second notification message from the server by stopping that detection.
In one implementation, the message response module starts detection of the real IP address as follows: it inspects the X-Forward-For field of the request message sent by the request end to obtain the source IP address of the request message, judges whether the set information for request messages from the same source IP address exceeds a set threshold, and if so applies anti-attack processing to request messages from that source IP address. The set information includes at least one of the number of concurrent connections from the same source IP address, the number of newly established connections from the same source IP address, and the bandwidth occupied by request messages from the same source IP address.
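The firewall-side detection just described, and the firewall configuration given earlier for the exemplary scenario, as one added worked example that is not the patent's or H3C's code. One caveat the patent text does not spell out matters in practice: the X-Forwarded-For header is written by whoever sends the request, so the "real IP address" it reports can only be believed for hops appended by proxies the operator controls. If the firewall took the leftmost value at face value, an attacker could forge it to spread a flood across invented addresses and evade the per-source thresholds, or to have an innocent address discarded. The example therefore ignores the header unless the TCP peer is a trusted proxy and, when it is, walks the list from the right past the operator's own proxies. The trusted proxy address, limits, window length and the constructed traffic are assumptions.

```python
"""Firewall-side X-Forwarded-For detection with the patent's three per-source
thresholds (concurrent connections, new connections, bandwidth).

Added example, not the patent's code.  Trusted proxies, limits and traffic
are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def client_ip_from_xff(peer_ip: str, xff: Optional[str], trusted_proxies: Set[str]) -> str:
    """Pick the source IP to apply thresholds to.

    Only hops appended by our own proxies can be trusted.  If the TCP peer is
    not one of them the header is ignored.  Otherwise walk the list from the
    right, skip our proxies, and take the first address that is not ours; a
    malformed entry falls back to the peer rather than to an attacker string.
    """
    if peer_ip not in trusted_proxies or not xff:
        return peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if hop not in trusted_proxies:
            return hop
    return peer_ip  # every hop was one of our proxies


@dataclass(frozen=True)
class SourceLimits:
    max_concurrent: int        # first set threshold
    max_new_per_window: int    # second set threshold
    max_bytes_per_window: int  # third set threshold
    window_seconds: float


@dataclass
class SourceState:
    open_conns: Set[str] = field(default_factory=set)
    new_conn_times: List[float] = field(default_factory=list)
    bytes_seen: List[Tuple[float, int]] = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    """One request as the firewall sees it (constructed records)."""
    ts: float
    conn_id: str
    peer_ip: str
    xff: Optional[str]
    size: int


class XffDetector:
    """A firewall with X-Forward-For detection enabled."""

    def __init__(self, limits: SourceLimits, trusted_proxies: Set[str]) -> None:
        self.limits = limits
        self.trusted = set(trusted_proxies)
        self.state: Dict[str, SourceState] = defaultdict(SourceState)
        self.blocked: Set[str] = set()

    def process(self, req: Request) -> str:
        """Return 'forward' or 'drop' for one request."""
        src = client_ip_from_xff(req.peer_ip, req.xff, self.trusted)
        if src in self.blocked:
            return "drop"
        st = self.state[src]
        cutoff = req.ts - self.limits.window_seconds
        st.new_conn_times = [t for t in st.new_conn_times if t > cutoff]
        st.bytes_seen = [(t, n) for t, n in st.bytes_seen if t > cutoff]
        if req.conn_id not in st.open_conns:
            st.open_conns.add(req.conn_id)
            st.new_conn_times.append(req.ts)
        st.bytes_seen.append((req.ts, req.size))
        lim = self.limits
        if (len(st.open_conns) > lim.max_concurrent
                or len(st.new_conn_times) > lim.max_new_per_window
                or sum(n for _, n in st.bytes_seen) > lim.max_bytes_per_window):
            self.blocked.add(src)  # anti-attack processing: discard this source
            return "drop"
        return "forward"

    def connection_closed(self, src_ip: str, conn_id: str) -> None:
        self.state[src_ip].open_conns.discard(conn_id)


TRUSTED_PROXIES = {"10.0.0.5"}
LIMITS = SourceLimits(max_concurrent=100, max_new_per_window=50,
                      max_bytes_per_window=1_000_000, window_seconds=10.0)


def simulate_connection_flood() -> Tuple[int, int, Set[str]]:
    """60 new connections in 6 s from 203.0.113.9 via the trusted proxy, each
    with a forged leftmost XFF entry naming an innocent host."""
    fw = XffDetector(LIMITS, TRUSTED_PROXIES)
    verdicts = [fw.process(Request(ts=0.1 * i, conn_id=f"c{i}", peer_ip="10.0.0.5",
                                   xff="198.51.100.7, 203.0.113.9", size=500))
                for i in range(60)]
    return verdicts.count("forward"), verdicts.count("drop"), set(fw.blocked)


def simulate_bandwidth() -> List[str]:
    """Three large requests on one connection from a direct, non-proxy peer
    that forges XFF; the header is ignored and the peer itself is limited."""
    fw = XffDetector(LIMITS, TRUSTED_PROXIES)
    return [fw.process(Request(ts=1.0 * i, conn_id="k1", peer_ip="192.0.2.66",
                               xff="198.51.100.7", size=400_000))
            for i in range(3)]
```

In the flood scenario the forged `198.51.100.7` never enters the blocked set: the firewall attributes every request to `203.0.113.9`, the address the trusted proxy appended, and discards that source once its 51st connection arrives inside the window. Bandwidth is accounted per source rather than per connection, so a single long-lived connection trips the third threshold just as a flood of short ones trips the second.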
On this basis, referring to fig. 7, an embodiment of the invention further provides an electronic device 100, which may be the firewall or the server. The electronic device 100 includes a memory 110, a processor 120 and a communication module 130, electrically connected to one another directly or indirectly, for example over one or more communication buses or signal lines, so that data can be transferred between them.
The memory 110 stores programs or data and may be, without limitation, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM) or Electrically Erasable Programmable Read-Only Memory (EEPROM).
The processor 120 reads and writes the data or programs stored in the memory 110 and executes the corresponding functions.
The communication module 130 establishes a communication connection between the electronic device 100 and other communication terminals over the network and sends and receives data over it.
It should be understood that fig. 7 is only a schematic structural diagram of the electronic device 100; the device may include more or fewer components than shown, or a different configuration. The components shown in fig. 7 may be implemented in hardware, software or a combination of the two.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method according to any one of the foregoing embodiments.
In the attack processing scheme of the embodiments, the server side obtains the request message sent by the request end and the related data for identifying an attack, judges whether that data satisfies the set trigger condition, notifies the firewall to start detecting the real IP address of the request end sending the request message when the condition is satisfied, and notifies the firewall to stop that detection when it is not. Attack processing is thereby achieved while the adverse effect on firewall performance is reduced.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented as software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. An attack processing method applied to a server capable of communicating with a firewall, the method comprising:
acquiring a request message sent by a request end, and acquiring related data for identifying an attack;
judging whether the related data meet a set triggering condition;
if the set triggering condition is met, informing the firewall to start the detection of the real IP address of the request end sending the request message; and if the set triggering condition is not met, informing the firewall to stop detecting the real IP address of the request end sending the request message.
2. The attack processing method according to claim 1, wherein the obtaining of the relevant data for identifying the attack and the determining whether the relevant data satisfy a set trigger condition include one or more of the following:
identifying a source IP address of a request message, and judging whether the connection number of the request messages from the same source IP address exceeds a first threshold value;
acquiring the number of concurrent connections of the request message on the server, and judging whether the number of concurrent connections exceeds a second threshold value;
acquiring the CPU utilization rate of the server, and judging whether the CPU utilization rate of the server exceeds a third threshold value;
and acquiring the memory utilization rate of the server, and judging whether the memory utilization rate of the server exceeds a fourth threshold value.
3. The attack processing method according to claim 2, wherein the obtaining of the relevant data for identifying the attack comprises: detecting the X-Forward-For field of the request message to obtain the source IP address of the request message.
4. An attack processing method applied to a firewall capable of communicating with a server side, the method comprising:
responding to a first notification message sent by the server, and starting detection of a real IP address of a request end sending a request message according to the first notification message;
and responding to a second notification message sent by the server, and closing the detection of the real IP address of the request end sending the request message according to the second notification message.
5. The attack processing method according to claim 4, wherein the initiating detection of the real IP address of the request side sending the request packet comprises:
detecting an X-Forward-For field of a request message sent by the request end to obtain a source IP address of the request message;
judging whether the set information of the request messages from the same source IP address exceeds a set threshold value or not, and if so, carrying out anti-attack processing on the request messages from the source IP address;
the setting information comprises at least one of the number of concurrent connections of the request messages from the same source IP address, the newly-created number of the request messages from the same source IP address and the bandwidth occupied by the request messages from the same source IP address.
6. An attack processing apparatus applied to a server capable of communicating with a firewall, the attack processing apparatus comprising:
the data acquisition module is used for acquiring a request message sent by a request end and acquiring related data for identifying attacks;
the attack processing module is used for judging whether the related data meets a set triggering condition or not, and if the related data meets the set triggering condition, informing the firewall to start the detection of the real IP address of the request end for sending the request message; and if the set triggering condition is not met, informing the firewall to stop detecting the real IP address of the request end sending the request message.
7. The attack processing apparatus according to claim 6, wherein the data obtaining module is configured to obtain the relevant data for identifying the attack by one or more of identifying a source IP address of the request message, obtaining a number of concurrent connections of the request messages on the server, obtaining a CPU utilization of the server, and obtaining a memory utilization of the server;
the attack processing module is used for judging whether the related data meet the set triggering condition by one or more of judging whether the connection number of request messages from the same source IP address exceeds a first threshold value, judging whether the concurrent connection number exceeds a second threshold value, judging whether the CPU utilization rate of the server exceeds a third threshold value and judging whether the memory utilization rate of the server exceeds a fourth threshold value.
8. The attack processing apparatus according to claim 7, wherein the data obtaining module is configured to detect an X-Forward-For field of the request message to obtain the source IP address of the request message.
9. An attack processing apparatus applied to a firewall capable of communicating with a server, the attack processing apparatus comprising:
the message response module is used for responding to a first notification message sent by the server and starting the detection of the real IP address of the request end sending the request message according to the first notification message; and responding to a second notification message sent by the server, and closing the detection of the real IP address of the request end sending the request message according to the second notification message.
10. The attack processing apparatus according to claim 9, wherein the message response module is configured to initiate detection of the real IP address of the request end that sends the request message by:
detecting an X-Forward-For field of a request message sent by the request end to obtain a source IP address of the request message;
judging whether the set information of the request messages from the same source IP address exceeds a set threshold value or not, and if so, carrying out anti-attack processing on the request messages from the source IP address;
the setting information comprises at least one of the number of concurrent connections of the request messages from the same source IP address, the newly-created number of the request messages from the same source IP address and the bandwidth occupied by the request messages from the same source IP address.
11. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the method of any one of claims 1 to 5.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 5.
CN201911002129.5A 2019-10-21 2019-10-21 Attack processing method and device, electronic equipment and computer readable storage medium Pending CN110830453A (en)

Publications (1)

Publication Number Publication Date
CN110830453A true CN110830453A (en) 2020-02-21

Family

ID=69550094

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015721A1 (en) * 2002-07-22 2004-01-22 General Instrument Corporation Denial of service defense by proxy
CN103916387A (en) * 2014-03-18 2014-07-09 汉柏科技有限公司 DDOS attack protection method and system
CN105812318A (en) * 2014-12-30 2016-07-27 中国电信股份有限公司 Method, controller and system for preventing attack in network
CN105959313A (en) * 2016-06-29 2016-09-21 杭州迪普科技有限公司 Method and device for preventing HTTP proxy attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200221