
CN108400955B - Network attack protection method and system - Google Patents


Info

Publication number
CN108400955B (application CN201710067267.6A)
Authority
CN
China
Prior art keywords
client
information
address information
network request
address
Prior art date
Legal status
Active
Application number
CN201710067267.6A
Other languages
Chinese (zh)
Other versions
CN108400955A (en)
Inventor
金帅
张浩浩
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201710067267.6A
Publication of CN108400955A
Application granted
Publication of CN108400955B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention disclose a method and a system for protecting against network attacks, applied in the field of information processing. In the method, a network attack protection device parses a client's network request, forwarded by a proxy machine, to obtain the client's address information, computes first verification information from that address information, and uses the first verification information to build a trust list keyed on the client's address information. During protection against a network attack, whether a client is a normal client can then be decided directly from the address information of the client that initiated the request and the trust list. Compared with the prior-art trust list based on source IP information, this prevents requests from zombie hosts ("broiler chickens") from being passed through to the server because the proxy machine's IP information hits the trust list when a proxy machine is deployed in the system.

Description

Network attack protection method and system
Technical Field
The present invention relates to the field of information processing technologies, and in particular, to a method and a system for protecting against network attacks.
Background
An attacker uses proxy servers or zombie hosts ("broiler chickens") to generate seemingly legitimate requests aimed at a victim host, thereby carrying out Distributed Denial of Service (DDoS) and Challenge Collapsar (CC, literally "challenge black hole") attacks under cover of normal traffic. Here, a broiler chicken, also called a puppet machine, is a machine that a hacker can control remotely: for example, the user was induced to click on a "Grey Pigeon" trojan or the like, the computer was broken into by the hacker, or a trojan was planted through a vulnerability in the user's computer; the hacker can then manipulate it at will and use it for anything.
In the prior art, a CC protection device is deployed in the network. When it detects that the server is under CC attack, it parses the network requests sent by clients, extracts the network-layer source Internet Protocol (IP) information, performs a computation on the source IP information to obtain verification information, and then derives a trust list based on the source IP information from that verification information. During protection, if the network-layer source IP information in a client's network request is not in the trust list, that client is a zombie host. However, when a proxy machine is deployed in the network, this existing protection method lets a large number of network requests sent by zombie hosts reach the server, because they hit the trust list.
Disclosure of Invention
Embodiments of the invention provide a method and a system for protecting against network attacks in which the trust list is determined from the client's address information carried in the network request the client initiated.
An embodiment provides a network attack protection method comprising the following steps:
obtaining a network request of a client forwarded by at least one level of proxy machine, and parsing the network request to obtain address information of the client;
calculating first check information from the address information of the client; and
if the network request further includes second check information that is consistent with the first check information, adding the address information of the client to a trust list and forwarding the network request to a server.
An embodiment provides a network attack protection system comprising:
a first address obtaining unit, configured to obtain a network request of a client forwarded by at least one level of proxy machine and parse the network request to obtain address information of the client;
a check calculation unit, configured to calculate first check information from the address information of the client; and
a first processing unit, configured to add the address information of the client to a trust list and forward the network request to a server if the network request further includes second check information that is consistent with the first check information.
It can be seen that in the method of this embodiment the network attack protection device parses the client's network request forwarded by the proxy machine to obtain the client's address information, calculates first check information from that address information, and uses the first check information to build a trust list keyed on the client's address information. During protection against a network attack, whether a client is a normal client can therefore be decided directly from the address information of the client that initiated the request and the trust list. Compared with the prior-art trust list based on source IP information, this prevents zombie-host requests from being passed through to the server because the proxy machine's IP information hits the trust list when a proxy machine is deployed in the system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a system to which a method for protecting against network attacks is applied according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for protecting against network attacks according to an embodiment of the present invention;
Fig. 3 is a flowchart of another method for protecting against network attacks according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a method for protecting against network attacks according to an application embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network attack protection system according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another network attack protection system according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
An embodiment of the present invention provides a method for protecting against a network attack, which may mainly be applied to the system shown in Fig. 1. The system includes a client, at least one level of proxy machine (Fig. 1 illustrates multiple levels as an example), a network attack protection device, and a server. The client mainly initiates network requests to the server, such as HyperText Transfer Protocol (HTTP) requests; the proxy machine mainly forwards the network requests initiated by the client; and the network attack protection device mainly determines, from the client's network request, whether the client is a zombie host, so as to protect the server from network attacks such as CC attacks.
The method of this embodiment is executed by the network attack protection device in Fig. 1; its flowchart is shown in Fig. 2, and it includes:
Step 101: obtain a network request of a client forwarded by at least one level of proxy machine, and parse the network request to obtain address information of the client.
A user may operate the client so that it initiates a network request, such as an HTTP request; the network attack protection device obtains the request forwarded by the at least one level of proxy machine and parses it to obtain the client's address information.
When the network request passes through any level of proxy machine, that proxy machine copies the content of the source device address field in the request's message header (the address of the network node that sent the request to the proxy) into a specific field of the request's message body, namely the forwarding (X-Forwarded-For) field of an HTTP request, writes its own address information into the source device address field of the message header, and forwards the request to the next network node. If there are multiple proxy machines in the system, the protection device obtains the request forwarded by the last proxy machine, so the specific field (the forwarding field) contains the address information of the network nodes the request has passed through, including the client and the proxy machines; in step 101 the protection device therefore parses the content of that field and takes the first item of the forwarding field as the client's address information. If there is only one level of proxy machine, the protection device obtains the request forwarded by that proxy machine, parses the forwarding field in step 101, and uses its content directly as the client's address information.
If no proxy machine is deployed in the system, the specific field (the forwarding field) of the network message is empty, and the source device address field in the message header contains the client's address information.
The method of this embodiment may be started when the network attack protection device detects that the server is under CC attack, or it may run at any time during communication between the client and the server.
Step 102: calculate first check information from the client's address information. Specifically, the network attack protection device may form an information group from the client's address information together with other information, such as the address information of the destination device, and hash that information group to obtain the first check information.
Step 103: if the network request further includes second check information and the second check information is consistent with the first check information, the client is a normal client; add the client's address information to the trust list and forward the network request to the server. If the network request does not include second check information, or the second check information is inconsistent with the first check information, return the first check information to the client so that the client can initiate a network request carrying it.
The second check information is check information that the protection device calculated from the client's address information when the client initiated its first network request, and returned to the client during that first request. A normal client therefore re-initiates the network request carrying the second check information, whereas a zombie host does not parse the second check information returned by the protection device, so the request it re-initiates does not carry it.
Once the protection device has built the trust list, if a client on the list initiates a network request again, the device can confirm directly from the trust list that the client is a normal client and forward the new request to the server.
It can be seen that in the method of this embodiment the network attack protection device parses the client's network request forwarded by the proxy machine to obtain the client's address information, calculates first check information from that address information, and uses the first check information to build a trust list keyed on the client's address information. During protection against a network attack, whether a client is a normal client can therefore be decided directly from the address information of the client that initiated the request and the trust list. Compared with the prior-art trust list based on source IP information, this prevents zombie-host requests from being passed through to the server because the proxy machine's IP information hits the trust list when a proxy machine is deployed in the system.
Referring to Fig. 3, in a specific embodiment, after step 101 the network attack protection device may perform step 104:
Step 104: match the client's address information against the locally stored trust list. If it matches, the client that initiated the request is a normal client; perform step 105. If it does not match, perform steps 102 and 103, that is, calculate the first check information from the client's address information and use it to decide whether the client is a normal client, so that the client can be added to the trust list.
Step 105: forward the network request to the server.
In another specific embodiment, before step 102 the protection device may additionally parse the network request to obtain the address information of the at least one level of proxy machine, so that in step 102 the first check information is calculated from the client's address information and the proxy machines' address information. In that case, when the protection device adds the client's address information in step 103, it may also add the address information of the at least one level of proxy machine to the trust list together with the client's address information.
Specifically, to obtain the proxy machines' address information, the protection device may parse the forwarding field of the network request and use the items other than the first directly as the proxy machines' address information; or it may parse both the forwarding field and the source device address field of the message header, and use the items of the forwarding field other than the first together with the content of the source device address field as the proxy machines' address information. In both cases the first item of the forwarding field is the client's address information.
In another specific embodiment, to prevent a hacker from capturing and forging the check information, the protection device includes an update parameter value, refreshed according to a preset period (for example, half an hour), when it generates the second check information for the client's first network request, so that the second check information is valid only for a limited time.
Accordingly, when the protection device calculates the first check information in step 102, it calculates it from the client's address information and the update parameter value for the current period: the client's address information, the periodically refreshed parameter value and the other information form the information group, and that group is hashed to obtain the first check information. If the time between the client receiving the second check information and re-sending the request exceeds the preset period, the update parameter value has changed, so the first check information calculated by the protection device no longer matches the second check information in the request, and the first check information must be returned to the client again so that the client initiates a request carrying it within the preset period.
The update parameter value may be the value of any parameter, as long as that value is refreshed according to the preset period.
The method of this embodiment is mainly applied to the system of Fig. 1. It is described below for one and two levels of proxy machine, with the client's network request being an HTTP request and the address information of the client and proxy machines being their IP information. In this embodiment:
(1) Where one level of proxy machine is deployed in the system of Fig. 1, the flowchart of the network attack protection method is shown in Fig. 4 and includes:
Step 201: when the client initiates an HTTP request, it writes its own IP information into the source device address field of the request's message header and sends the request to the proxy machine. The proxy machine moves the client's IP information from the message header into the X-Forwarded-For field of the HTTP request's message body, writes its own IP information into the source device address field of the message header, and forwards the HTTP request.
Step 202: the protection device obtains the HTTP request forwarded by the proxy machine and parses the X-Forwarded-For field to obtain the client's IP information. If the client's IP information hits the trust list stored by the protection device, the client is a normal client and the HTTP request is forwarded to the server; otherwise step 203 is performed.
Step 203: the protection device forms an information group from the client's IP information and other information (for example, the destination device's IP information), computes a 32-bit hash value over the information group with a Cyclic Redundancy Check (CRC) algorithm, and uses that hash value as the first check information.
Step 204: the protection device parses the Cookie field of the HTTP request forwarded by the proxy machine. If the field contains second check information consistent with the first check information, the client's IP information is added to the trust list and the HTTP request is forwarded to the server. If the field contains no second check information, or the second check information is inconsistent with the first check information, step 205 is performed.
Step 205: the protection device returns the first check information to the client; specifically, it may be encapsulated in a JavaScript program and returned to the client through the proxy machine.
Step 206: a normal client executes the JavaScript program, extracts the first check information, places it in the Cookie field of the network request, and re-initiates the request. When the protection device receives the re-initiated request, it processes it according to steps 201 to 204.
A zombie host does not execute the JavaScript program but simply re-initiates the request without any check information, so when the protection device receives it, processing follows steps 201 to 203 and step 205.
Further, in other specific embodiments, when performing step 203 the protection device additionally parses the source device address field of the message header in the HTTP request, whose content is the proxy machine's IP information, forms the information group from the proxy machine's IP information, the client's IP information and the other information, and calculates the first check information over that group.
Also, when the protection device calculates the first check information in step 203, it may calculate it from the client's IP information, the update parameter value refreshed in the preset period, and the other information.
(2) Where two levels of proxy machine are deployed in the system of Fig. 1, the method executed by the protection device is similar to the one-level case, except that after the first-level proxy machine forwards the HTTP request, the second-level proxy machine receives it, moves the first-level proxy machine's IP information from the message header into the X-Forwarded-For field of the message body (so that the X-Forwarded-For field now contains the IP information of both the client and the first-level proxy machine), writes its own IP information into the source device address field of the message header, and forwards the HTTP request. After the protection device obtains the HTTP request forwarded by the second-level proxy machine, it parses the first item of the X-Forwarded-For field and uses it as the client's IP information.
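The one-level and two-level proxy cases above, together with the check computation of steps 102/203, the trust-list lookup of steps 104/202 and the periodically refreshed parameter of the earlier embodiment, as an added Python example; this is not code from the patent or from Tencent. The cookie name `cc_check`, the IP addresses, the `|`-joined information group, the hex rendering of the CRC32 value and the `period_value` function are all constructed here, since the patent fixes none of them. Each proxy level is modelled as moving the current source address into X-Forwarded-For and overwriting the source address with its own, and, as the text describes, the first X-Forwarded-For item is taken at face value as the client address, which only holds if the first proxy level is trusted to write that field itself rather than pass through a client-supplied value.

```python
import zlib
from dataclasses import dataclass, field

# Constructed values for this illustration; the patent names none of them.
COOKIE_NAME = "cc_check"      # assumed cookie key carrying the second check information
PERIOD_SECONDS = 30 * 60      # the "preset period" example given in the text: half an hour


@dataclass
class Request:
    """Minimal model of an HTTP request as seen by the protection device."""
    src_addr: str                                   # source device address field (last hop)
    xff: list = field(default_factory=list)         # X-Forwarded-For items, client first
    cookies: dict = field(default_factory=dict)     # Cookie field
    dst_addr: str = "203.0.113.10"                  # destination server address (constructed)


def forward_through_proxy(req, proxy_addr):
    """One proxy level: append the current source address to X-Forwarded-For and
    replace the source address with the proxy's own (step 201 and case (2))."""
    return Request(src_addr=proxy_addr, xff=req.xff + [req.src_addr],
                   cookies=dict(req.cookies), dst_addr=req.dst_addr)


def parse_addresses(req):
    """Step 101: the first X-Forwarded-For item is the client address; the remaining
    items plus the source address are the proxy chain. With no proxy deployed,
    X-Forwarded-For is empty and the source address itself is the client."""
    if not req.xff:
        return req.src_addr, []
    return req.xff[0], req.xff[1:] + [req.src_addr]


def period_value(now):
    """The update parameter: a value that changes once per preset period (assumed form)."""
    return int(now // PERIOD_SECONDS)


def compute_check(client, proxies, dst, now):
    """Steps 102 / 203: CRC32 over the information group (client address, proxy
    addresses, destination address, period value), rendered as a 32-bit hex value."""
    group = "|".join([client, *proxies, dst, str(period_value(now))]).encode()
    return f"{zlib.crc32(group):08x}"


class ProtectionDevice:
    """The network attack protection device of the text; the trust list is keyed on
    the client address, not on the proxy's source address."""

    def __init__(self):
        self.trust_list = set()

    def handle(self, req, now):
        """Return ("forward", check) or ("challenge", check) for one request."""
        client, proxies = parse_addresses(req)
        if client in self.trust_list:                               # steps 104 / 202
            return "forward", ""
        first = compute_check(client, proxies, req.dst_addr, now)   # step 203
        second = req.cookies.get(COOKIE_NAME)                        # step 204
        if second is not None and second == first:
            self.trust_list.add(client)
            return "forward", first
        return "challenge", first                                    # step 205


def _send(device, client_addr, proxies, cookies, now):
    """Build a request at the client and push it through each proxy level in order."""
    req = Request(src_addr=client_addr, cookies=cookies)
    for p in proxies:
        req = forward_through_proxy(req, p)
    return device.handle(req, now)


def normal_client_round_trip(device, client_addr, proxies, now):
    """Step 206, normal client: on a challenge, run the returned script (modelled as
    copying the check value into the cookie) and re-send the request."""
    verdict, check = _send(device, client_addr, proxies, {}, now)
    if verdict == "forward":
        return verdict
    verdict, _ = _send(device, client_addr, proxies, {COOKIE_NAME: check}, now)
    return verdict


def bot_round_trip(device, client_addr, proxies, now):
    """Step 206, zombie host: re-send without running the script, so no cookie."""
    _send(device, client_addr, proxies, {}, now)
    verdict, _ = _send(device, client_addr, proxies, {}, now)
    return verdict


if __name__ == "__main__":
    dev = ProtectionDevice()
    t0 = 1_700_000_000.0   # constructed "now"
    print(normal_client_round_trip(dev, "198.51.100.7", ["192.0.2.1"], t0))   # forward
    print(bot_round_trip(dev, "198.51.100.99", ["192.0.2.1"], t0))            # challenge
    print(sorted(dev.trust_list))
```

Running the module shows a normal client behind the proxy being forwarded on its second request and a zombie host behind the same proxy still being challenged, because the trust list is keyed on the client address rather than on the proxy's source address, which is the contrast with the prior art the text draws. CRC32 with no secret is used because that is what step 203 specifies; a keyed hash (HMAC) over the same information group would be the natural hardening, since without a secret anyone who knows the inputs can reproduce the value and the period parameter only limits how long it stays valid.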
An embodiment of the present invention further provides a system for protecting against network attacks, where a schematic structural diagram of the system is shown in fig. 5, and the system may specifically include:
a first address obtaining unit 10, configured to obtain a network request of a client forwarded by at least one level of proxy machine, and analyze the network request to obtain address information of the client;
the first address obtaining unit 10 is specifically configured to analyze content of a forwarding field of the network request, and use the content of the forwarding field as address information of the client, or use first content in the forwarding field as address information of the client.
And a verification calculation unit 11, configured to calculate first verification information according to the address information of the client acquired by the first address acquisition unit 10. The verification calculation unit 11 may be specifically configured to calculate the first verification information according to the address information of the client and the update parameter value updated according to a preset period.
The first processing unit 12 is configured to, if the network request further includes second check information, and the second check information is consistent with the first check information calculated by the check calculation unit 11, add the address information of the client to a trust list, and forward the network request to the server.
As can be seen, in the protection system for network attack of this embodiment, the first address obtaining unit 10 may analyze the network request of the client forwarded by the proxy machine to obtain the address information of the client, then the verification calculating unit 11 calculates the first verification information according to the address information of the client, and then the first processing unit 12 determines the trust list based on the address information of the client according to the first verification information. Therefore, in the protection process of network attack, whether the client is a normal client can be directly confirmed according to the address information of the client initiating the network request and the trust list, and compared with the trust list based on the source IP information in the prior art, the transparent transmission of the network request of the broiler chicken caused by the fact that the IP information of the proxy machine hits the trust list under the condition that the proxy machine is deployed in the system can be prevented.
Referring to fig. 6, in a specific embodiment, the system for protecting against network attacks may further include a second address obtaining unit 13 and a second processing unit 14, in addition to the structure shown in fig. 5, where:
The second address obtaining unit 13 is configured to parse the network request to obtain the address information of the at least one level of proxy machine. The verification calculation unit 11 then calculates the first check information from both the address information of the client obtained by the first address acquisition unit 10 and the address information of the at least one level of proxy machine obtained by the second address obtaining unit 13.
Specifically, the second address obtaining unit 13 either parses the content of the forwarding field of the network request and uses at least one item of that field other than the first item as the address information of the at least one level of proxy machine, or parses both the forwarding field of the network request and the source device address field in the message header and uses the items of the forwarding field other than the first item together with the content of the source device address field as the address information of the at least one level of proxy machine.
In this embodiment, the first processing unit 12 is further configured to match the address information of the client acquired by the first address acquiring unit 10 with a locally stored trust list, forward the network request to the server if the address information of the client matches the locally stored trust list, and notify the verification calculating unit 11 to calculate the first verification information if the address information of the client does not match the locally stored trust list.
The second processing unit 14 is configured to, if the network request does not include the second check information, or the second check information is inconsistent with the first check information, return the first check information to the client, so that the client initiates a network request carrying the first check information.
In this embodiment, after the first address obtaining unit 10 obtains the address information of the client, the first processing unit 12 matches it against the locally stored trust list, and only if the address information of the client is not matched is the verification calculation unit 11 notified to calculate the first check information.
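As an added example (not code from the patent or from the assignee), the flow laid out for units 10 to 14 above, and restated as the method of claims 1 to 5 below, implemented for an HTTP request that arrives through one or more reverse proxies. The patent does not fix the check function, the carrier of the check information or the rotation period; here the check is an HMAC-SHA256, keyed with a secret held by the protection device, over the client address, the proxy chain and a period counter, the client echoes it in an assumed `X-Check` header, and the period is 300 seconds, all of which are assumptions. The forwarding field is `X-Forwarded-For` and the source device address field is the packet's peer address. A `key_trust_on_peer` switch reproduces the prior-art trust list keyed on the source IP so that the pass-through described above can be seen directly. All addresses and requests are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Optional

PERIOD = 300                       # assumed: update parameter rotates every 5 min
SECRET = b"assumed-device-secret"  # assumed: key known only to the protection device
CHECK_HEADER = "X-Check"           # assumed carrier of the check information


def parse_addresses(headers: dict, peer_addr: str) -> tuple[str, list[str]]:
    """Forwarding field (X-Forwarded-For): the first item is taken as the
    client address, the remaining items as proxies; the source device address
    of the packet (peer_addr) is the nearest proxy and is appended last."""
    xff = headers.get("X-Forwarded-For", "")
    items = [p.strip() for p in xff.split(",") if p.strip()]
    if not items:
        return peer_addr, []          # no proxy in the path: the peer is the client
    return items[0], items[1:] + [peer_addr]


def update_parameter(now: Optional[float] = None) -> bytes:
    """Changes once per PERIOD, so a check value issued in an earlier period
    no longer matches after the rollover."""
    t = time.time() if now is None else now
    return str(int(t // PERIOD)).encode()


def first_check_info(client: str, proxies: list[str], now: Optional[float] = None) -> str:
    """check = HMAC-SHA256(SECRET, client | proxy chain | update parameter)."""
    msg = "|".join([client, *proxies]).encode() + b"|" + update_parameter(now)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ProtectionDevice:
    def __init__(self, key_trust_on_peer: bool = False):
        # key_trust_on_peer=True keys the trust list on the packet source IP
        # (the prior-art behaviour the description contrasts itself with)
        self.key_trust_on_peer = key_trust_on_peer
        self.trust_list: set[str] = set()

    def handle(self, headers: dict, peer_addr: str, now: Optional[float] = None) -> dict:
        client, proxies = parse_addresses(headers, peer_addr)
        key = peer_addr if self.key_trust_on_peer else client
        if key in self.trust_list:                     # claim 4: already trusted, forward
            return {"action": "forward"}
        expected = first_check_info(client, proxies, now)
        presented = headers.get(CHECK_HEADER)
        if presented is not None and hmac.compare_digest(presented.encode(), expected.encode()):
            self.trust_list.add(key)                   # claim 1: consistent, trust and forward
            return {"action": "forward"}
        # claim 5: first request, or missing/stale/forged check: hand the value
        # back so the client retries with it. A flood source that never echoes
        # it never reaches the server.
        return {"action": "challenge", "check": expected}


def run_scenario(key_trust_on_peer: bool = False) -> dict:
    """Constructed traffic: a browser and a bot behind the same proxy, plus a
    check replayed from another path and one reused after the period rolls over."""
    dev = ProtectionDevice(key_trust_on_peer)
    proxy_a, proxy_b = "198.51.100.1", "198.51.100.2"
    t0 = 1_700_000_000.0
    # checks issued to two other clients via proxy_a, for the replay cases below
    c4 = dev.handle({"X-Forwarded-For": "203.0.113.42"}, proxy_a, now=t0)["check"]
    c5 = dev.handle({"X-Forwarded-For": "203.0.113.77"}, proxy_a, now=t0)["check"]
    # browser: challenged on its first request, retries with the check it received
    r1 = dev.handle({"X-Forwarded-For": "203.0.113.10"}, proxy_a, now=t0 + 1)
    r2 = dev.handle({"X-Forwarded-For": "203.0.113.10", CHECK_HEADER: r1["check"]}, proxy_a, now=t0 + 2)
    # bot behind the same proxy: floods without ever handling the challenge
    r3 = dev.handle({"X-Forwarded-For": "203.0.113.99"}, proxy_a, now=t0 + 3)
    # c4 was computed over proxy_a; replaying it from proxy_b changes the proxy chain
    r4 = dev.handle({"X-Forwarded-For": "203.0.113.42", CHECK_HEADER: c4}, proxy_b, now=t0 + 4)
    # c5 replayed after the update parameter has rolled over
    r5 = dev.handle({"X-Forwarded-For": "203.0.113.77", CHECK_HEADER: c5}, proxy_a, now=t0 + PERIOD + 10)
    return {
        "browser_first": r1["action"], "browser_retry": r2["action"], "bot": r3["action"],
        "other_path": r4["action"], "stale": r5["action"], "trust_list": sorted(dev.trust_list),
    }


if __name__ == "__main__":
    print("client-keyed:", run_scenario())
    print("source-IP-keyed (prior art):", run_scenario(key_trust_on_peer=True))
```

Two caveats the page does not spell out. The first item of X-Forwarded-For is written by whatever sits nearest the client, so it is only as trustworthy as the edge proxy that overwrites or appends it; binding the proxy addresses into the check ties a check value to one path (the `other_path` case), but it does not stop a client from claiming an arbitrary first item. And if the check were an unkeyed hash of the addresses and the period counter, anyone who knows those values could compute it and skip the challenge, so either the update parameter or a key must remain secret to the protection device.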
An embodiment of the present invention further provides a network device, shown schematically in fig. 7. Its configuration and performance may vary considerably, and it may include one or more central processing units (CPUs) 20 (e.g., one or more processors), a memory 21, and one or more storage media 22 (e.g., one or more mass storage devices) for storing application programs 221 or data 222. The memory 21 and the storage medium 22 may be transient or persistent storage. The program stored on the storage medium 22 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the network device. The central processor 20 may be configured to communicate with the storage medium 22 so as to execute, on the network device, the series of instruction operations held in the storage medium 22.
Specifically, the applications 221 stored in the storage medium 22 include a network attack protection application, which may include the first address obtaining unit 10, the verification calculation unit 11, the first processing unit 12, the second address obtaining unit 13 and the second processing unit 14 of the network attack protection system described above, not repeated here. The central processor 20 may be configured to communicate with the storage medium 22 and to execute, on the network device, the series of operations corresponding to the network attack protection application stored in the storage medium 22.
The network device may also include one or more power supplies 23, one or more wired or wireless network interfaces 24, one or more input/output interfaces 25, and/or one or more operating systems 223, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like.
The steps executed by the network attack protection system in the above method embodiment may be based on the structure of the network device shown in fig. 7.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
The network attack protection method and system provided by the embodiments of the present invention have been described in detail above. Specific examples have been used to explain the principle and implementation of the invention, and the description of the above embodiments is intended only to help in understanding the method and its core idea. A person skilled in the art may, following the idea of the invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the invention.

Claims (12)

1. A method for protecting against network attacks is characterized by comprising the following steps:
acquiring a network request of a client forwarded by at least one level of proxy machine, and analyzing the network request to obtain address information of the client;
analyzing the network request to obtain the address information of the at least one level of proxy machine;
calculating first check information according to the address information of the client and the address information of the at least one level of proxy machine;
if the network request further comprises second check information, and the second check information is consistent with the first check information, adding the address information of the client to a trust list and forwarding the network request to a server; the second check information being check information that the network attack protection device calculated, during the first network request initiated by the client, from the address information of the client in that request, the address information of the at least one level of proxy machine and the update parameter value updated according to the preset period, and returned to the client;
wherein calculating the first check information according to the address information of the client and the address information of the at least one level of proxy machine specifically comprises: calculating the first check information according to the address information of the client, the address information of the at least one level of proxy machine and the update parameter value updated according to a preset period.
2. The method of claim 1, wherein the parsing the network request to obtain the address information of the client specifically comprises:
and analyzing the content of a forwarding field of the network request, and using the content of the forwarding field as the address information of the client, or using the first item of content in the forwarding field as the address information of the client.
3. The method of claim 1, wherein the parsing the network request to obtain address information of the at least one level of proxy machine comprises:
analyzing the content of a forwarding field of the network request, and taking at least one item of content other than the first item in the forwarding field as the address information of the at least one level of proxy machine; or,
and analyzing the contents of a forwarding field of the network request and a source equipment address field in a message header, and taking the contents of other items except the first item in the forwarding field and the contents of the source equipment address field as the address information of the at least one level of proxy machine.
4. The method of any of claims 1 to 3, wherein, before calculating the first check information according to the address information of the client, the method further comprises:
and matching the address information of the client with a locally stored trust list, if the address information of the client is matched with the locally stored trust list, forwarding the network request to the server, and if the address information of the client is not matched with the locally stored trust list, executing the step of calculating first check information.
5. The method of any of claims 1 to 3, further comprising:
and if the network request does not include the second check information or the second check information is inconsistent with the first check information, returning the first check information to the client so that the client initiates the network request carrying the first check information.
6. A system for protecting against cyber attacks, comprising:
the first address acquisition unit is used for acquiring a network request of a client forwarded by at least one level of proxy machine and analyzing the network request to obtain address information of the client;
the verification calculation unit is used for calculating first check information according to the address information of the client;
the first processing unit is used for adding the address information of the client into a trust list and forwarding the network request to a server if the network request further comprises second check information that is consistent with the first check information; the second check information being check information that the network attack protection device calculated, during the first network request initiated by the client, from the address information of the client in that request, the address information of the at least one level of proxy machine and the update parameter value updated according to the preset period, and returned to the client;
the system further comprises: a second address acquisition unit used for analyzing the network request to obtain the address information of the at least one level of proxy machine; the verification calculation unit being specifically configured to calculate the first check information according to the address information of the client and the address information of the at least one level of proxy machine;
the verification calculation unit being specifically configured to calculate the first check information according to the address information of the client, the address information of the at least one level of proxy machine, and an update parameter value updated according to a preset period.
7. The system of claim 6,
the first address obtaining unit is specifically configured to analyze content of a forwarding field of the network request, and use the content of the forwarding field as address information of the client, or use first content in the forwarding field as address information of the client.
8. The system of claim 6,
the second address obtaining unit is specifically configured to parse content of a forwarding field of the network request, and use at least one item of content except the first item in the forwarding field as address information of the at least one level of proxy machine; or, the contents of the forwarding field of the network request and the source device address field in the message header are analyzed, and the contents of other items except the first item in the forwarding field and the contents of the source device address field are used as the address information of the at least one level of proxy machine.
9. The system according to any one of claims 6 to 8,
the first processing unit is further configured to match the address information of the client with a locally stored trust list, forward the network request to the server if the address information of the client matches the locally stored trust list, and notify the verification calculation unit to calculate the first check information if the address information of the client does not match the locally stored trust list.
10. The system of claim 9, further comprising:
and the second processing unit is used for returning the first check information to the client if the network request does not include the second check information or the second check information is inconsistent with the first check information, so that the client initiates the network request carrying the first check information.
11. A computer-readable storage medium, characterized in that it stores a plurality of computer programs adapted to be loaded by a processor and to execute the method of protection against cyber attacks according to any one of claims 1 to 5.
12. A network device comprising a processor and a memory;
the memory is used for storing a plurality of computer programs, and the computer programs are used for being loaded by the processor and executing the network attack protection method according to any one of claims 1 to 5; the processor is configured to implement each of the plurality of computer programs.
CN201710067267.6A 2017-02-06 2017-02-06 Network attack protection method and system Active CN108400955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710067267.6A CN108400955B (en) 2017-02-06 2017-02-06 Network attack protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710067267.6A CN108400955B (en) 2017-02-06 2017-02-06 Network attack protection method and system

Publications (2)

Publication Number Publication Date
CN108400955A CN108400955A (en) 2018-08-14
CN108400955B true CN108400955B (en) 2020-12-22

Family

ID=63094508

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710067267.6A Active CN108400955B (en) 2017-02-06 2017-02-06 Network attack protection method and system

Country Status (1)

Country Link
CN (1) CN108400955B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110636068B (en) * 2019-09-24 2022-01-28 杭州安恒信息技术股份有限公司 Method and device for identifying unknown CDN node in CC attack protection
CN112272164B (en) * 2020-09-30 2022-07-12 新华三信息安全技术有限公司 Message processing method and device
CN112953921A (en) * 2021-02-02 2021-06-11 深信服科技股份有限公司 Scanning behavior identification method, device, equipment and storage medium
CN114237179B (en) * 2021-12-16 2023-09-08 常熟华庆汽车部件有限公司 Implementation method of flexible coating automatic control system based on industrial Internet of things
CN114640704B (en) * 2022-05-18 2022-08-19 山东云天安全技术有限公司 Communication data acquisition method, system, computer equipment and readable storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404345A (en) * 2011-12-26 2012-04-04 山石网科通信技术(北京)有限公司 Distributed attack prevention method and device
CN103607392A (en) * 2010-12-14 2014-02-26 华为数字技术(成都)有限公司 Method and device used for preventing fishing attack
CN103888490A (en) * 2012-12-20 2014-06-25 上海天泰网络技术有限公司 Automatic WEB client man-machine identification method
CN103916389A (en) * 2014-03-19 2014-07-09 汉柏科技有限公司 Method for preventing HttpFlood attack and firewall
CN104023024A (en) * 2014-06-13 2014-09-03 中国民航信息网络股份有限公司 Network defense method and device
CN104079557A (en) * 2014-05-22 2014-10-01 汉柏科技有限公司 CC attack protection method and device
CN104113559A (en) * 2014-08-13 2014-10-22 浪潮电子信息产业股份有限公司 Method for resisting tcp full-link attack
CN105075216A (en) * 2013-03-11 2015-11-18 思科技术公司 Identification of originating IP address and client port connection
CN105959313A (en) * 2016-06-29 2016-09-21 杭州迪普科技有限公司 Method and device for preventing HTTP proxy attack

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098305A (en) * 2004-01-26 2011-06-15 思科技术公司 Upper-level protocol authentication
CN101834866B (en) * 2010-05-05 2013-06-26 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN102571547B (en) * 2010-12-29 2015-07-01 北京启明星辰信息技术股份有限公司 Method and device for controlling hyper text transport protocol (HTTP) traffic
CN104378450A (en) * 2013-08-12 2015-02-25 深圳市腾讯计算机系统有限公司 Protection method and device for network attacks
CN104519018B (en) * 2013-09-29 2018-09-18 阿里巴巴集团控股有限公司 A kind of methods, devices and systems preventing the malicious requests for server
CN105100093B (en) * 2015-07-15 2018-05-18 联动优势科技有限公司 A kind of identity authentication method and server

Also Published As

Publication number Publication date
CN108400955A (en) 2018-08-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant