CN111385248B - Attack defense method and attack defense device - Google Patents

Attack defense method and attack defense device

Info

Publication number
CN111385248B
Authority
CN
China
Prior art keywords
protection
address
sequence
addresses
attacked
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811620997.5A
Other languages
Chinese (zh)
Other versions
CN111385248A (en)
Inventor
席康杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Abstract

The invention discloses an attack defense method and an attack defense device, applied to an attack defense system. The attack defense system comprises a scheduling device and at least one protection device; the protection device provides a plurality of protection IP addresses, and terminal devices access the website server through those protection IP addresses. The scheduling device receives a protection address acquisition request from a first terminal device, obtains the first protection address sequence corresponding to the identifier of the first terminal device, takes the first unused protection IP address from that sequence, and returns it to the first terminal device. The scheduling device also obtains the attacked protection IP addresses and judges whether the used protection IP addresses in the first protection address sequence have been attacked in sequence; if they have, it obtains the identifier of the first terminal device corresponding to the first protection address sequence and determines that the first terminal device is the attack source.

Description

Attack defense method and attack defense device
Technical Field
The present application relates to the field of computer and communication technologies, and in particular, to an attack defense method and an attack defense device.
Background
A denial of service (DoS) attack is a network attack that aims to exhaust the network or system resources of a target computer, so that the services it provides are temporarily interrupted or stopped and normal users cannot reach it. When an attacker (also called a hacker) uses two or more controlled computers on a network as attack initiators to launch a DoS attack against a target computer, the attack is called a distributed denial of service (DDoS) attack.
In recent years, an attack called Challenge Collapsar (CC), a name often rendered literally as "challenge black hole", has emerged. CC attacks are essentially DDoS attacks, characterized in that the target is a web server providing a large number of dynamic web pages, such as a shopping web server or a game web server.
The principle of a CC attack is that, through a proxy server or a large number of controlled computers, the attacker simulates many users accessing the dynamic web pages provided by the target website server. This triggers a large number of background database queries that consume the central processing unit (CPU) resources of the target website server, until the server is paralyzed and can no longer serve normal users.
Traditional DDoS defense is based mainly on the packet filtering mechanism of a firewall. Taking a synchronize (SYN) flood attack as an example, a filtering rule and a threshold are configured on the firewall, and when the firewall observes abnormal traffic it blocks or cleans that traffic in time. For example, when a firewall deployed in front of the target computer observes that the number of SYN packets destined for port 80 of the target computer per unit time (for example, 1 second) continuously exceeds a threshold (for example, 5000), subsequent SYN packets to port 80 are discarded, or the target computer's subsequent traffic is redirected to traffic-cleaning equipment and only the normal traffic that remains after cleaning is forwarded to the target computer. However, the traditional DDoS defense method works poorly against CC attacks. A CC attack sends web access requests that are individually normal, and the traffic it generates often does not reach the abnormal-traffic threshold set on a conventional firewall, because the point of the attack is the large number of background database queries it causes rather than the volume of traffic.
The traditional defense against CC attacks is for the website server providing the service to use dynamic web pages as little as possible and to replace them with static web pages wherever possible. However, this approach clearly cannot meet the requirements of services such as shopping or game websites, which rely primarily on user interaction. How to defend effectively against CC attacks has therefore become a hot research problem.
Disclosure of Invention
Embodiments of the present application provide an attack defense method for reducing the impact of a CC attack on a website server without impairing the function of the web service.
In a first aspect, an attack defense method is provided. The method is applied to a defense system that includes a scheduling device and at least one protection device; the protection device is deployed between a first terminal device and the protected web server, the at least one protection device provides a plurality of protection Internet Protocol (IP) addresses, and the first terminal device accesses the web server through the protection IP addresses.
The method is performed by the scheduling device and comprises the following steps. The scheduling device receives a protection address acquisition request from the first terminal device. According to the identifier of the first terminal device carried in the request, it obtains the first protection address sequence corresponding to that identifier. It takes, in storage order, the first unused protection IP address from the first protection address sequence, and returns that unused protection IP address to the first terminal device. Here the first protection address sequence comprises at least two protection IP addresses stored in order, and an unused protection IP address is one that has not yet been returned to the first terminal device.
If the protection device is attacked, the scheduling device obtains the attacked protection IP addresses and generates an attacked address sequence in the time order of the attacks, where the attacked address sequence comprises at least two different attacked protection IP addresses. According to the attacked address sequence, the scheduling device judges whether the used protection IP addresses in the first protection address sequence have all been attacked in sequence; if they have, it obtains the identifier of the first terminal device corresponding to the first protection address sequence and determines that the first terminal device is an attack source.
The scheduling device of this embodiment establishes a mapping between the identifier of a terminal device and a protection address sequence, and provides protection IP addresses to the mapped terminal device one by one in the order given by that sequence. By comparing the attacked protection IP addresses with the protection address sequence, it judges whether the protection IP addresses already provided to the terminal device (that is, the used protection IP addresses) have been attacked in sequence. If the used protection IP addresses in a protection address sequence have been attacked in sequence, the terminal device whose identifier is mapped to that sequence is determined to be an attack source. Identifying the attack source allows anti-attack processing to be applied to it and prevents it from attacking further protection IP addresses, which improves the defense effect and the service stability of the website server.
Optionally, in a possible implementation of the first aspect, before the scheduling device receives the protection address acquisition request from the first terminal device, the method further includes: the scheduling device generates at least two protection address sequences from the plurality of protection IP addresses, the at least two sequences including the first protection address sequence. Generating the sequences in advance, rather than after a request arrives, shortens the time a terminal waits for a protection IP address and improves the user's service experience. The sequences can be generated in various ways; for example, the scheduling device generates at least two mutually different protection address sequences as permutations of the plurality of protection IP addresses.
Optionally, in another possible implementation of the first aspect, the plurality of protection IP addresses belong to a first protection address set and a second protection address set that do not overlap, and the at least two protection address sequences are generated from the protection IP addresses in the first set. After the scheduling device obtains an attacked protection IP address, the method further comprises: the scheduling device takes a protection IP address from the second protection address set and replaces the attacked protection IP address, wherever it is still unused in the at least two protection address sequences, with the obtained address. Replacing attacked protection IP addresses with standby ones avoids the service interruption that would occur if the scheduling device later handed an attacked address to a terminal device, and so reduces the impact of the attack on the service.
Optionally, in another possible implementation of the first aspect, obtaining the first protection address sequence corresponding to the identifier of the first terminal device comprises: the scheduling device looks up whether a protection address sequence corresponding to the identifier already exists; if none exists, it selects one of the alternative protection address sequences (those among the at least two sequences that have not yet been selected) and takes it as the first protection address sequence corresponding to the identifier; if one exists, it takes the found sequence as the first protection address sequence. The mapping of a protection address sequence to a terminal device may be established in advance or on request from the terminal device. Establishing the mapping on request saves the limited protection IP address resources and avoids wasting a sequence allocated in advance to a terminal device that does not use the service for a long time.
Optionally, in a possible implementation of the first aspect, judging whether the used protection IP addresses in the first protection address sequence have been attacked in sequence comprises: the judgement is made only when the number of used protection IP addresses in the first protection address sequence is determined to exceed a threshold, the threshold being determined from the total number of protection IP addresses the sequence contains. Waiting until enough addresses have been used before judging improves the accuracy with which attack sources are identified.
Optionally, in a possible implementation of the first aspect, after determining that the first terminal device is an attack source, the method further includes applying anti-attack processing to the attack source; for example, the scheduling device stops returning protection IP addresses to it. Acting promptly once the attack source is identified prevents it from attacking further protection IP addresses, which improves the defense effect and the service stability of the website server.
In a second aspect, an embodiment of the present application provides an attack defense device having the functions needed to implement the method of the first aspect or any of its possible implementations. The functions may be realized by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions described above.
In a third aspect, an embodiment of the present application provides an attack defense system comprising a scheduling device and at least one protection device. The protection device is deployed between a first terminal device and the protected website server, the at least one protection device provides a plurality of protection Internet Protocol (IP) addresses, and the first terminal device accesses the website server through the protection IP addresses. The scheduling device is configured to perform the method of the first aspect or any of its possible implementations.
In a fourth aspect, embodiments of the present application provide a computer storage medium storing computer software instructions for an attack defense device which, when run on a computer, cause the computer to perform the method of the above aspects.
In a fifth aspect, embodiments of the present application provide a computer program product containing instructions which, when executed on a computer, cause the computer to perform the method of the first aspect or any of its possible implementations.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings show some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a "game shield" protection system in an embodiment of the present application;
FIG. 2 is a schematic deployment diagram of an attack defense system in an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an attack defense device in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an attack defense device in an embodiment of the present application;
FIG. 5 is a flow chart of a main implementation principle of an attack defense method in an embodiment of the present application;
FIG. 6 is a flowchart of an attack defense method in an embodiment of the present application.
Detailed Description
To defend game website servers against CC attacks, some research has tried a protection system called "game shield". Fig. 1 is a schematic diagram of a game shield system deployed in a typical network game service scenario. The game shield system comprises a protection device 10 and a scheduling device 20, which may be implemented on two independent computers or integrated into the same computer. The protection device 10 is deployed between the game client 30 and the game website server 40 and provides a plurality of protection IP addresses. The game shield was originally designed to protect the game website server from CC attacks by means of multiple IP addresses. Its basic principle is as follows: a scheduling device 20 is provided that stores a plurality of protection IP addresses; these are public IP addresses provided by the protection device 10 through which game clients can reach the game server. To distinguish them from the IP address of the game website server 40, the IP addresses of the protection device 10 that the scheduling device 20 returns are referred to in the embodiments of this application as protection IP addresses. Before accessing the game service through a browser or the game client 30, the user requests a protection IP address from the scheduling device 20 (step S1 in fig. 1). The browser or game client 30 receives the protection IP address returned by the scheduling device 20 (step S2 in fig. 1). It then accesses the protection device 10 via that address and sends a service request to it (step S3 in fig. 1). The protection device 10 establishes a connection with the game website server 40 and forwards the service request to it (step S4 in fig. 1).
The protection device 10 receives the service response returned by the game server 40 (step S5 in fig. 1) and forwards it to the browser or game client 30 (step S6 in fig. 1).
Through the process shown in fig. 1, the game server provides the game service to the user. The game shield scheme hides the real IP address of the game website server behind the protection IP addresses, so that the server's own address is never made public and an attacker cannot attack it directly. When a protection IP address is attacked, the protection device disconnects from the game website server. When game clients or browsers subsequently request a protection IP address from the scheduling device, it returns a different one, so the game website server can keep serving users and the service remains stable.
In the course of research, the protection provided by the game shield scheme turned out to be imperfect. The main reason is that, although an attacker who does not know the IP address of the game website server cannot attack it directly, once one protection IP address has been attacked the attacker can, by analysing messages, obtain within a short time the new protection IP address returned by the scheduling device and continue attacking that address, until all protection IP addresses have been attacked and the game shield system is paralyzed.
The present application provides an attack defense method built on the game shield system and applicable to any protection system that protects a website server with protection IP addresses. The method focuses on identifying the attack source, that is, the IP address the attacker uses, such as the IP address of a proxy server or of a controlled computer, so that no new protection IP address is handed to the attack source, the protection afforded by the game shield is strengthened, and legitimate users can keep using the service normally. The attack source is identified as follows. The scheduling device generates a plurality of protection address sequences, each comprising at least two different protection IP addresses arranged in order. When a service requester, that is, a browser or a service client (such as a game client or an online shopping client), requests a protection IP address from the scheduling device for the first time, the scheduling device maps a protection address sequence to the requester and returns the first protection IP address of that sequence. When the requester asks for a protection IP address again, the scheduling device returns the address that follows the previously returned one in the requester's sequence. The scheduling device then locates the attack source from the mapping between protection address sequences and service requesters together with the record of which protection IP addresses have been attacked. For example, when protection IP addresses are attacked, the scheduling device obtains them and generates an attacked address sequence consisting of the attacked protection IP addresses in the order in which they were attacked.
According to the attacked address sequence, the scheduling device judges whether the used protection IP addresses in a protection address sequence have been attacked in sequence; if they have, the service requester mapped to that protection address sequence is determined to be an attack source.
Fig. 2 is a schematic deployment diagram of an attack defense system provided in an embodiment of the present application. The defense system comprises a scheduling device 20 and at least one protection device 10, which may be provided separately on different computers or together on the same computer.
The protection device 10 is a computer device with network connectivity and a reachable IP address. It is deployed between the terminal devices 301-302 and the protected website server 40. The at least one protection device 10 provides a plurality of protection IP addresses accessible to the terminal devices.
The terminal devices 301-302 are terminal devices on which browser software or service client software (such as a game client or an online shopping client) is installed. A terminal device includes, but is not limited to, a personal computer, a mobile phone, a server, a notebook, an IP phone, a camera, a tablet, a wearable device, and the like. A real network has a large number of terminal devices; for simplicity, the embodiments of the present application are described using only two.
In the present application, the web server 40 is a computer that provides web page related services, including one or more services implemented with dynamic web pages, as well as database queries, file services, and the like. The web server 40 is, for example, a game server or an online shopping server. Dynamic web pages are defined in contrast to static web pages. A static web page is a pre-edited web page file stored on the web server and identified by a fixed Uniform Resource Locator (URL), commonly with a suffix such as html or shtml; the website server simply sends the originally designed HyperText Markup Language (HTML) document named by the URL carried in the client browser's access request. Static websites are hard to maintain: every HTML file must be updated manually whenever a page changes, and as the content and volume of a site grow, the effort of producing the page files becomes unacceptable. With a dynamic web page, the content held on the server differs from what the client sees: the server stores only the original page, and on each request it queries the database or computes a result according to the content or requirement fed back by the user, then transmits that result to the client computer for display. Interactivity, automatic updating, and content that varies by time and by person are the features that distinguish dynamic web pages from static ones.
In the embodiment of the present application, the scheduling device 20 maintains a plurality of protection address sequences, such as protection address sequence A and protection address sequence B, and establishes a one-to-one mapping between terminal devices and protection address sequences. For example, the scheduling device maps terminal device 301 to protection address sequence A, or maps terminal device 302 to protection address sequence B.
Taking terminal device 301 as an example, the scheduling device 20 returns a protection IP address to the terminal device on the basis of the protection address sequence as follows: according to the identifier of terminal device 301 carried in the protection address acquisition request, it looks up the protection address sequence A corresponding to terminal device 301, takes the first unused protection IP address from sequence A, and returns it to terminal device 301. Sequence A comprises at least two protection IP addresses stored in order, and an unused protection IP address is one that has not yet been returned to terminal device 301.
Optionally, to save the limited protection IP address resources, the scheduling device establishes the mapping only on request from a terminal device, rather than mapping a protection address sequence to each terminal device in advance. That is, when terminal device 301 or terminal device 302 requests a protection IP address for the first time, the scheduling device establishes a one-to-one mapping between that device's identifier and a protection address sequence. For example, it maps terminal device 301 to sequence A on receiving the protection address acquisition request from terminal device 301, or terminal device 302 to sequence B on receiving the request from terminal device 302, and returns the first protection IP address of the corresponding sequence to the requesting terminal device. Thereafter, when terminal device 301 requests a protection address again, the second protection IP address of sequence A is returned to it.
The scheduling device 20 also monitors the protection device for attacks, which it may do in several ways. For example, the scheduling device 20 periodically sends a test packet to each protection IP address, and if no response packet arrives within a preset period it determines that the protection IP address addressed by the test packet is under attack. Alternatively, the protection device 10 periodically sends a heartbeat message from each protection IP address to the scheduling device, using the scheduling device's pre-stored IP address and open port number; if the scheduling device 20 receives no heartbeat with a given protection IP address as its source within the preset period, it determines that that protection IP address is under attack. As a further example, the scheduling device 20 receives security logs sent by other security devices in the network and extracts the attacked protection IP addresses from them. Other ways of monitoring whether the protection device is attacked are not listed here.
If the protection device is attacked, the scheduling device 20 obtains the attacked protection IP addresses and locates the attack source from them together with the mapping between protection address sequences and terminal device identifiers. For example, the scheduling device generates an attacked address sequence in the time order of the attacks, containing at least two attacked protection IP addresses. According to that sequence, the scheduling device 20 judges whether the used protection IP addresses in the first protection address sequence have been attacked successively; if so, it obtains the identifier of the first terminal device corresponding to the first protection address sequence and determines that device to be an attack source. Concretely, let the subsequence of N protection IP addresses of sequence A that have already been returned to terminal device 301 be called subsequence A, where N is a natural number equal to or greater than 2. If the attacked address sequence is the same as subsequence A, terminal device 301, which corresponds to protection address sequence A, is taken to be an attack source.
In the denial of service defense system of fig. 2, when the scheduling device provides a protection IP address to a terminal device that sends a protection address acquisition request, it proceeds as follows: it maps a protection address sequence to the requesting terminal device, and on each protection address acquisition request it takes the first unused protection IP address from the mapped sequence and returns it to the requester. Using this mapping together with its monitoring of attacks on the protection IP addresses, the scheduling device can effectively identify the attack source and apply anti-attack processing to it, preventing it from attacking further protection IP addresses, which improves the defense effect and the service stability of the website server.
Fig. 3 is a schematic structural diagram of an attack defense device provided in an embodiment of the present application. Optionally, the attack defense device having the structure shown in fig. 3 is the scheduling device 20 in fig. 2. The scheduling device comprises at least one processor 31, a memory 32 and a network interface 33, the processor 31, the memory 32 and the network interface 33 being interconnected by a bus 34.
The at least oneprocessor 31 may be one or more CPUs, which may be single core CPUs or multi-core CPUs.
The memory 32 includes, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), or a portable Compact Disc Read-Only Memory (CD-ROM). The memory 32 stores code for an operating system and program code for implementing the methods provided herein.
The network interface 33 may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) interface or a Gigabit Ethernet (GE) interface; the network interface 33 may also be a wireless interface. The network interface 33 is configured to receive a protection address acquisition request of the first terminal device.
The processor 31 is configured to read the program code stored in the memory 32 and perform the following operations: obtain, according to the identifier of the first terminal device carried in the protection address acquisition request, a first protection address sequence corresponding to that identifier; obtain the first unused protection IP address from the first protection address sequence according to the storage order of the IP addresses; and instruct the network interface 33 to return the obtained unused protection IP address to the first terminal device, where the first protection address sequence comprises at least two protection IP addresses stored in order, and an unused protection IP address is a protection IP address that has not yet been returned to the first terminal device.
The processor 31 is further configured to monitor whether the protection device is attacked, and if the protection device is attacked, to obtain the attacked protection IP address.
Further, the processor 31 generates an attacked address sequence in the time order of the attacks, where the attacked address sequence includes at least two attacked protection IP addresses. The processor 31 judges, according to the attacked address sequence, whether the used protection IP addresses in the first protection address sequence have all been attacked in sequence; if so, it obtains the identifier of the first terminal device corresponding to the first protection address sequence and determines that the first terminal device is an attack source.
Optionally, after determining the attack source, the processor 31 performs anti-attack processing on the attack source.
For more details on how the network interface 33 and the processor 31 implement the above functions, refer to the description of the method embodiments below.
Optionally, the scheduling device further includes an input/output interface 35, which is configured to connect to an input device and receive configuration information, such as protection IP addresses, entered by a user through the input device. Input devices include, but are not limited to, a keyboard, a touch screen, a microphone, and the like. The input/output interface 35 is also used to connect to an output device and output the attack source information determined by the processor 31. Output devices include, but are not limited to, a display, a printer, and the like.
Fig. 4 is a schematic structural diagram of another attack defense device provided in an embodiment of the present application. Optionally, the attack defense device having the structure shown in fig. 4 is the scheduling device 20 in fig. 2. The scheduling device comprises a storage unit 40, a receiving unit 41, a processing unit 42 and a transmitting unit 43.
The storage unit 40 is configured to store a plurality of protection Internet Protocol (IP) addresses.
The receiving unit 41 is configured to receive a protection address acquisition request of the first terminal device.
The processing unit 42 is configured to obtain, according to the identifier of the first terminal device included in the protection address acquisition request, a first protection address sequence corresponding to that identifier, obtain the first unused protection IP address from the first protection address sequence according to the storage order of the IP addresses, and instruct the sending unit 43 to return the obtained unused protection IP address to the first terminal device, where the first protection address sequence includes at least two protection IP addresses stored in order, and an unused protection IP address is a protection IP address that has not yet been returned to the first terminal device.
The processing unit 42 is further configured to, if the protection device is attacked, obtain the attacked protection IP address and generate an attacked address sequence in the time order of the attacks, where the attacked address sequence includes at least two attacked protection IP addresses; judge, according to the attacked address sequence, whether the used protection IP addresses in the first protection address sequence have been attacked in sequence; and if so, obtain the identifier of the first terminal device corresponding to the first protection address sequence and determine that the first terminal device is an attack source. The attack source is the object of subsequent anti-attack processing.
The embodiment of the apparatus depicted in fig. 4 is merely illustrative. For example, the division into units is only a logical division; in an actual implementation there may be other divisions, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Each functional unit in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The units in fig. 4 may be implemented in the form of hardware or in the form of software functional units. For example, when implemented in software, the receiving unit 41, the processing unit 42 and the transmitting unit 43 may be software functional modules generated by the CPU in fig. 3 after reading the program code stored in the memory. The units in fig. 4 may also be implemented by different hardware in the scheduling device; for example, the receiving unit 41 and the sending unit 43 are implemented by the network interface 33 in fig. 3, and the processing unit 42 is implemented by the processor 31 in fig. 3 or by a programmable device such as a Field-Programmable Gate Array (FPGA) or a coprocessor. The above functional modules can also be implemented by a combination of software and hardware; for example, the receiving unit 41 and the sending unit 43 are implemented by programmable hardware devices, and the processing unit 42 is a software functional module generated by the CPU reading the program code stored in the memory.
The attack defense method provided by the embodiment of the present application is described below with reference to fig. 5. Optionally, the method is used to guard against denial of service attacks against the web server. Fig. 5 is a flowchart of an attack defense method provided in an embodiment of the present application. Optionally, a network deployment scenario of the scheduling device, the protection device, the terminal device, and the website server involved in the method shown in fig. 5 is shown in fig. 2. The scheduling apparatus of fig. 5 has the structure shown in fig. 3 or fig. 4.
Referring to fig. 5, a method for defending against a denial of service attack provided in an embodiment of the present application includes the following steps.
In this embodiment, steps 501 to 503 describe the process by which the scheduling device provides a protection IP address to a terminal device, taking the processing of one protection address acquisition request by the scheduling device as an example.
Step 501, a scheduling device receives a guard address acquisition request from a first terminal device.
In the embodiment of the present application, in order to distinguish different terminal devices, the terminal devices are referred to as "a first terminal device" and "a second terminal device". Optionally, viewed in conjunction with fig. 2, the first terminal device in fig. 5 is one of the terminal device 301 and the terminal device 302 in fig. 2.
The embodiment of the present application describes the process by which the scheduling device provides a protection IP address to a terminal device, taking the interaction between the scheduling device and the first terminal device as an example. In a scenario with multiple terminal devices, each terminal device may obtain a protection IP address from the scheduling device through a similar process.
The protection address acquisition request includes the identifier of the first terminal device. Optionally, the identifier of the first terminal device includes, but is not limited to, the IP address of the first terminal device, the International Mobile Subscriber Identity (IMSI) of the first terminal device, or the Mobile Station International Subscriber Identity (MSISDN) of the first terminal device. The protection address acquisition request may carry the identifier of the first terminal device in its source address field or in its payload. For example, when the identifier of the first terminal device is the IP address of the first terminal device, the identifier may be carried in the source address field of the protection address acquisition request.
Step 502, the scheduling device obtains a first protection address sequence corresponding to the identifier of the first terminal device according to the identifier of the first terminal device included in the received protection address obtaining request. The first protection address sequence comprises at least two protection IP addresses stored in sequence.
The scheduling device may generate the guard address sequence before receiving the guard address acquisition request or after receiving the guard address acquisition request. In order to reduce the service waiting time of the user, the scheduling device may generate at least two guard address sequences according to the plurality of guard IP addresses before receiving a guard address acquisition request from the first terminal device, where the first guard address sequence is included in the at least two guard address sequences.
Optionally, the scheduling device generates a plurality of different guard address sequences in an arrangement manner according to the configured guard IP addresses, and maps a guard address sequence for the identifier of each terminal device in advance. Optionally, the guard IP address is set in the scheduling device by an administrator of the scheduling device in advance through an input/output interface of the scheduling device.
Permutation is a basic concept in mathematics: it refers to selecting a given number of elements from a set of elements and arranging them in order. Specifically, taking m (m ≤ n) elements from n different elements and arranging them in a row in a certain order is called a permutation of m elements out of n different elements, where m and n are both natural numbers. The formula for the number of such permutations is:
[equation image: number of permutations of m elements taken from n different elements]
When protection address sequences are generated in the embodiment of the present application, permutations are generated from the configured protection IP addresses, and each of the generated permutations is one protection address sequence. For example, assuming there are 3 protection IP addresses in total and each protection address sequence to be obtained includes 2 (or 3) protection IP addresses, a total of 6 protection address sequences can be generated from the 3 protection IP addresses; that is, 6 terminal devices can be distinguished by 6 protection address sequences. These protection IP addresses may be IPv4 addresses, which are written in dotted-decimal notation, such as 126.155.255.254; or they may be IPv6 addresses, which are written as colon-separated hexadecimal numbers, such as ABCD:EF01:2345:6789:ABCD:EF01:2345:6789. In the embodiment of the present application, for brevity, IP 1, IP 2 and IP 3 are used to refer to the 3 protection IP addresses, and the protection address sequences generated by the permutation method are then:
IP 1-IP 2-IP 3,
IP 1-IP 3-IP 2,
IP 2-IP 1-IP 3,
IP 2-IP 3-IP 1,
IP 3-IP 1-IP 2,
IP 3-IP 2-IP 1.
Assuming that the number of game clients is c, the constraint relationship between c, m and n is as follows.
[equation image: constraint between c, m and n]
It can be seen from the permutation values below that if 100,000 game clients need to be supported, 100,000 protection address sequences are correspondingly needed, and the values of m and n can be set according to the following formulas.
[four equation images: example permutation values for candidate values of m and n]
It can be seen from these formulas that, once the number of game clients is fixed, the length of the protection address sequence and the number of protection IP addresses are correlated. For example, with 48 protection IP addresses the shortest protection address sequence length may be 3, that is, with 48 protection IP addresses the attack source can be located after 3 attacks occur. With 20 protection IP addresses the shortest protection address sequence length may be 4, that is, with 20 protection IP addresses the attack source can be located after 4 attacks occur.
In a specific implementation, the value of the protection address sequence length l can be set flexibly according to the range of the number of available protection IP addresses and the timeliness requirement for locating the attack source. For example, one trade-off is to use 13 protection IP addresses for generating protection address sequences, with each protection address sequence containing 5 protection IP addresses, so that an attack source can be located after 5 attacks occur.
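As an added example (not code from the patent), the sizing calculation of the preceding paragraphs in Python: it counts the permutations of m addresses taken from n, finds the shortest sequence length m for a pool of n protection IP addresses, or the smallest pool for a fixed m, using the 100,000-client figure from the text. The function names are my own.

```python
from typing import Optional


def permutation_count(n: int, m: int) -> int:
    """Number of ordered sequences of m distinct addresses drawn from n
    (n!/(n-m)!). Zero when m exceeds n, since no such sequence exists."""
    if m < 0 or m > n:
        return 0
    result = 1
    for k in range(n, n - m, -1):
        result *= k
    return result


def min_sequence_length(n: int, clients: int) -> Optional[int]:
    """Shortest sequence length m for which n protection IP addresses yield at
    least `clients` distinct protection address sequences. A longer m also
    means more attacks must occur before the attack source is located, so the
    shortest feasible m is the one that locates a source fastest.
    Returns None when even m = n (n! sequences) cannot cover the clients."""
    for m in range(1, n + 1):
        if permutation_count(n, m) >= clients:
            return m
    return None


def min_address_count(m: int, clients: int) -> int:
    """Smallest pool size n for which sequences of fixed length m can serve
    `clients` terminal devices; the loop terminates because the count grows
    with n for fixed m."""
    n = m
    while permutation_count(n, m) < clients:
        n += 1
    return n


if __name__ == "__main__":
    # The three trade-offs named in the text, for 100,000 clients.
    for n in (48, 20, 13):
        print(f"{n} addresses -> sequence length {min_sequence_length(n, 100_000)}")
```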
In order to save limited protection IP address resources and avoid unnecessary waste caused by pre-allocating a protection address sequence to terminal equipment which does not use services for a long time, the scheduling equipment establishes the mapping relation according to the request of the terminal equipment without mapping the protection address sequence to the terminal equipment in advance. In other words, the scheduling device generates a guard address sequence set in advance, selects a guard address sequence from the guard address sequence set when the first terminal device requests a guard IP address for the first time, establishes a one-to-one mapping relationship between the first terminal device and the selected guard address sequence, and returns the first guard IP address in the corresponding guard address sequence to the terminal device that sent the guard address acquisition request. And removing the selected guard address sequence from the set of guard address sequences. And then, when the first terminal equipment requests the protection address again, the second protection IP address in the corresponding protection address sequence is returned to the first terminal equipment. Alternatively, step 502 may be implemented using the following flow.
Step 5021, the scheduling device searches whether a protection address sequence corresponding to the identifier of the first terminal device exists according to the identifier of the first terminal device.
Step 5022, if no protection address sequence corresponding to the identifier of the first terminal device exists, select one protection address sequence from the candidate protection address sequences and use it as the first protection address sequence corresponding to the identifier of the first terminal device, where the candidate protection address sequences are those among the at least two protection address sequences that have not yet been selected.
Step 5023, if the protection address sequence corresponding to the identifier of the first terminal device exists, the found protection address sequence is used as the first protection address sequence.
Step 503, the scheduling device obtains a first unused protection IP address from the first protection address sequence according to the storage sequence of the IP addresses, and returns the obtained unused protection IP address to the first terminal device, where the unused protection IP address is a protection IP address that has not been returned to the first terminal device.
Optionally, the scheduling device records the use condition of each guard IP address in the guard address sequence corresponding to the first terminal device, for example, sets a flag bit to record the used guard IP address.
Suppose that the scheduling device sets the protection address sequence "IP 1-IP 2-IP 3" as the protection address sequence corresponding to the first terminal device, that is, the first protection address sequence is "IP 1-IP 2-IP 3". When the scheduling device receives a protection address acquisition request from the first terminal device for the first time, it returns the first protection IP address "IP 1" to the first terminal device. The scheduling device sets a used mark on IP 1 in the protection address sequence "IP 1-IP 2-IP 3"; for brevity, the used mark is represented by underlining in the application and, in this text, a used address is written in square brackets: "[IP 1]-IP 2-IP 3".
If, after the scheduling device returns the protection IP address "IP 1" to the first terminal device, "IP 1" becomes unavailable due to an attack, that is, the terminal device cannot access the website server through "IP 1", the first terminal device sends a protection address acquisition request to the scheduling device again to obtain a new protection IP address.
When the scheduling device receives a protection address acquisition request from the first terminal device for the second time, it determines that the first unused protection IP address is "IP 2", returns "IP 2" to the first terminal device, and sets a used mark on "IP 2" in the protection address sequence "IP 1-IP 2-IP 3", recorded as "[IP 1]-[IP 2]-IP 3", and so on. Optionally, since the protection IP addresses in a protection address sequence are stored in order, a used mark may be set only on the most recently returned protection IP address; this likewise achieves the purpose of obtaining the first unused protection IP address from the first protection address sequence when a further protection address acquisition request is received from the first terminal device.
Optionally, in step 501, the first terminal device may construct the protection address acquisition request using the HyperText Transfer Protocol (HTTP). For example, the scheduling device opens a designated port for providing protection IP addresses to terminal devices. In the scenario shown in fig. 2, when a user needs to access the website server, the user first needs to obtain a protection IP address from the scheduling device. In this process, the browser software or service client in the terminal device 301 or 302 constructs an HTTP request according to the preset IP address of the scheduling device and the designated port number, where the destination address of the HTTP request is the IP address of the scheduling device and the destination port number is the designated port number, and sends the constructed HTTP request to the scheduling device.
Accordingly, after receiving the HTTP request, in step 503 the scheduling device returns a JavaScript Object Notation (JSON) formatted string, referred to as a JSON string for short, to the first terminal device, such as the terminal device 301 or 302 in fig. 2. The JSON string carries the protection IP address. An example JSON string is {"IP":"12.1.1.1","code":10000,"msg":"request success"}, where "12.1.1.1" is the protection IP address.
On the one hand, the scheduling device performs steps 501 to 503 to provide protection IP addresses to terminal devices; on the other hand, it monitors whether the protection device is attacked, that is, it performs steps 504 to 505.
Step 504, the scheduling device monitors whether the protection device is attacked; if the protection device is attacked, step 505 is executed. If the protection device is not attacked, it continues to monitor whether the protection device is attacked.
Step 505, if the protection device is attacked, the scheduling device obtains the attacked protection IP address and generates an attacked address sequence in the time order of the attacks, where the attacked address sequence includes at least two attacked protection IP addresses.
Further, when the attacked address sequence changes, that is, when the number of IP addresses included in the attacked address sequence increases, or when a new attack is detected, steps 506 to 507 are executed.
In steps 506 to 507, the embodiment of the present application is described only in terms of the comparison between the first protection address sequence and the attacked address sequence. In actual execution, the scheduling device stores the mapping relationship between a plurality of protection address sequences and a plurality of terminal device identifiers; it selects one protection address sequence at a time and determines, according to the attacked address sequence, whether the used protection IP addresses in the selected protection address sequence have been attacked in sequence. If so, it executes step 507 to determine the attack source; if not, it selects the next protection address sequence from the plurality of protection address sequences, until all protection address sequences mapped to terminal device identifiers have been compared.
Step 506, the scheduling device judges, according to the attacked address sequence, whether the used protection IP addresses in the first protection address sequence have been attacked in sequence. If the used protection IP addresses in the first protection address sequence have all been attacked in sequence, step 507 is executed. If not, return to step 504 and continue to monitor whether the protection device is attacked.
Although terminal devices and protection address sequences are mapped one to one, the first several protection IP addresses of several protection address sequences may be the same, that is, several protection address sequences may partially coincide. Thus, when the number of attacked IP addresses is small and the used IP addresses in several protection address sequences are the same, the result of step 506 may be that the used protection IP addresses in several protection address sequences have all been attacked in sequence, that is, several terminal devices are identified as attack sources, and the accuracy of identifying the attack source is low. Therefore, to improve accuracy, the scheduling device may wait for a suitable moment, for example until a larger number of protection IP addresses have been attacked, or until the number of used protection IP addresses in the protection address sequence is larger, before executing step 506.
Optionally, the scheduling device executes step 506 only when it determines that the number of used protection IP addresses in the protection address sequence reaches a threshold. The threshold is determined according to the total number of protection IP addresses contained in the first protection address sequence. Optionally, if the length of the protection address sequence is denoted m and the threshold is denoted l, then l = m or l = m-1.
Step 507, if the used protection IP addresses in the first protection address sequence are all attacked in sequence, acquiring an identifier of the first terminal device corresponding to the first protection address sequence, and determining that the first terminal device is an attack source, where the attack source is an object of subsequent anti-attack processing.
Continuing the above example, if the scheduling device detects that IP 1 is attacked at a first time and IP 2 is attacked at a second time after the first time, the scheduling device generates the attacked address sequence "IP 1-IP 2". Assume here that the protection address sequence length m is 3 and the threshold l is 2, that is, step 506 is executed once the scheduling device determines that the number of used protection IP addresses in a protection address sequence reaches 2. The scheduling device then determines, according to the attacked address sequence "IP 1-IP 2", whether the used protection IP addresses in each protection address sequence mapped to a terminal device identifier have been attacked in sequence. Still taking the first protection address sequence as an example, assume that the scheduling device has provided IP 2 of the first protection address sequence to the first terminal device at its request; marking used protection IP addresses as described above (used addresses in square brackets), the first protection address sequence is "[IP 1]-[IP 2]-IP 3", and the used protection IP addresses in the first protection address sequence are "IP 1-IP 2". Because the attacked address sequence "IP 1-IP 2" is the same as the sequence "IP 1-IP 2" formed by the used protection IP addresses in the first protection address sequence, the scheduling device determines that the first terminal device corresponding to the first protection address sequence is the attack source. In other words, when the protection address sequence length is 3, the scheduling device can lock onto the attack source after 2 attacks have occurred.
Optionally, after the scheduling device determines the attack source, the attack source is subjected to anti-attack processing. For example, the scheduling device does not provide a new protection IP address to the attack source, so that the attack source cannot continue to attack the new protection IP address. The scheduling device may also send the identifier of the attack source to a message forwarding device such as a gateway and a firewall, so that the message forwarding device can block, discard, and the like subsequent traffic sent by the attack source, or the message forwarding device sends the subsequent traffic sent by the attack source to a traffic cleaning device for cleaning. The subsequent specific anti-attack processing mode for the attack source can be configured by a network administrator through a strategy according to the actual situation.
In the process that the scheduling device identifies the attack source by using the defense method shown in fig. 5, since the attacked IP address is not available after the attack occurs, the service of other terminal devices may be affected. For example, the attacked IP address exists in other protection address sequences, and the IP address is an unused protection IP address in the other protection address sequences, it is assumed that after the scheduling device subsequently provides the attacked IP address to other terminal devices, the other terminal devices cannot actually access the web server through the attacked IP address. In order to avoid affecting the service of the normal terminal device, the embodiment of the present application further provides a method for defending against a denial of service attack, as shown in fig. 6.
The defense method depicted in fig. 6 is based on the defense method depicted in fig. 5, whereinsteps 501 to 507 are identical to those of fig. 5, and reference is made to the above description regarding fig. 5, and the description is not repeated here. In the embodiment of the application, in order to reduce the influence of the attack on the normal service, the scheduling device also maintains a standby protection IP address set. The standby protection IP addresses in the standby protection IP address set do not participate in generating the protection address sequence in a permutation mode, but are used for replacing the attacked protection IP addresses in the protection address sequences when an attack occurs, and particularly, when the attacked protection IP addresses are unused protection IP addresses in the protection address sequence, the standby protection IP addresses are used for replacing the attacked protection IP addresses.
For convenience of description, the guard IP address used in thestep 502 for generating the guard address sequence in the permutation mode is classified into the first guard address set. I.e. the guard IP addresses in the first set of guard addresses are guard IP addresses used for generating the sequence of guard addresses. And classifying the protection IP address which does not participate in the arrangement mode to generate the protection address sequence and is used for carrying out the replacement when the attack occurs into a second protection address set. The protection IP addresses in the first protection address set and the second protection address set are all IP addresses provided by the protection device and accessible to the terminal device. The network administrator can flexibly determine the number or proportion of the protection IP addresses in the first protection address set and the second protection address set according to the attacked history, the total number of the application clients and the requirement of the service provided by the website server on the stability. For example, if the history of the attack on the protection device is low, or the total number of the application clients is large, a larger number of protection IP addresses may be set in the first protection address set, and a smaller number of protection IP addresses may be set in the second protection address set, for example, 10 protection IP addresses are provided in total, 9 protection IP addresses are set in the first protection address set, and only 1 protection IP address is set in the second protection address set. 
For another example, if the protection device has historically been attacked frequently, or the service has a high stability requirement, a small number of protection IP addresses may be set in the second protection address set; for example, with 10 protection IP addresses in total, 7 are placed in the first protection address set and 3 in the second. Obviously, the first protection address set and the second protection address set do not overlap.
Referring to fig. 6, after the scheduling device acquires the attacked protection IP address in step 505, the embodiment of the present application further includes steps 508 to 509.
Step 508, the scheduling device obtains a protection IP address from the second protection address set.
In step 509, the scheduling device replaces the unused attacked protection IP address in the at least two protection address sequences with the obtained protection IP address. For example, assuming that the attacked protection IP address is a first protection IP address and the protection IP address obtained by the scheduling device from the second protection address set is a second protection IP address, the scheduling device replaces each unused occurrence of the first protection IP address in the at least two protection address sequences with the second protection IP address.
The defense method shown in fig. 5 and 6 will be described below with reference to two examples.
Example 1
The scheduling device maintains two protection address sets, namely a first protection address set and a second protection address set. The guard IP addresses in the first set of guard addresses are guard IP addresses used to generate a sequence of guard addresses. The protection IP addresses in the second protection address set do not participate in generating the protection address sequence in a permutation mode, and are used for replacing the attacked protection IP addresses in the protection address sequence when the attack occurs. The protection IP addresses in the first protection address set and the second protection address set are all IP addresses provided by the protection device and accessible to the terminal device.
The first protection address set comprises three protection IP addresses, namely IP 1, IP 2 and IP 3. The second protection address set comprises one protection IP address, IP 4.
According to the first protection address set, the protection address sequences generated by permutation are:
(1) IP 1-IP 2-IP 3
(2) IP 1-IP 3-IP 2
(3) IP 2-IP 1-IP 3
(4) IP 2-IP 3-IP 1
(5) IP 3-IP 1-IP 2
(6) IP 3-IP 2-IP 1
It is assumed that the scheduling device maps the 6 protection address sequences to 6 terminal devices that have sent a protection address acquisition request, and sends the first protection IP address of each protection address sequence to the corresponding terminal device. For example, referring to fig. 2, the scheduling device maps protection address sequence (1) to terminal device 301 and sends IP 1 from sequence (1) to terminal device 301; it maps protection address sequence (2) to terminal device 302 and sends IP 1 from sequence (2) to terminal device 302. The remaining 4 of the 6 terminal devices are handled in the same way.
After the returned address is marked as used, the protection address sequences are (the used address is the first address of each sequence):
(1) IP 1-IP 2-IP 3
(2) IP 1-IP 3-IP 2
(3) IP 2-IP 1-IP 3
(4) IP 2-IP 3-IP 1
(5) IP 3-IP 1-IP 2
(6) IP 3-IP 2-IP 1
When the scheduling device subsequently detects that IP 1 is attacked, it replaces the unused IP 1 in the 6 protection address sequences with IP 4; the resulting new protection address sequences are:
(1) IP 1-IP 2-IP 3
(2) IP 1-IP 3-IP 2
(3) IP 2-IP 4-IP 3
(4) IP 2-IP 3-IP 4
(5) IP 3-IP 4-IP 2
(6) IP 3-IP 2-IP 4
Since IP 1 is attacked and no longer available, terminal device 301 and terminal device 302 cannot access the web server through IP 1, so both send the protection address acquisition request to the scheduling device again. The scheduling device sends IP 2 from the replaced protection address sequence (1) to terminal device 301, and IP 3 from the replaced protection address sequence (2) to terminal device 302. After the newly returned addresses are marked as used, the protection address sequences are (used addresses: IP 1 and IP 2 in sequence (1), IP 1 and IP 3 in sequence (2), and the first address of each of sequences (3) to (6)):
(1) IP 1-IP 2-IP 3
(2) IP 1-IP 3-IP 2
(3) IP 2-IP 4-IP 3
(4) IP 2-IP 3-IP 4
(5) IP 3-IP 4-IP 2
(6) IP 3-IP 2-IP 4
The scheduling device then detects that IP 2 is attacked and generates the attacked address sequence "IP 1-IP 2". It compares the attacked address sequence "IP 1-IP 2" with protection address sequences (1) to (6) and judges, according to the attacked address sequence, whether the used protection IP addresses in each protection address sequence were attacked in sequence. The used protection IP addresses in protection address sequence (1), IP 1 and IP 2, were attacked in that order, so terminal device 301, to which protection address sequence (1) is mapped, is determined to be the attack source.
Example 2
To cope with the case in which several protection IP addresses are attacked, the same number of protection IP addresses can be placed in the first protection address set and the second protection address set, i.e. a standby address is provided for each protection IP address in the first protection address set. As in example 1, the protection IP addresses in the first protection address set are those used to generate the protection address sequences. The protection IP addresses in the second protection address set do not take part in generating the protection address sequences by permutation, and are used to replace attacked protection IP addresses in the protection address sequences when an attack occurs. The protection IP addresses in both sets are IP addresses provided by the protection device and accessible to the terminal devices.
The first protection address set comprises three protection IP addresses, namely IP 1, IP 2 and IP 3. The second protection address set comprises three protection IP addresses, namely IP 4, IP 5 and IP 6.
According to the first protection address set, the protection address sequences generated by permutation are:
(1) IP 1-IP 2-IP 3
(2) IP 1-IP 3-IP 2
(3) IP 2-IP 1-IP 3
(4) IP 2-IP 3-IP 1
(5) IP 3-IP 1-IP 2
(6) IP 3-IP 2-IP 1
It is assumed that the scheduling device maps the 6 protection address sequences to 6 terminal devices that have sent a protection address acquisition request, and sends the first protection IP address of each protection address sequence to the corresponding terminal device. For example, referring to fig. 2, the scheduling device maps protection address sequence (1) to terminal device 301 and sends IP 1 from sequence (1) to terminal device 301; it maps protection address sequence (2) to terminal device 302 and sends IP 1 from sequence (2) to terminal device 302. The remaining 4 of the 6 terminal devices are handled in the same way.
After the returned address is marked as used, the protection address sequences are (the used address is the first address of each sequence):
(1) IP 1-IP 2-IP 3
(2) IP 1-IP 3-IP 2
(3) IP 2-IP 1-IP 3
(4) IP 2-IP 3-IP 1
(5) IP 3-IP 1-IP 2
(6) IP 3-IP 2-IP 1
The scheduling device subsequently detects that IP 1, IP 2 and IP 3 are attacked in sequence. It replaces the unused IP 1 in the 6 protection address sequences with IP 4, the unused IP 2 with IP 5, and the unused IP 3 with IP 6; the resulting new protection address sequences are:
(1) IP 1-IP 5-IP 6
(2) IP 1-IP 6-IP 5
(3) IP 2-IP 4-IP 6
(4) IP 2-IP 6-IP 4
(5) IP 3-IP 4-IP 5
(6) IP 3-IP 5-IP 4
Since IP 1 is attacked and no longer available, terminal device 301 and terminal device 302 cannot access the web server through IP 1, so both send the protection address acquisition request to the scheduling device again. The scheduling device sends IP 5 from the replaced protection address sequence (1) to terminal device 301, and IP 6 from the replaced protection address sequence (2) to terminal device 302. After the newly returned addresses are marked as used, the protection address sequences are (used addresses: IP 1 and IP 5 in sequence (1), IP 1 and IP 6 in sequence (2), and the first address of each of sequences (3) to (6)):
(1) IP 1-IP 5-IP 6
(2) IP 1-IP 6-IP 5
(3) IP 2-IP 4-IP 6
(4) IP 2-IP 6-IP 4
(5) IP 3-IP 4-IP 5
(6) IP 3-IP 5-IP 4
The scheduling device then detects that IP 5 and IP 6 are attacked at the same time, and generates the attacked address sequence "IP 1-IP 2-IP 3-IP 5-IP 6". It compares this attacked address sequence with protection address sequences (1) to (6) to determine whether the used protection IP addresses in each protection address sequence were attacked in sequence. The used protection IP addresses in protection address sequence (1), "IP 1-IP 5", were attacked in sequence, so terminal device 301, to which protection address sequence (1) is mapped, is determined to be an attack source. The used protection IP addresses in protection address sequence (2), "IP 1-IP 6", were also attacked in sequence, so terminal device 302, to which protection address sequence (2) is mapped, is also determined to be an attack source.
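The bookkeeping of steps 508 to 509 and of examples 1 and 2 above, as an added Python model that is not code from the patent: permutation-generated sequences, per-terminal assignment, replacement of unused attacked addresses from the second set, and the in-order check against the attacked address sequence. The threshold of 2 used addresses (claim 6 leaves its value open), the terminal identifiers T301 to T306, and reading "attacked in sequence" as an ordered-subsequence match are assumptions made here.

```python
from itertools import permutations


def attacked_in_order(used_addrs, attacked_seq):
    """True if every used address occurs in the attacked address sequence in
    the same relative order (assumed reading of 'attacked in sequence')."""
    remaining = iter(attacked_seq)
    return all(addr in remaining for addr in used_addrs)


class Scheduler:
    """Model of the scheduling device's state (claims 1 to 6, steps 508-509)."""

    def __init__(self, first_set, second_set, threshold=2):
        # Claim 3: candidate sequences are the permutations of the first set.
        self.sequences = [list(p) for p in permutations(first_set)]
        self.used = [0] * len(self.sequences)   # addresses returned per sequence
        self.standby = list(second_set)         # second set: replacements only
        self.mapping = {}                       # terminal id -> sequence index
        self.attacked = []                      # attacked address sequence, time order
        self.threshold = threshold              # claim 6 threshold (assumed value: 2)

    def request_address(self, terminal_id):
        """Claims 1 and 5: bind an unselected sequence to a new terminal, then
        return the first unused address of its sequence (None if none is left)."""
        if terminal_id not in self.mapping:
            taken = set(self.mapping.values())
            free = [i for i in range(len(self.sequences)) if i not in taken]
            if not free:
                return None                     # no alternative sequence left
            self.mapping[terminal_id] = free[0]
        idx = self.mapping[terminal_id]
        if self.used[idx] == len(self.sequences[idx]):
            return None                         # every address already returned
        addr = self.sequences[idx][self.used[idx]]
        self.used[idx] += 1
        return addr

    def report_attack(self, *ips):
        """Record attacked addresses in time order; for each, replace its unused
        occurrences in every sequence with one address from the second set."""
        for ip in ips:
            if ip not in self.attacked:
                self.attacked.append(ip)
            if not self.standby:
                continue                        # second set exhausted: no replacement
            replacement = self.standby.pop(0)
            for idx, seq in enumerate(self.sequences):
                for pos in range(self.used[idx], len(seq)):   # unused part only
                    if seq[pos] == ip:
                        seq[pos] = replacement

    def attack_sources(self):
        """Terminals whose used addresses were all attacked, in sequence."""
        sources = []
        for terminal_id, idx in self.mapping.items():
            used_addrs = self.sequences[idx][:self.used[idx]]
            if len(used_addrs) < self.threshold:
                continue                        # too few used addresses to judge
            if attacked_in_order(used_addrs, self.attacked):
                sources.append(terminal_id)
        return sources


def run_example_1():
    """Example 1: one standby address; IP 1 and then IP 2 are attacked."""
    s = Scheduler(["IP 1", "IP 2", "IP 3"], ["IP 4"])
    for t in [f"T{n}" for n in range(301, 307)]:   # constructed terminal ids
        s.request_address(t)
    s.report_attack("IP 1")
    s.request_address("T301")                   # receives IP 2
    s.request_address("T302")                   # receives IP 3
    s.report_attack("IP 2")
    return s, s.attack_sources()


def run_example_2():
    """Example 2: a standby per address; IP 1, IP 2, IP 3, then IP 5 and IP 6."""
    s = Scheduler(["IP 1", "IP 2", "IP 3"], ["IP 4", "IP 5", "IP 6"])
    for t in [f"T{n}" for n in range(301, 307)]:
        s.request_address(t)
    s.report_attack("IP 1", "IP 2", "IP 3")
    s.request_address("T301")                   # receives IP 5
    s.request_address("T302")                   # receives IP 6
    s.report_attack("IP 5", "IP 6")
    return s, s.attack_sources()


if __name__ == "__main__":
    for run in (run_example_1, run_example_2):
        s, sources = run()
        print(run.__name__, "attacked:", s.attacked, "sources:", sources)
```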
As these examples show, whether a DoS attack or a DDoS attack is used, the defense method provided by the embodiment of the application can quickly identify the attack sources at an early stage of the attack and prevent all protection IP addresses from being attacked. This improves the chance of applying anti-attack processing early against a DoS or DDoS attack, and improves the service stability of the website server. Because only a limited number of protection IP addresses is needed in the process, the method is a low-cost defense scheme.
The embodiment of the application also provides an attack defense system, and a schematic diagram of the attack defense system is shown in fig. 2. The attack defense system comprises a scheduling device and at least one protection device. Please refer to the description in the foregoing embodiments for the functions of the scheduling device and the at least one protection device, and the interaction process therebetween, which are not described herein again.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope of the invention. Thus, to the extent that such modifications and variations of the present application fall within the scope of the claims, it is intended that the present invention encompass such modifications and variations as well.

Claims (14)

1. An attack defense method, applied to an attack defense system, wherein the attack defense system comprises a scheduling device and at least one protection device, the protection device is disposed between a first terminal device and a protected website server, the at least one protection device provides a plurality of protection Internet Protocol (IP) addresses, and the first terminal device accesses the website server through the protection IP addresses, the method comprising:
the scheduling device receives a protection address acquisition request from the first terminal device, obtains a first protection address sequence corresponding to the identifier of the first terminal device according to the identifier of the first terminal device contained in the protection address acquisition request, obtains a first unused protection IP address from the first protection address sequence according to the storage order of the IP addresses, and returns the obtained unused protection IP address to the first terminal device, wherein the first protection address sequence comprises at least two protection IP addresses stored in order, and an unused protection IP address refers to a protection IP address that has not been returned to the first terminal device;
if the protection device is attacked, the scheduling device acquires the attacked protection IP address and generates an attacked address sequence according to the time order of the attacks, wherein the attacked address sequence comprises at least two different attacked protection IP addresses;
the scheduling device judges, according to the attacked address sequence, whether the used protection IP addresses in the first protection address sequence were all attacked in sequence; and
if the used protection IP addresses in the first protection address sequence were attacked in sequence, acquiring the identifier of the first terminal device corresponding to the first protection address sequence, and determining that the first terminal device is an attack source.
2. The method of claim 1, wherein before the scheduling device receives the guard address acquisition request from the first terminal device, the method further comprises:
the scheduling device generates at least two protection address sequences according to the plurality of protection IP addresses, wherein the at least two protection address sequences comprise the first protection address sequence.
3. The method of claim 2, wherein generating at least two guard address sequences comprises:
the scheduling device generates at least two different protection address sequences by permutation according to the plurality of protection IP addresses.
4. The method according to claim 2 or 3, wherein the plurality of protection IP addresses respectively belong to a first protection address set and a second protection address set that do not overlap, and the at least two protection address sequences are generated from the protection IP addresses in the first protection address set;
after the scheduling device acquires the attacked protection IP address, the method further comprises:
the scheduling device obtains a protection IP address from the second protection address set; and
the scheduling device replaces the unused attacked protection IP address in the at least two protection address sequences with the obtained protection IP address.
5. The method according to claim 2 or 3, wherein obtaining the first protection address sequence corresponding to the identifier of the first terminal device according to the identifier of the first terminal device comprises:
the scheduling device searches, according to the identifier of the first terminal device, whether a protection address sequence corresponding to the identifier of the first terminal device exists;
if no protection address sequence corresponding to the identifier of the first terminal device exists, selecting a protection address sequence from the alternative protection address sequences and taking the selected protection address sequence as the first protection address sequence corresponding to the identifier of the first terminal device, wherein the alternative protection address sequences are those of the at least two protection address sequences that have not yet been selected; and
if a protection address sequence corresponding to the identifier of the first terminal device exists, taking the found protection address sequence as the first protection address sequence.
6. The method according to any one of claims 1 to 3, wherein judging whether the used protection IP addresses in the first protection address sequence were attacked in sequence comprises:
when it is determined that the number of used protection IP addresses in the first protection address sequence exceeds a threshold, judging whether the used protection IP addresses in the first protection address sequence were attacked in sequence, wherein the threshold is determined according to the total number of protection IP addresses contained in the first protection address sequence.
7. The method of any of claims 1 to 3, wherein after determining that the first terminal device is the attack source, the method further comprises:
performing anti-attack processing on the attack source.
8. The method of claim 7, wherein the anti-attack processing on the attack source comprises: the scheduling device stops returning protection IP addresses to the attack source.
9. An attack defense device comprising a memory, a network interface and at least one processor, wherein
the memory is configured to store a plurality of protection Internet Protocol (IP) addresses, the protection IP addresses are provided by a protection device deployed between a first terminal device and a protected website server, and the first terminal device accesses the website server through the protection IP addresses;
the network interface is configured to receive a protection address acquisition request from the first terminal device;
the memory is further configured to store program code; and
the at least one processor is configured to read the program code stored in the memory and perform the following:
obtaining a first protection address sequence corresponding to the identifier of the first terminal device according to the identifier of the first terminal device included in the protection address acquisition request, obtaining a first unused protection IP address from the first protection address sequence according to the storage order of the IP addresses, and returning the obtained unused protection IP address to the first terminal device through the network interface, wherein the first protection address sequence comprises at least two protection IP addresses stored in order, and an unused protection IP address refers to a protection IP address that has not been returned to the first terminal device;
if the protection device is attacked, acquiring the attacked protection IP address and generating an attacked address sequence according to the time order of the attacks, wherein the attacked address sequence comprises at least two different attacked protection IP addresses;
judging, according to the attacked address sequence, whether the used protection IP addresses in the first protection address sequence were all attacked in sequence; and
if the used protection IP addresses in the first protection address sequence were attacked in sequence, acquiring the identifier of the first terminal device corresponding to the first protection address sequence, and determining that the first terminal device is an attack source.
10. The attack defense device according to claim 9, wherein the processor, upon reading the program code stored in the memory, further performs the following:
before the network interface receives the protection address acquisition request, generating at least two protection address sequences according to the protection IP addresses, wherein the at least two protection address sequences comprise the first protection address sequence.
11. The attack defense device according to claim 10, wherein the plurality of protection IP addresses respectively belong to a first protection address set and a second protection address set that do not overlap, the first protection address sequence being generated from the protection IP addresses in the first protection address set;
after reading the program code stored in the memory, the processor further performs the following operations:
after the attacked protection IP address is obtained, obtaining a protection IP address from the second protection address set; and
replacing the unused attacked protection IP address in the at least two protection address sequences with the obtained protection IP address.
12. The attack defense device according to claim 10 or 11, characterized in that the processor, after reading the program code stored in the memory, further performs the following operations:
searching, according to the identifier of the first terminal device, whether a protection address sequence corresponding to the identifier of the first terminal device exists;
if no protection address sequence corresponding to the identifier of the first terminal device exists, selecting a protection address sequence from the alternative protection address sequences and taking the selected protection address sequence as the first protection address sequence corresponding to the identifier of the first terminal device, wherein the alternative protection address sequences are those of the at least two protection address sequences that have not yet been selected; and
if a protection address sequence corresponding to the identifier of the first terminal device exists, taking the found protection address sequence as the first protection address sequence.
13. An attack defense device, comprising:
a storage unit, configured to store a plurality of protection IP addresses, where the plurality of protection IP addresses are provided by a protection device deployed between a first terminal device and a protected web server, and the first terminal device accesses the web server through the protection IP addresses;
a receiving unit, configured to receive a protection address acquisition request from the first terminal device;
a processing unit, configured to obtain a first protection address sequence corresponding to an identifier of the first terminal device according to the identifier of the first terminal device included in the protection address obtaining request, obtain a first unused protection IP address from the first protection address sequence according to a storage order of IP addresses, and return the obtained unused protection IP address to the first terminal device through a sending unit, where the first protection address sequence includes at least two protection IP addresses stored in order, and the unused protection IP address refers to a protection IP address that has not been returned to the first terminal device;
the processing unit is further used for acquiring the attacked protection IP address and generating an attacked address sequence according to the time sequence of the attack if the protection device is attacked, wherein the attacked address sequence comprises at least two different attacked protection IP addresses;
judging whether the used protection IP addresses in the first protection address sequence are all attacked in sequence or not according to the attacked address sequence;
and if the used protection IP addresses in the first protection address sequence are attacked in sequence, acquiring the identifier of the first terminal equipment corresponding to the first protection address sequence, and determining that the first terminal equipment is an attack source.
14. An attack defense system comprising a scheduling device and at least one protection device, the protection device being disposed between a first terminal device and a protected web server, the at least one protection device providing a plurality of protection Internet Protocol (IP) addresses through which the first terminal device accesses the web server, wherein
the scheduling device is configured to receive a protection address acquisition request from the first terminal device, obtain a first protection address sequence corresponding to the identifier of the first terminal device according to the identifier of the first terminal device included in the protection address acquisition request, obtain a first unused protection IP address from the first protection address sequence according to the storage order of the IP addresses, and return the obtained unused protection IP address to the first terminal device, wherein the first protection address sequence comprises at least two protection IP addresses stored in order, and an unused protection IP address refers to a protection IP address that has not been returned to the first terminal device;
if the protection device is attacked, the scheduling device acquires the attacked protection IP address and generates an attacked address sequence according to the time order of the attacks, wherein the attacked address sequence comprises at least two different attacked protection IP addresses;
the scheduling device judges, according to the attacked address sequence, whether the used protection IP addresses in the first protection address sequence were all attacked in sequence; and
if the used protection IP addresses in the first protection address sequence were attacked in sequence, the scheduling device acquires the identifier of the first terminal device corresponding to the first protection address sequence and determines that the first terminal device is an attack source.
Application CN201811620997.5A, priority date 2018-12-28, filing date 2018-12-28: Attack defense method and attack defense device (Active, CN111385248B)

Publications (2)
CN111385248A (en), published 2020-07-07
CN111385248B (en), published 2021-07-09


Legal Events
PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
