
CN107528811A - The response method and device of request - Google Patents

Info

Publication number: CN107528811A
Authority: CN (China)
Prior art keywords: response information, http response, http, information, content
Legal status: Withdrawn
Application number: CN201610450731.5A
Other languages: Chinese (zh)
Inventor: 孔勇
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201610450731.5A
Priority to PCT/CN2017/079731 (WO2017219733A1)
Publication of CN107528811A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a request response method and device. The method includes: when a Hypertext Transfer Protocol (HTTP) request carrying attack information is received from an attacker, forwarding the HTTP request to a destination server; obtaining from the destination server the HTTP response information corresponding to the HTTP request, and scrambling the HTTP response information; and sending the scrambled HTTP response information to the attacker. This technical solution solves the problem in the related art that anti-attack measures always take remedial action only after an attack has occurred, so that remedial action can be taken as soon as the attacker launches the attack.

Description

Request response method and device

Technical field

The present invention relates to the field of communications, and in particular to a request response method and device.

Background

Today, as Internet penetration keeps rising, the network is everywhere in daily life. From the era of the personal computer (PC) to the era of the mobile Internet and on to the coming era of the Internet of Things, people have benefited greatly from the convenience and speed the network brings. However, neither ordinary Internet users nor IT companies have treated network security as something to be dealt with before trouble occurs; in most cases the fold is mended only after the sheep are lost. In recent years, frequent attacks on networks have sounded the alarm for network security. Although people have adopted various methods and tools to strengthen the security of network communication, the number of successful attacks keeps rising. Among the better-known network security incidents of recent years is the vulnerability in a certain travel application: secure-payment logs could be easily downloaded, leaking the bank card information of a large number of users (including cardholder name and ID number, bank card number, card CVV code, and 6-digit card BIN). As soon as the vulnerability was disclosed, it set off heated discussion of the fact that "e-commerce websites store sensitive information such as users' credit cards, with a risk of leakage". Other incidents include the leak of 14 million express-delivery records, a large data leak from a trading website, the leak of 5 million account records, the theft of a film company's shooting plans, celebrities' private information, unpublished scripts and other sensitive information, and the leak of a ticket-booking website's user data including ID card and password information. This series of incidents has raised the importance of network security to an unprecedented level.

At present, Internet users are most concerned about security problems involving property and information privacy; their top three concerns are insecure online payment, information leakage, and account theft.

Because networks were designed from the outset to be open, interconnected, and shared, today's networks are insecure and are frequently attacked and damaged. New attack techniques and methods keep multiplying and changing.

Traditional firewalls and intrusion detection systems are passive, static means of defense. Faced with a constant stream of new attack methods, traditional passive defenses are increasingly inadequate: they often react only after the system has been attacked, so remedial measures always come after the attack has occurred.

No effective solution has yet been proposed for the problem in the related art that anti-attack measures always take remedial action only after an attack has occurred.

Summary of the invention

Embodiments of the present invention provide a request response method and device, so as to at least solve the problem in the related art that anti-attack measures always take remedial action only after an attack has occurred.

According to one aspect of the present invention, a request response method is provided, including:

when a Hypertext Transfer Protocol (HTTP) request carrying attack information is received from an attacker, forwarding the HTTP request to a destination server; obtaining from the destination server the HTTP response information corresponding to the HTTP request, and scrambling the HTTP response information; and sending the scrambled HTTP response information to the attacker.

Optionally, before the HTTP response information is scrambled, the method further includes:

determining whether the HTTP request is within the scope of the scrambling processing, and if so, scrambling the HTTP response information.

Optionally, scrambling the HTTP response information includes: scrambling the header and the body of the HTTP response information.

Optionally, scrambling the header and the body of the HTTP response information includes: adding predefined scrambling content to the body of the HTTP response information; and changing the content-length field in the header to the content length after the scrambling content has been added.

Optionally, the scrambling content includes: hidden attribute information and fake hyperlinks.

Optionally, the method further includes: backing up log audit information to a message queue implemented on an in-memory database.

According to another aspect of the present invention, a request response device is also provided, including:

a forwarding module, configured to forward an HTTP request to a destination server when the HTTP request, carrying attack information, is received from an attacker; an obtaining module, configured to obtain from the destination server the HTTP response information corresponding to the HTTP request; a scrambling processing module, configured to scramble the HTTP response information; and a sending module, configured to send the scrambled HTTP response information to the attacker.

Optionally, the device further includes: a judging module, configured to determine whether the HTTP request is within the scope of the scrambling processing, and if so, to have the HTTP response information scrambled.

Optionally, the scrambling processing module is configured to scramble the header and the body of the HTTP response information.

Optionally, the scrambling processing module includes: an adding unit, configured to add predefined scrambling content to the body of the HTTP response information; and a modifying unit, configured to change the content-length field in the header to the content length after the scrambling content has been added.

With the present invention, when an HTTP request carrying attack information is received from an attacker, the HTTP request is forwarded to the destination server; the HTTP response information corresponding to the HTTP request is obtained from the destination server and scrambled; and the scrambled HTTP response information is sent to the attacker. This technical solution solves the problem in the related art that anti-attack measures always take remedial action only after an attack has occurred, so that remedial action can be taken as soon as the attacker launches the attack.

Brief description of the drawings

The drawings described here are provided for a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their descriptions are used to explain the present invention and do not unduly limit it. In the drawings:

Figure 1 is a flowchart of the request response method according to an embodiment of the present invention;

Figure 2 is a structural block diagram of the request response device according to an embodiment of the present invention;

Figure 3 is another structural block diagram of the request response device according to an embodiment of the present invention;

Figure 4 is a network topology diagram according to an embodiment of the present invention;

Figure 5 is an execution flowchart of the security gateway according to an embodiment of the present invention.

Detailed description

The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another.

It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence.

The steps shown in the flowcharts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions. Although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order.

Embodiment 1

An embodiment of the present invention provides a request response method. Figure 1 is a flowchart of the request response method according to an embodiment of the present invention. As shown in Figure 1, it includes the following steps:

Step S102: when an HTTP request carrying attack information is received from an attacker, forward the HTTP request to the destination server;

Step S104: obtain from the destination server the HTTP response information corresponding to the HTTP request, and scramble the HTTP response information;

Step S106: send the scrambled HTTP response information to the attacker.

Through the above steps, when an HTTP request carrying attack information is received from an attacker, the HTTP request is forwarded to the destination server; the HTTP response information corresponding to the HTTP request is obtained from the destination server and scrambled; and the scrambled HTTP response information is sent to the attacker. This technical solution solves the problem in the related art that anti-attack measures always take remedial action only after an attack has occurred, so that remedial action can be taken as soon as the attacker launches the attack, which greatly improves the reliability of web pages.

Before step S104 is executed, an embodiment of the present invention may also do the following: determine whether the HTTP request is within the scope of the scrambling processing, and if so, scramble the HTTP response information. In practice, what the scope of the scrambling processing covers must be configured in advance; when an HTTP request carrying attack information is received from an attacker, it can then be determined whether that HTTP request falls within the scope.

In an optional embodiment, the scrambling in step S104 may be implemented as follows: scramble the header and the body of the HTTP response information. Specifically, add predefined scrambling content to the body of the HTTP response information, and change the content-length field in the header to the content length after the scrambling content has been added. The scrambling content includes hidden attribute information and fake hyperlinks.

Optionally, the above method further includes: backing up log audit information to a message queue implemented on an in-memory database.

With the above technical solution of the embodiments of the present invention, an attacker who is collecting the structure information and sensitive pages of a Web application site before an attack is returned information to which scrambling content has been added; after an attack has occurred, an off-site backup of the attack scene is completed covertly. This lures and confuses the attacker, increases the cost and time of the attack, and effectively prevents the leakage of server information.

From the description of the above implementations, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods of the embodiments of the present invention.

Embodiment 2

This embodiment also provides a request response device, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.

Figure 2 is a structural block diagram of the request response device according to an embodiment of the present invention. As shown in Figure 2, the device includes:

a forwarding module 20, configured to forward an HTTP request to the destination server when the HTTP request, carrying attack information, is received from an attacker;

an obtaining module 22, configured to obtain from the destination server the HTTP response information corresponding to the HTTP request;

a scrambling processing module 24, configured to scramble the HTTP response information;

a sending module 26, configured to send the scrambled HTTP response information to the attacker.

Through the combined action of the above modules, when an HTTP request carrying attack information is received from an attacker, the HTTP request is forwarded to the destination server; the HTTP response information corresponding to the HTTP request is obtained from the destination server and scrambled; and the scrambled HTTP response information is sent to the attacker. This technical solution solves the problem in the related art that anti-attack measures always take remedial action only after an attack has occurred, so that remedial action can be taken as soon as the attacker launches the attack, which greatly improves the reliability of web pages.

Figure 3 is another structural block diagram of the request response device according to an embodiment of the present invention. As shown in Figure 3, the device includes:

a judging module 28, configured to determine whether the HTTP request is within the scope of the scrambling processing, and if so, to have the HTTP response information scrambled.

Optionally, the scrambling processing module 24 is configured to scramble the header and the body of the HTTP response information. As shown in Figure 3, the scrambling processing module 24 includes: an adding unit 240, configured to add predefined scrambling content to the body of the HTTP response information; and a modifying unit 242, configured to change the content-length field in the header to the content length after the scrambling content has been added.

It should be noted that each of the above modules may be implemented in software or hardware. For the latter, this may be done in, but is not limited to, the following ways: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.

For a better understanding of the above request response process, it is described below in conjunction with a preferred embodiment, which is not intended to limit the embodiments of the present invention.

The purpose of the preferred embodiment of the present invention is to provide a method for scrambling web page content and backing up log audit information, which applies active defensive processing to HTTP response content and to Web server log audit information. It mainly includes the following steps:

Step 1: Set up a reverse proxy server between the Web server and the user (as shown in Figure 4). The reverse proxy server is implemented on Nginx. Message forwarding and routing rules are implemented on the reverse proxy server, after which all messages between the user and the Web server are processed and forwarded by the reverse proxy server, which is transparent and invisible to both the user and the server;

Step 2: Configure Nginx-based functional modules on the reverse proxy server, consisting of two parts: an HTTP response content scrambling module and a server log audit information backup module. At the fine-grained level the two modules execute serially, that is, the server log audit information backup module processes the server log audit information after the HTTP response content scrambling module has taken effect; the processing flow is shown in Figure 2. Modify the configuration file to determine the scope (all HTTP requests, all requests answered by the Web server, a specified URI, and so on), the functional modules, and the execution directives; complete the compilation and installation; after the functional modules have been added, restart the reverse proxy server so that they take effect;

Step 3: The attacker sends a request to the server, or uses a vulnerability scanning tool to probe or attack, and the HTTP request reaches the reverse proxy server. The reverse proxy server obtains the request content and forwards the request to the upstream server. The upstream server constructs the response content for the HTTP request, including the response header and body, and sends it to the reverse proxy server;

Step 4: The web page content scrambling module on the reverse proxy server obtains the content of the HTTP response packet and scrambles the HTTP response content. This step is implemented through the following sub-steps:

(4.1) Check the server configuration file to determine whether this request is within the scope of the content scrambling module; if not, jump to step 6;

(4.2) If this request is within the scope of the module, start the content scrambling module and hand the request over to it for processing;

(4.3) The content scrambling module first reads the configuration item in the configuration file, that is, whether the configuration switch for adding scrambling content is turned on; it then retrieves and processes the HTTP response header and body to carry out the content scrambling function. This step is divided into the following sub-steps, as shown in Figure 5:

It should be noted that the step descriptions in Figure 5 serve only to explain steps (4.3.1) through 6 below and do not limit the embodiments of the present invention; Figure 5 can also be understood as the concrete implementation flow of the content scrambling function in step S4.3.

(4.3.1) Parse the information in the HTTP response header and determine whether the Content Type is text/plain; if so, set the configuration item ctx->add_prefix in this module's context information to 1; if not, jump to step 5. Only the HTML content of web pages is processed here; processing responses in other formats, such as image files or CSS files, would prevent the images and CSS files from being parsed correctly;

(4.3.2) Modify the content length field in the HTTP response header by adding the length of the scrambling content to the original value, so that the HTTP response body is complete;

(4.3.3) While the HTTP body is being processed, add the scrambling content. This step includes the following sub-steps:

(4.3.3.1) Define the scrambling content to be added. The scrambling content includes a hidden attribute and several fake hyperlinks, each of which points to a fake URL. The hidden attribute is added so that normal users' browsing of the website is not affected. Responses to requests for the fake links also pass through content scrambling, so a Web scanner falls into an endless loop of fake links and cannot obtain the real website structure or sensitive page information. In brief, the scrambling content looks like this:

/* Scrambling content prepended to the response body: a hidden block of
   filler text and fake hyperlinks. */
static ngx_str_t filter_prefix = ngx_string(
    "<div style='display:none;'><p>'Can you come to-morrow?'"
    "<a href='base.php?rub='>Traffic Analysis for</a>unpardonable in me.'"
    "<a href='buy'>Your password is*Remember this for later use</a>"
    "Elizabeth felt herself completely taken in. She had fully proposed being"
    "<a href='view.php?b='>appSettings</a>upon yourself alone.'"
    "<a href='freedownload.asp?bookid='>Warning:*am able*write**configuration file</a>"
    "attending it, and occasionally from some peevish allusions of her"
    "<a href='index2.php?p='>Most Submitted Forms and Scripts</a>"
    "very tender affection for Bingley.Having never even fancied herself"
    "<a href='config.php?_CCFG[_PKG_PATH_DBSE]='>This summary was generated by wwwstat</a>"
    "tears and lamentations of regret, invectives against the villainous"
    "<a href='path.php?pre='>WebSTARMail-Please Log In</a>"
    "her, after his return from</p></div>");

(4.3.3.2) Check whether add_prefix in the context is 1. If it is 1, processing is required; otherwise, skip to step 5.

(4.3.3.3) Set add_prefix in the context information to 2, indicating that the response has already been processed, to prevent repeated processing.

(4.3.3.4) Allocate an ngx_chain_t linked list from the memory pool and add the obfuscation content defined above to the head of the list, that is, to the beginning of the HTTP response body.
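The following is an added example, not code from the patent: a self-contained C model of sub-steps 4.3.3.2 to 4.3.3.4 together with the Content-Length adjustment described in the claims. The types chain_t and filter_ctx_t, the function names and the shortened decoy string are assumptions standing in for nginx's ngx_chain_t, the module's request context and filter_prefix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for ngx_chain_t and the module's request context. */
typedef struct chain_s { const char *data; size_t len; struct chain_s *next; } chain_t;
typedef struct {
    int add_prefix;       /* 0 = skip, 1 = pending, 2 = already added */
    long content_length;  /* -1 if upstream declared none */
} filter_ctx_t;

#define LIT(s) { s, sizeof(s) - 1, NULL }
/* Constructed decoy, shortened from the page's filter_prefix. */
static const char DECOY[] =
    "<div style='display:none;'><a href='view.php?b='>appSettings</a></div>";

/* Header phase: mark the request and declare the enlarged body length. */
static void header_filter(filter_ctx_t *ctx, int in_scope)
{
    ctx->add_prefix = in_scope ? 1 : 0;
    if (ctx->add_prefix && ctx->content_length >= 0)
        ctx->content_length += (long)(sizeof(DECOY) - 1);
}

/* Body phase, called once per chunk: prepend the decoy exactly once. */
static int body_filter(filter_ctx_t *ctx, chain_t **in)
{
    chain_t *head;
    if (ctx->add_prefix != 1) return 0;      /* out of scope, or already done */
    head = malloc(sizeof(*head));
    if (head == NULL) return -1;             /* abort: length was already declared */
    head->data = DECOY;
    head->len = sizeof(DECOY) - 1;
    head->next = *in;                        /* decoy becomes the head of the chain */
    *in = head;
    ctx->add_prefix = 2;                     /* later chunks pass through untouched */
    return 0;
}

static size_t chain_len(const chain_t *c)
{
    size_t n = 0;
    for (; c != NULL; c = c->next) n += c->len;
    return n;
}

/* Run a two-chunk response through both phases; returns bytes sent (-1 on error). */
static long simulate(int in_scope, long *declared)
{
    chain_t c1 = LIT("<html><body>"), c2 = LIT("</body></html>");
    chain_t *chunks[2] = { &c1, &c2 };
    filter_ctx_t ctx = { 0, (long)(c1.len + c2.len) };
    long sent = 0; int i;
    header_filter(&ctx, in_scope);
    for (i = 0; i < 2; i++) {
        chain_t *out = chunks[i];
        if (body_filter(&ctx, &out) != 0) return -1;
        sent += (long)chain_len(out);
        if (out != chunks[i]) free(out);     /* heap-allocated decoy link */
    }
    *declared = ctx.content_length;
    return sent;
}

int main(void)
{
    long declared = 0, sent = simulate(1, &declared);
    printf("sent=%ld declared=%ld\n", sent, declared);
    return sent == declared ? 0 : 1;
}
```

Without the 1-to-2 transition the decoy would be prepended to every body chunk, and the bytes sent would no longer match the Content-Length declared in the header phase.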

Step 5: The log audit information backup module on the reverse proxy server writes messages in a custom format into a message queue implemented on the in-memory database redis and allows them to be read from a remote location, completing the remote backup and reading of the log audit information. This step is implemented through the following sub-steps:

(5.1) Embed redis in the Nginx module: install redis and the redis C client on the reverse proxy server.

(5.2) Initialize the redis connection in the log audit information backup module and use a PING heartbeat to confirm that the connection succeeded; if the connection fails, perform error handling and skip to step 6.

(5.3) Create the message queue and determine its name. Different modules have different message queues, which makes classification and statistics easier when reading.

(5.4) Format the scene information that needs to be stored, then write it into the message queue created in the previous step with the redisCommand command, using the list data type.

(5.5) After the scene information has been stored, close the redis connection and, following the order defined by the HTTP framework, forward the HTTP response header and body to the next HTTP filter module.

(5.6) The scene information is now stored in the message queue of the log audit information backup module; next, the scene information is read. It can be read repeatedly or consumed once, depending on the needs of the consumer, such as a mail service, an SMS service or a log backup service. This step is divided into the following sub-steps:

(5.6.1) Install the phpredis extension in the PHP of the local client; alternatively, install the redis extension that matches the language used by the local server, such as Java or C#.

(5.6.2) Initialize the redis connection, with the host address set to the IP address of the reverse proxy server, and use the PING command to confirm that the connection succeeded.

(5.6.3) Specify the name of the message queue to be read, that is, the queue name specified in step 5.3. After setting the read mode, read the scene information; it can be read one record at a time, or a read range can be set for batch reading. It can be seen that the scene information has also been completely preserved on the reverse proxy server.
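The following is an added example, not code from the patent: it builds by hand the RESP frame that a redis client sends for the LPUSH of step 5.4, and walks it by declared lengths the way the server does, to show that an audit record containing spaces or CRLF (for instance from a request URI) remains a single list element. The queue name scan_audit, the record layout and all function names are assumptions; the record is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Append one RESP bulk string "$<len>\r\n<bytes>\r\n"; returns the new offset or -1. */
static int put_bulk(char *out, size_t cap, int off, const char *s, size_t n)
{
    int w;
    if (off < 0 || (size_t)off >= cap) return -1;
    w = snprintf(out + off, cap - (size_t)off, "$%lu\r\n", (unsigned long)n);
    if (w < 0 || (size_t)off + (size_t)w + n + 2 > cap) return -1;
    memcpy(out + off + w, s, n);             /* payload copied verbatim, any bytes */
    memcpy(out + off + w + n, "\r\n", 2);
    return off + w + (int)n + 2;
}

/* Encode LPUSH <queue> <record> as a three-element RESP array. */
static int encode_lpush(char *out, size_t cap, const char *queue,
                        const char *rec, size_t rec_len)
{
    int off = snprintf(out, cap, "*3\r\n");
    if (off < 0 || (size_t)off >= cap) return -1;
    off = put_bulk(out, cap, off, "LPUSH", 5);
    off = put_bulk(out, cap, off, queue, strlen(queue));
    return put_bulk(out, cap, off, rec, rec_len);
}

/* Walk a frame by its declared lengths; returns the argument count or -1. */
static int resp_argc(const char *p, size_t n)
{
    size_t i = 1, len;
    int argc = 0, seen = 0;
    if (n < 4 || p[0] != '*') return -1;
    while (i < n && p[i] >= '0' && p[i] <= '9') argc = argc * 10 + (p[i++] - '0');
    i += 2;                                  /* CRLF after the array header */
    while (i < n && p[i] == '$') {
        len = 0;
        for (i++; i < n && p[i] >= '0' && p[i] <= '9'; i++)
            len = len * 10 + (size_t)(p[i] - '0');
        i += 2 + len + 2;                    /* CRLF, payload, CRLF */
        seen++;
    }
    return (i == n && seen == argc) ? argc : -1;
}

int main(void)
{
    /* Constructed audit record with a space and an embedded CRLF. */
    static const char rec[] = "203.0.113.7 GET /view.php?b=1\r\nextra";
    char buf[256];
    int n = encode_lpush(buf, sizeof buf, "scan_audit", rec, sizeof rec - 1);
    printf("frame bytes=%d args=%d\n", n, n < 0 ? -1 : resp_argc(buf, (size_t)n));
    return n < 0;
}
```

With hiredis this framing is obtained by passing the record as a `%s` or `%b` argument to redisCommand; formatting the record into the command string itself would let its spaces split it into several arguments.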

Step 6: Send the HTTP response header and response body to the user. The client receives a response message that has been processed by the content obfuscation module and the log audit information backup module, so that content obfuscation and log audit information backup are both achieved and the server information is effectively protected.

The embodiments of the present invention achieve the following technical effects. When an attacker scans the structure of a Web application's website or its sensitive page information, the returned information is obfuscated, which confuses the useful information the attacker obtains and raises the cost of the attacker's probing and scanning. After an attacker has completed an attack through a vulnerability, the log audit information backup can also covertly back up, at a remote location, the scene information of the attack, preventing the scene information from being destroyed. Compared with traditional Web security defenses, the present invention can mislead the attacker before an attack takes place and can preserve the attack scene information after the attack is completed; it is flexibly configurable, transparent to normal users, and has good scalability and portability.

An embodiment of the present invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:

S1: when a Hypertext Transfer Protocol (HTTP) request carrying attack information sent by an attacker is received, forward the HTTP request to the destination server;

S2: obtain, from the destination server, the HTTP response information corresponding to the HTTP request, and perform obfuscation processing on the HTTP response information;

S3: send the obfuscated HTTP response information to the attacker.

Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.

Optionally, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations; they are not repeated here.

Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases, the steps shown or described can be performed in an order different from the one given here, or they can each be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.

The above descriptions are only preferred embodiments of the present invention and are not intended to limit it. For those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A method for responding to a request, characterized by comprising: when a Hypertext Transfer Protocol (HTTP) request carrying attack information sent by an attacker is received, forwarding the HTTP request to a destination server; obtaining, from the destination server, HTTP response information corresponding to the HTTP request, and performing obfuscation processing on the HTTP response information; and sending the obfuscated HTTP response information to the attacker.

2. The method according to claim 1, characterized in that, before the obfuscation processing is performed on the HTTP response information, the method further comprises: judging whether the HTTP request is within the scope of obfuscation processing and, if so, performing obfuscation processing on the HTTP response information.

3. The method according to claim 1, characterized in that performing obfuscation processing on the HTTP response information comprises: performing obfuscation processing on the header and the body of the HTTP response information.

4. The method according to claim 3, characterized in that performing obfuscation processing on the header and the body of the HTTP response information comprises: adding predefined obfuscation content to the body of the HTTP response information; and modifying the content length field in the header information to the content length after the obfuscation content has been added.

5. The method according to claim 4, characterized in that the obfuscation content comprises: hidden attribute information and fake hyperlinks.

6. The method according to claim 1, characterized in that the method further comprises: backing up log audit information to a message queue implemented on an in-memory database.

7. A device for responding to a request, characterized by comprising: a forwarding module, configured to forward a Hypertext Transfer Protocol (HTTP) request to a destination server when the HTTP request, carrying attack information and sent by an attacker, is received; an acquisition module, configured to obtain, from the destination server, HTTP response information corresponding to the HTTP request; an obfuscation processing module, configured to perform obfuscation processing on the HTTP response information; and a sending module, configured to send the obfuscated HTTP response information to the attacker.

8. The device according to claim 7, characterized in that the device further comprises: a judging module, configured to judge whether the HTTP request is within the scope of obfuscation processing and, if so, to perform obfuscation processing on the HTTP response information.

9. The device according to claim 7, characterized in that the obfuscation processing module is configured to perform obfuscation processing on the header and the body of the HTTP response information.

10. The device according to claim 9, characterized in that the obfuscation processing module comprises: an adding unit, configured to add predefined obfuscation content to the body of the HTTP response information; and a modifying unit, configured to modify the content length field in the header information to the content length after the obfuscation content has been added.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610450731.5A CN107528811A (en) 2016-06-21 2016-06-21 The response method and device of request
PCT/CN2017/079731 WO2017219733A1 (en) 2016-06-21 2017-04-07 Method and device for responding to request

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610450731.5A CN107528811A (en) 2016-06-21 2016-06-21 The response method and device of request

Publications (1)

Publication Number Publication Date
CN107528811A true CN107528811A (en) 2017-12-29

Family

ID=60735032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610450731.5A Withdrawn CN107528811A (en) 2016-06-21 2016-06-21 The response method and device of request

Country Status (2)

Country Link
CN (1) CN107528811A (en)
WO (1) WO2017219733A1 (en)

Also Published As

Publication number Publication date
WO2017219733A1 (en) 2017-12-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20171229

WW01 Invention patent application withdrawn after publication