CN100589489C - Defense method and device for DDOS attack on web server - Google Patents
- Publication number: CN100589489C (application number CN200610034795A)
- Authority
- CN
- China
- Prior art keywords
- web server
- tcp connection
- firewall
- server
- request
- Prior art date
- Legal status: Expired - Fee Related
Landscapes
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and a device by which a firewall defends against DDoS attacks on a web server. The firewall is placed in front of the web server, and the method comprises the steps of: receiving a TCP connection request that a user initiates to the web server; forwarding the request to the web server; receiving and inspecting the web server's response message; and, when the response message contains an error code, disconnecting the TCP connection corresponding to that TCP connection request.
Description
Technical field
The present invention relates to web servers, and specifically to a method and apparatus for defending against DDoS attacks directed at a web server.
Background technology
When a user's browser retrieves information from an Internet site, it ordinarily connects directly to the site's web server and sends a request to read a page. The web server responds to the user and delivers the information. In many situations the user may also connect to the web server through a proxy server.
A proxy server is a server that sits between the browser and the web server. When a proxy server is used, the browser does not request the page from the web server directly but sends the request to the proxy server. The proxy server then initiates the request to the web server on the browser's behalf and relays the page returned by the web server to the user's browser. Most proxy servers also have a caching function: they have a large amount of storage and continuously store newly retrieved data in the proxy's memory. If the data requested by the user's browser already exists in the proxy's local store and is up to date, the proxy does not fetch it from the web server again but sends the stored data directly to the user's browser. This significantly improves browsing speed and efficiency.
Exploiting this characteristic of proxy servers, a novel distributed denial-of-service (DDoS) attack pattern against web servers has appeared on the network. Its principle is to use a large number of proxy servers to simulate visits by many users, sending a large number of requests for dynamic pages (asp, php, aspx, jsp, etc.) on the server. These pages may be pages that do not exist. The attacker hides its real Internet Protocol (IP) address behind the proxy servers, so it is difficult to defend against the real attacker. Because the requested page does not exist, the proxy server cannot serve the attacker directly from its local cache and can only pass the attacker's request on to the web server for processing. Processing these requests is expensive for the web server, which typically performs very time-consuming operations such as database queries. Because these operations cannot complete immediately, the web server places the unfinished requests in a queue, which quickly exhausts the connection count of the web server's application-layer service and denies access to normal users. For example, many Apache servers can handle a concurrent connection count of only 512 or 1024, so this attack easily causes a denial of service (DoS); it may even overload the web server process so heavily that the web server goes down.
Fig. 1 is a schematic diagram of a typical DDoS attack process that exploits the information exchanged over a Transmission Control Protocol (TCP) connection. Within the same TCP connection, the attacker, through a proxy server, continuously requests non-existent pages from the web server. If the attacker starts many such attack connections at the same time, the web server is kept busy handling the attacker's requests, which seizes and occupies the connection count of the web server's application-layer service and finally causes a DoS.
Because this type of attack simulates the normal access behaviour of legitimate users, current firewall devices cannot defend against it effectively.
Because this type of attack simulates the normal access behaviour of legitimate users, the TCP proxy technique commonly used to defend against SYN floods cannot effectively guard against it either. In one prior-art approach, based on the feature that in this attack each proxy server usually initiates a number of connection requests, firewall-class equipment can apply traffic management to users, limiting the bandwidth of a given IP address or restricting the number of connections per IP address. This can defend against such attacks to a certain extent.
However, managing user traffic by limiting the bandwidth of a given IP address or limiting the number of connections initiated per IP address has the following limitations:
1. This type of attack is launched from a large number of proxy servers, and each proxy server may initiate very few attack connections. If the number of connections per IP address is limited, the limit must be set to a very small range to be effective at all. But if the attacker uses a large number of proxy servers, the number of connections attacking the server remains large, and traffic management does not achieve the goal of defence.
2. This type of attack primarily targets the server's performance bottleneck in processing dynamic web pages, rather than consuming the server's bandwidth. Therefore even a small amount of attack traffic can consume a large amount of server resources and achieve the attack's goal.
3. Managing users' traffic affects the normal access of legitimate users to the server, causing problems such as slow network speed and degrading the user experience.
In another prior-art approach, because this type of attack simulates legitimate user access and must be carried out through proxy servers, the Hypertext Transfer Protocol (HTTP) request message is examined for particular information that can indicate access through a proxy; on this basis the request is determined to be a proxy access and filtered accordingly.
This scheme has a certain anti-attack capability, but it also has some problems: 1. it misjudges requests that legitimately access the external network through a proxy from an internal network; 2. the behaviour of HTTP proxy servers is unpredictable, and requests that do not carry the specific information cannot be recognised and filtered.
Summary of the invention
The purpose of the present invention is therefore to provide a method that overcomes the above problems and defends effectively against DDoS attacks.
A firewall is usually placed in front of a server to protect it. The present invention protects the server from denial-of-service attacks by a mechanism in which an intermediate device such as a firewall detects the state of a TCP connection such as HTTP and forcibly disconnects the attacker's TCP connection to the server.
According to a first aspect, the invention provides a method by which a firewall defends against a DDoS attack on a web server, where the firewall is placed in front of the web server and the method comprises the steps of: receiving a TCP connection request that a user initiates to the web server; forwarding the request to the web server; receiving and inspecting the response message of the web server; and, when the response message contains an error code, disconnecting the TCP connection corresponding to the TCP connection request.
According to a second aspect, a firewall placed in front of a web server is provided for defending against DDoS attacks on the web server, the firewall comprising: means for receiving a TCP connection request that a user initiates to the web server; means for forwarding the request to the web server; means for receiving and inspecting the response message of the web server; and means for disconnecting the TCP connection when the response message contains an error code.
The technical scheme of the present invention can defend against an attacker's attack on an HTTP server initiated with invalid web pages, relieving the server's load so that normal users can connect to the server.
Description of drawings
The present invention is described in more detail below by way of example with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a typical process of a DDoS attack that exploits information exchanged over a TCP connection;
Fig. 2 is a schematic diagram of an embodiment of defending against a DDoS attack with a firewall according to the present invention.
Embodiment
The present invention protects the web server by means of an intermediate device such as a firewall. Embodiments of the present invention are described in detail below.
Fig. 2 is a schematic diagram of an embodiment of defending against a DDoS attack with a firewall according to the present invention.
The firewall monitors the TCP connections between users and the web server. When a user initiates a TCP connection to the web server, the firewall creates a session-table entry for this TCP connection. The session table may, for example, be represented by a five-tuple (source IP, source port, protocol type, destination IP, destination port). All TCP messages passing through the firewall are inspected. If the destination port of a message is the HTTP port 80, the firewall judges the message to be an HTTP message and accordingly sets the protocol type of the corresponding session entry to HTTP. It should be noted that the web page request initiated by the user may also reach the firewall through a proxy server.
The firewall then forwards the message to the web server.
The web server makes a corresponding response to the user's request. The first line of the response is the status line, which begins with the HTTP version number, followed by a three-digit response code and finally a human-readable reason phrase. The following table lists HTTP's three-digit response codes and their explanations.
| Response | Class | Explanation |
|---|---|---|
| 200 | Success | OK: request successful |
| 201 | Success | OK: new resource created (POST command) |
| 202 | Success | Request accepted, but processing not finished |
| 204 | Success | OK, but no content to return |
| 301 | Redirect: the user agent must take further action | Requested resource has been assigned a new permanent URL |
| 302 | Redirect | Requested resource temporarily resides at another URL |
| 304 | Redirect | Document not modified (conditional GET) |
| 400 | User error | Bad request |
| 401 | User error | Unauthorized: this request requires user authentication |
| 403 | User error | Forbidden, for an unspecified reason |
| 404 | User error | Not found |
| 500 | Server error | Internal server error |
| 501 | Server error | Not implemented |
| 502 | Server error | Bad gateway: null response from the gateway or upstream server |
| 503 | Server error | Service temporarily unavailable |
If the response message hits the session table, it is an HTTP message. The firewall performs deep inspection on the HTTP message of the web server's response, searching the web server's response message for information such as user error codes. If what the web server returns is a user error message, the firewall directly tears down the TCP connection between the user and the web server, terminating the connection on the web server side. Using the HTTP session information retained on the firewall, the firewall can, in the user's name, send a reset (RST) or a FIN message to the web server to notify it to close the connection.
If the attacker uses a large number of proxy servers to attack the same web server, then even after the connections between the web server and some of the proxies have been torn down, a large number of attack messages remain and still consume the web server's resources. Therefore, in a preferred embodiment, an access-limiting method can be adopted at the same time: the number of HTTP connections initiated by the same source IP is counted, and if within a certain period the number of times the web server returns an error code value to that user exceeds a specified value, the IP is added to a blacklist and access to the web server initiated from that source IP is restricted.
The embodiments of the present invention have been described above using an HTTP connection as an example. It should be noted that the invention is not limited to this and can also be applied to other TCP connections such as FTP.
Obviously, the invention described here may have many variations, and such variations should not be regarded as departing from the spirit and scope of the invention. Therefore, all changes that would be apparent to those skilled in the art are included within the scope of these claims.
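The following Python sketch is an added illustration of the embodiment described above (session table keyed by five-tuple, HTTP marking on port 80, inspection of the server's status line, connection teardown on a user error code, and the preferred per-source-IP blacklist). It is not code from the patent. It assumes a simplified model in which the firewall returns an action string ("forward", "reset", "drop") instead of emitting packets, treats the 4xx class as the "user error code" the text refers to, and uses a constructed threshold and time window; the traffic in `run_demo` is constructed sample data.

```python
import re
from collections import deque

HTTP_PORT = 80
# Status line of a response, e.g. b"HTTP/1.1 404 Not Found\r\n": capture the 3-digit code.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


class Firewall:
    """Illustrative session-tracking firewall placed in front of a web server."""

    def __init__(self, error_threshold=5, window_seconds=60.0):
        # session table: (src_ip, src_port, proto, dst_ip, dst_port) -> application protocol
        self.sessions = {}
        # per source IP: timestamps of error responses seen within the sliding window
        self.error_log = {}
        self.blacklist = set()
        self.threshold = error_threshold      # assumed value, not from the patent
        self.window = window_seconds          # assumed value, not from the patent

    def on_client_syn(self, src_ip, src_port, dst_ip, dst_port):
        """A user (possibly via a proxy) opens a TCP connection to the server."""
        if src_ip in self.blacklist:
            return "drop"                     # access restricted for this source IP
        key = (src_ip, src_port, "tcp", dst_ip, dst_port)
        # destination port 80 -> mark the session as HTTP so responses are deep-inspected
        self.sessions[key] = "http" if dst_port == HTTP_PORT else "tcp"
        return "forward"

    def on_server_response(self, srv_ip, srv_port, cli_ip, cli_port, payload, now):
        """Server -> client segment; returns the firewall's action."""
        key = (cli_ip, cli_port, "tcp", srv_ip, srv_port)   # look up the client's five-tuple
        if self.sessions.get(key) != "http":
            return "forward"                  # unknown session or not HTTP: pass through
        m = STATUS_LINE.match(payload)
        if not m:
            return "forward"                  # not a status line (e.g. a body segment)
        code = int(m.group(1))
        if 400 <= code <= 499:                # user error code (400/401/403/404 ...)
            self._record_error(cli_ip, now)
            del self.sessions[key]            # session torn down
            return "reset"                    # RST/FIN sent to the server in the user's name
        return "forward"

    def _record_error(self, ip, now):
        """Count error responses per source IP; blacklist when the window count exceeds the limit."""
        log = self.error_log.setdefault(ip, deque())
        log.append(now)
        while log and now - log[0] > self.window:
            log.popleft()                     # forget errors older than the window
        if len(log) > self.threshold:
            self.blacklist.add(ip)


def run_demo():
    """Constructed traffic: one legitimate client and one proxy requesting missing pages."""
    fw = Firewall(error_threshold=2, window_seconds=60.0)
    srv = "192.0.2.10"                        # constructed server address
    actions = []
    # legitimate client: a 200 response leaves its session in place
    actions.append(fw.on_client_syn("198.51.100.7", 51000, srv, 80))
    actions.append(fw.on_server_response(
        srv, 80, "198.51.100.7", 51000,
        b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", 0.0))
    # proxy 203.0.113.5 opens fresh connections and each one draws a 404
    for i in range(3):
        port = 60000 + i
        actions.append(fw.on_client_syn("203.0.113.5", port, srv, 80))
        actions.append(fw.on_server_response(
            srv, 80, "203.0.113.5", port, b"HTTP/1.1 404 Not Found\r\n\r\n", 1.0 + i))
    # the third error within the window pushes the count past the threshold
    actions.append(fw.on_client_syn("203.0.113.5", 60010, srv, 80))
    return actions, fw


if __name__ == "__main__":
    acts, fw = run_demo()
    print(acts)                               # last action is "drop" for the blacklisted proxy
    print(sorted(fw.blacklist))
```

In a real device the "reset" action would be realised by injecting a RST or FIN toward the server using the sequence numbers retained in the session state; that packet construction is abstracted away here. Restricting the trigger to the 4xx class keeps legitimate clients who hit a transient 5xx from being counted against the blacklist, which matches the text's wording of "user error code".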
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610034795A CN100589489C (en) | 2006-03-29 | 2006-03-29 | Defense method and device for DDOS attack on web server |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101047697A CN101047697A (en) | 2007-10-03 |
| CN100589489C true CN100589489C (en) | 2010-02-10 |
Family ID: 38771914
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200610034795A Expired - Fee Related CN100589489C (en) | 2006-03-29 | 2006-03-29 | Defense method and device for DDOS attack on web server |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100589489C (en) |
Families Citing this family (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101478540B (en) * | 2008-12-31 | 2012-04-25 | 成都市华为赛门铁克科技有限公司 | Method and device for defending challenge black hole attack |
| CN101594269B (en) * | 2009-06-29 | 2012-05-02 | 成都市华为赛门铁克科技有限公司 | Method, device and gateway device for detecting abnormal connection |
| CN102014110A (en) * | 2009-09-08 | 2011-04-13 | 华为技术有限公司 | Method for authenticating communication flows, communication system and protective device |
| CN101826991A (en) * | 2010-02-04 | 2010-09-08 | 蓝盾信息安全技术股份有限公司 | Method and system for identifying illegal data packet |
| CN102291378B (en) * | 2010-06-18 | 2014-07-02 | 杭州华三通信技术有限公司 | Distributed deny of service (DDoS) attack defense method and device |
| JP5624973B2 (en) * | 2011-11-04 | 2014-11-12 | 株式会社日立製作所 | Filtering device |
| CN102404334A (en) * | 2011-12-07 | 2012-04-04 | 山石网科通信技术(北京)有限公司 | Method and device for preventing denial of service attack |
| WO2014040292A1 (en) * | 2012-09-17 | 2014-03-20 | 华为技术有限公司 | Protection method and device against attacks |
| CN103986690B (en) * | 2014-04-03 | 2017-08-04 | 北京京东尚科信息技术有限公司 | A kind of method and apparatus for handling client request |
| CN103929498B (en) * | 2014-05-05 | 2018-01-05 | 北京京东尚科信息技术有限公司 | The method and apparatus for handling client request |
| CN106789858B (en) * | 2015-11-25 | 2019-12-20 | 广州市动景计算机科技有限公司 | Access control method and device and server |
| CN107241304B (en) * | 2016-03-29 | 2021-02-02 | 阿里巴巴集团控股有限公司 | Method and device for detecting DDoS attack |
| CN108696400A (en) * | 2017-04-12 | 2018-10-23 | 北京京东尚科信息技术有限公司 | network monitoring method and device |
| CN107547551B (en) * | 2017-09-06 | 2020-09-25 | 新华三信息安全技术有限公司 | Message filtering method, device, equipment and storage medium |
| CN110944063B (en) * | 2019-12-10 | 2021-11-30 | 航天新长征大道科技有限公司 | Programmable logic control device connection method, control system and readable medium |
- 2006-03-29 CN CN200610034795A patent/CN100589489C/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN101047697A (en) | 2007-10-03 |
Similar Documents
| Publication | Title |
|---|---|
| CN100589489C (en) | Defense method and device for DDOS attack on web server |
| Cambiaso et al. | Slow DoS attacks: definition and categorisation |
| JP5624973B2 (en) | Filtering device |
| EP2408166B1 (en) | Filtering method, system and network device therefor |
| CN106453669B (en) | Load balancing method and server |
| CN102291390B (en) | Method for defending against denial of service attack based on cloud computation platform |
| CN101478540B (en) | Method and device for defending challenge black hole attack |
| CN108259425A (en) | The determining method, apparatus and server of query-attack |
| WO2017004947A1 (en) | Method and apparatus for preventing domain name hijacking |
| CN102571547A (en) | Method and device for controlling hyper text transport protocol (HTTP) traffic |
| CN102137111A (en) | Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server |
| CN109274632A (en) | Method and device for identifying website |
| CN105939361A (en) | Method and device for defensing CC (Challenge Collapsar) attack |
| CN101478387A (en) | Defense method, apparatus and system for hyper text transmission protocol attack |
| CN102739683A (en) | Network attack filtering method and device |
| CN100420197C (en) | A Method for Realizing Attack Defense of Network Equipment |
| CN104618404A (en) | Processing method, device and system for preventing network attack to Web server |
| CN112019508A (en) | Method, system and electronic device for detecting DDos attack based on Web log analysis |
| CN110519265A (en) | A kind of method and device of defensive attack |
| CN105959313A (en) | Method and device for preventing HTTP proxy attack |
| CN107528812B (en) | An attack detection method and device |
| CN107666473A (en) | The method and controller of a kind of attack detecting |
| KR101200906B1 (en) | High Performance System and Method for Blocking Harmful Sites Access on the basis of Network |
| CN113518064B (en) | Defense method and device for challenging black hole attack, computer equipment and storage medium |
| CN105897694A (en) | Session identification method and system of client |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100210 |