CN115174243A - Malicious IP address blocking processing method, device, equipment and storage medium
- Publication number: CN115174243A
- Application number: CN202210833404.3A
- Authority: CN (China)
- Prior art keywords: address, blocking, real, malicious, access request
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to the field of computer networks and discloses a method, apparatus, device and storage medium for blocking malicious IP addresses. The method comprises: establishing an IP address information base and configuring blocking policies; when an access request is received, obtaining the real IP address of the client from which the request originates; and blocking that real IP address according to the blocking policies. By blocking the real client IP address rather than the address of an intermediate proxy, and by allowing blocking policies to be configured flexibly, the invention avoids the large-scale loss of access that results when a proxy server's IP address is blocked.
Description
Technical field
The present invention relates to the field of computer networks, and in particular to a method, apparatus, device and storage medium for blocking malicious IP addresses.
Background
With the rapid growth of the Internet, both its scale and its security problems have grown. Large web systems are frequently attacked: large numbers of malicious IP addresses send requests that consume server resources or saturate network bandwidth and connectivity, disrupting normal access. To cut off the impact of such attacks quickly, access by illegitimate users or attack sources must be denied promptly. IP address blocking does this by blocking specific IP addresses and refusing them access.
In the prior art, the web server runs at the application layer, and existing automatic blocking devices for malicious IP addresses at that layer block either on the access behaviour of an IP address or on a threat intelligence database: an IP address whose behaviour triggers a high-frequency security rule is blocked, or the malicious IP addresses imported from a threat intelligence database are blocked outright. The security rules of such a device have to be written by hand after security staff analyse traffic, logs and similar data, and later maintained and updated by hand; the threat intelligence database also has to be refreshed constantly to obtain current malicious IP addresses. Applying the same blocking policy to every malicious IP address produces too many false blocks. Moreover, most existing devices block at the network layer, which is inflexible, and when a proxy sits in front of the web server, blocking the proxy's address makes the web server unreachable for a large population of users and disrupts the business.
Summary of the invention
The main purpose of the present invention is to provide a method, apparatus, device and storage medium for blocking malicious IP addresses, aimed at solving the technical problem that the blocking policies of prior-art malicious IP blocking devices are one-size-fits-all and prone to false blocks.
A first aspect of the present invention provides a method for blocking malicious IP addresses, comprising:
establishing an IP address information base and configuring blocking policies;
when an access request is received, obtaining the real IP address of the client from which the access request originates;
blocking the real IP address according to the blocking policies.
Optionally, in a first implementation of the first aspect, establishing the IP address information base comprises:
obtaining tags of various categories and the IP address information corresponding to each, where the tag categories include one or more of geographic address, ISP, IDC, anycast, threat intelligence and custom;
building the IP address information base from the tags and the corresponding IP address information.
Optionally, in a second implementation of the first aspect, configuring a blocking policy comprises:
obtaining the IP address information of a match object;
based on that IP address information, counting the number of requests the match object makes to a given path within a preset number of periods;
obtaining a match action, and configuring the blocking policy to execute the match action when the match object's request count satisfies a preset blocking condition.
Optionally, in a third implementation of the first aspect, configuring blocking policies further comprises:
when multiple blocking policies are configured, configuring a priority for each blocking policy.
Optionally, in a fourth implementation of the first aspect, blocking the real IP address according to the blocking policies comprises:
in order from the highest to the lowest priority, determining whether the real IP address satisfies the preset blocking condition of each blocking policy;
when the real IP address satisfies a preset blocking condition, executing the corresponding match action and stopping the evaluation of the remaining blocking conditions.
Optionally, in a fifth implementation of the first aspect, obtaining the real IP address of the client from which the access request originates comprises:
when an access request is received, determining whether a proxy server sits in front of the application layer;
if there is no proxy server in front of the application layer, taking the peer IP address of the established connection as the real IP address;
if there is a proxy server in front of the application layer, obtaining the real IP address with a preset resolution method.
Optionally, in a sixth implementation of the first aspect, obtaining the real IP address with the preset resolution method when a proxy server is present comprises:
determining whether the peer IP address of the established connection is a trusted IP;
if the peer IP address is not a trusted IP, taking the peer IP address as the real IP address;
if the peer IP address is a trusted IP, determining whether the proxy server is a network-layer proxy;
if the proxy server is a network-layer proxy, obtaining the real IP address from the TCP packet;
if the proxy server is not a network-layer proxy, determining whether the access request carries a custom header field;
if the access request carries a custom header field, taking the value of that header field as the real IP address;
if the access request carries no custom header field, taking the value of its X-Forwarded-For header as the real IP address.
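The resolution sequence above is the security-critical step of the whole scheme: X-Forwarded-For and any custom client-address header are written by whoever connects to the proxy, so they may only be believed when the connection peer is a trusted proxy, and even then the client is the rightmost hop that is not itself a trusted proxy, not the leftmost value, which the client can set to anything. The Python below is an added example, not code from the patent, that implements the sequence under those rules. The patent does not say how the address is carried "in the TCP packet" for a network-layer proxy; HAProxy's PROXY protocol v1 header is assumed here. The trusted network 10.0.0.0/8, the header name X-Real-Client and the sample addresses are constructed.

```python
"""Resolve the real client IP behind optional proxies.

Added example, not code from patent CN115174243A.  Assumptions (not stated
in the patent): the network-layer proxy announces the client address with
HAProxy's PROXY protocol v1 header; the trusted proxy networks and the
custom header name are configured by the operator.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _to_ip(text: str) -> Optional[IPAddress]:
    """Parse an IP literal; None for anything that is not one (never guess)."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


class TrustedProxies:
    """The operator's list of proxy networks whose forwarded headers may be believed."""

    def __init__(self, networks: Iterable[str]):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def contains(self, ip: IPAddress) -> bool:
        return any(ip in net for net in self.networks)


def parse_proxy_protocol_v1(line: bytes) -> Optional[str]:
    """Client address from a PROXY protocol v1 line: b'PROXY TCP4 src dst sport dport\\r\\n'."""
    if not line.startswith(b"PROXY "):
        return None
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 6 or parts[1] not in (b"TCP4", b"TCP6"):
        return None
    ip = _to_ip(parts[2].decode("ascii", "replace"))
    return str(ip) if ip else None


def client_ip_from_xff(xff: str, trusted: TrustedProxies) -> Optional[str]:
    """Rightmost hop of X-Forwarded-For that is not a trusted proxy.

    The leftmost value is whatever the client chose to send, so walking from
    the right and skipping our own proxies yields the only attributable hop.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _to_ip(hop)
        if ip is None:
            return None  # malformed chain: refuse rather than block a guess
        if not trusted.contains(ip):
            return str(ip)
    return None  # every hop is one of ours: the header tells us nothing


def resolve_real_ip(
    peer_ip: str,
    trusted: TrustedProxies,
    *,
    proxy_protocol_line: bytes = b"",
    headers: Optional[Dict[str, str]] = None,
    custom_header: Optional[str] = None,
) -> Optional[str]:
    """Apply the decision sequence; None means no attributable client address."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    peer = ipaddress.ip_address(peer_ip)

    # No proxy, or an untrusted peer: the peer IS the client.  Any forwarded
    # header it sent is attacker-controlled and is ignored.
    if not trusted.contains(peer):
        return peer_ip

    # Trusted network-layer (TCP) proxy: client address in the PROXY header.
    if proxy_protocol_line:
        ip = parse_proxy_protocol_v1(proxy_protocol_line)
        if ip:
            return ip

    # Trusted HTTP proxy with an operator-configured client-address header.
    if custom_header and custom_header.lower() in hdrs:
        ip = _to_ip(hdrs[custom_header.lower()])
        if ip:
            return str(ip)

    # Trusted HTTP proxy using the conventional X-Forwarded-For chain.
    xff = hdrs.get("x-forwarded-for")
    if xff:
        ip = client_ip_from_xff(xff, trusted)
        if ip:
            return ip

    # Nothing attributable.  Returning the proxy's own address here would
    # recreate the mass-blocking problem the patent sets out to avoid, so the
    # caller should log this case and not block on it.
    return None
```

Note that the untrusted-peer branch deliberately ignores every header: an attacker connecting directly to the server with X-Forwarded-For: 1.1.1.1 must be blocked as itself, not as 1.1.1.1.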
A second aspect of the present invention provides an apparatus for blocking malicious IP addresses, comprising:
a configuration module for establishing the IP address information base and configuring blocking policies;
a processing module for obtaining, when an access request is received, the real IP address of the client from which the access request originates;
a blocking module for blocking the real IP address according to the blocking policies.
Optionally, in a first implementation of the second aspect, the configuration module is specifically configured to:
obtain tags of various categories and the IP address information corresponding to each, where the tag categories include one or more of geographic address, ISP, IDC, anycast, threat intelligence and custom;
build the IP address information base from the tags and the corresponding IP address information.
Optionally, in a second implementation of the second aspect, the configuration module is further configured to:
obtain the IP address information of a match object;
based on that IP address information, count the number of requests the match object makes to a given path within a preset number of periods;
obtain a match action, and configure the blocking policy to execute the match action when the match object's request count satisfies a preset blocking condition.
Optionally, in a third implementation of the second aspect, the configuration module is further configured to:
when multiple blocking policies are configured, configure a priority for each blocking policy.
Optionally, in a fourth implementation of the second aspect, the blocking module is specifically configured to:
in order from the highest to the lowest priority, determine whether the real IP address satisfies the preset blocking condition of each blocking policy;
when the real IP address satisfies a preset blocking condition, execute the corresponding match action and stop evaluating the remaining blocking conditions.
Optionally, in a fifth implementation of the second aspect, the processing module comprises:
a determining unit for determining, when an access request is received, whether a proxy server sits in front of the application layer;
a processing unit for taking the peer IP address of the established connection as the real IP address if there is no proxy server in front of the application layer;
a resolution unit for obtaining the real IP address with a preset resolution method if there is a proxy server in front of the application layer.
Optionally, in a sixth implementation of the second aspect, the resolution unit is specifically configured to:
determine whether the peer IP address of the established connection is a trusted IP;
if the peer IP address is not a trusted IP, take the peer IP address as the real IP address;
if the peer IP address is a trusted IP, determine whether the proxy server is a network-layer proxy;
if the proxy server is a network-layer proxy, obtain the real IP address from the TCP packet;
if the proxy server is not a network-layer proxy, determine whether the access request carries a custom header field;
if the access request carries a custom header field, take the value of that header field as the real IP address;
if the access request carries no custom header field, take the value of its X-Forwarded-For header as the real IP address.
A third aspect of the present invention provides an electronic device comprising a memory and at least one processor, the memory storing instructions; the at least one processor invokes the instructions in the memory so that the electronic device performs the method for blocking malicious IP addresses described above.
A fourth aspect of the present invention provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method for blocking malicious IP addresses described above.
In the technical solution provided by the present invention, an IP address information base is established and blocking policies are configured; when an access request is received, the real IP address of the client from which it originates is obtained; and the real IP address is blocked according to the blocking policies. The invention obtains the real client IP address automatically and blocks that address, avoiding the large-scale loss of access caused by blocking a proxy server's IP address; at the same time, blocking policies can be configured flexibly from multi-dimensional information, overcoming the shortcoming of existing blocking devices that block on the IP address alone.
Description of the drawings
FIG. 1 is a schematic diagram of one embodiment of the method for blocking malicious IP addresses in an embodiment of the present invention;
FIG. 2 is a schematic diagram of another embodiment of the method for blocking malicious IP addresses in an embodiment of the present invention;
FIG. 3 is a schematic diagram of one embodiment of the apparatus for blocking malicious IP addresses in an embodiment of the present invention;
FIG. 4 is a schematic diagram of one embodiment of the electronic device in an embodiment of the present invention.
Detailed description
The embodiments of the present invention provide a method, apparatus, device and storage medium for blocking malicious IP addresses that obtain the real client IP address automatically and block that address, avoiding the large-scale loss of access caused by blocking a proxy server's IP address, while allowing blocking policies to be configured flexibly from multi-dimensional information, overcoming the shortcoming of existing blocking devices that block on the IP address alone.
The terms "first", "second", "third", "fourth" and so on (where present) in the description, claims and drawings of the present invention are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described. Furthermore, the terms "comprising" or "having" and any variants thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
For ease of understanding, the specific flow of an embodiment of the present invention is described below. Referring to FIG. 1, one embodiment of the method for blocking malicious IP addresses comprises:
101. Establish an IP address information base and configure blocking policies.
It will be understood that the executing entity of the present invention may be the apparatus for blocking malicious IP addresses, or a terminal or a server; this is not limited here. The embodiments are described with a server as the executing entity.
In this embodiment, IP (Internet Protocol) is the network-layer protocol of the TCP/IP (Transmission Control Protocol/Internet Protocol) suite, under which every device on an IP network is identified by an IP address unique within that network. The IP address information base is a base of IP address information built in advance from tags such as GeoIP, ISP and IDC, storing the predefined tags of each category together with the IP address information corresponding to each. A blocking policy blocks specific IP addresses and restricts their access.
Optionally, in an embodiment, establishing the IP address information base comprises:
obtaining tags of various categories and the IP address information corresponding to each, where the tag categories include one or more of geographic address, ISP, IDC, anycast, threat intelligence and custom;
building the IP address information base from the tags and the corresponding IP address information.
Specifically, IP address information denotes a single IP address or a class of IP addresses. A GeoIP tag carries the geographic information of an IP address: latitude and longitude, city, province/state, country, country code, city code and postal code. An ISP (Internet Service Provider) tag denotes a telecommunications operator that provides Internet access to the public, such as China Telecom, China Mobile or Great Wall Broadband. An IDC (Internet Data Center) is a platform on which a telecommunications operator or enterprise uses existing Internet lines and bandwidth to build a standardised carrier-grade machine-room environment and offers server hosting, leasing and related value-added services to enterprises and governments, such as the UCloud Ulanqab data centre or the Beijing Dr. Peng data centre. Anycast identifies a group of hosts providing a particular service by a single anycast address on the IP network; the caller does not care which host serves it, and packets sent to the address may be routed to any host in the group. Such addresses are mostly server addresses and rarely initiate outbound connections. Threat intelligence tags include, without limitation, scanner, bot (zombie host), home broadband, host operating system and host service. A scanner uses an IP address to send TCP packets automatically, with a programming language or tool, to probe hosts on the Internet, record their open ports and sometimes fingerprint the operating system, the application-layer protocol and service on a port, or vulnerabilities of the operating system or service. A bot is a computer, whether a terminal or a cloud instance, infected by bot malware and controlled by an attacker's program, which can launch denial-of-service (DoS) attacks or send spam on command so that the target computer or network can no longer provide normal service. Home broadband denotes IP addresses an ISP assigns to individual and household users for Internet access. The host operating system tag reflects that hosts on the Internet, in particular IDC hosts, run operating systems that expose characteristic fixed ports or other features, so the installed operating system (Windows, Linux and so on) can be inferred from a port scan or from differences in how operating systems handle TCP packets. The host service tag reflects that IDC hosts usually act as servers for some service; their ports are scanned and, from well-known port numbers or from the replies to different kinds of TCP packets sent to a port, the service offered is inferred. Server IP addresses likewise rarely initiate outbound connections. Custom tags are user-defined, such as "Shenzhen branch office egress IP" or "Shanghai branch office egress IP"; a custom tag can also be applied to an IP address by a trigger rule, and a tag can be searched for and the IP addresses under it given further tags.
Specifically, tags of each category and their corresponding IP address information are obtained and merged into a database that associates tags with IP address information, that is, the IP address information base.
可选地,在一实施例中,所述配置封堵策略包括:Optionally, in an embodiment, the configuring the blocking strategy includes:
获取匹配对象的IP地址信息;Obtain the IP address information of the matching object;
基于所述匹配对象的IP地址信息,统计所述匹配对象在预置周期个数内访问某个路径的请求次数;Based on the IP address information of the matching object, count the number of requests that the matching object accesses a certain path within a preset number of cycles;
获取匹配动作,并配置当所述匹配对象的请求次数满足预置封堵条件时,执行所述匹配动作的封堵策略。Acquire a matching action, and configure a blocking strategy for executing the matching action when the number of requests for the matching object satisfies a preset blocking condition.
具体地,匹配对象是与当前封堵策略匹配的对象,需执行当前封堵策略对应的动作,匹配对象包括单个IP地址、同属某个CIDR(Classless Inter-Domain Routing,无类别域间路由)块下的IP地址、拥有某个标签的IP地址;单个IP地址N1.N2.N3.N4,其中,N1、N2、N3、N4可为0-255之间的任意数字;同属某个CIDR块A.B.C.D/N下的IP,其中,A、B、C、D无法设置,代表一个十进制表示法IP地址,N可为0-32的任意数字,表示A.B.C.D中标识网络的前缀转化为二进制数的位数,如192.168.10.1/16表示标识网络的前缀有16位,即192.168为前缀,10.1为在这个网络内具体的主机的地址,N为0时能匹配全部的IP地址,为32时等同于单个IP地址。Specifically, the matching object is an object that matches the current blocking policy, and the action corresponding to the current blocking policy needs to be executed. The matching object includes a single IP address, a CIDR (Classless Inter-Domain Routing, Classless Inter-Domain Routing) block that belongs to the same The IP address below, the IP address with a certain label; a single IP address N 1 .N 2 .N 3 .N 4 , where N 1 , N 2 , N 3 , N 4 can be any between 0-255 Number; both belong to the IP under a CIDR block ABCD/N, where A, B, C, and D cannot be set and represent an IP address in decimal notation. N can be any number from 0 to 32, indicating the network identifier in ABCD. The number of digits in which the prefix is converted into a binary number. For example, 192.168.10.1/16 indicates that the prefix identifying the network has 16 bits, that is, 192.168 is the prefix, and 10.1 is the address of the specific host in this network. When N is 0, it can match all IPs. address, which is equivalent to a single IP address when it is 32.
具体地,统计匹配对象在N个M秒的周期内访问/攻击某个路径或文件的请求次数,如统计得到匹配对象在三个连续的60秒周期内访问某个路径或文件的请求次数为5次、3次、5次;或统计匹配对象在N个M秒的周期内访问/攻击某个路径或文件且HTTP头部字段等于/包含/正则匹配某个字符串的请求次数,如匹配对象在三个连续的60秒周期内访问某个路径或文件,且这些访问请求的头部字段中包含特定的From字段(设置发送请求的用户的email地址),统计得到请求次数为5次、2次、5次。Specifically, count the number of requests that the matching object accesses/attacks a certain path or file within N M seconds. For example, the number of requests that the matching object accesses a certain path or file in three consecutive 60-second periods is: 5 times, 3 times, 5 times; or count the number of requests that the matching object accesses/attacks a certain path or file in a period of N M seconds and the HTTP header field is equal to/contains/regularly matches a certain string, such as matching The object accesses a certain path or file in three consecutive 60-second periods, and the header field of these access requests contains a specific From field (set the email address of the user who sent the request), and the number of requests is 5, 2 times, 5 times.
具体地,匹配动作包括但不限于拦截此类请求,启用验证码,限制请求速率,返回自定义响应码与自定义响应内容,不处理、仅记录日志;匹配动作还包括直接封禁,当匹配对象的匹配动作为直接封禁时,无需统计匹配对象的请求次数。匹配动作还可以增加附加动作,如:额外拦截匹配对象及同属某个CIDR块A.B.C.D/N下的IP地址,给匹配对象(及同属某个CIDR块A.B.C.D/N下的IP地址)添加某一标签(如:扫描器IP、IDC机房IP、爬虫池IP)。Specifically, matching actions include, but are not limited to, intercepting such requests, enabling verification codes, limiting request rates, returning custom response codes and custom response content, not processing, and only recording logs; matching actions also include direct ban, when the matching object When the matching action is direct ban, there is no need to count the number of requests for the matching object. The matching action can also add additional actions, such as: additionally intercept the matching object and the IP address under the same CIDR block A.B.C.D/N, and add a certain label to the matching object (and the IP address under the same CIDR block A.B.C.D/N). (eg: scanner IP, IDC room IP, crawler pool IP).
Optionally, in an embodiment, configuring the blocking policy further includes:
when multiple blocking policies are configured, configuring a priority for each blocking policy.
Specifically, different blocking policies may set different blocking durations and blocking methods, and may block network segments as required. Multiple blocking policies can be configured at the same time, each with its own priority, and blocking is processed from the highest priority to the lowest.
102. When an access request is received, obtain the real IP address of the client from which the access request originates;
In this embodiment, the real IP address of the source client is obtained from the header information of the access request.
103. Based on the blocking policy, perform blocking processing on the real IP address.
In this embodiment, for each configured blocking policy the number of access requests is counted and it is determined whether blocking is required; if so, the corresponding matching action is executed to block.
In the embodiment of the present invention, an IP address information base is established and blocking policies are configured; when an access request is received, the real IP address of the client from which it originates is obtained; based on the blocking policies, the real IP address is blocked. The invention automatically obtains the real client IP address and blocks that address, avoiding the situation in which blocking a proxy server's IP address makes the service unreachable for a large number of users; at the same time, blocking policies can be flexibly configured from multi-dimensional information, overcoming the shortcoming of existing blocking devices, which block on the single datum of the IP address.
Referring to FIG. 2, another embodiment of the method for blocking malicious IP addresses in the embodiment of the present invention includes:
201. Establish an IP address information base and configure blocking policies;
Optionally, in an embodiment, whitelist and blacklist labels are established: IP addresses carrying the whitelist label are passed through directly without blocking checks, and IP addresses carrying the blacklist label are blocked directly.
Optionally, in an embodiment, when the IP address information base is updated, any blocked IP address that carried a given label in the information base before the update but no longer carries that label in the updated information base is removed from the blocked set.
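The labelled information base of step 201, the whitelist/blacklist rule and the update rule above, as an added example in Python (this is not the patent's code or any product's implementation). Assumptions not stated in the patent: labels are strings such as "GeoIP:US" or "threat-intel" mapped to CIDR lists, the whitelist label is checked before the blacklist label, and the block list remembers which label justified each block so that the update rule can release stale entries; all IP ranges are constructed documentation addresses.

```python
"""Labelled IP address information base with whitelist/blacklist labels and the
update rule of step 201 (added example; not the patent's code).

Assumptions not stated in the patent: labels are keyed by strings such as
"GeoIP:US" or "threat-intel" and map to CIDR lists; the whitelist label is
checked before the blacklist label; the block list remembers which label
justified each block so the update rule can release stale entries.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class IPInfoBase:
    """label -> CIDR blocks carrying that label (GeoIP, ISP, IDC, anycast,
    threat intelligence, custom, whitelist, blacklist)."""

    def __init__(self, label_to_cidrs: Dict[str, Iterable[str]]):
        self._nets: Dict[str, List[Network]] = {
            # strict=False accepts host bits set, e.g. 192.168.10.1/16 -> 192.168.0.0/16
            label: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for label, cidrs in label_to_cidrs.items()
        }

    def labels_of(self, ip: str) -> Set[str]:
        """Every label whose CIDR list contains ip."""
        addr = ipaddress.ip_address(ip)
        return {label for label, nets in self._nets.items()
                if any(addr in n for n in nets)}


@dataclass
class BlockList:
    base: IPInfoBase
    blocked: Dict[str, str] = field(default_factory=dict)   # ip -> justifying label

    def decide(self, ip: str) -> str:
        """'allow' for whitelisted IPs (no further checks), 'block' for blacklisted
        or already-blocked IPs, otherwise 'inspect' (go on to behavioural policies)."""
        labels = self.base.labels_of(ip)
        if "whitelist" in labels:
            return "allow"
        if "blacklist" in labels or ip in self.blocked:
            return "block"
        return "inspect"

    def block_by_label(self, ip: str, label: str) -> None:
        """Record a block decided on the strength of one label."""
        self.blocked[ip] = label

    def update_base(self, new_base: IPInfoBase) -> List[str]:
        """Install an updated base and release every blocked IP that carried its
        justifying label before the update but no longer carries it afterwards."""
        released = sorted(ip for ip, label in self.blocked.items()
                          if label in self.base.labels_of(ip)
                          and label not in new_base.labels_of(ip))
        for ip in released:
            del self.blocked[ip]
        self.base = new_base
        return released


if __name__ == "__main__":
    # Constructed sample base; documentation prefixes only.
    base = IPInfoBase({"GeoIP:US": ["203.0.113.0/24"], "whitelist": ["192.0.2.7"],
                       "blacklist": ["192.0.2.0/24"], "threat-intel": ["203.0.113.9"]})
    bl = BlockList(base)
    bl.block_by_label("203.0.113.9", "threat-intel")
    refreshed = IPInfoBase({"GeoIP:US": ["203.0.113.0/24"], "whitelist": ["192.0.2.7"],
                            "blacklist": ["192.0.2.0/24"], "threat-intel": []})
    print("released after update:", bl.update_base(refreshed))
```

Keeping the justifying label with each block is what makes the update rule cheap: the refresh only has to re-check blocked entries against the new base, not re-evaluate every policy.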
202. When an access request is received, determine whether there is a proxy server in front of the application layer;
In this embodiment, the application layer is the highest layer of the OSI network reference model; it provides services to users, offers the user-facing interface for network transmission, and is mainly responsible for communication between users and applications, or between applications, over the network; it is the entry point through which users or application interfaces and protocols access the network. A proxy server is a server that fetches network information on behalf of network users; it is an intermediary between a private network and the Internet service provider, responsible for forwarding legitimate network traffic and for controlling and logging that forwarding.
203. If there is no proxy server in front of the application layer, take the peer IP address of the established connection as the real IP address;
In this embodiment, if there is no proxy server in front of the application layer, the peer IP address of the established connection is the real IP address of the host that sent the access request.
204. If there is a proxy server in front of the application layer, apply a preset parsing method to obtain the real IP address;
Optionally, in an embodiment, step 204 above includes:
determining whether the peer IP address of the established connection is a trusted IP;
if the peer IP address of the established connection is not a trusted IP, taking the peer IP address of the established connection as the real IP address;
if the peer IP address of the established connection is a trusted IP, determining whether the proxy server is a network-layer proxy server;
if the proxy server is a network-layer proxy server, obtaining the real IP address from the TCP packet;
if the proxy server is not a network-layer proxy server, determining whether the header of the access request carries a custom header field;
if the access request carries the custom header field, taking the information in that header field as the real IP address;
if the access request does not carry the custom header field, taking the value of the X-Forwarded-For field of the access request's header as the real IP address.
Specifically, to prevent requests from malicious IP addresses forging their source, a trusted IP address list can be configured: only when the peer IP address is in the trusted list is the forwarded information extracted to obtain the client's real IP address; a peer IP address that is not in the trusted list is always treated as the client's real IP address.
Specifically, for a peer IP address in the trusted list, it is determined whether the proxy server is a network-layer proxy server. If it is, the client's real IP address is obtained via TOA (Type of Address, a method that places the client IP address and port in the option field of the last packet of the TCP three-way handshake); otherwise (the proxy server is not a network-layer proxy server) it is determined whether the header of the access request contains a custom request header field that carries the IP address. If it does, the IP address in that custom field is taken as the real IP address; if not, the value of the X-Forwarded-For field of the request header is taken as the real IP address. X-Forwarded-For (XFF) is an HTTP request header field used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. Because each proxy appends the address it saw, XFF is a comma-separated chain whose leftmost entries may have been supplied by the client itself; only the entry appended by a trusted proxy is reliable, and the same applies to the custom header unless the trusted proxy overwrites it on every request.
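The decision tree of steps 202 to 204, as an added example in Python (not the patent's code). Assumptions not stated in the patent: trusted proxies are given as CIDR strings; the TOA option is parsed from raw TCP option bytes using the layout of the Linux "toa" kernel module (option kind 254, length 8, then a 16-bit port and a 32-bit IPv4 address in network byte order); the custom header name is a parameter. One refinement beyond the patent's wording: instead of taking the whole X-Forwarded-For value, the chain is walked right to left past trusted proxies so that a client-supplied leading entry cannot spoof the result.

```python
"""Real client IP resolution behind proxies (added example; not the patent's code).

Assumptions not stated in the patent: trusted proxies are given as CIDR strings;
the TOA option is parsed from the raw TCP option bytes with the layout used by
the Linux 'toa' kernel module (kind 254, length 8, then 16-bit port and 32-bit
IPv4 address in network byte order); the custom header name is a parameter.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional

TOA_KIND = 254   # assumption: TCPOPT_TOA value used by the Linux toa module
TOA_LEN = 8


def parse_toa(tcp_options: bytes) -> Optional[str]:
    """Walk a TCP option list (handling EOL=0 and NOP=1) and return the IPv4
    address carried by a TOA option, or None if absent or malformed."""
    i = 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                           # End of option list
            break
        if kind == 1:                           # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= len(tcp_options):
            break
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            break                               # malformed: stop, trust nothing
        if kind == TOA_KIND and length == TOA_LEN:
            _port, ip = struct.unpack("!HI", tcp_options[i + 2:i + 8])
            return str(ipaddress.IPv4Address(ip))
        i += length
    return None


def _valid_ip(value: str) -> Optional[str]:
    """Normalised IP string, or None if the header value is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def _in_trusted(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def resolve_real_ip(peer_ip: str, *, has_proxy: bool, trusted_cidrs: Iterable[str],
                    network_layer_proxy: bool = False, tcp_options: bytes = b"",
                    headers: Optional[Dict[str, str]] = None,
                    custom_header: Optional[str] = None) -> str:
    """Steps 202-204: peer IP when there is no proxy or the peer is untrusted;
    TOA for a trusted network-layer proxy; custom header, else X-Forwarded-For,
    for a trusted application-layer proxy."""
    if not has_proxy:
        return peer_ip
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    if not _in_trusted(peer_ip, nets):
        return peer_ip          # forwarded data from an untrusted peer may be forged
    if network_layer_proxy:
        return parse_toa(tcp_options) or peer_ip
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    if custom_header and custom_header.lower() in hdrs:
        return _valid_ip(hdrs[custom_header.lower()]) or peer_ip
    xff = hdrs.get("x-forwarded-for", "")
    hops: List[str] = [h for h in (_valid_ip(x) for x in xff.split(",")) if h]
    # Each proxy appends the peer it saw, so entries a client could forge sit on
    # the left. Walk right to left past trusted proxies; the first untrusted hop
    # is the client.
    for hop in reversed(hops):
        if not _in_trusted(hop, nets):
            return hop
    return hops[0] if hops else peer_ip


if __name__ == "__main__":
    # Constructed TCP option bytes: NOP, NOP, TOA(kind 254, len 8, port 40000, 198.51.100.23)
    sample_toa = b"\x01\x01\xfe\x08\x9c\x40\xc6\x33\x64\x17"
    print(resolve_real_ip("10.1.2.3", has_proxy=True, trusted_cidrs=["10.0.0.0/8"],
                          network_layer_proxy=True, tcp_options=sample_toa))
    print(resolve_real_ip("10.1.2.3", has_proxy=True, trusted_cidrs=["10.0.0.0/8"],
                          headers={"X-Forwarded-For": "192.0.2.9, 198.51.100.77, 10.9.9.9"}))
```

Two checks a deployment must keep: the trusted list has to contain exactly the addresses the proxies connect from (a too-wide range lets any host in it inject headers), and a custom header must be set by the proxy on every request, otherwise a client can supply it on a direct connection that the proxy merely passes through.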
205. Based on the blocking policy, perform blocking processing on the real IP address.
Optionally, in an embodiment, blocking is adjusted according to the host's load, with coarse-grained blocking when the load is too high. For example, when the host load exceeds a preset threshold, the matching object is widened to the IP addresses of the CIDR block A.B.C.D/N to which it belongs, blocking malicious IP addresses as broadly as possible and reducing the host's resource consumption; when the host load returns to normal, the original blocking policy is restored.
Optionally, in an embodiment, blocked malicious IP addresses are synchronised to a network-layer firewall or to the upstream proxy server, so that requests are intercepted at the network layer and resource consumption is reduced.
Optionally, in an embodiment, step 205 above includes:
based on the priority of each blocking policy, determining in order from highest to lowest priority whether the real IP address satisfies each preset blocking condition;
when the real IP address satisfies a preset blocking condition, executing the corresponding matching action and stopping the evaluation of the remaining lower-priority blocking conditions.
For ease of understanding, the blocking flow is illustrated with the following example:
In this embodiment, the following four blocking policies are configured, with priority ① > ② > ③ > ④:
① ban IP addresses whose GeoIP label in the IP address information base gives the country as the United States;
② if any IP address makes 100 requests within one 60-second period, automatically block that IP address for 1 hour;
③ if any IP address triggers attack detection more than 10 times within one 10-second period, automatically block all IP addresses of the CIDR block A.B.C.D/24 to which it belongs for 24 hours;
④ if any IP address makes no more than 10 requests in each of three consecutive 60-second periods, automatically block that IP address for 1 hour and attach the scanner label to it.
Now, if an IP address (1.1.1.1) accesses the application, its GeoIP is looked up first. If the country is found to be the United States, it is treated as triggering blocking policy ① and is blocked, and policies ②, ③ and ④ are not evaluated; otherwise its access is counted:
if the IP address makes 110 requests within 60 seconds, of which 20 are attacks occurring once every 3 seconds (matching blocking policy ②), the blocking device treats 1.1.1.1 as triggering rule ② and blocks it for 1 hour;
if the IP address makes 100 requests within 60 seconds, of which 10 are attacks within 10 consecutive seconds (matching blocking policies ② and ③), the blocking device treats 1.1.1.1 as triggering rule ② and blocks it for 1 hour (policy ② has the higher priority; once ② is found to be satisfied its matching action is executed and policies ③ and ④ need not be evaluated);
if the IP address makes 50 requests within 10 seconds, of which 10 are attacks, the blocking device treats the CIDR block 1.1.1.0/24 to which it belongs as triggering rule ③ and blocks it for 24 hours;
if the IP address makes 5 requests in one minute, 1 request in the following minute and 5 requests in the minute after that, the blocking device treats 1.1.1.1 as triggering rule ④, blocks it for 1 hour, and attaches the scanner label to it.
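The priority-ordered evaluation of step 205, with the four policies and four traffic cases above, the CIDR widening of the load-based option and the matching-object definitions of step 101, as an added example in Python (not the patent's code). Assumptions not stated in the patent: per-IP activity is supplied as a list of (seconds, is_attack) events; GeoIP labels arrive as a set of strings such as "GeoIP:US"; the four traffic samples are constructed to mirror the worked cases. Policy ③ is implemented as "10 or more attacks in a 10-second window" so that the page's worked cases, which contain exactly 10 attacks, reproduce, although the policy text says "more than 10"; adjust the comparison if the stricter reading is intended.

```python
"""Priority-ordered blocking policies (added example; not the patent's code).

Assumptions not stated in the patent: per-IP activity is a list of
(seconds, is_attack) events, GeoIP labels are strings such as "GeoIP:US",
and policy 3 fires at 10 or more attacks in 10 s (the worked cases use exactly
10 attacks although the policy text says "more than 10").
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

Event = Tuple[float, bool]          # (seconds since first observation, flagged as attack)


@dataclass
class Verdict:
    policy: str                     # which policy fired
    target: str                     # single IP or CIDR block to block
    duration_s: Optional[int]       # None = until removed from the block list
    add_labels: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    priority: int                   # 1 = evaluated first
    name: str
    condition: Callable[[str, Set[str], List[Event]], bool]
    action: Callable[[str], Verdict]


def count_in_window(events: List[Event], start: float, length: float,
                    attacks_only: bool = False) -> int:
    """Events with start <= t < start + length (optionally attacks only)."""
    return sum(1 for t, atk in events
               if start <= t < start + length and (atk or not attacks_only))


def max_window_count(events: List[Event], length: float,
                     attacks_only: bool = False) -> int:
    """Peak count over every window of `length` seconds starting at an event;
    any maximal window can be slid left to start at an event, so this is exact."""
    return max((count_in_window(events, t, length, attacks_only)
                for t, atk in events if atk or not attacks_only), default=0)


def per_period_counts(events: List[Event], period: float, n: int) -> List[int]:
    """Request counts in n consecutive fixed periods from the first event."""
    if not events:
        return [0] * n
    start = min(t for t, _ in events)
    return [count_in_window(events, start + i * period, period) for i in range(n)]


def cidr24(ip: str) -> str:
    """The A.B.C.D/24 block containing ip (strict=False clears the host bits)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


POLICIES = [
    Policy(1, "GeoIP country is US",
           lambda ip, labels, ev: "GeoIP:US" in labels,
           lambda ip: Verdict("1", ip, None)),
    Policy(2, "100 requests in one 60 s period",
           lambda ip, labels, ev: max_window_count(ev, 60) >= 100,
           lambda ip: Verdict("2", ip, 3600)),
    Policy(3, "10 attacks in one 10 s period: block the /24 for 24 h",
           lambda ip, labels, ev: max_window_count(ev, 10, attacks_only=True) >= 10,
           lambda ip: Verdict("3", cidr24(ip), 86400)),
    Policy(4, "at most 10 requests in each of 3 consecutive 60 s periods (slow CC)",
           lambda ip, labels, ev: bool(ev) and all(c <= 10 for c in per_period_counts(ev, 60, 3)),
           lambda ip: Verdict("4", ip, 3600, {"scanner"})),
]


def evaluate(ip: str, labels: Set[str], events: List[Event],
             policies: List[Policy] = POLICIES,
             host_overloaded: bool = False) -> Optional[Verdict]:
    """First matching policy in priority order wins and lower ones are skipped.
    host_overloaded widens a single-IP verdict to its /24 (coarse-grained blocking)."""
    for p in sorted(policies, key=lambda pol: pol.priority):
        if p.condition(ip, labels, events):
            verdict = p.action(ip)
            if host_overloaded and "/" not in verdict.target:
                verdict.target = cidr24(verdict.target)
            return verdict
    return None


# Constructed traffic samples mirroring the patent's four worked cases for 1.1.1.1.
def case_110_in_60s() -> List[Event]:      # 20 of 110 requests are attacks, ~3 s apart
    return [(i * 60 / 110, i % 5 == 0 and i < 100) for i in range(110)]

def case_100_in_60s() -> List[Event]:      # 10 attacks inside the first 10 s
    return [(i * 0.6, i < 10) for i in range(100)]

def case_50_in_10s() -> List[Event]:       # 50 requests in 10 s, 10 of them attacks
    return [(i * 0.2, i < 10) for i in range(50)]

def case_5_1_5() -> List[Event]:           # 5, 1, 5 requests in three consecutive minutes
    return ([(i * 10.0, False) for i in range(5)] + [(90.0, False)]
            + [(120.0 + i * 10.0, False) for i in range(5)])


if __name__ == "__main__":
    for name, ev in [("110/60s", case_110_in_60s()), ("100/60s", case_100_in_60s()),
                     ("50/10s", case_50_in_10s()), ("5-1-5", case_5_1_5())]:
        print(name, evaluate("1.1.1.1", set(), ev))
    print("US", evaluate("1.1.1.1", {"GeoIP:US"}, case_50_in_10s()))
```

Note that policy ④, as stated, also matches any ordinary low-volume visitor with at least one request; in a deployment the count behind it is scoped to a particular path, file or header pattern, as the count definitions of step 101 allow, or combined with an attack flag, otherwise the scanner label spreads to legitimate clients.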
In the embodiment of the present invention, an IP address information base is established and blocking policies are configured; when an access request is received, it is determined whether there is a proxy server in front of the application layer; if not, the peer IP address of the established connection is taken as the real IP address; if so, a preset parsing method is applied to obtain the real IP address; based on the blocking policies, the real IP address is blocked. The invention obtains the real client IP address through the preset parsing method and blocks that address, avoiding the situation in which blocking a proxy server's IP address makes the service unreachable for a large number of users. Blocking on precise per-IP access behaviour makes it possible to count both excessive and unusually sparse access requests per IP address; unlike existing blocking devices, IP addresses whose request volume is far below normal can be blocked too, which defends against slow CC (challenge collapsar, i.e. HTTP flood) attacks spread over a large number of IP addresses. The various HTTP header fields of an IP address's requests and the number and proportion of response codes can also be counted, so that malicious IP addresses showing abnormal access behaviour are blocked automatically. Blocking policies can be flexibly configured from multi-dimensional information, and coarse-grained blocking can be applied to improve efficiency.
The method for blocking malicious IP addresses in the embodiment of the present invention has been described above; the device for blocking malicious IP addresses in the embodiment of the present invention is described below. Referring to FIG. 3, an embodiment of the device for blocking malicious IP addresses in the embodiment of the present invention includes:
a configuration module 301, for establishing an IP address information base and configuring blocking policies;
a processing module 302, for obtaining, when an access request is received, the real IP address of the client from which the access request originates;
a blocking module 303, for performing blocking processing on the real IP address based on the blocking policies.
Optionally, the configuration module 301 is specifically configured to:
obtain labels of each category and the IP address information corresponding to each, where the label categories include one or more of: geographic address, ISP, IDC, anycast, threat intelligence, and custom;
establish the IP address information base from the labels and the IP address information.
Optionally, the configuration module 301 may further be specifically configured to:
obtain the IP address information of a matching object;
based on the IP address information of the matching object, count the number of requests by which the matching object accesses a given path within a preset number of periods;
obtain a matching action, and configure a blocking policy that executes the matching action when the matching object's request count satisfies a preset blocking condition.
Optionally, the configuration module 301 may further be specifically configured to:
when multiple blocking policies are configured, configure a priority for each blocking policy.
Optionally, the blocking module 303 is specifically configured to:
based on the priority of each blocking policy, determine in order from highest to lowest priority whether the real IP address satisfies each preset blocking condition;
when the real IP address satisfies a preset blocking condition, execute the corresponding matching action and stop the evaluation of the remaining lower-priority blocking conditions.
Optionally, the processing module 302 includes:
a judging unit 3021, for determining, when an access request is received, whether there is a proxy server in front of the application layer;
a processing unit 3022, for taking the peer IP address of the established connection as the real IP address if there is no proxy server in front of the application layer;
a parsing unit 3023, for applying a preset parsing method to obtain the real IP address if there is a proxy server in front of the application layer.
Optionally, the parsing unit 3023 is specifically configured to:
determine whether the peer IP address of the established connection is a trusted IP;
if the peer IP address of the established connection is not a trusted IP, take the peer IP address of the established connection as the real IP address;
if the peer IP address of the established connection is a trusted IP, determine whether the proxy server is a network-layer proxy server;
if the proxy server is a network-layer proxy server, obtain the real IP address from the TCP packet;
if the proxy server is not a network-layer proxy server, determine whether the header of the access request carries a custom header field;
if the access request carries the custom header field, take the information in that header field as the real IP address;
if the access request does not carry the custom header field, take the value of the X-Forwarded-For field of the access request's header as the real IP address.
In the embodiment of the present invention, an IP address information base is established and blocking policies are configured; when an access request is received, the real IP address of the client from which it originates is obtained; based on the blocking policies, the real IP address is blocked. The invention automatically obtains the real client IP address and blocks that address, avoiding the situation in which blocking a proxy server's IP address makes the service unreachable for a large number of users; at the same time, blocking policies can be flexibly configured from multi-dimensional information, overcoming the shortcoming of existing blocking devices, which block on the single datum of the IP address.
FIG. 3 above describes the device for blocking malicious IP addresses in the embodiment of the present invention from the perspective of modular functional entities; the electronic device in the embodiment of the present invention is described below from the perspective of hardware processing.
FIG. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention. The electronic device 500 may vary considerably with configuration or performance, and may include one or more processors (central processing units, CPU) 510 (for example, one or more processors), a memory 520, and one or more storage media 530 (for example, one or more mass storage devices) storing application programs 533 or data 532. The memory 520 and the storage medium 530 may be transient or persistent storage. A program stored in the storage medium 530 may include one or more modules (not shown), each of which may include a series of instruction operations on the electronic device 500. Further, the processor 510 may be configured to communicate with the storage medium 530 and to execute, on the electronic device 500, the series of instruction operations stored in the storage medium 530.
The electronic device 500 may further include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD and so on. Those skilled in the art will understand that the electronic device structure shown in FIG. 4 does not limit the electronic device, which may include more or fewer components than shown, combine certain components, or arrange components differently.
The present invention further provides an electronic device including a memory and a processor; the memory stores computer-readable instructions which, when executed by the processor, cause the processor to perform the steps of the method for blocking malicious IP addresses in the embodiments above.
The present invention further provides a computer-readable storage medium, which may be a non-volatile or a volatile computer-readable storage medium; the storage medium stores instructions which, when run on a computer, cause the computer to perform the steps of the method for blocking malicious IP addresses.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes over the prior art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes media capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk.
The embodiments above are intended only to illustrate the technical solutions of the present invention, not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210833404.3A CN115174243A (en) | 2022-07-15 | 2022-07-15 | Malicious IP address blocking processing method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115174243A (en) | 2022-10-11 |
Family
ID=83494219
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210833404.3A Pending CN115174243A (en) | 2022-07-15 | 2022-07-15 | Malicious IP address blocking processing method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115174243A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116319044A (en) * | 2023-04-03 | 2023-06-23 | 京东科技信息技术有限公司 | IP address interception method, device, electronic equipment and readable medium |
CN119363477A (en) * | 2024-12-19 | 2025-01-24 | 南京赛宁信息技术有限公司 | A prefix-based IP blacklist storage and retrieval method and system |
CN119363477B (en) * | 2024-12-19 | 2025-03-11 | 南京赛宁信息技术有限公司 | Prefix-based IP blacklist storage and retrieval method and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105491054A (en) * | 2015-12-22 | 2016-04-13 | 网易(杭州)网络有限公司 | Method and apparatus for determining malicious access, and method and apparatus for intercepting malicious access |
CN113225349A (en) * | 2021-05-21 | 2021-08-06 | 中国工商银行股份有限公司 | Method and device for establishing malicious IP address threat intelligence library and preventing malicious attack |
CN113596058A (en) * | 2021-08-13 | 2021-11-02 | 广东电网有限责任公司 | Malicious address processing method and device, computer equipment and storage medium |
CN113596028A (en) * | 2021-07-29 | 2021-11-02 | 南京南瑞信息通信科技有限公司 | Method and device for handling network abnormal behaviors |
US20210400080A1 (en) * | 2020-06-17 | 2021-12-23 | Paypal, Inc. | Systems and methods for detecting and automatically blocking malicious traffic |
CN113949581A (en) * | 2021-10-22 | 2022-01-18 | 中国建设银行股份有限公司 | Address blocking method, device and system, storage medium and electronic device |
Events: 2022-07-15, CN application CN202210833404.3A filed (publication CN115174243A), status Pending.
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||