WO2018130137A1 - Method and apparatus for defending against network attacks, medium and device - Google Patents
Publication number: WO2018130137A1 (PCT/CN2018/071892)
Authority: WO (WIPO, PCT)
Prior art keywords: access request, service access, request message, packet, attack
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Ceased
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic
Definitions
- The embodiments of the present invention relate to the field of Internet technologies, and in particular to a method, an apparatus, a medium and a device for defending against network attacks.
- Current network attacks fall mainly into traffic attacks and application-layer attacks. Traffic attacks generally refer to Layer 3 (network layer) or Layer 4 (transport layer) attacks.
- Their main approach is to exploit weaknesses of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocols themselves, forging source IP addresses to manufacture attack packets that overwhelm the link so that the business is paralyzed.
- The SYN flood, the most common denial-of-service attack, is a typical traffic attack.
- The attacker forges TCP handshake (SYN, synchronize) packets to saturate the ingress traffic of the data centre, so that packets belonging to normal business cannot be processed and normal business is paralyzed. Other traffic attacks include DNS reflection attacks, UDP floods and NTP reflection attacks.
- Layer 7 (application layer) attacks generally refer to CC (Challenge Collapsar) attacks, which are targeted at the actual business and can also be regarded as HTTP (Hypertext Transfer Protocol) attacks. The most common form is accessing a particular interface at high frequency so that the application server misbehaves and the business is affected; constructing requests to scalp tickets or to mass-request verification codes also falls within the scope of CC attacks.
- RST (reset the connection): the TCP connection-reset flag.
- RST bounce is a common means of defending against such attacks.
- Its main principle is that when a user initiates a TCP connection request, the request is first rejected by returning an RST packet. A real user (typically a browser) then retries, that is, initiates a second connection request, which the firewall lets through; an attacker's program generally does not retry, so the goal of interception is achieved.
- RST bounce has several drawbacks. One is that it is implemented as layer-7 interception on the traditional load balancer (that is, intercepted directly in the load-balancing program or device), which requires complete HTTP protocol parsing and therefore consumes considerable CPU resources.
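A minimal model of the RST-bounce decision described above, added here as an illustration; it is not code from the patent. It remembers sources whose first SYN was answered with RST, accepts a retry that arrives within a window, and then trusts the source for a while so a browser's parallel connections are not bounced again. The class and function names, the window lengths and the sample attempts are assumptions. The sample also shows the technique's limit: any client whose tool retries passes the gate.

```python
"""Model of an RST-bounce gate (added illustration, not the patent's code).

First SYN from a source -> answered with RST and remembered.
Retry within retry_window -> accepted, and the source is trusted for trust_ttl
seconds so its further connections are not bounced again.
Names, window values and the sample attempts below are assumptions.
"""
from typing import Dict, Iterable, List, Tuple


class RstBounceGate:
    def __init__(self, retry_window: float = 10.0, trust_ttl: float = 300.0):
        self.retry_window = retry_window
        self.trust_ttl = trust_ttl
        self._bounced: Dict[str, float] = {}   # src -> time of the rejected first SYN
        self._trusted: Dict[str, float] = {}   # src -> time the source passed the gate

    def decide(self, src: str, now: float) -> str:
        """Return "ACCEPT" or "RST" for a SYN from src arriving at time now."""
        passed = self._trusted.get(src)
        if passed is not None and now - passed <= self.trust_ttl:
            return "ACCEPT"                     # already proved it retries
        first = self._bounced.pop(src, None)
        if first is not None and now - first <= self.retry_window:
            self._trusted[src] = now            # a retry: a real client, let it in
            return "ACCEPT"
        self._bounced[src] = now                # first (or stale) attempt: bounce it
        return "RST"

    def expire(self, now: float) -> int:
        """Drop stale entries; returns how many sources were forgotten."""
        stale = {s for s, t in self._bounced.items() if now - t > self.retry_window}
        stale |= {s for s, t in self._trusted.items() if now - t > self.trust_ttl}
        for s in stale:
            self._bounced.pop(s, None)
            self._trusted.pop(s, None)
        return len(stale)


def simulate(attempts: Iterable[Tuple[float, str]], retry_window: float = 10.0) -> List[str]:
    """Feed (timestamp, source) SYN attempts through one gate in time order."""
    gate = RstBounceGate(retry_window)
    return [gate.decide(src, ts) for ts, src in sorted(attempts)]


# Constructed sample: a browser that retries, a one-shot flood tool, and a
# tool that comes back only after the retry window has closed.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.5"), (1.5, "203.0.113.5"), (2.0, "203.0.113.5"),
    (0.2, "198.51.100.9"),
    (0.3, "198.51.100.23"), (50.0, "198.51.100.23"),
]

if __name__ == "__main__":
    for (ts, src), verdict in zip(sorted(SAMPLE_ATTEMPTS), simulate(SAMPLE_ATTEMPTS)):
        print(f"{ts:5.1f} {src:15} {verdict}")
```

The browser at 203.0.113.5 is bounced once and then accepted; the one-shot tool never gets through; the tool that returns after 50 s is treated as a fresh first attempt and bounced again.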
- The embodiment of the invention provides a method and an apparatus for defending against network attacks.
- Attack packets are intercepted at the kernel layer, which does not require complete HTTP protocol parsing and can effectively reduce the CPU resources consumed.
- The method includes: obtaining a service access request packet; determining whether the service access request packet is an attack packet; and if so, discarding the service access request packet at the kernel layer.
- Discarding the service access request packet at the kernel layer includes: discarding it at the kernel layer by operating iptables.
- After the service access request packet has been discarded at the kernel layer by operating iptables, the method further includes: releasing the TCP connection corresponding to the service access request packet.
- Releasing the TCP connection corresponding to the service access request packet includes: using iptables to change the TCP packets of that connection into connection-reset (RST) packets, so that the corresponding TCP connection is released.
- Determining whether the service access request packet is an attack packet includes: collecting a service access request log, and determining from the feature information of the service access request log whether the service access request packet is an attack packet.
- Determining this from the feature information of the log includes: determining the historical access frequency of the service access request packet from the request times in the log, and determining that the packet is an attack packet when the historical access frequency exceeds a preset value.
- The currently accessed domain name may also be taken into account: the packet is determined to be an attack packet when its historical access frequency exceeds the preset value and the currently accessed domain name is a preset domain name.
- After the service access request packet has been determined to be an attack packet, the method further includes: determining the risk level of the packet; when the risk level is the first risk level, triggering the step of discarding the packet at the kernel layer; when the risk level is the second risk level, displaying a warning indication that a network attack currently exists, the first risk level being higher than the second risk level.
- The apparatus includes an obtaining module, configured to obtain a service access request packet;
- a first determining module, configured to determine whether the service access request packet obtained by the obtaining module is an attack packet;
- and a discarding module, configured to discard the service access request packet at the kernel layer if the first determining module determines that it is an attack packet.
- The discarding module is specifically configured to discard the service access request packet at the kernel layer by operating iptables.
- The apparatus further includes a release module, configured to release the TCP connection corresponding to the service access request packet after the discarding module has discarded the packet by operating iptables.
- The release module is specifically configured to use iptables to change the TCP packets of that connection into connection-reset (RST) packets, so that the TCP connection corresponding to the service access request packet is released.
- The first determining module includes a collection unit, configured to collect a service access request log, and a determining unit, configured to determine, from the feature information of the log collected by the collection unit, whether the service access request packet is an attack packet.
- The determining unit is specifically configured to determine the historical access frequency of the service access request packet from the request times in the log, and to determine that the packet is an attack packet when the historical access frequency exceeds a preset value.
- The determining unit is further configured to determine whether the packet is an attack packet from the feature information of the log together with the currently accessed domain name, that is, to determine that the packet is an attack packet when its historical access frequency exceeds the preset value and the currently accessed domain name is a preset domain name.
- The apparatus further includes a second determining module, configured to determine the risk level of the service access request packet after the first determining module has determined that it is an attack packet;
- a triggering module, configured to trigger the discarding module to discard the packet at the kernel layer when the second determining module determines that the risk level is the first risk level;
- and a display module, configured to display a warning indication when the second determining module determines that the risk level is the second risk level, the warning indication indicating that a network attack currently exists, the first risk level being higher than the second risk level.
- A computer program is stored on the storage medium provided by an embodiment of the present invention; when the program is executed by a processor, the steps of the foregoing method are implemented.
- A computer device provided by an embodiment of the present invention includes a memory, a processor, and a computer program stored in the memory and runnable on the processor; the processor implements the steps of the foregoing method when executing the program.
- Because the attack packet is discarded at the kernel layer, complete protocol parsing is not required, so large amounts of CPU are not consumed and the CPU resources consumed can be effectively reduced.
- FIG. 1 is a schematic flowchart diagram of a method for defending against network attacks according to an embodiment of the present invention
- FIG. 2 is another schematic flowchart of a method for defending against network attacks according to an embodiment of the present invention
- FIG. 3 is a schematic structural diagram of a system for implementing a defense against a network attack according to an embodiment of the present invention
- FIG. 4 is a schematic structural diagram of a Storm big data computing platform according to an embodiment of the present invention.
- FIG. 5 is a schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
- FIG. 6 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
- FIG. 7 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
- FIG. 8 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
- FIG. 1 is a schematic flowchart of an embodiment of the method for defending against a network attack according to an embodiment of the present invention, including:
- Step 101: Obtain a service access request packet.
- Step 102: Determine whether the service access request packet is an attack packet; if so, perform step 103.
- Step 103: Discard the service access request packet at the kernel layer.
- In this embodiment, the service access request packet is obtained, it is determined whether the packet is an attack packet, and if it is determined to be an attack packet it is discarded at the kernel layer.
- It can be seen that, in the embodiment of the present invention, the attack packet is discarded at the kernel layer and complete protocol parsing is not required, so a large amount of CPU is not consumed and the CPU resources consumed can be effectively reduced.
- FIG. 2 is a schematic flowchart of another embodiment of the method for defending against network attacks according to an embodiment of the present invention, including:
- Step 201: Collect a service access request log.
- The Kafka (Apache Kafka) queue is a high-throughput distributed message queue that can handle all the activity-stream data of a website, for example users' web browsing, searches and other user behaviour.
- It is a data-processing framework suited to massive volumes of service access request logs, user behaviour data and website operation statistics. Collecting service access request logs through Kafka queues has the following characteristics:
- a disk data structure with O(1) time complexity provides message persistence, and storage remains stable over long periods even for message volumes beyond the terabyte level;
- Kafka queues satisfy a variety of real-time online and offline processing needs, as well as low-latency and batch-throughput performance requirements.
- Taking the HTTP request as an example, the HTTP access request log can be collected through the Kafka queue.
- Step 202: Obtain a service access request packet.
- Step 203: Determine, from the feature information of the service access request log, whether the service access request packet is an attack packet.
- If so, step 204 is performed.
- The service access request log is a file that records, over a certain period, information related to the access process, such as the access time and the source IP address of each service access request.
- Taking HTTP as an example, whether an HTTP access request packet is an attack packet is determined from the feature information of the HTTP access request log.
- The feature information of the HTTP access request log includes, but is not limited to, the request time and the source IP address.
- From the access records in the request log, the access behaviour of the currently obtained HTTP access request packet within a certain period can be determined, for example its historical access frequency and total number of accesses in a preset time period.
- The preset time period may be set according to the actual application, for example within one month, and is not limited here.
- Determining from the feature information of the service access request log whether the packet is an attack packet specifically means:
- determining the historical access frequency of the service access request packet from the request times in the service access request log;
- and, when the historical access frequency is greater than a preset value, determining that the service access request packet is an attack packet.
- The preset value can be set according to actual needs and is not limited here. It should be noted that this is only one implementation manner; whether the currently obtained service access request packet is an attack packet may be determined from the feature information of the log in other ways, which are not limited here.
- The load balancing server is a control server: all user service access requests are first sent to the load balancing server, which then assigns each service access request to a particular processing server, according to the state of the processing servers, where it is actually handled.
- The load balancing server generally only performs load-balancing task allocation and is not the server that actually processes the service access request.
- Behind the same load balancing server there are generally multiple domain names.
- Taking Sohu's load balancing server as an example, behind one load balancer there is the domain name http://www.sohu.com, i.e. Sohu's main site,
- and also http://m.sohu.com, i.e. Sohu's mobile site. The same packet can be given different behaviour for different domain names, that is, the same packet is allowed to access only certain domain names.
- Accordingly, the feature information of the service access request log together with the currently accessed domain name is used to determine whether the service access request packet is an attack packet:
- the historical access frequency of the service access request packet is determined, and the domain name currently accessed by the packet is determined from the service access request log;
- when the historical access frequency of the packet is greater than a preset value and the currently accessed domain name is a preset domain name,
- the service access request packet is determined to be an attack packet.
- For example, when the historical access frequency of packets from an IP address is higher than the preset value and they access http://m.sohu.com, those packets are identified as attack packets against Sohu's mobile site,
- and the service access requests they generate can no longer pass through the firewall, while normal access from the same IP address to Sohu's main site (http://www.sohu.com) is not affected. Thus, in the embodiment of the present invention, packets from the same IP address
- are treated differently for different domain names behind the load balancing server, that is, the domain name can be used to restrict the behaviour of packets from that IP address.
- The IP address is denied access to certain domain names behind the same load balancer instead of being blocked completely. This makes the solution more flexible and effectively reduces the situations in which the business behind some domain names cannot proceed normally.
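The two checks described in steps 201 to 203 (historical access frequency above a preset value, and the accessed domain name being a preset domain), run over a few constructed log lines; this is an added example for this page, not the patent's code. Domain matching is done with KMP string search because the system description names that algorithm. The log line format, the field names, the one-minute window, the threshold of 20 requests per minute, the protected domain list and the sample lines are all assumptions.

```python
"""Attack-packet decision from a service access request log.

Added illustration for this page; not the patent's code. Implements the two
checks the text describes: historical access frequency above a preset value,
and the accessed domain name being a preset domain, matched with KMP string
search. Log format, field names, thresholds and sample lines are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Sequence, Tuple


class Record(NamedTuple):
    ts: datetime
    src_ip: str
    host: str
    method: str
    path: str
    status: int


def kmp_find(text: str, pattern: str) -> int:
    """Index of the first occurrence of pattern in text, or -1 (Knuth-Morris-Pratt)."""
    if not pattern:
        return 0
    fail = [0] * len(pattern)          # fail[i]: longest proper border of pattern[:i+1]
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    k = 0
    for i, ch in enumerate(text):
        while k and ch != pattern[k]:
            k = fail[k - 1]
        if ch == pattern[k]:
            k += 1
            if k == len(pattern):
                return i - k + 1
    return -1


def parse_log(lines: Sequence[str]) -> List[Record]:
    """Assumed line format: '<iso-time> <src-ip> <host> <method> <path> <status>'."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue                     # filter stage: drop malformed lines
        ts, ip, host, method, path, status = parts
        out.append(Record(datetime.fromisoformat(ts), ip, host, method, path, int(status)))
    return out


def access_frequency(records: List[Record], src_ip: str, now: datetime, window: timedelta) -> float:
    """Requests per minute from src_ip in the preset period ending at now."""
    start = now - window
    n = sum(1 for r in records if r.src_ip == src_ip and start <= r.ts <= now)
    return n * 60.0 / window.total_seconds()


def matches_protected(host: str, protected_domains: Sequence[str]) -> bool:
    """True if host is a preset domain: found with KMP and anchored at the end of
    the host, so 'm.sohu.com.evil.example' is not mistaken for 'm.sohu.com'."""
    for d in protected_domains:
        i = kmp_find(host, d)
        if i != -1 and i + len(d) == len(host):
            return True
    return False


def is_attack(records, src_ip, host, now, window, threshold_per_min, protected_domains) -> Tuple[bool, float]:
    """Combined rule from the text: frequency above the preset value AND a preset domain."""
    freq = access_frequency(records, src_ip, now, window)
    return (freq > threshold_per_min and matches_protected(host, protected_domains)), freq


def classify(lines, now, window=timedelta(minutes=1), threshold_per_min=20.0,
             protected_domains=("m.sohu.com",)) -> Dict[Tuple[str, str], Tuple[str, float]]:
    records = parse_log(lines)
    verdicts = {}
    for ip, host in sorted({(r.src_ip, r.host) for r in records}):
        attack, freq = is_attack(records, ip, host, now, window, threshold_per_min, protected_domains)
        verdicts[(ip, host)] = ("attack" if attack else "normal", round(freq, 1))
    return verdicts


# Constructed sample log: one scripted client hammering the mobile site and also
# touching the main site, plus a normal visitor and a malformed line.
BASE = datetime(2017, 1, 10, 8, 0, 0)
SAMPLE_LOG = [f"{(BASE + timedelta(seconds=2 * i)).isoformat()} 203.0.113.5 m.sohu.com GET /api/vote 200"
              for i in range(30)] + [
    f"{(BASE + timedelta(seconds=5)).isoformat()} 203.0.113.5 www.sohu.com GET / 200",
    f"{(BASE + timedelta(seconds=9)).isoformat()} 203.0.113.5 www.sohu.com GET /news 200",
    f"{(BASE + timedelta(seconds=1)).isoformat()} 198.51.100.9 m.sohu.com GET / 200",
    f"{(BASE + timedelta(seconds=20)).isoformat()} 198.51.100.9 m.sohu.com GET /a 200",
    "garbage line the filter drops",
]
NOW = BASE + timedelta(seconds=60)

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_LOG, NOW).items():
        print(key, verdict)
```

The frequency is computed per source IP across all hosts (32 requests in the window for 203.0.113.5), but the verdict is per domain: the same source is an attacker on m.sohu.com and left alone on www.sohu.com, which is the domain-restricted behaviour the text describes.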
- Step 204: Discard the service access request packet at the kernel layer by operating iptables.
- iptables is the administration tool for the netfilter packet-processing framework in the Linux kernel. It provides network address translation, packet modification and packet filtering, that is, firewall functionality.
- In this embodiment, the service access request packet is discarded at the kernel layer by operating iptables.
- After the packet has been determined to be an attack packet, the method further includes determining the risk level of the service access request packet:
- when the risk level of the service access request packet is the first risk level, the step of discarding the packet at the kernel layer is triggered;
- when the risk level is the second risk level, a warning indication is displayed, the warning indication being used to indicate that a network attack currently exists, where the first risk level is higher than the second risk level.
- The risk level of an attack packet may thus be classified as a first risk level or a second risk level. The risk level may be determined from the access characteristics of the attack packet, for example its historical access frequency and the degree of repetition of its access paths, which are not limited here.
- In this way the service access request packet is graded by risk level, and packets are handled differently according to their risk level.
- Specifically, each attack packet is scored. The scoring criteria may include historical access frequency, the time difference between access requests, the degree of loop repetition in the access paths, the dispersion of the access paths, and differences in access status codes; the scores for these criteria are then combined.
- The score lies in the range [0, 99], where 0 is harmless and 99 is the most dangerous. The user can set the risk ranges, for example: below 60, no action; 60 to 80, the second risk level, at which only the alarm system is notified and an alarm indicating a current network attack is displayed; 80 and above, the first risk level, at which the packet is actually intercepted.
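A scoring function on the page's 0 to 99 scale using the five criteria listed above, with the score mapped to the three handling bands (no action, alert only, intercept); this is an added example for this page, not the patent's code, which gives no formulas. The feature definitions, the weights, the cut-offs of 60 and 80 and the two sample request sequences are assumptions.

```python
"""Risk scoring of one source's recent requests on the page's 0-99 scale.

Added illustration for this page; not the patent's code. The five criteria are
the ones the text lists (access frequency, request time difference, access
path loop repetition, access path dispersion, status code difference); the
feature formulas, weights, cut-offs and sample data are constructed assumptions.
"""
from collections import Counter
from statistics import pstdev
from typing import Dict, List, Tuple

Request = Tuple[float, str, int]      # (timestamp in seconds, path, HTTP status)
CRITERIA = ("frequency", "regularity", "loop", "dispersion", "status")
WEIGHTS = {"frequency": 35, "regularity": 20, "loop": 15, "dispersion": 15, "status": 14}
assert sum(WEIGHTS.values()) == 99   # keeps the score within [0, 99]


def features(reqs: List[Request]) -> Dict[str, float]:
    """Each feature normalised to [0, 1]; 1 is the most bot-like."""
    n = len(reqs)
    if n < 2:
        return {c: 0.0 for c in CRITERIA}
    ts = sorted(t for t, _, _ in reqs)
    span = max(ts[-1] - ts[0], 1.0)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = sum(gaps) / len(gaps)
    paths = [p for _, p, _ in reqs]
    return {
        # historical access frequency: requests/second, saturating at 10/s
        "frequency": min(n / span / 10.0, 1.0),
        # request time difference: scripts fire at near-constant intervals
        "regularity": 1.0 - min(pstdev(gaps) / mean_gap, 1.0) if mean_gap > 0 else 1.0,
        # access path loop repetition: share of hits on the single most-hit path
        "loop": Counter(paths).most_common(1)[0][1] / n,
        # access path dispersion: few distinct paths for the volume
        "dispersion": 1.0 - len(set(paths)) / n,
        # status code difference: share of non-2xx answers (errors, rate limits)
        "status": sum(1 for _, _, s in reqs if not 200 <= s < 300) / n,
    }


def score(reqs: List[Request]) -> int:
    f = features(reqs)
    return int(round(sum(WEIGHTS[c] * f[c] for c in CRITERIA)))


def level(s: int, alert_at: int = 60, intercept_at: int = 80) -> str:
    """Map a score to the page's handling: no action / alert only / intercept."""
    if s >= intercept_at:
        return "first-level: intercept"
    if s >= alert_at:
        return "second-level: alert"
    return "no action"


# Constructed samples: a vote-stuffing script and a person reading the site.
BOT: List[Request] = [(i * 0.125, "/api/vote", 429 if i % 4 == 3 else 200) for i in range(50)]
HUMAN: List[Request] = [(0, "/", 200), (12, "/news", 200), (45, "/news/1", 200), (60, "/", 200),
                        (130, "/about", 200), (131, "/news/2", 200), (200, "/contact", 200), (300, "/", 200)]

if __name__ == "__main__":
    for name, reqs in (("bot", BOT), ("human", HUMAN)):
        s = score(reqs)
        print(f"{name}: score={s} -> {level(s)}")
```

The script scores 82 and lands in the intercept band; the human sequence scores far below 60. Keeping the cut-offs as parameters of level() mirrors the text's point that the operator, not the scorer, decides where alerting ends and interception begins.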
- Step 205: Release the TCP connection corresponding to the service access request packet.
- After the packet has been discarded, the TCP connection corresponding to the service access request packet is released.
- Taking HTTP as an example, a TCP connection is established first, and the HTTP-layer session is carried out over that connection once it is established.
- After the HTTP access request packet is discarded, releasing the TCP connection corresponding to it effectively reduces the number of TCP connections held open on the server.
- The TCP connection corresponding to the service access request packet is released in the following way:
- by operating iptables, the TCP packets of that connection are turned into connection-reset (RST) packets, which achieves the purpose of releasing the TCP connection corresponding to the service access request packet.
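Steps 204 and 205 expressed as iptables commands, built by an added example for this page (not the patent's code). In iptables the "discard and turn into RST" behaviour is one REJECT rule with --reject-with tcp-reset: the matched packet is dropped in the kernel and an RST is sent back, which tears down the connection the client holds; the conntrack entry is deleted so the live connection is not still accepted as ESTABLISHED by an earlier rule. The chain, port, function names and dry-run handling are assumptions. The address is validated with the ipaddress module before it reaches a command line, because it originates in a log the attacker influenced.

```python
"""Kernel-layer block and connection release via iptables.

Added illustration for this page; not the patent's code. Builds the commands
for step 204 (discard further packets from the source in the kernel) and
step 205 (release the connection it holds by answering with a TCP RST). In
iptables both are done by one REJECT rule with --reject-with tcp-reset.
Chain, port, function names and dry-run handling are assumptions.
"""
import ipaddress
import shlex
import subprocess
from typing import List

Command = List[str]


def _validated(src_ip: str):
    # The address comes from a log line the attacker influenced. Parsing it as
    # an IP address (and passing argv lists, never a shell string) rules out
    # argument injection such as "1.2.3.4 -j ACCEPT" or "; rm -rf /".
    return ipaddress.ip_address(src_ip.strip())


def _tool(addr) -> str:
    return "ip6tables" if addr.version == 6 else "iptables"


def block_rules(src_ip: str, dport: int = 80, chain: str = "INPUT") -> List[Command]:
    """Commands that reject the source's TCP packets to dport with RST and
    flush its conntrack state so the open connection dies immediately."""
    addr = _validated(src_ip)
    match = ["-s", str(addr), "-p", "tcp", "--dport", str(dport)]
    reject = [_tool(addr), "-I", chain, "1", *match, "-j", "REJECT", "--reject-with", "tcp-reset"]
    flush = ["conntrack", "-D", "-f", f"ipv{addr.version}", "-s", str(addr)]
    return [reject, flush]


def unblock_rules(src_ip: str, dport: int = 80, chain: str = "INPUT") -> List[Command]:
    """Inverse of block_rules: delete the rule once the risk level drops."""
    addr = _validated(src_ip)
    return [[_tool(addr), "-D", chain, "-s", str(addr), "-p", "tcp", "--dport", str(dport),
             "-j", "REJECT", "--reject-with", "tcp-reset"]]


def apply(commands: List[Command], dry_run: bool = True) -> List[str]:
    """Run each argv list (no shell); with dry_run just return the rendered lines."""
    rendered = [shlex.join(cmd) for cmd in commands]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)   # needs CAP_NET_ADMIN (root)
    return rendered


if __name__ == "__main__":
    for line in apply(block_rules("203.0.113.5", dport=80)):
        print(line)
```

If you would rather not reveal the block to the attacker, swap REJECT for a DROP target; the packets are still discarded in the kernel, but the connection already open then only dies when it times out, which is exactly what step 205 is meant to avoid. Rules inserted this way should be removed again (unblock_rules) or given a lifetime, otherwise a shared NAT address that scored high once stays blocked indefinitely.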
- FIG. 3 is a schematic structural diagram of a system implementing the method for defending against a network attack according to an embodiment of the present invention.
- The interceptor mainly plays the role of intercepting attack packets at the kernel layer; it intercepts in the kernel through iptables.
- The interceptor sets the matching rules in the kernel by operating iptables.
- When a packet matches a rule, the interception action is triggered.
- FIG. 4 shows a schematic diagram of the Storm big data computing platform, including log input module (loginput), filtering module (filter), IP module (IP), configuration module (Conf), and alarm module (alert).
- The log input module reads the HTTP access request logs. The filtering module extracts the feature information of valid HTTP access request logs, such as the request time of each HTTP access request, and sends the feature information to the IP module.
- The matching parameters are configured in the configuration file of the Storm big data computing platform.
- The configuration module computes the matching rules from that configuration file, and the matching rules are applied in the IP module.
- The IP module receives the feature information sent by the filtering module.
- For each received HTTP access request packet, the IP module uses the feature information to classify the packet, for example by querying the historical access frequency of the packet's source from the feature information and by determining the domain name accessed by the packet with the KMP string-matching algorithm.
- If the HTTP access request packet is an attack packet, it is sent to the alert module.
- The alert module performs different actions according to the risk level of the HTTP access request packet: when the risk level is the first risk level, the step of discarding the service access request packet at the kernel layer is triggered;
- when the risk level is the second risk level, a warning indication is displayed, the warning indication being used to indicate that a network attack currently exists, where the first risk level is higher than the second risk level.
- In summary, the embodiment of the present invention provides a method and apparatus for defending against a network attack: a service access request packet is obtained, it is determined whether the packet is an attack packet, and if it is determined to be an attack packet,
- the service access request packet is discarded at the kernel layer. Compared with interception at layer 7 on the traditional load balancer, the attack packet is discarded
- at the kernel layer, so complete protocol parsing is not required, a large amount of CPU is not consumed, and the CPU resources consumed can be effectively reduced.
- The method for defending against network attacks has been described in the foregoing embodiment of the present invention. Based on that method, an embodiment of the present invention provides an apparatus for defending against network attacks, which is described below.
- FIG. 5 is a schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
- the apparatus includes an obtaining module 501, a first determining module 502, and a discarding module 503. Function description:
- the obtaining module 501 is configured to obtain a service access request packet.
- the first determining module 502 is configured to determine whether the service access request packet obtained by the obtaining module 501 is an attack packet.
- the discarding module 503 is configured to discard the service access request message at the kernel layer if the first determining module 502 determines that the service access request message is an attack message.
- The discarding module 503 is specifically configured to discard the service access request packet at the kernel layer by operating iptables.
- The apparatus further includes:
- a release module 504, configured to release the TCP connection corresponding to the service access request packet after the discarding module 503 has discarded the packet by operating iptables.
- The release module 504 is specifically configured to use iptables to change the TCP packets of that connection into connection-reset (RST) packets, so that the TCP connection corresponding to the service access request packet is released.
- The first determining module 502 includes:
- a collecting unit 5021, configured to collect a service access request log;
- and a determining unit 5022, configured to determine, from the feature information of the service access request log collected by the collecting unit 5021, whether the service access request packet is an attack packet.
- The determining unit 5022 is specifically configured to determine the historical access frequency of the service access request packet from the request times in the log, and to determine that the packet is an attack packet when the historical access frequency exceeds a preset value.
- The determining unit 5022 is further configured to determine whether the packet is an attack packet from the feature information of the log together with the currently accessed domain name,
- that is, to determine that the service access request packet is an attack packet when its historical access frequency exceeds the preset value and the currently accessed domain name is a preset domain name.
- The apparatus further includes:
- a second determining module 505, configured to determine the risk level of the service access request packet after the first determining module 502 has determined that it is an attack packet;
- a triggering module 506, configured to trigger the discarding module 503 to discard the packet at the kernel layer when the second determining module 505 determines that the risk level is the first risk level;
- and a display module 507, configured to display a warning indication when the second determining module 505 determines that the risk level is the second risk level, the warning indication being used to indicate that a network attack currently exists, where the first risk level is higher than the second risk level.
- The embodiment of the present invention thus provides a method and apparatus for defending against a network attack: a service access request packet is obtained, it is determined whether the packet is an attack packet, and if it is determined to be an attack packet,
- the service access request packet is discarded at the kernel layer. Because the attack packet is discarded at the kernel layer, complete protocol parsing is not required, a large amount of CPU is not consumed, and the CPU resources consumed can be effectively reduced.
- Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data.
- Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by the computer.
- Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media.
Description
本申请要求在2017年1月10日提交中国专利局、申请号为201710018349.1、发明名称为“一种防御网络攻击的方法以及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。The present application claims priority to Chinese Patent Application No. JP-A No. No. No. No. No. No. No. No. No. No. No. No. No. No. No. No. In the application.
本发明实施例涉及互联网技术领域,尤其涉及一种防御网络攻击的方法、装置、介质及设备。The embodiments of the present invention relate to the field of Internet technologies, and in particular, to a method, an apparatus, a medium, and a device for defending against network attacks.
当前网络攻击主要分为流量攻击和应用层攻击,其中,流量攻击一般是指3层(网络层)或者4层(传输层)攻击,主要是指利用IP/TCP(英文全称:Transmission Control Protocol/Internet Protocol)协议本身的一些缺陷,伪造源IP从而制造攻击包,以打击流量来使业务瘫痪,比如最常见的拒绝服务攻击(SYN-flood)就是非常典型的流量攻击,攻击者通过伪造TCP握手信号(英文全称:SYNCHRONOUS,缩写:SYN)包来打击机房的入口流量,使得正常业务的包无法被处理,从而使正常业务瘫痪。另外其他的流量攻击还有诸如域名系统(DNS)反射攻击、用户数据报协议攻击(UDP-flood)攻击、网络时间协议(NTP)反射攻击等等。而7层(应用层)攻击一般指CC(Challenge Collapsar)攻击,主要是针对实际业务进行特定的攻击,也可以被看做是超文本传输协议(缩写:HTTP)攻击,比如最常见的就是高频地访问某个接口,使应用服务器异常从而影响业务,再比如通过构造请求来刷票或者刷验证码等,这些都属于CC攻击的范围。Current network attacks are mainly classified into traffic attacks and application layer attacks. Traffic attacks generally refer to Layer 3 (network layer) or Layer 4 (transport layer) attacks. The main purpose is to use IP/TCP (English name: Transmission Control Protocol/ Internet Protocol) Some flaws in the protocol itself, forging source IP to create attack packets to combat traffic to make traffic smash. For example, the most common denial of service attack (SYN-flood) is a typical traffic attack. The attacker fakes TCP handshake. The signal (English full name: SYNCHRONOUS, abbreviation: SYN) package to combat the ingress traffic of the equipment room, so that the normal business package can not be processed, so that the normal business is paralyzed. Other traffic attacks include domain name system (DNS) reflection attacks, user datagram protocol attacks (UDP-flood) attacks, and network time protocol (NTP) reflection attacks. The 7-layer (application layer) attack generally refers to the CC (Challenge Collapsar) attack, which is mainly for specific attacks against actual services. It can also be regarded as a hypertext transfer protocol (abbreviation: HTTP) attack. For example, the most common one is high. Frequent access to an interface, making the application server anomaly and affecting the business, such as by constructing a request to brush tickets or swipe verification codes, etc., are all within the scope of CC attacks.
但是目前的安全防御基本集中在分布式拒绝服务(DDoS)流量清洗攻击,而对于以HTTP请求等为基础的应用层上的CC攻击目前的有效办法不多,现有中常用的防御手段是基于硬件的防御技术,比如RST(Reset the connection)反弹进行防御。RST反弹是一种常见的防御攻击的手段,主要原理是当用户发起TCP连接请求时,先将连接请求通过返回RST包拒绝,而真实用户这时会进行重试也就是发起第二次连接请求,然后防火墙再放行,但攻击者(如程序)则不会进 行重试,于是也就达到了拦截目的。但RST反弹有很多弊端,其中一点就是RST反弹实现时是在传统的负载均衡层7层拦截(即在负载均衡程序或者设备上直接拦截),需要进行完整的HTTP协议解析,需要消耗较较多的CPU资源。However, the current security defenses are mainly concentrated on distributed denial of service (DDoS) traffic cleaning attacks. However, there are not many effective methods for CC attacks on the application layer based on HTTP requests. The existing defense methods are based on Hardware defense techniques, such as RST (Reset the connection), bounce for defense. RST bounce is a common defense attack. The main principle is that when a user initiates a TCP connection request, the connection request is first rejected by returning the RST packet, and the real user will retry at this time, that is, initiate a second connection request. Then the firewall is released again, but the attacker (such as the program) will not retry, so the interception purpose is achieved. However, RST rebound has many drawbacks. One of them is that the RST bounce is implemented in the traditional load balancing layer 7 layer interception (that is, directly intercepted in the load balancing program or device), and needs to perform complete HTTP protocol parsing, which requires more consumption. CPU resources.
Summary of the invention
Embodiments of the present invention provide a method and an apparatus for defending against network attacks, in which attack packets are intercepted at the kernel layer without complete HTTP protocol parsing, which can effectively reduce the CPU resources consumed.
The method for defending against network attacks provided by embodiments of the present invention includes:
obtaining a service access request packet;
determining whether the service access request packet is an attack packet;
if so, discarding the service access request packet at the kernel layer.
Discarding the service access request packet at the kernel layer includes:
discarding the service access request packet at the kernel layer by operating iptables.
After the service access request packet has been discarded at the kernel layer by operating iptables, the method further includes:
releasing the TCP connection corresponding to the service access request packet.
Releasing the TCP connection corresponding to the service access request packet includes:
changing, by operating iptables, the packet type of the TCP packet corresponding to the TCP connection to a connection-reset (RST) packet, so as to release the TCP connection corresponding to the service access request packet.
Determining whether the service access request packet is an attack packet includes:
collecting service access request logs;
determining, according to feature information of the service access request logs, whether the service access request packet is an attack packet.
Determining, according to the feature information of the service access request logs, whether the service access request packet is an attack packet includes:
determining, according to the feature information of the service access request logs and the domain name currently being accessed, whether the service access request packet is an attack packet.
Determining, according to the feature information of the service access request logs and the domain name currently being accessed, whether the service access request packet is an attack packet includes:
determining the historical access frequency of the service access request packet according to the request times in the service access request logs;
determining the domain name currently accessed according to the service access request logs;
when the historical access frequency of the service access request packet is greater than a preset value and the currently accessed domain name is a preset domain name, determining that the service access request packet is an attack packet.
After the service access request packet has been determined to be an attack packet, the method further includes:
determining the risk level of the service access request packet;
when the risk level of the service access request packet is a first risk level, triggering the step of discarding the service access request packet at the kernel layer;
when the risk level of the service access request packet is a second risk level, displaying a warning indication, the warning indication being used to indicate that a network attack is currently in progress, where the first risk level is higher than the second risk level.
The apparatus for defending against network attacks provided by embodiments of the present invention includes:
an obtaining module, configured to obtain a service access request packet;
a first determining module, configured to determine whether the service access request packet obtained by the obtaining module is an attack packet;
a discarding module, configured to discard the service access request packet at the kernel layer if the first determining module determines that the service access request packet is an attack packet.
The discarding module is specifically configured to:
discard the service access request packet at the kernel layer by operating iptables.
The apparatus further includes:
a releasing module, configured to release the TCP connection corresponding to the service access request packet after the discarding module has discarded the service access request packet at the kernel layer by operating iptables.
The releasing module is specifically configured to:
change, by operating iptables, the packet type of the TCP packet corresponding to the TCP connection to a connection-reset (RST) packet, so as to release the TCP connection corresponding to the service access request packet.
The first determining module includes:
a collecting unit, configured to collect service access request logs;
a determining unit, configured to determine, according to feature information of the service access request logs collected by the collecting unit, whether the service access request packet is an attack packet.
The determining unit is further configured to:
determine, according to the feature information of the service access request logs and the domain name currently being accessed, whether the service access request packet is an attack packet.
The determining unit is specifically configured to:
determine the historical access frequency of the service access request packet according to the request times in the service access request logs;
determine the domain name currently accessed according to the service access request logs;
when the historical access frequency of the service access request packet is greater than a preset value and the currently accessed domain name is a preset domain name, determine that the service access request packet is an attack packet.
The apparatus further includes:
a second determining module, configured to determine the risk level of the service access request packet after the first determining module has determined that the service access request packet is an attack packet;
a triggering module, configured to trigger the discarding module to discard the service access request packet at the kernel layer when the second determining module determines that the risk level of the service access request packet is the first risk level;
a display module, configured to display a warning indication when the second determining module determines that the risk level of the service access request packet is the second risk level, the warning indication being used to indicate that a network attack is currently in progress, where the first risk level is higher than the second risk level.
A computer-readable storage medium provided by embodiments of the present invention stores a computer program which, when executed by a processor, implements the steps of the above method.
A computer device provided by embodiments of the present invention includes a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the steps of the above method are implemented.
It can thus be seen that, compared with traditional Layer 7 interception of attack packets at the load-balancing layer, embodiments of the present invention discard attack packets at the kernel layer, which requires no complete protocol parsing and therefore does not consume much CPU, effectively reducing CPU consumption.
The accompanying drawings are provided for a further understanding of the embodiments of the present invention and form part of this application; the illustrative embodiments and their description serve to explain the embodiments of the present invention and do not constitute an improper limitation of them. In the drawings:
FIG. 1 is a schematic flowchart of a method for defending against network attacks according to an embodiment of the present invention;
FIG. 2 is another schematic flowchart of a method for defending against network attacks according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a system implementing defense against network attacks according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of the Storm big data computing platform according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention;
FIG. 6 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention;
FIG. 7 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention;
FIG. 8 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
The embodiments of the present invention are further described below with reference to the drawings and specific implementations.
A method for defending against network attacks according to an embodiment of the present invention is described below by way of an embodiment. Referring to FIG. 1, which is a schematic flowchart of an embodiment of the method, the method includes:
Step 101: obtain a service access request packet.
Step 102: determine whether the service access request packet is an attack packet; if so, perform step 103.
Step 103: discard the service access request packet at the kernel layer.
This concludes the basic flow of the embodiment. In this embodiment, a service access request packet is obtained, it is determined whether the packet is an attack packet, and when it is determined to be an attack packet, it is discarded at the kernel layer. It can thus be seen that, compared with traditional interception of attack packets at the load-balancing layer, discarding attack packets at the kernel layer requires no complete protocol parsing and therefore does not consume much CPU, effectively reducing CPU consumption.
For ease of understanding, a detailed description of the embodiment follows. Referring to FIG. 2, which is a schematic flowchart of another embodiment of a method for defending against network attacks, the method includes:
Step 201: collect service access request logs.
Kafka (Apache Kafka) is a high-throughput distributed message queue that can record all activity-stream data of a website, for example users' page views, searches and other user behavior. It is a data-processing framework used specifically for handling massive volumes of service access request logs, user behavior data and website operation statistics. Collecting service access request logs with a Kafka queue has the following characteristics:
(1) message persistence through an O(1) disk data structure, maintaining stable storage performance over long periods even for terabyte-scale (TB) message volumes;
(2) high throughput: in practice, Kafka can collect millions of messages per second even on ordinary hardware;
(3) support for partitioning messages, that is, assigning messages to different topic partitions, and support for parallel data loading into Hadoop.
That is, where data mining, behavior analysis, operational monitoring and similar requirements coexist, a Kafka queue can satisfy various real-time online and offline processing needs as well as demands on low latency and batch throughput. In this embodiment, taking HTTP requests as an example, HTTP access request logs can be collected through a Kafka queue.
Step 202: obtain a service access request packet.
Step 203: determine, according to feature information in the service access request logs, whether the service access request packet is an attack packet; when the packet is determined to be an attack packet according to the feature information of the service access request logs, perform step 204.
A service access request log is a file that records information about the access process for service access requests within a certain period, for example the access time and the source IP address from which the service access request was issued. Taking the case where the service access request packet is an HTTP access request packet as an example, in this embodiment it is determined according to the feature information of the HTTP access request log whether the HTTP access request packet is an attack packet, where the feature information of the HTTP access request log includes, but is not limited to:
the HTTP request headers;
the HTTP response status code;
the HTTP response headers;
the HTTP response body;
the HTTP request time;
the HTTP request length.
It should be understood that from the HTTP access records kept in the HTTP access request log, the access behavior of the currently obtained HTTP access request packet over a certain period can be determined, for example its historical access frequency and total number of accesses within a preset period. The preset period may be set according to the actual application, for example one month, and is not limited here.
In some examples of the present invention, determining whether the service access request packet is an attack packet according to the feature information of the service access request logs specifically means:
determining the historical access frequency of the service access request packet according to the request times in the service access request logs;
and, when the historical access frequency of the service access request packet is greater than a preset value, determining that the service access request packet is an attack packet. The preset value may be set according to actual needs and is not limited here. It should be noted that this is only one way of determining whether the service access request packet is an attack packet; other determinations based on the feature information of the service access request logs are also possible and are not limited here.
It should be understood that in practice the load-balancing server is a control server: all users' service access requests first arrive at the load-balancing server, which then assigns each service access request to a specific back-end server according to the state of the back-end servers. The load-balancing server generally only performs load-balancing task assignment and is not the server that actually processes the service access request. Multiple domain names usually sit behind the same load-balancing server. Taking Sohu's load-balancing server as an example, one domain name behind it is http://www.sohu.com, Sohu's main site, and another is http://m.sohu.com, Sohu's mobile site. In order for the same packet to be treated differently for different domain names, that is, to allow the same packet to access only certain domain names, some embodiments of the present invention combine the feature information of the service access request logs with the currently accessed domain name to determine whether the service access request packet is an attack packet.
For example, the historical access frequency of the service access request packet is determined, and the domain name currently accessed is determined from the service access request logs; only when the historical access frequency is greater than the preset value and the currently accessed domain name is a preset domain name is the service access request packet determined to be an attack packet.
For example, when the historical access frequency of packets from a certain IP exceeds the preset value and that IP is flagged as attacking Sohu's mobile site (http://m.sohu.com), service access requests from that IP cannot pass the firewall, while its access to Sohu's main site (http://www.sohu.com) remains normal and unaffected. It can thus be seen that embodiments of the present invention can make the same IP packet behave differently toward the different domain names of the load-balancing server, that is, restrict the IP packet per domain name, for example only preventing this IP packet from accessing some of the domain names behind the same load balancer rather than blocking it completely. This increases the flexibility of the scheme and effectively reduces the cases in which the business behind some domain names cannot proceed normally.
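The frequency-plus-domain decision described above, as an added example that is not part of the patent: constructed HTTP access request log lines are parsed (lines with missing fields, unparsable times or a request time later than "now" are skipped, as a filter stage would), the historical access count per (source IP, domain name) inside a window is computed, and a source is flagged only when that count exceeds the preset value and the domain name is one of the preset domain names. The log format, the two-day window, the preset value, the example.com domain names and the sample addresses are all assumptions made for this illustration.

```python
"""Added example (not the patent's own code): frequency-plus-domain attack
decision over constructed HTTP access request log lines."""
import shlex
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Counter as CounterT, List, NamedTuple, Set, Tuple


class Access(NamedTuple):
    when: datetime
    src_ip: str
    host: str
    request: str
    status: int


# Constructed sample log. Assumed format per line:
# request time (ISO-8601, UTC), source IP, Host header, request line, status.
SAMPLE_LOG = """\
2017-01-10T08:00:00Z 203.0.113.5 m.example.com "GET /api/ticket HTTP/1.1" 200
2017-01-10T08:00:01Z 203.0.113.5 m.example.com "GET /api/ticket HTTP/1.1" 200
2017-01-10T08:00:02Z 203.0.113.5 m.example.com "GET /api/ticket HTTP/1.1" 200
2017-01-10T08:00:03Z 203.0.113.5 m.example.com "GET /api/ticket HTTP/1.1" 200
2017-01-10T08:00:04Z 203.0.113.5 www.example.com "GET / HTTP/1.1" 200
2017-01-10T08:00:05Z 198.51.100.7 m.example.com "GET /news HTTP/1.1" 200
2017-01-10T08:00:06Z 192.0.2.9 www.example.com "GET /a HTTP/1.1" 200
2017-01-10T08:00:07Z 192.0.2.9 www.example.com "GET /b HTTP/1.1" 200
2017-01-10T08:00:08Z 192.0.2.9 www.example.com "GET /c HTTP/1.1" 200
2017-01-10T08:00:09Z 192.0.2.9 www.example.com "GET /d HTTP/1.1" 200
2017-01-10T08:00:10Z 192.0.2.9 www.example.com "GET /e HTTP/1.1" 200
2099-01-01T00:00:00Z 203.0.113.5 m.example.com "GET /api/ticket HTTP/1.1" 200
this line is missing most of its fields
"""

NOW = datetime(2017, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed "current time"
WINDOW = timedelta(days=2)          # assumed window (the Storm example uses 2 days)
PRESET_VALUE = 3                    # assumed preset value: more than 3 accesses
PRESET_DOMAINS = {"m.example.com"}  # assumed preset domain names to protect


def parse_access_logs(text: str, now: datetime) -> List[Access]:
    """Parse log lines into Access records, dropping invalid ones: wrong field
    count, unbalanced quotes, bad time or status, or a time later than now."""
    records: List[Access] = []
    for line in text.splitlines():
        try:
            fields = shlex.split(line)
        except ValueError:          # unbalanced quotes
            continue
        if len(fields) != 5:
            continue
        t, ip, host, request, status = fields
        try:
            when = datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            code = int(status)
        except ValueError:
            continue
        if when > now:              # future-dated record: treat as invalid
            continue
        records.append(Access(when, ip, host, request, code))
    return records


def access_counts(records: List[Access], now: datetime,
                  window: timedelta) -> CounterT[Tuple[str, str]]:
    """Historical access count per (source IP, domain name) inside the window."""
    cutoff = now - window
    return Counter((r.src_ip, r.host) for r in records if r.when >= cutoff)


def attack_sources(records: List[Access], now: datetime, preset_value: int,
                   preset_domains: Set[str],
                   window: timedelta = WINDOW) -> Set[Tuple[str, str]]:
    """Flag (source IP, domain) pairs whose count exceeds the preset value AND
    whose domain is a preset domain; a busy source on another domain is not
    flagged, which is the per-domain behaviour the description asks for."""
    counts = access_counts(records, now, window)
    return {key for key, n in counts.items()
            if n > preset_value and key[1] in preset_domains}


def detect(text: str = SAMPLE_LOG, now: datetime = NOW) -> Set[Tuple[str, str]]:
    """Run the whole pipeline on the constructed sample."""
    return attack_sources(parse_access_logs(text, now), now, PRESET_VALUE, PRESET_DOMAINS)


if __name__ == "__main__":
    print(sorted(detect()))
```

Of the thirteen constructed lines, eleven are valid; only 203.0.113.5 on m.example.com is flagged (four accesses, more than the preset value of three, on a preset domain), while 192.0.2.9 with five accesses to www.example.com is not, because that domain is not in the preset set.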
Step 204: discard the service access request packet at the kernel layer by operating iptables (IP tables).
iptables is a packet-processing module inside the kernel of the Linux operating system. It provides network address translation as well as firewall functions, specifically modification of packet contents and packet filtering.
In this embodiment, after the service access request packet has been determined to be an attack packet, it is discarded at the kernel layer by operating iptables.
Optionally, in some embodiments of the present invention, after the service access request packet has been determined to be an attack packet, the method further includes:
determining the risk level of the service access request packet;
triggering the step of discarding the service access request packet at the kernel layer only when the risk level of the service access request packet is a first risk level;
when the risk level of the service access request packet is a second risk level, displaying a warning indication, the warning indication being used to indicate that a network attack is currently in progress, where the first risk level is higher than the second risk level.
That is, in this embodiment, the risk level of attack packets may be divided into a first risk level and a second risk level, where the risk level of an attack packet may be determined from certain access characteristics of the attack packet, for example its historical access frequency, the repetition of loops in its access paths, and so on, without limitation here. After the service access request packet has been determined to be an attack packet, its risk level is further determined, and the packet is handled differently according to that risk level.
For example, each attack packet is scored. The scoring criteria may include historical access frequency, variation in request times, repetition of loops in access paths, dispersion of access paths, variation in access status codes, and so on. These criteria are then combined into a single score in the range [0, 99], where 0 is harmless and 99 is the most dangerous. The user can set the risk ranges: for example, below 60 no action is taken; 60 to 80 is the second risk level, for which only the alarm system is notified to display an alarm indicating that a network attack is currently in progress; above 80 is the first risk level, for which actual interception is performed.
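The scoring and tiering just described, as an added example that is not the patent's own code: one source's recent requests are measured on four of the criteria the description lists (access frequency, regularity of request timing, repetition of the same path, and the share of error status codes), the normalized features are combined by weight into a score in [0, 99], and the score is mapped to the two risk levels. The weights, the 1 request/second rate cap, the choice of features and the three constructed request histories are assumptions; the 60 and 80 boundaries follow the description.

```python
"""Added example (not the patent's own code): combine several access criteria
into a [0, 99] score and map it to the two risk levels."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Request = Tuple[float, str, int]   # (unix time, request path, response status)

RATE_CAP = 1.0   # assumed: 1 request/second or more counts as maximal frequency
WEIGHTS = {"frequency": 0.35, "regularity": 0.25, "repetition": 0.25, "errors": 0.15}
WARN_AT, DROP_AT = 60, 80   # from the description: 60-80 alarm only, 80+ intercept


def features(requests: List[Request]) -> Dict[str, float]:
    """Normalize each criterion to [0, 1] for one source's request history."""
    times = sorted(t for t, _, _ in requests)
    n = len(times)
    if n == 0:
        return {k: 0.0 for k in WEIGHTS}
    elapsed = max(times[-1] - times[0], 1.0)          # avoid division by zero
    frequency = min((n / elapsed) / RATE_CAP, 1.0)    # historical access frequency
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) >= 2 and mean(gaps) > 0:
        # machine-like, evenly spaced requests have a low coefficient of variation
        regularity = max(0.0, 1.0 - pstdev(gaps) / mean(gaps))
    else:
        regularity = 0.0
    paths = [p for _, p, _ in requests]
    repetition = 1.0 - len(set(paths)) / n            # same path hit over and over
    errors = sum(1 for _, _, s in requests if s >= 400) / n
    return {"frequency": frequency, "regularity": regularity,
            "repetition": repetition, "errors": errors}


def score(requests: List[Request]) -> int:
    """Weighted combination of the features, scaled to the [0, 99] range."""
    f = features(requests)
    return int(round(99 * sum(WEIGHTS[k] * f[k] for k in WEIGHTS)))


def risk_level(s: int) -> str:
    """Map a score to the action tier: 'first' = intercept at the kernel layer,
    'second' = alarm only, 'none' = no action. Boundary placement (>= 80 is
    first, >= 60 is second) is an assumption where the description is vague."""
    if s >= DROP_AT:
        return "first"
    if s >= WARN_AT:
        return "second"
    return "none"


# Constructed request histories for three sources.
BOT: List[Request] = [(float(i), "/api/ticket", 200) for i in range(50)]   # 1/s, one path
HUMAN: List[Request] = [(0.0, "/", 200), (7.0, "/news", 200), (19.0, "/news/1", 200),
                        (45.0, "/search", 200), (120.0, "/about", 200)]
SUSPECT: List[Request] = [(float(t), "/login", 403) for t in
                          (0, 1, 3, 4, 8, 9, 11, 12, 16, 17, 19, 20, 24, 25, 27, 28, 32, 33, 35, 36)]


if __name__ == "__main__":
    for name, reqs in (("bot", BOT), ("human", HUMAN), ("suspect", SUSPECT)):
        s = score(reqs)
        print(f"{name}: score={s} level={risk_level(s)}")
```

With these inputs the evenly paced single-path bot scores above 80 and is intercepted, the sporadic browsing session scores in single digits, and the source hammering a login path with uneven timing and nothing but 403 responses lands in the 60 to 80 band, which raises an alarm without installing a kernel-layer rule.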
Step 205: release the TCP connection corresponding to the service access request packet.
In this embodiment, after the service access request packet has been discarded at the kernel layer by operating iptables, the TCP connection corresponding to the service access request packet is released. It should be understood that for an HTTP request a TCP connection is established first, and the HTTP-layer session begins only once the TCP connection has been established. When the HTTP access request packet corresponding to an HTTP request is determined to match an attack packet, the HTTP access request packet is discarded and the TCP connection corresponding to it is released, which can effectively reduce the number of TCP connections held on the server side.
Preferably, in this embodiment, the TCP connection corresponding to the service access request packet is released specifically as follows:
by operating iptables, the packet type of the TCP packet corresponding to the TCP connection is changed to a connection-reset (RST) packet, thereby releasing the TCP connection corresponding to the service access request packet.
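Steps 204 and 205 expressed as iptables rules, as an added example that is not the patent's own code: a small rule builder produces the argument vector for a kernel-layer DROP rule for a flagged source IP and TCP port, optionally narrowed to one domain by matching the HTTP Host header with the iptables `string` module, and a variant that answers the peer with a TCP RST via `REJECT --reject-with tcp-reset`, which is how the "change the packet to an RST to release the connection" step maps onto iptables. The INPUT chain, port 80, the `cc-defense` comment tag, the `kmp` string algorithm and the example addresses are assumptions; the rules are only built and printed unless `dry_run=False` is passed.

```python
"""Added example (not the patent's own code): build iptables rules for a
source that has been classified as an attack source."""
import ipaddress
import shlex
import subprocess
from typing import List, Optional

CHAIN = "INPUT"      # assumed: rules live in the filter table INPUT chain
TAG = "cc-defense"   # assumed comment tag so our rules can be listed and removed


def _match_args(ip: str, port: int, host: Optional[str]) -> List[str]:
    """Match part shared by all rules: source IP, TCP destination port and,
    optionally, a Host header substring so only one domain behind the
    balancer is affected (the per-domain restriction in the description)."""
    ipaddress.ip_address(ip)                 # raises ValueError on a bad address
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    args = ["-s", ip, "-p", "tcp", "--dport", str(port)]
    if host is not None:
        if not host or any(c.isspace() or c in '"\'' for c in host):
            raise ValueError("host must be a bare domain name")
        # xt_string scans the packet payload; 'kmp' is one of its search algorithms
        args += ["-m", "string", "--algo", "kmp", "--string", f"Host: {host}"]
    args += ["-m", "comment", "--comment", TAG]
    return args


def block_rule(ip: str, port: int = 80, host: Optional[str] = None,
               reset: bool = False) -> List[str]:
    """argv inserting the rule at position 1 of the chain. reset=False drops
    silently (step 204); reset=True replies with a TCP RST so the peer's
    connection is torn down (the RST release of step 205)."""
    target = (["-j", "REJECT", "--reject-with", "tcp-reset"] if reset
              else ["-j", "DROP"])
    return ["iptables", "-I", CHAIN, "1"] + _match_args(ip, port, host) + target


def check_rule(ip: str, port: int = 80, host: Optional[str] = None,
               reset: bool = False) -> List[str]:
    """argv for `iptables -C`, which exits 0 only if an identical rule exists;
    run it before block_rule to avoid stacking duplicate rules."""
    rule = block_rule(ip, port, host, reset)
    return ["iptables", "-C", CHAIN] + rule[4:]


def delete_rule(ip: str, port: int = 80, host: Optional[str] = None,
                reset: bool = False) -> List[str]:
    """argv for `iptables -D` with the same rule specification."""
    rule = block_rule(ip, port, host, reset)
    return ["iptables", "-D", CHAIN] + rule[4:]


def run(argv: List[str], dry_run: bool = True) -> str:
    """Print (dry run) or execute the command; returns the shell-quoted line."""
    line = shlex.join(argv)
    if not dry_run:
        subprocess.run(argv, check=True)
    return line


if __name__ == "__main__":
    # Constructed flagged source from the detection stage.
    print(run(block_rule("203.0.113.5", 80, host="m.example.com")))
    print(run(block_rule("203.0.113.5", 80, reset=True)))
    print(run(delete_rule("203.0.113.5", 80, host="m.example.com")))
```

Two caveats a practitioner should keep in mind: the Host header match only works on plaintext HTTP, so for TLS traffic the per-domain restriction has to be applied where TLS is terminated (or by giving each domain its own listener address), and a `REJECT --reject-with tcp-reset` rule must sit above any plain DROP rule for the same source, otherwise the DROP matches first and no RST is ever sent.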
For ease of understanding, taking HTTP access requests as an example, an application instance that implements the above method on the Storm big data computing platform is described below:
As shown in FIG. 3, which is a schematic structural diagram of a system implementing the method for defending against network attacks according to an embodiment of the present invention, the interceptor's main role is to intercept attack packets at the kernel layer. It uses iptables to intercept in the kernel: the interceptor sets matching rules in the kernel by operating iptables, and when a packet matches a rule the interception action is triggered.
FIG. 4 is a schematic structural diagram of the Storm big data computing platform, which includes a log input module (loginput), a filter module (filter), an IP module (IP), a configuration module (Conf) and an alert module (alert). The log input module obtains HTTP access request logs from the Kafka queue and passes them to the filter module. The filter module filters the HTTP access request logs and discards invalid ones, for example logs with erroneous or missing data, such as logs whose recorded date is later than the current time or logs missing data such as the HTTP request headers. In this embodiment, which logs count as invalid HTTP access request logs can be configured according to the actual application and is not limited here.
The filter module then extracts feature information from the valid HTTP access request logs, for example the request time, and after extraction sends the feature information to the IP module. Matching rules are configured in the configuration file of the Storm platform; the configuration module parses the matching rules from that configuration file and applies them in the IP module. Using the feature information provided by the filter module, the IP module classifies each received HTTP access request packet according to the behavior it produced over a certain period, for example querying the historical access frequency of the HTTP access request packet through the feature information and determining the domain name accessed by the packet using the KMP algorithm. Once the behavior of an HTTP access request packet matches a rule, for example its number of accesses in the last two days exceeds the set number and the domain name it accesses is a preset domain name, the packet is determined to be an attack packet and is passed to the alert module. The alert module performs different actions according to the risk level of the HTTP access request packet: when the risk level of the service access request packet is the first risk level, the step of discarding the service access request packet at the kernel layer is triggered; when the risk level is the second risk level, a warning indication is displayed to indicate that a network attack is currently in progress, where the first risk level is higher than the second risk level.
As can be seen from the above technical solution, embodiments of the present invention provide a method and an apparatus for defending against network attacks: a service access request packet is obtained, it is determined whether the packet is an attack packet, and when it is determined to be an attack packet it is discarded at the kernel layer. It can thus be seen that, compared with traditional Layer 7 interception of attack packets at the load-balancing layer, embodiments of the present invention discard attack packets at the kernel layer, which requires no complete protocol parsing and therefore does not consume much CPU, effectively reducing the CPU resources consumed.
上面对本发明实施例一种防御网络攻击的方法进行了描述,基于该方法,对应的,本发明实施例提出了一种防御网络攻击的装置,下面对本发明实施例提出的一种防御网络攻击的装置进行描述。The method for defending against network attacks is described in the foregoing embodiment of the present invention. Based on the method, the embodiment of the present invention provides a device for defending against network attacks, and the following provides a defense against network attacks according to an embodiment of the present invention. The device is described.
请参阅图5,图5为本发明实施例一种防御网络攻击的装置一个实施例结构示意图,该装置包括获取模块501、第一确定模块502、丢弃模块503,下面对各个模块之间的功能进行描述:Referring to FIG. 5, FIG. 5 is a schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention. The apparatus includes an obtaining
其中,获取模块501,用于获取业务访问请求报文;The obtaining
第一确定模块502,用于确定获取模块501获取的业务访问请求报文是否为 攻击报文;The first determining
丢弃模块503,用于若第一确定模块502确定业务访问请求报文为攻击报文,则在内核层丢弃业务访问请求报文。The discarding
在一种可能的实现中,丢弃模块503具体用于:In a possible implementation, the discarding
通过操作Iptables在内核层丢弃业务访问请求报文。The service access request message is discarded at the kernel layer by operating Iptables.
结合图5,请参阅图6,在一种可能的实现中,此装置还包括:Referring to FIG. 5, referring to FIG. 6, in a possible implementation, the apparatus further includes:
释放模块504,用于通过操作Iptables在内核层丢弃业务访问请求报文之后,释放业务访问请求报文所对应的TCP连接。The
在一种可能的实现中,释放模块504具体用于:In one possible implementation, the
通过操作Iptables将TCP连接所对应的TCP包的包类型改为连接重置RST包,以释放业务访问请求报文所对应的TCP连接。The Iptables is used to change the packet type of the TCP packet corresponding to the TCP connection to the connection reset RST packet to release the TCP connection corresponding to the service access request message.
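The following is an added example, not code from the patent, of how the discarding module 503 and the release module 504 above can be realized on a Linux host with iptables. The function names, the placement of the rules at the head of the INPUT chain, the use of the conntrack match and the address validation step are assumptions of this example; the page only says that Iptables is operated. It also corrects a detail the page glosses over: iptables does not rewrite the attacker's packet into an RST, the REJECT target answers the packet with a freshly generated TCP RST.

```python
import ipaddress
import shlex
import subprocess
from typing import Callable, List

Argv = List[str]


def _checked_ip(src: str):
    """Parse the log-derived address before it goes anywhere near a command line.
    ipaddress.ip_address rejects anything that is not a bare address, so a
    string such as "1.2.3.4 -j ACCEPT" smuggled into a log cannot become an
    iptables option (assumed validation step, not from the page)."""
    return ipaddress.ip_address(src.strip())


def kernel_drop_rules(src: str, dport: int = 80) -> List[Argv]:
    """Build the two iptables commands that block an attacking source at the
    kernel layer. Returned as argv lists and not executed, so they can be
    logged, reviewed or dry-run first."""
    ip = _checked_ip(src)
    tool = "ip6tables" if ip.version == 6 else "iptables"
    match = ["-s", str(ip), "-p", "tcp", "--dport", str(dport)]
    # Rule 1 (release step): packets belonging to connections that are already
    # established are answered with a TCP RST generated by the REJECT target, so
    # the attacking client sees its connection reset instead of hanging.
    reset_established = [tool, "-I", "INPUT", "1", *match,
                         "-m", "conntrack", "--ctstate", "ESTABLISHED",
                         "-j", "REJECT", "--reject-with", "tcp-reset"]
    # Rule 2 (discard step): everything else from that source, new SYNs included,
    # is silently dropped in the kernel before any user-space HTTP parsing runs.
    drop_rest = [tool, "-I", "INPUT", "2", *match, "-j", "DROP"]
    return [reset_established, drop_rest]


def kernel_unblock_rules(src: str, dport: int = 80) -> List[Argv]:
    """Mirror image of kernel_drop_rules: delete the same rule specifications
    once the source is no longer considered dangerous."""
    return [[rule[0], "-D", "INPUT", *rule[4:]] for rule in kernel_drop_rules(src, dport)]


def apply_rules(rules: List[Argv], run: Callable[..., object] = subprocess.run,
                dry_run: bool = False) -> List[str]:
    """Execute the rules (needs CAP_NET_ADMIN) or, with dry_run, only render them.
    Always returns the shell-quoted command lines for an audit trail."""
    rendered = [shlex.join(rule) for rule in rules]
    if not dry_run:
        for rule in rules:
            run(rule, check=True)
    return rendered


if __name__ == "__main__":
    # Constructed attacker address (TEST-NET-3), rendered without touching the firewall.
    for line in apply_rules(kernel_drop_rules("203.0.113.7"), dry_run=True):
        print(line)
```

Two caveats for anyone deploying this. First, REJECT resets the peer's view of the connection but does not close the local server socket; that socket is released when the server times the idle connection out, or it can be destroyed explicitly with `ss -K dst 203.0.113.7` on kernels built with CONFIG_INET_DIAG_DESTROY. Second, the source address must be the TCP peer of the node where the rule is installed: if the HTTP service sits behind a reverse proxy or load balancer, the logged client address is the proxy's, and a source-based kernel rule there would cut off the proxy for every client.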
With reference to FIG. 6, and referring to FIG. 7, in a possible implementation the first determining module 502 includes:
a collecting unit 5021, configured to collect service access request logs;
a determining unit 5022, configured to determine, according to feature information of the service access request logs collected by the collecting unit 5021, whether the service access request packet is an attack packet.
In a possible implementation, the determining unit 5022 is further configured to:
determine whether the service access request packet is an attack packet according to the feature information of the service access request logs and the currently accessed domain name.
In a possible implementation, the determining unit 5022 is specifically configured to:
determine, according to the request times in the service access request logs, the historical access frequency of the service access request packet and the accessed domain name;
when the historical access frequency of the service access request packet is greater than a preset value and the accessed domain name is a preset domain name, determine that the service access request packet is an attack packet.
In a possible implementation, the determining unit 5022 is specifically configured to:
determine the historical access frequency of the service access request packet according to the request times in the service access request logs;
determine the domain name currently accessed by the service access request log;
when the historical access frequency of the service access request packet is greater than the preset value and the currently accessed domain name is the preset domain name, determine that the service access request packet is an attack packet.
With reference to FIG. 7, and referring to FIG. 8, in a possible implementation the apparatus further includes:
a second determining module 505, configured to determine the danger level of the service access request packet after the first determining module 502 has determined that the service access request packet is an attack packet;
a triggering module 506, configured to trigger the step in which the discarding module discards the service access request packet at the kernel layer when the second determining module 505 determines that the danger level of the service access request packet is the first danger level;
a display module 507, configured to display a warning indication when the second determining module 505 determines that the danger level of the service access request packet is the second danger level, the warning indication indicating that a network attack is currently present, where the first danger level is higher than the second danger level.
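As an added example that is not the patent's own code, the following covers the collecting unit 5021, the determining unit 5022 and the danger-level modules 505 to 507 together: it replays access-log lines in request-time order, derives each source's historical access frequency from the logged request times, applies the frequency-plus-preset-domain rule, and assigns a danger level that maps to the two actions (kernel-layer drop or warning). The log layout, the 60 second sliding window, the threshold and the tiering factor are all assumptions of this example; the page does not say how a danger level is computed.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, NamedTuple, Set, Tuple


class Request(NamedTuple):
    ts: float   # epoch seconds derived from the log's request time
    src: str    # TCP peer address as logged by the server
    host: str   # domain name the request was addressed to
    path: str


class Verdict(NamedTuple):
    src: str
    freq: int   # peak historical access frequency that produced the verdict
    level: int  # 1 = first (higher) danger level, 2 = second danger level


# Assumed log layout, constructed for this example and not the page's format:
#   <ISO-8601 request time> <source IP> <host> <method> <path> <status>
def parse_line(line: str) -> Request:
    ts, src, host, _method, path, _status = line.split()
    return Request(datetime.fromisoformat(ts).timestamp(), src, host, path)


def detect(lines: Iterable[str], preset_domains: Set[str], preset_count: int,
           window: float = 60.0, severe_factor: int = 3) -> Dict[str, Verdict]:
    """Replay the log in request-time order. For each request, the historical
    access frequency of its source is the number of that source's requests in
    the `window` seconds ending at the request. The source is judged attacking
    when that frequency exceeds `preset_count` AND the currently accessed domain
    is a preset (protected) domain. Tiering is an assumption of this example:
    level 1 when the frequency also exceeds preset_count * severe_factor, else
    level 2. The highest frequency seen per source wins."""
    requests = sorted((parse_line(line) for line in lines), key=lambda r: r.ts)
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    verdicts: Dict[str, Verdict] = {}
    for r in requests:
        q = recent[r.src]
        q.append(r.ts)
        while r.ts - q[0] > window:      # slide the window forward
            q.popleft()
        freq = len(q)
        if freq > preset_count and r.host in preset_domains:
            level = 1 if freq > preset_count * severe_factor else 2
            prev = verdicts.get(r.src)
            if prev is None or freq > prev.freq:
                verdicts[r.src] = Verdict(r.src, freq, level)
    return verdicts


def plan_actions(verdicts: Dict[str, Verdict]) -> List[Tuple[str, str]]:
    """Map the danger levels to the page's two actions: level 1 triggers the
    kernel-layer drop, level 2 only raises a warning indication."""
    return sorted(("drop" if v.level == 1 else "warn", v.src) for v in verdicts.values())


def _burst(ip: str, host: str, n: int, first_second: int) -> List[str]:
    return [f"2017-01-10T08:00:{first_second + i:02d}+08:00 {ip} {host} GET /login 200"
            for i in range(n)]


# Constructed sample log: one flood, one borderline client, one benign client,
# and one fast client hitting a domain that is not protected.
SAMPLE_LOG = (
    _burst("203.0.113.7", "www.example.com", 12, 0)
    + _burst("192.0.2.50", "www.example.com", 4, 20)
    + _burst("198.51.100.2", "www.example.com", 3, 30)
    + _burst("192.0.2.9", "static.example.net", 8, 40)
)
PRESET_DOMAINS = {"www.example.com"}
PRESET_COUNT = 3  # more than 3 requests inside one window counts as an attack

if __name__ == "__main__":
    verdicts = detect(SAMPLE_LOG, PRESET_DOMAINS, PRESET_COUNT)
    for action, src in plan_actions(verdicts):
        print(action, src, verdicts[src].freq, verdicts[src].level)
```

The frequency is computed per logged source address, so the same deployment caveat applies as for the kernel rule: behind a proxy that address is the proxy's, and the per-source count would aggregate every real client. A deployment that uses a forwarded-address header instead must treat that header as attacker-controlled and only trust it from the proxy's own address.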
As can be seen from the above technical solution, the embodiments of the present invention provide a method and an apparatus for defending against network attacks: a service access request packet is obtained; it is determined whether the service access request packet is an attack packet; and when the service access request packet is determined to be an attack packet, it is discarded at the kernel layer. In the embodiments, the attack packet is therefore discarded at the kernel layer without complete protocol parsing, so large amounts of CPU resources need not be consumed, and the CPU resources consumed can be effectively reduced.
Those of ordinary skill in the art should understand that the technical solutions of the present invention may be modified or replaced with equivalents without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications fall within the scope of the claims.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components cooperating. Some or all of the components may be implemented as software executed by a processor such as a digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (non-transitory media) and communication media (transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, it is well known to those of ordinary skill in the art that communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
In the embodiments of the present invention, attack packets are discarded at the kernel layer, so complete protocol parsing is not required; that is, large amounts of CPU resources need not be consumed, and the CPU resources consumed can be effectively reduced.
Claims (18)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710018349.1A CN107707513B (en) | 2017-01-10 | 2017-01-10 | A kind of method and device of defending against network attacks |
| CN201710018349.1 | 2017-01-10 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018130137A1 true WO2018130137A1 (en) | 2018-07-19 |
Family
ID=61169428
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2018/071892 Ceased WO2018130137A1 (en) | 2017-01-10 | 2018-01-09 | Method and apparatus for defending against network attacks, medium and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN107707513B (en) |
| WO (1) | WO2018130137A1 (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111866003A (en) * | 2020-07-27 | 2020-10-30 | 中国联合网络通信集团有限公司 | A terminal risk assessment method and device |
| CN112134838A (en) * | 2020-08-12 | 2020-12-25 | 新华三技术有限公司合肥分公司 | Method and device for preventing network attack |
| CN114205116A (en) * | 2021-11-16 | 2022-03-18 | 广西中科曙光云计算有限公司 | Zero-trust borderless security access system |
| CN115314297A (en) * | 2022-08-09 | 2022-11-08 | 深圳星云智联科技有限公司 | A DOSS attack defense method, device, equipment, and storage medium |
| CN115361179A (en) * | 2022-08-04 | 2022-11-18 | 四川启睿克科技有限公司 | A CC attack protection method based on custom interception identification |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114520766B (en) * | 2022-04-21 | 2022-08-30 | 博为科技有限公司 | Networking control method of router and related equipment |
| CN115801401A (en) * | 2022-11-15 | 2023-03-14 | 北京天融信网络安全技术有限公司 | Method and device for monitoring user access request, electronic equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101572701A (en) * | 2009-02-10 | 2009-11-04 | 中科正阳信息安全技术有限公司 | Security gateway system for resisting DDoS attack for DNS service |
| CN101958883A (en) * | 2010-03-26 | 2011-01-26 | 湘潭大学 | A Method of Defense against SYN Flood Attack Based on Bloom Filter and Open Source Kernel |
| CN102833335A (en) * | 2012-08-29 | 2012-12-19 | 北京星网锐捷网络技术有限公司 | Method, device and client side for controlling agency internet service |
| US20130212679A1 (en) * | 2007-05-25 | 2013-08-15 | New Jersey Institute Of Technology | PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS |
| CN106209852A (en) * | 2016-07-13 | 2016-12-07 | 成都知道创宇信息技术有限公司 | A kind of DNS refusal service attack defending method based on DPDK |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102457489B (en) * | 2010-10-26 | 2015-11-25 | 中国民航大学 | Low-rate DoS (LDoS) attack, detection and defense module |
| CN104468624B (en) * | 2014-12-22 | 2018-01-02 | 上海斐讯数据通信技术有限公司 | SDN controllers, routing/exchanging equipment and network defense method |
| CN105991628A (en) * | 2015-03-24 | 2016-10-05 | 杭州迪普科技有限公司 | Network attack identification method and network attack identification device |
| CN104954188B (en) * | 2015-06-30 | 2018-05-01 | 北京奇安信科技有限公司 | Web log file safety analytical method based on cloud, device and system |
Application events
- 2017-01-10: CN application CN201710018349.1A, granted as CN107707513B; status: not active (Expired - Fee Related)
- 2018-01-09: PCT application PCT/CN2018/071892, published as WO2018130137A1; status: not active (Ceased)
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111866003A (en) * | 2020-07-27 | 2020-10-30 | 中国联合网络通信集团有限公司 | A terminal risk assessment method and device |
| CN111866003B (en) * | 2020-07-27 | 2022-04-08 | 中国联合网络通信集团有限公司 | A terminal risk assessment method and device |
| CN112134838A (en) * | 2020-08-12 | 2020-12-25 | 新华三技术有限公司合肥分公司 | Method and device for preventing network attack |
| CN112134838B (en) * | 2020-08-12 | 2022-05-27 | 新华三技术有限公司合肥分公司 | Method and device for preventing network attack |
| CN114205116A (en) * | 2021-11-16 | 2022-03-18 | 广西中科曙光云计算有限公司 | Zero-trust borderless security access system |
| CN114205116B (en) * | 2021-11-16 | 2023-12-19 | 广西中科曙光云计算有限公司 | A zero-trust borderless secure access system |
| CN115361179A (en) * | 2022-08-04 | 2022-11-18 | 四川启睿克科技有限公司 | A CC attack protection method based on custom interception identification |
| CN115314297A (en) * | 2022-08-09 | 2022-11-08 | 深圳星云智联科技有限公司 | A DOSS attack defense method, device, equipment, and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107707513A (en) | 2018-02-16 |
| CN107707513B (en) | 2019-05-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2018130137A1 (en) | Method and apparatus for defending against network attacks, medium and device | |
| CN109829310B (en) | Similar attack defense method and device, system, storage medium, electronic device | |
| US10608992B2 (en) | Hybrid hardware-software distributed threat analysis | |
| EP2289221B1 (en) | Network intrusion protection | |
| US9071576B1 (en) | Application rate limiting without overhead | |
| CN117321966A (en) | Method and system for efficient threat context-aware packet filtering for network protection | |
| CN109194680B (en) | Network attack identification method, device and equipment | |
| WO2018095192A1 (en) | Method and system for website attack detection and prevention | |
| US20180167361A1 (en) | Network Attack Prevention Method, Apparatus and System | |
| US20110083179A1 (en) | System and method for mitigating a denial of service attack using cloud computing | |
| US10298613B2 (en) | Mitigation of distributed denial-of-service attacks | |
| JP2019021294A (en) | SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS | |
| CN110166480B (en) | Data packet analysis method and device | |
| CN108809749B (en) | Performing upper layer inspection of a stream based on a sampling rate | |
| CN103428224A (en) | Method and device for intelligently defending DDoS attacks | |
| CN110875907A (en) | Access request control method and device | |
| JP6548823B2 (en) | Real-time validation of JSON data applying tree graph properties | |
| CN111565203B (en) | Method, device and system for protecting service request and computer equipment | |
| Arafat et al. | A practical approach and mitigation techniques on application layer DDoS attack in web server | |
| CN112434304A (en) | Method, server and computer readable storage medium for defending network attack | |
| CN111131309A (en) | Distributed denial of service detection method and device and model creation method and device | |
| CN118316656A (en) | Data packet processing method, device, electronic device and storage medium | |
| CN112202821B (en) | Identification defense system and method for CC attack | |
| US20230056625A1 (en) | Computing device and method of detecting compromised network devices | |
| Aldaoud et al. | Detecting and mitigating DHCP attacks in OpenFlow-based SDN networks: a comprehensive approach |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18738485; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 18738485; Country of ref document: EP; Kind code of ref document: A1 |