Method for realizing Portal authentication server attack prevention and broadband access server

Abstract

The invention discloses a method for realizing Portal authentication server attack prevention. The method comprises the following steps of: acquiring, by a broadband access server BAS, an HTTP request message which does not pass Portal authentication from a client; establishing TCP (Transmission Control Protocol) connection; transmitting an inquiry authentication request message to the client; after receiving, by the BAS, an inquiry authentication response message returned by a browser of the client, analyzing the inquiry authentication response message and performing identity authentication on the inquiry authentication response message; and when the authentication is successful, transmitting to the browser of the client a redirect message comprising Portal server URL (Uniform Resource Locator). The invention also discloses the broadband access server BAS. According to the method and the broadband access server, before redirect message transmission, inquiry authentication is introduced to the obtained Http request by the BAS, the traffic flow produced by a non-browser application program of a client can be shielded, and the Portal server is prevented from being attacked; and meanwhile, after the inquiry authentication is introduced, the client actually needs to pass secondary authentication, and the safety of an accessed user is more strictly guaranteed.

Description

technical field [0001] The application relates to the technical field of server anti-attack, in particular to a method for realizing Portal authentication server anti-attack and a broadband access server. Background technique [0002] Currently, the Web-based Portal access authentication solution is widely used in campus networks and carrier broadband access because it does not involve clients and is easy to deploy. Typical networking for Portal access authentication based on Web figure 1 As shown, the basic principle is: when the Portal authentication is not passed, the Http request of the user to access the external network will be redirected by the BAS device, and the authentication page will be pushed to the user through the Portal server. After the user enters the correct account and password information, continue Subsequent authentication and billing process, after the authentication is passed, the user can normally access external network resources. [0003] like f...

AI Technical Summary

Problems solved by technology

For the BAS device, it is impossible to distinguish whether the Http request it receives is an Internet access request from the user browser or business traffic from a non-browser application program. As long as it is an Http request message, it will be redirected, that is, the The sender of the message responds with a redirection message, telling the sender to access the Portal server, which will cause a large number of Http messages from non-browser applications to be sent to the Portal authentication server, which seriously affects the performance of the Portal Server and causes a de facto attack

[0005] like figure 2 As shown, a large number of Http requests are sent to the Portal authentication server after being redirected by the BAS, and the Portal Server will respond one by one; for the Http requests sent by non-browser applications, the Portal Server will also respond one by one. The program does not have the browser's ability to parse pages and provide user identity information in an interactive manner. It cannot respond after receiving the response message from the Portal Server. These response messages are eventually discarded by the client's non-browser application. Wasted Portal authentication server resources

[0006] Since the BAS device cannot effectively distinguish between the Internet access request from the client browser and the business traffic generated by the non-browser application, the Portal server is finally attacked.

Images