Method for preventing HttpFlood attack and firewall

Abstract

The invention provides a method for preventing an HttpFlood attack. The method includes the steps that a firewall generates and maintains a challenge list; the firewall establishes TCP connection with a user and judges whether a source IP address of a get message received from the user exist in the challenge list; if the source IP address of the get message received by the firewall does not exist in the challenge list, the firewall intercepts the get message and establishes a JavaScript redirection page according to the get message and adds the source IP address of the get message, the address of a get request page and the generated address of the generated JavaScript redirection page into the challenge list; when the firewall detects that an entry in the challenge list does not have a redirection access in a preset duration, the firewall adds the source IP address of the entry into a blacklist so as to prevent the subsequent traffic of the source IP address. The invention further provides the firewall for preventing the HttpFlood attack. Through the method, the firewall will not make a misjudgment, so the judgment accuracy rate is high.

Description

technical field [0001] The invention relates to the technical field of security defense, in particular to a method for defending against HttpFlood attacks and a firewall, in particular to a method for defending against HttpFlood attacks and a firewall. Background technique [0002] HttpFlood is an attack launched against the seventh layer (application layer) protocol of WEB services. It is extremely harmful, mainly manifested in the convenience of launching, the difficulty of filtering, and the far-reaching impact. HttpFlood attackers search for anonymous HTTP proxies or SOCKS proxies on the Internet through port scanners, and attackers initiate HTTP requests to attack targets through anonymous proxies. HttpFlood can imitate normal users' web page request behavior, and is closely related to the website business. It not only directly leads to the slow response of the attacked WEB front-end, but also indirectly attacks the business layer logic such as JAVA at the back-end and ...

AI Technical Summary

Problems solved by technology

HttpFlood can imitate normal users' web page request behavior, and is closely related to the website business. It not only directly leads to the slow response of the attacked WEB front-end, but also indirectly attacks the business layer logic such as JAVA at the back-end and the database service at the back-end, resulting in an increase in the size of the database server. The pressure even affects the log storage server

[0003] The methods currently used to defend against HttpFlood mainly include: threshold statistics on the number of global packets and threshold statistics on the number of source IP packets, but both methods have certain limitations

According to the threshold statistics method for the number of source IP packets, when the attacker deliberately forges a certain source IP address to attack, it will cause the firewall to misidentify, thus blocking the normal access of users with this source IP address

However, the threshold statistics for the global number of packets will lead to a large number of false interceptions.

Images