Network attack detection method and device thereof

Abstract

The application discloses a network attack detection method and a device thereof. The network attack detection method of the embodiment of the application comprises the steps that access request information of an access website server is acquired; statistics is performed on the access request information within a preset time period; and related access information of an IP address is calculated according to the access request information within the preset time period, and if the related access information corresponding to the IP address is less than a preset value, the IP address is an attack IP address through judgment. Over intervention of operation and maintenance personnel is not needed, and the method is completely decoupled from services so that accurate detection of HTTP-Flood attack is realized.

Description

technical field [0001] The present application relates to the technical field of network security, in particular to a network attack detection method and device thereof. Background technique [0002] The basic attributes of network security are mainly confidentiality, integrity, legality and availability, and attackers use all possible methods and means to destroy these attributes. The purpose of Distributed Denial of Service (DDoS for short) is to destroy the availability of the network. In the Internet business, Web services have already occupied a considerable proportion, and more and more people obtain and publish information through the services provided by the Web, so Web security is also a research hotspot in today's network security. Hypertext Transfer Protocol (HTTP for short), as a key protocol of web applications, is often used by hackers to implement DDoS attacks, and it is very difficult to detect and defend against. [0003] The main target of HTTP-Flood atta...

AI Technical Summary

Problems solved by technology

[0006] 2. It is difficult to detect, because HTTP is a standard open protocol, the protocol format is simple, and it is easy to forge. The HTTP request initiated during the attack can be forged to be exactly the same as the request of a normal user, and the Web Server cannot distinguish

[0007] 3. It is very harmful to the website. Once the website is attacked by HTTP-Flood, it will affect the user experience (the website access speed will be slowed down) if it is small, and it may cause the website to be paralyzed and unable to provide external services. For hosting websites charged by traffic, it may need to pay high fees

[0010] 1. It is highly coupled with the business, and needs to specify a specific URL or cookie for statistics. For websites with a relatively large business volume (number of URLs), it is not easy to deploy and maintain

[0011] 2. It is difficult to set the threshold of access frequency. Different URLs carry different services, have different visits, and cause different pressures on the website server. Therefore, it is difficult to set the access threshold of different URLs uniformly, and under normal circumstances It is difficult to have a clear threshold to set the access frequency and the access frequency when the attack occurs

[0012] 3. Simple IP address access frequency statistics, for NAT (Network Address Translation, Network Address Translation) users sharing IP outlets and independent IP address users, it is easy to cause NAT users to be killed by mistake

[0013] 4. It is impossible to detect distributed HTTP-Flood attacks, because the access frequency of a single attacking IP address (broiler) is not high, which cannot reach the attack frequency threshold, but hundreds of thousands of IP addresses (broilers) initiate requests at the same time. will result in a denial of service for the site

Images