http flow defense method and system for resisting DDoS attack

A defense system and traffic-handling technology, applied to transmission systems, electrical components, etc. It addresses the inability to distinguish normal client traffic from illegal attacker traffic, as well as incompleteness and the many restrictions of earlier approaches, so as to improve recognition and performance processing capabilities, with strong generality.

Active Publication Date: 2020-11-27
CHENGDU DBAPP SECURITY

AI Technical Summary

Problems solved by technology

[0013] The present invention addresses the aforementioned problems of the prior art (it is outdated and incomplete, has many restrictions, and produces many missed detections and false reports) and proposes an HTTP traffic defense method and system against DDoS attacks. A dynamic watermark generation module built into the mobile client generates a dynamic watermark when an HTTP request is initiated to the server, and the correctness and integrity of the watermark in the HTTP protocol header are quickly checked when the message passes through the DDoS defe...


Examples


Embodiment 1

[0044] This embodiment proposes an HTTP traffic defense method against DDoS attacks, based on the HTTP traffic defense system against DDoS attacks. As shown in Figures 1 and 3, the dynamic watermark generation module first configures a watermark in the header of the HTTP access request sent by the user content module, and the HTTP access request is then sent normally; the dynamic watermark inspection module checks and analyzes the watermark field in the header of the HTTP access request; finally, the IP corresponding to the HTTP access request is managed according to the result of the analysis;

[0045] Before watermark configuration, the watermark configuration parameter request module requests watermark configuration parameters from the dynamic watermark configuration module through an encrypted channel, and then the dynamic watermark configuration module sends the watermark configuration parameters to the watermark configuration param...

Embodiment 2

[0048] In this embodiment, on the basis of the above-mentioned embodiment 1, in order to better realize the present invention, further, the watermark hash content is configured in the user-agent field of the header of the http access request.

[0049] Working principle: The design is a generation and verification mechanism for watermark information added to the HTTP header. It includes but is not limited to the user-agent field; other common or custom HTTP header fields can be protected with a similar mechanism. The user-agent field is read-only for the server and does not affect the server's parsing and use of the request. Parameters can also be added to other header fields or to custom fields, from which the encrypted watermark hash string is then obtained. For example, on reading user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) hash-AF11SD22SSDLKJJ, parsing on the keyword hash yields the watermark hash2 content AF11SD22SSDLKJJ.

[0050] Ot...

Embodiment 3

[0052] In this embodiment, on the basis of any one of the foregoing embodiments 1-2, in order to better realize the present invention, further, the inputs to the watermark hash content are the timestamp parameter timestamp (at one-second granularity), the source IP sip, the source port sport, the key key, the time range conf_time, and the configured encryption method alg;

[0053] The generating formula for generating the watermark hash content is hash=f(timestamp / conf_time, sip, sport, key, alg);

[0054] The f() function is controlled by the alg parameter; it computes the watermark hash content from the input parameters, and the operation is completed quickly using binary AND, OR and NOT operations.

[0055] Working principle: The f operation is performed here to solve the problem of inaccurate watermark caused by message transmission on the network.

[0056] Other parts of this embodiment are the same as those of any one of Embodiments 1-2 above, so details are not repeated here.
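The generation and header check described in Embodiments 2 and 3, as an added example that is not part of the patent text. HMAC stands in for the patent's unspecified f(); the `ALGS` table, the 16-character truncation, the sample key and addresses, and acceptance of the previous time window are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumed mapping for the alg parameter; the page does not list the supported methods.
ALGS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}
# Watermark is the token after the keyword "hash-" at the end of the header value.
WATERMARK_RE = re.compile(r"\bhash-([0-9A-Za-z]+)\s*$")


def f(window, sip, sport, key, alg):
    """Stand-in for f(): HMAC over window|sip|sport, truncated to 16 hex chars."""
    msg = f"{window}|{sip}|{sport}".encode()
    return hmac.new(key, msg, ALGS[alg]).hexdigest()[:16].upper()


def make_watermark(timestamp, conf_time, sip, sport, key, alg):
    # timestamp / conf_time as integer division: every second inside one
    # conf_time window produces the same watermark.
    return f(timestamp // conf_time, sip, sport, key, alg)


def tag_user_agent(user_agent, watermark):
    """Client side: append the watermark to the User-Agent value."""
    return f"{user_agent} hash-{watermark}"


def check_request(user_agent, now, conf_time, sip, sport, key, alg):
    """Inspection side: parse hash2 from the header, recompute hash1, compare."""
    m = WATERMARK_RE.search(user_agent)
    if not m:
        return "drop: no watermark"
    hash2 = m.group(1).upper()
    window = now // conf_time
    # Assumption: the previous window is also accepted, so a request stamped
    # just before a window boundary still validates on arrival.
    for w in (window, window - 1):
        if hmac.compare_digest(f(w, sip, sport, key, alg), hash2):
            return "pass"
    return "drop: bad watermark"


if __name__ == "__main__":
    key, ua = b"constructed-demo-key", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    wm = make_watermark(1700000000, 60, "203.0.113.7", 50123, key, "sha256")
    tagged = tag_user_agent(ua, wm)  # constructed sample request header
    print(tagged, check_request(tagged, 1700000030, 60, "203.0.113.7", 50123, key, "sha256"))
```

Because sip and sport are inputs, the values the client hashes must be the ones the defense device observes on the wire; any address or port translation between the two makes the recomputed hash1 differ from hash2.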


Abstract

The invention provides an HTTP traffic defense method and system for resisting DDoS attacks. A dynamic watermark generation module is arranged in a mobile client, and a dynamic watermark is generated when an HTTP request is initiated to a server. When the message passes through a DDoS defense device, the correctness and integrity of the watermark in the HTTP protocol header are quickly checked to identify whether the message belongs to the traffic of a normal client or to attack traffic initiated by a zombie host controlled by an attacker, and a cleaning action is performed by the defense device. This arrangement ensures that the mobile client can be identified and effectively solves the problem that the traffic of a normal client and of an illegal attacker cannot be distinguished; it also improves the HTTP attack identification and performance processing capabilities of the DDoS defense device.

Description

Technical field

[0001] The invention belongs to the technical field of computer information security protection, and in particular relates to an HTTP traffic defense method and system against DDoS attacks.

Background

[0002] From the PC era to the mobile Internet era, mobile traffic has grown rapidly and now significantly exceeds PC traffic. However, current application-layer DDoS protection algorithms still assume the traditional browser-server model: the real-IP check for TCP relies on the packet's three-way handshake, and the HTTP and HTTPS 302 and 307 redirect features support packet detection at the application layer, but this method first requires the client to fully support the protocol stack. In addition, if the attacker simulates the requests, it is difficult to distinguish genuine requests from forged ones.

[0003] At present, although the traffic on the mobile terminal is still accessed through the browser, most o...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1458, H04L63/1416
Inventor: 蔡后祥, 范渊, 吴永越, 郑学新, 刘韬
Owner CHENGDU DBAPP SECURITY