Network attack defense method, device, equipment and storage medium
By injecting defense strategies into the server through kernel hooks and generating and adding watermark values on terminal devices, the high-cost problem of existing DDoS protection solutions is addressed, achieving low-cost and effective network attack defense that is suitable for various cloud environments.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: TENCENT TECHNOLOGY (SHENZHEN) CO LTD
- Filing Date: 2024-12-18
- Publication Date: 2026-06-19
Figure CN122247646A_ABST
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a network attack defense method, apparatus, device, and storage medium.
Background Technology
[0002] A Distributed Denial of Service (DDoS) attack is a type of cyberattack. Attackers typically control a large number of computers or other network devices to send a massive number of network requests to a target system, exceeding its processing capacity and thus preventing legitimate users from accessing or using the system.
[0003] Current DDoS protection solutions use a splitter to copy the received traffic and send the copy to a detection cluster for monitoring. If a network attack is detected in the traffic, a warning is sent to the control center. The control center then uses a scrubbing cluster to clean the received traffic and returns the cleaned traffic to the switch, which forwards the cleaned traffic to the service server for processing. Therefore, current DDoS protection solutions rely on dedicated network deployment architectures and customized hardware support, resulting in high costs.
Summary of the Invention
[0004] This application provides a network attack defense method, apparatus, device, and storage medium, which can implement network attack defense on the business server side without requiring additional equipment resources and has low defense costs.
[0005] In a first aspect, this application provides a network attack defense method applied to a server, the method comprising:
[0006] The service message from the terminal device is obtained and parsed to obtain the sequence number value and the first watermark value corresponding to the service message. The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. The sequence number value is different for different service messages.
[0007] Obtain the key configuration information stored on the server, and determine the second key based on the key configuration information;
[0008] A second watermark value is obtained by performing a watermark calculation based on the second key and the sequence number value;
[0009] If the first watermark value is inconsistent with the second watermark value, the service message is cleared.
[0010] In a second aspect, this application provides a network attack defense method applied to a terminal device, the method comprising:
[0011] Obtain the first key built into the terminal device and generate the sequence number value corresponding to the service message. Different service messages correspond to different sequence number values.
[0012] A first watermark value is obtained by performing a watermark calculation based on the first key and the sequence number value;
[0013] Add the first watermark value and the sequence number value to the service message;
[0014] The service message is sent to the server so that the server calculates the second watermark value based on the second key and the sequence number value, and determines whether to clear the service message based on the first watermark value and the second watermark value. The second key is determined based on the key configuration information stored by the server.
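The two-sided exchange described in the first and second aspects, as an added example that is not part of the patent (Python written for this page): the terminal device computes a first watermark from its built-in first key and the sequence number value, inserts both into the service message at the watermark storage offset, and the server parses them at the same offset, recomputes a second watermark with its own second key, and clears the message when the two disagree. The patent does not fix the watermark function, the field sizes beyond the 4-byte examples it gives, or the offset; HMAC-SHA256 truncated to 4 bytes, a 2-byte constructed header, and the sample keys and payload below are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Sizes: the patent gives 4-byte keys and 4-byte sequence numbers as examples.
KEY_LEN = 4
SEQ_LEN = 4
WM_LEN = 4            # assumption: the watermark is truncated to 4 bytes
WATERMARK_OFFSET = 2  # assumption: a 2-byte constructed header precedes seq||watermark


def watermark(key: bytes, seq: int) -> bytes:
    """Watermark calculation over (key, sequence number).

    The patent does not fix the function; HMAC-SHA256 truncated to WM_LEN bytes
    is assumed here, so the value cannot be produced without the key."""
    return hmac.new(key, struct.pack(">I", seq), hashlib.sha256).digest()[:WM_LEN]


# ---------------- terminal device side ([0011]-[0014]) ----------------
def add_watermark(message: bytes, first_key: bytes, seq: int) -> bytes:
    """Insert sequence number || first watermark at the watermark storage offset."""
    first_wm = watermark(first_key, seq)
    header, body = message[:WATERMARK_OFFSET], message[WATERMARK_OFFSET:]
    return header + struct.pack(">I", seq) + first_wm + body


# ---------------- server side ([0006]-[0009]) ----------------
def parse_watermark(message: bytes):
    """Read (seq, first watermark, message without the watermark fields) at the offset.

    Returns None when the message is too short to carry the fields; such a
    message cannot be verified and is treated like a watermark mismatch."""
    end = WATERMARK_OFFSET + SEQ_LEN + WM_LEN
    if len(message) < end:
        return None
    seq_bytes = message[WATERMARK_OFFSET:WATERMARK_OFFSET + SEQ_LEN]
    first_wm = message[WATERMARK_OFFSET + SEQ_LEN:end]
    stripped = message[:WATERMARK_OFFSET] + message[end:]
    return struct.unpack(">I", seq_bytes)[0], first_wm, stripped


def verify(message: bytes, second_key: bytes):
    """Recompute the second watermark and compare it with the first.

    Returns the message with the watermark fields removed when they match, or
    None when the message is to be cleared."""
    parsed = parse_watermark(message)
    if parsed is None:
        return None
    seq, first_wm, stripped = parsed
    second_wm = watermark(second_key, seq)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(first_wm, second_wm):
        return None
    return stripped


def demo():
    """Constructed exchange: a legitimate message, one watermarked with the wrong
    key, and one whose sequence number was altered in transit."""
    first_key = bytes.fromhex("0a1b2c3d")      # constructed built-in client key
    second_key = first_key                      # server recovered the same key from its key config
    message = b"\x01\x02" + b"login:player42"   # constructed 2-byte header + body
    good = add_watermark(message, first_key, seq=0x12345678)
    forged = add_watermark(message, bytes.fromhex("ffffffff"), seq=0x12345678)
    tampered = bytearray(good)
    tampered[WATERMARK_OFFSET] ^= 0x01          # flip a bit of the sequence number
    return (verify(good, second_key),
            verify(forged, second_key),
            verify(bytes(tampered), second_key))


if __name__ == "__main__":
    accepted, forged, tampered = demo()
    print("good:", accepted)       # the stripped message is returned
    print("forged:", forged)       # None (cleared)
    print("tampered:", tampered)   # None (cleared)
```

Two details matter for a deployment of this scheme: the comparison of the two watermark values should be constant-time, and a message too short to contain the fields at the offset should be cleared rather than raise an exception inside the protection module.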
[0015] In a third aspect, this application provides a network attack defense device applied to a server, comprising:
[0016] The parsing unit is used to obtain service messages from the terminal device and parse the service messages to obtain the sequence number value and the first watermark value corresponding to the service message. The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. Different service messages have different sequence number values.
[0017] A key determination unit is used to obtain the key configuration information stored by the server and determine a second key based on the key configuration information;
[0018] A watermark calculation unit is used to perform a watermark calculation based on the second key and the sequence number value to obtain a second watermark value;
[0019] The processing unit is configured to clear the service message if the first watermark value is inconsistent with the second watermark value.
[0020] In some embodiments, if the key configuration information is obtained by the server encrypting the second key using an encryption key, and the encryption key is generated based on the server's device information, then the key determination unit is specifically used to obtain the server's device information; determine the server's fingerprint identifier based on the server's device information; generate the encryption key based on the server's fingerprint identifier; and decrypt the key configuration information using the encryption key to obtain the second key.
[0021] In some embodiments, when the key configuration information is obtained by encrypting the second key and the fingerprint identifier of the server using the encryption key, the parsing unit is further configured to: obtain the device information of the server and the key configuration information stored by the server; determine the fingerprint identifier of the server based on the device information of the server; generate the encryption key based on the determined fingerprint identifier of the server; decrypt the key configuration information using the encryption key to obtain the fingerprint identifier of the server included in the key configuration information; and if the fingerprint identifier of the server included in the key configuration information matches the determined fingerprint identifier of the server, then the service message is obtained.
[0022] In some embodiments, the key determination unit is specifically used to obfuscate the device information of the server to obtain first obfuscated information; and to perform a hash operation on the first obfuscated information to obtain the fingerprint identifier of the server.
[0023] In some embodiments, the key determination unit is specifically used to obtain a third key built into the server; and to generate the encryption key based on the third key and the fingerprint identifier of the server.
[0024] In some embodiments, the key determination unit is specifically used to obfuscate the third key and the fingerprint identifier of the server to obtain second obfuscated information; and to perform a hash operation on the second obfuscated information to generate the encryption key.
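The key-configuration protection of paragraphs [0020] to [0024], as an added example that is not taken from the patent: the server's fingerprint identifier is the hash of obfuscated device information, the encryption key is the hash of the obfuscated third key and fingerprint, and the key configuration information is the second key and fingerprint encrypted under that key, so a configuration copied to a different host cannot be decrypted and, even if it could, fails the fingerprint match. The obfuscation step, the use of SHA-256, the sample device information and keys, and the HMAC-based stand-in cipher are assumptions of this example (a real deployment would use an AEAD such as AES-GCM).

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def obfuscate(*parts: bytes) -> bytes:
    """Stand-in for the patent's unspecified obfuscation: length-prefix each part,
    concatenate, and reverse the byte order."""
    joined = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return joined[::-1]


def fingerprint(device_info: dict) -> bytes:
    """Fingerprint identifier = hash(obfuscate(device information)) ([0022])."""
    canonical = "|".join(f"{k}={device_info[k]}" for k in sorted(device_info)).encode()
    return hashlib.sha256(obfuscate(canonical)).digest()


def encryption_key(third_key: bytes, fp: bytes) -> bytes:
    """Encryption key = hash(obfuscate(third key, fingerprint)) ([0023]-[0024])."""
    return hashlib.sha256(obfuscate(third_key, fp)).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream; part of the stand-in cipher only."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Inverse of seal(); returns None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_key_config(second_key: bytes, third_key: bytes, device_info: dict) -> bytes:
    """Provisioning: key configuration = Enc(encryption key, second key || fingerprint) ([0021])."""
    fp = fingerprint(device_info)
    return seal(encryption_key(third_key, fp), second_key + fp)


def recover_second_key(key_config: bytes, third_key: bytes, device_info: dict, key_len: int = 4):
    """Server side ([0020]-[0021]): rebuild the fingerprint from this server's own device
    information, derive the encryption key, decrypt, and require the embedded fingerprint
    to match. Returns the second key, or None if the config belongs to a different server."""
    fp = fingerprint(device_info)
    plaintext = unseal(encryption_key(third_key, fp), key_config)
    if plaintext is None:
        return None  # wrong device info or third key: the tag already fails
    second_key, embedded_fp = plaintext[:key_len], plaintext[key_len:]
    if not hmac.compare_digest(embedded_fp, fp):
        return None  # the patent's explicit fingerprint check
    return second_key


# Constructed sample values, not from the patent.
SERVER_A = {"cpu_id": "cpu-0001", "mac": "02:00:00:aa:bb:cc", "disk_serial": "disk-0001"}
SERVER_B = {"cpu_id": "cpu-0001", "mac": "02:00:00:dd:ee:ff", "disk_serial": "disk-0001"}
THIRD_KEY = bytes.fromhex("7f3a9c10")
SECOND_KEY = bytes.fromhex("0a1b2c3d")


def demo():
    config = make_key_config(SECOND_KEY, THIRD_KEY, SERVER_A)
    return (recover_second_key(config, THIRD_KEY, SERVER_A),                    # the second key
            recover_second_key(config, THIRD_KEY, SERVER_B),                    # None: copied to another host
            recover_second_key(config, bytes.fromhex("00000000"), SERVER_A))    # None: wrong third key
```

With an authenticated cipher the tag check already rejects a configuration moved to a host with different device information; the explicit fingerprint comparison of paragraph [0021] remains useful as defence in depth if the cipher were ever used without authentication.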
[0025] In some embodiments, if the server is a service server, the processing unit is further configured to process the service message if the first watermark value is consistent with the second watermark value, and send the processing result of the service message to the terminal device.
[0026] In some embodiments, if the server is a proxy server for a service server, the processing unit is further configured to: send the service message to the service server if the first watermark value is consistent with the second watermark value, so that the service server can process the service message; receive the processing result of the service message sent by the service server; and send the processing result of the service message to the terminal device.
[0027] In some embodiments, the service server includes multiple proxy servers, which are communicatively connected to the terminal device through a gateway. The parsing unit is specifically used to receive the service message sent by the gateway. The service message is sent by the terminal device to the gateway so that the gateway can load balance one service message from the multiple received service messages to one of the proxy servers.
[0028] In some embodiments, the parsing unit is specifically used to obtain a preset watermark storage offset, the watermark storage offset being used to indicate the storage position of the sequence number value and the first watermark value corresponding to the service message in the service message; based on the watermark storage offset, the sequence number value and the first watermark value corresponding to the service message are parsed from the service message.
[0029] In a fourth aspect, this application provides a network attack defense device applied to a terminal device, comprising:
[0030] The acquisition unit is used to acquire the first key built into the terminal device and generate the sequence number value corresponding to the service message. The sequence number value is different for different service messages.
[0031] A watermark calculation unit is used to perform a watermark calculation based on the first key and the sequence number value to obtain a first watermark value;
[0032] An adding unit is used to add the first watermark value and the sequence number value to the service message;
[0033] The transceiver unit is used to send the service message to the server so that the server calculates a second watermark value based on the second key and the sequence number value, and determines whether to clear the service message based on the first watermark value and the second watermark value. The second key is determined based on the key configuration information stored by the server.
[0034] In some embodiments, the adding unit is specifically used to add the sequence number value and the first watermark value to the service message according to a preset watermark storage offset.
[0035] In some embodiments, if the server is a service server, the transceiver unit is further configured to receive the processing result of the service message sent by the service server, wherein the processing result is the result of the service server processing the service message when the first watermark value and the second watermark value are consistent.
[0036] In some embodiments, if the server is one of a plurality of proxy servers included in the service server, and the plurality of proxy servers are connected to the terminal device through a gateway, the transceiver unit is specifically used to send the service message to the gateway, so that the gateway sends the service message to one of the plurality of proxy servers based on load balancing.
[0037] In some embodiments, the transceiver unit is further configured to receive the processing result of the service message sent by the gateway, wherein the processing result is the result of the service server processing the service message when the first watermark value and the second watermark value are consistent.
[0038] In a fifth aspect, an electronic device is provided, including a processor and a memory. The memory is used to store a computer program, and the processor is used to invoke and run the computer program stored in the memory to perform the methods described in the first or second aspect and their respective implementations.
[0039] In a sixth aspect, a chip is provided for implementing the methods of the first or second aspect or their respective implementations. Specifically, the chip includes a processor for calling and running a computer program from a memory, causing a device on which the chip is installed to perform the methods of the first or second aspect and their respective implementations.
[0040] In a seventh aspect, a computer-readable storage medium is provided for storing a computer program that causes a computer to perform the methods described in the first or second aspect and their respective implementations.
[0041] In an eighth aspect, a computer program product is provided, including computer program instructions that cause a computer to perform the methods described in the first or second aspect and their respective implementations.
[0042] In a ninth aspect, a computer program is provided that, when run on a computer, causes the computer to perform the methods of the first or second aspect and their respective implementations described above.
[0043] In summary, this embodiment of the application obtains a first key built into the terminal device and generates a sequence number value corresponding to a service message, wherein different service messages correspond to different sequence number values. Then, a watermark calculation is performed based on the first key and the sequence number value to obtain a first watermark value, and the first watermark value and the sequence number value are added to the service message. The service message is then sent to the server. After receiving the service message from the terminal device, the server parses the service message to obtain the sequence number value and the first watermark value corresponding to the service message. Next, the server obtains the key configuration information stored on the server and determines a second key based on the key configuration information. Then, a watermark calculation is performed based on the second key and the sequence number value included in the service message to obtain a second watermark value. If the first watermark value included in the service message is inconsistent with the calculated second watermark value, the service message is determined to be an attack message, and the service message is then cleared. Therefore, the network attack defense method of this application embodiment injects defense strategies into the server through kernel hooks, thereby enabling the server to implement network attack defense functions without the need for additional device resources. Its defense cost is low and it is easily compatible with various cloud environments. Furthermore, in this application embodiment, the terminal device generates a first watermark based on the sequence number value corresponding to the service packet and the first key, ensuring that the first watermark corresponding to each service packet is unique. This allows the server to determine whether a service packet is an attack packet by detecting the first watermark included in the service packet, thereby achieving accurate detection of various attack methods such as replay attacks and pulse attacks, thus improving network attack defense performance and enhancing network security.
Description of the Drawings
[0044] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0045] Figure 1 is a schematic diagram of an existing network attack defense method;
[0046] Figure 2 is a schematic diagram of an implementation environment for the network attack defense method provided in an embodiment of this application;
[0047] Figure 3 is a schematic flowchart of a network attack defense method provided in an embodiment of this application;
[0048] Figure 4 is a schematic diagram illustrating the calculation of the first watermark value;
[0049] Figure 5A is a schematic diagram of a service message;
[0050] Figure 5B is another schematic diagram of a service message;
[0051] Figure 6A is a schematic diagram illustrating the parsing of the sequence number value and the first watermark value from a service message;
[0052] Figure 6B is another schematic diagram illustrating the parsing of the sequence number value and the first watermark value from a service message;
[0053] Figure 7 is a schematic diagram of the server configuration involved in an embodiment of this application;
[0054] Figure 8 is a schematic diagram illustrating the calculation of the second watermark value;
[0055] Figure 9 is a schematic flowchart of a network attack defense method provided in an embodiment of this application;
[0056] Figure 10 is a schematic diagram illustrating the generation of key configuration information;
[0057] Figure 11 is a schematic diagram illustrating how key information is prevented from being copied;
[0058] Figure 12 is a schematic flowchart of a network attack defense method provided in an embodiment of this application;
[0059] Figure 13 is a schematic diagram showing a protection module installed on a service server;
[0060] Figure 14 is a schematic flowchart of a network attack defense method provided in an embodiment of this application;
[0061] Figure 15 is a schematic diagram illustrating the configuration of a protection module on a proxy server;
[0062] Figure 16 is a schematic diagram illustrating a scenario in which the protection module is set up on a proxy server;
[0063] Figure 17 is a schematic block diagram of a network attack defense device provided in an embodiment of this application;
[0064] Figure 18 is a schematic block diagram of a network attack defense device provided in an embodiment of this application;
[0065] Figure 19 is a schematic block diagram of an electronic device provided in an embodiment of this application.
Detailed Description
[0066] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.
[0067] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in sequences other than those illustrated or described herein. In embodiments of the invention, "B corresponding to A" means that B is associated with A. In one implementation, B can be determined based on A. However, it should also be understood that determining B based on A does not mean determining B solely based on A; B can also be determined based on A and / or other information. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or server that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to these processes, methods, products, or devices. In the description of this application, unless otherwise stated, "a plurality of" means two or more.
[0068] The technical solution proposed in this application can be applied to the fields of network security, cloud services, Aegis, etc. It can achieve network attack defense on the server side without the need for additional equipment resources, and its defense cost is low.
[0069] The relevant technologies involved in the embodiments of this application are described below.
[0070] A Distributed Denial of Service (DDoS) attack is a type of network attack in which attackers control a large number of computers or other network devices to send a large number of network requests to the target system, exceeding its processing capacity and thus preventing normal users from accessing or using the system.
[0071] Flow splitting uses a splitter to copy the optical signal (network traffic) from the optical fiber.
[0072] Border Gateway Protocol (BGP) is a core routing protocol used on the Internet. It is responsible for exchanging routing and reachability information between Autonomous Systems (AS). BGP traffic steering is a method for optimizing, managing, and controlling data traffic flowing through a computer network. It influences route selection by manipulating BGP attributes (such as AS_PATH, MED, and local preference), thereby controlling the direction of network traffic.
[0073] The proxy architecture is a design pattern in software architecture, also known as the proxy pattern. In this pattern, one object (the proxy) controls access to another object (the target). The proxy can add additional logic when accessing the target object, such as security checks and load balancing.
[0074] Kernel hooks are a technique within the operating system kernel that allows developers to insert custom code into system calls or other kernel operations. This technique is commonly used for operating system extensions, debugging, and security.
[0075] Hashcode is an integer value generated from the content of an object. The calculated value is unique and different for different objects.
[0076] A fingerprint ID is a unique identifier used to identify specific information or data, and can be used to verify the integrity and authenticity of the data.
[0077] Currently, most cloud-based DDoS protection solutions use traffic redirection. As shown in Figure 1, such a solution mainly includes three core components: a traffic detection cluster, a management and control center, and a traffic scrubbing cluster. Specifically, as shown in Figure 1, a copy of the network traffic is obtained from the received raw traffic via a splitter and sent to the detection cluster, which inspects the copied traffic. If a network attack is detected in the traffic, a warning is sent to the control center, which then triggers the scrubbing cluster to perform traffic scrubbing. To that end, the switch uses BGP traffic redirection to send the received raw traffic to the scrubbing cluster; the scrubbing cluster then injects the cleaned traffic back into the switch, which forwards the cleaned traffic to the service server for processing. Therefore, current DDoS protection solutions rely on dedicated network deployment architectures and customized hardware support, resulting in high costs. This makes the adaptation cost of such a DDoS protection solution high and prevents direct migration. Furthermore, the DDoS protection capabilities provided by different cloud vendors vary and cannot meet business needs.
[0078] To address the aforementioned technical problems, this application provides a novel network attack defense method. First, a terminal device obtains a first key built into the device and generates a sequence number value corresponding to a service message, wherein different service messages correspond to different sequence number values. Next, a watermark calculation is performed based on the first key and the sequence number value to obtain a first watermark value, which is then added to the service message together with the sequence number value. The service message is then sent to a server. After receiving the service message from the terminal device, the server parses it to obtain the corresponding sequence number value and the first watermark value. Next, the server obtains key configuration information stored on the server and determines a second key based on this information. Then, a watermark calculation is performed based on the second key and the sequence number value included in the service message to obtain a second watermark value. If the first watermark value included in the service message is inconsistent with the calculated second watermark value, the service message is determined to be an attack message, and the service message is then cleared. Therefore, the network attack defense method of this application embodiment injects defense strategies into the server through kernel hooks, thereby enabling the server to implement network attack defense functions without the need for additional device resources. Its defense cost is low and it is easily compatible with various cloud environments. Furthermore, in this application embodiment, the terminal device generates a first watermark based on the sequence number value corresponding to the service packet and the first key, ensuring that the first watermark corresponding to each service packet is unique. This allows the server to determine whether a service packet is an attack packet by detecting the first watermark included in the service packet, thereby achieving accurate detection of various attack methods such as replay attacks and pulse attacks, thus improving network attack defense performance and enhancing network security.
[0079] The implementation environment of the embodiments of this application is described below.
[0080] Figure 2 is a schematic diagram of an implementation environment for the network attack defense method provided in an embodiment of this application, including multiple terminal devices 101 and a server 102. As shown in Figure 2, the terminal devices 101 are connected to the server 102.
[0081] In this embodiment, the terminal device 101 has a client for a certain program installed, such as a cloud gaming client. In some embodiments, the server 102 can be understood as the business server of the program, such as a cloud server for cloud gaming. In some embodiments, the server 102 can be a proxy server for the business server of the program, used to implement network attack defense.
[0082] In this embodiment, the objects corresponding to the multiple terminal devices 101 may include attackers. In this embodiment, normal objects (i.e., non-attackers) send service messages to the server according to the method of this embodiment, while the service messages sent by attackers may have problems. Therefore, in this embodiment, the server can identify attack messages by detecting the service messages sent by the terminal devices.
[0083] As shown in Figure 2, the server 102 in this embodiment includes a protection module. This protection module can be understood as custom code that the developer inserts into the kernel of the server through a kernel hook, so that when the server executes this code it implements the network attack defense method provided in this embodiment.
[0084] In the embodiments of this application, as shown in Figure 2, when a client installed on terminal device 101 sends a service message to the server, terminal device 101 first obtains the built-in first key and generates a sequence number value corresponding to the service message. Different service messages have different sequence number values. A watermark calculation is performed based on the first key and the sequence number value to obtain the first watermark value. The first watermark value and the sequence number value are added to the service message. The service message is sent to the server so that the server can calculate the second watermark value based on the second key and the sequence number value, and determine whether to clear the service message based on the first watermark value and the second watermark value. The second key is determined based on the key configuration information stored by the server.
[0085] Correspondingly, after server 102 obtains the service message from terminal device 101, it parses the service message to obtain the sequence number value and the first watermark value corresponding to the service message; then, it obtains the key configuration information stored by the server and determines the second key based on the key configuration information; then, it performs watermark calculation based on the second key and the sequence number value included in the service message to obtain the second watermark value; if the first watermark value included in the service message is inconsistent with the second watermark value calculated above, then the service message is determined to be an attack message, and the service message is then cleared.
[0086] Therefore, the network attack defense method of this application embodiment injects defense strategies into the server through kernel hooks, thereby enabling the server to implement network attack defense functions without the need for additional device resources. Its defense cost is low and it is easily compatible with various cloud environments. Furthermore, in this application embodiment, the terminal device generates a first watermark based on the sequence number value corresponding to the service packet and the first key, ensuring that the first watermark corresponding to each service packet is unique. This allows the server to determine whether a service packet is an attack packet by detecting the first watermark included in the service packet, thereby achieving accurate detection of various attack methods such as replay attacks and pulse attacks, thus improving network attack defense performance and enhancing network security.
[0087] In some embodiments, the terminal device 101 includes, but is not limited to, desktop computers, laptops, smartphones, tablets, IoT devices, and portable wearable devices. IoT devices may include smart speakers, smart TVs, smart air conditioners, and smart in-vehicle systems. Portable wearable devices may include smartwatches, smart bracelets, and head-mounted devices. Terminal devices are often equipped with a display device such as a monitor, display screen, or touchscreen, where the touchscreen may be a touch screen, touch panel, etc.
[0088] In some embodiments, the server 102 described above can be one or more servers. When there are multiple servers, at least two servers are used to provide different services, and / or at least two servers are used to provide the same service, such as providing the same service in a load-balanced manner. This application embodiment does not limit this. The server described above can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. The server can also be a node in a blockchain.
[0089] It should be noted that the implementation environment of this application embodiment includes, but is not limited to, that shown in Figure 2.
[0090] The technical solutions of the embodiments of this application will be described in detail below through some examples. The following embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.
[0091] Figure 3 is a schematic flowchart of a network attack defense method provided in an embodiment of this application.
[0092] As shown in Figure 3, the network attack defense method of this application embodiment includes the following steps:
[0093] S101. The terminal device obtains the first key built into the terminal device and generates the sequence number value corresponding to the service message.
[0094] Different service messages have different sequence number values.
[0095] The network attack defense method of this application embodiment can defend against various network attacks, such as network attacks against third-party clouds.
[0096] In this embodiment, a client for a certain application is installed on the terminal device. This embodiment does not limit the specific type of the application; it can be any application with a client and a server. For example, the application can be a cloud game. In a cloud gaming scenario, the client is used for display and interaction with objects (such as users), while the server is responsible for game calculations, rendering, and storage.
[0097] In this embodiment, the client has a built-in first key, which is used to generate a first watermark value for the service message. In this embodiment, since the client is installed on the terminal device, the first key built into the client can also be understood as the first key built into the terminal device.
[0098] In some embodiments, the first key of the same version of the same application can be the same.
[0099] The embodiments of this application do not limit the specific form of the first key. In one possible manner, the first key is a multi-byte number, such as a 4-byte number.
[0100] In this embodiment of the application, when the terminal device detects that the client needs to send a service message to the service server, it obtains the built-in first key and the sequence number value corresponding to the service message.
[0101] In this embodiment of the application, different service messages correspond to different sequence number values. This ensures that different first watermark values are generated for different service messages based on the sequence number value and the first key, which facilitates the server's accurate detection of the service message.
[0102] This application does not restrict the specific method by which the terminal device generates the sequence number value corresponding to the service message.
[0103] In one possible implementation, the terminal device first randomly initializes a value as the initial value for the sequence number. Then, when sending a service message, the terminal device dynamically changes this initial value to generate a new value as the sequence number for that service message. For example, the terminal device randomly generates 4 bytes of data as the initial value for the sequence number. When sending the first service message, this initial value can be used as the sequence number for that service message, or it can be modified before being used as the sequence number for the first service message. When sending the second service message, the terminal device modifies the sequence number for the first service message to obtain 4 bytes of data whose value differs from the sequence number of the first service message, and then uses these 4 bytes of data as the sequence number for the second service message. This process continues, with the terminal device generating different sequence number values for different service messages.
[0104] As described above, in this embodiment, the processing procedures for different service messages by different terminal devices are basically the same. For ease of description, we will take the example of a terminal device sending a service message. Specifically, when a terminal device needs to send the service message to the service server, the terminal device obtains the built-in first key and generates the sequence number value corresponding to the service message. Then, the following step S102 is executed.
[0105] S102. The terminal device performs watermark calculation based on the first key and the sequence number value to obtain the first watermark value.
[0106] As described above, when the terminal device determines to send a service message to the service server, it obtains the built-in first key and generates the sequence number value corresponding to the service message. In this embodiment, different service messages correspond to different sequence number values. Therefore, the first watermark value generated by the terminal device based on the first key and the sequence number value corresponding to the service message is unique, meaning that the first watermark value corresponding to different service messages is different. This facilitates the subsequent accurate detection of the service message by the server based on the first watermark value corresponding to the service message.
[0107] This application embodiment performs watermark calculation on the terminal device based on the first key and the sequence number value corresponding to the service message, and the specific method for obtaining the first watermark value corresponding to the service message is not limited. For example, as shown in Figure 4, the server inputs the first key and sequence number value into a preset watermark calculation function to calculate a watermark value, which is recorded as the first watermark value. This application embodiment does not limit the specific type of the watermark calculation function; it can be determined according to actual needs.
[0108] In one example, if the sequence number corresponding to the service message is 4 bytes of data, the server inputs the first key and the sequence number value into a preset watermark calculation function, and the calculated first watermark value is also 4 bytes of data.
[0109] S103. The terminal device adds the first watermark value and the sequence number value to the service message.
[0110] In this embodiment, the terminal device generates a first watermark value corresponding to the service message based on a built-in first key and the sequence number value corresponding to the service message. Then, the terminal device adds the first watermark value and the sequence number value corresponding to the service message to the service message.
[0111] This application embodiment does not limit the specific method by which the terminal device adds the first watermark value and sequence number value corresponding to the service message to the service message.
[0112] In some embodiments, the terminal device adds the first watermark value and sequence number value corresponding to the service message to the service message according to a preset addition rule. For example, the terminal device adds the first watermark value and sequence number value corresponding to the service message to the header or footer of the service message.
[0113] In some embodiments, the terminal device adds the sequence number value and the first watermark value corresponding to the service message to the service message in sequence according to the preset watermark storage offset.
[0114] In one example, as shown in Figure 5A, the terminal device can add the sequence number value and the first watermark value corresponding to the service message to the service message in sequence according to the preset watermark storage offset, wherein the sequence number value is added first and the first watermark value is added after the sequence number value.
[0115] In another example, as shown in Figure 5B, the terminal device can add the first watermark value and the sequence number value corresponding to the service message to the service message in sequence according to the preset watermark storage offset, wherein the first watermark value is added first and the sequence number value is added after the first watermark value.
[0116] This application does not limit the specific data size of the sequence number value and the first watermark value corresponding to the service message. In one example, the sequence number value corresponding to the service message is 4 bytes of data, and the first watermark value corresponding to the service message is also 4 bytes of data.
[0117] S104. The terminal device sends the service message to the server so that the server can calculate the second watermark value based on the second key and the sequence number value, and determine whether to clear the service message based on the first watermark value and the second watermark value.
[0118] The second key is determined based on the key configuration information stored on the server.
[0119] In this embodiment, the terminal device adds the sequence number value and the first watermark value corresponding to the service message to the service message based on the above steps, and then sends the service message to the server.
[0120] In some embodiments, the server can be a service server, allowing the terminal device to directly send service messages including a sequence number value and a first watermark value to the service server. The service server uses the method described in this application to detect the service message, and if it determines that the service message is not an attack message, it processes the service message.
[0121] In some embodiments, the server is a proxy server for the service server. In this case, the terminal device sends a service message including a sequence number value and a first watermark value to the proxy server. The proxy server uses the method described in this application to detect the service message. If it determines that the service message is not an attack message, it sends the service message to the service server for processing.
[0122] S105. The server obtains the service message from the terminal device, parses the service message, and obtains the sequence number value and the first watermark value corresponding to the service message.
[0123] The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. The sequence number value is different for different service messages.
[0124] In this embodiment, after receiving a service message sent by a terminal device, the server parses the service message to obtain the sequence number value and the first watermark value corresponding to the service message. Specifically, the server parses the sequence number value and the first watermark value corresponding to the service message from the service message containing the sequence number value and the first watermark value, according to the method by which the terminal device adds the sequence number value and the first watermark value to the service message.
[0125] In some embodiments, if the terminal device adds the sequence number value and the first watermark value corresponding to the service message to the header of the service message, the server parses the service message and obtains the sequence number value and the first watermark value corresponding to the service message from the header of the service message.
[0126] In some embodiments, if the terminal device adds the sequence number value and the first watermark value corresponding to the service message to the service message according to a preset watermark storage offset, the server obtains the preset watermark storage offset, which is used to indicate the storage location of the sequence number value and the first watermark value corresponding to the service message in the service message. Then, based on the watermark storage offset, the server parses the sequence number value and the first watermark value corresponding to the service message from the service message.
[0127] In one example, as shown in Figure 5A, if the terminal device adds the sequence number value and the first watermark value corresponding to the service message to the service message in sequence according to the preset watermark storage offset, with the sequence number value added first and the first watermark value added after the sequence number value, then, as shown in Figure 6A, after receiving a service message, the server parses the sequence number and the first watermark value from the service message according to the preset watermark storage offset. That is, the server first parses the sequence number value from the service message according to the watermark storage offset, and then parses the first watermark value.
[0128] In another example, as shown in Figure 5B, if the terminal device adds the first watermark value and sequence number value corresponding to the service message to the service message in sequence according to the preset watermark storage offset, with the first watermark value added first and the sequence number value added after the first watermark value, then, as shown in Figure 6B, after receiving a service message, the server parses the sequence number and the first watermark value from the message according to the preset watermark storage offset. Specifically, the server first parses the first watermark value from the message based on the watermark storage offset, and then parses the sequence number. For example, this sequence number is 4 bytes of data.
[0129] Based on the above steps, the server parses the business message, obtains the sequence number value and the first watermark value corresponding to the business message, and then executes the following step S106.
[0130] S106. The server obtains the key configuration information stored on the server and determines the second key based on the key configuration information.
[0131] In this embodiment, a defense strategy is injected into the server through a kernel hook, thereby enabling the server to implement network attack defense functions without the need for additional equipment resources. Its defense cost is low and it is convenient to be compatible with various cloud environments.
[0132] This application does not limit the specific method of injecting defense strategies into the server.
[0133] In some possible implementations, configuring the necessary information for host protection on the configuration page mainly involves four steps: First, selecting the protection version, i.e., selecting the server's operating system kernel version. Next, obtaining the server's fingerprint information. Then, configuring the protection parameters; as shown in Figure 7, the settings include internal and external network IP mapping, service port range settings, and secondary key settings. In this embodiment, up to two secondary keys can be set, one of which is the key corresponding to the old version of the client, and the other is the key corresponding to the current version of the client. Finally, an installation package (containing encrypted configuration and kernel modules) is generated, and then the package is downloaded to the server for deployment.
[0134] With the above settings, the server in this embodiment of the application has the ability to execute the defense method provided in this embodiment of the application.
[0135] This application does not limit the specific form of the key configuration information stored on the server, as long as it can indicate the second key. This second key is used to verify whether the first watermark value in the service message sent by the terminal device is correct. In some embodiments, this second key is consistent with the first key built into the terminal device.
[0136] In some embodiments, the key configuration information is the second key itself. This allows the server to directly obtain the second key it has stored.
[0137] In some embodiments, if the server in this application is a cloud server, the second key is hosted together with the business on a third-party cloud. To prevent the leakage of the second key, the second key needs to be encrypted and processed to form key configuration information.
[0138] The following describes the specific process by which the server encrypts the second key and generates key configuration information.
[0139] In this embodiment of the application, in order to prevent the leakage of the second key, the server generates key configuration information through the following steps A to D:
[0140] Step A: Obtain the server's device information;
[0141] Step B: Generate a fingerprint identifier for the server based on its device information;
[0142] Step C: Generate an encryption key based on the server's fingerprint identifier;
[0143] Step D: Use the encryption key to decrypt the key configuration information.
[0144] Specifically, the server obtains the server's device information and then generates a fingerprint identifier based on that information. This fingerprint identifier uniquely identifies the server, and different servers have different fingerprint identifiers.
[0145] This application does not limit the specific method by which the server generates a fingerprint identifier based on the server's device information.
[0146] In some embodiments, the server performs a hash operation on the server's device information and determines the hash value as the server's fingerprint identifier.
[0147] In some embodiments, the server obfuscates its device information according to a preset obfuscation method to obtain first obfuscated information. For example, the server obtains the first obfuscated information by modifying or hiding certain information in the server's device information, or by adding certain information to the server's device information. Then, the server performs a hash operation on the first obfuscated information to obtain the server's fingerprint identifier.
[0148] After obtaining the server's fingerprint identifier based on the above steps, the server generates an encryption key based on the fingerprint identifier.
[0149] This application does not limit the specific method by which the server generates encryption keys based on the server's fingerprint identifier.
[0150] In some embodiments, the server performs a hash operation on the server's fingerprint identifier to generate an encryption key.
[0151] In some embodiments, the server also has a built-in third key. The value of the built-in third key in different servers may be the same or different, and this application embodiment does not impose any restrictions on this. In this way, the server generates an encryption key based on the third key and the server's fingerprint identifier.
[0152] In one possible implementation, the server performs a hash operation on the combination of the third key and the server's fingerprint identifier to obtain the encryption key.
[0153] In one possible implementation, the server performs an obfuscation operation on the third key and the server's fingerprint identifier to obtain second obfuscated information. For example, the server may adjust the order of data in the third key and the server's fingerprint identifier, or replace or hide certain information in the third key and the server's fingerprint identifier, or add certain information to at least one of the third key and the server's fingerprint identifier to obtain the second obfuscated information. Next, a hash operation is performed on the second obfuscated information to generate an encryption key.
[0154] Finally, the server uses the generated encryption key to encrypt the second key, generates key configuration information, and saves the key configuration information on the server.
[0155] In this embodiment of the application, the server uses the encryption key generated above to encrypt the second key, and the specific method of generating the key configuration information is not limited.
[0156] In one example, the server uses the encryption key generated above to encrypt only the second key, generating key configuration information that includes only the second key.
[0157] In one example, the server uses the encryption key generated above to encrypt the second key and the server's fingerprint identifier to generate key configuration information, which includes the second key.
[0158] As described above, in this embodiment, the server uses an encryption key to encrypt the second key and generates key configuration information which is stored on the server. This prevents the leakage of the second key. For example, if an attacker steals the key configuration information from the server, since this key configuration information is obtained by encrypting the second key with the encryption key, and the encryption key is generated based on the server's fingerprint identifier, the attacker cannot generate the encryption key and therefore cannot parse the second key from the key configuration information, thus achieving effective storage of the second key.
[0159] If the key configuration information is obtained by the server encrypting the second key using an encryption key, and the encryption key is generated based on the server's device information, then determining the second key based on the key configuration information in S106 above includes the following steps S106-A to S106-D:
[0160] S106-A. The server obtains the server's device information;
[0161] S106-B: The server determines the server's fingerprint identifier based on the server's device information;
[0162] S106-C: The server generates an encryption key based on the server's fingerprint identifier;
[0163] S106-D: The server uses the encryption key to decrypt the key configuration information and obtain the second key.
[0164] In this implementation, if the key configuration information is obtained by the server encrypting the second key using the encryption key, then when the server parses the second key from the key configuration information, the server first obtains the server's device information, and then generates the server's fingerprint identifier based on the server's device information.
[0165] This application does not limit the specific method by which the server generates a fingerprint identifier based on the server's device information.
[0166] In some embodiments, the server performs a hash operation on the server's device information and determines the hash value as the server's fingerprint identifier.
[0167] In some embodiments, the server obfuscates its device information according to a preset obfuscation method to obtain first obfuscated information. For example, the server obtains the first obfuscated information by modifying or hiding certain information in the server's device information, or by adding certain information to the server's device information. Then, the server performs a hash operation on the first obfuscated information to obtain the server's fingerprint identifier.
[0168] After obtaining the server's fingerprint identifier based on the above steps, the server generates an encryption key based on the fingerprint identifier.
[0169] This application does not limit the specific method by which the server generates encryption keys based on the server's fingerprint identifier.
[0170] In some embodiments, the server performs a hash operation on the server's fingerprint identifier to generate an encryption key.
[0171] In some embodiments, the server also has a built-in third key. The value of the built-in third key in different servers may be the same or different, and this application embodiment does not impose any restrictions on this. In this way, the server generates an encryption key based on the third key and the server's fingerprint identifier.
[0172] In one possible implementation, the server performs a hash operation on the combination of the third key and the server's fingerprint identifier to obtain the encryption key.
[0173] In one possible implementation, the server performs an obfuscation operation on the third key and the server's fingerprint identifier to obtain second obfuscated information. For example, the server may adjust the order of data in the third key and the server's fingerprint identifier, or replace or hide certain information in the third key and the server's fingerprint identifier, or add certain information to at least one of the third key and the server's fingerprint identifier to obtain the second obfuscated information. Next, a hash operation is performed on the second obfuscated information to generate an encryption key.
[0174] Finally, the server uses the generated encryption key to decrypt the key configuration information stored on the server, obtaining the second key included in the key configuration information.
[0175] In this embodiment of the application, after obtaining the second key based on the key configuration information stored by the server, the server performs the following step S107.
[0176] S107. The server performs watermark calculation based on the second key and the sequence number value to obtain the second watermark value.
[0177] In this embodiment, under normal circumstances, the second key stored by the server is consistent with the first key stored by the terminal device. The first watermark value included in the service message sent by the terminal device to the server is generated based on the first key and the sequence number corresponding to the service message. Thus, as shown in Figure 8, after receiving the service message, the server parses it to obtain the first watermark value and sequence number corresponding to the service message, and based on the above steps, the server obtains the second key stored by the server. Next, the server performs watermark calculation based on the second key and the sequence number corresponding to the service message to obtain the second watermark value. Based on the first and second watermark values, the server determines whether the service message is an attack message.
[0178] This application embodiment performs watermark calculation on the server based on the second key and the sequence number value, and the specific method for obtaining the second watermark value is not limited. For example, the server inputs the second key and sequence number value into a preset watermark calculation function to calculate a watermark value, which is recorded as the second watermark value. This application embodiment does not limit the specific type of watermark calculation function, and it can be determined according to actual needs.
[0179] In one example, if the sequence number corresponding to the service message is 4 bytes of data, the server inputs the second key and the sequence number value into a preset watermark calculation function, and the calculated second watermark value is also 4 bytes of data.
[0180] S108. If the first watermark value and the second watermark value are inconsistent, the server will clear the business message.
[0181] In this embodiment, the server parses the first watermark value from the service message sent by the terminal device, and calculates the second watermark value based on the above steps. Then, the server compares the first watermark value with the second watermark value to determine whether the service message is an attack message.
[0182] As described above, in this embodiment, under normal circumstances, the first key built into the terminal device is consistent with the second key stored on the server. Thus, when the terminal device needs to send a service message, it generates a sequence number corresponding to the service message, and then generates a first watermark value corresponding to the service message based on the sequence number and the first key. The first watermark value and the aforementioned sequence number are then added to the service message and sent to the server. Upon receiving the service message sent by the terminal device, the server parses the service message to obtain the first watermark value and sequence number corresponding to the service message. Then, the server uses its stored second key and the parsed sequence number to generate a second watermark value.
[0183] If the first watermark value carried in the aforementioned service message does not match the second watermark value calculated by the server, it indicates that the service message sent by the terminal device is an abnormal service message, i.e., an attack message. In this case, the server deletes the service message.
[0184] If the first watermark value carried in the aforementioned service message matches the second watermark value calculated by the server, it indicates that the service message sent by the terminal device is a normal service message, i.e., not an attack message. In this case, the server can process the service message normally.
[0185] In some embodiments, if the server is a service server and the service message is a normal message, the service server processes the service message and sends the processing result to the terminal device.
[0186] In some embodiments, if the server is a proxy server for a service server, and the service message is a normal message, the proxy server sends the service message to the service server. The service server processes the service message. Optionally, the service server can directly send the processing result of the service message to the terminal device. Optionally, the service server can send the processing result of the service message to the proxy server, so that the proxy server can send the processing result to the terminal device.
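A worked example of steps S101 to S108, added here; it is not code from the application or from the assignee. The application leaves the watermark calculation function, the key and field sizes, and the storage offset open, so this example assumes HMAC-SHA256 truncated to 4 bytes as the watermark function, 4-byte keys and sequence numbers, the Figure 5A layout (sequence number first, then watermark) and a watermark storage offset of 0. The names Client, Server, watermark, build, parse and accept are the example's own. The server side also tries up to two secondary keys, the current and the previous client version key, as described in paragraph [0133].

```python
import hashlib
import hmac
import os
import struct

# Assumed parameters (the application does not fix them): Figure 5A layout,
# watermark storage offset 0, 4-byte sequence number, 4-byte watermark.
WATERMARK_OFFSET = 0
SEQ_LEN = 4
WM_LEN = 4


def watermark(key: bytes, seq: bytes) -> bytes:
    """Watermark calculation function. Assumed here: HMAC-SHA256 over the
    sequence number, truncated to 4 bytes (the application leaves it open)."""
    return hmac.new(key, seq, hashlib.sha256).digest()[:WM_LEN]


class Client:
    """Terminal side (S101-S104): built-in first key, per-message sequence number."""

    def __init__(self, first_key: bytes, initial_seq=None):
        self.first_key = first_key
        # S101: randomly initialised 4-byte sequence value (a fixed value may be
        # supplied to make a run reproducible)
        if initial_seq is None:
            initial_seq = struct.unpack(">I", os.urandom(4))[0]
        self.seq = initial_seq & 0xFFFFFFFF

    def next_seq(self) -> bytes:
        # Dynamically change the value so that no two messages share a sequence number
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return struct.pack(">I", self.seq)

    def build(self, payload: bytes) -> bytes:
        seq = self.next_seq()                    # S101: new sequence number
        wm = watermark(self.first_key, seq)      # S102: first watermark value
        # S103: sequence number first, then watermark, at the preset offset (Figure 5A)
        return payload[:WATERMARK_OFFSET] + seq + wm + payload[WATERMARK_OFFSET:]


class Server:
    """Server side (S105-S108). second_keys holds up to two secondary keys:
    the key of the current client version and the key of the previous one."""

    def __init__(self, second_keys):
        self.second_keys = list(second_keys)

    @staticmethod
    def parse(msg: bytes):
        """S105: recover (sequence number, first watermark, payload) using the
        watermark storage offset (Figure 6A). Returns None if the message is
        too short to carry both fields."""
        end = WATERMARK_OFFSET + SEQ_LEN + WM_LEN
        if len(msg) < end:
            return None
        seq = msg[WATERMARK_OFFSET:WATERMARK_OFFSET + SEQ_LEN]
        wm = msg[WATERMARK_OFFSET + SEQ_LEN:end]
        payload = msg[:WATERMARK_OFFSET] + msg[end:]
        return seq, wm, payload

    def accept(self, msg: bytes) -> bool:
        """S106-S108: True if the first watermark equals a second watermark
        computed with one of the server's keys (forward the message);
        False if the message should be cleared."""
        parsed = self.parse(msg)
        if parsed is None:
            return False
        seq, first_wm, _payload = parsed
        for key in self.second_keys:
            second_wm = watermark(key, seq)                 # S107
            if hmac.compare_digest(first_wm, second_wm):    # S108, constant-time compare
                return True
        return False


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04"                     # constructed 4-byte first key
    client = Client(key, initial_seq=0x10)
    srv = Server([key, b"\x09\x09\x09\x09"])      # current key plus an old-version key
    msg = client.build(b"hello cloud game")
    print("accepted:", srv.accept(msg))
    damaged = bytearray(msg)
    damaged[SEQ_LEN] ^= 0xFF                      # corrupt one watermark byte
    print("cleared:", not srv.accept(bytes(damaged)))
```

The comparison in accept uses a constant-time compare, which is the check a practitioner would want when the watermark is the only thing standing between a message and the service. Note that, as the application describes it, the watermark is computed over the sequence number alone, so the (sequence number, watermark) pair demonstrates possession of the first key rather than binding the payload; payload integrity, if needed, is a separate matter.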
[0187] The network attack defense method provided in this application embodiment obtains a first key built into the terminal device and generates a sequence number value corresponding to a service message, wherein different service messages correspond to different sequence number values; then, a watermark calculation is performed based on the first key and the sequence number value to obtain a first watermark value, and the first watermark value and the sequence number value are added to the service message; then, the service message is sent to a server. After the server obtains the service message from the terminal device, it parses the service message to obtain the sequence number value and the first watermark value corresponding to the service message; then, it obtains the key configuration information stored by the server and determines a second key based on the key configuration information; then, a watermark calculation is performed based on the second key and the sequence number value included in the service message to obtain a second watermark value; if the first watermark value included in the service message is inconsistent with the calculated second watermark value, the service message is determined to be an attack message, and the service message is then cleared. Therefore, the network attack defense method of this application embodiment injects defense strategies into the server through kernel hooks, thereby enabling the server to implement network attack defense functions without the need for additional device resources. Its defense cost is low and it is easily compatible with various cloud environments. Furthermore, in this application embodiment, the terminal device generates a first watermark based on the sequence number value corresponding to the service packet and the first key, ensuring that the first watermark corresponding to each service packet is unique. This allows the server to determine whether a service packet is an attack packet by detecting the first watermark included in the service packet, thereby achieving accurate detection of various attack methods such as replay attacks and pulse attacks, thus improving network attack defense performance and enhancing network security.
[0188] The foregoing provides an overall overview of the network attack defense method proposed in the embodiments of this application. In some embodiments, when the key configuration information is obtained by encrypting the second key and the fingerprint identifier of the server using an encryption key, the network attack defense method according to the embodiments of the present application is described below with reference to Figure 9.
[0189] Figure 9 is a schematic flowchart of a network attack defense method provided in an embodiment of this application.
[0190] As shown in Figure 9, the network attack defense method of this application embodiment includes:
[0191] S201. The server obtains the server's device information.
[0192] S202. The server determines the server's fingerprint identifier based on the server's device information.
[0193] S203. The server generates an encryption key based on the server's fingerprint identifier.
[0194] S204. The server uses an encryption key to encrypt the second key and the server's fingerprint identifier, obtains the key configuration information, and saves it.
[0195] The steps S201 to S204 above can be understood as the process by which the server generates key configuration information, which includes a second key and the server's fingerprint identifier.
[0196] Specifically, the server first obtains its own device information and then generates a fingerprint identifier based on that information. For example, the server performs a hash operation on the device information and uses the hash value as the fingerprint identifier. Alternatively, the server obfuscates the device information using a preset obfuscation method to obtain first obfuscated information. For instance, the server modifies or hides certain information in the device information or adds information to it to obtain the first obfuscated information. Next, the server performs a hash operation on this first obfuscated information to obtain the fingerprint identifier. Then, the server generates an encryption key based on this fingerprint identifier. For instance, the server performs a hash operation on the fingerprint identifier to generate an encryption key. Alternatively, the server may also have a built-in third key, the values of which can be the same or different across different servers; this embodiment does not impose such restrictions. Thus, the server generates an encryption key based on the third key and the fingerprint identifier. For instance, the server performs a hash operation on the combination of the third key and the fingerprint identifier to obtain the encryption key. Alternatively, the server performs an obfuscation operation on the third key and the fingerprint identifier to obtain second obfuscated information. For example, the server adjusts the sorting order of data in the third key and the server's fingerprint identifier, or replaces or hides some information in the third key and the server's fingerprint identifier, or adds certain information to at least one of the third key and the server's fingerprint identifier, to obtain second obfuscated information. Next, a hash operation is performed on the second obfuscated information to generate an encryption key. 
Finally, the server uses the generated encryption key to encrypt the second key and the server's fingerprint identifier to generate key configuration information. For example, the server encrypts the second key and the server's fingerprint identifier directly with the generated encryption key to generate key configuration information. As another example, the server first obfuscates the second key and the server's fingerprint identifier, and then uses the encryption key to encrypt the obfuscated second key and fingerprint identifier to generate key configuration information.
[0197] In one example, the process by which the server generates key configuration information is as shown in Figure 10: the server collects its device information and mixes it to obtain first mixed information. This first mixed information is then hashed to obtain the server's fingerprint. Next, the server's fingerprint and a third key built into the server are mixed to obtain second mixed information. This second mixed information is then hashed to obtain an encryption key. Finally, this encryption key is used to encrypt the server's fingerprint and the second key to obtain key configuration information, which is then stored locally on the server.
[0198] In this embodiment of the application, the second key and the fingerprint identifier of the server are encrypted using an encryption key to obtain key configuration information. Since the fingerprint identifiers of different servers are all different and unique, the configuration (i.e., key configuration information) of the same watermark key (i.e., the second key) is also different on different servers, thereby achieving key security.
[0199] S205. When the server starts, the server obtains the server's device information;
[0200] S206. The server determines the server's fingerprint identifier based on the server's device information;
[0201] S207. The server generates an encryption key based on the server's fingerprint identifier;
[0202] S208. The server uses the encryption key to decrypt the key configuration information and obtain the server's fingerprint identifier.
[0203] S209. The server verifies the device fingerprint based on the decrypted server fingerprint identifier and the determined server fingerprint identifier.
[0204] In this embodiment, to prevent the key configuration information in the server's protection module from being maliciously copied, anti-copying processing is required. Specifically, when the server starts up—specifically when the protection module in the server starts—the server verifies whether its own fingerprint identifier matches the fingerprint identifier in the key configuration information stored on the server. If they match, it means that the key configuration information stored on the server was not copied; if they do not match, it means that the key configuration information stored on the server was copied.
[0205] Specifically, as shown in Figure 11, when the server starts up (specifically, when the protection module within the server starts), it acquires the server's device information and then generates a fingerprint identifier for the server based on this information. For example, the server performs a hash operation on the server's device information and uses the hash value as the server's fingerprint identifier. Another example is that the server obfuscates the server's device information according to a preset obfuscation method to obtain first obfuscated information. For example, the server obtains first obfuscated information by modifying or hiding certain information in the server's device information, or by adding certain information to the server's device information. Next, the server performs a hash operation on this first obfuscated information to obtain the server's fingerprint identifier. Then, the server generates an encryption key based on this fingerprint identifier. For example, the server performs a hash operation on the server's fingerprint identifier to generate an encryption key. Another example is that the server also has a built-in third key, which the server uses to generate an encryption key. For example, the server performs a hash operation on the combination of the third key and the server's fingerprint identifier to obtain an encryption key. Yet another example is that the server performs an obfuscation operation on the third key and the server's fingerprint identifier to obtain second obfuscated information, and then performs a hash operation on this second obfuscated information to generate an encryption key. Finally, the server uses the generated encryption key to decrypt the key configuration information stored on the server, obtaining the server's fingerprint. Then, it checks whether the server's own fingerprint matches the fingerprint in the key configuration information stored on the server.
[0206] In this embodiment of the application, if the fingerprint identifier of the server itself is inconsistent with the fingerprint identifier in the key configuration information stored by the server, it indicates that the key configuration information stored by the server may be copied. In this case, the server does not execute the method of this embodiment of the application.
[0207] In some embodiments, if the server verifies that its own fingerprint identifier matches the fingerprint identifier in the key configuration information stored by the server, it indicates that the key configuration information stored by the server is not copied from another server. In this case, the network attack defense method of this application embodiment can be executed, i.e., steps S210 to S217 can be performed.
[0208] S210. The terminal device obtains the first key built into the terminal device and generates the sequence number value corresponding to the service message.
[0209] Different service messages have different sequence number values.
[0210] The specific implementation process of S210 is described in the relevant description of S101 above, and will not be repeated here.
[0211] S211. The terminal device performs watermark calculation based on the first key and the serial number value to obtain the first watermark value.
[0212] The specific implementation process of S211 is described in the relevant description of S102 above, and will not be repeated here.
[0213] S212. The terminal device adds the first watermark value and the sequence number value to the service message.
[0214] The specific implementation process of S212 is described in the relevant description of S103 above, and will not be repeated here.
[0215] S213. The terminal device sends the service message to the server so that the server can calculate the second watermark value based on the second key and the sequence number value, and determine whether to clear the service message based on the first watermark value and the second watermark value.
[0216] The second key is determined based on the key configuration information stored on the server.
[0217] The specific implementation process of S213 is described in the relevant description of S104 above, and will not be repeated here.
[0218] S214. The server obtains the service message from the terminal device, parses the service message, and obtains the sequence number value and the first watermark value corresponding to the service message.
[0219] The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. The sequence number value is different for different service messages.
[0220] The specific implementation process of S214 is described in the relevant description of S105 above, and will not be repeated here.
[0221] S215. The server obtains the key configuration information stored on the server and determines the second key based on the key configuration information.
[0222] In some embodiments, the server performs the steps of S208 described above, using the encryption key to decrypt the key configuration information, thereby obtaining not only the server's fingerprint identifier but also the second key.
[0223] In some embodiments, the server reacquires the server's device information; determines the server's fingerprint identifier based on the server's device information; generates an encryption key based on the server's fingerprint identifier; and decrypts the key configuration information using the encryption key to obtain a second key.
[0224] The specific implementation process of S215 is described in the relevant description of S106 above, and will not be repeated here.
[0225] S216. The server performs watermark calculation based on the second key and the sequence number value to obtain the second watermark value.
[0226] The specific implementation process of S216 is described in the relevant description of S107 above, and will not be repeated here.
[0227] S217. If the first watermark value and the second watermark value are inconsistent, the server will clear the business message.
[0228] The specific implementation process of S217 is described in the relevant description of S108 above, and will not be repeated here.
[0229] The network attack defense method provided in this application embodiment, during the configuration phase, involves the server encrypting a second key using an encryption key to obtain key configuration information, and storing this key configuration information. This improves the security of the second key and prevents its leakage. Upon server startup, the server verifies device fingerprint information to achieve functional copy protection. Specifically, the server generates a server fingerprint identifier based on its device information, then generates an encryption key based on this fingerprint identifier. This generated encryption key is then used to decrypt the key configuration information stored on the server, obtaining the server fingerprint identifier included in the key configuration information. The server can then compare its own fingerprint identifier with the server fingerprint identifier included in the key configuration information to determine whether the key configuration information has been copied, thus achieving functional copy protection. If the server's fingerprint identifier matches the server fingerprint identifier included in the key configuration information, the network attack defense method of this application embodiment continues to execute. If the server's fingerprint identifier does not match the server fingerprint identifier included in the key configuration information, it is determined that the server poses a network attack risk, further achieving effective defense against network attacks.
[0230] As described above, in this embodiment, the protection module can be deployed on a business server, i.e., the server mentioned above is a business server. In some embodiments, the business server of this embodiment has multiple proxy servers, and the protection module can be deployed on the proxy servers.
[0231] The specific process of this application embodiment when the server is a business server is described below with reference to Figure 12.
[0232] Figure 12 is a flowchart illustrating a network attack defense method provided in an embodiment of this application. As shown in Figure 12, the method in this application embodiment includes the following steps:
[0233] S301. The terminal device obtains the first key built into the terminal device and generates the sequence number value corresponding to the service message.
[0234] Different service messages have different sequence number values.
[0235] The specific implementation process of S301 can be referred to the relevant description of S101 above, and will not be repeated here.
[0236] S302. The terminal device performs watermark calculation based on the first key and the serial number value to obtain the first watermark value.
[0237] The specific implementation process of S302 can be referred to the relevant description of S102 above, and will not be repeated here.
[0238] S303. The terminal device adds the first watermark value and the sequence number value to the service message.
[0239] For example, the terminal device adds the sequence number value and the first watermark value to the service message according to the preset watermark storage offset.
[0240] The specific implementation process of S303 can be referred to the relevant description of S103 above, and will not be repeated here.
[0241] S304. The terminal device sends the service message to the service server.
[0242] As shown in Figure 13, the DDoS protection module and the business service are deployed on the same machine, i.e., both are deployed on the business server. The protection module processes network packets at the kernel protocol stack layer, cleans up illegal attack packets, and forwards legitimate business packets to the upper-layer protocol stack. In this mode, the business can access the service without any architectural adjustments.
[0243] S305. The service server parses the service message to obtain the sequence number value and the first watermark value corresponding to the service message.
[0244] The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. The sequence number value is different for different service messages.
[0245] S306. The business server obtains the key configuration information stored on the server and determines the second key based on the key configuration information.
[0246] In some embodiments, if the key configuration information is obtained by encrypting the second key using an encryption key, and the encryption key is generated based on the device information of the business server, the business server obtains the device information of the business server; and determines the fingerprint identifier of the business server based on the device information of the business server. In some embodiments, the business server determines the fingerprint identifier of the server based on the device information of the server, including: the business server obfuscating the device information of the business server to obtain first obfuscated information; and performing a hash operation on the first obfuscated information to obtain the fingerprint identifier of the business server.
[0247] Next, the business server generates an encryption key based on its fingerprint identifier. In some embodiments, the business server obtains a third key built into the business server; and generates an encryption key based on the third key and the server's fingerprint identifier. For example, the business server obfuscates the third key and the business server's fingerprint identifier to obtain second obfuscated information; and performs a hash operation on the second obfuscated information to generate the encryption key.
[0248] Finally, the business server uses the encryption key to decrypt the key configuration information and obtain the second key.
[0249] The specific implementation process of S306 can be referred to the relevant description of S106 above, and will not be repeated here.
[0250] S307. The business server performs watermark calculation based on the second key and the sequence number value to obtain the second watermark value.
[0251] For example, a preset watermark calculation function can be used to perform watermark calculation on the second key and the serial number value to obtain the second watermark value. This application does not limit the specific type of watermark calculation function.
[0252] The specific implementation process of S307 can be referred to the relevant description of S107 above, and will not be repeated here.
[0253] S308. If the first watermark value and the second watermark value are inconsistent, the service server will clear the service message.
[0254] S309. If the first watermark value is consistent with the second watermark value, the business server will process the business message.
[0255] S310. The service server sends the processing result of the service message to the terminal device.
[0256] In this embodiment, the service server has network attack defense capabilities. The terminal device directly sends a service message, including a first watermark value and a sequence number value, to the service server. The service server parses the service message to obtain the corresponding sequence number value and the first watermark value. Simultaneously, the service server obtains the key configuration information stored on the server and determines a second key based on the key configuration information; then, it performs watermark calculation based on the second key and the sequence number value to obtain the second watermark value. If the first watermark value and the second watermark value are inconsistent, the service server clears the service message. If the first watermark value and the second watermark value are consistent, the service server processes the service message and sends the processing result to the terminal device. Therefore, the network attack defense method of this embodiment injects defense strategies directly into the service server through kernel hooks, enabling the service server to implement network attack defense capabilities without additional device resources. It can elastically expand and shrink with the service server, offering convenient access, low access costs, low resource consumption, and compatibility with various cloud environments. In addition, in this embodiment, the terminal device generates a first watermark based on the sequence number value corresponding to the service message and the first key, so that the first watermark corresponding to each service message is different.
In this way, the service server can determine whether the service message is an attack message by detecting the first watermark included in the service message, thereby realizing accurate detection of various attack methods such as replay attacks and pulse attacks, thus improving network attack defense performance and enhancing network security.
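An added, runnable Python sketch of the configuration steps S201 to S209 and the message flow of S210 to S217 / S301 to S309 above (this is example code, not code from the patent; the proxy-server variant of Figure 14 only changes where the protection module runs). The patent leaves the watermark function, the obfuscation steps, the cipher and the replay handling unspecified, so they are assumed here: truncated HMAC-SHA256, field sorting and byte interleaving, a SHA-256 counter-mode stream with an HMAC tag, and a set of already accepted sequence numbers; the first and second keys are assumed to be the same shared secret, and every key and device-information value is constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values; the patent names these keys but gives no values.
FIRST_KEY = b"shared-watermark-key-demo"     # first key, built into the terminal device
SECOND_KEY = FIRST_KEY                        # second key, held by the server (assumed equal to the first)
THIRD_KEY = b"server-builtin-third-key-demo"  # third key, built into the server
SERVER_DEVICE_INFO = {"machine_id": "srv-0001", "mac": "02:00:00:00:00:01"}  # constructed
FP_LEN = 32          # SHA-256 fingerprint identifier
SEQ_LEN = 8          # width of the sequence number field
WM_LEN = 8           # width of the truncated watermark
WM_OFFSET = SEQ_LEN  # preset watermark storage offset: message = seq || watermark || payload

def server_fingerprint(device_info):
    """S202: obfuscate the device information (first obfuscated information), then hash it."""
    # Assumed obfuscation: sort the fields, join them and prepend a fixed tag.
    first_obfuscated = ("fp|" + "|".join(f"{k}={device_info[k]}" for k in sorted(device_info))).encode()
    return hashlib.sha256(first_obfuscated).digest()

def encryption_key(third_key, fingerprint):
    """S203: mix the third key with the fingerprint (second obfuscated information), then hash it."""
    # Assumed obfuscation: interleave the bytes of the two inputs.
    n = max(len(third_key), len(fingerprint))
    second_obfuscated = b"".join(third_key[i:i + 1] + fingerprint[i:i + 1] for i in range(n))
    return hashlib.sha256(second_obfuscated).digest()

def _xor_stream(key, nonce, data):
    """XOR with a SHA-256 counter-mode keystream; stands in for the cipher the patent leaves unspecified."""
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("key configuration information failed authentication")
    return _xor_stream(key, nonce, ciphertext)

def generate_key_config(device_info, second_key):
    """S201-S204: encrypt fingerprint || second key under the key derived from the fingerprint."""
    fingerprint = server_fingerprint(device_info)
    return encrypt(encryption_key(THIRD_KEY, fingerprint), fingerprint + second_key)

def load_key_config(device_info, key_config):
    """S205-S209: re-derive the key, decrypt, compare fingerprints; returns the second key."""
    fingerprint = server_fingerprint(device_info)
    try:
        plain = decrypt(encryption_key(THIRD_KEY, fingerprint), key_config)
    except ValueError:
        # On another machine the derived key differs, so the tag check already fails.
        raise ValueError("key configuration information was not generated on this server") from None
    stored_fingerprint, second_key = plain[:FP_LEN], plain[FP_LEN:]
    if not hmac.compare_digest(stored_fingerprint, fingerprint):
        raise ValueError("fingerprint mismatch: key configuration information was copied")
    return second_key

def watermark(key, seq):
    """Watermark calculation function (assumed): truncated HMAC-SHA256 over the sequence number."""
    return hmac.new(key, struct.pack(">Q", seq), hashlib.sha256).digest()[:WM_LEN]

class Terminal:
    """S210-S213 / S301-S304: one sequence number per message, watermark at the preset offset."""
    def __init__(self, first_key):
        self.first_key = first_key
        self.next_seq = 1

    def build_message(self, payload):
        seq, self.next_seq = self.next_seq, self.next_seq + 1  # different messages, different values
        return struct.pack(">Q", seq) + watermark(self.first_key, seq) + payload

class ProtectionModule:
    """S214-S217 / S305-S309: parse, recompute the watermark with the second key, clear on mismatch."""
    def __init__(self, device_info, key_config):
        self.second_key = load_key_config(device_info, key_config)  # refuses a copied configuration
        self.seen = set()  # assumed replay handling: sequence numbers already accepted

    def handle(self, message):
        """Returns ("processed", payload) for a legitimate message, ("cleared", None) otherwise."""
        if len(message) < WM_OFFSET + WM_LEN:
            return "cleared", None  # too short to carry the watermark header
        seq = struct.unpack(">Q", message[:SEQ_LEN])[0]
        first_wm = message[WM_OFFSET:WM_OFFSET + WM_LEN]
        second_wm = watermark(self.second_key, seq)
        if not hmac.compare_digest(first_wm, second_wm):
            return "cleared", None  # S217: watermarks differ, attack message
        if seq in self.seen:
            return "cleared", None  # a replayed message reuses a sequence number
        self.seen.add(seq)
        return "processed", message[WM_OFFSET + WM_LEN:]  # S309: hand the payload to the business service
```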
[0257] The specific process of this application embodiment when the server is a proxy server is described below with reference to Figure 14.
[0258] Figure 14 is a flowchart illustrating a network attack defense method provided in an embodiment of this application. As shown in Figure 14, the method in this application embodiment includes the following steps:
[0259] S401. The terminal device obtains the first key built into the terminal device and generates the sequence number value corresponding to the service message.
[0260] Different service messages have different sequence number values.
[0261] The specific implementation process of S401 can be referred to the relevant description of S101 above, and will not be repeated here.
[0262] S402. The terminal device performs watermark calculation based on the first key and the serial number value to obtain the first watermark value.
[0263] The specific implementation process of S402 can be referred to the relevant description of S102 above, and will not be repeated here.
[0264] S403. The terminal device adds the first watermark value and sequence number value to the service message.
[0265] For example, the terminal device adds the sequence number value and the first watermark value to the service message according to the preset watermark storage offset.
[0266] The specific implementation process of S403 can be referred to the relevant description of S103 above, and will not be repeated here.
[0267] S404. The terminal device sends the service message to the gateway.
[0268] Optionally, the gateway can be a Virtual Private Cloud (VPC) gateway.
[0269] As shown in Figure 15 and Figure 16, one business server can correspond to multiple proxy servers. The DDoS protection module is deployed on the proxy server, and all business traffic is cleaned by the protection module on the proxy server. Specifically, as shown in Figure 14, inbound traffic (i.e., business packets) enters the proxy server, where the protection module cleans the traffic. The cleaned traffic then flows from the proxy server to the business server. Outbound traffic (i.e., the processing results of the business packets) travels from the business server to the proxy server, and then from the proxy server to the terminal device. For example, as shown in Figure 15, multiple proxy servers can distribute the load on the business server, increasing the protection capacity of a single business server. In extreme cases, if some proxy servers are attacked and rendered unusable, it will not affect other proxy servers. This means that only some users are affected, while users on normal proxy servers remain unaffected, achieving service degradation and disaster recovery.
[0270] S405. The gateway sends the service message to the proxy server.
[0271] For example, as shown in Figure 16, the service messages received by the gateway include normal messages sent by legitimate users, and may also include attack messages sent by attackers. After receiving a large number of service messages, the gateway, based on the principle of load balancing, forwards the different service messages received to multiple proxy servers for processing. For example, the service message sent by the terminal device is forwarded to proxy server 1 for processing.
[0272] S406. The proxy server parses the business message to obtain the sequence number value and the first watermark value corresponding to the business message.
[0273] The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. The sequence number value is different for different service messages.
[0274] S407. The proxy server obtains the key configuration information stored by the server and determines the second key based on the key configuration information.
[0275] In some embodiments, if the key configuration information is obtained by encrypting the second key using an encryption key, and the encryption key is generated based on the proxy server's device information, the proxy server obtains the proxy server's device information; and determines the proxy server's fingerprint based on the proxy server's device information. In some embodiments, the proxy server determines the server's fingerprint based on the server's device information, including: the proxy server obfuscating the proxy server's device information to obtain first obfuscated information; and performing a hash operation on the first obfuscated information to obtain the proxy server's fingerprint.
[0276] Next, the proxy server generates an encryption key based on its fingerprint identifier. In some embodiments, the proxy server obtains a third key built into the proxy server; and generates an encryption key based on the third key and the server's fingerprint identifier. For example, the proxy server obfuscates the third key and the proxy server's fingerprint identifier to obtain second obfuscated information; and performs a hash operation on the second obfuscated information to generate the encryption key.
[0277] Finally, the proxy server uses the encryption key to decrypt the key configuration information and obtain the second key.
[0278] The specific implementation process of S407 can be referred to the relevant description of S106 above, and will not be repeated here.
[0279] S408. The proxy server calculates the watermark based on the second key and the sequence number value to obtain the second watermark value.
[0280] For example, a preset watermark calculation function can be used to perform watermark calculation on the second key and the serial number value to obtain the second watermark value. This application does not limit the specific type of watermark calculation function.
[0281] The specific implementation process of S408 can be referred to the relevant description of S107 above, and will not be repeated here.
[0282] S409. If the first watermark value and the second watermark value are inconsistent, the proxy server will clear the business message.
[0283] S410. If the first watermark value is consistent with the second watermark value, the proxy server sends the service message to the service server.
[0284] S411. The business server processes the business message.
[0285] S412. The business server sends the processing result of the business message to the proxy server.
[0286] S413. The proxy server sends the processing result of the service message to the terminal device.
[0287] In one example, the proxy server directly sends the processing result of the service message to the terminal device.
[0288] In one example, the proxy server sends the processing result of the service message to the gateway, and the gateway then sends the processing result of the service message to the terminal device.
[0289] In this embodiment, the proxy server has network attack defense capabilities. The terminal device directly sends a service message, including a first watermark value and a sequence number value, to the proxy server. The proxy server parses the service message to obtain the corresponding sequence number value and the first watermark value. Simultaneously, the proxy server obtains the key configuration information stored on the server and determines a second key based on the key configuration information; then, it calculates the watermark based on the second key and the sequence number value to obtain the second watermark value. If the first watermark value and the second watermark value are inconsistent, the proxy server clears the service message. If the first watermark value and the second watermark value are consistent, the proxy server sends the service message to the service server for processing. Therefore, the network attack defense method in this embodiment injects a defense strategy into the proxy server through kernel hooks, enabling the proxy server to implement network attack defense capabilities without requiring additional device resources. Its defense cost is low and it is easily compatible with various cloud environments. Furthermore, in this embodiment, the service server corresponds to multiple proxy servers, which can distribute the load on the service server and increase the upper limit of the protection capability of a single service server. If some proxy servers are attacked and rendered unusable, it will not affect other proxy servers, meaning only some users are affected. Users on normal proxy servers will remain unaffected, achieving service degradation and disaster recovery. 
Furthermore, this application's embodiments utilize a security watermarking strategy to effectively protect against scenarios such as data breaches, small-scale attacks, pulse attacks, cloud-based attacks, and small-scale data transmission due to inadequate protection from third-party cloud vendors, thereby improving network attack defense performance and enhancing network security.
[0290] The foregoing has described the method embodiments of this application in detail with reference to Figures 3 to 16; the device embodiments of this application are described in detail below with reference to Figure 17.
[0291] Figure 17 is a schematic block diagram of a network attack defense device provided in one embodiment of this application. The device 10 can be applied to a server.
[0292] As shown in Figure 17, the network attack defense device 10 includes:
[0293] The parsing unit 11 is used to obtain service messages from the terminal device and parse the service messages to obtain the sequence number value and the first watermark value corresponding to the service message. The first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and the first key built into the terminal device. Different service messages have different sequence number values.
[0294] The key determination unit 12 is used to obtain the key configuration information stored by the server and determine the second key based on the key configuration information;
[0295] The watermark calculation unit 13 is used to perform watermark calculation based on the second key and the serial number value to obtain the second watermark value;
[0296] The processing unit 14 is used to clear the service message if the first watermark value is inconsistent with the second watermark value.
[0297] In some embodiments, if the key configuration information is obtained by the server encrypting the second key using an encryption key, and the encryption key is generated based on the server's device information, then the key determination unit 12 is specifically used to obtain the server's device information; determine the server's fingerprint identifier based on the server's device information; generate the encryption key based on the server's fingerprint identifier; and decrypt the key configuration information using the encryption key to obtain the second key.
[0298] In some embodiments, when the key configuration information is obtained by encrypting the second key and the fingerprint identifier of the server using the encryption key, the parsing unit 11 is further configured to: obtain the device information of the server and the key configuration information stored by the server; determine the fingerprint identifier of the server based on the device information of the server; generate the encryption key based on the determined fingerprint identifier of the server; decrypt the key configuration information using the encryption key to obtain the fingerprint identifier of the server included in the key configuration information; and obtain the service message if the fingerprint identifier of the server included in the key configuration information matches the determined fingerprint identifier of the server.
[0299] In some embodiments, the key determination unit 12 is specifically used to obfuscate the device information of the server to obtain first obfuscated information; and to perform a hash operation on the first obfuscated information to obtain the fingerprint identifier of the server.
[0300] In some embodiments, the key determination unit 12 is specifically used to obtain a third key built into the server; and to generate the encryption key based on the third key and the fingerprint identifier of the server.
[0301] In some embodiments, the key determination unit 12 is specifically used to obfuscate the third key and the fingerprint identifier of the server to obtain second obfuscated information; and to perform a hash operation on the second obfuscated information to generate the encryption key.
[0302] In some embodiments, if the server is a service server, the processing unit 14 is further configured to process the service message if the first watermark value is consistent with the second watermark value, and send the processing result of the service message to the terminal device.
[0303] In some embodiments, if the server is a proxy server for a service server, the processing unit 14 is further configured to send the service message to the service server if the first watermark value is consistent with the second watermark value, so that the service server can process the service message; receive the processing result of the service message sent by the service server; and send the processing result of the service message to the terminal device.
[0304] In some embodiments, the service server includes multiple proxy servers, which are connected to the terminal device via a gateway. The parsing unit 11 is specifically used to receive the service message sent by the gateway. The service message is sent by the terminal device to the gateway, so that the gateway can load balance the multiple service messages it receives across the multiple proxy servers, sending each service message to one proxy server.
[0305] In some embodiments, the parsing unit 11 is specifically used to obtain a preset watermark storage offset, the watermark storage offset being used to indicate the storage position of the sequence number value and the first watermark value corresponding to the service message in the service message; based on the watermark storage offset, the sequence number value and the first watermark value corresponding to the service message are parsed from the service message.
[0306] It should be understood that the device embodiments and method embodiments correspond to each other, and similar descriptions can be found in the method embodiments. To avoid repetition, further details are not provided here. Specifically, the apparatus shown in Figure 17 can execute the server-side method embodiments described above, and the foregoing and other operations and/or functions of each module in the apparatus respectively implement those method embodiments, which are not described again here for the sake of brevity.
[0307] Figure 18 is a schematic block diagram of a network attack defense device provided in an embodiment of this application. The device 20 can be applied to terminal devices.
[0308] As shown in Figure 18, the network attack defense device 20 includes:
[0309] The acquisition unit 21 is used to acquire the first key built into the terminal device and generate the sequence number value corresponding to the service message. The sequence number value is different for different service messages.
[0310] The watermark calculation unit 22 is used to perform watermark calculation based on the first key and the sequence number value to obtain the first watermark value;
[0311] Adding unit 23 is used to add the first watermark value and the sequence number value to the service message;
[0312] The transceiver unit 24 is used to send the service message to the server so that the server calculates the second watermark value based on the second key and the sequence number value, and determines whether to clear the service message based on the first watermark value and the second watermark value. The second key is determined based on the key configuration information stored by the server.
[0313] In some embodiments, the adding unit 23 is specifically used to add the sequence number value and the first watermark value to the service message according to a preset watermark storage offset.
[0314] In some embodiments, if the server is a service server, the transceiver unit 24 is further configured to receive the processing result of the service message sent by the service server, wherein the processing result is the result of the service server processing the service message when the first watermark value and the second watermark value are consistent.
[0315] In some embodiments, if the server is one of a plurality of proxy servers included in the service server, and the plurality of proxy servers are connected to the terminal device through a gateway, the transceiver unit 24 is specifically used to send the service message to the gateway, so that the gateway sends the service message to one of the plurality of proxy servers based on load balancing.
[0316] In some embodiments, the transceiver unit 24 is further configured to receive the processing result of the service message sent by the gateway, wherein the processing result is the result of the service server processing the service message when the first watermark value and the second watermark value are consistent.
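The following is an added worked example, not part of this application's embodiments, modelling in Python the terminal-side units 21 to 24 and the server-side units 11 to 14 described above, including the fingerprint check of paragraph [0298] and the watermark storage offset of paragraphs [0305] and [0313]. The application does not fix the watermark function, the obfuscation, the hash, or the cipher, so the example assumes HMAC-SHA256 for the watermark calculation, SHA-256 over a fixed canonical serialisation for the fingerprint identifier and the encryption key, an 8-byte watermark storage offset followed by an 8-byte sequence number and a 16-byte watermark, and a SHA-256 counter keystream as a stand-in for a real cipher. The replay check in check_message is also an addition: the application only requires that different messages carry different sequence numbers. Keys and device information are constructed inputs.

```python
"""Added example modelling the watermark scheme: terminal side (units 21-24)
and server side (units 11-14). All primitives below are assumptions; the
application itself does not fix them."""
import hashlib
import hmac
import struct
from typing import Optional

WATERMARK_OFFSET = 8   # assumed preset watermark storage offset (bytes 0..7: header)
SEQ_LEN = 8            # sequence number value stored as 8-byte big-endian
WM_LEN = 16            # watermark value truncated to 16 bytes (assumption)
FP_LEN = 32            # SHA-256 fingerprint identifier


def watermark(key: bytes, seq: int) -> bytes:
    """Watermark calculation: HMAC-SHA256(key, seq), truncated (assumption)."""
    return hmac.new(key, struct.pack(">Q", seq), hashlib.sha256).digest()[:WM_LEN]


# ---- terminal device: acquisition unit 21, watermark calculation unit 22, adding unit 23
def add_watermark(header: bytes, payload: bytes, first_key: bytes, seq: int) -> bytes:
    """Insert the sequence number and the first watermark value at the preset offset."""
    if len(header) != WATERMARK_OFFSET:
        raise ValueError("header must be exactly WATERMARK_OFFSET bytes")
    return header + struct.pack(">Q", seq) + watermark(first_key, seq) + payload


# ---- server: key determination unit 12 (fingerprint, encryption key, key configuration)
def fingerprint(device_info: dict) -> bytes:
    """Obfuscate device information (fixed canonical serialisation, assumed) and hash it."""
    obfuscated = b"|".join(f"{k}={v}".encode() for k, v in sorted(device_info.items()))
    return hashlib.sha256(b"fingerprint:" + obfuscated).digest()


def encryption_key(third_key: bytes, fp: bytes) -> bytes:
    """Obfuscate the built-in third key with the fingerprint and hash the result."""
    return hashlib.sha256(b"enckey:" + third_key + b"|" + fp).digest()


def _keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as a stand-in for a real cipher (use AES-GCM in practice).
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def make_key_config(second_key: bytes, third_key: bytes, device_info: dict) -> bytes:
    """Provisioning: encrypt (fingerprint || second key) under the device-bound key."""
    fp = fingerprint(device_info)
    plain = fp + second_key
    return _xor(plain, _keystream(encryption_key(third_key, fp), len(plain)))


def load_second_key(key_config: bytes, third_key: bytes, device_info: dict) -> bytes:
    """Server start-up: decrypt the key configuration and verify it belongs to this host."""
    fp = fingerprint(device_info)
    plain = _xor(key_config, _keystream(encryption_key(third_key, fp), len(key_config)))
    stored_fp, second_key = plain[:FP_LEN], plain[FP_LEN:]
    if not hmac.compare_digest(stored_fp, fp):
        # Configuration copied from another machine (or wrong third key): refuse service.
        raise ValueError("key configuration does not match this server's fingerprint")
    return second_key


# ---- server: parsing unit 11, watermark calculation unit 13, processing unit 14
def parse_watermark(msg: bytes):
    """Return (sequence number, first watermark) read at the preset offset, or None."""
    end = WATERMARK_OFFSET + SEQ_LEN + WM_LEN
    if len(msg) < end:
        return None
    seq = struct.unpack(">Q", msg[WATERMARK_OFFSET:WATERMARK_OFFSET + SEQ_LEN])[0]
    return seq, msg[WATERMARK_OFFSET + SEQ_LEN:end]


def check_message(msg: bytes, second_key: bytes, seen: Optional[set] = None) -> bool:
    """True if the message should be processed; False if it should be cleared."""
    parsed = parse_watermark(msg)
    if parsed is None:
        return False
    seq, first_wm = parsed
    second_wm = watermark(second_key, seq)
    if not hmac.compare_digest(first_wm, second_wm):
        return False
    if seen is not None:          # replay tracking: an addition, not in the application
        if seq in seen:
            return False
        seen.add(seq)
    return True
```

The constant-time comparison (hmac.compare_digest) matters because the server compares an attacker-supplied watermark against one it computes; a byte-by-byte early-exit comparison would leak the expected value over many requests. The keystream XOR carries no integrity tag, so the fingerprint check is what detects a configuration file copied to another machine; a deployment should replace it with an authenticated cipher.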
[0317] It should be understood that the device embodiments and method embodiments correspond to each other, and similar descriptions can be found in the method embodiments. To avoid repetition, further details are not provided here. Specifically, the apparatus shown in Figure 18 can execute the terminal-device-side method embodiments described above, and the foregoing and other operations and/or functions of each module in the apparatus respectively implement those method embodiments, which are not described again here for the sake of brevity.
[0318] The apparatus of this application embodiment has been described above from the perspective of functional modules in conjunction with the accompanying drawings. It should be understood that this functional module can be implemented in hardware, in software instructions, or in a combination of hardware and software modules. Specifically, the steps of the method embodiments in this application can be completed by integrated logic circuits in the processor's hardware and / or by software instructions. The steps of the method disclosed in this application embodiment can be directly embodied as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. Optionally, the software module can reside in a mature storage medium in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, etc. This storage medium is located in memory, and the processor reads information from the memory and, in conjunction with its hardware, completes the steps in the above method embodiments.
[0319] Figure 19 is a schematic block diagram of the electronic device provided in the embodiments of this application. The electronic device of Figure 19 can be the aforementioned server or terminal device.
[0320] As shown in Figure 19, the electronic device 30 may include:
[0321] a memory 31 and a processor 32. The memory 31 stores a computer program 33 and transfers the program code 33 to the processor 32. In other words, the processor 32 can retrieve and run the computer program 33 from the memory 31 to implement the methods described in the embodiments of this application.
[0322] For example, the processor 32 can be used to execute the steps in the above method according to the instructions in the computer program 33.
[0323] In some embodiments of this application, the processor 32 may include, but is not limited to:
[0324] General-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
[0325] In some embodiments of this application, the memory 31 includes, but is not limited to:
[0326] Volatile memory and / or non-volatile memory. Non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
[0327] In some embodiments of this application, the computer program 33 may be divided into one or more modules, which are stored in the memory 31 and executed by the processor 32 to complete the network attack defense method provided in this application. The one or more modules may be a series of computer program instruction segments capable of performing specific functions, which describe the execution process of the computer program 33 in the electronic device.
[0328] As shown in Figure 19, the electronic device 30 may further include:
[0329] Transceiver 34, which can be connected to processor 32 or memory 31.
[0330] The processor 32 can control the transceiver 34 to communicate with other devices; specifically, it can send information or data to other devices or receive information or data sent by other devices. The transceiver 34 may include a transmitter and a receiver. The transceiver 34 may further include antennas, and the number of antennas may be one or more.
[0331] It should be understood that the various components in the electronic device 30 are connected through a bus system, which includes a data bus, a power bus, a control bus, and a status signal bus.
[0332] According to one aspect of this application, a computer storage medium is provided that stores a computer program thereon, which, when executed by a computer, enables the computer to perform the methods of the above-described method embodiments. Alternatively, embodiments of this application also provide a computer program product containing instructions that, when executed by a computer, cause the computer to perform the methods of the above-described method embodiments.
[0333] According to another aspect of this application, a computer program product or computer program is provided, comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the method described in the above-described method embodiments.
[0334] In other words, when implemented using software, it can be implemented entirely or partially as a computer program product. This computer program product includes one or more computer instructions. When these computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium accessible to a computer or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., digital video disc (DVD)), or a semiconductor medium (e.g., solid-state disk (SSD)).
[0335] Those skilled in the art will recognize that the modules and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0336] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of modules is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or modules may be electrical, mechanical, or other forms.
[0337] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. For example, the functional modules in the various embodiments of this application may be integrated into one processing module, or each module may exist physically separately, or two or more modules may be integrated into one module.
[0338] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A network attack defense method, characterized in that, applied to a server, the method includes: obtaining a service message from a terminal device and parsing the service message to obtain the sequence number value and the first watermark value corresponding to the service message, wherein the first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and a first key built into the terminal device, and different service messages have different sequence number values; obtaining the key configuration information stored on the server, and determining a second key based on the key configuration information; performing watermark calculation based on the second key and the sequence number value to obtain a second watermark value; and if the first watermark value is inconsistent with the second watermark value, clearing the service message.
2. The method of claim 1, wherein, If the key configuration information is obtained by encrypting the second key using an encryption key, and the encryption key is generated based on the server's device information, then determining the second key based on the key configuration information includes: Obtain the device information of the server; Based on the device information of the server, determine the fingerprint identifier of the server; The encryption key is generated based on the fingerprint identifier of the server; The encryption key is used to decrypt the key configuration information to obtain the second key.
3. The method of claim 2, wherein, When the key configuration information is obtained by encrypting the second key and the fingerprint identifier of the server using the encryption key, before obtaining the service message from the terminal device, the method further includes: Obtain the device information of the server and the key configuration information stored on the server; Based on the device information of the server, determine the fingerprint identifier of the server; The encryption key is generated based on the determined fingerprint of the server; Using the encryption key, the key configuration information is decrypted to obtain the fingerprint identifier of the server included in the key configuration information; The acquisition of service messages from the terminal device includes: If the fingerprint identifier of the server included in the key configuration information matches the determined fingerprint identifier of the server, then the service message is obtained.
4. The method according to claim 2 or 3, characterized in that, Determining the fingerprint identifier of the server based on the server's device information includes: The device information of the server is obfuscated to obtain first obfuscated information; A hash operation is performed on the first obfuscated information to obtain the fingerprint identifier of the server.
5. The method according to claim 2 or 3, characterized in that, The process of generating the encryption key based on the fingerprint identifier of the server includes: Obtain the third key built into the server; The encryption key is generated based on the third key and the fingerprint identifier of the server.
6. The method of claim 5, wherein, The process of generating the encryption key based on the third key and the fingerprint identifier of the server includes: The third key and the fingerprint identifier of the server are obfuscated to obtain the second obfuscated information; The second obfuscated information is hashed to generate the encryption key.
7. The method of claim 1, wherein, if the server is a service server, the method further includes: if the first watermark value is consistent with the second watermark value, processing the service message; and sending the processing result of the service message to the terminal device.
8. The method of claim 1, wherein, if the server is a proxy server for a service server, the method further includes: if the first watermark value is consistent with the second watermark value, sending the service message to the service server so that the service server processes the service message; receiving the processing result of the service message sent by the service server; and sending the processing result of the service message to the terminal device.
9. The method of claim 8, wherein, the service server includes multiple proxy servers, which communicate with the terminal device through a gateway, and obtaining the service message from the terminal device includes: receiving the service message sent by the gateway, the service message being sent by the terminal device to the gateway so that the gateway can load balance the multiple service messages it receives across the multiple proxy servers, sending each service message to one proxy server.
10. The method of claim 1, wherein, The step of parsing the service message to obtain the sequence number value and the first watermark value corresponding to the service message includes: Obtain a preset watermark storage offset, the watermark storage offset being used to indicate the storage location of the sequence number value and the first watermark value corresponding to the service message in the service message; Based on the watermark storage offset, the sequence number value and the first watermark value corresponding to the service message are parsed from the service message.
11. A network attack defense method, characterized in that, applied to a terminal device, the method includes: obtaining a first key built into the terminal device and generating the sequence number value corresponding to a service message, wherein different service messages correspond to different sequence number values; performing watermark calculation based on the first key and the sequence number value to obtain a first watermark value; adding the first watermark value and the sequence number value to the service message; and sending the service message to a server so that the server calculates a second watermark value based on a second key and the sequence number value and determines whether to clear the service message based on the first watermark value and the second watermark value, wherein the second key is determined based on the key configuration information stored by the server.
12. The method of claim 11, wherein, Adding the first watermark value and the sequence number value to the service message includes: According to the preset watermark storage offset, the sequence number value and the first watermark value are added to the service message.
13. The method according to claim 11, characterized in that, if the server is a service server, the method further includes: receiving the processing result of the service message sent by the service server, the processing result being the result of the service server processing the service message when the first watermark value and the second watermark value are consistent.
14. The method according to claim 11, characterized in that, If the server is one of a plurality of proxy servers included in a service server, and the plurality of proxy servers are connected to the terminal device through a gateway, sending the service message to the server includes: The service message is sent to the gateway, so that the gateway sends the service message to one of the multiple proxy servers based on load balancing.
15. The method according to claim 14, characterized in that, the method further includes: receiving the processing result of the service message sent by the gateway, wherein the processing result is the result of the service server processing the service message when the first watermark value and the second watermark value are consistent.
16. A network attack defense device, characterized in that, applied to a server, including: a parsing unit, used to obtain a service message from a terminal device and parse the service message to obtain the sequence number value and the first watermark value corresponding to the service message, wherein the first watermark value is calculated by the terminal device based on the sequence number value corresponding to the service message and a first key built into the terminal device, and different service messages have different sequence number values; a key determination unit, used to obtain the key configuration information stored by the server and determine a second key based on the key configuration information; a watermark calculation unit, used to perform watermark calculation based on the second key and the sequence number value to obtain a second watermark value; and a processing unit, configured to clear the service message if the first watermark value is inconsistent with the second watermark value.
17. A network attack defense device, characterized in that, applied to a terminal device, including: an acquisition unit, used to obtain a first key built into the terminal device and generate the sequence number value corresponding to a service message, wherein different service messages correspond to different sequence number values; a watermark calculation unit, used to perform watermark calculation based on the first key and the sequence number value to obtain a first watermark value; an adding unit, used to add the first watermark value and the sequence number value to the service message; and a transceiver unit, used to send the service message to a server so that the server calculates a second watermark value based on a second key and the sequence number value and determines whether to clear the service message based on the first watermark value and the second watermark value, wherein the second key is determined based on the key configuration information stored by the server.
18. An electronic device, characterized in that, Including processor and memory; The memory is used to store computer programs; The processor is configured to execute the computer program to implement the method as described in any one of claims 1 to 10 or 11 to 15.
19. A computer-readable storage medium, characterized in that, Used to store computer programs; The computer program causes the computer to perform the method as described in any one of claims 1 to 10 or 11 to 15.