Waf linkage scheduling deployment method, system, device and medium in cdn

By deploying WAF monitoring and handling functions at CDN edge nodes, combined with dynamic scheduling and joint blocking mechanisms, the problem of static and fixed strategies for WAF deployment in CDN is solved, achieving efficient security protection and resource optimization for CDN.

CN122339722APending Publication Date: 2026-07-03CHINA MOBILE COMM GRP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA MOBILE COMM GRP CO LTD
Filing Date
2026-02-27
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

The existing deployment method of WAF in CDN cannot be dynamically adjusted according to the attack situation and node resource status, resulting in a serious imbalance between investment efficiency and protection effect, making it difficult to cope with low-frequency and scattered attacks and sudden large-scale attacks that are coordinated across nodes.

Method used

WAF monitoring is deployed on all CDN edge nodes, and WAF handling is deployed on some nodes. By collecting attack monitoring data, overloaded nodes are identified, and traffic is dispatched to nodes with handling capabilities. Combined with LVS linkage blocking, domain name attribute classification, collaborative identification and blocking of low-frequency dispersed attacks, honeypot protection and expansion planning, a provincial-level regional dynamic linkage scheduling mechanism is constructed.

Benefits of technology

It enables on-demand deployment and resource coordination of WAF protection capabilities, reduces deployment and maintenance costs, effectively responds to sudden large-volume and low-frequency dispersed attacks, and improves the intelligence and refinement of CDN security protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339722A_ABST
    Figure CN122339722A_ABST
Patent Text Reader

Abstract

This invention discloses a method, system, device, and medium for coordinated deployment and scheduling of Web Application Firewall (WAF) in a CDN, relating to the field of network security technology. The method includes: deploying WAF monitoring functions on all CDN edge nodes and deploying WAF handling functions on some nodes; collecting attack monitoring data reported by the WAF monitoring functions of each node; identifying a first node carrying attack traffic exceeding a preset WAF handling capacity threshold; scheduling at least a portion of the access traffic of the attacked domain name carried by the first node to a second node belonging to the same provincial region as the first node and possessing sufficient WAF handling capacity; and issuing handling rules corresponding to the attack traffic to the WAF handling function of the second node. This invention, through the separate deployment of monitoring and handling functions and dynamic coordinated scheduling within a provincial region, achieves on-demand deployment and resource collaboration of WAF protection capabilities, reduces deployment costs, and improves the overall security protection efficiency and service quality of the CDN.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a method, system, device and medium for WAF linkage scheduling and deployment in CDN. Background Technology

[0002] Content Delivery Networks (CDNs) carry online services such as e-commerce and government services. With their nodes widely distributed and content becoming increasingly dynamic, they face web attack risks such as Structured Query Language (SQL) injection, Cross-Site Scripting (XSS), and Challenge Collapsar (CC). The industry generally adopts integrated Web Application Firewalls (WAFs) for protection.

[0003] Currently, the deployment methods of WAF in CDN are mainly divided into the following three categories: Firstly, deploy WAF devices on all CDN edge nodes. While this approach achieves full coverage of node-level protection, the sheer number of CDN nodes (up to thousands) results in extremely high hardware procurement and maintenance costs. Furthermore, the deep detection and processing of WAF significantly increases distribution latency, impacting the end-user experience.

[0004] Secondly, WAF is deployed only centrally on the CDN origin link. This approach has lower investment and no direct impact on distribution performance, but it only protects the origin server. The CDN edge nodes themselves are exposed to attacks and cannot effectively defend against CC attacks and other application layer threats targeting the nodes.

[0005] Third, WAF is deployed in a mixed manner on a small number of edge nodes and back-to-origin links. This approach attempts to balance cost and coverage, but because attackers dynamically select nodes without WAF deployment for concentrated attacks, and because attack behavior is becoming less frequent and more dispersed, static and fixed deployment strategies are difficult to achieve effective protection and are prone to creating blind spots in protection.

[0006] Therefore, there is an urgent need for a dynamic protection solution that provides full monitoring coverage, on-demand handling, and deep integration with CDN scheduling, in order to improve overall security protection capabilities and reduce deployment costs while ensuring service quality. Summary of the Invention

[0007] This invention provides a method, system, device, and medium for coordinated scheduling and deployment of WAF in CDN, which solves the technical problem that the existing WAF deployment method in CDN adopts a static and fixed strategy, which cannot be dynamically adjusted according to the attack situation, domain name attributes, and node resource status, resulting in a serious imbalance between investment efficiency and protection effect, and is particularly difficult to deal with low-frequency and dispersed attacks and sudden large-volume attacks across nodes.

[0008] This invention provides a method for coordinated scheduling and deployment of Web Application Firewall (WAF) in a CDN. The method includes: deploying Web Application Firewall (WAF) monitoring functions on all content distribution network (CDN) edge nodes and deploying WAF handling functions on some CDN edge nodes; collecting attack monitoring data reported by the WAF monitoring functions of all CDN edge nodes; identifying a first CDN edge node carrying attack traffic exceeding a preset WAF handling capacity threshold based on the attack monitoring data; scheduling at least a portion of the access traffic of the attacked domain name carried by the first CDN edge node to a second CDN edge node belonging to the same provincial region as the first CDN edge node and possessing sufficient WAF handling capacity; and issuing handling rules corresponding to the attack traffic to the WAF handling function of the second CDN edge node.

[0009] According to the WAF linkage scheduling and deployment method in CDN provided by the present invention, the attack monitoring data includes at least the attack source IP information; the method further includes: generating an attack source blocking instruction based on the attack source IP information; sending the attack source blocking instruction to the load balancer Linux Virtual Server (LVS) associated with the first CDN edge node and / or the second CDN edge node, and having the LVS perform a drop operation on the access traffic of the attack source IP.

[0010] According to the present invention, a method for coordinated scheduling and deployment of WAF in CDN is provided, which identifies a first CDN edge node carrying attack traffic and whose attack traffic exceeds a preset WAF handling capacity threshold based on attack monitoring data. The method includes: aggregating the attack target URLs in the attack monitoring data to obtain the attacked domain name; calculating the attack request rate against the attacked domain name as the attack traffic; comparing the attack request rate with the preset WAF handling capacity threshold; and determining the CDN edge node whose attack request rate exceeds the corresponding threshold as the first CDN edge node.

[0011] According to the present invention, a WAF linkage scheduling and deployment method in CDN is provided, which further includes: analyzing the content elements of CDN distributed domain names and classifying the domain names into static domain names or dynamic domain names; wherein, when scheduling access traffic to a second CDN edge node, dynamic domain names are preferentially scheduled to CDN edge nodes with WAF processing functions.

[0012] According to the present invention, a method for coordinated scheduling and deployment of WAF in a CDN is provided, which schedules at least a portion of the access traffic of the attacked domain name carried by the first CDN edge node to a second CDN edge node that belongs to the same provincial region as the first CDN edge node and has WAF handling capacity margin. The method includes: obtaining the WAF handling capacity margin of each CDN edge node in the same provincial region; determining the proportion of traffic to be scheduled and the corresponding second CDN edge node based on the attack traffic and the WAF handling capacity margin of each node; and updating the domain name resolution records to guide user access traffic.

[0013] According to the present invention, a WAF linkage scheduling and deployment method in CDN is provided. The method further includes: when the total WAF handling capacity of all CDN edge nodes in the same provincial region is insufficient to carry the traffic to be scheduled, the access traffic of the attacked domain name is scheduled to a pre-deployed high-defense node cluster, which is equipped with enhanced WAF handling functions.

[0014] According to the present invention, a WAF coordinated scheduling and deployment method in CDN is provided, which further includes: collecting WAF attack monitoring data reported by multiple CDN edge nodes; generating attack source profiles and / or attacked domain profiles based on historical attack monitoring data; identifying low-frequency dispersed attack behaviors originating from the same attack source and whose attack frequency at each CDN edge node is lower than the single-node WAF warning threshold based on the attack source profiles; and issuing coordinated blocking instructions to multiple CDN edge nodes to block low-frequency dispersed attacks from the network-wide level.

[0015] According to the present invention, a WAF linkage scheduling and deployment method in CDN is provided, wherein the collaborative blocking instruction includes at least one of the following: an attack source IP blocking policy issued to the WAF handling function of multiple CDN edge nodes; and an attack source IP packet dropping instruction issued to the load balancer LVS associated with multiple CDN edge nodes.

[0016] According to the present invention, a WAF linkage scheduling and deployment method in CDN is provided. The method further includes: statistically analyzing the WAF attack traffic gap data that the CDN edge nodes of each province cannot bear within a preset period to form a traffic gap array; calculating the average value and the maximum value of the traffic gap array; and generating a recommended value for expanding the WAF handling capacity of the corresponding province based on the weighted calculation result of the average value and the maximum value; wherein the value range of the recommended expansion value is between the average value and the maximum value.

[0017] According to the present invention, a WAF linkage scheduling and deployment method in CDN is provided, which further includes: deploying honeypot nodes at the management entry point for customer content maintenance for customers whose content is distributed to CDN across the entire site; diverting abnormal access traffic to the honeypot nodes; collecting attack behavior data of abnormal access traffic and reporting it to the WAF attack global display center; and generating corresponding protection and handling instructions based on the attack behavior data.

[0018] According to the present invention, a WAF linkage scheduling and deployment method in CDN is provided. The method further includes: displaying attack situation data, handling data and attack source analysis data corresponding to the distributed domain name under the customer's name to the CDN customer based on the principle of hierarchical division and domain division; and providing the CDN customer with an interface for self-blocking configuration of attack source IP to support the customer to manually or automatically configure blocking policies.

[0019] This invention also provides a WAF linkage scheduling and deployment system in a CDN, comprising: a WAF monitoring module deployed on all CDN edge nodes for generating attack monitoring data; a WAF handling module deployed on some CDN edge nodes; a WAF attack global display center for: collecting attack monitoring data reported by the WAF monitoring functions of all CDN edge nodes; identifying a first CDN edge node carrying attack traffic that exceeds a preset WAF handling capacity threshold based on the attack monitoring data; a CDN scheduling center for scheduling at least a portion of the access traffic of the attacked domain name carried by the first CDN edge node to a second CDN edge node belonging to the same provincial region as the first CDN edge node and having sufficient WAF handling capacity; and a WAF handling monitoring center for issuing handling rules corresponding to the attack traffic to the WAF handling function of the second CDN edge node.

[0020] According to the present invention, a WAF linkage scheduling and deployment system in a CDN is provided, which further includes: a load balancer LVS associated with each CDN edge node; a WAF attack global display center, which is also used to extract attack source IP information from attack monitoring data; and a WAF handling and monitoring center, which is also used to: generate an attack source blocking instruction based on the attack source IP information provided by the WAF attack global display center; and send the attack source blocking instruction to the load balancer LVS associated with the first CDN edge node and / or the second CDN edge node, so that the LVS can perform a drop operation on the access traffic of the attack source IP.

[0021] According to the present invention, a WAF linkage scheduling and deployment system in a CDN is provided. The system further includes: a low-frequency attack identification module, used to: obtain WAF attack monitoring data of multiple CDN edge nodes from the WAF attack global display center; generate attack source profiles and / or attacked domain profiles based on historical attack monitoring data; identify low-frequency dispersed attack behaviors originating from the same attack source and whose attack frequency at each CDN edge node is lower than the single-node WAF warning threshold based on the attack source profile; and a collaborative handling module, used to issue collaborative blocking instructions to multiple CDN edge nodes to block low-frequency dispersed attacks from the network-wide level.

[0022] According to the present invention, a WAF linkage scheduling and deployment system in a CDN is provided. The system further includes: a honeypot node, deployed at the content maintenance and management entry point of the site-wide distribution customer; a traffic redirection module, used to redirect abnormal access traffic to the honeypot node; the honeypot node is also used to collect attack behavior data of abnormal access traffic and report it to the WAF attack global display center; the WAF handling and monitoring center is also used to generate corresponding protection and handling instructions based on the attack behavior data.

[0023] The present invention also provides a computing device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement any of the above-described WAF linkage scheduling and deployment methods in a CDN.

[0024] The present invention also provides a computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements any of the above-described CDN WAF linkage scheduling and deployment methods.

[0025] The CDN WAF linkage scheduling deployment method, system, equipment, and media provided by this invention achieve separate deployment of monitoring and handling, and full coverage monitoring of attack behavior by deploying WAF monitoring functions on all CDN edge nodes and WAF handling functions on some edge nodes. By collecting attack monitoring data from the entire network and identifying nodes with excessive handling capacity, the traffic of attacked domain names is scheduled to nodes with sufficient handling capacity in the same province and corresponding handling rules are issued, thus constructing a provincial-level regional dynamic linkage scheduling mechanism based on attack situation and node resource status. Furthermore, through features such as LVS linkage blocking, domain name attribute classification scheduling, high-defense node traffic diversion, low-frequency dispersed attack collaborative identification and blocking, honeypot protection, expansion planning, and customer-defined rights and domain-based security value-added services, a closed-loop system is formed from attack monitoring, situation analysis, resource scheduling, handling execution to capacity planning and commercial monetization. This invention enables on-demand deployment and resource coordination of WAF protection capabilities. While ensuring the quality of CDN distribution services, it reduces the deployment and maintenance costs of WAF, effectively responds to sudden large-scale attacks and low-frequency, dispersed attacks across nodes, improves the intelligence and refinement of the overall security protection of CDN, and expands the space for security value-added services. Attached Figure Description

[0026] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0027] Figure 1 This is a schematic diagram of the architecture of the CDN WAF linkage scheduling and deployment system provided in this embodiment of the invention.

[0028] Figure 2 This is a schematic diagram of a process for determining static elements under a domain name, provided by an embodiment of the present invention.

[0029] Figure 3 This is a schematic diagram of the structure of a statistical analysis model provided in an embodiment of the present invention.

[0030] Figure 4 This is a flowchart illustrating a WAF linkage scheduling and deployment method in a CDN provided by an embodiment of the present invention.

[0031] Figure 5 This is a flowchart illustrating an edge node and a high-defense node provided in an embodiment of the present invention.

[0032] Figure 6 This is a schematic diagram of an edge node analysis process provided in an embodiment of the present invention.

[0033] Figure 7 This is a schematic diagram of an edge node internal adjustment process provided by an embodiment of the present invention.

[0034] Figure 8 This is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. Detailed Implementation

[0035] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0036] Figure 1 This is a schematic diagram of the architecture of the WAF linkage scheduling and deployment system in CDN provided by an embodiment of the present invention. Figure 1 As shown, the system includes a CDN edge node cluster, which contains multiple CDN edge nodes.

[0037] in: CDN edge node 101 is equipped with WAF monitoring function 1011 and LVS 1012; CDN edge node 102 is equipped with WAF processing function 1021, WAF monitoring function 1022 and LVS 1023; CDN edge node 103 is equipped with WAF processing function 1031, WAF monitoring function 1032 and LVS 1033; Domain Name Analysis Center 104; WAF Disposal Monitoring Center 105; CDN scheduling center 106; WAF Attack Global Display Center 107; High-defense node 108 has CDN services deployed internally; Local Domain Name System (LDNS) 109; CDN customer origin server 110; Controlled host cluster 111; Operator 112; CDN customer 113; User 114; Hacker115; Threshold library 116.

[0038] The following is a detailed description of each component of the system: In this embodiment of the invention, the CDN edge node cluster is deployed in various provinces and cities across the country to provide content distribution acceleration services to end users. Each CDN edge node is equipped with an LVS module for performing network layer traffic forwarding and access control.

[0039] CDN edge node 101 is equipped with WAF monitoring functionality 1011, which performs web attack monitoring on all traffic flowing through this node, generates WAF attack monitoring data, and reports it to the WAF attack global display center 107. This node does not have WAF handling functionality deployed and is mainly used for distributing static domain name content.

[0040] CDN edge node 102 is equipped with WAF handling function 1021 and WAF monitoring function 1022. The WAF monitoring function 1022 performs web attack monitoring on all traffic flowing through this node, generates WAF attack monitoring data, and reports it. The WAF handling function 1021 receives handling instructions from the WAF handling monitoring center 105 and performs blocking, cleaning, or restriction processing on the attack traffic according to the instructions. This node, which deploys both WAF monitoring and handling functions, is primarily used for distributing dynamic domain name content.

[0041] CDN edge node 103, as the core content management component on the node side, is used to store and manage the full content resources cached by the node, and maintain content metadata (such as content type, associated domain name attributes, etc.), providing contextual support for WAF monitoring and handling, and assisting in judging the static / dynamic type of the domain name, thereby matching differentiated monitoring rules.

[0042] In some embodiments, the WAF monitoring function deployed on CDN edge nodes has a built-in differentiated monitoring rule base, which is configured differently based on the static / dynamic attributes of the distributed domain name.

[0043] Specifically, for static domains, early warning monitoring rules for SQL injection and XSS attacks, as well as multi-level early warning monitoring rules for CC attacks can be configured; for dynamic domains, interception monitoring rules for SQL injection and XSS attacks, as well as multi-level early warning and interception monitoring rules for CC attacks can be configured.

[0044] For example, the WAF monitoring function performs real-time analysis of HTTP / HTTPS requests according to monitoring rules, identifies at least one web attack behavior among SQL injection, XSS, and CC attacks, and encapsulates the identified web attack behaviors and related information into monitoring data, which is then reported in batches to the WAF Global Attack Display Center 107 according to a preset unified reporting cycle. It should be noted that, to ensure the integrity of the reported data, this reporting cycle is usually set to 1 to 10 minutes, preferably 1 minute.

[0045] LVS1012 and 1023 are deployed on each CDN edge node to perform network layer traffic dropping operations on the specified attack source IP according to the blocking instructions issued by the WAF handling and monitoring center 105, and report the handling results to the WAF attack global display center 107.

[0046] It should be noted that since the WAF handling and monitoring center 105 issues handling instructions to LVS periodically, LVS also adopts an interval reporting mechanism, that is, it reports uniformly when a preset time interval T (which can be uniformly configured by the system administrator) is reached. This time interval is usually set to 1 to 10 minutes, preferably 1 minute. The reporting cycle of LVS is consistent with the reporting cycle of the WAF monitoring function deployed on the CDN edge nodes to facilitate the synchronization of data statistics.

[0047] The data format reported by LVS is shown in Table 1 below. Since the instructions received by LVS are packet drop instructions targeting specific attack source IPs, they do not involve the complex monitoring and handling rules used by CDN edge nodes. Blocking instructions are uniformly issued by the WAF handling and monitoring center 105 based on the analysis results, and their content mainly includes the start time and end time of the blocking action, as well as the information of the blocked requesting IP.

[0048] Table 1 LVS Disposal Instruction Number Command reception time Blocking IPs Start time of treatment End time of disposal Start recording time Time interval (s) The time sequence number of this disposal report Attack Description Description of the handling situation LVS-0001 2025 / 4 / 60:00 1.1.1.1 2025 / 4 / 60:00 2025 / 4 / 70:00 2025 / 4 / 514:23 60 7 XXX XXX LVS-0002 2025 / 4 / 612:00 4.1.1.2 2025 / 4 / 712:00 2025 / 4 / 812:00 2025 / 4 / 514:23 60 7 XXX XXX LVS-0003 2025 / 4 / 615:00 2.2.2.2 2025 / 4 / 815:00 2025 / 4 / 915:00 2025 / 4 / 514:23 60 1 XXX XXX LVS-0004 2025 / 4 / 6 18:00 3.3.3.3 2025 / 4 / 918:00 2025 / 4 / 1018:00 2025 / 4 / 514:23 60 7 XXX XXX Domain name analysis center 104 is used to analyze the content elements of CDN distributed domain names, classify the domain names into static domain names or dynamic domain names, and feed back the analysis results to CDN scheduling center 106.

[0049] In this embodiment of the invention, the domain name analysis center 104 specifically includes: Element traversal submodule: Used to traverse all content elements under the target distribution domain. Based on a preset list of static file suffixes, it performs an initial screening of each content element, marking content elements whose suffixes match the list of static file suffixes as initial screening static elements, and marking the rest as dynamic elements; Download Verification Submodule: Used to perform download verification on all initially screened static elements. If the element is downloaded successfully and the return status code is a preset success status code (e.g., 200), then the element is marked as a final static element; otherwise, it is marked as a dynamic element. The attribute discrimination submodule is used to count the proportion of final static elements under the target distribution domain. If the proportion exceeds a preset threshold (e.g., 90%), the domain is marked as a static domain; otherwise, it is marked as a dynamic domain, and the corresponding domain attribute tags are generated.

[0050] Figure 2 This is a schematic diagram of a process for determining static elements under a domain name, provided by an embodiment of the present invention. The specific execution process will be described below in conjunction with... Figure 2 Detailed description.

[0051] The WAF handling and monitoring center 105 is used to issue handling instructions to the WAF handling function 1021 and LVS 1012 and 1023 of the CDN edge node based on the analysis results of the WAF attack global display center 107.

[0052] In some embodiments, the WAF handling and monitoring center 105 is specifically used to: generate an attack source blocking instruction based on the attack source IP information provided by the WAF attack global display center 107; send the attack source blocking instruction to the LVS associated with the target CDN edge node; and have the LVS perform a network layer drop operation on the access traffic of the attack source IP.

[0053] Specifically, the WAF monitoring and control center 105 includes: The WAF handling instruction generation submodule is used to generate WAF handling rule update instructions, attack source IP blocking instructions, and protection threshold adjustment instructions based on the received analysis results, and send them to the target CDN edge node. LVS command generation submodule: Used to generate attack source IP packet drop commands and blocking duration configuration commands, and send them to the target CDN edge node LVS module; The submodule for monitoring the handling effect is used to monitor the execution of all protection and handling commands and synchronize the handling results to the WAF attack global display center 107.

[0054] CDN scheduling center 106 is used to dynamically adjust domain name scheduling strategy based on the domain name classification results of domain name analysis center 104 and the attack situation analysis results of WAF attack global display center 107.

[0055] In this embodiment of the invention, the CDN scheduling center 106 adds the following functions to the original CDN scheduling functions: Based on the analysis results of Domain Name Analysis Center 104, the scheduling strategy is dynamically adjusted, prioritizing the scheduling of static domain names to CDN edge nodes that have not deployed WAF processing functions (such as CDN edge node 101), and prioritizing the scheduling of dynamic domain names to CDN edge nodes that have deployed WAF processing functions (such as CDN edge node 102).

[0056] Based on the analysis results of the WAF attack global display center 107, the attack traffic detected by the WAF monitoring function and the current processing traffic of each WAF processing function node are analyzed. After comprehensive evaluation, domain name scheduling is performed through LDNS109 to schedule the attack traffic accompanying the domain name to the WAF processing function node with the most suitable resources.

[0057] When a first CDN edge node carrying attack traffic is identified and the attack traffic exceeds the preset WAF handling capacity threshold, at least a portion of the access traffic of the attacked domain name carried by that node is scheduled to a second CDN edge node that belongs to the same provincial region as the first CDN edge node and has WAF handling capacity margin.

[0058] When the total WAF processing capacity of all CDN edge nodes within the same provincial region is insufficient to handle the traffic that needs to be scheduled, the access traffic of the attacked domain name will be scheduled to the high-defense node 108.

[0059] Optionally, the CDN scheduling center 106 also includes a high-defense scheduling submodule, which is used to execute the above-mentioned high-defense node scheduling logic.

[0060] The WAF Global Attack Display Center 107 collects attack monitoring data reported by the WAF monitoring functions of all CDN edge nodes, as well as handling execution data reported by the LVS of each CDN edge node. Furthermore, the WAF Global Attack Display Center 107 performs global statistical analysis based on the attack monitoring data, generating network-wide security posture data, CDN edge node security status data, attack source profile data, and attacked source site profile data. The analysis results are then output to the WAF Handling and Monitoring Center 105 and the CDN Scheduling Center 106, respectively.

[0061] In this embodiment of the invention, the WAF attack global display center 107 specifically includes the following sub-modules: Data aggregation submodule: Used to receive and store all WAF attack monitoring data and LVS handling execution data reported by CDN edge nodes, and aggregate the data by node, domain name, attack source and time.

[0062] The node security analysis submodule is used to generate security status data for a single CDN edge node based on attack and operational data. The security status data includes the node's attack pressure level, WAF handling capacity margin, and node operational risk level.

[0063] The network-wide situational analysis submodule is used to perform cross-node correlation analysis on all attack data to generate network-wide security situational data, network-wide attack trend data, and network-wide WAF handling capacity reserve data.

[0064] Attack profiling submodule: Used to generate attack source profile data by attack source IP dimension, generate attacked source site profile data by domain name / origin site dimension, and identify low-frequency scattered attack behavior across nodes to generate a list of low-frequency attack sources.

[0065] Source tracing and analysis submodule: Used to perform attack source tracing, attack path reconstruction, and attack protection effectiveness evaluation and analysis based on full attack data.

[0066] Figure 3 This is a schematic diagram of the structure of a statistical analysis model provided in an embodiment of the present invention. Its specific workflow will be described below. Figure 3 Detailed description.

[0067] For example, the high-defense node 108 is equipped with CDN services to handle large-scale attack traffic that exceeds the processing capacity of ordinary CDN edge nodes.

[0068] For example, the high-defense node 108 is also equipped with enhanced WAF handling capabilities, supporting Tbps-level Distributed Denial of Service (DDoS) attack cleanup and million-level QPS web attack detection capabilities.

[0069] Specifically, the high-defense node 108 can be uniformly scheduled by the CDN scheduling center 106. When the access traffic of the attacked domain name is scheduled to the high-defense node 108, the cleaned normal business traffic is directed to the CDN customer origin server 110 through the high-speed back-to-origin link.

[0070] LDNS109 is a local domain name system server used to receive domain name resolution requests from end users and return the corresponding CDN edge node IP address or CNAME record according to the scheduling policy issued by CDN scheduling center 106.

[0071] CDN customer origin server 110 is the original business server for CDN distribution customers, storing all origin server content of the customer's website. In a CDN full-site distribution scenario, the customer's origin server content has been fully deployed to CDN edge nodes, and the customer performs data maintenance and update operations through the CDN system.

[0072] Controlled host cluster 111 is a dummy host cluster controlled by the attacker and used to launch attacks. Hacker 115 launches a distributed web attack on CDN edge nodes through controlled host cluster 111.

[0073] Operator 112 is a telecommunications operator that provides network infrastructure for CDN services. In this embodiment of the invention, CDN edge nodes achieve multi-operator network coverage to ensure the service quality of end users accessing services across networks.

[0074] CDN Customer 113 is for enterprise or individual users who use CDN services. By interacting with the WAF Global Attack Display Center, they can view the attack situation data, handling data, and attack source analysis data corresponding to the domains they distribute, based on the principle of hierarchical and domain-based access control. They can also independently configure attack source IP blocking policies through the policy configuration interface to improve their autonomy in security protection.

[0075] User 114 is an end user who initiated a normal business access request. After being resolved by LDNS109, the access request is directed to the optimal CDN edge node to obtain accelerated content.

[0076] Hacker 115 was the initiator of the attack, and used the controlled host group 111 to carry out web attacks such as SQL injection, XSS, and CC against CDN edge nodes.

[0077] Threshold library 116: Used to store CDN distribution capability thresholds, WAF handling capability thresholds, and node operation security thresholds for each CDN edge node and high-defense node. This threshold library 115 supports differentiated configuration by node, region, and customer level, and supports dynamic updates and adjustments.

[0078] Optionally, the system also includes the following modules not shown in the figures, as other embodiments of the present invention: Low-frequency attack identification module: Used to obtain WAF attack monitoring data from multiple CDN edge nodes from the WAF attack global display center 107, generate attack source profiles and / or attacked domain profiles based on historical attack monitoring data, and identify low-frequency scattered attack behaviors originating from the same attack source and whose attack frequency on each CDN edge node is lower than the single-node WAF warning threshold based on the attack source profile.

[0079] Collaborative handling module: Used to issue collaborative blocking commands to multiple CDN edge nodes to block low-frequency, dispersed attacks from the network-wide perspective.

[0080] The capacity expansion planning module is used to collect data on the WAF attack traffic gaps that CDN edge nodes in each province cannot handle within a preset period, form a traffic gap array, calculate the average and maximum values ​​of the traffic gap array, and generate a recommended value for WAF handling capacity expansion for the corresponding province based on the weighted calculation result of the average and maximum values.

[0081] The recommended value for expansion ranges between the average and the maximum value.

[0082] Honeypot Nodes and Traffic Redirection Module: Honeypot nodes are deployed at the content maintenance and management entry point of the site-wide distribution customers to collect attack behavior data of abnormal access traffic targeting the management entry point and report it to the WAF Global Attack Display Center 107; the traffic redirection module is used to redirect abnormal access traffic targeting the management entry point to the honeypot nodes.

[0083] Tiered display module and policy configuration interface: The tiered display module is used to display attack status data, handling data and attack source analysis data corresponding to the distributed domains under the customer's name to CDN customers based on the principle of hierarchical and domain-based management; The policy configuration interface is used to provide CDN customers with the function of self-blocking attack source IPs, supporting customers to manually or automatically configure blocking policies.

[0084] It should be noted that the above optional modules can be deployed independently or integrated into existing components of this system.

[0085] For example, the low-frequency attack identification module and the collaborative handling module can be integrated into the WAF attack global display center 107 or the WAF handling monitoring center 105; the expansion planning module can be integrated into the CDN scheduling center 106; the honeypot node and traffic redirection module can be used as an extension function of the high-defense node 108; the hierarchical display module and policy configuration interface can be integrated into the CDN scheduling center 106 or deployed independently. Those skilled in the art can flexibly choose according to actual deployment needs, and all of these fall within the protection scope of this invention.

[0086] The following is combined Figure 4 This invention describes the WAF (Web Application Firewall) coordinated scheduling and deployment method in a CDN. For consistency, the entity executing this method will be uniformly named "System," and will not be described further thereafter.

[0087] Figure 4 This is a flowchart illustrating the WAF-linked scheduling and deployment method in a CDN provided in this embodiment of the invention. Figure 4 As shown, the method includes the following steps: S401. Deploy Web Application Firewall (WAF) monitoring functionality on all CDN edge nodes, and deploy WAF handling functionality on some CDN edge nodes.

[0088] In some embodiments, the WAF monitoring function performs real-time analysis of HTTP / HTTPS requests according to predefined monitoring rules, identifies at least one web attack behavior among SQL injection, cross-site scripting (XSS) or CC attacks, and encapsulates the identified web attack behavior and related information into monitoring data, which is then reported to the WAF attack global display center according to a preset cycle.

[0089] For example, the monitoring rules used by the WAF monitoring function are shown in Table 2 below: Table 2 WAF attack monitoring rule ID Applicable domain name Attack type Matching mode Keyword list Matching rules Disposal rules 941100 static SQLInjection Perform regular expression matching on the GET and POST parameter values ​​in the request. ('union', 'select', 'insert', 'update', 'delete', 'drop', 'truncate', 'create', 'alter') Matches strings containing any of the keywords mentioned above, case-insensitive. Warning 941101 dynamic SQLInjection Perform regular expression matching on the GET and POST parameter values ​​in the request. ('union', 'select', 'insert', 'update', 'delete', 'drop', 'truncate', 'create', 'alter') Matches strings containing any of the keywords mentioned above, case-insensitive. Intercept Request 941110 dynamic XSS Perform regular expression matching on the GET and POST parameter values ​​in the request. ( '<img src="javascript:', '<a href="javascript:', '<svgonload=') Matches strings containing any of the above tags, case-insensitive. Intercept Request 941111 static XSS Perform regular expression matching on the GET and POST parameter values ​​in the request. (' <script>', '< / script> ') Matches strings containing any of the above tags, case-insensitive. Warning 941210 static CC Analyze based on the requested URL and time. The maximum number of requests to the same URL within a 60-second time window is 50. Advanced warning 941211 static CC Analyze based on the requested URL and time. The maximum number of requests to the same URL within a 60-second time window is 10. Warning 941310 dynamic CC Analyze based on the requested URL and time. The maximum number of requests to the same URL within a 60-second time window is 50. Intercept relevant requests or restrict the IP address that initiates the request. 941311 dynamic CC Analyze based on the requested URL and time. The maximum number of requests to the same URL within a 60-second time window is 10. Warning Specifically, if a CDN edge node only distributes static domain names, when a security attack is detected, although it cannot be intercepted in real time due to the lack of WAF (Web Application Firewall) handling functionality, it should still immediately generate an alert and report it to the WAF global attack display center. The center will then mark the domain name and issue a notification to the CDN system administrator for analysis and handling. If a CDN edge node distributes dynamic domain names, when a security attack is detected, it should implement interception according to the configured handling rules and report the handling results to the WAF global attack display center.

[0090] S402. Collect attack monitoring data reported by the WAF monitoring function of all CDN edge nodes.

[0091] In this embodiment of the invention, the attack monitoring data includes at least the attack source IP information.

[0092] In some embodiments, the full data of WAF attack behavior reported by the WAF monitoring function includes the following fields: local node event number, start recording time, time interval, attack source IP, attack type, attacked CDN IP address, attack target URL, WAF attack monitoring rule ID, configured and effective handling method, number of attacks, number of handling actions, etc.

[0093] For example, the data format reported by the WAF monitoring function is shown in Table 3 below: Table 3 Event number for this node Start recording time Time interval (s) Attack source IP Attack type Attacked CDN IP address Attack target URL WAF attack monitoring rule ID The configured and effective handling method Number of attacks Number of times 10000102 2025 / 4 / 514:23 60 1.1.1.1 SQLInjection 32.2.1.2 / search.php?id=1' OR 1=1-- 941100 Source address blocking 2 2 10000103 2025 / 4 / 514:23 60 4.1.1.2 XSS 32.2.1.3 / comment.php?text= <script>941110无2无100001042025 / 4 / 514:23602.2.2.2CC32.2.1.2http: / / example.com / index.php941210返回403,拒绝3030100001052025 / 4 / 514:23603.3.3.3CC32.2.1.3http: / / example.com / index.php941210返回403,拒绝70需要说明的是,CDN边缘节点部署的WAF监测功能采用周期性上报机制,即每间隔时间T(T可由系统管理员统一配置)进行一次批量数据上报。为确保监测数据的完整性,时间间隔T通常设定为1至10分钟,优选为1分钟。无论是否发生处置行为,均需将相关监测结果上报。

[0094] 为便于全网数据统一处理,所有CDN边缘节点应采用相同的统计周期。该周期参数可由系统管理员在CDN全网参数中统一设定,亦可根据业务负载、攻击态势及统计资源状况进行动态调整。

[0095] 可选地,在收集到攻击源IP信息之后,还可以根据攻击源IP信息生成攻击源封堵指令。

[0096] 示例性地,WAF攻击全局展示中心对采集到的攻击源IP进行聚合分析,当某攻击源IP的累计攻击次数或攻击频率超过预设阈值时,触发攻击源封堵指令的生成。

[0097] 具体地,攻击源封堵指令包括封堵目标IP地址、封堵开始时间、封堵结束时间、封堵策略类型等信息。

[0098] 进一步地,将攻击源封堵指令下发至第一CDN边缘节点和 / 或第二CDN边缘节点关联的LVS,由LVS对攻击源IP的访问流量执行丢弃操作。

[0099] 示例性地,LVS接收到封堵指令后,在本地维护一个封堵IP黑名单表项,对匹配该表项源IP的入向数据包进行即时丢弃处理。

[0100] 具体地,该丢弃操作在网络层执行,不经过上层协议栈处理,因此资源消耗极小,可有效应对大规模、高强度的攻击源IP封堵需求。

[0101] 如此,本发明通过WAF监测功能与LVS联动封堵机制,实现了应用层深度检测与网络层高速封堵的优势互补,既保证了攻击识别的准确性,又提升了大规模封堵的执行效率。

[0102] S403、根据攻击监测数据,识别出承载攻击流量且攻击流量超过预设的WAF处置能力阈值的第一CDN边缘节点。

[0103] 在一些实施例中,根据攻击监测数据中的攻击目标URL聚合得到受攻击域名。

[0104] 示例性地,系统对攻击监测数据中的"攻击目标url”字段进行正则提取,获取其中的域名部分(例如从"http: / / example.com / XXX.php”中提取"example.com”),作为受攻击域名的候选。

[0105] 具体地,对于不包含域名(如仅包含IP地址)或URL格式异常的记录,予以剔除,从而形成域名集合T={t1,t2,t3,...,ti},其中T的记录数量通常小于原始监测数据总量。随后,系统对全网CDN数据进行按域名维度的攻击流量汇总,形成T序列的攻击量分析数据,记为T1、T2、Tj。对于归属同一源站的多个域名,可进一步合并处理。

[0106] 进一步地,计算针对受攻击域名的攻击请求速率作为攻击流量。

[0107] 示例性地,系统以60秒为统计窗口,统计针对同一受攻击域名在窗口内的总请求次数,将该次数除以60得到每秒查询率(Queries Per Second,QPS),作为攻击流量的量化指标。

[0108] 具体地,攻击请求速率的计算支持多种时间窗口配置,系统管理员可根据业务特点和攻击态势动态调整窗口大小(例如30秒、120秒、300秒等)。

[0109] 再进一步地,将攻击请求速率与预设的WAF处置能力阈值进行比较。

[0110] 示例性地,对于某CDN边缘节点,其预设的WAF处置能力阈值为18,000QPS。当系统监测到针对某受攻击域名的攻击请求速率达到或超过18,000QPS时,判定该节点承载的攻击流量超出其处置能力阈值。

[0111] 更进一步地,将攻击请求速率超过对应阈值的CDN边缘节点确定为第一CDN边缘节点。

[0112] 如此,本发明通过攻击目标URL聚合、攻击请求速率计算、阈值比较等一系列操作,实现了对处置能力超限节点的精准识别,为后续的动态调度提供了明确的触发条件和决策依据。

[0113] S404、将第一CDN边缘节点所承载的受攻击域名的至少部分访问流量,调度至与第一CDN边缘节点属于同一省级区域且具备WAF处置能力余量的第二CDN边缘节点。

[0114] 可选地,可以先分析CDN分发域名的内容元素,将域名分类为静态域名或动态域名。

[0115] 示例性地,域名分析中心遍历目标分发域名下的所有内容元素,基于jpg、mp3、mp4、png、css、js等静态文件后缀列表进行初筛。

[0116] 具体地,对初步标记为静态的元素,使用curl命令从CDN内容中心执行下载操作。若下载成功且返回第一状态码(如200),则将该元素标记为最终静态元素;若下载失败、返回第二状态码(如302)或返回其他非预期文件,则将该元素标记为动态元素。

[0117] 进一步地,在将访问流量调度至第二CDN边缘节点时,优先将动态域名调度至部署有WAF处置功能的CDN边缘节点。

[0118] 如此,本发明通过域名内容性质分析,实现了对不同安全需求的域名进行差异化调度,避免了为全量域名部署WAF处置功能造成的资源浪费,同时确保了动态域名获得充分的Web全类攻击防护。

[0119] 在一些实施例中,可以获取同一省级区域内各CDN边缘节点的WAF处置能力余量。

[0120] 示例性地,系统从阈值库中读取各CDN边缘节点的CDN分发阈值、WAF处置阈值,并结合当前实时的攻击处置流量数据,计算各节点的WAF处置能力余量。

[0121] 具体地,本省各CDN边缘节点CDN分发阈值、WAF处置阈值表如下表4所示:表4CDN边缘节点编号CDN分发阈值(Mbps)waf处置阈值(QPS)<![CDATA[ah001]]>30018000<![CDATA[ah002]]>40020000进一步地,根据攻击流量与各节点的WAF处置能力余量确定需调度的流量比例及对应的第二CDN边缘节点。

[0122] 图5是本发明实施例提供的一种边缘节点及高防节点的流程示意图。如图5所示,以单个CDN边缘节点为例,其具体分析流程如下:WAF攻击全局展示中心首先对该边缘节点的WAF攻击流量进行分析,将流量按攻击节点IP和攻击域名两个维度进行分类;判断针对节点IP的攻击流量是否超过该节点预设的处置能力阈值。若超过,则计算该节点所需的扩容容量;若未超过,则说明该节点针对节点IP攻击的处置能力无需扩容;针对域名维度的攻击流量进行分析,在满足节点IP攻击处置需求的前提下,判断该部分攻击流量是否超过本节点阈值。若未超过,则说明该节点针对域名攻击的处置能力无需扩容;若域名攻击处置能力需扩容,则优先基于CDN调度机制,计算本省其他CDN边缘节点当前的剩余可调动处置能力;结合调度中心的调度策略,评估可调度的WAF处置能力是否能够伴随CDN域名调度进行动态迁移;若通过本省CDN节点内部调整可满足WAF处置能力需求,则判定无需对域名攻击处置能力进行扩容;综合上述分析,汇总该CDN边缘节点需要扩容的WAF处置能力总量,以及该节点所承接CDN业务需要扩容的WAF处置能力分量;针对域名处置扩容需求,进一步判断是否需要将相关域名调整至高防节点。该决策需综合考虑CDN分发客户的业务安全等级、投入产出比、收入贡献及品牌重要性等多维因素;若需将域名调整至高防节点,则评估目标高防节点是否能够承载域名迁移带来的CDN分发增量及攻击流量处置增量;若现有高防节点无法满足上述增量需求,则启动高防节点扩容操作。扩容完成后,将相应CDN域名调度至高防节点;在扩容完成前,仍按原有方式继续处置。

[0123] 图6是本发明实施例提供的一种边缘节点的分析流程示意图。图7是本发明实施例提供的一种边缘节点内部调整的流程示意图。

[0124] 结合图6、图7所示,本省内部调整流程包括:WAF攻击全局展示中心基于攻击数据提取域名,并以此维度整理本省内各CDN边缘节点的攻击量;同时,由CDN调度中心获取各节点的域名分发流量表,阈值库提供各CDN边缘节点的分发阈值及WAF处置阈值等信息;记录受攻击域名A的原有WAF攻击流量x,以及新增攻击流量a;分别计算本省各边缘节点的WAF处置能力余量;汇总本省所有边缘节点WAF处置能力余量之和,记为b,判断当前省内总余量是否足以承载新增攻击流量a;若a>b,则判定本省已无法承接新增WAF攻击量,立即向系统管理员发出告警,并启动后续应急措施(如LVS封堵、跨省调度等);若a<b,则判定省内总余量可满足新增攻击流量需求;计算c=(a-b) / 2。由于CDN流量波动剧烈且WAF攻击增量变化迅速,为减少调度生效延迟对业务的影响,采用快速判定算法:评估是否至少有2个节点能够分别承担新增攻击压力的一半;若存在至少2个满足承接条件的边缘节点,则按节点WAF处置能力余量从高到低顺序选择对应数量的节点,WAF攻击全局展示中心与调度中心协同,由调度中心将受攻击域名对应的服务调度至所选节点,同时WAF攻击全局展示中心与WAF处置监控中心协同,由处置监控中心向目标节点的WAF处置能力下发相应的处置策略;若不足2个节点满足承接条件,则判定本省资源不足,向系统管理员发出告警;若本省边缘节点无法满足处置需求,系统管理员可手工执行调度干预,例如启用跨省资源覆盖、将域名调度至高防节点、或向对应边缘节点下发LVS封堵指令等。

[0125] 需要说明的是,上述调度策略旨在实现CDN调度效率、服务质量与WAF处置效果三者之间的平衡。由于CDN分发业务对服务质量要求较高,新增承接节点数量不宜过多,以避免调度策略频繁变更对分发效果产生负面影响。

[0126] 再进一步地,更新域名解析记录以引导用户访问流量。

[0127] 示例性地,CDN调度中心通过修改权威DNS服务器的域名解析记录,将受攻击域名的CNAME记录指向第二CDN边缘节点的加速域名,从而实现用户访问流量的平滑迁移。

[0128] 具体地,该域名解析记录的更新时间受DNS解析记录的生存时间(Time To Live,TTL)值影响。为加快调度生效速度,系统可针对受攻击域名临时下调TTL值(例如从600秒下调至60秒),待攻击缓解后再恢复至正常水平。

[0129] 如此,本发明通过省内各节点WAF处置能力余量的动态感知与智能计算,实现了攻击流量的精准拆分与按需投放,在不增加硬件投资的前提下,最大化利用了现网WAF处置资源。

[0130] 可选地,当同一省级区域内所有CDN边缘节点的总WAF处置能力余量不足以承载需调度的流量时,将受攻击域名的访问流量调度至预先部署的高防节点集群。

[0131] 其中,高防节点集群部署有增强的WAF处置功能。

[0132] 示例性地,当某省遭受大规模CC攻击,省内全部边缘节点的总WAF处置能力余量为50000QPS,而实际攻击流量已达80000QPS时,CDN调度中心将超额的30000QPS攻击流量调度至高防节点集群进行清洗。

[0133] 具体地,高防节点集群内部署有高性能WAF设备集群,支持Tbps级DDoS攻击清洗和百万级QPS的Web攻击检测能力。流量调度至高防节点后,经过清洗的正常业务流量会通过高速回源链路重新指向源站,确保业务持续可用。

[0134] 如此,本发明通过构建"CDN边缘节点-高防节点集群”两级防护体系,实现了攻击流量的分级分层处置:普通攻击由省内边缘节点协同应对,超大规模攻击由高防节点集群集中清洗,在保障服务质量的同时实现了防护成本与防护能力的平衡。

[0135] S405、向第二CDN边缘节点的WAF处置功能下发与攻击流量对应的处置规则。

[0136] 在一些实施例中,WAF处置监控中心根据WAF攻击全局展示中心的分析结果,生成与攻击流量特征相匹配的处置规则,并通过控制通道下发至目标边缘节点的WAF处置功能模块。

[0137] 示例性地,当攻击类型为SQL注入时,下发的处置规则为"对匹配SQL注入特征库的请求执行拦截并记录日志”;当攻击类型为CC攻击时,下发的处置规则为"对特定URI的访问频率限制为单IP10次 / 分钟,超限请求返回第三状态码(如403)”。

[0138] 具体地,处置规则的下发支持两种模式:静态预置模式,即在系统初始化时批量下发全量规则库,WAF处置功能模块本地加载;动态实时模式,即在攻击发生时由WAF处置监控中心按需下发针对特定攻击事件的精细化处置策略。

[0139] 如此,本发明实现了防护能力的按需投放:对于无攻击流量的边缘节点,仅需承载轻量级的监测功能;对于确需防御攻击的节点,由中央控制平面动态下发处置能力,从而在全局尺度上实现了WAF处置资源的池化与复用。

[0140] 在本发明提供的CDN中WAF联动调度部署方法中,通过在所有CDN边缘节点部署WAF监测功能、在部分边缘节点部署WAF处置功能,实现了监测与处置的分离部署与攻击行为全覆盖监测;通过收集全网攻击监测数据并识别处置能力超限节点,将受攻击域名的流量调度至同省具备处置能力余量的节点并下发对应处置规则,构建了基于攻击态势与节点资源状态的省级区域动态联动调度机制;进一步,通过LVS联动封堵、域名属性分类调度、高防节点引流、低频分散攻击协同识别与封堵、蜜罐防护、扩容规划及客户分权分域安全增值服务等特征,形成了从攻击监测、态势分析、资源调度、处置执行到能力规划与商业变现的全链路闭环。本发明实现了WAF防护能力的按需投放与资源协同,在保障CDN分发服务质量的前提下,降低了WAF部署与运维成本,有效应对突发大流量攻击及跨节点低频分散攻击,提升了CDN整体安全防护的智能化、精细化水平,并拓展了安全增值业务空间。

[0141] 可选地,还可以收集多个CDN边缘节点上报的WAF攻击监测数据。

[0142] 示例性地,低频攻击识别模块从WAF攻击全局展示中心获取近7天内全省所有CDN边缘节点的WAF攻击监测数据,形成跨节点、跨时间维度的攻击事件数据集。

[0143] 具体地,该数据集包含攻击源IP、攻击时间、攻击目标URL、攻击类型、被攻击节点ID等字段,用于后续的攻击源画像构建与低频攻击行为识别。

[0144] 进一步地,基于历史攻击监测数据生成攻击源画像和 / 或被攻击域名画像。

[0145] 示例性地,攻击源画像包括攻击源IP的地理位置、活跃时间段、偏好的攻击类型、常攻击的域名列表、攻击频率分布等信息;被攻击域名画像包括域名的攻击总量、主要攻击类型、攻击源分布、攻击时间规律等信息。

[0146] 具体地,攻击源画像的构建采用多维聚合分析技术:系统按攻击源IP维度汇总攻击次数、攻击类型、攻击目标、攻击时间分布,生成单攻击源的攻击行为画像;按IP地址段、物理地域、所属运营商维度对攻击源进行聚类分析,生成攻击主体群画像。

[0147] 再进一步地,根据攻击源画像识别出源自同一攻击源、且在各CDN边缘节点的攻击频次均低于单节点WAF预警阈值的低频分散攻击行为。

[0148] 需要说明的是,攻击者常利用CDN防护策略中预设的阈值盲区实施攻击。

[0149] 例如,若某CDN边缘节点设定单节点1分钟内针对特定攻击类型超过5次即触发处置,攻击者可对各边缘节点分别发起每分钟4次的攻击,使任一节点均不触发告警,但全网总攻击量仍居高不下。

[0150] 此外,攻击者还可组织多个攻击主体(即攻击主体群)协同攻击,进一步放大攻击规模。低频攻击识别模块正是通过跨节点关联分析,识别此类在单节点视角下难以察觉的低频分散攻击。

[0151] 更进一步地,向多个CDN边缘节点下发协同封堵指令,以从全网层面阻断低频分散攻击。

[0152] 一种可选地实现方式中,协同封堵指令为向多个CDN边缘节点的WAF处置功能下发的攻击源IP封堵策略。

[0153] 示例性地,当识别出攻击源IP5.5.5.5在过去1小时内对全国12个省的CDN边缘节点发起攻击,且在各节点的攻击频次均未超过单节点预警阈值(例如10次 / 分钟)时,系统判定该IP为低频分散攻击源,并向这12个省的所有边缘节点下发针对IP5.5.5.5的全局封堵策略。

[0154] 另一种可选地实现方式中,协同封堵指令为向多个CDN边缘节点关联的LVS下发的攻击源IP数据包丢弃指令。

[0155] 如此,本发明通过攻击源画像构建与跨节点低频攻击行为识别,实现了从"单节点被动防御”到"全网主动协同封堵”的能力跃迁,有效破解了攻击者利用阈值盲区进行分散式渗透的难题。

[0156] 可选地,还可以统计预设周期内各省份CDN边缘节点无法承载的WAF攻击流量缺口数据,形成流量缺口数组。

[0157] 示例性地,扩容规划模块以周为统计周期,记录各省份CDN边缘节点因WAF处置能力不足而触发告警的事件,并记录每次告警对应的攻击流量超出阈值部分的具体数值。

[0158] 具体地,对于A省,其一周内的流量缺口数组RA={1200,3500,800,2100,0,4500,1800},单位QPS。

[0159] 进一步地,计算流量缺口数组的平均值与最大值。

[0160] 示例性地,对于RA数组,计算得到最大值a=4500QPS,平均值b=(1200+3500+800+2100+0+4500+1800) / 7=1985.7QPS。

[0161] 再进一步地,基于平均值与最大值的加权计算结果,生成对应省份的WAF处置能力扩容推荐值。

[0162] 其中,扩容推荐值的取值范围在平均值与最大值之间。

[0163] 示例性地,扩容规划模块采用公式c=(a+b) / 2计算扩容推荐值,即c=(4500+1985.7) / 2=3242.85QPS,向上取整为3300QPS。系统管理员可根据该推荐值,在A省省会节点优先增加约3300QPS的WAF处置能力。

[0164] 如此,本发明通过历史流量缺口数据的统计分析,提出了一种介于峰值与平均值之间的扩容推荐算法,既避免了按峰值扩容造成的资源闲置,又防止了按平均值扩容导致的能力不足,实现了WAF处置能力的科学规划与精准投资。

[0165] 可选地,还可以针对全站分发至CDN的客户,在客户内容维护的管理入口部署蜜罐节点。

[0166] 示例性地,对于某大型电商客户,其将全部源站内容部署至CDN,并通过CDN控制台进行商品上下架、价格调整、库存维护等操作。系统在该客户CDN控制台的登录入口和管理操作入口旁路部署一套与真实界面高度仿真的蜜罐节点。

[0167] 进一步地,将针对管理入口的异常访问流量引流至蜜罐节点。

[0168] 示例性地,引流模块通过策略路由或代理重定向技术,将源IP不在白名单列表中的、或访问行为存在异常特征(如高频登录尝试、非常规操作时间等)的管理请求,引流至蜜罐节点进行处理,而正常的运维人员请求仍被转发至真实管理入口。

[0169] 再进一步地,采集异常访问流量的攻击行为数据并上报至WAF攻击全局展示中心。

[0170] 示例性地,蜜罐节点详细记录攻击者的操作全流程,包括但不限于:攻击源IP、攻击时间、尝试登录的账号、输入的SQL语句、上传的文件样本、点击的页面元素等。

[0171] 更进一步地,根据攻击行为数据生成对应的防护处置指令。

[0172] 如此,本发明通过在CDN全站分发场景下部署蜜罐节点,将被动防御升级为主动诱捕,不仅保护了真实的管理入口免受攻击,更通过对攻击者行为的深度捕获与分析,生成了高价值的威胁情报,为CDN整体安全防护能力的持续进化提供了数据支撑。

[0173] 可选地,还可以基于分权分域原则,向CDN客户展示该客户名下分发域名对应的攻击态势数据、处置数据及攻击源分析数据。

[0174] 示例性地,某电商客户登录CDN安全增值服务控制台后,只能看到自己名下域名(如"shop.example.com”、"payment.example.com”)的攻击态势面板,无法查看其他客户的数据;CDN运营商的管理员则可查看全网所有域名的安全态势。

[0175] 进一步地,向CDN客户提供攻击源IP自主封堵配置接口,以支持客户手动或自动配置封堵策略。

[0176] 示例性地,该配置接口提供以下功能:1)攻击源IP查询:客户可输入可疑IP,查询该IP近期对其名下域名的攻击记录;2)临时封堵:客户可对确认的攻击源IP发起5分钟、30分钟、1小时或24小时的临时封堵;3)永久黑名单:客户可将特定IP加入个人黑名单,系统将持续拦截该IP对所有客户域名的访问;4)策略自动化:客户可设置自动封堵规则,例如"当单IP攻击频率超过100次 / 分钟时,自动封堵30分钟”。

[0177] 如此,本发明通过分权分域的安全态势展示与客户自主封堵配置,将CDN的安全防护能力从"运营商集中运维”延伸至"客户自助服务”,既减轻了运营商的运维压力,又满足了客户对自身资产安全状况的知情权与控制权,为CDN安全能力的商业化增值变现打开了通路。

[0178] 图8示例了一种电子设备的实体结构示意图,如图8所示,该电子设备可以包括:处理器(processor)810、通信接口(Communications Interface)820、存储器(memory)830和通信总线840,其中,处理器810,通信接口820,存储器830通过通信总线840完成相互间的通信。

[0179] 处理器810可以调用存储器830中的逻辑指令,以执行CDN中WAF联动调度部署方法,该方法包括:在所有内容分发网络CDN边缘节点部署Web应用防火墙WAF监测功能,并在部分CDN边缘节点部署WAF处置功能;收集所有CDN边缘节点的WAF监测功能所上报的攻击监测数据;根据攻击监测数据,识别出承载攻击流量且攻击流量超过预设的WAF处置能力阈值的第一CDN边缘节点;将第一CDN边缘节点所承载的受攻击域名的至少部分访问流量,调度至与第一CDN边缘节点属于同一省级区域且具备WAF处置能力余量的第二CDN边缘节点;向第二CDN边缘节点的WAF处置功能下发与攻击流量对应的处置规则。

[0180] 此外,上述的存储器830中的逻辑指令可以通过软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-OnlyMemory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。

[0181] 另一方面,本发明还提供一种计算机程序产品,计算机程序产品包括计算机程序,计算机程序可存储在非暂态计算机可读存储介质上,计算机程序被处理器执行时,计算机能够执行上述各方法所提供的CDN中WAF联动调度部署方法,该方法包括:在所有内容分发网络CDN边缘节点部署Web应用防火墙WAF监测功能,并在部分CDN边缘节点部署WAF处置功能;收集所有CDN边缘节点的WAF监测功能所上报的攻击监测数据;根据攻击监测数据,识别出承载攻击流量且攻击流量超过预设的WAF处置能力阈值的第一CDN边缘节点;将第一CDN边缘节点所承载的受攻击域名的至少部分访问流量,调度至与第一CDN边缘节点属于同一省级区域且具备WAF处置能力余量的第二CDN边缘节点;向第二CDN边缘节点的WAF处置功能下发与攻击流量对应的处置规则。

[0182] 又一方面,本发明还提供一种非暂态计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现以执行上述各方法提供的CDN中WAF联动调度部署方法,该方法包括:在所有内容分发网络CDN边缘节点部署Web应用防火墙WAF监测功能,并在部分CDN边缘节点部署WAF处置功能;收集所有CDN边缘节点的WAF监测功能所上报的攻击监测数据;根据攻击监测数据,识别出承载攻击流量且攻击流量超过预设的WAF处置能力阈值的第一CDN边缘节点;将第一CDN边缘节点所承载的受攻击域名的至少部分访问流量,调度至与第一CDN边缘节点属于同一省级区域且具备WAF处置能力余量的第二CDN边缘节点;向第二CDN边缘节点的WAF处置功能下发与攻击流量对应的处置规则。

[0183] 以上所描述的装置实施例仅仅是示意性的,其中作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性的劳动的情况下,即可以理解并实施。

[0184] 通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到各实施方式可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件。基于这样的理解,上述技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在计算机可读存储介质中,如ROM / RAM、磁碟、光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行各个实施例或者实施例的某些部分的方法。

[0185] 最后应说明的是:以上实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的精神和范围。< / script>

Claims

1. A CDN WAF linkage scheduling deployment method, characterized in that, The method includes: Deploy Web Application Firewall (WAF) monitoring functionality on all content distribution network (CDN) edge nodes, and deploy WAF handling functionality on some CDN edge nodes; Collect attack monitoring data reported by the WAF monitoring function of all CDN edge nodes; Based on the attack monitoring data, the first CDN edge node that carries attack traffic and whose attack traffic exceeds the preset WAF handling capacity threshold is identified; At least a portion of the access traffic of the attacked domain name carried by the first CDN edge node is scheduled to a second CDN edge node that belongs to the same provincial region as the first CDN edge node and has WAF processing capacity. The WAF processing function of the second CDN edge node issues the processing rules corresponding to the attack traffic.

2. The method of claim 1, wherein, The attack monitoring data includes at least the attack source IP information; the method further includes: An attack source blocking instruction is generated based on the attack source IP information; The attack source blocking instruction is sent to the load balancer LVS associated with the first CDN edge node and / or the second CDN edge node, and the LVS performs a drop operation on the access traffic of the attack source IP.

3. The method according to claim 1, characterized in that, The first CDN edge node identified based on attack monitoring data as carrying attack traffic exceeding a preset WAF handling capacity threshold includes: The attacked domain name is obtained by aggregating the attack target URLs in the attack monitoring data; The rate of attack requests to the attacked domain name is calculated as the attack traffic; The attack request rate is compared with a preset WAF processing capacity threshold; The CDN edge node whose attack request rate exceeds the corresponding threshold is identified as the first CDN edge node.

4. The method according to claim 1, characterized in that, The method further includes: Analyze the content elements of CDN-distributed domains and classify them into static or dynamic domains; Specifically, when routing access traffic to the second CDN edge node, dynamic domain names are preferentially routed to the CDN edge node that has the WAF processing function deployed.

5. The method according to claim 1, characterized in that, The step of scheduling at least a portion of the access traffic of the attacked domain name carried by the first CDN edge node to a second CDN edge node that belongs to the same provincial region as the first CDN edge node and has WAF processing capacity margin includes: Obtain the WAF processing capacity margin of each CDN edge node within the same provincial region; The proportion of traffic to be scheduled and the corresponding second CDN edge node are determined based on the attack traffic and the WAF processing capacity margin of each node. Update DNS records to redirect user traffic.

6. The method according to claim 1, characterized in that, The method further includes: When the total WAF processing capacity of all CDN edge nodes in the same provincial region is insufficient to handle the traffic that needs to be scheduled, the access traffic of the attacked domain name will be scheduled to a pre-deployed high-defense node cluster, which is equipped with enhanced WAF processing functions.

7. The method according to claim 1, characterized in that, The method further includes: Collect WAF attack monitoring data reported by multiple CDN edge nodes; Generate attack source profiles and / or attacked domain profiles based on historical attack monitoring data; Based on the attack source profile, low-frequency, dispersed attack behaviors originating from the same attack source and with attack frequencies at each CDN edge node all below the single-node WAF warning threshold were identified. Coordinated blocking commands are issued to the multiple CDN edge nodes to block the low-frequency, dispersed attacks from the network-wide perspective.

8. The method according to claim 7, characterized in that, The coordinated blocking command includes at least one of the following: Attack source IP blocking strategies are issued to the WAF processing functions of the multiple CDN edge nodes; The attack source IP data packets were dropped by the LVS associated with the multiple CDN edge nodes.

9. The method according to claim 1, characterized in that, The method further includes: Collect data on WAF attack traffic gaps that CDN edge nodes in each province cannot handle within a preset period, and form a traffic gap array. Calculate the average and maximum values ​​of the flow gap array; Based on the weighted calculation result of the average value and the maximum value, a recommended value for expanding the WAF processing capacity of the corresponding province is generated; The recommended expansion value ranges between the average value and the maximum value.

10. The method according to claim 1, characterized in that, The method further includes: For customers whose entire site is distributed to CDN, deploy honeypot nodes at the customer's content maintenance management portal; Abnormal access traffic targeting the management entry point will be redirected to the honeypot node; Collect attack behavior data of the abnormal access traffic and report it to the WAF global attack display center; Based on the attack behavior data, corresponding protection and handling instructions are generated.

11. The method according to claim 1, characterized in that, The method further includes: Based on the principle of decentralization and domain division, the attack situation data, handling data and attack source analysis data corresponding to the domains distributed under the customer's name are displayed to the CDN customer. Provide the CDN customer with an interface for self-configuration of blocking attack source IPs, so that the customer can manually or automatically configure blocking policies.

12. A WAF linkage scheduling and deployment system in a CDN, characterized in that, The system includes: The WAF monitoring module is deployed on all CDN edge nodes to generate attack monitoring data; The WAF processing module is deployed on some CDN edge nodes; A global WAF attack showcase center, used for: Collect attack monitoring data reported by the WAF monitoring function of all CDN edge nodes; Based on the attack monitoring data, the first CDN edge node that carries attack traffic and whose attack traffic exceeds the preset WAF handling capacity threshold is identified; The CDN scheduling center is used to schedule at least a portion of the access traffic of the attacked domain name carried by the first CDN edge node to a second CDN edge node that belongs to the same provincial region as the first CDN edge node and has WAF processing capacity. The WAF handling and monitoring center is used to issue handling rules corresponding to the attack traffic to the WAF handling function of the second CDN edge node.

13. The system according to claim 12, characterized in that, The system also includes: The load balancer LVS associated with each CDN edge node; The WAF attack global display center is also used to extract attack source IP information from the attack monitoring data; The WAF processing and monitoring center is also used for: An attack source blocking instruction is generated based on the attack source IP information provided by the WAF attack global display center. The attack source blocking instruction is sent to the load balancer LVS associated with the first CDN edge node and / or the second CDN edge node, and the LVS performs a drop operation on the access traffic of the attack source IP.

14. The system according to claim 12, characterized in that, The system also includes: The low-frequency attack identification module is used for: WAF attack monitoring data from multiple CDN edge nodes were obtained from the WAF attack global display center. Generate attack source profiles and / or attacked domain profiles based on historical attack monitoring data; Based on the attack source profile, low-frequency, dispersed attack behaviors originating from the same attack source and with attack frequencies at each CDN edge node all below the single-node WAF warning threshold were identified. The collaborative handling module is used to issue collaborative blocking instructions to the multiple CDN edge nodes to block the low-frequency dispersed attacks from the network-wide level.

15. The system according to claim 12, characterized in that, The system also includes: Honeypot nodes are deployed as the content maintenance and management portal for customers across the entire site. The traffic redirection module is used to redirect abnormal access traffic targeting the management entry point to the honeypot node; The honeypot node is also used to collect attack behavior data of the abnormal access traffic and report it to the WAF attack global display center. The WAF monitoring and control center is also used to generate corresponding protection and control instructions based on the attack behavior data.

16. A computing device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the method as described in any one of claims 1 to 11.

17. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the method as described in any one of claims 1 to 11.