Method, client, server and system for preventing network attack

Document number: 1116112  Publication date: 2020-09-29

Reading note: this technology, 防止网络攻击的方法、客户端、服务器及系统 (Method, client, server and system for preventing network attack), was created by 侯贵斌 (Hou Guibin), 梁晓东 (Liang Xiaodong) and 陈景斌 (Chen Jingbin) on 2020-05-08. Summary: the invention discloses a method, a client, a server and a system for preventing network attacks. It relates to the field of communication and aims to solve the problem of the high cost of protecting against network attacks. The method comprises: obtaining first network attack prevention verification information from a data packet sent by a client, wherein the first network attack prevention verification information comprises a network attack prevention dynamic string code and an identification code of the client; verifying the legality of the client according to the identification code of the client to obtain a first verification result; if the first verification result indicates that the client is legal, verifying the legality of the data packet according to the network attack prevention dynamic string code to obtain a second verification result; and if the second verification result indicates that the data packet is legal, processing the data packet normally. The technical scheme provided by the embodiments of the invention can be applied in the Internet field.

1. A method for preventing network attacks, comprising:

obtaining first network attack prevention verification information from a data packet sent by a client, wherein the first network attack prevention verification information comprises a network attack prevention dynamic string code and an identification code of the client;

verifying the legality of the client according to the identification code of the client to obtain a first verification result;

if the first verification result indicates that the client is legal, verifying the legality of the data packet according to the network attack prevention dynamic string code to obtain a second verification result;

and if the second verification result indicates that the data packet is legal, processing the data packet normally.

2. The method of claim 1, wherein verifying the legality of the data packet according to the network attack prevention dynamic string code to obtain the second verification result comprises:

determining, according to a preset dynamic string code update period, whether the network attack prevention dynamic string code has timed out without being updated, to obtain a first determination sub-result;

if the first determination sub-result indicates that the network attack prevention dynamic string code has timed out without being updated, the second verification result is that the data packet is illegal;

otherwise, determining, according to a preset dynamic string code reception time error range, whether the network attack prevention dynamic string code was received outside that range, to obtain a second determination sub-result;

if the second determination sub-result indicates that the network attack prevention dynamic string code was received outside the reception time error range, the second verification result is that the data packet is illegal;

otherwise, the second verification result is that the data packet is legal.

3. The method of claim 1, further comprising:

if the second verification result indicates that the data packet is illegal, recording the number of verification failures of the data packet and sending a string code update indication to the client;

receiving the data packet retransmitted by the client according to the string code update indication;

obtaining second network attack prevention verification information from the retransmitted data packet, wherein the second network attack prevention verification information comprises the updated network attack prevention dynamic string code and the identification code of the client;

verifying the legality of the data packet according to the updated network attack prevention dynamic string code to obtain a third verification result;

and if the third verification result indicates that the data packet is legal, processing the data packet normally.

4. The method of claim 3, further comprising:

if the third verification result indicates that the data packet is illegal and the number of verification failures of the data packet does not exceed a preset failure count threshold, updating the recorded number of verification failures of the data packet and sending the string code update indication to the client again;

and if the third verification result indicates that the data packet is illegal and the number of verification failures of the data packet exceeds the preset failure count threshold, adding the identification code of the client to a blacklist and setting the retention time of the identification code in the blacklist.

5. The method of claim 1, further comprising, before obtaining the first network attack prevention verification information from the data packet sent by the client, negotiating a generation mode of the network attack prevention dynamic string code with the client.

6. The method of claim 5, wherein negotiating the generation mode of the network attack prevention dynamic string code with the client comprises:

receiving a list of generation modes of the network attack prevention dynamic string code sent by the client;

selecting, according to a preset selection rule, a generation mode of the network attack prevention dynamic string code from the list of generation modes;

and sending the selected generation mode of the network attack prevention dynamic string code to the client.

7. A method for preventing network attacks, comprising:

generating a network attack prevention dynamic string code according to a preset generation mode of the network attack prevention dynamic string code and a preset dynamic string code update period;

obtaining an identification code of a client;

generating first network attack prevention verification information according to the network attack prevention dynamic string code and the identification code of the client;

and sending a data packet to a server, wherein the data packet carries the first network attack prevention verification information.

8. The method of claim 7, further comprising:

receiving a string code update indication sent by the server;

updating the network attack prevention dynamic string code according to the string code update indication to obtain an updated network attack prevention dynamic string code;

generating second network attack prevention verification information according to the updated network attack prevention dynamic string code and the identification code of the client;

and sending the data packet to the server, wherein the data packet carries the second network attack prevention verification information.

9. The method of claim 7, wherein the preset generation mode of the network attack prevention dynamic string code is a generation mode obtained by negotiation with the server,

and negotiating with the server to obtain the generation mode of the network attack prevention dynamic string code comprises:

sending a list of generation modes of the network attack prevention dynamic string code to the server;

and receiving the generation mode of the network attack prevention dynamic string code selected by the server from the list of generation modes.

10. A server, comprising:

a first obtaining module, configured to obtain first network attack prevention verification information from a data packet sent by a client, wherein the first network attack prevention verification information comprises a network attack prevention dynamic string code and an identification code of the client;

a first verification module, configured to verify the legality of the client according to the identification code of the client obtained by the first obtaining module, to obtain a first verification result;

a second verification module, configured to, if the first verification result obtained by the first verification module indicates that the client is legal, verify the legality of the data packet according to the network attack prevention dynamic string code obtained by the first obtaining module, to obtain a second verification result;

and a processing module, configured to process the data packet normally if the second verification result obtained by the second verification module indicates that the data packet is legal.

11. The server of claim 10, wherein the second verification module comprises:

a first determination sub-module, configured to determine, according to a preset dynamic string code update period, whether the network attack prevention dynamic string code has timed out without being updated, to obtain a first determination sub-result;

a first verification sub-module, configured to determine that the second verification result is that the data packet is illegal if the first determination sub-result obtained by the first determination sub-module indicates that the network attack prevention dynamic string code has timed out without being updated;

a second determination sub-module, configured to determine, according to a preset dynamic string code reception time error range, whether the network attack prevention dynamic string code was received outside that range, to obtain a second determination sub-result;

and a second verification sub-module, configured to determine that the second verification result is that the data packet is illegal if the second determination sub-result obtained by the second determination sub-module indicates that the network attack prevention dynamic string code was received outside the reception time error range, and to determine that the second verification result is that the data packet is legal otherwise.

12. The server of claim 10, further comprising:

a recording and sending module, configured to, if the second verification result obtained by the second verification module indicates that the data packet is illegal, record the number of verification failures of the data packet and send a string code update indication to the client;

a receiving module, configured to receive the data packet retransmitted by the client according to the string code update indication;

wherein the first obtaining module is further configured to obtain second network attack prevention verification information from the data packet received by the receiving module, the second network attack prevention verification information comprising the updated network attack prevention dynamic string code and the identification code of the client;

the second verification module is further configured to verify the legality of the data packet according to the updated network attack prevention dynamic string code obtained by the first obtaining module, to obtain a third verification result;

and the processing module is further configured to process the data packet normally if the third verification result obtained by the second verification module indicates that the data packet is legal.

13. The server of claim 12, wherein

the recording and sending module is further configured to update the recorded number of verification failures of the data packet and send the string code update indication to the client again if the third verification result obtained by the second verification module indicates that the data packet is illegal and the number of verification failures of the data packet does not exceed a preset failure count threshold;

and the processing module is further configured to add the identification code of the client to a blacklist and set the retention time of the identification code in the blacklist if the third verification result obtained by the second verification module indicates that the data packet is illegal and the number of verification failures of the data packet exceeds the preset failure count threshold.

14. The server of claim 10, further comprising:

a negotiation module, configured to negotiate a generation mode of the network attack prevention dynamic string code with the client.

15. The server of claim 14, wherein the negotiation module comprises:

a receiving sub-module, configured to receive a list of generation modes of the network attack prevention dynamic string code sent by the client;

a selection sub-module, configured to select, according to a preset selection rule, a generation mode of the network attack prevention dynamic string code from the list of generation modes received by the receiving sub-module;

and a sending sub-module, configured to send the generation mode of the network attack prevention dynamic string code selected by the selection sub-module to the client.

16. A client, comprising:

a first generation module, configured to generate a network attack prevention dynamic string code according to a preset generation mode of the network attack prevention dynamic string code and a preset dynamic string code update period;

an obtaining module, configured to obtain an identification code of the client;

a second generation module, configured to generate first network attack prevention verification information according to the network attack prevention dynamic string code generated by the first generation module and the identification code of the client obtained by the obtaining module;

and a first sending module, configured to send a data packet to a server, wherein the data packet carries the first network attack prevention verification information generated by the second generation module.

17. The client of claim 16, further comprising:

a first receiving module, configured to receive a string code update indication sent by the server;

wherein the first generation module is further configured to update the network attack prevention dynamic string code according to the string code update indication received by the first receiving module, to obtain an updated network attack prevention dynamic string code;

the second generation module is further configured to generate second network attack prevention verification information according to the updated network attack prevention dynamic string code obtained by the first generation module and the identification code of the client obtained by the obtaining module;

and the first sending module is further configured to send the data packet to the server, wherein the data packet carries the second network attack prevention verification information generated by the second generation module.

18. The client of claim 16, wherein

the preset generation mode of the network attack prevention dynamic string code is a generation mode obtained by negotiation with the server,

and the client further comprises:

a second sending module, configured to send a list of generation modes of the network attack prevention dynamic string code to the server;

and a second receiving module, configured to receive the generation mode of the network attack prevention dynamic string code selected by the server from the list of generation modes.

19. A system for preventing network attacks, comprising the server of any one of claims 10 to 15 and the client of any one of claims 16 to 18.

Technical Field

The invention relates to the field of communication, in particular to a method, a client, a server and a system for preventing network attack.

Background

Network attacks currently fall mainly into the following categories:

1. Tampering

Part of the content of a legitimate message is modified or deleted, or the message is delayed or its transmission order changed, so that an unauthorized effect is produced.

2. Counterfeiting

An entity sends data containing the identity information of another entity, impersonating that entity in order to fraudulently obtain its legitimate rights.

3. Denial of Service (DoS)

Such an attack can disrupt the whole network, deny legitimate entities its normal use, or unconditionally interrupt a network service.

In the prior art, protection against the above network attacks is mainly provided by dedicated hardware devices or software firewalls. For example, anti-DDoS devices are used specifically to defend against DoS attacks; for another example, a Web Application Firewall (WAF) device is used to protect against HTTP (Hypertext Transfer Protocol) layer attacks such as tampering and counterfeiting.

However, in implementing the embodiments of the present invention, the inventors found that the prior art prevents network attacks by adding hardware devices, so the hardware cost is high, and adding new hardware devices makes network deployment difficult.

Disclosure of Invention

To solve the above problem, embodiments of the present invention provide a method, a client, a server and a system for preventing network attacks, which can reduce the cost of protecting against network attacks.

In one aspect, the method for preventing network attacks provided by an embodiment of the present invention comprises: obtaining first network attack prevention verification information from a data packet sent by a client, wherein the first network attack prevention verification information comprises a network attack prevention dynamic string code and an identification code of the client; verifying the legality of the client according to the identification code of the client to obtain a first verification result; if the first verification result indicates that the client is legal, verifying the legality of the data packet according to the network attack prevention dynamic string code to obtain a second verification result; and if the second verification result indicates that the data packet is legal, processing the data packet normally.

Further, verifying the legality of the data packet according to the network attack prevention dynamic string code to obtain the second verification result comprises: determining, according to a preset dynamic string code update period, whether the network attack prevention dynamic string code has timed out without being updated, to obtain a first determination sub-result; if the first determination sub-result indicates that the network attack prevention dynamic string code has timed out without being updated, the second verification result is that the data packet is illegal; otherwise, determining, according to a preset dynamic string code reception time error range, whether the network attack prevention dynamic string code was received outside that range, to obtain a second determination sub-result; if the second determination sub-result indicates that the network attack prevention dynamic string code was received outside the reception time error range, the second verification result is that the data packet is illegal; otherwise, the second verification result is that the data packet is legal.

Further, the method further comprises: if the second verification result indicates that the data packet is illegal, recording the number of verification failures of the data packet and sending a string code update indication to the client; receiving the data packet retransmitted by the client according to the string code update indication; obtaining second network attack prevention verification information from the retransmitted data packet, wherein the second network attack prevention verification information comprises the updated network attack prevention dynamic string code and the identification code of the client; verifying the legality of the data packet according to the updated network attack prevention dynamic string code to obtain a third verification result; and if the third verification result indicates that the data packet is legal, processing the data packet normally.

Further, the method further comprises: if the third verification result indicates that the data packet is illegal and the number of verification failures of the data packet does not exceed a preset failure count threshold, updating the recorded number of verification failures of the data packet and sending the string code update indication to the client again; and if the third verification result indicates that the data packet is illegal and the number of verification failures of the data packet exceeds the preset failure count threshold, adding the identification code of the client to a blacklist and setting the retention time of the identification code in the blacklist.

Further, before the first network attack prevention verification information is obtained from the data packet sent by the client, the method further comprises negotiating a generation mode of the network attack prevention dynamic string code with the client.

Further, negotiating the generation mode of the network attack prevention dynamic string code with the client comprises: receiving a list of generation modes of the network attack prevention dynamic string code sent by the client; selecting, according to a preset selection rule, a generation mode of the network attack prevention dynamic string code from the list of generation modes; and sending the selected generation mode to the client.

In another aspect, the method for preventing network attacks provided by an embodiment of the present invention comprises: generating a network attack prevention dynamic string code according to a preset generation mode of the network attack prevention dynamic string code and a preset dynamic string code update period; obtaining an identification code of a client; generating first network attack prevention verification information according to the network attack prevention dynamic string code and the identification code of the client; and sending a data packet to a server, wherein the data packet carries the first network attack prevention verification information.

Further, the method further comprises: receiving a string code update indication sent by the server; updating the network attack prevention dynamic string code according to the string code update indication to obtain an updated network attack prevention dynamic string code; generating second network attack prevention verification information according to the updated network attack prevention dynamic string code and the identification code of the client; and sending the data packet to the server, wherein the data packet carries the second network attack prevention verification information.

Further, the preset generation mode of the network attack prevention dynamic string code is a generation mode obtained by negotiation with the server, and negotiating with the server to obtain the generation mode comprises: sending a list of generation modes of the network attack prevention dynamic string code to the server; and receiving the generation mode of the network attack prevention dynamic string code selected by the server from the list of generation modes.
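The client-side and server-side procedures of claims 1 to 9, restated in the paragraphs above, as an added example that is not part of the patent. The patent does not specify how the network attack prevention dynamic string code is generated or what the generation modes are; this example assumes the code is a generation timestamp followed by an HMAC over the client identification code and that timestamp, keyed with a per-client secret, with the negotiated generation mode being the HMAC hash function. It also assumes that each packet carries its send time, so that the reception time error range can be checked separately from the update period. The names `negotiate_mode`, `string_code`, `Client`, `Server` and `run_scenario`, the client identifiers, secrets, timestamps and thresholds are all constructed for the demonstration.

```python
# Added example, not the patent's own code: a simulation of the exchange in claims 1-9.
# ASSUMED (the patent does not specify): the string code is "<generation time>:<HMAC(secret,
# client_id|time)>" under a per-client secret, the negotiated "generation mode" is the HMAC
# hash, and each packet carries its send time. Names, secrets, times and thresholds are made up.
import hashlib
import hmac

SERVER_MODE_PREFERENCE = ["hmac-sha256", "hmac-sha1"]   # assumed preset selection rule
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}


def negotiate_mode(client_modes):   # claim 6: first server-preferred mode the client offers
    for mode in SERVER_MODE_PREFERENCE:
        if mode in client_modes:
            return mode
    raise ValueError("no common string code generation mode")


def string_code(mode, secret, client_id, generated_at):   # the dynamic string code itself
    mac = hmac.new(secret, f"{client_id}|{generated_at}".encode(), DIGESTS[mode])
    return f"{generated_at}:{mac.hexdigest()}"


class Client:
    def __init__(self, client_id, secret, update_period, offered_modes):
        self.client_id, self.secret, self.update_period = client_id, secret, update_period
        self.mode = negotiate_mode(offered_modes)   # claim 9: offer a list, receive the choice
        self.code_at = None

    def refresh_code(self, now):
        self.code_at = now
        self.code = string_code(self.mode, self.secret, self.client_id, now)

    def packet(self, payload, now):   # claim 7: id + code; a new code once the period elapsed
        if self.code_at is None or now - self.code_at >= self.update_period:
            self.refresh_code(now)
        return {"client_id": self.client_id, "code": self.code, "sent_at": now, "payload": payload}

    def on_update_indication(self, payload, now):   # claim 8: regenerate and retransmit
        self.refresh_code(now)
        return self.packet(payload, now)


class Server:
    def __init__(self, update_period, recv_tolerance, fail_threshold, blacklist_ttl):
        self.update_period, self.recv_tolerance = update_period, recv_tolerance
        self.fail_threshold, self.blacklist_ttl = fail_threshold, blacklist_ttl
        self.registry = {}    # client_id -> (secret, mode): the legal clients
        self.failures = {}    # client_id -> recorded verification failures
        self.blacklist = {}   # client_id -> time at which the blacklist entry expires

    def verify_code(self, code, client_id, sent_at, now):   # claim 2's two sub-determinations
        secret, mode = self.registry[client_id]
        head = code.split(":", 1)[0]
        if not (code.isascii() and head.isdecimal()
                and hmac.compare_digest(code, string_code(mode, secret, client_id, int(head)))):
            return "tampered"             # assumed integrity check: wrong secret or altered code
        if now - int(head) > self.update_period:
            return "not updated"          # first sub-result: timed out without an update
        if abs(now - sent_at) > self.recv_tolerance:
            return "received overtime"    # second sub-result: outside the reception window
        return "ok"

    def handle(self, pkt, now):   # claims 1, 3 and 4; returns (decision, reason)
        cid = pkt["client_id"]
        if self.blacklist.get(cid, 0) > now:
            return "rejected", "blacklisted"
        if cid not in self.registry:              # first verification result: illegal client
            return "rejected", "illegal client"
        reason = self.verify_code(pkt["code"], cid, pkt["sent_at"], now)
        if reason == "ok":                        # second (or third) verification result: legal
            self.failures.pop(cid, None)
            return "processed", reason
        count = self.failures.get(cid, 0) + 1     # record the verification failure
        if count > self.fail_threshold:           # threshold exceeded: blacklist with a TTL
            self.failures.pop(cid, None)
            self.blacklist[cid] = now + self.blacklist_ttl
            return "blacklisted", reason
        self.failures[cid] = count
        return "update code", reason              # the string code update indication


def run_scenario():   # legitimate traffic, a replay, a stale code, an unknown client, a spoofed id
    server = Server(update_period=30, recv_tolerance=5, fail_threshold=2, blacklist_ttl=600)
    alice = Client("alice", b"alice-secret", 30, ["hmac-sha1", "hmac-sha256"])
    server.registry["alice"] = (b"alice-secret", alice.mode)
    out = {"mode": alice.mode}
    pkt = alice.packet("hello", now=1000)
    out["fresh"] = server.handle(pkt, now=1001)
    out["replay"] = server.handle(pkt, now=1011)        # captured packet resent 10 s later
    out["retransmit"] = server.handle(alice.on_update_indication("hello", 1012), now=1012)
    stale = dict(alice.packet("hello", now=1012), sent_at=1050)   # code never refreshed
    out["stale"] = server.handle(stale, now=1050)
    out["unknown"] = server.handle({"client_id": "mallory", "code": "0:0", "sent_at": 1060}, 1060)
    forged = {"client_id": "alice", "sent_at": 1061,   # attacker knows the id, not the secret
              "code": string_code("hmac-sha256", b"guess", "alice", 1061)}
    out["spoof1"] = server.handle(forged, now=1061)
    out["spoof2"] = server.handle(forged, now=1062)
    out["victim"] = server.handle(alice.packet("hello", now=1063), now=1063)
    out["after_ttl"] = server.handle(alice.packet("hello", now=1700), now=1700)
    return out
```

`run_scenario()` walks through one legal exchange, a replayed packet (its code is still inside the update period, but the packet arrives outside the reception tolerance, so the second sub-determination rejects it and the server answers with the update indication), a client that stopped rotating its code (caught by the first sub-determination), an unregistered identification code (rejected at the first verification), and forged packets that carry a registered identification code but were built without its secret. The two timing checks are therefore not redundant: the update period catches a client that no longer refreshes, the reception tolerance catches delayed or replayed traffic whose code is otherwise fresh. The forged packets also show the practical caveat of claim 4: because the failure count and the blacklist are keyed on the identification code alone, failures caused by someone else's packets count against the legitimate client, which is locked out until the retention time expires. In this example that is only a lockout, since the assumed HMAC binding stops the forged packets from being processed; a deployment should key the failure count on something the sender cannot choose freely as well, or keep the retention time short.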

In another aspect, a server provided in an embodiment of the present invention includes:

a first obtaining module, configured to obtain first network attack prevention verification information from a data packet sent by a client, wherein the first network attack prevention verification information comprises a network attack prevention dynamic string code and an identification code of the client;

a first verification module, configured to verify the legality of the client according to the identification code of the client obtained by the first obtaining module, to obtain a first verification result;

a second verification module, configured to, if the first verification result obtained by the first verification module indicates that the client is legal, verify the legality of the data packet according to the network attack prevention dynamic string code obtained by the first obtaining module, to obtain a second verification result;

and a processing module, configured to process the data packet normally if the second verification result obtained by the second verification module indicates that the data packet is legal.

Further, the second verification module comprises:

a first determination sub-module, configured to determine, according to a preset dynamic string code update period, whether the network attack prevention dynamic string code has timed out without being updated, to obtain a first determination sub-result;

a first verification sub-module, configured to determine that the second verification result is that the data packet is illegal if the first determination sub-result obtained by the first determination sub-module indicates that the network attack prevention dynamic string code has timed out without being updated;

a second determination sub-module, configured to determine, according to a preset dynamic string code reception time error range, whether the network attack prevention dynamic string code was received outside that range, to obtain a second determination sub-result;

and a second verification sub-module, configured to determine that the second verification result is that the data packet is illegal if the second determination sub-result obtained by the second determination sub-module indicates that the network attack prevention dynamic string code was received outside the reception time error range, and to determine that the second verification result is that the data packet is legal otherwise.

Further, the server further comprises:

a recording and sending module, configured to, if the second verification result obtained by the second verification module indicates that the data packet is illegal, record the number of verification failures of the data packet and send a string code update indication to the client;

a receiving module, configured to receive the data packet retransmitted by the client according to the string code update indication;

wherein the first obtaining module is further configured to obtain second network attack prevention verification information from the data packet received by the receiving module, the second network attack prevention verification information comprising the updated network attack prevention dynamic string code and the identification code of the client;

the second verification module is further configured to verify the legality of the data packet according to the updated network attack prevention dynamic string code obtained by the first obtaining module, to obtain a third verification result;

and the processing module is further configured to process the data packet normally if the third verification result obtained by the second verification module indicates that the data packet is legal.

Further, the recording and sending module is further configured to update the recorded number of verification failures of the data packet and send the string code update indication to the client again if the third verification result obtained by the second verification module indicates that the data packet is illegal and the number of verification failures of the data packet does not exceed a preset failure count threshold;

and the processing module is further configured to add the identification code of the client to a blacklist and set the retention time of the identification code in the blacklist if the third verification result obtained by the second verification module indicates that the data packet is illegal and the number of verification failures of the data packet exceeds the preset failure count threshold.

Further, the server further includes:

a negotiation module, configured to negotiate a generation mode of the network attack prevention dynamic string code with the client.

Further, the negotiation module includes:

a receiving sub-module, configured to receive a list of generation modes of the network attack prevention dynamic string code sent by the client;

a selection sub-module, configured to select, according to a preset selection rule, a generation mode of the network attack prevention dynamic string code from the list of generation modes received by the receiving sub-module;

and a sending sub-module, configured to send the generation mode of the network attack prevention dynamic string code selected by the selection sub-module to the client.

In another aspect, a client provided in an embodiment of the present invention includes:

a first generation module, configured to generate a network attack prevention dynamic string code according to a preset generation mode of the network attack prevention dynamic string code and a preset dynamic string code update period;

an obtaining module, configured to obtain an identification code of the client;

a second generation module, configured to generate first network attack prevention verification information according to the network attack prevention dynamic string code generated by the first generation module and the identification code of the client obtained by the obtaining module;

and a first sending module, configured to send a data packet to a server, wherein the data packet carries the first network attack prevention verification information generated by the second generation module.

Further, the client further includes:

a first receiving module, configured to receive a string code update indication sent by the server;

wherein the first generation module is further configured to update the network attack prevention dynamic string code according to the string code update indication received by the first receiving module, to obtain an updated network attack prevention dynamic string code;

the second generation module is further configured to generate second network attack prevention verification information according to the updated network attack prevention dynamic string code obtained by the first generation module and the identification code of the client obtained by the obtaining module;

and the first sending module is further configured to send the data packet to the server, wherein the data packet carries the second network attack prevention verification information generated by the second generation module.

Further, the preset generation mode of the network attack prevention dynamic string code is a generation mode obtained by negotiation with the server, and the client further comprises:

a second sending module, configured to send a list of generation modes of the network attack prevention dynamic string code to the server;

and a second receiving module, configured to receive the generation mode of the network attack prevention dynamic string code selected by the server from the list of generation modes.

In another aspect, the system for preventing a network attack provided by the embodiment of the present invention includes the above server and the client.

According to the method, client, server and system for preventing network attacks described above, the legality of the client is verified through the identification code of the client, which defends against attacks by counterfeit clients, and the legality of the data packet is verified through the network attack prevention dynamic string code, which defends against tampering, denial of service and similar attacks. Because the dynamic string code changes over time, the verification of the data packet is more reliable, and a code intercepted by or leaked to a third party is of little use for mounting an attack. Compared with the prior art, the technical solution provided by the embodiments of the present invention achieves network attack prevention without adding any network equipment, and thus reduces the protection cost.

Drawings

Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:

fig. 1 is a flowchart of a method for preventing a network attack according to a first embodiment of the present invention;

fig. 2 is a flowchart of step 103 in the method for preventing a network attack according to the first embodiment of the present invention shown in fig. 1;

fig. 3 is a flowchart of a method for preventing network attacks according to a second embodiment of the present invention;

fig. 4 is a flowchart of a method for preventing network attacks according to a second embodiment of the present invention;

fig. 5 is a flowchart of a method for preventing a network attack according to a third embodiment of the present invention;

fig. 6 is a flowchart of step 112 in the method for preventing network attacks according to the third embodiment of the present invention shown in fig. 5;

fig. 7 is a flowchart of a method for preventing a network attack according to a fourth embodiment of the present invention;

fig. 8 is a flowchart of a method for preventing network attacks according to a fourth embodiment of the present invention;

fig. 9 is a flowchart of a method for preventing network attacks according to a fourth embodiment of the present invention;

fig. 10 is a first schematic structural diagram of a server according to a fifth embodiment of the present invention;

fig. 11 is a schematic structural diagram of a second authentication module 1003 in the server according to the fifth embodiment of the present invention shown in fig. 10;

fig. 12 is a second schematic structural diagram of a server according to a fifth embodiment of the present invention;

fig. 13 is a third schematic structural diagram of a server according to a fifth embodiment of the present invention;

fig. 14 is a schematic structural diagram of a negotiation module 1007 in the server according to the fifth embodiment of the present invention shown in fig. 13;

fig. 15 is a first schematic structural diagram of a client according to a sixth embodiment of the present invention;

fig. 16 is a schematic structural diagram of a client according to a sixth embodiment of the present invention;

fig. 17 is a third schematic structural diagram of a client according to a sixth embodiment of the present invention;

fig. 18 is a schematic structural diagram of a system for preventing a network attack according to a seventh embodiment of the present invention.

Detailed Description

The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.

It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.

In order to solve the problem of high protection cost caused by the fact that network attack protection work needs to be carried out through independent hardware equipment in the prior art, the embodiment of the invention provides a method, a client, a server and a system for preventing network attack.

As shown in fig. 1, a method for preventing a network attack according to a first embodiment of the present invention includes:

Step 101, obtaining first network attack prevention verification information from a data packet sent by a client, where the first network attack prevention verification information includes: the network attack prevention dynamic string code and the identification code of the client.

Step 102, verifying the legality of the client according to the identification code of the client, and obtaining a first verification result.

In this embodiment, the identification code of the client is not specifically limited; in actual use it may be any information that uniquely identifies the client, for example the product ID of the client, or an identification code generated uniquely from the CPU of the client. These are not described in detail here.

In this embodiment, the identification codes of legal clients may be stored in advance. For example, a legal user information table may be preset in which the identification codes of legal clients are stored. Step 102 then searches the legal user information table for the received identification code of the client: if the identification code is found in the table, the first verification result is that the client is legal; otherwise, the first verification result is that the client is illegal.

Step 103, if the first verification result indicates that the client is legal, verifying the legality of the data packet according to the network attack prevention dynamic string code, and obtaining a second verification result.

Specifically, as shown in fig. 2, step 103 may include the following steps:

Step 201, determining, according to a preset dynamic string code update period, whether the network attack prevention dynamic string code has remained un-updated beyond that period (that is, has timed out without being updated), and obtaining a first determining sub-result.

Specifically, step 201 may obtain the receiving time of the network attack prevention dynamic string code, look up in the legal user information table the time at which this dynamic string code was first received, and calculate the difference between the two. If the difference is greater than the preset dynamic string code update period, the first determining sub-result is that the network attack prevention dynamic string code has timed out without being updated; if the difference is not greater than the preset update period, the first determining sub-result is that it has not timed out.

It should be noted that, the setting method of the dynamic string update period is not limited, and in the actual use process, the dynamic string update period may be set as needed.

Step 202, if the first determining sub-result indicates that the network attack prevention dynamic string code has timed out without being updated, the second verification result is that the data packet is illegal.

Step 203, otherwise, determining, according to a preset error range of the dynamic string code receiving time, whether the network attack prevention dynamic string code was received overtime, and obtaining a second determining sub-result.

Specifically, step 203 may obtain the transmission duration of the dynamic string code from the time stamps in the data packet (the sending time stamp and the receiving time stamp). If the transmission duration is greater than the preset error range of the dynamic string code receiving time, the second determining sub-result is that the network attack prevention dynamic string code was received overtime; otherwise, the second determining sub-result is that it was not received overtime.

It should be noted that, in this embodiment, the preset dynamic string code receiving time error range may also be stored in the legal user information table, and this embodiment does not limit the setting method of the dynamic string code receiving time error range, and in the actual using process, the dynamic string code receiving time error range may be set as needed, which is not described herein.

Step 204, if the second determining sub-result indicates that the network attack prevention dynamic string code was received overtime, the second verification result is that the data packet is illegal.

Step 205, otherwise, the second verification result is that the data packet is legal.

Step 104, if the second verification result indicates that the data packet is legal, processing the data packet normally.
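The server-side checks of steps 101 to 104 and 201 to 205, as an added worked example in Python; it is not code from the patent. The layout of the legal user information table, the update period of 30 s, the receiving time error range of 5 s, and the convention that the table records the time each new dynamic string code was first seen from a client are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed values for the two preset parameters the page leaves open (seconds).
UPDATE_PERIOD = 30.0      # dynamic string code update period
RECV_ERROR_RANGE = 5.0    # error range of the dynamic string code receiving time


@dataclass
class LegalUserEntry:
    """One row of the legal user information table (assumed layout)."""
    update_period: float = UPDATE_PERIOD
    recv_error_range: float = RECV_ERROR_RANGE
    current_code: Optional[str] = None      # last dynamic string code seen from this client
    first_received: Optional[float] = None  # time that code was first received


@dataclass
class Packet:
    """Constructed packet: the first verification information plus time stamps."""
    client_id: str
    dynamic_code: str
    send_ts: float   # sending time stamp carried in the packet
    recv_ts: float   # receiving time stamp recorded by the server on arrival
    payload: bytes = b""


class VerifyingServer:
    def __init__(self, legal_ids):
        # Identification codes of legal clients are stored in advance (step 102).
        self.table: Dict[str, LegalUserEntry] = {cid: LegalUserEntry() for cid in legal_ids}

    def verify_client(self, client_id: str) -> bool:
        """Step 102: the first verification result."""
        return client_id in self.table

    def verify_packet(self, pkt: Packet) -> Tuple[bool, str]:
        """Step 103 / fig. 2: the second verification result plus the failing sub-step."""
        entry = self.table[pkt.client_id]
        # Step 201: a code seen for the first time starts a new period
        # (assumed: the table keeps the first-receipt time of the current code).
        if entry.current_code != pkt.dynamic_code:
            entry.current_code = pkt.dynamic_code
            entry.first_received = pkt.recv_ts
        elif pkt.recv_ts - entry.first_received > entry.update_period:
            return False, "not updated after timeout"        # step 202
        # Step 203: transmission duration from the packet's two time stamps.
        if pkt.recv_ts - pkt.send_ts > entry.recv_error_range:
            return False, "received overtime"                # step 204
        return True, "ok"                                    # step 205

    def handle(self, pkt: Packet) -> str:
        """Steps 101 to 104 in order: processed only if both checks pass."""
        if not self.verify_client(pkt.client_id):
            return "drop: client illegal"
        ok, reason = self.verify_packet(pkt)
        if not ok:
            return "drop: " + reason
        return "processed"
```

The receive-time check compares a server-recorded arrival time with a sending time stamp supplied by the client, so it only has force when that time stamp and the dynamic string code cannot be altered in transit; this is the reason for the encryption of the transmitted fields suggested later on this page, and in practice an authenticated encryption mode or a MAC over the fields is needed, since encryption alone does not detect modification.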

The method for preventing network attacks provided by this embodiment verifies the legality of the client through its identification code, which defends against attacks by counterfeit clients, and verifies the legality of the data packet through the network attack prevention dynamic string code, which defends against tampering, denial of service and similar attacks. Because the dynamic string code changes over time, verification of the data packet is more reliable, and a code intercepted by or leaked to a third party is of little use for mounting an attack. Compared with the prior art, this technical solution prevents network attacks without adding any network equipment, and thus reduces the protection cost.

As shown in fig. 3, the second embodiment of the present invention further provides a method for preventing a network attack, which is substantially the same as that shown in fig. 1, except that after step 103, the method may further include:

Step 105, if the second verification result indicates that the data packet is illegal, recording the number of verification failures of the data packet, and sending a string code update indication to the client.

In this embodiment, step 105 may record the number of times of authentication failures of the data packet in the legitimate user information table.

Step 106, receiving the data packet retransmitted by the client according to the string code update indication.

Step 107, obtaining second network attack prevention verification information from the data packet, wherein the second network attack prevention verification information includes: the updated dynamic serial codes for preventing network attacks and the identification codes of the clients.

Step 108, verifying the legality of the data packet according to the updated network attack prevention dynamic string code, and obtaining a third verification result.

In this embodiment, the specific implementation method of step 108 may refer to the steps shown in fig. 2, which is not described herein again.

Step 109, if the third verification result indicates that the data packet is legal, processing the data packet normally.

Further, as shown in fig. 4, in this embodiment, after step 108 the method may further include:

Step 110, if the third verification result indicates that the data packet is illegal and the number of verification failures of the data packet does not exceed a preset failure number threshold, updating the recorded number of verification failures of the data packet, and sending the string code update indication to the client again.

Step 111, if the third verification result indicates that the data packet is illegal and the number of verification failures of the data packet exceeds the preset failure number threshold, adding the identification code of the client to a blacklist and setting the existence time of the identification code in the blacklist.

In this embodiment, the failure number threshold may be set according to actual needs, and this embodiment does not specifically limit this.

When the third verification result indicates that the data packet is illegal and the number of verification failures exceeds the preset failure number threshold, step 111 deletes the identification code of the client from the legal user information table, adds it to the blacklist, and sets the existence time of the identification code in the blacklist. The existence time allows the client to resume normal service with the server once the network attack has been resolved: it gives the client time to deal with the attack, while the server is shielded from its effects and can continue to serve other clients normally.

With the steps shown in fig. 4, even a client that is genuinely at risk of a network attack is not denied service permanently, so the network attack protection system as a whole is more flexible and reliable while still achieving its protective purpose.
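The failure counting, string code update indication and blacklist with existence time of steps 105 to 111, as an added example that is not part of the patent's disclosure. The verification result itself is passed in as a boolean (the checks of fig. 2 are not repeated here); the threshold value, the existence time value, the clearing of the count when a legal packet arrives, and the reinstatement of the client in the legal user information table once the existence time has elapsed are assumptions.

```python
from typing import Dict

FAILURE_THRESHOLD = 3       # preset failure number threshold (assumed value)
BLACKLIST_SECONDS = 600.0   # existence time in the blacklist (assumed value, seconds)


class FailureTracker:
    """Server-side bookkeeping for steps 105, 110 and 111."""

    def __init__(self, legal_ids, threshold: int = FAILURE_THRESHOLD,
                 existence_time: float = BLACKLIST_SECONDS):
        # legal user information table: identification code -> recorded failure count
        self.legal_users: Dict[str, int] = {cid: 0 for cid in legal_ids}
        # blacklist: identification code -> time at which its existence time ends
        self.blacklist: Dict[str, float] = {}
        self.threshold = threshold
        self.existence_time = existence_time

    def _expire(self, now: float) -> None:
        """Drop entries whose existence time has elapsed and reinstate the client
        (assumed reading of "allowed to resume normal service")."""
        for cid, until in list(self.blacklist.items()):
            if now >= until:
                del self.blacklist[cid]
                self.legal_users[cid] = 0

    def is_blacklisted(self, client_id: str, now: float) -> bool:
        self._expire(now)
        return client_id in self.blacklist

    def on_verification(self, client_id: str, packet_legal: bool, now: float) -> str:
        """Decide the server's action from a packet verification result.

        Returns 'process', 'send_update_indication', 'blacklisted' or 'drop'.
        """
        if self.is_blacklisted(client_id, now):
            return "blacklisted"
        if client_id not in self.legal_users:
            return "drop"                      # the client failed step 102
        if packet_legal:
            self.legal_users[client_id] = 0    # assumed: a legal packet clears the count
            return "process"                   # steps 104 / 109
        failures = self.legal_users[client_id] + 1
        if failures > self.threshold:
            # step 111: remove from the legal user table and add to the blacklist
            del self.legal_users[client_id]
            self.blacklist[client_id] = now + self.existence_time
            return "blacklisted"
        # steps 105 / 110: record the count and ask the client to update its code
        self.legal_users[client_id] = failures
        return "send_update_indication"
```

The count is kept per identification code rather than per connection, so a forger who cycles through source addresses but reuses a stolen identification code still drives that code into the blacklist; the existence time bounds how long a legitimate client whose code was abused stays locked out.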

The technical scheme provided by the embodiment further improves the reliability of protecting against network attacks on the basis of achieving the beneficial effects provided by the technical scheme shown in fig. 1.

As shown in fig. 5, the third embodiment of the present invention further provides a method for preventing a network attack, which is substantially the same as that shown in fig. 1, except that before step 101, the method may further include:

Step 112, negotiating with the client the generation manner of the network attack prevention dynamic string code.

Then, in step 101, the network attack prevention dynamic string code is one generated by the client according to the generation manner negotiated in step 112.

As shown in fig. 6, step 112 may specifically include the following steps:

Step 601, receiving a list of generation manners of the network attack prevention dynamic string code sent by the client.

In this embodiment, the list of generation manners of the network attack prevention dynamic string code may be actively reported by the client, or may be returned by the client in response to a negotiation request it receives; the details of each case are not described here.

Step 602, selecting, according to a preset selection rule, a generation manner of the network attack prevention dynamic string code from the received list.

It should be noted that, the present embodiment does not limit the selection rule, and the selection rule may be set according to needs in an actual use process.

It should also be noted that this embodiment does not limit the generation manner of the network attack prevention dynamic string code; in actual use it may be any manner, for example converting the system timestamp into the number of seconds elapsed since 1 January 1970 (the Unix epoch). The individual cases are not described here.

Step 603, sending the selected generation manner of the network attack prevention dynamic string code to the client.

Further, if the dynamic string code update period is determined by the server, step 603 also sends the dynamic string code update period to the client.

According to the technical scheme provided by the embodiment of the invention, on the basis of achieving the beneficial effects brought by the technical scheme shown in figure 1, the reliability of protecting against network attack is further improved because the generation mode of the dynamic code for preventing network attack is obtained through negotiation.

In addition, on the basis of the technical solutions of the first to third embodiments, the transmitted information may be encrypted to further improve the reliability of protection; that is, information such as the network attack prevention dynamic string code, the identification code of the client and the generation manner of the dynamic string code may be encrypted before transmission. This embodiment does not limit the specific encryption algorithm, which may be selected according to need in actual use.

In addition, as can be seen from the disclosure in the above technical solutions, the legal user information table according to the embodiment of the present invention may include, but is not limited to, the following: the identification code of a legal client, a generation mode of the dynamic serial code for preventing network attack, the time for receiving the dynamic serial code for preventing network attack for the first time, the updating period of the dynamic serial code, the error range of the receiving time of the dynamic serial code, a decryption key and the like.

Further, it should be noted that, in the embodiment of the present invention, a specific format of the legal user information table is not limited, and the content included above may be stored in any feasible manner, which is not described herein again.

Further, it should be noted that the technical solutions of the first to third embodiments are applied at the server, to protect the server against network attacks originating from a client.

As shown in fig. 7, a fourth embodiment of the present invention further provides a method for preventing a network attack, including:

step 701, generating a dynamic serial code for preventing network attack according to a preset generation mode for preventing network attack dynamic serial codes and a preset dynamic serial code update period.

Step 702, acquiring the identification code of the client.

Step 703, generating first network attack prevention verification information according to the network attack prevention dynamic string code and the identification code of the client.

Step 704, sending a data packet to the server, where the data packet carries the first network attack prevention verification information.

Further, as shown in fig. 8, after step 704 the method may further include:

step 705, receiving a string update instruction sent by the server.

Step 706, updating the network attack prevention dynamic string code according to the string code update indication, and obtaining the updated network attack prevention dynamic string code.

Step 707, generating second network attack prevention verification information according to the updated network attack prevention dynamic string code and the identification code of the client.

Step 708, sending a data packet to the server, where the data packet carries the second network attack prevention verification information.

Further, if the preset generation manner of the network attack prevention dynamic string code is specifically a generation manner of the network attack prevention dynamic string code obtained by negotiation with the server, as shown in fig. 9, before step 701, the method may further include:

step 709, send the generation mode list of preventing network attack dynamic string code to the server.

Step 710, receiving the generation manner of the network attack prevention dynamic string code selected by the server from that list.

The technical solution of this embodiment is applied at the client, to cooperate with the server's protection against network attacks originating from a client. Its specific implementation corresponds to the technical solutions of the first to third embodiments, to which reference may be made; the details are not repeated here.
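The negotiation of steps 601 to 603 together with the client-side steps 701 to 710, as an added example in Python rather than the patent's own code. "epoch_seconds" is the page's own example of converting the system timestamp to seconds since 1970; the manner names, the hex variant, the server's preference order as the preset selection rule, the update period being chosen by the server, and the reading that the client regenerates the code once the update period has elapsed are assumptions.

```python
from typing import Callable, Dict, List, Optional

# Generation manners of the dynamic string code, keyed by an assumed name.
GENERATION_MODES: Dict[str, Callable[[float], str]] = {
    "epoch_seconds": lambda now: str(int(now)),          # the page's example
    "epoch_seconds_hex": lambda now: format(int(now), "x"),  # assumed variant
}
# Preset selection rule (assumed): the server's order of preference.
SERVER_PREFERENCE: List[str] = ["epoch_seconds_hex", "epoch_seconds"]


def server_select_mode(offered: List[str], preference: List[str] = SERVER_PREFERENCE) -> str:
    """Step 602: the first preferred manner that the client also offers."""
    for mode in preference:
        if mode in offered:
            return mode
    raise ValueError("no common generation manner")


class Client:
    def __init__(self, client_id: str, supported: List[str]):
        self.client_id = client_id          # identification code (step 702)
        self.supported = supported
        self.mode: Optional[str] = None
        self.period: Optional[float] = None
        self.code: Optional[str] = None
        self.generated_at: Optional[float] = None
        self.last_payload: bytes = b""

    def generation_mode_list(self) -> List[str]:
        """Step 709 / 601: the list sent to the server."""
        return list(self.supported)

    def accept_mode(self, mode: str, period: float) -> None:
        """Step 710 / 603: adopt the manner and update period chosen by the server."""
        if mode not in self.supported:
            raise ValueError("server chose a manner the client did not offer")
        self.mode, self.period = mode, period

    def generate_code(self, now: float) -> str:
        """Step 701: generate the dynamic string code with the negotiated manner."""
        self.code = GENERATION_MODES[self.mode](now)
        self.generated_at = now
        return self.code

    def current_code(self, now: float) -> str:
        # Regenerate once the update period has elapsed (assumed reading of
        # "according to ... the preset dynamic string code update period").
        if self.code is None or now - self.generated_at >= self.period:
            self.generate_code(now)
        return self.code

    def build_packet(self, payload: bytes, now: float) -> dict:
        """Steps 703-704: verification information plus the sending time stamp."""
        self.last_payload = payload
        return {
            "verification": {"client_id": self.client_id,
                             "dynamic_code": self.current_code(now)},
            "send_ts": now,
            "payload": payload,
        }

    def on_update_indication(self, now: float) -> dict:
        """Steps 705-708: regenerate the code at once and resend the last packet."""
        self.generate_code(now)
        return self.build_packet(self.last_payload, now)


def negotiate(client: Client, update_period: float) -> str:
    """Steps 601-603 / 709-710 as one exchange; the server fixes the update period."""
    chosen = server_select_mode(client.generation_mode_list())
    client.accept_mode(chosen, update_period)
    return chosen
```

A manner such as epoch seconds yields a code that anyone who knows the manner can reproduce, so the scheme only has force when the negotiation messages and the packets are protected from eavesdropping and modification, which is what the encryption of the transmitted information suggested on this page is for.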

The method for preventing network attacks provided by this embodiment likewise relies on the server verifying the legality of the client through its identification code, which defends against attacks by counterfeit clients, and verifying the legality of the data packet through the network attack prevention dynamic string code, which defends against tampering, denial of service and similar attacks. Because the dynamic string code changes over time, verification of the data packet is more reliable, and a code intercepted by or leaked to a third party is of little use for mounting an attack. Compared with the prior art, this technical solution prevents network attacks without adding any network equipment, and thus reduces the protection cost.

As shown in fig. 10, a fifth embodiment of the present invention provides a server including:

a first obtaining module 1001, configured to obtain first network attack prevention verification information from a data packet sent by a client, where the first network attack prevention verification information includes: the network attack prevention dynamic string code and the identification code of the client;

a first verifying module 1002, configured to verify validity of the client according to the identifier of the client obtained by the first obtaining module 1001, and obtain a first verification result;

a second verifying module 1003, configured to verify, if the first verification result obtained by the first verifying module 1002 indicates that the client is legal, the validity of the data packet according to the network attack prevention dynamic string code obtained by the first obtaining module 1001, and obtain a second verification result;

a processing module 1004, configured to, if the second verification result obtained by the second verification module 1003 indicates that the data packet is legal, normally process the data packet.

Further, as shown in fig. 11, the second verifying module 1003 includes:

a first determining sub-module 1101, configured to determine, according to a preset dynamic string code update period, whether the network attack prevention dynamic string code has timed out without being updated, and obtain a first determining sub-result;

a first verification sub-module 1102, configured to, if the first determining sub-result obtained by the first determining sub-module 1101 indicates that the network attack prevention dynamic string code has timed out without being updated, determine that the second verification result is that the data packet is illegal;

a second determining sub-module 1103, configured to determine, according to a preset dynamic string code receiving time error range, whether the network attack prevention dynamic string code was received overtime, and obtain a second determining sub-result;

a second verification sub-module 1104, configured to, if the second determining sub-result obtained by the second determining sub-module 1103 indicates that the network attack prevention dynamic string code was received overtime, determine that the second verification result is that the data packet is illegal, and otherwise determine that the second verification result is that the data packet is legal.

Further, as shown in fig. 12, the server provided in the embodiment of the present invention further includes:

a record and send module 1005, configured to record, if the second verification result obtained by the second verification module 1003 indicates that the data packet is illegal, the number of times of verification failure of the data packet, and send an indication of updating the serial code to the client;

a receiving module 1006, configured to receive the data packet that is retransmitted by the client according to the serial code update indication;

the first obtaining module 1001 is further configured to obtain second network attack prevention verification information from the data packet received by the receiving module 1006, where the second network attack prevention verification information includes: the updated network attack prevention dynamic string code and the identification code of the client;

the second verifying module 1003 is further configured to verify the validity of the data packet according to the updated network attack prevention dynamic serial code obtained by the first obtaining module 1001, and obtain a third verification result;

the processing module 1004 is further configured to, if the third verification result obtained by the second verification module 1003 indicates that the data packet is legal, normally process the data packet.

Further, the recording and sending module 1005 is further configured to update and record the verification failure times of the data packet and send the string code update instruction to the client again if the third verification result obtained by the second verification module 1003 indicates that the data packet is illegal and the verification failure times of the data packet do not exceed a preset failure time threshold;

the processing module 1004 is further configured to, if the third verification result obtained by the second verification module 1003 indicates that the data packet is illegal, and the verification failure number of the data packet exceeds a preset failure number threshold, list the identification code of the client in a blacklist, and set the existence time of the identification code in the blacklist.

Further, as shown in fig. 13, the server provided in the embodiment of the present invention further includes:

a negotiation module 1007, configured to negotiate, with the client, a generation manner of the network attack prevention dynamic string code.

Further, as shown in fig. 14, the negotiation module 1007 includes:

a receiving submodule 1401, configured to receive a generation mode list for preventing a network attack dynamic string code sent by the client;

a selecting submodule 1402, configured to select, according to a preset selecting rule, a generation manner of the network attack prevention dynamic string code from the generation manner list of the network attack prevention dynamic string code received by the receiving submodule 1401;

the sending sub-module 1403 is configured to send the generation manner of the network attack prevention dynamic string code selected by the selecting sub-module 1402 to the client.

The specific implementation method of the technical solution provided by the embodiment of the present invention may be referred to the technical solutions provided in the first to third embodiments, and is not described herein again.

As shown in fig. 15, a sixth embodiment of the present invention provides a client, including:

a first generating module 1501, configured to generate a network attack prevention dynamic string according to a preset network attack prevention dynamic string generation manner and a preset dynamic string update period;

an obtaining module 1502, configured to obtain an identification code of a client;

a second generating module 1503, configured to generate first network attack prevention verification information according to the network attack prevention dynamic string code generated by the first generating module 1501 and the identification code of the client acquired by the acquiring module 1502;

a first sending module 1504, configured to send a data packet to a server, where the data packet carries the first network attack prevention verification information generated by the second generating module.

Further, as shown in fig. 16, the client according to the embodiment of the present invention further includes:

a first receiving module 1505, configured to receive a string update indication sent by the server;

the first generating module 1501 is further configured to update the network attack prevention dynamic string code according to the string code update indication received by the first receiving module 1505, and obtain an updated network attack prevention dynamic string code;

the second generating module 1503 is further configured to generate second network attack prevention verification information according to the updated network attack prevention dynamic string code obtained by the first generating module 1501 and the identification code of the client obtained by the obtaining module 1502;

the first sending module 1504 is further configured to send the data packet to a server, where the data packet carries the second network attack prevention verification information generated by the second generating module.

Further, when the preset generation manner of the network attack prevention dynamic string code is a generation manner obtained by negotiation with the server, as shown in fig. 17, the client further includes:

a second sending module 1506, configured to send a generation mode list for preventing a network attack from dynamic string code to the server;

a second receiving module 1507, configured to receive the generation manner of the network attack prevention dynamic string code selected by the server according to the generation manner list of the network attack prevention dynamic string code.

The specific implementation method provided in the embodiment of the present invention may refer to the technical solution described in the fourth embodiment of the present invention, and details are not described herein.

As shown in fig. 18, a seventh embodiment of the present invention provides a system for preventing a network attack, including: the server 1801 described in the above embodiment, and the client 1802 described in the above embodiment.

In the technical solution provided by the present invention, the legality of the client is verified through the identification code of the client, which defends against attacks by counterfeit clients, and the legality of the data packet is verified through the network attack prevention dynamic string code, which defends against tampering, denial of service and similar attacks. Because the dynamic string code changes over time, verification of the data packet is more reliable, and a code intercepted by or leaked to a third party is of little use for mounting an attack. Compared with the prior art, the technical solution provided by the embodiments of the present invention prevents network attacks without adding any network equipment, and thus reduces the protection cost.

The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by a person skilled in the art that the scope of the invention as referred to in the present application is not limited to the embodiments with a specific combination of the above-mentioned features, but also covers other embodiments with any combination of the above-mentioned features or their equivalents without departing from the inventive concept. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.
