Method And System For Protection From DDoS Attack For CDN Server Group

Abstract

A method and system for protection from DDoS attack for a CDN server group. The CDN server group includes a plurality of CDN servers and a center server. The method includes: sending by each CDN server access source information of an access request to the center server; counting by the center server the number of access requests in each CDN server; determining by the center server access requests, of which the number is greater than a predetermined threshold, corresponding to the same access source information in each CDN server as DDoS attacks, and generating by the center server a blacklist; issuing by the center server the blacklist to the plurality of CDN servers; and making the CDN servers refuse to provide a service to an access source in the blacklist. Accordingly, the CDN server group is protected against DDoS attacks from the entire network.

Claims

1. A method for protecting a CDN server group from DDoS attack, wherein said CDN server group comprises a plurality of CDN servers and a center server, the method comprising: sending access source information of an access request to the center server by each CDN server; counting the number of access requests corresponding to the same access source information in each CDN server within a period by the center server; determining access requests, of which the number is greater than a predetermined threshold, corresponding to the same access source information in each CDN server as DDoS attacks by the center server, and generating a blacklist based on the access source information of the above access requests by the center server; issuing the blacklist to the plurality of CDN servers in the CDN server group by the center server; and making the CDN servers refuse to provide a service to an access source in the blacklist.

2. The method of claim 1, wherein the access source information comprises IP information, URL information and/or Refer information.

3. The method of claim 1, wherein the CDN server group is a plurality of CDN server groups arranged on a CDN platform and classified based on different network types.

4. The method of claim 3, wherein after a center server in any one of the plurality of CDN server groups issues the blacklist to a plurality of CDN servers in said one server group, the center server selectively shares the blacklist with center servers in other CDN server groups.

5. A system for protection from DDoS attack for a CDN server group comprising a plurality of CDN servers and a center server, wherein each CDN server having at least one processor, a memory in electronic communication with the processor and instructions stored in the memory, comprises: a collecting unit implemented by the at least one processor and configured to collect access source information of an access request, a sending unit implemented by the at least one processor and configured to send the access source information to the center server, a blacklist receiving unit, and a service controlling unit implemented by the at least one processor and configured to be associated with the blacklist receiving unit, so as to refuse service provision to an access source in a blacklist; and the center server having at least one processor, a memory in electronic communication with the processor and instructions stored in the memory, comprises: a counting unit implemented by the at least one processor and configured to count the number of access requests corresponding to the same access source information in each CDN server within a period, a blacklist generating unit implemented by the at least one processor and configured to determine access requests, of which the number is greater than a predetermined threshold, corresponding to the same access source information in each CDN server as DDoS attacks, and generate a blacklist based on the access source information of the above access requests, and an issuing unit implemented by the at least one processor and configured to issue the blacklist to the blacklist receiving units in the plurality of CDN servers in the CDN server group.

6. The system of claim 5, wherein the collecting unit is an nginx module.

7. The system of claim 6, wherein the access source information comprises IP information, URL information and/or Refer information.

8. The system of claim 5, wherein the CDN server group is a plurality of CDN server groups arranged on a CDN platform and classified based on different network types.

9. The system of claim 8, wherein a center server in any one of the plurality of CDN server groups is configured to selectively share a blacklist with center servers in other CDN server groups.

10. An electronic device for protecting a CDN server group from DDoS attack, comprising: at least one processor; and a memory communicably connected with the at least one processor for storing instructions executable by the at least one processor, wherein execution of the instructions by the at least one processor causes the at least one processor to: receiving access source information of an access request from each CDN server; counting the number of access requests corresponding to the same access source information in each CDN server within a period; determining access requests, of which the number is greater than a predetermined threshold, corresponding to the same access source information in each CDN server as DDoS attacks, and generating a blacklist based on the access source information of the above access requests; issuing the blacklist to the plurality of CDN servers in the CDN server group; and making the CDN servers refuse to provide a service to an access source in the blacklist.

11. The electronic device of claim 10, wherein the access source information comprises IP information, URL information and/or Refer information.

12. The electronic device of claim 10, wherein the CDN server group is a plurality of CDN server groups arranged on a CDN platform and classified based on different network types.

13. The electronic device of claim 12, wherein execution of the instructions by the at least one processor further causes the at least one processor to selectively share the blacklist with center servers in other CDN server groups after sending the blacklist to a plurality of CDN servers in one server group.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] In order to more clearly illustrate the embodiments of the present application, figures to be used in the embodiments will be briefly introduced in the following. Apparently, figures in the following description are some embodiments of the present application, and other figures can be obtained by those skilled in the art based on these figures without inventive efforts.

[0030] FIG. 1 shows a flow chart of a method for protection from DDoS attack for a CDN server group according to an embodiment of the present application;

[0031] FIG. 2 shows a schematic structural drawing of a system for protection from DDoS attack for a CDN server group according to an embodiment of the present application;

[0032] FIG. 3 shows a schematic structural drawing of a CDN platform on which a plurality of CDN server groups shown in FIG. 2 are arranged according to an embodiment of the present application; and

[0033] FIG. 4 is a schematic structural drawing of a computer system of a terminal device or server for realizing the embodiments of the present application.

DETAILED DESCRIPTION

[0034] In order to make the purpose, technical solutions, and advantages of the embodiments of the application more clearly, technical solutions of the embodiments of the present application will be described clearly and completely in conjunction with the figures. Obviously, the described embodiments are merely part of the embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, other embodiments obtained by the ordinary skill in the art without inventive efforts are within the scope of the present application.

[0035] FIG. 1 shows a method for protection from DDoS attack for a CDN server group according to an embodiment of the present application. The CDN server group includes a plurality of CDN servers and a center server, and the method includes:

[0036] S101: sending by each CDN server access source information of an access request to the center server;

[0037] S102: counting by the center server the number of access requests corresponding to the same access source information in each CDN server within a period;

[0038] S103: determining by the center server access requests, of which the number is greater than a predetermined threshold, corresponding to the same access source information in each CDN server as DDoS attacks, and generating by the center server a blacklist based on the access source information of the above access requests;

[0039] S104: issuing by the center server the blacklist to the plurality of CDN servers in the CDN server group; and

[0040] S105: making the CDN servers refuse to provide a service to an access source in the blacklist.

[0041] The method provided by the embodiment of the present application has the following advantages.

[0042] Attack sources of DDoS attacks are marked in a blacklist, and access of all marked DDoS attack sources are rejected, so that effective protection against the DDoS attacks is realized. The center server completes identification of access of the DDoS attack sources to all CDN servers, so that resource consumption of each CDN server is reduced. Meanwhile, the access of the DDoS attack sources to the center server is avoided as all CDN servers send access source information to the center server, thereby effectively hiding and protecting the center server. After identifying an attack source of a DDoS which attacked one CDN server in a CDN server group, the center server records the DDoS attack source into a blacklist, and issues the blacklist to all CDN servers in the CDN server group, so that blacklists in all CDN servers in the CDN server group are updated synchronously, and the CDN server group is protected against DDoS attacks from the entire network. When a blacklisted DDoS attack source attempts to attack each CDN server in the CDN server group, the center server does not need to identify the DDoS attack source again, thereby reducing the resource consumption of the center server in terms of DDoS attack protection.

[0043] In the method provided by an embodiment of the present application, the access source information includes IP information, URL information and/or Refer information of access request sources. The method specifically includes: sending by each CDN server access source information of an access request to a center server; and counting by the center server the number of access requests corresponding to the same access source information in each CDN server within a period. For example, the number of access of one IP of one CDN server to said one CDN server within a period is counted; the total number of access of one URL of one CDN server to said one CDN server within a period is counted; the total number of access of one Refer of one CDN server to said one CDN server within a period is counted; and numbers of access requests of the same IP, URL and/or Refer in each CDN server are acquired by repeating the above processing.

[0044] The method further includes: determining by the center server access requests, of which the number is greater than a predetermined threshold, corresponding to the same access source information in each CDN server as DDoS attacks, and generating by the center server a blacklist based on the access source information of the above access requests. For example, the center server compares the numbers of access requests of the same IP, URL and/or Refer in each CDN server with the predetermined threshold, and determines access requests, of which the number is greater than the predetermined threshold, corresponding to the same IP, URL and/or Refer as DDoS attacks. Specifically, determining by the center server access requests, of which the number is greater than the predetermined threshold, corresponding to the same access source information in each CDN server as the DDoS attacks, and generating by the center server the blacklist based on the access source information of the above access requests includes the following sub-steps: I) presetting an IP normal threshold, comparing the number of access requests of the same IP with the IP normal threshold, and determining the access requests of the same IP as DDoS attacks when the number of the access requests of the same IP is greater than the IP normal threshold; II) presetting a URL normal threshold, comparing the number of access requests of the same URL with the URL normal threshold, and determining the access requests of the same URL as DDoS attacks when the number of the access requests of the same URL is greater than the URL normal threshold; III) presetting a Refer normal threshold, comparing the number of access requests of the same Refer with the Refer normal threshold, and determining the access requests of the same Refer as DDoS attacks when the number of the access requests of the same Refer is greater than the URL normal threshold; and IV) generating the blacklist according to the access requests, determined as DDoS attacks, of the IP, URL and/or Refer. The DDoS attack identifications in the sub-steps I), II) and III) are independent from one another, while the sub-steps I), II) and III) may be executed synchronously or progressively. The thresholds set in the above sub-steps may be reference values determined based on experience or several experiments.

[0045] The method further includes issuing by the center server the blacklist to the plurality of CDN servers in the CDN server group. For example, the center server issues the blacklist generated based on the access requests of one CDN server to other CDN servers in the CDN server group. Preferably, the center server issues the blacklist generated based on the requests of access to one CDN server to each CDN server in the CDN server group.

[0046] The method further includes making the CDN servers refuse to provide a service to an access source in the blacklist. For example, the CDN servers in the CDN server group refuse to provide a service to the IP, URL and/or Refer in the blacklist. Preferably, the CDN servers in the CDN server group refuse to provide a service to each of the IP, URL and/or Refer in the blacklist.

[0047] As an improvement of the method provided by the present embodiment, the CDN server group may be a plurality of CDN server groups arranged on a CDN platform and classified based on different network types.

[0048] Thus, the CDN platform is divided into a plurality of CDN server groups based on network types. For instance, the CDN platform includes a first network type China Telecom, a second network type China Unicom, and other telecommunication network types. So, the CDN platform is divided into a plurality of CDN server groups based on the first network type China Telecom, the second network type China Unicom, and other telecommunication network types.

[0049] In general, a DDoS attack source will attack servers in a particular network type. As the CDN platform is divided into a plurality of CDN server groups based on the network types, when CDN servers in one of CDN server groups in the CDN platform are attacked, servers in other CDN server groups can be punctually called to replace the attacked CDN servers. Thus, the CDN platform can schedule CDN servers based on monitoring of DDoS attacks to ensure normal operation of a website.

[0050] As a further optimization of the method provided by the present embodiment, after a center server in any one of the plurality of CDN server groups issues the blacklist to a plurality of CDN servers in said one server group, the center server selectively shares the blacklist with center servers in other CDN server groups.

[0051] By sending the blacklist of one of CDN server groups in the CDN platform to other CDN server groups in the CDN platform, blacklists in all CDN server groups in the CDN platform are updated synchronously, and the CDN platform is protected against DDoS attacks from the entire network. Further, when a blacklisted DDoS attack source attempts to attack each CDN server in a CDN server group, the center server does not need to identify the DDoS attack source again, thereby reducing the resource consumption of the center server in terms of DDoS attack protection.

[0052] FIG. 2 shows a system for protection from DDoS attack for a CDN server group including a plurality of CDN serves and a center server, wherein

[0053] each CDN server includes:

[0054] a collecting unit configured to collect access source information of an access request,

[0055] a sending unit configured to send the access source information collected by the collecting unit to the center server,

[0056] a blacklist receiving unit, and

[0057] a service controlling unit configured to be associated with the blacklist receiving unit, so as to refuse service provision to an access source in a blacklist; and

[0058] the center server includes:

[0059] a counting unit configured to count the number of access requests corresponding to the same access source information in each CDN server within a period,

[0060] a blacklist generating unit configured to determine access requests, of which the number is greater than a predetermined threshold, counted by the counting unit and corresponding to the same access source information in each CDN server as DDoS attacks, and generate a blacklist based on the access source information of the above access requests, and

[0061] an issuing unit configured to issue the blacklist generated by the blacklist generating unit to the blacklist receiving units in the plurality of CDN servers in the CDN server group.

[0062] The DDoS attack protecting system for the CDN server group provided by the embodiments may be a server or server cluster, wherein each unit may be a separate server or server cluster. Thus, interactions among the above units are that among the servers or server clusters corresponding to respective units, and the plurality of servers or server clusters constitute the DDoS attack protecting system for the CDN server group provided by the present application.

[0063] In an alternative embodiment, several units in the above multiple units together form a server or server cluster. For example, the collecting unit, the sending unit, the blacklist receiving unit and the service controlling unit together constitute a first server or first server cluster, and the counting unit, the blacklist generating unit and the issuing unit form a second server or second server cluster.

[0064] Here, the interaction among the above units is that between the first and second servers or the first and second server clusters, and the first and second servers or the first and second server clusters constitute the DDoS attack protecting system for the CDN server group provided by the present application.

[0065] The system provided by the embodiments of the present application has the following advantages.

[0066] Attack sources of DDoS attacks are marked in a blacklist, and access of all marked DDoS attack sources are rejected, so that effective protection against the DDoS attacks is realized. The center server completes identification of access of the DDoS attack sources to all CDN servers, so that resource consumption of each CDN server is reduced. Meanwhile, the access of the DDoS attack sources to the center server is avoided as all CDN servers send access source information to the center server, thereby effectively hiding and protecting the center server. After identifying a DDoS attack source which attacks one CDN server in a CDN server group, the center server records the DDoS attack source into a blacklist, and issues the blacklist to all CDN servers in the CDN server group, so that blacklists in all CDN servers in the CDN server group are updated synchronously, and the CDN server group is protected against DDoS attacks from the entire network. When a DDoS attack source in a blacklist attempts to attack each CDN server in the CDN server group, the center server does not need to identify the DDoS attack source again, thereby reducing the resource consumption of the center server in terms of DDoS attack protection.

[0067] It should be noted that related units may be implemented by a hardware processor.

[0068] In the method provided by an embodiment of the present application, the access source information includes IP information, URL information and/or Refer information.

[0069] As an improvement of the embodiment shown in FIG. 2, the collecting unit may be an nginx module.

[0070] FIG. 3 shows a CDN platform on which a plurality of CDN server groups shown in FIG. 2 are arranged, and the plurality of CDN server groups are arranged on the CDN platform and classified based on different network types.

[0071] In general, a DDoS attack source will attack servers in a particular network type. As the CDN platform is divided into a plurality of CDN server groups based on the network types, when CDN servers in one of CDN server groups in the CDN platform are attacked, servers in other CDN server groups can be timely called to replace the attacked CDN servers. Thus, the CDN platform can schedule CDN servers based on monitoring of DDoS attacks to ensure normal operation of a website.

[0072] As an improvement of FIG. 3, a center server in any one of the plurality of CDN server groups is configured to selectively share a blacklist with center servers in other CDN server groups.

[0073] By sending the blacklist of one of CDN server groups in the CDN platform to other CDN server groups in the CDN platform, blacklists in all CDN server groups in the CDN platform are updated synchronously, and the CDN platform is protected against DDoS attacks from the entire network. Further, when a blacklisted DDoS attack source attempts to attack each CDN server in a CDN server group, the center server does not need to identify the DDoS attack source again, thereby reducing the resource consumption of the center server in terms of DDoS attack protection.

[0074] FIG. 4 is a schematic structural drawing of a computer system of a terminal device or server for realizing each CDN server or a center server according to the embodiments of the present application. The computer system includes a central processing unit (CPU) 401 which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 402 or a program loaded to a random access memory (RAM) 403 from a storage part 408. Various programs and data required during operation of the system are also stored in the RAM 403. The CPU 401, the ROM 402 and the RAM 403 are connected with one another via a bus 404. An Input/Output (I/O) interface 405 is also connected to the bus 404.

[0075] Components connected to the Input/Output (I/O) interface 405 includes an input part 406 including a keyboard, a mouse and the like, an output part 407 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, the storage part 408 including a hard disk and the like, and a communication part 409 of network interface cards including an LAN card, a modem, etc. The communication part 409 performs communication processing via a network such as the Internet. A driver 410 is connected to the Input/Output (I/O) interface 405 as required. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is installed on the driver 410 as required so as to enable a computer program to read out from the removable medium to be installed into the storage part 408 according to the needs.

[0076] Particularly, according to the embodiments of the present application, the steps described in the above reference flow charts may be implemented as a computer program. For example, the embodiments of the present application include a computer program product including a computer program which is tangibly contained in a machine-readable medium, and the computer program includes a program code for performing the method as shown in the flow chart. In such embodiments, the computer program may be downloaded and installed from the network via the communication part 409, and/or may be installed from the removable medium 411.

[0077] In one aspect of application of the present application, system for protection from DDoS attack protecting for the CDN server group, provided by the embodiments of the present application, may be embedded in the center server of the CDN server group and the CDN servers as a functional element.

[0078] It should be noted that, embodiments of the present application and the technical features involved therein may be combined with each other in case they are not conflict with each other. Further, terms like comprise, include, and the like are to be construed as including not only the elements described, but also those elements not specifically described, or further comprising elements which are essential to such process, method, article or device. Unless the context clearly requires, throughout the description and the claims, elements defined by recitation with comprising . . . should not be construed as exclusive from the process, method, article or device comprising said elements of other equivalent elements.

[0079] The foregoing embodiments of device are merely illustrative, in which those units described as separate parts may or may not be separated physically. Displaying part may or may not be a physical unit, i.e., may locate in one place or distributed in several parts of a network. Some or all modules may be selected according to practical requirement to realize the purpose of the embodiments, and such embodiments can be understood and implemented by the skilled person in the art without inventive effort.

[0080] A person skilled in the art can clearly understand from the above description of embodiments that these embodiments can be implemented through software in conjunction with general-purpose hardware, or directly through hardware. Based on such understanding, the essence of foregoing technical solutions, or those features making contribution to the prior art may be embodied as software product stored in computer-readable medium such as ROM/RAM, diskette, optical disc, etc., and including instructions for execution by a computer device (such as a personal computer, a server, or a network device) to implement methods described by foregoing embodiments or a part thereof.

[0081] Finally, it should be noted that, the above embodiments are merely provided for describing the technical solutions of the present application, but not intended as a limitation. Although the present application has been described in detail with reference to the embodiments, those skilled in the art will appreciate that the technical solutions described in the foregoing various embodiments can still be modified, or some technical features therein can be equivalently replaced. Such modifications or replacements do not make the essence of corresponding technical solutions depart from the spirit and scope of technical solutions embodiments of the present application.