In a session between a server and a client, the server may receive malicious data flow or request sent from an attacker by means of manipulating the client or simulating the client. The malicious data flow or request may consume server resources and may impede the normal operation of the server. Therefore, for the security of the server, it is determined whether the server is suffering a malicious attack from statistics of the received packets based on the source addresses and destination addresses of the packets.
However, in the conventional technology, since a determination of the malicious attack is based on the statistics of the received packets, the determination is posterior to the malicious attack. Hence, the attacker has established enough null connections before the determination is completed and the capability of the server to accept new connections has already been adversely impacted.
In addition, for the clients accessing the server via Network Address Translation (NAT) or gateway, the source addresses of the different clients may be converted into a same address via a NAT or gateway device, and consequently the server is prone to misjudge the accesses from these clients as malicious attack due to the misjudgment from the source-address-based statistics.