CN106803824A - Protection method against random domain name query attacks - Google Patents

Protection method against random domain name query attacks

Info

Publication number
CN106803824A
Authority
CN
China
Prior art keywords
domain name
queue
queried domain name
class
rule
Legal status
Pending
Application number
CN201611184032.7A
Other languages
Chinese (zh)
Inventor
陈超
Current Assignee
INTERNET DOMAIN NAME SYSTEM BEIJING ENGINEERING RESEARCH CENTER LLC
Original Assignee
INTERNET DOMAIN NAME SYSTEM BEIJING ENGINEERING RESEARCH CENTER LLC
Priority date
2016-12-19
Filing date
2016-12-19
Publication date
2017-06-06

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a protection method against random domain name query attacks, in the field of Internet domain name technology. The method includes: classifying the query requests received by a name server according to a set of rules; assigning a processing priority and a CPU time slice to each request class; and setting a policy for discarding query requests. With the technical scheme provided by the invention, a name server that is hit by a large volume of random domain name queries can process the attack queries at reduced priority, mitigating their negative effect on normal requests.

Description

Protection method against random domain name query attacks
Technical field
The present invention relates to the field of Internet domain name systems, and in particular to a protection method against random domain name query attacks that mitigates the adverse effect on a name server when it is subjected to such an attack.
Background technology
The namespace of the DNS is very large. This is convenient for its applications, but it also brings some challenges in dealing with DNS security problems. A sufficiently large namespace means that enough random domain names can be constructed to consume server resources that should have been spent resolving real domain names. Consequently, a denial-of-service attack known as the nonsense names (random domain name) attack has come into use.
The nonsense names attack sends a large number of randomly generated domain name queries to a name server in order to consume its resources, so that normal queries cannot be processed in time, or are not processed at all, thereby achieving a denial of service.
Existing mechanisms such as SERVFAIL handling and per-IP or per-domain rate limiting still let through the part of the attack traffic that disguises itself as normal requests, and blacklisting is of no help against this kind of domain name attack, so random domain name queries cannot be effectively limited.
Summary of the invention
To solve the above technical problems, the invention provides a protection method against random domain name query attacks, characterised in that the method includes:
classifying the queried domain names according to a preset classification policy to obtain at least one class of domain name queue;
scheduling the domain name queues according to a preset scheduling policy, and processing the domain names in the domain name queues.
Preferably, classifying the queried domain names according to the preset classification policy includes:
formulating at least one rule according to a preset standard and setting a corresponding information entropy value for it;
comparing the domain name against the rules one by one and, for each rule that matches, adding that rule's information entropy value to the entropy of the domain name;
determining the class of the domain name according to its entropy.
Preferably, formulating at least one rule according to a preset standard includes:
taking the class of domain names that exhibit none of the chaotic features and match none of the rules as the standard, and setting its information entropy to 0;
formulating at least one rule according to that standard.
Preferably, classifying the queried domain names according to the preset classification policy also includes:
presetting the number of classes of queried domain names;
setting different processing priorities for the different classes.
Preferably, obtaining at least one class of domain name queue includes:
allocating a separate queue to each class of domain names;
wherein the queue holds the data structures of the domain names in chronological order.
Preferably, obtaining at least one class of domain name queue also includes:
within each queue, giving domain names with an earlier arrival time a higher processing priority.
Preferably, scheduling the domain name queues according to the preset scheduling policy includes:
assigning each domain name queue a weight for its CPU time quota;
a thread selecting a queried domain name from the corresponding domain name queue according to the weights.
Preferably, the thread selecting a queried domain name from the corresponding domain name queue according to the weights includes:
the thread generating a random number before processing;
selecting a domain name queue according to the random number.
Preferably, the method also includes:
when the selected domain name queue is empty, selecting a queried domain name from the queue that is next lower in priority and closest to this class.
Preferably, the method also includes:
when the traversal reaches the lowest-priority domain name queue without finding a queried domain name, the thread returns to its initial state, regenerates a random number and selects a domain name queue again.
Compared with the prior art, the protection method provided by the invention uses text classification techniques, which continue to develop, to help the name server prioritise query requests according to domain name quality and so reduce the impact of an attack. At the same time, it takes into account the risk of misclassification during the classification process and sets conditions under which requests are discarded when server load is high.
Brief description of the drawings
Fig. 1 is a flow chart of the protection method against random domain name query attacks in one embodiment of the invention;
Fig. 2 is a flow chart of the method for classifying queried domain names according to a preset classification policy in one embodiment of the invention;
Fig. 3 is a flow chart of the method for scheduling domain name queues according to a preset scheduling policy in one embodiment of the invention.
Detailed description of embodiments
To help those skilled in the art better understand the technical scheme, the invention is described in further detail below with reference to the drawings and specific embodiments.
A random domain name attack directs a large number of randomly generated domain name queries at a name server. Such attacks are usually targeted, so the generated names typically fall under a particular zone, for example names under 1.com such as 2dajhbn-xcna8o7wbgesw.1.com and 8djeyvzsoe783owxbfj67395.1.com.
Before a query completes, the server has almost no way of telling whether these domain names exist. If it resolves them, the resources consumed are spent on worthless work. Blacklisting is of no help against such an attack, because the huge namespace offers an inexhaustible supply of random domain names. In addition, these names may evict cached entries for normal domain names. In the end, the server's resources are swallowed by nonsense names and the queries of legitimate users cannot be resolved.
The method for countering random domain names provided by the embodiments of the invention is based on the premise that random domain names differ from normal, meaningful domain names in certain features (such as the probability distribution of the characters used). Based on these feature differences, all domain names received can be classified.
Referring to Fig. 1, one embodiment of the invention provides a protection method against random domain name query attacks, which includes:
S110: classify the queried domain names according to a preset classification policy to obtain at least one class of domain name queue.
The classification policy sorts different domain names into different classes and assigns the sorted classes different processing priorities, so that when query requests have to be dropped, they can be dropped in a gentler, graded way.
Specifically, referring to Fig. 2, classifying the queried domain names according to a preset classification policy includes:
S210: formulate at least one rule according to a preset standard and set a corresponding information entropy value for it.
Specifically, the class of domain names that exhibit none of the chaotic features and match none of the rules is taken as the standard, and its information entropy is set to 0;
at least one rule is formulated according to that standard.
A lower information entropy corresponds to a higher priority level. The entropy is a measure of how chaotic a domain name is; it determines the class the domain name is finally assigned to and serves as the basis for resisting chaotic domain name attacks.
S220: compare the domain name against the rules one by one and, for each rule that matches, add that rule's information entropy value to the entropy of the domain name.
Every domain name is scanned and compared against the configured rules. If a rule is satisfied, the entropy value set for that rule is added to the entropy of the domain name; if not, the comparison proceeds to the next rule. When the comparison is complete, the total entropy of the domain name has been obtained.
S230: determine the class of the domain name according to its entropy.
Different entropy ranges are mapped to different classes, so the domain name is placed in the class corresponding to its entropy, and thereby in the corresponding processing priority level.
The domain names are classified using text classification techniques. The class of domain names that exhibit none of the chaotic features and match none of the rules can be taken as the standard, with its entropy set to 0.
A value is set for each rule formulated, and when a domain name satisfies the rule, that value is added to its entropy.
Optionally, the entropy can be calculated while the name server receives the query request and scans the domain name.
Taking the protection policy of a BIND name server as an example, and with performance and reduced implementation complexity in mind, the method of calculating the entropy is predefined.
When setting the domain name classification policy,
the number of classes of queried domain names is preset;
different processing priorities are set for the different classes.
Specifically, the policy divides domain names into 8 classes numbered 0 to 7, where class 0 names are considered the least chaotic and class 7 names the most chaotic. Under the policy, class 0 has the highest processing priority and class 7 the lowest.
When higher- and lower-priority domain names flood into the server at the same time, the higher-priority ones are processed faster, while the lower-priority ones are processed later or even dropped. When all the requests received have the same priority, even class 7 domain names are processed promptly and normally.
A reference setting for the classes and their entropy values is given below.
The entropy is calculated by examining the following aspects of the domain name:
1) The number of alternations between letters and digits, with a weight of 16 per alternation. Alternations up to 2 are not counted; beyond that the entropy is calculated from the actual count. For example, aa11bb22.cn alternates 4 times, which ultimately adds 32 to the entropy (obtained as 16 * (4 - 2)).
2) The ratio of digits to letters, with a weight of 16. The condition is that the number of digit characters exceeds the number of letters.
3) The number of consecutive vowels, with a weight of 32. The condition is more than 3 consecutive vowels.
4) The number of consecutive consonants, with a weight of 32. The condition is more than 4 consecutive consonants.
5) The number of consecutive digit characters, with a weight of 32. The condition is more than 5 consecutive digits.
6) Whether there are many hyphens, with a weight of 32. The condition is more than 3 hyphens that make up half or more of the total characters.
7) Whether the domain name has many labels, with a weight of 4. The condition is more than 63 labels.
8) The actual frequency of each character in the domain name: the ranking of the characters by frequency within this domain name is compared against a standard frequency list (such as one derived from statistics on the domain name list published by alexa.com), and the number of inversions (pairs out of order) in the resulting permutation is counted, with a weight of 1 per inversion.
For encoded domain names no specific classification is given for the time being; actual statistics would be needed to formulate a unified classification level. Because such queries occur relatively rarely, subdividing their level is omitted.
The weights above are the entropy values added to the domain name when the corresponding condition is met. Items 1 and 8 can accumulate repeatedly. Thus, after a query request is received, the whole domain name is scanned once to obtain its entropy, which is then mapped to a class and handed to the modified BIND task system for processing in priority order.
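The rule list above, implemented as an added example that is not the patent's or BIND's code: it scores a name under rules 1 to 8 and maps the score to the 8 classes of the embodiment. The class thresholds, the reference character order used by rule 8 and its tie-breaking, and counting runs (rules 3 to 5) within a single label are assumptions, since the page gives no table for them.

```python
"""Rule-based "entropy" scoring and 8-class mapping of queried domain names.

Added example following the patent's rule list; not the patent's or BIND's code.
Assumptions not given on the page: ENTROPY_CLASS_BOUNDS, the constructed
STANDARD_CHAR_ORDER standing in for a reference frequency list, rule 8 ties
broken by that order, and runs (rules 3 to 5) counted within one label while
letter/digit alternations (rule 1) are counted across the whole name.
"""
import string

VOWELS = set("aeiou")
CONSONANTS = set(string.ascii_lowercase) - VOWELS

# Constructed stand-in for the reference frequency ranking of rule 8 (most
# common character first). The patent points at statistics over a public
# domain list; no such list is embedded here.
STANDARD_CHAR_ORDER = "eaoirntslcumdphgbyfvkwzxjq0123456789-"

# Assumed mapping: class i if entropy <= ENTROPY_CLASS_BOUNDS[i], else class 7.
ENTROPY_CLASS_BOUNDS = (15, 31, 63, 95, 127, 191, 255)


def longest_run(text, pred):
    """Length of the longest run of consecutive characters satisfying pred."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if pred(ch) else 0
        best = max(best, cur)
    return best


def count_alternations(body):
    """Rule 1 helper: letter<->digit switches between adjacent alphanumerics.
    For aa11bb22cn this is 4 (a->1, 1->b, b->2, 2->c), as in the patent."""
    kinds = [ch.isdigit() for ch in body if ch.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def count_inversions(body):
    """Rule 8: rank this name's characters by frequency, compare that ranking
    with STANDARD_CHAR_ORDER and count the pairs that are out of order."""
    freq = {}
    for ch in body:
        if ch in STANDARD_CHAR_ORDER:
            freq[ch] = freq.get(ch, 0) + 1
    observed = sorted(freq, key=lambda c: (-freq[c], STANDARD_CHAR_ORDER.index(c)))
    ranks = [STANDARD_CHAR_ORDER.index(c) for c in observed]
    return sum(1 for i in range(len(ranks))
               for j in range(i + 1, len(ranks)) if ranks[i] > ranks[j])


def domain_entropy(name):
    """Sum the weights of every rule the name satisfies; rules 1 and 8 scale
    with their counts, the others add a fixed weight once."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    body = name.replace(".", "")
    letters = sum(ch.isalpha() for ch in body)
    digits = sum(ch.isdigit() for ch in body)
    hyphens = body.count("-")
    entropy = 0

    alt = count_alternations(body)                     # rule 1: 16 per alternation beyond 2
    if alt > 2:
        entropy += 16 * (alt - 2)
    if digits > letters:                               # rule 2: more digits than letters
        entropy += 16
    if max(longest_run(lab, lambda c: c in VOWELS) for lab in labels) > 3:      # rule 3
        entropy += 32
    if max(longest_run(lab, lambda c: c in CONSONANTS) for lab in labels) > 4:  # rule 4
        entropy += 32
    if max(longest_run(lab, str.isdigit) for lab in labels) > 5:                # rule 5
        entropy += 32
    if hyphens > 3 and 2 * hyphens >= len(body):       # rule 6: >3 hyphens, half the chars or more
        entropy += 32
    if len(labels) > 63:                               # rule 7: very many labels
        entropy += 4
    entropy += count_inversions(body)                  # rule 8: 1 per inversion
    return entropy


def domain_class(name):
    """Map entropy to one of 8 classes: 0 = least chaotic, 7 = most chaotic."""
    entropy = domain_entropy(name)
    for cls, bound in enumerate(ENTROPY_CLASS_BOUNDS):
        if entropy <= bound:
            return cls
    return 7


if __name__ == "__main__":
    for n in ("www.example.com", "aa11bb22.cn", "8djeyvzsoe783owxbfj67395.1.com"):
        print(f"{n:35s} entropy={domain_entropy(n):4d} class={domain_class(n)}")
```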
Obtaining at least one class of domain name queue includes:
allocating a separate queue to each class of domain names, in which the data structures of the domain names are held in chronological order. If the number of domain names in a queue reaches its maximum capacity, further waiting domain names are dropped. In terms of priority, a lower class number means a higher priority. Within a queue, the domain name at the head (the earliest in time) has the higher priority.
S120: schedule the domain name queues according to a preset scheduling policy and process the domain names in the queues.
A scheduling algorithm is chosen to process the domain name query requests of the different classes with distinct priorities while adding some fault tolerance. Such an algorithm processes the lower-entropy domain name queries preferentially, but also processes domain names of the lower-priority classes with a certain probability. When there are few low-entropy domain names, the higher-entropy ones get more chances to be processed.
Specifically, referring to Fig. 3, scheduling the domain name queues according to a preset scheduling policy includes:
S310: assign each domain name queue a weight for its CPU time quota.
Specifically, each class's queue is assigned a CPU time slice quota weight, which determines how often that queue is scheduled.
S320: a thread selects a queried domain name from the corresponding domain name queue according to the weights.
Specifically, before a thread processes a query it first generates a random number, and the interval the number falls into determines which queue a request is taken from. Taking 3 queues with weights 3, 2 and 1 as an example, the random number is drawn from the 6 integers 0 to 5: the interval 0 to 2 corresponds to queue 1, 3 to 4 to queue 2, and 5 to queue 3.
Optionally, when the selected queue is empty (has no such request), a request is taken from the queue that is next lower in priority and closest to this class. If the traversal reaches the highest-numbered queue without finding a request, the thread returns to its initial state and regenerates a random number to choose again. This ensures that when no higher-quality domain name query is pending, the current query is effectively given high priority.
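The weighted random selection of S310/S320, together with the empty-queue fall-through and the capacity drop described for the per-class queues, as an added example (not the patent's or BIND's code). The queue capacity, the random source, the 0-based queue indices and returning None when every queue is empty are assumptions.

```python
"""Weighted random scheduling over per-class domain name queues.

Added example of the dispatch in S310/S320; not the patent's or BIND's code.
Assumptions not given on the page: the per-queue capacity, Python's random
module as the random source, and returning None (instead of redrawing
forever) when every queue is empty. Queue indices are 0-based here; the
patent's worked example numbers its three queues 1 to 3.
"""
from collections import deque
import random


class ClassQueues:
    def __init__(self, weights, capacity=1000, rng=None):
        # One FIFO per class, class 0 (highest priority) first; arrival order is kept.
        self.weights = list(weights)
        self.queues = [deque() for _ in self.weights]
        self.capacity = capacity
        self.dropped = 0
        self.rng = rng if rng is not None else random.Random()
        # Cumulative interval bounds: weights [3, 2, 1] -> bounds [3, 5, 6], so
        # random numbers 0..2 pick queue 0, 3..4 pick queue 1 and 5 picks queue 2.
        self.bounds = []
        total = 0
        for w in self.weights:
            total += w
            self.bounds.append(total)

    def enqueue(self, cls, name):
        """Append a classified query; drop it when its class queue is full."""
        q = self.queues[cls]
        if len(q) >= self.capacity:
            self.dropped += 1
            return False
        q.append(name)
        return True

    def queue_for_number(self, n):
        """Map a random integer in [0, sum(weights)) to the queue whose interval holds it."""
        for idx, bound in enumerate(self.bounds):
            if n < bound:
                return idx
        raise ValueError(f"{n} is outside 0..{self.bounds[-1] - 1}")

    def pick(self):
        """Draw a random number and take the head of the chosen queue; if that
        queue is empty, fall through to the nearest lower-priority queue, and if
        the last queue is reached without a request, redraw (initial state)."""
        if not any(self.queues):
            return None
        while True:
            start = self.queue_for_number(self.rng.randrange(self.bounds[-1]))
            for idx in range(start, len(self.queues)):
                if self.queues[idx]:
                    return idx, self.queues[idx].popleft()
            # Only queues above `start` hold requests: back to the initial state.


def process_budget(queues, budget):
    """Serve up to `budget` queries and return how many came from each class."""
    served = [0] * len(queues.queues)
    for _ in range(budget):
        picked = queues.pick()
        if picked is None:
            break
        served[picked[0]] += 1
    return served


if __name__ == "__main__":
    # Constructed flood: 8 classes as in the embodiment, weights favouring low entropy.
    cq = ClassQueues(weights=[8, 7, 6, 5, 4, 3, 2, 1], capacity=500, rng=random.Random(1))
    for i in range(400):
        cq.enqueue(0, f"host{i}.example.com")        # constructed "good" names
    for i in range(2000):
        cq.enqueue(7, f"x{i}q9z7.1.com")             # constructed random-looking names
    print("dropped at enqueue:", cq.dropped)         # 1500 class-7 names exceed capacity
    print("served per class  :", process_budget(cq, 600))
```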
When processing the domain names in the queues, in the ideal case random domain name requests have a relatively low priority and do not affect the query requests for high-quality (low-entropy) domain names. Lower-quality domain name requests are dropped only when the volume of higher-quality domain name requests is also very large.
The protection method against random domain name query attacks provided by the embodiments of the invention classifies and schedules the queried domain names, so that random domain names can be separated from the request queue and handled by discarding or similar measures. Prioritised processing increases the fault tolerance of the processing and discards requests in a gentler way, helping the name server prioritise query requests by domain name quality and reducing the impact of an attack.
It is to be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the invention, and the invention is not limited to them. Those skilled in the art can make various changes and modifications without departing from the spirit and essence of the invention, and such changes and modifications are also considered to fall within the protection scope of the invention.

Claims (10)

1. A protection method against random domain name query attacks, characterised in that the method includes:
classifying the queried domain names according to a preset classification policy to obtain at least one class of domain name queue;
scheduling the domain name queues according to a preset scheduling policy, and processing the domain names in the domain name queues.
2. The method according to claim 1, characterised in that classifying the queried domain names according to a preset classification policy includes:
formulating at least one rule according to a preset standard and setting a corresponding information entropy value for it;
comparing the domain name against the rules one by one and, for each rule that matches, adding that rule's information entropy value to the entropy of the domain name;
determining the class of the domain name according to its entropy.
3. The method according to claim 2, characterised in that formulating at least one rule according to a preset standard includes:
taking the class of domain names that exhibit none of the chaotic features and match none of the rules as the standard, and setting its information entropy to 0;
formulating at least one rule according to that standard.
4. The method according to claim 1, characterised in that classifying the queried domain names according to a preset classification policy also includes:
presetting the number of classes of queried domain names;
setting different processing priorities for the different classes.
5. The method according to claim 1, characterised in that obtaining at least one class of domain name queue includes:
allocating a separate queue to each class of domain names;
wherein the queue holds the data structures of the domain names in chronological order.
6. The method according to claim 5, characterised in that obtaining at least one class of domain name queue also includes:
within each queue, giving domain names with an earlier arrival time a higher processing priority.
7. The method according to claim 1, characterised in that scheduling the domain name queues according to a preset scheduling policy includes:
assigning each domain name queue a weight for its CPU time quota;
a thread selecting a queried domain name from the corresponding domain name queue according to the weights.
8. The method according to claim 7, characterised in that the thread selecting a queried domain name from the corresponding domain name queue according to the weights includes:
the thread generating a random number before processing;
selecting a domain name queue according to the random number.
9. The method according to claim 7, characterised in that the method also includes:
when the selected domain name queue is empty, selecting a queried domain name from the queue that is next lower in priority and closest to this class.
10. The method according to claim 9, characterised in that the method also includes:
when the traversal reaches the lowest-priority domain name queue without finding a queried domain name, the thread returns to its initial state, regenerates a random number and selects a domain name queue again.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611184032.7A CN106803824A (en) 2016-12-19 2016-12-19 Protection method against random domain name query attacks

Publications (1)

Publication Number Publication Date
CN106803824A true CN106803824A (en) 2017-06-06

Family

ID=58984016

Country Status (1)

Country Link
CN (1) CN106803824A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101854404A (en) * 2010-06-04 2010-10-06 中国科学院计算机网络信息中心 Method and device for detecting anomaly of domain name system
US20110185425A1 (en) * 2010-01-22 2011-07-28 National Taiwan University Of Science & Technology Network attack detection devices and methods
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN103001825A (en) * 2012-11-15 2013-03-27 中国科学院计算机网络信息中心 Method and system for detecting DNS (domain name system) traffic abnormality
CN105897714A (en) * 2016-04-11 2016-08-24 天津大学 Botnet detection method based on DNS (Domain Name System) flow characteristics

Non-Patent Citations (1)

Title
郑黎明 等 (Zheng Liming et al.): "基于多维熵值分类的骨干网流量异常检测研究" (Research on backbone network traffic anomaly detection based on multidimensional entropy classification), 《计算机研究与发展》 (Journal of Computer Research and Development) *

Cited By (3)

Publication number Priority date Publication date Assignee Title
CN109194605A (en) * 2018-07-02 2019-01-11 中国科学院信息工程研究所 A kind of suspected threat index Proactive authentication method and system based on open source information
CN109194605B (en) * 2018-07-02 2020-08-25 中国科学院信息工程研究所 Active verification method and system for suspicious threat indexes based on open source information
CN114726625A (en) * 2022-04-08 2022-07-08 Oppo广东移动通信有限公司 Detection method and device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170606