CN101789940A - Method for preventing flood attack of DNS request message and device thereof - Google Patents


Info

Publication number: CN101789940A
Application number: CN201010102758A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 李晗, 马德晓, 高燕平
Original assignee and current assignee: Lenovo Wangyu Technology Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Priority date, filing date, publication date: not shown on the page (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Application filed by Lenovo Wangyu Technology Beijing Co Ltd; priority to CN201010102758A; publication of CN101789940A.


Abstract

The invention discloses a method and a device for defending against DNS request message flood attacks. The method comprises the following steps: a DNS server side receives a DNS request message sent by a DNS client; the DNS server side parses the DNS request message to obtain the domain name that the message carries and asks to have resolved; and, according to a preset domain name resolution condition, the DNS server side judges whether the domain name is legitimate, and when the domain name is one that is not permitted to be resolved, resolution of that domain name is refused. The invention improves the ability to defend against DNS request message flood attacks.

Description

Method and device for defending against DNS request message flood attacks
Technical field
The present invention relates to the field of network security technology, and in particular to a method and a device for defending against DNS request message flood attacks.
Background art
The Domain Name System (DNS) is a distributed database used by TCP/IP applications; it provides translation between domain names and IP addresses. Through DNS, users can work with easy-to-remember domain names, which the DNS servers in the network resolve to the correct IP addresses.
Usually, a DNS client obtains the IP address corresponding to a domain name by sending a DNS request message (DNS Query) to a DNS server. After receiving the DNS request message, the DNS server looks up the requested domain name, and sometimes has to query a higher-level DNS server in turn. Once the DNS server finally obtains the IP address corresponding to the domain name requested by the client, it sends a DNS response message (DNS Reply) to notify the DNS client, which can then request network services from that IP address. It follows that once a DNS server comes under attack, people's normal use of the network is severely affected.
A DNS request message flood (DNS Query Flood) attack is a kind of UDP flood based on a specific application protocol: the attacker sends a large number of domain name resolution requests to the DNS server, causing it to become seriously overloaded and unable to keep responding to DNS requests from normal users, which is the purpose of the attack. In general, the DNS requests sent by the attacker are for randomly generated domain names that do not exist in the network at all. When the attacked DNS server receives such a request it attempts to resolve the domain name; resolution fails, and the DNS server then submits the resolution request to its higher-level DNS server through a recursive query, which in turn forms an attack on the higher-level DNS server and produces a chain reaction. The domain name resolution process places a heavy load on the DNS server, and once the server's domain name resolution threshold is exceeded, resolution times out and the server becomes paralysed.
To protect DNS servers and thereby guarantee normal use of the network, DNS Query Flood defence techniques have been developed. The defence techniques commonly used in the prior art include DNS caching, a domain name reputation mechanism, and a challenge-retransmission mechanism, all deployed on a protection device. Their working principles are as follows:
(1) DNS caching on the protection device
When no attack is detected, the protection device actively learns domain name resolution results and records the correspondence between domain names and IP addresses, building up a DNS cache. When an attack is detected and the protection device receives a domain name resolution request, it first queries the DNS cache and answers the resolution request from the query result; requests for domain names not in the DNS cache are handed to the DNS server for resolution, and the result is recorded in the DNS cache, thereby reducing the load on the DNS server.
(2) Domain name reputation mechanism on the protection device
When no attack is detected, the protection device actively learns domain name resolution results, counting for each domain name the number of resolutions and the number of failed resolutions, and builds a domain name reputation mechanism from them: when the resolution failure count of a domain name, or the number of requests for the same domain name, exceeds a certain value, the reputation level of that domain name is lowered accordingly. When an attack is detected and the protection device receives a domain name resolution request, it consults the domain name reputation level table and, according to the reputation mechanism, filters out part of the resolution requests; it also restricts the bandwidth of the source IP addresses that initiate resolution requests for low-reputation domain names.
(3) Challenge-retransmission mechanism on the protection device
The protection device discards the first DNS request message that a client sends over UDP and forces the client to repeat the DNS request over TCP, so that the IP address of the domain name can only be resolved after a retransmission.
However, research has found at least the following problems in the prior art:
For the DNS Flood attacks with forged source IP addresses that currently account for the majority of DNS Floods, the domain names in the resolution requests all vary randomly; since these domain names basically do not exist, the DNS cache has no effect at all. The domain name reputation mechanism either discards all requests for low-reputation domain names or filters out only part of them and hands the rest to the DNS server for resolution: discarding all of them affects the DNS requests of some normal users, while filtering out only part still puts great pressure on the server and cannot protect it well. In addition, building the domain name reputation mechanism requires a long learning period, the reputation assessment algorithm is complex, and its assessment results directly affect the validity of the defence. The third technique easily makes the network hard for users to use, and if the domain name resolution server has DNS resolution over TCP disabled, challenge-retransmission results in the domain name not being resolved at all.
It can be seen that the prior art cannot achieve an effective defence against DNS Flood attacks.
Summary of the invention
In view of this, embodiments of the invention provide a method and a device for defending against DNS request message flood attacks, so as to improve the ability to defend against such attacks.
An embodiment of the invention provides a method for defending against DNS request message flood attacks, the method comprising:
the DNS server side receives a DNS request message sent by a DNS client;
the DNS server side parses the DNS request message to obtain the domain name that the message carries and asks to have resolved;
the DNS server side judges the legitimacy of the domain name according to a preset domain name resolution condition, and when the domain name is one that is not permitted to be resolved, refuses resolution of the domain name.
Preferably, the DNS server side judging the legitimacy of the domain name according to the preset domain name resolution condition comprises:
presetting a domain name blacklist, the domain names contained in the blacklist being domain names that are not permitted to be resolved;
matching the domain name to be resolved against the domain names in the domain name blacklist;
when the domain name to be resolved is contained in the domain name blacklist, judging that the domain name to be resolved is one that is not permitted to be resolved.
Preferably, the DNS server side judging the legitimacy of the domain name according to the preset domain name resolution condition comprises:
presetting a resolution frequency threshold for the domain name to be resolved;
judging whether the resolution frequency of each domain name exceeds the preset resolution frequency threshold, and if so, directly discarding the DNS request messages that exceed the resolution frequency threshold.
Preferably, the method further comprises:
setting the preset resolution frequency threshold to a uniform value for all domain names;
judging whether the resolution frequency of each domain name exceeds the preset uniform resolution frequency threshold, and if so, directly discarding the DNS request messages that exceed the uniform resolution frequency threshold.
Preferably, the DNS server side comprises a DNS server or a DNS proxy.
A device for defending against DNS request message flood attacks, the device comprising:
a receiving module, used by the DNS server side to receive the DNS request message sent by the DNS client;
a message parsing module, used by the DNS server side to parse the DNS request message and obtain the domain name that the message carries and asks to have resolved;
a legitimacy judging module, used by the DNS server side to judge the legitimacy of the domain name according to the preset domain name resolution condition, and to refuse resolution of the domain name when it is one that is not permitted to be resolved.
Preferably, the legitimacy judging module comprises:
a blacklist presetting submodule, used to preset the domain name blacklist, the domain names contained in the blacklist being domain names that are not permitted to be resolved;
a matching submodule, used to match the domain name to be resolved against the domain names in the domain name blacklist;
a first judging submodule, used to judge that the domain name to be resolved is one that is not permitted to be resolved when it is contained in the domain name blacklist.
Preferably, the legitimacy judging module comprises:
a resolution frequency obtaining submodule, used to obtain the resolution frequency of the domain name to be resolved;
a second judging submodule, used to judge whether the resolution frequency exceeds the preset resolution frequency threshold, and if so, to directly discard the DNS request messages that exceed the resolution frequency threshold.
Preferably, the device further comprises:
a uniform resolution frequency threshold setting module, used to set the preset resolution frequency threshold to a uniform value for all domain names;
a third judging submodule, used to judge whether the resolution frequency of each domain name exceeds the preset uniform resolution frequency threshold, and if so, to directly discard the DNS request messages that exceed the uniform resolution frequency threshold.
Preferably, the DNS server side comprises a DNS server or a DNS proxy.
Compared with the prior art, the technical scheme provided by the invention presets a domain name resolution condition and judges the legitimacy of the domain name to be resolved according to that condition: only when the domain name to be resolved is determined to be one that is permitted to be resolved is the DNS server allowed to resolve it; otherwise the corresponding DNS request message is discarded directly and resolution of that domain name is refused. Thus, when a DNS request message flood attack occurs, a targeted defence can be mounted for specified domain names, the DNS server is effectively protected, and the serious consequence of a network interruption is avoided.
Description of drawings
To illustrate the technical scheme of the embodiments of the invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the steps of a method for defending against DNS request message flood attacks provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a device for defending against DNS request message flood attacks provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of one structure of the legitimacy judging module in Fig. 2;
Fig. 4 is a schematic diagram of another structure of the legitimacy judging module in Fig. 2.
Detailed description of the embodiments
The technical scheme in the embodiments of the invention is described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
First, the method for defending against DNS request message flood attacks provided by the invention is described. With reference to Fig. 1, the method may comprise the following steps:
Step 101: the DNS server side receives a DNS request message sent by a DNS client;
Step 102: the DNS server side parses the DNS request message to obtain the domain name that the message carries and asks to have resolved;
Step 103: the DNS server side judges the legitimacy of the domain name according to a preset domain name resolution condition, and when the domain name is one that is not permitted to be resolved, refuses resolution of the domain name.
The technical scheme provided by the invention presets a domain name resolution condition and judges the legitimacy of the domain name to be resolved according to that condition: only when the domain name to be resolved is determined to be one that is permitted to be resolved is the DNS server allowed to resolve it; otherwise the corresponding DNS request message is discarded directly and resolution of that domain name is refused. Thus, when a DNS request message flood attack occurs, a targeted defence can be mounted for specified domain names, the DNS server is effectively protected, and the serious consequence of a network interruption is avoided.
To facilitate further understanding of the invention, it is described below in conjunction with specific embodiments.
In a preferred embodiment of the invention, the DNS server side judging the legitimacy of the domain name according to the preset domain name resolution condition can be realised in the following concrete way:
presetting a domain name blacklist, the domain names contained in the blacklist being domain names that are not permitted to be resolved;
matching the domain name to be resolved against the domain names in the domain name blacklist;
when the domain name to be resolved is contained in the domain name blacklist, judging that the domain name to be resolved is one that is not permitted to be resolved.
In this embodiment, the domain name blacklist is the set of domain names not permitted to be resolved that is configured on the DNS server side; every domain name in it is one that is not permitted to be resolved. In a specific implementation, those skilled in the art can preset the domain name blacklist in the form of a configuration list, or of course in some other form; the invention places no specific restriction on this.
After the DNS server side receives the DNS request message sent by the DNS client, it first parses the message to obtain the domain name that the message carries and asks to have resolved. Having obtained that domain name, the DNS server side does not resolve it directly but first matches it against the domain names in the domain name blacklist, to verify whether it is a domain name that is not permitted to be resolved. If the domain name is found in the blacklist, it is determined to be one that is not permitted to be resolved, resolving it is an illegitimate operation, and resolution of the domain name is refused; concretely, the DNS request message can be left unprocessed, or the DNS request message containing that domain name can be discarded directly. If the domain name is not found in the blacklist, it is determined to be one that is permitted to be resolved, resolving it is a legitimate operation, and the DNS server side is allowed to resolve it.
Usually, the domain names that appear in the blacklist can be determined as follows: while no protection is being applied, statistical learning is performed on the domain names requested for resolution to find which domain names are ones that are not permitted to be resolved; these domain names are added to the domain name blacklist, so that resolving them is defined as an illegitimate operation and resolution of the domain names appearing in the blacklist is restricted.
Embodiments of the invention can be applied on a device located between the network users and the DNS server, to protect the DNS server. When the domain name blacklist is configured on that device and a certain domain name is added to it, then whenever a user sends a DNS request for that domain name, the device discards the request message, so the DNS server never has to resolve that domain name.
This blacklist approach is mainly used to protect against attacks by certain attack tools. For example, the user side initiates DNS request messages at random for domain names that do not actually exist. When the DNS server has no protection, such a message is sent to the DNS server for resolution; even after resolution is attempted, no IP address for the domain name can be obtained, and the resolution process instead wastes a large amount of the DNS server's resources, and in serious cases interferes with the resolution of the normal DNS requests the server receives. With the technical scheme of the embodiments of the invention, such a domain name can be added directly to the device's domain name blacklist, so the legitimacy of the domain name to be resolved can be determined quickly; DNS request messages containing the domain name are discarded on the protection device and never reach the DNS server, which relieves the server's resolution burden and thus protects it.
In another preferred embodiment of the invention, the DNS server side judging the legitimacy of the domain name according to the preset domain name resolution condition can be realised in the following concrete way:
obtaining the resolution frequency of the domain name to be resolved;
judging whether the resolution frequency exceeds the preset resolution frequency threshold, and if so, directly discarding the DNS request messages that exceed the resolution frequency threshold.
In this embodiment of the invention, a DNS flood attack on a specific domain name is defended against by limiting the resolution frequency of the domain name. Here, the resolution frequency of a domain name usually refers to the number of DNS request messages resolved per second, and the resolution frequency threshold refers to the number of DNS request messages allowed to be resolved per second; usually the resolution frequency threshold is determined by the resolution capacity of the DNS server. If, within a short time, the resolution frequency of the current domain name is found to exceed the preset resolution frequency threshold, then even though the domain name in these DNS request messages is one that is permitted to be resolved, the resolution frequency must be prevented from exceeding the server's resolution capacity and causing the DNS server to become paralysed or even the network to be interrupted. Therefore, during the defence, the DNS server side actively monitors the resolution frequency of each domain name to be resolved and judges whether the resolution frequency of the current domain name exceeds the preset threshold; if it does, the DNS request messages exceeding the resolution frequency threshold are discarded directly, so that the DNS server is prevented from resolving them and from the paralysis of the server or interruption of the network that would result.
For example, suppose the preset resolution frequency threshold for "www.baidu.com" is 1000 and that for "www.google.cn" is 10000. When a DNS request message containing "www.baidu.com" or "www.google.cn" is received, the device checks it: if the resolution requests per second for "www.baidu.com" are found to exceed 1000, the request messages beyond 1000 in that second are discarded; if the resolution requests per second for "www.google.cn" are found to exceed 10000, the request messages beyond 10000 in that second are discarded. In this way the number of DNS request messages reaching the protected DNS server is always kept within the server's resolution capacity.
Of course, in a specific implementation the setting of the resolution frequency threshold in the invention depends on learning over a long period, and the accuracy of the learning result depends to a great extent on the precondition that no attack occurs during the learning period. This is well known to those skilled in the art, and the invention does not specifically limit it.
By setting resolution frequency thresholds for domain names, the ability to defend against DNS request message flood attacks can be improved simply, and the DNS server is effectively protected.
In the embodiment above, the resolution of specified domain names can be limited. Of course, to protect the DNS server more easily, the resolution frequency of all DNS request messages the DNS server receives can be limited. For convenience of description, one resolution frequency threshold can be set for all domain name resolutions; for example, the resolution frequency threshold is uniformly set to 10000, meaning that the DNS server's resolution frequency for any domain name may not exceed 10000 per second. Then it is judged whether the resolution frequency of each domain name exceeds the preset uniform resolution frequency threshold, and if so, the DNS request messages exceeding the uniform threshold are discarded directly.
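As an added example (not code from the patent) covering both the per-domain thresholds of the preceding embodiment and the uniform threshold just described, the following Python counts resolution requests per domain name in a fixed one-second window and discards the requests beyond the threshold. The thresholds 1000 for www.baidu.com, 10000 for www.google.cn and the uniform default of 10000 come from the text; the class and function names, the caller-supplied timestamps, and the bound on the size of the counter table are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple


class ResolutionRateLimiter:
    """Per-domain resolution frequency limiter (DNS requests per second).

    A domain listed in per_domain gets its own threshold; every other domain
    gets the uniform threshold, as in the uniform-threshold embodiment.
    """

    def __init__(self, uniform_threshold: int,
                 per_domain: Optional[Dict[str, int]] = None,
                 max_tracked: int = 100_000):
        self.uniform = uniform_threshold
        self.per_domain = {k.lower().rstrip("."): v for k, v in (per_domain or {}).items()}
        self.max_tracked = max_tracked
        self._window: Dict[str, Tuple[int, int]] = {}  # domain -> (second, count)

    def threshold_for(self, domain: str) -> int:
        return self.per_domain.get(domain, self.uniform)

    def _prune(self, second: int) -> None:
        # Assumption of this example: drop counters from earlier seconds so a
        # flood of distinct random names cannot grow the table without bound.
        self._window = {d: sc for d, sc in self._window.items() if sc[0] == second}

    def admit(self, domain: str, now: float) -> bool:
        """Return True if this request stays within the threshold for its second."""
        domain = domain.lower().rstrip(".")
        second = int(now)
        sec, count = self._window.get(domain, (second, 0))
        if sec != second:          # new second: the window for this domain restarts
            sec, count = second, 0
        count += 1
        if domain not in self._window and len(self._window) >= self.max_tracked:
            self._prune(second)
        self._window[domain] = (sec, count)
        return count <= self.threshold_for(domain)


def replay(limiter: ResolutionRateLimiter,
           events: Iterable[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, domain) events through the limiter.

    Returns {domain: (forwarded, dropped)} so the effect of each threshold is visible.
    """
    stats = defaultdict(lambda: [0, 0])
    for ts, domain in events:
        key = domain.lower().rstrip(".")
        if limiter.admit(key, ts):
            stats[key][0] += 1
        else:
            stats[key][1] += 1
    return {k: (v[0], v[1]) for k, v in stats.items()}


if __name__ == "__main__":
    # Constructed traffic: a burst for each example domain within one second.
    limiter = ResolutionRateLimiter(10000, {"www.baidu.com": 1000, "www.google.cn": 10000})
    traffic = ([(0.1, "www.google.cn")] * 10005 + [(0.2, "other.example.")] * 10001
               + [(0.5, "www.baidu.com")] * 1500 + [(1.2, "WWW.BAIDU.COM")] * 3)
    for domain, (fwd, drop) in replay(limiter, traffic).items():
        print(f"{domain}: forwarded={fwd} dropped={drop}")
```

Timestamps are passed in rather than read from the clock so the limiter can be driven from captured traffic or a test; in a deployment the device would supply its receive time. The counter table is keyed by domain name, so a random-name flood of the kind the blacklist embodiment targets would otherwise create one entry per name, which is why the example bounds the table and prunes stale seconds.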
It should be noted that the DNS server side in the above embodiments comprises a DNS server or a DNS proxy. After the legitimacy of the DNS client's request is confirmed: if the DNS server side is a DNS server, then once it has obtained the IP address resolved for the domain name it sends a DNS response message carrying that IP address to the DNS client; if the DNS server side is a DNS proxy, then it uses TCP (Transmission Control Protocol) proxy technology, performing the DNS request to the DNS server over UDP and then sending the DNS server's response on to the DNS client over TCP.
Corresponding to the above method for defending against DNS request message flood attacks, an embodiment of the invention also provides a device for defending against DNS request message flood attacks. As shown in Fig. 2, the device comprises:
a receiving module 201, used by the DNS server side to receive the DNS request message sent by the DNS client;
a message parsing module 202, used by the DNS server side to parse the DNS request message and obtain the domain name that the message carries and asks to have resolved;
a legitimacy judging module 203, used by the DNS server side to judge the legitimacy of the domain name according to the preset domain name resolution condition, and to refuse resolution of the domain name when it is one that is not permitted to be resolved.
The device for defending against DNS request message flood attacks provided by the invention presets a domain name resolution condition and judges the legitimacy of the domain name to be resolved according to that condition: only when the domain name to be resolved is determined to be one that is permitted to be resolved is the DNS server allowed to resolve it; otherwise the corresponding DNS request message is discarded directly and resolution of that domain name is refused. Thus, when a DNS request message flood attack occurs, a targeted defence can be mounted for specified domain names, the DNS server is effectively protected, and the serious consequence of a network interruption is avoided.
In a preferred embodiment of the invention, as shown in Fig. 3, the legitimacy judging module 203 specifically comprises the following functional submodules:
a blacklist presetting submodule 2031, used to preset the domain name blacklist, the domain names contained in the blacklist being domain names that are not permitted to be resolved;
a matching submodule 2032, used to match the domain name to be resolved against the domain names in the domain name blacklist;
a first judging submodule 2033, used to judge that the domain name to be resolved is one that is not permitted to be resolved when it is contained in the domain name blacklist.
In this embodiment, the domain name blacklist is the set of domain names not permitted to be resolved that is configured on the DNS server side; every domain name in it is one that is not permitted to be resolved.
Embodiments of the invention can be applied on a device located between the network users and the DNS server, to protect the DNS server. When the domain name blacklist is configured on that device and a certain domain name is added to it, then whenever a user sends a DNS request for that domain name, the device discards the request message, so the DNS server never has to resolve that domain name.
This blacklist approach is mainly used to protect against attacks by certain attack tools. For example, the user side initiates DNS request messages at random for domain names that do not actually exist. When the DNS server has no protection, such a message is sent to the DNS server for resolution; even after resolution is attempted, no IP address for the domain name can be obtained, and the resolution process instead wastes a large amount of the DNS server's resources, and in serious cases interferes with the resolution of the normal DNS requests the server receives. With the technical scheme of the embodiments of the invention, such a domain name can be added directly to the device's domain name blacklist, so the legitimacy of the domain name to be resolved can be determined quickly; DNS request messages containing the domain name are discarded on the protection device and never reach the DNS server, which relieves the server's resolution burden and thus protects it.
In another embodiment, provide the another kind of implementation of described legitimacy judge module 203, as shown in Figure 4, specifically comprised:
Analytic frequency obtains submodule 2034, is used to obtain the analytic frequency of the domain name that described needs resolve;
Second judges submodule 2035, is used to judge whether described analytic frequency surpasses the analytic frequency threshold value that presets, if then directly will abandon above the DNS request message of described analytic frequency threshold value.
In the embodiment of the invention, DNS flood attacks against a specific domain name are defended against by limiting the resolution frequency of that domain name. If the resolution frequency of the current domain name is found to exceed the preset resolution frequency threshold, the DNS request messages exceeding the threshold are dropped directly, so that the DNS server does not resolve them and the DNS server paralysis, or even network interruption, that they would otherwise cause is prevented.
To protect the DNS server more thoroughly, the resolution frequency of all DNS request messages received by the DNS server can be limited by setting one resolution frequency threshold for all domain name resolutions. Therefore, the device can further comprise:
a uniform resolution frequency threshold setting module, used to set the preset resolution frequency threshold to a uniform value applying to all domain names;
a third judging submodule, used to judge whether the resolution frequency of each domain name exceeds the preset uniform resolution frequency threshold and, if so, to directly drop the DNS request messages that exceed the uniform resolution frequency threshold.
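As an added example (not the patent's own code), the following Python sketch implements both preset resolution conditions the description sets out: it parses the QNAME out of a raw DNS request message, drops requests for blacklisted domain names, and drops requests whose per-domain resolution frequency exceeds a threshold, falling back to a uniform threshold for domain names without a specific one. The domain names, thresholds and window length are assumed sample values.

```python
# Added example, not from the patent: a DNS request filter applying a domain
# blacklist and a per-domain resolution frequency threshold (RFC 1035 wire format).
import struct
import time
from collections import deque


def parse_qname(msg):
    """Return the lower-cased QNAME of the first question in a DNS request."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000:
        raise ValueError("not a request (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        n = msg[pos]
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in QNAME")
        label = msg[pos + 1:pos + 1 + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + n
    return ".".join(labels)


class DnsRequestFilter:
    """Decide per request whether to forward it to the resolver or drop it."""

    def __init__(self, blacklist, per_domain_limit, uniform_limit=None, window_seconds=1.0):
        self.blacklist = {d.lower().rstrip(".") for d in blacklist}
        self.per_domain_limit = {d.lower(): n for d, n in per_domain_limit.items()}
        self.uniform_limit = uniform_limit  # threshold for every other domain name
        self.window = window_seconds
        self.history = {}  # domain name -> deque of forward timestamps in the window

    def check(self, msg, now=None):
        now = time.monotonic() if now is None else now
        try:
            qname = parse_qname(msg)
        except ValueError as exc:
            return "drop", "malformed: %s" % exc
        if qname in self.blacklist:
            return "drop", "blacklisted domain %s" % qname
        seen = self.history.setdefault(qname, deque())
        while seen and now - seen[0] >= self.window:  # expire old entries
            seen.popleft()
        limit = self.per_domain_limit.get(qname, self.uniform_limit)
        if limit is not None and len(seen) >= limit:
            return "drop", "resolution frequency of %s exceeds %d per %.1fs" % (qname, limit, self.window)
        seen.append(now)
        return "forward", qname


def build_query(name, qid=0x1234):
    """Build a minimal A-record query for `name` (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def demo():
    """Blacklisted name, a name with a specific threshold of 3/s, then window expiry."""
    f = DnsRequestFilter(["bogus.example"], {"www.example.com": 3}, uniform_limit=5)
    out = [f.check(build_query("bogus.example"), now=0.0)[0]]
    out += [f.check(build_query("www.example.com"), now=0.1 * i)[0] for i in range(4)]
    out.append(f.check(build_query("www.example.com"), now=1.5)[0])
    return out  # ['drop', 'forward', 'forward', 'forward', 'drop', 'forward']
```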
In addition, the DNS service end in the above device embodiments comprises a DNS server or a DNS proxy. After the legitimacy of the DNS client is confirmed, if the DNS service end is a DNS server, it obtains the IP address resolved for the corresponding domain name and sends a DNS response message carrying that IP address to the DNS client; if the DNS service end is a DNS proxy, it uses TCP (Transmission Control Protocol) proxy technology: it issues the DNS request to the DNS server over UDP and then sends the DNS server's response to the DNS client over TCP.
Since the device embodiments substantially correspond to the method embodiments, they are described relatively briefly; for the relevant details, refer to the description of the method embodiments. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the embodiments of the invention. Therefore, the embodiments of the invention are not to be limited to the embodiments shown herein but are to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for preventing DNS request message flood attacks, characterized in that the method comprises:
a DNS service end receiving a DNS request message sent by a DNS client;
the DNS service end obtaining, by parsing the DNS request message, the domain name to be resolved that is carried in the DNS request message;
the DNS service end judging the legitimacy of the domain name according to a preset domain name resolution condition and, when the domain name is a domain name whose resolution is illegitimate, forbidding resolution of the domain name.
2. the method for strick precaution DNS request message flood attack according to claim 1 is characterized in that described DNS service end is judged the legitimacy of domain name according to the domain name mapping condition that presets, and comprising:
Preset the domain name blacklist, the domain name that comprises in the domain name blacklist is illegal domain name of resolving;
Domain name that described needs are resolved and the domain name in the domain name blacklist are mated;
When domain name that described needs are resolved is included in the domain name blacklist, judge that then the domain name that described needs are resolved is illegal domain name of resolving.
3. the method for strick precaution DNS request message flood attack according to claim 1 is characterized in that described DNS service end is judged the legitimacy of domain name according to the domain name mapping condition that presets, and comprising:
Obtain the analytic frequency of the domain name that described needs resolve;
Judge whether described analytic frequency surpasses the analytic frequency threshold value that presets, if then directly will abandon above the DNS request message of described analytic frequency threshold value.
4. the method for strick precaution DNS request message flood attack according to claim 3 is characterized in that described method also comprises:
The described analytic frequency threshold value that presets is unified numerical value corresponding to all domain names;
Judge that whether the analytic frequency of each domain name surpasses the analytic frequency threshold value of the described unified numerical value that presets, if then directly will abandon above the DNS request message of the analytic frequency threshold value of described unified numerical value.
5. according to the method for each described strick precaution DNS request message flood attack among the claim 1-4, it is characterized in that described DNS service end comprises dns server or DNS agency.
6. A device for preventing DNS request message flood attacks, characterized in that the device comprises:
a receiving module, used for a DNS service end to receive a DNS request message sent by a DNS client;
a packet parsing module, used for the DNS service end to obtain, by parsing the DNS request message, the domain name to be resolved that is carried in the DNS request message;
a legitimacy judging module, used for the DNS service end to judge the legitimacy of the domain name according to a preset domain name resolution condition and, when the domain name is a domain name whose resolution is illegitimate, to forbid resolution of the domain name.
7. The device for preventing DNS request message flood attacks according to claim 6, characterized in that the legitimacy judging module comprises:
a blacklist presetting submodule, used to preset a domain name blacklist, the domain names contained in the domain name blacklist being domain names whose resolution is illegitimate;
a matching submodule, used to match the domain name to be resolved against the domain names in the domain name blacklist;
a first judging submodule, used to judge, when the domain name to be resolved is contained in the domain name blacklist, that the domain name to be resolved is a domain name whose resolution is illegitimate.
8. The device for preventing DNS request message flood attacks according to claim 6, characterized in that the legitimacy judging module comprises:
a resolution frequency acquiring submodule, used to acquire the resolution frequency of the domain name to be resolved;
a second judging submodule, used to judge whether the resolution frequency exceeds a preset resolution frequency threshold and, if so, to directly drop the DNS request messages that exceed the resolution frequency threshold.
9. The device for preventing DNS request message flood attacks according to claim 8, characterized in that the device further comprises:
a uniform resolution frequency threshold setting module, used to set the preset resolution frequency threshold to a uniform value applying to all domain names;
a third judging submodule, used to judge whether the resolution frequency of each domain name exceeds the preset uniform resolution frequency threshold and, if so, to directly drop the DNS request messages that exceed the uniform resolution frequency threshold.
10. The device for preventing DNS request message flood attacks according to any one of claims 6 to 9, characterized in that the DNS service end comprises a DNS server or a DNS proxy.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010102758A CN101789940A (en) 2010-01-28 2010-01-28 Method for preventing flood attack of DNS request message and device thereof

Publications (1)

Publication Number Publication Date
CN101789940A true CN101789940A (en) 2010-07-28

Family

ID=42532994

Country Status (1)

Country Link
CN (1) CN101789940A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100728