Device and method for guarding against DNS cache attacks
Technical field
The present invention relates to network security technology, and in particular to a device and method for guarding against DNS cache attacks.
Background
DNS (Domain Name System) consists of resolvers and name servers. A name server (DNS server) holds the domain names and corresponding IP addresses of all hosts in its network and provides the function of mapping domain names to IP addresses. Referring to Fig. 1, DNS resolution proceeds roughly as follows: a client initiates a domain name resolution request; the local DNS server receives the request and looks the name up in its local cache; if it is not found there, it sends a resolution request to the upper-level DNS server, which returns the resolution result to the local DNS server in a response message; the local DNS server stores the result in its cache, so that when a client later asks for the same domain name the result can be returned directly, and at the same time returns the result to the client that made the request.
DNS attacks have occurred repeatedly in recent years, and attacks aimed at the DNS cache are now common. DNS cache attacks fall mainly into two classes.
The first class exploits the periodic refresh of the DNS server's own cache. During a refresh the server must send a request to its upper-level server, and the attacker sends carefully constructed response messages to the DNS server. For example, while the DNS server is refreshing the entry for www.google.com, the attacker sends a forged response; if the attack succeeds, the IP address cached for www.google.com is replaced by an address chosen by the attacker.
In the second class, the attacker deliberately requests a non-existent subdomain of the target domain. Because the DNS server cannot resolve it locally, it sends a resolution request to its upper-level DNS server, and at that moment the attacker sends a forged response, which may succeed. For example, an attacker targeting www.google.com can query the DNS server for aa.google.com (an example only; assume this name does not exist) and then send a response stating that aa.google.com does not exist but carrying, in its additional records, an attacker-chosen IP address for www.google.com; if the server accepts it, the cache attack has succeeded.
Summary of the invention
In view of this, the invention provides a device and method for guarding against DNS cache attacks, to remedy the deficiencies of the prior art.
Specifically, the device is applied on a network security device and comprises:
a domain name judging module, which obtains the resolved domain name carried in a received DNS response message and judges whether that domain name is in a preset domain name watch list; if so, it notifies the range detection module, and if not, the filter protection module;
a range detection module, which judges whether the resolved IP addresses carried in the DNS response message for that domain name are all in a white list, and if so, allows the DNS response message to pass;
a filter protection module, which judges whether the resolved IP addresses carried in the DNS response message for that domain name include an abnormal IP address belonging to a black list, and if not, allows the DNS response message to pass.
The method comprises the following steps:
Step A: obtain the resolved domain name carried in a received DNS response message and judge whether it is in a preset domain name watch list; if so, go to step B, otherwise go to step C;
Step B: judge whether the resolved IP addresses carried in the DNS response message for that domain name are all in a white list, and if so, allow the DNS response message to pass;
Step C: judge whether the resolved IP addresses carried in the DNS response message for that domain name include an abnormal IP address belonging to a black list, and if not, allow the DNS response message to pass.
As the above technical scheme shows, by configuring black and white lists the present invention monitors resolved IP addresses and filters abnormal ones, and so effectively guards against attacks on the DNS cache.
Brief description of the drawings
Fig. 1 is a flow chart of a typical DNS request;
Fig. 2 is a flow chart of the method of one embodiment of the present invention;
Fig. 3 is a logic diagram of the device of one embodiment of the present invention.
Detailed description
In the prior art, a network security device placed between the DNS requesting side and the resolving side, after receiving a DNS request message, modifies the source port and transaction ID (TID) according to a random algorithm, forwards the request, and records the mapping between the source port and TID before and after modification. After receiving a DNS response message, it checks that the source port and TID match, restores the original source port and TID, and forwards the response. Although this method greatly reduces the success rate of the traditional cache attack, in extreme cases, if the attacker sends response messages for a given domain name continuously, or narrows the source port and TID range before sending attack messages, there remains in theory some probability of success. The present invention provides a device and method for guarding against DNS cache attacks, applied on a network security device, which aims to raise substantially the difficulty of attacking the DNS cache from another angle and make the DNS service safer. To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
Referring to Fig. 2 and Fig. 3, in a preferred embodiment the present invention provides a device for guarding against DNS cache attacks which comprises a domain name judging module, a range detection module, a filter protection module and a list maintenance module. In operation the device performs the following process.
Step 101: obtain the resolved domain name carried in a received DNS response message and judge whether it is in a preset domain name watch list. This step is performed by the domain name judging module.
On today's Internet, DNS cache attacks are usually targeted: most attackers choose to attack specific well-known websites. The present invention exploits this behavioural characteristic of attackers, learning the identity of many attackers by monitoring a small number of well-known websites, since many attackers will attack exactly those sites. In this step the preset domain name watch list is configured by the administrator and generally contains the domain names of well-known websites with high visit rates and of other websites that are easily attacked. Presetting the domain name watch list not only allows attackers to be identified in subsequent processing but, more importantly, protects the domain names of these well-known websites, which after all account for most of the traffic on the Internet.
The security device may receive messages of various kinds; it can use mature mechanisms such as ACLs to pick out DNS response messages for special processing. After receiving a DNS response message, the device obtains the resolved domain name from the fixed fields of the message and judges whether it is in the preset domain name watch list; if so, the resolved domain name is one that requires close monitoring, and the process goes to step 102; if not, it goes to step 103.
Step 102: judge whether the resolved IP addresses carried in the DNS response message for that domain name are all in the white list, and if so allow the DNS response message to pass. This step is performed by the range detection module.
The white list records legitimate IP addresses. A website usually has several legitimate IP addresses: a large website such as Google or Sina deploys many servers, each with a private IP address; because IPv4 addresses are scarce, these servers share a number of public IP addresses, and since the service offered on those public addresses is the same from the Internet user's point of view, one domain name corresponds to several IP addresses. Although each domain name may map to several IP addresses, those addresses very often all fall within one or a few specified ranges, so the present invention can build the white list from those specified ranges (for example IP address blocks).
If the resolved IP addresses are all in the white list, they are legitimate addresses resolved by the DNS server, and the DNS response message is allowed to pass. If the resolved IP addresses are not all in the white list, it cannot yet be concluded that they are illegitimate, since these well-known websites may have added new public IP address resources; this case therefore needs further judgement, so the process goes to step 103 and a log is reported to the administrator.
The administrator regularly reviews the resolved IP addresses in the reported logs that are not in the white list. If a resolved IP address is indeed a newly added address of the website itself, the administrator can, via the network management path, have the list maintenance module add it to the white list so that it passes smoothly next time. If the resolved IP address is abnormal, it is an address the attacker is attempting to use, and the administrator can have the list maintenance module add it to the black list so that it is filtered out directly next time. The black list records abnormal IP addresses identified by the administrator, or IP address ranges that characterise several abnormal addresses; from the point of view of domain name resolution these can usually also be understood as illegitimate addresses. Specifically, an abnormal IP address or range may be an address to which the attacker wants to redirect users, in which case it can be set as globally abnormal; or it may be an address the attacker wants to attack, that is, the attacker wants to direct a large number of users to it and so crash the server at that address, in which case the abnormal address or range is associated with the particular domain name, which both defeats the attacker's misdirection and does not block normal access by other users.
Step 103: judge whether the resolved IP addresses carried in the DNS response message include an abnormal IP address belonging to the black list. This step is performed by the filter protection module.
This step is mainly intended to prevent, as far as possible, domain names that are not in the watch list from being attacked: although a domain name not in the watch list is usually a less well-known website with a lower visit rate, it may still be attacked. This step also re-examines the resolved IP addresses from step 102 that were not in the white list. Specifically, the device checks whether the resolved IP addresses carried in the DNS response message include an abnormal address belonging to the black list. Besides known illegitimate addresses, the black list may, according to the user's needs, also be configured to contain abnormal addresses such as private network addresses, multicast addresses and broadcast addresses, which normally should not appear as resolution results in a DNS response message. If none of the resolved IP addresses is in the black list, they can to a large extent be taken as legitimate, and the DNS response message is allowed to pass; if a resolved IP address belongs to the black list, the DNS response message was very probably sent by an attacker and can be discarded directly.
In practice a DNS response message may carry both legitimate and abnormal resolved IP addresses. Therefore, in a preferred embodiment, when the filter protection module finds an abnormal IP address among the resolved addresses of a DNS response message, it does not simply discard the message but deletes the abnormal addresses from it, and if the remaining resolved IP addresses are not empty, the DNS response message is allowed to pass. This ensures that the legitimate addresses are still delivered normally to the server or client that requested the resolution.
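The decision procedure of steps 101 to 103, the preferred embodiment that strips abnormal answers instead of discarding the whole message, and the list maintenance module, written out as an added Python example; this is not code from the patent. The watch list, white list, black list, domain names and addresses are constructed placeholders, parsing of the DNS wire format into a domain name and a list of answer addresses is assumed to have been done already, and the black list is modelled as global only (the per-domain association described under step 102 is not modelled).

```python
from ipaddress import ip_address, ip_network

# Constructed policy tables standing in for the patent's three lists
# (hypothetical values; in the device an administrator configures them).
WATCH_LIST = {"www.example.com"}                                   # step 101: watched domains
WHITE_LIST = {"www.example.com": [ip_network("198.51.100.0/24")]}  # step 102: legal ranges per domain
BLACK_LIST = [ip_network("203.0.113.0/24")]                        # step 103: attacker-used ranges
# Private, multicast and broadcast space: never valid as a public resolution result (step 103).
NEVER_VALID = [ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ip in n for n in nets)


def filter_response(domain, answers, log):
    """Apply steps 101-103 to one DNS response given as (domain, answer addresses).

    Returns (verdict, kept_answers): 'pass' with the addresses that may be forwarded,
    or 'drop' when no legitimate address remains. Entries appended to `log` are the
    reports sent to the administrator for review."""
    domain = domain.lower().rstrip(".")
    ips = [ip_address(a) for a in answers]
    if domain in WATCH_LIST:                                        # step 101
        if all(in_any(ip, WHITE_LIST.get(domain, [])) for ip in ips):
            return "pass", list(answers)                            # step 102: all answers legal
        log.append(f"{domain}: answers outside white list: {answers}")  # report, then fall through
    # Step 103, preferred form: delete abnormal answers rather than dropping the whole message.
    kept = [a for a, ip in zip(answers, ips) if not in_any(ip, BLACK_LIST + NEVER_VALID)]
    if not kept:
        return "drop", []
    return "pass", kept


def maintain_list(domain, ip, legitimate):
    """List maintenance module: after administrator review, add a reported address
    to its domain's white list (legitimate) or to the global black list (abnormal)."""
    net = ip_network(ip)   # a bare address becomes a /32 (or /128) network
    if legitimate:
        WHITE_LIST.setdefault(domain, []).append(net)
    else:
        BLACK_LIST.append(net)
```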
As the above description shows, by monitoring a small number of well-known domain names the present invention learns the abnormal IP addresses used by most attackers; while protecting the key domain names it adds those abnormal addresses to the black list and then uses the black list to filter abnormal addresses, and because black list filtering applies to all domain names, it strengthens the protection of the DNS cache as a whole.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.