Apparatus and method for guarding against DNS cache attacks
Technical field
The present invention relates to network security technology, and more particularly to an apparatus and method for guarding against DNS cache attacks.
Background technology
DNS (Domain Name System) consists of resolvers and name servers. A name server (DNS server) stores the domain names of all hosts in a network together with their corresponding IP addresses, and translates domain names into IP addresses. Referring to Fig. 1, domain name resolution proceeds roughly as follows. A client sends a resolution request for a domain name; the local DNS server, on receiving the request, first looks the name up in its local cache. If the name is not found, it sends a resolution request to the upstream DNS server, which returns the result in a response message. The local DNS server stores that result in its cache, so that the next time a client asks for the same domain name it can answer directly, and at the same time returns the result to the client that requested the resolution.
DNS attacks have occurred repeatedly in recent years, and attacks on the DNS cache in particular are very common. DNS cache attacks fall mainly into two classes.
In the first class, the attacker exploits the fact that a DNS server refreshes its cache periodically. To refresh an entry the DNS server must send a request to its upstream server, and at that moment the attacker sends a carefully constructed response message to the DNS server, racing the legitimate reply. For example, while the DNS server is refreshing the entry for www.google.com, the attacker sends a response message to it; if the attack succeeds, the IP address cached for www.google.com is replaced by an address chosen by the attacker.
In the second class, the attacker deliberately requests a non-existent subdomain of the target domain. Because the DNS server cannot answer the name from its cache, it sends a resolution request to its upstream server, and at that moment the attacker sends a response message to the DNS server; again the attack may succeed. For example, to attack www.google.com the attacker sends a request for aa.google.com (an illustrative name only, assumed not to exist) to the DNS server, then sends a response message stating that aa.google.com does not exist but carrying, in its additional section, a resource record that maps www.google.com to an address chosen by the attacker. If the DNS server caches that record, the cache attack has succeeded.
The content of the invention
In view of this, the present invention provides an apparatus and method for guarding against DNS cache attacks, so as to overcome the deficiencies of the prior art.
Specifically, the apparatus is deployed on a network security device and comprises:
a domain name judging module, which obtains from a received DNS response message the resolved domain name carried in it and judges whether that domain name is in a preset domain name watch-list; if so, it notifies the range detection module, and if not, it notifies the filter protection module;
a range detection module, which judges whether the resolved IP addresses corresponding to the resolved domain name in the DNS response message are all in a white list, and if so allows the DNS response message to pass; and
a filter protection module, which judges whether the resolved IP addresses corresponding to the resolved domain name in the DNS response message include any abnormal IP address belonging to a black list, and if not allows the DNS response message to pass.
The method comprises the following steps:
Step A: obtaining from a received DNS response message the resolved domain name carried in it, and judging whether that domain name is in a preset domain name watch-list; if so, going to step B, and if not, going to step C;
Step B: judging whether the resolved IP addresses corresponding to the resolved domain name in the DNS response message are all in a white list; if so, allowing the DNS response message to pass, and otherwise going to step C;
Step C: judging whether the resolved IP addresses corresponding to the resolved domain name in the DNS response message include any abnormal IP address belonging to a black list, and if not, allowing the DNS response message to pass.
As can be seen from the above technical scheme, by maintaining a black list and a white list the present invention monitors the resolved IP addresses and filters out abnormal IP addresses, and thereby effectively guards against attacks on the DNS cache.
Brief description of the drawings
Fig. 1 is a flow chart of a typical DNS request process;
Fig. 2 is a flow chart of the method according to one embodiment of the present invention;
Fig. 3 is a logic diagram of the apparatus according to one embodiment of the present invention.
Embodiment
In the prior art, a network security device placed between the DNS requester and the resolving side, on receiving a DNS request message, rewrites its source port and transaction ID (TID) with random values before forwarding it, and records the mapping between the source port and TID before and after rewriting. When the DNS response message arrives, the device checks that its destination port and TID match a recorded mapping, restores the original source port and TID, and only then forwards the response. Although this method greatly reduces the success rate of a conventional cache attack, in extreme cases it can still, in theory, be defeated: an attacker may keep sending response messages for a given domain name, or may first narrow down the source port and TID ranges and then send attack messages. The present invention provides an apparatus and method for guarding against DNS cache attacks, deployed on a network security device, that is intended to raise the difficulty of attacking the DNS cache from a different angle, so that DNS service becomes safer. To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in detail below with specific embodiments and with reference to the accompanying drawings.
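The prior-art port and TID randomization described above, modelled in Python as an added example (it is not part of this application and not the code of any particular security device). The only wire-format fact it relies on is that the transaction ID occupies the first two bytes of a DNS message; the class and function names, the default port range and the client address used in the usage note are the example's own assumptions. The last function shows why narrowing the port range matters: an attacker who knows the range can simply enumerate every (port, TID) pair.

```python
import secrets
import struct


class PortTxidRandomizer:
    """Model of the prior-art forwarder: it replaces the TXID and source port of each
    outgoing query with random values, remembers the mapping, and accepts a response
    only if its (destination port, TXID) pair matches one outstanding query."""

    def __init__(self, port_range=(1024, 65535)):    # assumed default range
        self.lo, self.hi = port_range
        self.pending = {}   # (new_port, new_txid) -> (client, original_txid)

    def forward_query(self, query, client):
        """Rewrite the query for the upstream server; return (rewritten_query, source_port)."""
        orig_txid = struct.unpack_from("!H", query, 0)[0]   # TXID is the first 2 bytes
        while True:
            port = self.lo + secrets.randbelow(self.hi - self.lo + 1)
            txid = secrets.randbelow(1 << 16)
            if (port, txid) not in self.pending:            # never reuse a live pair
                break
        self.pending[(port, txid)] = (client, orig_txid)
        return struct.pack("!H", txid) + query[2:], port

    def accept_response(self, response, dst_port):
        """Return (restored_response, client) for a matching response, None for a forged/stale one."""
        txid = struct.unpack_from("!H", response, 0)[0]
        entry = self.pending.pop((dst_port, txid), None)
        if entry is None:
            return None
        client, orig_txid = entry
        return struct.pack("!H", orig_txid) + response[2:], client


def guess_space(port_range=(1024, 65535)):
    """Number of (port, TXID) pairs a blind attacker must cover for one query."""
    lo, hi = port_range
    return (hi - lo + 1) * (1 << 16)


def exhaustive_forgery(forwarder, port_range, forged_body=b"\x81\x80"):
    """Attacker who knows the port range: send one forged response per (port, TXID) pair
    until the forwarder accepts one. Returns the winning pair, or None."""
    lo, hi = port_range
    for port in range(lo, hi + 1):
        for txid in range(1 << 16):
            if forwarder.accept_response(struct.pack("!H", txid) + forged_body, port) is not None:
                return port, txid
    return None
```

With the full port range, `guess_space()` is about 4.2 billion pairs per query, which is what makes blind spoofing impractical; with the range narrowed to one port it is 65536, and `exhaustive_forgery` wins every time. The model deliberately omits the check that the forged response's question section matches the outstanding query, which a real forwarder also performs; that check does not change the counting argument.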
Referring to Fig. 2 and Fig. 3, in a preferred embodiment the present invention provides an apparatus for guarding against DNS cache attacks which comprises a domain name judging module, a range detection module, a filter protection module and a list maintenance module. During operation the apparatus performs the following processing flow.
Step 101: obtain from a received DNS response message the resolved domain name carried in it, and judge whether that domain name is in a preset domain name watch-list. This step is performed by the domain name judging module.
On today's internet DNS cache attacks are usually targeted: most attackers choose to attack specific well-known websites. The present invention exploits this behavioural characteristic of attackers by monitoring a small number of well-known websites in order to learn the identity of a larger number of attackers, since many attackers will in general attack those same websites. The preset domain name watch-list in this step is configured by the administrator and generally includes the domain names of well-known websites with a high hit rate, together with the domain names of other websites that are likely to be attacked. Monitoring the preset domain names not only lets the subsequent processing identify attackers; more importantly, it protects the domain names of these well-known websites from attack, and these websites account for the bulk of the traffic on the internet.
The security device receives messages of many kinds and can use mature mechanisms such as ACLs to single out DNS response messages for special processing. After a DNS response message is received, the resolved domain name it carries can be obtained from a fixed field of the message (the question section). The device then judges whether that domain name is in the preset domain name watch-list: if so, the domain name is one that needs to be monitored with priority and processing goes to step 102; if not, processing goes to step 103.
Step 102: judge whether the resolved IP addresses corresponding to the resolved domain name in the DNS response message are all in the white list, and if so allow the DNS response message to pass. This step is performed by the range detection module.
The white list records legitimate IP addresses. One website usually corresponds to several legitimate IP addresses. Large websites such as Google or Sina, for example, deploy very many servers, each with its own private IP address; given the scarcity of IPv4 addresses these servers share a number of public IP addresses, and to users on the internet the service offered on each of these public addresses is the same, so one domain name corresponds to several IP addresses. Although each domain name may map to several IP addresses, in most cases all of them lie within one or a few specified ranges, so the present invention formulates the white list in terms of those specified IP ranges (for example, IP address blocks).
If all the resolved IP addresses are in the white list, they are legitimate addresses resolved by the DNS server, and the DNS response message is allowed to pass. If the resolved IP addresses are not all in the white list, it cannot yet be concluded that they are illegitimate, because a well-known website may well have added new public IP address resources; this case therefore needs further judgement, so processing goes to step 103 and a log entry is reported to the administrator.
The administrator periodically reviews the resolved IP addresses reported in the log that were not in the white list. If such an address really is a newly added address of the website itself, the administrator can instruct the list maintenance module, over the network management channel, to add it to the white list, so that the next time it is resolved it will pass. If the address is abnormal, it is an address the attacker is trying to use, and the administrator can instruct the list maintenance module to add it to the black list, so that the next time it appears it will be filtered out directly. The black list records the abnormal IP addresses, or IP address ranges characterising several abnormal addresses, identified by the administrator; from the point of view of domain name resolution these can usually be regarded as illegitimate addresses. Specifically, an abnormal IP address or range may be the address the attacker wants to direct users to, in which case it can be set as a global abnormal IP; or it may be the address the attacker wants to attack, that is, the attacker wants to direct a large number of users to that address and thereby bring down its server, in which case the abnormal IP address or range must be associated with the particular domain names concerned, so that users are protected from being misdirected by the attacker while normal access to that address by other users is not blocked.
Step 103: judge whether the resolved IP addresses carried in the DNS response message include any abnormal IP address belonging to the black list. This step is performed by the filter protection module.
This step is provided mainly so that domain names which are not in the domain name watch-list are, as far as possible, not attacked either: although such names are generally less frequently visited, non-well-known websites, they may also be attacked. This step also handles the resolved IP addresses that were found not to be in the white list in step 102. Specifically, the device checks whether the resolved IP addresses carried in the DNS response message include any abnormal IP address belonging to the black list. Besides known illegitimate IPs, the black list can, according to the user's needs, also be configured to include private IP addresses, multicast addresses, broadcast addresses and other abnormal addresses, since such addresses should not normally appear as a resolution result in a DNS response message. If the resolved IP addresses are not in the black list, they are very likely legitimate, and the DNS response message can be allowed to pass; if they include an abnormal IP address belonging to the black list, the DNS response message is very likely one sent by an attacker, and the message can be discarded directly.
In practice, the resolved IP addresses in a single DNS response message may contain both legitimate IP addresses and abnormal IP addresses. Therefore, in a preferred embodiment, when the filter protection module finds that the resolved IP addresses in a DNS response message include abnormal IP addresses, it does not simply discard the message but deletes the abnormal resolved IP addresses from it, and if the resolved IP addresses remaining in the DNS response message are not empty it allows the message to pass. This ensures that the legitimate IP addresses in the message are still delivered normally to the server or client that requested the DNS resolution.
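The processing flow of steps 101 to 103 (steps A to C of the summary), including the preferred embodiment that deletes abnormal records instead of discarding the whole message, implemented in Python as an added example; it is not part of this application and not the code of any particular security device. It parses real DNS wire format (header, question, and the answer, authority and additional sections, with name compression), so the class-2 attack of the background section, which hides the poisoned record in the additional section, is caught the same way as a poisoned answer. Everything else is assumed: the names `DnsCacheGuard`, `parse_response` and `build_response`, the decision to apply the per-domain black list to the owner name of the address record, and the sample domain names and address blocks in the usage note (11.22.33.0/24, 66.77.88.99 and so on are constructed values, not addresses of any real site). Deleting a record means the message must be re-serialised with corrected section counts, which is why the example carries its own encoder.

```python
import ipaddress
import struct
from collections import namedtuple
from dataclasses import dataclass, field

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA = 1, 2, 5, 28
NAME_RDATA_TYPES = {TYPE_NS, TYPE_CNAME}                    # rdata is a (possibly compressed) name
Verdict = namedtuple("Verdict", "action packet abnormal")   # action: "pass", "strip" or "drop"
RR = namedtuple("RR", "name rtype rclass ttl rdata")        # NS/CNAME rdata stored uncompressed
Response = namedtuple("Response", "header qname qtype qclass sections")  # [answer, authority, additional]

def read_name(pkt, off):
    """Decode the name at pkt[off:], following compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                     # 2-byte pointer; the name's own bytes end here
            end, hops = (off + 2 if end is None else end), hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (off if end is None else end)

def write_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def rr_ip(rr):
    """IP address carried by an A/AAAA record, else None."""
    return ipaddress.ip_address(rr.rdata) if rr.rtype in (TYPE_A, TYPE_AAAA) else None

def address_rrs(resp):
    return [rr for sec in resp.sections for rr in sec if rr_ip(rr) is not None]

def parse_response(pkt):
    """Parse a one-question DNS response. Assumption: other name-bearing rdata types
    (MX, SOA, SRV ...) are copied raw, so compression inside them is out of scope."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    off, sections = off + 4, []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            rdata = write_name(read_name(pkt, off)[0]) if rtype in NAME_RDATA_TYPES else pkt[off:off + rdlen]
            off += rdlen
            rrs.append(RR(name, rtype, rclass, ttl, rdata))
        sections.append(rrs)
    return Response(pkt[:4], qname, qtype, qclass, sections)

def build_response(resp):
    """Serialise a Response without compression, recomputing the section counts."""
    out = bytearray(resp.header[:4]) + struct.pack("!4H", 1, *(len(s) for s in resp.sections))
    out += write_name(resp.qname) + struct.pack("!HH", resp.qtype, resp.qclass)
    for rr in [rr for sec in resp.sections for rr in sec]:
        out += write_name(rr.name) + struct.pack("!HHIH", rr.rtype, rr.rclass, rr.ttl, len(rr.rdata)) + rr.rdata
    return bytes(out)

@dataclass
class DnsCacheGuard:
    watch_list: set                                         # step 101: names to monitor
    white_list: dict = field(default_factory=dict)          # step 102: name -> [ip_network]
    global_black_list: list = field(default_factory=list)   # step 103: bad for every name
    domain_black_list: dict = field(default_factory=dict)   # step 103: owner name -> [ip_network]
    log: list = field(default_factory=list)                 # reports for the administrator

    def is_abnormal(self, owner, ip):
        """Black-list check; private, multicast, broadcast and similar addresses never belong in an answer."""
        if ip.is_private or ip.is_multicast or ip.is_reserved or ip.is_loopback or ip.is_link_local:
            return True                                     # 255.255.255.255 falls under is_reserved
        return any(ip in n for n in self.global_black_list + self.domain_black_list.get(owner, []))

    def inspect(self, pkt):
        resp = parse_response(pkt)
        if resp.qname in self.watch_list:                                   # step 101
            nets = self.white_list.get(resp.qname, [])
            unknown = [rr_ip(rr) for rr in address_rrs(resp) if not any(rr_ip(rr) in n for n in nets)]
            if not unknown:                                                 # step 102: all white-listed
                return Verdict("pass", pkt, [])
            self.log.append((resp.qname, [str(ip) for ip in unknown]))     # report, then step 103
        abnormal = [rr_ip(rr) for rr in address_rrs(resp) if self.is_abnormal(rr.name, rr_ip(rr))]
        if not abnormal:                                                    # step 103: nothing black-listed
            return Verdict("pass", pkt, [])
        for sec in resp.sections:          # preferred embodiment: delete abnormal RRs, keep the rest
            sec[:] = [rr for rr in sec if rr_ip(rr) is None or not self.is_abnormal(rr.name, rr_ip(rr))]
        if not address_rrs(resp):
            return Verdict("drop", None, abnormal)
        return Verdict("strip", build_response(resp), abnormal)
```

Usage, with constructed data: build a guard with `watch_list={"www.example.com"}` and a white list of `ip_network("11.22.33.0/24")` and `ip_network("11.22.34.0/24")` for that name. A response answering 11.22.33.5 passes at step 102. A class-1 forgery answering 66.77.88.99 is not in the white list, so it is logged and falls through to step 103, where, on first sight, it still passes; once the administrator appends `ip_network("66.77.88.99/32")` to `global_black_list`, both that forgery and the class-2 variant (an NXDOMAIN for aa.example.com whose additional section maps www.example.com to 66.77.88.99) are dropped. A mixed answer of 11.22.99.1 and 10.0.0.1 is returned with action "strip" and only the public record left. The per-domain list applies to the owner name of the address record, so a victim block listed under www.example.com is rejected there but still resolves normally for the victim's own name.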
As can be seen from the above description, by monitoring a small number of well-known website domain names the present invention learns most of the abnormal IP addresses used by attackers; while protecting the key domain names it also adds the abnormal IP addresses used by attackers to the black list and then uses the black list to filter abnormal IP addresses, and since the black list filtering applies to all domain names, the protection of the DNS cache is strengthened as a whole.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.