CN104219335B - A kind of processing method of DNS request, apparatus and system - Google Patents

A kind of processing method of DNS request, apparatus and system

Info

Publication number: CN104219335B
Authority: CN (China)
Prior art keywords: dns, domain, name information, dns request, request
Legal status: Active
Application number: CN201310211355.0A
Other languages: Chinese (zh)
Other versions: CN104219335A
Inventor: 张大顺
Current Assignee: Individual
Original Assignee: Individual

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses a method, apparatus and system for processing DNS requests, in order to solve the prior-art problems of missed detection and false identification of forged DNS requests and of the DNS consuming more system resources. The method includes: obtaining the domain name information contained in a Domain Name System (DNS) request; judging whether the domain name information matches trusted domain name information contained in a previously obtained domain name information set; and, when the judgment result is no, processing the DNS request containing the domain name information according to a preset processing mode for forged DNS requests.

Description

A kind of processing method of DNS request, apparatus and system
Technical field
The present invention relates to the field of communication technology, and in particular to a method, apparatus and system for processing DNS requests.
Background technology
The computer Domain Name System (Domain Name System or Domain Name Service, DNS) is composed of resolvers and name servers. A name server holds the domain names and corresponding IP addresses of all hosts in the network and has the function of converting a domain name to an IP address. A domain name must correspond to an IP address, whereas an IP address does not necessarily correspond to only one domain name. Domain names are convenient for people to remember, but machines recognise only IP addresses; the conversion between the two is called domain name resolution, it has to be completed by a dedicated domain name resolution server, and the DNS is precisely the server that performs domain name resolution. When a user enters a host's domain name in an application, which triggers the user terminal to send the DNS a DNS request containing that domain name, the DNS resolves the domain name in the DNS request into associated information such as an IP address.
In the prior art, because the DNS may be attacked over the network, DNS security defence mechanisms such as firewalls and traffic cleaning systems are needed to identify and defend against attacks. The technical principle of the prior-art DNS security defence mechanism is generally as follows: a security device hijacks, using routing techniques, the DNS request sent by a user terminal and then sends the user terminal a DNS response message with the TC flag set to 1; this triggers the user terminal to re-initiate a request to the DNS based on the Transmission Control Protocol (TCP), i.e. a TCP request. According to this principle, if the user terminal that sent the DNS request is a legitimate user terminal it will be triggered to send a TCP request, whereas if the user terminal that sent the DNS request is an illegitimate user terminal, or does not exist at all, it will not be triggered to send a TCP request. For example, in an attack launched by a packet-sending tool with discrete source IPs, or an attack based on forged domain names, the DNS requests are all sent by the packet-sending tool and the source IP addresses they carry are usually forged, so the DNS response message fed back by the DNS for such a request is never received by a real user terminal and no user terminal sends a TCP request to the DNS; in this way DNS security defence is achieved to a certain extent.
At present, the above prior-art DNS security defence mechanism has been shown to have the following defects:
1. It cannot resist Distributed Denial of Service (DDoS) attacks with forged domain names launched from zombie hosts ("broiler chickens"). A zombie host is any system or server that has been broken into by a hacker, is under the hacker's arbitrary control, and has had a Trojan planted on it. When a zombie host launches a DDoS attack it sends forged DNS requests using its real address and the protocol stack of its own operating system, so the zombie host does receive the DNS response with the TC flag set to 1 returned by the security device and, triggered by that response, sends a TCP request just like an ordinary user. The forged DNS requests sent by the zombie host are therefore misidentified by the security device as DNS requests from a legitimate user, and the security device fails to defend against them.
2. It causes legitimate user DNS requests to be wrongly blocked ("false kills"). The main scenarios are: A. an attacker launching an attack with a packet-sending tool usually forges source IPs as discrete IPs, which may accidentally "steal" the source IP address of a legitimate user; B. a legitimate user does not always reply with a TCP request after sending a DNS request and receiving the DNS response message. In both scenarios the security device misidentifies the IP address of the legitimate user as an attacker's IP address and then also applies its security policy to the legitimate user's DNS requests, for example by filtering them.
3. It increases the resource pressure on the DNS. Because the prior-art DNS security defence mechanism needs to trigger legitimate users to send TCP requests to the DNS, the DNS has to answer every TCP request it receives one by one; the DNS therefore consumes more system resources and the system is put under greater pressure.
Among existing DNS attack patterns the most important is the DDoS attack. Its principle is: the attacker constructs a large number of DNS requests with a specific packet-sending tool (attack tool), filling them with discrete source IP addresses and domain names made of random characters, in order to attack the DNS system. Such a packet-sending tool does not follow the protocol stack logic of a legitimate user's operating system; it simply sends a large number of DNS requests to a specific destination IP address (the target of the attack). In this attack pattern the domain names in the DNS requests are usually forged, yet the DNS system, unable to tell whether a DNS request is an attack, still has to spend a certain amount of processing resources to parse the DNS request and perform other operations on it. As the attack volume (the number of DNS requests sent by the packet-sending tool) grows, the DNS eventually collapses from resource exhaustion, and the attacker achieves the goal of paralysing the DNS.
Fig. 1 shows some forged domain name information generated with random characters. Under an attack pattern based on forged domain name information, the DNS can only answer a DNS request containing forged domain name information with NXDOMAIN (domain name does not exist) or SERVFAIL (authoritative server failure); there is no real resolution result. As the number of DNS requests containing such forged domain name information grows, the DNS collapses.
For DDoS attacks, when the prior-art security defence mechanism is used to protect a DNS under DDoS attack, the problems of missed detection and false identification of forged DNS requests, and of the DNS consuming more system resources, still exist.
Summary of the invention
Embodiments of the present invention provide a method, apparatus and system for processing DNS requests, in order to solve, when the DNS is under DDoS attack, the problems that may exist when the DNS is protected with the existing DNS security defence mechanism: missed detection and false identification of forged DNS requests, and the DNS consuming more system resources.
Embodiments of the present invention adopt the following technical solutions:
A method for processing DNS requests, including: obtaining the domain name information contained in a Domain Name System (DNS) request; judging whether the domain name information matches trusted domain name information contained in a previously obtained domain name information set; and, when the judgment result is no, processing the DNS request containing the domain name information according to a preset processing mode for forged DNS requests.
An apparatus for processing DNS requests, including: an obtaining unit for obtaining the domain name information contained in a DNS request; a judging unit for judging whether the domain name information obtained by the obtaining unit matches trusted domain name information contained in a previously obtained domain name information set; and a processing unit for processing, when the judgment result obtained by the judging unit is no, the DNS request containing the domain name information according to a preset processing mode for forged DNS requests.
A system for processing DNS requests, including a DNS traffic collection system and a DNS security defence system, in which:
the DNS traffic collection system is used to determine the domain name information contained in each DNS request received by the DNS within a period of time, and to select, from the domain name information contained in those DNS requests, the domain name information whose number of accesses within that period exceeds a preset count threshold, to form a domain name information set;
the DNS security defence system is used to obtain the domain name information contained in a DNS request, to judge whether the domain name information matches trusted domain name information contained in the previously obtained domain name information set, and, when the judgment result is no, to process the DNS request containing the domain name information according to a preset processing mode for forged DNS requests.
Embodiments of the present invention have the following beneficial effects:
Because the above solution starts from the feature that forged DNS requests in a DDoS attack contain domain names made of randomly varying characters, it specifically proposes identifying whether a DNS request is a forged DNS request by comparing the domain name information contained in the DNS request with the trusted domain name information contained in a previously obtained domain name information set. The solution thus identifies forged DNS requests without relying on the source IP address and without triggering the user terminal to send a TCP request, and so, when the DNS is under DDoS attack, it solves the problems that may exist when the DNS is protected with the existing DNS security defence mechanism: missed detection and false identification of forged DNS requests, and the DNS consuming more system resources.
Description of the drawings
Fig. 1 shows some forged domain name information generated with random characters;
Fig. 2 is a schematic flow chart of a method for processing DNS requests provided by an embodiment of the present invention;
Fig. 3a is the normal service traffic model of a DNS in a live network environment, provided by an embodiment of the present invention;
Fig. 3b is the traffic model of a DNS under attack in a live network environment, provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the system architecture of the solution provided by an embodiment of the present invention;
Fig. 5 is a specific flow chart of a method for processing DNS requests provided by an embodiment of the present invention;
Fig. 6 is an apparatus for processing DNS requests provided by an embodiment of the present invention;
Fig. 7 is a system for processing DNS requests provided by an embodiment of the present invention.
Detailed description of embodiments
Through analysis and research of the prior-art security defence mechanism, the inventor found that the TC flag specified in the DNS protocol has its own specific function: when the DNS response to a single DNS request is too large (more than 512 bytes), the DNS automatically truncates the DNS response and sets the TC flag to 1, forcing the user terminal that sent the DNS request to re-initiate the request over TCP port 53 (the TCP request described earlier), so that the user terminal is guaranteed to receive the complete DNS response to that single DNS request.
It can be seen that a TC flag set to 1 is the trigger condition for a user terminal to initiate a DNS request over TCP port 53. Precisely on this principle, the prior-art DNS security defence mechanism uses the TC flag to trigger the user terminal to initiate a DNS request over TCP port 53, and judges from whether the user terminal is triggered to do so whether the corresponding DNS request received by the DNS is a forged DNS request. In actual use, however, this mechanism has the following three problems: 1. it cannot resist forged-domain-name DDoS attacks launched from zombie hosts; 2. it causes legitimate user DNS requests to be wrongly blocked; 3. it increases the resource pressure on the original DNS system.
To solve the above security defects of the prior art, embodiments of the present invention provide a method, apparatus and system for processing DNS requests. The embodiments are described below with reference to the drawings; it should be understood that the embodiments described here are only for illustrating and explaining the present invention and are not intended to limit it. Where there is no conflict, the embodiments and the features of the embodiments in this description may be combined with one another.
First, an embodiment of the present invention provides a method for processing DNS requests. A schematic flow chart of the method is shown in Fig. 2 and includes the following steps:
Step 21: obtain the domain name information contained in the Domain Name System (DNS) request.
In an embodiment, one specific way of obtaining the domain name information contained in a DNS request may include the following sub-steps:
First, obtain the DNS request and check its safety according to a specified safety check strategy;
Then, after the DNS request has been verified as safe, obtain the domain name information it contains.
Optionally, the domain name information contained in the DNS request can be extracted in hashed form. A hash is a numerical representation that expresses a piece of data in a unique and extremely compact way.
For example, if the executing entity of the method is a DNS security defence system, then after obtaining a single DNS request sent by a user terminal, the DNS security defence system can perform a preliminary safety check on the DNS request according to the specified safety check strategy. If the DNS request is confirmed safe after the check, the DNS security defence system extracts the domain name information it contains in hashed form; if the DNS request is verified as unsafe, the DNS security defence system processes it according to a specified processing mode, for example by discarding it.
In general there are many kinds of safety check strategies; in an embodiment the safety check strategy may include, but is not limited to, one or a combination of the following:
abnormal packet filtering, single-IP rate limiting and single-domain-name rate limiting. Since these are relatively mature prior-art techniques and not the emphasis of the present invention, they are not described further.
Step 22: judge whether the domain name information obtained in step 21 matches trusted domain name information contained in the previously obtained domain name information set; when the judgment result is no, execute step 23.
Still taking the DNS security defence system as an example: once it has extracted the domain name information contained in the DNS request sent by the user terminal, it passes the domain name information, in hashed form, to a dedicated memory area of the DNS security defence system and triggers matching of the domain name information against each item of the domain name information set stored in advance in that dedicated memory area, to judge whether the set contains domain name information identical to that contained in the DNS request. Because the domain name information exists in hashed form, matching it against the domain name information set is very fast, and the delay introduced by this operation can be ignored.
Optionally, when the judgment result is yes, the DNS security defence system can send the DNS request directly to the DNS for subsequent processing. Specifically, a yes result means that the domain name information set contains domain name information identical to that obtained in step 21; the DNS security defence system then judges the domain name information to be trusted, the DNS request is accordingly determined to be a legitimate DNS request, and the legitimate DNS request is forwarded normally by the DNS security defence system to the DNS.
Optionally, the previously obtained domain name information set can be obtained by the following sub-steps:
First, determine the domain name information contained in each DNS request received by the DNS within a period of time;
Then, from the domain name information contained in the DNS requests received by the DNS within that period, select the domain name information whose number of accesses within the period exceeds a preset count threshold to form the domain name information set.
To ensure that all the domain name information in the set is legitimate, the set may in an embodiment be obtained by counting the DNS requests received by the DNS while its service traffic is in a normal state. That is, the domain name information contained in each DNS request received by the DNS within the period is determined only when all forged DNS requests received by the DNS within that period are judged to satisfy a specified condition. The specified condition may include: the ratio of the number of all forged DNS requests received by the DNS within the period to the total number of all DNS requests it received within the period is less than a preset ratio threshold.
Step 23: process the DNS request containing the obtained domain name information according to the preset processing mode for forged DNS requests.
For example, still taking the DNS security defence system as an example, it can send the DNS request to the DNS according to a number of forged DNS requests that may be sent per unit time, set for that unit time. Specifically, after step 22 has judged that the domain name information set contains no domain name information identical to the obtained domain name information, the DNS security defence system determines the domain name information to be non-trusted, the DNS request is accordingly judged to be a forged DNS request, and the DNS security defence system applies a unified rate-limiting policy to forged DNS requests: it sends the DNS request to the DNS according to the number of forged DNS requests allowed to be sent per unit time.
In general the number set for the unit time can be fairly small, so that even if many DNS requests whose domain name information matches nothing in the domain name information set arrive at the same moment, the DNS security defence system still limits their forwarding rate according to that number, reducing the risk that a large number of forged DNS requests attack the DNS at the same moment and paralyse it.
Optionally, if the executing entity of steps 21 to 23 is the DNS itself, step 23 may be implemented as: directly discard the DNS request.
By using the above solution, DDoS attacks are judged from the domain name information contained in the domain name information set, achieving the purpose of defending against attacks. Specifically, the technical effects of the method are: 1. it can defend against DDoS attack behaviour of the various attack types launched by zombie hosts, packet-sending tools and the like, regardless of the form of the attack source and the composition of the attack traffic; 2. in a DDoS attack scenario the solution achieves attack protection reliability of more than 99.9% without affecting user experience at all, and under non-extreme conditions does not wrongly block legitimate DNS requests; 3. it puts no pressure on the original DNS, which keeps providing DNS service normally and stably under the protection of the DNS security defence mechanism proposed by the present invention.
The practical application of the above solution is described in detail below with reference to real-world conditions.
First of all, in order to solve, when the DNS is under DDoS attack, the problems that may exist when the DNS is protected with the existing DNS security defence mechanism (missed detection and false identification of forged DNS requests, and the DNS consuming more system resources), the inventor carried out detailed analysis and research on the DNS traffic model built for the live network environment and on each severe DDoS attack. The analysis found that in the normal service traffic model, shown in Fig. 3a, within one statistics period the number of legitimate DNS requests received by the DNS accounts for a very large share of all DNS requests received, and forged DNS requests account for a very small share; in the traffic model under attack, shown in Fig. 3b, within a statistics period of the same duration the number of legitimate DNS requests stays essentially unchanged while the number of forged DNS requests is very large, so the share of legitimate DNS requests in all DNS requests becomes small and the share of forged DNS requests becomes very large.
Analysis and research of DNS requests in the live network environment found that the normal DNS traffic model, i.e. the normal service traffic model, has the following characteristics:
1. The number of domain names that really exist on the Internet is counted in the hundreds of billions, and more than ten million domain names are added or disappear every day;
2. The normal DNS traffic model follows a pyramid structure: the really existing domain names contained in a large number of user requests are in fact a small number of the domain names on the Internet;
3. Counted over a period of one day, more than 10,000,000 legitimate DNS requests access the DNS;
4. Counted over a period of one day, ranking domain names by the number of accesses from legitimate users, the DNS requests for the TOP 1,000,000 domain names account for 99.9% of all DNS requests; in the domain name information set composed of these TOP 1,000,000 domain names, the domain name ranked 1,000,000 is accessed fewer than 10 times per day;
5. In the normal DNS traffic model, more than 5,000,000 domain names per day are "one-off domain names", i.e. only one DNS request is ever initiated for that domain name.
Based on the above characteristics of the normal DNS traffic model, the inventor proposes a method of verification based on the domain name in the DNS request, and introduces a DNS traffic collection system as an important component of the DNS security defence system.
In practical application, the system architecture of the solution provided by an embodiment of the present invention is shown in Fig. 4. The architecture includes: an attacker 41, a legitimate user 42, a DNS security defence system 43, a DNS traffic collection system 44 and a DNS 45. The DNS 45 may receive DNS requests numbering in the hundreds of billions within a period of time; within that period the legitimate user 42 initiates a large number of DNS requests and the attacker 41 also initiates DNS requests. When the traffic is in the normal pattern (the ratio of the number of forged DNS requests received by the DNS 45 within the period to the total number of DNS requests it received within the period is less than the preset ratio threshold), the DNS traffic collection system 44 determines the domain name information contained in each DNS request received by the DNS 45 within one day, then sorts the determined domain name information by number of accesses to obtain a sorted list, and extracts from the list all domain name information accessed more than 10 times within the period as the domain name information set. Finally, the DNS traffic collection system 44 forwards the extracted domain name information set, using a specified transmission mode, to the dedicated memory area opened up by the DNS security defence system 43 for storage. Once the DNS security defence system 43 has received the domain name information set from the DNS traffic collection system, it can perform domain name verification on subsequently received DNS requests and thereby defend the DNS against attack.
It should be noted that the domain name information set is the set composed of the TOP 1,000,000 domain name information in the sorted list, and the DNS requests initiated for the domain names in the set account for 99.9% of all DNS requests. Because the characters of forged domain name information are generated randomly, a forged domain name is accessed on the DNS only once and has no real resolution result, so forged domain name information does not enter the set; this ensures that the domain name information collected into the set is both legitimate and popular. For example, in real life the well-known, popular domain name www.baidu.com must be a trusted domain name, while a forged, obscure domain name such as www.adskfjkdsa.com must be a non-trusted domain name.
It should also be noted that the specified transmission mode includes inter-process communication or layer-2 packet assembly and transmission, applied to the following two scenarios respectively: when the DNS traffic collection system 44 and the DNS security defence system 43 are deployed on the same hardware machine, inter-process communication within that machine may be used, i.e. the domain name information set is shared as a text file; when the DNS traffic collection system 44 and the DNS security defence system 43 are deployed independently on different hardware machines, network communication is used, and the DNS traffic collection system 44 transmits the domain name information set, stored as a text file, to the DNS security defence system 43.
Based on system architecture as shown in Figure 4, when DNS security system of defense receives the single DNS from unknown subscriber After request, following step as shown in Figure 5 can be executed, is judged so that whether realization is legal to the DNS request:
Step 51, DNS security system of defense implements abnormal packet filtering, list IP speed limits and single domain name limit to the DNS request The safety checks strategy such as speed.
Step 52, after verification passes through, DNS security system of defense can just extract the DNS request institute by way of Hash Including domain-name information, and quickly traverse the memory headroom where the domain-name information set being obtained ahead of time, realize that domain name matches school It tests.Since the mode of Hash is very fast in million grades of traversal queries medium velocity, it can be considered that the operation is not delayed.If It is one in domain-name information set that the result of matching verification, which is the domain-name information, thens follow the steps 53;If matching the knot of verification Fruit be the domain-name information not in domain-name information set, then follow the steps 54;
Step 53, which is determined as trust domain-name information by DNS security system of defense, rather than by attacker's puppet The domain-name information for the random character made, then the DNS request can be normal through DNS security system of defense.
Step 54, which is determined as non-trusted domain-name information by DNS security system of defense, which needs It executes DNS security system of defense and is directed to the unified speed limit strategy that non-trusted domain-name information is implemented, such as to all non-trusted domains Name implements that speed limit is added up to be 10000QPS(QPS:Number/per second)Unified speed limit strategy.
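The following is an added example of the per-request decision of steps 51 to 54; it is not code from the patent. It assumes token buckets for the per-IP, per-domain-name and unified limits, SHA-256 as the hashed form of the domain name (the patent does not say which hash is used), exact matching on the whole normalized query name, a small hypothetical abnormal-packet filter (query flag set, valid name and label lengths), and constructed trusted names, limits and traffic. The simulated flood of random subdomains from many source addresses is not caught by the per-IP or per-domain limits but is confined to the shared 10000 QPS bucket, while the trusted name passes untouched.

```python
import hashlib
from collections import defaultdict


class TokenBucket:
    """Token bucket with `rate` tokens per second and a burst of one second of tokens."""

    def __init__(self, rate, now):
        self.rate = float(rate)
        self.tokens = float(rate)   # starts full
        self.last = now

    def allow(self, now):
        """Consume one token if available, after refilling for the elapsed time."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.rate, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def normalize_qname(qname):
    """Canonical form: lower-case, no trailing dot, so 'Example.COM.' == 'example.com'."""
    return qname.rstrip(".").lower()


def qname_key(qname):
    """Hashed form of a domain name used for the in-memory set lookup (step 52); SHA-256 is an assumption."""
    return hashlib.sha256(normalize_qname(qname).encode("utf-8")).digest()


def is_abnormal(pkt):
    """Hypothetical step-51 abnormal-packet filter: must be a query (qr == 0) with a
    non-empty name of at most 253 characters whose labels are 1..63 characters long."""
    qname = pkt.get("qname", "")
    if pkt.get("qr", 0) != 0 or not qname:
        return True
    name = normalize_qname(qname)
    if not name or len(name) > 253:
        return True
    return any(len(label) == 0 or len(label) > 63 for label in name.split("."))


class DnsDefense:
    """Per-request decision logic of steps 51-54."""

    def __init__(self, trusted_domains, per_ip_qps, per_domain_qps, untrusted_qps, now=0.0):
        self.trusted = {qname_key(d) for d in trusted_domains}   # set kept in hashed form
        self.per_ip_qps = per_ip_qps
        self.per_domain_qps = per_domain_qps
        self.ip_buckets = {}
        self.domain_buckets = {}
        # One bucket shared by every non-trusted name: the unified rate limit of step 54.
        self.untrusted_bucket = TokenBucket(untrusted_qps, now)

    def _bucket(self, table, key, rate, now):
        bucket = table.get(key)
        if bucket is None:
            bucket = table[key] = TokenBucket(rate, now)
        return bucket

    def handle(self, pkt, now):
        """Verdict for one request: 'pass_trusted', 'pass_untrusted' or a 'drop_*' reason."""
        if is_abnormal(pkt):                                                    # step 51
            return "drop_abnormal"
        if not self._bucket(self.ip_buckets, pkt["src_ip"], self.per_ip_qps, now).allow(now):
            return "drop_ip_limit"                                              # step 51, per-IP
        key = qname_key(pkt["qname"])
        if not self._bucket(self.domain_buckets, key, self.per_domain_qps, now).allow(now):
            return "drop_domain_limit"                                          # step 51, per-domain
        if key in self.trusted:                                                 # step 52 -> 53
            return "pass_trusted"
        if self.untrusted_bucket.allow(now):                                    # step 54
            return "pass_untrusted"
        return "drop_untrusted_limit"


TRUSTED_DOMAINS = ["example.com", "www.example.com", "mail.example.com"]   # constructed


def simulate(legit_queries=20, attack_queries=12000):
    """Constructed one-second burst: one client querying a trusted name, plus a flood of
    random subdomains from distinct source addresses. Returns the verdict counts."""
    now = 0.0
    defense = DnsDefense(TRUSTED_DOMAINS, per_ip_qps=50, per_domain_qps=100,
                         untrusted_qps=10000, now=now)
    counts = defaultdict(int)
    for _ in range(legit_queries):
        counts[defense.handle({"src_ip": "198.51.100.7", "qname": "Example.COM.", "qr": 0}, now)] += 1
    for i in range(attack_queries):
        pkt = {"src_ip": "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255),
               "qname": "%08x.example.com" % i, "qr": 0}
        counts[defense.handle(pkt, now)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(simulate())
```

Because the set is matched on the whole query name, a random label under a trusted zone does not inherit trust; whether the patent matches whole names or registered domains is not stated, so that is a design choice of this example.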
Application of the scheme provided by embodiments of the present invention in practice shows that, because the DNS traffic collection system learns the normal DNS traffic model and computes the domain-name information set from it, the DNS requests whose domain names are contained in the domain-name information set account for 99.9% or more of all DNS requests received by the DNS, which ensures that these 99.9% of DNS requests are protected by the DNS security defense system. At the same time, DNS requests whose domain-name information lies outside the domain-name information set account for 0.1% of all DNS requests received by the DNS; correspondingly, these 0.1% of DNS requests are subjected to the unified rate-limit strategy of the DNS security defense system, so that this kind of DDoS attack behaviour is effectively defended against and the normal operation of the back-end DNS is protected. Meanwhile, experiments show that the system delay introduced by the scheme provided by embodiments of the present invention is short enough to be disregarded, so that while the security defense effectiveness reaches 99.9%, user experience is not affected.
In addition, the DNS traffic collection mechanism provided by embodiments of the present invention can also ensure real-time updating of the domain-name information set (the update frequency is usually set to one day), so that the DNS security defense system periodically obtains the latest domain-name information set, keeps pace with rapidly changing domain names, and ensures that 99.9% of DNS requests are trusted by the DNS security defense system.
By using the above concrete scheme provided by embodiments of the present invention, DDoS attacks are identified using the domain-name information contained in the domain-name information set, which achieves the purpose of defending against attacks. Specifically, the technical effects of the method provided by embodiments of the present invention are: 1. DDoS attack behaviour of various attack types, launched by zombie hosts, packet-sending tools and the like, can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in the presence of a DDoS attack, the scheme achieves an attack-protection reliability exceeding 99.9% while not affecting user experience at all, and under non-extreme conditions it does not falsely block legitimate DNS requests; 3. no pressure is placed on the original DNS, so that the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
Corresponding to the DNS request processing method provided by embodiments of the present invention, embodiments of the present invention also provide a DNS request processing apparatus, whose concrete structure is shown schematically in Figure 6. It mainly includes an obtaining unit 61, a judging unit 62 and a processing unit 63. The concrete function of each unit is described below.
Obtaining unit 61 is used to obtain the domain-name information contained in a domain name system (DNS) request.
In embodiments of the present invention, obtaining unit 61 obtains the domain-name information contained in the DNS request through the following sub-units:
a verification sub-unit, for obtaining the DNS request and verifying the security of the DNS request according to a specified security check strategy;
an obtaining sub-unit, for obtaining the domain-name information contained in the DNS request after the verification sub-unit has verified the DNS request with the result that it is safe. Optionally, the domain-name information contained in the DNS request can be extracted in hashed form.
In general there are many kinds of security check strategy. In embodiments of the present invention, the security check strategy may include, but is not limited to, one or more of the following:
abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting. Since abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting are comparatively mature techniques in the prior art and are not the focus of the present invention, they are not described further here.
A hash is a numerical representation that expresses a piece of data in a unique and extremely compact manner.
Judging unit 62 is used to judge whether the domain-name information obtained by obtaining unit 61 matches trusted domain-name information contained in the pre-obtained domain-name information set and, when the judgment result is no, to send the DNS request obtained by obtaining unit 61 to processing unit 63 for processing.
The pre-obtained domain-name information set can be obtained through the following sub-steps:
First, determine the domain-name information respectively contained in each DNS request received by the DNS within a period of time; specifically, when it is judged that all forged DNS requests received by the DNS within this period meet a specified condition, determine the domain-name information respectively contained in each DNS request received by the DNS within the period. The specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period is less than a preset ratio threshold.
Then, from the domain-name information respectively contained in each DNS request, select the domain-name information whose access count within the period exceeds a preset count threshold to form the domain-name information set.
Processing unit 63 is used to process the DNS request containing the domain-name information according to a preset processing mode for forged DNS requests; specifically, it sends the DNS request to the DNS according to the set number of forged DNS requests to be sent per unit time.
By using the above scheme provided by embodiments of the present invention, DDoS attacks are identified using the domain-name information contained in the domain-name information set, which achieves the purpose of defending against attacks. Specifically, the technical effects of the method provided by embodiments of the present invention are: 1. DDoS attack behaviour of various attack types, launched by zombie hosts, packet-sending tools and the like, can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in the presence of a DDoS attack, the scheme achieves an attack-protection reliability exceeding 99.9% while not affecting user experience at all, and under non-extreme conditions it does not falsely block legitimate DNS requests; 3. no pressure is placed on the original DNS, so that the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
Correspondingly, matching the above method flow, embodiments of the present invention further provide a DNS request processing system, shown in Figure 7, which includes:
a DNS traffic collection system 71, for determining the domain-name information respectively contained in each DNS request received by the DNS within a period of time, and for selecting, from the domain-name information respectively contained in each DNS request, the domain-name information whose access count within the period exceeds a preset count threshold to form the domain-name information set;
a DNS security defense system 72, for obtaining the domain-name information contained in a DNS request, judging whether the domain-name information matches trusted domain-name information contained in the domain-name information set pre-obtained by DNS traffic collection system 71 and, when the judgment result is no, processing the DNS request containing the domain-name information according to a preset processing mode for forged DNS requests.
In embodiments of the present invention, DNS traffic collection system 71 is responsible for obtaining the domain-name information set, and the obtaining process includes the following:
First, DNS traffic collection system 71 determines the domain-name information respectively contained in each DNS request received by the DNS within a period of time; specifically, when it is judged that all forged DNS requests received by the DNS within this period meet a specified condition, it determines the domain-name information respectively contained in each DNS request received by the DNS within the period. The specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period is less than a preset ratio threshold.
Then, from the domain-name information respectively contained in each DNS request, it selects the domain-name information whose access count within the period exceeds a preset count threshold to form the domain-name information set.
Finally, DNS traffic collection system 71 uses the specified transmission mode to forward the extracted domain-name information set to a dedicated memory space opened up by DNS security defense system 72, where it is stored.
Optionally, a specified update cycle can be set for DNS traffic collection system 71, so that DNS traffic collection system 71 updates the domain-name information set in real time and obtains the domain-name information set closest to the real network, ensuring that 99.9% of DNS requests are legitimate.
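The following is an added example of the set-building sub-steps described here and in the apparatus description above (first/then/finally and the update cycle); it is not code from the patent. It assumes that each observed request arrives as a (query name, forged flag) pair, where the flag stands in for whatever judgment has already been made about the request (the patent does not say how forged requests are identified, so it is an input here), that the text-file form is one name per line, and constructed thresholds and a constructed observation window. When the forged share of the window reaches the ratio threshold the window is rejected and no set is produced, so the previously learned set stays in force; from an acceptable window, only names seen more than the count threshold times are kept, which is why a handful of random-looking names each seen once never enter the set.

```python
from collections import Counter


def normalize_qname(qname):
    """Canonical form used for counting: lower-case, no trailing dot."""
    return qname.rstrip(".").lower()


def build_trusted_set(window, ratio_threshold, count_threshold):
    """Learn the domain-name information set from one observation window.

    `window` is a list of (qname, forged) pairs. The window is usable only when the
    share of forged requests is below `ratio_threshold`; otherwise None is returned.
    From a usable window, names seen more than `count_threshold` times form the set."""
    if not window:
        return None
    forged = sum(1 for _, is_forged in window if is_forged)
    if forged / len(window) >= ratio_threshold:
        return None
    counts = Counter(normalize_qname(qname) for qname, _ in window)
    return {name for name, n in counts.items() if n > count_threshold}


def serialize(names):
    """Text-file form handed from the collection system to the defense system (one name per line)."""
    return "".join(name + "\n" for name in sorted(names))


def parse(text):
    """Read the text-file form back; blank lines and '#' comment lines are ignored."""
    result = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            result.add(normalize_qname(line))
    return result


def due_for_refresh(last_refresh, now, period=86400):
    """Update-cycle check; the default one-day period matches the text above."""
    return now - last_refresh >= period


# Constructed sample window: two popular names, one rare name, and ten random-looking
# names that have each been flagged as forged and each appear only once.
SAMPLE_WINDOW = (
    [("www.example.com", False)] * 120
    + [("Mail.Example.com.", False)] * 40
    + [("rare.example.org", False)] * 3
    + [("%04x.example.com" % i, True) for i in range(10)]
)

if __name__ == "__main__":
    trusted = build_trusted_set(SAMPLE_WINDOW, ratio_threshold=0.1, count_threshold=5)
    print(serialize(trusted), end="")
```

The ratio check is the safeguard that matters most in practice: if a window recorded during an attack were accepted, the attack names could be learned as trusted, so a polluted window is discarded rather than used.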
After a DNS request sent by a user terminal enters DNS security defense system 72, the security of the DNS request is verified according to the specified security check strategy; after the DNS request is verified as safe, the domain-name information contained in the DNS request is obtained. Once DNS security defense system 72 has extracted the domain-name information contained in the DNS request sent by the user terminal, it passes that domain-name information in hashed form to the dedicated memory space of DNS security defense system 72, which triggers a check of that domain-name information against each item of domain-name information in the domain-name information set stored in the dedicated memory space and obtained by DNS traffic collection system 71, i.e. a check of whether the domain-name information set contains domain-name information identical to it. When the judgment result is no, DNS security defense system 72 sends the DNS request to the DNS according to the set number of forged DNS requests to be sent per unit time.
By using the above scheme provided by embodiments of the present invention, DDoS attacks are identified using the domain-name information contained in the domain-name information set, which achieves the purpose of defending against attacks. Specifically, the technical effects of the method provided by embodiments of the present invention are: 1. DDoS attack behaviour of various attack types, launched by zombie hosts, packet-sending tools and the like, can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in the presence of a DDoS attack, the scheme achieves an attack-protection reliability exceeding 99.9% while not affecting user experience at all, and under non-extreme conditions it does not falsely block legitimate DNS requests; 3. no pressure is placed on the original DNS, so that the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
It can be seen that, compared with DNS request processing methods in the prior art, the DNS security defense system of the present invention has the following technical advantages:
the user does not need to initiate a TCP request again;
DNS requests are verified by matching against the domain-name information set, which improves DNS traffic throughput and enhances the stability of DNS operation;
an attack-protection reliability exceeding 99.9% is achieved, far above the security defense achieved through the TCP protocol; in addition, the delay caused by matching directly against the domain-name information set in hashed form is negligible, which reduces the impact on user experience.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (14)

1. A DNS request processing method, characterized by including:
obtaining the domain-name information contained in a domain name system (DNS) request;
judging whether the domain-name information matches trusted domain-name information contained in a pre-obtained domain-name information set;
when the judgment result is no, sending the DNS request to the DNS according to the set number of forged DNS requests to be sent per unit time;
when the judgment result is yes, sending the DNS request to the DNS normally.
2. The method according to claim 1, characterized in that the domain-name information set is obtained in the following manner:
determining the domain-name information respectively contained in each DNS request received by the DNS within a period of time;
from the domain-name information respectively contained in each DNS request, selecting the domain-name information whose access count within the period of time exceeds a preset count threshold to form the domain-name information set.
3. The method according to claim 2, characterized in that determining the domain-name information respectively contained in each DNS request received by the DNS within the period of time specifically includes:
when it is judged that all forged DNS requests received by the DNS within the period of time meet a specified condition, determining the domain-name information respectively contained in each DNS request received by the DNS within the period of time;
wherein the specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period of time is less than a preset ratio threshold.
4. The method according to any of claims 1 to 3, characterized in that obtaining the domain-name information parsed from the domain name system (DNS) request specifically includes:
obtaining the DNS request, and verifying the security of the DNS request according to a specified security check strategy;
after the DNS request is verified as safe, obtaining the domain-name information contained in the DNS request.
5. The method according to any of claims 1 to 3, characterized in that obtaining the domain-name information contained in the DNS request specifically includes:
extracting the domain-name information contained in the DNS request in hashed form.
6. A DNS request processing apparatus, characterized by including:
an obtaining unit, for obtaining the domain-name information contained in a domain name system (DNS) request;
a judging unit, for judging whether the domain-name information obtained by the obtaining unit matches trusted domain-name information contained in a pre-obtained domain-name information set;
a processing unit, for sending the DNS request to the DNS according to the set number of forged DNS requests to be sent per unit time when the judgment result obtained by the judging unit is no, and for sending the DNS request to the DNS normally when the judgment result is yes.
7. The apparatus according to claim 6, characterized in that the domain-name information set is obtained in the following manner:
determining the domain-name information respectively contained in each DNS request received by the DNS within a period of time;
from the domain-name information respectively contained in each DNS request, selecting the domain-name information whose access count within the period of time exceeds a preset count threshold to form the domain-name information set.
8. The apparatus according to claim 7, characterized in that determining the domain-name information respectively contained in each DNS request received by the DNS within the period of time specifically includes:
when it is judged that all forged DNS requests received by the DNS within the period of time meet a specified condition, determining the domain-name information respectively contained in each DNS request received by the DNS within the period of time;
wherein the specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period of time is less than a preset ratio threshold.
9. The apparatus according to any of claims 6 to 8, characterized in that the obtaining unit is specifically used to:
obtain the DNS request, and verify the security of the DNS request according to a specified security check strategy; and, after the DNS request is verified as safe, obtain the domain-name information contained in the DNS request.
10. The apparatus according to any of claims 6 to 8, characterized in that the obtaining unit is specifically used to extract the domain-name information contained in the DNS request in hashed form.
11. A DNS request processing system, characterized by including a domain name system (DNS) traffic collection system and a DNS security defense system, wherein:
the DNS traffic collection system is used to determine the domain-name information respectively contained in each DNS request received by the DNS within a period of time and, from the domain-name information respectively contained in each DNS request, to select the domain-name information whose access count within the period of time exceeds a preset count threshold to form a domain-name information set;
the DNS security defense system is used to obtain the domain-name information contained in a DNS request; to judge whether the domain-name information matches trusted domain-name information contained in the pre-obtained domain-name information set; when the judgment result is no, to send the DNS request to the DNS according to the set number of forged DNS requests to be sent per unit time; and when the judgment result is yes, to send the DNS request to the DNS normally.
12. The system according to claim 11, characterized in that the DNS traffic collection system is specifically used to determine the domain-name information respectively contained in each DNS request received by the DNS within the period of time in the following manner:
when it is judged that all forged DNS requests received by the DNS within the period of time meet a specified condition, determining the domain-name information respectively contained in each DNS request received by the DNS within the period of time;
wherein the specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period of time is less than a preset ratio threshold.
13. The system according to claim 11 or 12, characterized in that the DNS security defense system is used to obtain the domain-name information parsed from the domain name system (DNS) request in the following manner:
obtaining the DNS request, and verifying the security of the DNS request according to a specified security check strategy;
after the DNS request is verified as safe, obtaining the domain-name information contained in the DNS request.
14. The system according to claim 11 or 12, characterized in that the DNS security defense system is used to obtain the domain-name information contained in the DNS request in the following manner:
extracting the domain-name information contained in the DNS request in hashed form.
CN201310211355.0A 2013-05-30 2013-05-30 A kind of processing method of DNS request, apparatus and system Active CN104219335B (en)

Publications (2)

Publication Number Publication Date
CN104219335A CN104219335A (en) 2014-12-17
CN104219335B true CN104219335B (en) 2018-08-24

Family

ID=52100459

Country Status (1)

Country Link
CN (1) CN104219335B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant