CN104219335B - DNS request processing method, apparatus and system - Google Patents
- Publication number: CN104219335B (application CN201310211355.0A)
- Authority: CN (China)
- Prior art keywords: dns, domain, name information, dns request, request
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Computer And Data Communications (AREA); Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a DNS request processing method, apparatus and system, to solve the problems in the prior art of missed identification and misidentification of forged DNS requests and of consuming many DNS system resources. The method includes: obtaining the domain-name information contained in a domain name system (DNS) request; judging whether the domain-name information matches trusted domain-name information contained in a domain-name information set obtained in advance; and, when the judgment result is no, processing the DNS request containing the domain-name information according to a preset processing mode for forged DNS requests.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a DNS request processing method, apparatus and system.
Background technology
The computer domain name system (Domain Name System or Domain Name Service, DNS) is composed of resolvers and name servers. A name server is a server that stores the domain names and corresponding IP addresses of all hosts in the network and has the function of converting domain names into IP addresses. Each domain name must correspond to an IP address, while an IP address need not correspond to only one domain name. Domain names are convenient for people to remember, but machines recognize only IP addresses; the conversion between them is called domain name resolution, which is completed by dedicated domain name resolution servers, and a DNS is precisely the server that performs domain name resolution. When a user enters the domain name of a host in an application, thereby triggering the user terminal to send a DNS request containing that domain name to the DNS, the DNS resolves the domain name in the DNS request into associated information such as an IP address.
In the prior art, because a DNS may be attacked over the network, DNS security defense mechanisms such as firewalls and traffic cleaning systems are needed to identify and defend against attacks. The technical principle of the prior-art DNS security defense mechanism is generally as follows. After a security device hijacks, by means of routing techniques, the DNS request sent by a user terminal, it sends a DNS response message to the user terminal with the TC flag in the response set to 1, which triggers the user terminal to re-initiate a request to the DNS based on the Transmission Control Protocol (TCP), i.e. a TCP request. According to this principle, if the user terminal that sent the DNS request is a legitimate user terminal, it will be triggered to send a TCP request; if the user terminal that sent the DNS request is an illegitimate user terminal, or a user terminal that does not exist, it will not be triggered to send a TCP request. For example, in an attack launched by a packet-sending tool with discrete source IPs or forged domain names, the DNS requests are sent uniformly by the packet-sending tool and the source IP address contained in each DNS request is often forged, so the DNS response message that the DNS returns for the request is never received by a real user terminal, no user terminal sends a TCP request to the DNS, and DNS security defense is therefore achieved to some extent.
At present, the above prior-art DNS security defense mechanism has been shown to have the following defects:
1. It cannot resist a distributed denial of service (DDoS) attack with forged domain names launched by bots (compromised hosts). A bot is any system or server that has been compromised by a hacker, can be manipulated arbitrarily, and has had a trojan implanted. When a bot launches a DDoS attack it sends forged DNS requests using the real address of the bot host and the protocol stack of the bot host's operating system, so the bot host does receive the DNS response message with the TC flag set to 1 returned by the security device; triggered by that response message, the bot host also initiates a TCP request just like an ordinary user. The forged DNS requests initiated by the bot host are therefore misidentified by the security device as DNS requests of a legitimate user, and the security device fails to defend against them.
2. It causes legitimate user DNS requests to be mistakenly blocked. The main scenarios in which this happens are: A. an attacker launching an attack with a packet-sending tool often forges source IPs by using discrete IPs, which may accidentally "usurp" the source IP address of a legitimate user; B. a legitimate user does not reply with a TCP request every time it sends a DNS request and receives a DNS response message. In both scenarios the security device misidentifies the IP address of the legitimate user as the attacker's IP address, and consequently applies the security policy to the legitimate user's DNS requests as well, for example by filtering them.
3. It increases the resource occupation pressure on the DNS. Because the prior-art DNS security defense mechanism needs to trigger legitimate users to send TCP requests to the DNS, the DNS has to respond one by one to each TCP request it receives; the DNS therefore consumes more system resources, and greater pressure is put on the system.
Among existing DNS attack modes, the most important is the DDoS attack. Its principle is: the attacker uses a specific packet-sending tool (attack tool) to construct a large number of DNS requests, filling in discrete source IP addresses and domain names with randomly varying characters, in order to attack the DNS system. Such a packet-sending tool does not follow the protocol stack logic of a legitimate user's operating system; it simply sends a large number of DNS requests to a specific destination IP address (the target of the attack). In this attack mode the domain names in the DNS requests are usually forged, yet the DNS system, unable to identify whether a DNS request is an attack, still has to spend a certain amount of processing resources to parse the DNS request and perform other operations. In this way, as the attack volume (the number of DNS requests sent by the packet-sending tool) grows, the DNS eventually collapses from resource exhaustion, and the attacker achieves the goal of paralyzing the DNS.
Fig. 1 shows some forged domain-name information generated with random characters. Under an attack mode based on forged domain-name information, the DNS's result for a DNS request containing forged domain-name information can only be NXDOMAIN (domain name does not exist) or SERVFAIL (authoritative server failure), without any real resolution result. As the number of DNS requests containing such forged domain-name information increases, the DNS collapses.
For a DDoS attack, when the prior-art security defense mechanism is used to defend a DNS under DDoS attack, the problems of missed identification and misidentification of forged DNS requests, and of causing the DNS to consume many system resources, still exist.
Summary of the invention
Embodiments of the present invention provide a DNS request processing method, apparatus and system, to solve the problems that may exist when a DNS under DDoS attack is defended by the existing DNS security defense mechanism: missed identification and misidentification of forged DNS requests, and consumption of many DNS system resources.
Embodiments of the present invention adopt the following technical solutions:
A DNS request processing method, including: obtaining the domain-name information contained in a domain name system (DNS) request; judging whether the domain-name information matches trusted domain-name information contained in a domain-name information set obtained in advance; and, when the judgment result is no, processing the DNS request containing the domain-name information according to a preset processing mode for forged DNS requests.
A DNS request processing apparatus, including: an obtaining unit, for obtaining the domain-name information contained in a DNS request; a judging unit, for judging whether the domain-name information obtained by the obtaining unit matches trusted domain-name information contained in a domain-name information set obtained in advance; and a processing unit, for processing the DNS request containing the domain-name information according to a preset processing mode for forged DNS requests when the judgment result obtained by the judging unit is no.
A DNS request processing system, including a DNS traffic collection system and a DNS security defense system, wherein:
the DNS traffic collection system is for determining the domain-name information contained in each DNS request received by the DNS within a period of time, and selecting, from the domain-name information contained in those DNS requests, the domain-name information whose access count within that period exceeds a preset count threshold to form a domain-name information set;
the DNS security defense system is for obtaining the domain-name information contained in a DNS request; judging whether the domain-name information matches trusted domain-name information contained in the domain-name information set obtained in advance; and, when the judgment result is no, processing the DNS request containing the domain-name information according to a preset processing mode for forged DNS requests.
Embodiments of the present invention have the following beneficial effects:
Because the solution provided by embodiments of the present invention is based on the feature that a forged DNS request in a DDoS attack contains a domain name of randomly varying characters, it proposes identifying whether a DNS request is a forged DNS request by comparing the domain-name information contained in the DNS request against the trusted domain-name information contained in a domain-name information set obtained in advance. The solution identifies forged DNS requests without relying on the source IP address and without triggering the user terminal to send a TCP request, and thus, when the DNS is under DDoS attack, solves the problems that may exist when the DNS is defended by the existing DNS security defense mechanism: missed identification and misidentification of forged DNS requests, and consumption of many DNS system resources.
Description of the drawings
Fig. 1 shows some forged domain-name information generated with random characters;
Fig. 2 is a flow diagram of a DNS request processing method provided in an embodiment of the present invention;
Fig. 3a is the normal service traffic model of a DNS in a live network environment, as provided in an embodiment of the present invention;
Fig. 3b is the under-attack traffic model of a DNS in a live network environment, as provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the system architecture of the solution provided in an embodiment of the present invention;
Fig. 5 is a detailed flow chart of a DNS request processing method provided in an embodiment of the present invention;
Fig. 6 is a DNS request processing apparatus provided in an embodiment of the present invention;
Fig. 7 is a DNS request processing system provided in an embodiment of the present invention.
Detailed description of embodiments
Through analysis and research of the prior-art security defense mechanism, the inventor found that the TC flag specified in the DNS protocol has its own specific function: when the DNS response to a single DNS request is too large (more than 512 bytes), the DNS automatically truncates the response message and sets the TC flag to 1, forcing the user terminal that sent the DNS request to re-initiate the request over TCP port 53 (the TCP request described earlier), so that the user terminal can receive the complete DNS response to that request.
It can be seen that a TC flag set to 1 serves as the trigger condition for a user terminal to initiate a DNS request over TCP port 53. Precisely by this principle, the prior-art DNS security defense mechanism uses a TC flag set to 1 to trigger the user terminal to initiate a DNS request over TCP port 53, and judges, from whether the user terminal is triggered to initiate that request, whether the corresponding DNS request received by the DNS is a forged DNS request. In actual use, however, this mechanism has the following three problems: 1. it cannot resist forged-domain-name DDoS attacks launched by bots; 2. it causes legitimate user DNS requests to be mistakenly blocked; 3. it increases the resource occupation pressure on the original DNS system.
To solve the above security defects of the prior art, embodiments of the present invention provide a DNS request processing method, apparatus and system. Embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here are only for illustrating and explaining the present invention and are not intended to limit it; and, where there is no conflict, the embodiments and the features of the embodiments in this description can be combined with each other.
First, an embodiment of the present invention provides a DNS request processing method, whose detailed flow is shown in Fig. 2 and includes the following steps:
Step 21: obtain the domain-name information contained in a domain name system (DNS) request.
In an embodiment of the present invention, one specific way of obtaining the domain-name information contained in a DNS request may include the following sub-steps: first, obtain the DNS request and check its safety according to a specified safety check strategy; then, after the DNS request has been verified as safe, obtain the domain-name information the DNS request contains.
Optionally, the domain-name information contained in the DNS request can be extracted in hashed form. A hash is a numerical representation that expresses a piece of data in a unique and extremely compact manner.
For example, if the executing entity of the method provided in the embodiment is a DNS security defense system, then after obtaining a single DNS request sent by a user terminal, the DNS security defense system can perform a preliminary safety check on the DNS request according to the specified safety check strategy. If the DNS request is confirmed as safe after the check, the DNS security defense system extracts the domain-name information contained in the DNS request in hashed form; if the DNS request is verified as unsafe, the DNS security defense system processes the DNS request according to a specified processing mode, for example by discarding it.
In general there are many kinds of safety check strategy; in an embodiment of the present invention the safety check strategy may include, but is not limited to, one or a combination of the following: abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting. Since abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting are mature techniques in the prior art and are not the focus of the present invention, they are not described further.
Step 22: judge whether the domain-name information obtained in step 21 matches trusted domain-name information contained in the domain-name information set obtained in advance; when the judgment result is no, execute step 23.
Still taking the DNS security defense system as the example, in an embodiment of the present invention, once the DNS security defense system has extracted the domain-name information contained in the DNS request sent by the user terminal, it passes the domain-name information, in hashed form, to a dedicated memory space of the DNS security defense system, which triggers matching of that domain-name information against each item of domain-name information in the domain-name information set stored in advance in that dedicated memory space, to judge whether the domain-name information set contains domain-name information identical to that contained in the DNS request. Because the domain-name information exists in hashed form, matching it against the domain-name information set is very fast and the delay caused by this operation can be ignored.
Optionally, when the judgment result is yes, the DNS security defense system can send the DNS request directly to the DNS for subsequent processing. Specifically, when the judgment result is yes, i.e. the domain-name information set contains domain-name information identical to that obtained in step 21, the DNS security defense system judges that domain-name information to be trusted domain-name information, the DNS request is therefore determined to be a legitimate DNS request, and the legitimate DNS request is forwarded normally by the DNS security defense system to the DNS.
Optionally, the domain-name information set obtained in advance can be obtained by the following sub-steps: first, determine the domain-name information contained in each DNS request received by the DNS within a period of time; then, from the domain-name information contained in those DNS requests, select the domain-name information whose access count within that period exceeds a preset count threshold to form the domain-name information set.
In order to ensure that all the domain-name information contained in the domain-name information set is legitimate domain-name information, in an embodiment of the present invention the set can be obtained by counting the DNS requests received by the DNS while the service traffic of the DNS is in a normal condition. That is, the domain-name information contained in each DNS request received by the DNS within the period is determined only when all the forged DNS requests that the DNS is judged to have received within the period satisfy a specified condition. The specified condition may include: the ratio of the number of forged DNS requests received by the DNS within the period to the total number of DNS requests it received within the period is less than a preset ratio threshold.
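The following is an added example of the collection sub-steps just described (it is not code from the patent): it counts the domain names seen in one collection period, applies the forged-to-total ratio condition before trusting the period, keeps the names whose access count exceeds the preset threshold, and hands the set over as a text file. The record format (source IP, query name, response code), the use of NXDOMAIN/SERVFAIL responses as the forged-request indicator, and the sample period itself are assumptions constructed for the example.

```python
"""Added example: building the trusted domain-name set for one collection period.

Assumptions (not from the patent): a request record is (source_ip, qname, rcode);
a record counts as a forged request when its rcode is NXDOMAIN or SERVFAIL, since
the page states forged names can only produce those results."""
import os
import tempfile
from collections import Counter
from typing import FrozenSet, Optional

FORGED_RCODES = {"NXDOMAIN", "SERVFAIL"}


def normalize(qname: str) -> str:
    # Case- and trailing-dot-insensitive form, so the later hash lookup treats
    # "WWW.Baidu.COM." and "www.baidu.com" as the same domain name.
    return qname.rstrip(".").lower()


def traffic_is_normal(records, ratio_threshold: float) -> bool:
    """Specified condition: forged requests / all requests < preset ratio threshold."""
    total = len(records)
    if total == 0:
        return False
    forged = sum(1 for _, _, rcode in records if rcode in FORGED_RCODES)
    return forged / total < ratio_threshold


def build_trusted_set(records, count_threshold: int = 10,
                      ratio_threshold: float = 0.05) -> Optional[FrozenSet[str]]:
    """Return the domain-name set for the period, or None when the period was not
    in the normal traffic condition (the defense system then keeps its old set)."""
    if not traffic_is_normal(records, ratio_threshold):
        return None
    counts = Counter(normalize(q) for _, q, _ in records)
    # Keep only names whose access count exceeds the preset threshold.
    return frozenset(d for d, n in counts.items() if n > count_threshold)


def write_set_file(trusted, path: str) -> None:
    # The set is handed to the defense system as a text file, one name per line.
    with open(path, "w") as f:
        for d in sorted(trusted):
            f.write(d + "\n")


def load_set_file(path: str) -> FrozenSet[str]:
    with open(path) as f:
        return frozenset(normalize(line.strip()) for line in f if line.strip())


def roundtrip_via_file(trusted) -> FrozenSet[str]:
    """Write the set as a text file and read it back (the hand-off between systems)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "trusted_domains.txt")
        write_set_file(trusted, path)
        return load_set_file(path)


# Constructed sample period: popular names accessed many times, one name sitting
# exactly on the threshold, and two random-looking names answered NXDOMAIN.
SAMPLE_PERIOD = (
    [("10.0.0.1", "www.baidu.com", "NOERROR")] * 40
    + [("10.0.0.2", "WWW.Baidu.COM.", "NOERROR")] * 5
    + [("10.0.0.3", "mail.example.net", "NOERROR")] * 11
    + [("10.0.0.4", "cdn.example.org", "NOERROR")] * 10   # count == threshold: excluded
    + [("10.0.0.5", "www.adskfjkdsa.com", "NXDOMAIN")]
    + [("10.0.0.6", "qzpxlk.example", "NXDOMAIN")]
)

if __name__ == "__main__":
    print(sorted(build_trusted_set(SAMPLE_PERIOD)))
```

Note that `build_trusted_set` returns `None` rather than an empty set when the period fails the ratio condition, so a caller can distinguish "nothing popular" from "period was under attack, keep the previous set".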
Step 23: process the DNS request containing the obtained domain-name information according to a preset processing mode for forged DNS requests.
For example, still taking the DNS security defense system as the example, the DNS request can be sent to the DNS according to a number of forged DNS requests allowed to be sent per unit time. Specifically, after step 22 has judged that the domain-name information set does not contain domain-name information identical to the obtained domain-name information, the DNS security defense system determines that domain-name information to be untrusted, the DNS request is correspondingly judged to be a forged DNS request, and the DNS security defense system applies a unified rate-limiting strategy to the forged DNS request, i.e. it sends the DNS request to the DNS according to the number of forged DNS requests that are allowed to be sent per unit time.
In general, the number set per unit time can be small, so that even if many DNS requests that do not match trusted domain-name information in the set arrive at the same moment, the DNS security defense system can limit their sending rate according to that number, reducing the risk that a large number of forged DNS requests attack the DNS at the same moment and paralyze it.
Optionally, if the executing entity of steps 21 to 23 is the DNS itself, a specific implementation of step 23 can be: discard the DNS request directly.
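As an added example of steps 21 and 22 (not code from the patent), the block below takes a raw DNS query as it would arrive in a UDP payload, extracts the question name, and matches it against the trusted set. Assumptions: the trusted set is a Python `frozenset`, i.e. a hash table, which gives the constant-time "hashed form" lookup the page relies on; "abnormal packet filtering" is approximated as rejecting packets that are not well-formed single-question standard queries; per-IP and per-domain rate limiting from the safety check strategy are left out. `build_query` is a constructed helper that assembles test packets.

```python
"""Added example: extract the question name from a DNS query (step 21) and
classify it against the trusted set (step 22)."""
import struct


class AbnormalPacket(ValueError):
    """Raised for packets the abnormal-packet filter would discard."""


def parse_query_name(packet: bytes) -> str:
    """Return the normalized question name of a standard query, or raise AbnormalPacket."""
    if len(packet) < 12:
        raise AbnormalPacket("shorter than a DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:                      # QR=1 marks a response, not a query
        raise AbnormalPacket("QR bit set on a query")
    if qdcount != 1:
        raise AbnormalPacket("expected exactly one question")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise AbnormalPacket("name runs past end of packet")
        length = packet[pos]
        if length == 0:                     # root label terminates the name
            pos += 1
            break
        if length > 63:                     # covers compression pointers (0xC0..) too
            raise AbnormalPacket("label longer than 63 octets or pointer in question")
        pos += 1
        label = packet[pos:pos + length]
        if len(label) != length:
            raise AbnormalPacket("truncated label")
        try:
            labels.append(label.decode("ascii"))
        except UnicodeDecodeError:
            raise AbnormalPacket("non-ASCII octets in label") from None
        pos += length
    if pos + 4 > len(packet):               # QTYPE and QCLASS must follow the name
        raise AbnormalPacket("missing QTYPE/QCLASS")
    name = ".".join(labels).lower()
    if len(name) > 253:
        raise AbnormalPacket("name longer than 253 octets")
    return name


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed helper: assemble a minimal standard query (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def classify(packet: bytes, trusted: frozenset) -> str:
    """'drop' for abnormal packets, 'forward' for trusted names, 'limit' otherwise."""
    try:
        qname = parse_query_name(packet)
    except AbnormalPacket:
        return "drop"
    return "forward" if qname in trusted else "limit"


# Constructed trusted set standing in for the collected domain-name information set.
TRUSTED = frozenset({"www.baidu.com", "mail.example.net"})

if __name__ == "__main__":
    for q in ("WWW.Baidu.COM", "www.adskfjkdsa.com"):
        print(q, "->", classify(build_query(q), TRUSTED))
```

The name is lower-cased before lookup so that the set only needs to hold one spelling; the collection side must normalize the same way, or a legitimate mixed-case query would be treated as untrusted.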
By using the above solution provided in embodiments of the present invention, a DDoS attack is recognized using the domain-name information contained in the domain-name information set, which achieves the purpose of defending against the attack. Specifically, the technical effects of the method provided in embodiments of the present invention are: 1. DDoS attacks of the various types launched by bots, packet-sending tools and the like can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in a scenario with a DDoS attack, the solution achieves attack protection reliability above 99.9% while not affecting user experience at all, and under non-extreme conditions it does not mistakenly block legitimate DNS requests; 3. no pressure is put on the original DNS, so the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
The application of the above solution in practice is described in detail below with reference to actual conditions.
It must first be explained that, in order to solve the problems that may exist when a DNS under DDoS attack is defended by the existing DNS security defense mechanism (missed identification and misidentification of forged DNS requests, and consumption of many DNS system resources), the inventor carried out detailed analysis and research on the DNS traffic model built for the live network environment and on each severe DDoS attack. The analysis found that in the normal service traffic model, as shown in Fig. 3a, within one statistical period the number of legitimate DNS requests received by the DNS is a very large proportion of the total number of DNS requests it receives, and the number of forged DNS requests is a very small proportion; in the under-attack traffic model, as shown in Fig. 3b, within a statistical period of the same length, the number of legitimate DNS requests is essentially unchanged while the number of forged DNS requests is very large, so the proportion of legitimate DNS requests in the total becomes small and the proportion of forged DNS requests becomes very large.
Through the analysis and research of DNS requests in the live network environment, it was found that the normal DNS traffic model, i.e. the normal service traffic model, has the following characteristics:
1. The number of domain names that really exist in the live network is on the order of a hundred billion, and more than ten million domain names are added and disappear every day;
2. The normal DNS traffic model follows a pyramid traffic model structure, i.e. the domain names actually contained in the large number of user requests are a small fraction of the domain names that really exist in the live network;
3. Counted over a period of one day, more than 10,000,000 legitimate DNS requests access the DNS;
4. Counted over a period of one day, when domain names are ranked by the number of times legitimate users access them, the DNS requests for the TOP 1,000,000 domain names account for 99.9% of all DNS requests; in the domain-name information set composed of these TOP 1,000,000 domain names, the domain name ranked 1,000,000th is accessed fewer than 10 times per day;
5. In the normal DNS traffic model, more than 5,000,000 domain names per day are "one-time domain names", i.e. exactly one DNS request is initiated for that domain name.
Based on the above characteristics of the normal DNS traffic model, the inventor proposes a method of verification based on the domain name of the DNS request, and introduces a DNS traffic collection system as an important component of the DNS security defense system.
In practical applications, the system architecture of the solution provided in an embodiment of the present invention is shown in Fig. 4. The architecture specifically includes: attacker 41, legitimate user 42, DNS security defense system 43, DNS traffic collection system 44 and DNS 45. DNS 45 can receive DNS requests numbering on the order of a hundred billion within a period of time. Within that period, legitimate user 42 initiates a large number of DNS requests, and attacker 41 initiates a DNS request. When the traffic is in the normal service model (the ratio of the number of forged DNS requests received by DNS 45 within the period to the total number of DNS requests it received is less than the preset ratio threshold), DNS traffic collection system 44 determines the domain-name information contained in each DNS request received by DNS 45 within one day, then sorts the determined domain-name information by access count to obtain a sorted list, and extracts from the list all the domain-name information whose access count within the period exceeds 10 as the domain-name information set. Finally, DNS traffic collection system 44 forwards the extracted domain-name information set, by a specified transmission mode, to the dedicated memory space opened up by DNS security defense system 43 for storage. After DNS security defense system 43 has received the domain-name information set from the DNS traffic collection system, it can perform domain-name verification on subsequently received DNS requests and thereby defend the DNS against attack.
It should be noted that the domain-name information set is the set composed of the TOP 1,000,000 items of domain-name information in the sorted domain-name information list, and the DNS requests initiated for the domain names in that set account for 99.9% of all DNS requests. Because the characters of forged domain-name information are generated randomly, a forged domain name can only access the DNS once and has no real resolution result, so forged domain-name information does not enter the domain-name information set; this ensures that the domain-name information collected into the set is both legitimate and popular. For example, in real life, well-known and popular domain names such as www.baidu.com must be trusted domain names, while forged, obscure domain names such as www.adskfjkdsa.com must be untrusted domain names.
In addition, it should be noted that the specified transmission mode includes inter-process communication or layer-2 packet assembly and sending. The two transmission modes apply to the following two scenarios: when DNS traffic collection system 44 and DNS security defense system 43 are deployed on the same hardware machine, inter-process communication within that machine can be used, i.e. the domain-name information set, existing as a text file, is shared; when DNS traffic collection system 44 and DNS security defense system 43 are deployed independently on different hardware machines, network communication is used, and DNS traffic collection system 44 transfers the domain-name information set, stored as a text file, to DNS security defense system 43.
Based on the system architecture shown in Fig. 4, after the DNS security defense system receives a single DNS request from an unknown user, it can execute the following steps, shown in Fig. 5, to judge whether the DNS request is legitimate:
Step 51: the DNS security defense system applies safety check strategies such as abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting to the DNS request.
Step 52: after the check passes, the DNS security defense system extracts, by hashing, the domain-name information contained in the DNS request and quickly traverses the memory space holding the domain-name information set obtained in advance to perform domain-name matching verification. Because hashing is very fast even for traversal queries on the order of a million entries, the operation can be considered to introduce no delay. If the matching result is that the domain-name information is in the domain-name information set, execute step 53; if the matching result is that it is not in the set, execute step 54.
Step 53: the DNS security defense system determines the domain-name information to be trusted domain-name information rather than random-character domain-name information forged by an attacker, and the DNS request passes normally through the DNS security defense system.
Step 54: the DNS security defense system determines the domain-name information to be untrusted domain-name information, and the DNS request is subjected to the unified rate-limiting strategy that the DNS security defense system applies to untrusted domain-name information, for example a unified rate-limiting strategy that caps all untrusted domain names together at 10000 QPS (QPS: queries per second).
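An added example of the unified rate-limiting strategy of step 54 (it is not code from the patent), with step 53's trusted names bypassing the limit: a single token bucket is shared by every untrusted domain name, so a flood of random-character names can never push more than the configured number of requests per second through to the back-end DNS, while trusted names are forwarded unconditionally. Assumptions: the cap is the page's 10000 QPS; the bucket's burst size equals one second of the cap; the limiter is driven by explicit timestamps so the burst simulation runs offline; the trusted set and the simulated traffic are constructed.

```python
"""Added example: unified rate limit for untrusted domain names (step 54)."""
import random
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float                                   # tokens per second = allowed QPS
    burst: float                                  # bucket capacity
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst                  # start full

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class DefenseSystem:
    trusted: frozenset
    untrusted_qps: float = 10000.0
    bucket: TokenBucket = field(init=False, default=None)
    stats: dict = field(default_factory=lambda: {"forward": 0, "limited": 0, "dropped": 0})

    def __post_init__(self):
        # One bucket for all untrusted names together (the "unified" strategy).
        self.bucket = TokenBucket(self.untrusted_qps, self.untrusted_qps)

    def handle(self, qname: str, now: float) -> str:
        name = qname.rstrip(".").lower()
        if name in self.trusted:                  # step 53: trusted names pass freely
            self.stats["forward"] += 1
            return "forward"
        if self.bucket.allow(now):                # step 54: share the untrusted cap
            self.stats["limited"] += 1
            return "forward-limited"
        self.stats["dropped"] += 1
        return "drop"


def simulate_attack(trusted, n_forged: int = 50000, n_legit: int = 1000,
                    seconds: float = 1.0) -> dict:
    """Constructed burst: n_forged random-character names and n_legit trusted
    lookups spread evenly over `seconds`; returns the defense system's counters."""
    rng = random.Random(1)
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    legit = sorted(trusted)
    events = []
    for i in range(n_forged):
        name = "www." + "".join(rng.choice(alphabet) for _ in range(10)) + ".com"
        events.append((i * seconds / n_forged, name))
    for i in range(n_legit):
        events.append((i * seconds / n_legit, legit[i % len(legit)]))
    events.sort()
    ds = DefenseSystem(frozenset(trusted))
    for t, name in events:
        ds.handle(name, t)
    return ds.stats


if __name__ == "__main__":
    print(simulate_attack({"www.baidu.com", "mail.example.net"}))
```

With 50000 forged names in one second against a 10000 QPS cap, roughly 20000 reach the DNS (the initial burst allowance plus one second of refill) and the rest are dropped, while every one of the 1000 trusted lookups is forwarded; the legitimate traffic is unaffected because it never touches the shared bucket.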
Applying the scheme provided in the embodiments of the present invention in practice shows that, because the DNS traffic collection system learns the normal DNS traffic model and computes the domain-name information set from it, the DNS requests covered by the domain-name information set account for 99.9% or more of all DNS requests received by the DNS, so that these 99.9% of DNS requests are protected by the DNS security defense system. At the same time, the DNS requests containing domain-name information outside the domain-name information set account for 0.1% of all DNS requests received by the DNS, and correspondingly that 0.1% of DNS requests is subject to the unified rate-limiting policy of the DNS security defense system, which protects normal operation of the back-end DNS and thereby effectively defends against this kind of DDoS attack. Meanwhile, our experiments show that the system latency introduced by the scheme provided in the embodiments of the present invention is short enough to be negligible, so the security defense effectiveness reaches 99.9% without affecting user experience.
In addition, the DNS traffic collection mechanism provided in the embodiments of the present invention also ensures real-time updating of the domain-name information set (the update frequency is usually set to one day), so that the DNS security defense system periodically obtains the latest domain-name information set, keeps up with the rapid pace at which domain names change, and ensures that 99.9% of DNS requests are trusted by the DNS security defense system.
By using the above concrete scheme provided in the embodiments of the present invention, DDoS attacks are identified by means of the domain-name information contained in the domain-name information set, achieving the goal of defending against the attack. Specifically, the technical effects of the method provided in the embodiments of the present invention are: 1. DDoS attack behaviour of the various attack types launched by bot hosts, packet-sending tools and the like can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in a scenario with a DDoS attack, the scheme achieves an attack-protection reliability above 99.9% while leaving user experience completely unaffected, and under non-extreme conditions it does not mistakenly block legitimate DNS requests; 3. no pressure is placed on the original DNS, so the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
Corresponding to the DNS request processing method provided in the embodiments of the present invention, the embodiments of the present invention also provide a DNS request processing apparatus, whose structure is shown schematically in Figure 6. It mainly includes an obtaining unit 61, a judging unit 62 and a processing unit 63. The function of each unit is described below:
Obtaining unit 61 is used to obtain the domain-name information contained in a domain name system (DNS) request.
In the embodiments of the present invention, obtaining unit 61 obtains the domain-name information contained in the DNS request by means of the following sub-units:
A verification sub-unit, used to obtain the DNS request and to verify the security of the DNS request according to a specified security check policy;
An obtaining sub-unit, used to obtain the domain-name information contained in the DNS request after the verification sub-unit has verified the DNS request with the result that it is safe. Optionally, the domain-name information contained in the DNS request can be extracted by hashing.
In general there are many kinds of security check policies; in the embodiments of the present invention, the security check policy can include, but is not limited to, one or a combination of the following:
abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting. Since abnormal packet filtering, per-IP rate limiting and per-domain-name rate limiting are comparatively mature techniques in the prior art and are not the focus of the present invention, they are not described further.
A hash is a numerical representation that expresses a piece of data in a unique and extremely compact form.
Judging unit 62 is used to judge whether the domain-name information obtained by obtaining unit 61 matches the trusted domain-name information contained in the pre-obtained domain-name information set and, when the judgement result is no, to pass the DNS request obtained by obtaining unit 61 to processing unit 63 for processing;
The pre-obtained domain-name information set can be obtained by the following sub-steps:
First, determine the domain-name information contained in each DNS request received by the DNS within a period of time; specifically: when it is judged that all forged DNS requests received by the DNS within this period satisfy a specified condition, determine the domain-name information contained in each DNS request received by the DNS within this period. The specified condition is that the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within this period is below a preset ratio threshold.
Then, from the domain-name information contained in each DNS request, select the domain-name information whose access count within this period exceeds a preset count threshold, and form the domain-name information set from it.
Processing unit 63 processes the DNS request containing the domain-name information according to the preset processing mode for forged DNS requests. Specifically, it sends the DNS request to the DNS in accordance with the number of forged DNS requests that may be sent per unit time, as set for that unit time.
By using the above scheme provided in the embodiments of the present invention, DDoS attacks are identified by means of the domain-name information contained in the domain-name information set, achieving the goal of defending against the attack. Specifically, the technical effects of this scheme provided in the embodiments of the present invention are: 1. DDoS attack behaviour of the various attack types launched by bot hosts, packet-sending tools and the like can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in a scenario with a DDoS attack, the scheme achieves an attack-protection reliability above 99.9% while leaving user experience completely unaffected, and under non-extreme conditions it does not mistakenly block legitimate DNS requests; 3. no pressure is placed on the original DNS, so the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
Correspondingly, matching the above method flow, the embodiments of the present invention also provide a DNS request processing system, shown in Figure 7, which includes:
DNS traffic collection system 71, used to determine the domain-name information contained in each DNS request received by the DNS within a period of time and, from the domain-name information contained in each DNS request, to select the domain-name information whose access count within this period exceeds a preset count threshold and form the domain-name information set from it;
DNS security defense system 72, used to obtain the domain-name information contained in a DNS request; to judge whether the domain-name information matches the trusted domain-name information contained in the domain-name information set pre-obtained by DNS traffic collection system 71; and, when the judgement result is no, to process the DNS request containing the domain-name information according to the preset processing mode for forged DNS requests.
In the embodiments of the present invention, DNS traffic collection system 71 is responsible for obtaining the domain-name information set; the acquisition process includes:
First, DNS traffic collection system 71 determines the domain-name information contained in each DNS request received by the DNS within a period of time; specifically, when it is judged that all forged DNS requests received by the DNS within this period satisfy a specified condition, it determines the domain-name information contained in each DNS request received by the DNS within this period. The specified condition is that the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within this period is below a preset ratio threshold.
Then, from the domain-name information contained in each DNS request, it selects the domain-name information whose access count within this period exceeds a preset count threshold and forms the domain-name information set from it.
Finally, DNS traffic collection system 71 forwards the extracted domain-name information set, using a specified transfer method, to the dedicated memory space set aside by DNS security defense system 72, where it is stored.
Optionally, a specified update period can be configured for DNS traffic collection system 71, so that DNS traffic collection system 71 updates the domain-name information set in real time and obtains the domain-name information set closest to the real network, ensuring that 99.9% of DNS requests are legitimate.
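The collection-side procedure described above and in the apparatus section (the two sub-steps with the specified condition, the text-file hand-over and the scheduled update), as an added example that is not part of the patent. It assumes each observed request is a (name, is_forged) pair, where is_forged is whatever upstream check marked the request as forged, and that the set is exchanged as a one-name-per-line text file; the thresholds and the sample period are constructed.

```python
from collections import Counter
from typing import Iterable, Optional, Set, Tuple

Request = Tuple[str, bool]   # (QNAME, is_forged); is_forged is an assumed upstream verdict


def normalise(name: str) -> str:
    return name.lower().rstrip(".")


def build_domain_set(requests: Iterable[Request],
                     ratio_threshold: float,
                     count_threshold: int) -> Optional[Set[str]]:
    """Sub-steps 1 and 2 for one collection period.

    Sub-step 1 (the specified condition): the period is used only when
        forged / total < ratio_threshold.
    Sub-step 2: keep every name accessed more than count_threshold times.
    Returns None when the condition fails, so the caller keeps its old set
    instead of learning from a period that may be polluted by an attack.
    """
    total = forged = 0
    counts: Counter = Counter()
    for name, is_forged in requests:
        total += 1
        forged += int(is_forged)
        counts[normalise(name)] += 1
    if total == 0 or forged / total >= ratio_threshold:
        return None
    return {name for name, n in counts.items() if n > count_threshold}


def coverage(requests: Iterable[Request], domain_set: Set[str]) -> float:
    """Share of a period's requests whose name is in the set (the patent
    reports 99.9% or more for sets learned this way)."""
    hits = total = 0
    for name, _ in requests:
        total += 1
        hits += normalise(name) in domain_set
    return hits / total if total else 0.0


def update_set(previous: Set[str], requests: Iterable[Request],
               ratio_threshold: float, count_threshold: int) -> Set[str]:
    """One scheduled update (the patent suggests once a day): replace the
    set only when the new period passed the specified condition."""
    learned = build_domain_set(requests, ratio_threshold, count_threshold)
    return previous if learned is None else learned


def serialise(domain_set: Set[str]) -> str:
    """Text-file form handed to the defense system: one name per line."""
    return "".join(name + "\n" for name in sorted(domain_set))


def deserialise(text: str) -> Set[str]:
    return {normalise(line) for line in text.splitlines() if line.strip()}


# Constructed sample period: 1000 requests, 4 of them flagged as forged.
SAMPLE_PERIOD = (
    [("www.example.com", False)] * 600
    + [("mail.example.com", False)] * 300
    + [("cdn.example.net", False)] * 95
    + [("once.example.org", False)]
    + [("qx7k2p.example.com", True)] * 4
)

if __name__ == "__main__":
    learned = update_set(set(), SAMPLE_PERIOD, ratio_threshold=0.01, count_threshold=50)
    print(sorted(learned), "coverage=%.3f" % coverage(SAMPLE_PERIOD, learned))
```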
After a DNS request sent by a user terminal enters DNS security defense system 72, the security of the DNS request is verified according to the specified security check policy; after the DNS request is verified as safe, the domain-name information contained in it is obtained. Once DNS security defense system 72 has extracted the domain-name information contained in the DNS request sent by the user terminal, it passes that domain-name information, in hashed form, into the dedicated memory space of DNS security defense system 72, which triggers a check of the domain-name information against each item of domain-name information in the domain-name information set stored in the dedicated memory space and obtained by DNS traffic collection system 71, i.e. a check of whether the domain-name information set contains domain-name information identical to it. When the judgement result is no, DNS security defense system 72 sends the DNS request to the DNS in accordance with the number of forged DNS requests that may be sent per unit time, as set for that unit time.
By using the above scheme provided in the embodiments of the present invention, DDoS attacks are identified by means of the domain-name information contained in the domain-name information set, achieving the goal of defending against the attack. Specifically, the technical effects of this scheme provided in the embodiments of the present invention are: 1. DDoS attack behaviour of the various attack types launched by bot hosts, packet-sending tools and the like can be defended against, entirely regardless of the form of the attack source and the composition of the attack traffic; 2. in a scenario with a DDoS attack, the scheme achieves an attack-protection reliability above 99.9% while leaving user experience completely unaffected, and under non-extreme conditions it does not mistakenly block legitimate DNS requests; 3. no pressure is placed on the original DNS, so the original DNS can provide DNS service normally and stably under the protection of the DNS security defense mechanism proposed by the present invention.
It can be seen that, compared with DNS request processing methods in the prior art, the DNS security defense system of the present invention has the following technical advantages:
The user does not need to initiate a further TCP request;
Because the DNS request is verified by matching it against the domain-name information set, DNS traffic throughput is improved and the stability of DNS operation is enhanced;
An attack-protection reliability above 99.9% is achieved, far above the security defense achieved through the TCP protocol; in addition, the delay caused by matching directly against the domain-name information set by hashing is negligible, which reduces the impact on user experience.
Those skilled in the art should understand that the embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a particular way, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.
Claims (14)
1. A processing method for a DNS request, characterised in that it includes:
obtaining the domain-name information contained in a domain name system (DNS) request;
judging whether the domain-name information matches the trusted domain-name information contained in a pre-obtained domain-name information set;
when the judgement result is no, sending the DNS request to the DNS in accordance with the number of forged DNS requests that may be sent per unit time, as set for that unit time;
when the judgement result is yes, sending the DNS request to the DNS normally.
2. The method according to claim 1, characterised in that the domain-name information set is obtained in the following manner:
determining the domain-name information contained in each DNS request received by the DNS within a period of time;
from the domain-name information contained in each DNS request, selecting the domain-name information whose access count within the period of time exceeds a preset count threshold to form the domain-name information set.
3. The method according to claim 2, characterised in that determining the domain-name information contained in each DNS request received by the DNS within the period of time specifically includes:
when it is judged that all forged DNS requests received by the DNS within the period of time satisfy a specified condition, determining the domain-name information contained in each DNS request received by the DNS within the period of time;
wherein the specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period of time is below a preset ratio threshold.
4. The method according to any one of claims 1 to 3, characterised in that obtaining the domain-name information parsed from the domain name system (DNS) request specifically includes:
obtaining the DNS request and verifying the security of the DNS request according to a specified security check policy;
after the DNS request is verified as safe, obtaining the domain-name information contained in the DNS request.
5. The method according to any one of claims 1 to 3, characterised in that obtaining the domain-name information contained in the DNS request specifically includes:
extracting the domain-name information contained in the DNS request by hashing.
6. A processing apparatus for a DNS request, characterised in that it includes:
an obtaining unit, used to obtain the domain-name information contained in a domain name system (DNS) request;
a judging unit, used to judge whether the domain-name information obtained by the obtaining unit matches the trusted domain-name information contained in a pre-obtained domain-name information set;
a processing unit, used, when the judgement result obtained by the judging unit is no, to send the DNS request to the DNS in accordance with the number of forged DNS requests that may be sent per unit time, as set for that unit time, and, when the judgement result is yes, to send the DNS request to the DNS normally.
7. The apparatus according to claim 6, characterised in that the domain-name information set is obtained in the following manner:
determining the domain-name information contained in each DNS request received by the DNS within a period of time;
from the domain-name information contained in each DNS request, selecting the domain-name information whose access count within the period of time exceeds a preset count threshold to form the domain-name information set.
8. The apparatus according to claim 7, characterised in that determining the domain-name information contained in each DNS request received by the DNS within the period of time specifically includes:
when it is judged that all forged DNS requests received by the DNS within the period of time satisfy a specified condition, determining the domain-name information contained in each DNS request received by the DNS within the period of time;
wherein the specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period of time is below a preset ratio threshold.
9. The apparatus according to any one of claims 6 to 8, characterised in that the obtaining unit is specifically used to:
obtain the DNS request and verify the security of the DNS request according to a specified security check policy;
after the DNS request is verified as safe, obtain the domain-name information contained in the DNS request.
10. The apparatus according to any one of claims 6 to 8, characterised in that the obtaining unit is specifically used to extract the domain-name information contained in the DNS request by hashing.
11. A processing system for a DNS request, characterised in that it includes a domain name system (DNS) traffic collection system and a DNS security defense system, wherein:
the DNS traffic collection system is used to determine the domain-name information contained in each DNS request received by the DNS within a period of time and, from the domain-name information contained in each DNS request, to select the domain-name information whose access count within the period of time exceeds a preset count threshold to form a domain-name information set;
the DNS security defense system is used to obtain the domain-name information contained in a DNS request; to judge whether the domain-name information matches the trusted domain-name information contained in the pre-obtained domain-name information set; when the judgement result is no, to send the DNS request to the DNS in accordance with the number of forged DNS requests that may be sent per unit time, as set for that unit time; and, when the judgement result is yes, to send the DNS request to the DNS normally.
12. The system according to claim 11, characterised in that the DNS traffic collection system is specifically used to determine the domain-name information contained in each DNS request received by the DNS within the period of time in the following manner:
when it is judged that all forged DNS requests received by the DNS within the period of time satisfy a specified condition, determining the domain-name information contained in each DNS request received by the DNS within the period of time;
wherein the specified condition includes: the ratio of the number of all forged DNS requests to the total number of all DNS requests received by the DNS within the period of time is below a preset ratio threshold.
13. The system according to claim 11 or 12, characterised in that the DNS security defense system is used to obtain the domain-name information parsed from the domain name system (DNS) request in the following manner:
obtaining the DNS request and verifying the security of the DNS request according to a specified security check policy;
after the DNS request is verified as safe, obtaining the domain-name information contained in the DNS request.
14. The system according to claim 11 or 12, characterised in that the DNS security defense system is used to obtain the domain-name information contained in the DNS request in the following manner:
extracting the domain-name information contained in the DNS request by hashing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310211355.0A CN104219335B (en) | 2013-05-30 | 2013-05-30 | A kind of processing method of DNS request, apparatus and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104219335A (en) | 2014-12-17 |
CN104219335B (en) | 2018-08-24 |
Family
ID=52100459
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||