CN104618351A - Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack - Google Patents
- Publication number: CN104618351A (application CN201510020628.2A)
- Authority: CN (China)
- Prior art keywords: dns, response, packet, domain, packets
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0218 — Distributed architectures, e.g. distributed firewalls (under H04L63/0209 architectural arrangements, e.g. perimeter networks or demilitarized zones; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/00 network architectures or protocols for network security)
- H04L61/4511 — Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS] (under H04L61/4505; H04L61/45 network directories, name-to-address mapping; H04L61/00 network arrangements, protocols or services for addressing or naming)
- H04L63/1416 — Event detection, e.g. attack signature detection (under H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 detecting or protecting against malicious traffic; H04L63/00)
- H04L63/1466 — Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441 countermeasures against malicious traffic; H04L63/14; H04L63/00)
Abstract
The invention relates to a method for identifying DNS spoofing attack packets and for detecting DNS spoofing attacks. Among several DNS response packets that share the same five-tuple (transaction identifier, source IP address, destination IP address, source port number, destination port number), a packet that exhibits all four of the following characteristics is a DNS spoofing packet: it has only one answer record, and that record is an IP address; the answer section contains no CNAME-type record; the TTL value of the A record in the response is unreasonable; and the response contains neither an authority section nor an additional section. To detect a DNS spoofing attack, all DNS packets exchanged between the client and the domain name server are first captured, and each response packet is then judged by the above method to decide whether it is a DNS spoofing attack packet. The invention can effectively identify DNS spoofing attack packets and detect DNS spoofing attacks in time, and has high practical value for improving the attack resistance of the DNS system and protecting DNS service systems.
Description
Technical field
The invention belongs to the fields of communication technology and DNS technology, and specifically relates to a method for identifying DNS spoofing attack packets and to a method that uses it to detect DNS spoofing attacks.
Background
DNS is a distributed database system that manages the mapping between host names and address information. It ties names that are easy to remember and understand to otherwise meaningless IP addresses, which greatly simplifies use of the network. DNS underlies most network applications, but because of design flaws in the protocol itself it provides no adequate protection or authentication of the information it carries, which leaves DNS vulnerable to attack.
DNS spoofing exploits precisely this design flaw: a single sequence number (the transaction identifier) is the only basis for judging the validity of a DNS response message. Once an attacker observes a query, it forges a large number of DNS response packets and sends them to the client; these responses redirect legitimate domain names to malicious IP addresses, thereby deceiving the user. A DNS spoofing attack may take place between a client and a DNS server or between DNS servers, and the target may be a DNS server or a host, or a user application such as a browser or a domain name lookup tool (nslookup).
Some researchers have already proposed defences against domain name system spoofing attacks. For example, A. Sherrister generates the transaction identifier (Transaction ID) with a cryptographic hash function and constructs a new DNS query, to make the request more resistant to attack; Ma Shaobu converts the letters of the query name field in the request packet between upper and lower case according to a predetermined rule in order to guard against DNS spoofing. These preventive strategies, however, have not been widely promoted or deployed.
Detecting spoofing attacks is also a hot topic in DNS security research. From the principle of DNS spoofing it follows that, if a client is attacked, it receives at least two response packets: one spoofed packet and one legitimate response. Therefore, if a DNS request receives two or more response packets within a period of time, it may have been subjected to a DNS spoofing attack; and if one of those responses is a spoofed packet, a spoofing attack has certainly taken place.
Summary of the invention
In view of the above problems, the present invention provides a method for identifying DNS spoofing attack packets, and a method that uses it to further detect DNS spoofing attacks.
Specifically, the technical scheme adopted by the present invention is as follows:
A method for identifying DNS spoofing attack packets: among several DNS response packets that share the same five-tuple (transaction identifier, source IP address, destination IP address, source port number, destination port number), a packet that exhibits all four of the following characteristics is a DNS spoofing packet:
there is only one answer record, and that record is an IP address;
the answer section contains no CNAME-type record;
the TTL value of the A record in the response packet is unreasonable;
the response packet contains neither an authority section nor an additional section.
A method for detecting DNS spoofing attacks, comprising the steps of:
1) capturing all DNS packets between the client and the domain name server by passive out-of-path monitoring;
2) selecting the response packets that arrive within a given time interval, and building a request-response mapping table keyed by the transaction identifier;
3) extracting from each response message the number of answer records, the number of authority records, the number of additional records, the resource record types in the answer section and their corresponding TTL values;
4) judging each response packet against the four characteristics above to decide whether it is a DNS spoofing attack packet; if it is, the packet is discarded, otherwise it is a legitimate DNS response and is forwarded to the client.
The invention identifies DNS spoofing attack packets simply and effectively and detects DNS spoofing attacks in time; it has high practical value for improving the attack resistance of the DNS system and protecting DNS service systems.
Description of the drawings
FIG. 1 is a flow chart of the steps of the method for detecting spoofing attacks according to the present invention.
Detailed description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is described further below with reference to specific embodiments and the accompanying drawing.
Normally, after a local DNS server receives a response message from an upstream DNS server, it processes the message as follows:
it checks whether the destination port of the response message equals the source port of the DNS request message; if not, the message is not a response to that request and the protocol stack discards it;
it checks the question section of the response message, i.e. it confirms that the queried name in the response packet matches the name in the request packet;
it checks the transaction ID (TID) of the response message: a query sent by the DNS server carries a TID that identifies that query, and the DNS reply likewise carries a TID indicating which query it answers. The DNS server matches request and response by TID and discards the message if the two TIDs differ;
it checks the authority and additional sections: the names in the authority and additional sections must be subdomains of the same domain as the name in the question section.
If all of the above conditions are met, the name server accepts the response packet as the answer to its query and caches the result. In summary, for an attacker to spoof a DNS server successfully, all four of the conditions above must be satisfied; none of them can be omitted.
On the other hand, a name server never returns several response packets with different results for a single DNS request: even when the queried name maps to several IP addresses, the server returns them in one DNS response packet that simply carries several answer records. Therefore, if one request corresponds to two or more response packets that share the same five-tuple (transaction identifier, source IP address, destination IP address, source port number, destination port number) but have different answer sections, a spoofing attack is suspected.
At present, all DNS clients handle DNS responses by simply trusting the first packet to arrive and discarding all later ones, without any analysis of the packets' legitimacy. To succeed, an attacker must therefore ensure that the spoofed packet reaches the client before the legitimate response does. This forces the spoofed packet to be minimal, which shows concretely as: only one answer record, and no authority or additional section. A legitimate response, by contrast, carries richer information: besides possibly several answer records, it usually also contains authority records, additional records and so on.
Tom Callahan et al. (Tom Callahan, Mark Allman, Michael Rabinovich. On Modern DNS Behavior and Properties. SIGCOMM ACM Special Interest Group on Data Communication, 2013), in a paper published in June 2013, report that 40% of domain names have a TTL below one minute, 50% below 350 seconds and 80% below one hour, while only about 1% of domain names have a TTL exceeding one day. Rajab et al. (Rajab M A, Monrose F, Terzis A, et al. Peeking through the cloud: DNS-based estimation and its applications[C]. Applied Cryptography and Network Security, 2008: 21-38) measured the authoritative TTL values of the domain names of the Alexa global top 100 websites and found that about 85% of them have a TTL below one hour. The ultimate goal of a DNS spoofing attack is to lure users to a malicious site for fraud, data theft and other malicious ends, so the attacker wants the forged DNS record to stay cached in the name server for as long as possible in order to widen the attack's reach. The TTL in a spoofed response is therefore usually very large and unreasonable; concretely, the TTL of the A record (which maps a domain name to its IPv4 address) exceeds one hour, or even one day.
A CNAME-type record marks the canonical name that an alias refers to. To return the spoofed packet to the client as quickly as possible, the attacker must keep packet construction time to a minimum. Consequently, even when the requested name is an alias, the spoofed response contains no CNAME-type record.
The reasons behind the four main characteristics of DNS spoofing attack packets have been explained above; the attack detection system is described in detail next.
FIG. 1 is a flow chart of the method for detecting spoofing attacks provided by the present invention; the specific steps are:
101. capture all DNS request and response packets by passive out-of-path monitoring;
102. obtain the sending time T of the DNS request packet, select all response packets arriving before time T+ΔT, and build a mapping table keyed by transaction ID. ΔT is an interval somewhat larger than the request-response delay (the time from the client sending the request until it receives the first response); experimental measurements show that the request-response delay is always under 1 second, so ΔT can be set to 2 to 5 seconds;
103. using the Libpcap packet capture library, implement protocol parsing of the captured DNS packets and extract from each response message the number of answer records, the number of authority records, the number of additional records, the resource record types in the answer section, their corresponding TTL values and other information;
104. judge each response packet in turn against the four characteristics proposed by the invention to decide whether it is a spoofing attack packet; if yes, go to step 105, otherwise go to step 106;
105. discard the DNS spoofing attack packet;
106. the packet is a legitimate DNS response and is forwarded to the target DNS client.
The above embodiments serve only to illustrate the technical solution of the present invention and not to limit it. Those of ordinary skill in the art may modify the technical solution of the invention or substitute equivalents without departing from its spirit and scope; the scope of protection of the invention is defined by the claims.
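The four-characteristic identification rule and the detection flow (steps 101 to 106) above, worked through as an added Python example; this is not code from the patent, which refers to a Libpcap-based implementation. It assumes a one-hour TTL threshold, ΔT = 3 s, a five-tuple of (TID, src IP, dst IP, src port, dst port), and constructed sample packets; as the summary describes, the four-feature test is applied only to requests that drew two or more responses within ΔT.

```python
import struct
from collections import defaultdict

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5
TTL_LIMIT = 3600   # assumed: an A-record TTL above one hour counts as "unreasonable"
DELTA_T = 3.0      # assumed: seconds after the request in which replies are paired (page: 2-5 s)

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (helper for the constructed samples)."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"

def build_response(tid, qname, answers, authority=()):
    """Assemble a raw DNS response; records are (name, type, ttl, rdata) tuples."""
    hdr = struct.pack("!6H", tid, 0x8180, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)          # question: A, IN
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body

def read_name(buf, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(buf):
    """Extract the header counts and the answer-section (type, ttl) pairs the detector needs."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off = 12
    for _ in range(qd):
        _, off = read_name(buf, off)
        off += 4                                  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        answers.append((rtype, ttl))
        off += 10 + rdlen
    return {"tid": tid, "is_response": bool(flags & 0x8000), "answers": answers, "ns_count": ns, "ar_count": ar}

def is_spoof(r):
    """The page's four characteristics; all must hold at once."""
    ans = r["answers"]
    single_a = len(ans) == 1 and ans[0][0] == TYPE_A                   # one answer, and it is an address
    no_cname = all(t != TYPE_CNAME for t, _ in ans)                    # no CNAME record
    bad_ttl = any(t == TYPE_A and ttl > TTL_LIMIT for t, ttl in ans)   # unreasonable A-record TTL
    bare = r["ns_count"] == 0 and r["ar_count"] == 0                   # no authority / additional section
    return single_a and no_cname and bad_ttl and bare

def detect(requests, responses):
    """requests: {tid: send_time}; responses: [(arrival_time, five_tuple, raw_bytes)].
    Returns one verdict per response: 'spoof', 'legit' or 'outside-window'."""
    verdicts = [None] * len(responses)
    groups = defaultdict(list)                    # five-tuple -> indexes of its responses
    for i, (ts, five_tuple, _raw) in enumerate(responses):
        sent = requests.get(five_tuple[0])        # five_tuple[0] is the transaction ID
        if sent is None or not (sent <= ts <= sent + DELTA_T):
            verdicts[i] = "outside-window"        # no request for this TID within T..T+ΔT
            continue
        groups[five_tuple].append(i)
    for idxs in groups.values():
        suspect = len(idxs) >= 2                  # a request with 2+ replies may be under attack
        for i in idxs:
            r = parse_response(responses[i][2])
            verdicts[i] = "spoof" if suspect and r["is_response"] and is_spoof(r) else "legit"
    return verdicts

# Constructed sample: one query for www.example.com (TID 0x1234) that drew two replies.
FIVE_TUPLE = (0x1234, "192.0.2.53", "192.0.2.10", 53, 40001)
SPOOFED = build_response(0x1234, "www.example.com",
                         [("www.example.com", TYPE_A, 86400, bytes([203, 0, 113, 9]))])
LEGIT = build_response(0x1234, "www.example.com",
                       [("www.example.com", TYPE_CNAME, 300, encode_name("edge.example.net")),
                        ("edge.example.net", TYPE_A, 300, bytes([198, 51, 100, 7]))],
                       authority=[("example.net", TYPE_NS, 3600, encode_name("ns1.example.net"))])
REQUESTS = {0x1234: 10.000}
RESPONSES = [(10.020, FIVE_TUPLE, SPOOFED), (10.045, FIVE_TUPLE, LEGIT)]
```

Calling `detect(REQUESTS, RESPONSES)` yields `['spoof', 'legit']`: the first reply is a bare single A record with a one-day TTL, the second carries a CNAME chain and an authority record.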
Claims (6)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510020628.2A CN104618351A (en) | 2015-01-15 | 2015-01-15 | Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104618351A true CN104618351A (en) | 2015-05-13 |
Family
ID=53152626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510020628.2A Pending CN104618351A (en) | 2015-01-15 | 2015-01-15 | Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104618351A (en) |
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104243408A (en) * | 2013-06-14 | 2014-12-24 | 中国移动通信集团公司 | Method, device and system for monitoring messages in domain name resolution service DNS system |
Non-Patent Citations (3)
Title |
---|
N. Vlajic et al.: "The Role of DNS TTL Values in Potential DDoS Attacks: What Do the Major Banks Know About It?", Procedia Computer Science |
Tom Callahan et al.: "On Modern DNS Behavior and Properties", ACM SIGCOMM Computer Communication |
闫伯儒 (Yan Boru) et al.: "DNS 欺骗攻击的检测和防范" (Detection and prevention of DNS spoofing attacks), 计算机工程 (Computer Engineering) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105812204B (en) * | 2016-03-14 | 2019-02-15 | 中国科学院信息工程研究所 | An Online Recognition Method of Recursive Domain Name Server Based on Estimation of Connectivity |
CN105812204A (en) * | 2016-03-14 | 2016-07-27 | 中国科学院信息工程研究所 | Recursion domain name server online identification method based on connectivity estimation |
CN107204965A (en) * | 2016-03-18 | 2017-09-26 | 阿里巴巴集团控股有限公司 | The hold-up interception method and system of a kind of password cracking behavior |
CN106341418A (en) * | 2016-10-08 | 2017-01-18 | 中国科学院信息工程研究所 | Domain name system (DNS) distributed reflection denial of service attack (DRDoS) detection and defense methods and systems |
CN106341418B (en) * | 2016-10-08 | 2019-07-02 | 中国科学院信息工程研究所 | DNS distributed reflection denial of service attack detection, defense method and system |
CN107070957A (en) * | 2017-06-19 | 2017-08-18 | 电子科技大学 | A kind of method that DNS is cheated of preventing based on SDN |
CN107948151A (en) * | 2017-11-22 | 2018-04-20 | 北京大天信息技术有限公司 | A kind of DNS protection based on metadata analysis and the method for anti-leaking data |
CN107948151B (en) * | 2017-11-22 | 2020-10-09 | 北京大天信息技术有限公司 | DNS protection and data leakage prevention method based on metadata analysis |
CN112771833A (en) * | 2018-09-28 | 2021-05-07 | 奥兰治 | Method of assigning an identifier to a client node, method of recording an identifier, corresponding device, client node, server and computer program |
US12218955B2 (en) | 2018-09-28 | 2025-02-04 | Orange | Method for allocating an identifier to a client node, method for recording an identifier, corresponding device, client node, server and computer programs |
CN110933177A (en) * | 2019-12-04 | 2020-03-27 | 国家计算机网络与信息安全管理中心 | Domain name request processing method and device |
CN111385293A (en) * | 2020-03-04 | 2020-07-07 | 腾讯科技(深圳)有限公司 | Network risk detection method and device |
CN111385293B (en) * | 2020-03-04 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Network risk detection method and device |
CN111885089A (en) * | 2020-08-06 | 2020-11-03 | 四川长虹电器股份有限公司 | DNS server DDoS attack defense method based on analytic hierarchy process |
CN112953916A (en) * | 2021-01-29 | 2021-06-11 | 丁牛信息安全科技(江苏)有限公司 | Anomaly detection method and device |
CN113472761A (en) * | 2021-06-22 | 2021-10-01 | 杭州默安科技有限公司 | Website cheating method and system |
CN117061247A (en) * | 2023-10-11 | 2023-11-14 | 国家计算机网络与信息安全管理中心 | DNS-based traceability positioning method and device, electronic equipment and storage medium |
CN117061247B (en) * | 2023-10-11 | 2024-01-05 | 国家计算机网络与信息安全管理中心 | DNS-based traceability positioning method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150513 |