CN104618351A - Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack - Google Patents
- Publication number: CN104618351A (application CN201510020628.2A)
- Authority: CN (China)
- Prior art keywords: dns, spoofing attack, acknowledge, packet, dns spoofing
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0218—Distributed architectures, e.g. distributed firewalls
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention relates to a method for identifying DNS spoofing attack packets and detecting DNS spoofing attacks. Among several DNS response packets that share the same five-tuple (transaction identifier, source IP address, destination IP address, source port number, destination port number), the one that simultaneously shows the following four characteristics is a DNS spoofing packet: it has only one answer record, and that record is an IP address; the answer section contains no CNAME-type record; the TTL value of the A record in the response is unreasonable; the response contains neither an authority section nor an additional section. To detect a DNS spoofing attack, all DNS packets between a client and the domain name server are first captured, and each response packet is then judged by the above method to decide whether it is a DNS spoofing packet. The method can effectively identify DNS spoofing packets and detect DNS spoofing attacks in a timely manner, so it has high practical value for improving the attack resistance of the DNS system and protecting DNS service systems.
Description
Technical field
The invention belongs to the field of communication technology and DNS, and specifically relates to a method for identifying DNS spoofing attack packets and to a method that uses it to detect DNS spoofing attacks.
Background
DNS is a distributed database system for managing host names and their address mappings; it links names that are easy to remember and understand to otherwise meaningless IP addresses, which greatly facilitates their use. DNS is the foundation of most network applications, but because of design defects in the protocol itself, which provides no suitable information protection or authentication mechanism, DNS is easy to attack.
DNS spoofing exploits exactly this design defect: only a single sequence number (the transaction identifier) is used as the basis for judging whether a DNS response message is valid. Once an attacker has observed a query, it forges a large number of DNS response packets and sends them to the client; these responses redirect legitimate domain names to malicious IP addresses and thereby deceive the user. A DNS spoofing attack may take place between a client and a DNS server or between DNS servers, and the target may be a DNS server or a host, or a user application such as a browser or a domain-name lookup tool (nslookup).
Some scholars have already proposed defences against DNS spoofing attacks. For example, A Xie Lisi generates the transaction identifier (Transaction ID) with a keyed hash function and constructs a new DNS query, improving the attack resistance of the request; the scheme attributed to "ladle cloth" (as the name appears in the translation) converts the case of the letters of the query name in the request packet according to a predetermined rule to guard against DNS spoofing. However, these preventive schemes have not been widely promoted or applied.
Meanwhile, detecting spoofing attacks is also a hot topic in DNS security research. From the principle of the DNS spoofing attack, a client under attack receives at least two response packets: one spoofing packet and one legitimate response. Therefore, if within a period of time a single DNS request receives two or more responses, the client may be under a DNS spoofing attack; if a spoofing packet is present among the responses, it is certainly under attack.
Summary of the invention
To address the above problems, the present invention provides a method for identifying DNS spoofing attack packets and, further, a method that uses it to detect DNS spoofing attacks.
Specifically, the technical solution adopted by the present invention is as follows:
A method for identifying DNS spoofing attack packets: among several DNS response packets whose five-tuple (transaction identifier, source IP address, destination IP address, source port number, destination port number) is identical, a packet that simultaneously meets the following four features is a DNS spoofing packet:
It has only one answer record, and that record is an IP address;
The answer section contains no CNAME-type record;
The TTL value of the A record in the response is unreasonable;
The response contains neither an authority section nor an additional section.
A method for detecting DNS spoofing attacks, comprising the steps:
1) capturing all DNS packets between the client and the name server by bypass (passive tap) monitoring;
2) selecting the response packets that arrive within a certain time interval and building a request-response mapping table keyed by transaction identifier;
3) extracting from each response message the number of answer records, the number of authority records, the number of additional records, the resource record type of each answer record and its TTL value;
4) judging by the above four features whether each response packet is a DNS spoofing attack packet; a DNS spoofing attack packet is discarded, otherwise the packet is a legitimate DNS response and is forwarded to the client.
The present invention can identify DNS spoofing attack packets simply and effectively and detect DNS spoofing attacks in time, which has high practical value for improving the attack resistance of DNS systems and protecting DNS service systems.
Description of the drawings
Fig. 1 is the flow chart of the spoofing-attack detection method of the present invention.
Embodiment
To make the above purposes, features and advantages of the present invention clearer, the invention is further described below with reference to specific embodiments and the drawings.
Normally, after a local DNS server receives a response message returned by an upstream DNS server, it processes the message as follows:
It checks whether the destination port of the response equals the source port of the DNS request message; if not, the message is not a response to this request and the protocol stack discards it;
It checks the question section of the response, i.e. confirms that the domain name in the response matches the domain name in the request packet;
It checks the transaction ID (TID) of the response. The query sent by the DNS server carries a TID that identifies that query, and the DNS reply received carries a TID as well, marking it as the response to that query. The DNS server matches request and reply by TID; if the two TIDs differ, the message is discarded;
It checks the authority and additional sections: the domain names in the authority and additional sections must belong, together with the name in the question section, to the same domain as subdomains of it;
If all of the above conditions are met, the name server accepts the response packet as the answer to its query and caches the result. In summary, for an attacker to spoof a DNS server successfully, all four conditions above must be met; none can be omitted.
On the other hand, for one DNS request a name server does not send multiple responses with different results; even if the target domain name maps to several IP addresses, the DNS server returns them in a single DNS response that simply carries multiple answer records. Therefore, if one request corresponds to two or more response packets with identical five-tuple (transaction identifier, source IP address, destination IP address, source port number, destination port number) but different answer sections, a spoofing attack is suspected.
All current DNS clients handle DNS responses in the same simple way: they trust the first packet to arrive and discard all later ones, without analysing the legitimacy of the packet. To succeed, the attacker must therefore ensure that its spoofing packet reaches the client before the legitimate response. This dictates the simplicity of the spoofing packet: it has only one answer record and no authority or additional section. By contrast, the legitimate response is richer in information: besides possibly having several answer records, it usually also carries authority and additional sections.
Tom Callahan et al. (Tom Callahan, Mark Allman, Michael Rabinovich. On Modern DNS Behavior and Properties. SIGCOMM ACM Special Interest Group on Data Communication, 2013), in an article published in June 2013, point out that 40% of domain names have a TTL value below one minute, 50% below 350 seconds and 80% below one hour, and only about 1% of domain names have a TTL above one day. Rajab et al. (Rajab M A, Monrose F, Terzis A, et al. Peeking through the cloud: DNS-based estimation and its applications [C]. Applied Cryptography and Network Security, 2008: 21-38) measured the authoritative TTL values of the domain names of the top 100 websites in the global Alexa ranking and showed that about 85% of domain names have a TTL below 1 hour. The ultimate purpose of a DNS spoofing attack is to lure the user to a malicious address for fraud, data theft and other malicious acts; the attacker wants the forged record to stay in the name server's cache as long as possible to widen the reach of the attack, so the TTL value in a spoofing response is usually very large and unreasonable: the TTL of the A record (which maps the domain name to its IPv4 address) is greater than one hour, or even more than one day.
A CNAME-type record marks the canonical name that corresponds to an alias. To return the spoofing packet to the client as early as possible, the time spent constructing the packet must be kept to a minimum; therefore, even when the requested domain name is an alias, the spoofing response contains no CNAME-type record.
The causes of the four features of DNS spoofing attack packets have been described above; the attack detection system is described in detail next.
Fig. 1 is the flow chart of the spoofing-attack detection method provided by the invention. The specific steps are:
101: all DNS request and response packets are captured by bypass monitoring;
102: the sending time T of the DNS request packet is obtained, all response packets arriving before time T + ΔT are picked out, and a mapping table is built by transaction ID. ΔT is a time interval larger than the request response delay (the interval between the client sending the request and receiving the first response packet); experimental measurement shows that the request response delay is always below 1 second, so ΔT can be taken as 2 to 5 seconds;
103: using the network packet-capture library libpcap, the captured DNS packets are parsed programmatically, and the number of answer records, authority records and additional records in each response message, the resource record type of each answer record and the corresponding TTL value are extracted;
104: each response packet is judged against the four features proposed by the present invention; if all four are met, step 105 is performed, otherwise step 106;
105: the DNS spoofing attack packet is discarded;
106: the packet is a legitimate DNS response and is forwarded to the target DNS client.
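The following is an added example, not code from the patent, that carries steps 102 to 106 and the four features through in Python: it parses DNS wire-format responses with `struct`, groups them by five-tuple within one capture window, applies the four features with the 1-hour TTL threshold of claim 2, and also reports the five-tuples that drew several responses with differing answers. Assumptions: feature 1 is read as exactly one type A answer record, and the two sample responses and their RFC 5737 addresses are constructed here.

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5
MAX_REASONABLE_TTL = 3600  # claim 2: an A-record TTL above 1 hour counts as "unreasonable"


def _skip_name(data, off):
    """Return the offset just past a DNS name (labels or a 2-byte compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Step 3: answer (type, ttl) pairs plus authority and additional record counts."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    tid, _flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    off = 12
    for _ in range(qd):                  # skip the question section
        off = _skip_name(data, off) + 4  # QTYPE + QCLASS
    answers = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if section == "answer":
                answers.append((rtype, ttl))
    return {"tid": tid, "answers": answers, "authority": ns, "additional": ar}


def is_spoofed(resp):
    """A response is a spoofing packet only when all four features hold at once."""
    answers = resp["answers"]
    one_address = len(answers) == 1 and answers[0][0] == TYPE_A  # feature 1 (read as one A record)
    no_cname = all(rtype != TYPE_CNAME for rtype, _ in answers)   # feature 2
    bad_ttl = one_address and answers[0][1] > MAX_REASONABLE_TTL  # feature 3
    bare = resp["authority"] == 0 and resp["additional"] == 0     # feature 4
    return one_address and no_cname and bad_ttl and bare


def classify_window(captured):
    """captured: [(five_tuple, raw_response)] seen between T and T + dT (step 102).
    Returns per-5-tuple verdicts in arrival order (steps 104-106) and the set of
    5-tuples that drew several responses with differing answers (suspicion rule)."""
    table = {}
    for key, raw in captured:
        table.setdefault(key, []).append(parse_response(raw))
    verdicts = {key: ["drop" if is_spoofed(r) else "forward" for r in group]
                for key, group in table.items()}
    suspected = {key for key, group in table.items()
                 if len({tuple(r["answers"]) for r in group}) > 1}
    return verdicts, suspected


# Constructed sample traffic (RFC 5737 documentation addresses, not captured packets).
def _name(s):
    return b"".join(bytes([len(label)]) + label.encode() for label in s.split(".")) + b"\x00"


def _rr(name, rtype, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(tid, qname, answers, authority=(), additional=()):
    header = struct.pack("!6H", tid, 0x8180, 1, len(answers), len(authority), len(additional))
    return header + _name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join([*answers, *authority, *additional])


KEY = (0x1234, "192.0.2.53", "192.0.2.100", 53, 40000)  # TID, src IP, dst IP, sport, dport
SPOOFED = build_response(0x1234, "www.example.com",      # one A record, TTL one day, nothing else
    [_rr("www.example.com", TYPE_A, 86400, bytes([203, 0, 113, 7]))])
LEGIT = build_response(0x1234, "www.example.com",        # CNAME + A, plus NS authority and glue
    [_rr("www.example.com", TYPE_CNAME, 300, _name("web.example.com")),
     _rr("web.example.com", TYPE_A, 300, bytes([192, 0, 2, 10]))],
    authority=[_rr("example.com", TYPE_NS, 86400, _name("ns1.example.com"))],
    additional=[_rr("ns1.example.com", TYPE_A, 86400, bytes([192, 0, 2, 53]))])
```

On the two constructed responses, `classify_window([(KEY, SPOOFED), (KEY, LEGIT)])` returns the verdicts `["drop", "forward"]` for the five-tuple and lists it as suspected, since the two answer sections differ.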
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it; those of ordinary skill in the art may modify the technical solution or replace parts of it with equivalents without departing from the spirit and scope of the present invention, whose scope of protection is defined by the claims.
Claims (6)
1. A method for identifying DNS spoofing attack packets, characterised in that, among several DNS response packets with identical transaction identifier, source IP address, destination IP address, source port number and destination port number, a packet that simultaneously meets the following four features is a DNS spoofing packet:
A) it has only one answer record, and that record is an IP address;
B) the answer section contains no CNAME-type record;
C) the TTL value of the A record in the response is unreasonable;
D) the response contains neither an authority section nor an additional section.
2. The method of claim 1, characterised in that the TTL value of the A record being unreasonable means that the TTL value exceeds 1 hour.
3. A method for detecting DNS spoofing attacks, characterised in that it comprises the steps:
1) capturing all DNS packets between the client and the name server by bypass monitoring;
2) selecting the response packets that arrive within a certain time interval and building a request-response mapping table keyed by transaction identifier;
3) extracting from each response message the number of answer records, the number of authority records, the number of additional records, the resource record type of each answer record and its TTL value;
4) judging by the four features of the method of claim 1 whether each response packet is a DNS spoofing attack packet; a DNS spoofing attack packet is discarded, otherwise the packet is a legitimate DNS response and is forwarded to the client.
4. The method of claim 3, characterised in that step 2) first obtains the sending time T of the DNS request packet, then picks out all response packets arriving before time T + ΔT and builds the mapping table by transaction identifier, where ΔT is a time interval larger than the interval between the client sending the request and receiving the first response packet.
5. The method of claim 4, characterised in that ΔT is 2 to 5 seconds.
6. The method of claim 3, characterised in that step 3) parses the captured DNS packets programmatically and then extracts the information from each response message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510020628.2A CN104618351A (en) | 2015-01-15 | 2015-01-15 | Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104618351A true CN104618351A (en) | 2015-05-13 |
Family
ID=53152626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510020628.2A Pending CN104618351A (en) | 2015-01-15 | 2015-01-15 | Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104618351A (en) |
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104243408A (en) * | 2013-06-14 | 2014-12-24 | 中国移动通信集团公司 | Method, device and system for monitoring messages in domain name resolution service DNS system |
Non-Patent Citations (3)
Title |
---|
N. Vlajic et al.: "The Role of DNS TTL Values in Potential DDoS Attacks: What Do the Major Banks Know About It?", Procedia Computer Science |
Tom Callahan et al.: "On Modern DNS Behavior and Properties", ACM SIGCOMM Computer Communication |
闫伯儒 et al.: "Detection and Prevention of DNS Spoofing Attacks", Computer Engineering |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105812204B (en) * | 2016-03-14 | 2019-02-15 | 中国科学院信息工程研究所 | A kind of recurrence name server online recognition method based on Connected degree estimation |
CN105812204A (en) * | 2016-03-14 | 2016-07-27 | 中国科学院信息工程研究所 | Recursion domain name server online identification method based on connectivity estimation |
CN107204965A (en) * | 2016-03-18 | 2017-09-26 | 阿里巴巴集团控股有限公司 | The hold-up interception method and system of a kind of password cracking behavior |
CN106341418A (en) * | 2016-10-08 | 2017-01-18 | 中国科学院信息工程研究所 | Domain name system (DNS) distributed reflection denial of service attack (DRDoS) detection and defense methods and systems |
CN106341418B (en) * | 2016-10-08 | 2019-07-02 | 中国科学院信息工程研究所 | The detection of DNS distributed reflection type Denial of Service attack, defence method and system |
CN107070957A (en) * | 2017-06-19 | 2017-08-18 | 电子科技大学 | A kind of method that DNS is cheated of preventing based on SDN |
CN107948151A (en) * | 2017-11-22 | 2018-04-20 | 北京大天信息技术有限公司 | A kind of DNS protection based on metadata analysis and the method for anti-leaking data |
CN107948151B (en) * | 2017-11-22 | 2020-10-09 | 北京大天信息技术有限公司 | DNS protection and data leakage prevention method based on metadata analysis |
CN112771833A (en) * | 2018-09-28 | 2021-05-07 | 奥兰治 | Method of assigning an identifier to a client node, method of recording an identifier, corresponding device, client node, server and computer program |
CN110933177A (en) * | 2019-12-04 | 2020-03-27 | 国家计算机网络与信息安全管理中心 | Domain name request processing method and device |
CN111385293A (en) * | 2020-03-04 | 2020-07-07 | 腾讯科技(深圳)有限公司 | Network risk detection method and device |
CN111385293B (en) * | 2020-03-04 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Network risk detection method and device |
CN111885089A (en) * | 2020-08-06 | 2020-11-03 | 四川长虹电器股份有限公司 | DNS server DDoS attack defense method based on analytic hierarchy process |
CN112953916A (en) * | 2021-01-29 | 2021-06-11 | 丁牛信息安全科技(江苏)有限公司 | Anomaly detection method and device |
CN113472761A (en) * | 2021-06-22 | 2021-10-01 | 杭州默安科技有限公司 | Website cheating method and system |
CN117061247A (en) * | 2023-10-11 | 2023-11-14 | 国家计算机网络与信息安全管理中心 | DNS-based traceability positioning method and device, electronic equipment and storage medium |
CN117061247B (en) * | 2023-10-11 | 2024-01-05 | 国家计算机网络与信息安全管理中心 | DNS-based traceability positioning method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150513 |