CN104618354A - Cache optimization method and system for resisting continuous variable-domain name prefix attack - Google Patents
Cache optimization method and system for resisting continuous variable-domain name prefix attack Download PDFInfo
- Publication number
- CN104618354A CN104618354A CN201510026060.5A CN201510026060A CN104618354A CN 104618354 A CN104618354 A CN 104618354A CN 201510026060 A CN201510026060 A CN 201510026060A CN 104618354 A CN104618354 A CN 104618354A
- Authority
- CN
- China
- Prior art keywords
- domain name
- domain
- record
- prefix
- names
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a cache optimization method and system for resisting continuous variable-domain name prefix attack. The method includes that regularly counting domain name absence records according to a set time period through a domain name cache server, when the domain name absence records surpass a set threshold, beginning to automatically gather the domain names; dividing the domain names into a plurality of aggregate classes according to the complete matching between second-level domain names and third-level domain names, if the element number of the aggregate class surpasses a set threshold, aggregating all the domain names in the aggregate class into an aggregate domain name with prefix *; for a new domain name query request, if there is no corresponding concrete record in the domain name cache server, matching with the aggregate domain name, if the matching is successful, returning a domain name absence response, otherwise, performing domain name query in an authorization domain name server. The cache optimization method for resisting the continuous variable-domain name prefix attack has advantages of strong cache stability, high timeliness, cache space saving and the like.
Description
Technical field
The invention belongs to network protection technical field, be specifically related to a kind of cache optimization method for the attack of caching nameserver opposing continuation variable domain name prefix and system.
Background technology
The title of a certain computer or calculating unit on the Internet that domain name is made up of the name of a string separation, electronic bearing for the mark computer when transfer of data (also refers to geographical position sometimes, geographic domain name, refer to a local area of administrative autonomy power), be IP address " mask ".Domain name can be divided into multiple rank, and last ". " right-hand component is called TLD, as .com .net .org etc.Last ". " left-hand component is called second level domain, as abc.com, trueland.net etc.The left-hand component of second level domain is called three grades of domain names, as a.trueland.net.By that analogy, every top-level domain controls the distribution of its next stage domain name.
The object of a domain name is convenient to memory and links up one group of computer address.But the meaning of domain name exceeds address, computer Dou Shiyou affiliated unit, domain name is the permanent address of computer affiliated unit in cyberspace and title.Such as, the Taobao of group of Alibaba by domain name www.taobao.com for people provide shopping online service.When people utilize domain name access specific network service, must the IP address that the calculating unit of service is provided corresponding to first nslookup.Inquiry of the domain name process is completed by name server, and name server comprises authoritative domain name server and caching nameserver.Authoritative domain name server is issue and the guardian of domain-name information, is awarded the server managed the part in name space, is divided into main authorization server and from authorization server.From the backup that authorization server is main authorization server, its information obtains to main authorization server when startup or upgrades according to main authorization server in real time.Caching nameserver does not manage name space, the mapping relations of special buffer memory local search domain name and IP address.Caching nameserver only knows the address of root server, when nslookup in caching nameserver without corresponding record time, to root name server inquiry, the outcome record of inquiry is in caching server, and this Query Result is effective in given TTL.When the domain name of inquiring about has record in caching nameserver, directly return response, significantly reduce the expense of inquiry of the domain name like this.
We receive the caching nameserver that name server Jun Shi operator that network service uses provides.Normal domain name (www.taobao.com) query script as shown in Figure 1, if without the domain name record of client query in caching nameserver, just represents client and carries out inquiry of the domain name.It can thus be appreciated that play a part very important when caching nameserver carries out inquiry of the domain name, not only make client be responded fast, and greatly reduce the burden of authorization server.It is exactly utilize inquiry of the domain name process to destroy name server that continuation variable domain name prefix is attacked.Becoming prefix domain name is the continuous change at random of prefix, the domain name that suffix is constant, such as:
7e904rLc.rrr17.com
7Q6wDtzi.rrr17.com
8115CuCv.rrr17.com
82A8S0Q8.rrr17.com
8MyUs2w3.rrr17.com
C8c6eQY6.rrr17.com
These domain name prefixes produce at random, seldom repeat, in caching nameserver, do not have buffer memory, must carry out inquiry of the domain name, Query Result generally returns domain name not to be existed, simultaneously by < domain name, TTL, there is not > record in the buffer in domain name.But a large amount of change prefix domain name request attack (as shown in Figure 2) causes the authorization server of being correlated with cannot bear attack load and collapse or denial of service.Simultaneously caching nameserver constantly and authorization server carry out interactive query, because authorization server can not respond in time, illegitimate client continues again to send to become prefix domain name request, causes caching nameserver resource exhaustion, program crashing, cannot realize normal domain name mapping.This attack makes normal users request to meet with a response, and causes serious network failure.
Existing prevention policies carries out mainly through analysis domain name and object IP.Analysis domain name mainly analyzes the territory belonging to domain name, and then notify that caching nameserver shields this territory, the shortcoming done like this is poor real, when finding that variable domain name prefix is attacked, just carrying out the analysis of domain name, and then taking prevention policies.It is analyzed every one-level of each domain name simultaneously, inefficiency.Analysis purpose IP catches domain name data query bag (CN 102868669 A) by setting up bypass flow analytical system, and the object IP total degree in statistics inquiry of the domain name bag and object IP are at the change frequency of certain time period.If object IP total degree or change frequency exceed setting threshold, just think that there occurs variable domain name prefix attacks, take packet loss or send out false the strategy of response packet, shortcoming is: (1) expense is large: need to set up bypass flow analytical system and catch storage domain name data query bag in real time, the object IP quantity of all packets of statistical analysis, computing cost and storage overhead are all larger.(2) poor stability: the threshold value setting of object IP total degree or change frequency is not unique, has certain mobility, larger to entire effect.Also there is the possibility of packet spoof simultaneously, to taking the mode of analysis purpose IP to have certain interference, causing less stable.
Two large class prevention policies is all not direct is optimized caching nameserver itself for this, is all after being analyzed by external auxiliary device, and notice caching nameserver is taked certain measures to tackle to attack.
Summary of the invention
The defect that the present invention exists to overcome above-mentioned prior art, provide a kind of real-time high, expense is little, the cache optimization method for the attack of caching nameserver opposing continuation variable domain name prefix that stability is strong and system.
Object of the present invention can be achieved through the following technical solutions:
Resist the cache optimization method that continuation variable domain name prefix is attacked, comprise the following steps:
1) every the time period of a setting, the non-existent record of caching nameserver statistics domain name, starts domain name auto-polymerization when the non-existent record of domain name exceedes the threshold value of setting;
2) domain name to be polymerized is divided into two classes by progression: secondary, three grades of domain names are a class, and the subdomain of three grades of domain names is called another kind of;
3) by the coupling completely of second level domain and three grades of domain names, multiple polymeric type is divided into respectively to this two class fields name, calculates the element number of each polymeric type and maximum ttl value simultaneously;
4) if the element number of polymeric type exceedes the threshold value of setting, domain names all in polymeric type are polymerized to the polymerization domain name that prefix is *, and record maximum ttl value;
5) in caching nameserver, all elements in polymeric type is removed, and stored in a record: <*. secondary or three grades of domain names, maximum ttl value, there is not > in domain name;
6) for new domain name inquiry request, in caching nameserver, first inquire about the physical record with or without correspondence, if having, directly return response to client; If, do not mate with described domain name of being polymerized, if the match is successful, return the non-existent response of domain name; If it fails to match, carry out inquiry of the domain name to authoritative domain name server, Query Result is write caching nameserver, and return response to client;
7) when the buffer memory of caching nameserver is full, the minimum record of TTL is replaced with new record.
Step 1) time period of described setting is preferably 90 ~ 120s, and the threshold value of described setting is preferably 200 ~ 300; Step 4) threshold value of described setting is 50 ~ 100.
Step 3) in, described by the coupling completely of second level domain and three grades of domain names, multiple polymeric type is divided into respectively to this two class fields name, refer to: for step 2) in the class that is made up of secondary, three grades of domain names, mate by identical the carrying out of second level domain and be polymerized; For step 2) in by the subdomain name of three grades of domain names form another kind of, mate by three grades of identical carrying out of domain name and be polymerized.Such as first kind unit have a.b, c.a.b; Equations of The Second Kind unit have a.b.c.d, e.b.c.d; It is identical that second level domain is pressed in first kind polymerization, and result is * .a.b; Equations of The Second Kind polymerization is identical by three grades of domain names, and result is * .b.c.d.
Step 4) in, because the element suffix of polymeric type is identical, therefore all domain names in polymeric type being polymerized to prefix is *, the record that suffix is identical; In order to make polymerization domain name better work, select maximum TTL as the TTL of aggregating records.
Step 5) in, all elements in described removing polymeric type, stored in a record: <*. secondary or three grades of domain names, maximum ttl value, there is not > in domain name, its objective is and make domain name auto-polymerization, reduce record number, save spatial cache; The change prefix domain name simultaneously making continuation requests inquire about is responded timely, avoids caching nameserver to collapse because of inquiry overload.
Step 6) in, by new requesting query domain name be polymerized domain name and mate, if new request domain name be polymerized the suffix match of domain name successfully, then directly return domain name and there is not record, the detailed process of matching algorithm is as follows:
A) set new nslookup as s, polymerization domain is called p, and the position of both characters represents with i and j respectively, length respectively with | s| and | p| represents;
If b) | s|<|p|, then it fails to match, exits; Otherwise both compare suffix from end, initially establish i=|s|, j=|p|;
If c) s [i]==p [j], s and p continues to mate forward;
If d) s [i] unequal to p [j], if p [j]==' * ', then the match is successful, otherwise it fails to match.
Adopt the cache optimization system that the opposing continuation variable domain name prefix of said method is attacked, the mode with plug-in unit in domain name caching server is run, automatically obtain caching record go forward side by side row cache calculating upgrade, specifically comprise as lower module:
Domain name statistical module, for the time period every a setting, statistics domain name non-existent record, and judge the non-existent record of domain name whether more than the threshold value of a setting;
Domain name auto-polymerization module, for domain name is non-existent record the threshold value of super described setting after, carry out auto-polymerization to domain name, obtaining prefix is one of * polymerization domain name;
Inquiry of the domain name and matching module, for new domain name inquiry request, first inquire about the physical record with or without correspondence, if having, directly return response to client; If, do not mate with described domain name of being polymerized, if the match is successful, return the non-existent response of domain name; If it fails to match, carry out inquiry of the domain name to authoritative domain name server, Query Result is write caching nameserver, and return response to client.
Compared with prior art, the present invention has the following advantages:
1, the present invention is polymerized for the cycle does not exist record to all domain names with certain hour (as 90 ~ 120s), ensure that the real-time that domain name is analyzed;
2, contemplated by the invention the sudden of change prefix domain name attack, selected the foundation whether multiple statistical indicator is polymerized as domain name, False Rate is lower;
3, the present invention is polymerized the failed domain name of inquiry automatically, ensure that the stability meeting with caching nameserver when unknown change prefix domain name is attacked, and saves the space of caching nameserver;
4, the present invention is to maximum TTL in polymerization domain name record selective polymerization class as its entry-into-force time, ensure that caching nameserver maximally utilises the validity that the opposing of polymerization domain name becomes the attack of prefix domain name.
Accompanying drawing explanation
Fig. 1 is the normal domain name www.taobao.com flow chart of inquiry.
Fig. 2 becomes prefix domain name request attack flow chart.
Fig. 3 is the cache optimization method flow chart that opposing continuation variable domain name prefix of the present invention is attacked.
Fig. 4 is new requesting query domain name and be polymerized domain name and mate flow chart.
Fig. 5 is system schematic of the present invention.
Embodiment
System of the present invention is the plug-in component operation with caching nameserver, and below in conjunction with the drawings and specific embodiments, the present invention is described in detail.
As shown in Figure 3, a kind of cache optimization method attacked for caching nameserver opposing continuation variable domain name prefix, the method comprises the following steps:
Step 101): the bind9.0 caching nameserver building a current popular on a virtual machine, carries out cache optimization to bind9.0 caching nameserver.First, in order to test, the data set conformed to reality must be had.We utilize the second level domain (rrr17.com) of website of upgrading and the invalid change prefix three grades of domain names (* .rrr17.coms) of three grades of domain name (1.499aa.com) stochastic generation 100,000 and 100,000 invalid change prefix level Four domain names (* .1.499aa.com), and therefrom Stochastic choice goes out 300 domain names.Then generate secondary or incomplete same 200 domain names of three grades of domain names, these 500 domain names are sent continuously inquiry request to the bind server of setting, after the 90s of interval, the number that statistics domain name does not exist record is 469, and record is simply illustrated as table 1:
Table 1 is added up domain name and be there is not record
| Domain name | TTL | Inquiry response |
| s1duSQ0Wz.purpose.arts. | 10542 | \-ANY;-$NXDOMAIN |
| 09FpvADCm6mKK.1.499aa.com.localdomain. | 10503 | \-ANY;-$NXDOMAIN |
| 0sN9L21mV.rrr17.com. | 10564 | \-ANY;-$NXDOMAIN |
Step 102): obtain the domain name obtained in previous step and there is not record, record is classified by domain name progression (with '. ' segmentation): secondary, three grades of domain names are a class, the subdomain of three grades of domain names is called another kind of, in the configuration file that after classification, write is different.
Step 103): from configuration file, read two class domain names respectively, and be multiple polymeric type by secondary or three grades of identical couplings of domain name.Fast finding and access secondary or three grades of domain names is come, to the maximum TTL and the element number that calculate different suffix while Hash table inserts domain suffix by setting up Hash table.Wherein, hash-collision is solved by chained list mode.Through Hash statistics, polymeric type has 62, and statistics is simply illustrated as table 2:
Table 2 polymeric type statistics
| The domain suffix of polymeric type | Maximum TTL | Polymeric type element number |
| .it.net. | 10490 | 2 |
| .1.499aa.com. | 10628 | 110 |
| .rrr17.com. | 10626 | 187 |
| .purpose.arts. | 10549 | 5 |
Step 104): element number is greater than to the polymeric type of 50, generates new polymerization domain name, ttl value maximum in record class.Can obtain the domain suffix of element number more than 50 from experiment is .rrr17.com. and .1.499aa.com., and therefore polymerization domain is called * .rrr17.com. and * .1.499aa.com., and records their maximum ttl value.
Step 105): the element removing by the domain suffix in caching nameserver being .1.499aa.com. and .rrr17.com., add two aggregating records, as shown in table 3:
Table 3 increases aggregating records newly
| Polymerization domain name | Maximum TTL | Inquiry response |
| *.rrr17.com. | 10626 | \-ANY;-$NXDOMAIN |
| *.1.499aa.com. | 10628 | \-ANY;-$NXDOMAIN |
Step 106): when new domain name inquiry request arrives, with or without physical record in first query caching name server, if there is physical record, directly return response.If there is no physical record, then be polymerized domain name and mate, if the match is successful with being polymerized domain name, then directly return the non-existent response of domain name.Otherwise, carry out the recursive query of domain name.Such as, now send non-existent domain name Y15hzI.rrr17.com in buffer memory and inquire about, directly return domain name and there is not response.
In this step, by new nslookup be polymerized algorithm that domain name carries out mating as shown in Figure 4, detailed process is as follows:
201) set new nslookup as s, polymerization domain is called p, and the position of both characters represents with i and j respectively, length respectively with | s| and | p| represents;
202) if | s|<|p|, it fails to match, exits; Otherwise both compare suffix from end, initially establish i=|s|, j=|p|;
203) if s [i]==p [j], s and p continues to mate forward;
204) if s [i] unequal to p [j], if p [j]==' * ', the match is successful, otherwise it fails to match.
Step 107): in buffer memory during write record, if buffer memory is full, replace the record that TTL is minimum.
System of the present invention as shown in Figure 5, run by the mode with plug-in unit in domain name caching server, automatically obtain caching record go forward side by side row cache calculating upgrade.
For testing good effect of the present invention, build bind9.0 caching nameserver in virtual machine, contrast utilizes the cache optimization effect before and after the present invention, adopts two kinds of indexs to weigh good effect of the present invention: A) buffer memory capacity increment in 90s; B) through how many query times, there is identical buffer memory increment.
Test experiments is on the basis of above-mentioned embodiment, 100,000 that are generated by Stochastic choice invalid change prefix three grades of domain names (* .rrr17.coms), 100000 invalid change prefix level Four domain names (* .1.499aa.com), the incomplete same change prefix domain name of 100,000 suffix is attacked the change prefix domain name that bind9.0 caching nameserver continues.
The comparative result of two kinds of indexs is as shown in table 4, and after utilizing the present invention, domain name caching server is in inner capacities saving equal time 56%, and same buffered Delta Time increases by 75%.It can thus be appreciated that more stable when the variable domain name prefix utilizing caching nameserver of the present invention inadvertently to be continued is attacked.The present invention has good optimization function when attacking the variable domain name prefix that caching nameserver opposing continues.
The comparative result of table 4 two kinds of indexs
| A) buffer memory capacity increment in 90s | B) buffer memory increment reaches the 443KB time used | |
| Do not use the present invention | 158KB | 205s |
| Utilize the present invention | 69KB | 360s |
Above embodiment is only in order to illustrate technical scheme of the present invention but not to be limited; those of ordinary skill in the art can modify to technical scheme of the present invention or equivalent replacement; and not departing from the spirit and scope of the present invention, protection scope of the present invention should be as the criterion with described in claim.
Claims (8)
1. resist the cache optimization method that continuation variable domain name prefix is attacked, its step comprises:
1) every the time period of a setting, the non-existent record of caching nameserver statistics domain name, starts domain name auto-polymerization when the non-existent record of domain name exceedes the threshold value of setting;
2) domain name to be polymerized is divided into two classes by progression: secondary, three grades of domain names are a class, and the subdomain of three grades of domain names is called another kind of;
3) by the coupling completely of second level domain and three grades of domain names, multiple polymeric type is divided into respectively to this two class fields name, calculates the element number of each polymeric type and maximum ttl value simultaneously;
4) if the element number of polymeric type exceedes the threshold value of setting, domain names all in polymeric type are polymerized to the polymerization domain name that prefix is *, and record maximum ttl value;
5) in caching nameserver, all elements in polymeric type is removed, and stored in a record: <*. secondary or three grades of domain names, maximum ttl value, there is not > in domain name;
6) for new domain name inquiry request, in caching nameserver, first inquire about the physical record with or without correspondence, if having, directly return response to client; If, do not mate with described domain name of being polymerized, if the match is successful, return the non-existent response of domain name; If it fails to match, carry out inquiry of the domain name to authoritative domain name server, Query Result is write caching nameserver, and return response to client;
7) when the buffer memory of caching nameserver is full, the minimum record of TTL is replaced with new record.
2. the method for claim 1, is characterized in that: step 1) time period of described setting is 90 ~ 120s, the threshold value of described setting is 200 ~ 300.
3. the method for claim 1, it is characterized in that: step 2) domain name to be polymerized is divided into two classes after, write in different configuration files, step 3) from configuration file, read two class domain names respectively, then carry out describedly mating completely and being divided into multiple polymeric type.
4. the method for claim 1, is characterized in that: step 3) come fast finding and access secondary or three grades of domain names by setting up Hash table, to the maximum TTL and the element number that calculate different suffix while Hash table inserts domain suffix.
5. the method for claim 1, step 4) threshold value of described setting is 50 ~ 100.
6. the method for claim 1, is characterized in that, step 6) in, by the domain name of new requesting query be polymerized the method that domain name carries out mating and be:
A) set new nslookup as s, polymerization domain is called p, and the position of both characters represents with i and j respectively, length respectively with | s| and | p| represents;
If b) | s|<|p|, then it fails to match, exits; Otherwise both compare suffix from end, initially establish i=|s|, j=|p|;
If c) s [i]==p [j], s and p continues to mate forward;
If d) s [i] unequal to p [j], if p [j]==' * ', then the match is successful, otherwise it fails to match.
7. adopt the cache optimization system that the opposing continuation variable domain name prefix of method described in claim 1 is attacked, it is characterized in that, the mode with plug-in unit in domain name caching server is run, and comprises as lower module:
Domain name statistical module, for the time period every a setting, statistics domain name non-existent record, and judge the non-existent record of domain name whether more than the threshold value of a setting;
Domain name auto-polymerization module, for domain name is non-existent record the threshold value of super described setting after, carry out auto-polymerization to domain name, obtaining prefix is one of * polymerization domain name;
Inquiry of the domain name and matching module, for new domain name inquiry request, first inquire about the physical record with or without correspondence, if having, directly return response to client; If, do not mate with described domain name of being polymerized, if the match is successful, return the non-existent response of domain name; If it fails to match, carry out inquiry of the domain name to authoritative domain name server, Query Result is write caching nameserver, and return response to client.
8. system as claimed in claim 7, it is characterized in that: in domain name statistical module, the time period of described setting is 90 ~ 120s, and the threshold value of described setting is 200 ~ 300.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510026060.5A CN104618354B (en) | 2015-01-19 | 2015-01-19 | A kind of cache optimization method and system resisted continuation and become the attack of domain name prefix |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510026060.5A CN104618354B (en) | 2015-01-19 | 2015-01-19 | A kind of cache optimization method and system resisted continuation and become the attack of domain name prefix |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104618354A true CN104618354A (en) | 2015-05-13 |
| CN104618354B CN104618354B (en) | 2018-04-27 |
Family
ID=53152629
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510026060.5A Active CN104618354B (en) | 2015-01-19 | 2015-01-19 | A kind of cache optimization method and system resisted continuation and become the attack of domain name prefix |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104618354B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105791460A (en) * | 2016-03-03 | 2016-07-20 | 中国科学院信息工程研究所 | DNS agent cache optimization method and system based on multi-dimension aggregation |
| CN106453674A (en) * | 2016-09-09 | 2017-02-22 | 中国互联网络信息中心 | DNS multistage domain name query method |
| CN108667782A (en) * | 2017-04-01 | 2018-10-16 | 贵州白山云科技有限公司 | A kind of ddos attack defence method and system for DNS service |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101986642A (en) * | 2010-10-18 | 2011-03-16 | 中国科学院计算技术研究所 | Detection system and method of Domain Flux data stream |
| CN102868669A (en) * | 2011-07-08 | 2013-01-09 | 上海寰雷信息技术有限公司 | Protection method and device aiming to attacks continuously changing prefix domain name |
| CN102938769A (en) * | 2012-11-22 | 2013-02-20 | 国家计算机网络与信息安全管理中心 | Detection method of Domain flux botnet domain names |
| US20140026186A1 (en) * | 2011-08-11 | 2014-01-23 | Verisign, Inc. | White listing dns top-talkers |
| CN103685317A (en) * | 2013-12-31 | 2014-03-26 | 山石网科通信技术有限公司 | Protection system and device for domain name system |
-
2015
- 2015-01-19 CN CN201510026060.5A patent/CN104618354B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101986642A (en) * | 2010-10-18 | 2011-03-16 | 中国科学院计算技术研究所 | Detection system and method of Domain Flux data stream |
| CN102868669A (en) * | 2011-07-08 | 2013-01-09 | 上海寰雷信息技术有限公司 | Protection method and device aiming to attacks continuously changing prefix domain name |
| US20140026186A1 (en) * | 2011-08-11 | 2014-01-23 | Verisign, Inc. | White listing dns top-talkers |
| CN102938769A (en) * | 2012-11-22 | 2013-02-20 | 国家计算机网络与信息安全管理中心 | Detection method of Domain flux botnet domain names |
| CN103685317A (en) * | 2013-12-31 | 2014-03-26 | 山石网科通信技术有限公司 | Protection system and device for domain name system |
Non-Patent Citations (2)
| Title |
|---|
| SANDEEP YADAV: "Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis", 《IEEE》 * |
| 李青山: "Domain-flux僵尸网络域名检测", 《计算机工程与设计》 * |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105791460A (en) * | 2016-03-03 | 2016-07-20 | 中国科学院信息工程研究所 | DNS agent cache optimization method and system based on multi-dimension aggregation |
| CN105791460B (en) * | 2016-03-03 | 2019-04-30 | 中国科学院信息工程研究所 | DNS proxy cache optimization method and system based on various dimensions polymerization |
| CN106453674A (en) * | 2016-09-09 | 2017-02-22 | 中国互联网络信息中心 | DNS multistage domain name query method |
| CN106453674B (en) * | 2016-09-09 | 2019-05-17 | 中国互联网络信息中心 | A kind of DNS multistage domain name inquiry method |
| CN108667782A (en) * | 2017-04-01 | 2018-10-16 | 贵州白山云科技有限公司 | A kind of ddos attack defence method and system for DNS service |
| CN108667782B (en) * | 2017-04-01 | 2021-03-23 | 贵州白山云科技股份有限公司 | DDoS attack defense method and system for DNS service |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104618354B (en) | 2018-04-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Mahadevan et al. | CCN-krs: A key resolution service for ccn | |
| CN103051740B (en) | Domain name analytic method, dns server and domain name analysis system | |
| CN111245972B (en) | Domain name resolution method, device, medium and equipment | |
| CN103347068B (en) | A kind of based on Agent cluster network-caching accelerated method | |
| CN107104921B (en) | DDoS attack defense method and device | |
| TW201824047A (en) | Attack request determination method, apparatus and server | |
| CN103701957A (en) | Domain name server (DNS) recursive method and system thereof | |
| CN109639748B (en) | Cache updating method, device and system of DNS (Domain name Server) and domain name system | |
| CN107613039B (en) | IP address attribution inquiry method, device, system and storage medium | |
| CN104618354A (en) | Cache optimization method and system for resisting continuous variable-domain name prefix attack | |
| Hilgenstieler et al. | Extensions to the source path isolation engine for precise and efficient log-based IP traceback | |
| CN108632401B (en) | Anonymous query method and system for reducing privacy leakage on DNS recursive server | |
| JP2014179993A (en) | White listing dns top-talkers | |
| CN102594885A (en) | Sensor network analyzing intercommunicating platform, sensor network intercommunicating method and system | |
| CN110708385A (en) | CDN scheduling algorithm and system based on network delay | |
| JP2013026993A (en) | Node detection device, node detection method, and program | |
| CN104424316A (en) | Data storage method, data searching method, related device and system | |
| Zhu et al. | Decentralized grid resource discovery based on resource information community | |
| CN115766745B (en) | Method and device for collecting and broadcasting transaction data of block chain link point memory pool | |
| CN104125310A (en) | Semi-permanent address based message sending method | |
| CN103731454A (en) | Method for responding to requests in point-to-point network and server system | |
| Danielis et al. | P-DONAS: a P2P-based domain name system in access networks | |
| CN104994186A (en) | Query method, processor and device of media access control address | |
| CN103701846B (en) | The peer-to-peer network resource search optimization method estimated based on node proximity | |
| CN109889619B (en) | Abnormal domain name monitoring method and device based on block chain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |