CN104954316A - Protection method for DNSSEC server in DNSSEC query - Google Patents


Info

Publication number: CN104954316A
Application number: CN201410112890.5A
Authority: CN (China)
Prior art keywords: dnssec, query, inquiry, server, rate
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王正
Current assignee: CHINA ORGANIZATIONAL NAME ADMINISTRATION CENTER
Original assignee: CHINA ORGANIZATIONAL NAME ADMINISTRATION CENTER
Priority date: 2014-03-25
Filing date: 2014-03-25
Publication date: 2015-09-30

Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a protection method for a DNSSEC server in DNSSEC query. The method comprises the following steps: a monitoring step, in which the source address information and the query rate information of the DNSSEC query are monitored to obtain the query source address and the query rate corresponding to the DNSSEC query; a judgement step, in which the query rate is compared with a rate threshold, and if the query rate is continuously greater than the rate threshold the DNSSEC query is judged to be an attack query and the method enters the DNS query step, while if the query rate is less than the rate threshold the DNSSEC query is judged to be normal and the method enters the DNSSEC query step; a DNSSEC query step, in which the DNSSEC query is directed to the DNSSEC server; and a DNS query step, in which the DNSSEC query is downgraded to a DNS query that is directed to a DNS server.

Description

Protection method for a DNSSEC server in DNSSEC query
Technical field
The present invention relates to a protection method for a DNSSEC server, and in particular to a protection method that prevents malicious DNSSEC queries from overwhelming and paralysing a DNSSEC server.
Background art
The Domain Name System (DNS), as the basic network infrastructure of the Internet and the gateway through which users access the network, occupies a critical position in Internet services. It generally comprises caching servers, recursive servers and authoritative servers, of which the authoritative server is responsible for responding to the query requests sent by clients.
DNSSEC is the DNS Security Extensions; it provides an extension for origin authentication and data integrity. Using key technology on top of the original DNS, DNSSEC digitally signs the information in DNS and thereby provides security authentication and integrity checking of DNS data. In DNSSEC, every response returned to the domain name resolver (the DNS client program) carries a digital signature, and by means of that signature the resolver verifies whether the records are fully identical to the records on the authoritative name server. DNSSEC defines three kinds of resource record sets: the resource record signature (RRSIG) record, which stores the digital signature of DNS data; the DNS key (DNSKEY) resource record set, which stores the public key used to verify the signatures; and the Delegation Signer (DS) record, used to verify the DNSKEY resource record set, which stores the key tag, the cryptographic algorithm and a digest of the DNSKEY resource record set.
A DNS server supports only DNS queries, whereas a DNSSEC server supports DNSSEC queries in addition to DNS queries. When a DNSSEC server responds to a DNSSEC query request sent by a client, its response must return not only the resource records defined by the DNS protocol but also the resource records defined by the DNSSEC protocol. Compared with a DNS server, a DNSSEC server therefore takes longer to respond to a query request and consumes more resources (bandwidth, CPU and so on). By sending a large number of DNSSEC query requests, an attacker can thus easily overwhelm the authoritative server of a DNSSEC-signed zone, producing the effect of a denial-of-service attack.
Summary of the invention
The object of the present invention is to provide a protection method for a DNSSEC server in DNSSEC query, so as to prevent malicious DNSSEC queries from overwhelming and paralysing the DNSSEC server.
The invention provides a protection method for a DNSSEC server in DNSSEC query, in which the DNSSEC query is directed at a DNSSEC-signed zone, and a DNS server corresponding to the DNSSEC server is also provided in that DNSSEC-signed zone. The protection method comprises: a monitoring step, which monitors the source address information and the query rate information of the DNSSEC query and obtains the query source address and the query rate corresponding to the DNSSEC query; a judgement step, which compares the query rate with a rate threshold, and if the query rate is continuously greater than the rate threshold judges the DNSSEC query to be an attack query and enters the DNS query step, while if the query rate is less than the rate threshold judges the DNSSEC query to be normal and enters the DNSSEC query step; a DNSSEC query step, which directs the DNSSEC query to the DNSSEC server; and a DNS query step, which downgrades the DNSSEC query to a DNS query and directs it to the DNS server.
This protection method diverts malicious DNSSEC queries to the DNS server, which reduces the processing load on the DNSSEC server and prevents it from being paralysed by an attack.
In another exemplary embodiment of the protection method, the rate threshold is the mean of the query rates corresponding to different query source addresses.
In a further exemplary embodiment, the rate threshold is the mean of the query rates corresponding to the same query source address.
In yet another exemplary embodiment, the rate threshold is the initial value of the query rate corresponding to the same query source address within a class C subnet.
Brief description of the drawings
The following drawings only schematically illustrate and explain the present invention and do not limit its scope.
Fig. 1 illustrates an exemplary network configuration of a DNSSEC query system.
Fig. 2 illustrates the flow of the protection method for a DNSSEC server in DNSSEC query.
Reference numerals
10 query hosts
20 router
30 firewall
40 DNSSEC-signed zone
42 DNSSEC server
44 DNS server
Embodiments
In order to give a clear understanding of the technical features, objects and effects of the invention, the specific embodiments of the present invention are now described with reference to the accompanying drawings, in which identical reference numerals denote identical parts.
In this document, "exemplary" means "serving as an example, instance or illustration", and no illustration or embodiment described here as "exemplary" should be construed as a preferred or more advantageous technical solution.
In this document, "a" or "one" not only means "only this one" but may also cover the case of "more than one".
Fig. 1 illustrates an exemplary network configuration of a DNSSEC query system. As shown in Fig. 1, the DNSSEC query system comprises a plurality of query hosts 10, a router 20, a firewall 30 and a DNSSEC-signed zone 40. The DNSSEC-signed zone 40 contains a DNSSEC server 42, which answers DNSSEC queries, and a DNS server 44, which answers DNS queries. A DNSSEC-signed zone may correspond to any level of DNS recursive query, for example a name server or a root server.
Fig. 2 illustrates the flow of the protection method for a DNSSEC server in DNSSEC query. Referring to Fig. 1 and Fig. 2, the protection method starts from step S10. Step S10 is the monitoring step: in step S10, the DNSSEC queries sent by each query host 10 are monitored by the router 20 or the firewall 30. By monitoring these DNSSEC queries, the source address information and the query rate information of each DNSSEC query are parsed out, thereby obtaining the query source address and the query rate corresponding to the DNSSEC queries sent by each query host 10. The query source address is the address of the query host that sends the query, and the query rate is the number of DNSSEC queries sent by the same query host per unit time. After the monitoring step S10 is completed, the method enters step S20.
Step S20 is the judgement step. In step S20, a rate threshold is preset at the router 20 or the firewall 30, and the router 20 or the firewall 30 compares the query rate corresponding to each DNSSEC query obtained in step S10 with the rate threshold. If the query rate corresponding to a DNSSEC query is continuously greater than the rate threshold, the query host sending that DNSSEC query is judged to be launching an attack on the DNSSEC server, the DNSSEC queries sent by that query host are judged to be attack queries, and the method enters step S30. If the query rate corresponding to a DNSSEC query is less than the rate threshold, that DNSSEC query is judged to be a normal query and the method enters step S40.
In one exemplary embodiment of the protection method, the rate threshold may be the mean of the query rates of the DNSSEC queries sent by all query hosts. The rate threshold may also be the mean of the query rates of the DNSSEC queries sent by the same query host.
In another exemplary embodiment, the rate threshold is, within the same class C subnet, the initial value of the query rate of the DNSSEC queries sent by the same query host. During judgement, the query rate of the DNSSEC queries sent by each query host is compared with the initial value of that host's query rate, and DNSSEC queries whose rate is greater than the initial value are judged to be attack queries.
Step S30 is the DNSSEC query step. In step S30, the router 20 or the firewall 30 directs the DNSSEC query to the DNS server 44, so that the DNSSEC query becomes an ordinary DNS query and the query result returned by the DNS server 44 contains only the records defined by the DNS protocol. The protection method then ends.
Step S40 is the DNS query step. In step S40, the router 20 or the firewall 30 directs the DNSSEC query to the DNSSEC server 42, and the query result returned by the DNSSEC server 42 contains the records defined by the DNSSEC protocol. The protection method then ends.
The protection method for a DNSSEC server in DNSSEC query thus diverts malicious DNSSEC queries to the DNS server, reducing the processing load on the DNSSEC server and preventing it from being paralysed by an attack.
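Steps S10 to S40 above, with the preset threshold of claim 1 and the mean-over-sources threshold of claim 2, as an added Python illustration that is not part of the patent: a per-source-address rate monitor that counts DNSSEC queries per unit interval, flags a host once its rate exceeds the threshold for `persist` consecutive intervals (our reading of "continuously greater"), and reports whether that host's queries go to the DNSSEC server or are downgraded to the DNS server. The class and function names, the window length, the `persist` count and the sample addresses are assumptions of this example.

```python
from collections import Counter
from statistics import mean


class DnssecQueryGuard:
    """Steps S10-S40: count DNSSEC queries per source host per unit interval, judge a
    host attacking when its rate stays above the threshold for `persist` consecutive
    windows ("continuously greater"), and downgrade that host's queries to plain DNS."""

    def __init__(self, window=1.0, persist=3, threshold=50.0):
        # threshold: a preset rate (claim 1) or "mean" for the mean rate over all
        # source addresses seen in the window (claim 2); persist is our assumption
        self.window, self.persist, self.threshold = window, persist, threshold
        self.win_start = None
        self.win_counts = Counter()   # source address -> DNSSEC queries this window
        self.over = Counter()         # source address -> consecutive windows above
        self.attackers = set()

    def _close_window(self):
        """S20, the judgement step, run once per elapsed unit interval."""
        rates = {s: c / self.window for s, c in self.win_counts.items()}
        if self.threshold == "mean":
            thr = mean(list(rates.values())) if rates else 0.0
        else:
            thr = self.threshold
        for src in set(rates) | set(self.over):
            rate = rates.get(src, 0.0)           # unseen this window: rate 0
            self.over[src] = self.over[src] + 1 if rate > thr else 0
            if self.over[src] >= self.persist:
                self.attackers.add(src)          # attack query -> DNS query step
            else:
                self.attackers.discard(src)      # not continuously above -> normal
        self.win_counts.clear()

    def observe(self, src, ts):
        """S10: record one DNSSEC query from source address `src` at time `ts`."""
        if self.win_start is None:
            self.win_start = ts
        while ts - self.win_start >= self.window:   # close every elapsed window
            self._close_window()
            self.win_start += self.window
        self.win_counts[src] += 1

    def route(self, src):
        """'dns': downgraded and sent to DNS server 44; 'dnssec': to DNSSEC server 42."""
        return "dns" if src in self.attackers else "dnssec"


def demo_traffic(guard, seconds=5):
    """Constructed sample traffic: five hosts at 4 q/s and one host flooding at 120 q/s."""
    normal = [f"192.0.2.{i}" for i in range(1, 6)]
    flooder = "198.51.100.7"
    for sec in range(seconds):
        for k in range(120):
            guard.observe(flooder, sec + k / 120)
        for host in normal:
            for k in range(4):
                guard.observe(host, sec + k / 4)
    guard.observe(flooder, float(seconds))   # tick that closes the last window
    return {host: guard.route(host) for host in normal + [flooder]}
```

With a fixed threshold of 50 q/s the flooding host is downgraded after three full intervals while the five normal hosts keep reaching the DNSSEC server; with `threshold="mean"` the same happens because the flooder pulls the mean to about 23 q/s, above the normal hosts and well below its own rate.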
It should be understood that although this specification is described in terms of individual embodiments, not every embodiment contains only one independent technical solution; this manner of description is adopted only for clarity, and those skilled in the art should treat the specification as a whole. The technical solutions of the individual embodiments may also be combined appropriately to form other embodiments that will be understood by those skilled in the art.
The detailed descriptions listed above are only illustrations of possible embodiments of the present invention and are not intended to limit its scope. All equivalent embodiments or modifications that do not depart from the technical spirit of the invention, such as combinations, divisions or repetitions of features, shall fall within the scope of protection of the invention.

Claims (4)

  1. A protection method for a DNSSEC server in DNSSEC query, wherein the DNSSEC query is directed at a DNSSEC-signed zone, and a DNS server corresponding to the DNSSEC server is also provided in that DNSSEC-signed zone, the protection method comprising:
    a monitoring step: monitoring the source address information and the query rate information of the DNSSEC query, and obtaining the query source address and the query rate corresponding to the DNSSEC query;
    a judgement step: comparing the query rate with a rate threshold, and if the query rate is continuously greater than the rate threshold, judging the DNSSEC query to be an attack query and entering the DNS query step, while if the query rate is less than the rate threshold, judging the DNSSEC query to be normal and entering the DNSSEC query step;
    a DNSSEC query step: directing the DNSSEC query to the DNSSEC server; and
    a DNS query step: downgrading the DNSSEC query to a DNS query and directing it to the DNS server.
  2. The protection method for a DNSSEC server in DNSSEC query according to claim 1, wherein the rate threshold is the mean of the query rates corresponding to different query source addresses.
  3. The protection method for a DNSSEC server in DNSSEC query according to claim 1, wherein the rate threshold is the mean of the query rates corresponding to the same query source address.
  4. The protection method for a DNSSEC server in DNSSEC query according to claim 1, wherein the rate threshold is the initial value of the query rate corresponding to the same query source address within a class C subnet.

Priority Applications (1)

Application number: CN201410112890.5A (publication CN104954316A)
Priority date: 2014-03-25
Filing date: 2014-03-25
Title: Protection method for DNSSEC server in DNSSEC query

Publications (1)

Publication number: CN104954316A
Publication date: 2015-09-30

Family

ID=54168676
Family applications (1): CN201410112890.5A, pending, CN104954316A, priority date 2014-03-25, filing date 2014-03-25, Protection method for DNSSEC server in DNSSEC query
Country status (1): CN, CN104954316A

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title
CN102045331A * 2009-10-22 2011-05-04 成都市华为赛门铁克科技有限公司 Method, device and system for processing inquiry request message
CN101789940A * 2010-01-28 2010-07-28 联想网御科技(北京)有限公司 Method for preventing flood attack of DNS request message and device thereof
US20120096166A1 * 2010-10-15 2012-04-19 Brocade Communications Systems, Inc. Domain name system security extensions (DNSSEC) for global server load balancing
CN102882892A * 2012-10-26 2013-01-16 杭州迪普科技有限公司 Method and device for protecting DNS (Domain Name Server)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭果 (Tan Guo): "Design and Implementation of a DNS Cache Poisoning Attack Defense System", China Master's Theses Full-text Database, Information Science and Technology series *


Legal Events

Code, title, description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20150930)