CN104954316A - Protection method for DNSSEC server in DNSSEC query - Google Patents
- Publication number: CN104954316A (application CN201410112890.5A)
- Authority: CN (China)
- Prior art keywords: dnssec, query, server, rate
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a protection method for a DNSSEC server in DNSSEC query. The method comprises the following steps: a monitoring step of monitoring the source address information and the query rate information of the DNSSEC queries, and obtaining the query source address and query rate corresponding to each DNSSEC query; a judgement step of comparing the query rate with a rate threshold, judging the DNSSEC query to be an attack query and entering the DNS query step if the query rate is continuously greater than the rate threshold, and judging the DNSSEC query to be normal and entering the DNSSEC query step if the query rate is less than the rate threshold; a DNSSEC query step of directing the DNSSEC query to the DNSSEC server; and a DNS query step of downgrading the DNSSEC query to a DNS query and directing that DNS query to a DNS server.
Description
Technical field
The present invention relates to a protection method for a DNSSEC server, and in particular to a protection method that prevents attack DNSSEC queries from paralysing a DNSSEC server.
Background technology
The Domain Name System (DNS), as a network infrastructure of the Internet and the gateway through which users access the network, occupies a critical position in Internet services. It generally comprises caching servers, recursive servers and authoritative servers, of which the authoritative server is responsible for responding to the query requests sent by clients.
DNSSEC is the DNS Security Extensions; it extends DNS with origin authentication and data integrity. DNSSEC applies key technology on top of the original DNS and digitally signs the information in DNS, thereby providing security authentication and integrity checking of DNS information. In DNSSEC, every response returned to a domain name resolver (the DNS client program) carries a digital signature, and by means of that signature the resolver verifies whether the records are identical to the records held on the authoritative name server. DNSSEC defines three kinds of resource records: the resource record signature (RRSIG), which stores the digital signature of DNS message data; the DNS key resource record set (DNSKEY), which stores the public key used to verify the signatures; and the delegation signer (DS), which is used to verify the DNSKEY resource record set and stores the key tag, the cryptographic algorithm and a digest of the DNSKEY resource record set.
A DNS server supports only DNS queries, whereas a DNSSEC server supports DNSSEC queries in addition to DNS queries. When a DNSSEC server responds to a DNSSEC query request sent by a client, its response must return the resource records defined by the DNSSEC protocol in addition to the resource records defined by the DNS protocol. Compared with a DNS server, a DNSSEC server takes longer to respond to a query request and consumes more resources (such as bandwidth and CPU). An attacker can therefore easily paralyse the authoritative server of a DNSSEC-signed zone by sending a large number of DNSSEC query requests, producing the effect of a denial-of-service attack.
Summary of the invention
The object of this invention is to provide a protection method for a DNSSEC server in DNSSEC query, so as to prevent attack DNSSEC queries from paralysing the DNSSEC server.
The invention provides a protection method for a DNSSEC server in DNSSEC query, where the DNSSEC queries are directed at a DNSSEC-signed zone, and a DNS server corresponding to the DNSSEC server is also provided in that DNSSEC-signed zone. The protection method comprises a monitoring step: monitoring the source address information and query rate information of the DNSSEC queries, and obtaining the query source address and query rate corresponding to each DNSSEC query; a judgement step: comparing the query rate with a rate threshold; if the query rate is continuously greater than the rate threshold, judging the DNSSEC query to be an attack query and entering the DNS query step, and if the query rate is less than the rate threshold, judging the DNSSEC query to be normal and entering the DNSSEC query step; a DNSSEC query step: directing the DNSSEC query to the DNSSEC server; and a DNS query step: downgrading the DNSSEC query to a DNS query and directing it to the DNS server.
This protection method for a DNSSEC server in DNSSEC query diverts attack DNSSEC queries to the DNS server, reducing the processing load on the DNSSEC server and preventing the DNSSEC server from being paralysed by the attack.
In another schematic embodiment of the protection method for a DNSSEC server in DNSSEC query, the rate threshold is the mean of the query rates corresponding to the different query source addresses.
In yet another schematic embodiment of the protection method for a DNSSEC server in DNSSEC query, the rate threshold is the mean of the query rate corresponding to the same query source address.
In yet another schematic embodiment of the protection method for a DNSSEC server in DNSSEC query, the rate threshold is, within a class C subnet, the initial value of the query rate corresponding to the same query source address.
Accompanying drawing explanation
The following drawings only schematically illustrate and explain the present invention and do not limit the scope of the invention.
Fig. 1 illustrates a schematic network configuration of a DNSSEC query system.
Fig. 2 illustrates the flow of the protection method for a DNSSEC server in DNSSEC query.
Reference numerals
10 query hosts
20 router
30 firewall
40 DNSSEC-signed zone
42 DNSSEC server
44 DNS server
Embodiment
In order to give a clearer understanding of the technical features, objects and effects of the invention, the specific embodiments of the present invention are now described with reference to the accompanying drawings, in which identical reference numerals denote identical parts.
In this document, "schematic" means "serving as an example, instance or illustration", and no drawing or embodiment described herein as "schematic" should be interpreted as a preferred or more advantageous technical solution.
In this document, "a" or "one" does not only mean "only this one"; it may also denote "more than one".
Fig. 1 illustrates a schematic network configuration of a DNSSEC query system. As shown in Fig. 1, the DNSSEC query system comprises a plurality of query hosts 10, a router 20, a firewall 30 and a DNSSEC-signed zone 40. The DNSSEC-signed zone 40 contains a DNSSEC server 42 that performs DNSSEC queries and a DNS server 44 that performs DNS queries. The DNSSEC-signed zone may correspond to any level of the DNS recursive lookup, for example a domain name server or a root server.
Fig. 2 illustrates the flow of the protection method for a DNSSEC server in DNSSEC query. Referring to Fig. 1 and Fig. 2, the protection method for a DNSSEC server in DNSSEC query starts from step S10. Step S10 is the monitoring step: in step S10, the DNSSEC queries sent by each query host 10 are monitored by the router 20 or the firewall 30. By monitoring these DNSSEC queries, the source address information and query rate information of each DNSSEC query are parsed out, thereby obtaining the query source address and query rate corresponding to the DNSSEC queries sent by each query host 10. The query source address is the address of the query host that sends the query. The query rate is the number of DNSSEC queries sent by the same query host per unit time. After the monitoring step S10 is completed, the method proceeds to step S20.
Step S20 is the judgement step: in step S20, a rate threshold is preset at the router 20 or the firewall 30, and the router 20 or the firewall 30 compares the query rate corresponding to each DNSSEC query obtained in step S10 with the rate threshold. If the query rate corresponding to a DNSSEC query is continuously greater than the rate threshold, the query host sending that DNSSEC query is judged to be launching an attack on the DNSSEC server, the DNSSEC queries sent from that query host are judged to be attack queries, and the method proceeds to step S30. If the query rate corresponding to a DNSSEC query is less than the rate threshold, that DNSSEC query is judged to be a normal query, and the method proceeds to step S40.
In one exemplary embodiment of the protection method for a DNSSEC server in DNSSEC query, the rate threshold may be the mean of the query rates of the DNSSEC queries sent by each query host. The rate threshold may also be the mean of the query rate of the DNSSEC queries sent by the same query host.
In another exemplary embodiment of the protection method for a DNSSEC server in DNSSEC query, the rate threshold is, within the same class C subnet, the initial value of the query rate of the DNSSEC queries sent by the same query host. During judgement, the query rate of the DNSSEC queries sent by each query host is compared with the initial value of the query rate of the DNSSEC queries sent by that query host, and DNSSEC queries whose rate is greater than the initial value are judged to be attack queries.
Step S30 is the DNS query step: in step S30, the router 20 or the firewall 30 directs the DNSSEC query to the DNS server 44, so that the DNSSEC query becomes an ordinary DNS query, and the query result returned by the DNS server 44 contains only the records defined by the DNS protocol. The protection method for a DNSSEC server in DNSSEC query then ends.
Step S40 is the DNSSEC query step: in step S40, the router 20 or the firewall 30 directs the DNSSEC query to the DNSSEC server 42, and the query result returned by the DNSSEC server 42 contains the records defined by the DNSSEC protocol. The protection method for a DNSSEC server in DNSSEC query then ends.
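The monitoring, judgement and routing steps S10 to S40 above, together with the rate-threshold variants of the two exemplary embodiments, worked through as an added example that is not part of the patent: a per-source windowed rate monitor that routes each query to the DNSSEC server or to the DNS server once the source's rate has stayed above the threshold for several consecutive windows, plus the downgrade itself. The patent does not say how a DNSSEC query is turned into a DNS query; the code assumes this is done by clearing the EDNS0 DO bit (RFC 3225), the flag by which a client asks for DNSSEC records. The mode names, the 1 s window, the three-window reading of "continuously", the 50 queries/s preset threshold and the 192.0.2.0/24 sample traffic are all assumptions of the example.

```python
import struct
from collections import defaultdict, deque
from statistics import mean

DNSSEC_SERVER = "DNSSEC server 42"  # names follow the reference numerals of Fig. 1
DNS_SERVER = "DNS server 44"

class QueryRateMonitor:
    """Steps S10/S20: per-source rate monitoring and the attack/normal decision. threshold_mode
    (names and defaults are this example's assumptions): "fixed" preset value; "global_mean" mean
    of the latest window rate over all sources (claim 2); "source_mean" mean of this source's
    earlier window rates (claim 3); "initial" this source's first window rate (claim 4)."""
    def __init__(self, threshold_mode="fixed", fixed_threshold=50.0, window=1.0, streak=3):
        assert threshold_mode in ("fixed", "global_mean", "source_mean", "initial")
        self.mode, self.fixed, self.window = threshold_mode, fixed_threshold, window
        self.streak_needed = streak  # windows in a row above the threshold = "continuously"
        self.cur_win, self.initial = {}, {}  # per source: window index being counted; first window rate
        self.count, self.streak = defaultdict(int), defaultdict(int)  # per source: queries in current window; windows in a row above threshold
        self.rates = defaultdict(lambda: deque(maxlen=10))  # per source: completed-window rates (q/s)

    def threshold(self, src):
        if self.mode == "fixed":
            return self.fixed
        if self.mode == "initial":
            return self.initial.get(src)
        pool = ([r[-1] for r in self.rates.values() if r] if self.mode == "global_mean"
                else list(self.rates[src])[:-1])  # all sources' latest rate vs this source's earlier rates
        return mean(pool) if pool else None

    def _close_window(self, src):
        rate = self.count[src] / self.window
        self.rates[src].append(rate)
        self.initial.setdefault(src, rate)
        thr = self.threshold(src)
        self.streak[src] = self.streak[src] + 1 if thr is not None and rate > thr else 0
        self.count[src] = 0

    def observe(self, ts, src):  # record one DNSSEC query; return the server it is routed to
        win = int(ts // self.window)
        gap = win - self.cur_win.setdefault(src, win)
        for _ in range(min(gap, 10)):  # close the elapsed windows; idle ones count as rate 0
            self._close_window(src)
        self.cur_win[src] = win
        self.count[src] += 1
        if self.streak[src] >= self.streak_needed:
            return DNS_SERVER  # S30: attack query, downgrade it and send it to the DNS server
        return DNSSEC_SERVER  # S40: normal query, send it to the DNSSEC server

def _skip_name(msg, off):  # offset just past the wire-format domain name starting at off
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def _find_opt(msg):  # offset of the OPT RR's fixed fields (just past its name), or None
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H", msg[off:off + 2])[0], struct.unpack("!H", msg[off + 8:off + 10])[0]
        if i >= an + ns and rtype == 41:  # OPT belongs in the additional section
            return off
        off += 10 + rdlen  # TYPE, CLASS, TTL, RDLENGTH, then RDATA
    return None

def has_do_bit(msg):
    return (off := _find_opt(msg)) is not None and bool(msg[off + 6] & 0x80)

def downgrade_to_dns(msg):
    """Step S30's downgrade, done here by clearing the EDNS0 DO bit (RFC 3225). The patent does
    not say how the downgrade is performed, so this mechanism is the example's assumption."""
    if (off := _find_opt(msg)) is None:
        return msg  # no EDNS0 at all: already a plain DNS query
    out = bytearray(msg)
    out[off + 6] &= 0x7F  # DO is the top bit of the OPT TTL field's flags
    return bytes(out)

def build_dnssec_query(name="example.com", qtype=1, txid=0x1234):  # constructed sample query, not captured traffic
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # one question, one additional RR
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)  # OPT with DO=1
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def sample_traffic():  # constructed (ts, src) events: a 20 q/s client and a 200 q/s flooder, 6 s each
    events = [(s + i / 20, "192.0.2.10") for s in range(6) for i in range(20)]
    events += [(s + i / 200, "192.0.2.99") for s in range(6) for i in range(200)]
    return sorted(events)

def run(events, **monitor_kwargs):  # route every event; return {src: {"dnssec": n, "dns": n}}
    mon = QueryRateMonitor(**monitor_kwargs)
    tally = defaultdict(lambda: {"dnssec": 0, "dns": 0})
    for ts, src in events:
        tally[src]["dns" if mon.observe(ts, src) == DNS_SERVER else "dnssec"] += 1
    return dict(tally)
```

With the default preset threshold, `run(sample_traffic())` keeps the 20 q/s client on the DNSSEC server throughout and moves the 200 q/s flooder to the DNS server from its fourth window on, once three consecutive windows have exceeded the threshold; a window back under the threshold resets the streak, so a source recovers on its own. Running the same traffic with `threshold_mode="initial"` or `"source_mean"` shows a property of claims 3 and 4 worth knowing before deploying them: a host that floods from its very first window sets its own baseline and is never diverted, because its rate never exceeds its own initial value or its own past mean; only a host whose rate rises after an initial normal period is caught. The mean over all sources (claim 2) has no such blind spot, but it shifts upward with the attacker's own rate. Separately, a diverted query returns an answer without RRSIG records, which a validating resolver will refuse for a zone it knows to be signed, so the diversion is tolerable only for sources that step S20 has already judged to be attack traffic.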
This protection method for a DNSSEC server in DNSSEC query diverts attack DNSSEC queries to the DNS server, reducing the processing load on the DNSSEC server and preventing the DNSSEC server from being paralysed by the attack.
It should be understood that, although this specification is described in terms of individual embodiments, each embodiment does not contain only one independent technical solution; this manner of description is adopted only for clarity, and those skilled in the art should regard the specification as a whole, since the technical solutions of the various embodiments may also be appropriately combined to form other embodiments that those skilled in the art will understand.
The detailed descriptions listed above are only illustrations of possible embodiments of the present invention; they are not intended to limit the scope of the invention, and any equivalent embodiments or changes that do not depart from the technical spirit of the invention, such as the combination, division or repetition of features, shall be included within the scope of protection of the present invention.
Claims (4)
- 1. A protection method for a DNSSEC server in DNSSEC query, wherein the DNSSEC queries are directed at a DNSSEC-signed zone, and a DNS server corresponding to the DNSSEC server is also provided in that DNSSEC-signed zone, the protection method comprising: a monitoring step: monitoring the source address information and query rate information of the DNSSEC queries, and obtaining the query source address and query rate corresponding to each DNSSEC query; a judgement step: comparing the query rate with a rate threshold; if the query rate is continuously greater than the rate threshold, judging the DNSSEC query to be an attack query and entering the DNS query step, and if the query rate is less than the rate threshold, judging the DNSSEC query to be normal and entering the DNSSEC query step; a DNSSEC query step: directing the DNSSEC query to the DNSSEC server; and a DNS query step: downgrading the DNSSEC query to a DNS query and directing it to the DNS server.
- 2. The protection method for a DNSSEC server in DNSSEC query as claimed in claim 1, wherein the rate threshold is the mean of the query rates corresponding to different query source addresses.
- 3. The protection method for a DNSSEC server in DNSSEC query as claimed in claim 1, wherein the rate threshold is the mean of the query rate corresponding to the same query source address.
- 4. The protection method for a DNSSEC server in DNSSEC query as claimed in claim 1, wherein the rate threshold is, within a class C subnet, the initial value of the query rate corresponding to the same query source address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410112890.5A (published as CN104954316A) | 2014-03-25 | 2014-03-25 | Protection method for DNSSEC server in DNSSEC query |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104954316A | 2015-09-30 |
Family
ID=54168676
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101789940A | 2010-01-28 | 2010-07-28 | 联想网御科技(北京)有限公司 | Method for preventing flood attack of DNS request message and device thereof |
CN102045331A | 2009-10-22 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Method, device and system for processing inquiry request message |
US20120096166A1 | 2010-10-15 | 2012-04-19 | Brocade Communications Systems, Inc. | Domain name system security extensions (DNSSEC) for global server load balancing |
CN102882892A | 2012-10-26 | 2013-01-16 | 杭州迪普科技有限公司 | Method and device for protecting DNS (Domain Name Server) |
Non-Patent Citations (1)
Title |
---|
Tan Guo, "Design and Implementation of a DNS Cache Poisoning Attack Defense System" (《DNS缓存毒化攻击防御系统的设计与实现》), China Master's Theses Full-text Database, Information Science and Technology series |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150930 |