CN105827599A - Cache infection detection method and apparatus based on deep analysis on DNS message - Google Patents


Info

Publication number: CN105827599A
Authority: CN (China)
Prior art keywords: dns, message, address information, server, domain names
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201610140358.3A
Other languages: Chinese (zh)
Inventors: 李晓东, 李洪涛, 张恒, 张鹏, 孙才, 姜涛
Current assignee: China Internet Network Information Center (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Internet Network Information Center
Priority date: 2016-03-11 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2016-03-11
Publication date: 2016-08-03
Events: application filed by China Internet Network Information Center; priority to CN201610140358.3A; publication of CN105827599A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5076 Update or notification mechanisms, e.g. DynDNS
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cache infection detection method and apparatus based on deep analysis of DNS messages, so that a DNS cache poisoning attack can be detected in time and an alert raised. Moreover, after DNS cache poisoning, the change of a network domain name address in the DNS server cache can be reported accurately, so that DNS server operation and maintenance personnel can promptly correct the wrong network domain name address in the DNS server.

Description

Cache poisoning detection method and apparatus based on deep analysis of DNS messages
Technical field
The invention belongs to the field of computer network security technology and relates to a cache poisoning detection method and apparatus based on deep analysis of DNS messages.
Background art
In computer network communication, hosts communicate with each other over an IP network and must therefore know the IP address of the peer. A 32-bit IPv4 address (128 bits for IPv6) is hard for the communicating parties to remember, so domain names (for example www.google.com.hk) are widely used to make addresses intuitive and memorable. Network services, however, operate on the IP protocol and cannot locate a host directly by its domain name. The host therefore has to convert the domain name entered by the user into an IP address; this process is called domain name resolution.
Domain name resolution relies on the Domain Name System (DNS), a distributed database for TCP/IP applications that provides the mapping between domain names and IP addresses. With DNS a user can work with memorable, meaningful domain names while the DNS servers in the network translate them into the correct IP address and return it to the user's host. A name server holds the domain names and corresponding IP addresses of all hosts in its network and performs the conversion from domain name to IP address. When an application process needs to resolve a host name into an IP address, that process becomes a client of the DNS: it places the name to be resolved in a DNS request message and sends it to a name server, which looks the name up, places the corresponding IP address in a reply message and returns it to the client application process. The DNS recursive server is a key component of the resolution system: it answers the queries initiated by end users from the domain name address information in its cache.
At present, attacks on the DNS system take mainly the following forms:
The first is the volumetric denial-of-service attack, such as a UDP (User Datagram Protocol) flood, a TCP (Transmission Control Protocol) flood, a DNS request flood or a ping flood. Attacks of this kind are characterised by consuming the resources of the DNS server (CPU, network resources and so on) so that it can no longer respond to legitimate resolution requests in time.
The second is the abnormal request attack, such as over-long domain name requests or malformed domain name requests. Attacks of this kind exploit vulnerabilities in the DNS server by crafting specific request messages that make the server software behave abnormally and exit, or crash and fail to start, thereby disrupting the normal operation of the DNS server.
The third is DNS hijacking, such as DNS cache poisoning, tampering with authoritative zone content, or hijacking an authoritative zone by ARP spoofing. Attacks of this kind tamper with resolution records directly, tamper with them in transit, or race to answer before the legitimate response, in order to alter the resolution result.
The fourth is the use of DNS as an attack vector: the attacker controls a botnet that sends domain name resolution requests with the victim's IP address as the spoofed source; after the DNS servers resolve the large number of requests by recursive query they send their responses to the victim, and the large volume of response packets returned from many different DNS servers constitutes a distributed denial-of-service (DDoS) attack.
In the DNS hijacking case, once a cache poisoning attacker has injected illegal domain name address information into a DNS recursive server and the server has accepted that address, every subsequent request for that domain name is answered with the illegal network address.
Summary of the invention
The object of the invention is to provide a cache poisoning detection method and apparatus based on deep analysis of DNS messages that can detect a DNS cache poisoning attack in time and raise an alert, and that, after a cache has been poisoned, can accurately report the change of the domain name address in the DNS server cache so that DNS server operation and maintenance personnel can promptly correct the wrong network domain name address in the DNS server.
To achieve this object, the technical solution adopted by the invention is as follows:
A cache poisoning detection method based on deep analysis of DNS messages comprises the following steps:
1) Obtain, by port mirroring, DNS flow 1 between the DNS recursive server and the DNS authoritative server, and DNS flow 2 between the DNS recursive server and the DNS end users.
2) Parse the domain name address information in the DNS response messages of DNS flow 1 and count the responses per domain name; if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, a DNS poisoning attack is determined to exist. Parse the DNS response messages of DNS flow 2; when the domain name in a response matches a user-configured domain name but the stored domain name address information is found to differ from the domain name address information in the received response, DNS poisoning is determined to exist.
Further, when DNS poisoning is determined to exist, the method sends DNS poisoning alert information that contains a comparison of the domain name address information before and after the change.
Further, the domain name address information from the DNS response messages being counted is held in double-buffered storage: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
A cache poisoning detection apparatus based on deep analysis of DNS messages comprises a DNS message analysis device. The DNS message analysis device receives the mirrored DNS traffic between the DNS recursive server and the DNS authoritative server and between the DNS recursive server and the DNS end users, parses the domain name information in the corresponding DNS response messages, stores it in the memory of the DNS message analysis device, performs statistical analysis on it, and determines from the result of that analysis whether cache poisoning exists.
Further, the apparatus also includes a switch that mirrors the DNS response messages between the end users and the DNS recursive server and between the DNS recursive server and the DNS authoritative server to the DNS message analysis device.
Further, the DNS message analysis device distinguishes the two kinds of DNS traffic (between the DNS recursive server and the DNS authoritative server, and between the DNS recursive server and the DNS end users) by analysing the IP addresses and port numbers of the DNS response messages.
Further, the DNS message analysis device parses the domain name address information in the DNS response messages between the DNS recursive server and the DNS authoritative server, stores it in its memory and counts it; if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, a DNS poisoning attack is determined to exist.
Further, the DNS message analysis device parses the domain name address information in the DNS response messages between the DNS recursive server and the DNS end users; when the domain name in a received response matches a user-configured domain name but the domain name address information stored in the memory of the DNS message analysis device is found to differ from the domain name address information in the received response, DNS poisoning is determined to exist.
Further, the DNS message analysis device sends DNS poisoning alert information when it determines that DNS poisoning exists; the alert information contains a comparison of the domain name address information before and after the change.
Further, the DNS message analysis device stores domain name address information under a double-buffering policy: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
The above scheme achieves the following advantages:
1) When a DNS poisoning attack occurs, it can be discovered in time.
2) Whether the domain name address information in the DNS cache is correct can be checked against the alert information and corrected in time.
3) If the DNS cache really has been poisoned, the method accurately reports the tampered domain name address information to the DNS operation and maintenance personnel.
4) Using the alert information, the DNS operation and maintenance personnel can promptly restore the correct domain name address information in the cache.
Brief description of the drawings
Fig. 1 shows the architecture of the DNS cache poisoning detection apparatus of the invention.
Fig. 2 shows the DNS cache poisoning detection flow of the invention.
Detailed description of the invention
The DNS cache poisoning detection apparatus of the invention is deployed in the network as shown in Fig. 1: the DNS traffic between the DNS recursive server and the DNS authoritative server, and between the DNS recursive server and the DNS end users, is mirrored by a switch to the DNS message analysis device, which performs the DNS cache poisoning detection.
The DNS cache poisoning detection flow of this embodiment is shown in Fig. 2. Its steps are as follows:
For the traffic between the DNS recursive server and the DNS authoritative server:
1) The DNS message analysis device receives the mirrored DNS traffic between the DNS recursive server and the DNS authoritative server.
2) The DNS message analysis device parses the domain name address information in each DNS response message, stores it in its memory, and counts the number of DNS responses for that domain name.
3) At the end of the measurement period (for example 1 minute), if the counted number of DNS responses for a domain name exceeds the defined threshold (for example 100), a DNS poisoning alert is sent.
At the same time, for the traffic between the DNS recursive server and the DNS end users:
1) The DNS message analysis device receives the mirrored DNS response messages between the DNS recursive server and the DNS end users.
2) The DNS message analysis device parses the domain name address information in each DNS response message.
3) When the domain name in the received DNS response message matches a user-configured domain name (if the user has not configured the domain name, no cache poisoning detection is performed for it), the device checks whether the domain name address information stored in its memory is consistent with the domain name address information in the received response. If it is inconsistent, a DNS cache poisoning alert is sent at the end of the current measurement period (1 minute); the alert information contains a comparison of the domain name address information before and after the change.
The DNS cache poisoning detection on the traffic between the DNS recursive server and the DNS authoritative server and on the traffic between the DNS recursive server and the DNS end users is performed in parallel.
The DNS message analysis device stores domain name address information under a double-buffering strategy: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer, so that DNS messages are analysed in real time without interfering with the alerting function.
The invention achieves the following:
1) The DNS message analysis device parses every DNS response message it receives and, within the configured time interval (1 minute), counts the responses per domain name according to the domain name information in the received response messages. When the number of responses for a domain name exceeds the configured threshold (100), a DNS poisoning alert is sent. This effectively improves the accuracy of the alert.
2) For the domain names the user cares about, the DNS message analysis device records changes in the content of their response messages and sends a DNS cache poisoning alert if the domain name address information changes. DNS cache poisoning is thus discovered in time, preventing the further spread of erroneous information.
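As an added example (not code from the patent or from CNNIC), the following Python sketch implements the two checks described in the summary and the detailed description above on constructed DNS response packets: a minimal parser for the answer section, the per-domain response counter with a double-buffered measurement period, and the address-change check for user-configured domains. The class name PoisoningDetector, the threshold and period values, and the sample packets are assumptions made for the demonstration; the change alert is recorded at detection time rather than batched at the end of the period as the patent describes.

```python
import struct
from collections import Counter

def _read_name(buf, off):
    """Decode a DNS name at buf[off], following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length >= 0xC0:                            # 2-byte compression pointer (top bits 11)
            end = off + 2 if end is None else end     # resume after the first pointer
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_answers(pkt):
    """Return (query name, [IPv4 strings in the answer section]) of a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off, qname, addrs = 12, None, []
    for _ in range(qdcount):
        qname, off = _read_name(pkt, off)
        off += 4                                      # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4: # A record, class IN
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return qname, addrs

def build_response(qname, addrs, txid=0x1234):
    """Construct a minimal DNS A response (sample data, not captured traffic)."""
    enc = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)
    question = enc(qname) + struct.pack("!HH", 1, 1)
    rr = lambda a: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + question + b"".join(rr(a) for a in addrs)   # \xc0\x0c = pointer to the qname

class PoisoningDetector:
    """Flow 1 (recursive <-> authoritative): responses per name per period; alert at period end if over threshold.
    Flow 2 (recursive <-> end user): alert when a watched name's address changes. Counts are double-buffered."""
    def __init__(self, watched, threshold=100, cycle_seconds=60):
        self.watched, self.threshold, self.cycle = {d.lower() for d in watched}, threshold, cycle_seconds
        self.buffers, self.active = [Counter(), Counter()], 0
        self.cycle_start, self.known, self.alerts = None, {}, []   # known: name -> last address set

    def close_periods(self, ts):
        if self.cycle_start is None:
            self.cycle_start = ts
        while ts - self.cycle_start >= self.cycle:   # close each finished period, then swap buffers
            for name, n in self.buffers[self.active].items():
                if n > self.threshold:
                    self.alerts.append(("flood", name, n))
            self.active ^= 1
            self.buffers[self.active].clear()
            self.cycle_start += self.cycle
        return self.alerts

    def on_flow1(self, ts, pkt):
        self.close_periods(ts)
        name, _ = parse_a_answers(pkt)
        self.buffers[self.active][name] += 1

    def on_flow2(self, ts, pkt):
        self.close_periods(ts)
        name, addrs = parse_a_answers(pkt)
        if name not in self.watched or not addrs:     # names the user did not configure are skipped
            return
        current, previous = frozenset(addrs), self.known.get(name)
        if previous is not None and previous != current:
            self.alerts.append(("change", name, sorted(previous), sorted(current)))
        self.known[name] = current

def demo():
    det = PoisoningDetector(["www.example.com"], threshold=3, cycle_seconds=60)   # constructed scenario
    good = build_response("www.example.com", ["93.184.216.34"])
    bad = build_response("www.example.com", ["203.0.113.7"])
    for i in range(5):                                # flow 1: five responses inside one period
        det.on_flow1(10 + i, good)
    det.on_flow2(20, good)                            # flow 2: baseline address for the watched name
    det.on_flow2(30, bad)                             # flow 2: the address has changed
    return det.close_periods(100)                     # ends the period, raising the flood alert
```

Calling demo() yields one "change" alert carrying the before/after addresses and one "flood" alert for the name that exceeded the threshold; responses that fall into different measurement periods are never added together.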

Claims (9)

1. A cache poisoning detection method based on deep analysis of DNS messages, comprising the following steps:
1) obtaining, by port mirroring, DNS flow 1 between the DNS recursive server and the DNS authoritative server, and DNS flow 2 between the DNS recursive server and the DNS end users;
2) parsing the domain name address information in the DNS response messages of DNS flow 1 and counting the responses per domain name, and, if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, determining that a DNS poisoning attack exists; parsing the DNS response messages of DNS flow 2, and, when the domain name in a response matches a user-configured domain name but the stored domain name address information is found to differ from the domain name address information in the received response, determining that DNS poisoning exists.
2. The cache poisoning detection method based on deep analysis of DNS messages according to claim 1, characterised in that it further comprises, when DNS poisoning is determined to exist, sending DNS poisoning alert information, the DNS poisoning alert information containing a comparison of the domain name address information before and after the change.
3. The cache poisoning detection method based on deep analysis of DNS messages according to claim 1, characterised in that the domain name address information from the DNS response messages being counted is held in double-buffered storage: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
4. A cache poisoning detection apparatus based on deep analysis of DNS messages, comprising a DNS message analysis device, wherein the DNS message analysis device receives the mirrored DNS traffic between the DNS recursive server and the DNS authoritative server and between the DNS recursive server and the DNS end users, parses the domain name information in the corresponding DNS response messages, stores it in the memory of the DNS message analysis device, performs statistical analysis on it, and determines from the statistical analysis result whether cache poisoning exists.
5. The cache poisoning detection apparatus based on deep analysis of DNS messages according to claim 4, characterised in that it further comprises a switch that mirrors the DNS response messages between the end users and the DNS recursive server and between the DNS recursive server and the DNS authoritative server to the DNS message analysis device.
6. The cache poisoning detection apparatus based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analysis device distinguishes the two kinds of DNS traffic, between the DNS recursive server and the DNS authoritative server and between the DNS recursive server and the DNS end users, by analysing the IP addresses and port numbers of the DNS response messages.
7. The cache poisoning detection apparatus based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analysis device parses the domain name address information in the DNS response messages between the DNS recursive server and the DNS authoritative server, stores it in the memory of the DNS message analysis device and counts it, and, if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, determines that a DNS poisoning attack exists.
8. The cache poisoning detection apparatus based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analysis device parses the domain name address information in the DNS response messages between the DNS recursive server and the DNS end users, and, when the domain name in a received DNS response message matches a user-configured domain name but the domain name address information stored in the memory of the DNS message analysis device is found to differ from the domain name address information in the received DNS response message, determines that DNS poisoning exists.
9. The cache poisoning detection apparatus based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analysis device stores domain name address information under a double-buffering policy: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.

Priority Applications (1)

Application number | Priority date | Filing date | Title
CN201610140358.3A (CN105827599A, en) | 2016-03-11 | 2016-03-11 | Cache infection detection method and apparatus based on deep analysis on DNS message

Applications Claiming Priority (1)

Application number | Priority date | Filing date | Title
CN201610140358.3A (CN105827599A, en) | 2016-03-11 | 2016-03-11 | Cache infection detection method and apparatus based on deep analysis on DNS message

Publications (1)

Publication number | Publication date
CN105827599A (en) | 2016-08-03

Family

ID=56987163

Family Applications (1)

Application number | Title | Priority date | Filing date
CN201610140358.3A (pending, CN105827599A, en) | Cache infection detection method and apparatus based on deep analysis on DNS message | 2016-03-11 | 2016-03-11

Country Status (1)

Country | Link
CN (1) | CN105827599A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685168A (en) * 2012-09-07 2014-03-26 中国科学院计算机网络信息中心 Query request service method for DNS (Domain Name System) recursive server
CN103685599A (en) * 2013-12-09 2014-03-26 中国科学院计算机网络信息中心 Domain name recursion service pre-judgment and intervention method

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572199A (en) * 2016-10-11 2017-04-19 上海北信源信息技术有限公司 Method for avoiding DNS pollution
CN107592374A (en) * 2017-09-04 2018-01-16 北京新流万联网络技术有限公司 DNS correction method and system for DNS domain name error resolution
CN107592374B (en) * 2017-09-04 2021-06-04 北京新流万联网络技术有限公司 Correction method and system for domain name error resolution
CN108270778A (en) * 2017-12-29 2018-07-10 中国互联网络信息中心 DNS domain name abnormal access detection method and device
CN108270778B (en) * 2017-12-29 2020-11-20 中国互联网络信息中心 DNS domain name abnormal access detection method and device
CN108667799A (en) * 2018-03-28 2018-10-16 中国科学院信息工程研究所 Defence method and system for browser cache poisoning
CN108667799B (en) * 2018-03-28 2021-01-15 中国科学院信息工程研究所 Defense method and system for browser cache poisoning
CN114301614A (en) * 2020-09-23 2022-04-08 中国电信股份有限公司 Method and system for detecting illegal monitoring of domain name in network
CN113810510A (en) * 2021-07-30 2021-12-17 绿盟科技集团股份有限公司 Domain name access method and device and electronic equipment
CN116436705A (en) * 2023-06-13 2023-07-14 武汉绿色网络信息服务有限责任公司 Network security detection method and device, electronic equipment and storage medium
CN116436705B (en) * 2023-06-13 2023-08-11 武汉绿色网络信息服务有限责任公司 Network security detection method and device, electronic equipment and storage medium

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160803