CN105827599A - Cache infection detection method and apparatus based on deep analysis on DNS message - Google Patents
- Publication number: CN105827599A (application number CN201610140358.3A)
- Authority: CN (China)
- Prior art keywords: dns, message, address information, server, domain names
- Legal status: Pending (an assumed status listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/1466: Countermeasures against malicious traffic; active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/0654: Management of faults, events, alarms or notifications using network fault recovery
- H04L61/5076: Address allocation; update or notification mechanisms, e.g. DynDNS
- H04L63/1416: Detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L61/4511: Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
Landscapes: Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Computer Security & Cryptography; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a cache poisoning detection method and apparatus based on deep analysis of DNS messages. A DNS cache poisoning attack can thereby be detected in a timely manner and an alarm raised. Moreover, after a DNS cache has been poisoned, the change of a domain name's address in the DNS server cache can be reported accurately, so that DNS server operation and maintenance personnel can promptly correct the wrong domain name address in the DNS server.
Description
Technical field
The invention belongs to the field of computer network security technology and relates to a cache poisoning detection method and device based on deep analysis of DNS messages.
Background technology
In computer network communication, a host must know the IP address of its correspondent before it can communicate with that peer over an IP network. A 32-bit IPv4 address (128 bits for IPv6), however, is hard for the communicating parties to remember. Domain names (such as www.google.com.hk) are therefore widely used to make addresses easy to remember and meaningful. Network services nevertheless operate on the IP protocol, so the host to be accessed cannot be found directly by its domain name. The host must convert the domain name entered by the user into an IP address; this process is called domain name resolution.
Domain name resolution is performed by the Domain Name System (DNS), a distributed database for TCP/IP applications that provides translation between domain names and IP addresses. Through DNS, a user running an application can directly use a memorable, meaningful domain name; a DNS server in the network translates it into the correct IP address, which is returned to the user's host. A name server stores the domain names and corresponding IP addresses of all hosts in its network and provides the function of converting domain names to IP addresses. In the resolution process, an application process that needs a host name resolved to an IP address becomes a client of the DNS: it places the domain name to be resolved in a DNS request message and sends it to a name server; the name server looks up the domain name, places the corresponding IP address in a reply message and returns it to the client process. The DNS recursive server is a key component of the DNS resolution system: it answers the DNS queries initiated by end users using the domain name address information in its cache.
At present, attacks on the DNS system mainly take the following forms:
The first is flood-type denial of service, for example UDP (User Datagram Protocol) floods, TCP (Transmission Control Protocol) floods, DNS request floods, or PING floods. Attacks of this type are typically characterised by consuming the resources of the DNS server so that it cannot respond to normal resolution requests in time. The resources consumed include server CPU and network resources.
The second is abnormal-request attacks, such as over-long domain name requests or malformed domain name requests. Attacks of this type exploit vulnerabilities in the DNS server by forging specific request messages, causing the DNS server software to behave abnormally and exit, or to crash and fail to start, thereby preventing the DNS server from working normally.
The third is DNS hijacking, such as DNS cache poisoning, tampering with authoritative zone content, or hijacking an authoritative zone by ARP spoofing. Attacks of this type directly tamper with resolution records, or tamper with or pre-empt the response while a record is in transit, thereby altering the resolution result.
The fourth is attacks that abuse DNS. For example, an attacker controls a botnet, spoofs the IP address of the victim host and sends domain name resolution requests in the victim's name; after the DNS server recursively resolves the large number of requests, it sends the responses to the victim, and the large volume of response packets returned from different DNS servers constitutes a distributed denial of service (DDoS) attack.
Among the DNS hijacking attacks above, in DNS cache poisoning the attacker injects illegitimate domain name address information into a DNS recursive server; once the recursive server has accepted the illegitimate address, subsequent requests for that domain name are answered with it and users are redirected to an illegitimate network address.
Summary of the invention
The object of the invention is to provide a cache poisoning detection method and device based on deep analysis of DNS messages, capable of detecting the occurrence of a DNS cache poisoning attack in time and raising an alarm; and, after a DNS cache has been poisoned, of accurately reporting the change of domain name address information in the DNS server cache, so that DNS server operation and maintenance personnel can promptly correct the wrong domain name address in the DNS server.
To achieve this object, the invention adopts the following technical solution:
A cache poisoning detection method based on deep analysis of DNS messages, comprising the following steps:
1) Obtain, respectively, a mirror of DNS flow 1 between the DNS recursive server and the DNS authoritative server, and of DNS flow 2 between the DNS recursive server and DNS end users;
2) Parse the domain name address information in the DNS response messages of DNS flow 1 and keep statistics on it; if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, determine that a DNS poisoning attack is present. Parse the DNS response messages of DNS flow 2; when the domain name in a response matches a user-configured domain name but the stored domain name address information is found to be inconsistent with the domain name address information in the received response, determine that DNS poisoning is present.
Further, the method also includes sending DNS poisoning alarm information when DNS poisoning is determined to be present; the alarm information contains a comparison of the domain name address information before and after the change.
Further, double-buffered storage is used for the domain name address information collected from the DNS response messages: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
A cache poisoning detection device based on deep analysis of DNS messages, comprising a DNS message analyser. The DNS message analyser receives the mirrored DNS flows between the DNS recursive server and the DNS authoritative server and between the DNS recursive server and DNS end users, parses the domain name information in the corresponding DNS response messages, stores it in the analyser's memory, performs statistical analysis on it, and determines from the statistical results whether cache poisoning is present.
Further, the device also includes a switch, which mirrors the DNS response messages between end users and the DNS recursive server and between the DNS recursive server and the DNS authoritative server to the DNS message analyser.
Further, the DNS message analyser distinguishes the two different DNS flows, recursive server to authoritative server and recursive server to end user, by analysing the IP addresses and port information of the DNS response messages.
Further, the DNS message analyser parses the domain name address information in the DNS response messages between the DNS recursive server and the DNS authoritative server, stores it in the analyser's memory and keeps statistics; if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, it determines that a DNS poisoning attack is present.
Further, the DNS message analyser parses the domain name address information in the DNS response messages between the DNS recursive server and DNS end users; when the domain name in a received response matches a user-configured domain name but the domain name address information stored in the analyser's memory is found to be inconsistent with that in the received response, it determines that DNS poisoning is present.
Further, when the DNS message analyser determines that DNS poisoning is present, it sends DNS poisoning alarm information containing a comparison of the domain name address information before and after the change.
Further, the DNS message analyser stores domain name address information using a double-buffering policy: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
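The two pieces the analyser needs before any statistics can be kept are the parsing of a DNS response (queried name plus answer addresses) and the classification of each mirrored response into flow 1 or flow 2 by IP address and port. The following is an added Python example, not code from the patent: the parser follows the RFC 1035 wire format including name-compression pointers; the recursive server address RECURSIVE_IP, the restriction to IPv4 A records, and the build_response helper used to construct sample input are assumptions of this example.

```python
import struct
import ipaddress

# Assumed address of the recursive server whose traffic is mirrored (not from the patent).
RECURSIVE_IP = "10.0.0.53"


def _read_name(msg: bytes, offset: int):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            hops += 1
            if hops > 63:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def _parse(msg: bytes):
    if len(msg) < 12:
        return None
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                              # QR bit clear: a query, not a response
        return None
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        off += 4                                        # skip QTYPE and QCLASS
        qname = qname or name
    addrs = []
    for _ in range(ancount):
        _owner, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record only
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addrs


def parse_dns_response(msg: bytes):
    """Return (queried name, [A-record addresses]) or None for queries and malformed input."""
    try:
        return _parse(msg)
    except (IndexError, struct.error, UnicodeDecodeError, ValueError):
        return None


def classify_flow(src_ip, src_port, dst_ip, dst_port):
    """Flow 1: response from an authoritative server to the recursive server.
    Flow 2: response from the recursive server to an end user.
    Anything else (queries, unrelated traffic) is ignored."""
    if src_port == 53 and dst_ip == RECURSIVE_IP:
        return "flow1"
    if src_port == 53 and src_ip == RECURSIVE_IP:
        return "flow2"
    return None


def build_response(qname: str, addrs, txid=0x1234) -> bytes:
    """Construct a sample DNS response (test input for this example only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA set
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)                # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        # owner name as a pointer to the question name at offset 12 (0xC00C)
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers


if __name__ == "__main__":
    sample = build_response("www.example.com", ["93.184.216.34"])
    print(parse_dns_response(sample))
    print(classify_flow("192.0.2.10", 53, RECURSIVE_IP, 40001))
```

In a deployment the analyser would receive the mirrored UDP payload together with the IP/UDP header fields and feed both functions; the compression-pointer hop limit and the exception guard matter because mirrored traffic will contain malformed packets that must not crash the detector.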
The above scheme achieves the following advantages:
1) When a DNS poisoning attack occurs, it can be discovered in time.
2) The alarm information allows checking whether the domain name address information in the DNS cache is correct, and correcting it promptly.
3) If the DNS cache has indeed been poisoned, the method can accurately report the tampered domain name address information to DNS operation and maintenance personnel.
4) DNS operation and maintenance personnel can promptly restore the correct domain name address information in the cache according to the alarm information.
Brief description of the drawings
Fig. 1 shows the deployment architecture of the DNS cache poisoning detection device of the invention.
Fig. 2 shows the DNS cache poisoning detection process of the invention.
Detailed description of the invention
The DNS cache poisoning detection device of the invention is deployed in the network as shown in Fig. 1: the DNS flows between the DNS recursive server and the DNS authoritative server and between the DNS recursive server and DNS end users are mirrored by a switch to the DNS message analyser, which performs the DNS cache poisoning detection.
The DNS cache poisoning detection process of this embodiment is shown in Fig. 2. Its steps are as follows:
For the flow between the DNS recursive server and the DNS authoritative server:
1) The DNS message analyser receives the mirrored DNS flow between the DNS recursive server and the DNS authoritative server.
2) The DNS message analyser parses the domain name address information in each DNS response message, stores it in its memory and counts the number of DNS responses for that domain name.
3) At the end of the measurement period (for example 1 minute), if the counted number of DNS responses for a domain name exceeds the defined threshold (for example 100), a DNS poisoning alarm is sent.
In parallel, for the flow between the DNS recursive server and DNS end users:
1) The DNS message analyser receives the mirrored DNS response messages between the DNS recursive server and DNS end users.
2) The DNS message analyser parses the domain name address information in each DNS response message.
3) When the domain name in the received DNS response message matches a user-configured domain name (if the user has not configured the domain name, no cache poisoning detection is performed for it), the analyser checks whether the domain name address information stored in its memory is consistent with the domain name address information in the received response. If the address information is inconsistent, DNS cache poisoning alarm information is sent at the end of the current measurement period (1 minute); the alarm information contains a comparison of the domain name address information before and after the change.
The DNS cache poisoning detection for the flow between the DNS recursive server and the DNS authoritative server and for the flow between the DNS recursive server and DNS end users is performed in parallel.
The DNS message analyser uses a double-buffering strategy to store domain name address information. When the current measurement period ends, the domain name address information of the next period is stored in the other buffer, which allows real-time analysis of DNS messages without interfering with the alarm function.
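The two checks above (per-domain response counting on flow 1 against a per-period threshold, and address comparison on flow 2 for user-configured domains), together with the double-buffered counters and the before/after alarm, as an added Python example that is not the patent's code. It consumes already-parsed records (domain name, answer addresses, flow label, timestamp in seconds); the 1 minute period and the threshold of 100 come from the description, while the CachePoisoningDetector class, the rule that a watched domain's baseline addresses are replaced only by an explicit set_baseline() call, and the constructed sample records in demo() are assumptions of this example.

```python
from collections import Counter

CYCLE_SECONDS = 60   # measurement period given in the description
THRESHOLD = 100      # responses per domain per period given in the description


class CachePoisoningDetector:
    """Hypothetical analyser implementing the two checks of the description."""

    def __init__(self, watched_domains, cycle=CYCLE_SECONDS, threshold=THRESHOLD):
        self.watched = {d.lower() for d in watched_domains}   # user-configured domains
        self.cycle, self.threshold = cycle, threshold
        # Double buffer: the current period counts into one Counter while the
        # period that just closed is evaluated from the other one.
        self.buffers = [Counter(), Counter()]
        self.active = 0
        self.cycle_start = None
        self.baseline = {}   # watched domain -> addresses held in memory (assumed fixed)
        self.changes = {}    # watched domain -> (baseline, differing answer) seen this period
        self.alerts = []

    def set_baseline(self, name, addrs):
        """Record the correct addresses for a watched domain, e.g. after operations fix the cache."""
        self.baseline[name.lower()] = tuple(sorted(addrs))

    def _close_cycle(self, next_start):
        """Evaluate the buffer filled during the period that just ended, then reuse it."""
        closed = self.buffers[self.active]
        self.active ^= 1                       # the next period writes into the other buffer
        for name, count in closed.items():
            if count > self.threshold:         # flow 1 check: too many responses in one period
                self.alerts.append({"type": "poison_attack", "domain": name,
                                    "responses": count, "cycle_start": self.cycle_start})
        for name, (before, after) in self.changes.items():   # flow 2 check: address changed
            self.alerts.append({"type": "cache_poisoned", "domain": name,
                                "before": before, "after": after,
                                "cycle_start": self.cycle_start})
        self.changes = {}
        closed.clear()
        self.cycle_start = next_start

    def observe(self, name, addrs, flow, ts):
        """Feed one parsed response. flow is 'flow1' (authoritative -> recursive)
        or 'flow2' (recursive -> end user)."""
        if self.cycle_start is None:
            self.cycle_start = ts
        while ts - self.cycle_start >= self.cycle:      # period boundary crossed
            self._close_cycle(self.cycle_start + self.cycle)
        name = name.lower()
        if flow == "flow1":
            self.buffers[self.active][name] += 1
        elif flow == "flow2" and name in self.watched:  # unconfigured domains are not checked
            answer = tuple(sorted(addrs))
            known = self.baseline.setdefault(name, answer)
            if answer != known:
                self.changes[name] = (known, answer)

    def flush(self, ts):
        """Close the period containing ts and return every alarm raised so far."""
        self._close_cycle(ts)
        return list(self.alerts)


def demo():
    """Constructed sample traffic for one measurement period (not captured data)."""
    det = CachePoisoningDetector(watched_domains=["www.example.com"])
    for i in range(150):   # 150 authoritative responses for one name inside a minute (flow 1)
        det.observe("victim.example", ["203.0.113.7"], "flow1", 1000 + i * 0.3)
    for i in range(20):    # a normal name well under the threshold
        det.observe("benign.example", ["192.0.2.5"], "flow1", 1000 + i)
    # answers served to end users for the watched name change within the period (flow 2)
    det.observe("www.example.com", ["198.51.100.10"], "flow2", 1001)
    det.observe("www.example.com", ["198.51.100.10"], "flow2", 1020)
    det.observe("www.example.com", ["203.0.113.66"], "flow2", 1040)
    # an unwatched name changing address raises nothing
    det.observe("other.example", ["192.0.2.1"], "flow2", 1041)
    det.observe("other.example", ["192.0.2.2"], "flow2", 1042)
    return det.flush(1060)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Because counters are cleared when a period closes and the next period writes into the other buffer, a burst that straddles a boundary is split across two counts; the patent's threshold is per period, so that is the intended behaviour, and the flow 2 alarm is likewise deferred to the period end exactly as step 3 above states.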
The invention thus achieves the following:
1) The DNS message analyser parses all received DNS response messages and, within the configured time interval (1 minute), counts the number of responses per domain name according to the domain name information in the received responses. When the number of responses for a domain name exceeds the configured threshold (100), a DNS poisoning alarm is sent. This effectively improves the accuracy of alarms.
2) For the domain names the user cares about, the DNS message analyser records changes in the content of their response messages and sends a DNS cache poisoning alarm if the domain name address information changes. DNS cache poisoning can thus be discovered in time, preventing further spread of the erroneous information.
Claims (9)
1. A cache poisoning detection method based on deep analysis of DNS messages, comprising the following steps:
1) Obtain, respectively, a mirror of DNS flow 1 between the DNS recursive server and the DNS authoritative server, and of DNS flow 2 between the DNS recursive server and DNS end users;
2) Parse the domain name address information in the DNS response messages of DNS flow 1 and keep statistics on it; if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, determine that a DNS poisoning attack is present. Parse the DNS response messages of DNS flow 2; when the domain name in a response matches a user-configured domain name but the stored domain name address information is found to be inconsistent with the domain name address information in the received response, determine that DNS poisoning is present.
2. The cache poisoning detection method based on deep analysis of DNS messages according to claim 1, characterised in that it further comprises sending DNS poisoning alarm information when DNS poisoning is determined to be present, the DNS poisoning alarm information containing a comparison of the domain name address information before and after the change.
3. The cache poisoning detection method based on deep analysis of DNS messages according to claim 1, characterised in that double-buffered storage is used for the domain name address information collected from the DNS response messages: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
4. A cache poisoning detection device based on deep analysis of DNS messages, comprising a DNS message analyser, wherein the DNS message analyser receives the mirrored DNS flows between the DNS recursive server and the DNS authoritative server and between the DNS recursive server and DNS end users, parses the domain name information in the corresponding DNS response messages, stores it in the analyser's memory, performs statistical analysis on it, and determines from the statistical results whether cache poisoning is present.
5. The cache poisoning detection device based on deep analysis of DNS messages according to claim 4, characterised in that it further comprises a switch, the switch mirroring the DNS response messages between end users and the DNS recursive server and between the DNS recursive server and the DNS authoritative server to the DNS message analyser.
6. The cache poisoning detection device based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analyser distinguishes the two different DNS flows, recursive server to authoritative server and recursive server to end user, by analysing the IP addresses and port information of the DNS response messages.
7. The cache poisoning detection device based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analyser parses the domain name address information in the DNS response messages between the DNS recursive server and the DNS authoritative server, stores it in the analyser's memory and keeps statistics, and, if the number of responses for a domain name within the configured measurement period exceeds the configured threshold, determines that a DNS poisoning attack is present.
8. The cache poisoning detection device based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analyser parses the domain name address information in the DNS response messages between the DNS recursive server and DNS end users and, when the domain name in a received response matches a user-configured domain name but the domain name address information stored in the analyser's memory is found to be inconsistent with that in the received response, determines that DNS poisoning is present.
9. The cache poisoning detection device based on deep analysis of DNS messages according to claim 4, characterised in that the DNS message analyser stores domain name address information using a double-buffering policy: when the current measurement period ends, the domain name address information of the next period is stored in the other buffer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610140358.3A CN105827599A (en) | 2016-03-11 | 2016-03-11 | Cache infection detection method and apparatus based on deep analysis on DNS message |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610140358.3A CN105827599A (en) | 2016-03-11 | 2016-03-11 | Cache infection detection method and apparatus based on deep analysis on DNS message |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105827599A true CN105827599A (en) | 2016-08-03 |
Family ID: 56987163
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610140358.3A Pending CN105827599A (en) | 2016-03-11 | 2016-03-11 | Cache infection detection method and apparatus based on deep analysis on DNS message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105827599A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103685168A (en) * | 2012-09-07 | 2014-03-26 | 中国科学院计算机网络信息中心 | Query request service method for DNS (Domain Name System) recursive server |
CN103685599A (en) * | 2013-12-09 | 2014-03-26 | 中国科学院计算机网络信息中心 | Domain name recursion service pre-judgment and intervention method |
Events
- 2016-03-11: CN application CN201610140358.3A filed (publication CN105827599A), status Pending
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106572199A (en) * | 2016-10-11 | 2017-04-19 | 上海北信源信息技术有限公司 | Method for avoiding DNS pollution |
CN107592374A (en) * | 2017-09-04 | 2018-01-16 | 北京新流万联网络技术有限公司 | The DNS correcting methods and system of DNS domain name error resolution |
CN107592374B (en) * | 2017-09-04 | 2021-06-04 | 北京新流万联网络技术有限公司 | Correction method and system for domain name error resolution |
CN108270778A (en) * | 2017-12-29 | 2018-07-10 | 中国互联网络信息中心 | A kind of DNS domain name abnormal access detection method and device |
CN108270778B (en) * | 2017-12-29 | 2020-11-20 | 中国互联网络信息中心 | DNS domain name abnormal access detection method and device |
CN108667799A (en) * | 2018-03-28 | 2018-10-16 | 中国科学院信息工程研究所 | It is a kind of to be directed to the defence method and system that browser rs cache is poisoned |
CN108667799B (en) * | 2018-03-28 | 2021-01-15 | 中国科学院信息工程研究所 | Defense method and system for browser cache poisoning |
CN114301614A (en) * | 2020-09-23 | 2022-04-08 | 中国电信股份有限公司 | Method and system for detecting illegal monitoring of domain name in network |
CN113810510A (en) * | 2021-07-30 | 2021-12-17 | 绿盟科技集团股份有限公司 | Domain name access method and device and electronic equipment |
CN116436705A (en) * | 2023-06-13 | 2023-07-14 | 武汉绿色网络信息服务有限责任公司 | Network security detection method and device, electronic equipment and storage medium |
CN116436705B (en) * | 2023-06-13 | 2023-08-11 | 武汉绿色网络信息服务有限责任公司 | Network security detection method and device, electronic equipment and storage medium |
Similar Documents
Publication | Title |
---|---|
CN105827599A (en) | Cache infection detection method and apparatus based on deep analysis on DNS message |
CN109474575B (en) | DNS tunnel detection method and device |
US11290485B2 (en) | Method and system for detecting and blocking data transfer using DNS protocol |
CN108270778B (en) | DNS domain name abnormal access detection method and device |
US9578040B2 (en) | Packet receiving method, deep packet inspection device and system |
CN113301012B (en) | Network threat detection method and device, electronic equipment and storage medium |
CN111953673B (en) | DNS hidden tunnel detection method and system |
CN108111548A (en) | A kind of domain name system attack detection method, apparatus and system |
CN105025025A (en) | Cloud-platform-based domain name active detecting method and system |
CN102624750B (en) | Resist the method and system that DNS recurrence is attacked |
CN107135238A (en) | A kind of DNS reflection amplification attacks detection method, apparatus and system |
WO2017067443A1 (en) | Security domain name system and fault processing method therefor |
CN110602048B (en) | Method and device for preventing domain name hijacking and computer equipment |
CN109862129A (en) | DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium |
CN111988447A (en) | Network security protection method and DNS recursive server |
CN102223422A (en) | Domain name system (DNS) message processing method and network safety equipment |
CN110061998B (en) | Attack defense method and device |
CN112839005B (en) | DNS domain name abnormal access monitoring method and device |
CN107508840A (en) | A kind of method that monitoring DNS domain name based on DNS Proxy is attacked |
Affinito et al. | Local and public dns resolvers: do you trade off performance against security? |
CN110266684B (en) | Domain name system safety protection method and device |
CN106534141A (en) | Method and system for preventing domain name server from being attacked and firewall |
Barbosa et al. | Identifying and Classifying Suspicious Network Behavior Using Passive DNS Analysis |
CN109040137A (en) | For detecting the method, apparatus and electronic equipment of man-in-the-middle attack |
US9077639B2 (en) | Managing data traffic on a cellular network |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160803 |