CN105847281A - Method and system for defending DNS against attacks - Google Patents


Info

Publication number: CN105847281A
Authority: CN (China)
Application number: CN201610317345.9A
Other languages: Chinese (zh)
Other versions: CN105847281B (en)
Inventor: 张余
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Legal status: Granted
Prior art keywords: name server, attack, primary, address, primary name


Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 ... for detecting or protecting against malicious traffic
                • H04L63/1408 ... by monitoring network traffic
                • H04L63/1441 Countermeasures against malicious traffic
        • H04L61/00 Network arrangements, protocols or services for addressing or naming
            • H04L61/45 Network directories; Name-to-address mapping
                • H04L61/4505 ... using standardised directories; using standardised directory access protocols
                    • H04L61/4511 ... using domain name system [DNS]

Abstract

The invention provides a method and system for defending a DNS against attacks, and belongs to the technical field of communication. The method and system can at least partially solve the problem that a conventional method for defending a DNS against attacks cannot accurately determine whether the DNS is under attack. In the method of the invention, the actual number N of domain name resolution requests sent from each IP address and the actual number Np sent from each port are counted; from these, a forecast number Nf of domain name resolution requests from the IP address and a forecast number Npf of domain name resolution requests from the port are calculated; based on Nf, Npf and an attack decision threshold, it is determined whether the IP address and the port are attacking the main domain name server. Compared with prior-art techniques, in which whether the main domain name server is under attack is determined only from the counted actual number and a preset threshold, the method and system determine more accurately whether the main domain name server is under attack, and prevent normal users from being misjudged as users launching an attack and consequently losing access to the Internet.

Description

Method and system for defending DNS against attacks
Technical field
The invention belongs to the technical field of communication, and specifically relates to a method and system for defending a DNS against attacks.
Background art
DNS is the abbreviation of Domain Name System; it consists of resolvers and name servers. A name server (DNS server) holds the domain names and corresponding IP addresses of all hosts in the network and has the function of converting a domain name into an IP address. Domain name resolution proceeds as follows: the user initiates a domain name resolution request; after the local DNS server receives the request it looks the name up in its local cache; if no entry is found, it sends a request to an upper-level DNS server; the upper-level DNS server returns the resolution result to the local DNS server in a response message, and the local DNS server returns the result to the user that requested resolution of the domain name.
DNS attacks have occurred repeatedly in recent years. The common form of a DNS attack is that the attacker sends domain name resolution request messages to the DNS server, causing the DNS server to become seriously overloaded so that it can no longer respond to the DNS requests of normal users, which achieves the purpose of the attack.
In the prior art, the method of defending a DNS against attacks mainly relies on counting requests within a measurement period: the number of normal domain name requests is usually below a certain threshold, and if the count exceeds that threshold, the IP address that sent the requests is considered an attack source and is filtered.
The inventor has found that the prior art has at least the following problems:
1. The threshold for the number of normal domain name requests is difficult to set, so it is impossible to judge accurately and without misjudgement whether the DNS is under attack;
2. From the time the DNS comes under attack until the attack is mitigated, DNS performance is greatly reduced, which affects the ability of the DNS to provide domain name resolution service to normal users and leaves normal users unable to use the Internet normally.
Therefore, designing a method and system for defending a DNS against attacks that can judge more accurately whether the DNS is under attack, and that can keep the DNS performing well while the attack is being mitigated, is a technical problem that urgently needs to be solved.
Summary of the invention
To solve the above problem at least in part, the present invention provides a method and system for defending a DNS against attacks, which can judge more accurately whether the DNS is under attack and can keep the DNS performing well while the attack is being mitigated.
The technical solution adopted to solve the technical problem of the present invention is a method for defending a DNS against attacks, comprising:
counting, for each IP address, the actual number N of domain name resolution requests it sends to the primary name server each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests it sends to the primary name server each day;
calculating, from the actual numbers N and N_p, the forecast number N_f of domain name resolution requests each IP address will send to the primary name server each day, and the forecast number N_pf of domain name resolution requests each port of each IP address will send to the primary name server each day;
presetting an attack decision threshold, judging from the forecast number N_f whether the IP address is attacking the primary name server, and, if the IP address is attacking the primary name server, judging from the N_pf of each port of that IP address whether the port is attacking the primary name server;
filtering the ports attacking the primary name server, so as to reduce the use state value of the primary name server.
Preferably, the preset attack decision threshold comprises a first quantity threshold t and a second quantity threshold u;
judging whether the IP address is attacking the primary name server comprises: calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be attacking the primary name server;
and judging whether the port is attacking the primary name server comprises: calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be attacking the primary name server.
Preferably, the forecast number N_f(c+1) of domain name resolution requests an IP address sends to the primary name server on day c+1 is computed as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
Preferably, the forecast number N_pf(c+1) of domain name resolution requests a port sends to the primary name server on day c+1 is computed as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
Preferably, the method further comprises:
monitoring the use state value of the primary name server in real time, and, when the use state value of the primary name server exceeds the use threshold, activating auxiliary name servers one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, shutting down the auxiliary name servers one after another; where the use state value of the primary name server is computed as:
r = q1*p1 + q2*p2 + q3*p3
where r is the use state value of the primary name server, q1 is the CPU utilisation ratio of the primary name server and p1 is the weight of the CPU utilisation ratio, q2 is the memory utilisation ratio of the primary name server and p2 is the weight of the memory utilisation ratio, and q3 is the bandwidth utilisation ratio of the primary name server and p3 is the weight of the bandwidth utilisation ratio.
Another technical solution provided by the present invention is a system for defending a DNS against attacks, comprising an attack source detection unit, the attack source detection unit comprising an actual quantity statistics module, a forecast quantity calculation module, an attack source locking module and an attack source filtering module, wherein:
the actual quantity statistics module is configured to count, for each IP address, the actual number N of domain name resolution requests it sends to the primary name server each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests it sends to the primary name server each day;
the forecast quantity calculation module is configured to calculate, from the actual numbers N and N_p, the forecast number N_f of domain name resolution requests each IP address will send to the primary name server each day, and the forecast number N_pf of domain name resolution requests each port of each IP address will send to the primary name server each day;
the attack source locking module is configured to preset an attack decision threshold, to judge from the forecast number N_f whether the IP address is attacking the primary name server, and, if the IP address is attacking the primary name server, to judge from the N_pf of each port of that IP address whether the port is attacking the primary name server;
the attack source filtering module is configured to filter the ports attacking the primary name server, so as to reduce the use state value of the primary name server.
Preferably, the attack decision threshold preset by the attack source locking module comprises a first quantity threshold t and a second quantity threshold u;
judging whether the IP address is attacking the primary name server comprises: calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be attacking the primary name server;
and judging whether the port is attacking the primary name server comprises: calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be attacking the primary name server.
Preferably, the formula used by the forecast quantity calculation module to calculate the forecast number N_f(c+1) of domain name resolution requests an IP address sends to the primary name server on day c+1 is:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
Preferably, the formula used by the forecast quantity calculation module to calculate the forecast number N_pf(c+1) of domain name resolution requests a port sends to the primary name server on day c+1 is:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
Preferably, the system further comprises a use state monitoring unit and a switch control unit, wherein:
the use state monitoring unit is connected to the primary name server and is configured to monitor the use state value of the primary name server in real time;
the switch control unit is connected to the auxiliary name servers and to the use state monitoring unit, and is configured to activate the auxiliary name servers one after another when the use state value of the primary name server exceeds the use threshold, so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
and, after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, to shut down the auxiliary name servers one after another; where the use state value of the primary name server is computed as:
r = q1*p1 + q2*p2 + q3*p3
where r is the use state value of the primary name server, q1 is the CPU utilisation ratio of the primary name server and p1 is the weight of the CPU utilisation ratio, q2 is the memory utilisation ratio of the primary name server and p2 is the weight of the memory utilisation ratio, and q3 is the bandwidth utilisation ratio of the primary name server and p3 is the weight of the bandwidth utilisation ratio.
In the method and system for defending a DNS against attacks provided by the present invention, first, from the counted actual number N of domain name resolution requests sent by an IP address and the actual number N_p sent by a port, the forecast number N_f of domain name resolution requests the IP address will send and the forecast number N_pf the port will send are calculated; then, from N_f, N_pf and the attack decision threshold, it is determined whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from counted actual numbers and a preset threshold, this judges more accurately whether the primary name server is under attack and avoids misjudging normal users as users launching an attack, which would leave them unable to use the Internet normally.
Secondly, when the primary name server is under attack so that its use state value exceeds the use threshold, auxiliary name servers are activated one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, which ensures that users can still use the Internet normally from the time the primary name server comes under attack until the attack is mitigated.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the method for defending a DNS against attacks of Embodiment 1 of the invention;
Fig. 2 is a schematic block diagram of the composition of the system for defending a DNS against attacks of Embodiment 2 of the invention;
where the reference numerals are:
10, attack source detection unit; 11, actual quantity statistics module; 12, forecast quantity calculation module; 13, attack source locking module; 14, attack source filtering module; 20, use state monitoring unit; 30, switch control unit; 40, primary name server; 50, auxiliary name server.
Detailed description of the invention
To enable those skilled in the art to better understand the technical solution of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments.
Embodiment 1:
This embodiment provides a method for defending a DNS against attacks; the method can accurately lock on to the IP address launching an attack and the port it uses, and filter that port.
Fig. 1 is a schematic flow chart of the method for defending a DNS against attacks of this embodiment. As shown in Fig. 1, the method comprises the following steps:
Step S1: count, for each IP address, the actual number N of domain name resolution requests it sends to the primary name server each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests it sends to the primary name server each day.
One primary name server serves multiple users, and these users have private network IP addresses; a private network IP address can only reach the primary name server through a public network IP address to perform domain name resolution. In this step, the actual number N of domain name resolution requests each IP address sends to the primary name server each day is counted; for example, the actual number of domain name resolution requests the d-th public network IP address sends to the primary name server on day c can be written N_cd. Likewise, the actual number N_p of domain name resolution requests each port of each IP address sends to the primary name server each day is counted; for example, the actual number of domain name resolution requests the p-th port of the d-th public network IP address sends to the primary name server on day c can be written N_pcd.
In this way, the actual number of domain name resolution requests that each IP address, and each of its ports, sends to the primary name server each day is clearly recorded.
Step S2: from the actual numbers N and N_p, calculate the forecast number N_f of domain name resolution requests each IP address will send to the primary name server each day, and the forecast number N_pf of domain name resolution requests each port of each IP address will send to the primary name server each day.
From the recorded actual number N of domain name resolution requests an IP address sent each day, the forecast number N_f of requests that the IP address will send on the following day is calculated. Correspondingly, the forecast number N_f(c+1) of domain name resolution requests the IP address sends to the primary name server on day c+1 is computed as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c (1)
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
Specifically, the forecast number of domain name resolution requests sent by the d-th public network IP address on day c+1 can be written N_f(c+1)d, computed as:
N_f(c+1)d = M_1*N_1d + M_2*N_2d + ... + M_c*N_cd (2)
where N_cd is the actual number of domain name resolution requests the d-th IP address sent to the primary name server on day c.
From formulas (1) and (2), the forecast number N_f of domain name resolution requests each IP address sends each day can be calculated.
From the recorded actual number N_p of domain name resolution requests a port sent each day, the forecast number N_pf of requests that the port will send on the following day is calculated. Correspondingly, the forecast number N_pf(c+1) of domain name resolution requests the port sends to the primary name server on day c+1 is computed as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc (3)
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
Specifically, the forecast number of domain name resolution requests sent by the p-th port of the d-th public network IP address on day c+1 can be written N_pf(c+1)d, computed as:
N_pf(c+1)d = W_1*N_p1d + W_2*N_p2d + ... + W_c*N_pcd (4)
where N_pcd is the actual number of domain name resolution requests the p-th port of the d-th public network IP address sent to the primary name server on day c.
From formulas (3) and (4), the forecast number N_pf of domain name resolution requests each port sends each day can be calculated.
In addition, so that the forecast number N_f(c+1)d for the d-th public network IP address on day c+1 is close to the actual number N_(c+1)d of the d-th public network IP address on day c+1, it is preferable that the larger c is, the larger W_c is, to improve the precision of the forecast.
Likewise, so that the forecast number N_pf(c+1)d for the p-th port of the d-th public network IP address on day c+1 is close to the actual number N_p(c+1)d of that port on day c+1, it is preferable that the larger c is, the larger W_c is, to improve the precision of the forecast.
Step S3: preset the attack decision threshold; judge from the forecast number N_f whether the IP address is attacking the primary name server, and, if the IP address is attacking the primary name server, judge from the N_pf of each port of that IP address whether the port is attacking the primary name server.
Specifically, the preset attack decision threshold comprises a first quantity threshold t and a second quantity threshold u. The specific sizes of t and u can be set flexibly according to the scenario in which the method is used.
Judging whether the IP address is attacking the primary name server comprises: calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be attacking the primary name server.
Judging whether the port is attacking the primary name server comprises: calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be attacking the primary name server.
By the above steps, the IP address launching an attack is found first, and then the port of that IP address that is launching the attack is locked on to, so that the attack source is located accurately.
Step S4: filter the ports attacking the primary name server, so as to reduce the use state value of the primary name server.
Building on step S3, this step filters out the ports attacking the primary name server, which reduces the use state value of the primary name server, i.e. restores the performance of the primary name server.
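As an added example (not the patent's own code), the following Python implements steps S1 to S4 above: the weighted forecast of formulas (1) and (3), the IP-level decision with threshold t, the port-level decision with threshold u applied only to IP addresses already judged as attacking, and the resulting list of ports to filter. The IP addresses, daily counts, thresholds and the recency-increasing weight scheme are constructed assumptions; the weights are one choice satisfying M_1 + ... + M_c = 1.

```python
# Added example (not part of the patent): weighted-forecast attack-source
# detection as described in steps S1-S3, producing the filter list of S4.
# All IP addresses, ports, counts, weights and thresholds are constructed
# sample values; the weight scheme is one choice satisfying M_1+...+M_c = 1.

def recency_weights(c):
    """Weights M_1..M_c (or W_1..W_c) that sum to 1 and grow with the day
    index, so the most recent day c carries the largest weight, as the
    patent prefers. Assumed scheme: M_k proportional to k."""
    total = c * (c + 1) / 2
    return [k / total for k in range(1, c + 1)]


def forecast(history, weights):
    """N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c over c days of counts."""
    if len(history) != len(weights):
        raise ValueError("need exactly one weight per historical day")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(m * n for m, n in zip(weights, history))


def detect_attack_sources(ip_history, port_history, today_ip, today_port, t, u):
    """Return the (ip, port) pairs that step S4 would filter.

    ip_history:   {ip: [N_1, ..., N_c]}            per-IP daily counts
    port_history: {(ip, port): [Np_1, ..., Np_c]}  per-port daily counts
    today_ip:     {ip: N_(c+1)}                     actual count on day c+1
    today_port:   {(ip, port): Np_(c+1)}
    t, u:         first and second quantity thresholds
    """
    flagged = []
    for ip, hist in ip_history.items():
        n_f = forecast(hist, recency_weights(len(hist)))
        # IP-level decision: the IP is attacking only if N - N_f > t
        if today_ip[ip] - n_f <= t:
            continue
        # Port-level decision, only for IPs already judged as attacking
        for (pip, port), phist in port_history.items():
            if pip != ip:
                continue
            np_f = forecast(phist, recency_weights(len(phist)))
            if today_port[(pip, port)] - np_f > u:
                flagged.append((ip, port))
    return flagged


# Constructed sample: two public IPs (TEST-NET-3 addresses) over c = 5 days.
NORMAL_IP, ATTACK_IP = "203.0.113.10", "203.0.113.77"
IP_HISTORY = {
    NORMAL_IP: [100, 110, 105, 95, 100],
    ATTACK_IP: [100, 100, 100, 100, 100],
}
PORT_HISTORY = {
    (NORMAL_IP, 53): [100, 110, 105, 95, 100],
    (ATTACK_IP, 53): [50, 50, 50, 50, 50],
    (ATTACK_IP, 1024): [50, 50, 50, 50, 50],
}
TODAY_IP = {NORMAL_IP: 108, ATTACK_IP: 5000}            # day c+1 actual counts
TODAY_PORT = {(NORMAL_IP, 53): 108, (ATTACK_IP, 53): 4940, (ATTACK_IP, 1024): 60}
T_THRESHOLD, U_THRESHOLD = 200, 200                      # constructed t and u


def run_sample():
    """Run the detection over the constructed sample; only the attacking
    IP's port 53 exceeds both thresholds, so it is the single port filtered."""
    return detect_attack_sources(IP_HISTORY, PORT_HISTORY, TODAY_IP, TODAY_PORT,
                                 T_THRESHOLD, U_THRESHOLD)


if __name__ == "__main__":
    print("ports to filter:", run_sample())
```

Note that the normal IP's 108 requests against a forecast of 101 stay well within t, which is the misjudgement the forecast-based decision is meant to avoid.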
To ensure that the users served by the primary name server can still receive domain name resolution service normally, at least one auxiliary name server is connected in parallel with the primary name server, and the use state value of the primary name server is monitored in real time; when the use state value of the primary name server exceeds the use threshold, auxiliary name servers are activated one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, the auxiliary name servers are shut down one after another; where the use state value of the primary name server is computed as:
r = q1*p1 + q2*p2 + q3*p3
where r is the use state value of the primary name server, q1 is the CPU utilisation ratio of the primary name server and p1 is the weight of the CPU utilisation ratio, q2 is the memory utilisation ratio of the primary name server and p2 is the weight of the memory utilisation ratio, and q3 is the bandwidth utilisation ratio of the primary name server and p3 is the weight of the bandwidth utilisation ratio.
The use threshold is set to s; its specific value is determined according to the operating environment. When r > s, the performance of the primary name server has degraded, so auxiliary name servers are activated one after another and bandwidth is increased accordingly; when r ≤ s, the performance of the primary name server has recovered, so the auxiliary name servers are shut down one after another and bandwidth is reduced accordingly.
Moreover, when the primary name server is under attack, growth in the number of users it serves or in the frequency with which users access the Internet may also push its use state value above the use threshold. In that case the first auxiliary name server is activated first and the corresponding bandwidth is added; if the use state value of the primary name server is still above the use threshold, the second auxiliary name server is activated and the corresponding bandwidth is added, to ensure that all users can use the Internet normally. As the use state value of the primary name server gradually decreases, the second auxiliary name server and then the first auxiliary name server are shut down in turn.
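As an added example (not from the patent), the Python below computes r = q1*p1 + q2*p2 + q3*p3 and simulates the switch control just described: while r > s it activates the next auxiliary name server, one per evaluation, and once r ≤ s it shuts them down in reverse order. The weights p1..p3 (assumed to sum to 1), the threshold s, the server names and the utilisation samples are constructed assumptions.

```python
# Added example (not part of the patent): use state value r of the primary
# name server and the switch control that activates or shuts down auxiliary
# name servers one at a time around the use threshold s. Weights, threshold,
# server names and utilisation samples are constructed; p1+p2+p3 = 1 is assumed.

def use_state_value(q_cpu, q_mem, q_bw, p_cpu=0.4, p_mem=0.3, p_bw=0.3):
    """r = q1*p1 + q2*p2 + q3*p3, with q1..q3 as utilisation ratios in [0, 1]
    for CPU, memory and bandwidth and p1..p3 as their weights."""
    if abs((p_cpu + p_mem + p_bw) - 1.0) > 1e-9:
        raise ValueError("weights p1..p3 are assumed to sum to 1")
    for q in (q_cpu, q_mem, q_bw):
        if not 0.0 <= q <= 1.0:
            raise ValueError("utilisation ratios must lie in [0, 1]")
    return q_cpu * p_cpu + q_mem * p_mem + q_bw * p_bw


class SwitchControl:
    """Switch control unit: activates auxiliary servers in a fixed order when
    r > s and shuts them down in reverse order when r <= s, one per evaluation,
    so the first server activated is the last one shut down."""

    def __init__(self, aux_servers, s):
        self.aux_servers = list(aux_servers)   # fixed activation order
        self.s = s                              # use threshold s
        self.active = []                        # currently activated servers

    def evaluate(self, r):
        """Apply one monitoring sample and return the active server list."""
        if r > self.s and len(self.active) < len(self.aux_servers):
            self.active.append(self.aux_servers[len(self.active)])
        elif r <= self.s and self.active:
            self.active.pop()                   # most recently activated first
        return list(self.active)


def simulate(samples, aux_servers, s):
    """Feed (q_cpu, q_mem, q_bw) samples through the controller and return
    the number of auxiliary servers active after each sample."""
    ctl = SwitchControl(aux_servers, s)
    return [len(ctl.evaluate(use_state_value(*q))) for q in samples]


# Constructed monitoring samples: overloaded, still overloaded, recovering, idle.
SAMPLES = [(0.95, 0.90, 0.90), (0.90, 0.85, 0.95), (0.50, 0.40, 0.40), (0.30, 0.30, 0.20)]
AUX_SERVERS = ["aux-dns-1", "aux-dns-2", "aux-dns-3"]   # hypothetical names
USE_THRESHOLD_S = 0.8                                   # constructed s


def run_sample():
    """r per sample is 0.92, 0.90, 0.44, 0.27: two activations, then two shutdowns."""
    return simulate(SAMPLES, AUX_SERVERS, USE_THRESHOLD_S)


if __name__ == "__main__":
    print("active auxiliaries after each sample:", run_sample())
```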
The method for defending a DNS against attacks of this embodiment determines, from N_f, N_pf and the attack decision threshold, whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from counted actual numbers and a preset threshold, it judges more accurately whether the primary name server is under attack and avoids misjudging normal users as users launching an attack, which would leave them unable to use the Internet normally. Secondly, when the primary name server is under attack so that its use state value exceeds the use threshold, auxiliary name servers are activated one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, which ensures that users can still use the Internet normally from the time the primary name server comes under attack until the attack is mitigated.
Embodiment 2:
The present embodiment provides the system of a kind of DNS defensive attack, and this system is for realizing implementing The equipment of the method for example 1.Fig. 2 is the group of the system of the DNS defensive attack of the present embodiment Become schematic block diagram, as in figure 2 it is shown, what this system included being connected with primary name server 40 Attack source probe unit 10, attack source probe unit 10 includes actual quantity statistical module 11, prediction number calculating section 12, attack source locking module 13 and attack source filtering module 14, wherein:
Actual quantity statistical module 11 is used for adding up each IP address and sends to main territory every day The actual quantity N of the domain name mapping request of name server 40, and each IP address Each port sends the actual quantity of the domain name mapping request to primary name server 40 every day Np
Such as, pth the port of the c days d public network IP address sends to Main Domain The actual quantity of the domain name mapping request of server can be designated as Npcd.Actual quantity statistics mould Block can clearly statistic record each IP address and each port thereof send to main territory every day The actual quantity of the domain name mapping request of name server.
Prediction number calculating section 12 is for according to actual quantity N and actual quantity Np, Calculate each IP address and send the prediction of the domain name mapping request to primary name server every day Quantity Nf, and each port transmission every day of each IP address is to primary name server The pre-quantitation N of domain name mapping requestpf
Prediction number calculating section 12 calculates IP address and within the c+1 days, sends to Main Domain clothes The pre-quantitation N of the domain name mapping request of business devicef(c+1)The formula used is:
Nf(c+1)=M1*N1+M2*N2+…+Mc*Nc
In formula, NcDomain name mapping for IP address transmission in the c days to primary name server please The actual quantity asked, McFor NcWeight parameter, M1+M2+…+Mc=1.
Prediction number calculating section 12 calculates port and sends to primary name server for the c+1 days Domain name mapping request pre-quantitation Npf(c+1)The formula used is:
Npf(c+1)=W1*Np1+W2*Np2+…+Wc*Npc
In formula, NpcThe domain name mapping request to primary name server within the c days, is sent for port Actual quantity, WcFor NpcWeight parameter, W1+W2+…+Wc=1.
According to above-mentioned formula, can calculate each IP address sending domain every day name analysis please The pre-quantitation N askedfAnd the pre-quantitation of each port sending domain every day name analysis request Npf
Attack source locking module 13 is used for presetting attacks results decision threshold values, according to pre-quantitation NfJudge whether this IP address sends attack to primary name server;And, at this IP In the case of address sends attack to primary name server, according to each end of this IP address The N of mouthpfJudge whether this port sends attack to primary name server.
The attacks results decision threshold values that attack source locking module 13 is preset includes the first quantity threshold values t With the second quantity threshold values u.The scene spirit that the specific size of t and u can be used according to this method Live and set.
Judge whether this IP address sends attack to primary name server and include: calculate each The N-N of IP addressfIf, N-Nf> t, then judge that this IP address is sent out to primary name server Go out to attack.
Judge whether this port sends attack to primary name server and include: calculate this IP ground The N of each port of locationp-NpfIf, Np-Npf> u, then judge that this port takes to Main Domain Business device sends attack.
According to above-mentioned judgment mode, first attack source locking module 13 can be found out initiation and attack The IP address hit, then, locks the port launched a offensive in this IP address further, from And accurately lock attack source.
The attack source filtering module 14 is used to filter the ports that send attacks to the primary name server, so as to reduce the use state value of the primary name server.

After the attack source locking module 13 has locked the attacking IP address and its ports, the attack source filtering module 14 filters the ports that send attacks to the primary name server, which reduces the use state value of the primary name server, i.e. restores the performance of the primary name server.
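The two-stage locking and filtering procedure above (weighted daily baseline, per-IP threshold $t$, then per-port threshold $u$ on the flagged IP, then dropping queries from the locked ports), as an added worked example in Python. It is not code from the patent: the three-day window, the weights, the thresholds, the sample traffic and the choice to give a source with no history a baseline of zero are all assumptions made for the example.

```python
"""Two-stage attack-source locking: a weighted daily baseline per source IP and per
(IP, source port), compared with the day's actual counts against thresholds t and u.
Added example; the weights, thresholds, sample traffic and the handling of sources with
no history are assumptions, not values from the patent."""


def predict(history, weights):
    """N_f(c+1) = M_1*N_1 + ... + M_c*N_c over the previous c days; weights sum to 1.
    A source with fewer recorded days than weights is padded with zeros at the oldest
    end (assumption: a brand-new source has a baseline of zero)."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    recent = list(history[-len(weights):])
    padded = [0] * (len(weights) - len(recent)) + recent
    return sum(w * n for w, n in zip(weights, padded))


def locate_attack_sources(ip_history, port_history, today_ip, today_port, weights, t, u):
    """Return {ip: sorted list of attacking source ports}.

    ip_history   {ip: [N_1, ..., N_c]}           daily totals per source IP
    port_history {(ip, port): [Np_1, ..., Np_c]} daily totals per (IP, source port)
    today_ip     {ip: N}                         today's total per IP
    today_port   {(ip, port): Np}                today's total per (IP, source port)
    """
    locked = {}
    for ip, n in today_ip.items():
        n_f = predict(ip_history.get(ip, []), weights)
        if n - n_f <= t:          # stage 1: the IP as a whole is within its baseline
            continue
        ports = []
        for (pip, port), n_p in today_port.items():
            if pip != ip:
                continue
            n_pf = predict(port_history.get((ip, port), []), weights)
            if n_p - n_pf > u:    # stage 2: only this IP's outlying ports are locked
                ports.append(port)
        if ports:
            locked[ip] = sorted(ports)
    return locked


def filter_queries(queries, locked):
    """Drop queries whose (src_ip, src_port) is a locked attack source."""
    blocked = {(ip, port) for ip, ports in locked.items() for port in ports}
    return [q for q in queries if (q[0], q[1]) not in blocked]


# Constructed sample data: three days of history, weights favouring recent days.
WEIGHTS = (0.2, 0.3, 0.5)
T, U = 2000, 1000
IP_HISTORY = {
    "203.0.113.7": [1000, 1100, 1050],   # will flood today
    "198.51.100.4": [500, 520, 510],     # normal resolver client
}
PORT_HISTORY = {
    ("203.0.113.7", 53211): [900, 1000, 950],
    ("203.0.113.7", 40001): [100, 100, 100],
    ("198.51.100.4", 33000): [500, 520, 510],
}
TODAY_IP = {"203.0.113.7": 9000, "198.51.100.4": 600}
TODAY_PORT = {
    ("203.0.113.7", 53211): 8500,   # the flooding port
    ("203.0.113.7", 40001): 500,    # same IP, but within its own baseline plus u
    ("198.51.100.4", 33000): 600,
}
# A handful of individual queries (src_ip, src_port, qname), also constructed.
QUERIES = [
    ("203.0.113.7", 53211, "example.com"),
    ("203.0.113.7", 53211, "example.net"),
    ("203.0.113.7", 40001, "example.org"),
    ("198.51.100.4", 33000, "example.com"),
]


def run_example():
    """Lock today's attack sources and return (locked, queries that pass the filter)."""
    locked = locate_attack_sources(IP_HISTORY, PORT_HISTORY, TODAY_IP, TODAY_PORT,
                                   WEIGHTS, T, U)
    return locked, filter_queries(QUERIES, locked)


if __name__ == "__main__":
    locked, kept = run_example()
    print("locked sources:", locked)
    print("queries passed through:", kept)
```

Only port 53211 of 203.0.113.7 is locked: its day's count exceeds its baseline of 955 by more than $u$, while port 40001 of the same IP stays within $u$ of its baseline and keeps resolving, which is the per-port precision the description claims over blocking the whole IP. Two caveats for deployment: the filter keys on the source address and port of the query, which for UDP DNS can be forged by the sender, and a source with no recorded history is compared against a baseline of zero, so $u$ must be large enough that a legitimate new client is not locked on its first day.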
To ensure that the users served by the primary name server can still receive domain name resolution service normally, at least one auxiliary name server 50 is connected in parallel with the primary name server. Accordingly, the system also includes a use state monitoring unit 20 and a switch control unit 30, wherein:
the use state monitoring unit 20 is connected to the primary name server 40 and monitors the use state value of the primary name server in real time;
the switch control unit 30 is connected to the auxiliary name server 50 and to the use state monitoring unit 20, and is used to sequentially start auxiliary name servers 50 when the use state value of the primary name server 40 exceeds the use threshold, so that the primary name server 40 and the auxiliary name servers 50 jointly provide domain name resolution service to users;

and, after the ports sending attacks to the primary name server have been filtered and the use state value of the primary name server has fallen to or below the use threshold, to sequentially shut down the auxiliary name servers 50. The use state value of the primary name server 40 is calculated as:

$$r = q_1 p_1 + q_2 p_2 + q_3 p_3$$

where $r$ is the use state value of the primary name server, $q_1$ is the CPU usage ratio of the primary name server and $p_1$ the weight of the CPU usage ratio, $q_2$ is the memory usage ratio and $p_2$ its weight, and $q_3$ is the bandwidth usage ratio and $p_3$ its weight.
The use threshold is denoted $s$; its specific value is determined by the operating environment. When $r > s$, the performance of the primary name server has degraded, and the switch control unit 30 sequentially starts auxiliary name servers, increasing bandwidth accordingly; when $r \le s$, the performance of the primary name server has recovered, and the switch control unit 30 sequentially shuts down auxiliary name servers, reducing bandwidth accordingly.
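The use state value and the switch control rule it drives, as an added worked example in Python (not code from the patent). The weights $p_1..p_3$, the threshold $s$, the sample readings, and the choice to shut auxiliaries down in reverse start order are assumptions made for the example; the patent only says the servers are started and shut down sequentially.

```python
"""Use state value r = q1*p1 + q2*p2 + q3*p3 of the primary name server and the
switch control rule that starts auxiliary name servers while r > s and shuts them
down again only once the attacking ports are filtered and r <= s.
Added example; the weights, threshold s, sample readings and the reverse-start-order
shutdown are assumptions, not values from the patent."""


def use_state_value(q_cpu, q_mem, q_bw, p=(0.4, 0.3, 0.3)):
    """q_i are usage ratios in [0, 1]; p_i their weights (assumed to sum to 1)."""
    if abs(sum(p) - 1.0) > 1e-9:
        raise ValueError("weights p1..p3 must sum to 1")
    for q in (q_cpu, q_mem, q_bw):
        if not 0.0 <= q <= 1.0:
            raise ValueError("usage ratios must lie in [0, 1]")
    return q_cpu * p[0] + q_mem * p[1] + q_bw * p[2]


class SwitchController:
    """Starts auxiliaries one per tick while r > s; stops them one per tick (last
    started first, an assumption) only after the attack sources are filtered and r <= s."""

    def __init__(self, aux_servers, s):
        self.aux = list(aux_servers)   # fixed start order
        self.s = s
        self.active = []               # auxiliaries currently running, in start order

    def step(self, r, attack_filtered):
        """One monitoring tick; returns the action taken as a string."""
        if r > self.s:
            if len(self.active) < len(self.aux):
                server = self.aux[len(self.active)]
                self.active.append(server)
                return f"start {server}"
            return "all auxiliaries active"
        # r <= s: shut down only when the attacking ports have also been filtered,
        # otherwise the load would return as soon as the auxiliary is removed.
        if attack_filtered and self.active:
            return f"stop {self.active.pop()}"
        return "hold"


# Constructed monitoring samples: (cpu, mem, bandwidth ratios, attack ports filtered?)
SAMPLES = [
    (0.95, 0.60, 0.90, False),  # under attack: r = 0.83 > s
    (0.90, 0.60, 0.85, False),  # still overloaded with one auxiliary: r = 0.795
    (0.85, 0.60, 0.80, False),  # r = 0.76, no auxiliaries left to start
    (0.60, 0.50, 0.50, False),  # r = 0.54 <= s, but attack not yet filtered: hold
    (0.50, 0.50, 0.40, True),   # filtered and r = 0.47: stop the last auxiliary
    (0.40, 0.50, 0.30, True),   # r = 0.40: stop the remaining one
    (0.40, 0.50, 0.30, True),   # nothing left to stop
]


def run_scenario(samples=SAMPLES, aux=("aux-1", "aux-2"), s=0.7):
    """Feed the samples through one controller and return the action per tick."""
    ctl = SwitchController(aux, s)
    return [ctl.step(use_state_value(c, m, b), filtered) for c, m, b, filtered in samples]


if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_scenario()):
        print(sample, "->", action)
```

The fourth sample is the point of the second condition in the description: $r$ has dropped below $s$ because the auxiliaries are absorbing the load, but the attacking ports have not been filtered yet, so the controller holds rather than tearing down capacity that is still needed.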
The DNS attack defence system of this embodiment can, first, judge more accurately whether the primary name server is under attack, avoiding misidentifying normal users as attackers and thereby cutting them off from the Internet; and second, when the primary name server is under attack and its use state value exceeds the use threshold, sequentially start auxiliary name servers so that the primary and auxiliary name servers jointly provide domain name resolution service, ensuring that users can still use the Internet normally while the primary name server is under attack and the attack is being cleared.

It should be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the present invention, and the invention is not limited thereto. Those of ordinary skill in the art can make various modifications and improvements without departing from the spirit and substance of the invention, and such modifications and improvements are also considered to fall within the scope of protection of the invention.

Claims (10)

1. A method for defending DNS against attacks, characterised in that it comprises:

counting, for each IP address, the actual number $N$ of domain name resolution requests sent per day to the primary name server, and, for each port of each IP address, the actual number $N_p$ of domain name resolution requests sent per day to the primary name server;

calculating, from the actual numbers $N$ and $N_p$, the predicted number $N_f$ of domain name resolution requests that each IP address sends per day to the primary name server, and the predicted number $N_{pf}$ of domain name resolution requests that each port of each IP address sends per day to the primary name server;

presetting an attack judgment threshold, judging from the predicted number $N_f$ whether the IP address is sending an attack to the primary name server, and, where the IP address is sending an attack to the primary name server, judging from the $N_{pf}$ of each port of that IP address whether the port is sending an attack to the primary name server;

filtering the ports that send attacks to the primary name server, so as to reduce the use state value of the primary name server.
2. The method for defending DNS against attacks according to claim 1, characterised in that the preset attack judgment threshold comprises a first quantity threshold $t$ and a second quantity threshold $u$,

judging whether the IP address is sending an attack to the primary name server comprises: calculating $N - N_f$ for each IP address, and if $N - N_f > t$, judging that the IP address is sending an attack to the primary name server;

and judging whether the port is sending an attack to the primary name server comprises: calculating $N_p - N_{pf}$ for each port of that IP address, and if $N_p - N_{pf} > u$, judging that the port is sending an attack to the primary name server.
3. The method for defending DNS against attacks according to claim 1, characterised in that the predicted number $N_{f(c+1)}$ of domain name resolution requests that an IP address sends to the primary name server on day $c+1$ is calculated as:

$$N_{f(c+1)} = M_1 N_1 + M_2 N_2 + \cdots + M_c N_c$$

where $N_c$ is the actual number of domain name resolution requests that the IP address sent to the primary name server on day $c$, $M_c$ is the weight parameter of $N_c$, and $M_1 + M_2 + \cdots + M_c = 1$.
4. The method for defending DNS against attacks according to claim 1, characterised in that the predicted number $N_{pf(c+1)}$ of domain name resolution requests that a port sends to the primary name server on day $c+1$ is calculated as:

$$N_{pf(c+1)} = W_1 N_{p1} + W_2 N_{p2} + \cdots + W_c N_{pc}$$

where $N_{pc}$ is the actual number of domain name resolution requests that the port sent to the primary name server on day $c$, $W_c$ is the weight parameter of $N_{pc}$, and $W_1 + W_2 + \cdots + W_c = 1$.
5. The method for defending DNS against attacks according to claim 1, characterised in that it further comprises:

monitoring the use state value of the primary name server in real time, and, when the use state value of the primary name server exceeds a use threshold, sequentially starting auxiliary name servers so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;

after the ports sending attacks to the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, sequentially shutting down the auxiliary name servers; wherein the use state value of the primary name server is calculated as:

$$r = q_1 p_1 + q_2 p_2 + q_3 p_3$$

where $r$ is the use state value of the primary name server, $q_1$ is the CPU usage ratio of the primary name server and $p_1$ the weight of the CPU usage ratio, $q_2$ is the memory usage ratio and $p_2$ its weight, and $q_3$ is the bandwidth usage ratio and $p_3$ its weight.
6. A system for defending DNS against attacks, characterised in that it comprises an attack source detection unit, the attack source detection unit comprising an actual number statistics module, a predicted number calculation module, an attack source locking module and an attack source filtering module, wherein:

the actual number statistics module is used to count, for each IP address, the actual number $N$ of domain name resolution requests sent per day to the primary name server, and, for each port of each IP address, the actual number $N_p$ of domain name resolution requests sent per day to the primary name server;

the predicted number calculation module is used to calculate, from the actual numbers $N$ and $N_p$, the predicted number $N_f$ of domain name resolution requests that each IP address sends per day to the primary name server, and the predicted number $N_{pf}$ of domain name resolution requests that each port of each IP address sends per day to the primary name server;

the attack source locking module is used to preset an attack judgment threshold, to judge from the predicted number $N_f$ whether the IP address is sending an attack to the primary name server, and, where the IP address is sending an attack to the primary name server, to judge from the $N_{pf}$ of each port of that IP address whether the port is sending an attack to the primary name server;

the attack source filtering module is used to filter the ports that send attacks to the primary name server, so as to reduce the use state value of the primary name server.
7. The system for defending DNS against attacks according to claim 6, characterised in that the attack judgment threshold preset by the attack source locking module comprises a first quantity threshold $t$ and a second quantity threshold $u$,

judging whether the IP address is sending an attack to the primary name server comprises: calculating $N - N_f$ for each IP address, and if $N - N_f > t$, judging that the IP address is sending an attack to the primary name server;

and judging whether the port is sending an attack to the primary name server comprises: calculating $N_p - N_{pf}$ for each port of that IP address, and if $N_p - N_{pf} > u$, judging that the port is sending an attack to the primary name server.
8. The system for defending DNS against attacks according to claim 6, characterised in that the predicted number calculation module calculates the predicted number $N_{f(c+1)}$ of domain name resolution requests that an IP address sends to the primary name server on day $c+1$ using the formula:

$$N_{f(c+1)} = M_1 N_1 + M_2 N_2 + \cdots + M_c N_c$$

where $N_c$ is the actual number of domain name resolution requests that the IP address sent to the primary name server on day $c$, $M_c$ is the weight parameter of $N_c$, and $M_1 + M_2 + \cdots + M_c = 1$.
9. The system for defending DNS against attacks according to claim 6, characterised in that the predicted number calculation module calculates the predicted number $N_{pf(c+1)}$ of domain name resolution requests that a port sends to the primary name server on day $c+1$ using the formula:

$$N_{pf(c+1)} = W_1 N_{p1} + W_2 N_{p2} + \cdots + W_c N_{pc}$$

where $N_{pc}$ is the actual number of domain name resolution requests that the port sent to the primary name server on day $c$, $W_c$ is the weight parameter of $N_{pc}$, and $W_1 + W_2 + \cdots + W_c = 1$.
10. The system for defending DNS against attacks according to claim 6, characterised in that it further comprises a use state monitoring unit and a switch control unit, wherein:

the use state monitoring unit is connected to the primary name server and monitors the use state value of the primary name server in real time;

the switch control unit is connected to the auxiliary name servers and to the use state monitoring unit, and is used to sequentially start auxiliary name servers when the use state value of the primary name server exceeds a use threshold, so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;

and, after the ports sending attacks to the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, to sequentially shut down the auxiliary name servers; wherein the use state value of the primary name server is calculated as:

$$r = q_1 p_1 + q_2 p_2 + q_3 p_3$$

where $r$ is the use state value of the primary name server, $q_1$ is the CPU usage ratio of the primary name server and $p_1$ the weight of the CPU usage ratio, $q_2$ is the memory usage ratio and $p_2$ its weight, and $q_3$ is the bandwidth usage ratio and $p_3$ its weight.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610317345.9A CN105847281B (en) 2016-05-12 2016-05-12 Method and system for defending DNS against attacks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610317345.9A CN105847281B (en) 2016-05-12 2016-05-12 Method and system for defending DNS against attacks

Publications (2)

Publication Number Publication Date
CN105847281A true CN105847281A (en) 2016-08-10
CN105847281B CN105847281B (en) 2019-02-19

Family

ID=56592022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610317345.9A Active CN105847281B (en) 2016-05-12 2016-05-12 Method and system for defending DNS against attacks

Country Status (1)

Country Link
CN (1) CN105847281B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1592167A2 (en) * 2004-04-27 2005-11-02 AT&T Corp. Systems and methods for optimizing access provisioning and capacity planning in IP networks
CN101826996A (en) * 2010-03-19 2010-09-08 中国科学院计算机网络信息中心 Domain name system traffic detection method and domain name server
CN102291411A (en) * 2011-08-18 2011-12-21 网宿科技股份有限公司 Anti-DDOS (distributed denial of service) attack method and system against DNS (domain name system) service
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN105491032A (en) * 2015-11-30 2016-04-13 睿峰网云(北京)科技股份有限公司 Botnet discovery technique and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
彭嘉填: "Research on DNS attack detection and defence technology" (DNS攻击检测与防御技术研究), 信息通信 (Information & Communications) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616544A (en) * 2015-08-04 2018-10-02 法赛特安全公司 Method, system and medium for detecting updates to domain name system records
CN109936551A (en) * 2017-12-19 2019-06-25 中国电信股份有限公司 Defence method, defence device and controller for domain name system attacks
CN110324295A (en) * 2018-03-30 2019-10-11 阿里巴巴集团控股有限公司 Defence method and device for domain name system flooding attacks
CN110324295B (en) * 2018-03-30 2022-04-12 阿里云计算有限公司 Defense method and device for domain name system flooding attack

Also Published As

Publication number Publication date
CN105847281B (en) 2019-02-19

Similar Documents

Publication Publication Date Title
WO2018113594A1 (en) Method and device for defending dns attack and storage medium
CN105024969B Method and device for identifying malicious domain names
US8479048B2 (en) Root cause analysis method, apparatus, and program for IT apparatuses from which event information is not obtained
CN109246211B (en) Resource uploading and resource requesting method in block chain
US7770208B2 (en) Computer-implemented method, apparatus, and computer program product for securing node port access in a switched-fabric storage area network
CN110324313B (en) Honeypot system-based malicious user identification method and related equipment
CN105681133A (en) Method for detecting whether DNS server can prevent network attack
CN101834911B (en) Defense method of domain name hijacking and network outlet equipment
CN105847281A (en) Method and system for defending DNS against attacks
US11290485B2 (en) Method and system for detecting and blocking data transfer using DNS protocol
CN109327426A Firewall attack defence method
CN104219200A (en) Device and method for protection from DNS cache attack
CN107454037A Network attack identification method and system
CN106487807A Domain name resolution protection method and device
CN108881233A Anti-attack processing method, device, equipment and storage medium
CN101383818B (en) Processing method and device for access network
Knockel et al. Counting packets sent between arbitrary internet hosts
CN109981603A (en) ARP Attack monitoring system and method
KR20140044987A (en) Security system and operating method thereof
CN102223422A (en) Domain name system (DNS) message processing method and network safety equipment
US20220046028A1 (en) Method and system for determining a state of an account in a network device running a light client protocol of a distributed ledger technology network
CN113395369B (en) Cache management method and device, electronic equipment and storage medium
CN110868392A (en) Block chain safety control method and device based on SDN and block chain network
CN108322454B (en) Network security detection method and device
JP2006331015A (en) Server device protection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant