CN105847281A - Method and system for defending DNS against attacks - Google Patents
- Publication number: CN105847281A (application CN201610317345.9A)
- Authority: CN (China)
- Prior art keywords: name server, attack, primary, address, primary name
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—... for detecting or protecting against malicious traffic; H04L63/1441—Countermeasures against malicious traffic
  - H04L61/00—Network arrangements, protocols or services for addressing or naming; H04L61/45—Network directories; Name-to-address mapping; H04L61/4505—... using standardised directories; using standardised directory access protocols; H04L61/4511—... using domain name system [DNS]
  - H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—... for detecting or protecting against malicious traffic; H04L63/1408—... by monitoring network traffic
Abstract
The invention provides a method and system for defending a DNS against attacks and belongs to the technical field of communication. The method and system for defending the DNS against the attacks can at least partially solve a problem that whether the DNS is under attack cannot be accurately determined via a conventional method for defending the DNS against the attacks. According to the method for defending the DNS against the attacks in the invention, based on statistics of a real quantity N of domain name resolution requests sent from IP addresses and a real quantity Np of domain name resolution requests sent from ports, a forecasted quantity Nf of the domain name resolution requests sent from the IP addresses and a forecasted quantity Npf of the domain name resolution requests sent from the ports can be calculated; based on Nf, Npf and an attack determining threshold value, whether the IP addresses and the ports launch attacks on a main domain name server can be determined; compared with technologies of the prior art via which whether the main domain name server is under attack is determined only based on real quantity statistics and a preset threshold value, the method and system for defending the DNS against the attacks are advantageous in that whether the main domain name server is under attack can be accurately determined, and a phenomenon that normal users are misjudged as users that launch the attacks and consequently the normal users cannot access the Internet can be prevented.
Description
Technical field
The invention belongs to the field of communication technology and specifically relates to a method and system for defending DNS against attacks.
Background technology
DNS is the abbreviation of Domain Name System; it is composed of resolvers and name servers. A name server (DNS server) is a server that stores the domain names and corresponding IP addresses of all hosts in a network and has the function of converting domain names into IP addresses. The DNS resolution process is as follows: a user first initiates a domain name resolution request; after the local DNS server receives the request it looks in its local cache, and if no entry is found it sends a request to the upper-level DNS server; the upper-level DNS server returns the resolution result to the local DNS server in a reply message, and the local DNS server returns the resolution result to the user who requested resolution of that domain name.
DNS attacks have occurred repeatedly in recent years. The common form of a DNS attack is that the attacker sends domain name resolution request messages to a DNS server, causing the server to become seriously overloaded so that it can no longer respond to DNS requests from normal users, which achieves the purpose of the attack.
In the prior art, the method for defending DNS against attacks relies mainly on the number of requests within a measurement period: the number of normal domain name requests is usually below a certain threshold, and if this threshold is exceeded, the IP address that sent the requests is regarded as an attack source and is filtered.
The inventor finds that the prior art has at least the following problems:
1. The threshold for the normal number of domain name requests is difficult to set, so it is impossible to judge accurately and without error whether the DNS is under attack;
2. From the moment the DNS comes under attack until the attack is relieved, DNS performance is greatly reduced, which affects the domain name resolution service the DNS provides to normal users and leaves normal users unable to use the Internet normally.
Therefore, designing a method and system for defending DNS against attacks that can judge more accurately whether the DNS is under attack and keep DNS performance good until the attack is relieved is a technical problem urgently in need of a solution.
Summary of the invention
To solve the above problems at least in part, the present invention provides a method and system for defending DNS against attacks that can judge more accurately whether the DNS is under attack and keep DNS performance good until the attack is relieved.
The technical solution adopted by the present invention to solve its technical problem is a method for defending DNS against attacks, comprising:
counting, for each IP address, the actual number N of domain name resolution requests it sends to the primary name server each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests it sends to the primary name server each day;
calculating, from the actual numbers N and N_p, the predicted number N_f of domain name resolution requests each IP address will send to the primary name server each day and the predicted number N_pf of domain name resolution requests each port of each IP address will send to the primary name server each day;
presetting an attack decision threshold and judging from the predicted number N_f whether the IP address is sending an attack to the primary name server; and, where the IP address is sending an attack to the primary name server, judging from the N_pf of each port of that IP address whether the port is sending an attack to the primary name server;
filtering the ports that send attacks to the primary name server, so as to reduce the usage state value of the primary name server.
Preferably, the preset attack decision threshold includes a first quantity threshold t and a second quantity threshold u.
Judging whether the IP address is sending an attack to the primary name server includes calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be sending an attack to the primary name server.
Judging whether the port is sending an attack to the primary name server includes calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be sending an attack to the primary name server.
Preferably, the predicted number N_f(c+1) of domain name resolution requests that an IP address sends to the primary name server on day c+1 is calculated as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
Preferably, the predicted number N_pf(c+1) of domain name resolution requests that a port sends to the primary name server on day c+1 is calculated as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
Preferably, the method also includes:
monitoring the usage state value of the primary name server in real time and, when the usage state value of the primary name server exceeds the usage threshold, activating auxiliary name servers one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports sending attacks to the primary name server have been filtered and the usage state value of the primary name server is less than or equal to the usage threshold, shutting down the auxiliary name servers one after another;
where the usage state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
in which r is the usage state value of the primary name server, q_1 is the CPU usage ratio of the primary name server and p_1 the weight of the CPU usage ratio, q_2 is the memory usage ratio of the primary name server and p_2 the weight of the memory usage ratio, and q_3 is the bandwidth usage ratio of the primary name server and p_3 the weight of the bandwidth usage ratio.
Another technical solution provided by the present invention is a system for defending DNS against attacks, comprising an attack-source detection unit, which includes an actual-quantity statistics module, a predicted-quantity calculation module, an attack-source locking module and an attack-source filtering module, wherein:
the actual-quantity statistics module counts, for each IP address, the actual number N of domain name resolution requests sent to the primary name server each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests sent to the primary name server each day;
the predicted-quantity calculation module calculates, from the actual numbers N and N_p, the predicted number N_f of domain name resolution requests each IP address sends to the primary name server each day and the predicted number N_pf of domain name resolution requests each port of each IP address sends to the primary name server each day;
the attack-source locking module presets an attack decision threshold and judges from the predicted number N_f whether the IP address is sending an attack to the primary name server; and, where the IP address is sending an attack to the primary name server, judges from the N_pf of each port of that IP address whether the port is sending an attack to the primary name server;
the attack-source filtering module filters the ports sending attacks to the primary name server, so as to reduce the usage state value of the primary name server.
Preferably, the attack decision threshold preset in the attack-source locking module includes a first quantity threshold t and a second quantity threshold u.
Judging whether the IP address is sending an attack to the primary name server includes calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be sending an attack to the primary name server.
Judging whether the port is sending an attack to the primary name server includes calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be sending an attack to the primary name server.
Preferably, the formula the predicted-quantity calculation module uses to calculate the predicted number N_f(c+1) of domain name resolution requests an IP address sends to the primary name server on day c+1 is:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
Preferably, the formula the predicted-quantity calculation module uses to calculate the predicted number N_pf(c+1) of domain name resolution requests a port sends to the primary name server on day c+1 is:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
Preferably, the system also includes a usage state monitoring unit and a switch control unit, wherein:
the usage state monitoring unit is connected to the primary name server and monitors the usage state value of the primary name server in real time;
the switch control unit is connected to the auxiliary name servers and to the usage state monitoring unit, and when the usage state value of the primary name server exceeds the usage threshold it activates auxiliary name servers one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports sending attacks to the primary name server have been filtered and the usage state value of the primary name server is less than or equal to the usage threshold, it shuts down the auxiliary name servers one after another;
where the usage state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
in which r is the usage state value of the primary name server, q_1 is the CPU usage ratio of the primary name server and p_1 the weight of the CPU usage ratio, q_2 is the memory usage ratio of the primary name server and p_2 the weight of the memory usage ratio, and q_3 is the bandwidth usage ratio of the primary name server and p_3 the weight of the bandwidth usage ratio.
The method and system for defending DNS against attacks provided by the present invention first calculate, from the counted actual number N of domain name resolution requests sent by an IP address and the actual number N_p sent by a port, the predicted number N_f of requests the IP address will send and the predicted number N_pf the port will send; then, from N_f, N_pf and the attack decision threshold, they determine whether the IP address and the port are sending an attack to the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, this judges more accurately whether the primary name server is under attack and avoids normal users being mistaken for users launching an attack and consequently being unable to use the Internet normally.
Secondly, when the primary name server is under attack so that its usage state value is less than or equal to the usage threshold, auxiliary name servers are activated one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, which ensures that users can still use the Internet normally from the moment the primary name server comes under attack until the attack is relieved.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the method for defending DNS against attacks of Embodiment 1 of the invention;
Fig. 2 is a schematic block diagram of the composition of the system for defending DNS against attacks of Embodiment 2 of the invention;
wherein the reference numerals are:
10, attack-source detection unit; 11, actual-quantity statistics module; 12, predicted-quantity calculation module; 13, attack-source locking module; 14, attack-source filtering module; 20, usage state monitoring unit; 30, switch control unit; 40, primary name server; 50, auxiliary name server.
Detailed description of the invention
To help those skilled in the art better understand the technical solution of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments.
Embodiment 1:
This embodiment provides a method for defending DNS against attacks that can accurately lock onto the IP address launching an attack and its port, and filter that port.
Fig. 1 is a schematic flow chart of the method for defending DNS against attacks of this embodiment. As shown in Fig. 1, the method includes the following steps:
Step S1: count, for each IP address, the actual number N of domain name resolution requests it sends to the primary name server each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests it sends to the primary name server each day.
One primary name server administers multiple users; these users have private network IP addresses, and a private network IP address can only reach the primary name server for domain name resolution through a public network IP address. In this step the actual number N of domain name resolution requests each IP address sends to the primary name server each day is counted; for example, the actual number of domain name resolution requests the d-th public network IP address sends to the primary name server on day c can be denoted N_cd. The actual number N_p of domain name resolution requests each port of each IP address sends to the primary name server each day is counted likewise; for example, the actual number of domain name resolution requests the p-th port of the d-th public network IP address sends to the primary name server on day c can be denoted N_pcd.
In this way, the actual number of domain name resolution requests each IP address and each of its ports sends to the primary name server each day is clearly recorded.
Step S2: from the actual numbers N and N_p, calculate the predicted number N_f of domain name resolution requests each IP address sends to the primary name server each day and the predicted number N_pf of domain name resolution requests each port of each IP address sends to the primary name server each day.
From the recorded actual number N of domain name resolution requests an IP address sent each day, the predicted number N_f of requests that IP address will send on the following day is calculated. Accordingly, the predicted number N_f(c+1) of domain name resolution requests the IP address sends to the primary name server on day c+1 is calculated as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c    (1)
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
Specifically, the predicted number of domain name resolution requests the d-th public network IP address sends on day c+1 can be denoted N_f(c+1)d and is calculated as:
N_f(c+1)d = M_1*N_1d + M_2*N_2d + ... + M_c*N_cd    (2)
where N_cd is the actual number of domain name resolution requests the d-th IP address sent to the primary name server on day c.
From formulas (1) and (2), the predicted number N_f of domain name resolution requests each IP address sends each day can be calculated.
From the recorded actual number N_p of domain name resolution requests a port sent each day, the predicted number N_pf of requests that port will send on the following day is calculated. Accordingly, the predicted number N_pf(c+1) of domain name resolution requests the port sends to the primary name server on day c+1 is calculated as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc    (3)
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
Specifically, the predicted number of domain name resolution requests the p-th port of the d-th public network IP address sends on day c+1 can be denoted N_pf(c+1)d and is calculated as:
N_pf(c+1)d = W_1*N_p1d + W_2*N_p2d + ... + W_c*N_pcd    (4)
where N_pcd is the actual number of domain name resolution requests the p-th port of the d-th public network IP address sent to the primary name server on day c.
From formulas (3) and (4), the predicted number N_pf of domain name resolution requests each port sends each day can be calculated.
In addition, so that the predicted number N_f(c+1)d for the d-th public network IP address on day c+1 is close to its actual number N_(c+1)d on day c+1, it is preferable that the larger c is, the larger W_c is, which improves the precision of the prediction.
Likewise, so that the predicted number N_pf(c+1)d for the p-th port of the d-th public network IP address on day c+1 is close to the actual number N_p(c+1)d of that port on day c+1, it is preferable that the larger c is, the larger W_c is, to improve the precision of the prediction.
Step S3: preset an attack decision threshold and judge from the predicted number N_f whether the IP address is sending an attack to the primary name server; and, where the IP address is sending an attack to the primary name server, judge from the N_pf of each port of that IP address whether the port is sending an attack to the primary name server.
Specifically, the preset attack decision threshold includes a first quantity threshold t and a second quantity threshold u. The specific sizes of t and u can be set flexibly according to the scenario in which the method is used.
Judging whether the IP address is sending an attack to the primary name server includes calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be sending an attack to the primary name server.
Judging whether the port is sending an attack to the primary name server includes calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be sending an attack to the primary name server.
Following the above steps, the IP address launching the attack is found first, and then the port of that IP address launching the attack is locked onto, so the attack source is located accurately.
Step S4: filter the ports sending attacks to the primary name server, so as to reduce the usage state value of the primary name server.
On the basis of step S3, this step filters the ports sending attacks to the primary name server, which reduces the usage state value of the primary name server, i.e. restores the performance of the primary name server.
To ensure that the users administered by the primary name server can continue to receive domain name resolution service normally, at least one auxiliary name server is connected in parallel with the primary name server. Further, the usage state value of the primary name server is monitored in real time, and when the usage state value of the primary name server exceeds the usage threshold, auxiliary name servers are activated one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports sending attacks to the primary name server have been filtered and the usage state value of the primary name server is less than or equal to the usage threshold, the auxiliary name servers are shut down one after another;
where the usage state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
in which r is the usage state value of the primary name server, q_1 is the CPU usage ratio of the primary name server and p_1 the weight of the CPU usage ratio, q_2 is the memory usage ratio of the primary name server and p_2 the weight of the memory usage ratio, and q_3 is the bandwidth usage ratio of the primary name server and p_3 the weight of the bandwidth usage ratio.
The usage threshold is set to s; its specific size is determined according to the operating environment. When r > s, the performance of the primary name server has decreased, so the auxiliary name servers are activated one after another, increasing bandwidth accordingly; when r ≤ s, the performance of the primary name server has recovered, so the auxiliary name servers are shut down one after another, reducing bandwidth accordingly.
In addition, in the case where the primary name server is under attack, an increase in the number of users administered by the primary name server or in the frequency with which users access the Internet may also cause the usage state value of the primary name server to exceed the usage threshold. In that case the first auxiliary name server is activated first, adding its bandwidth; if the usage state value of the primary name server is still above the usage threshold, the second auxiliary name server is activated next, adding its bandwidth, so that all users can use the Internet normally. When the usage state value of the primary name server gradually decreases, the second auxiliary name server and then the first auxiliary name server are shut down in turn.
The method for defending DNS against attacks of this embodiment determines from N_f, N_pf and the attack decision threshold whether an IP address and a port are sending an attack to the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, it judges more accurately whether the primary name server is under attack and avoids normal users being mistaken for users launching an attack and consequently being unable to use the Internet normally. Secondly, when the primary name server is under attack so that its usage state value is less than or equal to the usage threshold, auxiliary name servers are activated one after another so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, which ensures that users can still use the Internet normally from the moment the primary name server comes under attack until the attack is relieved.
Embodiment 2:
This embodiment provides a system for defending DNS against attacks, which is equipment for implementing the method of Embodiment 1. Fig. 2 is a schematic block diagram of the composition of the system for defending DNS against attacks of this embodiment. As shown in Fig. 2, the system includes an attack-source detection unit 10 connected to the primary name server 40; the attack-source detection unit 10 includes an actual-quantity statistics module 11, a predicted-quantity calculation module 12, an attack-source locking module 13 and an attack-source filtering module 14, wherein:
The actual-quantity statistics module 11 counts, for each IP address, the actual number N of domain name resolution requests it sends to the primary name server 40 each day, and, for each port of each IP address, the actual number N_p of domain name resolution requests it sends to the primary name server 40 each day.
For example, the actual number of domain name resolution requests the p-th port of the d-th public network IP address sends to the primary name server on day c can be denoted N_pcd. The actual-quantity statistics module thus clearly records the actual number of domain name resolution requests each IP address and each of its ports sends to the primary name server each day.
The predicted-quantity calculation module 12 calculates, from the actual numbers N and N_p, the predicted number N_f of domain name resolution requests each IP address sends to the primary name server each day and the predicted number N_pf of domain name resolution requests each port of each IP address sends to the primary name server each day.
The formula the predicted-quantity calculation module 12 uses to calculate the predicted number N_f(c+1) of domain name resolution requests an IP address sends to the primary name server on day c+1 is:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
The formula the predicted-quantity calculation module 12 uses to calculate the predicted number N_pf(c+1) of domain name resolution requests a port sends to the primary name server on day c+1 is:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
From the above formulas, the predicted number N_f of domain name resolution requests each IP address sends each day and the predicted number N_pf of domain name resolution requests each port sends each day can be calculated.
The attack-source locking module 13 presets an attack decision threshold and judges from the predicted number N_f whether the IP address is sending an attack to the primary name server; and, where the IP address is sending an attack to the primary name server, judges from the N_pf of each port of that IP address whether the port is sending an attack to the primary name server.
The attack decision threshold preset in the attack-source locking module 13 includes a first quantity threshold t and a second quantity threshold u. The specific sizes of t and u can be set flexibly according to the scenario in which the method is used.
Judging whether the IP address is sending an attack to the primary name server includes calculating N - N_f for each IP address; if N - N_f > t, the IP address is judged to be sending an attack to the primary name server.
Judging whether the port is sending an attack to the primary name server includes calculating N_p - N_pf for each port of that IP address; if N_p - N_pf > u, the port is judged to be sending an attack to the primary name server.
Following the above decision procedure, the attack-source locking module 13 first finds the IP address launching the attack and then locks onto the port of that IP address launching the attack, so the attack source is located accurately.
The attack-source filtering module 14 filters the ports sending attacks to the primary name server, so as to reduce the usage state value of the primary name server.
After the attack-source locking module 13 has locked onto the IP address launching the attack and its port, the attack-source filtering module 14 filters the port sending the attack to the primary name server, which reduces the usage state value of the primary name server, i.e. restores the performance of the primary name server.
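The counting, weighted prediction and two-level decision described for modules 11 to 14 here, and in Steps S1 to S4 of Embodiment 1, as an added Python example. This is illustration code written for this page, not an implementation from the patent. The weights (proportional to the day index, so that a later day weighs more, as the text prefers), the thresholds t and u, the address and port values and the daily histories are all constructed.

```python
"""Per-IP and per-port request prediction with a two-level attack decision.

Added example, not code from the patent: it implements the counting (step S1),
weighted prediction (step S2, formulas (1)-(4)) and decision (step S3) described
in the text. Data layout, helper names, weights and all sample numbers below are
constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

IpKey = str
PortKey = Tuple[str, int]  # (public IP address, source port)


def daily_counts(requests: Iterable[PortKey]) -> Tuple[Dict[IpKey, int], Dict[PortKey, int]]:
    """Step S1 for one day: N per public IP address and N_p per (IP, port),
    from the (source IP, source port) pairs of the resolution requests seen."""
    port_counts: Dict[PortKey, int] = Counter(requests)
    ip_counts: Dict[IpKey, int] = Counter()
    for (ip, _port), n in port_counts.items():
        ip_counts[ip] += n
    return dict(ip_counts), dict(port_counts)


def recency_weights(c: int) -> List[float]:
    """Weights M_1..M_c (or W_1..W_c) that sum to 1 and grow with the day
    index, following the text's preference that a later day weighs more.
    Constructed choice: weight proportional to the day index."""
    total = c * (c + 1) / 2
    return [k / total for k in range(1, c + 1)]


def predict(history: Sequence[int], weights: Optional[Sequence[float]] = None) -> float:
    """N_f(c+1) = M_1*N_1 + ... + M_c*N_c; the same form gives N_pf(c+1)
    from a per-port history with W_1..W_c."""
    if not history:
        raise ValueError("at least one day of history is required")
    if weights is None:
        weights = recency_weights(len(history))
    if len(weights) != len(history) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must match the history length and sum to 1")
    return sum(w * n for w, n in zip(weights, history))


def locate_attack_sources(
    ip_history: Dict[IpKey, List[int]],
    port_history: Dict[PortKey, List[int]],
    today_ip: Dict[IpKey, int],
    today_port: Dict[PortKey, int],
    t: int,
    u: int,
) -> List[PortKey]:
    """Step S3: an IP address is attacking if N - N_f > t; only then are its
    ports examined, and a port is attacking if N_p - N_pf > u. The returned
    (IP, port) pairs are what step S4 filters."""
    to_filter: List[PortKey] = []
    for ip, n in today_ip.items():
        hist = ip_history.get(ip)
        if not hist:
            continue  # first day this address is seen: nothing to predict from
        if n - predict(hist) <= t:
            continue  # the address as a whole is within its expected volume
        for (h_ip, port), p_hist in port_history.items():
            if h_ip != ip:
                continue
            n_p = today_port.get((ip, port), 0)
            if n_p - predict(p_hist) > u:
                to_filter.append((ip, port))
    return sorted(to_filter)


# Constructed sample: three days of history for two public IP addresses.
IP_HISTORY = {"203.0.113.10": [1000, 1100, 1050], "198.51.100.7": [400, 420, 410]}
PORT_HISTORY = {
    ("203.0.113.10", 53001): [500, 550, 520],
    ("203.0.113.10", 53002): [500, 550, 530],
    ("198.51.100.7", 41000): [400, 420, 410],
}
# Constructed day c+1: port 53001 of the first address floods the server,
# while its second port and the other address stay near their usual volume.
TODAY_REQUESTS = (
    [("203.0.113.10", 53001)] * 8400
    + [("203.0.113.10", 53002)] * 600
    + [("198.51.100.7", 41000)] * 430
)
T, U = 500, 200  # first and second quantity thresholds; constructed values


def run_example() -> List[PortKey]:
    """Ports to filter for the constructed day, as (IP, port) pairs."""
    today_ip, today_port = daily_counts(TODAY_REQUESTS)
    return locate_attack_sources(IP_HISTORY, PORT_HISTORY, today_ip, today_port, T, U)


if __name__ == "__main__":
    print(run_example())  # [('203.0.113.10', 53001)]
```

Only the flooding port is returned: the address exceeds its prediction by far more than t, but its second port stays within u of its own prediction and is left untouched, which is the point of the second level of the decision. Every call to `predict` validates that the supplied weights sum to 1, so a mis-sized weight vector fails loudly rather than silently biasing N_f.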
In order to ensure that the users administered by the primary name server can still receive domain name resolution service normally, at least one auxiliary name server 50 is connected in parallel to the primary name server. Accordingly, the system further comprises a use-state monitoring unit 20 and a switch control unit 30, wherein:
Use-state monitoring unit 20 is connected to primary name server 40 and is used to monitor the use-state value of the primary name server in real time;
Switch control unit 30 is connected to auxiliary name server 50 and use-state monitoring unit 20 and is used to start the auxiliary name servers 50 one after another when the use-state value of primary name server 40 exceeds the use threshold, so that primary name server 40 and auxiliary name servers 50 jointly provide domain name resolution service to users; and, after the ports sending attacks to the primary name server have been filtered and the use-state value of the primary name server is less than or equal to the use threshold, to switch the auxiliary name servers 50 off one after another. The use-state value of primary name server 40 is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
where r is the use-state value of the primary name server; q_1 is the CPU utilisation ratio parameter of the primary name server and p_1 the weight assigned to it; q_2 is the memory utilisation ratio parameter of the primary name server and p_2 the weight assigned to it; and q_3 is the bandwidth utilisation ratio parameter of the primary name server and p_3 the weight assigned to it.
The use threshold is set as s, and its specific value is determined according to the operating environment. When r > s, the performance of the primary name server has degraded, so switch control unit 30 starts the auxiliary name servers one after another, correspondingly increasing bandwidth; when r ≤ s, the performance of the primary name server has recovered, so switch control unit 30 switches the auxiliary name servers off one after another, correspondingly reducing bandwidth.
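The use-state formula and the switch control unit described above, as an added example that is not the patent's own code: auxiliary servers are started one per monitoring tick while r > s and stopped one per tick once the attacking ports are filtered and r ≤ s. The weights p_1..p_3 are assumed to sum to 1 (the patent leaves them to the operator), and the monitoring readings are constructed.

```python
"""Added example, not the patent's own code: the use-state value
r = q_1*p_1 + q_2*p_2 + q_3*p_3 and a switch controller that starts auxiliary
name servers one at a time while r > s and stops them one at a time once the
attacking ports are filtered and r <= s. All readings are constructed."""

def use_state_value(q, p):
    """r for utilisation ratios q = (cpu, mem, bw) and weights p = (p_1, p_2, p_3).
    The patent leaves the weights to the operator; here they are assumed to
    sum to 1 so that r, like each q_i, lies in [0, 1]."""
    if abs(sum(p) - 1.0) > 1e-9:
        raise ValueError("weights p_1..p_3 must sum to 1")
    return sum(qi * pi for qi, pi in zip(q, p))

class SwitchController:
    """Switch control unit: one auxiliary server is started or stopped per
    monitoring tick, in the fixed order given (the patent's 'sequentially')."""

    def __init__(self, aux_servers, s):
        self.aux = list(aux_servers)   # activation order
        self.s = s                     # use threshold
        self.active = []               # currently running auxiliaries

    def tick(self, r, attack_filtered):
        """One monitoring tick; returns the action taken."""
        if r > self.s:                 # primary degraded: add capacity
            if len(self.active) == len(self.aux):
                return ("saturated", None)
            srv = self.aux[len(self.active)]
            self.active.append(srv)
            return ("start", srv)
        if attack_filtered and self.active:   # recovered: release capacity
            return ("stop", self.active.pop())
        return ("steady", None)        # r <= s but attack not yet filtered, or nothing to stop

def run(controller, p, readings):
    """Feed (q_cpu, q_mem, q_bw, attack_filtered) readings; return the actions."""
    return [controller.tick(use_state_value(q[:3], p), q[3]) for q in readings]

# Constructed monitoring trace: an attack, then its ports are filtered.
P = (0.5, 0.3, 0.2)                     # p_1, p_2, p_3
S = 0.7                                 # use threshold s
READINGS = [
    (0.95, 0.80, 0.90, False),          # r = 0.895 > s  -> start aux-1
    (0.90, 0.80, 0.85, False),          # r = 0.860 > s  -> start aux-2
    (0.85, 0.70, 0.80, False),          # r = 0.795 > s  -> saturated
    (0.50, 0.60, 0.40, True),           # r = 0.510 <= s -> stop aux-2
    (0.40, 0.50, 0.30, True),           # r = 0.410 <= s -> stop aux-1
    (0.40, 0.50, 0.30, True),           # nothing left   -> steady
]

if __name__ == "__main__":
    for action in run(SwitchController(["aux-1", "aux-2"], S), P, READINGS):
        print(action)
```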
The DNS attack defence system of this embodiment can, first, judge more accurately whether the primary name server is under attack, avoiding misjudging normal users as users launching an attack and thereby preventing them from using the Internet normally; and second, when the primary name server is under attack and its use-state value exceeds the use threshold, start the auxiliary name servers one after another, so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, ensuring that users can still use the Internet normally while the primary name server is under attack and the attack is being cleared.
It will be understood that the above embodiments are merely illustrative of the principle of the present invention and of the exemplary embodiments employed, and the invention is not limited thereto. Those of ordinary skill in the art can make various modifications and improvements without departing from the spirit and substance of the invention, and such modifications and improvements are also regarded as falling within the protection scope of the invention.
Claims (10)
1. A method for defending DNS against attacks, characterised by comprising:
counting, for each IP address, the actual quantity N of domain name resolution requests sent to the primary name server each day, and, for each port of each IP address, the actual quantity N_p of domain name resolution requests sent to the primary name server each day;
calculating, from the actual quantity N and the actual quantity N_p, the predicted quantity N_f of domain name resolution requests that each IP address sends to the primary name server each day, and the predicted quantity N_pf of domain name resolution requests that each port of each IP address sends to the primary name server each day;
presetting attack-decision thresholds and judging from the predicted quantity N_f whether the IP address is sending an attack to the primary name server; and, where the IP address is sending an attack to the primary name server, judging from the N_pf of each port of that IP address whether the port is sending an attack to the primary name server;
filtering the ports that send attacks to the primary name server, so as to reduce the use-state value of the primary name server.
2. The method for defending DNS against attacks according to claim 1, characterised in that the preset attack-decision thresholds comprise a first quantity threshold t and a second quantity threshold u;
judging whether the IP address is sending an attack to the primary name server comprises: calculating N - N_f for each IP address and, if N - N_f > t, judging that the IP address is sending an attack to the primary name server;
and judging whether the port is sending an attack to the primary name server comprises: calculating N_p - N_pf for each port of the IP address and, if N_p - N_pf > u, judging that the port is sending an attack to the primary name server.
3. The method for defending DNS against attacks according to claim 1, characterised in that the predicted quantity N_f(c+1) of domain name resolution requests sent by an IP address to the primary name server on day c+1 is calculated as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual quantity of domain name resolution requests sent by the IP address to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
4. The method for defending DNS against attacks according to claim 1, characterised in that the predicted quantity N_pf(c+1) of domain name resolution requests sent by a port to the primary name server on day c+1 is calculated as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual quantity of domain name resolution requests sent by the port to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
5. The method for defending DNS against attacks according to claim 1, characterised by further comprising:
monitoring the use-state value of the primary name server in real time and, when the use-state value of the primary name server exceeds the use threshold, starting the auxiliary name servers one after another, so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports sending attacks to the primary name server have been filtered and the use-state value of the primary name server is less than or equal to the use threshold, switching the auxiliary name servers off one after another;
wherein the use-state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
where r is the use-state value of the primary name server; q_1 is the CPU utilisation ratio parameter of the primary name server and p_1 the weight assigned to it; q_2 is the memory utilisation ratio parameter of the primary name server and p_2 the weight assigned to it; and q_3 is the bandwidth utilisation ratio parameter of the primary name server and p_3 the weight assigned to it.
6. A system for defending DNS against attacks, characterised by comprising an attack source detection unit, the attack source detection unit comprising an actual quantity statistics module, a predicted quantity calculation module, an attack source locking module and an attack source filtering module, wherein:
the actual quantity statistics module is used to count, for each IP address, the actual quantity N of domain name resolution requests sent to the primary name server each day, and, for each port of each IP address, the actual quantity N_p of domain name resolution requests sent to the primary name server each day;
the predicted quantity calculation module is used to calculate, from the actual quantity N and the actual quantity N_p, the predicted quantity N_f of domain name resolution requests that each IP address sends to the primary name server each day, and the predicted quantity N_pf of domain name resolution requests that each port of each IP address sends to the primary name server each day;
the attack source locking module is used to preset attack-decision thresholds and to judge from the predicted quantity N_f whether the IP address is sending an attack to the primary name server; and, where the IP address is sending an attack to the primary name server, to judge from the N_pf of each port of that IP address whether the port is sending an attack to the primary name server;
the attack source filtering module is used to filter the ports that send attacks to the primary name server, so as to reduce the use-state value of the primary name server.
7. The system for defending DNS against attacks according to claim 6, characterised in that the attack-decision thresholds preset in the attack source locking module comprise a first quantity threshold t and a second quantity threshold u;
judging whether the IP address is sending an attack to the primary name server comprises: calculating N - N_f for each IP address and, if N - N_f > t, judging that the IP address is sending an attack to the primary name server;
and judging whether the port is sending an attack to the primary name server comprises: calculating N_p - N_pf for each port of the IP address and, if N_p - N_pf > u, judging that the port is sending an attack to the primary name server.
8. The system for defending DNS against attacks according to claim 6, characterised in that the predicted quantity calculation module calculates the predicted quantity N_f(c+1) of domain name resolution requests sent by an IP address to the primary name server on day c+1 using the formula:
N_f(c+1) = M_1*N_1 + M_2*N_2 + ... + M_c*N_c
where N_c is the actual quantity of domain name resolution requests sent by the IP address to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + ... + M_c = 1.
9. The system for defending DNS against attacks according to claim 6, characterised in that the predicted quantity calculation module calculates the predicted quantity N_pf(c+1) of domain name resolution requests sent by a port to the primary name server on day c+1 using the formula:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + ... + W_c*N_pc
where N_pc is the actual quantity of domain name resolution requests sent by the port to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + ... + W_c = 1.
10. The system for defending DNS against attacks according to claim 6, characterised by further comprising a use-state monitoring unit and a switch control unit, wherein:
the use-state monitoring unit is connected to the primary name server and is used to monitor the use-state value of the primary name server in real time;
the switch control unit is connected to the auxiliary name servers and the use-state monitoring unit and is used, when the use-state value of the primary name server exceeds the use threshold, to start the auxiliary name servers one after another, so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
and, after the ports sending attacks to the primary name server have been filtered and the use-state value of the primary name server is less than or equal to the use threshold, to switch the auxiliary name servers off one after another;
wherein the use-state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
where r is the use-state value of the primary name server; q_1 is the CPU utilisation ratio parameter of the primary name server and p_1 the weight assigned to it; q_2 is the memory utilisation ratio parameter of the primary name server and p_2 the weight assigned to it; and q_3 is the bandwidth utilisation ratio parameter of the primary name server and p_3 the weight assigned to it.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610317345.9A CN105847281B (en) | 2016-05-12 | 2016-05-12 | A kind of method and system of DNS defensive attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105847281A true CN105847281A (en) | 2016-08-10 |
CN105847281B CN105847281B (en) | 2019-02-19 |
Family
ID=56592022
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||