CN105847281B - Method and system for defending against DNS attacks - Google Patents
- Publication number: CN105847281B (application CN201610317345.9A)
- Authority: CN (China)
- Prior art keywords: name server, address, primary, attack, primary name
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic, and H04L63/00, network security)
- H04L61/4511: Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS] (under H04L61/45 and H04L61/00, network addressing or naming)
- H04L63/1408: Network security for detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14 and H04L63/00)
Abstract
The present invention provides a method and system for defending against DNS attacks, in the field of communication technology, which at least partly solves the problem that existing DNS defence methods cannot accurately determine whether a DNS server is under attack. The method counts the actual number N of domain name resolution requests sent by each IP address and the actual number N_p sent by each port, and from these computes the predicted number N_f of requests the IP address will send and the predicted number N_pf the port will send. It then uses N_f, N_pf and an attack decision threshold to determine whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, this determines more accurately whether the primary name server is under attack and avoids mistaking normal users for attackers, which would leave them unable to use the internet normally.
Description
Technical field
The invention belongs to the field of communication technology and in particular relates to a method and system for defending against DNS attacks.
Background technique
DNS is the abbreviation of Domain Name System; it consists of resolvers and name servers. A name server (DNS server) stores the domain names of all hosts in the network together with their corresponding IP addresses, and converts domain names into IP addresses. The DNS resolution process is roughly as follows: the user first initiates a domain name resolution request; after the local DNS server receives the request it searches its local cache, and if the name is not found there it sends a request to the upper-level DNS server, which returns the resolution result to the local DNS server in a reply message; the local DNS server then returns the result to the user who requested the resolution.
DNS attacks have occurred repeatedly in recent years. The common form is that the attacker sends a large number of domain name resolution request messages to the DNS server, causing it to become seriously overloaded so that it can no longer respond to the DNS requests of normal users, thereby achieving the purpose of the attack.
In the prior art, DNS attack defence mainly relies on the number of requests within a measurement period: the number of normal domain name requests usually does not exceed a certain threshold, and if this threshold is exceeded the IP address that issued the requests is regarded as an attack source and is filtered.
The inventors found that the prior art has at least the following problems:
1. the threshold for the number of normal domain name requests is not easy to set, so it cannot be determined accurately whether the DNS server is under attack;
2. from the time the DNS server comes under attack until the attack is stopped, DNS performance is greatly reduced, which affects the domain name resolution service provided to normal users and leaves them unable to use the internet normally.
Therefore, designing a method and system for defending against DNS attacks that can determine relatively accurately whether the DNS server is under attack, and that can keep the DNS server performing well while the attack is being stopped, is a technical problem that urgently needs to be solved.
Summary of the invention
The present invention at least partly solves the above problems by providing a method and system for defending against DNS attacks that can determine relatively accurately whether the DNS server is under attack and can keep the DNS server performing well while the attack is being stopped.
The technical solution adopted by the present invention is a method for defending against DNS attacks, comprising:
counting the actual number N of domain name resolution requests that each IP address sends to the primary name server each day, and the actual number N_p of domain name resolution requests that each port of each IP address sends to the primary name server each day;
calculating, from the actual numbers N and N_p, the predicted number N_f of domain name resolution requests that each IP address sends to the primary name server each day and the predicted number N_pf of domain name resolution requests that each port of each IP address sends to the primary name server each day;
presetting an attack decision threshold, judging from the predicted number N_f whether the IP address is attacking the primary name server and, where the IP address is attacking the primary name server, judging from the N_pf of each port of that IP address whether the port is attacking the primary name server;
filtering the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
Preferably, the preset attack decision threshold comprises a first quantity threshold t and a second quantity threshold u. Judging whether the IP address is attacking the primary name server comprises calculating N - N_f for each IP address; if N - N_f > t, the IP address is determined to be attacking the primary name server. Judging whether the port is attacking the primary name server comprises calculating N_p - N_pf for each port of the IP address; if N_p - N_pf > u, the port is determined to be attacking the primary name server.
Preferably, the predicted number N_f(c+1) of domain name resolution requests that the IP address sends to the primary name server on day c+1 is calculated as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + … + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + … + M_c = 1.
Preferably, the predicted number N_pf(c+1) of domain name resolution requests that the port sends to the primary name server on day c+1 is calculated as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + … + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + … + W_c = 1.
Preferably, the method further comprises:
monitoring the use state value of the primary name server in real time and, when the use state value of the primary name server exceeds the use threshold, activating the auxiliary name servers in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, switching off the auxiliary name servers in sequence. The use state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
where r is the use state value of the primary name server, q_1 is the CPU usage ratio of the primary name server and p_1 the weight of that ratio, q_2 is the memory usage ratio of the primary name server and p_2 the weight of that ratio, and q_3 is the bandwidth usage ratio of the primary name server and p_3 the weight of that ratio.
Another technical solution provided by the present invention is a system for defending against DNS attacks, comprising an attack source detection unit, which in turn comprises an actual quantity statistics module, a predicted quantity calculation module, an attack source locking module and an attack source filtering module, wherein:
the actual quantity statistics module counts the actual number N of domain name resolution requests that each IP address sends to the primary name server each day, and the actual number N_p of domain name resolution requests that each port of each IP address sends to the primary name server each day;
the predicted quantity calculation module calculates, from the actual numbers N and N_p, the predicted number N_f of domain name resolution requests that each IP address sends to the primary name server each day and the predicted number N_pf that each port of each IP address sends to the primary name server each day;
the attack source locking module presets the attack decision threshold, judges from the predicted number N_f whether the IP address is attacking the primary name server and, where the IP address is attacking the primary name server, judges from the N_pf of each port of that IP address whether the port is attacking the primary name server;
the attack source filtering module filters the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
Preferably, the attack decision threshold preset by the attack source locking module comprises a first quantity threshold t and a second quantity threshold u. Judging whether the IP address is attacking the primary name server comprises calculating N - N_f for each IP address; if N - N_f > t, the IP address is determined to be attacking the primary name server. Judging whether the port is attacking the primary name server comprises calculating N_p - N_pf for each port of the IP address; if N_p - N_pf > u, the port is determined to be attacking the primary name server.
Preferably, the predicted quantity calculation module calculates the predicted number N_f(c+1) of domain name resolution requests that the IP address sends to the primary name server on day c+1 with the formula:
N_f(c+1) = M_1*N_1 + M_2*N_2 + … + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + … + M_c = 1.
Preferably, the predicted quantity calculation module calculates the predicted number N_pf(c+1) of domain name resolution requests that the port sends to the primary name server on day c+1 with the formula:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + … + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + … + W_c = 1.
Preferably, the system further comprises a use state monitoring unit and a switch control unit, wherein:
the use state monitoring unit is connected to the primary name server and monitors the use state value of the primary name server in real time;
the switch control unit is connected to the auxiliary name servers and to the use state monitoring unit; when the use state value of the primary name server exceeds the use threshold, it activates the auxiliary name servers in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, it switches off the auxiliary name servers in sequence. The use state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
where r is the use state value of the primary name server, q_1 is the CPU usage ratio of the primary name server and p_1 the weight of that ratio, q_2 is the memory usage ratio of the primary name server and p_2 the weight of that ratio, and q_3 is the bandwidth usage ratio of the primary name server and p_3 the weight of that ratio.
The method and system for defending against DNS attacks provided by the present invention first calculate, from the counted actual number N of domain name resolution requests sent by an IP address and the actual number N_p sent by a port, the predicted number N_f of requests the IP address will send and the predicted number N_pf the port will send; then, from N_f, N_pf and the attack decision threshold, they determine whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, this determines more accurately whether the primary name server is under attack and avoids mistaking normal users for attackers, which would leave them unable to use the internet normally.
Secondly, when the primary name server is under attack and its use state value reaches or exceeds the use threshold, the auxiliary name servers are activated in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users; this ensures that users can still use the internet normally from the time the primary name server comes under attack until the attack is stopped.
Brief description of the drawings
Fig. 1 is a flow diagram of the method for defending against DNS attacks of Embodiment 1 of the present invention;
Fig. 2 is a schematic block diagram of the composition of the system for defending against DNS attacks of Embodiment 2 of the present invention;
wherein the reference numerals are:
10, attack source detection unit; 11, actual quantity statistics module; 12, predicted quantity calculation module; 13, attack source locking module; 14, attack source filtering module; 20, use state monitoring unit; 30, switch control unit; 40, primary name server; 50, auxiliary name server.
Detailed description
To enable those skilled in the art to better understand the technical solution of the present invention, the present invention is further described in detail below with reference to the drawings and specific embodiments.
Embodiment 1:
This embodiment provides a method for defending against DNS attacks that can accurately lock onto the attacking IP address and its port, and filter that port.
Fig. 1 is a flow diagram of the method for defending against DNS attacks of this embodiment. As shown in Fig. 1, the method comprises the following steps:
Step S1: count the actual number N of domain name resolution requests that each IP address sends to the primary name server each day, and the actual number N_p of domain name resolution requests that each port of each IP address sends to the primary name server each day.
One primary name server serves multiple users. These users have private network IP addresses, and a private network IP address can only perform domain name resolution through the primary name server via a public network IP address. In this step the actual number N of domain name resolution requests that each IP address sends to the primary name server each day is counted; for example, the actual number of requests that the d-th public network IP address sends to the primary name server on day c may be denoted N_cd. Likewise the actual number N_p of requests that each port of each IP address sends to the primary name server each day is counted; for example, the actual number of requests that the p-th port of the d-th public network IP address sends to the primary name server on day c may be denoted N_pcd.
In this way, the actual number of domain name resolution requests that each IP address and each of its ports sends to the primary name server each day is clearly recorded.
Step S2: from the actual numbers N and N_p, calculate the predicted number N_f of domain name resolution requests that each IP address sends to the primary name server each day and the predicted number N_pf of domain name resolution requests that each port of each IP address sends to the primary name server each day.
From the actual number N of domain name resolution requests recorded for the IP address each day, the predicted number N_f of requests the IP address will send on the following day is calculated. Correspondingly, the predicted number N_f(c+1) of requests the IP address sends to the primary name server on day c+1 is calculated as:
N_f(c+1) = M_1*N_1 + M_2*N_2 + … + M_c*N_c (1)
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + … + M_c = 1.
Specifically, the predicted number of requests that the d-th public network IP address sends on day c+1 may be denoted N_f(c+1)d and is calculated as:
N_f(c+1)d = M_1*N_1d + M_2*N_2d + … + M_c*N_cd (2)
where N_cd is the actual number of domain name resolution requests the d-th IP address sent to the primary name server on day c.
From formulas (1) and (2), the predicted number N_f of domain name resolution requests that each IP address sends each day can be calculated.
From the actual number N_p of domain name resolution requests recorded for the port each day, the predicted number N_pf of requests the port will send on the following day is calculated. Correspondingly, the predicted number N_pf(c+1) of requests the port sends to the primary name server on day c+1 is calculated as:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + … + W_c*N_pc (3)
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + … + W_c = 1.
Specifically, the predicted number of requests that the p-th port of the d-th public network IP address sends on day c+1 may be denoted N_pf(c+1)d and is calculated as:
N_pf(c+1)d = W_1*N_p1d + W_2*N_p2d + … + W_c*N_pcd (4)
where N_pcd is the actual number of domain name resolution requests the p-th port of the d-th public network IP address sent to the primary name server on day c.
From formulas (3) and (4), the predicted number N_pf of domain name resolution requests that each port sends each day can be calculated.
In addition, so that the predicted number N_f(c+1)d for the d-th public network IP address on day c+1 is as close as possible to its actual number N_(c+1)d on day c+1, it is preferable that the weight M_c grows with the day index c, i.e. more recent days are weighted more heavily, which improves the precision of the prediction. Similarly, so that the predicted number N_pf(c+1)d for the p-th port of the d-th public network IP address on day c+1 is as close as possible to its actual number N_p(c+1)d, it is preferable that W_c grows with c, which improves the precision of the prediction.
Step S3: preset an attack decision threshold; judge from the predicted number N_f whether the IP address is attacking the primary name server and, where the IP address is attacking the primary name server, judge from the N_pf of each port of that IP address whether the port is attacking the primary name server.
Specifically, the preset attack decision threshold comprises a first quantity threshold t and a second quantity threshold u. The specific values of t and u can be set flexibly according to the scenario in which the method is used.
Judging whether the IP address is attacking the primary name server comprises calculating N - N_f for each IP address; if N - N_f > t, the IP address is determined to be attacking the primary name server.
Judging whether the port is attacking the primary name server comprises calculating N_p - N_pf for each port of the IP address; if N_p - N_pf > u, the port is determined to be attacking the primary name server.
With the above steps, the attacking IP address is found first, and then the attacking port within that IP address is further locked onto, so that the attack source is located precisely.
Step S4: filter the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
Building on step S3, this step filters the ports that are attacking the primary name server, which reduces the use state value of the primary name server and restores its performance.
To ensure that users served by the primary name server always receive domain name resolution service normally, at least one auxiliary name server is connected in parallel with the primary name server, and the use state value of the primary name server is monitored in real time. When the use state value of the primary name server exceeds the use threshold, the auxiliary name servers are activated in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, the auxiliary name servers are switched off in sequence. The use state value of the primary name server is calculated as:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
where r is the use state value of the primary name server, q_1 is the CPU usage ratio of the primary name server and p_1 the weight of that ratio, q_2 is the memory usage ratio of the primary name server and p_2 the weight of that ratio, and q_3 is the bandwidth usage ratio of the primary name server and p_3 the weight of that ratio.
Let the use threshold be s; its specific value is determined according to the operating environment. When r > s, the performance of the primary name server has degraded, so the auxiliary name servers are activated in sequence, adding bandwidth accordingly; when r ≤ s, the performance of the primary name server has recovered, so the auxiliary name servers are switched off in sequence, reducing bandwidth accordingly.
In addition, even when the primary name server is not under attack, an increase in the number of users it serves or in how often those users access the internet may also push its use state value above the use threshold. In that case the first auxiliary name server is started first, adding the corresponding bandwidth; if the use state value of the primary name server is still above the use threshold, the second auxiliary name server is started in turn, adding further bandwidth, so that all users can use the internet normally. When the use state value of the primary name server gradually falls again, the second auxiliary name server and then the first auxiliary name server are switched off in sequence.
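The use state formula and the start/stop ordering of the auxiliary name servers described above (the same logic that the use state monitoring unit and switch control unit of Embodiment 2 perform) are shown below as an added Python example written for this page, not code from the patent. The weights p = (0.5, 0.3, 0.2), the threshold s = 0.8, the two auxiliary server names and the sequence of CPU/memory/bandwidth readings are all constructed for the example; the patent only says these values are chosen for the operating environment.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Action = Tuple[str, Optional[str]]


def use_state_value(q1: float, q2: float, q3: float,
                    p: Tuple[float, float, float] = (0.5, 0.3, 0.2)) -> float:
    """r = q1*p1 + q2*p2 + q3*p3, with q = (CPU, memory, bandwidth) usage ratios
    in [0, 1] and p their weights. The default weights are our constructed choice."""
    p1, p2, p3 = p
    if abs(p1 + p2 + p3 - 1.0) > 1e-9:
        raise ValueError("the three weights must sum to 1")
    return q1 * p1 + q2 * p2 + q3 * p3


@dataclass
class SwitchController:
    """Switch control unit: starts auxiliary servers one at a time while r > s,
    and stops them in reverse start order once r <= s."""
    aux_servers: List[str]                 # ordered: first auxiliary, second, ...
    s: float                               # use threshold
    active: List[str] = field(default_factory=list)

    def update(self, r: float) -> Action:
        """Apply one monitoring sample of r and return the action taken."""
        if r > self.s:
            idle = [a for a in self.aux_servers if a not in self.active]
            if not idle:
                return ("exhausted", None)  # every auxiliary is already running
            self.active.append(idle[0])     # next auxiliary in sequence
            return ("start", idle[0])
        if self.active:
            return ("stop", self.active.pop())  # last started is stopped first
        return ("none", None)


def run_sample() -> List[Action]:
    """Constructed (cpu, mem, bw) readings around an attack and its filtering."""
    samples = [
        (0.95, 0.90, 0.90),  # under attack: r = 0.925 > s, start aux-1
        (0.90, 0.90, 0.90),  # still saturated: r = 0.9 > s, start aux-2
        (0.50, 0.60, 0.40),  # attacking ports filtered: r = 0.51 <= s, stop aux-2
        (0.50, 0.50, 0.50),  # r = 0.5 <= s, stop aux-1
        (0.50, 0.50, 0.50),  # nothing left to stop
    ]
    ctl = SwitchController(["aux-1", "aux-2"], s=0.8)
    return [ctl.update(use_state_value(*q)) for q in samples]


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

One sample per monitoring interval drives one start or one stop, so a burst that pushes r above s brings the auxiliaries online one by one, and once filtering (or a drop in normal load) brings r back under s they go offline in the reverse order, which is the sequence the text describes for both the attack case and the plain overload case.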
The method for defending against DNS attacks of this embodiment determines from N_f, N_pf and the attack decision threshold whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, it determines more accurately whether the primary name server is under attack and avoids mistaking normal users for attackers, which would leave them unable to use the internet normally. Secondly, when the primary name server is under attack and its use state value reaches or exceeds the use threshold, the auxiliary name servers are activated in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, ensuring that users can still use the internet normally from the time the primary name server comes under attack until the attack is stopped.
Embodiment 2:
This embodiment provides a system for defending against DNS attacks, which is the equipment that implements the method of Embodiment 1. Fig. 2 is a schematic block diagram of the composition of the system of this embodiment. As shown in Fig. 2, the system comprises an attack source detection unit 10 connected to the primary name server 40; the attack source detection unit 10 comprises an actual quantity statistics module 11, a predicted quantity calculation module 12, an attack source locking module 13 and an attack source filtering module 14, wherein:
The actual quantity statistics module 11 counts the actual number N of domain name resolution requests that each IP address sends to the primary name server 40 each day, and the actual number N_p of domain name resolution requests that each port of each IP address sends to the primary name server 40 each day.
For example, the actual number of requests that the p-th port of the d-th public network IP address sends to the primary name server on day c may be denoted N_pcd. The actual quantity statistics module thus clearly records the actual number of domain name resolution requests that each IP address and each of its ports sends to the primary name server each day.
The predicted quantity calculation module 12 calculates, from the actual numbers N and N_p, the predicted number N_f of domain name resolution requests that each IP address sends to the primary name server each day and the predicted number N_pf of domain name resolution requests that each port of each IP address sends to the primary name server each day.
The predicted quantity calculation module 12 calculates the predicted number N_f(c+1) of domain name resolution requests that the IP address sends to the primary name server on day c+1 with the formula:
N_f(c+1) = M_1*N_1 + M_2*N_2 + … + M_c*N_c
where N_c is the actual number of domain name resolution requests the IP address sent to the primary name server on day c, M_c is the weight parameter of N_c, and M_1 + M_2 + … + M_c = 1.
The predicted quantity calculation module 12 calculates the predicted number N_pf(c+1) of domain name resolution requests that the port sends to the primary name server on day c+1 with the formula:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + … + W_c*N_pc
where N_pc is the actual number of domain name resolution requests the port sent to the primary name server on day c, W_c is the weight parameter of N_pc, and W_1 + W_2 + … + W_c = 1.
From the above formulas, the predicted number N_f of domain name resolution requests that each IP address sends each day and the predicted number N_pf that each port sends each day can be calculated.
The attack source locking module 13 presets the attack decision threshold, judges from the predicted number N_f whether the IP address is attacking the primary name server and, where the IP address is attacking the primary name server, judges from the N_pf of each port of that IP address whether the port is attacking the primary name server.
The attack decision threshold preset by the attack source locking module 13 comprises a first quantity threshold t and a second quantity threshold u. The specific values of t and u can be set flexibly according to the scenario in which the method is used.
Judging whether the IP address is attacking the primary name server comprises calculating N - N_f for each IP address; if N - N_f > t, the IP address is determined to be attacking the primary name server.
Judging whether the port is attacking the primary name server comprises calculating N_p - N_pf for each port of the IP address; if N_p - N_pf > u, the port is determined to be attacking the primary name server.
With the above judgment, the attack source locking module 13 first finds the attacking IP address and then further locks onto the attacking port within that IP address, so that the attack source is located precisely.
The attack source filtering module 14 filters the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
After the attack source locking module 13 has locked onto the attacking IP address and its port, the attack source filtering module 14 filters the ports attacking the primary name server, which reduces the use state value of the primary name server, that is, restores its performance.
In order to guarantee that the users served by the primary name server can always receive domain name resolution service normally, at least one auxiliary name server 50 is connected in parallel with the primary name server; correspondingly, the system further includes use state monitoring unit 20 and switch control unit 30, in which:
Use state monitoring unit 20 is connected with primary name server 40 and is used to monitor the use state value of the primary name server in real time;
Switch control unit 30 is connected with auxiliary name server 50 and use state monitoring unit 20, and is used, when the use state value of primary name server 40 is greater than the use threshold, to activate auxiliary name server 50 in sequence so that primary name server 40 and auxiliary name server 50 jointly provide domain name resolution service for users;
and, after the port issuing the attack on the primary name server has been filtered and the use state value of the primary name server is less than or equal to the use threshold, to switch off auxiliary name server 50 in sequence. The formula for calculating the use state value of primary name server 40 is:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
In the formula, r is the use state value of the primary name server; q_1 is the usage ratio parameter of the CPU of the primary name server and p_1 is the proportion assigned to the CPU usage ratio parameter; q_2 is the usage ratio parameter of the memory of the primary name server and p_2 is the proportion assigned to the memory usage ratio parameter; q_3 is the usage ratio parameter of the bandwidth of the primary name server and p_3 is the proportion assigned to the bandwidth usage ratio parameter.
Let the use threshold be s; its specific value is determined according to the operating environment. When r > s, the performance of the primary name server has degraded, so switch control unit 30 activates auxiliary name servers in sequence, correspondingly increasing bandwidth; when r ≤ s, the performance of the primary name server has been restored, so switch control unit 30 switches off auxiliary name servers in sequence, correspondingly reducing bandwidth.
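The two-stage attack-source locking (per IP address first, then per port of a flagged address) and the use-state switching rule described above, as an added example that is not the patent's own code. The weights, thresholds, addresses and request counts are constructed sample values, and the proportions p are assumed, not taken from the patent.

```python
# Added example, not code from the patent: two-stage attack-source locking
# and use-state switching, run on constructed sample traffic counts.
# All weights, thresholds, addresses and counts are constructed values.


def predict(history, weights):
    """Weighted prediction for day c+1 from the c previous days:
    N_f(c+1) = M_1*N_1 + ... + M_c*N_c, with the weights summing to 1."""
    if len(history) != len(weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("need one weight per day, weights summing to 1")
    return sum(w * n for w, n in zip(weights, history))


def lock_attack_sources(ip_hist, port_hist, ip_today, port_today, weights, t, u):
    """Return {ip: [locked ports]} for the current day.

    Stage 1 (threshold t): an IP is suspect only if its actual count N
    exceeds its prediction N_f by more than t.
    Stage 2 (threshold u): within a suspect IP, a port is locked only if
    N_p - N_pf > u. Ports of IPs that pass stage 1 are never examined,
    which is what keeps normal users from being filtered."""
    locked = {}
    for ip, n in ip_today.items():
        n_f = predict(ip_hist[ip], weights)
        if n - n_f > t:
            locked[ip] = [port for port, n_p in port_today[ip].items()
                          if n_p - predict(port_hist[ip][port], weights) > u]
    return locked


def use_state(q_cpu, q_mem, q_bw, p=(0.4, 0.3, 0.3)):
    """r = q_1*p_1 + q_2*p_2 + q_3*p_3; proportions p are assumed values."""
    return q_cpu * p[0] + q_mem * p[1] + q_bw * p[2]


def auxiliary_needed(r, s):
    """Activate auxiliary name servers in sequence while r > s."""
    return r > s


def auxiliary_can_switch_off(r, s, attack_filtered):
    """Switch auxiliary servers off only after the attacking ports have
    been filtered and the use state value has fallen to r <= s."""
    return attack_filtered and r <= s


# Constructed sample: three days of history (c = 3), oldest day first.
WEIGHTS = (0.2, 0.3, 0.5)
IP_HIST = {"203.0.113.5": [100, 120, 110], "198.51.100.7": [100, 100, 100]}
PORT_HIST = {
    "203.0.113.5": {53000: [50, 60, 55], 53001: [50, 60, 55]},
    "198.51.100.7": {40000: [100, 100, 100]},
}
IP_TODAY = {"203.0.113.5": 5000, "198.51.100.7": 150}
PORT_TODAY = {"203.0.113.5": {53000: 4800, 53001: 200},
              "198.51.100.7": {40000: 150}}

if __name__ == "__main__":
    # Only port 53000 of 203.0.113.5 is locked; port 53001 stays unfiltered.
    print(lock_attack_sources(IP_HIST, PORT_HIST, IP_TODAY, PORT_TODAY,
                              WEIGHTS, t=500, u=300))
```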
The DNS attack defense system of the present embodiment can, first, determine more accurately whether the primary name server is under attack, avoiding mistaking normal users for attackers and leaving them unable to use the Internet normally; secondly, when the primary name server is attacked and the use threshold is less than or equal to its use state value, auxiliary name servers are activated in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service for users, guaranteeing that users can still use the Internet normally during the period from the primary name server coming under attack until the attack is relieved.
It should be understood that the above embodiments are merely exemplary implementations used to illustrate the principle of the present invention; however, the present invention is not limited thereto. For those skilled in the art, various changes and modifications can be made without departing from the spirit and essence of the present invention, and these changes and modifications are also considered to fall within the protection scope of the present invention.
Claims (10)
1. A DNS attack defense method, characterized by comprising:
counting the actual quantity N of domain name resolution requests that each IP address sends to the primary name server daily and the actual quantity N_p of domain name resolution requests that each port of each IP address sends to the primary name server daily;
according to actual quantity N and actual quantity N_p, calculating the predicted quantity N_f of domain name resolution requests that each IP address sends to the primary name server daily and the predicted quantity N_pf of domain name resolution requests that each port of each IP address sends to the primary name server daily;
presetting an attack judgment threshold, judging according to predicted quantity N_f whether the IP address issues an attack on the primary name server, and, in the case where the IP address issues an attack on the primary name server, judging according to the N_pf of each port of the IP address whether that port issues an attack on the primary name server;
filtering the port that issues an attack on the primary name server, so as to reduce the use state value of the primary name server.
2. The DNS attack defense method according to claim 1, characterized in that the preset attack judgment thresholds include a first quantity threshold t and a second quantity threshold u,
judging whether the IP address issues an attack on the primary name server includes: calculating N - N_f for each IP address; if N - N_f > t, the IP address is determined to be issuing an attack on the primary name server;
and judging whether the port issues an attack on the primary name server includes: calculating N_p - N_pf for each port of the IP address; if N_p - N_pf > u, the port is determined to be issuing an attack on the primary name server.
3. The DNS attack defense method according to claim 1, characterized in that the formula for calculating the predicted quantity N_f(c+1) of domain name resolution requests that an IP address sends to the primary name server on day c+1 is:
N_f(c+1) = M_1*N_1 + M_2*N_2 + … + M_c*N_c
In the formula, N_c is the actual quantity of domain name resolution requests that the IP address sent to the primary name server on day c, and M_c is the weight parameter of N_c, with M_1 + M_2 + … + M_c = 1.
4. The DNS attack defense method according to claim 1, characterized in that the formula for calculating the predicted quantity N_pf(c+1) of domain name resolution requests that a port sends to the primary name server on day c+1 is:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + … + W_c*N_pc
In the formula, N_pc is the actual quantity of domain name resolution requests that the port sent to the primary name server on day c, and W_c is the weight parameter of N_pc, with W_1 + W_2 + … + W_c = 1.
5. The DNS attack defense method according to claim 1, characterized by further comprising:
monitoring the use state value of the primary name server in real time; when the use state value of the primary name server is greater than the use threshold, activating auxiliary name servers in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service for users;
after the port issuing the attack on the primary name server has been filtered and the use state value of the primary name server is less than or equal to the use threshold, switching off the auxiliary name servers in sequence; wherein the formula for calculating the use state value of the primary name server is:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
In the formula, r is the use state value of the primary name server; q_1 is the usage ratio parameter of the CPU of the primary name server and p_1 is the proportion assigned to the CPU usage ratio parameter; q_2 is the usage ratio parameter of the memory of the primary name server and p_2 is the proportion assigned to the memory usage ratio parameter; q_3 is the usage ratio parameter of the bandwidth of the primary name server and p_3 is the proportion assigned to the bandwidth usage ratio parameter.
6. A DNS attack defense system, characterized by including an attack source detection unit, the attack source detection unit including an actual quantity statistics module, a predicted quantity computing module, an attack source locking module and an attack source filtering module, in which:
the actual quantity statistics module is used for counting the actual quantity N of domain name resolution requests that each IP address sends to the primary name server daily and the actual quantity N_p of domain name resolution requests that each port of each IP address sends to the primary name server daily;
the predicted quantity computing module is used for calculating, according to actual quantity N and actual quantity N_p, the predicted quantity N_f of domain name resolution requests that each IP address sends to the primary name server daily and the predicted quantity N_pf of domain name resolution requests that each port of each IP address sends to the primary name server daily;
the attack source locking module is used for presetting an attack judgment threshold, judging according to predicted quantity N_f whether the IP address issues an attack on the primary name server, and, in the case where the IP address issues an attack on the primary name server, judging according to the N_pf of each port of the IP address whether that port issues an attack on the primary name server;
the attack source filtering module is used for filtering the port that issues an attack on the primary name server, so as to reduce the use state value of the primary name server.
7. The DNS attack defense system according to claim 6, characterized in that the attack judgment thresholds preset by the attack source locking module include a first quantity threshold t and a second quantity threshold u,
judging whether the IP address issues an attack on the primary name server includes: calculating N - N_f for each IP address; if N - N_f > t, the IP address is determined to be issuing an attack on the primary name server;
and judging whether the port issues an attack on the primary name server includes: calculating N_p - N_pf for each port of the IP address; if N_p - N_pf > u, the port is determined to be issuing an attack on the primary name server.
8. The DNS attack defense system according to claim 6, characterized in that the formula used by the predicted quantity computing module to calculate the predicted quantity N_f(c+1) of domain name resolution requests that an IP address sends to the primary name server on day c+1 is:
N_f(c+1) = M_1*N_1 + M_2*N_2 + … + M_c*N_c
In the formula, N_c is the actual quantity of domain name resolution requests that the IP address sent to the primary name server on day c, and M_c is the weight parameter of N_c, with M_1 + M_2 + … + M_c = 1.
9. The DNS attack defense system according to claim 6, characterized in that the formula used by the predicted quantity computing module to calculate the predicted quantity N_pf(c+1) of domain name resolution requests that a port sends to the primary name server on day c+1 is:
N_pf(c+1) = W_1*N_p1 + W_2*N_p2 + … + W_c*N_pc
In the formula, N_pc is the actual quantity of domain name resolution requests that the port sent to the primary name server on day c, and W_c is the weight parameter of N_pc, with W_1 + W_2 + … + W_c = 1.
10. The DNS attack defense system according to claim 6, characterized by further including a use state monitoring unit and a switch control unit, in which:
the use state monitoring unit is connected with the primary name server and is used for monitoring the use state value of the primary name server in real time;
the switch control unit is connected with the auxiliary name server and the use state monitoring unit, and is used, when the use state value of the primary name server is greater than the use threshold, for activating auxiliary name servers in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service for users;
and, after the port issuing the attack on the primary name server has been filtered and the use state value of the primary name server is less than or equal to the use threshold, for switching off the auxiliary name servers in sequence; wherein the formula for calculating the use state value of the primary name server is:
r = q_1*p_1 + q_2*p_2 + q_3*p_3
In the formula, r is the use state value of the primary name server; q_1 is the usage ratio parameter of the CPU of the primary name server and p_1 is the proportion assigned to the CPU usage ratio parameter; q_2 is the usage ratio parameter of the memory of the primary name server and p_2 is the proportion assigned to the memory usage ratio parameter; q_3 is the usage ratio parameter of the bandwidth of the primary name server and p_3 is the proportion assigned to the bandwidth usage ratio parameter.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610317345.9A CN105847281B (en) | 2016-05-12 | 2016-05-12 | A kind of method and system of DNS defensive attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105847281A CN105847281A (en) | 2016-08-10 |
CN105847281B true CN105847281B (en) | 2019-02-19 |
Family
ID=56592022
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610317345.9A Active CN105847281B (en) | 2016-05-12 | 2016-05-12 | A kind of method and system of DNS defensive attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105847281B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |