CN105847281B - Method and system for defending against DNS attacks - Google Patents

Info

Publication number: CN105847281B
Authority: CN (China)
Application number: CN201610317345.9A
Other versions: CN105847281A
Other languages: Chinese (zh)
Inventor: 张余
Original assignee and current assignee: China United Network Communications Group Co Ltd
Legal status: Active
Prior art keywords: name server; address; primary; attack; primary name

Events: application filed by China United Network Communications Group Co Ltd; priority to CN201610317345.9A; publication of CN105847281A; application granted; publication of CN105847281B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The present invention provides a method and system for defending against DNS attacks, belonging to the field of communication technology, which can at least partly solve the problem that existing DNS defense methods cannot determine accurately whether DNS is under attack. The method of the invention counts the actual number N of domain name resolution requests sent by an IP address and the actual number N_p sent by each of its ports, calculates from them the predicted number N_f of requests the IP address will send and the predicted number N_pf each port will send, and then determines from N_f, N_pf and an attack decision threshold whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, this determines more accurately whether the primary name server is under attack and avoids mistaking a normal user for an attacker and thereby cutting off that user's normal Internet access.

Description

Method and system for defending against DNS attacks
Technical field
The invention belongs to the field of communication technology, and in particular relates to a method and system for defending against DNS attacks.
Background technique
DNS is the abbreviation of Domain Name System; it consists of resolvers and name servers. A name server (DNS server) stores the domain names of all hosts in the network together with their IP addresses and converts domain names into IP addresses. Resolution proceeds roughly as follows: the user initiates a resolution request; the local DNS server looks the name up in its local cache and, if it is not found there, sends a request to the upper-level DNS server; the upper-level DNS server returns the result to the local DNS server in a response message, and the local DNS server returns it to the user who requested the resolution.
DNS attacks have occurred repeatedly in recent years. The common form is that the attacker sends a large number of resolution request messages to the DNS server, which overloads it severely so that it can no longer respond to the requests of normal users, and the attack thereby achieves its aim.
In the prior art, DNS attack defense mainly measures the number of requests within a measurement period. The number of normal domain name requests usually stays below a certain threshold; if this threshold is exceeded, the IP address that issued the requests is regarded as the attack source and is filtered.
The inventor has found that the prior art has at least the following problems:
1. The threshold for the number of normal domain name requests is not easy to set, so whether DNS is under attack cannot be determined accurately;
2. From the moment DNS comes under attack until the attack is cleared, DNS performance drops sharply, which affects the resolution service provided to normal users and leaves them unable to use the Internet normally.
Therefore, a method and system for DNS attack defense that can determine relatively accurately whether DNS is under attack and keep DNS performing well while the attack is being cleared is a technical problem that urgently needs to be solved.
Summary of the invention
To at least partially solve the above problems, the present invention provides a method and system for DNS attack defense that can determine relatively accurately whether DNS is under attack and keep DNS performing well while the attack is being cleared.
The technical solution adopted by the invention is a method of DNS attack defense, comprising:
counting the actual number N of domain name resolution requests that each IP address sends to the primary name server per day, and the actual number N_p that each port of each IP address sends to the primary name server per day;
calculating, from N and N_p, the predicted number N_f of resolution requests that each IP address sends to the primary name server per day and the predicted number N_pf that each port of each IP address sends to the primary name server per day;
presetting an attack decision threshold; judging from N_f whether the IP address is attacking the primary name server; and, where the IP address is attacking the primary name server, judging from the N_pf of each of its ports whether that port is attacking the primary name server;
filtering the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
Preferably, the preset attack decision threshold comprises a first quantity threshold t and a second quantity threshold u,
judging whether the IP address is attacking the primary name server comprises: calculating N - N_f for each IP address and, if N - N_f > t, determining that the IP address is attacking the primary name server;
and judging whether the port is attacking the primary name server comprises: calculating N_p - N_pf for each port of the IP address and, if N_p - N_pf > u, determining that the port is attacking the primary name server.
Preferably, the predicted number N_f(c+1) of resolution requests that an IP address sends to the primary name server on day c+1 is calculated as:
$N_{f(c+1)} = M_1 N_1 + M_2 N_2 + \dots + M_c N_c$
where N_c is the actual number of resolution requests the IP address sent to the primary name server on day c, M_c is the weight of N_c, and M_1 + M_2 + … + M_c = 1.
Preferably, the predicted number N_pf(c+1) of resolution requests that a port sends to the primary name server on day c+1 is calculated as:
$N_{pf(c+1)} = W_1 N_{p1} + W_2 N_{p2} + \dots + W_c N_{pc}$
where N_pc is the actual number of resolution requests the port sent to the primary name server on day c, W_c is the weight of N_pc, and W_1 + W_2 + … + W_c = 1.
Preferably, the method further comprises:
monitoring the use state value of the primary name server in real time and, when the use state value of the primary name server exceeds a use threshold, starting auxiliary name servers in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, switching the auxiliary name servers off in sequence; wherein the use state value of the primary name server is calculated as:
$r = q_1 p_1 + q_2 p_2 + q_3 p_3$
where r is the use state value of the primary name server, q_1 is the use ratio parameter of the CPU of the primary name server and p_1 the proportion assigned to that parameter, q_2 is the use ratio parameter of the memory of the primary name server and p_2 the proportion assigned to it, and q_3 is the use ratio parameter of the bandwidth of the primary name server and p_3 the proportion assigned to it.
Another technical solution provided by the invention is a DNS attack defense system comprising an attack source detection unit, the attack source detection unit comprising an actual number statistics module, a predicted number calculation module, an attack source locking module and an attack source filtering module, wherein:
the actual number statistics module counts the actual number N of domain name resolution requests that each IP address sends to the primary name server per day and the actual number N_p that each port of each IP address sends to the primary name server per day;
the predicted number calculation module calculates, from N and N_p, the predicted number N_f of resolution requests that each IP address sends to the primary name server per day and the predicted number N_pf that each port of each IP address sends to the primary name server per day;
the attack source locking module presets an attack decision threshold, judges from N_f whether the IP address is attacking the primary name server and, where the IP address is attacking the primary name server, judges from the N_pf of each of its ports whether that port is attacking the primary name server;
the attack source filtering module filters the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
Preferably, the attack decision threshold preset by the attack source locking module comprises a first quantity threshold t and a second quantity threshold u,
judging whether the IP address is attacking the primary name server comprises: calculating N - N_f for each IP address and, if N - N_f > t, determining that the IP address is attacking the primary name server;
and judging whether the port is attacking the primary name server comprises: calculating N_p - N_pf for each port of the IP address and, if N_p - N_pf > u, determining that the port is attacking the primary name server.
Preferably, the predicted number calculation module calculates the predicted number N_f(c+1) of resolution requests that an IP address sends to the primary name server on day c+1 with the formula:
$N_{f(c+1)} = M_1 N_1 + M_2 N_2 + \dots + M_c N_c$
where N_c is the actual number of resolution requests the IP address sent to the primary name server on day c, M_c is the weight of N_c, and M_1 + M_2 + … + M_c = 1.
Preferably, the predicted number calculation module calculates the predicted number N_pf(c+1) of resolution requests that a port sends to the primary name server on day c+1 with the formula:
$N_{pf(c+1)} = W_1 N_{p1} + W_2 N_{p2} + \dots + W_c N_{pc}$
where N_pc is the actual number of resolution requests the port sent to the primary name server on day c, W_c is the weight of N_pc, and W_1 + W_2 + … + W_c = 1.
Preferably, the system further comprises a use state monitoring unit and a switch control unit, wherein:
the use state monitoring unit is connected to the primary name server and monitors the use state value of the primary name server in real time;
the switch control unit is connected to the auxiliary name servers and to the use state monitoring unit; when the use state value of the primary name server exceeds the use threshold, it starts the auxiliary name servers in sequence so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, it switches the auxiliary name servers off in sequence; wherein the use state value of the primary name server is calculated as:
$r = q_1 p_1 + q_2 p_2 + q_3 p_3$
where r is the use state value of the primary name server, q_1 is the use ratio parameter of the CPU of the primary name server and p_1 the proportion assigned to that parameter, q_2 is the use ratio parameter of the memory of the primary name server and p_2 the proportion assigned to it, and q_3 is the use ratio parameter of the bandwidth of the primary name server and p_3 the proportion assigned to it.
The method and system of DNS attack defense provided by the invention first calculate, from the counted actual number N of resolution requests sent by an IP address and the actual number N_p sent by each port, the predicted number N_f the IP address will send and the predicted number N_pf each port will send; then, from N_f, N_pf and the attack decision threshold, they determine whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, this determines more accurately whether the primary name server is under attack and avoids mistaking a normal user for an attacker and thereby cutting off that user's normal Internet access.
Second, when the primary name server is under attack and its use state value is no less than the use threshold, auxiliary name servers are started in sequence so that the primary name server and the auxiliary name servers jointly provide resolution service to users, which guarantees that users can still use the Internet normally from the moment the primary name server comes under attack until the attack is cleared.
Detailed description of the invention
Fig. 1 is a flow diagram of the DNS attack defense method of Embodiment 1 of the present invention;
Fig. 2 is a schematic block diagram of the DNS attack defense system of Embodiment 2 of the present invention;
wherein the reference numerals are as follows:
10, attack source detection unit; 11, actual number statistics module; 12, predicted number calculation module; 13, attack source locking module; 14, attack source filtering module; 20, use state monitoring unit; 30, switch control unit; 40, primary name server; 50, auxiliary name server.
Specific embodiment
To enable those skilled in the art to better understand the technical solution of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments.
Embodiment 1:
This embodiment provides a DNS attack defense method that can accurately lock onto the IP address launching an attack and the port it uses, and filter that port.
Fig. 1 is a flow diagram of the DNS attack defense method of this embodiment. As shown in Fig. 1, the method comprises the following steps:
Step S1: counting the actual number N of domain name resolution requests that each IP address sends to the primary name server per day, and the actual number N_p that each port of each IP address sends to the primary name server per day.
One primary name server serves many users, and these users have private-network IP addresses; a private address must go through a public-network IP address to reach the primary name server for resolution. In this step, the actual number N of resolution requests each IP address sends to the primary name server per day is counted; for example, the actual number sent on day c by the d-th public IP address is written N_cd. Likewise, the actual number N_p of resolution requests each port of each IP address sends to the primary name server per day is counted; for example, the actual number sent on day c by the p-th port of the d-th public IP address is written N_pcd.
In this way, the actual number of resolution requests that each IP address and each of its ports sends to the primary name server per day is clearly recorded.
Step S2: calculating, from N and N_p, the predicted number N_f of resolution requests that each IP address sends to the primary name server per day and the predicted number N_pf that each port of each IP address sends to the primary name server per day.
From the daily recorded actual number N of resolution requests sent by an IP address, the predicted number N_f it will send on the following day is calculated; correspondingly, the predicted number N_f(c+1) of resolution requests the IP address sends to the primary name server on day c+1 is calculated as:
$N_{f(c+1)} = M_1 N_1 + M_2 N_2 + \dots + M_c N_c \quad (1)$
where N_c is the actual number of resolution requests the IP address sent to the primary name server on day c, M_c is the weight of N_c, and M_1 + M_2 + … + M_c = 1.
Specifically, the predicted number of resolution requests sent on day c+1 by the d-th public IP address is written N_f(c+1)d and is calculated as:
$N_{f(c+1)d} = M_1 N_{1d} + M_2 N_{2d} + \dots + M_c N_{cd} \quad (2)$
where N_cd is the actual number of resolution requests the d-th IP address sent to the primary name server on day c.
From formulas (1) and (2), the predicted number N_f of resolution requests each IP address sends per day can be calculated.
From the daily recorded actual number N_p of resolution requests sent by a port, the predicted number N_pf it will send on the following day is calculated; correspondingly, the predicted number N_pf(c+1) of resolution requests the port sends to the primary name server on day c+1 is calculated as:
$N_{pf(c+1)} = W_1 N_{p1} + W_2 N_{p2} + \dots + W_c N_{pc} \quad (3)$
where N_pc is the actual number of resolution requests the port sent to the primary name server on day c, W_c is the weight of N_pc, and W_1 + W_2 + … + W_c = 1.
Specifically, the predicted number of resolution requests sent on day c+1 by the p-th port of the d-th public IP address is written N_pf(c+1)d and is calculated as:
$N_{pf(c+1)d} = W_1 N_{p1d} + W_2 N_{p2d} + \dots + W_c N_{pcd} \quad (4)$
where N_pcd is the actual number of resolution requests the p-th port of the d-th public IP address sent to the primary name server on day c.
From formulas (3) and (4), the predicted number N_pf of resolution requests each port sends per day can be calculated.
In addition, so that the predicted number N_f(c+1)d for the d-th public IP address on day c+1 comes close to the actual number N_(c+1)d for that address on day c+1, it is preferable that M_c grow with c, which improves the precision of the prediction.
Similarly, so that the predicted number N_pf(c+1)d for the p-th port of the d-th public IP address on day c+1 comes as close as possible to the actual number N_p(c+1)d for that port on day c+1, it is preferable that W_c grow with c, which improves the precision of the prediction.
Step S3: presetting an attack decision threshold; judging from N_f whether the IP address is attacking the primary name server; and, where the IP address is attacking the primary name server, judging from the N_pf of each of its ports whether that port is attacking the primary name server.
Specifically, the preset attack decision threshold comprises a first quantity threshold t and a second quantity threshold u, whose sizes can be set flexibly according to the scenario in which the method is used.
Judging whether the IP address is attacking the primary name server comprises: calculating N - N_f for each IP address and, if N - N_f > t, determining that the IP address is attacking the primary name server.
Judging whether the port is attacking the primary name server comprises: calculating N_p - N_pf for each port of the IP address and, if N_p - N_pf > u, determining that the port is attacking the primary name server.
By the above steps, the IP address launching the attack is found first, and then the port of that address from which the attack is launched is further locked onto, so that the attack source is located precisely.
Step S4: filtering the ports that are attacking the primary name server, so as to reduce the use state value of the primary name server.
On the basis of step S3, this step filters the ports attacking the primary name server, which reduces the use state value of the primary name server and restores its performance.
To guarantee that the users served by the primary name server can always receive domain name resolution service normally, at least one auxiliary name server is connected in parallel with the primary name server, and the use state value of the primary name server is monitored in real time; when the use state value of the primary name server exceeds the use threshold, the auxiliary name servers are started in sequence so that the primary name server and the auxiliary name servers jointly provide resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, the auxiliary name servers are switched off in sequence; wherein the use state value of the primary name server is calculated as:
$r = q_1 p_1 + q_2 p_2 + q_3 p_3$
where r is the use state value of the primary name server, q_1 is the use ratio parameter of the CPU of the primary name server and p_1 the proportion assigned to that parameter, q_2 is the use ratio parameter of the memory of the primary name server and p_2 the proportion assigned to it, and q_3 is the use ratio parameter of the bandwidth of the primary name server and p_3 the proportion assigned to it.
Let the use threshold be s; its specific value is determined by the operating environment. When r > s, the performance of the primary name server has degraded, so the auxiliary name servers are started in sequence, adding bandwidth accordingly; when r ≤ s, the performance of the primary name server has recovered, so the auxiliary name servers are switched off in sequence, reducing bandwidth accordingly.
In addition, even when the primary name server is not under attack, growth in the number of users it serves or in how often they access the Internet may also push the use state value of the primary name server above the use threshold. In that case the first auxiliary name server is started first, adding bandwidth; if the use state value of the primary name server is still above the use threshold, the second auxiliary name server is started in turn, adding more bandwidth, so that all users can use the Internet normally. When the use state value of the primary name server gradually falls, the second and then the first auxiliary name server are switched off in turn.
The DNS attack defense method of this embodiment determines, from N_f, N_pf and the attack decision threshold, whether the IP address and the port are attacking the primary name server. Compared with the prior art, which judges whether the primary name server is under attack only from the counted actual number and a preset threshold, this determines more accurately whether the primary name server is under attack and avoids mistaking a normal user for an attacker and thereby cutting off that user's normal Internet access. Second, when the primary name server is under attack and its use state value is no less than the use threshold, the auxiliary name servers are started in sequence so that the primary name server and the auxiliary name servers jointly provide resolution service to users, which guarantees that users can still use the Internet normally from the moment the primary name server comes under attack until the attack is cleared.
Embodiment 2:
The present embodiment provides a kind of system of DNS defensive attack, which is the equipment for realizing the method for embodiment 1.Fig. 2 For the composition schematic block diagram of the system of the DNS defensive attack of the present embodiment, as shown in Fig. 2, the system includes and primary Domain Name Service The connected attack source probe unit 10 of device 40, attack source probe unit 10 include actual quantity statistical module 11, predicted quantity meter Calculate module 12, attack source locking module 13 and attack source filtering module 14, in which:
Actual quantity statistical module 11 is for counting the domain name solution that each IP address is sent to primary name server 40 daily Each port of the actual quantity N and each IP address that analyse request are sent to the domain name mapping of primary name server 40 daily The actual quantity N of requestp
For example, p-th of port of the c days d-th public network IP address is sent to the domain name mapping request of primary name server Actual quantity can be denoted as Npcd.Actual quantity statistical module can the clearly each IP address of statistic record and its each port It is sent to the actual quantity of the domain name mapping request of primary name server daily.
Predicted quantity computing module 12 is used for according to actual quantity N and actual quantity Np, calculate each IP address and send out daily It send to the predicted quantity N of the domain name mapping request of primary name serverfAnd each port of each IP address is sent to daily The predicted quantity N of the domain name mapping request of primary name serverpf
Predicted quantity computing module 12 calculates IP address the and is sent within c+1 days what the domain name mapping of primary name server was requested Predicted quantity Nf(c+1)Used formula are as follows:
Nf(c+1)=M1*N1+M2*N2+…+Mc*Nc
In formula, NcThe actual quantity of the domain name mapping request of primary name server, M are sent within c days for IP address thecFor Nc Weight parameter, M1+M2+…+Mc=1.
Predicted quantity computing module 12 calculate port the be sent within c+1 days primary name server domain name mapping request it is pre- Quantitation Npf(c+1)Used formula are as follows:
Npf(c+1)=W1*Np1+W2*Np2+…+Wc*Npc
In formula, NpcThe actual quantity of the domain name mapping request of primary name server, W are sent within c days for port thecFor Npc's Weight parameter, W1+W2+…+Wc=1.
According to above-mentioned formula, the predicted quantity N that each IP address sends domain name analysis request daily can be calculatedfAnd Each port sends the predicted quantity N of domain name analysis request dailypf
The attack source locking module 13 presets an attack decision threshold, judges from the predicted number $N_f$ whether the IP address is attacking the primary name server, and, where the IP address is attacking the primary name server, judges from the $N_{pf}$ of each port of that IP address whether the port is attacking the primary name server.
The attack decision threshold preset by the attack source locking module 13 includes a first quantity threshold t and a second quantity threshold u. The specific sizes of t and u can be set flexibly according to the scenario in which the method is used.
Judging whether an IP address is attacking the primary name server consists of calculating $N - N_f$ for each IP address; if $N - N_f > t$, the IP address is judged to be attacking the primary name server.
Judging whether a port is attacking the primary name server consists of calculating $N_p - N_{pf}$ for each port of the IP address; if $N_p - N_{pf} > u$, the port is judged to be attacking the primary name server.
Following the above judgment, the attack source locking module 13 can first find the IP address launching the attack and then further lock onto the port within that IP address from which the attack is launched, so as to locate the attack source precisely.
The attack source filtering module 14 filters the ports that attack the primary name server, so as to reduce the use state value of the primary name server.
After the attack source locking module 13 has locked onto the attacking IP address and its ports, the attack source filtering module 14 filters the ports that attack the primary name server, which reduces the use state value of the primary name server, that is, restores the performance of the primary name server.
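The two-stage decision described above, as an added example that is not code from the patent: it forms the weighted predictions $N_f$ and $N_{pf}$ from c days of history, applies the t threshold per IP address and then the u threshold per port of a flagged address, and returns the (address, port) pairs that the filtering module would block. The daily counts, the weights, the thresholds and the documentation-range addresses are all constructed for the example; the patent fixes none of them, and it is an assumption here that "port" means the source port seen on the address's requests.

```python
"""Two-stage attack-source locking (IP address first, then port).

Added example; not code from the patent. Assumptions not fixed by the
patent text: daily counts are held in dicts keyed by IP and by (IP, port),
the weights M_i / W_i are caller-supplied and must sum to 1, and t, u are
caller-chosen. Addresses and counts below are constructed sample data.
"""
from typing import Dict, List, Sequence, Tuple


def predicted_count(history: Sequence[float], weights: Sequence[float]) -> float:
    """N_f(c+1) = M_1*N_1 + ... + M_c*N_c; the same form gives N_pf with W_i."""
    if len(history) != len(weights):
        raise ValueError("need exactly one weight per day of history")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(m * n for m, n in zip(weights, history))


def lock_attack_sources(
    ip_counts: Dict[str, List[float]],
    port_counts: Dict[Tuple[str, int], List[float]],
    ip_weights: Sequence[float],
    port_weights: Sequence[float],
    t: float,
    u: float,
) -> Dict[str, List[int]]:
    """Return {attacking IP: sorted list of its attacking ports}.

    Each count list holds the c days of history followed by the observed
    count for the day under test (N or N_p). Ports are only examined for an
    IP address already judged to be attacking, as in the embodiment.
    """
    locked: Dict[str, List[int]] = {}
    for ip, counts in ip_counts.items():
        *history, n_today = counts
        n_f = predicted_count(history, ip_weights)
        if n_today - n_f <= t:          # stage 1: N - N_f > t marks the IP
            continue
        ports = []
        for (pip, port), pcounts in port_counts.items():
            if pip != ip:
                continue
            *phistory, np_today = pcounts
            np_f = predicted_count(phistory, port_weights)
            if np_today - np_f > u:     # stage 2: N_p - N_pf > u marks the port
                ports.append(port)
        locked[ip] = sorted(ports)
    return locked


# Constructed sample data: c = 3 days of history plus the day under test.
# Weights favour recent days; they are an assumption, not a patent value.
IP_WEIGHTS = (0.2, 0.3, 0.5)
PORT_WEIGHTS = (0.2, 0.3, 0.5)
T_THRESHOLD = 300.0
U_THRESHOLD = 200.0
SAMPLE_IP_COUNTS = {
    "198.51.100.7": [100, 110, 120, 900],   # sudden jump: N - N_f = 787
    "203.0.113.5": [200, 210, 220, 250],    # within forecast: N - N_f = 37
}
SAMPLE_PORT_COUNTS = {
    ("198.51.100.7", 40001): [50, 55, 60, 800],  # this port carries the surge
    ("198.51.100.7", 40002): [50, 55, 60, 100],  # normal port on the same IP
    ("203.0.113.5", 40001): [200, 210, 220, 250],
}


def demo() -> Dict[str, List[int]]:
    """Run the sample through both stages; expected {'198.51.100.7': [40001]}."""
    return lock_attack_sources(SAMPLE_IP_COUNTS, SAMPLE_PORT_COUNTS,
                               IP_WEIGHTS, PORT_WEIGHTS, T_THRESHOLD, U_THRESHOLD)


if __name__ == "__main__":
    for ip, ports in demo().items():
        print(f"filter {ip} ports {ports}")
```

Only the port that carries the surge is returned, even though the address as a whole was flagged, which is the point of the second stage: the other port on the same address keeps resolving. In a deployment, t and u would be tuned per scenario as the text says, and the decision would be re-run for each new day of counts.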
To ensure that the users administered by the primary name server can always receive domain name resolution service normally, at least one auxiliary name server 50 is connected in parallel to the primary name server; correspondingly, the system further includes a use state monitoring unit 20 and a switch control unit 30, in which:
the use state monitoring unit 20 is connected to the primary name server 40 and monitors the use state value of the primary name server in real time;
the switch control unit 30 is connected to the auxiliary name server 50 and the use state monitoring unit 20; when the use state value of the primary name server 40 exceeds the use threshold, it sequentially activates the auxiliary name servers 50, so that the primary name server 40 and the auxiliary name servers 50 jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, it sequentially switches the auxiliary name servers 50 off. The use state value of the primary name server 40 is calculated by the formula:
$r = q_1 p_1 + q_2 p_2 + q_3 p_3$
In the formula, r is the use state value of the primary name server, $q_1$ is the CPU usage ratio parameter of the primary name server, $p_1$ is the weight of the CPU usage ratio parameter, $q_2$ is the memory usage ratio parameter of the primary name server, $p_2$ is the weight of the memory usage ratio parameter, $q_3$ is the bandwidth usage ratio parameter of the primary name server, and $p_3$ is the weight of the bandwidth usage ratio parameter.
Let the use threshold be s; its specific value is determined according to the operating environment. When r > s, the performance of the primary name server has degraded, so the switch control unit 30 sequentially activates auxiliary name servers, correspondingly increasing bandwidth; when r ≤ s, the performance of the primary name server has recovered, so the switch control unit 30 sequentially switches off the auxiliary name servers, correspondingly reducing bandwidth.
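The use state value and the switch control rule above, as an added example that is not the patent's code: it computes r from the three usage ratios and their weights, brings auxiliary servers up one at a time while r > s, and releases them one at a time once the attacking ports are filtered and r ≤ s. The weights $p_i$, the threshold s, the auxiliary server names and the resource readings are constructed; the patent does not say how "sequentially" is paced, so one server per monitoring sample is an assumption of this example.

```python
"""Use state value r = q1*p1 + q2*p2 + q3*p3 and the switch control rule.

Added example; not code from the patent. The weights p_i, the use threshold
s, the auxiliary server names and the resource readings are constructed.
The patent does not say how "sequentially" is paced, so this example
brings up or releases one auxiliary server per monitoring sample.
"""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

Ratios = Tuple[float, float, float]   # (CPU, memory, bandwidth) usage, each in [0, 1]


def use_state_value(q: Ratios, p: Ratios) -> float:
    """r = q1*p1 + q2*p2 + q3*p3 with the weights p summing to 1."""
    if any(not 0.0 <= qi <= 1.0 for qi in q):
        raise ValueError("usage ratios must lie in [0, 1]")
    if abs(sum(p) - 1.0) > 1e-9:
        raise ValueError("weights p1+p2+p3 must equal 1")
    return sum(qi * pi for qi, pi in zip(q, p))


@dataclass
class SwitchControl:
    """Switch control unit 30: activates/deactivates auxiliary servers by r vs s."""
    s: float                              # use threshold s
    auxiliary: Sequence[str]              # auxiliary servers in activation order
    active: List[str] = field(default_factory=list)

    def step(self, r: float, attack_ports_filtered: bool) -> List[str]:
        """Apply one monitoring sample and return the active auxiliaries."""
        if r > self.s:
            # r > s: performance has degraded, bring up the next auxiliary (if any)
            if len(self.active) < len(self.auxiliary):
                self.active.append(self.auxiliary[len(self.active)])
        elif attack_ports_filtered and self.active:
            # attack ports filtered and r <= s: performance recovered, release one
            self.active.pop()
        return list(self.active)


# Constructed scenario: weights and threshold are assumptions, not patent values.
P_WEIGHTS: Ratios = (0.4, 0.3, 0.3)
S_THRESHOLD = 0.7
SAMPLE_READINGS = [
    ((0.95, 0.80, 0.90), False),   # under attack, ports not yet filtered: r = 0.89
    ((0.90, 0.85, 0.95), False),   # still overloaded: r = 0.90
    ((0.50, 0.40, 0.45), True),    # ports filtered, load back down: r = 0.455
    ((0.50, 0.40, 0.45), True),    # stays recovered
]


def demo() -> List[List[str]]:
    """Replay the readings; returns the active auxiliary list after each sample."""
    ctl = SwitchControl(S_THRESHOLD, ["aux-dns-1", "aux-dns-2"])
    return [ctl.step(use_state_value(q, P_WEIGHTS), filtered)
            for q, filtered in SAMPLE_READINGS]


if __name__ == "__main__":
    for active in demo():
        print("active auxiliaries:", active)
```

Gating the switch-off on the filtering step, not on r alone, matters: without it a brief dip in load during an ongoing attack would release capacity that is still needed. A production controller would also add a minimum dwell time so that r hovering around s does not flap servers on and off.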
The DNS attack defense system of this embodiment can, first, determine more accurately whether the primary name server is under attack, avoiding mistaking normal users for attackers and thereby denying them normal use of the internet; and second, when the primary name server is under attack and its use state value has reached or exceeded the use threshold, sequentially activate auxiliary name servers so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users, guaranteeing that users can still use the internet normally from the time the primary name server comes under attack until the attack is removed.
It is to be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the invention, and the invention is not limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and essence of the invention, and these changes and modifications are also considered to fall within the protection scope of the invention.

Claims (10)

1. A method of DNS attack defense, characterized by comprising:
counting the actual number N of domain name resolution requests that each IP address sends to the primary name server per day and the actual number $N_p$ of domain name resolution requests that each port of each IP address sends to the primary name server per day;
calculating, from the actual number N and the actual number $N_p$, the predicted number $N_f$ of domain name resolution requests that each IP address sends to the primary name server per day and the predicted number $N_{pf}$ of domain name resolution requests that each port of each IP address sends to the primary name server per day;
presetting an attack decision threshold; judging from the predicted number $N_f$ whether the IP address is attacking the primary name server; and, where the IP address is attacking the primary name server, judging from the $N_{pf}$ of each port of the IP address whether the port is attacking the primary name server;
filtering the ports that attack the primary name server, so as to reduce the use state value of the primary name server.
2. the method for DNS defensive attack according to claim 1, which is characterized in that preset attacks results decision threshold values includes First quantity threshold values t and the second quantity threshold values u,
Judging whether the IP address issues attack to primary name server includes: the N-N for calculating each IP addressfIf N-Nf> t, Then determine that the IP address is issued to primary name server to attack;
And judging whether the port issues attack to primary name server includes: the N for calculating each port of the IP addressp- NpfIf Np-Npf> u then determines that the port is issued to primary name server and attacks.
3. the method for DNS defensive attack according to claim 1, which is characterized in that IP address is sent to main domain for c+1 days The predicted quantity N of the domain name mapping request of name serverf(c+1)Calculation formula are as follows:
Nf(c+1)=M1*N1+M2*N2+…+Mc*Nc
In formula, NcThe actual quantity of the domain name mapping request of primary name server, M are sent within c days for IP address thecFor NcPower Weight parameter, M1+M2+…+Mc=1.
4. the method for DNS defensive attack according to claim 1, which is characterized in that port is sent to Main Domain in c+1 days The predicted quantity N of the domain name mapping request of serverpf(c+1)Calculation formula are as follows:
Npf(c+1)=W1*Np1+W2*Np2+…+Wc*Npc
In formula, NpcThe actual quantity of the domain name mapping request of primary name server, W are sent within c days for port thecFor NpcWeight Parameter, W1+W2+…+Wc=1.
5. the method for DNS defensive attack according to claim 1, which is characterized in that further include:
The use state value of real-time monitoring primary name server uses threshold values when the use state value of primary name server is greater than When, then it sequentially activates and assists name server, primary name server and auxiliary name server is made to provide domain name jointly for user Analysis service;
After filtering issues the port of attack to primary name server and the use state value of primary name server is less than or equal to Using threshold values, then auxiliary name server is sequentially switched off;Wherein, the calculation formula of the use state value of primary name server are as follows:
R=q1*p1+q2*p2+q3*p3
In formula, r is the use state value of primary name server, q1For the use ratio parameter of the CPU of primary name server, p1For Specific gravity shared by the use ratio parameter of CPU, q2For the use ratio parameter of the memory of primary name server, p2For making for memory The specific gravity shared by scale parameter, q3For the use ratio parameter of the bandwidth of primary name server, p3Join for the use ratio of bandwidth The shared specific gravity of number.
6. A system of DNS attack defense, characterized by including an attack source probe unit, the attack source probe unit including an actual quantity statistical module, a predicted quantity computing module, an attack source locking module and an attack source filtering module, in which:
the actual quantity statistical module counts the actual number N of domain name resolution requests that each IP address sends to the primary name server per day and the actual number $N_p$ of domain name resolution requests that each port of each IP address sends to the primary name server per day;
the predicted quantity computing module calculates, from the actual number N and the actual number $N_p$, the predicted number $N_f$ of domain name resolution requests that each IP address sends to the primary name server per day and the predicted number $N_{pf}$ of domain name resolution requests that each port of each IP address sends to the primary name server per day;
the attack source locking module presets an attack decision threshold, judges from the predicted number $N_f$ whether the IP address is attacking the primary name server, and, where the IP address is attacking the primary name server, judges from the $N_{pf}$ of each port of the IP address whether the port is attacking the primary name server;
the attack source filtering module filters the ports that attack the primary name server, so as to reduce the use state value of the primary name server.
7. The system of DNS attack defense according to claim 6, characterized in that the attack decision threshold preset by the attack source locking module includes a first quantity threshold t and a second quantity threshold u,
judging whether the IP address is attacking the primary name server includes: calculating $N - N_f$ for each IP address; if $N - N_f > t$, the IP address is judged to be attacking the primary name server;
and judging whether the port is attacking the primary name server includes: calculating $N_p - N_{pf}$ for each port of the IP address; if $N_p - N_{pf} > u$, the port is judged to be attacking the primary name server.
8. The system of DNS attack defense according to claim 6, characterized in that the formula used by the predicted quantity computing module to calculate the predicted number $N_{f(c+1)}$ of domain name resolution requests that the IP address sends to the primary name server on day c+1 is:
$N_{f(c+1)} = M_1 N_1 + M_2 N_2 + \dots + M_c N_c$
where $N_c$ is the actual number of domain name resolution requests that the IP address sent to the primary name server on day c, $M_c$ is the weight parameter of $N_c$, and $M_1 + M_2 + \dots + M_c = 1$.
9. The system of DNS attack defense according to claim 6, characterized in that the formula used by the predicted quantity computing module to calculate the predicted number $N_{pf(c+1)}$ of domain name resolution requests that the port sends to the primary name server on day c+1 is:
$N_{pf(c+1)} = W_1 N_{p1} + W_2 N_{p2} + \dots + W_c N_{pc}$
where $N_{pc}$ is the actual number of domain name resolution requests that the port sent to the primary name server on day c, $W_c$ is the weight parameter of $N_{pc}$, and $W_1 + W_2 + \dots + W_c = 1$.
10. The system of DNS attack defense according to claim 6, characterized by further including a use state monitoring unit and a switch control unit, in which:
the use state monitoring unit is connected to the primary name server and monitors the use state value of the primary name server in real time;
the switch control unit is connected to the auxiliary name server and the use state monitoring unit; when the use state value of the primary name server exceeds a use threshold, it sequentially activates auxiliary name servers so that the primary name server and the auxiliary name servers jointly provide domain name resolution service to users;
after the ports attacking the primary name server have been filtered and the use state value of the primary name server is less than or equal to the use threshold, it sequentially switches off the auxiliary name servers; wherein the use state value of the primary name server is calculated by the formula:
$r = q_1 p_1 + q_2 p_2 + q_3 p_3$
where r is the use state value of the primary name server, $q_1$ is the CPU usage ratio parameter of the primary name server, $p_1$ is the weight of the CPU usage ratio parameter, $q_2$ is the memory usage ratio parameter of the primary name server, $p_2$ is the weight of the memory usage ratio parameter, $q_3$ is the bandwidth usage ratio parameter of the primary name server, and $p_3$ is the weight of the bandwidth usage ratio parameter.
CN201610317345.9A 2016-05-12 2016-05-12 A kind of method and system of DNS defensive attack Active CN105847281B (en)

Publications (2)

Publication Number Publication Date
CN105847281A CN105847281A (en) 2016-08-10
CN105847281B true CN105847281B (en) 2019-02-19
