Network attack defence method based on a DNS intelligent resolution system
Technical field
The present invention relates to network attack defence methods, and specifically to a network attack defence method based on a DNS intelligent resolution system.
Background technology
With the development of computer networking technology the reach of computer networks has grown rapidly, but alongside improved resource sharing this has also brought network security problems. As attack techniques develop, computer network security faces ever greater threats. For the attack types that currently predominate, namely DoS (denial-of-service) attacks, program attacks, spoofing attacks and attacks on weaknesses in network protocols, relatively mature defence methods already exist. The existing defence mechanisms, however, have significant drawbacks:
1. Different services often share the same domain name and even the same device port, so they cannot be isolated from one another;
2. Network attack defence equipment has already consumed access bandwidth by the time an attack is detected; under a flood or DoS attack the traffic volume surges and, in serious cases, directly blocks the upstream physical switch;
3. Expensive layer-7 equipment must be used to perform deep inspection of packets before attack requests can be distinguished from normal requests, adding to the cost of traffic cleaning;
4. The features that distinguish attack requests from normal requests generally require manual analysis, so a deployed defence takes effect slowly.
Summary of the invention
In view of the above problems in the prior art, the present invention provides a network attack defence method based on a DNS intelligent resolution system.
The network attack defence method based on a DNS intelligent resolution system provided by the present invention includes the following steps:
collecting network service requests, and using a service subdomain auto-configuration module to allocate a corresponding subdomain to each different network service request;
judging whether this subdomain is present in an attack subdomain blacklist database; if so, refusing the network service request; otherwise, performing IP-region resolution on the network service request with a DNS IP-region resolution module to obtain the corresponding IP region;
judging whether this IP region is present in an attack IP-region blacklist database; if so, refusing the network service request; otherwise, filtering the network service request with a DNS resolution configuration module to obtain the request information;
judging whether this request information is present in an attack pattern database; if so, determining that the request information is an attack request and refusing the network service request; otherwise, allowing the network service request to proceed normally.
Further preferably, the method also includes:
when the subdomain is present in the attack subdomain blacklist database, sending an early-warning signal via an attack detection and warning module.
Further preferably, the method also includes:
when the IP region is present in the attack IP-region blacklist database, sending an early-warning signal via the attack detection and warning module.
Further preferably, the method also includes:
the DNS resolution configuration module obtaining the request information using a distributed, highly available DNS endpoint.
Further preferably, the method also includes:
when the request information is determined to be an attack request, storing the subdomain corresponding to the request information in the attack subdomain blacklist database, storing the IP region corresponding to the request information in the attack IP-region blacklist database, and sending an early-warning signal via the attack detection and warning module.
In the network attack defence method based on a DNS intelligent resolution system of the present invention, the service subdomain auto-configuration module allocates a corresponding subdomain to each network service request, which achieves service isolation. Using the subdomain obtained by DNS resolution, attacks are filtered directly at the distributed, highly available DNS endpoint, so attack requests no longer enter the server cluster and consume its bandwidth. Only DNS IP-region resolution is required, so provinces and cities where no attack is occurring can still be served normally; the time for a rule to take effect is reduced to seconds by configuration, and no layer-7 switching is needed. Once attack and normal requests have been rapidly separated, the attack requests can be analysed on their own, reducing the resource cost of request pattern recognition.
Description of the drawings
Fig. 1 is a flow chart of one embodiment of the network attack defence method based on a DNS intelligent resolution system provided by the present invention;
Fig. 2 is a flow chart of a preferred embodiment of the network attack defence method based on a DNS intelligent resolution system provided by the present invention.
Detailed description of the invention
The network attack defence method based on a DNS intelligent resolution system of the present invention is described in detail below with reference to Fig. 1 and Fig. 2.
As shown in Fig. 1, the network attack defence method based on a DNS intelligent resolution system includes the following steps:
Step 11: collect network service requests;
Step 12: use the service subdomain auto-configuration module to allocate a corresponding subdomain to each different network service request;
Step 13: judge whether this subdomain is present in the attack subdomain blacklist database; if so, perform step 20; otherwise continue to the next step;
Step 14: use the DNS IP-region resolution module to perform IP-region resolution on the network service request and obtain the corresponding IP region;
Step 15: judge whether this IP region is present in the attack IP-region blacklist database; if so, perform step 20; otherwise perform the next step;
Step 16: use the DNS resolution configuration module to filter the network service request and obtain the request information;
Step 17: judge whether this request information is present in the attack pattern database; if so, perform step 19; otherwise continue to the next step;
Step 18: allow the network service request to proceed normally, and end the flow;
Step 19: determine that the request information is an attack request;
Step 20: refuse the network service request.
The effects of the method of this embodiment are those set out in the summary above: service isolation through per-service subdomains; filtering of attacks at the distributed, highly available DNS endpoint, so that attack requests do not enter the server cluster and consume its bandwidth; continued normal service to provinces and cities where no attack is occurring; rule effect times reduced to seconds without layer-7 switching; and a lower resource cost for request pattern recognition, because attack requests can be analysed separately once they have been split from normal requests.
Fig. 2 is a flow chart of a preferred embodiment of the network attack defence method based on a DNS intelligent resolution system provided by the present invention. As shown in Fig. 2, the method includes the following steps:
Step 21: collect network service requests;
Step 22: use the service subdomain auto-configuration module to allocate a corresponding subdomain to each different network service request;
Step 23: judge whether this subdomain is present in the attack subdomain blacklist database; if so, perform step 31; otherwise continue to the next step;
Step 24: use the DNS IP-region resolution module to perform IP-region resolution on the network service request and obtain the corresponding IP region;
Step 25: judge whether this IP region is present in the attack IP-region blacklist database; if so, perform step 31; otherwise perform the next step;
Step 26: use the DNS resolution configuration module to filter the network service request and obtain the request information;
In a specific implementation, the DNS resolution configuration module obtains the request information using a distributed, highly available DNS endpoint.
Step 27: judge whether this request information is present in the attack pattern database; if so, perform step 29; otherwise continue to the next step;
Step 28: allow the network service request to proceed normally, and end the flow;
Step 29: determine that the request information is an attack request, and perform the next step;
Step 30: store the subdomain corresponding to the request information in the attack subdomain blacklist database, and store the IP region corresponding to the request information in the attack IP-region blacklist database;
Step 31: send an early-warning signal via the attack detection and warning module;
Step 32: refuse the network service request, and end the flow.
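To make the flow of steps 21 to 32 concrete (the summary steps and the Fig. 1 flow are the same pipeline without the learning and warning steps), the following is an added example written for this edit; it is not code from the patent or from any product implementing it. Each module is modelled as a small function over constructed data: the service subdomain module allocates `<service>.example.com`, IP-region resolution is a toy GeoIP table over RFC 5737 documentation prefixes labelled with made-up region names, the "request information" is simply the request line, and the attack pattern database is a handful of substrings. The zone name, prefixes, region names, patterns and request samples are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

ZONE = "example.com"  # assumed zone under which the service subdomain module allocates names


def assign_subdomain(service: str) -> str:
    """Service subdomain auto-configuration module (steps 21-22): one name per service,
    so a blacklist entry for one service's name leaves the other services untouched."""
    return f"{service.lower()}.{ZONE}"


# DNS IP-region resolution module: constructed GeoIP-style table (RFC 5737 prefixes,
# made-up region labels standing in for provinces/cities).
IP_REGIONS = [
    (ipaddress.ip_network("203.0.113.0/24"), "province-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "province-b"),
    (ipaddress.ip_network("192.0.2.0/24"), "province-c"),
]


def resolve_region(src_ip: str) -> str:
    """Step 24: map the requester's address to an IP region."""
    addr = ipaddress.ip_address(src_ip)
    for net, region in IP_REGIONS:
        if addr in net:
            return region
    return "unknown"


@dataclass
class Request:
    service: str  # which network service is being requested
    src_ip: str   # requester address, input to IP-region resolution
    info: str     # request information as filtered by the DNS resolution configuration module


@dataclass
class DnsDefence:
    subdomain_blacklist: set = field(default_factory=set)   # attack subdomain blacklist database
    region_blacklist: set = field(default_factory=set)      # attack IP-region blacklist database
    attack_patterns: tuple = ("' OR 1=1", "../", "<script")  # constructed attack pattern database
    alerts: list = field(default_factory=list)              # early-warning signals (step 31)

    def warn(self, msg: str) -> None:
        self.alerts.append(msg)

    def handle(self, req: Request) -> tuple:
        """Return (decision, reason) for one request, following steps 21-32."""
        subdomain = assign_subdomain(req.service)            # steps 21-22
        if subdomain in self.subdomain_blacklist:             # step 23 -> step 31/32
            self.warn(f"blacklisted subdomain {subdomain}")
            return "DENY", "subdomain-blacklist"
        region = resolve_region(req.src_ip)                   # step 24
        if region in self.region_blacklist:                   # step 25 -> step 31/32
            self.warn(f"blacklisted region {region}")
            return "DENY", "region-blacklist"
        info = req.info                                       # step 26
        if any(p in info for p in self.attack_patterns):      # step 27 -> step 29
            self.subdomain_blacklist.add(subdomain)           # step 30: learn both keys
            self.region_blacklist.add(region)
            self.warn(f"attack on {subdomain} from {region}") # step 31
            return "DENY", "attack-pattern"                   # step 32
        return "ALLOW", "normal"                              # step 28


def run_demo() -> tuple:
    """Constructed request sequence showing isolation and the learning side effects."""
    d = DnsDefence()
    results = [
        d.handle(Request("pay", "203.0.113.10", "GET /pay?id=7")),          # clean -> ALLOW
        d.handle(Request("pay", "203.0.113.10", "GET /pay?id=1' OR 1=1")),  # attack -> learn pay + province-a
        d.handle(Request("pay", "198.51.100.5", "GET /pay?id=7")),          # pay blacklisted everywhere
        d.handle(Request("login", "203.0.113.20", "GET /login")),           # province-a blacklisted for all services
        d.handle(Request("login", "198.51.100.5", "GET /login")),           # isolated service, clean region -> ALLOW
    ]
    return d, results


if __name__ == "__main__":
    defence, outcome = run_demo()
    for decision in outcome:
        print(decision)
    for alert in defence.alerts:
        print("WARN:", alert)
```

Running `run_demo()` shows the isolation the method claims (after the attack on `pay`, a `login` request from an untouched region is still served) but also the collateral cost of step 30 as written: a single matched request blacklists the whole `pay` subdomain for every region and every service for `province-a`, so a legitimate `login` request from that region is refused. A deployment would normally key the blacklist on the (subdomain, region) pair and apply a threshold before learning. Note also that a refusal enforced at the DNS layer reaches clients only once any cached record's TTL has expired, so the effect time of seconds quoted above is achievable only with correspondingly short TTLs.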
As the above shows, embodiment two (Fig. 2) is essentially the same as embodiment one (Fig. 1); in addition to the effects of embodiment one, embodiment two has the following effects:
(1) When the subdomain is present in the attack subdomain blacklist database, when the IP region is present in the attack IP-region blacklist database, and when the request information is determined to be an attack request, an early-warning signal is sent via the attack detection and warning module, so that users or designers can be alerted promptly.
(2) When the request information is determined to be an attack request, the subdomain corresponding to the request information is stored in the attack subdomain blacklist database and the IP region corresponding to the request information is stored in the attack IP-region blacklist database. Because the subdomain and IP region of every detected attack request are recorded in this way, the attack subdomain blacklist database and the attack IP-region blacklist database are continuously updated.
It should be noted here that the network attack defence method based on a DNS intelligent resolution system of the present invention can be used for complex enterprise-level services, so that when a single service is under malicious attack, normal requests can still be served; and in scenarios where service requests differ by province or city, services can be scheduled intelligently according to the province or city of the requester.
As will be understood from the technical knowledge in the field, the present invention may be realised by other embodiments without departing from its spirit or essential features. Accordingly, the embodiments disclosed above are in all respects illustrative only and not limiting. All changes within the scope of the present invention or within the scope equivalent to the present invention are included in the present invention.