CN105991557A - Network attack defense method based on DNS intelligent analysis system - Google Patents


Info

Publication number: CN105991557A
Authority: CN (China)
Legal status: Granted
Application number: CN201510059605.2A
Other languages: Chinese (zh)
Other versions: CN105991557B (en)
Inventor: 洪倍
Current Assignee: Enyike (Beijing) Data Technology Co.,Ltd.
Original Assignee: JINGSHUO CENTURY TECHNOLOGY (BEIJING) Co Ltd
Priority date: 2015-02-05
Filing date: 2015-02-05
Publication date: 2016-10-05

Application filed by JINGSHUO CENTURY TECHNOLOGY (BEIJING) Co Ltd
Priority to CN201510059605.2A
Publication of CN105991557A
Application granted
Publication of CN105991557B
Current legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network attack defense method based on a DNS intelligent analysis system. The network attack defense method comprises the steps: collecting network service requests, and respectively distributing corresponding subdomain names for different network service requests; judging whether a subdomain name exists in an attack subdomain name blacklist database, if so, rejecting the network service request and if not, performing IP region analysis on the network service request to obtain the corresponding IP region; judging whether the IP region exists in an attack IP subdomain name blacklist database, if so, rejecting the network service request and if not, filtering the network service request to obtain the request information; judging whether the request information exists in an attack mode database; if so, determining that the request information is an attack request and rejecting the network service request; and if not, allowing normal operation of the network service request. The network attack defense method based on a DNS intelligent analysis system can individually analyze the attack request after completing quick distribution of attack and normal requests, and can reduce resource consumption for identification of request modes.

Description

Network attack defense method based on DNS intelligent analysis system
Technical field
The present invention relates to network attack defense methods, and in particular to a network attack defense method based on a DNS intelligent analysis system.
Background art
With the development of computer networking technology, computer networks have rapidly become widespread; while this has improved resource sharing, it has also brought network security problems. As network attack techniques develop, computer network security faces great threats. For the main attack types that currently exist, such as DoS denial-of-service attacks, program attacks, electronic spoofing attacks and attacks on weaknesses in network protocols, relatively mature network attack defense methods are available. However, existing defense mechanisms have significant drawbacks:
1. Different services often use the same domain name, or even the same device port;
2. By the time a network attack defense device detects an attack, access bandwidth has already been consumed; in a flood or DoS attack, bandwidth use surges and, in serious cases, directly congests the upstream physical switch;
3. Expensive layer-7 equipment must be used, and attack requests can be distinguished from normal requests only after deep analysis of the packets, which increases the cost of data cleaning;
4. The features that distinguish attack requests from normal requests generally require manual analysis, so deployed defenses are slow to take effect.
Summary of the invention
In view of the above problems in the prior art, the present invention provides a network attack defense method based on a DNS intelligent analysis system.
The network attack defense method based on a DNS intelligent analysis system provided by the present invention comprises the following steps:
Collecting network service requests, and assigning a corresponding subdomain name to each different network service request through the service subdomain name automatic configuration module;
Judging whether the subdomain name exists in the attack subdomain name blacklist database; if so, rejecting the network service request; otherwise, performing IP region resolution on the network service request through the DNS IP region resolution module to obtain the corresponding IP region;
Judging whether the IP region exists in the attack IP subdomain name blacklist database; if so, rejecting the network service request; otherwise, filtering the network service request through the DNS resolution configuration module to obtain the request information;
Judging whether the request information exists in the attack mode database; if so, determining that the request information is an attack request and rejecting the network service request; otherwise, allowing the network service request to run normally.
Further preferably, the method also comprises:
When the subdomain name exists in the attack subdomain name blacklist database, sending an early-warning signal through the attack detection and early-warning module.
Further preferably, the method also comprises:
When the IP region exists in the attack IP subdomain name blacklist database, sending an early-warning signal through the attack detection and early-warning module.
Further preferably, the method also comprises:
The DNS resolution configuration module obtains the request information by using the distributed high-availability DNS end.
Further preferably, the method also comprises:
When the request information is determined to be an attack request, storing the subdomain name corresponding to the request information in the attack subdomain name blacklist database, storing the IP region corresponding to the request information in the attack IP subdomain name blacklist database, and sending an early-warning signal through the attack detection and early-warning module.
In the network attack defense method based on a DNS intelligent analysis system of the present invention, the service subdomain name automatic configuration module assigns a corresponding subdomain name to each network service request, which achieves service isolation. Using the subdomain name obtained by DNS resolution, attacks are filtered directly at the distributed high-availability DNS end, so attack requests no longer enter the server cluster and occupy bandwidth. Only DNS resolution by IP region is needed, so normal service can still be provided to provinces and cities where no attack is occurring; the time for a setting to take effect is shortened to the order of seconds, and layer-7 switching is not required. Once attack requests and normal requests have been quickly separated, the attack requests can be analyzed on their own, which reduces the resource consumption of request pattern recognition.
Brief description of the drawings
Fig. 1 is a method flowchart of one embodiment of the network attack defense method based on a DNS intelligent analysis system provided by the present invention;
Fig. 2 is a method flowchart of a preferred embodiment of the network attack defense method based on a DNS intelligent analysis system provided by the present invention.
Detailed description of the invention
The network attack defense method based on a DNS intelligent analysis system of the present invention is described in detail below with reference to Fig. 1 and Fig. 2.
As shown in Fig. 1, the network attack defense method based on a DNS intelligent analysis system comprises the following steps:
Step 11: collect network service requests;
Step 12: through the service subdomain name automatic configuration module, assign a corresponding subdomain name to each different network service request;
Step 13: judge whether the subdomain name exists in the attack subdomain name blacklist database; if so, perform step 20; otherwise, continue with the next step;
Step 14: perform IP region resolution on the network service request through the DNS IP region resolution module to obtain the corresponding IP region;
Step 15: judge whether the IP region exists in the attack IP subdomain name blacklist database; if so, perform step 20; otherwise, perform the next step;
Step 16: filter the network service request through the DNS resolution configuration module to obtain the request information;
Step 17: judge whether the request information exists in the attack mode database; if so, perform step 19; otherwise, continue with the next step;
Step 18: allow the network service request to run normally, and end the flow;
Step 19: determine that the request information is an attack request;
Step 20: reject the network service request.
In the network attack defense method based on a DNS intelligent analysis system of this embodiment, the service subdomain name automatic configuration module assigns a corresponding subdomain name to each network service request, which achieves service isolation. Using the subdomain name obtained by DNS resolution, attacks are filtered directly at the distributed high-availability DNS end, so attack requests no longer enter the server cluster and occupy bandwidth. Only DNS resolution by IP region is needed, so normal service can still be provided to provinces and cities where no attack is occurring; the time for a setting to take effect is shortened to the order of seconds, and layer-7 switching is not required. Once attack requests and normal requests have been quickly separated, the attack requests can be analyzed on their own, which reduces the resource consumption of request pattern recognition.
Fig. 2 is a method flowchart of a preferred embodiment of the network attack defense method based on a DNS intelligent analysis system provided by the present invention. As shown in Fig. 2, the method comprises the following steps:
Step 21: collect network service requests;
Step 22: through the service subdomain name automatic configuration module, assign a corresponding subdomain name to each different network service request;
Step 23: judge whether the subdomain name exists in the attack subdomain name blacklist database; if so, perform step 31; otherwise, continue with the next step;
Step 24: perform IP region resolution on the network service request through the DNS IP region resolution module to obtain the corresponding IP region;
Step 25: judge whether the IP region exists in the attack IP subdomain name blacklist database; if so, perform step 31; otherwise, perform the next step;
Step 26: filter the network service request through the DNS resolution configuration module to obtain the request information;
In a specific implementation, the DNS resolution configuration module obtains the request information by using the distributed high-availability DNS end.
Step 27: judge whether the request information exists in the attack mode database; if so, perform step 29; otherwise, continue with the next step;
Step 28: allow the network service request to run normally, and end the flow;
Step 29: determine that the request information is an attack request, and perform the next step;
Step 30: store the subdomain name corresponding to the request information in the attack subdomain name blacklist database, and store the IP region corresponding to the request information in the attack IP subdomain name blacklist database;
Step 31: send an early-warning signal through the attack detection and early-warning module;
Step 32: reject the network service request, and end the flow.
As can be seen from the above embodiments, the scheme of embodiment two is essentially the same as that of embodiment one. In addition to the effects of embodiment one, embodiment two has the following effects:
(1) When the subdomain name exists in the attack subdomain name blacklist database, when the IP region exists in the attack IP subdomain name blacklist database, and when the request information is determined to be an attack request, an early-warning signal is sent through the attack detection and early-warning module, so that the user or designer can be alerted in time.
(2) When the request information is determined to be an attack request, the subdomain name corresponding to the request information is stored in the attack subdomain name blacklist database and the IP region corresponding to the request information is stored in the attack IP subdomain name blacklist database. Because the subdomain name and IP region of every confirmed attack request are stored in this way, the attack subdomain name blacklist database and the attack IP subdomain name blacklist database are continuously updated.
It should be noted here that the network attack defense method based on a DNS intelligent analysis system of the present invention can be used for complex enterprise-level services, so that when a single service is under malicious attack, normal requests are still served; and in scenarios where different provinces and cities have different service requests, services can be intelligently scheduled according to the province or city where the service requester is located.
As is known from common technical knowledge, the present invention can be realized by other embodiments that do not depart from its spirit or essential features. Therefore, the embodiments disclosed above are, in all respects, merely illustrative and not the only ones. All changes within the scope of the present invention, or within a scope equivalent to that of the present invention, are embraced by the present invention.
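The decision flow of Fig. 2 (steps 21 to 32), written out as an added Python example; it is not code from the patent. The class and field names, the substring match against the attack mode database, the CIDR-to-region table and all sample requests are assumptions constructed for illustration, and the region blacklist is keyed by region alone, as the text states it.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: documentation address ranges and made-up region names.
REGION_TABLE = {"192.0.2.0/24": "region-a", "198.51.100.0/24": "region-b"}


@dataclass
class Request:
    service: str  # network service being requested
    src_ip: str   # requester address
    info: str     # request information obtained by filtering (step 26)


@dataclass
class DnsDefense:
    base_domain: str = "example.com"  # assumed zone for service subdomains
    attack_patterns: set = field(default_factory=set)      # attack mode database
    subdomain_blacklist: set = field(default_factory=set)  # attack subdomain blacklist
    region_blacklist: set = field(default_factory=set)     # attack IP region blacklist
    subdomains: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def allocate_subdomain(self, service):
        # Step 22: each service gets its own subdomain (service isolation).
        return self.subdomains.setdefault(service, f"{service}.{self.base_domain}")

    def resolve_region(self, src_ip):
        # Step 24: map the requester IP to a region; None if unmapped.
        addr = ipaddress.ip_address(src_ip)
        for cidr, region in REGION_TABLE.items():
            if addr in ipaddress.ip_network(cidr):
                return region
        return None

    def reject(self, reason, subdomain, region):
        # Steps 31-32: raise an early-warning signal, then refuse the request.
        self.alerts.append((reason, subdomain, region))
        return ("reject", reason)

    def handle(self, req):
        subdomain = self.allocate_subdomain(req.service)
        if subdomain in self.subdomain_blacklist:  # step 23
            return self.reject("subdomain-blacklisted", subdomain, None)
        region = self.resolve_region(req.src_ip)
        if region in self.region_blacklist:  # step 25
            return self.reject("region-blacklisted", subdomain, region)
        if any(p in req.info for p in self.attack_patterns):  # step 27
            # Steps 29-30: feed the match back into both blacklists.
            self.subdomain_blacklist.add(subdomain)
            if region is not None:  # never blacklist "unmapped" as a region
                self.region_blacklist.add(region)
            return self.reject("attack-pattern", subdomain, region)
        return ("allow", None)  # step 28


def run_sample():
    defense = DnsDefense(attack_patterns={"constructed-flood-marker"})
    requests = [
        Request("web", "192.0.2.10", "GET /index"),
        Request("api", "198.51.100.7", "POST /v1 constructed-flood-marker"),
        Request("api", "192.0.2.11", "GET /v1/status"),
        Request("web", "198.51.100.8", "GET /index"),
        Request("web", "192.0.2.12", "GET /index"),
    ]
    return [defense.handle(r) for r in requests], defense


if __name__ == "__main__":
    for decision in run_sample()[0]:
        print(decision)
```

Taken literally, step 30 blacklists the whole subdomain and the whole region after a single match, so the sample's later benign requests to api.example.com and from region-b are rejected as well.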

Claims (5)

1. A network attack defense method based on a DNS intelligent analysis system, comprising the following steps:
Collecting network service requests, and assigning a corresponding subdomain name to each different network service request through the service subdomain name automatic configuration module;
Judging whether the subdomain name exists in the attack subdomain name blacklist database; if so, rejecting the network service request; otherwise, performing IP region resolution on the network service request through the DNS IP region resolution module to obtain the corresponding IP region;
Judging whether the IP region exists in the attack IP subdomain name blacklist database; if so, rejecting the network service request; otherwise, filtering the network service request through the DNS resolution configuration module to obtain the request information;
Judging whether the request information exists in the attack mode database; if so, determining that the request information is an attack request and rejecting the network service request; otherwise, allowing the network service request to run normally.
2. The network attack defense method based on a DNS intelligent analysis system as claimed in claim 1, characterized in that the method also comprises:
When the subdomain name exists in the attack subdomain name blacklist database, sending an early-warning signal through the attack detection and early-warning module.
3. The network attack defense method based on a DNS intelligent analysis system as claimed in claim 2, characterized in that the method also comprises:
When the IP region exists in the attack IP subdomain name blacklist database, sending an early-warning signal through the attack detection and early-warning module.
4. The network attack defense method based on a DNS intelligent analysis system as claimed in claim 1, characterized in that the method also comprises:
The DNS resolution configuration module obtains the request information by using the distributed high-availability DNS end.
5. The network attack defense method based on a DNS intelligent analysis system as claimed in claim 4, characterized in that the method also comprises:
When the request information is determined to be an attack request, storing the subdomain name corresponding to the request information in the attack subdomain name blacklist database, storing the IP region corresponding to the request information in the attack IP subdomain name blacklist database, and sending an early-warning signal through the attack detection and early-warning module.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510059605.2A | 2015-02-05 | 2015-02-05 | Network attack defense method based on DNS intelligent analysis system

Publications (2)

Publication Number | Publication Date
CN105991557A | 2016-10-05
CN105991557B | 2019-05-10

Family

ID=57037138



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100144, room 9, building 3, building 30, 9014 Xing Xing street, Beijing, Shijingshan District

Applicant after: Jing Shuo Technology (Beijing) Limited by Share Ltd

Address before: 100107, Beijing, 13 Beiyuan Road, Chaoyang District hospital, OfficeA floor, block 16

Applicant before: JINGSHUO CENTURY TECHNOLOGY (BEIJING) CO., LTD.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200612

Address after: 136a, 1f, d-1f, Dongsheng Science Park, No. 66, xixiaokou Road, Haidian District, Beijing

Patentee after: Enyike (Beijing) Data Technology Co.,Ltd.

Address before: 100144, room 9, building 3, building 30, 9014 Xing Xing street, Beijing, Shijingshan District

Patentee before: ADMASTER TECHNOLOGY (BEIJING) Co.,Ltd.