CN106034116A - Method and system for reducing malicious network flow - Google Patents

Method and system for reducing malicious network flow

Info

Publication number
CN106034116A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
dtaf
firewall
dns server
network traffic
system
Prior art date
Application number
CN 201510112440
Other languages
Chinese (zh)
Inventor
刘阳
薛晨
王东安
崔佳
黄亮
常为岭
王博
袁庆升
徐原
王凯峰
Original Assignee
国家计算机网络与信息安全管理中心
北京天元特通科技有限公司
Priority date
Filing date
Publication date

Abstract

The invention discloses a method and system for reducing malicious network flow. The system comprises a protected server positioned in a domain, at least one authoritative domain name system DNS server, at least one DNS flow analyzer, a firewall and a central master DTAF; the network flow has to pass through the DTAF firewall before accessing the authoritative DNS server, and the DTAF firewall analyzes the network flow trying to pass through the DTAF firewall; the DTAF firewall transmits network flow data to the central master DTAF, and the central master DTAF transmits at least one access control list to the DTAF firewall. Through above arrangement, the method and system can reduce the malicious internet flow (like DDOS attack).

Description

Method and system for reducing malicious network traffic

Technical Field

[0001] The present invention relates to the field of network technology, and in particular to a method and system for reducing malicious network traffic.

Background Art

[0002] A user of a computer typically knows only the name of the intended destination, not its IP address; by using the Domain Name System (DNS), the user can nevertheless reach that destination. Given a particular domain name, DNS uses a process called DNS name resolution to find the corresponding IP address. An authoritative DNS server is a DNS server that gives answers in response to queries for a particular DNS zone. If a particular DNS server cannot answer a query, other DNS servers positioned higher up can be asked by performing a reverse lookup.

[0003] In the prior art, many devices have been developed to protect servers and networks from malicious attacks originating from the Internet. These devices are generally classified as firewalls and dedicated routers. Internet traffic can also be regulated by managing a set of allowed or denied users with whitelists, blacklists, and/or greylists. Firewalls and dedicated routers commonly use source IP detection, packet and content analysis, traffic pattern analysis, and arrays of policies and rules to filter out malicious traffic and content. One Internet-based attack is the distributed denial of service (DDOS) attack. In general, a DDOS attack attempts to make a target computer or server unavailable to its intended users by obstructing its operation. Some DDOS attacks can be defended against by conventional means (for example, a firewall).

[0004] In recent years, however, some DDOS attacks have grown to an unprecedented scale and duration, exceeding the capabilities and resources of even the largest and most powerful firewalls and defense systems.

Summary of the Invention

[0005] The technical problem mainly solved by the present invention is to provide a method and system for reducing malicious network traffic, capable of reducing malicious Internet traffic (for example, DDOS attacks).

[0006] To solve the above technical problem, one technical solution adopted by the present invention is to provide a system for reducing malicious network traffic, the system comprising: a protected server located within a domain; at least one authoritative Domain Name System (DNS) server; at least one DNS Traffic Analyzer and Firewall (DTAF), wherein network traffic must pass through the DTAF firewall before accessing the authoritative DNS server, and the DTAF firewall analyzes the network traffic attempting to pass through it; and a central master DTAF, wherein the DTAF firewall sends network traffic data to the central master DTAF, and the central master DTAF sends at least one access control list to the DTAF firewall.

[0007] Wherein the network traffic must also pass through the DTAF firewall before accessing the protected server.

[0008] Wherein the network traffic must also pass through the DTAF firewall before accessing a public DNS server.

[0009] Wherein the network traffic data includes both historical data and real-time data.

[0010] Wherein the protected server sends network traffic data to the central master DTAF.

[0011] Wherein the authoritative DNS server sends network traffic data to the central master DTAF.

[0012] Wherein the access control list includes information relating to DNS servers, and wherein the DTAF firewall is able to control or analyze traffic originating from those DNS servers.

[0013] Wherein the system further comprises a domain transfer subsystem, which forms new authoritative DNS servers and reroutes at least some of the network traffic to the new authoritative DNS servers.

[0014] Wherein the domain transfer subsystem periodically rotates the authoritative DNS servers.

[0015] Wherein the new authoritative DNS server handles new network traffic.

[0016] To solve the above technical problem, another technical solution adopted by the present invention is to provide a method for reducing malicious network traffic, comprising: analyzing network traffic directed at at least one authoritative DNS server; generating network traffic data from the analysis results; sending the network traffic data to a central system; receiving an access control list from the central system; and updating firewall parameters according to the received access control list.

[0017] Wherein the method further comprises: determining the DNS servers used by suspicious network traffic; including data on those DNS servers in the network traffic data; and including information on those DNS servers in the access control list.

[0018] Wherein the method further comprises: forming at least one new authoritative DNS server; and routing at least some of the network traffic to the new authoritative DNS server.

[0019] Wherein the method further comprises: periodically rotating the authoritative DNS servers.

[0020] The beneficial effects of the present invention are as follows. Unlike the prior art, the system of the present invention comprises: a protected server located within a domain; at least one authoritative DNS server; at least one DTAF, wherein network traffic must pass through the DTAF firewall before accessing the authoritative DNS server, and the DTAF firewall analyzes the network traffic attempting to pass through it; and a central master DTAF, wherein the DTAF firewall sends network traffic data to the central master DTAF, and the central master DTAF sends at least one access control list to the DTAF firewall. Because the DTAF firewall analyzes the traffic attempting to pass through it and sends the traffic data to the central master DTAF, which then sends at least one access control list back to the DTAF firewall, the DTAF firewall can block malicious traffic by means of the access control list. In this way, malicious Internet traffic (for example, DDOS attacks) can be reduced.

Brief Description of the Drawings

[0021] FIG. 1 is a schematic structural diagram of an embodiment of the system for reducing malicious network traffic of the present invention;

[0022] FIG. 2 is a flowchart of an embodiment of the method for reducing malicious network traffic of the present invention;

[0023] FIG. 3 is a flowchart of another embodiment of the method for reducing malicious network traffic of the present invention;

[0024] FIG. 4 is a flowchart of a further embodiment of the method for reducing malicious network traffic of the present invention.

Detailed Description

[0025] The present invention is described in detail below with reference to the accompanying drawings and embodiments.

[0026] FIG. 1 is a schematic structural diagram of an embodiment of the system for reducing malicious network traffic of the present invention. The system includes: a client 11 (whether legitimate or malicious), a protected server 12, an authoritative DNS server 13 for the domain, a public DNS server 14, and a DNS Traffic Analyzer and Firewall (DTAF) firewall 15.

[0027] The client 11 accesses the protected server 12 over a network (for example, the public Internet). The protected server 12 may be a web server, a mail server, an application server, or any other type of server that can be accessed over the public Internet or any other network.

[0028] In the embodiment shown in FIG. 1, traffic directed at the protected server 12, the domain's authoritative DNS server 13, or the public DNS server 14 must first pass through the DTAF firewall 15. Other embodiments are contemplated in which the DTAF firewall 15 sits in front of only a subset of these destinations.

[0029] In general, the DTAF is able to analyze data received from the Internet and to optimize the firewall on the basis of that analysis. For example, in some embodiments the DTAF firewall uses DNS and application log archives together with analysis of real-time logs to track and analyze visitors by IP address, by subnet, and/or by the visitor's DNS server.

[0030] By using both archived data and real-time data, the DTAF can maintain updated, real-time access control lists (ACLs), which are used to divert traffic at the firewall or router. A real-time ACL may use a combination of whitelists, blacklists, and greylists to dynamically maintain lists of accepted and rejected clients. The general use of firewalls and dedicated routers to prevent or reduce malicious attacks is well known to those skilled in the art and is not described further here.

[0031] In some embodiments, the DTAF can determine a visitor's DNS server using reference data and DNS lookup tables. Accordingly, the ACL may also maintain a list of allowed and denied DNS servers (a DNS-ACL). The DNS-ACL can then be fed back to routers and firewalls to block suspicious DNS sources.

[0032] In some embodiments, the DTAF firewall can allow, block, or modify DNS queries and/or response data. Thus, using the DNS-ACL, the DTAF can allow or deny individual IP addresses or all addresses associated with a particular DNS server. It is also contemplated that greylisted addresses or DNS servers may be placed on a candidate list for further analysis, particularly during periods of abnormally high traffic, such as during a DDOS attack.

[0033] In the embodiment shown in FIG. 1, the DTAF firewall 15 and the protected server 12 send traffic data, including real-time information and historical data about IP addresses or DNS servers, to a central master DTAF 16. The traffic data may include a variety of information, including but not limited to date and time information, source IP addresses, request frequency, request patterns, and packet content data.

[0034] The central master DTAF 16 shown in FIG. 1 analyzes the traffic data and derives an ACL on the basis of a whitelist comprising a set of source IP addresses (or DNS servers) that are likely legitimate (non-malicious). Additionally or alternatively, the ACL may comprise a blacklist and/or a greylist. Because the central master DTAF 16 receives data from multiple sources, for example the protected server 12, the domain's authoritative DNS server 13, the public DNS server 14, and their respective DTAF firewalls 15, the central master DTAF 16 can perform the functions of an individual DTAF firewall 15 more effectively.

[0035] The central master DTAF 16 sends a DTAF-ACL to the DTAF firewall 15. The DTAF-ACL may include information about clients, about their DNS servers, or about both. For the DNS server portion of the DTAF-ACL, the central master DTAF 16 can derive this information by, for example, performing reverse lookups to determine the subnet associated with a client address and its authoritative Internet Service Provider (ISP), and ultimately the DNS servers that the ISP designates and publishes as assigned to that client address. Once received by the DTAF firewall 15, the DNS DTAF-ACL can be used to reduce malicious traffic by controlling lookups of the protected server 12's address by the public DNS servers contained in the DNS DTAF-ACL, thereby denying those servers' lookups of the server's IP address.

[0036] In the embodiment shown in FIG. 1, the central master DTAF 16 can form a new DNS server to serve as a new authoritative DNS server (or new DNS server) 13b for the domain. In other embodiments, this and other functions are performed by components other than the central master DTAF 16. In the embodiment shown in FIG. 1, the central master DTAF 16 generates a DNS zone file for the protected domain with given TTL (time to live) and TTR (time to refresh) values. The zone file is then propagated to the original set of authoritative DNS servers 13 for the domain.

[0037] In general, the TTL and TTR periods may be as long as several hours, but it is contemplated that the operation of the system under heavy DDOS attack may be optimized using different time-to-live and refresh periods, for example 1 hour, 45 minutes, 30 minutes, 10 minutes, 5 minutes, 1 minute, 30 seconds, or less than 30 seconds.

[0038] By forming new DNS servers 13b, the central master DTAF 16 can use DNS transfer to further reduce the potential damage from malicious clients. This can be carried out in several ways. For example, before the TTL of the new DNS zone file expires, the central master DTAF can form new DNS servers 13b and delegate the domain name to these new DNS servers 13b. The original authoritative DNS servers 13 will continue to serve requests directed to them (typically for the duration defined by the TTL). The new DNS servers 13b will receive DNS requests from newly refreshed DNS servers looking up the domain name. For DNS servers that were served recently, the new DNS servers 13b will continue to receive their requests until their TTL expires.

[0039] The process outlined above can be repeated many times, which spreads DNS request traffic across the new DNS servers 13b. In effect, by forming new DNS servers 13b in this way, DNS request traffic can be spread over more authoritative DNS servers than the maximum number of authoritative DNS servers permitted at the Internet registry or root.

[0040] Traffic distribution can be promoted by DNS rotation and DNS caching. In FIG. 1 this is done by the central master DTAF 16, which updates the DNS zone by rotating the domain's authoritative DNS servers 13, 13b. In some embodiments, the central master DTAF 16 rapidly changes the authoritative DNS at regular intervals after a time period T. DNS records are maintained and changed periodically (T2), where the TTL and refresh values are smaller than T. The central master DTAF then rotates the list of authoritative DNS servers and the DNS records.
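The rotation described in [0036] to [0040] (and in steps S301 to S303 below) can be checked with a small model. The following is an added example, not code from the patent or its assignees: the central master keeps a schedule of authoritative server sets (13, 13b, ...), rotates the active set every T seconds, changes records every T2 seconds, and refuses any TTL or refresh value that is not smaller than T; a caching resolver is then replayed against the schedule to show that a cached delegation never outlives one rotation period. The server names, the periods, the resolver model and the `stale` bookkeeping are all constructed assumptions.

```python
"""Model of periodic authoritative-DNS rotation with TTL and refresh kept below
the rotation period T.  Added example; names, timings and the resolver model
are constructed and are not the patent's."""
from typing import Dict, List, Optional, Tuple

Pool = Tuple[str, ...]  # one set of authoritative servers (e.g. 13 or 13b)


def params_are_safe(ttl: int, refresh: int, T: int) -> bool:
    """[0040]: TTL and refresh must both be smaller than the rotation period T,
    otherwise a resolver could keep a retired server set for more than one rotation."""
    return 0 < ttl < T and 0 < refresh < T


class RotationSchedule:
    """What the central master publishes for one protected zone."""

    def __init__(self, pools: Tuple[Pool, ...], T: int, T2: int, ttl: int, refresh: int) -> None:
        if not pools:
            raise ValueError("at least one authoritative server set is required")
        if not params_are_safe(ttl, refresh, T):
            raise ValueError("ttl and refresh must both be smaller than T")
        self.pools, self.T, self.T2, self.ttl, self.refresh = pools, T, T2, ttl, refresh

    def active_pool(self, t: int) -> Pool:
        """Authoritative server set that the zone delegates to at time t."""
        return self.pools[(t // self.T) % len(self.pools)]

    def record_serial(self, t: int) -> int:
        """Generation of the DNS records at time t (records change every T2 seconds)."""
        return t // self.T2


class CachingResolver:
    """Minimal recursive resolver: caches the delegation for TTL seconds, then refetches."""

    def __init__(self) -> None:
        self._pool: Optional[Pool] = None
        self._expires = -1

    def resolve(self, zone: RotationSchedule, t: int) -> Pool:
        if self._pool is None or t >= self._expires:
            self._pool = zone.active_pool(t)  # fresh delegation from the master
            self._expires = t + zone.ttl
        return self._pool


def simulate(zone: RotationSchedule, offsets: Tuple[int, ...], horizon: int,
             step: int) -> Tuple[Dict[int, int], List[Tuple[int, int]]]:
    """Replay queries from one resolver per offset, every `step` seconds until `horizon`.

    Returns (hits, stale): hits counts answers per server-set index, showing the
    load spreading over the rotated sets; stale lists (t, seconds since the last
    rotation) for every answer that still named the retired set.  With TTL < T,
    every such lag is shorter than TTL, so no set is ever more than one rotation behind."""
    hits = {i: 0 for i in range(len(zone.pools))}
    stale: List[Tuple[int, int]] = []
    for offset in offsets:
        resolver = CachingResolver()  # each resolver keeps its own cache
        for t in range(offset, horizon, step):
            pool = resolver.resolve(zone, t)
            hits[zone.pools.index(pool)] += 1
            if pool != zone.active_pool(t):
                stale.append((t, t % zone.T))
    return hits, stale


if __name__ == "__main__":
    zone = RotationSchedule(pools=(("ns1", "ns2"), ("ns3", "ns4"), ("ns5", "ns6")),
                            T=600, T2=300, ttl=250, refresh=120)
    hits, stale = simulate(zone, offsets=(0, 20, 40), horizon=1800, step=50)
    print("answers per server set:", hits)
    print("stale answers:", len(stale), "max lag after rotation:", max(s for _, s in stale))
```

The three resolvers start at different offsets, so their caches expire at different moments; the run shows the request load moving from the first server set to the second and third as the schedule rotates, and every answer that still names a retired set arrives less than one TTL after the rotation boundary. Raising `ttl` to `T` or more is rejected by `params_are_safe`, which is the constraint paragraph [0040] states.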

[0041] In various embodiments, DNS transfer can operate in many different ways using various ACLs, whitelists, blacklists, and greylists. For example, the central master DTAF 16 may publish its new DNS location to whitelisted clients or DNS servers. All other clients (new clients, greylisted clients, and so on) can then be blocked from accessing the server. This approach is particularly useful during a DDOS attack, when sacrificing some legitimate clients is preferable to being subjected to the full force of the attack. In some embodiments, new clients, whitelisted clients, and greylisted clients (or DNS servers) may be partitioned so that preferred traffic proceeds normally, while more suspicious traffic is spread among multiple new DNS servers in order to diffuse the attack and improve the effectiveness of firewalls and dedicated routers, or to focus additional analysis on suspicious clients.

[0042] The system of the present invention comprises: a protected server located within a domain; at least one authoritative DNS server; at least one DTAF, wherein network traffic must pass through the DTAF firewall before accessing the authoritative DNS server, and the DTAF firewall analyzes the network traffic attempting to pass through it; and a central master DTAF, wherein the DTAF firewall sends network traffic data to the central master DTAF, and the central master DTAF sends at least one access control list to the DTAF firewall. Because the DTAF firewall analyzes the traffic attempting to pass through it and sends the traffic data to the central master DTAF, which then sends at least one access control list back to the DTAF firewall, the DTAF firewall can block malicious traffic by means of the access control list. In this way, malicious Internet traffic (for example, DDOS attacks) can be reduced.

[0043] Referring to FIG. 2, FIG. 2 is a flowchart of an embodiment of the method for reducing malicious network traffic of the present invention. This method is the one employed by the system of FIG. 1 when reducing malicious network traffic; for a detailed description of the system and method together, see FIG. 1 and the corresponding text, which is not repeated here. The method comprises steps S101, S102, S103, S104, and S105, as follows:

[0044] Step S101: analyzing network traffic directed at at least one authoritative DNS server.

[0045] Step S102: generating network traffic data from the analysis results.

[0046] Step S103: sending the network traffic data to a central system.

[0047] Step S104: receiving an access control list from the central system.

[0048] Step S105: updating firewall parameters according to the received access control list.

[0049] Referring to FIG. 3, the method further comprises steps S201, S202, and S203, as follows:

[0050] Step S201: determining the DNS servers used by suspicious network traffic.

[0051] Step S202: including data on the DNS servers used by the suspicious network traffic in the network traffic data.

[0052] Step S203: including information on the DNS servers used by the suspicious network traffic in the access control list.
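Steps S101 to S105 and S201 to S203, together with the whitelist, blacklist, greylist and DNS-ACL handling of paragraphs [0030] to [0035], can be exercised end to end in one small model. The following is an added example, not code from the patent or its assignees: a firewall node analyzes a DNS query log, determines each source's resolver from a reference table, reports the traffic data, a central master derives an access control list covering both client addresses and DNS servers, and the firewall applies it and then decides on new queries. The log lines, subnets, resolver names, thresholds and the specific listing rules are all constructed assumptions, one plausible policy rather than the patent's.

```python
"""DTAF firewall <-> central master exchange (S101..S105, S201..S203).
Added example; all addresses, resolver names, thresholds and rules are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed reference table ([0031]): the ISP-assigned resolver for each client subnet.
_RESOLVER_BY_SUBNET = [
    (ipaddress.ip_network("198.51.100.0/24"), "resolver-a.example"),
    (ipaddress.ip_network("203.0.113.0/24"), "resolver-b.example"),
    (ipaddress.ip_network("192.0.2.0/24"), "resolver-c.example"),
]


def resolver_for(src_ip: str) -> str:
    """S201: map a client address to the DNS server it is expected to use."""
    addr = ipaddress.ip_address(src_ip)
    for net, resolver in _RESOLVER_BY_SUBNET:
        if addr in net:
            return resolver
    return "unknown"


def constructed_log(window: int = 60) -> str:
    """Constructed firewall log, one '<epoch> <src_ip> <qname> <qtype>' line per query,
    spread over one window: two quiet sources, one moderate source, two floods."""
    lines = []
    for src, n in [("198.51.100.10", 3), ("198.51.100.20", 2),
                   ("203.0.113.5", 40), ("203.0.113.6", 15), ("192.0.2.9", 35)]:
        for i in range(n):
            lines.append(f"{1000 + i * window // n} {src} www.protected.example A")
    return "\n".join(lines)


@dataclass
class TrafficData:
    """What the firewall sends to the central master (S102/S103, S202)."""
    window: int
    requests_by_src: Counter = field(default_factory=Counter)
    srcs_by_resolver: Dict[str, Set[str]] = field(default_factory=dict)


def analyze(log_text: str, window: int) -> TrafficData:
    """S101/S102 and S201/S202: requests per source, sources grouped by resolver."""
    data = TrafficData(window=window)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _qname, _qtype = line.split()
        data.requests_by_src[src] += 1
        data.srcs_by_resolver.setdefault(resolver_for(src), set()).add(src)
    return data


@dataclass
class AccessControlList:
    allowed_ips: Set[str] = field(default_factory=set)
    denied_ips: Set[str] = field(default_factory=set)
    grey_ips: Set[str] = field(default_factory=set)          # candidate list for further analysis
    denied_resolvers: Set[str] = field(default_factory=set)  # the DNS-ACL of [0031]
    grey_resolvers: Set[str] = field(default_factory=set)


def derive_acl(data: TrafficData, whitelist: Set[str],
               deny_threshold: int, grey_threshold: int) -> AccessControlList:
    """Central master (S104, S203). Constructed policy: whitelist wins; other sources are
    denied or greylisted by requests per window; a resolver is denied only when every
    source seen through it was denied, greylisted when some of its sources were listed."""
    acl = AccessControlList(allowed_ips=set(whitelist))
    for src, n in data.requests_by_src.items():
        if src in whitelist:
            continue
        if n >= deny_threshold:
            acl.denied_ips.add(src)
        elif n >= grey_threshold:
            acl.grey_ips.add(src)
    for resolver, srcs in data.srcs_by_resolver.items():
        if resolver == "unknown" or srcs & whitelist:
            continue  # never cut off a resolver that whitelisted clients depend on
        if srcs <= acl.denied_ips:
            acl.denied_resolvers.add(resolver)
        elif srcs & (acl.denied_ips | acl.grey_ips):
            acl.grey_resolvers.add(resolver)
    return acl


class DtafFirewall:
    """Firewall node in front of the protected server and its authoritative DNS."""

    def __init__(self, protected_name: str) -> None:
        self.protected_name = protected_name
        self.acl = AccessControlList()  # empty list: everything allowed until S105 runs

    def apply_acl(self, acl: AccessControlList) -> None:
        """S105: replace the active firewall parameters with the received list."""
        self.acl = acl

    def decide(self, src_ip: str, qname: str, via_resolver: Optional[str] = None) -> str:
        """Return 'allow', 'deny' or 'greylist' for one DNS query."""
        resolver = via_resolver or resolver_for(src_ip)
        if src_ip in self.acl.allowed_ips:
            return "allow"
        if src_ip in self.acl.denied_ips:
            return "deny"
        # [0035]: lookups of the protected server's address from a DNS server on the
        # DNS-ACL deny list are refused, whichever client sits behind that server.
        if resolver in self.acl.denied_resolvers and qname == self.protected_name:
            return "deny"
        if src_ip in self.acl.grey_ips or resolver in self.acl.grey_resolvers:
            return "greylist"
        return "allow"


def run_cycle(window: int = 60) -> DtafFirewall:
    """One full S101..S105 cycle over the constructed log; returns the updated firewall."""
    fw = DtafFirewall("www.protected.example")
    data = analyze(constructed_log(window), window)                       # S101/S102 (+S201/S202)
    acl = derive_acl(data, {"198.51.100.10"}, deny_threshold=30, grey_threshold=10)  # S103/S104
    fw.apply_acl(acl)                                                     # S105
    return fw
```

Calling `run_cycle()` leaves the two flooding sources denied, the moderate source greylisted for further analysis, the resolver that carried only denied traffic on the DNS-ACL deny list, and the resolver with mixed traffic greylisted; a previously unseen client behind the denied resolver is then refused when it looks up the protected server's name, while the whitelisted client is always allowed. The whitelist check precedes every other rule so that a burst from a known-good source during an attack does not lock that source out.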

[0053] Referring to FIG. 4, the method further comprises steps S301 and S302, as follows:

[0054] Step S301: forming at least one new authoritative DNS server.

[0055] Step S302: routing at least some of the network traffic to the new authoritative DNS server.

[0056] The method may further comprise step S303.

[0057] Step S303: periodically rotating the authoritative DNS servers.

[0058] The method of the present invention comprises: analyzing network traffic directed at at least one authoritative DNS server; generating network traffic data from the analysis results; sending the network traffic data to a central system; receiving an access control list from the central system; and updating firewall parameters according to the received access control list. Because the network traffic directed at at least one authoritative DNS server is analyzed, the network traffic data is sent to the central system, and at least one access control list sent by the central system is then received, the firewall parameters are updated from the access control list and malicious traffic is blocked. In this way, malicious Internet traffic (for example, DDOS attacks) can be reduced.

[0059] The above are only embodiments of the present invention and do not limit the patent scope of the present invention. Any equivalent structure or equivalent process transformation made using the content of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (14)

  1. A system for reducing malicious network traffic, characterized in that the system comprises: a protected server located within a domain; at least one authoritative Domain Name System (DNS) server; at least one DNS Traffic Analyzer and Firewall (DTAF) firewall, wherein network traffic must pass through the DTAF firewall before accessing the authoritative DNS server, and the DTAF firewall analyzes the network traffic attempting to pass through it; and a central master DTAF, wherein the DTAF firewall sends network traffic data to the central master DTAF, and the central master DTAF sends at least one access control list to the DTAF firewall.
  2. The system of claim 1, characterized in that the network traffic must also pass through the DTAF firewall before accessing the protected server.
  3. The system of claim 1, characterized in that the network traffic must also pass through the DTAF firewall before accessing a public DNS server.
  4. The system of claim 1, characterized in that the network traffic data includes historical data and real-time data.
  5. The system of claim 1, characterized in that the protected server sends network traffic data to the central master DTAF.
  6. The system of claim 1, characterized in that the authoritative DNS server sends network traffic data to the central master DTAF.
  7. The system of claim 1, characterized in that the access control list includes information relating to DNS servers, and the DTAF firewall is able to control or analyze traffic originating from those DNS servers.
  8. The system of claim 1, characterized in that the system further comprises a domain transfer subsystem, which forms new authoritative DNS servers and reroutes at least some of the network traffic to the new authoritative DNS servers.
  9. The system of claim 8, characterized in that the domain transfer subsystem periodically rotates the authoritative DNS servers.
  10. The system of claim 8, characterized in that the new authoritative DNS server handles new network traffic.
  11. A method for reducing malicious network traffic, characterized in that the method comprises: analyzing network traffic directed at at least one authoritative Domain Name System (DNS) server; generating network traffic data from the analysis results; sending the network traffic data to a central system; receiving an access control list from the central system; and updating firewall parameters according to the received access control list.
  12. The method of claim 11, characterized in that the method further comprises: determining the DNS servers used by suspicious network traffic; including data on those DNS servers in the network traffic data; and including information on those DNS servers in the access control list.
  13. The method of claim 11, characterized in that the method further comprises: forming at least one new authoritative DNS server; and routing at least some of the network traffic to the new authoritative DNS server.
  14. The method of claim 13, characterized in that the method further comprises: periodically rotating the authoritative DNS servers.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201510112440 CN106034116A (en) 2015-03-13 2015-03-13 Method and system for reducing malicious network flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201510112440 CN106034116A (en) 2015-03-13 2015-03-13 Method and system for reducing malicious network flow

Publications (1)

Publication Number Publication Date
CN106034116A (en) 2016-10-19

Family

ID=57150699

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201510112440 CN106034116A (en) 2015-03-13 2015-03-13 Method and system for reducing malicious network flow

Country Status (1)

Country Link
CN (1) CN106034116A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567815A (en) * 2009-05-27 2009-10-28 清华大学 Method for effectively detecting and defending domain name server (DNS) amplification attacks
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service
US20100138910A1 (en) * 2008-12-03 2010-06-03 Check Point Software Technologies, Ltd. Methods for encrypted-traffic url filtering using address-mapping interception
CN104135461A (en) * 2013-05-02 2014-11-05 中国移动通信集团河北有限公司 Firewall policy processing method and device
US20140331304A1 (en) * 2013-05-03 2014-11-06 John Wong Method and system for mitigation of distributed denial of service (ddos) attacks
CN104301180A (en) * 2014-10-16 2015-01-21 杭州华三通信技术有限公司 Service message processing method and device


Similar Documents

Publication Publication Date Title
Kargl et al. Protecting web servers from distributed denial of service attacks
Bellovin Distributed firewalls
US7610375B2 (en) Intrusion detection in a data center environment
US7058718B2 (en) Blended SYN cookies
US7506360B1 (en) Tracking communication for determining device states
Zargar et al. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks
US7120934B2 (en) System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
Weiler Honeypots for distributed denial-of-service attacks
US7240368B1 (en) Intrusion and misuse deterrence system employing a virtual network
US20080052758A1 (en) Method and system for propagating network policy
US20040111623A1 (en) Systems and methods for detecting user presence
US20070192858A1 (en) Peer based network access control
Jackson et al. Protecting browsers from DNS rebinding attacks
US20090217346A1 (en) Dhcp centric network access management through network device access control lists
US20130097692A1 (en) System and method for host-initiated firewall discovery in a network environment
US20130133057A1 (en) System for managing virtual private network and method thereof
US20030126252A1 (en) Method and apparatus for dynamic client-side load balancing system
US20120304244A1 (en) Malware analysis system
US6981143B2 (en) System and method for providing connection orientation based access authentication
US8370407B1 (en) Systems providing a network resource address reputation service
US20050283831A1 (en) Security system and method using server security solution and network security solution
US20080196098A1 (en) System For Protecting Identity in a Network Environment
US20140173712A1 (en) Network security system with customizable rule-based analytics engine for identifying application layer violations
US20040088409A1 (en) Network architecture using firewalls
US7735116B1 (en) System and method for unified threat management with a relational rules methodology

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination