CN106209852A - DPDK-based DNS denial-of-service attack defense method - Google Patents

DPDK-based DNS denial-of-service attack defense method

Info

Publication number: CN106209852A
Application number: CN201610550587.2A
Authority: CN (China)
Prior art keywords: dns, packet, dpdk, detection, attack
Legal status: Pending (status as listed; the Legal Events section below records a later rejection of the application after publication)
Other languages: Chinese (zh)
Inventors: 张文宇, 蔡自彬, 叶兴, 皮少臣
Current assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Original assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Application filed by: Chengdu Zhidaochuangyu Information Technology Co Ltd
Priority date: 2016-07-13
Filing date: 2016-07-13
Publication date: 2016-12-07

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The invention discloses a DPDK-based DNS denial-of-service attack defense method comprising the following steps: DPDK reads a DNS query request packet; a DNS denial-of-service detection module determines whether the packet is an attack, and if so the packet is discarded, otherwise it is forwarded to the KNI module; the KNI module forwards the packet through the kernel protocol stack to the DNS resolver program, which resolves the query. By processing packets in a DPDK application, the invention improves the per-node processing capacity of the DNS server and reduces development and maintenance cost.

Description

DPDK-based DNS denial-of-service attack defense method
Technical field
The present invention relates to a denial-of-service attack defense method, and specifically to a DPDK-based DNS denial-of-service attack defense method.
Background technology
DNS is an Internet infrastructure service: a distributed database that maps between domain names and IP addresses, allowing users to access the Internet conveniently. When a user accesses a website by domain name, the client first sends a DNS query to a DNS server to look up the IP address corresponding to the name, and then uses that IP address to reach the server's resources. Some illegitimate or malicious users, however, use large botnets under their control to send forged query requests to DNS servers, so that the server can no longer handle legitimate requests, which is the goal of the attack.
Most DNS servers currently run on Unix or Unix-like operating system platforms. Existing DNS denial-of-service defenses apply rate limiting or blocking at the operating-system level: query request packets are received from the NIC (network interface card), pass through the kernel-space buffers and driver, and are then copied to a user-space DNS detection program. If the detection program finds a DDoS attack, it performs the preconfigured rate-limiting or blocking action and discards the packets; normal, legitimate query requests are forwarded to the back-end DNS service program for resolution.
In these existing methods every DNS query request packet, including the forged illegitimate ones, must be processed by the kernel protocol stack before it is handed to the user-space DDoS detection program. The kernel protocol stack therefore becomes the performance bottleneck and per-node processing capacity is low; under a large DDoS attack in particular, the service quality of the DNS server degrades sharply and cannot meet the needs of a rapidly growing business.
Summary of the invention
The present invention provides a DPDK-based DNS denial-of-service attack defense method that improves the per-node processing capacity of a DNS server and performs better.
The technical solution adopted by the present invention is a DPDK-based DNS denial-of-service attack defense method comprising the following steps:
DPDK reads a DNS query request packet;
a DNS denial-of-service detection module determines whether the packet is an attack; if it is, the packet is discarded, otherwise it is forwarded to the KNI module;
the KNI module forwards the packet through the kernel protocol stack to the DNS resolver program, which resolves the query.
Further, the detection process of the DNS denial-of-service detection module is as follows:
A. Perform a legal DNS header check on the data in the DNS query request packet; if the header is not legal, discard the packet, otherwise proceed to step B;
B. Extract the DNS query data and check whether the queried name lies within a served domain (zone); if it does not, discard the packet, otherwise proceed to step C;
C. Inspect the data for signs of a DDoS attack; if an attack is found, perform blocking or rate limiting, otherwise proceed to step D;
D. Check whether the query rate has reached the configured threshold; if it exceeds the threshold, perform blocking or rate limiting, otherwise proceed to step E;
E. Forward the packet.
In steps C and D, if blocking is performed, all packets are discarded and processing returns to step E after unblocking; if rate limiting is performed, a portion of the packets is discarded so that the query rate stays within the threshold, and processing returns to step E after unblocking once the predetermined execution time has elapsed.
The beneficial effects of the invention are:
(1) Packets are processed in a DPDK application, which improves the per-node processing capacity of the DNS server and makes it possible to defend against larger-scale DNS denial-of-service attacks;
(2) Development and maintenance costs are reduced;
(3) Different defense actions are performed against an attack, and unblocking happens automatically once the execution time is reached.
Brief description of the drawings
Fig. 1 is the flow diagram of the present invention.
Fig. 2 is the workflow diagram of the DNS denial-of-service detection module of the present invention.
Fig. 3 is the flow diagram of an existing DNS denial-of-service attack defense method.
Detailed description of the invention
The present invention is further described below with reference to the drawings and specific embodiments.
As shown in Fig. 2, a DPDK-based DNS denial-of-service attack defense method comprises the following steps:
DPDK reads a DNS query request packet;
a DNS denial-of-service detection module determines whether the packet is an attack; if it is, the packet is discarded, otherwise it is forwarded to the KNI module;
the KNI module forwards the packet through the kernel protocol stack to the DNS resolver program, which resolves the query.
In general, DPDK reads DNS query request packets from the NIC, and the DNS denial-of-service detection module then determines whether each packet is an attack: attack packets are discarded, and packets that are not attacks are forwarded to the KNI module. The KNI module passes the packet to the kernel protocol stack, which processes it and delivers it to the DNS resolver program. The resolver parses the request packet, looks up the data, builds the query result into a response packet and returns it to the kernel protocol stack; the kernel protocol stack processes the response packet and forwards it to the KNI module, which processes it and writes the response packet to the NIC, and the NIC sends it to the user.
Further, the detection process of the DNS denial-of-service detection module is as follows:
A. Perform a legal DNS header check on the data in the DNS query request packet; if the header is not legal, discard the packet, otherwise proceed to step B;
B. Extract the DNS query data and check whether the queried name lies within a served domain (zone); if it does not, discard the packet, otherwise proceed to step C;
C. Inspect the data for signs of a DDoS attack; if an attack is found, perform blocking or rate limiting, otherwise proceed to step D;
D. Check whether the query rate has reached the configured threshold; if it exceeds the threshold, perform blocking or rate limiting, otherwise proceed to step E;
E. Forward the packet.
In steps C and D, if blocking is performed, all packets are discarded and processing returns to step E after unblocking; if rate limiting is performed, a portion of the packets is discarded so that the query rate stays within the threshold, and processing returns to step E after unblocking once the predetermined execution time has elapsed.
Before defense begins, the detection configuration for each domain in the service area is set: a message-rate threshold, an execution action and an execution time. The execution action is one of rate limit, block or normal. When the query rate for a given domain within a unit of time exceeds the preset threshold, the rate-limit or block action is performed, and the domain is automatically unblocked when the execution time is reached. Likewise, when an attack is detected, a rate-limit or block action can be performed, and both actions are lifted automatically after the execution time expires. The "block" action discards all requests, whereas the "rate limit" action keeps the request rate within the threshold, dropping part of the requests and letting the rest through. The defense configuration can be customized according to actual needs: the message-rate threshold, execution time and so on can be set by the user, who can adjust the defense configuration according to the actual attack situation.
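The detection procedure above (steps A to E together with the per-domain threshold, action and execution-time configuration) as a worked example in plain C. This is an added example, not the applicant's code: the patent names the steps but gives no implementation, so the zone table, the fixed 1-second counting window, the verdict and action names, the query builder and the sample zone "example.com." are all assumptions. Step C, for which the patent specifies no attack-detection technique, is represented only by the check that an action is already in force; the rate threshold of step D is the only trigger implemented. The function operates on the raw UDP payload that a DPDK poll loop would hand it, so it can be compiled and exercised without DPDK or a NIC.

```c
/* DNS denial-of-service detection module, steps A-E, in plain C.
 * Added example, not the patent applicant's code; every name here is assumed. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_FORWARD = 0, V_DROP_BAD_HEADER, V_DROP_OUT_OF_ZONE, V_DROP_BLOCKED, V_DROP_LIMITED };
enum action  { ACT_NORMAL = 0, ACT_LIMIT, ACT_BLOCK };

/* Defence configuration set for one served zone before the attack, plus run-time state. */
struct zone_cfg {
    const char *zone;       /* zone apex in dotted form with trailing dot, e.g. "example.com." */
    uint32_t    threshold;  /* queries per 1-second window before the action fires */
    enum action action;     /* normal (do nothing), limit, or block */
    uint64_t    exec_secs;  /* execution time: how long the action stays in force */
    uint64_t    win_start, win_count;  /* fixed 1-second counting window */
    uint64_t    active_until;          /* 0 = no action in force; else the auto-unblock time */
};

/* Step A: legal DNS header: a QUERY with exactly one question and empty answer/authority. */
static int dns_header_ok(const uint8_t *p, size_t len) {
    if (len < 12) return 0;
    unsigned flags = (unsigned)p[2] << 8 | p[3];
    if (flags & 0x8000) return 0;                     /* QR set: this is a response */
    if ((flags >> 11) & 0xF) return 0;                /* opcode is not QUERY */
    if (((unsigned)p[4] << 8 | p[5]) != 1) return 0;  /* QDCOUNT must be 1 */
    if (p[6] | p[7] | p[8] | p[9]) return 0;          /* ANCOUNT and NSCOUNT must be 0 */
    return 1;                   /* ARCOUNT is not checked: EDNS queries carry one OPT RR */
}

/* Parse the QNAME into lowercase dotted form; no compression pointers, QTYPE/QCLASS must follow. */
static int dns_qname(const uint8_t *p, size_t len, char *out, size_t outsz) {
    size_t i = 12, o = 0;
    while (i < len) {
        uint8_t l = p[i++];
        if (l == 0) { out[o] = '\0'; return i + 4 <= len; }
        if ((l & 0xC0) || i + l > len || o + l + 2 > outsz) return 0;  /* pointer or label > 63 */
        for (uint8_t k = 0; k < l; k++) out[o++] = (char)tolower(p[i + k]);
        out[o++] = '.';
        i += l;
    }
    return 0;
}

/* Step B: name equals the zone apex or lies below it, on a label boundary ("notexample.com." fails). */
static int name_in_zone(const char *name, const char *zone) {
    size_t n = strlen(name), z = strlen(zone);
    if (n < z || strcmp(name + n - z, zone) != 0) return 0;
    return n == z || name[n - z - 1] == '.';
}

/* Steps A-E on one UDP payload; `now` is wall-clock seconds, passed in so the logic is testable. */
enum verdict dns_ddos_check(struct zone_cfg *zones, size_t nz,
                            const uint8_t *pkt, size_t len, uint64_t now) {
    char name[256];
    if (!dns_header_ok(pkt, len) || !dns_qname(pkt, len, name, sizeof name))
        return V_DROP_BAD_HEADER;                                     /* step A */
    struct zone_cfg *z = NULL;
    for (size_t i = 0; i < nz && !z; i++)
        if (name_in_zone(name, zones[i].zone)) z = &zones[i];
    if (!z) return V_DROP_OUT_OF_ZONE;                                /* step B */
    if (now - z->win_start >= 1) { z->win_start = now; z->win_count = 0; }
    z->win_count++;
    if (z->active_until && now >= z->active_until) z->active_until = 0;  /* auto-unblock */
    if (!z->active_until && z->action != ACT_NORMAL && z->win_count > z->threshold)
        z->active_until = now + z->exec_secs;                         /* step D: threshold exceeded */
    if (z->active_until) {                                            /* step C: an action is in force */
        if (z->action == ACT_BLOCK) return V_DROP_BLOCKED;            /* block: drop everything */
        if (z->win_count > z->threshold) return V_DROP_LIMITED;       /* limit: drop only the excess */
    }
    return V_FORWARD;                                                 /* step E: hand to KNI */
}

/* Constructed test input: a minimal A/IN query for `name` in dotted form. Returns its length. */
size_t build_query(const char *name, uint8_t *buf, size_t sz) {
    if (sz < strlen(name) + 18) return 0;
    memset(buf, 0, 12);
    buf[0] = 0x12; buf[1] = 0x34; buf[2] = 0x01; buf[5] = 1;          /* ID, RD, QDCOUNT = 1 */
    size_t o = 12;
    for (const char *s = name; *s && strcmp(s, ".") != 0; ) {
        const char *dot = strchr(s, '.');
        size_t l = dot ? (size_t)(dot - s) : strlen(s);
        buf[o++] = (uint8_t)l; memcpy(buf + o, s, l); o += l;
        s += l + (dot ? 1 : 0);
    }
    buf[o++] = 0; buf[o++] = 0; buf[o++] = 1; buf[o++] = 0; buf[o++] = 1;  /* root, QTYPE A, QCLASS IN */
    return o;
}

int main(void) {
    struct zone_cfg zones[] = { { "example.com.", 3, ACT_BLOCK, 10, 0, 0, 0 } };
    uint8_t q[512];
    size_t n = build_query("www.example.com.", q, sizeof q);
    uint64_t t[] = { 100, 100, 100, 100, 101, 110 };  /* four queries in one second, then two later */
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("t=%llu verdict=%d\n", (unsigned long long)t[i], (int)dns_ddos_check(zones, 1, q, n, t[i]));
    return 0;
}
```

Driving it with four queries in one second against a threshold of 3 and a block action with a 10-second execution time gives three forwards, then two drops (the fourth query in second 100 and the one in second 101), then a forward at second 110 once the execution time has elapsed and the domain is unblocked automatically. Two points the patent text leaves implicit are made concrete here: the zone check of step B must match case-insensitively and on a label boundary, or "notexample.com." would pass as in-zone while "WWW.Example.COM." would be dropped; and the header check of step A must not reject ARCOUNT=1, or every EDNS query would be discarded before it reached the resolver.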
The present invention makes use of DPDK features such as poll-mode packet reception, caching, huge-page memory management and lock-free mechanisms to raise the per-node processing capacity of the DNS server to the ten-million level, so that larger-scale DNS denial-of-service attacks can be defended against, while greatly reducing development and maintenance costs compared with the prior art.
In this document: DNS (Domain Name System), the domain name system; DDoS (Distributed Denial of Service), distributed denial-of-service attack; DPDK (Data Plane Development Kit), the data plane development kit; KNI (Kernel NIC Interface), an interface for exchanging packets with the kernel protocol stack; IP address (Internet Protocol address); NIC (Network Interface Controller), the network adapter, commonly called the network card; Unix, an existing multitasking, multi-user computer operating system.
At present there are also approaches that implement the DNS denial-of-service attack detection program as a kernel module, with detection and defense performed inside the kernel module. Compared with the method of the present invention, developing a kernel module is considerably more complex and the cost of later maintenance is much higher; although such approaches improve DNS denial-of-service detection performance to some degree, they still fall some distance short of the performance improvement of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (2)

1. A DPDK-based DNS denial-of-service attack defense method, characterized in that it comprises the following steps:
DPDK reads a DNS query request packet;
a DNS denial-of-service detection module determines whether the packet is an attack; if it is, the packet is discarded, otherwise it is forwarded to the KNI module;
the KNI module forwards the packet through the kernel protocol stack to the DNS resolver program, which resolves the query.
2. The DPDK-based DNS denial-of-service attack defense method according to claim 1, characterized in that the detection process of the DNS denial-of-service detection module is as follows:
A. Perform a legal DNS header check on the data in the DNS query request packet; if the header is not legal, discard the packet, otherwise proceed to step B;
B. Extract the DNS query data and check whether the queried name lies within a served domain (zone); if it does not, discard the packet, otherwise proceed to step C;
C. Inspect the data for signs of a DDoS attack; if an attack is found, perform blocking or rate limiting, otherwise proceed to step D;
D. Check whether the query rate has reached the configured threshold; if it exceeds the threshold, perform blocking or rate limiting, otherwise proceed to step E;
E. Forward the packet.
In steps C and D, if blocking is performed, all packets are discarded and processing returns to step E after unblocking; if rate limiting is performed, a portion of the packets is discarded so that the query rate stays within the threshold, and processing returns to step E after unblocking once the predetermined execution time has elapsed.

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN201610550587.2A  2016-07-13  2016-07-13  DPDK-based DNS denial-of-service attack defense method (Pending; CN106209852A)

Publications (1)

Publication Number  Publication Date
CN106209852A  2016-12-07

Family

ID=57478136

Country Status (1)

Country  Link
CN (1)  CN106209852A (en)
Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090037592A1 (en) * 2004-10-01 2009-02-05 Prolexic Technologies, Inc. Network overload detection and mitigation system and method
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service
CN102882881A (en) * 2012-10-10 2013-01-16 常州大学 Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service
CN105657745A (en) * 2015-12-31 2016-06-08 西安抱朴通信科技有限公司 Method, device and system for realizing data service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DIVLEE130: "DPDK 简介 (Introduction to DPDK) - divlee's blog", 8 July 2015 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018130137A1 (en) * 2017-01-10 2018-07-19 贵州白山云科技有限公司 Method and apparatus for defending against network attacks, medium and device
WO2020143119A1 (en) * 2019-01-08 2020-07-16 深圳大学 Method, device and system for defending internet of things against ddos attack, and storage medium
CN111147391A (en) * 2019-12-05 2020-05-12 深圳市任子行科技开发有限公司 Data transmission method and system between DPDK user mode and linux kernel network protocol stack
CN111147391B (en) * 2019-12-05 2023-04-07 深圳市任子行科技开发有限公司 Data transmission method and system between DPDK user mode and linux kernel network protocol stack
CN111107081A (en) * 2019-12-17 2020-05-05 互联网域名系统北京市工程研究中心有限公司 DPDK-based multi-process DNS service method and system
CN111107081B (en) * 2019-12-17 2022-01-11 深圳网基科技有限公司 DPDK-based multi-process DNS service method and system
CN111371920A (en) * 2020-03-16 2020-07-03 广州根链国际网络研究院有限公司 DNS front-end analysis method and system
CN111371804A (en) * 2020-03-16 2020-07-03 广州根链国际网络研究院有限公司 DNS (Domain name Server) back-end forwarding method and system
CN111835729A (en) * 2020-06-15 2020-10-27 东软集团股份有限公司 Message forwarding method, system, storage medium and electronic equipment
CN111835729B (en) * 2020-06-15 2022-08-02 东软集团股份有限公司 Message forwarding method, system, storage medium and electronic equipment
CN112134845A (en) * 2020-08-20 2020-12-25 广东网堤信息安全技术有限公司 Rejection service system

Legal Events

Code  Title
C06  Publication
PB01  Publication
C10  Entry into substantive examination
SE01  Entry into force of request for substantive examination
RJ01  Rejection of invention patent application after publication

Application publication date: 2016-12-07