CN106209852A - A DPDK-based DNS denial-of-service attack defense method - Google Patents
- Publication number: CN106209852A (application CN201610550587.2A)
- Authority: CN (China)
- Prior art keywords: dns, packet, dpdk, detection, attack
- Prior art date: 2016-07-13
- Legal status: Pending (Google's assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1458: Denial of Service (H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1441 Countermeasures against malicious traffic)
- H04L61/4511: Network directories; name-to-address mapping using standardised directory access protocols, using the domain name system [DNS] (H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/45 Network directories; name-to-address mapping; H04L61/4505 using standardised directories)
Abstract
The invention discloses a DPDK-based DNS denial-of-service attack defense method comprising the following steps: DPDK reads a DNS query request packet; a DNS denial-of-service detection module checks whether the packet is an attack and, if so, drops it, otherwise forwards it to the KNI module; the KNI module forwards the packet through the kernel protocol stack to the DNS resolution program, which resolves the query. By handling packets in a DPDK application, the invention raises the per-server (single-machine) processing capacity of the DNS server and reduces development and maintenance cost.
Description
Technical field
The present invention relates to a denial-of-service attack defense method, and specifically to a DPDK-based DNS denial-of-service attack defense method.
Background technology
DNS is an Internet infrastructure service: a distributed database that maps domain names to IP addresses and back, so that users can reach the Internet conveniently. When a user accesses a website by its domain name, the client first sends a DNS query to a DNS server to look up the IP address corresponding to the name, and then uses that IP address to reach the resources on the server. Some illegitimate or malicious users, however, use large botnets under their control to send forged query requests to a DNS server so that it can no longer process normal requests, which is the aim of the attack. Most DNS servers today run on Unix (or Unix-like) system platforms, and the existing defense against DNS denial-of-service attacks applies rate limiting or blocking to query requests at the system level: the query request packet is received from the NIC (network interface card), passes through the kernel-space buffer and driver processing, and is then copied to a DNS detection program in user space; if that program detects a DDoS attack it carries out the preset rate-limit or block action and drops the packets, and if the request is a normal, legitimate query it forwards it to the back-end DNS service program for resolution. In these existing DNS denial-of-service defense methods, every DNS query request packet, including the forged illegitimate ones, must be processed by the kernel-space protocol stack before being handed to the user-space DDoS detection program. The kernel protocol stack therefore becomes the performance bottleneck, per-server processing capacity is low, and under a large DDoS attack in particular the service quality of the DNS server drops sharply and cannot meet the demands of a rapidly growing business.
Summary of the invention
The present invention provides a DPDK-based DNS denial-of-service attack defense method that raises the per-server processing capacity of a DNS server and performs better.
The technical solution adopted by the present invention is a DPDK-based DNS denial-of-service attack defense method comprising the following steps:
DPDK reads a DNS query request packet;
a DNS denial-of-service detection module checks whether the packet is an attack; if it is, the packet is dropped, otherwise it is forwarded to the KNI module;
the KNI module forwards the packet through the kernel protocol stack to the DNS resolution program, which resolves the query.
Further, the detection process of the DNS denial-of-service detection module is as follows:
A. Check that the data in the DNS query request packet carries a legal DNS header; if it does not, drop the packet, otherwise go to step B;
B. Extract the DNS query data and check whether the queried domain name lies within the served zone; if it does not, drop the packet, otherwise go to step C;
C. Check the data for a DDoS attack; if an attack is found, perform the block or rate-limit action, otherwise go to step D;
D. Check whether the query rate reaches the configured threshold; if it exceeds the threshold, perform the block or rate-limit action, otherwise go to step E;
E. Forward the packet.
In steps C and D, if the block action is performed, all packets are dropped and, once unblocked, processing continues at step E; if the rate-limit action is performed, part of the packets are dropped so that the query rate stays within the threshold, and when the preset execution time expires the action is lifted and processing continues at step E.
The beneficial effects of the present invention are:
(1) The present invention processes packets in a DPDK application, which raises the per-server processing capacity of the DNS server so that larger DNS denial-of-service attacks can be defended against;
(2) The present invention reduces development and maintenance cost and is low-cost;
(3) The present invention applies different defense actions to an attack and unblocks automatically once the execution time has elapsed.
Brief description of the drawings
Fig. 1 is the flow diagram of the present invention.
Fig. 2 is the workflow diagram of the DNS denial-of-service detection module of the present invention.
Fig. 3 is the flow diagram of an existing DNS denial-of-service attack defense method.
Detailed description of the invention
The present invention is further described below with reference to the drawings and specific embodiments.
As shown in Fig. 2, a DPDK-based DNS denial-of-service attack defense method comprises the following steps:
DPDK reads a DNS query request packet;
a DNS denial-of-service detection module checks whether the packet is an attack; if it is, the packet is dropped, otherwise it is forwarded to the KNI module;
the KNI module forwards the packet through the kernel protocol stack to the DNS resolution program, which resolves the query.
In general, DPDK reads the DNS query request packet from the NIC, and the DNS denial-of-service detection module then checks whether the packet is an attack; if it is, the packet is dropped, otherwise it is forwarded to the KNI module. The KNI module forwards the packet to the kernel protocol stack, which processes it and forwards it to the DNS resolution program. The DNS resolution program parses the request packet, looks up the data, builds the result into a response packet and returns it to the kernel protocol stack; the kernel protocol stack processes the response packet and forwards it to the KNI module; the KNI module processes it and writes the response packet to the NIC, which sends the data to the user.
Further, the detection process of the DNS denial-of-service detection module is as follows:
A. Check that the data in the DNS query request packet carries a legal DNS header; if it does not, drop the packet, otherwise go to step B;
B. Extract the DNS query data and check whether the queried domain name lies within the served zone; if it does not, drop the packet, otherwise go to step C;
C. Check the data for a DDoS attack; if an attack is found, perform the block or rate-limit action, otherwise go to step D;
D. Check whether the query rate reaches the configured threshold; if it exceeds the threshold, perform the block or rate-limit action, otherwise go to step E;
E. Forward the packet.
In steps C and D, if the block action is performed, all packets are dropped and, once unblocked, processing continues at step E; if the rate-limit action is performed, part of the packets are dropped so that the query rate stays within the threshold, and when the preset execution time expires the action is lifted and processing continues at step E.
Before the defense starts, the detection configuration for the domain names in the served zone is set: a message-rate threshold, an execution action and an execution time. The execution action is one of rate-limit, block and normal. When the query rate of a given domain name within a unit of time exceeds the preset threshold, the rate-limit or block action is performed, and it is lifted automatically when the execution time is reached; when an attack is detected, the rate-limit or block action can likewise be performed, and both actions are lifted automatically when the time expires. The "block" action drops every request; the "rate-limit" action keeps the request rate within the threshold, that is, part of the requests are dropped and part are let through. The defense configuration can be customized to actual needs: the message-rate threshold, execution time and so on can be set by the user, who can adjust the defense configuration according to the actual attack situation.
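The detection module described in the summary above, repeated in this section and claimed in claim 2 (steps A to E with the block and rate-limit actions and the timed unblock) can be modelled in plain user-space C without DPDK. The following is an added example, not code from the patent: the DPDK receive path and the KNI hand-off are omitted and packets are byte buffers built by `build_query`; the per-zone configuration values (threshold, action, execution time), the per-second counting window and the `attack_flag` argument, which stands in for the patent's unspecified step-C attack detector, are assumptions.

```c
/* Added example, not code from the patent: a user-space model of the
 * detection module's steps A-E (legal-header check, zone check, attack or
 * rate-threshold check, block / rate-limit action with timed unblock). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { DROP = 0, FORWARD = 1 };
enum action  { ACT_NORMAL, ACT_LIMIT, ACT_BLOCK };  /* the patent's normal / speed-limit / block */

struct zone_cfg {            /* per-zone defence configuration (assumed values, set before defence starts) */
    const char *zone;        /* served zone in dotted form with trailing dot, e.g. "example.com." */
    uint32_t threshold;      /* queries per second allowed before the action triggers (step D) */
    enum action action;      /* action taken in steps C and D */
    uint32_t exec_time;      /* seconds the action stays in force; then automatic unblock */
};
struct zone_state { uint32_t window_start, count, until; };  /* until == 0: no action in force */
#define DNS_HDR_LEN 12

/* Step A: only a well-formed standard query carrying exactly one question passes. */
static int dns_header_ok(const uint8_t *p, size_t len) {
    if (len < DNS_HDR_LEN) return 0;
    uint16_t flags = (uint16_t)((p[2] << 8) | p[3]), qdcount = (uint16_t)((p[4] << 8) | p[5]);
    if (flags & 0x8000) return 0;              /* QR = 1: a response, not a query */
    if (((flags >> 11) & 0xF) != 0) return 0;  /* OPCODE must be QUERY (0) */
    return qdcount == 1;
}

/* Parse the question name at offset 12 into dotted form with a trailing dot. Returns bytes
 * consumed through QTYPE/QCLASS, or -1 on truncation or a compression pointer in the name. */
static int parse_qname(const uint8_t *p, size_t len, char *out, size_t outsz) {
    size_t i = DNS_HDR_LEN, o = 0;
    for (;;) {
        if (i >= len) return -1;
        uint8_t l = p[i++];
        if (l == 0) break;
        if ((l & 0xC0) || i + l > len || o + l + 2 > outsz) return -1;
        memcpy(out + o, p + i, l); o += l; out[o++] = '.'; i += l;
    }
    if (o == 0) { if (outsz < 2) return -1; out[o++] = '.'; }  /* root name */
    out[o] = '\0';
    return (i + 4 <= len) ? (int)(i + 4) : -1;
}

/* Step B: the name is the zone apex or lies below it. */
static int in_zone(const char *qname, const char *zone) {
    size_t ql = strlen(qname), zl = strlen(zone);
    if (ql < zl || strcmp(qname + ql - zl, zone) != 0) return 0;
    return ql == zl || qname[ql - zl - 1] == '.';
}

/* Steps A-E for one packet. `now` is wall-clock seconds; `attack_flag` stands in for the
 * patent's unspecified step-C detector (assumed caller-supplied, 1 = attack detected). */
enum verdict detect(const uint8_t *pkt, size_t len, uint32_t now, int attack_flag,
                    const struct zone_cfg *cfg, struct zone_state *st) {
    char name[256];
    if (!dns_header_ok(pkt, len) || parse_qname(pkt, len, name, sizeof name) < 0)
        return DROP;                                          /* A */
    if (!in_zone(name, cfg->zone)) return DROP;               /* B */
    if (st->until && now >= st->until) st->until = 0;         /* execution time expired: unblock */
    if (now != st->window_start) { st->window_start = now; st->count = 0; }
    st->count++;                                              /* queries seen this second */
    if (!st->until && cfg->action != ACT_NORMAL
        && (attack_flag || st->count > cfg->threshold))       /* C, D */
        st->until = now + cfg->exec_time;
    if (st->until) {
        if (cfg->action == ACT_BLOCK) return DROP;            /* block: drop every request */
        if (st->count > cfg->threshold) return DROP;          /* limit: drop only the excess */
    }
    return FORWARD;                                           /* E: hand to KNI / resolver */
}

/* Constructed test input: a minimal A/IN query for `name` (dotted; trailing dot optional). */
int build_query(const char *name, uint8_t *buf, size_t bufsz) {
    if (bufsz < DNS_HDR_LEN + 5) return -1;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = 0x12; buf[1] = 0x34; buf[2] = 0x01; buf[5] = 1;  /* ID, RD = 1, QDCOUNT = 1 */
    size_t o = DNS_HDR_LEN;
    for (const char *s = name; *s; ) {
        const char *dot = strchr(s, '.');
        size_t l = dot ? (size_t)(dot - s) : strlen(s);
        if (l == 0 || l > 63 || o + 1 + l + 5 > bufsz) return -1;
        buf[o++] = (uint8_t)l; memcpy(buf + o, s, l); o += l;
        s += l + (dot ? 1 : 0);
    }
    buf[o++] = 0; buf[o++] = 0; buf[o++] = 1; buf[o++] = 0; buf[o++] = 1;  /* root, QTYPE A, QCLASS IN */
    return (int)o;
}

int main(void) {
    uint8_t pkt[512];
    int n = build_query("www.example.com.", pkt, sizeof pkt);
    struct zone_cfg cfg = { "example.com.", 100, ACT_BLOCK, 60 };
    struct zone_state st = { 0, 0, 0 };
    int forwarded = 0;
    for (int i = 0; i < 1000; i++)                            /* 1000-query burst in one second */
        forwarded += detect(pkt, (size_t)n, 1000, 0, &cfg, &st) == FORWARD;
    printf("burst: %d of 1000 forwarded, blocked until t=%u\n", forwarded, st.until);
    printf("t=1060: %s\n", detect(pkt, (size_t)n, 1060, 0, &cfg, &st) == FORWARD ? "forwarded" : "dropped");
    return 0;
}
```

Run as written, `main` floods one second with 1000 queries for `www.example.com.` against a threshold of 100 with the block action: the first 100 are forwarded, the 101st trips the block, the rest are dropped, and a query at t=1060, after the 60-second execution time, is forwarded again. The rate is counted per zone here, so a legitimate client is throttled together with the flood; the patent configures the threshold per domain name, and keying `zone_state` by queried name or by source address is the obvious refinement.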
The present invention uses DPDK features such as poll-mode packet reception, caching, huge-page memory management and lock-free mechanisms to raise the per-server processing capacity of the DNS server to the ten-million level, so that larger DNS denial-of-service attacks can be defended against while, compared with the prior art, a large amount of development and maintenance cost is saved.
In this text: DNS (Domain Name System) is the domain name system; DDoS (Distributed Denial of Service) is a distributed denial-of-service attack; DPDK (Data Plane Development Kit) is the data plane development kit; KNI (Kernel NIC Interface) is an interface for exchanging packets with the kernel protocol stack; an IP address (Internet Protocol Address) is an Internet protocol address; a NIC (Network Interface Controller) is the network adapter, commonly called the network card; Unix is an existing computer operating system with multitasking and multi-user features.
At present there are also implementations of the DNS denial-of-service attack detection program as a kernel module, with attack detection and defense performed inside the kernel module. Compared with the method of the present invention, developing a kernel module is far more complex and the cost of later maintenance is far higher; although this gives some improvement in DNS denial-of-service detection performance, it still falls some way short of the performance of the present invention.
The above are only preferred embodiments of the present invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (2)
1. A DPDK-based DNS denial-of-service attack defense method, characterized in that it comprises the following steps:
DPDK reads a DNS query request packet;
a DNS denial-of-service detection module checks whether the packet is an attack; if it is, the packet is dropped, otherwise it is forwarded to the KNI module;
the KNI module forwards the packet through the kernel protocol stack to the DNS resolution program, which resolves the query.
2. The DPDK-based DNS denial-of-service attack defense method according to claim 1, characterized in that the detection process of the DNS denial-of-service detection module is as follows:
A. Check that the data in the DNS query request packet carries a legal DNS header; if it does not, drop the packet, otherwise go to step B;
B. Extract the DNS query data and check whether the queried domain name lies within the served zone; if it does not, drop the packet, otherwise go to step C;
C. Check the data for a DDoS attack; if an attack is found, perform the block or rate-limit action, otherwise go to step D;
D. Check whether the query rate reaches the configured threshold; if it exceeds the threshold, perform the block or rate-limit action, otherwise go to step E;
E. Forward the packet.
In steps C and D, if the block action is performed, all packets are dropped and, once unblocked, processing continues at step E; if the rate-limit action is performed, part of the packets are dropped so that the query rate stays within the threshold, and when the preset execution time expires the action is lifted and processing continues at step E.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610550587.2A (CN106209852A) | 2016-07-13 | 2016-07-13 | A DPDK-based DNS denial-of-service attack defense method |
Applications Claiming Priority (1): the same application, CN201610550587.2A.
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106209852A | 2016-12-07 |
Family ID: 57478136
Family Applications (1): CN201610550587.2A, pending, priority and filing date 2016-07-13.
Country Status (1): CN, CN106209852A (en).
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090037592A1 (en) | 2004-10-01 | 2009-02-05 | Prolexic Technologies, Inc. | Network overload detection and mitigation system and method |
| CN101572701A (en) | 2009-02-10 | 2009-11-04 | 中科正阳信息安全技术有限公司 | Security gateway system for resisting DDoS attack for DNS service |
| CN102882881A (en) | 2012-10-10 | 2013-01-16 | 常州大学 | Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service |
| CN105657745A (en) | 2015-12-31 | 2016-06-08 | 西安抱朴通信科技有限公司 | Method, device and system for realizing data service |
Non-Patent Citations (1)
- DIVLEE130, "DPDK简介 (Introduction to DPDK) - divlee的博客 (divlee's blog)", 8 July 2015
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018130137A1 (en) | 2017-01-10 | 2018-07-19 | 贵州白山云科技有限公司 | Method and apparatus for defending against network attacks, medium and device |
| WO2020143119A1 (en) | 2019-01-08 | 2020-07-16 | 深圳大学 | Method, device and system for defending internet of things against ddos attack, and storage medium |
| CN111147391A (en) | 2019-12-05 | 2020-05-12 | 深圳市任子行科技开发有限公司 | Data transmission method and system between DPDK user mode and linux kernel network protocol stack |
| CN111147391B (en) | 2019-12-05 | 2023-04-07 | 深圳市任子行科技开发有限公司 | Data transmission method and system between DPDK user mode and linux kernel network protocol stack |
| CN111107081A (en) | 2019-12-17 | 2020-05-05 | 互联网域名系统北京市工程研究中心有限公司 | DPDK-based multi-process DNS service method and system |
| CN111107081B (en) | 2019-12-17 | 2022-01-11 | 深圳网基科技有限公司 | DPDK-based multi-process DNS service method and system |
| CN111371920A (en) | 2020-03-16 | 2020-07-03 | 广州根链国际网络研究院有限公司 | DNS front-end analysis method and system |
| CN111371804A (en) | 2020-03-16 | 2020-07-03 | 广州根链国际网络研究院有限公司 | DNS (Domain name Server) back-end forwarding method and system |
| CN111835729A (en) | 2020-06-15 | 2020-10-27 | 东软集团股份有限公司 | Message forwarding method, system, storage medium and electronic equipment |
| CN111835729B (en) | 2020-06-15 | 2022-08-02 | 东软集团股份有限公司 | Message forwarding method, system, storage medium and electronic equipment |
| CN112134845A (en) | 2020-08-20 | 2020-12-25 | 广东网堤信息安全技术有限公司 | Rejection service system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 2016-12-07 |