CN108667782B - DDoS attack defense method and system for DNS service - Google Patents


Info

Publication number
CN108667782B
Authority
CN
China
Prior art keywords
dns
domain name
specified level
access target
blacklist
Prior art date
Legal status
Active
Application number
CN201710213718.2A
Other languages
Chinese (zh)
Other versions
CN108667782A (en)
Inventor
符立佳
苗辉
Current Assignee
Guizhou Baishancloud Technology Co Ltd
Original Assignee
Guizhou Baishancloud Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Guizhou Baishancloud Technology Co Ltd
Priority to CN201710213718.2A
Publication of CN108667782A
Application granted
Publication of CN108667782B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The invention discloses a DDoS attack defense method and system for DNS service. The method comprises: step 1, receiving a DNS request message containing the domain name of the access target; step 2, extracting the parent domain of a specified level of that domain name from the DNS request message; step 3, judging whether the number of DNS requests pointing to that parent domain within a first predetermined time period is larger than a preset first threshold; if so, discarding the DNS request and adding the parent domain of the specified level to a blacklist, and if not, forwarding the DNS request pointing to that parent domain to the DNS server. The method and system give the DNS system a better basis for judging an attack and defend against it more effectively.

Description

DDoS attack defense method and system for DNS service
Technical Field
The invention relates to the field of wireless network communication, in particular to a DDoS attack defense method and system for DNS service.
Background
DNS (Domain Name System) is a distributed database on the Internet that maps domain names to IP addresses, letting users reach Internet resources more conveniently. Domain name resolution is the service that directs a domain name to an IP address, so that a website can be reached through its registered domain name. Resolution is carried out by a DNS server, which converts a domain name into the IP address corresponding to it.
A DoS (Denial of Service) attack is an attack intended to prevent a computer or network from providing its normal service. The most common DoS attacks are network bandwidth attacks and connectivity attacks. A DoS attack deliberately exploits defects in the implementation of network protocols, or directly and by brute force exhausts the resources of the attacked object, so that the target computer or network can no longer provide normal service or resource access and the target system stops responding or even crashes; such attacks do not involve intrusion into the target server or network device. The service resources concerned include network bandwidth, file system capacity, open processes and permitted connections. Such attacks cause resource exhaustion, and their consequences cannot be avoided however fast the computer's processor, however large its memory and however wide its network bandwidth.
A DDoS (Distributed Denial of Service) attack uses a client/server architecture to combine many computers into a single attack platform and launch denial-of-service attacks on one or more targets, multiplying the power of the attack. Typically, an attacker installs a DDoS master on a computer using a stolen account; at a set time the master communicates with a large number of agents that have been installed on many computers across the network, and each agent launches the attack on receiving the instruction. With client/server technology, the master can activate hundreds or thousands of agents within a few seconds.
Compared with a DoS attack, a DDoS attack multiplies the power of the denial of service. Because each puppet machine issues only a small, reasonable-looking number of DNS requests and the attack pattern is irregular, the sources of a DDoS attack are hard to determine, so DDoS attacks are hard to defend against.
Therefore, a need exists for a method and system that is effective against DDoS attacks.
Disclosure of Invention
In order to solve the problem of defending DDoS attacks in the prior art, a DDoS attack defense method and system for DNS service are provided.
According to an aspect of the present invention, there is provided a DDoS attack defense method for DNS service, the method including:
step 1, receiving a DNS request message including access target domain name information;
step 2, extracting a parent domain of the specified level of the access target domain name from the DNS request message;
step 3, judging whether the number of DNS requests pointing to the parent domain of the specified level within a first predetermined time period is larger than a preset first threshold, if so, discarding the DNS request and adding the parent domain of the specified level to a blacklist, and if not, forwarding the DNS request pointing to the parent domain of the specified level to a DNS server.
Wherein the method further comprises:
the following steps are performed between step 1 and step 2:
and judging whether the domain name of the access target is in a domain name white list, if so, forwarding a DNS request comprising the domain name of the access target to a DNS server, and if not, executing the step 2.
Wherein the method further comprises:
the following steps are also performed between step 2 and step 3:
and judging whether the parent domain of the specified level in the access target domain name information is in the blacklist or not, if so, discarding the DNS request, and if not, executing the step 3.
Wherein the step 3 comprises: and when the DNS request number pointing to the parent domain of the specified level in a first preset time length is judged to be larger than a preset first threshold value, adding the characteristic character string representing the parent domain of the specified level into the blacklist.
Wherein the method further comprises:
the following steps are also performed between step 2 and step 3:
and judging whether the number of the DNS requests of the domain name of the access target, which are received within a second preset time length and are not in the white list, is larger than a preset second threshold value, and if so, discarding the DNS request.
Judging whether the parent domain of the specified level in the access target domain name information is in the blacklist can be done in either of two modes:
in a first mode, the DNS request message is parsed and it is determined whether the access target domain name information contains a characteristic character string present in the blacklist; if so, the parent domain of the specified level in the access target domain name information is judged to be in the blacklist;
in a second mode, the binary string of the DNS request message is compared with the binary string of each blacklist entry to determine whether the message's binary string contains the entry's binary string; if so, the parent domain of the specified level in the access target domain name information is judged to be in the blacklist.
According to another aspect of the present invention, there is provided a DDoS attack defense system for DNS service, the system including:
the receiving module is used for receiving a DNS request message including access target domain name information;
an extraction module, configured to extract a parent domain of a specified level of the access target domain name from the DNS request message;
and a defense module, configured to judge whether the number of DNS requests pointing to the parent domain of the specified level within a first predetermined time period is larger than a preset first threshold, to discard the DNS request and add the parent domain of the specified level to a blacklist if it is, and to forward the DNS request pointing to the parent domain of the specified level to the DNS server if it is not larger than the preset first threshold.
Wherein the defense module is further to:
after the receiving module receives a DNS request message including information of an access target domain name and before the extracting module extracts a parent domain of a specified level of the access target domain name from the DNS request message, judging whether the domain name of the access target is in a domain name white list, if so, forwarding the DNS request including the domain name of the access target to a DNS server.
Wherein the defense module is further to:
after the extraction module extracts the parent domain of the specified level of the access target domain name from the DNS request message, before judging whether the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, judging whether the parent domain of the specified level in the access target domain name information is in the blacklist, and if so, discarding the DNS request.
The defense module is further configured to add a characteristic character string representing the parent domain of the specified level to the blacklist when it is judged that the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold.
Wherein the defense module is further to:
after the extraction module extracts the parent domain of the specified level of the access target domain name from the DNS request message, before judging whether the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, judging whether the number of DNS requests received within a second predetermined time period, for which the domain name of the access target is not in the white list, is greater than a preset second threshold, and if so, discarding the DNS request.
The defense module is further configured to determine whether a parent domain of a specified level in the access target domain name information is in the blacklist by:
in a first mode, after the DNS request message is parsed, it is determined whether the access target domain name information includes a characteristic character string existing in the blacklist, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist;
in a second mode, the binary character string in the DNS request message is compared with the binary character string of the blacklist character string to determine whether the binary character string in the DNS request message includes the binary character string of the blacklist character string, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist.
The DDoS attack defense method and system decide whether to intercept DNS requests pointing to an access target by counting the number of DNS requests pointing to that target. Thus, even if each puppet machine issues only a small and reasonable number of DNS requests, the DDoS attack can be defended against effectively. In addition, DNS requests are managed through the white list and the black list, so whether a request should be forwarded can be decided quickly, improving the timeliness of processing.
The invention treats the parent domain of the specified level as the target of the attack behaviour, which gives finer statistical granularity and so supports better attack judgement by the DNS system and more effective defense.
Specifically, the blacklist is formed by extracting a characteristic character string of the designated parent domain and is used as the basis for forwarding or discarding DNS requests, so that the impact on domain names that are not attack targets is minimised during processing; compared with the prior-art scheme of discarding a fixed percentage of DNS requests, which loses service, the processing is more accurate and has no impact on service. In addition, the patent provides two methods for discarding DNS requests containing a specified character string; the binary-comparison scheme is efficient and practical, its processing efficiency being 500 times that of general DNS software and 20 times that of a software firewall.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a diagram illustrating exemplary relationships between hierarchy domains;
FIG. 2 is a flow chart of a DDoS attack defense method for DNS services according to the present invention;
fig. 3 is a block diagram of a DDoS attack defense system for DNS services according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
To explain domain name levels, fig. 1 shows a schematic diagram of the levels of the respective domain names. In it, A represents the unnamed root of the tree, B the top-level domains, C the second-level domains, D the generic domains and E the country domains; ae denotes the United Arab Emirates and zw denotes Zimbabwe. The domain name of sun is sun.tuc.noao.edu, that of cnri is cnri.reston.va.us, and that of 33 is 33.13.252.140.in-addr.arpa.
The invention provides a DDoS attack defense method for DNS service, as shown in FIG. 2, the method comprises:
step 201, receiving a DNS request message including access target domain name information;
step 202, extracting a parent domain with an appointed level for accessing a target domain name from a DNS request message;
step 203, judging whether the number of the DNS requests pointing to the parent domain of the specified level within the first predetermined time is greater than a preset first threshold, if so, discarding the DNS request and adding the parent domain of the specified level to a blacklist, and if not, forwarding the DNS request pointing to the parent domain of the specified level to a DNS server.
The minimum value of the first predetermined time period is 20 ms; by default it is 1 s. The preset first threshold can be obtained by counting the normal access volume of regular service: it is 5 times the average number of requests per first predetermined time period, taken over one week and over all domain names.
The following steps may also be included between steps 201 and 202: and judging whether the domain name of the access target is in a domain name white list, if so, forwarding a DNS request comprising the domain name of the access target to a DNS server, and if not, executing the step 202. That is, before determining whether the number of DNS requests directed to a parent domain at a specified level is greater than a preset first threshold, it is first determined whether a domain name of an access target included in the DNS request message is in a domain name white list, and if the domain name is in the domain name white list, the domain name is forwarded to the DNS server, so as to ensure that the domain names in the domain name white list can be normally resolved. The domain name white list is a static configuration file defined by maintenance personnel, and manual operation is required if content is changed.
The following steps may also be included between steps 202 and 203: and judging whether the parent domain of the specified level in the access target domain name information is in the blacklist or not, if so, discarding the DNS request, and if not, executing the step 203. That is, when it is determined that the parent domain of the specified level is in the blacklist, the DNS request is directly discarded without being forwarded to the DNS server. The blacklist is a static configuration file, the blacklist is empty under the conventional condition, and the character strings added into the blacklist in the attack process need to be manually deleted after being manually judged.
Judging whether the parent domain of the specified level in the access target domain name information is in the blacklist can be done in either of two ways:
after the DNS request message is parsed, judging whether the access target domain name information contains a characteristic character string present in the blacklist, and if so, judging that the parent domain of the specified level in the access target domain name information is in the blacklist;
or comparing the binary string of the DNS request message with the binary string of each blacklist entry to judge whether the message's binary string contains the entry's binary string, and if so, judging that the parent domain of the specified level in the access target domain name information is in the blacklist.
Step 203 further comprises: and when the DNS request number pointing to the parent domain of the specified level in a first preset time length is judged to be larger than a preset first threshold value, adding the characteristic character string representing the parent domain of the specified level into the blacklist.
In addition, the following step may be included between steps 202 and 203: judging whether the number of DNS requests received within a second predetermined time period whose access target domain name is not in the white list is larger than a preset second threshold, and if so, discarding the DNS request. That is, it is determined whether the total volume of DNS requests for non-whitelisted domain names within the period exceeds a preset threshold; if that volume exceeds the processing capacity of the DNS server for the period, the DNS requests received within the period are discarded. The minimum value of the second predetermined time period is 20 ms; by default it is 1 s. The preset second threshold may likewise be obtained by counting the normal access volume of regular service, as 5 times the average number of requests per second predetermined time period over one week and all domain names, or it may be set from the processing capacity of the DNS server: for example, if the server can process at most 2000 DNS requests per second, the second predetermined time period is 1 s and the preset second threshold is 2000.
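The decision pipeline of steps 201 to 203 together with the optional white-list, blacklist and second-threshold checks, as an added example that is not the patent's own code. The window length, the thresholds, the white-listed name and the simulated puppet traffic are all assumptions chosen for the demonstration; the threshold derivation follows the rule stated above (5 times the per-window average over a week of normal traffic).

```python
# Added example, not the patent's code. Window lengths, thresholds, names and the
# simulated traffic below are assumptions for the demo.
from collections import deque, defaultdict


def parent_domain(name, level):
    """Parent domain of `name` with `level` labels (level 3 of '1.www.a.com' is
    'www.a.com'); a name with fewer labels than `level` is returned whole."""
    labels = name.rstrip('.').lower().split('.')
    return '.'.join(labels[-level:])


def first_threshold(weekly_counts_per_window, factor=5):
    """Threshold as the patent derives it: `factor` times the mean request count
    per window observed over a week of normal traffic across all domain names."""
    return factor * sum(weekly_counts_per_window) / len(weekly_counts_per_window)


class SlidingCounter:
    """Counts events within the trailing `window` seconds (caller supplies times)."""

    def __init__(self, window):
        self.window = window
        self.events = deque()

    def add(self, t):
        self.events.append(t)
        cutoff = t - self.window
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()
        return len(self.events)


class DnsDefense:
    def __init__(self, level=3, window=1.0, threshold1=100, threshold2=2000,
                 whitelist=()):
        self.level = level
        self.threshold1 = threshold1      # per parent domain (step 203)
        self.threshold2 = threshold2      # all non-whitelisted requests
        self.whitelist = set(whitelist)   # static, maintained by operators
        self.blacklist = set()            # empty until an attack is detected
        self.per_parent = defaultdict(lambda: SlidingCounter(window))
        self.non_whitelisted = SlidingCounter(window)

    def handle(self, qname, t):
        """Return 'forward' or 'drop' for a query of `qname` arriving at time t."""
        qname = qname.rstrip('.').lower()
        if qname in self.whitelist:                 # between steps 201 and 202
            return 'forward'
        parent = parent_domain(qname, self.level)   # step 202
        if parent in self.blacklist:                # between steps 202 and 203
            return 'drop'
        if self.non_whitelisted.add(t) > self.threshold2:   # second threshold
            return 'drop'
        if self.per_parent[parent].add(t) > self.threshold1:  # step 203
            self.blacklist.add(parent)
            return 'drop'
        return 'forward'


def simulate():
    """Constructed traffic: 200 puppets each send one query for a distinct
    subdomain of qq.bbbcdn.com within 0.4 s, plus two benign queries."""
    d = DnsDefense(level=3, window=1.0, threshold1=50, threshold2=2000,
                   whitelist=['www.example.org'])
    results = {'forward': 0, 'drop': 0}
    for i in range(200):
        results[d.handle(f'{1000 + i}.qq.bbbcdn.com', i * 0.002)] += 1
    other = d.handle('cdn.static.example.net', 0.5)   # different parent: unaffected
    white = d.handle('www.example.org', 0.5)          # whitelisted: always forwarded
    return results, sorted(d.blacklist), other, white


if __name__ == '__main__':
    print(simulate())
```

Only the first 50 puppet queries reach the DNS server; the 51st pushes the per-parent count over the threshold, qq.bbbcdn.com is blacklisted, and every later query under it is dropped by the blacklist check without touching the counters, while names under other parent domains and white-listed names are still forwarded. Note that with a 1 s window and a 20 ms minimum, the blacklist entry persists until an operator removes it, as the description states; the counters themselves age out on their own.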
The parent domain referred to above is explained below. Every domain name has a parent domain. The domain name in a request may be of any level; in practice five- to seven-level names are the most representative, and the third-level parent domain is, by statistics over current DDoS attacks, the level at which attack targets share a common parent. In other words, when the specified level is set to the third level, the extracted parent domain is the one that attacks actually concentrate on. Concretely:
the domain name aaacdn.qq.bbbcdn.com has the level-3 parent domain qq.bbbcdn.com;
and the DNS messages of a typical attack all point at qq.bbbcdn.com, for example:
1111.qq.bbbcdn.com;
1112.qq.bbbcdn.com;
1113.qq.bbbcdn.com.
The parent domain of the specified level is configured at program startup; the specified level is set to the level most likely to be attacked, taking the lowest such level.
It should be noted that the parent domain of the specified level in the above method is the domain name of the parent domain to which the access target belongs, for example, if the domain name of the access target is 1.www.a.com, then the third-level domain name of the parent domain to which the access target belongs is www.a.com. Of course, other level domains may be selected in addition to the level three domain.
Specifically, for example, the domain name of the access target in the DNS request is 1.www.a.com, and the domain name is represented in the form of a character string. When a parent domain of a specified level (e.g., a tertiary domain name) is extracted, a character string representing www.a.com is extracted. If the number of DNS requests including the www.a.com string within the first predetermined length of time exceeds a preset first threshold, the DNS requests are discarded without being forwarded to the DNS server, and the string www.a.com is written to the blacklist. When the system is under DDoS attack, as long as the access target information of the DNS request comprises the character string www.a.com, the DNS request is discarded and is not forwarded.
In addition, when selecting the characteristic character string, the string representing the domain name of the parent domain to which the access target belongs is normally selected. This takes account of a characteristic of DDoS attacks: the puppet machines usually spread their requests over many distinct names under the attack target, so statistics on the parent domain of the access target identify the target accurately and allow the attack to be blocked. The characteristic string of the parent domain is extracted as follows: extraction starts at the first character of the designated parent domain, i.e. immediately after the "." that separates it from the lower-level labels, and ends at the end of the domain name.
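The two blacklist-matching modes described above (parsed-string comparison and binary comparison against the raw message), as an added example that is not the patent's own code. The DNS query packets are constructed in the block for the demonstration; the level-3 choice and the blacklist entries are assumptions. The binary mode encodes the blacklist entry in DNS wire format (length-prefixed labels) and searches the raw bytes, which is what makes it cheaper than parsing; the block also shows a side effect of that shortcut.

```python
# Added example, not the patent's code. Packets and names are constructed here.
import struct


def encode_name(name):
    """DNS wire form of a name: length-prefixed labels. The 0x00 terminator is
    left off so the result can be matched as a suffix inside a longer name."""
    return b''.join(bytes([len(l)]) + l.encode('ascii')
                    for l in name.rstrip('.').split('.'))


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: header (RD set, one question), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + b'\x00' + struct.pack('!HH', qtype, 1)


def parse_qname(packet):
    """Decode the first question's QNAME, lower-cased (DNS names are
    case-insensitive). Raises ValueError on truncation; compression pointers
    are not valid in a question and are rejected."""
    if len(packet) < 12:
        raise ValueError('short header')
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError('truncated name')
        n = packet[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError('compression pointer in question')
        pos += 1
        if pos + n > len(packet):
            raise ValueError('truncated label')
        labels.append(packet[pos:pos + n].decode('ascii').lower())
        pos += n
    return '.'.join(labels)


def parent_domain(name, level):
    labels = name.rstrip('.').lower().split('.')
    return '.'.join(labels[-level:])


def blacklisted_parsed(packet, blacklist, level=3):
    """Mode 1: parse the message, extract the specified-level parent, look it up."""
    return parent_domain(parse_qname(packet), level) in blacklist


def blacklisted_binary(packet, blacklist_wire):
    """Mode 2: no parsing; search the raw bytes for a wire-encoded entry followed
    by the 0x00 terminator, so 'www.a.com' does not hit inside 'www.a.com.evil.net'."""
    return any(entry + b'\x00' in packet for entry in blacklist_wire)


if __name__ == '__main__':
    wire = [encode_name('www.a.com')]
    for q in ('1.www.a.com', 'www.a.com.evil.net', '1.WWW.A.COM'):
        pkt = build_query(q)
        print(q, blacklisted_parsed(pkt, {'www.a.com'}), blacklisted_binary(pkt, wire))
```

The third query shows the caveat a practitioner would want: DNS names are case-insensitive, so the parsed mode matches 1.WWW.A.COM against the blacklist entry, but a byte-for-byte search does not, since the wire bytes differ in case. A deployment relying on the binary mode needs either case-folded entries for every case variant or a case-folding pass over the label bytes before the comparison; otherwise mixed-case queries bypass the blacklist.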
The present invention also provides a DDoS attack defense system for DNS service, as shown in fig. 3, the system includes:
a receiving module 301, configured to receive a DNS request packet including access target domain name information;
an extracting module 302, configured to extract the parent domain of the specified level of the access target domain name from the DNS request packet;
the defense module 303 is configured to determine whether the number of DNS requests pointing to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, discard the DNS request and add the parent domain of the specified level to a blacklist if the number of DNS requests pointing to the parent domain of the specified level is greater than the preset first threshold, and forward the DNS request pointing to the parent domain of the specified level to the DNS server if the number of DNS requests pointing to the parent domain of the specified level is not greater than the preset first threshold.
Wherein the defense module 303 is further configured to: after the receiving module 301 receives the DNS request packet including the access target domain name information, and before the extracting module 302 extracts the parent domain of the specified level of the access target domain name from the DNS request packet, it determines whether the domain name of the access target is in a domain name white list, and if so, forwards the DNS request including the domain name of the access target to a DNS server.
Wherein the defense module 303 is further configured to: after the extracting module 302 extracts the parent domain of the specified level of the access target domain name from the DNS request message, before determining whether the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, it is determined whether the parent domain of the specified level in the access target domain name information is in the blacklist, and if so, the DNS request is discarded.
The defense module 303 is further configured to add a characteristic character string representing the parent domain of the specified level to the blacklist when it is determined that the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold.
Wherein the defense module 303 is further configured to: after the extracting module 302 extracts the parent domain of the specified level of the access target domain name from the DNS request message, before determining whether the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, it is determined whether the number of DNS requests received within a second predetermined time period that the domain name of the access target is not in the white list is greater than a preset second threshold, and if so, the DNS request is discarded.
The defense module 303 is further configured to determine whether a parent domain of a specified level in the access target domain name information is in the blacklist by:
in a first mode, after the DNS request message is parsed, it is determined whether the access target domain name information includes a characteristic character string existing in the blacklist, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist;
in a second mode, the binary character string in the DNS request message is compared with the binary character string of the blacklist character string to determine whether the binary character string in the DNS request message includes the binary character string of the blacklist character string, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist.
Wherein, the parent domain of the specified level is a third-level domain name.
The above-described aspects may be implemented individually or in various combinations, and such variations are within the scope of the present invention.
It is to be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, so that an article or apparatus including a series of elements includes not only those elements but also other elements not explicitly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the article or device comprising the element.
The above embodiments merely illustrate the technical solutions of the present invention and do not limit it; the invention has been described in detail with reference to the preferred embodiments. Those skilled in the art will understand that various modifications and equivalent arrangements may be made without departing from the spirit and scope of the present invention, the scope of which is defined by the appended claims.

Claims (12)

1. A DDoS attack defense method for DNS services, the method comprising:
step 1, receiving a DNS request message including access target domain name information;
step 2, extracting a parent domain of the specified level of the access target domain name from the DNS request message;
step 3, judging whether the number of DNS requests pointing to the parent domain of the specified level within a first preset time is larger than a preset first threshold value, if so, discarding the DNS requests and adding the parent domain of the specified level to a blacklist, and if not, forwarding the DNS requests pointing to the parent domain of the specified level to a DNS server;
wherein the specified level is the level of domain name that is statistically found to be common among attack targets.
2. The method of claim 1, wherein the method further comprises:
the following steps are performed between step 1 and step 2:
judging whether the access target domain name is in a domain name white list; if so, forwarding the DNS request including the access target domain name to a DNS server, and if not, executing step 2.
3. The method of claim 1, wherein the method further comprises:
the following steps are also performed between step 2 and step 3:
judging whether the parent domain of the specified level in the access target domain name information is in the blacklist; if so, discarding the DNS request, and if not, executing step 3.
4. The method of claim 3,
step 3 comprises: when the number of DNS requests pointing to the parent domain of the specified level within the first preset time length is judged to be larger than the preset first threshold value, adding the characteristic character string representing the parent domain of the specified level to the blacklist.
5. The method of claim 2, wherein the method further comprises:
the following steps are also performed between step 2 and step 3:
judging whether the number of DNS requests received within a second preset time length whose access target domain name is not in the white list is larger than a preset second threshold value, and if so, discarding the DNS request.
6. The method of claim 3,
judging whether the parent domain of the specified level in the access target domain name information is in the blacklist comprises the following two modes:
in a first mode, after the DNS request message is parsed, it is determined whether the access target domain name information includes a characteristic character string existing in the blacklist, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist;
in a second mode, the binary character string in the DNS request message is compared with the binary character string of the blacklist character string to determine whether the binary character string in the DNS request message includes the binary character string of the blacklist character string, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist.
7. A DDoS attack defense system for DNS services, the system comprising:
a receiving module, configured to receive a DNS request message including access target domain name information;
an extraction module, configured to extract a parent domain of a specified level of the access target domain name from the DNS request message;
a defense module, configured to judge whether the number of DNS requests pointing to the parent domain of the specified level within a first preset time length is larger than a preset first threshold value, and if so, discard the DNS requests and add the parent domain of the specified level to a blacklist, and if not, forward the DNS requests pointing to the parent domain of the specified level to a DNS server;
wherein the specified level is the level of domain name that is statistically found to be common among attack targets.
8. The system of claim 7, wherein the defense module is further to:
after the receiving module receives a DNS request message including information of an access target domain name and before the extracting module extracts a parent domain of a specified level of the access target domain name from the DNS request message, judging whether the domain name of the access target is in a domain name white list, if so, forwarding the DNS request including the domain name of the access target to a DNS server.
9. The system of claim 7, wherein the defense module is further to:
after the extraction module extracts the parent domain of the specified level of the access target domain name from the DNS request message, before judging whether the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, judging whether the parent domain of the specified level in the access target domain name information is in the blacklist, and if so, discarding the DNS request.
10. The system of claim 9,
the defense module is further used for adding the characteristic character string representing the parent domain of the specified level to the blacklist when judging that the number of the DNS requests pointing to the parent domain of the specified level in a first preset time length is larger than a preset first threshold value.
11. The system of claim 8, wherein the defense module is further to:
after the extraction module extracts the parent domain of the specified level of the access target domain name from the DNS request message, before judging whether the number of DNS requests directed to the parent domain of the specified level within a first predetermined time period is greater than a preset first threshold, judging whether the number of DNS requests received within a second predetermined time period, for which the domain name of the access target is not in the white list, is greater than a preset second threshold, and if so, discarding the DNS request.
12. The system of claim 10,
the defense module is further configured to determine whether a parent domain of a specified level in the access target domain name information is in the blacklist by:
in a first mode, after the DNS request message is parsed, it is determined whether the access target domain name information includes a characteristic character string existing in the blacklist, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist;
in a second mode, the binary character string in the DNS request message is compared with the binary character string of the blacklist character string to determine whether the binary character string in the DNS request message includes the binary character string of the blacklist character string, and if so, it is determined that the parent domain of the specified level in the access target domain name information is in the blacklist.
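The claimed pipeline (claims 1 to 4 and both blacklist-matching modes of claim 6), as an added example in Python that is not the patent's own code; the DNS wire-format helpers, the `DnsDefense` class, the thresholds, window lengths and sample domain names are assumptions made for illustration. It counts requests per parent domain of the specified level inside a sliding window, blacklists the parent once the first threshold is exceeded, and checks the blacklist either against the parsed name (mode 1) or against the raw message bytes (mode 2).

```python
from collections import defaultdict, deque

def encode_name(name):
    """RFC 1035 wire form of a name: length-prefixed labels plus a zero terminator."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """Constructed sample input: a minimal A/IN query (header with RD set and QDCOUNT=1, then the question)."""
    return qid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + encode_name(name) + b"\x00\x01\x00\x01"

def parse_qname(msg):
    """QNAME of the first question, which starts right after the 12-byte header."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return ".".join(labels)

def parent_domain(name, level):
    return ".".join(name.split(".")[-level:])   # level 2: a.b.example.com -> example.com

class DnsDefense:
    def __init__(self, level=2, window=1.0, threshold=100, whitelist=(), binary=False):
        self.level, self.window, self.threshold, self.binary = level, window, threshold, binary
        self.whitelist, self.blacklist, self.blacklist_wire = set(whitelist), set(), []  # names (mode 1), wire strings (mode 2)
        self.seen = defaultdict(deque)    # parent domain -> timestamps inside the first window

    def handle(self, msg, now):
        """Return 'forward' or 'drop' for one DNS request message received at time now."""
        name = parse_qname(msg)                        # step 1: the received request, parsed
        if name in self.whitelist:                     # claim 2: whitelisted target is always forwarded
            return "forward"
        parent = parent_domain(name, self.level)       # step 2
        if self.binary:   # claim 6 mode 2: compare raw message bytes with the blacklist bytes
            hit = any(p in msg for p in self.blacklist_wire)
        else:             # claim 6 mode 1: compare the parsed parent domain
            hit = parent in self.blacklist
        if hit:                                        # claim 3
            return "drop"
        q = self.seen[parent]                          # step 3: requests to this parent in the window
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.blacklist.add(parent)                 # claim 4: store the feature string in both forms
            self.blacklist_wire.append(encode_name(parent))
            return "drop"
        return "forward"
```

In mode 2 the wire-format feature string carries its label length prefix and terminator, so `victim.net` does not match `notvictim.net`; because the raw comparison scans the whole message, bytes outside the question section are matched as well.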
CN201710213718.2A 2017-04-01 2017-04-01 DDoS attack defense method and system for DNS service Active CN108667782B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710213718.2A CN108667782B (en) 2017-04-01 2017-04-01 DDoS attack defense method and system for DNS service

Publications (2)

Publication Number Publication Date
CN108667782A CN108667782A (en) 2018-10-16
CN108667782B true CN108667782B (en) 2021-03-23

Family

ID=63783822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710213718.2A Active CN108667782B (en) 2017-04-01 2017-04-01 DDoS attack defense method and system for DNS service

Country Status (1)

Country Link
CN (1) CN108667782B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110445779B (en) * 2019-08-02 2021-08-17 深圳互联先锋科技有限公司 Automatic protection method and system for DNS system under attack
CN110581842B (en) * 2019-08-19 2022-07-19 网宿科技股份有限公司 DNS request processing method and server
CN116155545B (en) * 2022-12-21 2023-08-04 广东天耘科技有限公司 Dynamic DDos defense method and system using multi-way tree and honey pot system architecture

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984178A (en) * 2012-12-31 2013-03-20 山石网科通信技术(北京)有限公司 Detection method and device for data message
CN103152357A (en) * 2013-03-22 2013-06-12 北京网御星云信息技术有限公司 Defense method, device and system for DNS (Domain Name System) services
CN103685317A (en) * 2013-12-31 2014-03-26 山石网科通信技术有限公司 Protection system and device for domain name system
CN104219200A (en) * 2013-05-30 2014-12-17 杭州迪普科技有限公司 Device and method for protection from DNS cache attack
CN104618354A (en) * 2015-01-19 2015-05-13 中国科学院信息工程研究所 Cache optimization method and system for resisting continuous variable-domain name prefix attack
US9106695B2 (en) * 2012-03-14 2015-08-11 Daniel Kaminsky Method and system for user authentication using DNSSEC
CN105991557A (en) * 2015-02-05 2016-10-05 精硕世纪科技(北京)有限公司 Network attack defense method based on DNS intelligent analysis system

Also Published As

Publication number Publication date
CN108667782A (en) 2018-10-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 550003 Building No. 12 in the Southern Park of Gui'an High-end Equipment Industrial Park, Guizhou Province
Applicant after: Guizhou Baishan cloud Polytron Technologies Inc
Address before: 100015 5 floor, block E, 201 IT tower, electronic city, 10 Jiuxianqiao Road, Chaoyang District, Beijing.
Applicant before: Guizhou white cloud Technology Co., Ltd.
GR01 Patent grant