CN108989320B - Method and device for detecting distributed denial of service (DDoS) attack target - Google Patents


Info

Publication number: CN108989320B
Application number: CN201810845713.6A
Authority: CN (China)
Prior art keywords: dns server, region, dns, address, ddos
Legal status: Expired - Fee Related (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108989320A (en)
Inventor: 曹聪
Current assignee: Wangsu Science and Technology Co Ltd
Original assignee: Wangsu Science and Technology Co Ltd

Events:
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN201810845713.6A
Publication of CN108989320A
Application granted
Publication of CN108989320B
Expired - Fee Related (current legal status)
Anticipated expiration

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/45 Network directories; Name-to-address mapping > H04L61/4505 ... using standardised directories; using standardised directory access protocols > H04L61/4511 ... using domain name system [DNS]

Abstract

The invention discloses a method and a device for detecting the target of a distributed denial of service (DDoS) attack. After a first DNS server is determined to be under DDoS attack, a first zone hosted on the first DNS server is selected and its authorization information (the delegation that names the server's IP address) is modified to point at a second IP address; whether the second DNS server at that address is then attacked shows whether the attack follows the zone. When the zones found to be attacked on the second DNS server in this way number no more than N, those N zones are determined to be the attack targets, so the specific zones under attack are pinpointed. Because the IP address rather than the domain name identifies the attacked zone, the target can still be distinguished when the attack traffic carries no domain name, which separates attacked from unattacked zones and improves detection efficiency.

Description

Method and device for detecting distributed denial of service (DDoS) attack target
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting a distributed denial of service (DDoS) attack target.
Background
The Domain Name System (DNS) is a distributed database on the Internet that maps domain names to IP addresses and lets users reach services by name. Since almost every Internet application depends on DNS for addressing, its importance is self-evident, and attacks against DNS servers are becoming more frequent and larger.
A distributed denial of service (DDoS) attack against a DNS server uses client/server techniques to combine many computers into an attack platform that floods one or more targets, multiplying the attack power until the whole DNS server is paralysed. Some DDoS attacks, however, are not DNS-message attacks: the attack traffic consists of non-DNS packets and carries no domain name. When such an attack hits an authoritative DNS server, the operator of the authoritative DNS service cannot even tell which hosted zone the attack is aimed at, because the key piece of information, the domain name, is missing. It is therefore difficult to take a targeted and effective defensive measure; only passive absorption of the traffic is available, and once the attack exceeds the protection capacity of the whole platform, the platform collapses and every zone it hosts stops resolving.
A method for detecting DDoS attack targets is therefore needed to solve the problem in the prior art that a DNS server is paralysed because the attack target cannot be determined.
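The attribution gap described above, as an added example that is not part of the patent: a DNS query carries a query name and can be mapped to the zone it concerns, but a non-DNS flood carries only a destination IP, so when every zone on the server shares one IP the flood cannot be attributed to a zone. Once a zone is delegated to an IP of its own, the IP alone identifies it, which is the principle the rest of the page builds on. The zone names, addresses, packet records and delegation maps are constructed for the example.

```python
"""Added example (not from the patent): attributing attack traffic to a hosted zone.

A DNS query carries a QNAME, so it can be mapped to the zone it concerns; a non-DNS
flood carries only a destination IP. When every zone on the server shares one IP the
flood cannot be attributed. All packets and addresses below are constructed.
"""
from collections import Counter

# Authorization information held by the parent: zone -> IP of the authoritative server.
# (Constructed; in real DNS this is the NS/glue delegation for the zone.)
DELEGATION_SHARED = {"foo.example.": "198.51.100.10", "bar.example.": "198.51.100.10"}
DELEGATION_SPLIT = {"foo.example.": "198.51.100.10", "bar.example.": "198.51.100.20"}


def zone_for_name(qname, delegation):
    """Longest-suffix match of a query name against the delegated zones."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in delegation:
            return candidate
    return None


def attribute(packet, delegation):
    """Zone a packet is aimed at, or None when only the destination IP is known
    and more than one zone is delegated to that IP."""
    if packet.get("qname"):               # DNS message: the name identifies the zone
        return zone_for_name(packet["qname"], delegation)
    zones_on_ip = [z for z, ip in delegation.items() if ip == packet["dst"]]
    return zones_on_ip[0] if len(zones_on_ip) == 1 else None


def summarise(packets, delegation):
    """Per-zone packet counts; packets that cannot be attributed are keyed by IP."""
    keyed = (attribute(p, delegation) or "unattributed:" + p["dst"] for p in packets)
    return dict(Counter(keyed))


def sample_traffic(flood_dst):
    """Constructed capture: a handful of real queries plus a 1000-packet SYN flood
    (no DNS payload, hence no QNAME) aimed at flood_dst."""
    queries = ([{"dst": "198.51.100.10", "dport": 53, "qname": "www.foo.example."}] * 3
               + [{"dst": "198.51.100.10", "dport": 53, "qname": "mail.bar.example."}] * 2)
    flood = [{"dst": flood_dst, "dport": 53, "flags": "S"}] * 1000
    return queries + flood


if __name__ == "__main__":
    # All zones on one IP: the flood lands in an 'unattributed' bucket.
    print(summarise(sample_traffic("198.51.100.10"), DELEGATION_SHARED))
    # bar.example. moved to its own IP and the flood followed it: the IP names the zone.
    print(summarise(sample_traffic("198.51.100.20"), DELEGATION_SPLIT))
```

With the shared delegation the 1000 flood packets are counted only against the IP; after bar.example. is delegated to 198.51.100.20 and the flood follows, the same packets are attributed to that zone without any domain name in the traffic.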
Disclosure of Invention
An embodiment of the invention provides a method and a device for detecting a distributed denial of service (DDoS) attack target, used to solve the technical problem in the prior art that a Domain Name System (DNS) server is paralysed because the attack target cannot be determined.
An embodiment of the invention provides a method for detecting a distributed denial of service (DDoS) attack target, comprising the following steps:
after determining that a first DNS server is under DDoS attack, selecting a first zone from the first DNS server, where the first DNS server has a first IP address and the first zone is any zone for which the first DNS server provides resolution service;
modifying the authorization information of the first zone from the first IP address to a second IP address, and judging whether the second DNS server corresponding to the second IP address is under DDoS attack, where the second DNS server and the first DNS server may be the same DNS server or different DNS servers;
if the first zones found in this way to be under DDoS attack on the second DNS server number no more than N, determining that the attack targets are those N zones, where the N first zones are N different zones for which the first DNS server provides resolution service and N is a positive integer.
In this way, by modifying the authorization information of each zone so that it is served from a DNS server with a different IP address, it can be tested zone by zone whether a zone is under DDoS attack, and the specific zones that are the attack target can be determined. Further, because the embodiment uses the IP address as the identifier of the attacked zone, the target can still be distinguished when the attack traffic carries no domain name, which effectively separates attacked from unattacked zones and improves detection efficiency.
In one possible implementation, selecting the first zone from the first DNS server includes:
dividing the zones in the first DNS server into a plurality of sets according to a set rule, each set including at least one zone;
modifying the authorization information of every zone in the first set from the first IP address to a third IP address, the server corresponding to the third IP address being a third DNS server, which may be the same DNS server as the second DNS server or a different one;
judging whether the third DNS server is under DDoS attack; if it is, selecting the first zone from the first set, and if it is not, selecting the first zone from the sets other than the first set.
In this way, whether a plurality of zones are attack targets can be tested in one batch, which shortens detection time and improves detection efficiency.
In a possible implementation, after determining that the first DNS server is under DDoS attack and before selecting the first zone from it, the method further includes:
acquiring attribute information of each zone in the first DNS server, the attribute information including the request volume of the zone and/or the number of domain names hung under it (the domain names hosted within the zone);
and selecting the first zone from the first DNS server includes:
taking the zone with the highest priority as the first zone, where the priority of each zone is determined according to its request volume and/or the number of domain names hung under it.
In this way the first zone is chosen by priority, so that high-priority zones are handled first.
In a possible implementation, dividing the zones in the first DNS server into a plurality of sets according to a set rule includes:
determining the priority of each zone according to its request volume in the first DNS server and/or the number of domain names hung under it;
and, according to those priorities, placing the zones whose priority falls within a set level range into the same set.
In this way the first set is determined by priority level, so that a group of high-priority zones can be handled first.
In a possible implementation, after judging whether the second DNS server corresponding to the second IP address is under DDoS attack, the method further includes:
if the second DNS server is not under DDoS attack, modifying the authorization information of the first zone from the second IP address to a fourth IP address, the server corresponding to the fourth IP address being a fourth DNS server; the first, second and fourth DNS servers are different DNS servers, and the second DNS server is used only to provide resolution service for the first zone, so it acts as a dedicated probe.
In this way, whether the first zone is an attack target is effectively distinguished, and a zone that is not under attack is isolated on a clean server, which keeps the first zone safe from the effects of the DDoS attack.
In one possible implementation, the method further includes:
if more than N first zones are found to be under DDoS attack on the second DNS server, determining that the attack target is the DNS server itself rather than any particular zone.
An embodiment of the invention provides a device for detecting a distributed denial of service (DDoS) attack target, comprising a determining unit and a processing unit, where:
the determining unit is configured to select a first zone from a first DNS server after determining that the first DNS server is under DDoS attack, the first DNS server having a first IP address and the first zone being any zone for which the first DNS server provides resolution service;
the processing unit is configured to modify the authorization information of the first zone from the first IP address to a second IP address and to judge whether the second DNS server corresponding to the second IP address is under DDoS attack, the second DNS server and the first DNS server being the same DNS server or different DNS servers;
the processing unit is further configured to determine that the attack targets are N zones when no more than N first zones are found to be under DDoS attack on the second DNS server, the N first zones being N different zones for which the first DNS server provides resolution service and N being a positive integer.
In a possible implementation, the determining unit is specifically configured to:
divide the zones in the first DNS server into a plurality of sets according to a set rule, each set including at least one zone; modify the authorization information of every zone in the first set from the first IP address to a third IP address, the server corresponding to the third IP address being a third DNS server, which may be the same as or different from the second DNS server; judge whether the third DNS server is under DDoS attack, and if so select the first zone from the first set, otherwise select it from the sets other than the first set.
In a possible implementation, the apparatus further includes an acquiring unit;
after the determining unit determines that the first DNS server is under DDoS attack and before it selects the first zone, the acquiring unit is configured to acquire attribute information of each zone in the first DNS server, the attribute information including the request volume and/or the number of domain names hung under the zone;
and the determining unit is specifically configured to:
take the zone with the highest priority as the first zone, the priority of each zone being determined according to its request volume and/or the number of domain names hung under it.
In a possible implementation, the determining unit is specifically configured to:
determine the priority of each zone according to its request volume in the first DNS server and/or the number of domain names hung under it, and place the zones whose priority falls within a set level range into the same set.
In one possible implementation, the processing unit is further configured to:
if the second DNS server is not under DDoS attack, modify the authorization information of the first zone from the second IP address to a fourth IP address, the server corresponding to the fourth IP address being a fourth DNS server; the first, second and fourth DNS servers are different DNS servers, and the second DNS server is used only to provide resolution service for the first zone.
In one possible implementation, the processing unit is further configured to:
determine that the attack target is the DNS server itself if more than N first zones are found to be under DDoS attack on the second DNS server.
An embodiment of the present application further provides an apparatus having the function of implementing the detection method described above. The function may be implemented by hardware executing corresponding software. In one possible design the apparatus includes a processor, a transceiver and a memory: the memory stores computer-executable instructions, the transceiver handles communication between the apparatus and other communicating entities, the processor is connected to the memory through a bus, and when the apparatus runs the processor executes the instructions stored in the memory so that the apparatus performs the detection method for DDoS attack targets described above.
An embodiment of the invention further provides a computer storage medium storing a software program which, when read and executed by one or more processors, implements the method for detecting a DDoS attack target described in the foregoing implementations.
An embodiment of the invention further provides a computer program product including instructions which, when run on a computer, cause the computer to execute the method for detecting a DDoS attack target described in the foregoing implementations.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed to describe the embodiments are briefly introduced below.
FIG. 1 is a diagram of a system architecture suitable for use with embodiments of the present invention;
fig. 2 is a schematic flowchart corresponding to a method for detecting a DDoS attack target according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a process for determining a first area according to an embodiment of the present invention;
FIG. 4a is a first schematic diagram of the relationship between the first IP address and the second IP address;
FIG. 4b is a second schematic diagram of the relationship between the first IP address and the second IP address;
FIG. 5a is a first schematic diagram of the relationship between the first IP address, the second IP address and the third IP address;
FIG. 5b is a second schematic diagram of the relationship between the first IP address, the second IP address and the third IP address;
FIG. 6 is a schematic diagram of an overall process involved in an embodiment of the present invention;
FIG. 7 is a schematic diagram of another overall process involved in an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a device for detecting a DDoS attack target according to an embodiment of the present invention.
Detailed Description
The present application is described in detail below with reference to the accompanying drawings; the specific operations of the method embodiments also apply to the apparatus embodiments.
Fig. 1 illustrates the architecture of a system to which an embodiment of the invention applies. As shown in fig. 1, the system 100 includes an upper-level DNS server 101 and a plurality of DNS servers, for example the DNS servers 102, 103, 104 and 105. The upper-level DNS server 101 is connected to each of these DNS servers over a network and may manage any of them; for example, it may manage the authorization information of each zone in the DNS server 102.
Further, each DNS server may provide resolution service for one or more zones. For example, as shown in fig. 1, the DNS server 102 provides resolution service for the zones 1021, 1022 and 1023, and accordingly the upper-level server 101 stores the authorization information of each zone in the DNS server 102 (in standard DNS terms, the delegation, i.e. the NS and glue records the parent holds for the zone). Table 1 gives an example of that authorization information.
Table 1: An example of authorization information for each zone

Zone       | Authorization information
Zone 1021  | Resolved by DNS server 102
Zone 1022  | Resolved by DNS server 102
Zone 1023  | Resolved by DNS server 102
In the embodiment of the invention the DNS server may be an authoritative DNS server, such as a root authoritative DNS server or a COM authoritative DNS server, which is not limited specifically.
Based on the system architecture of fig. 1, fig. 2 shows the flow of a method for detecting a DDoS attack target according to an embodiment of the invention, which includes the following steps:
Step 201: after determining that a first DNS server is under DDoS attack, select a first zone from the first DNS server.
Step 202: modify the authorization information of the first zone from the first IP address to a second IP address, and judge whether the second DNS server corresponding to the second IP address is under DDoS attack.
Step 203: if no more than N first zones are found to be under DDoS attack on the second DNS server, determine that the attack targets are those N zones.
Steps 201 to 203 may be executed by the upper-level DNS server 101 of fig. 1; alternatively, they may be executed by any DNS server of fig. 1, for example the DNS server 102: after it is determined that the DNS server 102 is under DDoS attack, the DNS server 102 selects the first zone, sends an authorization-information modification request to the upper-level DNS server 101, and obtains the attack state of the second DNS server, from which it determines the target of the DDoS attack.
In this way, moving each zone's authorization information to a DNS server with a different IP address makes it possible to test zone by zone whether that zone is under attack and thus to pinpoint the attack target; and because the IP address rather than the domain name identifies the attacked zone, attacked and unattacked zones can be told apart even when the attack traffic carries no domain name.
Specifically, before step 201 is executed, the authorization information of every zone in the first DNS server may first be modified from the first IP address to the IP address of another DNS server, and whether that other DNS server is then under DDoS attack may be checked. If it is not attacked, the attack does not follow any zone, so the first DNS server itself (its first IP address) is taken as the target and steps 201 to 203 need not be executed; if it is still attacked, steps 201 to 203 are carried out.
In step 201 the first zone may be selected from the first DNS server in various ways: for example at random, in which case the first zone is any zone for which the first DNS server provides resolution service, or according to the priority of each zone, which is not limited specifically.
Taking selection by priority as an example, the attribute information of each zone in the first DNS server is acquired before step 201. The attribute information may include the request volume and/or the number of domain names hung under the zone. In one example the priority of each zone in the first DNS server is determined by the size of its request volume, as shown in Table 2. If the request volume of zone 1 (which may be an average daily volume, a total volume, and so on) is 10,000 requests, that of zone 2 is 5,000 and that of zone 3 is 2,000, the zones rank as zone 1 > zone 2 > zone 3, and since zone 1 has the highest priority it is taken as the first zone.
Table 2: Example one of the priority of each zone

Zone    | Request volume | Priority rank
Zone 1  | 10,000         | 1
Zone 2  | 5,000          | 2
Zone 3  | 1,000          | 3
In another example the priority of each zone in the first DNS server is determined by the number of domain names hung under it, as shown in Table 3. If zone 1 has 10 such domain names, zone 2 has 15 and zone 3 has 20, the zones rank as zone 3 > zone 2 > zone 1, and zone 3, having the highest priority, is taken as the first zone.
Table 3: Example two of the priority of each zone

Zone    | Domain names hung under the zone | Priority rank
Zone 1  | 10                               | 3
Zone 2  | 15                               | 2
Zone 3  | 20                               | 1
In a further example the priority is determined from both the request volume and the number of domain names hung under each zone, as shown in Table 4. If zone 1 has 10,000 requests and 10 hung domain names, zone 2 has 5,000 requests and 15, and zone 3 has 2,000 requests and 20, a weight can be computed for each zone from the two quantities and the zones ranked by weight. With the weights in Table 4 the ranking is zone 2 > zone 1 > zone 3, so zone 2 is taken as the first zone. The weight may be computed by any existing weighting method, which is not described in detail here.
Table 4: Example three of the priority of each zone

Zone    | Request volume | Domain names hung under the zone | Weight | Priority rank
Zone 1  | 10,000         | 10                               | 0.8    | 2
Zone 2  | 5,000          | 15                               | 1      | 1
Zone 3  | 1,000          | 20                               | 0.6    | 3
In this way the first zone is chosen by priority, so that high-priority zones are handled first.
Considering that a DNS server may host a large number of zones, the embodiments may also divide the zones in the first DNS server into a plurality of sets and then select the first zone from those sets. Fig. 3 shows the flow of selecting the first zone, which includes the following steps:
Step 301: divide the zones in the first DNS server into a plurality of sets according to a set rule, each set including at least one zone.
The zones may be divided into sets in various ways. For example, they may be divided at random: if the first DNS server has 1,000 zones and each set holds 100 zones, the 1,000 zones are divided into 10 sets.
For another example, the zones may be divided into sets according to their priority. Table 5 shows an example in which the first DNS server hosts 10 zones, zones 1 to 10, together with their priority levels. Zones whose priority falls in the same level range are placed in the same set: in Table 5 zones 1 to 3 are all at the first level and form one set, zones 4 to 6 are at the second level and form a second set, and zones 7 to 10 are at the third level and form a third set.
Table 5: An example of the zones in the first DNS server (supplied as an image in the original; it lists zones 1 to 10 with their priority levels: zones 1-3 at the first level, zones 4-6 at the second level and zones 7-10 at the third level)
The priority of each zone may be determined in various ways: by those skilled in the art according to experience and practical conditions, or from the request volume of each zone in the first DNS server and/or the number of domain names hung under it, as described above. The level ranges may be set by priority rank, for example ranks 1 to 10 form the first level, ranks 11 to 20 the second level, and so on.
The above is only an example; in other examples zones at other priority ranks may be treated as the same level, which is not limited specifically.
Step 302: modify the authorization information of every zone in the first set from the first IP address to a third IP address, the server corresponding to the third IP address being a third DNS server.
In the embodiment of the invention the third DNS server and the second DNS server may be the same DNS server or different DNS servers.
Step 303: judge whether the third DNS server is under DDoS attack; if so, execute step 304, otherwise execute step 305.
Step 304: select the first zone from the first set.
Step 305: select the first zone from a set other than the first set.
In steps 304 and 305 the first zone is selected from the first set, or from a set other than the first set, in the manner described above for selecting the first zone, which is not repeated here.
In this way, whether a plurality of zones are attack targets can be tested in one batch, which shortens detection time and improves detection efficiency.
In step 202, once the first zone has been determined, its authorization information may be modified. Specifically, the modification may be carried out by the upper-level DNS server 101 shown in fig. 1: the upper-level DNS server 101 changes the authorization information of the first zone according to the first IP address corresponding to the first DNS server and the second IP address corresponding to the second DNS server, that is, it changes the authorization information of the first zone from the first IP address to the second IP address.
In the embodiment of the present invention, as shown in fig. 4a, the first IP address and the second IP address may be configured on the same DNS server, that is, the second DNS server and the first DNS server may be the same DNS server; alternatively, as shown in fig. 4b, a second schematic diagram of the relationship between the first IP address and the second IP address, the two addresses may be configured on different DNS servers, that is, the second DNS server and the first DNS server may also be different DNS servers. This is not specifically limited.
Further, after the authorization information of the first zone has been modified, the first zone is served by the second DNS server, so it can then be determined whether the second DNS server is under DDoS attack. If it is, the attack target is the first zone; if it is not, the attack target is not the first zone, that is, the first zone is a safe zone. In the latter case the authorization information of the first zone may be modified again, from the second IP address corresponding to the second DNS server to a fourth IP address corresponding to a fourth DNS server. In this way, whether the first zone is an attack target can be determined reliably, and a zone that is not under attack can be isolated so that it stays available and is not affected by the DDoS attack.
It should be noted that, as shown in fig. 5a, the first IP address and the second IP address may be configured on the same DNS server while the second IP address (or the first IP address) and the fourth IP address are configured on different DNS servers, that is, the second DNS server and the first DNS server may be the same DNS server while the second DNS server and the fourth DNS server are different DNS servers; alternatively, as shown in fig. 5b, a second schematic diagram of the relationship among the IP addresses, the first IP address, the second IP address and the fourth IP address may each be configured on a different DNS server, that is, the first DNS server, the second DNS server and the fourth DNS server may be three different DNS servers, in which case the second DNS server may be used only to provide resolution service for the first zone.
In step 203, the N first zones may be hosted on the same second DNS server or on different second DNS servers; this is not specifically limited.
By this method, the authorization information of several zones on the first DNS server can be modified one by one, and it is then determined whether the second DNS server comes under DDoS attack. For example, suppose the first DNS server hosts 10 zones; table 6 shows, for each zone, whether a DDoS attack follows after its authorization information is modified. As table 6 shows, the second DNS server is attacked only when the first zone is zone 1.
Table 6: Whether a DDoS attack follows after a zone's authorization information is modified
Zone       Attacked by DDoS?
Zone 1     Yes
Zone 2     No
Zone 3     No
Zone 4     No
Zone 5     No
Zone 6     No
Zone 7     No
Zone 8     No
Zone 9     No
Zone 10    No
Further, the N first zones are N different zones for which the first DNS server provides resolution service, and N is a positive integer. A person skilled in the art can choose the value of N from experience and the actual situation: for example, if the first DNS server hosts many zones, N may be increased accordingly, and if it hosts few zones, N may be decreased. As another example, N may be derived from a preset proportionality coefficient between N and the number of zones on the first DNS server.
For example, still using table 6, if N is set to 2: only one first zone on the first DNS server drew a DDoS attack on the second DNS server after its authorization information was changed to the second IP address, so the attack target is determined to be that single first zone (zone 1 in table 6).
As another example, table 7 shows a second case of whether a DDoS attack follows after a zone's authorization information is modified. As table 7 shows, the second DNS server comes under DDoS attack when the first zone is zone 1, zone 5 or zone 9. With N still set to 2, three first zones on the first DNS server drew a DDoS attack on the second DNS server after their authorization information was changed to the second IP address, which is more than N, so the attack target is determined to be the DNS server itself.
Table 7: Another example of whether a DDoS attack follows after a zone's authorization information is modified
Zone       Attacked by DDoS?
Zone 1     Yes
Zone 2     No
Zone 3     No
Zone 4     No
Zone 5     Yes
Zone 6     No
Zone 7     No
Zone 8     No
Zone 9     Yes
Zone 10    No
To describe the DDoS attack target detection method more clearly, the overall flow involved in the embodiment of the present invention is described below with reference to fig. 6. As shown in fig. 6, the flow may include the following steps:
Step 601: after determining that the first DNS server is under DDoS attack, modify the authorization information of every zone on the first DNS server from the first IP address corresponding to the first DNS server to the IP address corresponding to a fifth DNS server, and determine whether the fifth DNS server comes under DDoS attack; if not, go to step 602; if so, go to step 603.
Step 602: determine that the attack is directed at the first DNS server.
Step 603: divide the zones on the first DNS server into a plurality of sets according to a set rule.
Step 604: modify the authorization information of each zone included in the first set from the first IP address to a third IP address, the server corresponding to the third IP address being a third DNS server.
Step 605: determine whether the third DNS server is under DDoS attack; if so, go to step 606; if not, go to step 607.
Step 606: determine a first zone from the first set.
Step 607: determine a first zone from the sets other than the first set.
Step 608: modify the authorization information of the first zone from the first IP address to the second IP address.
Step 609: determine whether the second DNS server corresponding to the second IP address is under DDoS attack; if not, go to step 610; if so, go to step 611.
Step 610: modify the authorization information of the first zone from the second IP address corresponding to the second DNS server to the fourth IP address corresponding to the fourth DNS server, and return to step 606 or step 607.
Step 611: determine that the attack target is the first zone.
Step 612: determine whether no more than N first zones have drawn a DDoS attack on the second DNS server; if so, go to step 613; if not, go to step 614.
Step 613: determine that the attack targets are those N zones.
Step 614: determine that the attack target is the DNS server.
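The flow of steps 601 to 614, together with the decision rule illustrated by tables 6 and 7, as an added worked example (illustrative code written for this page, not code from the patent or its applicant). It assumes an `Oracle` object that answers whether the server now hosting a group of zones is being flooded; in a real deployment that answer comes from re-delegating the zones at the upper-level DNS server 101 and watching the traffic counters of the receiving server over an observation window. The function and parameter names (`detect_target`, `set_size`, `probes`) and the sample zone list are chosen here.

```python
"""Simulation of the zone-isolation detection flow of fig. 6 (steps 601-614).

Added illustration, not the patent's code. The attack is modelled by an Oracle
(an assumption): each call to Oracle.attacked() stands for one round of
"move the zones' authorization information to another server and observe".
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: the 10 zones of tables 6 and 7, hosted on the first DNS server.
ZONES = [f"zone{i}" for i in range(1, 11)]


@dataclass
class Oracle:
    """Stand-in for the observed behaviour of the flood (assumption, see above).

    targeted_zones: zones the flood follows wherever their delegation is moved.
    targets_server: True when the flood is aimed at the first DNS server itself,
                    so it stays there and never follows a zone to another server.
    probes: how many "move and observe" rounds have been spent so far.
    """
    targeted_zones: frozenset
    targets_server: bool = False
    probes: int = 0

    def attacked(self, hosted: Iterable[str]) -> bool:
        """Would a server (other than the first one) that now hosts `hosted` be flooded?"""
        self.probes += 1
        if self.targets_server:
            return False          # the flood stays on the first DNS server
        return any(z in self.targeted_zones for z in hosted)


def detect_target(zones: List[str], oracle: Oracle, n: int, set_size: int = 4
                  ) -> Tuple[str, List[str], List[str]]:
    """Return (verdict, confirmed, safe) following steps 601-614.

    verdict is "server" or "zones"; confirmed lists zones whose move drew the
    attack; safe lists zones parked on the fourth DNS server.
    n: at most n attacked zones are reported as the target (step 613); more
       than n means the DNS server as a whole is the target (step 614).
    set_size: number of zones per set formed in step 603.
    """
    # Step 601: move every zone to the fifth DNS server. If the attack does not
    # follow, it was aimed at the first DNS server itself (step 602).
    if not oracle.attacked(zones):
        return ("server", [], [])

    confirmed: List[str] = []   # step 611: zones whose move drew the attack
    safe: List[str] = []        # step 610: zones parked on the fourth DNS server

    # Step 603: divide the zones into sets of set_size zones each.
    for start in range(0, len(zones), set_size):
        current_set = zones[start:start + set_size]

        # Steps 604-607: move the whole set to the third DNS server. If the attack
        # does not follow, none of its zones is a target, so the set is cleared in
        # one batch (this is where the batching saves probes).
        if not oracle.attacked(current_set):
            safe.extend(current_set)
            continue

        # Steps 608-611: test the zones of an attacked set one at a time on the
        # second DNS server.
        for zone in current_set:
            if oracle.attacked([zone]):
                confirmed.append(zone)
                # Steps 612/614: more than n attacked zones -> the server is the target.
                if len(confirmed) > n:
                    return ("server", confirmed, safe)
            else:
                safe.append(zone)   # step 610: park on the fourth DNS server

    # Step 613: no more than n zones drew the attack; they are the targets.
    # (An empty list here would mean the attack followed the full move of step
    # 601 but no single zone; an operator should treat that as inconclusive.)
    return ("zones", confirmed, safe)


if __name__ == "__main__":
    # Table 6: only zone 1 is targeted, N = 2 -> the target is zone 1.
    o6 = Oracle(frozenset({"zone1"}))
    print(detect_target(ZONES, o6, n=2), "probes:", o6.probes)
    # Table 7: zones 1, 5 and 9 are targeted, N = 2 -> the target is the DNS server.
    o7 = Oracle(frozenset({"zone1", "zone5", "zone9"}))
    print(detect_target(ZONES, o7, n=2), "probes:", o7.probes)
    # Flood aimed at the first server itself -> decided at step 602 after one probe.
    srv = Oracle(frozenset(), targets_server=True)
    print(detect_target(ZONES, srv, n=2), "probes:", srv.probes)
```

Running the block reproduces both tables: with only zone 1 targeted and N = 2 the verdict names zone 1 and the flow spends 8 probes instead of the 11 needed to test every zone individually, because the two sets that do not draw the attack are cleared as a batch; with zones 1, 5 and 9 targeted, the third confirmation exceeds N and the verdict becomes the DNS server. Each probe costs a delegation change plus the time for resolvers and the flood to follow it, so the set size is the knob that trades probe count against how many zones share one observation.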
Viewed from another angle, once the first DNS server is determined to be under DDoS attack it can be regarded as the attack area, where the attack area refers to a DNS server that is currently being flooded by an attacker with non-DNS traffic; the second DNS server can be regarded as the area to be isolated, which holds a batch of selected zones served by its DNS server, and whether the attacked object lies in that batch is determined by observing whether the attack follows it; and the fourth DNS server can be regarded as the security area (or isolation area), which holds zones confirmed not to be under attack and whose DNS server provides resolution service for them.
From this point of view, the flow involved in the embodiment of the present invention can also be described with reference to fig. 7. As shown in fig. 7, the flow may include the following steps:
Step 701: determine whether the first DNS server is under DDoS attack; if not, go to step 702; if so, go to step 703.
Step 702: the process ends.
Step 703: the first DNS server is the attack area; modify the authorization information of every zone in the attack area so that all zones are served by the DNS server corresponding to the area to be isolated.
Step 704: determine whether the DNS server corresponding to the area to be isolated is under DDoS attack; if not, go to step 705; if so, go to step 706.
Step 705: determine that the attack is directed at the first DNS server, and that the DNS server corresponding to the area to be isolated is a security area.
Step 706: the DNS server corresponding to the area to be isolated becomes the attack area, the first DNS server becomes the area to be isolated, and the zones on the DNS server corresponding to the attack area are divided into a plurality of sets.
Step 707: modify the authorization information of each zone in a first set so that the zones in the first set are served by the DNS server corresponding to the area to be isolated, the first set being any one of the plurality of sets.
Step 708: determine whether the DNS server corresponding to the area to be isolated is under DDoS attack; if not, go to step 709; if so, go to step 712.
Step 709: the zones in the area to be isolated are not attack targets; modify their authorization information to the DNS server corresponding to the security area.
Step 710: determine whether the attack area contains only one zone; if so, go to step 711; if not, return to step 707.
Step 711: determine that the zone in the attack area is the attack target.
Step 712: determine whether the DNS server corresponding to the attack area is under DDoS attack; if so, go to step 713; if not, go to step 714.
Step 713: determine that the attack target is the DNS server.
Step 714: the zones in the attack area are not attack targets; modify their authorization information to the DNS server corresponding to the security area.
Step 715: the DNS server corresponding to the area to be isolated becomes the attack area, and return to step 710.
Based on the same inventive concept, fig. 8 illustrates a DDoS attack target detection apparatus provided by an embodiment of the present invention. As shown in fig. 8, the apparatus includes a determining unit 801, a processing unit 802 and an acquiring unit 803, where:
the determining unit 801 is configured to determine a first zone on a first DNS server after determining that the first DNS server is under DDoS attack, the first DNS server being provided with a first IP address, and the first zone being any zone for which the first DNS server provides resolution service;
the processing unit 802 is configured to modify the authorization information of the first zone from the first IP address to a second IP address and determine whether a second DNS server corresponding to the second IP address is under DDoS attack, the second DNS server and the first DNS server being the same DNS server or different DNS servers;
the processing unit 802 is further configured to determine that the attack target is N zones if no more than N first zones have each drawn a DDoS attack on the second DNS server, the N first zones being N different zones for which the first DNS server provides resolution service, and N being a positive integer.
In a possible implementation, the determining unit 801 is specifically configured to:
divide the zones on the first DNS server into a plurality of sets according to a set rule, each set comprising at least one zone; modify the authorization information of each zone included in the first set from the first IP address to a third IP address, the server corresponding to the third IP address being a third DNS server, and the third DNS server and the second DNS server being the same DNS server or different DNS servers; and determine whether the third DNS server is under DDoS attack, and if so, determine the first zone from the first set, and if not, determine the first zone from the sets other than the first set.
After the determining unit 801 determines that the first DNS server is under DDoS attack, and before it determines the first zone on the first DNS server, the acquiring unit 803 is configured to:
acquire attribute information of each zone on the first DNS server, the attribute information including the request volume and/or the number of domain names hosted under the zone;
and the determining unit 801 is specifically configured to:
take, according to the priority of each zone, the zone with the highest priority as the first zone, where the priority of each zone is determined according to its request volume and/or the number of domain names hosted under it.
In a possible implementation, the determining unit 801 is specifically configured to:
determine the priority of each zone according to the request volume of each zone on the first DNS server and/or the number of domain names hosted under it; and, according to the priority of each zone, place the zones on the first DNS server whose priority falls within a set level range into the same set.
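One way to derive the zone priority and the level-range set division described above, as an added example written for this page (not the patent's or Wangsu's code). The patent fixes neither a scoring formula nor the level boundaries, so the linear weights, the boundaries, the function names and the sample request volumes and hosted-domain counts below are all assumptions constructed for the example.

```python
"""Priority-based choice and set division of zones (determining unit 801).

Added illustration, not the patent's code. The patent only says that a zone's
priority is derived from its request volume and/or the number of domain names
hosted under it, that the highest-priority zone is tried first, and that zones
whose priority falls in the same level range form one set.
"""
from typing import Dict, List, Tuple

# Constructed attribute information: zone -> (requests per second, hosted domain names)
ZONE_ATTRS: Dict[str, Tuple[int, int]] = {
    "zone1": (48_000, 260),
    "zone2": (1_200, 15),
    "zone3": (9_500, 40),
    "zone4": (300, 2),
    "zone5": (22_000, 90),
    "zone6": (700, 8),
}


def priority(requests: int, domains: int, w_req: float = 1.0, w_dom: float = 50.0) -> float:
    """Linear score of a zone; the weights are an assumption, not from the patent."""
    return w_req * requests + w_dom * domains


def rank_zones(attrs: Dict[str, Tuple[int, int]]) -> List[str]:
    """Zones ordered from highest to lowest priority; the first one is tried first."""
    return sorted(attrs, key=lambda z: priority(*attrs[z]), reverse=True)


def divide_by_level(attrs: Dict[str, Tuple[int, int]], lower_bounds: List[float]) -> List[List[str]]:
    """Group zones into sets by priority level.

    lower_bounds lists the lower bound of each level in descending order; a zone
    joins the first level whose bound its score reaches (end the list with 0 so
    that every zone lands somewhere). Sets come back from the highest level down,
    each ordered by priority, so the probing flow works through the likeliest
    targets first.
    """
    sets: List[List[str]] = [[] for _ in lower_bounds]
    for zone in rank_zones(attrs):
        score = priority(*attrs[zone])
        for level, bound in enumerate(lower_bounds):
            if score >= bound:
                sets[level].append(zone)
                break
    return [s for s in sets if s]


if __name__ == "__main__":
    print(rank_zones(ZONE_ATTRS))
    print(divide_by_level(ZONE_ATTRS, [20_000, 5_000, 0]))
```

With the constructed figures the highest-priority zone is zone1, and the boundaries 20000, 5000 and 0 yield three sets: zones 1 and 5, zone 3 alone, and zones 2, 6 and 4. Sets built this way are uneven in size, which is the intended effect: the few high-value zones that are the most plausible targets are tested in a small first batch, while the long tail of quiet zones is cleared together.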
In a possible implementation, the processing unit 802 is further configured to:
if the second DNS server is not under DDoS attack, modify the authorization information of the first zone from the second IP address to a fourth IP address, the server corresponding to the fourth IP address being a fourth DNS server; the first DNS server, the second DNS server and the fourth DNS server are three different DNS servers, and the second DNS server is used only to provide resolution service for the first zone.
In a possible implementation, the processing unit 802 is further configured to:
if more than N first zones draw a DDoS attack on the second DNS server, determine that the attack target is the DNS server.
The embodiment of the present application further provides an apparatus having the function of implementing the DDoS attack target detection method described above. The function may be implemented by hardware executing corresponding software. In one possible design the apparatus includes a processor, a transceiver and a memory; the memory stores computer-executable instructions, the transceiver handles communication between the apparatus and other communication entities, and the processor is connected to the memory through a bus; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the DDoS attack target detection method described above.
An embodiment of the present invention further provides a computer storage medium storing a software program which, when read and executed by one or more processors, implements the DDoS attack target detection method described in the foregoing possible implementations.
Embodiments of the present invention further provide a computer program product containing instructions which, when run on a computer, cause the computer to perform the DDoS attack target detection method described in the foregoing possible implementations.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A method for detecting a distributed denial of service (DDoS) attack target, characterized by comprising the following steps:
after determining that a first DNS server is under DDoS attack, dividing the zones on the first DNS server into a plurality of sets according to a set rule, each set comprising at least one zone; the first DNS server being provided with a first IP address;
modifying the authorization information of each zone included in a first set from the first IP address to a third IP address, a server corresponding to the third IP address being a third DNS server; the third DNS server and a second DNS server being the same DNS server or different DNS servers;
determining whether the third DNS server is under DDoS attack; if so, determining a first zone from the first set, and if not, determining the first zone from a set other than the first set; the first zone being any zone for which the first DNS server provides resolution service;
modifying the authorization information of the first zone from the first IP address to a second IP address, and determining whether the second DNS server corresponding to the second IP address is under DDoS attack; the second DNS server and the first DNS server being the same DNS server or different DNS servers;
if the number of first zones is not more than N and the second DNS server is under DDoS attack, determining that the attack targets are those N zones; the N first zones being N different zones for which the first DNS server provides resolution service, and N being a positive integer.
2. The method according to claim 1, wherein after determining that the first DNS server is under DDoS attack and before determining the first zone on the first DNS server, the method further comprises:
acquiring attribute information of each zone on the first DNS server, the attribute information including the request volume and/or the number of domain names hosted under the zone;
and wherein determining the first zone on the first DNS server comprises:
according to the priority of each zone, taking the zone with the highest priority as the first zone, where the priority of each zone is determined according to its request volume and/or the number of domain names hosted under it.
3. The method according to claim 1, wherein dividing the zones on the first DNS server into a plurality of sets according to a set rule comprises:
determining the priority of each zone according to the request volume of each zone on the first DNS server and/or the number of domain names hosted under it;
and, according to the priority of each zone, placing the zones on the first DNS server whose priority falls within a set level range into the same set.
4. The method according to claim 1, wherein after determining whether the second DNS server corresponding to the second IP address is under DDoS attack, the method further comprises:
if the second DNS server is not under DDoS attack, modifying the authorization information of the first zone from the second IP address to a fourth IP address, a server corresponding to the fourth IP address being a fourth DNS server; the first DNS server, the second DNS server and the fourth DNS server being three different DNS servers, and the second DNS server being used only to provide resolution service for the first zone.
5. The method according to any one of claims 1 to 4, further comprising:
if more than N first zones draw a DDoS attack on the second DNS server, determining that the attack target is the DNS server.
6. An apparatus for detecting a distributed denial of service (DDoS) attack target, characterized in that the apparatus comprises:
a determining unit configured to divide the zones on a first DNS server into a plurality of sets according to a set rule after determining that the first DNS server is under DDoS attack, each set comprising at least one zone, the first DNS server being provided with a first IP address;
modify the authorization information of each zone included in a first set from the first IP address to a third IP address, a server corresponding to the third IP address being a third DNS server, the third DNS server and a second DNS server being the same DNS server or different DNS servers;
and determine whether the third DNS server is under DDoS attack, and if so, determine a first zone from the first set, and if not, determine the first zone from the sets other than the first set among the plurality of sets, the first zone being any zone for which the first DNS server provides resolution service;
a processing unit configured to modify the authorization information of the first zone from the first IP address to a second IP address and determine whether the second DNS server corresponding to the second IP address is under DDoS attack, the second DNS server and the first DNS server being the same DNS server or different DNS servers;
the processing unit being further configured to determine that the attack target is the N zones if no more than N first zones each draw a DDoS attack on the second DNS server, the N first zones being N different zones for which the first DNS server provides resolution service, and N being a positive integer.
7. The apparatus according to claim 6, further comprising an acquiring unit;
after the determining unit determines that the first DNS server is under DDoS attack and before it determines the first zone on the first DNS server, the acquiring unit is configured to:
acquire attribute information of each zone on the first DNS server, the attribute information including the request volume and/or the number of domain names hosted under the zone;
and the determining unit is specifically configured to:
take, according to the priority of each zone, the zone with the highest priority as the first zone, where the priority of each zone is determined according to its request volume and/or the number of domain names hosted under it.
8. The apparatus according to claim 6, wherein the determining unit is specifically configured to:
determine the priority of each zone according to the request volume of each zone on the first DNS server and/or the number of domain names hosted under it; and, according to the priority of each zone, place the zones on the first DNS server whose priority falls within a set level range into the same set.
9. The apparatus according to claim 6, wherein the processing unit is further configured to:
if the second DNS server is not under DDoS attack, modify the authorization information of the first zone from the second IP address to a fourth IP address, a server corresponding to the fourth IP address being a fourth DNS server; the first DNS server, the second DNS server and the fourth DNS server being three different DNS servers, and the second DNS server being used only to provide resolution service for the first zone.
10. The apparatus according to any one of claims 6 to 9, wherein the processing unit is further configured to:
if more than N first zones draw a DDoS attack on the second DNS server, determine that the attack target is the DNS server.
11. A computer-readable storage medium, characterized in that the storage medium stores instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 5.
12. A computer device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to execute the method of any of claims 1 to 5 in accordance with the obtained program.
CN201810845713.6A 2018-07-27 2018-07-27 Method and device for detecting distributed denial of service (DDoS) attack target Expired - Fee Related CN108989320B (en)


Publications (2)

Publication Number Publication Date
CN108989320A CN108989320A (en) 2018-12-11
CN108989320B true CN108989320B (en) 2021-04-16





Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210416