CN108989320B - Method and device for detecting distributed denial of service (DDoS) attack target - Google Patents
- Publication number
- CN108989320B (application number CN201810845713.6A)
- Authority
- CN
- China
- Prior art keywords
- dns server
- region
- dns
- address
- ddos
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Abstract
The invention discloses a method and a device for detecting a distributed denial of service (DDoS) attack target. The method comprises the following steps: after determining that a first DNS server is under DDoS attack, selecting a first region from the first DNS server and modifying the authorization information of that region, so that it can be judged whether the second DNS server to which the modified authorization information now points is under DDoS attack; when no more than N first regions are found to be under attack on the second DNS server, the attack target is determined to be those N regions. In this way the specific regions targeted by the attack can be effectively detected. Furthermore, the embodiment of the invention uses the IP address as the identifier of the attacked region, which avoids the problem that the attack target cannot be accurately distinguished when the domain name is unavailable, so that attacked and non-attacked targets are distinguished and the efficiency of attack detection is improved.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting a distributed denial of service (DDoS) attack target.
Background
The Domain Name System (DNS) is a distributed database on the internet that maps domain names to IP addresses, allowing users to access the internet more conveniently. Since DNS is the addressing mechanism for the vast majority of internet applications, its importance is self-evident, and attacks against DNS servers are becoming more frequent and larger in scale.
A distributed denial of service (DDoS) attack is one form of attack on a DNS server: using client/server techniques, many computers are combined into an attack platform that launches a DDoS attack against one or more targets, which multiplies the attack's power and can paralyze the whole DNS server. Some DDoS attacks, however, are not DNS-message attacks. When such an attack is launched against an authoritative DNS server, the provider of the authoritative DNS service cannot even determine which target is being attacked, because the key piece of information, the domain name, is missing; it is therefore difficult to take an effective, targeted defensive measure, and only passive brute-force defense remains. Once the attack exceeds the protection capacity of the whole platform, the serious consequence is likely to be that the platform breaks down and none of its regions can be resolved.
A method for detecting DDoS attack targets is therefore needed to solve the problem in the prior art that a DNS server is paralyzed because the attack target cannot be determined.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting a distributed denial of service (DDoS) attack target, which are used for solving the technical problem that a Domain Name System (DNS) server is paralyzed because the attack target cannot be determined in the prior art.
The embodiment of the invention provides a method for detecting a distributed denial of service (DDoS) attack target, which comprises the following steps:
after determining that a first DNS server is under DDoS attack, determining a first region from the first DNS server, where the first DNS server has a first IP address and the first region is any region for which the first DNS server provides resolution service;
modifying the authorization information of the first region from the first IP address to a second IP address, and judging whether the second DNS server corresponding to the second IP address is under DDoS attack; the second DNS server and the first DNS server may be the same DNS server or different DNS servers;
if the second DNS server is under DDoS attack and the number of first regions found to be attacked in this way is not more than N, determining that the attack target is those N regions; the N first regions are N different regions for which the first DNS server provides resolution service, and N is a positive integer.
Thus, by modifying the authorization information of each region so that it points to a DNS server with another IP address, it can be detected whether each region is under DDoS attack, and the specific region that is the attack target can be determined. Furthermore, the embodiment of the invention uses the IP address as the identifier of the attacked region, which avoids the problem that the attack target cannot be accurately distinguished when the domain name is unavailable, so that attacked and non-attacked targets are effectively distinguished and the efficiency of attack detection is improved.
In one possible implementation manner, determining the first area from the first DNS server includes:
dividing the regions in the first DNS server into a plurality of sets according to a set rule, where each set comprises at least one region;
modifying the authorization information of each region in the first set from the first IP address to a third IP address, where the server corresponding to the third IP address is a third DNS server; the third DNS server and the second DNS server may be the same DNS server or different DNS servers;
judging whether the third DNS server is under DDoS attack; if it is, determining the first region from the first set, and if it is not, determining the first region from the sets other than the first set.
Thus, whether the plurality of regions are attack targets can be detected in batch, detection time can be shortened, and detection efficiency can be improved.
In a possible implementation manner, after determining that the first DNS server is under DDoS attack and before determining the first region from the first DNS server, the method further includes:
acquiring attribute information of each region in the first DNS server, where the attribute information comprises the request volume and/or the number of domain names hosted under the region;
and determining the first region from the first DNS server then includes:
taking the region with the highest priority as the first region, where the priority of each region is determined according to its request volume and/or the number of domain names hosted under it.
In this way, the first region can be determined according to the level of the priority, so that the region with high priority can be processed with priority.
In a possible implementation manner, dividing the regions in the first DNS server into a plurality of sets according to a set rule includes:
determining the priority of each region according to its request volume in the first DNS server and/or the number of domain names hosted under it;
and, according to those priorities, dividing the regions in the first DNS server whose priority lies within a set level range into the same set.
In this way, the first set can be determined according to the priority level, so as to ensure that a plurality of areas with high priority levels can be processed preferentially.
In a possible implementation manner, after determining whether the second DNS server corresponding to the second IP address is attacked by DDoS, the method further includes:
if the second DNS server is not under DDoS attack, modifying the authorization information of the first region from the second IP address to a fourth IP address, where the server corresponding to the fourth IP address is a fourth DNS server; the first, second and fourth DNS servers are different DNS servers, and the second DNS server is used only to provide resolution service for the first region.
By adopting this method, whether the first region is an attack target can be effectively distinguished, and a region that is not attacked can be effectively isolated, so that the safety of the first region is ensured and it is prevented from being affected by the DDoS attack.
In one possible implementation, the method further includes:
if more than N first regions are found to be under DDoS attack on the second DNS server, determining that the attack target is the first DNS server itself.
The embodiment of the invention provides a device for detecting a distributed denial of service (DDoS) attack target, which comprises:
a determining unit, configured to determine a first region from a first DNS (domain name system) server after determining that the first DNS server is under DDoS (distributed denial of service) attack, where the first DNS server has a first IP (Internet protocol) address and the first region is any region for which the first DNS server provides resolution service;
a processing unit, configured to modify the authorization information of the first region from the first IP address to a second IP address and to judge whether the second DNS server corresponding to the second IP address is under DDoS attack; the second DNS server and the first DNS server may be the same DNS server or different DNS servers;
the processing unit is further configured to determine that the attack target is the N regions if the second DNS server is under DDoS attack and the number of first regions found to be attacked in this way is not more than N; the N first regions are N different regions for which the first DNS server provides resolution service, and N is a positive integer.
In a possible implementation manner, the determining unit is specifically configured to:
divide the regions in the first DNS server into a plurality of sets according to a set rule, where each set comprises at least one region; modify the authorization information of each region in the first set from the first IP address to a third IP address, where the server corresponding to the third IP address is a third DNS server, and the third DNS server and the second DNS server may be the same DNS server or different DNS servers; judge whether the third DNS server is under DDoS attack, and if it is, determine the first region from the first set, and if it is not, determine the first region from the sets other than the first set.
In a possible implementation manner, the apparatus further includes an obtaining unit;
after the determining unit determines that the first DNS server is under DDoS attack and before it determines the first region from the first DNS server, the acquiring unit is configured to:
acquire attribute information of each region in the first DNS server, where the attribute information comprises the request volume and/or the number of domain names hosted under the region;
and the determining unit is specifically configured to:
take the region with the highest priority as the first region, where the priority of each region is determined according to its request volume and/or the number of domain names hosted under it.
In a possible implementation manner, the determining unit is specifically configured to:
determine the priority of each region according to its request volume in the first DNS server and/or the number of domain names hosted under it; and, according to those priorities, divide the regions in the first DNS server whose priority lies within a set level range into the same set.
In one possible implementation, the processing unit is further configured to:
if the second DNS server is not under DDoS attack, modify the authorization information of the first region from the second IP address to a fourth IP address, where the server corresponding to the fourth IP address is a fourth DNS server; the first, second and fourth DNS servers are different DNS servers, and the second DNS server is used only to provide resolution service for the first region.
In one possible implementation, the processing unit is further configured to:
if more than N first regions are found to be under DDoS attack on the second DNS server, determine that the attack target is the first DNS server itself.
The embodiment of the present application further provides an apparatus having the function of implementing the above detection method for DDoS attack targets. This function may be implemented by hardware executing corresponding software. In one possible design, the apparatus includes a processor, a transceiver and a memory; the memory stores computer-executable instructions, the transceiver implements communication between the apparatus and other communication entities, and the processor is connected to the memory through a bus; when the apparatus runs, the processor executes the instructions stored in the memory so that the apparatus performs the above detection method for the DDoS attack target.
An embodiment of the present invention further provides a computer storage medium, where a software program is stored in the storage medium, and the software program, when being read and executed by one or more processors, implements the method for detecting a DDoS attack target described in the foregoing various possible implementation manners.
Embodiments of the present invention further provide a computer program product including instructions, which when run on a computer, causes the computer to execute the method for detecting a DDoS attack target described in the foregoing various possible implementation manners.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings that are required to be used in the description of the embodiments will be briefly described below.
FIG. 1 is a diagram of a system architecture suitable for use with embodiments of the present invention;
FIG. 2 is a schematic flowchart of a method for detecting a DDoS attack target according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a process for determining a first region according to an embodiment of the present invention;
FIG. 4a is a first schematic diagram of the relationship between the first IP address and the second IP address;
FIG. 4b is a second schematic diagram of the relationship between the first IP address and the second IP address;
FIG. 5a is a first schematic diagram of the relationship between the first IP address, the second IP address and the fourth IP address;
FIG. 5b is a second schematic diagram of the relationship between the first IP address, the second IP address and the fourth IP address;
FIG. 6 is a schematic diagram of an overall process involved in an embodiment of the present invention;
FIG. 7 is a schematic diagram of another overall process involved in an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a device for detecting a DDoS attack target according to an embodiment of the present invention.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings, and the specific operation methods in the method embodiments can also be applied to the apparatus embodiments.
Fig. 1 illustrates the architecture of a system to which an embodiment of the present invention is applicable. As shown in fig. 1, the system 100 includes an upper level DNS server 101 and a plurality of DNS servers, for example DNS servers 102, 103, 104 and 105. The upper level DNS server 101 may be connected to any of these DNS servers via a network and may also manage any of them; for example, it may communicate with DNS server 102 via the network and manage it (for example, manage the authorization information of each region in DNS server 102).
Further, each DNS server may provide resolution service for one or more regions (DNS zones). For example, as shown in fig. 1, DNS server 102 may provide resolution service for regions 1021, 1022 and 1023, and accordingly the upper level DNS server 101 may store the authorization information of each region in DNS server 102; table 1 gives an example of such authorization information.
Table 1: One example of authorization information for each region
| Region | Authorization information |
|---|---|
| 1021 | Resolved by DNS server 102 |
| 1022 | Resolved by DNS server 102 |
| 1023 | Resolved by DNS server 102 |
In the embodiment of the present invention, the DNS server may be an authoritative DNS server, such as a root authoritative DNS server, a COM authoritative DNS server, and the like, which is not limited specifically.
Based on the system architecture shown in fig. 1, fig. 2 shows a flowchart of the method for detecting a DDoS attack target provided by an embodiment of the present invention, which includes steps 201 to 203 described below.
It should be noted that steps 201 to 203 may be executed by the upper level DNS server 101 shown in fig. 1; alternatively, they may be executed by any DNS server shown in fig. 1, for example DNS server 102: after it is determined that DNS server 102 is under DDoS attack, the first region may be determined from DNS server 102, an authorization information modification request may be sent to the upper level DNS server 101, and the attack condition of the second DNS server may be obtained, so as to determine the target of the DDoS attack.
Thus, by modifying the authorization information of each region so that it points to a DNS server with another IP address, it can be detected whether each region is under DDoS attack, and the specific region that is the attack target can be determined. Furthermore, the embodiment of the invention uses the IP address as the identifier of the attacked region, which avoids the problem that the attack target cannot be accurately distinguished when the domain name is unavailable, so that attacked and non-attacked targets are effectively distinguished and the efficiency of attack detection is improved.
Specifically, before step 201 is executed, the authorization information of every region in the first DNS server may be modified from the first IP address of the first DNS server to the IP address of another DNS server, and it may be judged whether that other DNS server is then under DDoS attack. If it is not, the attack can be regarded as aimed at the first DNS server itself rather than at any region, and the subsequent steps 201 to 202 need not be executed; if it is still under DDoS attack, the subsequent steps 201 to 202 may be carried out.
In step 201, there are various ways to determine the first region from the first DNS server. For example, the first region may be chosen at random, that is, it may be any region for which the first DNS server provides resolution service; alternatively, it may be determined according to the priority of each region, which is not limited specifically.
Taking determination by priority as an example, before step 201 is performed, the attribute information of each region in the first DNS server may be obtained. The attribute information may include the request volume and/or the number of domain names hosted under the region. In one example, the priority of each region in the first DNS server is determined by its request volume; table 2 shows example one of the priority of each region. If the request volume of region 1 (which may be the average daily request volume, the total request volume, etc.) is 10000 requests, that of region 2 is 5000 requests and that of region 3 is 2000 requests, the three regions are ranked region 1 > region 2 > region 3. Since region 1 has the highest priority, region 1 may be taken as the first region.
Table 2: example of priority of each region
| Region | Request volume | Priority ranking |
|---|---|---|
| Region 1 | 10,000 requests | 1st |
| Region 2 | 5,000 requests | 2nd |
| Region 3 | 1,000 requests | 3rd |
In another example, the priority of each region in the first DNS server is determined by the number of domain names hosted under it; table 3 shows example two of the priority of each region. If region 1 hosts 10 domain names, region 2 hosts 15 and region 3 hosts 20, the three regions are ranked region 3 > region 2 > region 1. Since region 3 has the highest priority, region 3 may be taken as the first region.
Table 3: example two of priority for each region
| Region | Number of hosted domain names | Priority ranking |
|---|---|---|
| Region 1 | 10 | 3rd |
| Region 2 | 15 | 2nd |
| Region 3 | 20 | 1st |
In a further example, the priority of each region in the first DNS server is determined by both its request volume and the number of domain names hosted under it; table 4 shows example three of the priority of each region. If region 1 has a request volume of 10000 requests and hosts 10 domain names, region 2 has 5000 requests and hosts 15 domain names, and region 3 has 2000 requests and hosts 20 domain names, a weight can be calculated for each region from its request volume and hosted domain name count, and the priority of each region can then be determined by the size of its weight. As shown in table 4, by weight the three regions are ranked region 2 > region 1 > region 3; since region 2 has the highest priority, region 2 may be taken as the first region. The weight may be calculated by any existing weight calculation method, which is not described in detail here.
Table 4: example three of priority for each region
| Region | Request volume | Number of hosted domain names | Weight | Priority ranking |
|---|---|---|---|---|
| Region 1 | 10,000 requests | 10 | 0.8 | 2nd |
| Region 2 | 5,000 requests | 15 | 1 | 1st |
| Region 3 | 1,000 requests | 20 | 0.6 | 3rd |
In this way, the first region can be determined according to the level of the priority, so that the region with high priority can be processed with priority.
Since a DNS server may hold a large number of regions, the embodiments of the present invention may also divide the regions in the first DNS server into a plurality of sets and then determine the first region from those sets. Fig. 3 shows a flowchart for determining the first region according to an embodiment of the present invention, which includes the steps described below.
In the embodiments of the present invention, there are various ways to divide the regions in the first DNS server into sets. For example, the regions may be divided into sets at random: if the first DNS server holds 1000 regions and each set is given 100 regions, the 1000 regions are divided into 10 sets.
For another example, the regions may be divided into sets according to their priority. Table 5 shows an example of the regions in the first DNS server: the server holds 10 regions, regions 1 to 10, and the priority level of each is as shown in the table. In the embodiment of the present invention, regions whose priority lies within a set level range are divided into the same set. Taking table 5 as an example, regions 1 to 3 are all at the first level and may be divided into one set; regions 4 to 6 are all at the second level and may be divided into one set; and regions 7 to 10 are all at the third level and may be divided into one set.
Table 5: An example of the regions in a first DNS server
| Region | Priority level |
|---|---|
| Region 1 | First level |
| Region 2 | First level |
| Region 3 | First level |
| Region 4 | Second level |
| Region 5 | Second level |
| Region 6 | Second level |
| Region 7 | Third level |
| Region 8 | Third level |
| Region 9 | Third level |
| Region 10 | Third level |
Further, the priority of each region may be determined in various ways: it can be set by those skilled in the art according to experience and practical circumstances, or it may be determined according to the request volume of each region in the first DNS server and/or the number of domain names hosted under it, as described above. The level ranges may likewise be set by priority rank, for example ranks 1 to 10 form the first level, ranks 11 to 20 the second level, and so on; the possibilities are not listed one by one.
It should be noted that the above is only an example; in other possible examples, regions at other priority ranks may be treated as the same level, which is not limited specifically.
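The ranking and set-splitting described above, as an added example that is not part of the patent text: it ranks regions by request volume (table 2), by hosted domain name count (table 3), or by a combined weight (table 4), and then groups the ranked regions into sets by level range (table 5). The patent leaves the weight formula open, so the formula used here (the mean of the two normalised attributes) is an assumption of this example and does not reproduce the weight column of table 4; the region names and figures are taken from the tables, the ten-region list for partitioning is constructed.

```python
"""Added example: region priority and set partitioning for the detection method."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class RegionInfo:
    name: str
    requests: int        # request volume, e.g. average daily request count
    hosted_domains: int  # number of domain names hosted under the region


def weight(r: RegionInfo, max_requests: int, max_domains: int) -> float:
    """Assumed weight: mean of the normalised request volume and the normalised
    hosted-domain count. The patent does not fix a formula; this is one choice."""
    return 0.5 * r.requests / max(max_requests, 1) + 0.5 * r.hosted_domains / max(max_domains, 1)


def rank_regions(regions: List[RegionInfo], by: str = "both") -> List[str]:
    """Return region names from highest to lowest priority.
    by = 'requests' (table 2), 'domains' (table 3) or 'both' (table 4 style)."""
    key: Callable[[RegionInfo], float]
    if by == "requests":
        key = lambda r: float(r.requests)
    elif by == "domains":
        key = lambda r: float(r.hosted_domains)
    elif by == "both":
        max_req = max(r.requests for r in regions)
        max_dom = max(r.hosted_domains for r in regions)
        key = lambda r: weight(r, max_req, max_dom)
    else:
        raise ValueError(f"unknown ranking key: {by}")
    # sorted() is stable, so regions with equal keys keep their input order
    return [r.name for r in sorted(regions, key=key, reverse=True)]


def partition_by_rank(ordered: List[str], level_ranges: List[Tuple[int, int]]) -> List[List[str]]:
    """Group regions whose 1-based priority rank falls in the same level range
    into one set; [(1, 3), (4, 6), (7, 10)] gives the three sets of table 5."""
    sets = [ordered[lo - 1:hi] for lo, hi in level_ranges]
    return [s for s in sets if s]  # drop empty ranges beyond the last region


def sample_regions() -> List[RegionInfo]:
    """The three regions of table 4 (request volume and hosted domain names)."""
    return [
        RegionInfo("Region 1", 10000, 10),
        RegionInfo("Region 2", 5000, 15),
        RegionInfo("Region 3", 2000, 20),
    ]


def example() -> List[List[str]]:
    """Constructed ten-region list (equal attributes, so rank order is the input
    order) split into the first, second and third level sets as in table 5."""
    ten = [RegionInfo(f"Region {i}", 1000, 5) for i in range(1, 11)]
    return partition_by_rank(rank_regions(ten, "requests"), [(1, 3), (4, 6), (7, 10)])


if __name__ == "__main__":
    regs = sample_regions()
    print("by requests:", rank_regions(regs, "requests"))
    print("by domains: ", rank_regions(regs, "domains"))
    print("by weight:  ", rank_regions(regs, "both"))
    print("sets:", example())
```

With the assumed formula, region 1 scores 0.75, region 2 0.625 and region 3 0.6, so the combined ranking is region 1 > region 2 > region 3 rather than the region 2 > region 1 > region 3 of table 4; whichever weighting an operator chooses, the set split that follows only depends on the resulting rank order.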
In the embodiment of the present invention, the third DNS server and the second DNS server may be the same DNS server, or may be different DNS servers.
In steps 304 and 305, the first region may be determined from the first set, or from a set other than the first set, in any of the ways of determining the first region described above, which are not repeated here.
Thus, whether a plurality of regions are attack targets can be detected in batches, shortening the detection time and improving detection efficiency.
In step 202, after the first region has been determined, its authorization information may be modified. Specifically, this may be executed by the upper level DNS server 101 shown in fig. 1, which modifies the authorization information of the first region according to the first IP address of the first DNS server and the second IP address of the second DNS server, that is, changes it from the first IP address to the second IP address.
In the embodiment of the present invention, as shown in fig. 4a, the first IP address and the second IP address may be on the same DNS server, that is, the second DNS server and the first DNS server may be the same DNS server; alternatively, as shown in fig. 4b (a second schematic diagram of the relationship between the first and second IP addresses), the first IP address and the second IP address may be on different DNS servers, that is, the second DNS server and the first DNS server may be different DNS servers, which is not limited specifically.
Further, once the authorization information of the first region has been modified, resolution service for the first region is provided by the second DNS server, and it can then be judged whether the second DNS server is under DDoS attack. If it is, the attack target is the first region; if it is not, the attack target is not the first region, that is, the first region is a safe region, and its authorization information may then be modified from the second IP address of the second DNS server to a fourth IP address of a fourth DNS server. By adopting this method, whether the first region is an attack target can be effectively distinguished, and a region that is not attacked can be effectively isolated, so that the safety of the first region is ensured and it is prevented from being affected by the DDoS attack.
It should be noted that, as shown in fig. 5a, the first IP address and the second IP address may be on the same DNS server while the second IP address (or the first IP address) and the fourth IP address are on different DNS servers, that is, the second and first DNS servers may be the same server and the second and fourth DNS servers different servers; alternatively, as shown in fig. 5b (a second schematic diagram of the relationship between the first, second and fourth IP addresses), the first, second and fourth IP addresses may each be on a different DNS server, that is, the first, second and fourth DNS servers may all be different servers, where the second DNS server may be used only to provide resolution service for the first region.
In step 203, the N first regions may be on the same second DNS server or on different second DNS servers, which is not limited specifically.
By adopting this method, the authorization information of a plurality of regions in the first DNS server can be modified in turn, and it can be judged each time whether the second DNS server is under DDoS attack. For example, if the first DNS server holds 10 regions, table 6 shows an example of whether each region, after its authorization information has been modified, is under DDoS attack. As can be seen from table 6, the second DNS server is under DDoS attack only when the first region is region 1.
Table 6: example of whether DDoS attack is received after authorization information is modified in area
Region(s) | Whether or not to be attacked by DDoS |
Region 1 | Is that |
Region 2 | Whether or not |
Region 3 | Whether or not |
Region 4 | Whether or not |
Region 5 | Whether or not |
Region 6 | Whether or not |
Region 7 | Whether or not |
Region 8 | Whether or not |
Region 9 | Whether or not |
Region 10 | Whether or not |
Further, the N first zones are N different zones for which the first DNS server provides resolution service, and N is a positive integer. A person skilled in the art can determine the value of N according to experience and practical circumstances: for example, if the number of zones in the first DNS server is large, the value of N may be increased accordingly, and if the number of zones in the first DNS server is small, the value of N may be decreased accordingly. As another example, a person skilled in the art may determine the value of N by presetting a proportionality coefficient between N and the number of zones in the first DNS server.
For example, still taking the content shown in table 6, if N is set to 2: since only one first zone, after its authorization information is modified to the second IP address, causes the second DNS server to be attacked by DDoS, it may be determined that the attack target is a single first zone (i.e., zone 1 shown in table 6).
As another example, table 7 gives a second example of whether the zones in the first DNS server are attacked by DDoS after their authorization information is modified. As can be seen from table 7, the second DNS server is subject to DDoS attack when the first zone is zone 1, zone 5, or zone 9. If N is still set to 2, then since three first zones in the first DNS server cause the second DNS server to be attacked by DDoS after their authorization information is modified to the second IP address, it can be determined that the attack target is the DNS server itself.
Table 7: another example of whether a DDoS attack is received after a region modifies authorization information
Region(s) | Whether or not to be attacked by DDoS |
Region 1 | Is that |
Region 2 | Whether or not |
Region 3 | Whether or not |
Region 4 | Whether or not |
Region 5 | Is that |
Region 6 | Whether or not |
Region 7 | Whether or not |
Region 8 | Whether or not |
Region 9 | Is that |
Region 10 | Whether or not |
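The decision rule behind tables 6 and 7 (count the first zones that draw the attack onto the second DNS server; more than N means the server itself is the target) together with the set-based narrowing through the third DNS server, as an added Python simulation that is not part of the patent. The attacker model (the flood follows the zones it targets to whichever server their delegation points at), the priority weighting, the handling of a confirmed target zone between probes, the zone names and counts, and the 192.0.2.x server addresses are all constructed assumptions.

```python
"""Simulation of the zone-migration DDoS target detection procedure (constructed)."""
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    requests: int         # request volume for the zone (attribute information)
    hosted_domains: int   # number of domain names hosted under the zone
    ns_ip: str = ""       # server the zone's authorization (NS delegation) points at


def priority(zone):
    """Higher request volume and more hosted domains give a higher priority
    (this weighting is an assumption; the patent leaves the formula open)."""
    return zone.requests + 100 * zone.hosted_domains


def partition_by_priority(zones, n_sets):
    """Split zones into n_sets sets of adjacent priority levels, highest first."""
    ordered = sorted(zones, key=priority, reverse=True)
    size = -(-len(ordered) // n_sets)  # ceiling division
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


class AttackSimulator:
    """Constructed attacker: it keeps re-resolving the domains it is after, so
    the flood lands on whichever server those zones are delegated to."""

    def __init__(self, zones, target_zone_names):
        self.zones = zones
        self.targets = set(target_zone_names)

    def is_attacked(self, ip):
        return any(z.ns_ip == ip and z.name in self.targets for z in self.zones)


def detect_target(zones, ips, observe, n_max, n_sets=1):
    """Run the migration procedure and return (verdict, attacked_zones, log).

    ips maps 'first'..'fourth' to the four DNS servers of the method;
    observe(ip) -> bool is the DDoS monitor for the server at ip;
    log records, per probed zone, whether the second server was attacked
    (the "Yes/No" column of tables 6 and 7).
    """
    for z in zones:
        z.ns_ip = ips["first"]
    if not observe(ips["first"]):
        return ("no attack", [], {})

    # Narrowing step: move the first (highest-priority) set to the third
    # server; if the attack follows, the first zones are taken from that set,
    # otherwise from the remaining sets, and the first set is isolated.
    sets = partition_by_priority(zones, n_sets)
    for z in sets[0]:
        z.ns_ip = ips["third"]
    if observe(ips["third"]):
        candidates = sets[0]
    else:
        candidates = [z for s in sets[1:] for z in s]
        for z in sets[0]:
            z.ns_ip = ips["fourth"]

    # Probe the candidates one at a time on the second server.
    log, attacked = {}, []
    for z in candidates:
        z.ns_ip = ips["second"]
        hit = observe(ips["second"])
        log[z.name] = hit
        if hit:
            attacked.append(z.name)
            z.ns_ip = ips["first"]   # back to the attack area so the next probe
                                      # is observed alone (assumption)
        else:
            z.ns_ip = ips["fourth"]  # proven safe: park it on the security zone

    # More than N zones drew the attack: the target is the DNS server itself.
    if len(attacked) > n_max:
        return ("dns server", attacked, log)
    return ("zones", attacked, log)


def make_zones():
    """Ten constructed zones with decreasing request volume and domain count."""
    return [Zone(f"zone{i}", requests=1000 * (11 - i), hosted_domains=11 - i)
            for i in range(1, 11)]
```

Calling `detect_target` with `n_sets=1` probes every zone and reproduces the two tables; `n_sets=2` shows the narrowing step isolating a whole untargeted set without probing it.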
In order to more clearly describe the above DDoS attack target detection method, the flow involved in the embodiment of the present invention is generally described below with reference to fig. 6. As shown in fig. 6, the following steps may be included:
At step 602, an attack is determined to be directed to a first DNS server.
Step 606 determines a first region from the first set.
From another perspective, if it is determined that the first DNS server is attacked by DDoS, the first DNS server may be regarded as the attack area, where the attack area refers to a DNS server that is being attacked by DDoS by a hacker using non-DNS messages; further, the second DNS server may be regarded as the area to be isolated, where the area to be isolated is a selected batch of zones whose corresponding DNS server is used to provide resolution service, and whether the attacked object is among these zones is determined by observing whether the attack follows them to that server; further, the fourth DNS server may be regarded as the security zone (or isolation zone), where the security zone refers to zones confirmed not to be attack targets, and the DNS server corresponding to the security zone is used to provide resolution service.
Based on the above point, another general description of the flow involved in the embodiment of the present invention can be made with reference to fig. 7. As shown in fig. 7, the following steps may be included:
At step 702, the process ends.
In step 703, the first DNS server is an attack area, and the authorization information of each area in the attack area is modified, so that all areas are provided with resolution services by DNS servers corresponding to the areas to be isolated.
And 709, modifying the authorization information of the region in the to-be-isolated region to the DNS server corresponding to the security region, wherein the region in the to-be-isolated region is not an attack target.
In step 711, the region in the attack area is determined to be the target of the attack.
In step 714, the zone in the attack zone is not the attack target, and the authorization information of the zone in the attack zone is modified to the DNS server corresponding to the security zone.
Based on the same inventive concept, fig. 8 exemplarily illustrates a detection apparatus for a DDoS attack target provided by an embodiment of the present invention; as shown in fig. 8, the apparatus includes a determining unit 801, a processing unit 802, and an acquiring unit 803, wherein:
the determining unit 801 is configured to determine a first zone from a first DNS server after determining that the first DNS server is attacked by DDoS, where the first DNS server is provided with a first IP address and the first zone is any zone for which the first DNS server provides resolution service;
a processing unit 802, configured to modify the authorization information of the first area from the first IP address to a second IP address, and determine whether a second DNS server corresponding to the second IP address is attacked by DDoS; the second DNS server and the first DNS server are the same DNS server or different DNS servers;
the processing unit 802 is further configured to determine that the attack target is the N zones if there are no more than N first zones for which the second DNS server is attacked by DDoS, where the N first zones are N different zones for which the first DNS server provides resolution service and N is a positive integer.
In a possible implementation manner, the determining unit 801 is specifically configured to:
dividing the zones in the first DNS server into a plurality of sets according to a set rule, wherein each set comprises at least one zone; modifying the authorization information of each zone included in the first set from the first IP address to a third IP address, wherein the server corresponding to the third IP address is a third DNS server, and the third DNS server and the second DNS server are the same DNS server or different DNS servers; judging whether the third DNS server is attacked by DDoS, and if so, determining the first zone from the first set; and if not, determining the first zone from the sets other than the first set.
After the determining unit 801 determines that the first DNS server is attacked by DDoS, and before the first zone is determined from the first DNS server, the acquiring unit 803 is configured to:
acquire attribute information of each zone in the first DNS server, wherein the attribute information comprises the request volume and/or the number of hosted domain names;
the determining unit 801 is specifically configured to:
according to the priority of each zone, take the zone with the highest priority as the first zone, wherein the priority of each zone is determined according to the request volume of each zone and/or the number of domain names hosted under each zone.
In a possible implementation manner, the determining unit 801 is specifically configured to:
determine the priority of each zone according to the request volume of each zone in the first DNS server and/or the number of domain names hosted under each zone; and, according to the priority of each zone, divide the zones in the first DNS server whose priority falls within a set level range into the same set.
In one possible implementation manner, the processing unit 802 is further configured to:
if the second DNS server is not attacked by DDoS, the authorization information of the first region is modified from the second IP address to a fourth IP address, and a server corresponding to the fourth IP address is a fourth DNS server; the first DNS server, the second DNS server and the fourth DNS server are different DNS servers respectively, and the second DNS server is only used for providing resolution service for the first area.
In one possible implementation manner, the processing unit 802 is further configured to:
if more than N first zones cause the second DNS server to be attacked by DDoS, determine that the attack target is the DNS server.
The embodiment of the present application further provides an apparatus, which has a function of implementing the above-described detection method for DDoS attack targets. This function may be implemented by hardware executing corresponding software, and in one possible design, the apparatus includes: a processor, a transceiver, a memory; the memory is used for storing computer execution instructions, the transceiver is used for realizing the communication between the device and other communication entities, the processor is connected with the memory through the bus, and when the device runs, the processor executes the computer execution instructions stored in the memory so as to enable the device to execute the above-described detection method for the DDoS attack target.
An embodiment of the present invention further provides a computer storage medium, where a software program is stored in the storage medium, and the software program, when being read and executed by one or more processors, implements the method for detecting a DDoS attack target described in the foregoing various possible implementation manners.
Embodiments of the present invention further provide a computer program product including instructions, which when run on a computer, causes the computer to execute the method for detecting a DDoS attack target described in the foregoing various possible implementation manners.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (12)
1. A method for detecting a distributed denial of service (DDoS) attack target is characterized by comprising the following steps:
after determining that a first DNS server is attacked by DDoS, dividing regions in the first DNS server into a plurality of sets according to a set rule, wherein each set comprises at least one region; the first DNS server is provided with a first IP address;
modifying the authorization information of each region included in the first set from the first IP address to a third IP address, wherein a server corresponding to the third IP address is a third DNS server; the third DNS server and the second DNS server are the same DNS server or different DNS servers;
judging whether the third DNS server is attacked by DDoS, and if so, determining a first region from the first set; if not, determining the first region from the sets except the first set; the first region is any region for which the first DNS server provides resolution service;
modifying the authorization information of the first area from the first IP address to a second IP address, and judging whether a second DNS server corresponding to the second IP address is attacked by DDoS; the second DNS server and the first DNS server are the same DNS server or different DNS servers;
if the number of the first regions for which the second DNS server is attacked by DDoS is not more than N, determining that the attack targets are the N regions; the N first regions are N different regions for which the first DNS server provides resolution service, where N is a positive integer.
2. The method of claim 1, wherein after the determining that the first DNS server is subject to the DDoS attack, and before determining the first zone from the first DNS server, the method further comprises:
acquiring attribute information of each region in the first DNS server, wherein the attribute information comprises a request volume and/or the number of hosted domain names;
determining the first region from the first DNS server, including:
according to the priority of each region, taking the region with the highest priority as the first region, wherein the priority of each region is determined according to the request volume of each region and/or the number of domain names hosted under each region.
3. The method of claim 1, wherein dividing the zone in the first DNS server into a plurality of sets according to a set rule comprises:
determining the priority of each region according to the request volume of each region in the first DNS server and/or the number of domain names hosted under each region;
and according to the priority of each region, dividing the regions in the first DNS server whose priority falls within a set level range into the same set.
4. The method according to claim 1, wherein after determining whether the second DNS server corresponding to the second IP address is attacked by DDoS, the method further comprises:
if the second DNS server is not attacked by DDoS, the authorization information of the first region is modified from the second IP address to a fourth IP address, and a server corresponding to the fourth IP address is a fourth DNS server; the first DNS server, the second DNS server and the fourth DNS server are different DNS servers respectively, and the second DNS server is only used for providing resolution service for the first area.
5. The method according to any one of claims 1 to 4, further comprising:
if more than N first regions cause the second DNS server to be attacked by DDoS, determining that the attack target is the DNS server.
6. A device for detecting a target of a distributed denial of service (DDoS) attack, the device comprising:
a determining unit, configured to divide the regions in a first DNS server into a plurality of sets according to a set rule after determining that the first DNS server is attacked by DDoS, wherein each set comprises at least one region; the first DNS server is provided with a first IP address;
modifying the authorization information of each region included in the first set from the first IP address to a third IP address, wherein a server corresponding to the third IP address is a third DNS server; the third DNS server and the second DNS server are the same DNS server or different DNS servers;
judging whether the third DNS server is attacked by DDoS, and if so, determining a first region from the first set; if not, determining the first region from the sets except the first set among the plurality of sets, wherein the first DNS server is provided with a first IP address; the first region is any region for which the first DNS server provides resolution service;
the processing unit is used for modifying the authorization information of the first area from the first IP address to a second IP address and judging whether a second DNS server corresponding to the second IP address is attacked by DDoS; the second DNS server and the first DNS server are the same DNS server or different DNS servers;
the processing unit is further configured to determine that the attack target is the N regions if there are no more than N first regions for which the second DNS server is attacked by DDoS; the N first regions are N different regions for which the first DNS server provides resolution service, where N is a positive integer.
7. The apparatus of claim 6, further comprising an acquisition unit;
after the determining unit determines that the first DNS server is attacked by DDoS and before the determining unit determines the first zone from the first DNS server, the acquiring unit is configured to:
acquire attribute information of each region in the first DNS server, wherein the attribute information comprises a request volume and/or the number of hosted domain names;
the determining unit is specifically configured to:
according to the priority of each region, take the region with the highest priority as the first region, wherein the priority of each region is determined according to the request volume of each region and/or the number of domain names hosted under each region.
8. The apparatus according to claim 6, wherein the determining unit is specifically configured to:
determine the priority of each region according to the request volume of each region in the first DNS server and/or the number of domain names hosted under each region; and, according to the priority of each region, divide the regions in the first DNS server whose priority falls within a set level range into the same set.
9. The apparatus of claim 6, wherein the processing unit is further configured to:
if the second DNS server is not attacked by DDoS, the authorization information of the first region is modified from the second IP address to a fourth IP address, and a server corresponding to the fourth IP address is a fourth DNS server; the first DNS server, the second DNS server and the fourth DNS server are different DNS servers respectively, and the second DNS server is only used for providing resolution service for the first area.
10. The apparatus according to any one of claims 6 to 9, wherein the processing unit is further configured to:
if more than N first regions cause the second DNS server to be attacked by DDoS, determine that the attack target is the DNS server.
11. A computer-readable storage medium, characterized in that the storage medium stores instructions that, when executed on a computer, cause the computer to carry out the method of any one of claims 1 to 5.
12. A computer device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to execute the method of any of claims 1 to 5 in accordance with the obtained program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810845713.6A CN108989320B (en) | 2018-07-27 | 2018-07-27 | Method and device for detecting distributed denial of service (DDoS) attack target |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108989320A CN108989320A (en) | 2018-12-11 |
CN108989320B true CN108989320B (en) | 2021-04-16 |
Family
ID=64551868
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108989320B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20210416 |