CN109005181A - A kind of detection method, system and the associated component of DNS amplification attack - Google Patents
Publication number: CN109005181A (application CN201810913865.5A)
Authority: CN (China)
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Abstract
This application discloses a detection method for DNS amplification attacks. The method determines, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time; judges whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value; if so, obtains from the historical traffic data the DNS packets to be checked that fall within a preset time range of the target time; performs feature analysis on the DNS packets to be checked and judges from the feature analysis result whether a DNS amplification attack is present; and if so, outputs a security event indicating that a DNS amplification attack has been detected. The method can accurately detect DNS amplification attacks in different application environments and thereby reduce the false-alarm rate and the missed-alarm rate. Also disclosed are a detection system for DNS amplification attacks, a computer-readable storage medium and a detection device for DNS amplification attacks, which have the same beneficial effects.
Description
Technical field
The present invention relates to the field of firewall technology, and in particular to a detection method and a detection system for DNS amplification attacks, a computer-readable storage medium, and a detection device for DNS amplification attacks.
Background technique
A DNS (Domain Name System) amplification attack, also called a DNS outgoing amplification attack or a leverage attack (DNS Amplification Attack), is a kind of denial-of-service attack, specifically a packet-based attack in which a large number of variant packets generate a large volume of bogus traffic against a single target. A DNS amplification attack uses spoofed packets sent to innocent third parties to amplify the traffic, with the aim of exhausting all of the victim's bandwidth, which seriously affects the normal operation of its business.
In the prior art, security vendors mainly use the following detection means: a threshold is set, and the frequency of outgoing packets at a given point in time is checked against it; if the threshold is exceeded, a DNS amplification attack is assumed. However, because different customers, different hosts and different access networks have different network models, such a threshold is hard to determine, and applying one fixed threshold to all users easily causes false alarms and missed alarms.
Therefore, how to accurately detect DNS amplification attacks in different application environments, and thereby reduce the false-alarm rate and the missed-alarm rate, is a technical problem that those skilled in the art currently need to solve.
Summary of the invention
The purpose of the application is to provide a detection method and a detection system for DNS amplification attacks, a computer-readable storage medium and a detection device for DNS amplification attacks that can accurately detect DNS amplification attacks in different application environments and thereby reduce the false-alarm rate and the missed-alarm rate.
To solve the above technical problem, the application provides a detection method for DNS amplification attacks, the method including:
determining, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration;
judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value;
if so, obtaining from the historical traffic data the DNS packets to be checked that fall within a preset time range of the target time;
performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack is present;
if so, outputting a security event indicating that a DNS amplification attack has been detected.
Optionally, determining the first DNS packet count at the target time and the second DNS packet count at the historical time from the historical traffic data includes:
generating, from the historical traffic data, a time series whose statistical indicator is the DNS packet count;
analysing the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
Optionally, performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack is present includes:
performing domain-name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets to be checked; if so, a DNS amplification attack is present;
or, performing source-IP feature analysis on the DNS packets to be checked and judging whether the source IP address of the DNS packets to be checked is a preset IP address; if not, a DNS amplification attack is present;
or, performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is below a preset response ratio and the failure rate is above a preset failure rate; if so, a DNS amplification attack is present.
Optionally, an illegal domain name is specifically a domain name composed of a normal domain name and a random string.
The present invention also provides a detection system for DNS amplification attacks, the system including:
a count determining module for determining, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration;
an anomaly judging module for judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value;
a to-be-checked data acquisition module for obtaining, when the ratio is greater than the preset value, the DNS packets to be checked within a preset time range of the target time from the historical traffic data;
a feature analysis module for performing feature analysis on the DNS packets to be checked, judging from the feature analysis result whether a DNS amplification attack is present and, if so, outputting a security event indicating that a DNS amplification attack has been detected.
Optionally, the count determining module includes:
a time series generation unit for generating, from the historical traffic data, a time series whose statistical indicator is the DNS packet count;
a time series analysis module for analysing the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
Optionally, the feature analysis module includes:
a first analysis unit for performing domain-name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets; if so, a DNS amplification attack is present;
or, a second analysis unit for performing source-IP feature analysis on the DNS packets to be checked and judging whether the source IP address of the DNS packets to be checked is a preset IP address; if not, a DNS amplification attack is present;
or, a third analysis unit for performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is below a preset response ratio and the failure rate is above a preset failure rate; if so, a DNS amplification attack is present.
Optionally, an illegal domain name is specifically a domain name composed of a normal domain name and a random string.
The present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed, the steps of the above detection method for DNS amplification attacks are carried out.
The present invention also provides a detection device for DNS amplification attacks, including a memory and a processor, a computer program being stored in the memory; when the processor invokes the computer program in the memory, the steps of the above detection method for DNS amplification attacks are carried out.
The present invention provides a detection method for DNS amplification attacks that includes: determining, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration; judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value; if so, obtaining from the historical traffic data the DNS packets to be checked within a preset time range of the target time; performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack is present; and if so, outputting a security event indicating that a DNS amplification attack has been detected.
Since an abnormal increase in the DNS packet count is the common characteristic of all DNS amplification attacks, the present invention first detects whether the first DNS packet count at the target time is abnormal. Specifically, the application determines whether the DNS packet count has increased abnormally by judging whether the ratio of the first DNS packet count to the second DNS packet count at the historical time is greater than a preset value. The prior art judges whether the DNS packet count has increased abnormally by setting one fixed threshold, but because the DNS packet count varies periodically over time, a single fixed threshold cannot evaluate the DNS packet count in every period; this is the root cause of the false alarms and missed alarms the prior art is prone to. The application therefore replaces the prior-art "threshold" with the second DNS packet count at the historical time taken from the historical traffic data, and uses it to evaluate the first packet count at the target time. The historical time and the target time are one preset duration apart, so under normal circumstances the DNS packet counts at the two times should be essentially the same; whether the DNS packet count has increased abnormally can therefore be determined from the ratio of the first DNS packet count to the second DNS packet count. Once the DNS packet count has been found abnormal, feature analysis is performed on the DNS packets within the preset time range around the target time to detect whether a DNS amplification attack is present. This scheme can accurately detect DNS amplification attacks in different application environments and thereby reduce the false-alarm rate and the missed-alarm rate. The application also provides a detection system for DNS amplification attacks, a computer-readable storage medium and a detection device for DNS amplification attacks, which have the above beneficial effects and are not described again here.
Brief description of the drawings
In order to illustrate the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some examples of the present application; a person of ordinary skill in the art could obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a detection method for DNS amplification attacks provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of the fluctuation of the DNS packet count over time;
Fig. 3 is a structural schematic diagram of a detection system for DNS amplification attacks provided by an embodiment of the present application.
Specific embodiments
To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the application without creative work fall within the protection scope of the application.
Refer to Fig. 1, which is a flow chart of a detection method for DNS amplification attacks provided by an embodiment of the present application.
The specific steps may include:
S101: determining, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration;
The purpose of this step is to obtain the DNS packet count at the target time that needs to be checked and the DNS packet count at the historical time that serves as the reference. Before this step there is by default an operation of obtaining the historical traffic data of the target device. Note that historical traffic data means all traffic data within a certain period of time, and both the target time and the historical time mentioned in this step fall within the period covered by the historical traffic data.
Refer to Fig. 2, a schematic diagram of the fluctuation of the DNS packet count, in which the horizontal axis is time and the vertical axis is the DNS packet count. Under normal circumstances the DNS packet count varies periodically over time: the DNS packet counts at corresponding moments of different periods are roughly the same, and the trend of the DNS packet count within each period is the same. The period is closely related to the environment in which this method is applied. For example, if the period of variation of the DNS packet count is one week (7 days), then under normal circumstances the DNS packet count at 12:00 on Wednesday of this week and the count at 12:00 on Wednesday of last week remain almost the same, and the curve of the DNS packet count over time this week has a shape similar to the curve for last week. In this example, the target time mentioned in this step corresponds to 12:00 on Wednesday of this week, the historical time corresponds to 12:00 on Wednesday of last week, and the historical time is one week (i.e. the preset duration) earlier than the target time. Of course, the specific value of the preset duration is not limited here; those skilled in the art can flexibly choose 24 hours, one week, one month or another suitable duration according to the actual application. The preset duration need not be exactly one period of the DNS packet count variation and may also be several periods, but since a longer period gives poorer detection results, the preset duration is preferably one period of the DNS packet count variation.
Note that this embodiment assumes by default that the second packet count at the historical time is normal, i.e. that no abnormal increase exists there. As a preferred embodiment, this step may first generate, from the historical traffic data, a time series whose statistical indicator is the DNS packet count, and then analyse the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
S102: judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value; if so, proceed to S103; if not, end the process;
The purpose of this step is to judge whether an abnormal increase in DNS packets exists at the target time. The first DNS packet count obtained in S101 is the information being checked, and the second DNS packet count is the reference against which the first count is evaluated. The ratio of the first DNS packet count to the second DNS packet count is calculated; when the ratio is greater than the preset value, an abnormal increase in the DNS packet count is indicated. The preset value can be set flexibly according to the environment. It should further be explained that the most basic manifestation of a DNS amplification attack is an abnormal increase in the DNS packet count at a certain moment, and this abnormal increase shows not only as a sudden increase relative to adjacent moments; the key is that it shows as a sudden increase relative to the historical time that is one preset duration earlier than the target time. Because DNS traffic fluctuates, a sudden increase at the target time relative to adjacent moments alone cannot show that the abnormal increase corresponding to a DNS amplification attack is present; a comparison with the historical time one preset duration earlier is required. Referring to Fig. 2, the DNS packet count at the target time is much larger than the DNS packet count at the historical time, so an abnormal increase in the DNS packet count exists at the target time in the figure.
In this step, if the ratio of the first DNS packet count to the second DNS packet count is found not to exceed the preset value, it may be considered that no abnormal increase in the DNS packet count exists at the target time, and the process can end.
S103: obtaining from the historical traffic data the DNS packets to be checked that fall within a preset time range of the target time;
This step is built on the judgment that an abnormal increase in the DNS packet count exists at the target time. Note that an abnormal increase in the DNS packet count is the characteristic shared by all DNS amplification attacks, but the existence of such an increase alone does not establish that a DNS amplification attack definitely exists; it only establishes that the target time is suspected of a DNS amplification attack, so feature analysis of the relevant DNS packets is required.
It should be understood that a DNS amplification attack does not exist only at a single moment; the attack behaviour is present throughout a certain period of time. Therefore, once S102 has determined that an abnormal increase in the DNS packet count exists at the target time, it can initially be assumed that a DNS amplification attack is likely present in the period around the target time, and this step obtains from the historical traffic data the DNS packets to be checked within a preset time range of the target time. For example, when an abnormal increase in DNS packets is detected at 12:00, the DNS packets in the half hour before and after 12:00 can be analysed; that is, this step obtains from the historical traffic data the DNS packets between 11:30 and 12:30 for the feature analysis of the next step.
S104: performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack is present; if so, proceed to S105; if not, end the process;
The purpose of this step is to perform feature analysis on the DNS packets near the time of the abnormal increase in the DNS packet count, so as to judge specifically whether a DNS amplification attack is present. As a preferred embodiment, a multidimensional feature analysis may be used to determine whether a DNS amplification attack exists; the specific method is described in the next embodiment.
S105: outputting a security event indicating that a DNS amplification attack has been detected.
After a DNS amplification attack has been determined, a corresponding security event can be output to alert the relevant staff or to start the corresponding handling plan, so as to minimise losses. The security event here may be a network security event stating that a DNS amplification attack has been detected.
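As an added illustration of steps S101 to S103 (example code written for this page, not taken from the patent or any product), the following Python builds the DNS-count time series from constructed traffic, compares the count at the target time with the count one preset duration earlier, and extracts the packets to be checked around the target time. The one-minute bucket, the treatment of an empty reference bucket, the preset values and the sample traffic are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: datetime
    proto: str  # "dns" for DNS packets; other protocols are ignored by the counter


EPOCH = datetime(1970, 1, 1)

# Assumed presets for the worked example (values the patent leaves to the operator).
TARGET = datetime(2018, 8, 8, 12, 0)   # 12:00 on Wednesday of "this week"
QUIET = datetime(2018, 8, 8, 12, 5)    # a normal minute, for comparison
WEEK = timedelta(days=7)               # preset duration: one period of the DNS count
HALF_HOUR = timedelta(minutes=30)      # preset time range around the target time
PRESET_VALUE = 5.0                     # ratio above which S102 flags an abnormal increase


def bucket_key(ts: datetime, bucket: timedelta) -> datetime:
    """Floor a timestamp to the start of its bucket."""
    return EPOCH + ((ts - EPOCH) // bucket) * bucket


def dns_time_series(packets: List[Packet], bucket: timedelta = timedelta(minutes=1)) -> Dict[datetime, int]:
    """S101 (preferred form): time series whose statistical indicator is DNS packets per bucket."""
    series: Counter = Counter()
    for p in packets:
        if p.proto == "dns":
            series[bucket_key(p.ts, bucket)] += 1
    return series


def count_ratio(series, target, preset_duration, bucket=timedelta(minutes=1)) -> Tuple[int, int, float]:
    """Return (first count at target, second count one preset duration earlier, first/second)."""
    first = series.get(bucket_key(target, bucket), 0)
    second = series.get(bucket_key(target - preset_duration, bucket), 0)
    # Assumption: the patent does not say what to do when the reference bucket is empty;
    # an empty baseline is treated here as a count of one, so traffic at the target time
    # yields a finite, large ratio instead of a division by zero.
    return first, second, first / max(second, 1)


def is_abnormal(series, target, preset_duration, preset_value, bucket=timedelta(minutes=1)) -> bool:
    """S102: the DNS packet count is abnormal when first/second exceeds the preset value."""
    return count_ratio(series, target, preset_duration, bucket)[2] > preset_value


def packets_to_check(packets: List[Packet], target: datetime, preset_range: timedelta) -> List[Packet]:
    """S103: DNS packets within +/- preset_range of the target (11:30-12:30 for a 12:00 target)."""
    lo, hi = target - preset_range, target + preset_range
    return [p for p in packets if p.proto == "dns" and lo <= p.ts <= hi]


def select_packets(packets, target, preset_duration, preset_value, preset_range, bucket=timedelta(minutes=1)):
    """S101-S103 together: the packets handed to feature analysis, or [] when S102 ends the process."""
    series = dns_time_series(packets, bucket)
    if not is_abnormal(series, target, preset_duration, preset_value, bucket):
        return []
    return packets_to_check(packets, target, preset_range)


def build_sample() -> List[Packet]:
    """Constructed traffic: 11:00-13:00 on two consecutive Wednesdays, one DNS packet every 6 s
    (10 per minute) plus some non-DNS packets, and a burst of 190 extra DNS packets in the
    12:00 minute of the second Wednesday."""
    last_wed = datetime(2018, 8, 1, 11, 0)
    this_wed = last_wed + WEEK
    pkts: List[Packet] = []
    for start in (last_wed, this_wed):
        for sec in range(0, 7200, 6):
            pkts.append(Packet(start + timedelta(seconds=sec), "dns"))
            if sec % 12 == 0:
                pkts.append(Packet(start + timedelta(seconds=sec), "tcp"))
    for i in range(190):
        pkts.append(Packet(this_wed + timedelta(hours=1, milliseconds=300 * i), "dns"))
    return pkts


def demo() -> dict:
    """Run S101-S103 on the constructed sample and return the intermediate results."""
    traffic = build_sample()
    series = dns_time_series(traffic)
    return {
        "ratio_at_target": count_ratio(series, TARGET, WEEK),
        "ratio_at_quiet": count_ratio(series, QUIET, WEEK),
        "to_check": len(select_packets(traffic, TARGET, WEEK, PRESET_VALUE, HALF_HOUR)),
        "to_check_quiet": len(select_packets(traffic, QUIET, WEEK, PRESET_VALUE, HALF_HOUR)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The 12:00 minute holds 200 DNS packets against 10 one week earlier (ratio 20, above the preset 5), so the 11:30 to 12:30 window is handed on; the 12:05 minute matches last week (ratio 1) and the process ends there.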
Since an abnormal increase in the DNS packet count is the common characteristic of all DNS amplification attacks, the present invention first detects whether the first DNS packet count at the target time is abnormal. Specifically, this embodiment determines whether the DNS packet count has increased abnormally by judging whether the ratio of the first DNS packet count to the second DNS packet count at the historical time is greater than a preset value. The prior art judges whether the DNS packet count has increased abnormally by setting one fixed threshold, but because the DNS packet count varies periodically over time, a single fixed threshold cannot evaluate the DNS packet count in every period; this is the root cause of the false alarms and missed alarms the prior art is prone to. This embodiment therefore replaces the prior-art "threshold" with the second DNS packet count at the historical time taken from the historical traffic data, and uses it to evaluate the first packet count at the target time. The historical time and the target time are one preset duration apart, so under normal circumstances the DNS packet counts at the two times should be essentially the same; whether the DNS packet count has increased abnormally can therefore be determined from the ratio of the first DNS packet count to the second DNS packet count. Once the DNS packet count has been found abnormal, feature analysis is performed on the DNS packets within the preset time range around the target time to detect whether a DNS amplification attack is present. This embodiment can accurately detect DNS amplification attacks in different application environments and thereby reduce the false-alarm rate and the missed-alarm rate.
As a preferred embodiment, the following example explains S104 of the above embodiment in more detail.
The ways of carrying out the multidimensional feature analysis include but are not limited to the following.
The specific steps may include:
Mode one: performing domain-name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets to be checked; if so, the DNS amplification attack is present.
This mode is domain-name feature analysis: in order to send a large number of DNS requests, much malware prepends a random string to a normal domain name, so an illegal domain name is specifically a domain name composed of a normal domain name and a random string.
Mode two: performing source-IP feature analysis on the DNS packets to be checked and judging whether the source IP address of the DNS packets to be checked is a preset IP address; if not, the DNS amplification attack is present.
This mode is source-IP feature analysis: if the source IP is not the IP address of a client, the traffic is very likely an attack actively initiated by malware, which sends a large number of DNS requests with the IP address of the attacked party as the source IP. After these DNS requests are resolved, all of the responses are returned to the attacked server, which is thereby overwhelmed.
Mode three: performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is below a preset response ratio and the failure rate is above a preset failure rate; if so, the DNS amplification attack is present.
In a normal network environment the ratio of successful to failed resolutions should be relatively stable. This mode can be divided into two steps: first, whether there are a large number of DNS request packets that received no response packet; if so, an attack may be being launched outward at this time, and it is then judged whether there are a large number of DNS requests whose resolution failed; if so, a DNS amplification attack is present.
The above are three detection modes that analyse features according to the means by which attackers carry out DNS amplification attacks. Note that as long as any one of the three modes detects a DNS amplification attack, it can be determined that a DNS amplification attack exists within the preset time range of the target time. The three modes may also be combined, for example: when mode one cannot determine that a DNS amplification attack exists, proceed to mode two; when mode two cannot determine that a DNS amplification attack exists, proceed to mode three. That is, the three modes may form a logically sequential relationship in which the judgments are made one by one until a DNS amplification attack is detected; the specific order of the judgments is not limited. After a DNS amplification attack has been detected, the relevant steps that follow detection can be carried out.
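The three analysis modes of S104 and their sequential combination, as an added Python example that is not the patent's own code: the entropy heuristic used to decide that a leading label is a "random string", the preset client address list, the preset response ratio and failure rate, the pairing of responses to requests by transaction id, and the constructed DNS records are all assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class DnsRecord:
    src_ip: str
    qname: str
    txid: int                    # transaction id, used here to pair a response with its request
    is_query: bool
    rcode: Optional[int] = None  # responses only: 0 = NOERROR, 3 = NXDOMAIN


# Assumed presets: the normal domains that random strings get prepended to, the client
# addresses allowed as query sources, and the preset response ratio and failure rate.
NORMAL_DOMAINS = {"example.com", "example.org"}
CLIENT_IPS = {"10.0.0.5", "10.0.0.6"}
PRESET_RESPONSE_RATIO = 0.8
PRESET_FAILURE_RATE = 0.5


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_illegal_domain(qname: str, normal_domains: Set[str], min_len: int = 8, min_entropy: float = 3.2) -> bool:
    """Mode one: a normal domain with a random string prepended. 'Random' is judged here
    (assumed heuristic) by the length and character entropy of the leading label."""
    name = qname.rstrip(".").lower()
    for base in normal_domains:
        if name.endswith("." + base):
            first_label = name[: -len(base) - 1].split(".")[0]
            return len(first_label) >= min_len and shannon_entropy(first_label) >= min_entropy
    return False


def mode_one(records: List[DnsRecord], normal_domains: Set[str] = NORMAL_DOMAINS) -> bool:
    return any(r.is_query and is_illegal_domain(r.qname, normal_domains) for r in records)


def mode_two(records: List[DnsRecord], client_ips: Set[str] = CLIENT_IPS) -> bool:
    """Mode two: a query whose source IP is not a preset client address (a spoofed source)."""
    return any(r.is_query and r.src_ip not in client_ips for r in records)


def response_and_failure_rates(records: List[DnsRecord]) -> Tuple[float, float]:
    """Share of queries that got a response, and share of those responses that failed."""
    queried = {r.txid for r in records if r.is_query}
    answered = {r.txid: r.rcode for r in records if not r.is_query and r.txid in queried}
    if not queried:
        return 1.0, 0.0
    response_ratio = len(answered) / len(queried)
    failure_rate = sum(1 for rc in answered.values() if rc != 0) / len(answered) if answered else 0.0
    return response_ratio, failure_rate


def mode_three(records, preset_response_ratio=PRESET_RESPONSE_RATIO, preset_failure_rate=PRESET_FAILURE_RATE) -> bool:
    """Mode three: many requests unanswered (step 1) and many of the answered ones failed (step 2)."""
    response_ratio, failure_rate = response_and_failure_rates(records)
    return response_ratio < preset_response_ratio and failure_rate > preset_failure_rate


def detect(records: List[DnsRecord]) -> Optional[str]:
    """S104 with the modes chained: stop at the first mode that finds an attack, None if none does."""
    checks: List[Tuple[str, Callable[[], bool]]] = [
        ("mode one: illegal domain name", lambda: mode_one(records)),
        ("mode two: source IP not a preset client", lambda: mode_two(records)),
        ("mode three: low response ratio, high failure rate", lambda: mode_three(records)),
    ]
    for name, check in checks:
        if check():
            return name
    return None


def sample_normal() -> List[DnsRecord]:
    """Constructed benign window: client queries, every one answered with NOERROR."""
    recs = []
    for i, q in enumerate(["www.example.com", "mail.example.org", "www.example.com"]):
        recs.append(DnsRecord("10.0.0.5", q, 100 + i, True))
        recs.append(DnsRecord("198.51.100.53", q, 100 + i, False, rcode=0))
    return recs


def sample_attack() -> List[DnsRecord]:
    """Constructed attack window: non-client source, random-prefix names, 2 of 20 answered, both NXDOMAIN."""
    labels = ["k3q9z7xw1p", "b8f2mv5t0r", "h4jn6yd1cu"]
    recs = [DnsRecord("203.0.113.9", f"{labels[i % 3]}.example.com", 500 + i, True) for i in range(20)]
    recs += [DnsRecord("198.51.100.53", f"{labels[i]}.example.com", 500 + i, False, rcode=3) for i in range(2)]
    return recs


def sample_unanswered() -> List[DnsRecord]:
    """Constructed window that passes modes one and two but trips mode three: a client sends
    10 normal queries, only 2 are answered and both fail."""
    recs = [DnsRecord("10.0.0.6", "www.example.com", 700 + i, True) for i in range(10)]
    recs += [DnsRecord("198.51.100.53", "www.example.com", 700 + i, False, rcode=3) for i in range(2)]
    return recs


if __name__ == "__main__":
    for name, window in (("normal", sample_normal()), ("attack", sample_attack()), ("unanswered", sample_unanswered())):
        print(name, "->", detect(window), response_and_failure_rates(window))
```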
Refer to Fig. 3, a structural schematic diagram of a detection system for DNS amplification attacks provided by an embodiment of the present application.
The system may include:
a count determining module 100 for determining, from historical traffic data, a first DNS packet count at the target time and a second DNS packet count at the historical time, where the historical time is earlier than the target time by the preset duration;
an anomaly judging module 200 for judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value;
a to-be-checked data acquisition module 300 for obtaining, when the ratio is greater than the preset value, the DNS packets to be checked within the preset time range of the target time from the historical traffic data;
a feature analysis module 400 for performing feature analysis on the DNS packets to be checked, judging from the feature analysis result whether a DNS amplification attack is present and, if so, outputting a security event indicating that the DNS amplification attack has been detected.
Further, the count determining module 100 includes:
a time series generation unit for generating, from the historical traffic data, a time series whose statistical indicator is the DNS packet count;
a time series analysis module for analysing the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
Further, the feature analysis module 400 includes:
a first analysis unit for performing domain-name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets; if so, the DNS amplification attack is present;
or, a second analysis unit for performing source-IP feature analysis on the DNS packets to be checked and judging whether the source IP address of the DNS packets to be checked is a preset IP address; if not, the DNS amplification attack is present;
or, a third analysis unit for performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is below a preset response ratio and the failure rate is above a preset failure rate; if so, the DNS amplification attack is present.
Further, the illegal domain name is specifically a domain name composed of a normal domain name and a random string.
Since the embodiments of the system part correspond to the embodiments of the method part, refer to the description of the method embodiments for the system embodiments; they are not repeated here.
The present invention also provides a computer-readable storage medium on which a computer program is stored; when executed, the computer program can carry out the steps provided by the above embodiments. The storage medium may include a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or other media that can store program code.
The present application also provides a DNS amplification attack detection device, which may include a memory and a processor; a computer program is stored in the memory, and when the processor calls the computer program in the memory, the steps provided by the above embodiments can be implemented. The DNS amplification attack detection device may of course also include components such as various network interfaces and a power supply.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. For the system disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points may be found in the description of the method part. It should be pointed out that, for those skilled in the art, several improvements and modifications can also be made to the present application without departing from the principles of the present application, and such improvements and modifications also fall within the scope of protection of the claims of the present application.
It should also be noted that, in this specification, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Claims (10)
1. A method for detecting a DNS amplification attack, characterized by comprising:
determining, according to historical traffic data, a first DNS data packet quantity at a target time and a second DNS data packet quantity at a historical time, wherein the historical time is earlier than the target time by a preset duration;
judging whether the ratio of the first DNS data packet quantity to the second DNS data packet quantity is greater than a preset value;
if so, obtaining, from the historical traffic data, the DNS data packets to be checked within a preset time range of the target time;
performing characteristic analysis on the DNS data packets to be checked and judging, according to the characteristic analysis result, whether a DNS amplification attack exists;
if so, outputting a security event indicating that the DNS amplification attack has been detected.
2. The detection method according to claim 1, characterized in that determining, according to historical traffic data, the first DNS data packet quantity at the target time and the second DNS data packet quantity at the historical time comprises:
generating, according to the historical traffic data, a time series whose statistical indicator is the DNS data packet quantity;
analyzing the time series to determine the first DNS data packet quantity at the target time and the second DNS data packet quantity at the historical time.
3. The detection method according to claim 1, characterized in that performing characteristic analysis on the DNS data packets to be checked and judging, according to the characteristic analysis result, whether a DNS amplification attack exists comprises:
performing domain name characteristic analysis on the DNS data packets to be checked and judging whether an illegal domain name exists among the domain names of the DNS data packets to be checked; if so, the DNS amplification attack exists;
or, performing source IP characteristic analysis on the DNS data packets to be checked and judging whether the source IP address of the DNS data packets to be checked is a preset IP address; if not, the DNS amplification attack exists;
or, analyzing the response ratio and the failure rate of the DNS data packets to be checked and judging whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, the DNS amplification attack exists.
4. The detection method according to claim 3, characterized in that the illegal domain name is specifically a domain name composed of a normal domain name and a random character string.
5. A system for detecting a DNS amplification attack, characterized by comprising:
a quantity determining module, configured to determine, according to historical traffic data, a first DNS data packet quantity at a target time and a second DNS data packet quantity at a historical time, wherein the historical time is earlier than the target time by a preset duration;
an anomaly judgment module, configured to judge whether the ratio of the first DNS data packet quantity to the second DNS data packet quantity is greater than a preset value;
a to-be-checked data acquisition module, configured to obtain, from the historical traffic data, the DNS data packets to be checked within a preset time range of the target time when the ratio is greater than the preset value;
a characteristic analysis module, configured to perform characteristic analysis on the DNS data packets to be checked and to judge, according to the characteristic analysis result, whether a DNS amplification attack exists; if so, to output a security event indicating that the DNS amplification attack has been detected.
6. The detection system according to claim 5, characterized in that the quantity determining module comprises:
a time series generation unit, configured to generate, according to the historical traffic data, a time series whose statistical indicator is the DNS data packet quantity;
a time series analysis module, configured to analyze the time series and to determine the first DNS data packet quantity at the target time and the second DNS data packet quantity at the historical time.
7. The detection system according to claim 5, characterized in that the characteristic analysis module comprises:
a first analysis unit, configured to perform domain name characteristic analysis on the DNS data packets to be checked and to judge whether an illegal domain name exists among the domain names of the DNS data packets; if so, the DNS amplification attack exists;
or, a second analysis unit, configured to perform source IP characteristic analysis on the DNS data packets to be checked and to judge whether the source IP address of the DNS data packets to be checked is a preset IP address; if not, the DNS amplification attack exists;
or, a third analysis unit, configured to analyze the response ratio and the failure rate of the DNS data packets to be checked and to judge whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, the DNS amplification attack exists.
8. The detection system according to claim 7, characterized in that the illegal domain name is specifically a domain name composed of a normal domain name and a random character string.
9. A device for detecting a DNS amplification attack, characterized by comprising:
a memory, configured to store a computer program;
a processor, configured to carry out, when executing the computer program, the steps of the method for detecting a DNS amplification attack according to any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for detecting a DNS amplification attack according to any one of claims 1 to 4 are realized.
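The two-stage pipeline that the characteristic analysis module 400 of the description and claims 1 to 4 lay out, as an added Python example; it is not code from the patent or its applicant. Stage 1 builds a packet-count time series and gates on the ratio between the target time and the historical time; stage 2 runs the three characteristic analyses of claim 3 over the packets inside the preset time range. The record layout, the thresholds, the entropy heuristic used for the "normal domain name plus random string" test of claim 4, the denominator of the failure rate, and the sample traffic are all assumptions constructed for this illustration.

```python
"""Two-stage DNS amplification attack detector after the scheme in the claims.

Added illustration, not the patent's code: record layout, thresholds, the
randomness heuristic and the sample traffic are all constructed here.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class DnsRecord:
    """One DNS query seen by the sensor (constructed layout)."""
    ts: int               # second in which the query arrived
    src_ip: str           # source IP address of the query
    qname: str            # queried domain name
    answered: bool        # a response to this query was observed
    rcode: Optional[int]  # response RCODE (0 = NOERROR, 3 = NXDOMAIN), None if unanswered


def packet_count_series(records: Iterable[DnsRecord]) -> Counter:
    """Claim 2: time series whose statistical indicator is DNS packets per second."""
    return Counter(r.ts for r in records)


def volume_ratio(series: Counter, target_ts: int, preset_duration: int) -> float:
    """Claim 1: first quantity (target time) over second quantity (target minus
    preset duration). A zero historical quantity maps to inf when the target
    quantity is non-zero, else 0.0 (assumption; the claims leave this case open)."""
    first = series.get(target_ts, 0)
    second = series.get(target_ts - preset_duration, 0)
    if second == 0:
        return math.inf if first > 0 else 0.0
    return first / second


def shannon_entropy(text: str) -> float:
    """Bits per character of the symbol distribution in text."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_illegal_domain(qname: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Claim 4, 'normal domain name plus random string'. Heuristic (assumption):
    a long, high-entropy leftmost label in front of a registrable parent domain."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return False
    leftmost = labels[0]
    return len(leftmost) >= min_len and shannon_entropy(leftmost) >= min_entropy


def analyze_characteristics(to_check: List[DnsRecord], preset_ips: FrozenSet[str],
                            preset_response_ratio: float, preset_failure_rate: float) -> List[str]:
    """Claim 3: the three analyses are alternatives, so any one of them suffices."""
    reasons = []
    if any(is_illegal_domain(r.qname) for r in to_check):
        reasons.append("illegal_domain")
    if any(r.src_ip not in preset_ips for r in to_check):
        reasons.append("source_ip_not_preset")
    answered = [r for r in to_check if r.answered]
    response_ratio = len(answered) / len(to_check) if to_check else 0.0
    # failure rate taken over observed responses (assumption about the denominator)
    failures = sum(1 for r in answered if r.rcode not in (None, 0))
    failure_rate = failures / len(answered) if answered else 0.0
    if response_ratio < preset_response_ratio and failure_rate > preset_failure_rate:
        reasons.append("low_response_ratio_high_failure_rate")
    return reasons


def detect(records: List[DnsRecord], target_ts: int, preset_ips: FrozenSet[str],
           preset_duration: int = 60, preset_value: float = 5.0, preset_range: int = 5,
           preset_response_ratio: float = 0.5, preset_failure_rate: float = 0.5) -> Optional[Dict]:
    """Claim 1 end to end: returns the security event, or None when nothing fires."""
    series = packet_count_series(records)
    if volume_ratio(series, target_ts, preset_duration) <= preset_value:
        return None  # no volume anomaly, so the per-packet analysis is skipped
    to_check = [r for r in records if abs(r.ts - target_ts) <= preset_range]
    reasons = analyze_characteristics(to_check, preset_ips, preset_response_ratio, preset_failure_rate)
    if not reasons:
        return None
    return {"event": "dns_amplification_attack_detected", "target_ts": target_ts,
            "packets_checked": len(to_check), "reasons": reasons}


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PRESET_IPS = frozenset({"192.0.2.10"})  # constructed list of expected query sources


def build_sample_records() -> List[DnsRecord]:
    """Constructed traffic: two quiet seconds of lookups from 192.0.2.10, then a
    burst at t=1000 of random-label queries from 203.0.113.7 that mostly go
    unanswered and otherwise return NXDOMAIN."""
    records = []
    for ts in (880, 940):
        records += [DnsRecord(ts, "192.0.2.10", "www.example.com", True, 0) for _ in range(10)]
    for i in range(60):
        label = "".join(ALPHABET[(i * 7 + k * 11) % 36] for k in range(12))  # 12 distinct chars
        answered = i % 3 == 0
        records.append(DnsRecord(1000, "203.0.113.7", f"{label}.example.com", answered, 3 if answered else None))
    return records


if __name__ == "__main__":
    sample = build_sample_records()
    print(detect(sample, target_ts=940, preset_ips=PRESET_IPS))   # None: ratio is 1.0
    print(detect(sample, target_ts=1000, preset_ips=PRESET_IPS))  # event with three reasons
```

The volume gate is deliberately the cheap step: the per-packet analyses only run on the window the ratio flagged, which is what keeps the scheme workable on busy resolvers. The random-label heuristic will also flag legitimate hashed subdomains (CDN or tracking hostnames), so in practice it is the combination with the source-IP and response-ratio checks, not the domain test alone, that an operator should alert on.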
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810913865.5A CN109005181B (en) | 2018-08-10 | 2018-08-10 | Detection method, system and related components for DNS amplification attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810913865.5A CN109005181B (en) | 2018-08-10 | 2018-08-10 | Detection method, system and related components for DNS amplification attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109005181A true CN109005181A (en) | 2018-12-14 |
CN109005181B CN109005181B (en) | 2021-07-02 |
Family
ID=64596420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810913865.5A Active CN109005181B (en) | 2018-08-10 | 2018-08-10 | Detection method, system and related components for DNS amplification attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109005181B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101741847A (en) * | 2009-12-22 | 2010-06-16 | 北京锐安科技有限公司 | Detecting method of DDOS (distributed denial of service) attacks |
US20130227687A1 (en) * | 2012-02-29 | 2013-08-29 | Pantech Co., Ltd. | Mobile terminal to detect network attack and method thereof |
US20160234249A1 (en) * | 2013-05-03 | 2016-08-11 | John Wong | Method and system for mitigation of distributed denial of service (ddos) attacks |
CN106657025A (en) * | 2016-11-29 | 2017-05-10 | 神州网云(北京)信息技术有限公司 | Network attack behavior detection method and device |
CN107124434A (en) * | 2017-07-06 | 2017-09-01 | 中国互联网络信息中心 | A kind of discovery method and system of DNS malicious attacks flow |
CN107135238A (en) * | 2017-07-12 | 2017-09-05 | 中国互联网络信息中心 | A kind of DNS reflection amplification attacks detection method, apparatus and system |
CN107360196A (en) * | 2017-09-08 | 2017-11-17 | 杭州安恒信息技术有限公司 | attack detection method, device and terminal device |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110519290A (en) * | 2019-09-03 | 2019-11-29 | 南京中孚信息技术有限公司 | Anomalous traffic detection method, device and electronic equipment |
CN111756720A (en) * | 2020-06-16 | 2020-10-09 | 深信服科技股份有限公司 | Targeted attack detection method, apparatus thereof and computer-readable storage medium |
CN111756720B (en) * | 2020-06-16 | 2023-03-24 | 深信服科技股份有限公司 | Targeted attack detection method, apparatus thereof and computer-readable storage medium |
WO2024027079A1 (en) * | 2022-08-03 | 2024-02-08 | 中国电信股份有限公司 | Domain-name reflection attack detection method and apparatus, and electronic device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN109005181B (en) | 2021-07-02 |
Similar Documents
Publication | Title |
---|---|
US9836600B2 (en) | Method and apparatus for detecting a multi-stage event |
CN101355463B (en) | Method, system and equipment for judging network attack |
CN107888607A (en) | A kind of Cyberthreat detection method, device and network management device |
KR101070614B1 (en) | Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation |
US7028338B1 (en) | System, computer program, and method of cooperative response to threat to domain security |
US20080229421A1 (en) | Adaptive data collection for root-cause analysis and intrusion detection |
EP3085023B1 (en) | Communications security |
US10180867B2 (en) | System and method for bruteforce intrusion detection |
US20090282482A1 (en) | Active Computer System Defense Technology |
CN109005181A (en) | A kind of detection method, system and the associated component of DNS amplification attack |
CN101572609A (en) | Method and device for detecting and refusing service attack |
US20140250221A1 (en) | Methods, Systems, and Computer Program Products for Detecting Communication Anomalies in a Network Based on Overlap Between Sets of Users Communicating with Entities in the Network |
CN108234486A (en) | A kind of network monitoring method and monitoring server |
US20150026806A1 (en) | Mitigating a Cyber-Security Attack By Changing a Network Address of a System Under Attack |
Bellini et al. | Cyber Resilience in IoT network: Methodology and example of assessment through epidemic spreading approach |
Liu et al. | Real-time diagnosis of network anomaly based on statistical traffic analysis |
CN108712365B (en) | DDoS attack event detection method and system based on flow log |
CN113472789B (en) | Attack detection method, attack detection system, storage medium and electronic device |
EP2747345B1 (en) | Ips detection processing method, network security device and system |
CN112217777A (en) | Attack backtracking method and equipment |
Li et al. | A lightweight DDoS flooding attack detection algorithm based on synchronous long flows |
CN111526109A (en) | Method and device for automatically detecting running state of web threat recognition defense system |
CN114205169A (en) | Network security defense method, device and system |
Chen et al. | An Internet-worm early warning system |
CN109255243B (en) | Method, system, device and storage medium for repairing potential threats in terminal |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
GR01 | Patent grant | |