CN109005181A - A kind of detection method, system and the associated component of DNS amplification attack - Google Patents


Info

Publication number: CN109005181A
Authority: CN (China)
Prior art keywords: dns, data packet, dns data, checked, domain name
Legal status: Granted; currently active (status as listed by Google Patents, not a legal conclusion)
Application number: CN201810913865.5A
Other languages: Chinese (zh)
Other versions: CN109005181B (en)
Inventor: 张斌
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201810913865.5A
Publication of CN109005181A
Application granted; publication of CN109005181B

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting malicious traffic by monitoring network traffic; H04L63/14, detecting or protecting against malicious traffic; H04L63/00, network architectures or protocols for network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • H04L63/1458 Denial of Service (under H04L63/1441, countermeasures against malicious traffic; H04L63/14; H04L63/00; H04L; H04; H)
    • H04L61/4511 Name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS] (under H04L61/4505, using standardised directories or directory access protocols; H04L61/45, network directories, name-to-address mapping; H04L61/00, network arrangements, protocols or services for addressing or naming; H04L; H04; H)

Abstract

This application discloses a method for detecting DNS amplification attacks. The method determines, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time; judges whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value; if so, obtains from the historical traffic data the DNS packets to be checked that lie within a preset time range of the target time; performs feature analysis on the DNS packets to be checked and judges from the result whether a DNS amplification attack exists; and if so, outputs a security event indicating that a DNS amplification attack has been detected. The method can accurately detect DNS amplification attacks in different application environments and so reduce the false-positive rate and the false-negative rate. Also disclosed are a detection system for DNS amplification attacks, a computer-readable storage medium and a detection device for DNS amplification attacks, which have the same beneficial effects.

Description

Detection method, system and associated components for DNS amplification attacks
Technical field
The present invention relates to the field of firewall technology, and in particular to a detection method and a detection system for DNS amplification attacks, a computer-readable storage medium, and a detection device for DNS amplification attacks.
Background technique
A DNS (Domain Name System) amplification attack, also called a DNS outbound amplification attack or leverage attack (DNS Amplification Attack), is a type of denial-of-service attack in which a large number of variant packets generate a large volume of spurious traffic aimed at one target. A DNS amplification attack uses forged packets sent to innocent third parties to amplify traffic, with the aim of exhausting the victim's entire bandwidth, which seriously disrupts normal business operation.
In the prior art, security vendors mainly detect this as follows: a threshold is set, and the frequency of outbound packets at a given point in time is checked against it; if the frequency exceeds the threshold, a DNS amplification attack is assumed. However, because different customers and different hosts have different network access patterns, such a threshold is hard to determine, and applying one fixed threshold to all users easily produces false positives and false negatives.
Therefore, how to accurately detect DNS amplification attacks in different application environments, and so reduce the false-positive rate and the false-negative rate, is a technical problem that those skilled in the art currently need to solve.
Summary of the invention
The purpose of this application is to provide a detection method and a detection system for DNS amplification attacks, a computer-readable storage medium, and a detection device for DNS amplification attacks that can accurately detect DNS amplification attacks in different application environments and so reduce the false-positive rate and the false-negative rate.
To solve the above technical problem, this application provides a detection method for DNS amplification attacks, comprising:
determining, from historical traffic data, a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration;
judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value;
if so, obtaining from the historical traffic data the DNS packets to be checked that lie within a preset time range of the target time;
performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack exists; if so, outputting a security event indicating that a DNS amplification attack has been detected.
Optionally, determining from historical traffic data the first DNS packet count at the target time and the second DNS packet count at the historical time comprises:
generating, from the historical traffic data, a time series whose statistical indicator is the DNS packet count;
analyzing the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
Optionally, performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack exists comprises:
performing domain name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets to be checked; if so, a DNS amplification attack exists;
or, performing source IP feature analysis on the DNS packets to be checked and judging whether the source IP addresses of the DNS packets to be checked are preset IP addresses; if not, a DNS amplification attack exists;
or, performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, a DNS amplification attack exists.
Optionally, the illegal domain name is specifically a domain name composed of a normal domain name and a random string.
The present invention also provides a detection system for DNS amplification attacks, comprising:
a count determining module, for determining from historical traffic data a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration;
an anomaly judgment module, for judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value;
a to-be-checked data acquisition module, for obtaining from the historical traffic data, when the ratio is greater than the preset value, the DNS packets to be checked that lie within a preset time range of the target time;
a feature analysis module, for performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack exists; if so, outputting a security event indicating that a DNS amplification attack has been detected.
Optionally, the count determining module comprises:
a time series generation unit, for generating from the historical traffic data a time series whose statistical indicator is the DNS packet count;
a time series analysis module, for analyzing the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
Optionally, the feature analysis module comprises:
a first analysis unit, for performing domain name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets; if so, a DNS amplification attack exists;
or, a second analysis unit, for performing source IP feature analysis on the DNS packets to be checked and judging whether the source IP addresses of the DNS packets to be checked are preset IP addresses; if not, a DNS amplification attack exists;
or, a third analysis unit, for performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, a DNS amplification attack exists.
Optionally, the illegal domain name is specifically a domain name composed of a normal domain name and a random string.
The present invention also provides a computer-readable storage medium storing a computer program which, when executed, implements the steps of the above detection method for DNS amplification attacks.
The present invention also provides a detection device for DNS amplification attacks, comprising a memory and a processor, the memory storing a computer program; when the processor calls the computer program in the memory, it implements the steps of the above detection method for DNS amplification attacks.
The present invention provides a detection method for DNS amplification attacks, comprising: determining from historical traffic data a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration; judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value; if so, obtaining from the historical traffic data the DNS packets to be checked that lie within a preset time range of the target time; performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack exists; and if so, outputting a security event indicating that a DNS amplification attack has been detected.
Since an abnormal increase in the DNS packet count is the characteristic shared by all DNS amplification attacks, the present invention first detects whether the first DNS packet count at the target time is abnormal. Specifically, this application decides whether the DNS packet count has increased abnormally by judging whether the ratio of the first DNS packet count to the second DNS packet count at the historical time is greater than a preset value. The prior art judges whether the DNS packet count has increased abnormally by setting one fixed threshold; but because the DNS packet count varies periodically over time, a single fixed threshold cannot evaluate the DNS packet count in every period, and this is the root cause of the false positives and false negatives of the prior art. For this reason, this application replaces the "threshold" of the prior art with the second DNS packet count at a historical time taken from the historical traffic data, and uses it to evaluate the first packet count at the target time. Because the historical time and the target time are one preset duration apart, the DNS packet counts at the two times should, under normal circumstances, be essentially the same, so the ratio of the first DNS packet count to the second DNS packet count can be used to decide whether the DNS packet count has increased abnormally. Once an anomaly in the DNS packet count has been determined, feature analysis is performed on the DNS packets within a preset time before and after the target time to detect whether a DNS amplification attack exists. This scheme can accurately detect DNS amplification attacks in different application environments and so reduce the false-positive rate and the false-negative rate. This application also provides a detection system for DNS amplification attacks, a computer-readable storage medium and a detection device for DNS amplification attacks, which have the same beneficial effects and are not described again here.
Detailed description of the drawings
To illustrate the embodiments of this application more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of this application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a detection method for DNS amplification attacks provided by an embodiment of this application;
Fig. 2 is a schematic diagram of the fluctuation of the DNS packet count;
Fig. 3 is a schematic structural diagram of a detection system for DNS amplification attacks provided by an embodiment of this application.
Specific embodiments
To make the purposes, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of this application without creative effort fall within the protection scope of this application.
Refer to Fig. 1, which is a flow chart of a detection method for DNS amplification attacks provided by an embodiment of this application.
The specific steps may include:
S101: determining from historical traffic data a first DNS packet count at a target time and a second DNS packet count at a historical time, where the historical time is earlier than the target time by a preset duration;
The purpose of this step is to obtain the DNS packet count at the target time that needs to be examined and the DNS packet count at the historical time that serves as the reference. By default, this step is preceded by an operation that obtains the historical traffic data of the target device. Note that historical traffic data means all traffic data within a certain time span; the target time and the historical time mentioned in this step both lie within the period covered by the historical traffic data.
Refer to Fig. 2, a schematic diagram of the fluctuation of the DNS packet count, in which the horizontal axis is time and the vertical axis is the DNS packet count. Under normal circumstances the DNS packet count varies periodically over time: the counts at corresponding moments of different periods are roughly the same, and the trend of the count within each period is the same. The period is closely tied to the environment in which the method is deployed. For example, if the DNS packet count varies with a period of one week (7 days), then under normal circumstances the count at 12:00 on Wednesday of this week and the count at 12:00 on Wednesday of last week will be almost the same, and the curve of the count over this week will have a shape similar to the curve over last week. In this example, the target time mentioned in this step corresponds to 12:00 on Wednesday of this week, the historical time corresponds to 12:00 on Wednesday of last week, and the historical time is one week earlier than the target time (that one week is the preset duration). The specific value of the preset duration is not limited here; those skilled in the art can flexibly choose 24 hours, one week, one month or another suitable duration according to the actual situation. The preset duration need not be exactly one cycle of the DNS packet count; it may also span several cycles, but detection becomes worse as the duration grows, so the preset duration is preferably one cycle of the DNS packet count.
Note that in this embodiment the second packet count at the historical time is assumed to be normal, that is, to contain no abnormal increase. In a preferred embodiment, this step may first generate from the historical traffic data a time series whose statistical indicator is the DNS packet count, and then analyze the time series to determine the first DNS packet count at the target time and the second DNS packet count at the historical time.
S102: judging whether the ratio of the first DNS packet count to the second DNS packet count is greater than a preset value; if so, proceed to S103; if not, end the process;
The purpose of this step is to judge whether the DNS packet count at the target time has increased abnormally. The first DNS packet count obtained in S101 is the quantity being examined and the second DNS packet count is the reference for evaluating it; the ratio of the first count to the second is calculated, and when the ratio is greater than the preset value the DNS packet count is considered to have increased abnormally. The preset value can be set flexibly according to the deployment environment. Note further that the most basic manifestation of a DNS amplification attack is an abnormal increase in the DNS packet count at a certain moment, and this abnormal increase shows not only as a sudden rise compared with adjacent moments; the key is a sudden rise compared with the historical time that is one preset duration earlier than the target time. Because DNS traffic fluctuates, a sudden rise at the target time relative to adjacent moments alone does not show the abnormal increase that corresponds to a DNS amplification attack; a comparison with the historical time one preset duration earlier is needed. Refer to Fig. 2: the DNS packet count at the target time is far higher than the count at the historical time, so the DNS packet count at the target time in the figure has increased abnormally.
In this step, if the ratio of the first DNS packet count to the second DNS packet count is not greater than the preset value, it can be considered that there is no abnormal increase in the DNS packet count at the target time, and the process can end.
S103: obtaining from the historical traffic data the DNS packets to be checked that lie within a preset time range of the target time;
This step builds on the judgment that the DNS packet count at the target time has increased abnormally. Note that an abnormal increase in the DNS packet count is the characteristic shared by all DNS amplification attacks, but its presence alone does not establish that a DNS amplification attack exists; it only establishes that the target time is suspected of a DNS amplification attack, and feature analysis of the relevant DNS packets is still required.
A DNS amplification attack is not confined to a single moment; the attack behaviour persists over some period of time. Therefore, once S102 has determined that the DNS packet count at the target time has increased abnormally, it can be presumed that a DNS amplification attack is likely within the period near the target time, and this step obtains from the historical traffic data the DNS packets to be checked within a preset time range of the target time. For example, if an abnormal increase in DNS packets is detected at 12:00, the DNS packets in the half hour before and after 12:00 can be analyzed; that is, this step obtains from the historical traffic data the DNS packets between 11:30 and 12:30 for the feature analysis of the next step.
S104: performing feature analysis on the DNS packets to be checked and judging from the feature analysis result whether a DNS amplification attack exists; if so, proceed to S105; if not, end the process;
The purpose of this step is to perform feature analysis on the DNS packets near the moment of the abnormal increase in the DNS packet count, in order to judge specifically whether a DNS amplification attack exists. In a preferred embodiment, multidimensional feature analysis can be used to determine whether a DNS amplification attack exists; the specific method is described in the next embodiment.
S105: outputting a security event indicating that a DNS amplification attack has been detected.
After a DNS amplification attack has been determined to exist, a corresponding security event can be output to alert the relevant personnel or to start the corresponding response plan, so as to minimize losses. The security event here may be a network security event used to indicate that a DNS amplification attack has been detected.
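Steps S101 to S103 as an added example in Python; this code is not from the patent or from Sangfor. It builds the time series of S101 from a packet log (one hourly bucket per count), compares the target-time bucket with the bucket one preset duration earlier as in S102, and, when the ratio is greater than the preset value, selects the packets within the preset time range as in S103. The bucket size, preset duration, ratio threshold, window, the floor applied to an empty historical bucket and the sample traffic are all assumptions; the sample log is constructed, not real traffic.

```python
# Added example (not the patent's own code): steps S101-S103 over a constructed DNS packet log.
# BUCKET, PERIOD, RATIO_THRESHOLD, WINDOW, MIN_BASELINE and the sample traffic are assumptions.
from collections import Counter
from datetime import datetime, timedelta

BUCKET = timedelta(hours=1)       # time-series bucket for the DNS packet count (assumption)
PERIOD = timedelta(days=7)        # preset duration: one cycle of the count pattern (assumption)
RATIO_THRESHOLD = 3.0             # preset value the first/second ratio must exceed (assumption)
WINDOW = timedelta(minutes=30)    # preset time range on each side of the target moment (assumption)
MIN_BASELINE = 1                  # floor for the historical count so the ratio is defined (assumption)

_EPOCH = datetime(1970, 1, 1)


def floor_bucket(ts, bucket=BUCKET):
    """Align a timestamp to the start of its bucket."""
    return _EPOCH + ((ts - _EPOCH) // bucket) * bucket


def build_time_series(packets, bucket=BUCKET):
    """S101 (preferred form): time series whose statistical indicator is the DNS packet count."""
    series = Counter()
    for ts, _src, _qname in packets:
        series[floor_bucket(ts, bucket)] += 1
    return series


def packet_counts(series, target, period=PERIOD):
    """S101: (first, second) = count in the target bucket and in the bucket one period earlier."""
    first = series.get(floor_bucket(target), 0)
    second = series.get(floor_bucket(target - period), 0)
    return first, second


def is_abnormal_increase(first, second, preset=RATIO_THRESHOLD):
    """S102: the historical count replaces a fixed threshold; fire when first/second > preset."""
    return first / max(second, MIN_BASELINE) > preset


def packets_to_check(packets, target, window=WINDOW):
    """S103: packets inside [target - window, target + window) go on to feature analysis."""
    return [p for p in packets if target - window <= p[0] < target + window]


def run_detection(packets, target):
    """S101-S103 in sequence; when S102 does not fire the process ends with no candidates."""
    series = build_time_series(packets)
    first, second = packet_counts(series, target)
    abnormal = is_abnormal_increase(first, second)
    candidates = packets_to_check(packets, target) if abnormal else []
    return {"first": first, "second": second, "abnormal": abnormal,
            "candidates": len(candidates)}


def constructed_log():
    """Constructed sample (not real traffic): eight days of a daily day/night pattern
    (20 packets per daytime hour, 5 per night hour) with a tenfold spike in the 12:00
    hour of the last day."""
    start = datetime(2024, 1, 1)
    packets = []
    for day in range(8):
        for hour in range(24):
            base = 20 if 8 <= hour < 20 else 5
            count = base * 10 if (day == 7 and hour == 12) else base
            for i in range(count):
                ts = start + timedelta(days=day, hours=hour, minutes=i * 60 // count)
                packets.append((ts, "10.0.0.%d" % (i % 20 + 1), "www.example.com"))
    return packets


TARGET_ATTACK = datetime(2024, 1, 8, 12, 30)   # inside the spike
TARGET_NORMAL = datetime(2024, 1, 8, 9, 30)    # an ordinary daytime hour

if __name__ == "__main__":
    for target in (TARGET_ATTACK, TARGET_NORMAL):
        print(target, run_detection(constructed_log(), target))
```

Run stand-alone it prints the decision for both targets. The target inside the spike compares 200 packets with the 20 seen in the same hour one week earlier (ratio 10, above the preset 3) and hands 200 packets to feature analysis; the ordinary target compares 20 with 20 and ends the process. The same-hour-last-period reference is what makes this robust to the normal day/night swing in the sample, which already moves the hourly count fourfold and would trip a single fixed threshold.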
Since an abnormal increase in the DNS packet count is the characteristic shared by all DNS amplification attacks, the present invention first detects whether the first DNS packet count at the target time is abnormal. Specifically, this embodiment decides whether the DNS packet count has increased abnormally by judging whether the ratio of the first DNS packet count to the second DNS packet count at the historical time is greater than a preset value. The prior art judges whether the DNS packet count has increased abnormally by setting one fixed threshold; but because the DNS packet count varies periodically over time, a single fixed threshold cannot evaluate the DNS packet count in every period, and this is the root cause of the false positives and false negatives of the prior art. For this reason, this embodiment replaces the "threshold" of the prior art with the second DNS packet count at a historical time taken from the historical traffic data, and uses it to evaluate the first packet count at the target time. Because the historical time and the target time are one preset duration apart, the DNS packet counts at the two times should, under normal circumstances, be essentially the same, so the ratio of the first DNS packet count to the second DNS packet count can be used to decide whether the DNS packet count has increased abnormally. Once an anomaly in the DNS packet count has been determined, feature analysis is performed on the DNS packets within a preset time before and after the target time to detect whether a DNS amplification attack exists. This embodiment can accurately detect DNS amplification attacks in different application environments and so reduce the false-positive rate and the false-negative rate.
In a preferred embodiment, the following example explains S104 of the above embodiment in more detail.
The ways of performing multidimensional feature analysis include, but are not limited to, the following:
The specific steps may include:
Mode one: performing domain name feature analysis on the DNS packets to be checked and judging whether an illegal domain name is present among the domain names of the DNS packets to be checked; if so, the DNS amplification attack exists;
This mode is domain name feature analysis. To send a large number of DNS requests, much malware prepends a random string to a normal domain name; the illegal domain name is therefore specifically a domain name composed of a normal domain name and a random string.
Mode two: performing source IP feature analysis on the DNS packets to be checked and judging whether the source IP addresses of the DNS packets to be checked are preset IP addresses; if not, the DNS amplification attack exists;
This mode is source IP feature analysis. If the source IP is not a client IP address, the traffic is very likely an attack actively launched by malware: the malware sends a large number of DNS requests with the IP address of the attacked party as the source IP, and after resolution the responses are all returned to the attacked server, which is thereby hit.
Mode three: performing response-ratio and failure-rate analysis on the DNS packets to be checked and judging whether the response ratio is less than the preset response ratio and the failure rate is greater than the preset failure rate; if so, the DNS amplification attack exists.
In a normal network environment the proportion of successful to failed resolutions should be relatively stable. This mode can be divided into two steps: first, whether there is a large number of DNS request packets that received no response packet; if so, an outbound attack may be under way, and it is then judged whether there is a large number of DNS requests whose resolution failed; if so, a DNS amplification attack exists.
The above are three detection modes that analyze features according to the means by which attackers carry out DNS amplification attacks. Note that as long as any one of the three modes detects a DNS amplification attack, it can be determined that a DNS amplification attack exists within the preset time range of the target time. The three modes may also be combined, for example: when mode one cannot determine that a DNS amplification attack exists, proceed to mode two; when mode two cannot determine that a DNS amplification attack exists, proceed to mode three. That is, the three modes may form a logical sequence, judged one by one until a DNS amplification attack is detected; the specific order of judgment is not limited. After a DNS amplification attack is detected, the relevant steps that follow detection can be executed.
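The three modes of S104, tried in sequence as the paragraph above allows, as an added example in Python; this code is not from the patent or from Sangfor. The set of normal domains, the preset client IP addresses, the preset response ratio and failure rate, the number of hits a mode needs before it fires, and the character-entropy heuristic used to decide that a leading label is a "random string" are all assumptions, as are the constructed packet records (one dict per query or response, with the DNS RCODE on responses).

```python
# Added example (not the patent's own code): the three S104 feature-analysis modes over
# constructed packet records. NORMAL_DOMAINS, CLIENT_IPS, the thresholds, MIN_HITS and the
# entropy heuristic for "random string" are assumptions.
import math
from collections import Counter

NORMAL_DOMAINS = {"example.com", "example.net"}    # domains seen in normal traffic (assumption)
CLIENT_IPS = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}  # preset client IP addresses (assumption)
MIN_RESPONSE_RATIO = 0.8      # preset response ratio (assumption)
MAX_FAILURE_RATE = 0.5        # preset failure rate (assumption)
RANDOM_LABEL_MIN_LEN = 8      # shorter leading labels are never treated as random (assumption)
RANDOM_LABEL_ENTROPY = 3.0    # bits/char at or above which a label counts as random (assumption)
MIN_HITS = 3                  # packets a mode must flag before it fires (assumption)


def shannon_entropy(text):
    """Bits per character of a label; random strings score high, ordinary words low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_illegal_domain(qname, normal_domains=NORMAL_DOMAINS):
    """Mode one: a normal domain with a random-looking string prepended."""
    name = qname.rstrip(".").lower()
    for base in normal_domains:
        if name.endswith("." + base):
            label = name[: -len(base) - 1].split(".")[0]
            return (len(label) >= RANDOM_LABEL_MIN_LEN
                    and shannon_entropy(label) >= RANDOM_LABEL_ENTROPY)
    return False


def is_foreign_source(src_ip, client_ips=CLIENT_IPS):
    """Mode two: the source address is not one of the preset client addresses."""
    return src_ip not in client_ips


def response_stats(packets):
    """Mode three inputs: (response ratio, failure rate) over the packets to check."""
    queries = sum(1 for p in packets if p["kind"] == "query")
    responses = [p for p in packets if p["kind"] == "response"]
    failures = sum(1 for p in responses if p["rcode"] != 0)
    response_ratio = len(responses) / queries if queries else 1.0
    failure_rate = failures / len(responses) if responses else 0.0
    return response_ratio, failure_rate


def is_response_anomaly(packets):
    """Mode three: too few responses and, among those received, too many failures."""
    ratio, failure = response_stats(packets)
    return ratio < MIN_RESPONSE_RATIO and failure > MAX_FAILURE_RATE


def analyze_features(packets):
    """S104: try the modes in order and return the first that fires, else None."""
    queries = [p for p in packets if p["kind"] == "query"]
    if sum(is_illegal_domain(p["qname"]) for p in queries) >= MIN_HITS:
        return "mode_one_illegal_domain"
    if sum(is_foreign_source(p["src_ip"]) for p in queries) >= MIN_HITS:
        return "mode_two_foreign_source"
    if is_response_anomaly(packets):
        return "mode_three_response_failure"
    return None


def _rec(src_ip, qname, kind, rcode=None):
    return {"src_ip": src_ip, "qname": qname, "kind": kind, "rcode": rcode}


def constructed_benign():
    """Constructed sample: ordinary client lookups, every query answered, one NXDOMAIN (rcode 3)."""
    pk = []
    for _ in range(10):
        pk += [_rec("10.0.0.5", "www.example.com", "query"),
               _rec("10.0.0.5", "www.example.com", "response", 0)]
    pk += [_rec("10.0.0.6", "downloads.example.com", "query"),
           _rec("10.0.0.6", "downloads.example.com", "response", 3)]
    return pk


def constructed_random_labels():
    """Constructed sample: benign traffic plus queries with a random string before a normal domain."""
    return constructed_benign() + [
        _rec("10.0.0.7", "k3j9x2q8z%d.example.com" % i, "query") for i in range(5)]


def constructed_foreign_source():
    """Constructed sample: benign traffic plus queries from an address outside the client set."""
    return constructed_benign() + [
        _rec("203.0.113.9", "www.example.com", "query") for _ in range(20)]


def constructed_unanswered():
    """Constructed sample: 40 queries, only 10 responses, all SERVFAIL (rcode 2)."""
    return ([_rec("10.0.0.5", "www.example.net", "query") for _ in range(40)]
            + [_rec("10.0.0.5", "www.example.net", "response", 2) for _ in range(10)])


if __name__ == "__main__":
    for sample in (constructed_benign, constructed_random_labels,
                   constructed_foreign_source, constructed_unanswered):
        print(sample.__name__, analyze_features(sample()))
```

The benign sample passes all three modes: "www" is too short to be judged random, "downloads" is long enough but scores about 2.7 bits per character and stays below the random threshold, every source is a known client, and 11 of 11 queries were answered. Each attack sample fires exactly one mode. The MIN_HITS floor is a defender's safeguard the patent does not mention: a single odd-looking hostname or one stray source address is common in real traffic, and an alert should rest on a pattern rather than a lone packet.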
Fig. 3 is referred to, Fig. 3 shows for a kind of structure of the detection system of DNS amplification attack provided by the embodiment of the present application It is intended to;
The system may include:
Quantity determining module 100, for determined according to historical traffic data object time the first DNS data packet quantity and The second DNS data packet quantity of historical juncture;Wherein, the historical juncture is earlier than the object time preset duration;
Abnormal judgment module 200, for judging the first DNS data packet quantity and the second DNS data packet quantity Ratio whether be greater than preset value;
Data acquisition module 300 to be checked is used for when the ratio is greater than the preset value, from the historical traffic data To be checked DNS data packet of the middle acquisition in the object time preset time range;
Characteristics analysis module 400, for carrying out signature analysis to the DNS data packet to be checked and according to signature analysis result Judge whether there is DNS amplification attack;If so, output detects the security incident of the DNS amplification attack.
Further, quantity determining module 100 includes:
Time series generation unit, for being generated according to historical traffic data using DNS data packet quantity as statistical indicator Time series;
Time series analysis module determines the first DNS number of the object time for analyzing the time series According to the second DNS data packet quantity of packet quantity and the historical juncture;
Further, the feature analysis module 400 includes:
a first analysis unit, configured to perform domain name feature analysis on the DNS data packets to be checked and judge whether an illegal domain name exists among the domain names of the DNS data packets; if so, the DNS amplification attack exists;
or, a second analysis unit, configured to perform source IP feature analysis on the DNS data packets to be checked and judge whether the source IP address of the DNS data packets to be checked is a preset IP address; if not, the DNS amplification attack exists;
or, a third analysis unit, configured to analyze the response ratio and the failure rate of the DNS data packets to be checked and judge whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, the DNS amplification attack exists.
Further, the illegal domain name is specifically a domain name composed of a normal domain name and a random string.
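The detection flow summarised above (the packet-quantity ratio gate, followed by the domain name, source IP and response/failure analyses applied one after another) as an added Python example. This is not code from the patent or from Sangfor; it runs on constructed DNS query records, and the thresholds, the time window, the trusted-resolver IP list, the random-label heuristic and the definition of failure rate as the failed share of observed responses are all assumptions made for the example.

```python
# Added example (not the patent's own code): a reference implementation of the
# detection flow over constructed DNS query records.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class DnsRecord:
    ts: int           # second in which the query packet was seen
    src_ip: str       # source IP address of the query
    qname: str        # queried domain name
    answered: bool    # a response was observed for this query
    failed: bool      # the observed response was a failure (e.g. SERVFAIL/NXDOMAIN)


# All thresholds below are constructed assumptions for this example, not values from the patent.
RATIO_THRESHOLD = 3.0        # "preset value" for first/second packet quantity
PRESET_DURATION = 60         # seconds between the target moment and the historical moment
TIME_WINDOW = 5              # +/- seconds: the "preset time range" around the target moment
PRESET_IPS = {"10.0.0.53"}   # "preset IP addresses": hosts expected to send queries
RESPONSE_RATIO_MIN = 0.5     # "preset response ratio"
FAILURE_RATE_MAX = 0.5       # "preset failure rate"
RANDOM_LABEL_MIN_LEN = 12    # random-string heuristic (assumption)


def build_time_series(records: Iterable[DnsRecord]) -> Counter:
    """Time series with the DNS data packet quantity per second as the statistical indicator."""
    return Counter(r.ts for r in records)


def quantity_ratio(series: Counter, target_ts: int, preset_duration: int = PRESET_DURATION) -> float:
    """Ratio of the first (target moment) to the second (historical moment) packet quantity."""
    first = series.get(target_ts, 0)
    second = series.get(target_ts - preset_duration, 0)
    if second == 0:
        return float("inf") if first > 0 else 0.0
    return first / second


def packets_to_check(records: Iterable[DnsRecord], target_ts: int, window: int = TIME_WINDOW) -> List[DnsRecord]:
    return [r for r in records if abs(r.ts - target_ts) <= window]


def looks_random(label: str) -> bool:
    """Heuristic for a random-string label: long and almost vowel-free (assumption)."""
    if len(label) < RANDOM_LABEL_MIN_LEN:
        return False
    vowels = sum(c in "aeiou" for c in label.lower())
    return vowels / len(label) < 0.25


def is_illegal_domain(qname: str, base_domains: Iterable[str]) -> bool:
    """Illegal domain as the patent defines it: a normal domain name prefixed with a random string."""
    labels = qname.rstrip(".").lower().split(".")
    for base in base_domains:
        base_labels = base.lower().split(".")
        n = len(base_labels)
        if len(labels) > n and labels[-n:] == base_labels:
            if any(looks_random(lbl) for lbl in labels[:-n]):
                return True
    return False


def domain_feature_attack(pkts: List[DnsRecord], base_domains: Iterable[str]) -> bool:
    return any(is_illegal_domain(p.qname, base_domains) for p in pkts)


def source_ip_feature_attack(pkts: List[DnsRecord], preset_ips=PRESET_IPS) -> bool:
    # A query whose source IP is not a preset address is treated as carrying a spoofed victim address.
    return any(p.src_ip not in preset_ips for p in pkts)


def response_feature_attack(pkts: List[DnsRecord]) -> bool:
    if not pkts:
        return False
    responses = sum(p.answered for p in pkts)
    failures = sum(p.failed for p in pkts if p.answered)
    response_ratio = responses / len(pkts)                      # responses per query
    failure_rate = failures / responses if responses else 0.0   # failed share of responses (assumption)
    return response_ratio < RESPONSE_RATIO_MIN and failure_rate > FAILURE_RATE_MAX


def detect(records: List[DnsRecord], target_ts: int, base_domains: Iterable[str],
           preset_ips=PRESET_IPS) -> Tuple[bool, str]:
    """Full flow: quantity-ratio gate, then the three feature analyses applied in sequence."""
    if quantity_ratio(build_time_series(records), target_ts) <= RATIO_THRESHOLD:
        return False, "ratio-normal"
    pkts = packets_to_check(records, target_ts)
    checks = (
        ("domain", lambda: domain_feature_attack(pkts, base_domains)),
        ("source-ip", lambda: source_ip_feature_attack(pkts, preset_ips)),
        ("response", lambda: response_feature_attack(pkts)),
    )
    for name, check in checks:   # the order is a choice here; the patent leaves it open
        if check():
            return True, name
    return False, "no-feature-match"


BASE_DOMAINS = ["example.com"]


def _q(ts, src, name, answered=True, failed=False):
    return DnsRecord(ts, src, name, answered, failed)


# Constructed samples: two queries at the historical moment (t=40) and two at the target moment (t=100).
SAMPLE_NORMAL = [_q(40, "10.0.0.53", "www.example.com"), _q(40, "10.0.0.53", "mail.example.com"),
                 _q(100, "10.0.0.53", "www.example.com"), _q(100, "10.0.0.53", "api.example.com")]
# Burst of random-subdomain queries from an address outside the preset list (constructed).
SAMPLE_ATTACK = SAMPLE_NORMAL + [
    _q(100, "203.0.113.7", f"ktjq8zx0wmdb{i}.example.com", answered=False) for i in range(10)]
# Burst of well-formed queries from a preset address that mostly go unanswered or fail (constructed).
SAMPLE_RESPONSE_ATTACK = SAMPLE_NORMAL + [
    _q(100, "10.0.0.53", "www.example.com", answered=(i < 3), failed=(i < 3)) for i in range(12)]

if __name__ == "__main__":
    for label, sample in (("normal", SAMPLE_NORMAL), ("attack", SAMPLE_ATTACK),
                          ("response", SAMPLE_RESPONSE_ATTACK)):
        print(label, detect(sample, 100, BASE_DOMAINS))
```

`detect` returns which analysis fired so that the emitted security event can carry the reason, which is what an analyst needs when tuning the preset values: the ratio gate alone only says that query volume jumped, and the three feature checks are what distinguish an amplification burst from a legitimate spike.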
Since the embodiments of the system part correspond to the embodiments of the method part, for the system embodiments please refer to the description of the method embodiments, which is not repeated here.
The present application further provides a computer readable storage medium having a computer program stored thereon; when executed, the computer program can implement the steps provided in the above embodiments. The storage medium may include: a USB flash disk, a mobile hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The present application further provides a DNS amplification attack detection device, which may include a memory and a processor; a computer program is stored in the memory, and when the processor calls the computer program in the memory, the steps provided in the above embodiments can be implemented. Of course, the DNS amplification attack detection device may further include various network interfaces, a power supply and other components.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. For the system disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple, and the relevant parts refer to the description of the method part. It should be pointed out that those skilled in the art can also make several improvements and modifications to the present application without departing from the principles of the present application, and these improvements and modifications also fall within the protection scope of the claims of the present application.
It should also be noted that, in this specification, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.

Claims (10)

1. A detection method for DNS amplification attacks, characterized by comprising:
determining, according to historical traffic data, a first DNS data packet quantity at a target moment and a second DNS data packet quantity at a historical moment; wherein the historical moment is a preset duration earlier than the target moment;
judging whether the ratio of the first DNS data packet quantity to the second DNS data packet quantity is greater than a preset value;
if so, acquiring, from the historical traffic data, the DNS data packets to be checked within a preset time range around the target moment;
performing feature analysis on the DNS data packets to be checked and judging, according to the feature analysis result, whether a DNS amplification attack exists; if so, outputting a security event indicating that the DNS amplification attack has been detected.
2. The detection method according to claim 1, characterized in that determining, according to historical traffic data, the first DNS data packet quantity at the target moment and the second DNS data packet quantity at the historical moment comprises:
generating, according to the historical traffic data, a time series that uses the DNS data packet quantity as its statistical indicator;
analyzing the time series to determine the first DNS data packet quantity at the target moment and the second DNS data packet quantity at the historical moment.
3. The detection method according to claim 1, characterized in that performing feature analysis on the DNS data packets to be checked and judging, according to the feature analysis result, whether a DNS amplification attack exists comprises:
performing domain name feature analysis on the DNS data packets to be checked and judging whether an illegal domain name exists among the domain names of the DNS data packets to be checked; if so, the DNS amplification attack exists;
or, performing source IP feature analysis on the DNS data packets to be checked and judging whether the source IP address of the DNS data packets to be checked is a preset IP address; if not, the DNS amplification attack exists;
or, analyzing the response ratio and the failure rate of the DNS data packets to be checked and judging whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, the DNS amplification attack exists.
4. The detection method according to claim 3, characterized in that the illegal domain name is specifically a domain name composed of a normal domain name and a random string.
5. A detection system for DNS amplification attacks, characterized by comprising:
a quantity determining module, configured to determine, according to historical traffic data, a first DNS data packet quantity at a target moment and a second DNS data packet quantity at a historical moment; wherein the historical moment is a preset duration earlier than the target moment;
an abnormality judging module, configured to judge whether the ratio of the first DNS data packet quantity to the second DNS data packet quantity is greater than a preset value;
a to-be-checked data acquisition module, configured to acquire, when the ratio is greater than the preset value, the DNS data packets to be checked within a preset time range around the target moment from the historical traffic data;
a feature analysis module, configured to perform feature analysis on the DNS data packets to be checked and judge, according to the feature analysis result, whether a DNS amplification attack exists; if so, to output a security event indicating that the DNS amplification attack has been detected.
6. The detection system according to claim 5, characterized in that the quantity determining module comprises:
a time series generation unit, configured to generate, according to the historical traffic data, a time series that uses the DNS data packet quantity as its statistical indicator;
a time series analysis module, configured to analyze the time series and determine the first DNS data packet quantity at the target moment and the second DNS data packet quantity at the historical moment.
7. The detection system according to claim 5, characterized in that the feature analysis module comprises:
a first analysis unit, configured to perform domain name feature analysis on the DNS data packets to be checked and judge whether an illegal domain name exists among the domain names of the DNS data packets; if so, the DNS amplification attack exists;
or, a second analysis unit, configured to perform source IP feature analysis on the DNS data packets to be checked and judge whether the source IP address of the DNS data packets to be checked is a preset IP address; if not, the DNS amplification attack exists;
or, a third analysis unit, configured to analyze the response ratio and the failure rate of the DNS data packets to be checked and judge whether the response ratio is less than a preset response ratio and the failure rate is greater than a preset failure rate; if so, the DNS amplification attack exists.
8. The detection system according to claim 7, characterized in that the illegal domain name is specifically a domain name composed of a normal domain name and a random string.
9. A detection device for DNS amplification attacks, characterized by comprising:
a memory, configured to store a computer program;
a processor, configured to execute the computer program so as to perform the steps of the DNS amplification attack detection method according to any one of claims 1 to 4.
10. A computer readable storage medium, characterized in that a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the DNS amplification attack detection method according to any one of claims 1 to 4 are implemented.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810913865.5A CN109005181B (en) 2018-08-10 2018-08-10 Detection method, system and related components for DNS amplification attack

Publications (2)

Publication Number Publication Date
CN109005181A true CN109005181A (en) 2018-12-14
CN109005181B CN109005181B (en) 2021-07-02

Family

ID=64596420

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810913865.5A Active CN109005181B (en) 2018-08-10 2018-08-10 Detection method, system and related components for DNS amplification attack

Country Status (1)

Country Link
CN (1) CN109005181B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
US20130227687A1 (en) * 2012-02-29 2013-08-29 Pantech Co., Ltd. Mobile terminal to detect network attack and method thereof
US20160234249A1 (en) * 2013-05-03 2016-08-11 John Wong Method and system for mitigation of distributed denial of service (ddos) attacks
CN106657025A (en) * 2016-11-29 2017-05-10 神州网云(北京)信息技术有限公司 Network attack behavior detection method and device
CN107124434A (en) * 2017-07-06 2017-09-01 中国互联网络信息中心 A kind of discovery method and system of DNS malicious attacks flow
CN107135238A (en) * 2017-07-12 2017-09-05 中国互联网络信息中心 A kind of DNS reflection amplification attacks detection method, apparatus and system
CN107360196A (en) * 2017-09-08 2017-11-17 杭州安恒信息技术有限公司 attack detection method, device and terminal device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519290A (en) * 2019-09-03 2019-11-29 南京中孚信息技术有限公司 Anomalous traffic detection method, device and electronic equipment
CN111756720A (en) * 2020-06-16 2020-10-09 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium
CN111756720B (en) * 2020-06-16 2023-03-24 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium
WO2024027079A1 (en) * 2022-08-03 2024-02-08 中国电信股份有限公司 Domain-name reflection attack detection method and apparatus, and electronic device and storage medium

Also Published As

Publication number Publication date
CN109005181B (en) 2021-07-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant