CN110401644A - A kind of attack guarding method and device - Google Patents

Info

Publication number: CN110401644A
Authority: CN (China)
Prior art keywords: response message, domain name, dns, fails, match
Legal status: Pending
Application number: CN201910629348.XA
Other languages: Chinese (zh)
Inventor: 邢涛
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd
Priority to: CN201910629348.XA
Publication of: CN110401644A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic


Abstract

The application provides an attack guarding method and device. The method comprises: forwarding a domain name query request sent by a terminal, wherein the domain name query request includes a source port number and a first DNS ID; judging whether a second DNS ID in a received first response message is consistent with the first DNS ID, and whether the destination port number in the first response message is consistent with the source port number; if not, discarding the first response message and incrementing a match-failure count corresponding to the domain name query request; and, when the match-failure count reaches a preset threshold, detecting subsequently received response messages according to the source port number, the first DNS ID and the IP address answer information in the first response message. The technical solution of the application addresses the problem in the related art that attack messages cannot be fully and effectively intercepted, and helps to improve attack protection efficiency.

Description

A kind of attack guarding method and device
Technical field
This application relates to the field of network technology, and in particular to an attack guarding method and device.
Background technique
The Domain Name System (DNS) is a distributed database that maps domain names to IP addresses, so that users can conveniently access the Internet without having to remember cumbersome numeric IP strings. In the distributed design of DNS servers, the root servers delegate top-level domains such as com, net, org, edu and gov to other DNS servers, the delegated DNS servers in turn delegate second-level domains to further DNS servers, and so on downwards. Therefore, when a DNS server receives a query request for information that is not held locally, it must query the authoritative server that holds the host information.
While a DNS server performs a domain name query, it matches received response messages on five-tuple information, stores the domain name query message whose response passed the information match in the DNS cache (DNSCache), and discards response messages that arrive afterwards. Attackers therefore often exploit the moment at which the DNS server updates its cache: by sending forged DNS response messages they pollute the DNS cache and replace the original correct IP address information with false IP address information, so that when the DNS server receives a domain name query request from a terminal it returns the wrong IP address answer information and misdirects the terminal, seriously threatening the user's personal information and property.
Summary of the invention
In view of this, the application provides an attack guarding method and device to solve the problem in the related art that attack messages cannot be fully and effectively intercepted.
To achieve the above object, the application provides the following technical solution:
According to a first aspect of the application, an attack guarding method is proposed, applied to a safeguard device, the method comprising:
forwarding a domain name query request sent by a terminal, wherein the domain name query request includes a source port number and a first DNS ID;
judging whether a second DNS ID in a received first response message is consistent with the first DNS ID, and whether the destination port number in the first response message is consistent with the source port number; if not, discarding the first response message and incrementing the match-failure count corresponding to the domain name query request;
when the match-failure count reaches a preset threshold, detecting received response messages according to the source port number, the first DNS ID and the IP address answer information in the first response message.
According to a second aspect of the application, an attack guarding device is proposed, applied to a safeguard device, the device comprising:
a transmission unit, which forwards the domain name query request sent by the terminal, wherein the domain name query request includes a source port number and a first DNS ID;
a statistics unit, which judges whether the second DNS ID in the received first response message is consistent with the first DNS ID, and whether the destination port number in the first response message is consistent with the source port number; if not, it discards the first response message and increments the match-failure count corresponding to the domain name query request;
a first detection unit, which, when the match-failure count reaches the preset threshold, detects received response messages according to the source port number, the first DNS ID and the IP address answer information in the first response message.
It can be seen from the above technical solution that, for received response messages related to a domain name query request, the safeguard device can count the response messages whose DNS ID and destination port number fail to match, and, once the match-failure count reaches the statistical threshold, detect the reply content of subsequently received response messages: the source port number, DNS ID and IP address answer information corresponding to the response messages whose match-failure count reached the threshold are compared with the destination port number, DNS ID and IP address answer information contained in subsequently received response messages, and the response messages filtered out as containing the same IP address answer information are determined to be false response messages sent by the attacker, thereby improving the accuracy of identifying disguised response messages.
Detailed description of the invention
Fig. 1 is an application scenario diagram of the attack guarding method according to an exemplary embodiment of the application;
Fig. 2 is a flow chart of an attack guarding method provided according to an exemplary embodiment of the application;
Fig. 3 is a flow chart of another attack guarding method provided according to an exemplary embodiment of the application;
Fig. 4 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the application;
Fig. 5 is a block diagram of an attack guarding device according to an exemplary embodiment of the application.
Specific embodiment
Exemplary embodiments are described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; rather, they are only examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is only for the purpose of describing particular embodiments and is not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
In the distributed design of DNS servers, the root servers delegate top-level domains such as com, net, org, edu and gov to other DNS servers, the delegated DNS servers in turn delegate second-level domains to further DNS servers, and so on downwards. This distributed design means that a DNS server resolves a query by means of recursive querying and needs to query the authoritative servers above it. Note that the technical solution of the application can be applied to DNS servers other than the root authoritative server and the like, such as forwarding servers and the local DNS server serving a terminal. The domain name query process is illustrated below with reference to Fig. 1, which is an application scenario diagram of the attack guarding method according to an exemplary embodiment of the application. As shown in Fig. 1, the application scenario may include a terminal 101, a safeguard device 102, a local DNS server 103 that provides domain name resolution information for the terminal, a root authoritative server 104, a top-level authoritative server 105, a second-level authoritative server 106 and a third-level authoritative server 107.
The safeguard device 102 may be set between the terminal 101 and the local DNS server 103. Communication may be realised over a network connection between the terminal 101 and the safeguard device 102, between the safeguard device 102 and the local DNS server 103, and between the local DNS server 103 and each of the root authoritative server 104, the top-level authoritative server 105, the second-level authoritative server 106 and the third-level authoritative server 107. The network may include wired or wireless communication means; for example, it may include a local area network ("LAN"), a wide area network ("WAN"), an intranet, the Internet, a mobile telephone network, a virtual private network (VPN), a cellular or other mobile communication network, Bluetooth, NFC, or any combination thereof.
The terminal 101 may send a domain name resolution request to the local DNS server 103. In the actual transmission, the domain name resolution request is forwarded to the local DNS server 103 via the safeguard device 102. After receiving the domain name resolution request forwarded by the safeguard device, the local DNS server 103 may look up the requested domain name information in its local DNS cache and send a response message to the safeguard device 102 based on the resolution information found in the cache, and the safeguard device 102 returns the response message corresponding to the received domain name resolution request to the terminal 101.
If the resolution information corresponding to the domain name resolution request is not found in the DNS cache, the local DNS server 103 may send a domain name request message to an authoritative server and continue the recursive query based on the domain name query server address returned by the authoritative server, until the IP address corresponding to the domain name information is obtained.
Taking the domain name www.***.com as an example in the application scenario of Fig. 1: if the local DNS server 103 receives a domain name resolution request about www.***.com sent by the terminal 101 and does not find the corresponding resolution information in its local cache, it sends a DNS request message to the root authoritative server 104 to query the com domain. The root authoritative server 104 returns to the local DNS server 103 a response message containing the IP address of the top-level authoritative server 105 responsible for the top-level domain com, and the local DNS server 103 sends a DNS request message about the second-level domain ***.com to the IP address of the top-level authoritative server 105 contained in that response. Similarly, the local DNS server 103 receives a response message containing the IP address of the second-level authoritative server 106 responsible for ***.com, sends a DNS request message for the third-level domain www.***.com to the IP address of the second-level authoritative server 106, and receives from it a response message containing the IP address of the third-level authoritative server 107. Finally, after the local DNS server 103 sends a DNS request message about www.***.com to the IP address of the third-level authoritative server 107, it receives a response message containing the IP address corresponding to www.***.com. The local DNS server 103 then returns the received IP address information to the safeguard device 102, which returns the response message to the terminal 101, completing the response to the terminal's domain name resolution request.
However, an attacker exploits the waiting period after the local DNS server 103 has sent a DNS request message about domain name information and is awaiting the response: the attacker forges a large number of response messages in an attempt to reach the local DNS server before the genuine response message does. When a forged response message received by the local DNS server 103 passes the five-tuple information match, the local DNS server 103 refuses subsequent response messages based on the same five-tuple information, so it can no longer accept the correct response message. At this point the attacker has successfully polluted the cache (DNS Cache) of the local DNS server, achieving the goal of replacing the true IP address information with the IP address information in the forged false response message. The local DNS server constructs the response message corresponding to the domain name resolution request and returns it to the terminal 101 through the safeguard device 102, so that the substituted false IP address information is fed back to the terminal 101 and the terminal user is then connected to the web page corresponding to the false IP address, seriously threatening the user's personal information and property.
In addition, the safeguard device 102 may also be set between the local DNS server and the authoritative servers, so that the safeguard device 102 can likewise apply the attack guarding method proposed by the application to the response messages returned by the authoritative servers. Specifically, a safeguard device may be set between the local DNS server 103 and each of the root authoritative server 104, the top-level authoritative server 105, the second-level authoritative server 106 and the third-level authoritative server 107; alternatively only one safeguard device 102 may be set, as shown in Fig. 1, or two safeguard devices may be set according to the load capacity of the safeguard device 102. The application places no restriction on the specific positions or number of safeguard devices.
In view of this, the application provides an attack guarding method to solve the problem in the related art that attack messages cannot be fully and effectively guarded against.
The specific embodiments of the application are described in detail below with reference to the accompanying drawings.
To further describe the application, the following embodiments are provided:
Fig. 2 is a flow chart of an attack guarding method provided by an exemplary embodiment of the application. The method is applied to the safeguard device shown in Fig. 1 and may comprise the following steps:
Step 201: forward the domain name query request sent by the terminal, wherein the domain name query request includes a source port number and a first DNS ID.
The transmitted domain name request message may include a source IP address, a destination IP address, a source port number, a destination port number, a transport protocol and a DNS ID. The DNS ID may be generated at random by the DNS server, i.e. when the DNS server generates the DNS request message it generates the DNS ID at random based on a preset algorithm; alternatively, the DNS ID may be a sequence number of the DNS domain name request message that the DNS server generates sequentially from the request messages already generated. The application places no restriction on the specific way the DNS ID is generated.
Step 202: judge whether the second DNS ID in the received first response message is consistent with the first DNS ID, and whether the destination port number in the first response message is consistent with the source port number; if not, discard the first response message and increment the match-failure count corresponding to the domain name query request.
Since the IP address of the local DNS server is usually publicly disclosed, in order to improve matching efficiency the safeguard device may, for a response message received from the local DNS server, first verify the DNS ID and the destination port number of the response message, and determine that the received response message fails to match as soon as either the DNS ID or the destination port number is found not to match.
In one embodiment, a statistics table entry pre-saved for the DNS query message corresponding to the domain name query request may be used. The pre-created statistics table entry may include the correspondence between domain name information, the IP address answer information returned in response messages, and the match-failure count. The statistics table entry may also pre-save, based on experience, the correspondence between a domain name, its false IP address answer information and a match-failure count, so as to improve the efficiency of screening out false IP address answer information.
If the domain name information is found in the statistics table entry, this indicates that this is not the first time the safeguard device has received a response message about the domain name that fails to match correctly; the match-failure count corresponding to the domain name information may be increased by a preset value, so that the changed count reflects the match-failure situation of the domain name information.
If the domain name information is not found in the statistics table entry, the domain name information is added to the statistics table entry and its corresponding match-failure count is set to an initial value, indicating that the domain name information has failed to match once.
Through the above embodiments, the match-failure count recorded in the statistics table entry quantifies the match-failure situation of each domain name, facilitates the iterative recording of match failures per domain name, and allows domain names whose match-failure count reaches the threshold to be dealt with in time.
Step 203: when the match-failure count reaches the preset threshold, detect received response messages according to the source port number, the first DNS ID and the IP address answer information in the first response message.
In one embodiment, the first IP address answer information contained in the first response message may be recorded. If the third DNS ID in a received second response message is consistent with the first DNS ID, and the destination port number in the second response message is consistent with the source port number, it is then judged whether the second IP address answer information contained in the second response message is consistent with the first IP address answer information; if consistent, the second response message is discarded, otherwise the second response message is determined to have passed detection.
Because the large number of false response messages forged by the attacker contain fixed domain name information and IP address answer information, the reply content contained in a response message for which either the DNS ID or the destination port number fails to match may be recorded; the reply content may include the domain name information and the IP address answer information corresponding to the domain name information.
For subsequently received response messages whose five-tuple information matches successfully, the recorded reply content is used to further detect the response message. Specifically, when the reply content in a response message is consistent with the reply content contained in the recorded response messages that failed to match, the response message is determined to be a false response message forged by the attacker, so that the reply content of attack messages is screened and the success rate of guarding against attack messages is improved.
In another embodiment, the judgement of whether the match-failure count corresponding to a domain name has reached the threshold may be made only when the statistical count changes, i.e. after the match-failure count has been increased by the preset value it is judged whether the count exceeds the threshold; alternatively, each domain name and its corresponding match-failure count recorded in the statistics table entry may be traversed at preset time intervals to judge whether the count has reached the threshold. When the match-failure count exceeds the threshold, it is determined that the match-failure count corresponding to that domain name exceeds the threshold.
Further, a protection state may be set on the domain name information whose match-failure count exceeds the threshold, to identify that the match-failure count of received response messages about that domain name has reached the threshold and that the domain name has most probably been subjected to a DNS cache attack from an attacker. The above reply content detection is then performed on received response messages containing domain name information in the protection state: the IP address answer information recorded in the statistics table entry from the response messages that failed to match is compared with the IP address answer information contained in the received response message, and if the two are consistent the response message is determined to be most probably a false response message forged by the attacker.
In another embodiment, after the five-tuple information and the reply content information of a response message have passed detection, it may be judged whether, within a preset early-warning duration, another response message about the same domain name containing identical IP address answer information is received again. If so, this indicates that the previous response message that passed the five-tuple and reply content detection was nevertheless a false response message forged by the attacker; accordingly, an alarm prompt about the response message that was successfully responded may be issued to the administrator, for example by an information pop-up, a work log record or alarm information.
Through the above embodiments, for received response messages related to a domain name query request, the DNS server can count the response messages whose DNS ID and destination port number fail to match, and, once the match-failure count reaches the statistical threshold, detect the reply content of subsequently received response messages: the source port number, DNS ID and IP address answer information corresponding to the response messages whose match-failure count reached the threshold are compared with the destination port number, DNS ID and IP address answer information contained in received response messages, and the response messages filtered out as having identical reply content are determined to be false response messages sent by the attacker, thereby improving the accuracy of identifying disguised response messages.
For ease of understanding, the attack guarding process is described in detail below with reference to Fig. 3, which is a flow chart of another attack guarding method provided by an exemplary embodiment of the application. As shown in Fig. 3, the method may include:
Step 301: forward the domain name request message sent by the terminal; the domain name request message includes at least a source port number and DNS ID information.
Step 302: receive the response message, sent by the DNS server, that corresponds to the domain name request message.
For the transmitted domain name request message, the DNS server may receive a response message about the queried domain name information returned by the upper-level DNS server. The response message received for the domain name request message contains a DNS ID, so that the DNS server can verify from the DNS ID of the response message whether the received response message is the correct response corresponding to the domain name request message.
Step 303: match whether the destination port number of the response message is consistent with the source port number of the domain name request message, and whether the DNS ID of the response message is consistent with the DNS ID of the domain name request message; if not, go to step 304; if so, go to step 307.
In one embodiment, since the source IP address of the DNS server is usually disclosed, the destination IP address in a response message forged by the attacker rarely differs from the source IP address in the domain name request message, so in existing DNS poisoning the attacker mainly tries many combinations of DNS ID and source port. The DNS server may therefore first obtain the destination port number and the DNS ID of the response message, and first match the destination port number of the response message against the source port number of the domain name request message and the DNS ID of the response message against the DNS ID of the domain name request message, so as to improve the efficiency of screening attack messages.
Step 304: count the domain name information and the IP address answer information contained in the response message that failed to match.
In one embodiment, a statistics table entry may be preset to record domain name information, the IP address answer information returned in response messages, and the corresponding match-failure count of the domain name information. In the set statistics table entry, IP address answer information already determined to be false for a domain name may be pre-recorded based on experience, with its corresponding match count set to the threshold, so that the next time the false IP address answer information corresponding to that domain name is received it can directly be determined to be a false response message, without waiting for the match count to reach the threshold, thereby improving the efficiency of screening response messages that contain false IP address answer information.
When a response message is received whose destination port number is inconsistent with the source port number of the domain name request message, or whose DNS ID is inconsistent with the DNS ID of the domain name request message, the domain name information contained in the received response message is the domain name information to be recorded, and the statistics table entry pre-saved for the DNS query message contained in the response message may be looked up.
If finding domain-name information to be recorded in the statistics list item, illustrate that dns server not receives for the first time About the domain-name information can not correct matched response message, can be recorded in statistics list item about the domain-name information Increase preset value on the basis of it fails to match number, wherein preset value can be 1 or 10, and the application is increased to institute default Value is not construed as limiting, furthermore, it is possible to the IP address response message replied in response message be compared, with domain-name information pair in statistics list item Whether the IP address response message answered is identical, when IP address response message and the IP address information difference being pre-stored, then will ring It answers the IP address response message in message to supplement to be added in statistics list item.Referring to the following table 1, for the example for counting list item, In the information matches of destination port, DNS ID, and the response message institute are unsatisfactory for about the response message of www.***.com domain name The IP address response message of reply is 192.168.1.201, then passes through corresponding it fails to match the number of the www.***.com domain name Crossing after increase preset value 1 becomes 3, and the IP address response message that the response message that it fails to match is replied from 2 192.168.1.201 being added in list item.
Domain-name information   Match-failure count   Answer IP addresses
www.***.com               3                     192.168.1.203, 192.168.1.201
Table 1
If the domain-name information to be recorded is not found in the statistics table entry, it is added to the table entry and its match-failure count is set to an initial value, for example 1 or 10; any value used as the initial count falls within the scope of this application. For example, when the protection device receives a response for the domain name www.*bs*.com whose destination port is inconsistent with the stored source port of the domain-name request for www.*bs*.com, or whose DNS ID is inconsistent with the DNS ID of the stored request, the answer IP address and domain-name information carried by the response are added to the statistics table entry, and the match-failure count for the domain name is set to the initial value. Referring to Table 2 below, if the answer IP address of the received response for www.*bs*.com is 192.168.1.1, the table entry after recording can be as follows:
Domain-name information   Match-failure count   Answer IP addresses
www.***.com               3                     192.168.1.203, 192.168.1.201
www.*bs*.com              1                     192.168.1.1
Table 2
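The following is an added illustration of steps 303 and 304 (the port/DNS ID match and the statistics table update) and is not code from the patent, which gives no implementation. The field names, the keying of the statistics table by domain name, and the sample ports, DNS IDs and 192.168.x.x addresses are assumptions for the demo; the demo reproduces the Table 1 and Table 2 entries.

```python
"""Port/DNS-ID matching and statistics-table update (steps 303 and 304).

Added illustration; the patent text gives no code. Field names, the
per-domain keying of the statistics table and the sample values below
(ports, DNS IDs, 192.168.x.x addresses) are assumptions for the demo."""
from dataclasses import dataclass, field


@dataclass
class Query:
    """State saved when the protection device forwards a domain-name request."""
    domain: str
    src_port: int
    dns_id: int


@dataclass
class Response:
    """The fields of a received DNS response that the check looks at."""
    domain: str
    dst_port: int
    dns_id: int
    answer_ip: str


@dataclass
class StatsEntry:
    """One statistics-table entry: match-failure count and answer IPs seen in failed responses."""
    fail_count: int = 0
    answer_ips: list = field(default_factory=list)


class StatsTable:
    def __init__(self, preset_value=1, initial_value=1):
        self.preset_value = preset_value    # increment for a domain already recorded
        self.initial_value = initial_value  # count for a domain seen for the first time
        self.entries = {}                   # domain -> StatsEntry

    @staticmethod
    def matches(query, resp):
        # Port and DNS ID are compared first: the destination IP of a forged
        # response almost always equals the public resolver address, so it
        # carries no signal (the attacker has to guess port and ID instead).
        return resp.dst_port == query.src_port and resp.dns_id == query.dns_id

    def record_failure(self, resp):
        entry = self.entries.get(resp.domain)
        if entry is None:
            # Domain not yet in the table: add it with the initial count
            entry = StatsEntry(fail_count=self.initial_value)
            self.entries[resp.domain] = entry
        else:
            # Domain already recorded: increase the count by the preset value
            entry.fail_count += self.preset_value
        if resp.answer_ip not in entry.answer_ips:
            entry.answer_ips.append(resp.answer_ip)
        return entry

    def handle(self, query, resp):
        """True if the response matches its query; otherwise record the failure and return False."""
        if self.matches(query, resp):
            return True
        self.record_failure(resp)
        return False


def demo():
    """Reproduce Tables 1 and 2: one repeated domain, one new domain."""
    table = StatsTable(preset_value=1, initial_value=1)
    # Pre-existing entry for www.***.com: two failures, one IP recorded (constructed)
    table.entries["www.***.com"] = StatsEntry(2, ["192.168.1.203"])
    q1 = Query("www.***.com", src_port=40001, dns_id=0x1234)
    forged = Response("www.***.com", dst_port=40001, dns_id=0x9999, answer_ip="192.168.1.201")
    table.handle(q1, forged)   # port matches, DNS ID does not: count 2 -> 3, IP appended
    q2 = Query("www.*bs*.com", src_port=40002, dns_id=0x2222)
    forged2 = Response("www.*bs*.com", dst_port=50000, dns_id=0x2222, answer_ip="192.168.1.1")
    table.handle(q2, forged2)  # port does not match: new entry with the initial count 1
    return table


if __name__ == "__main__":
    for domain, entry in demo().entries.items():
        print(domain, entry.fail_count, ", ".join(entry.answer_ips))
```

A matching response leaves the table untouched; only responses that fail the port or DNS ID check feed the count and the IP list, which is what later lets the device recognise an attacker's answer even when one of its guesses happens to match.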
Step 305: judge whether the match-failure count exceeds the threshold; if so, go to step 306; otherwise, return to step 302.
In one embodiment, the judgement of whether the match-failure count for a domain name has reached the threshold can be performed only when the statistics count has changed, once the change is complete: if the count exceeds the threshold after the preset value is added, the match-failure count for that domain name is determined to exceed the threshold; otherwise it does not.
In another embodiment, each domain name recorded in the statistics table entry, together with its match-failure count, can be traversed at a preset time interval, and whether the count has reached the threshold is judged during the traversal.
Step 306: set the domain-name information whose match-failure count exceeds the threshold to the protection state.
In one embodiment, a protection flag can be set on the domain-name information to indicate that the number of received responses for that domain name that failed to match has reached the threshold, that is, that a cache update for that domain name is very likely the target of a DNS cache attack. Note that a check of the protection flag can be added at any stage of receiving a response; it lets the protection device quickly determine whether the domain name in the message currently received has already reached the state where the match-failure count exceeds the threshold, improving the efficiency of screening messages for that domain name.
Step 307: when a response message is received that contains domain-name information in the protection state, judge whether the answer IP address in the received response is identical to an answer IP address recorded in the statistics table entry; if not, go to step 308; otherwise, discard the received response and return to step 302.
An attacker usually constructs a large number of attack messages by combining different DNS IDs and destination ports, but the domain-name information and answer IP address contained in these attack messages are identical.
Therefore, to prevent the attacker from succeeding by sending a large number of forged responses, when the DNS ID and destination port number of a response fail to match the DNS ID and source port number of the domain-name request, the domain-name information and answer IP address in the failed response are recorded, so that the domain-name information and answer IP address of a response that does match can be compared with those recorded from failed responses. If the two are identical, the matching response is also considered to come from the attacker.
Step 308: record the domain-name information and answer IP address of the response message.
In one embodiment, an alarm table entry can be created to record the domain-name information and answer IP address contained in the response that passed the check, so that the correct response can be examined further.
In another embodiment, the table entry used for alarm monitoring can be an extension of the domain-name entry in the statistics table entry, recording the answer IP address of the response that should be correct, so that the correct response can be examined further.
Step 309: judge whether a response containing the same reply content is received within the preset alarm duration; if so, issue an alarm prompt; otherwise, determine that the answer IP address of the received response is the IP address corresponding to the domain name in the domain-name resolution request sent by the terminal.
In one embodiment, the reply content can be the content comprising the domain-name information and the answer IP address. When a forged response produced by the attacker's combination of DNS ID and destination port number happens to match the DNS ID and source port number of the domain-name request, the attacker cannot learn in time whether the forged response succeeded, and usually keeps sending forged messages carrying the same domain-name information and answer IP address to keep probing. So when the DNS server keeps receiving responses containing the same answer IP address and domain-name information within the alarm duration, this indicates that those responses, and the previously accepted response for the same domain name, all come from the attacker, and an alarm prompt about the accepted response can be issued to the administrator.
If no response carrying the same domain-name information and answer IP address is received within the preset alarm duration, the answer IP address in the received response is taken as the resolution information for the domain name, a response to the domain-name resolution request is constructed from it, and the response is returned to the terminal.
In one embodiment, the alarm prompt can be recorded in a log, so that the administrator learns of the alarm when reviewing the log records and handles it accordingly.
In another embodiment, the alarm information can be shown in a pop-up window, or the alarm prompt can be sent to a pre-stored contact address, so that the administrator is notified immediately on a portable terminal device by ringing, vibration, a prompt message, or the like.
In this application, an ageing mechanism can also be configured: starting from the sending of the domain-name query request, the session corresponding to a domain-name request for which no correct response (one that passed the detection described above) has been received within a preset duration is aged out and removed promptly, freeing space and ensuring the operating efficiency of the DNS server.
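The following is an added illustration of steps 305 to 309 (protection state, answer IP comparison and the alarm window) and is not code from the patent. It takes the statistics table produced by step 304 as already populated (domain name mapped to the match-failure count and the set of answer IPs from failed responses, an assumed shape), uses plain seconds as timestamps so the demo is deterministic, and treats a count equal to the threshold as having reached it. The threshold, window and 203.0.113.x addresses are constructed.

```python
"""Steps 305 to 309: protection state, answer-IP comparison and alarm window.

Added illustration, not code from the patent. The statistics table is
passed in already populated (domain -> (match-failure count, answer IPs
from failed responses)); timestamps are plain seconds so the demo is
deterministic. Threshold, window and IP values are constructed."""


class ProtectionGuard:
    def __init__(self, stats, threshold, alarm_seconds):
        self.stats = stats                # output of step 304 (assumed shape)
        self.threshold = threshold
        self.alarm_seconds = alarm_seconds
        self.protected = set()            # domains carrying the protection flag (step 306)
        self.alarm_entries = {}           # (domain, ip) -> time the answer was first held (step 308)
        self.alarms = []                  # (domain, ip) pairs that repeated inside the window

    def refresh_protection(self):
        """Steps 305/306, periodic variant: flag every domain whose count reached the threshold."""
        for domain, (count, _ips) in self.stats.items():
            if count >= self.threshold:
                self.protected.add(domain)
        return self.protected

    def on_matched_response(self, domain, answer_ip, now):
        """Decide for a response that already passed the port/DNS-ID check.

        Returns "accept" (domain not protected), "drop" (step 307),
        "hold" (step 308) or "alarm" (step 309)."""
        if domain not in self.protected:
            return "accept"
        _count, failed_ips = self.stats.get(domain, (0, set()))
        if answer_ip in failed_ips:
            # Same domain and answer IP as the forged responses that failed
            # the ID/port match: treat it as one of the attacker's guesses.
            return "drop"
        key = (domain, answer_ip)
        first_seen = self.alarm_entries.get(key)
        if first_seen is not None and now - first_seen <= self.alarm_seconds:
            # A repeat of the same content inside the window: the sender
            # cannot tell its forgery succeeded and keeps sending it.
            self.alarms.append(key)
            return "alarm"
        self.alarm_entries[key] = now
        return "hold"

    def finalize(self, domain, answer_ip, now):
        """Step 309, quiet case: after the window with no repeat, trust the answer.

        Returns the answer IP to hand to the terminal, or None."""
        key = (domain, answer_ip)
        first_seen = self.alarm_entries.get(key)
        if first_seen is None or key in self.alarms:
            return None
        if now - first_seen > self.alarm_seconds:
            del self.alarm_entries[key]
            return answer_ip
        return None


def demo():
    stats = {
        "www.***.com": (3, {"192.168.1.203", "192.168.1.201"}),  # Table 1 values
        "www.*bs*.com": (1, {"192.168.1.1"}),                     # Table 2 values
    }
    guard = ProtectionGuard(stats, threshold=3, alarm_seconds=30)
    guard.refresh_protection()
    decisions = [
        guard.on_matched_response("www.*bs*.com", "192.168.1.1", now=0),    # not protected
        guard.on_matched_response("www.***.com", "192.168.1.201", now=10),  # IP seen in failures
        guard.on_matched_response("www.***.com", "203.0.113.7", now=10),    # new IP: held
        guard.on_matched_response("www.***.com", "203.0.113.7", now=15),    # repeat in window
        guard.on_matched_response("www.***.com", "203.0.113.9", now=100),   # held, never repeated
    ]
    trusted = guard.finalize("www.***.com", "203.0.113.9", now=140)
    return guard, decisions, trusted


if __name__ == "__main__":
    guard, decisions, trusted = demo()
    print(decisions, trusted, guard.alarms)
```

The hold-then-finalize split is deliberate: a matching response for a protected domain is not handed to the terminal until the alarm window has passed without a repeat, which is the only point at which the device can distinguish a genuine resolver answer from a forged one that happened to hit the right port and ID.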
Fig. 4 is a schematic structural diagram of an electronic device according to an exemplary embodiment of this application. Referring to Fig. 4, at the hardware level the electronic device includes a processor, an internal bus, a network interface, memory, and non-volatile storage, and may of course include other hardware required by the service. The processor reads the corresponding computer program from the non-volatile storage into memory and runs it, forming the attack protection device at the logical level. Besides a software implementation, this application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the executing subject of the following processing flow is not limited to the logical units and may also be hardware or a logic device.
Referring to Fig. 5, which is a block diagram of an attack protection device according to an exemplary embodiment of this application; as shown in Fig. 5, in a software implementation the device may include:
Transmission unit 501, which forwards the domain-name query request sent by the terminal, the domain-name query request including a source port number and a first DNS ID;
Statistics unit 502, which judges whether the second DNS ID in a received first response message is consistent with the first DNS ID, and whether the destination port number in the first response message is consistent with the source port number; if not, it discards the first response message and counts the match-failure count corresponding to the domain-name query request;
First detection unit 503, which, when the match-failure count reaches a preset threshold, detects received response messages according to the source port number, the first DNS ID, and the answer IP address in the first response message.
Optionally, the first detection unit specifically comprises:
Recording unit 504, which records the first answer IP address contained in the first response message;
Second detection unit 505, which, if the third DNS ID in a received second response message is consistent with the first DNS ID and the destination port number in the second response message is consistent with the source port number, judges whether the second answer IP address contained in the second response message is consistent with the first answer IP address; if consistent, it discards the second response message; otherwise, it determines that the second response message passes detection.
Optionally, the device further includes:
Receiving unit 506, which, if the second response message passes detection, judges whether a third response message containing the second answer IP address is received within a preset time;
Prompt unit 507, which prompts alarm information about the second response message if the third response message is received.
Optionally, the statistics unit specifically comprises:
Query unit 508, which queries the statistics table entry pre-saved for the DNS query message corresponding to the domain-name query request, the statistics table entry containing the correspondence between the domain-name information, the answer IP address replied in the first response message, and the match-failure count;
Count change unit 509, which, if the domain-name information is found in the statistics table entry, increases the match-failure count corresponding to the domain-name information by a preset value;
Adding unit 510, which, if the domain-name information is not found in the statistics table entry, adds the domain-name information to the statistics table entry and sets the match-failure count corresponding to the domain-name information to an initial value.
Optionally, the device further includes:
Time recording unit 511, which records the sending time of the domain-name query request;
Ageing unit 512, which ages out the session corresponding to the domain-name query request after a preset duration.
The device corresponds to the method above, and identical details are not repeated here.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
As the device embodiments essentially correspond to the method embodiments, the relevant parts refer to the description of the method embodiments. The device embodiments described above are merely exemplary: the units described as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit; it may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of this application's solution. A person of ordinary skill in the art can understand and implement this without creative effort.
Although this specification contains many specific implementation details, these should not be construed as limiting the scope of any invention or of what may be claimed, but rather as describing features of particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination.
The foregoing describes only preferred embodiments of this application and is not intended to limit it; any modification, equivalent substitution, or improvement made within the spirit and principles of this application shall be included within its scope of protection.

Claims (10)

1. An attack protection method, applied to a protection device, the method comprising:
forwarding a domain-name query request sent by a terminal, wherein the domain-name query request includes a source port number and a first DNS ID;
judging whether a second DNS ID in a received first response message is consistent with the first DNS ID and whether the destination port number in the first response message is consistent with the source port number; if not, discarding the first response message and counting the match-failure count corresponding to the domain-name query request;
when the match-failure count reaches a preset threshold, detecting received response messages according to the source port number, the first DNS ID, and the answer IP address in the first response message.
2. The method according to claim 1, wherein detecting received response messages according to the source port number, the first DNS ID, and the answer IP address in the first response message comprises:
recording the first answer IP address contained in the first response message;
if a third DNS ID in a received second response message is consistent with the first DNS ID and the destination port number in the second response message is consistent with the source port number, judging whether the second answer IP address contained in the second response message is consistent with the first answer IP address; if consistent, discarding the second response message; otherwise, determining that the second response message passes detection.
3. The method according to claim 2, further comprising:
if the second response message passes detection, judging whether a third response message containing the second answer IP address is received within a preset time;
if the third response message is received, prompting alarm information about the second response message.
4. The method according to claim 1, wherein counting the match-failure count corresponding to the domain-name query request comprises:
querying the statistics table entry pre-saved for the DNS query message corresponding to the domain-name query request, the statistics table entry containing the correspondence between the domain-name information, the answer IP address replied in the first response message, and the match-failure count;
if the domain-name information is found in the statistics table entry, increasing the match-failure count corresponding to the domain-name information by a preset value;
if the domain-name information is not found in the statistics table entry, adding the domain-name information to the statistics table entry and setting the match-failure count corresponding to the domain-name information to an initial value.
5. The method according to claim 1, further comprising:
recording the sending time of the domain-name query request;
after a preset duration, ageing out the session corresponding to the domain-name query request.
6. An attack protection device, applied to a protection device, the device comprising:
a transmission unit, which forwards a domain-name query request sent by a terminal, wherein the domain-name query request includes a source port number and a first DNS ID;
a statistics unit, which judges whether a second DNS ID in a received first response message is consistent with the first DNS ID and whether the destination port number in the first response message is consistent with the source port number; if not, discards the first response message and counts the match-failure count corresponding to the domain-name query request;
a first detection unit, which, when the match-failure count reaches a preset threshold, detects received response messages according to the source port number, the first DNS ID, and the answer IP address in the first response message.
7. The device according to claim 6, wherein the first detection unit specifically comprises:
a recording unit, which records the first answer IP address contained in the first response message;
a second detection unit, which, if a third DNS ID in a received second response message is consistent with the first DNS ID and the destination port number in the second response message is consistent with the source port number, judges whether the second answer IP address contained in the second response message is consistent with the first answer IP address; if consistent, discards the second response message; otherwise, determines that the second response message passes detection.
8. The device according to claim 7, further comprising:
a receiving unit, which, if the second response message passes detection, judges whether a third response message containing the second answer IP address is received within a preset time;
a prompt unit, which prompts alarm information about the second response message if the third response message is received.
9. The device according to claim 6, wherein the statistics unit specifically comprises:
a query unit, which queries the statistics table entry pre-saved for the DNS query message corresponding to the domain-name query request, the statistics table entry containing the correspondence between the domain-name information, the answer IP address replied in the first response message, and the match-failure count;
a count change unit, which, if the domain-name information is found in the statistics table entry, increases the match-failure count corresponding to the domain-name information by a preset value;
an adding unit, which, if the domain-name information is not found in the statistics table entry, adds the domain-name information to the statistics table entry and sets the match-failure count corresponding to the domain-name information to an initial value.
10. The device according to claim 6, further comprising:
a time recording unit, which records the sending time of the domain-name query request;
an ageing unit, which ages out the session corresponding to the domain-name query request after a preset duration.
CN201910629348.XA 2019-07-12 2019-07-12 A kind of attack guarding method and device Pending CN110401644A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910629348.XA CN110401644A (en) 2019-07-12 2019-07-12 A kind of attack guarding method and device


Publications (1)

Publication Number Publication Date
CN110401644A true CN110401644A (en) 2019-11-01

Family

ID=68325384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910629348.XA Pending CN110401644A (en) 2019-07-12 2019-07-12 A kind of attack guarding method and device

Country Status (1)

Country Link
CN (1) CN110401644A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112511499A (en) * 2020-11-12 2021-03-16 视若飞信息科技(上海)有限公司 Method and device for processing AIT in HBBTV terminal
CN112910839A (en) * 2021-01-12 2021-06-04 杭州迪普科技股份有限公司 DNS attack defense method and device
CN113810510A (en) * 2021-07-30 2021-12-17 绿盟科技集团股份有限公司 Domain name access method and device and electronic equipment
CN114070596A (en) * 2021-11-10 2022-02-18 上海钧正网络科技有限公司 Performance optimization method, system, terminal and medium of Web application protection system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404317A (en) * 2011-10-31 2012-04-04 杭州迪普科技有限公司 Method and device for preventing DNS (domain name system) cache attack
CN102714663A (en) * 2010-01-19 2012-10-03 阿尔卡特朗讯公司 Method and system for preventing DNS cache poisoning
CN105939346A (en) * 2016-05-04 2016-09-14 杭州迪普科技有限公司 Method and device for preventing DNS (Domain Name System) cache attack
CN105939337A (en) * 2016-03-09 2016-09-14 杭州迪普科技有限公司 DNS cache poisoning protection method and device
US20160366176A1 (en) * 2015-06-11 2016-12-15 Northrop Grumman Systems Corporation High-level reputation scoring architecture




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191101