CN112583692B - Method, device and equipment for cleaning flow and computer storage medium - Google Patents


Info

Publication number
CN112583692B
CN112583692B (granted from application CN202011403148.1A; published earlier as CN112583692A)
Authority
CN
China
Prior art keywords
data packet
dns
cleaning
domain name
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011403148.1A
Other languages
Chinese (zh)
Other versions
CN112583692A (en)
Inventor
张广宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Heilongjiang Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Heilongjiang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Heilongjiang Co Ltd
Priority to CN202011403148.1A
Publication of CN112583692A
Application granted
Publication of CN112583692B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic
    • H04L 12/00 Data switching networks > H04L 12/28 characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/50 using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/74 Address processing for routing
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service

Abstract

The embodiments of this application provide a method, apparatus, device and computer storage medium for traffic cleaning. A data packet is acquired; packets that are not Domain Name System (DNS) packets, and DNS packets whose domain name does not satisfy a preset condition, are cleaned out to obtain a first DNS packet, which is thereby guaranteed to be a well-formed (non-malformed) DNS packet; packets whose quintuple field contents do not match a preset dynamic feature library are cleaned out of the first DNS packet to obtain a second DNS packet, which amounts to a deep analysis of the first DNS packet; and the second DNS packet is cleaned according to a preset authorized domain name whitelist to obtain a third DNS packet. DNS packets are thereby identified accurately, traffic attacks are defended against precisely, and the false-positive (over-blocking) rate of traffic cleaning is effectively reduced.

Description

Method, device and equipment for traffic cleaning, and computer storage medium
Technical Field
This application relates to the field of network security, and in particular to a method, an apparatus, a device and a computer storage medium for traffic cleaning.
Background
At present every operator deploys traffic cleaning equipment to counter Distributed Denial of Service (DDoS) attacks. Although conventional traffic cleaning has protocol identification capability at layers 2 to 7, for DNS traffic carried over the User Datagram Protocol (UDP) it can only identify at coarse granularity and cannot perform deep identification at the granularity of individual domain names, so legitimate traffic is easily dropped by mistake (false positives).
Disclosure of Invention
The embodiments of this application provide a method, an apparatus and a device for traffic cleaning, and a computer storage medium, which can accurately identify DNS packets and precisely defend against traffic attacks.
In a first aspect, an embodiment of this application provides a method for traffic cleaning, the method comprising:
acquiring a data packet;
cleaning out packets that are not Domain Name System (DNS) packets, and packets whose domain name does not meet a preset condition, to obtain a first DNS packet;
cleaning out of the first DNS packet those packets whose quintuple field contents do not match a preset dynamic feature library, to obtain a second DNS packet; and
cleaning the second DNS packet according to a preset authorized domain name whitelist to obtain a third DNS packet.
In some possible implementations, acquiring the data packet includes:
acquiring, from the port with destination port number 53, the packets that are not DNS packets (i.e. packets addressed to port 53 whose payload is not DNS).
In some possible implementations, the data packet includes a DNS packet, and cleaning out the packets whose domain name does not meet the preset condition to obtain the first DNS packet includes:
cleaning out packets whose domain name does not meet the requirements of the DNS specification, and packets whose message header fields do not meet the requirements of the relevant Request for Comments (RFC) specification, to obtain the first DNS packet.
In some possible implementations, the data packet includes a DNS packet, and cleaning out the packets whose domain name does not meet the preset condition to obtain the first DNS packet includes:
cleaning out packets whose domain name characters do not conform to the preset domain name character set, to obtain the first DNS packet.
In some possible implementations, cleaning the second DNS packet according to the preset authorized domain name whitelist to obtain the third DNS packet includes:
cleaning out packets whose requested domain name is not in the preset authorized domain name whitelist and, among packets whose requested domain name is in the whitelist, those that meet the preset rate-limit condition, to obtain the third DNS packet.
In some possible implementations, after the third DNS packet is obtained, it is sent to the cache server.
In a second aspect, an embodiment of this application provides an apparatus for traffic cleaning, the apparatus comprising:
an acquisition module for acquiring the data packet;
a first cleaning module for cleaning out packets that are not Domain Name System (DNS) packets, and packets whose domain name does not meet the preset condition, to obtain a first DNS packet;
a second cleaning module for cleaning out of the first DNS packet those packets whose quintuple field contents do not match the preset dynamic feature library, to obtain a second DNS packet; and
a third cleaning module for cleaning the second DNS packet according to the preset authorized domain name whitelist to obtain a third DNS packet.
In some possible implementations, the acquisition module is specifically configured to acquire the non-DNS packets from the port with destination port number 53.
In a third aspect, an embodiment of this application provides a traffic cleaning device comprising a processor and a memory storing computer program instructions; the processor reads and executes the computer program instructions to implement the traffic cleaning method of the first aspect or any of its possible implementations.
In a fourth aspect, an embodiment of this application provides a computer storage medium on which computer program instructions are stored; when the instructions are executed by a processor, the traffic cleaning method of the first aspect or any of its possible implementations is implemented.
The method, apparatus, device and computer storage medium for traffic cleaning provided by the embodiments of this application acquire a data packet, clean out non-DNS packets and packets whose domain name does not meet the preset condition to obtain a first DNS packet that is guaranteed to be well-formed, clean out of the first DNS packet the packets whose quintuple field contents do not match the preset dynamic feature library to obtain a second DNS packet (a deep analysis of the first DNS packet), and clean the second DNS packet against the preset authorized domain name whitelist to obtain a third DNS packet. DNS packets are thereby identified accurately, traffic attacks are defended against precisely, and the false-positive rate of traffic cleaning is effectively reduced.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed by the embodiments are briefly described below; a person skilled in the art can obtain other drawings from these without creative effort.
FIG. 1 is a schematic structural diagram of a traffic cleaning system according to an embodiment of this application;
FIG. 2 is a schematic flow chart of a method for traffic cleaning according to an embodiment of this application;
FIG. 3 is a schematic flow chart of the filter-matching service flow according to an embodiment of this application;
FIG. 4 is a schematic structural diagram of a traffic cleaning apparatus according to an embodiment of this application;
FIG. 5 is a schematic structural diagram of a traffic cleaning device according to an embodiment of this application.
Detailed Description
Features of various aspects and exemplary embodiments of the present application will be described in detail below, and in order to make objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of, and not restrictive on, the present application. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by illustrating examples thereof.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article or apparatus that comprises the element.
The Domain Name System (DNS) is one of the basic systems of the whole Internet service. It is responsible for converting the Internet domain names that people access into Internet Protocol (IP) addresses; the conversion process is called "domain name resolution", so the DNS is also called the "domain name resolution system" and is, in effect, the signpost of network access. The DNS carries all Internet access and its intelligent scheduling, acts as the dispatcher of basic Internet services, and plays a very important role in Internet access. All Internet traffic relies on the DNS; if the DNS fails, the Internet breaks down.
The DNS is usually built in a centralized mode: a single province has only 2 to 4 DNS nodes. At the same time the DNS has weak security protection capability and is often the target most easily chosen by attackers. In recent years several DNS attack cases of significant influence have occurred, as follows:
(1) In 2009 the "storm video" (Baofeng) incident led to a network outage in six provinces.
(2) On 12 January 2010 Baidu's domain name was hijacked by the "Iranian Cyber Army".
(3) On 27 January 2013 a DNS failure at a well-known CDN service provider took many large customers offline for more than an hour; access to well-known websites including 163, Tencent, Phoenix, Baidu, Duowan, m1905, video sites and 12306 was affected in some areas.
(4) On 25 August 2013 the .CN domain name resolution nodes suffered a denial-of-service attack; the authoritative DNS of the .CN top-level domain failed across the board and no .CN domain name could be resolved.
(5) In 2015 the CVE-2015-5477 TKEY vulnerability affected almost all versions of BIND.
(6) In 2016 Dyn was hit by the largest DDoS attack in history up to that time, causing outages across more than half of the United States.
The DNS attack cases above, and the security problems that occur in daily operation, can be roughly attributed to the following causes:
(1) At present all operators deploy DNS security protection equipment, but most adopt a symmetrical deployment, i.e. a 10GE ingress and a 10GE egress; when a high-volume DDoS attack exceeding 10GE occurs, the attack traffic saturates the ingress bandwidth and normal traffic cannot reach the cache service.
(2) Every operator deploys traffic cleaning equipment to resist DDoS attacks, but although conventional traffic cleaning has protocol identification capability at layers 2 to 7, for DNS over UDP it can only identify at coarse granularity and cannot perform deep identification at domain name granularity, so false positives are easily produced.
(3) Irregular domain name applications occupy a large amount of cache space; such domain names are characterized by long TTL values and small access volumes, and they occupy cache space for a long time.
(4) Invalid top-level domain names erode recursive service capacity.
In order to solve these problems of the prior art, the embodiments of this application provide a method, an apparatus, a device and a computer storage medium for traffic cleaning.
In the embodiment of this application, as shown in FIG. 1, a switch 120 is connected to a routing device 130 through a 20G link and to a cache server 140 through a 10G link. A traffic cleaning device 110 is deployed in bypass mode and is connected to the switch 120 through 40G and 10G links. The DNS service IP is advertised to the Internet and DNS request traffic is diverted from the routing device 130 to the traffic cleaning device 110; because the uplink of the switch 120 is 20G, the traffic cleaning device takes its ingress through 40G interfaces in order to avoid a single point of failure. The traffic is cleaned according to the cleaning policy, the clean normal traffic is forwarded to the cache server 140 through the 10G port, and the cache server 140 answers the requests.
The traffic cleaning device acquires a data packet, cleans out packets that are not Domain Name System (DNS) packets and packets whose domain name does not meet a preset condition to obtain a first DNS packet that is guaranteed to be well-formed, cleans out of the first DNS packet the packets whose quintuple field contents do not match a preset dynamic feature library to obtain a second DNS packet (a deep analysis of the first DNS packet), and cleans the second DNS packet according to a preset authorized domain name whitelist to obtain a third DNS packet. DNS packets can thus be identified accurately, traffic attacks defended against precisely, and the false-positive rate of traffic cleaning effectively reduced.
The method for traffic cleaning provided by the embodiments of this application is described first.
FIG. 2 is a flow chart of a method for traffic cleaning according to an embodiment of this application. As shown in FIG. 2, the method may include the following steps:
S210: acquire the data packet.
The traffic cleaning device acquires packets, which include DNS packets and non-DNS packets; the non-DNS packets are those acquired from the port whose destination port is 53 but which do not carry DNS.
S220: clean out the packets that are not Domain Name System (DNS) packets, and the packets whose domain name does not meet the preset condition, to obtain the first DNS packet.
When the domain name in a packet does not meet the preset condition, the packet does not meet the relevant standard and is a malformed packet. Malformed packets and non-DNS packets occupy a large amount of cache space and reduce the utilization of the cache.
The traffic cleaning device cleans out the non-DNS packets addressed to port 53, which effectively filters out flooding attacks such as Internet Control Message Protocol (ICMP) floods, UDP floods and similar packet floods.
By cleaning out non-DNS packets and malformed packets to obtain the first DNS packet, the traffic cleaning device improves cache utilization and protects the efficiency of ordinary domain name requests.
S230: clean out of the first DNS packet the packets whose quintuple field contents do not match the preset dynamic feature library, to obtain the second DNS packet.
The quintuple comprises the domain name, the Time To Live (TTL) value, the message type, the resource record type and the resource record value. (This is the patent's own quintuple of DNS message features, not the IP 5-tuple of source and destination addresses, ports and protocol.) A dynamic feature library is built for the message features in DNS packets; the library can be learned and refined automatically, and illegal messages that do not match it are discarded directly.
The quintuple in the first DNS packet is checked against the dynamic feature library: a packet-by-packet match of DNS data features tests whether the content of each quintuple field matches the library.
When the field contents of the quintuple in the first DNS packet do not match the dynamic feature library, the first DNS packet is judged to be attack traffic. If the quintuple lacks a field, or any field content does not match the library, the packet is likewise judged to be attack traffic and cleaned out. This deep analysis of the first DNS packet reduces the false-positive rate of the traffic cleaning device.
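The packet-by-packet match against a learned feature library, as an added example that is not code from the patent or its assignee. It models the patent's quintuple as a five-key record, learns a per-domain profile (message types, record types, record values and a TTL range) from constructed trusted observations, and treats a missing field, an unknown domain or any out-of-profile value as attack traffic; the record layout, the profile fields and the TEST-NET sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The five fields of the patent's "quintuple" of DNS message features (assumed record layout).
FIELDS = ("domain", "ttl", "msg_type", "rr_type", "rr_value")


def norm_domain(name: str) -> str:
    """Canonical form used as the library key: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


@dataclass
class DomainProfile:
    """What has been learned about one domain from trusted (already cleaned) traffic."""
    msg_types: set = field(default_factory=set)
    rr_types: set = field(default_factory=set)
    rr_values: set = field(default_factory=set)
    ttl_min: int = 2 ** 31
    ttl_max: int = -1


class FeatureLibrary:
    def __init__(self):
        self.profiles = {}  # normalized domain -> DomainProfile

    def learn(self, record: dict) -> None:
        """Extend the library from one trusted record; incomplete records cannot be learned."""
        missing = [f for f in FIELDS if record.get(f) is None]
        if missing:
            raise ValueError(f"cannot learn from incomplete record, missing {missing}")
        p = self.profiles.setdefault(norm_domain(record["domain"]), DomainProfile())
        p.msg_types.add(record["msg_type"])
        p.rr_types.add(record["rr_type"])
        p.rr_values.add(record["rr_value"])
        p.ttl_min = min(p.ttl_min, record["ttl"])
        p.ttl_max = max(p.ttl_max, record["ttl"])

    def matches(self, record: dict) -> bool:
        """Packet-by-packet match: every field present and inside the learned profile."""
        if any(record.get(f) is None for f in FIELDS):
            return False                    # a missing field is treated as attack traffic
        p = self.profiles.get(norm_domain(record["domain"]))
        if p is None:
            return False                    # domain never seen in trusted traffic
        return (record["msg_type"] in p.msg_types
                and record["rr_type"] in p.rr_types
                and record["rr_value"] in p.rr_values
                and p.ttl_min <= record["ttl"] <= p.ttl_max)

    def clean(self, records: list):
        """Split a batch of first-stage packets into (second_dns_packets, dropped)."""
        kept, dropped = [], []
        for r in records:
            (kept if self.matches(r) else dropped).append(r)
        return kept, dropped


def build_sample_library() -> FeatureLibrary:
    """Constructed trusted observations (RFC 5737 TEST-NET addresses) used to seed the library."""
    lib = FeatureLibrary()
    for ttl, value in ((300, "192.0.2.10"), (3600, "192.0.2.11")):
        lib.learn({"domain": "www.example.com.", "ttl": ttl, "msg_type": "response",
                   "rr_type": "A", "rr_value": value})
    lib.learn({"domain": "mail.example.com", "ttl": 600, "msg_type": "response",
               "rr_type": "MX", "rr_value": "10 mx1.example.com."})
    return lib


# Constructed first-stage packets to be matched against the library.
SAMPLE_TRAFFIC = [
    {"domain": "www.example.com", "ttl": 600, "msg_type": "response", "rr_type": "A", "rr_value": "192.0.2.10"},
    {"domain": "www.example.com", "ttl": 5, "msg_type": "response", "rr_type": "A", "rr_value": "192.0.2.10"},
    {"domain": "www.example.com", "ttl": 600, "msg_type": "response", "rr_type": "A", "rr_value": "198.51.100.9"},
    {"domain": "www.example.com", "ttl": 600, "msg_type": "response", "rr_type": "A"},
    {"domain": "x7k2q.example.com", "ttl": 600, "msg_type": "response", "rr_type": "A", "rr_value": "192.0.2.10"},
]

if __name__ == "__main__":
    lib = build_sample_library()
    kept, dropped = lib.clean(SAMPLE_TRAFFIC)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for r in dropped:
        print("dropped:", r)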
S240: clean the second DNS packet according to the preset authorized domain name whitelist, to obtain the third DNS packet.
From long-term operation of the DNS it can be found statistically that domain names ranked beyond the top 3 million receive only single-digit numbers of visits per day; that is, under normal conditions 99.99% of the domain names visited by users are concentrated within the top 3 million.
The access behaviour of domain names is analysed automatically by machine learning and DNS log analysis to judge whether a domain name is a reputable domain name or a top-level domain name. When an attacker launches a large number of otherwise normal DNS queries whose domain name prefixes change constantly, domain names can still be identified accurately, and the security risk of recursive resource exhaustion is resolved.
The authorized domain name whitelist comprises an authorized domain name library and a generic Top-Level Domain (gTLD) library, and the accessed domain name is identified accurately by means of this preset whitelist. When the requested domain name of a second DNS packet is not in the authorized domain name whitelist, the packet is not authorized to access and may come from an attacker, so the second DNS packets whose domain name is not in the whitelist are cleaned out; the third DNS packet thus obtained is clean traffic.
In the embodiment of this application, packets are acquired; packets that are not DNS packets and packets whose domain name does not meet the preset condition are cleaned out to obtain a first DNS packet that is guaranteed to be well-formed; packets whose quintuple field contents do not match the preset dynamic feature library are cleaned out of the first DNS packet to obtain a second DNS packet (a deep analysis of the first DNS packet); and the second DNS packet is cleaned according to the preset authorized domain name whitelist to obtain a third DNS packet. DNS packets can thus be identified accurately, traffic attacks defended against precisely, and the false-positive rate of traffic cleaning effectively reduced.
In some embodiments, before packet cleaning is performed, it is first checked whether the DNS request message meets the Access Control List (ACL) policy, judged by source IP, source port and destination port. For example, the system can specify which users are served, identified by source address, and discard directly the requests of users not specified, so that the clients allowed to use the system can be restricted. The system can also identify the service address: the destination address of a DNS request message must be a specified service address, and requests to any other address are discarded directly, which prevents clients from accessing non-service addresses of the system such as recursion addresses and interface addresses.
Some security measures can also be taken for non-DNS traffic: for example, traffic is differentiated by frame type, the main IP header fields, source port and destination port, and one of three policies, drop, pass or rate limit, is specified for each type of traffic.
In some embodiments, when a DNS request message conforms to the ACL policy, it is further checked whether the domain name in the DNS packet conforms to the DNS specification and whether the message header fields conform to the RFC specification.
The protocol stack layer judges whether a request message entering the traffic cleaning device is a DNS protocol request; a non-DNS request is cleaned out, which prevents an attacker from constructing an attack through port 53. If it is a normal DNS protocol request, the message format is then cleaned, which prevents an attacker from constructing an attack that does not conform to the DNS format specification. These two layers of cleaning ensure that the packet is a well-formed DNS packet.
Specifically, cleaning out the packets whose domain name does not meet the preset condition to obtain the first DNS packet includes:
cleaning out packets whose domain name naming does not meet the requirements of the DNS specification, and packets whose message header fields do not meet the requirements of the RFC specification, to obtain the first DNS packet, which is the set of packets remaining after malformed packets have been screened out.
Packets whose domain name naming does not meet the DNS specification and packets whose header fields do not meet the RFC specification can be collectively called abnormal-format DNS packets, which include abnormal-format packets in user queries and abnormal-format packets in recursive responses.
Abnormal-format packets in user queries include: response packets addressed to destination port 53; query packets whose question count (QDCOUNT) is greater than 1; query packets larger than 512 bytes; query packets whose answer count (ANCOUNT) is not 0; query packets whose authority count (NSCOUNT) is not 0; query packets whose header is shorter than 12 bytes; query packets whose additional record count (ARCOUNT) is greater than 1; query packets whose UDP payload is shorter than 12 bytes; and the like.
When a DNS query is sent normally, the header of the request message carries a question count field whose value is 1. Attack messages are generally constructed by an attacker who builds only the message body and ignores the header fields, so this field is used to judge whether a message is malformed: a query packet whose question count is greater than 1 is malformed.
According to RFC 1035 a DNS message carried over UDP must not exceed 512 bytes, so a query packet larger than 512 bytes is malformed. (Caveat: EDNS(0), RFC 6891, allows larger UDP messages when the client advertises a larger buffer size in an OPT record, so a hard 512-byte cut-off must be applied with that in mind.)
When a DNS query is sent normally the answer count field (ANCOUNT) is 0, because the packet is a query and no answer has been obtained yet; a header in which it is non-zero is judged malformed, so a query packet whose answer count is not 0 is malformed.
The authority count field (NSCOUNT) indicates how many authority records are carried in a DNS response; in a query packet it is normally 0 because no answer has been obtained yet, and a header in which it is non-zero is judged malformed, so a query packet whose authority count is not 0 is malformed.
The RFC specification requires the header of a DNS message to be 12 bytes; a header shorter than 12 bytes does not conform, so such a packet is malformed.
The additional record count field (ARCOUNT) gives the number of records in the additional section. A normal query carries at most one additional record, the EDNS(0) OPT pseudo-record, so a query packet whose additional record count is greater than 1 is judged malformed.
A UDP payload shorter than 12 bytes cannot contain a complete header and does not meet the RFC specification.
Abnormal-format packets in recursive responses include: query packets with source port 53; recursive response packets whose question count is greater than 1; recursive response packets larger than 512 bytes; recursive response packets whose answer count is not 0; recursive response packets whose authority count is not 0; recursive response packets whose header is shorter than 12 bytes; recursive response packets whose additional record count is greater than 1; recursive response packets whose UDP payload is shorter than 12 bytes; and the like. (These criteria are reproduced as the patent states them; a legitimate response ordinarily carries a non-zero answer count and may exceed 512 bytes under EDNS(0), so the response-side thresholds must be set for response semantics rather than copied from the query rules.)
The abnormal-format packets in user queries and the abnormal-format packets in recursive responses are cleaned out to obtain the first DNS packet.
In some embodiments, the data packet includes a DNS packet, and cleaning out the packets whose domain name does not meet the preset condition to obtain the first DNS packet includes:
cleaning out packets whose domain name characters do not conform to the preset domain name character set, to obtain the first DNS packet.
When domain names are named, the characters permitted in Chinese domain names differ from those in English domain names: some characters that appear in Chinese domain names cannot be used in English domain names, some that appear in English domain names cannot be used in Chinese domain names, and the combinations of characters within a domain name are restricted. Different preset domain name character sets are configured according to the language of the domain name; when the domain name characters in a DNS packet do not conform to the correct standard for domain name use, the packet is a malformed packet, and the malformed packets are cleaned out to obtain the first DNS packet.
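The first-stage checks described above (port and direction, the 12-byte header and 512-byte size limits, the QDCOUNT/ANCOUNT/NSCOUNT/ARCOUNT rules, and the domain name character rule), as an added example in Python that is not code from the patent or its assignee. It assumes queries arrive as raw UDP payloads with their destination port known, that labels follow the ASCII letters-digits-hyphen rule with underscore additionally allowed (so SRV and DKIM owner names are not dropped), and that internationalized names arrive already Punycode-encoded; the sample packets are constructed inline with the included builder.

```python
import struct

DNS_PORT = 53
HEADER_LEN = 12          # fixed DNS header size (RFC 1035 section 4.1.1)
MAX_UDP_MESSAGE = 512    # UDP limit without EDNS(0); see the caveat in the text
MAX_NAME_LEN = 253       # presentation form, excluding the trailing dot
# Letters, digits and hyphen (LDH), plus underscore so that owner names such as
# _sip._tcp.example.com are not dropped (assumption, not from the patent).
ALLOWED_LABEL_BYTES = set(b"abcdefghijklmnopqrstuvwxyz0123456789-_")


def parse_header(msg: bytes) -> dict:
    """Decode the six 16-bit header fields of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    return {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_qname(msg: bytes, offset: int = HEADER_LEN):
    """Return (labels, offset_after_name), or None if the wire-format name is malformed."""
    labels = []
    while True:
        if offset >= len(msg):
            return None                     # ran off the end before the root label
        length = msg[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length >= 0xC0:
            return None                     # compression pointer: not valid in a query name
        if length > 63 or offset + length > len(msg):
            return None                     # label too long, or truncated
        labels.append(msg[offset:offset + length])
        offset += length


def label_ok(label: bytes) -> bool:
    """Character rule for one label: 1..63 octets, allowed bytes, no leading/trailing hyphen."""
    low = label.lower()
    if not 1 <= len(low) <= 63 or any(b not in ALLOWED_LABEL_BYTES for b in low):
        return False
    return not (low.startswith(b"-") or low.endswith(b"-"))


def classify_query(payload: bytes, dst_port: int) -> str:
    """Stage-1 cleaning verdict for one UDP datagram: 'pass' or 'drop: <reason>'."""
    if dst_port != DNS_PORT:
        return "drop: non-DNS destination port"
    if len(payload) < HEADER_LEN:
        return "drop: header shorter than 12 bytes"
    if len(payload) > MAX_UDP_MESSAGE:
        return "drop: message exceeds 512 bytes"
    h = parse_header(payload)
    if h["qr"] != 0:
        return "drop: response packet sent to port 53"
    if h["qdcount"] != 1:
        return "drop: QDCOUNT != 1"
    if h["ancount"] != 0:
        return "drop: ANCOUNT != 0 in a query"
    if h["nscount"] != 0:
        return "drop: NSCOUNT != 0 in a query"
    if h["arcount"] > 1:                    # one OPT record is allowed; its body is not parsed here
        return "drop: ARCOUNT > 1 (at most one EDNS OPT record expected)"
    parsed = parse_qname(payload)
    if parsed is None:
        return "drop: malformed QNAME"
    labels, offset = parsed
    if offset + 4 > len(payload):           # QTYPE and QCLASS must follow the name
        return "drop: truncated question section"
    if len(b".".join(labels)) > MAX_NAME_LEN:
        return "drop: name longer than 253 octets"
    for label in labels:
        if not label_ok(label):
            return "drop: illegal characters in label %r" % label
    return "pass"


def build_query(name: str, qtype: int = 1, flags: int = 0x0100, qdcount: int = 1,
                ancount: int = 0, nscount: int = 0, arcount: int = 0) -> bytes:
    """Construct a query for the examples; header counts can be forced to bad values."""
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, flags, qdcount, ancount, nscount, arcount)
    return header + wire_name + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed sample traffic: one well-formed query and several malformed ones.
    samples = [
        ("normal", build_query("www.example.com"), 53),
        ("two questions", build_query("www.example.com", qdcount=2), 53),
        ("answer in query", build_query("www.example.com", ancount=1), 53),
        ("response to port 53", build_query("www.example.com", flags=0x8180), 53),
        ("bad label", build_query("exa mple.com"), 53),
        ("long label", build_query("a" * 64 + ".com"), 53),
        ("not DNS", b"GET / HTTP/1.0\r\n\r\n", 80),
    ]
    for tag, pkt, port in samples:
        print(f"{tag:22s} -> {classify_query(pkt, port)}")
```

The verdict strings double as the drop reason a cleaning device would log; in production the 512-byte rule would be relaxed for queries that carry an EDNS(0) OPT record advertising a larger buffer, as noted in the text.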
In some embodiments, cleaning the second DNS packet according to the preset authorized domain name white list to obtain the third DNS data comprises:
cleaning the data packets in the second DNS data packet whose requested domain name is in the preset authorized domain name white list and that meet the preset speed limit condition, to obtain the third DNS data.
When it is detected that data packets may pose a potential danger, the data packets are rate limited, and different rate limiting policies are adopted for different requirements. For example, the global IP default rate limit policy sets, for each source IP user, the maximum number of queries per second (QPS) that will be served; the IP range rate limit policy sets the maximum QPS served for a configured set of source IPs; the global domain name default rate limit policy sets the maximum request QPS allowed per second for each domain name; the domain/sub-domain rate limit policy specifies the maximum request QPS allowed per second for a specific domain, a given second-level suffix domain or a given third-level suffix domain; and the authorized domain total QPS rate limit policy sets the maximum QPS served in total for an authorized domain.
When the requested domain name in a second DNS data packet is in the preset authorized domain name white list, the packet is still not necessarily clean traffic, so whether the rate limit condition is met is judged further. When the preset rate limit condition is met, the packet is constrained by the rate limit for non-trusted domain names and may be part of a DDoS attack on a normal domain name; for safety, packets of this type need to be cleaned. In this way the DNS hash attack is protected against precisely, and the situation in which cache bandwidth is congested and occupied during a DDoS attack so that normal service cannot be guaranteed is avoided.
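The rate limit layers described above, as an added Python example that is not the patent's implementation: a fixed one-second window counter keyed by source IP, by the most specific configured domain suffix, and by authorized zone, applied after the white list check. The class names, the policy values and the constructed query tuples are assumptions; how names outside the white list are treated is not shown here, the snippet only labels them.

```python
import ipaddress
from collections import defaultdict


class QpsCounter:
    """Fixed one-second window counter per key (assumed simple realization of a QPS limit)."""
    def __init__(self):
        self.window = {}                 # key -> the second the current count belongs to
        self.count = defaultdict(int)

    def hit(self, key, limit, now):
        """Count one query under key; True while the per-second count stays within limit."""
        sec = int(now)
        if self.window.get(key) != sec:  # new second: reset this key's count
            self.window[key] = sec
            self.count[key] = 0
        self.count[key] += 1
        return self.count[key] <= limit


class RateLimitPolicy:
    """Policy layers: global IP default, IP range override, global domain default,
    domain/suffix override, and a total for each authorized zone."""
    def __init__(self, ip_default, domain_default, authorized_total,
                 ip_ranges=(), domain_suffixes=None):
        self.ip_default = ip_default
        self.domain_default = domain_default
        self.authorized_total = authorized_total
        self.ip_ranges = [(ipaddress.ip_network(net), qps) for net, qps in ip_ranges]
        self.domain_suffixes = {k.lower(): v for k, v in (domain_suffixes or {}).items()}

    def ip_limit(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for net, qps in self.ip_ranges:
            if addr in net:
                return qps
        return self.ip_default

    def domain_rule(self, qname):
        """(counter key, qps): the most specific configured suffix, else the full name."""
        name = qname.lower().rstrip(".")
        labels = name.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.domain_suffixes:
                return suffix, self.domain_suffixes[suffix]
        return name, self.domain_default


def authorized_zone(qname, whitelist):
    """Return the white-listed zone that qname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in whitelist:
            return zone
    return None


def clean_third_stage(queries, whitelist, policy):
    """Apply the white list plus rate limit step to (time, src_ip, qname) tuples.
    Returns one verdict per query: forward, rate_limited or not_in_whitelist."""
    counters = QpsCounter()
    verdicts = []
    for now, src_ip, qname in queries:
        zone = authorized_zone(qname, whitelist)
        if zone is None:
            verdicts.append("not_in_whitelist")
            continue
        key, qps = policy.domain_rule(qname)
        ok_ip = counters.hit(("ip", src_ip), policy.ip_limit(src_ip), now)
        ok_domain = counters.hit(("domain", key), qps, now)
        ok_zone = counters.hit(("zone", zone), policy.authorized_total, now)
        verdicts.append("forward" if ok_ip and ok_domain and ok_zone else "rate_limited")
    return verdicts
```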
In some embodiments, after the third DNS packet is obtained, it is sent to the cache server: the cleaned traffic is forwarded to the cache server through a load balancing algorithm, and the cache server responds.
When cache poisoning is encountered, the cache poisoning defense function is started, an alarm is generated, and the poisoned DNS request message is discarded. Whether the linkage measure following the alarm is enabled can also be selected; once enabled, the poisoned domain name enters a protected state in the cache and cannot be updated for a period of time. It is also possible to choose whether to enable the 0x20 technique to actively strengthen the defense against cache poisoning.
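An added Python example (not the patent's code) of the three defenses just described, on the resolver side: 0x20 case randomization of outgoing question names, an alarm plus discard when an answer does not echo the exact transaction ID and case pattern, and the linkage measure that refuses cache updates for the affected domain for a period. The HMAC-derived case pattern, the class and method names and the protection window length are assumptions.

```python
import hashlib
import hmac


class PoisoningDefense:
    """Resolver-side bookkeeping for cache poisoning defenses (assumed design)."""

    def __init__(self, key, protect_seconds=300, use_0x20=True, linkage=True):
        self.key = key                    # secret behind the per-query case pattern
        self.protect_seconds = protect_seconds
        self.use_0x20 = use_0x20          # the selectable 0x20 technique
        self.linkage = linkage            # the selectable post-alarm linkage measure
        self.pending = {}                 # (txid, wire name) -> domain in lower case
        self.protected_until = {}         # domain -> time until which updates are refused
        self.cache = {}
        self.alarms = []

    def case_pattern(self, qname, txid):
        """0x20: derive a per-query upper/lower case pattern from HMAC(key, txid || name)."""
        lower = qname.lower()
        if not self.use_0x20:
            return lower
        mask = hmac.new(self.key, txid.to_bytes(2, "big") + lower.encode("ascii"),
                        hashlib.sha256).digest()
        out, bit = [], 0
        for ch in lower:
            if ch.isalpha():              # only letters carry a case bit
                out.append(ch.upper() if (mask[bit // 8] >> (bit % 8)) & 1 else ch)
                bit += 1
            else:
                out.append(ch)
        return "".join(out)

    def send_query(self, qname, txid):
        """Register an outgoing query; return the name as it goes on the wire."""
        wire = self.case_pattern(qname, txid)
        self.pending[(txid, wire)] = qname.lower()
        return wire

    def receive_response(self, txid, echoed_qname, rdata, now):
        """Return 'accepted', 'poisoning_attempt' or 'protected'. A response must carry
        the exact txid and the exact (case-sensitive) question name that was sent."""
        domain = self.pending.get((txid, echoed_qname))
        if domain is None:
            self.alarms.append((now, echoed_qname.lower()))       # alarm, then discard
            if self.linkage:                                      # freeze the domain
                self.protected_until[echoed_qname.lower()] = now + self.protect_seconds
            return "poisoning_attempt"
        del self.pending[(txid, echoed_qname)]
        if self.protected_until.get(domain, 0) > now:
            return "protected"            # no cache update while the domain is frozen
        self.cache[domain] = rdata
        return "accepted"
```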
In some embodiments, DNS traffic, i.e. DNS packets, passing through the traffic cleaning device can be identified on the basis of abnormal packets, request type, user source address, service address and the authorized domain name white list. For example, messages with an abnormal IP header, an abnormal UDP header, or a DNS message format that does not conform to the RFC specification can be identified; whether request messages of types such as text record TXT and NULL are cleaned can be configured according to the request type; it can be specified that only particular users are served, and requests sent by unspecified users are discarded directly; the specific service addresses, i.e. the destination addresses of DNS request messages, can be specified, and requests whose destination is not a specified service address are discarded directly; and the accessed domain name is identified precisely through the authorized domain name white list.
After DNS traffic is identified, a traffic forwarding policy is defined on the basis of filters; several filters may be defined, and no logical relationship among the filters is defined.
Taking traffic cleaning as an example, the traffic is identified and then enters the filters as original traffic. As shown in fig. 3, the original traffic may enter multiple filters, no filter is associated with another, and each filter determines according to the security policy whether the service traffic matches the forwarding policy, sending matching traffic and non-matching traffic to the forwarding policy and to the network port distributor respectively for corresponding processing. If the service traffic is matching traffic, it is treated as normal service and forwarded to a cache server through the load balancing algorithm, and the cache server responds; if it is non-matching traffic, it is discarded or rate limited.
Fig. 4 is a schematic structural diagram of a traffic cleaning apparatus according to an embodiment of the present disclosure. As shown in fig. 4, the traffic cleaning apparatus 400 may include an acquisition module 410, a first cleaning module 420, a second cleaning module 430 and a third cleaning module 440.
The acquisition module 410 is configured to acquire data packets;
the first cleaning module 420 is configured to clean the non-Domain Name System (DNS) packets and the packets whose domain name does not meet the preset condition from the data packets, to obtain a first DNS packet;
the second cleaning module 430 is configured to clean the packets in the first DNS packet whose five-tuple field content does not match the preset dynamic feature library, to obtain a second DNS packet;
and a third cleaning module 440, configured to clean the second DNS packet according to a preset authorized domain name white list, to obtain a third DNS packet.
In the embodiment of the application, DNS data packets can be identified precisely, traffic attacks can be protected against precisely, and the false positive rate of traffic cleaning is effectively reduced.
In some embodiments, the acquisition module 410 is specifically configured to acquire non-DNS packets from the port with destination port number 53.
In some embodiments, the data packets comprise DNS data packets; the first cleaning module 420 is specifically configured to clean, from the DNS data packets, the packets whose domain name does not meet the requirements of the DNS specification and the packets whose message header fields do not meet the requirements of the RFC (Request for Comments) specification, to obtain the first DNS data packet.
In some embodiments, the data packets comprise DNS data packets; the first cleaning module 420 is specifically configured to clean, from the DNS data packets, the packets whose domain name characters do not meet the preset domain name characters, to obtain the first DNS data packet.
In some embodiments, the third cleaning module 440 is specifically configured to clean the packets in the second DNS data packet whose requested domain name is in the preset authorized domain name white list and that meet the preset speed limit condition, to obtain the third DNS data.
In some embodiments, after obtaining the third DNS packet, the third DNS packet is sent to the cache server.
Each module in the apparatus shown in fig. 4 has the function of implementing the corresponding step in fig. 2 and can achieve the corresponding technical effect; for brevity, this is not described again here.
Fig. 5 shows a hardware structure diagram of a traffic cleaning device provided in an embodiment of the present application.
The traffic cleaning device may include a processor 501 and a memory 502 storing computer program instructions.
Specifically, the processor 501 may include a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
Memory 502 may include mass storage for data or instructions. By way of example, and not limitation, memory 502 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. In one example, memory 502 may include removable or non-removable (or fixed) media, or memory 502 is non-volatile solid-state memory. The memory 502 may be internal or external to the integrated gateway disaster recovery device.
In one example, memory 502 may include read-only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, or electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory 502 comprises one or more tangible (non-transitory) computer-readable storage media (e.g., a memory device) encoded with software comprising computer-executable instructions which, when executed (e.g., by one or more processors), are operable to perform the operations described with reference to the methods according to an aspect of the present application.
The processor 501 reads and executes the computer program instructions stored in the memory 502 to implement steps S210 to S240 of the embodiment shown in fig. 2 and to achieve the corresponding technical effect of those steps, which is not described again here for brevity.
In one example, the traffic cleaning apparatus may also include a communication interface 503 and a bus 510. As shown in fig. 5, the processor 501, the memory 502 and the communication interface 503 are connected via the bus 510 and communicate with one another over it.
The communication interface 503 is mainly used to implement communication between the modules, apparatuses, units and/or devices in the embodiments of the present application.
Bus 510 includes hardware, software, or both to couple the components of the traffic cleaning apparatus to one another. By way of example, and not limitation, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), or another suitable bus or a combination of two or more of these. Bus 510 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The traffic cleaning apparatus may execute the traffic cleaning method of the embodiments of the present application on the acquired data packets, thereby implementing the traffic cleaning method described in conjunction with fig. 2.
In addition, in combination with the traffic cleaning method of the foregoing embodiments, the embodiments of the present application may provide a computer storage medium for implementing it. The computer storage medium has computer program instructions stored thereon; when executed by a processor, the computer program instructions implement the traffic cleaning method of any of the above embodiments.
It is to be understood that the present application is not limited to the particular arrangements and instrumentality described above and shown in the attached drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications, and additions or change the order between the steps after comprehending the spirit of the present application.
The functional blocks shown in the above structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, a block may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the present application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this application describe some methods or systems based on a series of steps or devices. However, the present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Aspects of the present application are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware for performing the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As described above, only the specific embodiments of the present application are provided, and it can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present application, and these modifications or substitutions should be covered within the scope of the present application.

Claims (10)

1. A method of flow cleansing, comprising:
acquiring a data packet;
cleaning, from the data packets, the non-Domain Name System (DNS) data packets and the data packets whose domain name does not meet a preset condition, to obtain a first DNS data packet;
cleaning the field content of the quintuple in the first DNS data packet which is not matched with the preset dynamic feature library to obtain a second DNS data packet;
cleaning the second DNS data packet according to a preset authority domain name white list to obtain a third DNS data packet;
the preset dynamic feature library is established based on message features in a DNS data packet;
wherein, the cleaning of the field content of the quintuple in the first DNS packet that is not matched with the preset dynamic feature library to obtain a second DNS packet includes:
and cleaning a data packet of which the five-tuple lacks field content in the first DNS data packet and cleaning a data packet of which the field content of the five-tuple in the first DNS data packet is not matched with a preset dynamic feature library.
2. The method of claim 1, wherein obtaining the data packet comprises:
the non-DNS packet is obtained from the port with the destination port number 53.
3. The method of claim 1, wherein the data packet comprises a DNS data packet; the cleaning of the data packet with the domain name not meeting the preset condition in the data packet to obtain a first DNS data packet comprises the following steps:
and cleaning, from the DNS data packets, the data packets whose domain name does not meet the requirements of the DNS specification and the data packets whose message header fields do not meet the requirements of the RFC (Request for Comments) specification, to obtain a first DNS data packet.
4. The method of claim 1, wherein the data packet comprises a DNS packet; the cleaning of the data packet with the domain name not meeting the preset condition in the data packet to obtain a first DNS data packet comprises the following steps:
and cleaning the data packet of which the domain name character does not meet the preset domain name character in the DNS data packet to obtain the first DNS data packet.
5. The method of claim 1, wherein the cleaning the second DNS packet according to a preset authorized domain name white list to obtain third DNS data comprises:
and cleaning the data packets of which the request domain name in the second DNS data packet is in the preset authorized domain name white list and meets the preset speed limit condition to obtain third DNS data.
6. The method of claim 1, wherein after obtaining the third DNS packet, sending the third DNS packet to a cache server.
7. An apparatus for flow cleansing, the apparatus comprising:
the acquisition module is used for acquiring the data packet;
the first cleaning module is used for cleaning, from the data packets, the non-Domain Name System (DNS) data packets and the data packets whose domain name does not meet the preset condition, to obtain a first DNS data packet;
the second cleaning module is used for cleaning the field content of the quintuple in the first DNS data packet which is not matched with the preset dynamic feature library to obtain a second DNS data packet;
the third cleaning module is used for cleaning the second DNS data packet according to a preset authorized domain name white list to obtain a third DNS data packet;
the preset dynamic feature library is established based on message features in a DNS data packet;
wherein, the second cleaning module is specifically configured to:
and cleaning a data packet of which the five-tuple lacks field content in the first DNS data packet and cleaning a data packet of which the field content of the five-tuple in the first DNS data packet is not matched with a preset dynamic feature library.
8. The apparatus according to claim 7, wherein the acquisition module is specifically configured to acquire non-DNS packets from the port with destination port number 53.
9. A flow cleaning apparatus, comprising: a processor, and a memory storing computer program instructions; the processor reads and executes the computer program instructions to implement the method of flow cleansing as claimed in any one of claims 1-6.
10. A computer storage medium having computer program instructions stored thereon that, when executed by a processor, implement the method of flow cleansing as claimed in any one of claims 1-6.
CN202011403148.1A 2020-12-04 2020-12-04 Method, device and equipment for cleaning flow and computer storage medium Active CN112583692B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011403148.1A CN112583692B (en) 2020-12-04 2020-12-04 Method, device and equipment for cleaning flow and computer storage medium


Publications (2)

Publication Number Publication Date
CN112583692A CN112583692A (en) 2021-03-30
CN112583692B true CN112583692B (en) 2023-03-24



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant