CN112968915B - Processing method, processing system and processing device for DNS (Domain name Server) attack - Google Patents

Info

Publication number: CN112968915B
Authority: CN (China)
Legal status: Active (Google's listed legal status is an assumption, not a legal conclusion)
Application number: CN202110541580.5A
Other languages: Chinese (zh)
Other versions: CN112968915A (en)
Inventor: 向舜
Current and original assignee: Zhuo Erzhi Lian Wuhan Research Institute Co Ltd (Google notes that listed assignees may be inaccurate)
Prior art keywords: domain name, name resolution, address, chain, request

Events: application CN202110541580.5A filed by Zhuo Erzhi Lian Wuhan Research Institute Co Ltd; publication of CN112968915A; application granted; publication of CN112968915B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a method for processing attacks on a DNS (Domain Name Server), applied to a blockchain node on which a first consortium chain (also rendered "alliance chain" or "federation chain") is deployed. The method comprises: receiving a domain name resolution request sent by a client; counting the number of domain name resolution requests from the same client within a preset time length; and when the number of domain name resolution requests from the same client reaches a preset threshold, refusing to forward that client's domain name resolution requests to a blockchain node of a second consortium chain for domain name resolution, the first consortium chain and the second consortium chain being two different consortium chains. The first consortium chain thus filters out the part of the domain name resolution requests that constitutes a malicious attack on the DNS server (for example, requests from a client whose count reaches the preset threshold), so that the second consortium chain resolves only requests that are not part of an attack; the network bandwidth consumed by the malicious requests is reduced and domain name resolution efficiency is improved.

Description

Processing method, processing system and processing device for DNS (Domain name Server) attack
Technical Field
The present invention relates to the field of information technology, and in particular to a method and a system for processing a DNS name server attack, a device and a terminal for processing such an attack, and a storage medium.
Background
To fetch a web page from the internet, a Domain Name Server (DNS) is generally needed first to resolve the page's domain name into the corresponding IP address; the server at the resolved IP address is then accessed to obtain the page. On the internet, however, malicious clients frequently attack DNS servers by sending a large volume of densely spaced domain name resolution requests that occupy the server's network bandwidth and impair its normal operation.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and a system for processing a DNS name server attack, a device and a terminal for processing such an attack, and a storage medium.
The technical scheme of the application is realized as follows.
In one aspect, the present application provides a method for processing a DNS name server attack.
The method provided by the embodiments of the application is applied to a blockchain node on which a first consortium chain (also rendered "alliance chain" or "federation chain") is deployed, and comprises the following steps:
receiving a domain name resolution request sent by a client;
counting the number of domain name resolution requests from the same client within a preset time length;
and when the number of domain name resolution requests from the same client reaches a preset threshold, refusing to forward that client's domain name resolution requests to a blockchain node of a second consortium chain for domain name resolution, the first consortium chain and the second consortium chain being two different consortium chains.
In some embodiments, the method further comprises:
when the number of domain name resolution requests from the same client is smaller than the preset threshold, forwarding the client's domain name resolution requests to the blockchain node of the second consortium chain.
In some embodiments, forwarding the client's domain name resolution request to the blockchain node of the second consortium chain comprises:
sending the client's domain name resolution request to a blockchain node of the second consortium chain at a first Internet Protocol (IP) address; the response to the domain name resolution request is then sent to the client from a second IP address.
In another aspect, the present application also provides a second method for processing a DNS name server attack, applied to a blockchain node on which a second consortium chain is deployed, the method comprising:
receiving a domain name resolution request forwarded by a blockchain node of the first consortium chain after that node has determined that the number of domain name resolution requests sent by the same client within the preset time length is smaller than or equal to the preset threshold;
responding to the domain name resolution request by determining the target IP address corresponding to the domain name whose resolution is requested;
and returning the target IP address to the client.
In some embodiments, determining the target IP address in response to the domain name resolution request comprises:
generating, from the domain name resolution request, a query request conforming to a smart contract;
and querying the target IP address on a blockchain node of the second consortium chain using the query request, which contains at least the domain name to be resolved; the smart contract establishes data interaction between the blockchain nodes according to an agreed protocol.
In some embodiments, the method further comprises:
when the correspondence between the domain name to be resolved and the target IP address stored on the second consortium chain is invalid, sending an update request for that correspondence to a third consortium chain and receiving, in return, data indicating the updated correspondence;
and determining the target IP address in response to the domain name resolution request then comprises:
responding to the domain name resolution request on the basis of the data indicating the updated correspondence.
In some embodiments, receiving the domain name resolution request forwarded by the blockchain node of the first consortium chain comprises receiving the request with the first IP address as its destination address;
and returning the target IP address to the client comprises:
sending the response to the domain name resolution request, carrying the target IP address, to the client with the second IP address as its source address.
The application further provides a system for processing a DNS name server attack, the system comprising at least:
a first blockchain network on which a first consortium chain is deployed, the first blockchain network comprising at least one blockchain node of the first consortium chain;
a second blockchain network, connected to the first blockchain network, on which a second consortium chain is deployed, the second blockchain network comprising at least one blockchain node of the second consortium chain; the first consortium chain and the second consortium chain are two different consortium chains; wherein:
the blockchain nodes of the first consortium chain filter out domain name resolution requests from any client whose request count reaches a preset threshold, and forward requests whose count is below the preset threshold to the second consortium chain;
and the blockchain nodes of the second consortium chain respond to the forwarded domain name resolution requests by determining the corresponding target IP addresses.
In some embodiments, the system further comprises:
a third blockchain network, connected to the second blockchain network, on which a third consortium chain is deployed; wherein:
the blockchain nodes of the third consortium chain store the data of the correspondence between domain names to be resolved and target IP addresses, which is used to update the correspondence data stored on the second consortium chain in response to an update request sent by the second consortium chain.
In some embodiments, the blockchain node of the first consortium chain is specifically configured to refuse, when the number of domain name resolution requests from the same client reaches the preset threshold, to forward that client's domain name resolution requests to a blockchain node of the second consortium chain for domain name resolution.
In some embodiments, the blockchain node of the second consortium chain is specifically configured to generate, from the domain name resolution request, a query request conforming to a smart contract, and to query the target IP address on a blockchain node of the second consortium chain using that query request; the query request contains at least the domain name to be resolved, and the smart contract establishes data interaction between the blockchain nodes according to an agreed protocol.
In some embodiments, the blockchain node of the second consortium chain is further configured to send, when the correspondence between the domain name to be resolved and the target IP address stored on the second consortium chain is invalid, an update request for that correspondence to the third consortium chain, to receive the data indicating the updated correspondence returned in response, and to respond to the domain name resolution request on the basis of that data.
The application further provides a device for processing a DNS name server attack, applied to a blockchain node on which a first consortium chain is deployed, the device comprising:
a first processing unit, configured to receive a domain name resolution request sent by a client;
a second processing unit, configured to count the number of domain name resolution requests from the same client within a preset time length;
and a third processing unit, configured to refuse, when the number of domain name resolution requests from the same client reaches a preset threshold, to forward that client's domain name resolution requests to a blockchain node of a second consortium chain for domain name resolution, the first consortium chain and the second consortium chain being two different consortium chains.
In some embodiments, the device further comprises:
a fourth processing unit, configured to forward the client's domain name resolution requests to the blockchain node of the second consortium chain when the number of domain name resolution requests from the same client is smaller than the preset threshold.
In some embodiments, the fourth processing unit is specifically configured to send the client's domain name resolution request, when the count is smaller than the preset threshold, to the blockchain node of the second consortium chain at a first Internet Protocol (IP) address, the response to the request being sent to the client from a second IP address.
The present application further provides a second device for processing a DNS name server attack, applied to a blockchain node on which a second consortium chain is deployed, the device comprising:
a first processing unit, configured to receive a domain name resolution request forwarded by a blockchain node of a first consortium chain after that node has determined that the number of domain name resolution requests sent by the same client within the preset time length is smaller than or equal to a preset threshold;
a second processing unit, configured to respond to the domain name resolution request by determining the target IP address corresponding to the requested domain name;
and a third processing unit, configured to return the target IP address to the client.
In some embodiments, the second processing unit is specifically configured to generate, from the domain name resolution request, a query request conforming to a smart contract, and to query the target IP address on a blockchain node of the second consortium chain using that query request; the query request contains at least the domain name to be resolved, and the smart contract establishes data interaction between the blockchain nodes according to an agreed protocol.
In some embodiments, the device further comprises:
a fourth processing unit, configured to send, when the correspondence between the domain name to be resolved and the target IP address stored on the second consortium chain is invalid, an update request for that correspondence to a third consortium chain, to receive the data indicating the updated correspondence returned in response, and to respond to the domain name resolution request on the basis of that data.
In some embodiments, the first processing unit is specifically configured to receive the domain name resolution request forwarded by the blockchain node of the first consortium chain with the first IP address as its destination address;
and the third processing unit is specifically configured to send the response to the domain name resolution request, carrying the target IP address, to the client with the second IP address as its source address.
In another aspect, the present application further provides a terminal.
The terminal provided by the embodiments of the application comprises a processor and a memory storing a computer program that can run on the processor; when running the program, the processor executes the steps of the method for processing a DNS name server attack provided by the embodiments of the present application.
In yet another aspect, the present application further provides a computer-readable storage medium.
The computer-readable storage medium provided by the embodiments of the present application stores a computer program which, when executed by a processor, implements the steps of the method for processing a DNS name server attack provided by the embodiments of the present application.
The method for processing a DNS name server attack, applied to a blockchain node on which a first consortium chain is deployed, comprises: receiving a domain name resolution request sent by a client; counting the number of domain name resolution requests from the same client within a preset time length; and when the number of domain name resolution requests from the same client reaches a preset threshold, refusing to forward that client's domain name resolution requests to a blockchain node of a second consortium chain for domain name resolution, the first consortium chain and the second consortium chain being two different consortium chains. In the application, a first consortium chain and a second consortium chain with different functions are deployed in a domain name server cluster; the first consortium chain identifies the part of the domain name resolution requests that constitutes a malicious attack on the domain name server (for example, requests from a client whose count reaches the preset threshold) and refuses to forward that part to the blockchain nodes of the second consortium chain for resolution. The function of a conventional DNS server, which both receives domain name resolution requests and resolves them, is thus split between the first consortium chain and the second consortium chain: the first filters out malicious requests, so the second resolves only requests that are not part of an attack, the resources needed for domain name resolution are not spent answering attack requests, the network bandwidth consumed by attack requests is reduced, and resolution of normal domain name resolution requests is guaranteed.
Drawings
Fig. 1 is a first flowchart of a method for processing a DNS name server attack according to an exemplary embodiment;
Fig. 2 is a flowchart of a method for processing a DNS name server attack according to an exemplary embodiment;
Fig. 3 is a flowchart of a method for processing a DNS name server attack according to an exemplary embodiment;
Fig. 4 is a first schematic diagram of a device for processing a DNS name server attack according to an exemplary embodiment;
Fig. 5 is a second schematic diagram of a device for processing a DNS name server attack according to an exemplary embodiment;
Fig. 6 is a flow diagram of building the consortium chain system according to an exemplary embodiment;
Fig. 7 is a schematic diagram of a terminal structure according to an exemplary embodiment.
Detailed Description
The technical solution of the present invention is further described in detail with reference to the drawings and the specific embodiments of the specification. Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
A denial-of-service attack (DoS/DDoS) is a common internet attack in which the attacker, directly or indirectly, sends requests to a target host that occupy a large share of its network bandwidth or system resources, so that the target can no longer respond to requests from normal users. A saturating (volumetric) attack is a denial-of-service attack whose traffic exceeds the bandwidth ceiling of the network: because the attack traffic plus the legitimate query traffic exceeds that ceiling before reaching the target server, the routers drop packets indiscriminately, and the target server fails to receive normal user requests.
The application provides a method for processing a DNS name server attack, applied to a blockchain node on which a first consortium chain is deployed. Fig. 1 is a first flowchart of the method according to an exemplary embodiment. As shown in Fig. 1, the method comprises:
step 10, receiving a domain name resolution request sent by a client;
step 11, counting the number of domain name resolution requests from the same client within a preset time length;
and step 12, when the number of domain name resolution requests from the same client reaches a preset threshold, refusing to forward that client's domain name resolution requests to a blockchain node of a second consortium chain for domain name resolution, the first consortium chain and the second consortium chain being two different consortium chains.
In this exemplary embodiment, domain name resolution maps a domain name to the IP (Internet Protocol) address of the host that serves it, so that people can reach a web site through its registered domain name. An IP address is the numeric address that identifies a host on the network; a domain name is used in its place because it is easier to remember. Domain name resolution is the process of converting a domain name into an IP address; it is performed by DNS servers, and a domain name resolution request is the request a client sends to a DNS server for that purpose.
In this exemplary embodiment, a consortium chain is a blockchain jointly managed by several organizations, each operating one or more blockchain nodes; only the participating organizations may read and write data and submit transactions, and they record the transaction data jointly. The organizations comprise an internet service provider, a public recursive resolution service organization, an authoritative resolution service organization, an application service provider, and a multilateral coordination committee.
In this exemplary embodiment, the first consortium chain and the second consortium chain may be deployed on different physical machines, or, when they share physical machines, be allocated different hardware and/or software resources. For example, the first consortium chain is deployed on physical machines A, B and C and the second consortium chain on physical machines D, E and F; or, alternatively, the first consortium chain is deployed in a first storage area of physical machine A and the second consortium chain in a second, different storage area of the same physical machine A.
In this exemplary embodiment, the multilateral coordination committee, which holds the highest configuration authority in the consortium chain, establishes the first and second consortium chains by modifying the network configuration. Specifically, it creates a traffic scrubbing channel and an edge resolution channel, and adds the ordering (queuing) node, the consortium members' nodes and the client to each channel according to the rules specified in the channel configuration, thereby completing the first consortium chain network (corresponding to the traffic scrubbing channel) and the second consortium chain network (corresponding to the edge resolution channel, which performs domain name resolution).
In this exemplary embodiment, the number of domain name resolution requests a client sends within the preset time length normally stays within the preset threshold; exceeding it within that time length readily causes network congestion. A DNS attack consists precisely of sending a large number of densely spaced domain name resolution requests in a short time so as to occupy network bandwidth and congest the network. Therefore, when the domain name resolution requests sent by the same client within the preset time length reach the preset threshold, that client's requests can be treated as a malicious attack. For example, the preset time length may be 1 second and the preset threshold 100: a client that sends more than 100 domain name resolution requests within one second is regarded as sending malicious requests.
One client may correspond to one or more terminals; terminals that share one IP address are therefore treated as a single client. A practical consequence is that many terminals behind one NAT address can jointly reach a threshold that no single one of them would, so the threshold has to be chosen with shared addresses in mind.
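The counting rule of steps 10 to 12 with the worked numbers above (1 second, 100 requests), as an added example in Python that is not part of the patent: the first-chain node keeps, per client address, the timestamps of that client's recent requests and refuses a request once the count inside the window reaches the threshold. The class and function names, the sliding-window structure, the idle-client eviction and the request trace are assumptions made for this example; the patent does not say how the count is kept.

```python
"""Per-client request counting for steps 10 to 12 (first-chain node).

Added example, not code from the patent. Assumptions: a client is identified
by its source IP address; the window is 1 second and the threshold is 100,
the example values the description gives. The request trace is constructed
inline instead of being read from a socket.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 1.0   # "preset time length"
THRESHOLD = 100        # "preset threshold"

FORWARD = "forward"    # pass the request on to the second-chain (resolver) node
REFUSE = "refuse"      # client reached the threshold inside the window: do not forward


class ClientRateFilter:
    """Sliding-window counter: per client address, the timestamps of its most
    recent requests inside the window (at most `threshold` of them are kept)."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = THRESHOLD) -> None:
        self.window = window
        self.threshold = threshold
        self._recent: Dict[str, Deque[float]] = {}

    def decide(self, client_ip: str, now: float) -> str:
        # maxlen bounds the memory held per client even under a sustained flood.
        q = self._recent.setdefault(client_ip, deque(maxlen=self.threshold))
        # Forget requests that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        # "reaches a preset threshold" -> refuse; below it -> forward.
        return REFUSE if len(q) >= self.threshold else FORWARD

    def forget_idle(self, now: float) -> int:
        """Drop state for clients with nothing left in the window; returns how many.
        Without this, a flood from many (possibly spoofed) source addresses
        grows the table without bound."""
        idle = [ip for ip, q in self._recent.items() if not q or now - q[-1] >= self.window]
        for ip in idle:
            del self._recent[ip]
        return len(idle)


def constructed_trace() -> List[Tuple[str, float]]:
    """(client_ip, timestamp) pairs, constructed for the example."""
    trace = [("10.0.0.5", 0.10), ("10.0.0.5", 0.90), ("10.0.0.5", 1.70)]   # ordinary client
    trace += [("198.51.100.7", 0.2 + i * 0.001) for i in range(150)]       # 150 requests in 0.15 s
    trace.append(("198.51.100.7", 2.5))                                    # same client after a quiet second
    return sorted(trace, key=lambda e: e[1])


def summarize(trace: List[Tuple[str, float]], window: float = WINDOW_SECONDS,
              threshold: int = THRESHOLD) -> Dict[str, Dict[str, int]]:
    """Run the filter over a trace and count the decisions taken per client."""
    f = ClientRateFilter(window, threshold)
    out: Dict[str, Dict[str, int]] = {}
    for ip, t in trace:
        out.setdefault(ip, {FORWARD: 0, REFUSE: 0})[f.decide(ip, t)] += 1
    return out


if __name__ == "__main__":
    for ip, counts in summarize(constructed_trace()).items():
        print(ip, counts)
```

On the constructed trace the ordinary client is forwarded three times, the flooding client is forwarded 99 times, refused from its 100th request on, and forwarded again once it has been quiet for a full window. A fixed-window counter would also satisfy the description; the sliding window avoids the double-sized burst a fixed window admits around its boundary. Because DNS over UDP carries no proof of the source address, per-address counting can be evaded with spoofed sources and can wrongly refuse a shared (NAT) address, which is why the example bounds memory per client and evicts idle entries.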
In the method of the embodiments of the present application, a first consortium chain and a second consortium chain with different functions are deployed in a DNS server cluster; the first consortium chain identifies the part of the domain name resolution requests that constitutes a malicious attack on the DNS server (for example, requests from a client whose count reaches the preset threshold) and refuses to forward that part to the blockchain nodes of the second consortium chain for resolution. The function of a conventional DNS server, which both receives and resolves domain name resolution requests, is thus split between the two chains, so that the second consortium chain resolves only requests that are not part of an attack, resolution resources are not spent answering attack requests, the bandwidth consumed by attack requests is reduced, and resolution of normal domain name resolution requests is ensured.
In some embodiments, the method further comprises:
when the number of domain name resolution requests from the same client is smaller than the preset threshold, forwarding the client's domain name resolution requests to the blockchain node of the second consortium chain.
In this exemplary embodiment, when the number of domain name resolution requests from the same client is smaller than the preset threshold, the client's requests can be treated as normal requests, and the first consortium chain forwards them to a blockchain node of the second consortium chain, which resolves them; this helps keep the DNS server operating normally.
In some embodiments, forwarding the client's domain name resolution request to the blockchain node of the second consortium chain comprises:
sending the client's domain name resolution request to a blockchain node of the second consortium chain at a first Internet Protocol (IP) address; the response to the domain name resolution request is then sent to the client from a second IP address.
In this exemplary embodiment, the first IP address is the address on which the blockchain node of the second consortium chain receives the domain name resolution requests forwarded by the blockchain node of the first consortium chain, and the second IP address is the address from which that node returns the target IP address to the client. The two are different IP addresses, so that the ingress and egress paths are separated and the second IP address is easier to keep hidden than if both functions shared one address: were they the same address, exposure of and attacks on the first IP address would necessarily hit the second as well, which would hinder sending the resolved target IP address back to the client from that source address. Separating the two addresses therefore lowers the probability that the second IP address is exposed and attacked and helps the result reach the client. One point to check in a deployment: a standard stub resolver following RFC 5452 accepts a response only if its source address matches the address the query was sent to, so either the client must address its queries to the second IP address or the response must be relayed back through the node the client addressed; otherwise the answer is discarded as a possible forgery.
In another aspect, the application also provides a second method for processing a DNS name server attack, applied to a blockchain node on which a second consortium chain is deployed. Fig. 2 is a flowchart of the method according to an exemplary embodiment. As shown in Fig. 2, the method comprises:
step 20, receiving a domain name resolution request forwarded by a blockchain node of the first consortium chain after that node has determined that the number of domain name resolution requests sent by the same client within the preset time length is smaller than or equal to the preset threshold;
step 21, responding to the domain name resolution request by determining the target IP address corresponding to the requested domain name;
and step 22, returning the target IP address to the client.
In this exemplary embodiment, when the number of domain name resolution requests from the same client is smaller than or equal to the preset threshold, the client's requests can be treated as normal, and the first consortium chain forwards them to the blockchain node of the second consortium chain. That node receives the forwarded request, determines the target IP address corresponding to it, and returns the target IP address to the client, thereby resolving the normal domain name resolution request.
In this exemplary embodiment, the blockchain node of the second consortium chain stores the domain names to be resolved together with their correspondence to target IP addresses. It therefore determines the target IP address for a request directly, without the level-by-level lookup through the DNS hierarchy, which improves the server's resolution efficiency and reduces the amount of query traffic forwarded on the user's behalf.
In some embodiments, the determining, in response to the domain name resolution request, a target IP address corresponding to the domain name requested to be resolved includes:
generating a query request conforming to a smart contract based on the domain name resolution request;
querying the target IP address on a blockchain node of the second federation chain based on the query request; the query request at least comprises the domain name to be resolved; the smart contract is used for establishing data interaction among the blockchain nodes according to a determined protocol.
In the present exemplary embodiment, a smart contract is a computer protocol intended to disseminate, verify, or execute a contract in an informatized way. Smart contracts allow trusted transactions to be conducted without a third party; these transactions are traceable and irreversible. That is, data interaction among all the blockchain nodes is established by a determined protocol.
A blockchain-based smart contract comprises a transaction processing and saving mechanism and a complete state machine, used for receiving and processing the various smart contracts; both the saving and the state processing of the transaction are done on the blockchain. A transaction mainly comprises the data that needs to be sent; an event is the descriptive information of that data, including the rules for processing it. The data processing rule may be that a preset data resource is automatically issued from the smart contract when a trigger condition contained in the event description information is satisfied.
The smart contract is a system formed by a transaction processing module and a state machine; it neither generates nor modifies smart contracts, and exists so that a complex set of digitized commitments with trigger conditions can be executed correctly according to the participants' intentions.
In the present exemplary embodiment, the smart contract at least includes the domain name to be resolved, the target IP address, and the correspondence between the domain name and the target IP address. After the smart contract is established, it is propagated through a P2P network and stored in the blockchain. In the smart contract, the trigger condition in the event description information is a query request that includes the domain name to be resolved, and the data to be sent contained in the transaction is the target IP address corresponding to that domain name. On receiving the query request, the blockchain node automatically issues, through the smart contract, the data resource corresponding to the trigger condition, namely the target IP address corresponding to the domain name to be resolved, so that the target IP address is queried on the blockchain node of the second federation chain.
In the present exemplary embodiment, when the pre-stored data resources (the domain names to be resolved, the target IP addresses, and the correspondence between domain names and target IP addresses) exceed the preset memory capacity, parts of the pre-stored data resources may be stored on different blockchain nodes of the second federation chain. For example, since the memory of a single blockchain node is limited, it cannot store all of the data resources; in that case, a part of the data resources may be stored separately on each blockchain node. The data resources stored on each blockchain node may differ, i.e. different domain names and their correspondence with target IP addresses are stored on different nodes. When the target IP address is queried and is not found on one blockchain node, a synchronized query can be carried out on the other blockchain nodes, so that the target IP address corresponding to the domain name can be found quickly even when a large number of domain names are stored, which in turn helps to improve the domain name resolution efficiency of the server.
In some embodiments, the method further comprises:
when the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain is invalid, sending an update request for updating the correspondence to a third federation chain, and receiving data indicating the updated correspondence returned in response to the update request;
the determining, in response to the domain name resolution request, a target IP address corresponding to the domain name requested to be resolved includes:
responding to the domain name resolution request based on the data indicating the updated correspondence.
In this exemplary embodiment, the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain being invalid includes the case where that correspondence has changed.
In the present exemplary embodiment, the third federation chain is a federation chain different from the first federation chain and the second federation chain, and is used for storing the most recently updated correspondence data between domain names and target IP addresses. When data is updated, the correspondence data in the local server may update the data stored in the third federation chain. The second federation chain sends an update request to the third federation chain to update its data, and the third federation chain updates the correspondence data stored on the second federation chain according to the update request. The second federation chain then responds to the domain name resolution request according to the updated correspondence data.
In this exemplary embodiment, the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain being invalid also includes the case where the storage file of the correspondence data is damaged so that the data cannot be accessed. In that case, the correspondence data stored in the second federation chain may be updated, and thus restored, from the data stored in the third federation chain. The data stored in the third federation chain may be correspondence data uploaded directly by a local server, or correspondence data mirrored from the second federation chain while its data was still valid. Therefore, when the data fails, it can be updated through the third federation chain, and the smooth completion of domain name resolution can be guaranteed.
In some embodiments, the receiving a domain name resolution request forwarded by a blockchain node of the first federation chain includes receiving the domain name resolution request forwarded by the blockchain node of the first federation chain with a first IP address as the destination address;
the returning the target IP address to the client includes:
sending a response message of the domain name resolution request carrying the target IP address to the client with a second IP address as the source address.
In the present exemplary embodiment, the first IP address is the IP address used when the blockchain node of the second federation chain receives the domain name resolution request forwarded by the blockchain node of the first federation chain; the second IP address is the IP address used when the blockchain node of the second federation chain feeds the target IP address back to the client. In the application, the first IP address and the second IP address are two different IP addresses, so that the two are separated, which makes hiding the second IP address easier than when the same IP address is used for both. If the first IP address and the second IP address were the same, then once the first IP address is exposed and attacked, the second IP address would necessarily be attacked at the same time, which is obviously unfavourable to feeding back the resolved target IP address to the client with the second IP address as the source address. Therefore, separating the first IP address from the second IP address reduces the probability that the second IP address is exposed and the possibility that it is attacked, which in turn helps the target IP address to be fed back smoothly.
In the present exemplary embodiment, the target IP address query may be performed using a bloom filter. A bloom filter can be used to check whether an element is in a set, and greatly improves query efficiency when data is queried; its space efficiency and query time are far better than those of general algorithms. Thus, a bloom filter can be constructed from the domain names, and the target IP address queried through the bloom filter.
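As an added example (not code from the patent), the following Python combines the two mechanisms described above for the second federation chain: the domain-name-to-IP mapping is partitioned across several nodes, and each node builds a bloom filter from the domain names it holds, so that a query is only sent to nodes whose filter reports a possible hit. A bloom filter can report false positives but never false negatives, so a filter hit is still confirmed against the node's actual records; the node names, domain names and addresses are constructed.

```python
import hashlib
import math


class BloomFilter:
    """Minimal bloom filter over strings, sized for a target false-positive rate."""

    def __init__(self, expected_items, false_positive_rate=0.01):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Derive k positions by salting SHA-256 with the hash index.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item):
        """False means definitely absent; True means possibly present."""
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


class ChainNode:
    """One blockchain node of the second federation chain holding part of the mapping."""

    def __init__(self, name, records):
        self.name = name
        self.records = dict(records)  # domain name -> target IP address
        self.bloom = BloomFilter(len(self.records))
        for domain in self.records:
            self.bloom.add(domain)

    def query(self, domain):
        # The authoritative check is the record store itself, not the filter.
        return self.records.get(domain)


class SecondChain:
    """Routes a query only to the nodes whose bloom filter reports a possible hit."""

    def __init__(self, nodes):
        self.nodes = list(nodes)

    def resolve(self, domain):
        """Return (target_ip or None, number of nodes actually queried)."""
        queried = 0
        for node in self.nodes:
            if not node.bloom.might_contain(domain):
                continue  # definitely not on this node, skip it
            queried += 1
            ip = node.query(domain)
            if ip is not None:
                return ip, queried
        return None, queried


def build_constructed_chain():
    """Constructed sample partition: three nodes, each holding a different slice."""
    return SecondChain([
        ChainNode("node-1", {"alpha.example": "203.0.113.10", "beta.example": "203.0.113.11"}),
        ChainNode("node-2", {"gamma.example": "203.0.113.20"}),
        ChainNode("node-3", {"delta.example": "203.0.113.30", "epsilon.example": "203.0.113.31"}),
    ])


if __name__ == "__main__":
    chain = build_constructed_chain()
    for name in ("gamma.example", "missing.example"):
        print(name, chain.resolve(name))
```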
In some embodiments, the method further comprises:
when the target IP address is not found on the blockchain node of the second federation chain, sending a level-by-level query request to the domain name servers according to the domain name level, with the second IP address as the source address.
In the present exemplary embodiment, the method of sending query requests to the domain name servers level by level according to the domain name hierarchy, and obtaining the final target IP address by querying level by level, is also called an iterative query: the final target IP address is found in order from the root domain server to the top-level domain, the second-level domain and then the sub-domain. That is, the query request may be sent to the server managing the root domain; if the root domain name server cannot resolve the IP address of the domain name, the top-level domain name server is queried; if it cannot either, the authoritative domain name server is queried, until the target IP address is found.
In the application, the IP address on which the domain name resolution request forwarded by the first federation chain is received and the IP address from which the level-by-level query request is sent outwards are two different IP addresses, so that when the target IP address cannot be found on the blockchain node of the second federation chain and the DNS server is under a denial-of-service attack, the server can still normally receive the target IP address obtained by the level-by-level query. The domain name server performing the level-by-level query may be a server in the server cluster on which the second federation chain is not deployed.
In some embodiments, the second federation chain stores the correspondence between first-class domain names and target IP addresses, and the third federation chain stores at least the correspondence between second-class domain names and target IP addresses, where a first-class domain name is a domain name whose number of accesses within a preset time period exceeds a preset number, and a second-class domain name is a domain name whose number of accesses within the preset time period does not exceed the preset number;
the method further comprises the following steps:
when the number of accesses of a domain name among the second-class domain names within a preset time period exceeds the preset number, sending an update request for updating the correspondence to the third federation chain, and updating the correspondence between that domain name and its IP address to the second federation chain.
When the number of accesses of a domain name among the first-class domain names stored in the second federation chain within a preset time period does not exceed the preset number, deleting the correspondence between that domain name and its IP address, or updating that correspondence to the third federation chain.
In the present exemplary embodiment, the first-class domain names may be hotspot domain names, i.e. domain names that are frequently visited relative to non-hotspot domain names: domain names accessed more than the preset number of times within the preset time period. The second-class domain names may be non-hotspot domain names, i.e. domain names that are not frequently visited: domain names accessed no more than the preset number of times within the preset time period.
In this way, only the domain names with a higher access frequency (the first-class domain names) need to be stored in the second federation chain; when the access frequency of a domain name with a lower access frequency (a second-class domain name) rises within a preset time period, the correspondence between that domain name and its IP address can be updated into the second federation chain in time through the third federation chain, and when the access frequency of a first-class domain name stored in the second federation chain drops so that it becomes a second-class domain name, the correspondence between that domain name and its IP address is deleted. Therefore, while making use of the limited memory resources of the second federation chain, the resolution efficiency of hotspot domain names can be effectively improved.
In this exemplary embodiment, when the third federation chain stores both the correspondence between first-class domain names and target IP addresses and the correspondence between second-class domain names and target IP addresses, and the number of accesses of a first-class domain name stored in the second federation chain within a preset time period does not exceed the preset number, the correspondence between that domain name and its IP address is deleted.
In this exemplary embodiment, when the third federation chain stores only the correspondence between second-class domain names and target IP addresses, and the number of accesses of a first-class domain name stored in the second federation chain within a preset time period does not exceed the preset number, the correspondence between that domain name and its IP address is updated to the third federation chain and deleted from the second federation chain.
In some embodiments, the method further comprises:
when the client requests resolution of a second-class domain name and the corresponding target IP address cannot be found in the second federation chain, the target IP address corresponding to that second-class domain name can be queried in the third federation chain by a level-by-level query.
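As an added example (not code from the patent), the following Python models the hotspot tiering described above together with the fallback lookup: the second federation chain holds only first-class (hot) mappings, the third federation chain holds the rest, and at the end of each preset time period domain names are promoted or demoted by comparing their access count with the preset number. The flag third_holds_all selects between the two embodiments (the third chain stores both classes, so a cooled domain is simply deleted; or only the second class, so the mapping is moved back); the domain names, addresses and preset number are constructed.

```python
from collections import Counter


class TieredResolver:
    """Second federation chain (hot set) in front of the third federation chain."""

    def __init__(self, third_chain, preset_count, third_holds_all=True):
        self.second = {}                    # first-class domain -> target IP
        self.third = dict(third_chain)      # constructed full or cold-only mapping
        self.preset_count = preset_count    # accesses per period that make a domain hot
        self.third_holds_all = third_holds_all
        self.access = Counter()             # accesses in the current preset time period

    def resolve(self, domain):
        """Return (target_ip or None, which chain answered)."""
        self.access[domain] += 1
        ip = self.second.get(domain)
        if ip is not None:
            return ip, "second"
        # Not a hot domain: fall back to querying the third federation chain.
        ip = self.third.get(domain)
        if ip is not None:
            return ip, "third"
        return None, "none"

    def end_of_period(self):
        """Apply the promotion and demotion rules, then start a new period.

        Returns (promoted, demoted) lists of domain names.
        """
        promoted, demoted = [], []
        # Second-class domains accessed more than the preset number become hot:
        # the second chain asks the third chain for the mapping and stores it.
        for domain, count in self.access.items():
            if count > self.preset_count and domain not in self.second and domain in self.third:
                self.second[domain] = self.third[domain]
                if not self.third_holds_all:
                    # Assumption for this example: a chain that holds only the
                    # second class drops the mapping once it has been promoted.
                    del self.third[domain]
                promoted.append(domain)
        # First-class domains not accessed more than the preset number cool down.
        for domain in list(self.second):
            if self.access[domain] <= self.preset_count:
                ip = self.second.pop(domain)
                if not self.third_holds_all:
                    self.third[domain] = ip   # move the mapping back to the third chain
                demoted.append(domain)
        self.access.clear()
        return promoted, demoted


def constructed_run(third_holds_all=True):
    """Two periods of constructed traffic; returns a trace of answers and tier changes."""
    resolver = TieredResolver(
        {"hot.example": "198.51.100.10", "cold.example": "198.51.100.20"},
        preset_count=2,
        third_holds_all=third_holds_all,
    )
    trace = []
    trace.append([resolver.resolve("hot.example")[1] for _ in range(3)])
    trace.append(resolver.end_of_period())          # three accesses: promoted
    trace.append(resolver.resolve("hot.example")[1])
    trace.append(resolver.end_of_period())          # one access only: demoted
    trace.append(resolver.resolve("hot.example")[1])
    return trace


if __name__ == "__main__":
    for step in constructed_run():
        print(step)
```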
Fig. 3 is a flowchart illustrating a method for handling a DNS nameserver attack according to an exemplary embodiment. As shown in fig. 3, the method includes:
a client A sends a large number of dense domain name resolution requests to the DNS (domain name server) using forged IP (Internet Protocol) addresses, and a client B sends a normal domain name resolution request to the DNS;
after the blockchain nodes of the first federation chain deployed on the DNS domain name server cluster receive the large number of dense domain name resolution requests sent by client A, they filter these requests;
after receiving the domain name resolution request sent by client B, the first federation chain (a blockchain node on that chain) deployed on the DNS domain name server cluster forwards the request to the second federation chain (a blockchain node on that chain) deployed on the DNS domain name server cluster;
the second federation chain (a blockchain node on that chain) responds to the domain name resolution request sent by client B and resolves it to obtain the target IP address corresponding to the domain name;
the second federation chain (a blockchain node on that chain) returns the target IP address to client B.
The application provides a processing system for a DNS domain name server attack, the processing system at least comprising:
a first blockchain network deployed with a first federation chain; wherein the first blockchain network comprises at least one blockchain node of the first federation chain;
a second blockchain network connected to the first blockchain network and deployed with a second federation chain; wherein the second blockchain network comprises at least one blockchain node of the second federation chain; the first federation chain and the second federation chain are two different federation chains; wherein:
the blockchain node of the first federation chain is used for filtering domain name resolution requests from the same client whose number reaches a preset threshold, and forwarding domain name resolution requests whose number is less than the preset threshold to the second federation chain;
and the blockchain node of the second federation chain is used for responding to the domain name resolution request and determining the target IP address corresponding to the domain name resolution request.
In the present exemplary embodiment, a first blockchain network and a second blockchain network are formed in a server cluster. The first blockchain network is deployed with the first federation chain; the second blockchain network is connected with the first blockchain network and is deployed with the second federation chain. Data interaction can be carried out between the blockchain nodes of the first federation chain and the blockchain nodes of the second federation chain.
In the exemplary embodiment, domain name resolution is a protocol for pointing a domain name to the IP (Internet Protocol) address of a web space, which allows people to conveniently access the services of a web site through a registered domain name. An IP address is a numeric address identifying a station on the network; a domain name is adopted in place of the IP address to identify the station address for ease of memory. Domain name resolution is the process of converting a domain name to an IP address, and is completed by the DNS server. A domain name resolution request is a request for domain name resolution sent by a client to the DNS server.
In the exemplary embodiment, a federation chain is a blockchain whose management is shared by several institutions, each operating one or more nodes, and whose data only allows the different institutions in the system to read, write and send transactions and to jointly record the transaction data. The participating institutions comprise an internet service provider, a public recursive resolution service institution, an authoritative resolution service institution, an application service provider, and a multilateral coordination committee.
The multilateral coordination committee establishes the first federation chain and the second federation chain by modifying the network configuration. Specifically, a traffic cleaning channel and an edge resolution channel are created respectively; the queuing node, the federation nodes and the client are added to the channels according to the rules specified in the channel configuration; and the establishment of the first federation chain network (corresponding to the traffic cleaning channel) and the second federation chain network (corresponding to the edge resolution channel, used for domain name resolution) is completed. The multilateral coordination committee has the highest configuration authority in the federation chain.
In the exemplary embodiment, under normal conditions the number of domain name resolution requests sent by a client within a preset time length is generally within a preset threshold; network congestion is easily caused when the number of domain name resolution requests within the preset time length exceeds the preset threshold. A DNS attack, however, attacks the server by sending a large number of dense domain name resolution requests in a short time to occupy network bandwidth and cause network congestion. Therefore, when the number of domain name resolution requests sent by the same client within the preset time reaches the preset threshold, the domain name resolution requests sent by that client can be regarded as malicious attack requests. For example, the preset time period may be 1 second and the preset threshold may be 100. If the number of domain name resolution requests sent by a client in one second exceeds 100, the domain name resolution requests sent by that client can be regarded as malicious requests.
The processing system for the DNS domain name server attack deploys a first federation chain and a second federation chain with different functions in the DNS domain name server cluster. The part of the domain name resolution requests that constitutes a malicious attack on the DNS (domain name server) is identified through the first federation chain (for example, those from the same client whose number reaches the preset threshold) and filtered out, and the domain name resolution requests whose number is smaller than the preset threshold are forwarded to the second federation chain. In this way, the function of the DNS of directly receiving and resolving domain name resolution requests is split across the first federation chain and the second federation chain: malicious requests are filtered by the first federation chain, and the second federation chain only resolves domain name resolution requests that are not malicious attacks, which reduces the network bandwidth occupied by the malicious attack part of the domain name resolution requests and improves domain name resolution efficiency.
In some embodiments, the system further comprises:
a third blockchain network connected to the second blockchain network and deployed with a third federation chain; wherein:
the data of the correspondence between the domain name to be resolved and the target IP address is stored on the blockchain node of the third federation chain, and is used for updating the correspondence data stored on the second federation chain based on the update request sent by the second federation chain.
In the present exemplary embodiment, the third federation chain is a federation chain different from the first federation chain and the second federation chain, and is used for storing the most recently updated correspondence data between domain names and target IP addresses. When data is updated, the correspondence data in the local server may update the data stored in the third federation chain. The second federation chain sends an update request to the third federation chain to update its data, and the third federation chain updates the correspondence data stored on the second federation chain according to the update request.
In some embodiments, the blockchain node of the first federation chain being configured to filter domain name resolution requests from the same client whose number reaches a preset threshold includes:
the blockchain node of the first federation chain is specifically configured to, when the number of domain name resolution requests of the same client reaches the preset threshold, refuse to forward the domain name resolution request of that client to a blockchain node of the second federation chain for domain name resolution.
In this exemplary embodiment, when the number of domain name resolution requests of the same client reaches the preset threshold, the domain name resolution requests sent by that client may be regarded as malicious attack requests. At this time, the blockchain node of the first federation chain refuses to forward the domain name resolution request of that client to the blockchain node of the second federation chain for domain name resolution, which relieves the situation where a large number of malicious requests occupy network bandwidth and ensures that the DNS domain name server can complete domain name resolution for normal requests.
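As an added example (not code from the patent), the following Python models the counting rule of the first federation chain node described here and in the 1 second / 100 request example given for the processing system above: requests from the same client are counted within a sliding preset time length, and once the count reaches the preset threshold the node refuses to forward the request to the second federation chain. The client identifiers, timestamps and the traffic shape (a flooding client A and a normal client B, as in Fig. 3) are constructed.

```python
from collections import defaultdict, deque

# The page's example values: a 1 second window and a threshold of 100 requests.
PRESET_DURATION = 1.0
PRESET_THRESHOLD = 100


class FirstChainFilter:
    """Per-client sliding-window counter modelled on the first federation chain node.

    Each client (keyed here by a constructed identifier standing in for its
    source address) keeps the timestamps of its requests inside the window.
    """

    def __init__(self, window=PRESET_DURATION, threshold=PRESET_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._times = defaultdict(deque)  # client -> timestamps inside the window

    def handle(self, client, ts):
        """Decide one request: return "forward" or "refuse".

        The request is refused (not forwarded to the second federation chain)
        when the client's count within the preset time length has reached
        the preset threshold.
        """
        q = self._times[client]
        # Expire timestamps older than the window so only the current
        # preset time length is counted.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        if len(q) >= self.threshold:
            return "refuse"
        return "forward"


def constructed_traffic():
    """Constructed sample traffic mirroring Fig. 3: client A floods, client B is normal."""
    requests = [("A", i * 0.001) for i in range(500)]  # 500 requests within 0.5 s
    requests += [("B", i * 0.2) for i in range(5)]      # 5 requests spread over 0.8 s
    requests.sort(key=lambda r: r[1])
    return requests


def simulate(requests, window=PRESET_DURATION, threshold=PRESET_THRESHOLD):
    """Run the filter over the requests and return per-client decision counts."""
    node = FirstChainFilter(window, threshold)
    outcome = defaultdict(lambda: {"forward": 0, "refuse": 0})
    for client, ts in requests:
        outcome[client][node.handle(client, ts)] += 1
    return dict(outcome)


if __name__ == "__main__":
    for client, counts in sorted(simulate(constructed_traffic()).items()):
        print(client, counts)
```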
In some embodiments, the blockchain node of the second federation chain being configured to determine, in response to the domain name resolution request, a target IP address corresponding to the domain name requested to be resolved includes:
the blockchain node of the second federation chain is specifically used for generating a query request conforming to a smart contract based on the domain name resolution request;
querying the target IP address on a blockchain node of the second federation chain based on the query request; the query request at least comprises the domain name to be resolved; the smart contract is used for establishing data interaction among the blockchain nodes according to a determined protocol.
In the present exemplary embodiment, a smart contract is a computer protocol intended to disseminate, verify, or execute a contract in an informatized way. Smart contracts allow trusted transactions, which are traceable and irreversible, to be conducted without a third party. That is, data interaction among all the blockchain nodes is established by a determined protocol.
A blockchain-based smart contract comprises a transaction processing and saving mechanism and a complete state machine, used for receiving and processing the various smart contracts; both the saving and the state processing of the transaction are done on the blockchain. A transaction mainly comprises the data that needs to be sent; an event is the descriptive information of that data, including the rules for processing it. The data processing rule may be that a preset data resource is automatically issued from the smart contract when a trigger condition contained in the event description information is satisfied.
The smart contract is a system formed by a transaction processing module and a state machine; it neither generates nor modifies smart contracts, and exists so that a complex set of digitized commitments with trigger conditions can be executed correctly according to the participants' intentions.
In the present exemplary embodiment, the smart contract at least includes the domain name to be resolved, the target IP address, and the correspondence between the domain name and the target IP address. After the smart contract is established, it is propagated through a P2P network and stored in the blockchain. In the smart contract, the trigger condition in the event description information is a query request that includes the domain name to be resolved, and the data to be sent contained in the transaction is the target IP address corresponding to that domain name. On receiving the query request, the blockchain node automatically issues, through the smart contract, the data resource corresponding to the trigger condition, namely the target IP address corresponding to the domain name to be resolved, so that the target IP address is queried on the blockchain node of the second federation chain.
In the present exemplary embodiment, when the pre-stored data resources (the domain names to be resolved, the target IP addresses, and the correspondence between domain names and target IP addresses) exceed the preset memory capacity, parts of the pre-stored data resources may be stored on different blockchain nodes of the second federation chain. For example, since the memory of a single blockchain node is limited, it cannot store all of the data resources; in that case, a part of the data resources may be stored separately on each blockchain node. The data resources stored on each blockchain node may differ, i.e. different domain names and their correspondence with target IP addresses are stored on different nodes. When the target IP address is queried and is not found on one blockchain node, a synchronized query can be carried out on the other blockchain nodes, so that the target IP address corresponding to the domain name can be found quickly even when a large number of domain names are stored, which in turn helps to improve the domain name resolution efficiency of the server.
In some embodiments, the blockchain node of the second federation chain is further configured to send, to the third federation chain, an update request for updating the correspondence when the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain is invalid, and to receive data indicating the updated correspondence returned in response to the update request;
and to respond to the domain name resolution request based on the data indicating the updated correspondence.
In this exemplary embodiment, the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain being invalid includes the case where that correspondence has changed.
In the present exemplary embodiment, the third federation chain is a federation chain different from the first federation chain and the second federation chain, and is used for storing the most recently updated correspondence data between domain names and target IP addresses. When data is updated, the correspondence data in the local server may update the data stored in the third federation chain. The second federation chain sends an update request to the third federation chain to update its data, and the third federation chain updates the correspondence data stored on the second federation chain according to the update request. The second federation chain then responds to the domain name resolution request according to the updated correspondence data.
In this exemplary embodiment, the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain being invalid also includes the case where the storage file of the correspondence data is damaged so that the data cannot be accessed. In that case, the correspondence data stored in the second federation chain may be updated, and thus restored, from the data stored in the third federation chain. The data stored in the third federation chain may be correspondence data uploaded directly by a local server, or correspondence data mirrored from the second federation chain while its data was still valid. Therefore, when the data fails, it can be updated through the third federation chain, and the smooth completion of domain name resolution can be guaranteed.
The application provides a processing device for DNS domain name server attacks, applied to a blockchain node deployed with a first federation chain. Fig. 4 is a first schematic diagram illustrating the configuration of a processing device for DNS nameserver attacks according to an exemplary embodiment. As shown in fig. 4, the apparatus includes:
a first processing unit 41, configured to receive a domain name resolution request sent by a client;
the second processing unit 42 is configured to count the number of domain name resolution requests from the same client within a preset time duration;
a third processing unit 43, configured to, when the number of domain name resolution requests of the same client reaches a preset threshold, refuse to forward the domain name resolution request of the client to a blockchain node of a second federation chain for domain name resolution, where the first federation chain and the second federation chain are two different federation chains.
In the exemplary embodiment, domain name resolution is the protocol that maps a domain name to the IP (Internet Protocol) address of a web host, so that people can conveniently access a website's services through its registered domain name. An IP address is a numeric address that identifies a host on the network; for ease of memory, a domain name is used in place of the IP address to identify the host. Domain name resolution is the process of converting a domain name into an IP address, and it is carried out by the DNS server. A domain name resolution request is a request for domain name resolution sent by the client to the DNS server.
In the exemplary embodiment, a federation chain refers to a blockchain jointly managed by several enterprises, each operating one or more nodes, in which only the participating enterprises may read and write data, send transactions and jointly record transaction data. The participating institutions include an internet service provider, a public recursive resolution service provider, an authoritative resolution service provider, an application service provider and a multilateral coordination committee.
The multilateral coordination committee establishes the first federation chain and the second federation chain by modifying the network configuration. Specifically, a traffic cleaning channel and an edge resolution channel are created, and the queuing node, the nodes of the federation members and the client are added to the channels according to the rules specified in the channel configuration, completing the establishment of the first federation chain network (corresponding to the traffic cleaning channel) and the second federation chain network (corresponding to the edge resolution channel, used for domain name resolution). The multilateral coordination committee has the highest configuration authority in the federation chains.
In the exemplary embodiment, under normal conditions the number of domain name resolution requests sent by a client within the preset time duration stays within the preset threshold, and network congestion is easily caused once the number of requests within the preset time duration exceeds that threshold. A DNS attack, by contrast, attacks the server by sending a large number of dense domain name resolution requests in a short time to occupy network bandwidth and congest the network. Therefore, when the number of domain name resolution requests sent by the same client within the preset time duration reaches the preset threshold, the requests sent by that client can be treated as a malicious attack. For example, the preset time duration may be 1 second and the preset threshold may be 100: if the number of domain name resolution requests sent by a client in one second exceeds 100, the domain name resolution requests sent by that client can be considered malicious.
The processing device for DNS nameserver attacks according to the embodiment of the present application deploys a first federation chain and a second federation chain with different functions in the DNS nameserver cluster, uses the first federation chain to identify the part of the domain name resolution requests received by the DNS nameserver that constitutes a malicious attack (for example, the number of domain name resolution requests from the same client reaches the preset threshold), and refuses to forward that part of the requests to the blockchain nodes of the second federation chain for domain name resolution. In this way the DNS nameserver's function of directly receiving and resolving domain name resolution requests is split between the first federation chain and the second federation chain, so that the second federation chain resolves only domain name resolution requests that are not malicious; the resources required for domain name resolution are not consumed by responding to attack requests, the network bandwidth occupied by attack requests is reduced, and the resolution of normal domain name resolution requests is ensured.
In some embodiments, as shown in fig. 4, the apparatus further comprises:
a fourth processing unit 44, configured to forward the domain name resolution request of the client to the blockchain node of the second federation chain when the number of domain name resolution requests of the same client is smaller than the preset threshold.
In this exemplary embodiment, when the number of domain name resolution requests of the same client is smaller than a preset threshold, the domain name resolution request of the client may be considered as a normal request, and the first federation chain forwards the request to a blockchain node of a second federation chain, so that the second federation chain performs domain name resolution on the normal request, which is beneficial to ensuring normal operation of the DNS server.
In some embodiments, the fourth processing unit configured to forward the domain name resolution request of the client to the blockchain node of the second federation chain includes:
the fourth processing unit being specifically configured to send the domain name resolution request of the client to the blockchain node of the second federation chain at the first network protocol (IP) address when the number of domain name resolution requests of the same client is smaller than the preset threshold; the response message to the domain name resolution request is then sent to the client based on the second IP address.
In the present exemplary embodiment, the first IP address is the IP address at which the blockchain node of the second federation chain receives the domain name resolution request forwarded by the blockchain node of the first federation chain; the second IP address is the IP address from which the blockchain node of the second federation chain returns the target IP address to the client. In this application the first IP address and the second IP address are two different IP addresses, so the two are separated, which makes it easier to hide the second IP address than when the same IP address is used for both. If the first IP address and the second IP address were the same, then once the first IP address is exposed and attacked, the second IP address would necessarily be attacked at the same time, which is obviously unfavourable for returning the resolved target IP address to the client with the second IP address as the source address. Separating the first IP address from the second IP address therefore reduces the probability that the second IP address is exposed and the possibility that it is attacked, which helps the target IP address to be returned smoothly.
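The counting, refusal and forwarding performed by the first-federation-chain node described above, as an added example that is not the patent's own code. It assumes a fixed 1-second window and a threshold of 100 (the example values in the description), takes "reaches the threshold" as count >= threshold, and uses a constructed placeholder for the second-chain node's first IP address.

```python
"""Added example (not the patent's own code) of the first-federation-chain
traffic-cleaning decision: count requests per client within a preset time
duration, refuse to forward once the preset threshold is reached, otherwise
forward to the second-chain node's first IP address.

Assumptions not fixed by the patent text: a fixed 1-second counting window
and a threshold of 100 (the example values given in the description),
"reaches the threshold" taken as count >= threshold, and a constructed
placeholder for the second-chain node's first IP address."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 1.0                    # preset time duration
THRESHOLD = 100                         # preset threshold
SECOND_CHAIN_FIRST_IP = "192.0.2.10"    # constructed placeholder (first IP address)


@dataclass
class Decision:
    forward: bool               # True: fourth processing unit forwards the request
    destination: Optional[str]  # first IP of the second-chain node, None when refused
    count: int                  # requests counted for this client in the current window


class TrafficCleaner:
    """Per-client request counter (second processing unit) plus the
    forward/refuse decision (third and fourth processing units)."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = THRESHOLD,
                 destination: str = SECOND_CHAIN_FIRST_IP) -> None:
        self.window = window
        self.threshold = threshold
        self.destination = destination
        # client -> (start time of its current window, requests seen in it)
        self._windows: Dict[str, Tuple[float, int]] = {}

    def handle(self, client: str, now: float) -> Decision:
        start, count = self._windows.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0          # the old window expired; start a new one
        count += 1
        self._windows[client] = (start, count)
        if count >= self.threshold:
            # third processing unit: threshold reached, do not forward
            return Decision(forward=False, destination=None, count=count)
        # fourth processing unit: normal request, forward to the first IP address
        return Decision(forward=True, destination=self.destination, count=count)


def simulate(events: List[Tuple[float, str]]) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, client) events and tally forwarded/refused per client."""
    cleaner = TrafficCleaner()
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: {"forwarded": 0, "refused": 0})
    for now, client in sorted(events):
        decision = cleaner.handle(client, now)
        tally[client]["forwarded" if decision.forward else "refused"] += 1
    return dict(tally)


# Constructed sample traffic: one client sends 150 requests within 0.75 s (a flood),
# another sends one request per second (normal use).
SAMPLE_EVENTS = [(i * 0.005, "198.51.100.7") for i in range(150)] + \
                [(float(i), "203.0.113.4") for i in range(5)]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

Replaying the constructed traffic forwards the flooding client's first 99 requests and refuses the remaining 51, while the normal client's five requests are all forwarded.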
The application also provides another processing device for DNS domain name server attacks, applied to a blockchain node deployed with the second federation chain. Fig. 5 is a schematic diagram illustrating the structure of a processing device for DNS nameserver attacks according to an exemplary embodiment. As shown in fig. 5, the apparatus includes:
a first processing unit 51, configured to receive a domain name resolution request forwarded by a blockchain node of the first federation chain when that node determines that the number of domain name resolution requests sent by the same client within the preset time duration is smaller than or equal to the preset threshold;
a second processing unit 52, configured to determine, in response to the domain name resolution request, a target IP address corresponding to a domain name requested to be resolved;
a third processing unit 53, configured to return the target IP address to the client.
In this exemplary embodiment, when the number of domain name resolution requests of the same client is less than or equal to the preset threshold, the domain name resolution request of the client may be considered a normal request, and the first federation chain forwards the request to the blockchain node of the second federation chain. The blockchain node of the second federation chain receives the domain name resolution request forwarded by the blockchain node of the first federation chain, determines, in response to the request, the target IP address corresponding to it, and returns the target IP address to the client, thereby completing domain name resolution for the normal domain name resolution request.
In the present exemplary embodiment, the blockchain node of the second federation chain stores the domain names to be resolved and the correspondence between each domain name and its target IP address. In response to a domain name resolution request, the target IP address corresponding to the request is determined directly on the blockchain node of the second federation chain, without the level-by-level query through the hierarchy of domain name servers, which effectively improves the domain name resolution efficiency of the server and reduces the user traffic forwarding rate.
In some embodiments, the second processing unit, configured to determine, in response to the domain name resolution request, a target IP address corresponding to a domain name requested to be resolved, includes:
the second processing unit is specifically configured to generate a query request conforming to an intelligent contract based on the domain name resolution request;
querying the target IP address on a blockchain node of the second federation chain based on the query request; the query request at least comprises a domain name to be resolved; the intelligent contract is used for establishing data interaction among the blockchain nodes according to a determined protocol.
In the present exemplary embodiment, a smart contract is a computer protocol intended to propagate, verify or execute a contract in a digital manner. Smart contracts allow trusted transactions to be conducted without third parties; these transactions are traceable and irreversible. That is, data interaction among the blockchain nodes is established according to a determined protocol.
Blockchain-based smart contracts comprise a transaction processing and storage mechanism and a complete state machine, used for receiving and processing various smart contracts; both the storage of transactions and the processing of state are done on the blockchain. A transaction mainly contains the data that needs to be sent; an event is the descriptive information of that data, including the rules for processing it. The data processing rule may be that a preset data resource is automatically issued by the smart contract when the trigger condition contained in the event description information is satisfied.
The smart contract system, formed by the transaction processing module and the state machine, neither generates nor modifies smart contracts; it exists so that a complex set of digitized commitments with trigger conditions can be executed correctly according to the will of the participants.
In the present exemplary embodiment, the smart contract contains at least the domain names to be resolved, the target IP addresses and the correspondence between each domain name and its target IP address. After the smart contract is established, it is propagated through the P2P network and stored in the blockchain. In the smart contract, the trigger condition in the event description information is a query request containing a domain name to be resolved, and the data to be sent contained in the transaction is the target IP address corresponding to that domain name. Based on the query request, the blockchain node automatically issues, through the smart contract, the data resource corresponding to the trigger condition, namely the target IP address corresponding to the domain name to be resolved, so that the target IP address corresponding to the domain name is queried on the blockchain node of the second federation chain.
In the present exemplary embodiment, when the pre-stored data resources (the domain names to be resolved, the target IP addresses and the correspondence between them) exceed the preset storage capacity, parts of the pre-stored data resources may be stored separately on different blockchain nodes of the second federation chain. For example, since the storage of a single blockchain node is limited and cannot hold all the data resources, a portion of the data resources may be stored on each blockchain node. The data resources stored on each blockchain node may differ, i.e. different domain names and their correspondence to target IP addresses are stored on each node. When the target IP address is queried and the corresponding target IP address is not found on one blockchain node, the other blockchain nodes can be queried synchronously, so that the target IP address corresponding to a domain name can be found quickly even when a large number of domain names are stored, which in turn improves the domain name resolution efficiency of the server.
In some embodiments, as shown in fig. 5, the apparatus further comprises:
a fourth processing unit 54, configured to send, when the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain is invalid, an update request for updating the correspondence to a third federation chain, and receive data indicating an updated correspondence returned based on the update request;
responding to the domain name resolution request based on the data indicating the updated correspondence.
In this exemplary embodiment, the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain being invalid includes the case where that correspondence has changed.
In the present exemplary embodiment, the third federation chain is a federation chain different from the first federation chain and the second federation chain, and is used for storing the most recently updated correspondence data between domain names and target IP addresses. When data is updated, the correspondence data held by the local server may be used to update the data stored in the third federation chain. The second federation chain sends an update request to the third federation chain to obtain updated data, the third federation chain updates the correspondence data stored on the second federation chain according to the update request, and the second federation chain responds to the domain name resolution request according to the updated correspondence data.
In this exemplary embodiment, the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain being invalid also includes the case where the storage file of the correspondence data is damaged so that the data cannot be accessed. In that case the correspondence data stored in the second federation chain may be updated, and thus restored, from the data stored in the third federation chain. The data stored in the third federation chain may be correspondence data uploaded directly by the local server, or a mirror of the correspondence data taken while the data on the second federation chain was still valid. Therefore, when the data fails, it can be refreshed through the third federation chain and domain name resolution can still be completed.
In some embodiments, the third processing unit, configured to return the target IP address to the client, includes:
the third processing unit being specifically configured to, after the domain name resolution request forwarded by the blockchain node of the first federation chain with the first IP address as the destination address is received, send a response message to the domain name resolution request carrying the target IP address to the client with the second IP address as the source address.
In the present exemplary embodiment, the first IP address is the IP address at which the blockchain node of the second federation chain receives the domain name resolution request forwarded by the blockchain node of the first federation chain; the second IP address is the IP address from which the blockchain node of the second federation chain returns the target IP address to the client. In this application the first IP address and the second IP address are two different IP addresses, so the two are separated, which makes it easier to hide the second IP address than when the same IP address is used for both. If the first IP address and the second IP address were the same, then once the first IP address is exposed and attacked, the second IP address would necessarily be attacked at the same time, which is obviously unfavourable for returning the resolved target IP address to the client with the second IP address as the source address. Separating the first IP address from the second IP address therefore reduces the probability that the second IP address is exposed and the possibility that it is attacked, which helps the target IP address to be returned smoothly.
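The second-federation-chain node's behaviour described in the preceding paragraphs (contract-conforming query request, lookup across node shards, refresh from the third-chain mirror when the stored correspondence is invalid, reply sourced from the second IP address), as an added example that is not the patent's own code. All addresses, domains, shards and node names are constructed, and the smart contract exchange is modelled as plain dict messages.

```python
"""Added example (not the patent's own code) of resolution on a
second-federation-chain node: build a query request that conforms to the
contract (it must carry the domain name), look the domain up in this node's
own shard, query the other nodes' shards if it is absent, and, when the
stored correspondence is invalid (changed or its storage file damaged),
refresh it from the third-chain mirror before answering from the second
IP address.

Assumptions: every address, domain, shard and node name is constructed; the
smart contract is modelled as a plain dict exchange; an invalid record is
one flagged as changed or whose target_ip is None (damaged file)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SECOND_IP = "192.0.2.20"   # constructed second IP address: source of replies to clients


@dataclass
class Record:
    target_ip: Optional[str]   # None models a damaged storage file
    valid: bool = True         # False models a correspondence that has changed


class ThirdChainMirror:
    """Third federation chain: mirror of the latest domain -> target IP data."""

    def __init__(self, latest: Dict[str, str]) -> None:
        self._latest = dict(latest)

    def handle_update_request(self, domain: str) -> Optional[Record]:
        ip = self._latest.get(domain)
        return Record(ip) if ip else None


class SecondChainNode:
    def __init__(self, name: str, shard: Dict[str, Record],
                 peers: List["SecondChainNode"], mirror: ThirdChainMirror) -> None:
        self.name = name
        self.shard = dict(shard)        # this node's part of the data resources
        self.peers = list(peers)        # other nodes of the second federation chain
        self.mirror = mirror
        self.update_requests = 0        # update requests sent to the third chain

    @staticmethod
    def make_query_request(resolution_request: dict) -> dict:
        """Query request conforming to the contract: it must carry a well-formed domain."""
        domain = resolution_request.get("qname", "").strip(".").lower()
        if not domain or any(label == "" for label in domain.split(".")):
            raise ValueError("query request must contain a well-formed domain name")
        return {"domain": domain}

    def lookup_local(self, domain: str) -> Optional[Record]:
        return self.shard.get(domain)

    def query(self, query_request: dict) -> Optional[str]:
        domain = query_request["domain"]
        rec = self.lookup_local(domain)
        if rec is None:
            # not in this shard: query the other nodes of the chain
            for peer in self.peers:
                rec = peer.lookup_local(domain)
                if rec is not None:
                    break
        if rec is None:
            return None
        if not rec.valid or rec.target_ip is None:
            # invalid correspondence: fetch the updated data from the third chain
            self.update_requests += 1
            rec = self.mirror.handle_update_request(domain)
            if rec is None:
                return None
            self.shard[domain] = rec    # restore the correspondence on this node
        return rec.target_ip

    def resolve(self, resolution_request: dict) -> Optional[dict]:
        """Second and third processing units: find the target IP, reply from SECOND_IP."""
        target = self.query(self.make_query_request(resolution_request))
        if target is None:
            return None
        return {"src": SECOND_IP, "dst": resolution_request["client"],
                "qname": resolution_request["qname"], "target_ip": target}


def build_demo_nodes():
    """Constructed deployment: two second-chain nodes with different shards and one mirror."""
    mirror = ThirdChainMirror({"www.example.com": "198.51.100.10",
                               "api.example.net": "198.51.100.30",
                               "shop.example.org": "198.51.100.21"})
    node_b = SecondChainNode("node-b",
                             {"shop.example.org": Record("198.51.100.20", valid=False)},
                             [], mirror)
    node_a = SecondChainNode("node-a",
                             {"www.example.com": Record("198.51.100.10"),
                              "api.example.net": Record(None)},
                             [node_b], mirror)
    return node_a, node_b
```

In the constructed deployment, node-a answers www.example.com from its own shard, recovers api.example.net (damaged locally) from the mirror, and finds shop.example.org on node-b but refreshes it because that record is flagged as changed.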
FIG. 6 is a federation chain system build flow diagram shown in accordance with an exemplary embodiment. As shown in fig. 6, includes:
step 60, establishing the federation chains in the DNS server cluster and deploying the smart contract;
step 61, constructing a traffic cleaning module, used for having the first federation chain filter the malicious requests sent by client A;
step 62, constructing an edge resolution module, used for having the second federation chain resolve the normal domain name resolution requests sent by client A;
and step 63, constructing a mirror module, used for having the third federation chain store a mirror of the correspondence data between domain names and target IP addresses.
The application also provides a terminal. Fig. 7 is a schematic diagram of a terminal structure shown in accordance with an example embodiment. As shown in fig. 7, a terminal provided in an embodiment of the present application includes: a processor 730 and a memory 720 for storing a computer program capable of running on the processor, wherein the processor 730 is configured to execute the steps of the method provided by the embodiments described above when running the computer program.
The present application also provides a computer-readable storage medium. The computer-readable storage medium provided by the embodiments of the present application stores thereon a computer program, which when executed by a processor implements the steps of the method provided by the above-mentioned embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
In some cases, any two of the above technical features may be combined into a new method solution without conflict.
In some cases, any two of the above technical features may be combined into a new device solution without conflict.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media capable of storing program codes, such as a removable Memory device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, and an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (17)

1. A processing method for DNS domain name server attacks, applied to a blockchain node deployed with a first federation chain, comprising the following steps:
receiving a domain name resolution request sent by a client;
counting the number of domain name resolution requests from the same client within a preset time length;
when the number of the domain name resolution requests of the same client reaches a preset threshold value, refusing to forward the domain name resolution requests of the client to a blockchain node of a second federation chain for domain name resolution;
when the number of the domain name resolution requests of the same client is smaller than the preset threshold value, sending the domain name resolution requests of the client to the blockchain node of the second federation chain having the first network protocol (IP) address; wherein the first federation chain and the second federation chain are two different federation chains, and the response message of the domain name resolution request is sent to the client based on a second IP address.
2. The DNS nameserver attack processing method according to claim 1, wherein the first federation chain and the second federation chain are deployed on different physical machines; or alternatively,
the first federation chain and the second federation chain are deployed with different allocations of hardware resources and/or software resources when they share a physical machine.
3. A processing method for DNS domain name server attacks, applied to a blockchain node deployed with a second federation chain, the method comprising the following steps:
receiving a domain name resolution request forwarded with a first IP address as the destination address when a blockchain node of a first federation chain determines that the number of domain name resolution requests sent by the same client within a preset time length is less than or equal to a preset threshold;
responding to the domain name resolution request, and determining a target IP address corresponding to the domain name resolution request;
and sending a response message of the domain name resolution request carrying the target IP address to the client by taking the second IP address as a source address.
4. The method for processing DNS nameserver attack according to claim 3, wherein the determining, in response to the request for domain name resolution, a target IP address corresponding to a domain name requested to be resolved includes:
generating a query request conforming to an intelligent contract based on the domain name resolution request;
querying the target IP address on a blockchain node of the second federation chain based on the query request; the query request at least comprises a domain name to be resolved; the intelligent contract is used for establishing data interaction among the blockchain nodes according to a determined protocol.
5. The DNS nameserver attack processing method according to claim 4, further comprising:
when the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain is invalid, sending an update request for updating the correspondence to a third federation chain, and receiving data indicating the updated correspondence returned based on the update request;
the determining, in response to the domain name resolution request, a target IP address corresponding to a domain name requested to be resolved includes:
responding to the domain name resolution request based on the data indicating the updated correspondence.
6. A system for handling DNS nameserver attacks, comprising:
a first blockchain network deployed with a first federation chain; wherein the first blockchain network comprises at least one blockchain node of the first federation chain;
a second blockchain network connected to the first blockchain network and deployed with a second federation chain; wherein the second blockchain network comprises at least one blockchain node of the second federation chain; the first federation chain and the second federation chain are two different federation chains; wherein:
the blockchain node of the first federation chain is used for filtering out domain name resolution requests of which the number from the same client reaches a preset threshold value, and forwarding the domain name resolution requests of which the number is less than the preset threshold value to the second federation chain with the first IP address as the destination address;
and the blockchain node of the second federation chain is used for responding to the domain name resolution request, determining a target IP address corresponding to the domain name resolution request, and sending a response message of the domain name resolution request carrying the target IP address to the client with the second IP address as the source address.
7. The DNS nameserver attack processing system according to claim 6, further comprising:
a third blockchain network connected to the second blockchain network and deployed with a third federation chain; wherein:
the data of the correspondence between the domain name to be resolved and the target IP address is stored on the blockchain node of the third federation chain, and is used for updating the correspondence data stored on the second federation chain based on the update request sent by the second federation chain.
8. The system according to claim 7, wherein the blockchain node of the first federation chain is specifically configured to, when the number of domain name resolution requests of the same client reaches the preset threshold, refuse to forward the domain name resolution request of the client to the blockchain node of the second federation chain where domain name resolution is performed.
9. The system according to claim 8, wherein the blockchain node of the second federation chain is specifically configured to generate, based on the domain name resolution request, a query request conforming to an intelligent contract;
querying the target IP address on a blockchain node of the second federation chain based on the query request; the query request at least comprises a domain name to be resolved; the intelligent contract is used for establishing data interaction among the blockchain nodes according to a determined protocol.
10. The system according to claim 9, wherein the blockchain node of the second federation chain is further configured to, when the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain is invalid, send an update request for updating the correspondence to the third federation chain, and receive data indicating the updated correspondence returned based on the update request;
responding to the domain name resolution request based on the data indicating the updated correspondence.
11. A device for processing DNS domain name server attacks, applied to a blockchain node deployed with a first federation chain, the device comprising:
the first processing unit is used for receiving a domain name resolution request sent by a client;
the second processing unit is used for counting the number of domain name resolution requests from the same client within a preset time length;
the third processing unit is used for refusing to forward the domain name resolution request of the client to the blockchain node of the second federation chain for domain name resolution when the number of the domain name resolution requests of the same client reaches a preset threshold value;
the fourth processing unit is configured to send the domain name resolution request of the client to the blockchain node of the second federation chain having the first network protocol (IP) address when the number of the domain name resolution requests of the same client is smaller than the preset threshold; wherein the first federation chain and the second federation chain are two different federation chains; and the response message of the domain name resolution request is sent to the client based on the second IP address.
12. The apparatus for handling DNS nameserver attacks according to claim 11, wherein the first federation chain and the second federation chain are deployed on different physical machines; or alternatively,
the first federation chain and the second federation chain are deployed with different allocations of hardware resources and/or software resources when they share a physical machine.
13. A processing device for DNS domain name server attacks, applied to a blockchain node deployed with a second federation chain, the device comprising:
the first processing unit is used for receiving the domain name resolution request forwarded with the first IP address as the destination address when the blockchain node of the first federation chain determines that the number of the domain name resolution requests sent by the same client within the preset time length is less than or equal to a preset threshold value;
the second processing unit is used for responding to the domain name resolution request and determining a target IP address corresponding to the domain name resolution request;
and the third processing unit is used for sending a response message of the domain name resolution request carrying the target IP address to the client by taking the second IP address as a source address.
14. The device according to claim 13, wherein the second processing unit is specifically configured to generate, based on the domain name resolution request, a query request conforming to a smart contract, and
to query the target IP address on a blockchain node of the second federation chain based on the query request; the query request comprises at least the domain name to be resolved, and the smart contract is used to establish data interaction among the blockchain nodes according to a determined protocol.
15. The device for processing a DNS domain name server attack according to claim 13, further comprising:
a fourth processing unit, configured to send, when the correspondence between the domain name to be resolved and the target IP address stored in the second federation chain is invalid, an update request for updating the correspondence to a third federation chain, to receive data indicating the updated correspondence returned in response to the update request, and
to respond to the domain name resolution request based on the data indicating the updated correspondence.
16. A terminal, comprising: a processor and a memory for storing a computer program operable on the processor, wherein the processor is operable to perform the steps of the method of any of claims 1 to 5 when the computer program is run.
17. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5.
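The request flow of claims 11 to 15 (per-client counting at the first chain, forwarding to a first IP address, answering from a second IP address, and refreshing a stale domain/IP correspondence from a third chain), as an added example written for this page; it is not the patent's own code. All addresses (the 192.0.2.x, 198.51.100.x and 203.0.113.x documentation ranges), the window and threshold values, the `Record` ledger entries and the class names are constructed assumptions; the smart-contract query of claim 14 is modelled as a lookup on a replicated ledger, and the counting rule (the current request counts toward the threshold, and refusal starts when the count reaches it) is one reading of the claim wording.

```python
"""Added example for claims 11-15 of this page: ingress rate limiting on the
first federation chain and split-address resolution on the second.  Names,
addresses and timings are constructed assumptions, not the patent's code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional


@dataclass
class Record:
    """A domain -> IP correspondence replicated on the second chain."""
    ip: str
    expires_at: float  # the correspondence is 'invalid' once the clock passes this


class AuthorityChain:
    """Stand-in for the third federation chain (claim 15): the source the
    second chain asks when its stored correspondence is invalid."""

    def __init__(self, records: Dict[str, str], ttl: float) -> None:
        self._records = records
        self._ttl = ttl

    def update(self, domain: str, now: float) -> Optional[Record]:
        ip = self._records.get(domain)
        return Record(ip, now + self._ttl) if ip else None


class ResolverNode:
    """Blockchain node of the second federation chain (claims 13-15).

    Requests arrive at `ingress_ip` (the first IP address); answers leave with
    `response_ip` as the source (the second IP address), so the address a
    client talks to is never the one that answers it."""

    def __init__(self, ingress_ip: str, response_ip: str,
                 ledger: Dict[str, Record], authority: AuthorityChain) -> None:
        self.ingress_ip = ingress_ip
        self.response_ip = response_ip
        self._ledger = ledger
        self._authority = authority

    def _query_contract(self, domain: str, now: float) -> Optional[str]:
        """Smart-contract style lookup on the replicated ledger (claim 14);
        refreshes from the authority chain when the record is missing/expired."""
        rec = self._ledger.get(domain)
        if rec is None or rec.expires_at <= now:
            rec = self._authority.update(domain, now)
            if rec is None:
                return None
            self._ledger[domain] = rec  # store the updated correspondence
        return rec.ip

    def handle(self, request: dict, now: float) -> dict:
        assert request["dst"] == self.ingress_ip, "request did not use the first IP"
        ip = self._query_contract(request["qname"], now)
        return {"src": self.response_ip, "dst": request["src"],
                "qname": request["qname"], "answer": ip,
                "rcode": "NOERROR" if ip else "NXDOMAIN"}


class IngressNode:
    """Blockchain node of the first federation chain (claims 11-12): counts
    requests per client in a sliding window and stops forwarding once the
    count within the window reaches the threshold."""

    def __init__(self, resolver: ResolverNode, window: float, threshold: int) -> None:
        self._resolver = resolver
        self._window = window
        self._threshold = threshold
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def count_recent(self, client_ip: str, now: float) -> int:
        q = self._seen[client_ip]
        while q and q[0] <= now - self._window:  # evict timestamps outside the window
            q.popleft()
        return len(q)

    def handle(self, client_ip: str, qname: str, now: float) -> dict:
        self._seen[client_ip].append(now)  # every request is counted, even a refused one
        if self.count_recent(client_ip, now) >= self._threshold:
            return {"src": None, "dst": client_ip, "qname": qname,
                    "answer": None, "rcode": "REFUSED"}
        request = {"src": client_ip, "dst": self._resolver.ingress_ip, "qname": qname}
        return self._resolver.handle(request, now)


def build_demo() -> IngressNode:
    """Wire the three roles together with constructed addresses and records."""
    authority = AuthorityChain({"example.test": "203.0.113.10"}, ttl=300.0)
    ledger = {"example.test": Record("203.0.113.9", expires_at=0.0)}  # stale on purpose
    resolver = ResolverNode("198.51.100.1", "198.51.100.2", ledger, authority)
    return IngressNode(resolver, window=10.0, threshold=4)


if __name__ == "__main__":
    node = build_demo()
    for t in range(100, 105):  # fifth request in the window is refused
        print(node.handle("192.0.2.5", "example.test", now=float(t))["rcode"])
```

The clock is passed in explicitly so the window behaviour is deterministic; in a deployment the first node would read it from the system and the per-client map would need its own eviction of idle clients, which this example leaves out.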
CN202110541580.5A 2021-05-18 2021-05-18 Processing method, processing system and processing device for DNS (Domain name Server) attack Active CN112968915B (en)

Publications (2)

Publication Number Publication Date
CN112968915A CN112968915A (en) 2021-06-15
CN112968915B true CN112968915B (en) 2021-08-06

Family

ID=76275604

Country Status (1)

Country Link
CN (1) CN112968915B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150469B (en) * 2022-07-21 2024-07-05 天翼云科技有限公司 Domain name resolution result storage method and device, electronic equipment and storage medium

Citations (8)

Publication number Priority date Publication date Assignee Title
CN103024100A (en) * 2012-12-31 2013-04-03 华为技术有限公司 Coupling establishing method and domain name system server
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN106161674A (en) * 2016-07-25 2016-11-23 宁圣金融信息服务(上海)有限公司 A kind of block chain domain name mapping device
CN108366138A (en) * 2018-05-28 2018-08-03 北京奇虎科技有限公司 Domain name operating method, system and electronic equipment
CN109104445A (en) * 2018-11-05 2018-12-28 北京京东尚科信息技术有限公司 The anti-attack method and system of operation system based on block chain
CN109688239A (en) * 2018-12-20 2019-04-26 全链通有限公司 Domain name analytic method, equipment, system and storage medium
CN111030979A (en) * 2019-06-20 2020-04-17 哈尔滨安天科技集团股份有限公司 Malicious domain name detection method and device and storage device
CN111131335A (en) * 2020-03-30 2020-05-08 腾讯科技(深圳)有限公司 Network security protection method and device based on artificial intelligence and electronic equipment

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
FI20065179A0 (en) * 2006-03-20 2006-03-20 Nixu Sofware Oy To a whole assembled name server
CN103685213A (en) * 2012-09-26 2014-03-26 西门子公司 Device, system and method for reducing attacks on DNS
US10489757B2 (en) * 2014-05-19 2019-11-26 OX Labs Inc. System and method for rendering virtual currency related services

Non-Patent Citations (1)

Title
Research on a pan-centralized blockchain DNS architecture for cross-domain trust; Lei Kai et al.; Chinese Journal of Network and Information Security (《网络与信息安全学报》); 2020-04-15 (No. 02); full text *

Also Published As

Publication number Publication date
CN112968915A (en) 2021-06-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant