CN117118746B - DNS attack defense method, system, medium and device based on dynamic DNAT - Google Patents

DNS attack defense method, system, medium and device based on dynamic DNAT

Info

Publication number: CN117118746B
Application number: CN202311360598.0A
Authority: CN (China)
Prior art keywords: dnat, address, dynamic, module, dns
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117118746A (en)
Inventors: 蒋驰, 张德奎
Current assignee: Mingyang Industrial Technology Research Institute Shenyang Co ltd; Mingyang Shichuang Beijing Technology Co ltd
Original assignee: Mingyang Industrial Technology Research Institute Shenyang Co ltd; Mingyang Shichuang Beijing Technology Co ltd

Application filed by Mingyang Industrial Technology Research Institute Shenyang Co ltd and Mingyang Shichuang Beijing Technology Co ltd
Priority to CN202311360598.0A
Publication of CN117118746A
Application granted
Publication of CN117118746B
Active legal status


Classifications

    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/4511 Network directories; Name-to-address mapping using domain name system [DNS]
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture involving adaptations of sockets based mechanisms
    • H04L9/40 Network security protocols

Abstract

The invention discloses a DNS attack defense method, system, medium and device based on dynamic DNAT. The system comprises a DNAT module, a Socket client and a Socket server; the Socket client is in communication connection with the DNAT module, and the Socket client is in communication connection with the Socket server through a Socket channel. The invention adds a security linkage control function to authoritative DNS domain name resolution, which can effectively reduce the exposure surface of network assets and lower the possibility of being attacked.

Description

DNS attack defense method, system, medium and device based on dynamic DNAT
Technical Field
The invention relates to the technical field of network security, in particular to a DNS attack defense method, a system, a medium and equipment based on dynamic DNAT.
Background
DNS is one of the key infrastructures for internet access; it is the navigation directory of the internet. A DNS server resolves a domain name (e.g., www.jd.com) to its corresponding IP address (e.g., 2408:8730:500:10:8000:3 or 218.60.105.3). The DNS stores a mapping table of domain names and their corresponding IP addresses; it responds to a client request with the record matching the requested domain name, and the client then accesses the corresponding WEB service using the IP in the resolution record.
DNS servers are mainly of two kinds, authoritative DNS and forwarding DNS. An authoritative DNS is authorized to modify the relationship between the domain names it controls and their IP addresses (the resource records); a forwarding DNS has no local domain name management capability and must cache the domain name resolution records it obtains from an upstream DNS. On a client resolution request, the DNS looks up its local authoritative domain name resource records and cached resource records; if there is a hit, the record is returned directly to the client, otherwise the request is forwarded to the upstream DNS and the returned resource record is passed back to the client. The resolution flow of the DNS is only responsible for returning the one-to-one match between domain name and IP; it is not responsible for the security of subsequent access.
In the security penetration test attack model, target reconnaissance and weaponization are always the first steps: information is collected before scanning so as to learn the basic information of the target system and its possible vulnerabilities. Information collection methods include DNS queries and Whois queries; automated scanning and probing tools then discover the target IP address, open service ports, application versions and similar information, on the basis of which a corresponding attack method from the weapon library is chosen and the attack is carried out.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to provide a DNS attack defense method, system, medium and device based on dynamic DNAT, which add a security linkage control function to authoritative DNS domain name resolution so that the exposure surface of network assets is effectively reduced and the possibility of being attacked is lowered.
In order to solve the technical problems, the invention provides the following technical scheme:
a DNS attack defending method based on dynamic DNAT comprises the following steps:
s1) The DNAT module monitors the forwarded data and is triggered to update the dynamic DNAT rules by abnormal data, automatically, or by other passive modes; the other passive triggering modes include triggering by a network security monitoring module;
s2) The Socket client monitors the dynamic DNAT rules for changes; when the dynamic DNAT rules change, the Socket client transmits the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to the Socket server through a Socket channel. The DNAT mapping between the intranet IP address and the public network IP address of the application service changes whenever the public network IP address of the application service is changed;
s3) After the Socket server obtains the latest DNAT mapping between the intranet IP address and the public network IP address of the application service, it automatically modifies the DNS domain name configuration parameters and sets the corresponding domain name record value to the latest public network IP address, namely the public network IP address of the application service in that latest DNAT mapping;
s4) A public network user sends a domain name resolution request to the authoritative DNS through the standard DNS procedure, and the authoritative DNS performs the domain name resolution.
In the above method, in step S1), the abnormal data trigger includes a DDoS attack suffered by the application server or scanning probes exceeding the corresponding threshold, and the automatic trigger includes periodic triggering and manual triggering.
In the above method, the public network IP address of the application service is an IPv6 address, and the public network IP address of the application service issued by the DNAT module is also an IPv6 address.
According to the method, the DNAT module randomly generates the mapping relation between the intranet IP address and the public network IP address of the application service when the dynamic DNAT rule is updated.
According to the method, the DNAT module forwards the data packet sent by the public network user to the public network IP address of the application service to the corresponding equipment in the network where the application service is located according to DNAT rules, wherein the network where the application service is located can be a server where the application service is located or a local area network where the server is located.
A system for defending against DNS attacks by using the DNS attack defending method based on dynamic DNAT comprises:
the DNAT module is used for forwarding data sent by a public network user to a public network IP of the application service to corresponding equipment in a network where the application service is located and updating a dynamic DNAT rule after being triggered;
the Socket client is used for monitoring the update of the dynamic DNAT rule;
the Socket server is used for modifying the DNS domain name configuration parameters according to the updated dynamic DNAT rule;
the Socket client is in communication connection with the DNAT module, and the Socket client is in communication connection with the Socket server through a Socket channel.
In the system, a timing sub-module that measures the time interval between two consecutive dynamic DNAT rule updates is provided in the DNAT module; when that interval reaches a preset time threshold, the timing sub-module triggers the dynamic DNAT rule generation sub-module in the DNAT module to generate a new dynamic DNAT rule.
In the system, the dynamic DNAT rule generation sub-module randomly generates the new dynamic DNAT rule.
A computer readable storage medium having stored thereon a computer program which when executed by a processor implements the above method.
Computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, which computer program, when executed by the processor, implements the method described above.
The technical scheme of the invention has the following beneficial technical effects:
1. When the method is in use and the hacker's scanning and probing frequency and behavior are identified again, the dynamic DNAT rule is triggered again, a random IPv6 DNAT mapping is regenerated, and the IPv6 domain name record corresponding one-to-one with the application is modified again through the authoritative DNS, so that the IPv6 address of the application's public network entrance changes; the scanning and probing that precede an intrusion are trapped in repeated idle cycles, which reduces the asset exposure surface and the possibility of being attacked.
2. The security characteristics brought by the huge IPv6 address space are fully utilized, the exposure of terminal assets is effectively avoided, and the possibility of being attacked is reduced.
Drawings
FIG. 1 is a schematic diagram of the dynamic DNAT-based DNS attack defense system of the present invention;
FIG. 2 is another working schematic diagram of a dynamic DNAT-based DNS attack defense system according to the present invention;
FIG. 3 is another schematic diagram of the dynamic DNAT-based DNS attack defense system of the present invention;
FIG. 4 is a flow chart of the dynamic DNAT-based DNS attack defense in accordance with the present invention;
FIG. 5 is a schematic diagram of the operation of a computer device capable of performing DNS attack defense based on dynamic DNAT according to the present invention.
Detailed Description
The invention is further described below with reference to examples.
As shown in fig. 1, in the present invention, a DNS attack defense system based on a dynamic DNAT includes a DNAT module, a Socket client, and a Socket server, where the Socket client is in communication connection with the DNAT module, and the Socket client is in communication connection with the Socket server through a Socket channel.
The DNAT module is used for forwarding data sent by a public network user to a public network IP of the application service to corresponding equipment in a network where the application service is located, and updating a dynamic DNAT rule after being triggered, the Socket client is used for monitoring the updating of the dynamic DNAT rule, and the Socket server is used for modifying DNS domain name configuration parameters according to the updated dynamic DNAT rule.
In this embodiment, a dynamic DNAT rule generating sub-module and a timing sub-module for timing the time interval duration of two adjacent dynamic DNAT rule updating are provided in the DNAT module; when the time interval duration of updating the adjacent two dynamic DNAT rules is equal to a preset time threshold, the timing submodule triggers the dynamic DNAT rule generation submodule in the DNAT module to randomly generate a new dynamic DNAT rule.
In this embodiment, a DNS attack defense system based on dynamic DNAT is also provided, as shown in fig. 2. In this variant the DNAT module is built into the Socket client: when the DNAT module updates the dynamic DNAT rule, the updated rule is reported directly to the Socket client, which then transmits the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to the Socket server through a Socket channel. Building the DNAT module into the Socket client makes the DNAT-based DNS attack defense system convenient to deploy on an application service or server.
In this embodiment, a DNS attack defense system based on dynamic DNAT is also provided, as shown in fig. 3. In the DNS attack defending system based on the dynamic DNAT, a network security monitoring module for monitoring network attacks is also arranged. When the network security monitoring module monitors that network attacks exist, such as DNS attacks, DDoS attacks and the like, the network security monitoring module sends a trigger command to the DNAT module, so that the DNAT module is triggered to update dynamic DNAT rules.
When the DNS attack defense system based on the dynamic DNAT is used for performing DNS attack defense, as shown in fig. 4, the DNS attack defense system based on the dynamic DNAT performs the following operations:
s1) The DNAT module monitors the forwarded data and is triggered to update the dynamic DNAT rules by abnormal data, automatically, or by other passive modes; the other passive triggering modes include triggering by a network security monitoring module;
s2) The Socket client monitors the dynamic DNAT rules for changes; when the dynamic DNAT rules change, the Socket client transmits the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to the Socket server through a Socket channel;
s3) After the Socket server obtains the latest DNAT mapping between the intranet IP address and the public network IP address of the application service, it automatically modifies the DNS domain name configuration parameters and sets the corresponding domain name record value to the latest public network IP address, namely the public network IP address of the application service in that latest DNAT mapping;
s4) A public network user sends a domain name resolution request to the authoritative DNS through the standard DNS procedure, and the authoritative DNS performs the domain name resolution.
In step S1), the abnormal data trigger includes a DDoS attack suffered by the application server or scanning probes exceeding the corresponding threshold, and the automatic trigger includes periodic triggering and manual triggering.
In this embodiment, the dynamic DNAT rule generating sub-module of the DNAT module uses dynamic DNAT, a dynamic destination network address translation technique. DNAT works by rewriting the destination network address (the target IP address) of a packet into the IP address of a device in the network where the application server is located: when an external user sends data to the public network IP address, the DNAT module forwards the packet, according to the DNAT rules, to the corresponding device in the network where the application service is located. When the method is applied to defending an IPv6 public network, the huge IPv6 address space can be exploited by deploying the public network IP addresses as an address resource pool, for example the public network resource pool 2408:DAC0:64; the private network IP address may be an IPv6 or IPv4 address, namely the real IP address of the application server, which is kept unchanged. When a DDoS attack or scanning probes exceeding the corresponding threshold are recognized, the DNAT module is triggered to switch the dynamic DNAT rule: a new IPv6 address is randomly generated within 2408:DAC0:64 and replaces the existing DNAT mapping, producing a new DNAT mapping between the intranet IP address and the public network IP address of the application service. Because the IPv6 public network address resource pool is so large, the supply of public network IPv6 addresses that the dynamic DNAT rule can generate is practically unlimited. The DNAT module can also be triggered automatically as required; the user selects the triggering mode and triggering conditions according to the actual situation.
Switching the dynamic DNAT rule only changes the DNAT mapping between the intranet IP and the public network IPv6 address of the application service; public network users are unaware of the change, so the DNS record of the application domain name must be modified as well. In this embodiment, a Socket client is deployed on the application server, a Socket server is deployed on the DNS side, and a Socket channel connects the authoritative DNS for the application domain name with the application server. When the Socket client senses that the dynamic DNAT rule has changed, it transmits the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to the Socket server through the Socket channel. After the Socket server obtains the latest mapping, a program automatically modifies the DNS domain name configuration parameters and sets the corresponding domain name record value to the latest public network IPv6 address. From this point, a public network user that tries the cached IPv6 address for the domain name can no longer reach the target application and must go through the standard DNS resolution flow to the authoritative DNS; a hacker tool that tries to determine its attack target and attack method by automated scanning loses the target IPv6 address, and its subsequent continuous, automated scanning becomes invalid, which realizes the defense against the DNS attack. To continue scanning and probing the application behind that domain name, the hacker would have to manually reset the target and rescan the open ports and services.
After the Socket server has modified the DNS domain name configuration parameters, if the superior DNS has not yet updated the domain name, a public network user may still obtain the original IP address from the cached record and therefore experience noticeable response delays when accessing the application service whose DNS configuration was modified. To reduce this side effect of the record change caused by the dynamic DNAT rule update, the domain name can also be updated on the superior DNS. There are two ways to do this: either the lower-level DNS sends a domain name update request to the superior DNS, which then performs the update, or the TTL value of the DNS record is set appropriately, for example lowered from 24 hours to 10 minutes, so that a cached record that nobody keeps accessing expires automatically after 10 minutes and the next access must ask the authoritative DNS for resolution. When setting the TTL of the DNS record, a small TTL value makes the cached record refresh automatically soon after it expires, whereas a large TTL value can delay a hacker's attack (it increases the time the hacker needs to acquire the target IP).
To balance automatic refreshing after the cached record expires against delaying the hacker's attack, the TTL value may be adjusted with a truncated exponential backoff algorithm: while the application service is under attack, the TTL value grows with the number of attacks, so that the IP address the hacker obtains during a continued attack is the address from before the change, which delays or reduces the attack on the application service. The truncated exponential backoff algorithm is common in computer networking and communications, where it addresses retransmission, congestion avoidance and similar problems. It improves on the plain exponential backoff algorithm; its core idea is that when retransmissions or other errors occur, the waiting time grows exponentially but stops growing once a threshold is reached, so that an excessively long wait does not prevent data from being transmitted.
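The truncated exponential backoff TTL policy described above, as an added Python example that is not part of the patent: the 10-minute base TTL and the 24-hour cap are the page's own figures; the quiet period after which the backoff restarts is an assumption.

```python
BASE_TTL = 600          # 10 minutes: fast refresh while the zone is quiet
MAX_TTL = 86400         # 24 hours: truncation point of the backoff


def backoff_ttl(attack_count: int, base_ttl: int = BASE_TTL, max_ttl: int = MAX_TTL) -> int:
    """Truncated exponential backoff: the TTL doubles once per attack observed
    and stops growing at max_ttl (the 'truncation')."""
    if attack_count < 0:
        raise ValueError("attack_count must be non-negative")
    ttl = base_ttl
    for _ in range(attack_count):
        if ttl >= max_ttl:
            break
        ttl = min(ttl * 2, max_ttl)
    return ttl


class TtlController:
    """Tracks attack events and yields the TTL to publish with the next record change.
    A quiet period longer than quiet_seconds (assumed value) resets the backoff so
    normal users get the fast-refreshing small TTL again."""

    def __init__(self, quiet_seconds: float = 3600.0):
        self.quiet_seconds = quiet_seconds
        self.attack_count = 0
        self.last_attack = None

    def on_attack(self, now: float) -> int:
        """Called whenever the DNAT module is triggered by an attack; returns the
        TTL the Socket server should set on the rewritten AAAA record."""
        if self.last_attack is not None and now - self.last_attack > self.quiet_seconds:
            self.attack_count = 0       # attack series ended; start the backoff over
        self.attack_count += 1
        self.last_attack = now
        return backoff_ttl(self.attack_count)

    def idle_ttl(self) -> int:
        """TTL to publish on a periodic (non-attack) rotation."""
        return BASE_TTL
```

A larger TTL only delays a resolver that already cached the pre-rotation address; resolvers that missed the rotation window still learn the new address from the authoritative DNS.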
In order to maintain the security of the authoritative DNS, the authoritative DNS may be set to only respond to the IP address resolution request of the specified superior DNS, so that the hacker may be prevented from obtaining the target IP address to a certain extent by combining the manner of adjusting the TTL value by using the truncated exponential backoff algorithm.
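To make the S1-S4 cycle and the superior-DNS restriction concrete, here is an added, self-contained Python sketch (not code from the patent or its assignees) of the DNAT module's probe-threshold trigger, the Socket-channel update message, the authoritative DNS record rewrite, and the refusal of resolution requests from anything but the specified superior DNS. It reads the page's 2408:DAC0:64 pool as the prefix 2408:dac0::/64 (an assumption); the intranet address, domain name, resolver and probe source addresses are constructed.

```python
import ipaddress
import json
import secrets
from collections import deque
from dataclasses import dataclass

# Constructed values: the page's "2408:DAC0:64" pool is read as the prefix
# 2408:dac0::/64 (assumption); intranet address, domain and resolver are made up.
PUBLIC_POOL = ipaddress.IPv6Network("2408:dac0::/64")
INTRANET_IP = "10.0.0.5"            # real server address, never changes
APP_DOMAIN = "app.example.test"
SUPERIOR_DNS = "2001:db8::53"       # the only resolver the authoritative DNS answers
PROBE_THRESHOLD = 5                 # probes per source per window before S1 triggers
PROBE_WINDOW_SECONDS = 60.0


def random_pool_address(pool: ipaddress.IPv6Network) -> str:
    """Pick a uniformly random host address inside the public IPv6 pool."""
    return str(pool.network_address + secrets.randbits(128 - pool.prefixlen))


@dataclass(frozen=True)
class DnatRule:
    intranet_ip: str
    public_ip: str


class DnatModule:
    """Holds the current dynamic DNAT rule and the scan-probe trigger (step S1)."""

    def __init__(self, pool, intranet_ip):
        self.pool = pool
        self.rule = DnatRule(intranet_ip, random_pool_address(pool))
        self._probes = {}           # source IP -> timestamps of recent probes

    def rotate(self) -> DnatRule:
        """Replace the public address with a fresh, different pool address."""
        new_ip = random_pool_address(self.pool)
        while new_ip == self.rule.public_ip:
            new_ip = random_pool_address(self.pool)
        self.rule = DnatRule(self.rule.intranet_ip, new_ip)
        return self.rule

    def record_probe(self, src_ip: str, now: float) -> bool:
        """Sliding-window probe counter per source; returns True when the
        threshold is exceeded and a rule rotation was triggered."""
        window = self._probes.setdefault(src_ip, deque())
        window.append(now)
        while window and now - window[0] > PROBE_WINDOW_SECONDS:
            window.popleft()
        if len(window) > PROBE_THRESHOLD:
            window.clear()
            self.rotate()
            return True
        return False


def encode_update(domain: str, rule: DnatRule) -> bytes:
    """Socket-channel message from Socket client to Socket server (step S2)."""
    body = {"domain": domain, "intranet_ip": rule.intranet_ip, "public_ip": rule.public_ip}
    return (json.dumps(body) + "\n").encode()


class AuthoritativeDns:
    """Socket server side: rewrites the AAAA record (step S3) and answers only
    the specified superior DNS (step S4 plus the resolver restriction)."""

    def __init__(self, allowed_resolvers):
        self.records = {}
        self.allowed = set(allowed_resolvers)

    def apply_update(self, line: bytes) -> str:
        msg = json.loads(line.decode())
        addr = ipaddress.ip_address(msg["public_ip"])
        # Sanity check before touching the zone: only IPv6 inside the managed pool.
        if addr.version != 6 or addr not in PUBLIC_POOL:
            raise ValueError("refusing record outside the managed pool")
        self.records[msg["domain"]] = str(addr)
        return str(addr)

    def resolve(self, domain: str, requester_ip: str):
        if requester_ip not in self.allowed:
            return None             # refuse anyone but the superior DNS
        return self.records.get(domain)


def simulate(probe_count: int):
    """Run one S1-S4 cycle: probe_count probes from one source, then resolve.
    Returns (public IP before, public IP after, answer given to the superior DNS)."""
    dnat = DnatModule(PUBLIC_POOL, INTRANET_IP)
    dns = AuthoritativeDns(allowed_resolvers={SUPERIOR_DNS})
    dns.apply_update(encode_update(APP_DOMAIN, dnat.rule))
    old_ip = dnat.rule.public_ip
    t0 = 1_700_000_000.0
    for i in range(probe_count):
        if dnat.record_probe("2001:db8:bad::1", t0 + i):
            dns.apply_update(encode_update(APP_DOMAIN, dnat.rule))
    return old_ip, dnat.rule.public_ip, dns.resolve(APP_DOMAIN, SUPERIOR_DNS)
```

In a real deployment the rotate step would also install the new rule in the host's NAT table and the Socket channel would be authenticated, since whoever can write to it controls the zone record.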
When the hacker's scanning and probing frequency and behavior are identified again, the DNAT module is triggered again, a new random DNAT mapping between the intranet IP address and the public network IP address of the application service is generated, and the IPv6 domain name record of the application is modified again through the authoritative DNS, so that the IPv6 address of the application's public network entrance changes; the scanning and probing that precede an intrusion are trapped in repeated idle cycles, which reduces the asset exposure surface and the possibility of being attacked.
In practical application, one server may provide a plurality of application services to the outside, or one server cluster may provide a plurality of application services to the outside, at this time, one Socket client (with a DNAT module built in) may be set on each application service, and then the plurality of Socket clients are connected to one Socket server, so as to implement one-to-many centralized management service.
Based on the DNAT-based DNS attack defense method, this example correspondingly also provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the following steps: monitoring the data sent by external network users to the public network IP address; triggering the DNAT module, by abnormal data or automatically, to update the dynamic DNAT rule; after the Socket client detects the dynamic DNAT rule update, transmitting the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to the Socket server through a Socket channel; and after the Socket server obtains that latest mapping, automatically modifying the DNS domain name configuration parameters and setting the corresponding domain name record value to the latest public network IP address.
As shown in fig. 5, based on the DNAT-based DNS attack defense method and the computer readable storage medium, this embodiment further provides a computer device comprising a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, where the readable storage medium and the processor are both attached to a bus. When the processor executes the computer program it implements the following steps: monitoring the data sent by external network users to the public network IP address; triggering the DNAT module, by abnormal data or automatically, to update the dynamic DNAT rule; after the Socket client detects the dynamic DNAT rule update, transmitting the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to the Socket server through a Socket channel; and after the Socket server obtains that latest mapping, automatically modifying the DNS domain name configuration parameters and setting the corresponding domain name record value to the latest public network IP address.
It is apparent that the above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art; it is neither necessary nor possible to list all embodiments exhaustively here. Obvious variations or modifications extended from them remain within the scope of the claims of this patent application.

Claims (9)

1. A DNS attack defense method based on dynamic DNAT, characterized by comprising the following steps:
s1) a DNAT module monitors forwarded data, and the DNAT module is triggered to update the dynamic DNAT rules by abnormal data, automatically, or by another passive mode; the other passive triggering modes comprise triggering by a network security monitoring module, abnormal-data triggering comprises triggering by a DDoS attack suffered by the application server or by scanning detection exceeding a corresponding threshold, and automatic triggering comprises periodic triggering and manual triggering;
s2) a Socket client monitors changes to the dynamic DNAT rules, and when the dynamic DNAT rules change, the Socket client sends the latest DNAT mapping between the intranet IP address and the public network IP address of the application service to a Socket server over a Socket channel;
s3) after the Socket server receives the latest DNAT mapping between the intranet IP address and the public network IP address of the application service, it automatically modifies the DNS domain name configuration parameters, changing the corresponding domain name record value to the latest public network IP address, i.e. the public network IP address of the application service in that latest DNAT mapping;
s4) a public network user sends a domain name resolution request to the authoritative DNS through the standard DNS procedure, and the authoritative DNS performs the domain name resolution.
2. The method of claim 1, wherein the public network IP address of the application service is an IPv6 address.
3. The method of claim 1, wherein the DNAT module randomly generates a mapping between an intranet IP address and a public network IP address of the application service when updating the dynamic DNAT rules.
4. The method of claim 1, wherein the DNAT module forwards the data packet sent by the public network user to the public network IP address of the application service to the corresponding device in the network where the application service is located according to DNAT rules.
5. A system for DNS attack defense using the dynamic DNAT-based DNS attack defense method of claim 1, comprising:
the DNAT module is used for forwarding data sent by a public network user to a public network IP of the application service to corresponding equipment in a network where the application service is located and updating a dynamic DNAT rule after being triggered;
the Socket client is used for monitoring the update of the dynamic DNAT rule;
the Socket server is used for modifying the DNS domain name configuration parameters according to the updated dynamic DNAT rule;
the Socket client is in communication connection with the DNAT module, and the Socket client is in communication connection with the Socket server through a Socket channel.
6. The system according to claim 5, wherein the DNAT module is provided with a timing submodule that measures the time interval between two adjacent dynamic DNAT rule updates; when the time interval since the last dynamic DNAT rule update reaches a preset time threshold, the timing submodule triggers a dynamic DNAT rule generation submodule in the DNAT module to generate a new dynamic DNAT rule.
7. The system of claim 6, wherein the dynamic DNAT rule generation submodule randomly generates new dynamic DNAT rules.
8. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the method of any of claims 1-4.
9. A computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, characterized in that the computer program, when executed by the processor, implements the method according to any of claims 1-4.
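The four steps of claim 1, together with the random mapping of claim 3, the forwarding rule of claim 4 and the timer of claim 6, as an added worked example in Python (this is not code from the patent or its applicants). It assumes constructed values: the documentation prefix 2001:db8:1::/112 as the public IPv6 address pool, intranet host 10.0.0.8 running the application service, the name app.example.com, a 60-second record TTL, a socketpair standing in for the Socket channel, and the authoritative zone modelled as a dict. The grace window in translate(), which keeps the replaced public address forwarding for one TTL, is this example's own design choice and is not something the claims describe.

```python
import ipaddress
import json
import secrets
import socket

# Constructed sample values (assumptions for this example, not from the patent):
# an IPv6 documentation prefix as the public address pool (claim 2), one intranet
# host running the service, one DNS name, and the TTL the record is published with.
PUBLIC_POOL = ipaddress.ip_network("2001:db8:1::/112")
INTRANET_IP = "10.0.0.8"
DOMAIN = "app.example.com"
DNS_TTL = 60  # seconds; the replaced mapping keeps forwarding this long (assumption)


class DnatModule:
    """DNAT module of claims 1, 3, 4 and 6: holds the live rule and rotates it."""

    def __init__(self, pool, intranet_ip, interval_s):
        self.pool, self.intranet_ip, self.interval_s = pool, intranet_ip, interval_s
        self.listeners = []                 # the Socket client subscribes here (claim 5)
        self.rule, self.previous = None, None  # current mapping; (replaced rule, time)
        self.last_update = 0.0

    def _random_public_ip(self):
        # Claim 3: a random host address from the pool (never the network address).
        offset = secrets.randbelow(self.pool.num_addresses - 1) + 1
        return str(self.pool.network_address + offset)

    def update(self, reason, now):
        """Generate a fresh rule and notify listeners; `reason` records the trigger."""
        new_ip = self._random_public_ip()
        while self.rule and new_ip == self.rule["public_ip"]:
            new_ip = self._random_public_ip()
        self.previous = (self.rule, now) if self.rule else None
        self.rule = {"intranet_ip": self.intranet_ip, "public_ip": new_ip, "reason": reason}
        self.last_update = now
        for notify in self.listeners:
            notify(self.rule)
        return self.rule

    def tick(self, now):
        # Claim 6: fires once the interval since the last update reaches the threshold.
        if self.rule is None:
            return self.update("initial", now)
        if now - self.last_update >= self.interval_s:
            return self.update("periodic", now)
        return None

    def translate(self, dst_ip, now):
        # Claim 4: packets for the service's current public IP go to the intranet device.
        # The replaced IP is honoured for DNS_TTL seconds so cached resolutions still work.
        if self.rule and dst_ip == self.rule["public_ip"]:
            return self.intranet_ip
        if self.previous and dst_ip == self.previous[0]["public_ip"] \
                and now - self.previous[1] < DNS_TTL:
            return self.intranet_ip
        return None  # anything else is not forwarded


def socket_client(sock):
    """Step s2: returns a listener that pushes each new mapping over the Socket channel."""
    def push(rule):
        payload = {"intranet_ip": rule["intranet_ip"], "public_ip": rule["public_ip"]}
        sock.sendall(json.dumps(payload).encode() + b"\n")
    return push


def socket_server_handle_one(sock, zone):
    """Step s3: read one mapping and rewrite the domain's record to the new public IP."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    ip = ipaddress.ip_address(json.loads(buf)["public_ip"])  # validate before touching DNS
    zone[DOMAIN] = {"type": "AAAA" if ip.version == 6 else "A", "value": str(ip), "ttl": DNS_TTL}
    return zone[DOMAIN]


def run_rotation(interval_s=60):
    """Drive the pipeline; returns one (time, trigger, dnat_public_ip, dns_value) per update."""
    client_sock, server_sock = socket.socketpair()
    zone, rows = {}, []
    with client_sock, server_sock:
        dnat = DnatModule(PUBLIC_POOL, INTRANET_IP, interval_s)
        dnat.listeners.append(socket_client(client_sock))
        # Constructed timeline: periodic ticks plus one abnormal-data trigger at
        # t=90 (step s1, e.g. a DDoS or scan-threshold alert from monitoring).
        for t, event in [(0, "tick"), (30, "tick"), (60, "tick"),
                         (90, "ddos_threshold"), (120, "tick")]:
            rule = dnat.tick(t) if event == "tick" else dnat.update(event, t)
            if rule is None:          # t=30 and t=120: interval not reached yet
                continue
            record = socket_server_handle_one(server_sock, zone)
            rows.append((t, rule["reason"], rule["public_ip"], record["value"]))  # step s4 answer
    return rows
```

Running run_rotation() shows the timer firing at t=60, the abnormal-data trigger at t=90 resetting the timer so that the t=120 tick does nothing, and the authoritative record tracking each new public address. Two operational points follow from the model: rotation is only as fast as the record's TTL allows, because resolvers keep serving the old address until it expires (hence the grace window in translate()), and whoever can write to the Socket channel can repoint the domain's record, so that channel needs authentication and the Socket server should validate the received address before touching DNS, as the parsing step here does.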

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311360598.0A CN117118746B (en) 2023-10-20 2023-10-20 DNS attack defense method, system, medium and device based on dynamic DNAT

Publications (2)

Publication Number Publication Date
CN117118746A (en) 2023-11-24
CN117118746B (en) 2024-01-09

Family

ID=88796908

Country Status (1)

Country Link
CN (1) CN117118746B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1411248A (en) * 2002-11-05 2003-04-16 浙江大学 IPV9/IPV4NAT routing apparatus
CN102238243A (en) * 2010-05-05 2011-11-09 华为终端有限公司 Data transmission method and system, address access method, terminal device and server
CN105227686A (en) * 2014-06-20 2016-01-06 中国电信股份有限公司 The Dynamic Configuration of cloud host domain name and system
CN105721457A (en) * 2016-01-30 2016-06-29 耿童童 Network security defense system and network security defense method based on dynamic transformation
CN106209799A (en) * 2016-06-29 2016-12-07 深圳市先河系统技术有限公司 A kind of method, system and dynamic firewall realizing dynamic network protection
WO2019179634A1 (en) * 2018-03-23 2019-09-26 Nokia Solutions And Networks Oy Method and apparatus for dynamic network address translation
CN116032919A (en) * 2022-12-13 2023-04-28 杭州安恒信息技术股份有限公司 DNAT mapping method, DNAT mapping device, DNAT mapping equipment and storage medium
CN116405301A (en) * 2023-04-19 2023-07-07 上海众种生态科技有限公司 Block chain-based multi-fusion terminal and DDoS attack prevention method thereof

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9015833B2 (en) * 2012-11-07 2015-04-21 Trusteer, Ltd. Defense against DNS DoS attack
US20170374088A1 (en) * 2016-06-22 2017-12-28 Sable Networks, Inc. Individually assigned server alias address for contacting a server
CN114531417B (en) * 2020-10-30 2023-09-22 华为技术有限公司 Communication method and device

Also Published As

Publication number Publication date
CN117118746A (en) 2023-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant