KR102187136B1 - DNS Backend Processing For Network Traffic Isolation And Apparatus Therefor - Google Patents

Abstract

An apparatus and method for distributing traffic to a cloud-based server by client traffic isolation is disclosed. The present invention provides a DNS server that provides an optional IP address among a plurality of IP addresses of a server corresponding to the DNS query in response to a DNS query of a client, wherein the DNS server includes a plurality of servers related to the DNS query of the client. Node data; And a rule set for providing a DNS response to the IP address of the server node related to the DNS query according to the IP address of the client. According to the present invention, it is possible to apply a different DNS response policy for each client group. Accordingly, it is possible to provide smooth services to normal users by isolating traffic to different service servers for each client service group.

Description

DNS Backend Processing For Network Traffic Isolation And Apparatus Therefor}

The present invention relates to a method for managing network traffic such as distributed denial of service attacks and a server load resulting therefrom, and more particularly, to a method and apparatus for distributing traffic to a cloud-based server by isolating client traffic.

Distributed denial of service attack is one of the hacking methods that attack a specific site by distributing and operating multiple attackers at the same time. In this method, tools for service attack are planted in multiple computers, and the network performance is degraded or the system is paralyzed by flooding a large amount of packets at the same time that the computer system of the target site cannot handle.

The existing DDoS attack defense technique focused on blocking and discarding traffic using certain rules of DDoS attack. However, the recent DDoS attack method is similar to the normal traffic pattern, so even if such a rule is applied, a large amount of malicious traffic still reaches the attack target server. In addition, in the case of using such a rule-based response method, when normal traffic concentration such as flash crowds occurs, it may be mistaken for malicious traffic.

Meanwhile, Korean Patent Registration No. 900491 consists of a plurality of servers including an origin server, and when the traffic state of the origin server is determined to be a distributed denial of service attack state, the IP address of the origin server is used as It proposes a countermeasure method of reducing the load on the origin server by changing it.

However, such a load balancing-based traffic bypass mechanism makes it difficult to guarantee continuous service to normal users when traffic is congested.

In order to solve the problems of the prior art, an object of the present invention is to provide a DNS service policy based on traffic isolation rather than load balancing.

In addition, an object of the present invention is to provide access to different service servers for each user group according to a pre-set DNS policy of a network operator.

In addition, it is an object of the present invention to provide a DNS backend processing method for directing a user to a server having a different address.

In addition, an object of the present invention is to provide a DNS server for performing the above-described DNS backend processing.

In addition, an object of the present invention is to provide a user classification scheme capable of minimizing user inconvenience despite traffic separation.

In order to achieve the above technical problem, the present invention provides a DNS server providing an optional IP address among a plurality of IP addresses of a server corresponding to the DNS query in response to a DNS query of a client, wherein the DNS server comprises: Node data of a plurality of servers related to the DNS query of the server; And a rule set for providing a DNS response to the IP address of the server node related to the DNS query according to the IP address of the client.

In the present invention, the rule set may include a script that associates the server node with the clients grouped into a plurality of groups.

In the present invention, the node data includes data on a main server and a replication server, and a default mode in which an IP address of the main server is responded to the DNS query of the client; And in response to the client's DNS query, operating in a traffic isolation mode in which the client's access to the main server is selectively blocked according to a group to which the client's IP belongs.

In the present invention, the node data is data corresponding to the ID of the server node and the IP of the server node.

In addition, the rule set may include a script that responds to the IP address of the server node corresponding to the IP address of the client.

In the present invention, the plurality of groups are classified according to priority of access to the main server when traffic is congested. In this case, the plurality of groups may include: a first group ensuring the highest priority access to the main server; A second group blocking access to the main server; And at least a third group that guarantees access to the replication server.

In addition, the third group may be classified according to whether the IP address of the client has a history of past access to the main server or the replica server, and more specifically, whether an IP address with a past access history and an IP prefix are the same. have.

In the present invention, the DNS server may be preferably implemented as a PDNS.

In addition, in order to achieve the above other technical problem, the present invention provides the steps of inputting node data for a plurality of servers including a main server, a replication server, and a quarantine server corresponding to a domain name to a DNS server, and Inputting a rule set related to the plurality of server nodes to be answered in correspondence with the IP address and the client IP address; Setting to provide an IP address of the server node corresponding to the IP address of the client in response to a DNS query of the client, based on the node data and the rule set, when notified that the network traffic is in an abnormal state; And responding to a DNS query of a client according to the above setting.

According to the present invention, a client service group is classified into a static white list, a dynamic white list, a black list, and a dynamic white list based on the behavior of a client, so that a different DNS response policy can be applied for each client group. Accordingly, it is possible to provide a smooth service to a normal user by isolating traffic from a client's traffic request to a different service server.

In addition, the classification of user groups according to the present invention can minimize service access damage of normal users even in the case of a malicious request using an IP spoofing technique.

1 is a diagram schematically showing an overall system configuration for implementing an attack traffic distribution method according to a preferred embodiment of the present invention.
2 is a diagram schematically illustrating a procedure for operating and distributing traffic of a replication server according to a preferred embodiment of the present invention.
3 is a diagram schematically showing a classification apparatus for classifying a user group as a premise of traffic separation.
4 is a diagram schematically showing an example of user classification for DNS backend processing according to the present invention.
5 is a diagram illustrating a blacklist report created by a list creation unit as an example.
6 is a diagram showing a system architecture for explaining traffic separation according to a preferred embodiment of the present invention.
7 shows a backend processing procedure of a DNS server according to a preferred embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings, the present invention will be described in detail so that those of ordinary skill in the art can easily implement the present invention. However, the present invention may be implemented in a form different from that illustrated below and is not limited to the embodiments described herein. In addition, parts not related to the description are omitted in the drawings in order to clearly describe the present invention, and similar reference numerals are attached to similar parts throughout the specification.

In describing the present invention, when it is determined that a detailed description of a related known configuration or function may obscure the subject matter of the present invention, a detailed description thereof will be omitted.

1 is a diagram schematically showing an overall system configuration for implementing an attack traffic distribution method according to a preferred embodiment of the present invention.

As shown, the main server (SM) and a plurality of replication servers (R11, R12, R21, R23) are distributed in a network (Network 10) provided by an Internet service provider (Internet Service Provider).

In the present invention, the main server SM may be a web server that implements a service on a web page with a domain name such as'www.naver.com'.

The replication server (R11, R12, R21, R23) refers to a server capable of providing the function of the main server (R11, R12, R21, R23) by having a copy of all or part of the original content held by the main server. .

Replication servers (R11, R12, R21, R23) can be implemented in various types. First, the replication server may be configured in the form of copying the entire contents of the main server to the replication server. Although it takes a long time to duplicate and requires a lot of storage device resources, the most stable service can be provided to users.

In contrast, the replication server can be configured in a form in which a specific content that is frequently requested by a user is copied to the replication server. Such an interest-based replication server may determine whether or not a user request is a frequent content, based on the number of requests from a user for the content. The interest-based replication server requires relatively few resources, but the service provider must monitor which content users are interested in, and update the contents of the replication server accordingly.

In addition, it may be configured as a content type-based replication server that stores content by dividing the type of content into a multimedia file, a document file, and a user file. That is, one replication server is responsible for more than one content type. In this case, the content type may be a file format of the content, or may be a preset content classification.

In the present invention, the replication servers R11, R12, R21, R23 may be implemented with cloud computing technology. Cloud computing is a technology that integrates and provides the resources of computers in different physical locations with virtualization technology.It enables efficient use of the resources of the replication server, and uses the resources of the server in the virtual space. Make it possible to build. Physically, the replication server may be located in a data center managed by a main server administrator or a data center of another operator who has an agreement with the administrator.

In the present invention, the replication server does not necessarily have to be implemented with cloud computing technology, but may be configured with separate internal or external resources.

According to the present invention, network traffic including a user U and an attacker A connected to the network 10 are properly separated.

In the normal operation mode, a normal packet transmitted by the user U is transmitted to the main server SM through a path on the network 10.

In case of traffic congestion such as flooding of Attack Packets due to DDoS attack of malicious user (A), the replication server is activated at an appropriate location on the network path to the main server. The replication server may be activated by an initiation message including the capacity, number and activation time of servers transmitted to the manager of the data center related to the location to be activated. The replication server is synchronized with the main server. A separate network, such as a content delivery network (CDN), may be configured for synchronization between the replication server and the main server.

During a DDoS attack, an attack flood is redirected to the active replication servers R11 and R12 located on the network path to the main server.

In the present invention, a separate means such as the replication server management device 100 is added to a location adjacent to the main server (SM) of the network 10 in order to determine the activated location and required resources of the replication server. Can be.

The replication server management apparatus 100 monitors the traffic of the network 10 and the state of the main server SM, and manages resources related to the replication server based on this. The replication server management apparatus 100 may receive information on whether a DDoS attack from a separate Intrusion Detection System (IDS) in order to determine whether to initiate the replication server, and refer to the determination of whether to start the replication server. .

As described above with reference to FIG. 1, the traffic of the attacker (A) and users (U1, U2, U3) is distributed to several servers including a replication server. A method of distributing traffic according to the present invention will be described later.

2 is a diagram schematically illustrating a procedure for operating and distributing traffic of a replication server according to a preferred embodiment of the present invention.

Referring to FIG. 2, when traffic congestion occurs by a malicious attacker or the like, an abnormal state is detected by means such as an Intrusion Detection System (IDS) (S100). When an abnormal state is detected, replication servers scattered in the network are invoked (S110). When the replication server is started, the client traffic is divided into a plurality of replication servers (S120). In this case, as described later, a traffic isolation method based on DNS backend process is applied. When the attack ends and the network traffic returns to the normal state, the replication server is stopped (S130).

3 is a diagram schematically showing a classification apparatus for classifying a user group as a premise of traffic separation.

Referring to the drawings, the user group classification apparatus 200 may include a monitoring unit 210, an IP extraction unit 220, and a list creation unit 230.

In the present invention, the monitoring unit 210 receives a DDoS detection notification rule from IDS or monitors the connection record of the client IP to the main server.

When an abnormal state message such as a DDoS detection notification is received from the IDS, the IP extraction unit 220 extracts an IP address involved in the DDoS attack from the message. The list creation unit 230 may create a black list based on the extracted IP address.

In addition, the monitoring unit 210 monitors a list of IPs connected to the main server and/or the replication server, and the IP extraction unit 220 manages the connection record of the extracted IP. For example, the IP extraction unit 220 may record the prefix and access frequency of the connected IP.

5 is a diagram illustrating a blacklist report created by a list creation unit as an example.

As shown, in the first column (D1) of the report, the date and time of creation of the report is recorded, and the number of new IP addresses added in the report is indicated. For example, "0" is written in column D1 of FIG. 5 to indicate that no new IP has been added compared to the previous report.

In addition, the DDoS attack frequency and the corresponding IP address are listed below the second column of the report. For example, "25: 192. 168. 1. 14" indicates that there were a total of 25 attack attempts from the IP address 192. 168. 1. 14.

As described above, the user classification apparatus classifies a user who has accessed by interworking with an external system such as IDS, a main server, and/or a replication server according to appropriate criteria. Of course, in the present invention, the user classification device 200 may be implemented as a part of the main server related to FIG. 1 or as a separate component such as the replication server management device 100. In addition, the user classification device 100 may be implemented as a component integrated with the replication server management device 100.

In the present invention, users can be classified into three types. First, a group of clients with the highest priority may be classified into a white list. Next, the group with the lowest priority may be classified as a blacklist. In addition, the rest of the clients will be able to be incorporated into the Vine list. This group has normal priority and is a group that is potentially whitelisted or blacklisted.

According to the present invention, a white list, a black list and a blank list can be automatically generated. For example, the white list may include specific clients selected as VIP clients such as corporate customers. In addition, the black list is a group that has participated in or abused the DDoS attack in the past. Accordingly, the white list and the black list can be classified by using the past attack history and customer information, and all of the remaining clients can be classified into the Vine list.

In the present invention, the client group can be further subdivided based on the user's past behavior. 4 is a diagram schematically showing an example of user classification for DNS backend processing according to the present invention.

In FIG. 4, each client group is classified as follows.

SW: Static White List

DW: Dynamic White List

BL: Black List

BN: Benign List

MW: Mixed White List

SG: Static Gray List

DG: Dynamic Gray List

GL: Gray List

SW refers to a specific group selected as a VIP customer group. This group is mostly a group of clients with static IP addresses. BL is a group of clients with IP addresses used in the past DDoS attack.

The DW consists of a client with an IP address with a record of past access. More preferably, a client IP having the same prefix as an IP address with a connection record may be included in the DW. To this end, a table including the IP address prefix and the number of connections can be used for DW classification as follows. The table of Table 1 may be obtained by the above-described user classification device.

IP Prefix Frequency
(# of connection) 98. 24. 64. * 10 140. 22. 29. * 5 … …

User classification of DW group based on IP prefix has the following advantages. Statistically, it can be estimated that more than 99% of the connections from IP addresses with the same prefix as the IP addresses with previous connection history are legitimate users. Therefore, organizing clients into DW groups using access records and IP prefixes can be an important way to identify legitimate users. However, it is desirable that services for these groups have a lower priority than that of the SW group.

In the present invention, clients having attributes belonging to the above DW, SW, and BL groups can be further subdivided. Clients whose client IP belongs to both SW and DW are classified into MW group. This group can give higher service priority compared to DW. In addition, client IPs belonging to both SW and BL are classified as SG groups, and client IPs belonging to both DW and BL are classified as DG. Each of these groups may be given a higher service priority than the BL group. In addition, clients belonging to the SW, DW, and BL groups at the same time are classified as GL, and may be given higher priority compared to SG and DG. Meanwhile, clients that do not have other IP access records may be classified into BN groups. The BN group has a lower priority of isolation to the quarantine server than that of the BL, DG, SG and GL groups, and the priority of traffic isolation to the main server is also lower than that of SW, MW and DW.

The priority to which traffic isolation from the main server is applied to each client group is as follows.

Priority group One BL 2 DG 3 SG 4 GL 5 BN 6 DW 7 MW 8 SW

6 is a diagram showing a system architecture for explaining traffic separation according to a preferred embodiment of the present invention.

Referring to FIG. 6, the DNS server responds to a DNS query from a client.

The DNS server may preferably be implemented with PDNS (Power DNS). The PDNS may have a backend script that enables various responses according to the source IP included in the query of the client.

6 shows an input for the DNS server to perform traffic separation. The inputs include node data 310, rule set 320, and abnormal data 330.

The node data 310 includes ID and address information of a main server and a replication server for providing a service. In addition, additional information may be included in the node data. For example, the additional information may include the name or description of the server, the size of the server, and other additional data. For example, the node data may be configured as shown in Table 3 below.

The node data 310 may be transmitted from the above-described main server or replication server management apparatus.

Node ID IP Address Reserved 0 192.168.1.10 Main Server/capacity/additional data One 192.168.1.100 Replica #1/capacity/additional data 2 192.168.1.101 Replica #2/capacity/additional data

The rule set refers to rules in the form of a file that logically describes rules for implementing a backend script of a DNS server.

For example, the rules include information on which DNS response to provide to a source IP related to a query according to the aforementioned user classification of the corresponding IP.

Rules can be separated by a newline character such as'\n' as follows.

(if $ip eq "192.168.1.12") && ($qtype eq "A" || $qtype eq "ANY") ＼n

… … .. ＼n

EOF

For example, the rules may include a script that transmits to a specific node (eg, a quarantine server node) when the input IP is an IP classified as a blacklist. In addition, for IP classified as a white list, a script for transmitting to another node (eg, a main server node) may be included. In addition, it may include a script that transmits the IP classified as a dynamic whitelist to another node (for example, a replication server).

The rules may be created based on the above-described report of the user classification device. Also, the rules may be created by a system operator or transmitted from an external system.

Additionally, abnormal data may be input to the DNS server. The abnormal data includes information on the type of traffic abnormality. For example, the abnormal data may include information on which DDoS attack type. The information on the abnormal state may be reflected in the above-described rule set and referred to for performing traffic isolation.

The DNS server extracts the IP address or packet source IP address of the client from the query packet from the client. An appropriate DNS response is provided for the extracted IP address based on the above-described rule set.

7 shows a backend processing procedure of a DNS server according to a preferred embodiment of the present invention.

Referring to FIG. 7, node data (S210) and rule set (S210) are first provided to a DNS server (S210 and S212).

It is determined whether the network traffic is in an abnormal state based on information provided by the IDS or the like (S214). If it is not in an abnormal state, the DNS server operates with the DNS function of the default mode (S216).

In the abnormal state, the traffic isolation mode for DNS queries is initiated.

DDoS attack type information is input to the DNS server (S220), and an appropriate DNS response is provided based on the input rule set and node data for the DNS query of the client.

When the corresponding IP address is classified as a blacklist based on the IP address of the client related to the query (S224), a DNS response that directs the client to the address of the quarantine server is provided (S226).

If the IP address is classified as a static whitelist (S228), it is provided in a DNS response directed to the address of the main server (S230), and if the IP address is classified as a dynamic whitelist (S232), the client is transferred to the replication server. A leading DNS response is provided (S234).

Although not shown, an appropriate DNS response may be provided for a client query of another IP address group described in connection with FIG. 5.

A attacker
U user
R replication server
10 network
100 Replication Server Resource Management Device
200 user classification devices
210 IP extraction unit
220 List Maker
300 DNS servers
310 node data
320 rule set
330 abnormal data

Claims (11)

In response to a DNS query of a client, a DNS server providing an optional IP address among IP addresses of a main server and a replication server corresponding to the DNS query,
The DNS server,
Operates in a traffic isolation mode that selectively blocks access of the client to the main server according to the group to which the client's IP address belongs,
The DNS server,
Node data including IP addresses of the main server and the replica server for DNS response to the client's DNS query; And
And a rule set for determining a group to which the client belongs according to the IP address of the client, and providing an IP address of a main server or a replication server corresponding to the group as the DNS response.
delete The method of claim 1,
And a default mode in which the IP address of the main server is responded to the DNS query of the client.
The method of claim 1,
The node data,
DNS server, characterized in that the ID and the IP address of the main server and the replication server respectively correspond.
The method of claim 1,
The rule set,
DNS server comprising a script for providing the IP address of the main server or the replication server corresponding to the IP address of the client in the DNS response.
The method of claim 1,
The group to which the client belongs is classified according to a priority of access to the main server when traffic is congested.
In response to a DNS query of a client, a DNS server providing an optional IP address among a plurality of IP addresses of a server corresponding to the DNS query,
The DNS server,
Node data of a plurality of servers related to the client's DNS query; And
Having a rule set for providing a DNS response to the IP address of the server related to the DNS query according to the IP address of the client,
The rule set above is
The server is mapped to the client grouped into a plurality of groups,
The node data includes data on the main server and the replication server,
A default mode in which the IP address of the main server is responded to the DNS query of the client; And
As a response to the client's DNS query, operating in a traffic isolation mode in which the client's access to the main server is selectively blocked according to a group to which the client's IP belongs,
The plurality of groups are classified according to priority of access to the main server when traffic is congested,
The plurality of groups,
A first group ensuring the highest priority access to the main server;
A second group blocking access to the main server; And
DNS server, characterized in that it comprises a third group that guarantees access to at least the replication server.
The method of claim 7,
The third group,
DNS server, characterized in that the IP address of the client is classified according to whether there is a history of past access to the main server or the replication server.
The method of claim 7,
The third group,
DNS server, characterized in that the IP address of the client is classified according to whether or not an IP address having a past access history to the main server or a replication server and an IP prefix are the same.
The method of claim 1,
DNS server, characterized in that the DNS server is implemented as a PDNS.
Inputting node data for a plurality of servers including a main server, a replication server, and a quarantine server corresponding to the domain name in the DNS server;
Inputting, to the DNS server, an IP address of a client and a rule set for the plurality of servers to be answered in correspondence to the client IP address;
When notified that the network traffic is abnormal, operates in a traffic isolation mode that selectively blocks access of the client to the main server according to the group to which the client's IP address belongs, and the node data and the rule set On the basis of, setting to provide an IP address of the server corresponding to the IP address of the client in response to the client's DNS query; And
Including the step of responding to the DNS query of the client according to the setting,
The node data is
For a DNS response to the client's DNS query, including the IP addresses of the plurality of servers,
The rule set above is
And determining a group to which the client belongs according to the IP address of the client, and providing an IP address of a server corresponding to the group as the DNS response.

Images