TWI787168B - Defense method, device and system for network attack - Google Patents


Publication number: TWI787168B
Authority: TW (Taiwan)
Prior art keywords: dns response, response message, domain name, target, network device
Application number: TW106101921A
Other languages: Chinese (zh)
Other versions: TW201828140A (en)
Inventors: 肖洪亮, 張大成
Original assignee: 香港商阿里巴巴集團服務有限公司
Application TW106101921A filed by 香港商阿里巴巴集團服務有限公司; published as TW201828140A; granted as TWI787168B.


Abstract

This application provides a method, device and system for defending against network attacks. The method includes: receiving a target DNS response message that an external network device intends to send to an internal network device; when a dynamic whitelist contains the source address in the target DNS response message, determining whether the target DNS response message satisfies a preset condition; and, if the target DNS response message satisfies the preset condition, discarding the target DNS response message. The preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in which has been extracted from historical DNS response messages sent by the external network device. This application can filter out the DNS response messages with which a real source attacks internal network devices using ever-changing domain names, thereby mitigating the impact of DNS response attacks on services and the network.

Description

Defense method, device and system for network attack

This application relates to the field of network technology, and in particular to a method, device and system for defending against network attacks.

With the continuous advance of network technology, network attacks are becoming more and more common. Among the many kinds of network attack, the distributed denial of service (DDoS) attack has become one of the more serious. Within DDoS attacks, the DNS response attack has become a mainstream type; it may also be called a Domain Name System (DNS) response attack.

To defend against DNS response attacks, a scrubbing device can be added to the original system to form a defense system. Figure 1 is a schematic structural diagram of such a defense system; as the figure shows, the scrubbing device is deployed in bypass mode beside the routing device.

With the scrubbing device deployed in bypass mode, source probing can be used to scrub the malicious DNS response messages that an external network device sends to an internal network device. The scrubbing process is as follows. After the scrubbing device receives a DNS response message sent by the external network device to the internal network device, it extracts the source address from the message and checks whether that source address is contained in a dynamic whitelist. If the source address is not in the dynamic whitelist, the scrubbing device sends a DNS Request message to the external network device as a probe. If no DNS response message comes back from the external network device, the external network device is determined to be a spoofed source and the DNS response message is discarded; if a DNS response message does come back and the domain name in it satisfies certain conditions, the external network device is determined to be a real source and its IP address is added to the dynamic whitelist. If the source address is already in the dynamic whitelist, that is, the external network device is a real source, the DNS response message is forwarded.

DNS response attacks can be divided by type into real-source attacks and spoofed-source attacks. Because the dynamic whitelist contains only the IP addresses of real sources and never those of spoofed sources, source probing can only scrub DNS response attacks launched from spoofed sources; it cannot scrub DNS response attacks launched from real sources.

In view of this, a method is needed to scrub DNS response attacks launched from real sources, so as to mitigate the impact of DNS response attacks on services and the network.

This application provides a method, device and system for defending against network attacks that scrub DNS response attacks launched from real sources, so as to mitigate the impact of DNS response attacks on services and the network.

To achieve the above purpose, this application provides the following technical means. A method for defending against network attacks includes: receiving a target DNS response message that an external network device intends to send to an internal network device; when a dynamic whitelist contains the source address in the target DNS response message, determining whether the target DNS response message satisfies a preset condition; and, if the target DNS response message satisfies the preset condition, discarding the target DNS response message. The preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in which has been extracted from historical DNS response messages sent by the external network device.

Preferably, the preset condition further includes: the time interval between a first sending time and a second sending time at which the external network device initiates access to the target domain name is less than a preset time interval, where the first sending time is the sending time of the target DNS response message and the second sending time is the most recent time, before the first sending time, at which the external network device sent a DNS response message containing the target domain name.

Preferably, the method further includes: when the time interval is not less than the preset time interval, forwarding the target DNS response message to the internal network device.

Preferably, the method further includes: if the target domain name in the target DNS response message is not contained in the historical domain name record, storing the target domain name and the sending time of the target DNS response message in the historical domain name record.

Preferably, the method further includes: based on the historical domain name record corresponding to the source address of the external network device, calculating the ratio of the number of domain names whose hit count exceeds a preset count to the total number of domain names, where the historical domain name record contains every domain name in the historical DNS response messages sent by the external network device together with the hit count of each domain name, and the preset count is a natural number not less than 3; and, if the ratio is greater than a preset ratio, deleting the source address of the external network device from the dynamic whitelist and adding it to a dynamic blacklist.

Preferably, the hit count of each domain name in the historical domain name record is calculated as follows: after a DNS response message is received, the domain name in that DNS response message is looked up in the historical domain name record and its hit count is increased by 1, the initial hit count of every domain name being zero.

Preferably, the preset condition further includes: the total traffic value, being the sum of the traffic value of the target DNS response message and the traffic value of the historical DNS response messages, is greater than a preset traffic value, where the historical DNS response messages are all DNS response messages sent by the external network device before the target DNS response message.

Preferably, the method further includes: when the total traffic value is greater than the preset traffic value, deleting the source address from the dynamic whitelist and adding it to the dynamic blacklist.

Preferably, the traffic value of the historical DNS response messages is calculated as follows: each time the source address of the external network device sends a DNS response message, the traffic value of that DNS response message is added to the traffic value of the historical DNS response messages, whose initial value is zero.

Preferably, the method further includes: when the dynamic blacklist contains the source address in the target DNS response message, discarding the target DNS response message.

A device for defending against network attacks includes: a receiving unit for receiving a target DNS response message that an external network device intends to send to an internal network device; a determining unit for determining, when a dynamic whitelist contains the source address in the target DNS response message, whether the target DNS response message satisfies a preset condition; and a first discarding unit for discarding the target DNS response message if it satisfies the preset condition. The preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in which has been extracted from historical DNS response messages sent by the external network device.

Preferably, the preset condition further includes: the time interval between a first sending time and a second sending time at which the external network device initiates access to the target domain name is less than a preset time interval, where the first sending time is the sending time of the target DNS response message and the second sending time is the most recent time, before the first sending time, at which the external network device sent a DNS response message containing the target domain name.

Preferably, the device further includes a forwarding unit for forwarding the target DNS response message to the internal network device when the time interval is not less than the preset time interval.

Preferably, the device further includes a storage unit for storing the target domain name and the sending time of the target DNS response message in the historical domain name record if the target domain name in the target DNS response message is not contained in that record.

Preferably, the device further includes: a ratio calculation unit for calculating, based on the historical domain name record corresponding to the source address of the external network device, the ratio of the number of domain names whose hit count exceeds a preset count to the total number of domain names, where the historical domain name record contains every domain name in the historical DNS response messages sent by the external network device together with the hit count of each domain name, and the preset count is a natural number not less than 3; a first deleting unit for deleting the source address of the external network device from the dynamic whitelist if the ratio is greater than a preset ratio; and a first adding unit for adding the source address of the external network device to a dynamic blacklist.

Preferably, the device further includes a hit count calculation unit for looking up, after a DNS response message is received, the domain name in that DNS response message in the historical domain name record and increasing its hit count by 1, the initial hit count of every domain name being zero.

Preferably, the preset condition further includes: the total traffic value, being the sum of the traffic value of the target DNS response message and the traffic value of the historical DNS response messages, is greater than a preset traffic value, where the historical DNS response messages are all DNS response messages sent by the external network device before the target DNS response message.

Preferably, the device further includes: a second deleting unit for deleting the source address from the dynamic whitelist when the total traffic value is greater than the preset traffic value; and a second adding unit for adding the source address to the dynamic blacklist.

Preferably, the device further includes a traffic calculation unit for adding, each time the source address of the external network device sends a DNS response message, the traffic value of that DNS response message to the traffic value of the historical DNS response messages, whose initial value is zero.

Preferably, the device further includes a second discarding unit for discarding the target DNS response message when the dynamic blacklist contains the source address in the target DNS response message.

A system for defending against network attacks includes an external network device, a scrubbing device and an internal network device. The external network device sends to the scrubbing device a target DNS response message intended for the internal network device. The scrubbing device receives the target DNS response message that the external network device intends to send to the internal network device; when a dynamic whitelist contains the source address in the target DNS response message, determines whether the target DNS response message satisfies a preset condition; and, if the target DNS response message satisfies the preset condition, discards it, where the preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in which has been extracted from historical DNS response messages sent by the external network device. The internal network device receives the DNS response messages that have passed scrubbing by the scrubbing device.

The technical content above shows that this application has the following beneficial effects:

In the embodiments of this application, once the source address in the target DNS response message is confirmed to be in the dynamic whitelist, the external network device that sent the target DNS response message is confirmed to be a real source rather than a spoofed one. One way a real source launches a DNS response attack is by frequently sending DNS response messages containing different domain names at an internal network device. This application therefore keeps a historical domain name record of every domain name the external network device has sent.

When the target domain name in the target DNS response message is not contained in the historical domain name record, this indicates that the external network device is sending a DNS response message containing that domain name for the first time. In that case the target DNS response message may be part of a DNS response attack in which the external network device uses ever-changing domain names, so, to keep the internal network device from being attacked, the target DNS response message is discarded.

Because a normal external network device has an automatic retransmission mechanism, after its DNS response message is discarded it will resend the target DNS response message once it receives the DNS Request message retransmitted by the internal network device; this application therefore does not prevent normal DNS response messages from reaching the internal network device. A malicious external network device, by contrast, has no retransmission mechanism, so this application can filter out the DNS response messages with which a real source attacks internal network devices using different domain names, mitigating the impact of DNS response attacks on services and the network.

Reference numerals used in the figures:
61: receiving unit
62: determining unit
63: first discarding unit
64: forwarding unit
65: storage unit
66: ratio calculation unit
67: first deleting unit
68: first adding unit
69: hit count calculation unit
71: traffic calculation unit
72: second deleting unit
73: second adding unit
74: second discarding unit
100: external network device
200: routing device
300: internal network device
400: scrubbing device

To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of this application; a person of ordinary skill in the art could obtain other drawings from them without inventive effort.

Figure 1 is a schematic structural diagram of a defense system; Figure 2 is a flow chart of a method for defending against network attacks disclosed in an embodiment of this application; Figure 3 is a flow chart of another method for defending against network attacks disclosed in an embodiment of this application; Figure 4 is a flow chart of modifying the dynamic whitelist in a method for defending against network attacks disclosed in an embodiment of this application; Figure 5 is a flow chart of yet another method for defending against network attacks disclosed in an embodiment of this application; Figure 6 is a schematic structural diagram of a device for defending against network attacks disclosed in an embodiment of this application; Figure 7 is a schematic structural diagram of another device for defending against network attacks disclosed in an embodiment of this application; Figure 8 is a schematic structural diagram of yet another device for defending against network attacks disclosed in an embodiment of this application.

The technical solutions in the embodiments of this application will be described clearly and completely below with reference to the accompanying drawings of those embodiments. Obviously, the embodiments described are only some of the embodiments of this application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in this application without inventive effort fall within the scope of protection of this application.

To clearly introduce the application scenario of this application, refer to Figure 1, which shows a system for defending against network attacks. The system specifically includes an external network device 100, a routing device 200, an internal network device 300 and a scrubbing device 400 deployed in bypass mode beside the routing device 200.

The external network device 100 sends to the scrubbing device 400 DNS response messages intended for the internal network device 300; the DNS response messages sent by the external network device may have attack DNS response messages mixed in among the normal ones. The scrubbing device 400 therefore scrubs the malicious DNS response messages out of the external network device's traffic and forwards the remaining normal DNS response messages to the internal network device 300.

On the basis of the defense system shown in Figure 1, this application provides a method for defending against network attacks. This application describes in detail only one external network device and the one internal network device it wants to access; it will be understood that other external and internal network devices are handled in the same way as in the method provided here.

As shown in Figure 2, this application provides a method for defending against network attacks, applied to the scrubbing device, which specifically comprises the following steps S201 to S203:

Step S201: receive a target DNS response message that the external network device intends to send to the internal network device.

After receiving an instruction to send the target DNS response message, the external network device sends to the scrubbing device the target DNS response message intended for the internal network device. The target DNS response message includes the source address (IP address) of the external network device that sent it and the target domain name under which the external network device wants to access the internal network device. After receiving the target DNS response message, the scrubbing device can examine it to determine whether it is a malicious DNS response message.

Step S202: when the dynamic whitelist contains the source address in the target DNS response message, determine whether the target DNS response message satisfies the preset condition.

The scrubbing device maintains a dynamic whitelist that stores the IP addresses of real sources that are, for the time being, not malicious. That status is temporary: when an IP address is found, under the decision conditions of this application, to have become malicious, it is deleted from the dynamic whitelist. That is, the IP addresses in the dynamic whitelist of this application are not fixed but change dynamically, which is why it is called a dynamic whitelist. After receiving the target DNS response message, the scrubbing device extracts the source address of the external network device from it and checks whether the dynamic whitelist contains that source address.

If the dynamic whitelist does not contain the source address of the external network device, source probing is used to determine whether the external network device at that source address is a spoofed source; if it is, the target DNS response message is a malicious DNS response message sent by a spoofed source and is discarded.

If the dynamic whitelist contains the source address of the external network device, the external network device is a real source and the target DNS response message is a DNS response message sent by a real source. As attack techniques have developed, real sources can also be used by attackers as attack sources, so after the external network device is determined to be a real source a further decision is needed to determine whether the target DNS response message is malicious.

Since one way a real source launches a DNS response attack is by frequently sending DNS response messages containing different domain names at an internal network device, the scrubbing device in this application builds a historical domain name record for each IP address in the dynamic whitelist. The historical domain name record records the domain names contained in the DNS response messages sent from each IP address. Thus, in this embodiment the scrubbing device also holds a historical domain name record corresponding to the external network device, which records the domain names that have appeared in the historical DNS response messages sent by the external network device.

To further determine whether the target DNS response message is malicious, this embodiment sets a preset condition in advance. The preset condition at least includes: the target domain name in the target DNS response message is not contained in the historical domain name record, each historical domain name in which has been extracted from historical DNS response messages sent by the external network device.

After determining that the dynamic whitelist contains the source address of the target DNS response message, the scrubbing device extracts the target domain name from the target DNS response message and then checks whether the historical domain name record corresponding to that source address contains the target domain name, that is, whether the target DNS response message satisfies the preset condition.

步驟S203:若所述目標DNS回應訊息滿足預設條件,則丟棄所述目標DNS回應訊息。若所述目標DNS回應訊息不滿足預設條件,則執行其它處理。 Step S203: discarding the target DNS response message if the target DNS response message satisfies a preset condition. If the target DNS response message does not satisfy the preset condition, other processing is performed.

如果歷史網域名稱記錄中不包含目標網域名稱,則表明外網設備首次發送包含目標網域名稱的DNS回應訊息。在此情況下,目標DNS回應訊息可能是由外網設備以不同網域名稱方式發起DNS回應攻擊,所以,歷史網域名稱記錄中不存在目標網域名稱。在此情況下,為了避免內網設備遭受攻擊,此時丟棄目標DNS回應訊息。此過程可稱為“首包丟棄機制”。 If the historical domain name record does not contain the target domain name, it indicates that the external network device sends a DNS response message containing the target domain name for the first time. In this case, the target DNS response message may be a DNS response attack initiated by an external device using a different domain name, so the target domain name does not exist in the historical domain name record. In this case, in order to prevent the intranet device from being attacked, the target DNS response message is discarded at this time. This process may be referred to as the "first packet drop mechanism".

可以理解的是,目標DNS回應訊息還可能是正常的外網設備發起的(外網設備第一次訪問目標網域名稱對應的內網設備),在本申請案假設目標DNS回應訊息是正常,在本步驟中也會被丟棄。鑒於此,在丟棄目標DNS回應訊息之後,將目標網域名稱儲存在歷史網域名稱記錄中,以便正常的外網設備在重發機制下再次發送的包含目標DNS回應訊息中的目標網域名稱會包含在歷史網域名稱記錄中,即歷史網域名稱記錄中的目標網域名稱被命中,從而保證正常的DNS訊息不會因為“首包丟棄機制”被丟棄。 It is understandable that the target DNS response message may also be initiated by a normal external network device (the external network device accesses the internal network device corresponding to the target domain name for the first time). In this application, it is assumed that the target DNS response message is normal. It is also discarded in this step. In view of this, after discarding the target DNS response message, store the target domain name in the historical domain name record, so that the normal external network device can resend the target domain name in the target DNS response message under the retransmission mechanism It will be included in the historical domain name record, that is, the target domain name in the historical domain name record is hit, so as to ensure that normal DNS messages will not be discarded due to the "first packet discarding mechanism".

由於正常的外網設備具有重發機制,即內網設備在向外網設備發送DNS請求之後,沒有接收到外網設備發送的DNS回應訊息,內網設備會向外網發送DNS Request訊息,在DNS Request訊息的觸發下,正常的外網設備會 重新發送目標DNS回應訊息。當清洗設備再次接收到目標網域名稱時,由於歷史網域名稱記錄中已有目標網域名稱,所以不會再次因為“首包丟棄機制”的原因被再次丟棄,從而保證正常DNS回應訊息不受影響。 Since the normal external network device has a retransmission mechanism, that is, after the internal network device sends a DNS request to the external network device, but does not receive the DNS response message sent by the external network device, the internal network device will send a DNS Request message to the external network. Triggered by the DNS Request message, the normal external network device will resend the target DNS response message. When the cleaning device receives the target domain name again, since the target domain name already exists in the historical domain name record, it will not be discarded again due to the "first packet discarding mechanism", thus ensuring that the normal DNS response message will not Affected.

具有攻擊性的外網設備不具有重發機制,所以針對真實源以不同網域名稱的方式來攻擊內網設備的DNS回應訊息,本申請案可以準確的清洗掉,從而緩解DNS回應攻擊對服務和網路造成的衝擊。 Aggressive external network devices do not have a retransmission mechanism, so this application can accurately clean up the DNS response messages of the real source to attack internal network devices in the form of different network domain names, thereby alleviating the impact of DNS response attacks on services and the impact of the Internet.

Embodiment 2 of the network attack defense method provided by this application is described below. As shown in FIG. 3, the method includes steps S301 to S305:

Step S301: Receive a target DNS response message that an external network device intends to send to an intranet device.

Step S302: If the dynamic whitelist contains the source address of the target DNS response message, determine whether the target DNS response message satisfies a first preset condition, the first preset condition being that the target domain name in the target DNS response message is not contained in the historical domain name record. If the first preset condition is not satisfied, proceed to step S303; if it is satisfied, proceed to step S304.

The specific execution of this step has been described in detail for the embodiment shown in FIG. 2 and is not repeated here.

Step S303: Determine whether the target DNS response message satisfies a second preset condition, the second preset condition being that the interval between a first sending time and a second sending time at which the external network device sent messages for the target domain name is shorter than a preset time interval. Here the first sending time is the sending time of the target DNS response message, and the second sending time is the most recent time before the first sending time at which the external network device sent a DNS response message containing the target domain name. If the second preset condition is satisfied, proceed to step S304; otherwise proceed to step S305.

The second way in which a real source launches a DNS response attack is to send DNS response messages at high frequency using a limited set of domain names or a single domain name. Because the real source sends DNS response messages so frequently, the interval between DNS response messages containing the same domain name is very short in this case. This application therefore sets a preset time interval, for example 1 s, which is the interval that should normally separate two consecutive DNS response messages carrying the same domain name from a normal external network device.

When the historical domain name record does contain the target domain name, the preset condition for judging the target DNS response message further includes: the interval between the first sending time and the second sending time at which the external network device sent messages for the target domain name is shorter than the preset time interval.

When the cleaning device receives the target DNS response message, it takes the current time as the sending time of the target DNS response message, i.e., the first sending time. The cleaning device's historical domain name record stores the most recent sending time of a DNS response message containing the target domain name, i.e., the second sending time.

If the interval between the first sending time and the second sending time is shorter than the preset time interval, the external network device is sending DNS response messages containing the same domain name too frequently; this may be an attack on the intranet device in which the external network device floods it with DNS response messages using a limited set of domain names or a single domain name. The cleaning device therefore discards the target DNS response message to protect the intranet device.

Step S304: Discard the target DNS response message.

Step S305: Forward the target DNS response message to the intranet device.

If the interval between the first sending time and the second sending time is not shorter than the preset time interval, the target DNS response message is, for now, treated as a DNS response message from a normal external network device and is therefore forwarded to the intranet device.
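The following is an added example, not code from the patent or its applicant, that models the two per-source checks of the embodiments of FIG. 2 and FIG. 3 (the first preset condition, i.e. the first packet drop mechanism, and the second preset condition, the same-domain interval test) together with the historical domain name record they share. The class and function names, the choice of 1 s as the preset time interval and the message sequence in `run_sample()` (documentation addresses from 198.51.100.0/24) are assumptions constructed for illustration.

```python
# Added example (not the patent's own code): per-source checks of FIG. 2 / FIG. 3.
# Names, the 1 s interval and the sample message sequence are assumptions.
from dataclasses import dataclass, field

PRESET_INTERVAL = 1.0  # seconds; the description gives 1 s as an example value


@dataclass
class DomainEntry:
    last_sent: float  # most recent sending time of a response carrying this domain
    hits: int = 1     # hit count; set to 1 when the domain is first recorded


@dataclass
class SourceRecord:
    """Historical domain name record kept for one whitelisted source IP."""
    domains: dict = field(default_factory=dict)  # domain name -> DomainEntry


class CleaningDevice:
    def __init__(self, whitelist, interval=PRESET_INTERVAL):
        self.whitelist = set(whitelist)
        self.interval = interval
        self.history = {ip: SourceRecord() for ip in self.whitelist}

    def handle(self, src_ip, domain, now):
        """Decide one DNS response message: 'drop', 'forward', or 'other'
        (source not in the dynamic whitelist, handled by other branches)."""
        if src_ip not in self.whitelist:
            return "other"
        record = self.history[src_ip]
        entry = record.domains.get(domain)
        if entry is None:
            # First preset condition holds: unseen domain -> first packet drop,
            # then remember the domain so that a legitimate resend is accepted.
            record.domains[domain] = DomainEntry(last_sent=now)
            return "drop"
        # Domain hit: bump the hit count, then apply the second preset condition.
        entry.hits += 1
        too_fast = (now - entry.last_sent) < self.interval
        entry.last_sent = now  # becomes the "second sending time" next time
        return "drop" if too_fast else "forward"


def run_sample():
    """Constructed sequence (src_ip, domain, seconds): a normal resolver whose first
    response is dropped and whose resend (after the client re-queries) is forwarded,
    then a real source attacking with changing names and with a repeated name."""
    dev = CleaningDevice(whitelist={"198.51.100.10", "198.51.100.20"})
    messages = [
        ("198.51.100.10", "www.example.com", 0.0),  # normal: first seen -> drop
        ("198.51.100.10", "www.example.com", 2.0),  # resend 2 s later -> forward
        ("198.51.100.20", "r1.example.net", 0.0),   # attack way 1: new name each time
        ("198.51.100.20", "r2.example.net", 0.1),
        ("198.51.100.20", "r3.example.net", 0.2),
        ("198.51.100.20", "r1.example.net", 0.3),   # attack way 2: repeat within 1 s
    ]
    return [dev.handle(*m) for m in messages]


if __name__ == "__main__":
    print(run_sample())
```

The sample makes the cost of the first packet drop mechanism visible: every new (source, domain) pair from a legitimate resolver is delayed by one client retransmission cycle before it is forwarded, which is the trade-off the description accepts in exchange for dropping the changing-name attack outright.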

The IP addresses in the dynamic whitelist used in the embodiments of FIG. 2 and FIG. 3 belong to devices that are only temporarily non-attacking, so the dynamic whitelist must be checked periodically for IP addresses that have since turned into attacking devices, and updated accordingly. This can be done as follows:

A real source in the dynamic whitelist may launch a DNS response attack in a third way: the DNS response messages it sends carry many domain names that change periodically, and the interval between attack messages carrying the same domain name is longer than 1 second. In this case neither of the two preset conditions above can clean out such attacking DNS response messages, so the third way is handled as follows:

Building on the embodiment of FIG. 2 or FIG. 3, the embodiments of this application further include: for the DNS response messages sent by the external network device, after the cleaning device receives a DNS response message it looks up the domain name of that message in the historical domain name record; if the domain name is found there, the domain name is hit and its hit count is increased by 1, each domain name's hit count starting from zero. The historical domain name record thus holds all domain names sent by the external network device together with the total number of times each of them has been hit.

This application sets a preset hit count of at least 3, because under normal circumstances DNS response messages containing the same domain name are sent at most twice. Once the hit count of the DNS response messages for a domain name exceeds the preset hit count, that domain name is being used frequently to send DNS response messages to the intranet device, and it can be regarded as an attack domain name used against the intranet device.

As shown in FIG. 4, on the basis of the embodiment of FIG. 2 or FIG. 3, the cleaning device periodically performs the following steps:

Step S401: Using the historical domain name record corresponding to the source address of the external network device, compute the ratio of the number of domain names whose hit count exceeds the preset count to the total number of domain names, where the historical domain name record contains all domain names in the historical DNS response messages sent by the external network device and the hit count of each.

In the historical domain name record, count the number of domain names whose hit count exceeds the preset count (the first number); this is the number of attack domain names sent by the external network device. Then count the total number of domain names sent by the external network device (the second number). The ratio of the first number to the second number gives the proportion of attack domain names among all domain names sent by the external network device.

Step S402: Determine whether the ratio is greater than a preset ratio; if so, proceed to step S403, otherwise perform other processing.

This application may set a preset ratio, for example 0.5, representing the proportion of attack domain names among all domain names that is tolerated under normal circumstances.

Step S403: Delete the source address of the external network device from the dynamic whitelist.

When the ratio computed in S401 is greater than the preset ratio, the external network device is frequently sending DNS response messages containing attack domain names, i.e., it has turned into an attacking external network device, so its source address is deleted from the dynamic whitelist.

Step S404: Add the source address of the external network device to the dynamic blacklist.

The source addresses of attacking external network devices found in the dynamic whitelist are moved to the dynamic blacklist periodically, so that when such a device sends a DNS response message again, the message is discarded and the intranet device is protected.

The embodiment of FIG. 4 starts from the target domain name in the target DNS response message to decide whether the target DNS response message sent by the external network device is an attack, and updates the dynamic whitelist on that basis. Besides this domain-name-based approach, this application also provides a traffic-based way of updating the dynamic whitelist.

Specifically: when the source address of an external network device sends a DNS response message and that source address is in the dynamic whitelist, the traffic value of this DNS response message is added to the traffic value of the historical DNS response messages, whose initial value is zero. The purpose is to keep a running total of the traffic of the DNS response messages sent by the external network device.

In this case the preset condition further includes: the sum of the traffic value of the target DNS response message and the traffic value of the historical DNS response messages is greater than the preset traffic value, where the historical DNS response messages are all DNS response messages sent by the external network device before the target DNS response message.

This application sets a preset traffic value representing the total traffic a normal external network device sends within a period of time. If the traffic of the DNS response messages sent by an external network device within that period exceeds the preset traffic value, the device is sending DNS response messages too frequently, which indicates that the external network device in the dynamic whitelist has turned into an attacking device. Therefore, when the summed traffic value is greater than the preset traffic value, the source address is deleted from the dynamic whitelist and added to the dynamic blacklist.

For the third attack way of a real source (many domain names in the DNS response messages that change periodically, with more than 1 second between attack messages carrying the same domain name), the embodiments of FIG. 2 or FIG. 3 cannot clean it out in time; but by periodically checking the total traffic sent by the external network device, or by checking whether the proportion of attack domain names whose hit count exceeds the preset count is above the preset ratio, it is possible to determine whether the external network device is an attacking device. If it is, its source address is added to the dynamic blacklist, so that the next DNS response message it sends can be discarded immediately.
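The following is an added example, not code from the patent or its applicant, that implements the two periodic demotion paths just described: the attack-domain ratio of steps S401 to S404 and the accumulated-traffic check of the traffic monitoring table. The preset hit count (3) and preset ratio (0.5) follow the example values in the description; the preset traffic value, the class and method names and the sample records in `run_sample()` are assumptions constructed for illustration.

```python
# Added example (not the patent's own code): moving a whitelisted source to the
# dynamic blacklist by attack-domain ratio (S401-S404) or by accumulated traffic.
# PRESET_TRAFFIC, the names and the sample records are assumptions.
from collections import defaultdict

PRESET_HITS = 3         # a domain is an attack domain once its hit count exceeds this
PRESET_RATIO = 0.5      # demote when attack domains / all domains exceeds this
PRESET_TRAFFIC = 65536  # bytes of DNS responses per review period (assumed value)


class WhitelistMaintainer:
    def __init__(self, whitelist, hits=PRESET_HITS, ratio=PRESET_RATIO,
                 traffic=PRESET_TRAFFIC):
        self.whitelist = set(whitelist)
        self.blacklist = set()
        self.preset_hits, self.preset_ratio, self.preset_traffic = hits, ratio, traffic
        # historical domain name record: ip -> {domain -> hit count}, initial count 0
        self.hits = {ip: defaultdict(int) for ip in self.whitelist}
        # traffic monitoring table: ip -> accumulated bytes, initial value 0
        self.traffic = defaultdict(int)

    def record_hit(self, ip, domain):
        """A response from ip carried a domain already in its record: hit count + 1."""
        self.hits[ip][domain] += 1

    def add_traffic(self, ip, nbytes):
        """Accumulate response traffic; demote as soon as the running total exceeds
        the preset traffic value. Returns True if the source was blacklisted now."""
        self.traffic[ip] += nbytes
        if ip in self.whitelist and self.traffic[ip] > self.preset_traffic:
            self.demote(ip)
            return True
        return False

    def attack_ratio(self, ip):
        """S401: (domains with hit count > preset count) / (all domains in the record)."""
        record = self.hits.get(ip, {})
        if not record:
            return 0.0
        attack = sum(1 for n in record.values() if n > self.preset_hits)
        return attack / len(record)

    def review(self):
        """S402 to S404, run periodically: demote every source whose ratio exceeds
        the preset ratio. Returns the list of demoted addresses."""
        demoted = [ip for ip in sorted(self.whitelist)
                   if self.attack_ratio(ip) > self.preset_ratio]
        for ip in demoted:
            self.demote(ip)
        return demoted

    def demote(self, ip):
        """S403/S404: delete from the dynamic whitelist, add to the dynamic blacklist."""
        self.whitelist.discard(ip)
        self.blacklist.add(ip)


def run_sample():
    """Constructed records: .1 cycles through a few names repeatedly (attack way 3),
    .2 behaves like a normal resolver (no name seen more than twice), .3 is loud in bytes."""
    m = WhitelistMaintainer(whitelist={"198.51.100.1", "198.51.100.2", "198.51.100.3"})
    for domain, n in (("p1.example.net", 5), ("p2.example.net", 4), ("p3.example.net", 1)):
        for _ in range(n):
            m.record_hit("198.51.100.1", domain)
    for domain, n in (("www.example.com", 1), ("mail.example.com", 2), ("ftp.example.com", 1)):
        for _ in range(n):
            m.record_hit("198.51.100.2", domain)
    for _ in range(12):
        m.add_traffic("198.51.100.3", 8000)  # 96000 bytes > PRESET_TRAFFIC
    demoted_by_ratio = m.review()
    return demoted_by_ratio, sorted(m.whitelist), sorted(m.blacklist)


if __name__ == "__main__":
    print(run_sample())
```

Note that the ratio is computed over the domains already present in a source's record, so a source that has only ever sent fresh names (and has been handled by the first packet drop) contributes a ratio of zero and is left to the traffic check.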

Embodiment 3 of the network attack defense method provided by this application is described below. As shown in FIG. 5, the method includes steps S501 to S517:

Step S501: Receive a target DNS response message that an external network device intends to send to an intranet device.

Step S502: Determine whether the dynamic blacklist contains the source address of the target DNS response message; if yes, proceed to step S512; if not, proceed to step S503.

After the cleaning device receives a DNS response message from an external network device, it looks up, by the destination address (IP address) of the message, whether the intranet device at that destination address is in a defense state. If the intranet device is in the defense state, the procedure of this embodiment is executed.

The dynamic blacklist stores the source addresses of attacking external network devices, so when the source address of the external network device hits the dynamic blacklist, the target DNS response message is determined to be an attack message and is discarded.

Step S503: Determine whether the dynamic whitelist contains the source address of the target DNS response message; if yes, proceed to step S508 and step S514; otherwise proceed to step S504.

Step S504: Send a DNS Request message containing a special domain name to the external network device as a probe message.

The cleaning device constructs a DNS Request message and sends it to the external network device as a probe. The domain name in the DNS Request message can be derived by hashing the five-tuple and the domain name of the target DNS response message, and it is ensured that the constructed domain name is one that does not exist in the live network.

Step S505: The cleaning device determines whether it has received from the external network device a DNS response message containing the special domain name; if yes, proceed to step S506, otherwise proceed to step S507.

When the cleaning device receives a further DNS response message from the external network device, it checks whether the domain name in that message is the one constructed in step S504. A normal external network device, on receiving the DNS Request message, carries its domain name in the DNS response message generated for that request. So if the DNS response message received again contains the special domain name, the external network device is a normal external network device; otherwise it is an attacking external network device.

Step S506: Add the IP address of the external network device to the dynamic whitelist, and build a historical domain name record and a traffic monitoring table for that IP address.

Step S507: Add the IP address of the external network device to the dynamic blacklist.

Step S508: Determine whether the target DNS response message satisfies the first preset condition, namely that the target domain name in the target DNS response message is not contained in the historical domain name record. If the first preset condition is not satisfied, proceed to step S509; if it is satisfied, proceed to step S511.

Step S509: Increase by 1 the hit count, in the historical domain name record, of the target domain name of the target DNS response message.

Step S510: Determine whether the target DNS response message satisfies the second preset condition, namely that the interval between the first sending time and the second sending time at which the external network device sent messages for the target domain name is shorter than the preset time interval. If the second preset condition is satisfied, proceed to step S512; otherwise proceed to step S513.

Step S511: Add the target domain name, and the sending time of the message containing it, to the historical domain name record of the external network device, and set the hit count of the target domain name to 1.

Step S512: Discard the target DNS response message.

Step S513: Forward the target DNS response message to the intranet device.

Step S514: Add the traffic value of the target DNS response message to the traffic monitoring table.

Step S515: If the traffic value in the traffic monitoring table is greater than the preset traffic value, delete the source address of the external network device from the dynamic whitelist and add it to the dynamic blacklist.

Step S516: Periodically compute the ratio of the number of domain names whose hit count exceeds the preset count to the total number of domain names.

Step S517: If the ratio is greater than the preset ratio, delete the source address of the external network device from the dynamic whitelist and add it to the dynamic blacklist.

With the embodiment of FIG. 5, every type of DNS response attack can be filtered:

DNS response attacks from fake sources are filtered out by the dynamic whitelist check of step S503; the first way of real-source DNS response attack (the domain name in the attack messages changes randomly) is filtered out by step S508 (the domain name first packet drop mechanism); the second way (a limited or fixed set of domain names, with less than 1 second between attack messages carrying the same domain name) is filtered out by the judgment of step S510; and the third way (many domain names that change periodically, with more than 1 second between attack messages carrying the same domain name) is filtered out by steps S515 to S517.

This application can therefore filter all types of DNS response attacks and mitigate the impact of DNS response attacks on services and the network.
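The following is an added example, not code from the patent or its applicant, of the probe exchange in steps S504 and S505: it derives the special domain name from the five-tuple and domain name of the target DNS response message, builds the DNS Request on the wire, and checks whether a reply echoes that name. The description only requires "a certain hash method" and a name that does not exist in the live network; the use of SHA-256, the reserved `invalid` top-level domain (RFC 2606) to guarantee non-existence, the additional transaction-ID comparison, the function names and the constructed sample messages are all assumptions made here.

```python
# Added example (not the patent's own code): probe name derivation (S504) and reply
# check (S505) with a small DNS wire-format encoder/parser. SHA-256, the "invalid"
# TLD, the txid comparison and the sample messages are assumptions.
import hashlib
import struct

PROBE_TLD = "invalid"  # reserved by RFC 2606, so the probe name can never resolve


def probe_name(five_tuple, domain):
    """Special domain name derived from the target response's five-tuple
    (src_ip, src_port, dst_ip, dst_port, proto) and its domain name."""
    material = "|".join(str(f) for f in five_tuple) + "|" + domain.lower()
    digest = hashlib.sha256(material.encode("ascii")).hexdigest()
    return f"{digest[:16]}.{digest[16:32]}.{PROBE_TLD}"


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return bytes(out) + b"\x00"


def build_query(txid, name, qtype=1):
    """DNS Request: header with RD set and a single question (QTYPE A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return (txid, question name, rcode) of a DNS response, or raise on a malformed one."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if qdcount < 1:
        raise ValueError("response carries no question section")
    qname, _ = decode_name(msg, 12)
    return txid, qname, flags & 0x000F


def probe_answered(txid, expected_name, reply):
    """Step S505: the source is a real resolver only if its reply carries the probe
    name (an NXDOMAIN reply is expected, since the name is built not to exist)."""
    try:
        rtxid, qname, _ = parse_response(reply)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False
    return rtxid == txid and qname.lower() == expected_name.lower()


def nxdomain_reply(query):
    """Constructed behaviour of a normal resolver: echo the question with QR|RD|RA set
    and RCODE 3 (NXDOMAIN)."""
    return query[:2] + struct.pack("!H", 0x8183) + query[4:]


def run_sample():
    five_tuple = ("198.51.100.53", 53, "192.0.2.10", 40123, "udp")
    name = probe_name(five_tuple, "www.example.com")
    query = build_query(0x2A5C, name)
    normal = nxdomain_reply(query)  # a real source answers the probe
    # an attacker just keeps flooding responses for its own name
    unrelated = nxdomain_reply(build_query(0x2A5C, "www.example.com"))
    return name, probe_answered(0x2A5C, name, normal), probe_answered(0x2A5C, name, unrelated)


if __name__ == "__main__":
    print(run_sample())
```

The probe settles the fake-source question because a spoofed source address never receives the DNS Request and so cannot echo the special name; a real source that ignores the probe is treated the same way and lands on the dynamic blacklist (step S507).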

與本申請案提供的一種網路攻擊的防禦方法相對應,本申請案還提供了一種網路攻擊的防禦裝置。如圖6所示,本裝置包括:接收單元61,用於接收外網設備旨在向內網設備發送的目標DNS回應訊息;判斷單元62,用於在動態白名單包含所述目標DNS回應訊息中的源位址的情況下,判斷所述目標DNS回應訊息是否滿足預設條件;第一丟棄單元63,用於若所述目標DNS回應訊息滿足預設條件,則丟棄所述目標DNS回應訊息; 其中,所述預設條件至少包括:所述目標DNS回應訊息中的目標網域名稱不包含在歷史網域名稱記錄中,所述歷史網域名稱記錄中的每個歷史網域名稱均從所述外網設備所發送的歷史DNS回應訊息中提取。 Corresponding to the network attack defense method provided in the present application, the present application also provides a network attack defense device. As shown in FIG. 6 , the device includes: a receiving unit 61 for receiving a target DNS response message sent by an external network device to an internal network device; a judging unit 62 for including the target DNS response message in a dynamic whitelist In the case of the source address, determine whether the target DNS response message meets a preset condition; the first discarding unit 63 is configured to discard the target DNS response message if the target DNS response message meets a preset condition ; Wherein, the preset condition at least includes: the target domain name in the target DNS response message is not included in the historical domain name record, and each historical domain name in the historical domain name record is from Extracted from historical DNS response messages sent by the external network device.

所述預設條件還包括:所述外網設備發起訪問所述目標網域名稱的第一發送時間與第二發送時間的時間間隔小於預設時間間隔。其中,所述第一發送時間為所述目標DNS回應訊息的發送時間,所述第二發送時間為所述外網設備在所述第一發送時間之前最近一次發送包含所述目標網域名稱的DNS回應訊息的時間。 The preset condition further includes: the time interval between the first sending time and the second sending time when the external network device initiates access to the target network domain name is less than a preset time interval. Wherein, the first sending time is the sending time of the target DNS response message, and the second sending time is the latest sending time of the external network device including the target domain name before the first sending time. The time for the DNS to respond to the message.

所述預設條件還包括:所述目標DNS回應訊息的流量值及歷史DNS回應訊息的流量值的總和流量值大於所述預設流量值;其中,所述歷史DNS回應訊息為所述外網設備在發送目標DNS回應訊息之前所發送的所有DNS回應訊息。 The preset condition also includes: the total flow value of the traffic value of the target DNS response message and the traffic value of the historical DNS response message is greater than the preset traffic value; wherein, the historical DNS response message is the external network All DNS response messages sent by the device before sending the target DNS response message.

如圖7所示,本申請案還提供的一種網路攻擊的防禦裝置,還包括: 轉發單元64,用於在所述時間間隔不小於預設時間間隔情況下,將所述目標DNS回應訊息轉發給所述內網設備。 As shown in FIG. 7 , the present application also provides a network attack defense device, which further includes: a forwarding unit 64, configured to send the target DNS response message when the time interval is not less than a preset time interval forwarded to the intranet device.

儲存單元65,用於若所述目標DNS回應訊息中的目標網域名稱不包含在歷史網域名稱記錄中,則將所述目標網域名稱和所述目標DNS回應訊息的發送時間,儲存在所述歷史網域名稱記錄中。 a storage unit 65, configured to store the target domain name and the sending time of the target DNS response message in the The historical domain name records.

比值計算單元66,用於依據與所述外網設備的源位址對應的所述歷史網域名稱記錄,計算命中次數超過預設次數的網域名稱數量與所有網域名稱數量的比值;其中,所述歷史網域名稱記錄中包含所述外網設備所發送的歷史DNS回應訊息中所有網域名稱以及每個網域名稱的命中次數;第一刪除單元67,用於若所述比值大於預設比值,則刪除所述動態白名單中的所述外網設備的源位址;第一添加單元68,用於將所述外網設備的源位址添加至動態黑名單中。 The ratio calculation unit 66 is configured to calculate the ratio of the number of domain names whose number of hits exceeds a preset number of times to the number of all domain names according to the historical domain name records corresponding to the source address of the external network device; wherein , the historical domain name record includes all domain names and the number of hits of each domain name in the historical DNS response message sent by the external network device; the first deletion unit 67 is configured to if the ratio is greater than If the ratio is preset, the source address of the external network device in the dynamic whitelist is deleted; the first adding unit 68 is configured to add the source address of the external network device to the dynamic blacklist.

命中次數計算單元69,用於在一個DNS回應訊息被丟棄之後,在所述歷史網域名稱記錄中查找該DNS回應訊息中的網域名稱;將所述網域名稱的命中次數增加1;其中,每個網域名稱的命中次數的初始值為零。 The number of hits calculation unit 69 is used to search the historical domain name record for the domain name in the DNS response message after a DNS response message is discarded; increase the number of hits of the domain name by 1; wherein , with an initial value of zero hits for each domain name.

由以上內容可以看出,本申請案具有以下有益效果: As can be seen from the above, the application has the following beneficial effects:

本申請案實施例在確認目標DNS回應訊息中源位址在動態白名單內後,即可確認發起目標DNS回應訊息的外網設備非虛假源而是真實源。真實源發起DNS回應攻擊的一種方式為,頻繁發送包含不同網域名稱的DNS回應訊息來攻擊內網設備。因此本申請案中設有一個歷史網域名稱記錄,其中記錄有外網設備所發送的所有網域名稱。 In the embodiment of this application, after confirming that the source address in the target DNS response message is in the dynamic whitelist, it can be confirmed that the external network device that initiated the target DNS response message is not a false source but a real source. One way for the real source to initiate DNS response attacks is to frequently send DNS response messages containing different domain names to attack intranet devices. Therefore, there is a historical domain name record in this application, which records all domain names sent by external network devices.

當目標DNS回應訊息中的目標網域名稱不包含在歷史網域名稱記錄中時,則表明外網設備為首次發送包含目 標網域名稱的DNS回應訊息。在此情況下,目標DNS回應訊息可能是由外網設備以不同網域名稱方式發起DNS回應攻擊,為了避免內網設備遭受攻擊,此時丟棄所述目標DNS回應訊息。 When the target domain name in the target DNS response message is not included in the historical domain name record, it indicates that the external network device is sending a DNS response message containing the target domain name for the first time. In this case, the target DNS response message may be a DNS response attack initiated by an external network device using a different domain name. In order to prevent the internal network device from being attacked, the target DNS response message is discarded at this time.

Because a legitimate external network device has an automatic retransmission mechanism, it resends the target DNS response message after the first copy is discarded, so legitimate DNS response messages still reach the internal network device. An attacking external network device has no such retransmission mechanism. This application can therefore filter out the DNS response messages with which a real source attacks the internal network device by varying the domain name, mitigating the impact of DNS response attacks on services and the network.

As shown in FIG. 8, the network attack defense device provided by this application further includes: a traffic calculation unit 71, configured, after the source address of the external network device sends a DNS response message, to add the traffic value of that DNS response message to the traffic value of the historical DNS response messages, where the initial traffic value of the historical DNS response messages is zero.

A second deletion unit 72, configured to delete the source address from the dynamic whitelist when the summed traffic value is greater than the preset traffic value; and a second adding unit 73, configured to add the source address to the dynamic blacklist.

A second discarding unit 74, configured to discard the target DNS response message when the dynamic blacklist contains the source address in the target DNS response message.

Referring to FIG. 1, this application provides a network attack defense system including an external network device 100, a routing device 200, a cleaning device 400 and an internal network device 300. The external network device 100 is configured to send to the cleaning device 400 a target DNS response message intended for the internal network device 300.

The cleaning device 400 is configured to receive the target DNS response message that the external network device intends to send to the internal network device; when the dynamic whitelist contains the source address in the target DNS response message, to judge whether the target DNS response message satisfies a preset condition; and, if it does, to discard the target DNS response message. The preset condition at least includes that the target domain name in the target DNS response message is not contained in the historical domain name record, each historical domain name in that record having been extracted from historical DNS response messages sent by the external network device. The internal network device 300 is configured to receive the DNS response messages cleaned by the cleaning device.
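The cleaning device's decision path described above (whitelist and blacklist checks, traffic summation, first-seen domain discard, the time-interval test of claim 1, hit counting on discard as in unit 69, and the hit-ratio blacklisting of unit 66), written out as an added Python example that is not code from the application. The threshold values, the action labels returned by `handle`, and the sample traffic built in `demo()` (RFC 5737 documentation addresses) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set

@dataclass
class DnsResponse:
    """One DNS response message as seen by the cleaning device (constructed fields)."""
    src_addr: str     # source address of the external network device
    domain: str       # target domain name carried by the response
    send_time: float  # sending time, in seconds
    size: int         # the message's traffic value, in bytes

@dataclass
class DomainRecord:
    """Entry in the historical domain name record kept per source address."""
    last_sent: float  # most recent sending time of a response carrying this domain
    hits: int = 0     # hit count: starts at zero, +1 each time such a response is discarded

class DnsResponseScrubber:
    """Decision logic of the cleaning device. The threshold values are hypothetical:
    the application defines the comparisons but gives no numbers."""

    def __init__(self, min_interval: float, hit_threshold: int,
                 max_ratio: float, max_traffic: int) -> None:
        self.min_interval = min_interval    # preset time interval
        self.hit_threshold = hit_threshold  # preset number of hits (claims: not less than 3)
        self.max_ratio = max_ratio          # preset ratio
        self.max_traffic = max_traffic      # preset traffic value
        self.whitelist: Set[str] = set()    # dynamic whitelist of verified real sources
        self.blacklist: Set[str] = set()    # dynamic blacklist
        self.history: Dict[str, Dict[str, DomainRecord]] = {}  # src -> domain -> record
        self.traffic: Dict[str, int] = {}   # src -> summed traffic of its past responses

    def _blacklist(self, src: str) -> None:
        # Deletion and adding units: move the source from the whitelist to the blacklist.
        self.whitelist.discard(src)
        self.blacklist.add(src)

    def _note_discard(self, src: str, domain: str) -> None:
        # Hit count unit 69: after a discard, find the domain in the record and add 1.
        records = self.history[src]
        records[domain].hits += 1
        # Ratio unit 66: share of domains whose hit count exceeds the preset number.
        over = sum(1 for r in records.values() if r.hits > self.hit_threshold)
        if over / len(records) > self.max_ratio:
            self._blacklist(src)

    def handle(self, msg: DnsResponse) -> str:
        """Return the action taken for msg: 'forward', 'unverified' or 'drop:<reason>'."""
        src = msg.src_addr
        if src in self.blacklist:          # second discarding unit 74
            return "drop:blacklist"
        if src not in self.whitelist:      # whitelist admission is outside this excerpt
            return "unverified"
        # Traffic unit 71: add this message's traffic to the source's running total.
        self.traffic[src] = self.traffic.get(src, 0) + msg.size
        if self.traffic[src] > self.max_traffic:
            self._blacklist(src)
            return "drop:traffic"
        records = self.history.setdefault(src, {})
        rec = records.get(msg.domain)
        if rec is None:
            # First response carrying this domain from this source: record it, then drop it.
            # A genuine resolver retransmits, and the retransmission is forwarded below.
            records[msg.domain] = DomainRecord(last_sent=msg.send_time)
            self._note_discard(src, msg.domain)
            return "drop:new_domain"
        interval = msg.send_time - rec.last_sent
        rec.last_sent = msg.send_time
        if interval < self.min_interval:
            # Known domain repeated sooner than the preset interval (claim 1): drop.
            self._note_discard(src, msg.domain)
            return "drop:burst"
        return "forward"                   # forwarding unit (claim 2)

def demo() -> Dict[str, str]:
    """Constructed traffic from two whitelisted sources (RFC 5737 documentation addresses)."""
    s = DnsResponseScrubber(min_interval=1.0, hit_threshold=3, max_ratio=0.4, max_traffic=10_000)
    s.whitelist.update({"198.51.100.7", "203.0.113.5"})
    out: Dict[str, str] = {}
    # Genuine resolver: the first response is dropped, the retransmission 2 s later is forwarded.
    out["first"] = s.handle(DnsResponse("198.51.100.7", "example.com", 0.0, 120))
    out["retransmit"] = s.handle(DnsResponse("198.51.100.7", "example.com", 2.0, 120))
    # The same source then repeats one domain every 0.1 s: four discards push its hit count
    # above 3, the ratio becomes 1/2 > 0.4, and the source is moved to the blacklist.
    for i in range(4):
        out["burst"] = s.handle(DnsResponse("198.51.100.7", "evil.test", 10.0 + 0.1 * i, 120))
    out["after_ban"] = s.handle(DnsResponse("198.51.100.7", "example.com", 20.0, 120))
    # The second source exceeds the preset traffic value with its second message.
    s.handle(DnsResponse("203.0.113.5", "example.org", 0.0, 6_000))
    out["traffic"] = s.handle(DnsResponse("203.0.113.5", "example.org", 2.0, 6_000))
    return out
```

Note that claim 5 counts a hit on every received message, whereas unit 69 above counts only discarded ones; the example follows unit 69.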

This system has the following beneficial effects:

In the embodiments of this application, once the source address in the target DNS response message is confirmed to be in the dynamic whitelist, the external network device that sent the target DNS response message is confirmed to be a real source rather than a spoofed one. One way a real source mounts a DNS response attack is to send DNS response messages carrying different domain names at a high rate at the internal network device. This application therefore keeps a historical domain name record, in which all domain names sent by the external network device are recorded.

When the target domain name in the target DNS response message is not contained in the historical domain name record, this is the first time the external network device has sent a DNS response message carrying that domain name. In this case the target DNS response message may be part of a DNS response attack in which the external network device varies the domain name, so the target DNS response message is discarded to protect the internal network device.

Because a legitimate external network device has an automatic retransmission mechanism, it resends the target DNS response message after the first copy is discarded, so legitimate DNS response messages still reach the internal network device. An attacking external network device has no such retransmission mechanism. This application can therefore filter out the DNS response messages with which a real source attacks the internal network device by varying the domain name, mitigating the impact of DNS response attacks on services and the network.

If the functions described in the method of this embodiment are implemented as software functional units and sold or used as an independent product, they may be stored in a storage medium readable by a computing device. On this understanding, the part of the embodiments of this application that contributes over the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computing device (which may be a personal computer, a server, a mobile computing device, a network device, etc.) to execute all or some of the steps of the methods described in the embodiments of this application. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments may be referred to one another.

The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Accordingly, this application is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (19)

1. A method for defending against a network attack, comprising: receiving a target DNS response message that an external network device intends to send to an internal network device; when a dynamic whitelist contains the source address in the target DNS response message, judging whether the target DNS response message satisfies a preset condition; and if the target DNS response message satisfies the preset condition, discarding the target DNS response message; wherein the preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in the historical domain name record being extracted from historical DNS response messages sent by the external network device; and the time interval between a first sending time and a second sending time at which the external network device initiates access to the target domain name is less than a preset time interval, wherein the first sending time is the sending time of the target DNS response message and the second sending time is the most recent time before the first sending time at which the external network device sent a DNS response message containing the target domain name.

2. The method of claim 1, further comprising: when the time interval is not less than the preset time interval, forwarding the target DNS response message to the internal network device.

3. The method of claim 1, further comprising: if the target domain name in the target DNS response message is not contained in the historical domain name record, storing the target domain name and the sending time of the target DNS response message in the historical domain name record.

4. The method of claim 3, further comprising: calculating, from the historical domain name record corresponding to the source address of the external network device, the ratio of the number of domain names whose hit count exceeds a preset number to the total number of domain names, wherein the historical domain name record contains all domain names in the historical DNS response messages sent by the external network device and the hit count of each domain name, and the preset number is a natural number not less than 3; if the ratio is greater than a preset ratio, deleting the source address of the external network device from the dynamic whitelist; and adding the source address of the external network device to a dynamic blacklist.

5. The method of claim 4, wherein the hit count of each domain name in the historical domain name record is calculated by: after a DNS response message is received, looking up the domain name of that DNS response message in the historical domain name record and increasing the hit count of that domain name by 1, wherein the initial hit count of each domain name is zero.

6. The method of claim 1, wherein the preset condition further includes: the summed traffic value of the traffic value of the target DNS response message and the traffic value of historical DNS response messages is greater than a preset traffic value, wherein the historical DNS response messages are all DNS response messages sent by the external network device before it sent the target DNS response message.

7. The method of claim 6, further comprising: when the summed traffic value is greater than the preset traffic value, deleting the source address from the dynamic whitelist; and adding the source address to a dynamic blacklist.

8. The method of claim 7, wherein the traffic value of the historical DNS response messages is calculated by: after the source address of the external network device sends a DNS response message, adding the traffic value of that DNS response message to the traffic value of the historical DNS response messages, the initial traffic value of the historical DNS response messages being zero.

9. The method of any one of claims 1 to 7, further comprising: when a dynamic blacklist contains the source address in the target DNS response message, discarding the target DNS response message.

10. A device for defending against a network attack, comprising: a receiving unit, configured to receive a target DNS response message that an external network device intends to send to an internal network device; a judging unit, configured to judge, when a dynamic whitelist contains the source address in the target DNS response message, whether the target DNS response message satisfies a preset condition; and a first discarding unit, configured to discard the target DNS response message if it satisfies the preset condition; wherein the preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in the historical domain name record being extracted from historical DNS response messages sent by the external network device; and the time interval between a first sending time and a second sending time at which the external network device initiates access to the target domain name is less than a preset time interval, wherein the first sending time is the sending time of the target DNS response message and the second sending time is the most recent time before the first sending time at which the external network device sent a DNS response message containing the target domain name.

11. The device of claim 10, further comprising: a forwarding unit, configured to forward the target DNS response message to the internal network device when the time interval is not less than the preset time interval.

12. The device of claim 10, further comprising: a storage unit, configured to store the target domain name and the sending time of the target DNS response message in the historical domain name record if the target domain name in the target DNS response message is not contained in the historical domain name record.

13. The device of claim 12, further comprising: a ratio calculation unit, configured to calculate, from the historical domain name record corresponding to the source address of the external network device, the ratio of the number of domain names whose hit count exceeds a preset number to the total number of domain names, wherein the historical domain name record contains all domain names in the historical DNS response messages sent by the external network device and the hit count of each domain name, and the preset number is a natural number not less than 3; a first deletion unit, configured to delete the source address of the external network device from the dynamic whitelist if the ratio is greater than a preset ratio; and a first adding unit, configured to add the source address of the external network device to a dynamic blacklist.

14. The device of claim 13, further comprising: a hit count calculation unit, configured, after a DNS response message is received, to look up the domain name of that DNS response message in the historical domain name record and increase the hit count of that domain name by 1, wherein the initial hit count of each domain name is zero.

15. The device of claim 10, wherein the preset condition further includes: the summed traffic value of the traffic value of the target DNS response message and the traffic value of historical DNS response messages is greater than a preset traffic value, wherein the historical DNS response messages are all DNS response messages sent by the external network device before it sent the target DNS response message.

16. The device of claim 15, further comprising: a second deletion unit, configured to delete the source address from the dynamic whitelist when the summed traffic value is greater than the preset traffic value; and a second adding unit, configured to add the source address to a dynamic blacklist.

17. The device of claim 16, further comprising: a traffic calculation unit, configured, after the source address of the external network device sends a DNS response message, to add the traffic value of that DNS response message to the traffic value of the historical DNS response messages, the initial traffic value of the historical DNS response messages being zero.

18. The device of any one of claims 11 to 16, further comprising: a second discarding unit, configured to discard the target DNS response message when a dynamic blacklist contains the source address in the target DNS response message.

19. A system for defending against a network attack, comprising an external network device, a cleaning device and an internal network device; the external network device being configured to send to the cleaning device a target DNS response message intended for the internal network device; the cleaning device being configured to receive the target DNS response message that the external network device intends to send to the internal network device, to judge, when a dynamic whitelist contains the source address in the target DNS response message, whether the target DNS response message satisfies a preset condition, and to discard the target DNS response message if it satisfies the preset condition, wherein the preset condition at least includes: the target domain name in the target DNS response message is not contained in a historical domain name record, each historical domain name in the historical domain name record being extracted from historical DNS response messages sent by the external network device; and the time interval between a first sending time and a second sending time at which the external network device initiates access to the target domain name is less than a preset time interval, wherein the first sending time is the sending time of the target DNS response message and the second sending time is the most recent time before the first sending time at which the external network device sent a DNS response message containing the target domain name; and the internal network device being configured to receive the DNS response messages cleaned by the cleaning device.
Application TW106101921A, priority date 2017-01-19, filing date 2017-01-19: Defense method, device and system for network attack (TWI787168B)

Publications (2)

Publication Number Publication Date
TW201828140A 2018-08-01
TWI787168B 2022-12-21
