WO2014048746A1 - Device, system and method for reducing attacks on dns - Google Patents
- Publication number: WO2014048746A1 (application PCT/EP2013/068804)
- Authority: WO (WIPO (PCT))
- Prior art keywords: request, certificate, name server, resent, recursive name
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/45—Network directories; Name-to-address mapping
          - H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
            - H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Definitions
- the request processing unit is used for determining whether the certificate carried in the resent first request is correct, and if it is correct, forwarding the resent first request to the local recursive name server, otherwise discarding the resent first request.
- a device for reducing attacks on a DNS is adapted to be located on the client side of a DNS system.
- the device comprises a request sending unit, a certificate receiving unit and a request retransmission unit.
- the request sending unit is used for sending a first request which carries no certificate to a local recursive name server.
- the certificate receiving unit is used for receiving a certificate generated for the first request by the local recursive name server.
- the request retransmission unit is used for carrying the certificate in the first request, and resending the first request carrying the certificate to the local recursive name server.
- a system for reducing attacks on a DNS comprises a resolver and a local recursive name server, and further comprises a client side detection device and a server side detection device, wherein: the client side detection device is used for transparently transmitting a first request issued by the resolver to the local recursive name server;
- the server side detection device is used for receiving the first request sent by the client side detection device, and if the first request carries no certificate, generating a certificate, storing it, and sending it to the source IP address which sent the first request;
- the client side detection device is further used for receiving the certificate, inserting the certificate in a first request, and resending that first request with the certificate carried therein to the local recursive name server;
- the server side detection device is further used for receiving the first request resent by the client side detection device, and if the resent first request carries the correct certificate, forwarding it to the local recursive name server; if the resent first request carries the wrong certificate, discarding it.
- Fig. 1 is a schematic diagram of the main component parts of a DNS system.
- Fig. 2 is a schematic diagram of one example of a DNS system and the RR query processing procedure.
- Fig. 3 is a structural diagram of a device for reducing attacks on a DNS in embodiment 1 of the present invention.
- Fig. 4 is a structural diagram of a device for reducing attacks on a DNS in embodiment 2 of the present invention.
- Fig. 5 is a structural diagram of a system for reducing attacks on a DNS in embodiment 3 of the present invention.
- Fig. 6 is a structural diagram of a system for reducing attacks on a DNS in embodiment 4 of the present invention.
- Fig. 7 is a flow chart of a method for reducing attacks on a DNS in embodiment 5 of the present invention.
- a certificate can be sent from the local recursive name server side to the client at the source IP address which sent a request, a request carrying a certificate can be generated at the client side, and a judgment can be performed on the certificate carried in the request at the local recursive name server side. If the request carries the correct certificate, the request is processed further; if the request carries the wrong certificate, the request is discarded.
- Fig. 1 is a schematic diagram of a DNS system.
- a DNS system generally comprises a resolver, a local recursive name server and an authoritative name server.
- the local recursive name server and authoritative name server logically constitute most or all of the domain name service, and so can be referred to separately or together as name servers (NS).
- the resolver can obtain information for responding to client requests from the name servers.
- the resolver can access at least one local recursive name server, and use information therefrom to respond directly to a query request sent by a client.
- the resolver can transfer the query request sent by the client to an authoritative name server via the local recursive name server for recursive querying to be performed.
- if the local recursive name server can find a record corresponding to a query request in its local cache, it sends a response to the resolver directly; if there is no corresponding record in its cache, the local recursive name server starts a recursive query and transfers the query request to an authoritative name server, which sends a response to the resolver.
- the resolver may be a program which can be directly accessed by a user program of a client, and is preferably a system program.
- the user program can call the resolver directly, so in general no specific dialogue protocol between the resolver and the user program is needed.
- a local recursive name server (LRS) has two main functions. Firstly, it serves recursive querying: when an LRS wishes to respond to a query request, it responds directly if it is able to; if it is unable to respond directly, it sends one or more iterative requests to multiple authoritative name servers (ANS) to perform the recursive query. Secondly, the LRS caches answers returned by an authoritative name server, and only enquires of an authoritative name server when its cache does not contain an answer.
- authoritative name servers (ANS) are a type of database which
- An authoritative name server generally stores information related to domain tree structures and tree structure setup information.
- authoritative name server caches information about the
- one specific authoritative name server stores complete information about one specific subset of a domain space, together with pointers which point to other name servers for the purpose of obtaining information from other parts of the domain tree. As the authoritative name server knows
- the authoritative name server is authoritative with regard to these parts.
- RRs are resource records in an ANS database, and may include many types such as A records, NS records, MX records, etc.
- Fig. 2 is a procedure for processing a resource record request in a DNS system.
- Fig. 2 shows the example of three authoritative name servers, which are a root ANS, a com domain ANS and an ms.com domain ANS.
- the resolver wishes to resolve the address www.ms.com at the request of an application program at the client end.
- the resolver sends a query request to the local recursive name server by means of message 1;
- the local recursive name server sends the query request to the root ANS by means of message 2;
- the root ANS uses a name server (NS) record and address (A) record, and returns the name and IP address of the com domain ANS in message 3;
- the local recursive name server makes an enquiry of the com domain ANS by means of message 4;
- the com domain ANS returns the name and IP address of the ms.com domain ANS in message 5;
- the local recursive name server sends the query request to the ms.com domain ANS by means of message 6;
- the ms.com domain ANS returns the IP address of www.ms.com in message 7; and
- the local recursive name server returns the IP address of www.ms.com to the resolver.
- the root ANS and com domain ANS only provide referral information, i.e. the NS record and A record of the authoritative name server of the domain at the next level down, whereas the ms.com domain ANS provides the final authoritative answer.
- Embodiment 1. Fig. 3 is a structural diagram of a device for reducing attacks on a DNS in embodiment 1 of the present invention.
- the device is located on the local recursive name server side of the DNS system. It can be seen from Fig. 3 that the device comprises a request receiving unit 301, a certificate generating unit 302 and a request processing unit 303.
- the request receiving unit 301 receives a request sent by the resolver of the client, forwards a request carrying a certificate to the request processing unit 303, and forwards a request carrying no certificate to the certificate generating unit 302; the certificate generating unit 302 generates a certificate for the request carrying no certificate, sends the certificate to the source IP address of the request, and stores the certificate generated; the request processing unit 303 determines whether the certificate carried in a received request is correct on the basis of the locally stored certificate, and then forwards requests carrying correct certificates to the local recursive name server while discarding requests which carry wrong certificates.
- the certificate generating unit 302 can employ various methods of generating certificates for requests; for instance, it can generate a certificate for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers.
- the identifier of the requesting party may specifically include the IP address or Email address of the requesting party, etc.
- the certificate may be generated on the basis of the attributes of the request content itself, e.g. when the request content is a URL, the URL can be used as a certificate.
- in the case where a certificate is generated on the basis of an identifier of the data packet carrying the request, the identifier of the data packet carrying the request may specifically include the ID number or sequence number of the data packet, etc.
- one or more random numbers can be determined on the basis of various random algorithms, to serve as a certificate.
- the certificate may specifically take the form of a token.
- the request processing unit 303 may also record the number of requests directed at one and the same resource record corresponding to a query failure response; when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a preset threshold (here referred to as the first threshold) within a predetermined time, the request processing unit 303 discards subsequent incoming requests directed at that resource record.
- the local recursive name server will receive a query failure message returned by a name server, and when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a certain level, i.e. the first threshold, this indicates that it is very likely that an attack has occurred, with the attacker attacking the DNS using query requests directed at a non-existent resource record.
- the request processing unit 303 may also record the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches a preset threshold, i.e. reaches a second threshold, within a predetermined time, the request processing unit 303 discards subsequent requests sent by that source IP address.
- the second threshold is the maximum permitted number of requests which can be sent by the same source IP address within a given period of time, recorded by the request processing unit 303 itself.
- a large number of requests being sent by one source IP address is very likely to be the activity of an attacker.
- a large number of requests will cause network congestion; in particular, more severe congestion is more likely to result when the local recursive name server needs to make an enquiry of an authoritative name server.
- the source IP address sending the requests is blocked, i.e. subsequent requests sent by the source IP address are discarded, and the entry of further attacks into the network system can be prevented.
- the setting of a first threshold to control requests directed at one and the same resource record, and the setting of a second threshold to control the sending of a large number of requests by one source IP address, as described above, may be realized separately or simultaneously in the request processing unit 303.
- the setting may be done flexibly depending on the situation and requirements.
- Embodiment 2. Fig. 4 is a structural diagram of a device for reducing attacks on a DNS in embodiment 2 of the present invention, wherein the device is located at the client side of the DNS system.
- the device comprises a request sending unit 401, a certificate receiving unit 402 and a request retransmission unit 403.
- the request sending unit 401 is used for sending a request to the local recursive name server;
- the certificate receiving unit 402 is used for receiving a certificate generated for the request by the local recursive name server;
- the request retransmission unit 403 is used for carrying the certificate in a request, and resending the request with the certificate carried therein to the local recursive name server.
- Embodiment 3. Fig. 5 is a structural diagram of a system for reducing attacks on a DNS in embodiment 3 of the present invention.
- the system for reducing attacks on a DNS in this embodiment comprises a resolver 501, a server side detection device 502 and a local recursive name server 503.
- the server side detection device 502 may be the device of embodiment 1.
- the server side detection device 502 receives a first request sent by the resolver 501, and if it determines that the first request carries no certificate, generates a certificate, stores the certificate, and sends the certificate to the resolver 501 at the source IP address which sent the first request.
- after receiving the certificate, the resolver 501 generates a first request carrying the certificate, and resends the first request carrying the certificate to the local recursive name server 503.
- the server side detection device 502 receives the first request which carries a certificate and was resent by the resolver 501, and if it determines that the first request carries the correct certificate, forwards the first request to the local recursive name server 503; if the server side detection device determines that the first request carries the wrong certificate, it discards the first request.
- the server side detection device 502 can employ various methods of generating certificates for requests; for instance, it can generate a certificate for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers. Specifically, in the case where a certificate is generated on the basis of an identifier of the party making the first request, the identifier of the requesting party may specifically include the IP address or Email address of the requesting party, etc.
- the certificate may be generated on the basis of the attributes of the request content itself, e.g. when the request content is a URL, the URL can be used as a certificate.
- the identifier of the data packet carrying the request may specifically include the ID number or sequence number of the data packet, etc.
- one or more random numbers can be determined on the basis of various random algorithms, to serve as a certificate.
- the certificate may specifically take the form of a token.
- the server side detection device 502 may also record the number of requests directed at one and the same resource record corresponding to a query failure response; when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a preset threshold (here referred to as the first threshold) within a predetermined time, the server side detection device 502 discards subsequent incoming requests directed at this resource record. Furthermore, the server side detection device 502 may also record the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches a preset threshold, i.e. reaches a second threshold, within a predetermined time, the server side detection device 502 discards subsequent requests sent by that source IP address.
- the setting of a first threshold to control requests directed at one and the same resource record, and the setting of a second threshold to control the sending of a large number of requests by one source IP address, as described above, may be realized separately or simultaneously in the server side detection device 502.
- the setting may be done flexibly depending on the situation and requirements.
- Embodiment 4. Fig. 6 is a structural diagram of a system for reducing attacks on a DNS in embodiment 4 of the present invention.
- the system for reducing attacks on a DNS in this embodiment comprises a resolver 601, a client side detection device 602, a server side detection device 603 and a local recursive name server 604.
- the server side detection device 603 may be the device of embodiment 1.
- the client side detection device 602 may be the device of embodiment 2.
- the client side detection device 602 transparently transmits a first request issued by the resolver 601 to the local recursive name server 604.
- the server side detection device 603 receives the first request sent by the client side detection device 602, and if the first request carries no certificate, generates a certificate, stores the certificate, and sends the certificate to the resolver 601 of the source IP address which sent the first request.
- after receiving the certificate, the client side detection device 602 generates a first request carrying the certificate, and resends the first request carrying the certificate to the local recursive name server 604.
- the server side detection device 603 receives the first request which carries a certificate and was resent by the client side detection device 602, and if it determines that the first request carries the correct certificate, forwards the first request to the local recursive name server 604; if it determines that the first request carries the wrong certificate, it discards the first request.
- the server side detection device 603 can employ various methods of generating certificates for requests; for instance, it can generate a certificate for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers.
- the server side detection device 603 may also record the number of requests directed at one and the same resource record corresponding to a query failure response; when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a preset threshold (here referred to as the first threshold) within a predetermined time, the server side detection device 603 discards subsequent incoming requests directed at this resource record.
- the server side detection device 603 may also record the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches a preset threshold, i.e. reaches a second threshold, within a predetermined time, the server side detection device 603 discards subsequent requests sent by that source IP address.
- the setting of a first threshold to control requests directed at one and the same resource record, and the setting of a second threshold to control the sending of a large number of requests by one source IP address, as described above, may be realized separately or simultaneously in the server side detection device 603.
- the setting may be done flexibly depending on the situation and requirements.
- both the client side and the local recursive name server side are provided with a detection device in embodiment 4, so there is no need to alter the existing DNS specification.
- Embodiment 5. Fig. 7 is a flow chart of a method for reducing attacks on a DNS in embodiment 5 of the present invention. As Fig. 7 shows, the method of this embodiment comprises the following steps:
- after receiving a first request which carries no certificate and was sent by a resolver, a local recursive name server generates a certificate for the first request, stores the certificate, and sends the certificate to the resolver at the source IP address of the first request.
- a certificate can be generated for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers.
- step 702 after receiving the certificate, the resolver generates a first request carrying the certificate, and resends the first request to the local recursive name server.
- step 703 the local recursive name server receives the resent first request carrying a certificate, and if it determines that the first request carries the correct certificate, continues to process the first request; if the first request carries the wrong certificate, the local recursive name server discards the first request.
- the method of this embodiment also comprises: setting a first threshold; the local recursive name server recording the number of requests directed at one and the same resource record corresponding to a failed query response; when the number of requests directed at one and the same resource record corresponding to a failed query response reaches the first threshold within a predetermined time, the local recursive name server discarding subsequent incoming requests directed at that resource record.
- the method of this embodiment also comprises: setting a second threshold; the local recursive name server recording the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches the second threshold within a predetermined time, the local recursive name server discarding subsequent requests sent by that source IP address.
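A compact working model of the server side detection device of embodiments 1 and 5 (certificate challenge, single-use check, and the first and second thresholds), written here as an added example; it is not code from the patent. The patent leaves the certificate algorithm open, so the HMAC-SHA256 token over source IP, query name, packet ID and a random nonce, the class and method names, and all addresses and domain names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

FORWARD, CHALLENGE, DISCARD = "FORWARD", "CHALLENGE", "DISCARD"


@dataclass(frozen=True)
class Request:
    """One DNS query as seen by the detection device (constructed model)."""
    src_ip: str                      # identifier of the requesting party
    qname: str                       # request content: the target resource record
    packet_id: int                   # identifier of the data packet carrying the request
    certificate: Optional[str] = None


class ServerSideDetectionDevice:
    def __init__(self, first_threshold=5, second_threshold=20, window=10.0,
                 clock=time.monotonic):
        self.key = secrets.token_bytes(32)        # device secret (assumption)
        self.first_threshold = first_threshold    # failed queries per resource record
        self.second_threshold = second_threshold  # requests per source IP address
        self.window = window                      # the "predetermined time", in seconds
        self.clock = clock                        # injectable for deterministic tests
        self.pending = {}                         # (src_ip, qname, packet_id) -> certificate
        self.failures = defaultdict(deque)        # qname  -> timestamps of query failures
        self.per_source = defaultdict(deque)      # src_ip -> timestamps of requests
        self.blocked_rr, self.blocked_ip = set(), set()

    def _count_in_window(self, stamps, now):
        """Record one event and return how many fall inside the sliding window."""
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        return len(stamps)

    def _make_certificate(self, req):
        """Certificate (token form) bound to requester id, request content, packet id
        and a random nonce; HMAC-SHA256 is this example's choice, not the patent's."""
        nonce = secrets.token_bytes(8)
        msg = f"{req.src_ip}|{req.qname}|{req.packet_id}|".encode() + nonce
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return (nonce + mac[:16]).hex()

    def handle(self, req):
        """Return (verdict, certificate): CHALLENGE carries the new certificate,
        FORWARD means pass the request on to the local recursive name server."""
        now = self.clock()
        if req.src_ip in self.blocked_ip or req.qname in self.blocked_rr:
            return DISCARD, None
        # Second threshold: too many requests from one source IP within the window.
        if self._count_in_window(self.per_source[req.src_ip], now) > self.second_threshold:
            self.blocked_ip.add(req.src_ip)
            return DISCARD, None
        key = (req.src_ip, req.qname, req.packet_id)
        if req.certificate is None:
            cert = self._make_certificate(req)
            self.pending[key] = cert                  # stored for the later check
            return CHALLENGE, cert                    # sent back to the source IP
        expected = self.pending.get(key)
        if expected is not None and hmac.compare_digest(expected.encode(),
                                                        req.certificate.encode()):
            del self.pending[key]                     # single use: a replay is discarded
            return FORWARD, None
        return DISCARD, None

    def record_query_failure(self, qname):
        """Called when the name server answers a forwarded query for qname with a
        failure; reaching the first threshold within the window blocks that record."""
        if self._count_in_window(self.failures[qname], self.clock()) >= self.first_threshold:
            self.blocked_rr.add(qname)


def demo():
    """Walk the exchange with constructed addresses (RFC 5737 ranges) and names."""
    t = [0.0]
    dev = ServerSideDetectionDevice(first_threshold=3, second_threshold=6,
                                    window=10.0, clock=lambda: t[0])
    verdict, cert = dev.handle(Request("192.0.2.10", "www.ms.com", 1))          # CHALLENGE
    forward, _ = dev.handle(Request("192.0.2.10", "www.ms.com", 1, cert))       # FORWARD
    replay, _ = dev.handle(Request("192.0.2.10", "www.ms.com", 1, cert))        # DISCARD
    forged, _ = dev.handle(Request("192.0.2.10", "www.ms.com", 2, "00" * 24))   # DISCARD
    for _ in range(3):                       # bogus RR reaches the first threshold
        dev.record_query_failure("bogus.ms.com")
    rr_block, _ = dev.handle(Request("198.51.100.7", "bogus.ms.com", 9))        # DISCARD
    flood = [dev.handle(Request("203.0.113.5", f"h{i}.ms.com", i))[0]
             for i in range(8)]              # 6 challenges, then the second threshold
    return {"challenge": verdict, "forward": forward, "replay": replay,
            "forged": forged, "rr_block": rr_block, "flood": flood}


print(demo())
```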
- a system for reducing attacks on a DNS comprising a client side and a local recursive name server side, wherein: the client side is used for sending a first request which carries no certificate to the local recursive name server side, receiving a certificate generated for the first request by the local recursive name server side, and resending the first request with the certificate carried therein to the local recursive name server side; the local recursive name server side is used for receiving a first request which carries no certificate and was sent by the client side, sending a certificate to the source IP address of the first request, and receiving the first request with a certificate carried therein which is resent by the client side; if the resent first request carries the correct certificate, continuing to process the resent first request, and if the resent first request carries the wrong certificate, discarding the resent first request.
- the certificate may specifically take the form of a token.
- the embodiments of the present invention may be stored in a machine-readable medium in the form of commands or command sets.
- Such machine-readable media include but are not restricted to: floppy disks, optical disks, DVDs, hard disks, flash memory, USB sticks, CF cards, SD cards, MMC cards, SM cards, memory sticks and xD cards, etc.
- the embodiments of the present invention may also be stored in the form of commands or command sets in a storage medium based on flash memory (Nand flash), e.g. USB sticks, CF cards, SD cards, SDHC cards, MMC cards, SM cards, memory sticks and xD cards, etc.
- an application programming interface of a certain specification may be followed to write the embodiments of the present invention as a computer program stored in a local storage medium, or the embodiments of the present invention may be encapsulated as a network application program to be downloaded for use.
- embodiments may be physical structures or logic structures; i.e. some modules may be realized as the same physical entity, or as multiple physical entities separately, or as certain components in multiple independent devices jointly.
- program code read out from the storage medium is written into a memory installed in an expansion board inserted in the computer, or into a memory installed in an expansion unit connected to the computer.
- a certificate is generated for a first request received with no certificate carried therein at the local recursive name server side, a first request carrying a certificate is generated at the resolver side, and it is determined whether the certificate carried in the resent first request is correct at the local recursive name server side, with requests containing correct certificates being processed further and requests containing wrong certificates being discarded.
Abstract
Disclosed in the present invention is a method for reducing attacks on a DNS, comprising: a local recursive name server receiving a first request which carries no certificate and was sent by a resolver, generating a certificate for the first request, and sending the certificate to the resolver of the source IP address of the first request; the local recursive name server receiving the first request resent by the resolver with a certificate carried therein; if it is determined that the first request carries the correct certificate, continuing to process the first request; if the first request carries the wrong certificate, discarding the first request. Also disclosed in the present invention are a device and system for reducing attacks on a DNS. Using the method, device and system of the present invention enables attacks on a DNS to be reduced effectively at the local recursive name server side, thereby preventing large numbers of attacks from entering other recursive name servers or even an authoritative name server. Moreover, the use of the present invention does not alter the existing DNS specification, or changes it only slightly, and has such advantages as simplicity of implementation and low costs.
Description
Device, system and method for reducing attacks on DNS
Technical field
The present invention relates to network security technology, in particular to a device, system and method for reducing attacks on a DNS.
Background art
The Domain Name System (DNS) is a key element of internet infrastructure, performing mapping between domain names and IP addresses. It is completely unacceptable for even a small part of DNS functionality to be unavailable for a very short time, as use of the entire internet may be affected as a result.
However, since most DNS queries and responses are carried over the User Datagram Protocol (UDP), which is connectionless, data packets are easily faked; DoS (denial of service) attacks based on fake data packets are difficult to prevent and inevitably cause significant damage to the DNS service.
Strategies for attack on the DNS based on fake data packets fall into two main types. One type of attack strategy is to send a large number of fake query requests to a DNS server in order to overload it, for instance by sending query requests directed at a bogus target resource record (RR). Since a standard DNS server is unable to distinguish between fake and genuine requests, it has no option but to make its best effort to process all requests, and then discard requests indiscriminately when it reaches overload. However, legitimate requesting parties generally believe that the reason for requests falling behind is congestion, and adopt a compulsory retransmission delay, so that the number of legitimate requests to the overloaded server is greatly reduced.

Another type of attack strategy is to pose as another source IP address (that of a third party attacked host) and initiate a query request, exploiting the traffic amplification which is a feature of the DNS operating mechanism. For example, the response message corresponding to a request of 50 bytes may be 500 bytes long, so when the attacker sends a DNS request, the response corresponding to that request will take up more resources than the request itself. Under such an attack, the amplified DNS traffic may exhaust the bandwidth of the DNS server and the downlink bandwidth of the third party attacked host.
However, as yet there is still no suitable strategy for dealing with such attacks.
Content of the invention
The object of the present invention is to provide a method, device and system for reducing attacks on a DNS, in order to curb attacks on the DNS effectively.
According to one embodiment of the present invention, a method for reducing attacks on a DNS comprises:
a local recursive name server receiving a first request which carries no certificate and was sent by a resolver,
the local recursive name server generating a certificate for the first request, and sending the certificate to the source IP address of the first request,
the local recursive name server receiving a first request resent by the resolver with a certificate carried therein;
if it is determined that the resent first request carries the correct certificate, continuing to process the resent first request;
if the resent first request carries the wrong certificate, discarding the resent first request.
According to another embodiment of the present invention, a device for reducing attacks on a DNS is adapted to be located on a local recursive name server side of a DNS system. The device comprises a request receiving unit, a certificate generating unit and a request processing unit. The request receiving unit is used for receiving a first request which carries no certificate and was sent by a resolver, and for forwarding the first request which carries no certificate to the certificate generating unit. The certificate generating unit is used for generating a certificate for the first request which carries no certificate, and for sending the certificate to the source IP address of the first request. The request receiving unit is further used for receiving a first request resent by the resolver with a certificate carried therein, and for forwarding the resent first request to the request processing unit. The request processing unit is used for determining whether the certificate carried in the resent first request is correct, and if it is correct, forwarding the resent first request to the local recursive name server, otherwise discarding the resent first request.
According to another embodiment of the present invention, a device for reducing attacks on a DNS is adapted to be located on the client side of a DNS system. The device comprises a request sending unit, a certificate receiving unit and a request retransmission unit. The request sending unit is used for sending a first request which carries no certificate to a local recursive name server. The certificate receiving unit is used for receiving a certificate generated for the first request by the local recursive name server. The request retransmission unit is used for carrying the certificate in the first request, and resending a first request carrying the certificate to the local recursive name server.
According to another embodiment of the present invention, a system for reducing attacks on a DNS comprises a client side and a local recursive name server side, wherein: the client side is used for sending a first request carrying no certificate to the local recursive name server side, for receiving a certificate generated for the first request by the local recursive name server side, and for resending the first request with the certificate carried therein to the local recursive name server side. The local recursive name server side is used for receiving a first request which carries no certificate and was sent by the client side, for sending a certificate to the source IP address of the first request, and for receiving the first request resent by the client side with a certificate carried therein. If the resent first request carries the correct certificate, the local recursive name server side continues to process the resent first request, and if the resent first request carries the wrong certificate, it discards the resent first request.
According to another embodiment of the present invention, a system for reducing attacks on a DNS comprises a resolver and a local recursive name server, and further comprises a client side detection device and a server side detection device, wherein: the client side detection device is used for transparent transmission to a local recursive name server of a first request which carries no certificate and was sent by the resolver. The server side detection device is used for receiving the first request which carries no certificate and was sent by the client side detection device, and for sending a certificate to the source IP address of the first request. The client side detection device is further used for receiving the certificate, inserting the certificate in a first request, and resending that first request with the certificate carried therein to the local recursive name server. The server side detection device is further used for receiving the first request resent by the client side detection device, and if the resent first request carries the correct certificate, forwarding the resent first request to the local recursive name server, but if the resent first request carries the wrong certificate, discarding the resent first request.
It can be seen from the above technical solution that a certificate is generated for a first request received with no certificate carried therein at the local recursive name server side, a first request is resent with a certificate carried therein from the resolver side, and it is determined whether the certificate carried in the first request is correct at the local recursive name server side, with requests containing correct certificates being processed further and requests containing wrong certificates being discarded. Adopting the method, device and system of the present invention allows attacks to be curbed on the local recursive name server side, preventing large numbers of requests sent by attackers from entering other recursive name servers or even reaching an authoritative name server, so that attacks on the DNS are curbed effectively at source. Moreover, the embodiments of the present invention do not alter the existing DNS specification, or change it only slightly, and boast advantages such as simplicity of implementation and low costs.
Description of the accompanying drawings
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, to give those skilled in the art a clearer understanding of the above and other features and advantages of the present invention. Identical labels indicate identical components. In the drawings:
Fig. 1 is a schematic diagram of the main component parts of a DNS system;
Fig. 2 is a schematic diagram of one example of a DNS system and the RR query processing procedure;
Fig. 3 is a structural diagram of a device for reducing attacks on a DNS in embodiment 1 of the present invention;
Fig. 4 is a structural diagram of a device for reducing attacks on a DNS in embodiment 2 of the present invention;
Fig. 5 is a structural diagram of a system for reducing attacks on a DNS in embodiment 3 of the present invention;
Fig. 6 is a structural diagram of a system for reducing attacks on a DNS in embodiment 4 of the present invention;
Fig. 7 is a flow chart of a method for reducing attacks on a DNS in embodiment 5 of the present invention.
Particular embodiments
The present invention is explained in further detail below with reference to the accompanying drawings and embodiments, in order to clarify the technical solution and advantages thereof. It should be understood that the particular embodiments described here are intended merely to illustrate the present invention and not to limit it.
Faced with the problem of attacks on the DNS with fake data packets in the prior art, the inventors of the present invention analyzed the categories of attack and found that many requests sent by attackers had a fake source IP address. Exploiting this feature, a certificate can be sent from the local recursive name server side to the client of the source IP address which sent a request, a request carrying a certificate can be generated at the client side, and a judgment can be performed on the certificate carried in the request at the local recursive name server side. If the request carries the correct certificate, the request is processed further; if the request carries the wrong certificate, the request is discarded. In this way, attacks on the DNS from fake source IP addresses are controlled effectively at the local recursive name server side, preventing attacks from threatening other recursive name servers or even an authoritative name server, and thereby preventing attacks from damaging and paralyzing the entire network.
A DNS system and the basic operating principles thereof are presented below.
Fig. 1 is a schematic diagram of a DNS system. As Fig. 1 shows, a DNS system generally comprises a resolver, a local recursive name server and an authoritative name server.
Generally, the local recursive name server and authoritative name server logically constitute most or all of the domain name service, and so can be referred to separately or together as name servers (NS). The resolver can obtain information for responding to client requests from the name servers.
In one embodiment, the resolver can access at least one local recursive name server, and use information therefrom to respond directly to a query request sent by a client. Alternatively, the resolver can transfer the query request sent by the client to an authoritative name server via the local recursive name server for recursive querying to be performed. Specifically, if the local recursive name server can find a record corresponding to a query request in the local cache, it sends a response to the resolver directly; if there is no corresponding record in the cache of the local recursive name server, the local recursive name server starts using the method of recursive querying and transfers the query request to an authoritative name server, which sends a response to the resolver.
The resolver may be a program which can be directly accessed by a user program of a client, and is preferably a system program. Generally, the user program can call the resolver directly, so in general there is no need for any specific dialogue protocol between the resolver and the user program.
Local recursive name servers (LRS) can either be deployed on the internet to be shared by the public, or be set up specially for a single organization. A local recursive name server has two main functions. Firstly, it can serve recursive querying.
When an LRS wishes to respond to a query request, if the LRS is able to respond then it responds directly to the query request, but if the LRS is unable to respond directly to the query request then it can send one or more iterative requests to multiple authoritative name servers (ANS) to perform recursive querying. Secondly, the local recursive name server can cache answers returned by an authoritative name server, and only make an enquiry of an authoritative name server when its cache does not contain an answer.
Authoritative name servers are a type of database which maintains mappings of names and addresses. An authoritative name server generally stores information related to domain tree structures and tree structure setup information. The authoritative name server caches information about the structure of any part of a domain tree or tree structure setup, but in general, one specific authoritative name server stores complete information about one specific subset of a domain space, together with pointers which point to other name servers for the purpose of obtaining information from other parts of the domain tree. As the authoritative name server knows complete information about this part of the domain tree, the authoritative name server is authoritative with regard to these parts.
The processing procedure of a DNS system is presented below taking the processing of a resource record (RR) query as an example. RRs are resource records in an ANS database, and may include many types such as A records, NS records, MX records, etc.
Fig. 2 is a procedure for processing a resource record request in a DNS system. Fig. 2 shows the example of three authoritative name servers, which are a root ANS, a com domain ANS and an ms.com domain ANS.
By way of demonstration:
The resolver wishes to resolve the address www.ms.com at the request of an application program at the client end. The resolver sends a query request to the local recursive name server by means of message 1; the local recursive name server sends the query request to the root ANS by means of message 2; the root ANS uses a name server (NS) record and address (A) record, and returns the name and IP address of the com domain ANS in message 3; the local recursive name server makes an enquiry of the com domain ANS by means of message 4; the com domain ANS returns the name and IP address of the ms.com domain ANS in message 5; the local recursive name server sends the query request to the ms.com domain ANS by means of message 6; the ms.com domain ANS returns the IP address of www.ms.com in message 7; and the local recursive name server returns the IP address of www.ms.com to the resolver by means of message 8.
In the above process, the root ANS and com domain ANS only provide transfer information, i.e. the NS record and A record of the authoritative name server of the domain at the next level down, whereas the ms.com domain ANS provides the final authoritative answer.
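The eight-message walk of Fig. 2, modelled as an added example that is not part of the patent: an in-memory local recursive name server follows referrals from a root ANS through the com ANS to the ms.com ANS, caches the answer so that a repeat query is served in two messages, and reports a query failure when the RR does not exist (the "bogus target resource record" case from the background). Zone contents, server names, IP addresses and the `build_fig2_system` helper are constructed for illustration.

```python
# Added example (not the patent's own code): toy model of the Fig. 2 resolution walk.
MAX_REFERRALS = 8  # guard against delegation loops in constructed data


class AuthoritativeNS:
    """Authoritative name server holding one subset of the domain space plus
    pointers (NS + glue A records) to the servers for delegated subtrees."""

    def __init__(self, name, delegations=None, records=None):
        self.name = name
        self.delegations = delegations or {}   # zone suffix -> (child NS name, child NS IP)
        self.records = records or {}           # owner name -> IPv4 address (A record)

    def query(self, qname):
        if qname in self.records:
            return ("answer", self.records[qname])
        # Refer the querier to the most specific delegated zone that covers qname.
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                ns_name, ns_ip = self.delegations[zone]
                return ("referral", ns_name, ns_ip)
        return ("nxdomain", None)


class LocalRecursiveNS:
    """Local recursive name server: answers from cache, otherwise walks the
    referral chain from the root and caches the final answer."""

    def __init__(self, root, servers_by_ip):
        self.root = root
        self.servers_by_ip = servers_by_ip     # stands in for the network
        self.cache = {}

    def resolve(self, qname):
        """Return (ip_or_None, messages); messages lists every exchange in order."""
        messages = [("resolver", "LRS", f"query {qname}")]
        if qname in self.cache:
            messages.append(("LRS", "resolver", f"{qname} A {self.cache[qname]} (cached)"))
            return self.cache[qname], messages
        server = self.root
        for _ in range(MAX_REFERRALS):
            messages.append(("LRS", server.name, f"query {qname}"))
            kind, *payload = server.query(qname)
            if kind == "answer":
                ip = payload[0]
                messages.append((server.name, "LRS", f"{qname} A {ip}"))
                self.cache[qname] = ip
                messages.append(("LRS", "resolver", f"{qname} A {ip}"))
                return ip, messages
            if kind == "referral":
                ns_name, ns_ip = payload
                messages.append((server.name, "LRS", f"NS {ns_name}, A {ns_ip}"))
                server = self.servers_by_ip[ns_ip]
                continue
            # Query failure: the RR does not exist in the authoritative zone.
            messages.append((server.name, "LRS", f"{qname} query failure"))
            messages.append(("LRS", "resolver", f"{qname} query failure"))
            return None, messages
        messages.append(("LRS", "resolver", f"{qname} query failure (too many referrals)"))
        return None, messages


def build_fig2_system():
    """Three constructed authoritative servers: root, com and ms.com (hypothetical data)."""
    ms_com = AuthoritativeNS("ms.com ANS", records={"www.ms.com": "198.51.100.10"})
    com = AuthoritativeNS("com ANS", delegations={"ms.com": ("ns.ms.com", "192.0.2.2")})
    root = AuthoritativeNS("root ANS", delegations={"com": ("ns.com", "192.0.2.1")})
    return LocalRecursiveNS(root, {"192.0.2.1": com, "192.0.2.2": ms_com})


if __name__ == "__main__":
    lrs = build_fig2_system()
    for name in ("www.ms.com", "www.ms.com", "bogus.ms.com"):
        ip, msgs = lrs.resolve(name)
        for n, (src, dst, text) in enumerate(msgs, 1):
            print(f"message {n}: {src} -> {dst}: {text}")
        print(f"result for {name}: {ip}\n")
```

The third query shows why a flood of requests for non-existent records is expensive for the local recursive name server: each miss costs the full referral chain to the authoritative servers before the failure is known.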
The present invention is explained in detail below with reference to particular embodiments.
The procedure for processing a resource request query is illustrated above using a specific resolved address and DNS system architecture by way of demonstration. Those skilled in the art will realize that such a restrictive illustration is employed solely for the purpose of elaboration, and is by no means intended to limit the embodiments of the present invention in any way.
Embodiment 1
Fig. 3 is a structural diagram of a device for reducing attacks on a DNS in embodiment 1 of the present invention. The device is located on the local recursive name server side of the DNS system. It can be seen from Fig. 3 that the device comprises a request receiving unit 301, a certificate generating unit 302 and a request processing unit 303. The request receiving unit 301 receives a request sent by the resolver of the client, forwards a request carrying a certificate to the request processing unit 303, and forwards a request carrying no certificate to the certificate generating unit 302; the certificate generating unit 302 generates a certificate for the request carrying no certificate, sends a certificate to the source IP address of the request, and stores the certificate generated; the request processing unit 303 determines whether the certificate carried in a received request is correct on the basis of a locally stored certificate, and then forwards requests carrying correct certificates to the local recursive name server while discarding requests which carry wrong certificates.
The certificate generating unit 302 can employ various methods of generating certificates for requests; for instance, it can generate a certificate for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers.
Specifically, in the case where a certificate is generated on the basis of an identifier of the party making the first request, the identifier of the requesting party may specifically include the IP address or Email address of the requesting party, etc. In the case where a certificate is generated on the basis of request content, the certificate may be generated on the basis of the attributes of the request content itself, e.g. when the request content is a URL, the URL can be used as a certificate. In the case where a certificate is generated on the basis of an identifier of the data packet carrying the request, the identifier of the data packet carrying the request may specifically include the ID number or sequence number of the data packet, etc. In the case where a certificate is generated on the basis of one or more random numbers, one or more random numbers can be determined on the basis of various random algorithms, to serve as a certificate.
By way of demonstration, in the embodiments of the present invention, the certificate may specifically take the form of a token.
Furthermore, the request processing unit 303 may also record the number of requests directed at one and the same resource record corresponding to a query failure response; when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a preset threshold (here referred to as the first threshold) within a predetermined time, the request processing unit 303 discards subsequent incoming requests directed at that resource record.
In general, the request processing unit 303 records the number of requests directed at one and the same resource record corresponding to a query failure message returned by an authoritative name server. For instance, if a request sent by a source IP address is a query request directed at a non-existent resource record, the local recursive name server will receive a query failure message returned by a name server, and when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a certain level, i.e. the first threshold, this indicates that it is very likely that an attack has occurred, with the attacker attacking the DNS using query requests directed at a non-existent resource record. At this point, when the request processing unit 303 blocks this resource record, the entry of further attacks into the network system can be avoided. In general, when a resource record is blocked, i.e. subsequent incoming requests directed at that resource record are no longer processed, subsequent incoming requests directed at that resource record can be discarded directly.
Furthermore, the request processing unit 303 may also record the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches a preset threshold, i.e. reaches a second threshold, within a predetermined time, the request processing unit 303 discards subsequent requests sent by that source IP address.
The second threshold is the maximum permitted number of requests which can be sent by the same source IP address within a given period of time, recorded by the request processing unit 303 itself. In general, a large number of requests being sent by one source IP address is very likely to be the activity of an attacker. A large number of requests will cause network congestion; in particular, more severe congestion is more likely to result when the local recursive name server needs to make an enquiry of an authoritative name server. When the number of requests sent by a source IP address reaches a certain value within a predetermined time, the source IP address sending the requests is blocked, i.e. subsequent requests sent by the source IP address are discarded, and the entry of further attacks into the network system can be avoided.
The setting of a first threshold to control the number of requests directed at one and the same resource record corresponding to a query response failure and the setting of a second threshold to control the sending of a large number of requests by one source IP address as described above may be realized separately or simultaneously in the request processing unit 303. The setting may be done flexibly depending on the situation and requirements.
Embodiment 2
Fig. 4 is a structural diagram of a device for reducing attacks on a DNS in embodiment 2 of the present invention, wherein the device is located at the client side of the DNS system. As can be seen from Fig. 4, the device comprises a request sending unit 401, a certificate receiving unit 402 and a request retransmission unit 403. The request sending unit 401 is used for sending a request to the local recursive name server; the certificate receiving unit 402 is used for receiving a certificate generated by the local recursive name server side; the request retransmission unit 403 is used for carrying the certificate in a request, and resending the request with the certificate carried therein to the local recursive name server.
Embodiment 3
Fig. 5 is a structural diagram of a system for reducing attacks on a DNS in embodiment 3 of the present invention. The system for reducing attacks on a DNS in this embodiment comprises a resolver 501, a server side detection device 502 and a local recursive name server 503. The server side detection device 502 may be the device of embodiment 1.
In the system of this embodiment, the server side detection device 502 receives a first request sent by the resolver 501, and if it determines that the first request carries no certificate, generates a certificate for the first request, stores the certificate, and sends the certificate to the resolver 501 of the source IP address which sent the first request. After receiving the certificate, the resolver 501 generates a first request carrying the certificate, and resends the first request carrying the certificate to the local recursive name server 503. The server side detection device 502 receives the first request which carries a certificate and was resent by the resolver 501, and if it determines that the first request carries the correct certificate, forwards the first request to the local recursive name server 503; if the server side detection device determines that the first request carries the wrong certificate, it discards the first request.
The server side detection device 502 can employ various methods of generating certificates for requests; for instance, it can generate a certificate for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers. Specifically, in the case where a certificate is generated on the basis of an identifier of the party making the first request, the identifier of the requesting party may specifically include the IP address or Email address of the requesting party, etc. In the case where a certificate is generated on the basis of request content, the certificate may be generated on the basis of the attributes of the request content itself, e.g. when the request content is a URL, the URL can be used as a certificate. In the case where a certificate is generated on the basis of an identifier of the data packet carrying the request, the identifier of the data packet carrying the request may specifically include the ID number or sequence number of the data packet, etc. In the case where a certificate is generated on the basis of one or more random numbers, one or more random numbers can be determined on the basis of various random algorithms, to serve as a certificate. By way of demonstration, the certificate may specifically take the form of a token.
Furthermore, the server side detection device 502 may also record the number of requests directed at one and the same resource record corresponding to a query failure response; when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a preset threshold (here referred to as the first threshold) within a predetermined time, the server side detection device 502 discards subsequent incoming requests directed at this resource record.
Furthermore, the server side detection device 502 may also record the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches a preset threshold, i.e. reaches a second threshold, within a predetermined time, the server side detection device 502 discards subsequent requests sent by that source IP address.
The setting of a first threshold to control the number of requests directed at one and the same resource record corresponding to a query response failure and the setting of a second threshold to control the sending of a large number of requests by one source IP address as described above may be realized separately or simultaneously in the server side detection device 502. The setting may be done flexibly depending on the situation and requirements.
Embodiment 4
Fig. 6 is a structural diagram of a system for reducing attacks on a DNS in embodiment 4 of the present invention. The system for reducing attacks on a DNS in this embodiment comprises a resolver 601, a client side detection device 602, a server side detection device 603 and a local recursive name server 604. The server side detection device 603 may be the device of embodiment 1, while the client side detection device 602 may be the device of embodiment 2.
In the system of this embodiment, the client side detection device 602 transparently transmits a first request issued by the resolver 601 to the local recursive name server 604. The server side detection device 603 receives the first request sent by the client side detection device 602, and if the first request carries no certificate, generates a certificate, stores the certificate, and sends the certificate to the resolver 601 of the source IP address which sent the first request. After receiving the certificate, the client side detection device 602 generates a first request carrying the certificate, and resends the first request carrying the certificate to the local recursive name server 604. The server side detection device 603 receives the first request which carries a certificate and was resent by the client side detection device 602, and if it determines that the first request carries the correct certificate, forwards the first request to the local recursive name server 604; if the server side detection device determines that the first request carries the wrong certificate, it discards the first request.
The server side detection device 603 can employ various methods of generating certificates for requests; for instance, it can generate a certificate for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers.
Furthermore, the server side detection device 603 may also record the number of requests directed at one and the same resource record corresponding to a query failure response; when the number of requests directed at one and the same resource record corresponding to a query failure response reaches a preset threshold (here referred to as the first threshold) within a predetermined time, the server side detection device 603 discards subsequent incoming requests directed at this resource record.
Furthermore, the server side detection device 603 may also record the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches a preset threshold, i.e. reaches a second threshold, within a predetermined time, the server side detection device 603 discards subsequent requests sent by that source IP address.
The setting of a first threshold to control the number of requests directed at one and the same resource record corresponding to a query response failure and the setting of a second threshold to control the sending of a large number of requests by one source IP address as described above may be realized separately or simultaneously in the server side detection device 603. The setting may be done flexibly depending on the situation and requirements.
As compared with embodiment 3, both the client side and the local recursive name server side are provided with a detection device in embodiment 4, so there is no need to alter the existing DNS specification.
Embodiment 5
Fig. 7 is a flow chart of a method for reducing attacks on a DNS in embodiment 5 of the present invention. As Fig. 7 shows, the method of this embodiment comprises the following steps:
In step 701, after receiving a first request which carries no certificate and was sent by a resolver, a local recursive name server generates a certificate for the first request, stores the certificate, and sends the certificate to the resolver of the source IP address of the first request.
Various methods of generating certificates for requests may be employed; for instance, a certificate can be generated for a first request on the basis of an identifier of the party making the first request, the request content, an identifier of the data packet carrying the request, and one or more random numbers.
In step 702, after receiving the certificate, the resolver generates a first request carrying the certificate, and resends the first request to the local recursive name server.
In step 703, the local recursive name server receives the resent first request carrying a certificate, and if it determines that the first request carries the correct certificate, continues to process the first request; if the first request carries the wrong certificate, the local recursive name server discards the first request.
Furthermore, the method of this embodiment also comprises: setting a first threshold; the local recursive name server recording the number of requests directed at one and the same resource record corresponding to a failed query response; when the number of requests directed at one and the same resource record corresponding to a failed query response reaches the first threshold within a predetermined time, the local recursive name server discarding subsequent incoming requests directed at that resource record.
Furthermore, the method of this embodiment also comprises: setting a second threshold; the local recursive name server recording the number of requests from one and the same source IP address; when the number of requests from one and the same source IP address reaches the second threshold within a predetermined time, the local recursive name server discarding subsequent requests sent by that source IP address.
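The method of steps 701 to 703 together with the two thresholds, and equally the server side and client side devices of embodiments 1 and 2, as an added example that is not the patent's own code. It assumes one concrete way of building the certificate that the text leaves open: an HMAC over the requester's IP address, the query name, the packet ID and a random nonce (the four bases listed above), stored in memory per (source IP, query name) and accepted once. The `ServerSideDetector`, `ClientSideDevice` and `simulate` names, the request dictionary layout, the threshold values and all addresses are constructed for illustration. The simulation shows why a request from a forged source IP address never gets forwarded: the certificate is delivered to the forged address, so the sender cannot produce it on the resend.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class ServerSideDetector:
    """Server side detection device in front of the LRS (hypothetical design):
    certificate = HMAC(key, src IP | qname | packet ID | nonce), stored per
    (src IP, qname); plus the first (per-RR failure) and second (per-IP) thresholds."""

    def __init__(self, first_threshold=3, second_threshold=50, window=60.0,
                 clock=time.monotonic):
        self.key = secrets.token_bytes(32)        # per-server secret (assumption)
        self.first_threshold = first_threshold    # query failures per RR in window
        self.second_threshold = second_threshold  # requests per source IP in window
        self.window = window
        self.clock = clock
        self.issued = {}                          # (src_ip, qname) -> token
        self.failures = defaultdict(deque)        # qname -> failure timestamps
        self.per_source = defaultdict(deque)      # src_ip -> request timestamps
        self.blocked_rr = set()
        self.blocked_ip = set()

    def _count(self, table, key):
        """Record one event for key and return how many fall inside the window."""
        now = self.clock()
        events = table[key]
        events.append(now)
        while events and now - events[0] > self.window:
            events.popleft()
        return len(events)

    def _make_token(self, req):
        nonce = secrets.token_hex(8)
        msg = f"{req['src']}|{req['qname']}|{req['id']}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def receive(self, req):
        """Return ('certificate', token) to send to req['src'], ('forward', req)
        to hand to the LRS, or ('discard', reason)."""
        if req["src"] in self.blocked_ip:
            return ("discard", "source blocked")
        if req["qname"] in self.blocked_rr:
            return ("discard", "rr blocked")
        if self._count(self.per_source, req["src"]) >= self.second_threshold:
            self.blocked_ip.add(req["src"])
            return ("discard", "second threshold reached")
        key = (req["src"], req["qname"])
        if req.get("token") is None:
            token = self._make_token(req)
            self.issued[key] = token              # stored for the later check
            return ("certificate", token)
        expected = self.issued.get(key)
        if expected is not None and hmac.compare_digest(expected, str(req["token"])):
            del self.issued[key]                  # each certificate is accepted once
            return ("forward", req)
        return ("discard", "wrong certificate")

    def record_failure(self, qname):
        """Called when the LRS receives a query failure for qname from an ANS."""
        if self._count(self.failures, qname) >= self.first_threshold:
            self.blocked_rr.add(qname)


class ClientSideDevice:
    """Client side detection device: sends the bare request, then resends it
    carrying the certificate that arrived at its own IP address."""

    def __init__(self, ip):
        self.ip = ip
        self.next_id = 1

    def request(self, qname):
        req = {"src": self.ip, "qname": qname, "id": self.next_id, "token": None}
        self.next_id += 1
        return req

    def resend(self, req, token):
        return {**req, "token": token}


def simulate():
    """Constructed traffic: one honest client, one forged source, one flood."""
    det = ServerSideDetector(first_threshold=3, second_threshold=4)
    out = {}
    client = ClientSideDevice("192.0.2.10")
    req = client.request("www.ms.com")
    out["first"], token = det.receive(req)             # certificate goes to 192.0.2.10
    out["resent"], _ = det.receive(client.resend(req, token))
    out["replay"], _ = det.receive(client.resend(req, token))
    # Forged source: the certificate is delivered to 203.0.113.7, not to the
    # real sender, so the resend cannot carry the right value.
    spoofed = {"src": "203.0.113.7", "qname": "www.ms.com", "id": 99, "token": None}
    det.receive(spoofed)
    out["spoofed"], _ = det.receive({**spoofed, "token": "0" * 64})
    for _ in range(3):                                  # first threshold: block the RR
        det.record_failure("bogus.ms.com")
    _, out["rr"] = det.receive(client.request("bogus.ms.com"))
    flood = ClientSideDevice("198.51.100.5")            # second threshold: block the IP
    for _ in range(5):
        _, out["flood"] = det.receive(flood.request("www.ms.com"))
    return out
```

Two design choices worth noting for a real deployment: the certificate is checked with a constant-time comparison and consumed on first use, so a captured token cannot be replayed; and the per-RR failure counter is fed by the LRS when the authoritative answer comes back, which is the point at which a bogus-RR flood becomes visible.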
Based on the above detailed analysis, a system for reducing attacks on a DNS is also proposed in the embodiments of the present invention, the system comprising a client side and a local recursive name server side, wherein:
the client side is used for sending a first request which carries no certificate to the local recursive name server side, receiving a certificate generated for the first request by the local recursive name server side, and resending the first request with the certificate carried therein to the local recursive name server side; the local recursive name server side is used for receiving a first request which carries no certificate and was sent by the client side, sending a certificate to the source IP address of the first request, and receiving the first request with a certificate carried therein which is resent by the client side; if the resent first request carries the correct certificate, continuing to process the resent first request, and if the resent first request carries the wrong certificate, discarding the resent first request.
Preferably, in the embodiments of the present invention, the certificate may specifically take the form of a token.
Based on the above detailed description, the embodiments of the present invention may be stored in a machine-readable medium in the form of commands or command sets. Such machine-readable media include but are not restricted to: floppy disks, optical disks, DVDs, hard disks, flash memory, USB sticks, CF cards, SD cards, MMC cards, SM cards, memory sticks and xD cards, etc. In addition, the embodiments of the present invention may also be stored in the form of commands or command sets in a storage medium based on flash memory (Nand flash), e.g. USB sticks, CF cards, SD cards, SDHC cards, MMC cards, SM cards, memory sticks and xD cards, etc.
In fact, specific implementations of the embodiments of the present invention may take a variety of forms. For example, an application programming interface of a certain specification may be followed to write the embodiments of the present invention as a computer program stored in a local storage medium, or the embodiments of the present invention may be encapsulated as a network application program to be downloaded for use.
It must be explained that it is by no means the case that all steps and modules in the above procedures and schematic structural diagrams are necessary; certain steps or modules may be omitted depending on actual requirements. The order in which the steps are performed is not fixed, but may be adjusted as required. The system structures described in the above embodiments may be physical structures or logic structures; i.e. some modules may be realized as the same physical entity, or as multiple physical entities separately, or as certain components in multiple independent devices jointly.
In addition, it should be clear that not only can part or all of an actual operation be completed by executing program code read out by a computer, but an operating system operating on a computer can also be made to complete part or all of the actual operation by means of commands based on the program code, so as to realize the function of any one of the above embodiments.
In addition, it can be appreciated that program code read out from the storage medium is written into a memory installed in an expansion board inserted in the computer, or written into a memory installed in an expansion unit connected to the computer, and thereafter commands based on the program code make a CPU etc. installed on the expansion board or expansion unit execute part or all of an actual operation, so as to realize the function of any one of the above embodiments.
It can be seen from the description of the invention and the particular embodiments above that a certificate is generated for a first request received with no certificate carried therein at the local recursive name server side, a first request carrying a certificate is generated at the resolver side, and it is determined whether the certificate carried in the resent first request is correct at the local recursive name server side, with requests containing correct certificates being processed further and requests containing wrong certificates being discarded. Adopting the embodiments of the present invention allows requests from attackers to be curbed on the local recursive name server side, preventing large numbers of requests sent by attackers from entering other recursive name servers or even reaching an authoritative name server, thus attacks on the DNS are curbed effectively at source. Moreover, the embodiments of the present invention do not alter the existing DNS specification, or change it only slightly, and boast advantages such as simplicity of implementation and low costs.
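As an added illustration (not code from the patent), the exchange described above in Python: the local recursive name server answers an uncertified first request with a certificate, checks the certificate on the resend, and applies the first threshold (failed lookups per resource record) and the second threshold (requests per source IP). The token construction (an HMAC over a time bucket, the source IP and the query name), the window length and the sample names are assumptions, since the patent does not fix them.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

class LocalRecursiveServer:
    """Server side of the certificate (token) exchange plus the two thresholds.
    Token format is an assumption: HMAC over (time bucket, source IP, query name)."""

    def __init__(self, upstream, first_threshold=3, second_threshold=8,
                 window=10.0, clock=time.monotonic):
        self.upstream = upstream                  # qname -> rdata, or None on a failed lookup
        self.key = secrets.token_bytes(32)        # server secret for token generation
        self.first_threshold = first_threshold    # failed-lookup requests per resource record
        self.second_threshold = second_threshold  # requests per source IP
        self.window = window                      # the "predetermined time", in seconds
        self.clock = clock
        self.failed_rr = defaultdict(deque)       # qname  -> timestamps of failed lookups
        self.per_ip = defaultdict(deque)          # src_ip -> timestamps of requests

    def _prune(self, dq, now):                    # drop entries older than the window
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def _token(self, src_ip, qname, now):
        msg = f"{int(now // self.window)}|{src_ip}|{qname}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def handle(self, src_ip, qname, token=None):
        """Return ("certificate", tok), "discard", "failed" or ("answer", rdata)."""
        now = self.clock()
        # second threshold: once a source IP has reached it within the window,
        # every further request from that IP is discarded
        if self._prune(self.per_ip[src_ip], now) >= self.second_threshold:
            return "discard"
        self.per_ip[src_ip].append(now)
        if token is None:                         # first request: send a certificate back
            return ("certificate", self._token(src_ip, qname, now))
        expected = self._token(src_ip, qname, now)
        if not hmac.compare_digest(expected.encode(), str(token).encode()):
            return "discard"                      # wrong certificate
        # first threshold: a resource record whose lookups keep failing is cut off
        if self._prune(self.failed_rr[qname], now) >= self.first_threshold:
            return "discard"
        rdata = self.upstream(qname)
        if rdata is None:
            self.failed_rr[qname].append(now)
            return "failed"
        return ("answer", rdata)


def resolve(server, src_ip, qname):
    """Client side: send without a certificate, then resend carrying the one received."""
    reply = server.handle(src_ip, qname)
    if reply == "discard":
        return "discard"
    return server.handle(src_ip, qname, token=reply[1])
```

A token is only accepted within the time bucket in which it was issued; a deployment would also accept the previous bucket so that a resend straddling a bucket boundary is not discarded.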
The above are merely preferred embodiments of the present invention, and are not intended to limit it. All modifications, equivalent substitutions and improvements etc. made without departing from the spirit and principles of the present invention should be included within the scope of protection thereof.
Claims
1. A method for reducing an attack on a DNS, comprising:
receiving, by a local recursive name server, a first request which does not carry a certificate and is sent by a resolver;
generating, by the local recursive name server, a certificate for the first request, and sending the certificate to a source IP address of the first request; and
receiving, by the local recursive name server, a first request which carries a certificate and is resent by the resolver;
if it is determined that the resent first request carries a correct certificate, continuing to process the resent first request; and if the resent first request carries a wrong certificate, discarding the resent first request.
2. The method as claimed in claim 1, further comprising:
the local recursive name server recording the number of requests directed at the same resource record corresponding to a failed query response;
when the number of requests directed at the same resource record corresponding to a failed query response reaches a first threshold within a predetermined time, the local recursive name server discarding subsequent incoming requests directed at that resource record.
3. The method as claimed in claim 1 or 2, further comprising: the local recursive name server recording the number of requests from the same source IP address;
when the number of requests from the same source IP address reaches a second threshold within a predetermined time,
the local recursive name server discarding subsequent requests sent by that source IP address.
4. A device for reducing attacks on a DNS, characterized in that:
the device is adapted to be located on a local recursive name server side of a DNS system, and comprises a request receiving unit, a certificate generating unit and a request processing unit, wherein:
the request receiving unit is used for receiving a first request which carries no certificate and was sent by a resolver, and for forwarding the first request which carries no certificate to the certificate generating unit;
the certificate generating unit is used for generating a certificate for the first request which carries no certificate, and for sending the certificate to the source IP address of the first request;
the request receiving unit is further used for receiving a first request resent by the resolver with a certificate carried therein, and for forwarding the resent first request to the request processing unit;
the request processing unit is used for determining whether the certificate carried in the resent first request is correct, and if it is correct, for forwarding the resent first request to the local recursive name server, otherwise discarding the resent first request.
5. The device as claimed in claim 4, characterized in that the request processing unit is further used for recording the number of requests directed at the same resource record corresponding to a failed query response, and when the number of requests directed at the same resource record corresponding to a failed query response reaches a first threshold within a predetermined time, discarding subsequent incoming requests directed at that resource record.
6. The device as claimed in claim 4 or 5, characterized in that the request processing unit is further used for recording the number of requests from the same source IP address, and when the number of requests from the same source IP address reaches a second threshold within a predetermined time, discarding subsequent requests sent by that source IP address.
7. A device for reducing attacks on a DNS, characterized in that:
the device is adapted to be located on a client side of a DNS system, and comprises a request sending unit, a certificate receiving unit and a request retransmission unit, wherein:
the request sending unit is used for sending a first request which carries no certificate to a local recursive name server;
the certificate receiving unit is used for receiving a certificate generated for the first request by the local recursive name server;
the request retransmission unit is used for inserting the certificate in a first request, and resending the first request carrying the certificate to the local recursive name server.
8. A system for reducing attacks on a DNS, comprising:
a client side and a local recursive name server side, wherein:
the client side is used for sending a first request carrying no certificate to the local recursive name server side, for receiving a certificate generated for the first request by the local recursive name server side, and resending a first request with the certificate carried therein to the local recursive name server side;
the local recursive name server side is used for receiving a first request which carries no certificate and was sent by the client side, for sending a certificate to the source IP address of the first request, and for receiving a first request resent by the client side with a certificate carried therein; if the resent first request carries the correct certificate, continuing to process the resent first request, and if the resent first request carries the wrong certificate, discarding the resent first request.
9. A system for reducing attacks on a DNS, comprising a resolver and a local recursive name server, characterized by: a client side detection device and a server side detection device, wherein:
the client side detection device is used for transparent transmission to a local recursive name server of a first request which carries no certificate and was sent by the resolver;
the server side detection device is used for receiving the first request which carries no certificate and was sent by the client side detection device, and sending a certificate to the source IP address of the first request;
the client side detection device is further used for receiving the certificate, inserting the certificate in a first request, and resending the first request with the certificate carried therein to the local recursive name server;
the server side detection device is further used for receiving the first request resent by the client side detection device, and if the resent first request carries the correct certificate, forwarding the resent first request to the local recursive name server, but if the resent first request carries the wrong certificate, discarding the resent first request.
10. The system as claimed in claim 9, characterized in that the server side detection device records the number of requests directed at the same resource record corresponding to a failed query response, and when the number of requests directed at the same resource record corresponding to a failed query response reaches a first threshold within a predetermined time, discards subsequent incoming requests directed at that resource record.
11. The system as claimed in claim 9 or 10, characterized in that the server side detection device records the number of requests from the same source IP address, and when the number of requests from the same source IP address reaches a second threshold within a predetermined time, discards requests sent by that source IP address.
12. A machine-readable medium, characterized by storing commands used to make a machine perform the method as claimed in any one of claims 1 to 3.
13. A device for reducing attacks on a DNS, characterized by comprising:
a memory, for storing executable commands; and
a processor, for performing the method as claimed in any one of claims 1 to 3 according to the stored executable commands.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210364612.X | 2012-09-26 | ||
CN201210364612.XA CN103685213A (en) | 2012-09-26 | 2012-09-26 | Device, system and method for reducing attacks on DNS |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014048746A1 true WO2014048746A1 (en) | 2014-04-03 |
Family
ID=49182238
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2013/068804 WO2014048746A1 (en) | 2012-09-26 | 2013-09-11 | Device, system and method for reducing attacks on dns |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103685213A (en) |
WO (1) | WO2014048746A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3204884A4 (en) * | 2014-10-07 | 2018-06-13 | Cloudmark, Inc | Apparatus and method for identifying a domain name system resource exhaustion attack |
US10009336B2 (en) | 2016-05-18 | 2018-06-26 | Cisco Technology, Inc. | Network security system to validate a server certificate |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103957195B (en) * | 2014-04-04 | 2017-11-03 | 北京奇虎科技有限公司 | DNS systems and the defence method and defence installation of DNS attacks |
CN105245630B (en) * | 2015-09-25 | 2019-04-23 | 互联网域名系统北京市工程研究中心有限公司 | The method and device of identification and defence DNS SERVFAIL attack |
CN105282269B (en) * | 2015-11-03 | 2018-07-06 | 中国互联网络信息中心 | A kind of configuration method and method of servicing of local dns root server |
US10404738B2 (en) * | 2017-02-27 | 2019-09-03 | Microsoft Technology Licensing, Llc | IPFIX-based detection of amplification attacks on databases |
CN112968915B (en) * | 2021-05-18 | 2021-08-06 | 卓尔智联(武汉)研究院有限公司 | Processing method, processing system and processing device for DNS (Domain name Server) attack |
CN114124442B (en) * | 2021-09-30 | 2024-03-26 | 天翼数字生活科技有限公司 | Method and system for defending DDOS attack |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003025697A2 (en) * | 2001-09-21 | 2003-03-27 | Riverhead Networks Inc. | Protecting network traffic against spoofed domain name system (dns) messages |
US20060123479A1 (en) * | 2004-12-07 | 2006-06-08 | Sandeep Kumar | Network and application attack protection based on application layer message inspection |
CN101282209A (en) * | 2008-05-13 | 2008-10-08 | 杭州华三通信技术有限公司 | Method and apparatus for preventing DNS request message from flooding attack |
US20100269174A1 (en) * | 2009-04-20 | 2010-10-21 | Art Shelest | Systems and methods for generating a dns query to improve resistance against a dns attack |
US20110035469A1 (en) * | 2009-08-05 | 2011-02-10 | Verisign, Inc. | Method and system for filtering of network traffic |
Timeline
- 2012-09-26 CN CN201210364612.XA patent/CN103685213A/en active Pending
- 2013-09-11 WO PCT/EP2013/068804 patent/WO2014048746A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN103685213A (en) | 2014-03-26 |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13762794; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 13762794; Country of ref document: EP; Kind code of ref document: A1 |