WO2018113594A1 - Method, apparatus and storage medium for defending against DNS attacks - Google Patents

Method, apparatus and storage medium for defending against DNS attacks

Info

Publication number
WO2018113594A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
dns
domain name
memory
feature value
Prior art date
Application number
PCT/CN2017/116436
Other languages
English (en)
French (fr)
Inventor
陈方舟
姜凤波
Original Assignee
腾讯科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2018113594A1
Priority to US16/389,212 (US11057404B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • the present application relates to the field of computer security technologies, and in particular, to a method, an apparatus, and a storage medium for defending against DNS attacks.
  • DNS: Domain Name System
  • the domain name server stores the domain name and corresponding IP address of all hosts in the network, and has the function of converting the domain name into an IP address.
  • a domain name must correspond to an IP address, whereas an IP address does not necessarily have a domain name.
  • Domain names and IP addresses on the Internet correspond one-to-one. A domain name is convenient for people to remember, but a machine only recognizes the IP address; the conversion between the two is called domain name resolution.
  • the domain name resolution needs to be completed by a special domain name resolution system.
  • DNS is the system for domain name resolution.
  • the domain name resolution system is located in user space. A DNS data packet is first received by the hardware, then passed to the kernel, and then passed to user space, where the domain name resolution system parses it; the parsed data packet is then transmitted back through the kernel and the hardware to the packet's destination port to complete the resolution work.
  • the present application provides a method, an apparatus and a storage medium for defending against DNS attacks, so as to improve the efficiency of identifying DNS attacks.
  • an embodiment of the present application provides a method for defending against a DNS attack in which the request record information includes the number of requests from the request source within a predetermined period;
  • an embodiment of the present application provides a method for defending against a DNS attack in which the request record information includes the number of requests for the domain name within a predetermined period;
  • An embodiment of the present application provides an apparatus for defending against a DNS attack, including a processor and a memory, where the memory includes the following units executed by the processor:
  • a request obtaining unit configured to receive a DNS request sent by a request source and obtain the IP address of the request source that sent the DNS request;
  • a feature value determining unit configured to determine a feature value of the IP address;
  • a first querying unit configured to search the memory to obtain preset identifier information corresponding to the feature value;
  • a second querying unit configured to, when the identifier information is a probe identifier indicating that it is uncertain whether the DNS request carries an attack risk, obtain the request record information and the decapsulation time corresponding to the feature value, where the request record information includes the number of requests from the request source in a predetermined period;
  • a request number determining unit configured to determine whether the number of requests exceeds a preset request threshold;
  • an attack judging unit configured to determine that the DNS request is an attack request when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold and the current time has not reached the preset decapsulation time;
  • a defense unit configured to discard the DNS request.
  • An embodiment of the present application provides an apparatus for defending against a DNS attack, including a processor and a memory, where the memory includes the following units executed by the processor:
  • a request obtaining unit configured to receive a DNS request and obtain the domain name included in the DNS request;
  • a feature value determining unit configured to determine a feature value of the domain name;
  • a determining unit configured to determine whether the feature value is included in the memory;
  • a first querying unit configured to acquire, when the feature value of the domain name is stored in the memory, the identifier information corresponding to the feature value;
  • a second querying unit configured to, when the identifier information is a probe identifier indicating that it is uncertain whether the DNS request carries an attack risk, obtain the request record information and the decapsulation time corresponding to the feature value, where the request record information includes the number of requests for the domain name in a predetermined period;
  • a request number determining unit configured to determine whether the number of requests exceeds a preset request threshold;
  • an attack judging unit configured to determine that the DNS request is an attack request when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold and the current time has not reached the preset decapsulation time;
  • a defense unit configured to discard the DNS request.
  • the embodiment of the present application provides a non-transitory computer readable storage medium storing computer readable instructions, and at least one processor executes the computer readable instructions for performing the above method.
  • After receiving a DNS request, the method for defending against DNS attacks of the present application searches the memory for the identification information corresponding to the IP address of the request source that sent the DNS request, and, for a DNS request whose identification information is the probe identifier, determines the number of requests in the predetermined period: a DNS request exceeding the request threshold is discarded, a DNS request that does not exceed the request threshold is further judged against the decapsulation time, and one for which the decapsulation time has not yet been reached is discarded. Because the identification information is set in advance, only DNS requests marked as uncertain with respect to attack risk are further judged, according to the number of requests and the decapsulation time, as to whether they are attack requests; this simplifies the DNS attack judgment process and improves the efficiency of identifying DNS attacks.
  • FIG. 1 is a flowchart of a method for defending against a DNS attack according to an embodiment of the present application
  • FIG. 2 is a flowchart of a method for updating request record information corresponding to feature values in an internal memory according to an embodiment of the present disclosure
  • FIG. 3 is a flowchart of a method for updating identifier information corresponding to feature values in an internal memory according to an embodiment of the present disclosure
  • FIG. 4 is a flowchart of a method for defending against a DNS attack according to an embodiment of the present application
  • FIG. 5 is a flowchart of a method for determining whether a feature value of a domain name is included in a memory according to an embodiment of the present disclosure
  • FIG. 6 is a flowchart of a method for determining whether a DNS request is a DNS attack according to a request number determination result and a decapsulation time according to an embodiment of the present application;
  • FIG. 7 is a schematic diagram of an in-memory hash table disclosed in an embodiment of the present application.
  • FIG. 8 is a flowchart of a method for updating request record information corresponding to feature values in an internal memory according to an embodiment of the present disclosure
  • FIG. 9 is a flowchart of a method for adding a feature value and identification information of a domain name in a memory according to an embodiment of the present disclosure
  • FIG. 10 is a schematic block diagram of an apparatus for defending against a DNS attack according to an embodiment of the present application.
  • FIG. 11 is a schematic block diagram of an apparatus for defending against a DNS attack according to an embodiment of the present application.
  • FIG. 12 is a system architecture diagram of a DNS system disclosed in an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a computer system according to an embodiment of the present application.
  • the characteristics of DNS determine that, first, the DNS query request message and the query response message can be forged.
  • a network attacker can send DNS query requests to the DNS server with a forged source address, which also hides the attacker's identity.
  • the DNS server is "obliged to answer" every DNS query request and cannot determine whether a given DNS query request is a malicious attack.
  • a DNS attack can therefore cause the DNS server to run heavily overloaded or even fail to respond to normal users' DNS request packets.
  • DNS attack behavior may be detected by setting a fixed protection domain name and a protection threshold: for example, the number of domain names matching the protection domain name within a statistical detection period is counted and compared with the protection threshold.
  • if the protection threshold is exceeded, it can be determined that the DNS is under attack.
  • however, because the preset protection domain name is fixed, the number of detected DNS request packets may not exceed the set protection threshold, the DNS attack behavior cannot be detected, and the DNS server is overloaded or even crashed.
  • An obvious feature of DNS attacks is that the attacker uses the attacker's IP to send a large number of request packets, to which the DNS server must respond.
  • one method of responding to DNS attacks is to use a firewall to limit the number of requests per IP address, for example to control the number of DNS request packets sent by an IP segment, limiting it to 300 or fewer per second; requests beyond that number are considered an attack and are discarded directly.
  • the judgment efficiency will be reduced.
  • the operating system has a kernel space and a user space. Kernel function modules run in kernel space and applications run in user space; the kernel runs at the highest privilege level (kernel mode) and applications at a lower level (user mode), and user processes in user space communicate with kernel processes in kernel space via netlink sockets. Taking Linux as an example, ordinary Linux system software resides in user space and cannot interact directly with the Linux kernel.
  • the user-space software iptables can be used to control netfilter, the software framework in the Linux kernel for managing network data packets.
  • an existing method for defending against DNS attacks is to add judgment rules to a kernel module in kernel space and to process network data packets by means of these rules. Because the blocking judgment process performed in kernel mode under the control of iptables is complicated, the rules must be matched item by item until a match determines that a packet is a DNS attack; when there are too many rules, efficiency is low.
  • the embodiments of the present application provide the following embodiments to overcome the above problems or at least partially solve the above problems.
  • the present embodiment provides a method for defending against DNS attacks. It should be noted that the steps shown in the flowcharts of the accompanying drawings may be executed in a computer system as a set of computer-executable instructions, and although a logical order is presented in the flowchart, in some cases the steps shown or described may be performed in an order different from the one described herein.
  • FIG. 1 is a flowchart of a method for defending against a DNS attack disclosed in the present application; as shown in the figure, the method for defending against a DNS attack includes the following steps:
  • Step S101 Receive a DNS request sent by the request source, and obtain an IP address of a request source that sends the DNS request.
  • Step S102 determining a feature value of the IP address
  • Step S103 Searching in the memory to obtain preset identification information corresponding to the feature value
  • Step S104 When the identifier information is a probe identifier indicating that it is uncertain whether the DNS request carries an attack risk, obtain the request record information and the decapsulation time (the time at which a ban is lifted) corresponding to the feature value, where the request record information includes the number of requests from the request source within a predetermined period;
  • Step S105 determining whether the number of requests exceeds a preset request threshold
  • Step S106 When the number of requests exceeds the preset request threshold, or the number of requests does not exceed the preset request threshold and the current time has not reached the preset decapsulation time, determine that the DNS request is an attack request;
  • Step S107 Discard the DNS request.
  • the method may further include: determining whether the data packet format of the DNS request conforms to a predetermined protocol and whether the destination port of the DNS request is a predetermined port; if yes, the step of obtaining the request source IP address is performed.
  • the solution in this embodiment only concerns DNS request packets; the judgment may be that the data packet is a UDP packet and the destination port is 53. If the condition is not met, the data packet is transparently forwarded, so the normal transmission of other data packets is not affected.
  • the request source may be the terminal that initiates the DNS request.
  • the judgment may be made according to the DNS format specified in RFCs (Request For Comments); for example, the content of a DNS query request packet is checked against the following RFC documents: RFC 1034, Domain names: concepts and facilities; RFC 1035, Domain names: implementation and specification; RFC 1123, Requirements for Internet hosts: application and support; RFC 1886, DNS extensions to support IP version 6; RFC 1995, Incremental zone transfer in DNS; RFC 1996, A mechanism for prompt notification of zone changes (DNS NOTIFY); RFC 2136, Dynamic updates in the domain name system (DNS UPDATE); RFC 2181, Clarifications to the DNS specification; RFC 2308, Negative caching of DNS queries (DNS NCACHE); RFC 2535, Domain Name System Security Extensions (DNSSEC); RFC 2671, Extension mechanisms for DNS (EDNS0); RFC 2782, A DNS RR for specifying the location of services (DNS SRV).
  • RFC: Request For Comments
  • the check items include: whether the size of the data packet is normal, whether the domain name is legal, and whether the request type is legal.
  • the method for determining the feature value of the IP address may include: determining the feature value according to the first three values (octets) of the IP address, or according to the last three values, or calculating a hash value of the first three values and using it as the feature value, or calculating a hash value of the last three values and using that hash value as the feature value of the IP address. For the Internet, the first three values of an IP address already represent the network number and the computer number and can distinguish different IP sources. For a local area network, the first value of the IP address is the same for all hosts and does not help distinguish different IP sources, so only the last three values may be considered.
  • the specific method for determining the feature value according to the first three values may include: reading the IP address, obtaining its first three values, and forming a transit IP address from the combination of these three values, where the first three segments of the transit IP address are the same as the first three segments of the IP address and the fourth segment of the transit IP address is 0.
  • this transit IP address is the feature value of the IP address.
  • the specific method for determining the feature value according to the last three values is similar; the difference is that the first segment of the transit IP address is 0 and the last three segments match the last three segments of the IP address.
  • IP is the abbreviation of Internet Protocol, the protocol designed for computers to communicate with each other.
  • an IP address is used so that computers connected to the Internet can identify each other when communicating.
  • each host on the Internet is assigned a unique 32-bit address, called an IP address.
  • the IP address in this embodiment is by default an IPv4 address.
  • there are a total of 255*255*255*255 IPv4 addresses.
  • the kernel module of the operating system could store all IPs and their related information; in practice, however, each IP address needs 20-30 bytes of storage, which would take more than 90G of memory, and the memory cost is too high.
  • instead, the IP segment, or the hash value of the IP segment, is stored, so that one feature value corresponds to 256 IP addresses, which effectively controls the memory cost.
  • addresses in one IP segment generally belong to the same organization.
  • normal DNS requests generally come from recursive DNS servers, so using the IP segment as the feature value to look up the response information does not affect normal DNS requests.
  • FIG. 3 is a flowchart of a method for updating identification information corresponding to feature values in an internal memory according to an embodiment of the present application.
  • before the identification information of the IP address is obtained from the memory according to the feature value, the method further includes:
  • acquiring identifier information and saving it as the identifier information corresponding to the feature value;
  • alternatively, the acquired identifier information may be added to the identifier information already corresponding to the feature value in the memory;
  • the system monitors the data traffic from kernel space to application space in real time.
  • the DNS request is captured by a hook function registered in advance in the firewall framework of the operating system, or the DNS request log is analyzed, to obtain the request volume.
  • the identifier information of the request source IP address whose request volume exceeds the set threshold is recorded as the probe identifier, the feature value of the IP address is determined by the method described in step S102, and the feature value and the probe identifier are sent to kernel space through netlink. It is also possible to set the identification information manually and send it from user space to kernel space to store or update the feature value and identification information.
  • a whitelist identifier and/or a blacklist identifier may further be set for an IP segment.
  • the request volume from back-end addresses to an authoritative DNS server may be relatively high, and since requests from these addresses are normal, a whitelist identifier may be set for the IP segment to which a back-end address belongs. After the whitelist identifier is set, DNS requests from that segment are not discarded regardless of the request volume.
  • a specified time is preset in a timer, and when the current time reaches the specified time, that is, when the specified time expires, the decapsulation (unban) operation is performed.
  • the probe identifier corresponding to the feature value of the IP address is then deleted, so that it no longer marks the address as "not sure whether the DNS request has an attack risk".
  • for a blacklist identifier, all request packets are discarded regardless of the request volume, that is, the IP segment is permanently banned.
  • the identification information of the IP address is searched in the memory according to the characteristic value of the IP address, and the feature values and related information of all IPV4 addresses are recorded in the memory.
  • the memory stores array elements in the form of an array.
  • the array elements include feature values, identification information, request record information, and decapsulation time.
  • the feature value, the identification information, the request record information, and the unsealing time correspond one-to-one.
  • the identifier information may include a whitelist identifier, a blacklist identifier, and a probe identifier.
  • the whitelist identifier indicates that there is no attack risk. For example, when the recorded number of DNS requests per unit time from the IP address does not exceed a minimum threshold, it is determined that there is no attack risk for the IP address and the whitelist identifier is set.
  • the blacklist identifier indicates a large attack risk. For example, when the recorded number of DNS requests per unit time from the IP address exceeds a maximum threshold, the blacklist identifier is set for the IP address.
  • the probe identifier indicates that it is uncertain whether there is an attack risk and that further checking is needed. For example, when the recorded number of DNS requests per unit time from the IP address is greater than or equal to the minimum threshold and less than the maximum threshold, the probe identifier is set for the IP address.
  • the identification information corresponding to the feature value may be manually set or may be marked or modified according to the detection result received from the user space.
  • Request record information may include the DNS request time and the number of requests in the predetermined period.
  • the decapsulation time is the time after which the ban on the IP address corresponding to the feature value is released.
  • the system can set one or more decapsulation times and configure different ban durations for IP addresses corresponding to different feature values.
  • the ban duration is the specified time, that is, DNS requests from the IP address are determined to be attack requests within that duration.
  • the decapsulation time can be set in countdown form; after the countdown completes it automatically returns to zero, and when the decapsulation time is zero the corresponding IP segment is unbanned.
  • if the identification information found in the memory according to the feature value of the IP address is a blacklist identifier, the data packet of the DNS request is discarded; if it is a whitelist identifier, the DNS request is accepted.
  • the method further includes: updating the request record information corresponding to the feature value.
  • FIG. 2 is a flowchart of a method for updating request record information corresponding to feature values in an internal memory according to an embodiment of the present disclosure.
  • a method for updating request record information corresponding to a feature value includes:
  • the specific method for updating the request time of the DNS request in the request record information may be: replacing the request time in the request record information with the request time of the current DNS request.
  • if the request record information corresponding to the feature value in the memory is empty, the information of the current DNS request is saved as the request record information; specifically, the request time and the number of requests of the current DNS request are saved as the request record information.
  • in step S104, the request record information obtained by querying the memory according to the feature value of the IP address is the information updated according to the current DNS request.
  • step S106 determines, according to the determination result and the decapsulation time, whether the request source is performing a DNS attack: if the number of requests exceeds the request threshold, it is determined that the request source is performing a DNS attack and the decapsulation time corresponding to the feature value is reset; if the number of requests does not exceed the request threshold, it is determined whether the decapsulation time corresponding to the feature value has expired; if yes, the DNS request is determined to be a normal request, and if not, it is determined that the request source is performing a DNS attack.
  • the number of requests from the source IP in the predetermined period is determined, the decapsulation time is reset for an IP address that exceeds the request threshold, and the ban on that IP address is thereby extended. For an IP address that does not exceed the request threshold but whose decapsulation time has not been reached, the ban is continued, that is, its DNS requests are determined to be attack requests until the decapsulation time is reached, after which DNS requests sent from the IP address are processed normally. This improves the efficiency of determining DNS attacks and protects the DNS server.
  • from the last request time and the number of requests of the IP address corresponding to the feature value, it is determined whether the interval between the current time and the saved time exceeds 1 second: if it exceeds 1 second, the number of requests is cleared; if not, the number of requests is incremented by 1. If the number of requests then exceeds the request threshold (that is, more than the threshold number of requests within one second), the packet of the DNS request is discarded and a ban time corresponding to the feature value is saved in the memory. When the next request from this IP address arrives, if the ban time has not expired, the packet is dropped directly and the ban continues.
  • in step S107, by performing the DNS attack judgment in kernel space, the DNS attack is found and the attack request packet is discarded early in kernel space, improving the real-time performance of the defense.
  • the DNS attack is judged and defended against according to the request source IP address.
  • identification information is set for each IP address: DNS requests from whitelisted IP addresses are passed directly, DNS requests from blacklisted IP addresses are blocked directly, and only DNS requests from IP addresses whose identification information is the probe identifier are further processed. This avoids checking all IP addresses and improves the efficiency of discriminating DNS attacks.
  • when a DNS request from an IP address with the probe identifier is processed, the request count judgment and the decapsulation time are combined to discriminate the DNS attack, which improves the accuracy of identifying DNS attacks; the decapsulation time is preset and adjusted according to the result of the request count judgment, which improves the efficiency of determining DNS attacks.
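The IP-address variant above (steps S101 to S107 together with the request record update and ban extension of FIG. 2) as an added Python example; this is not the patent's own code, and the table layout, the function names, the 300-per-second threshold, the 1-second period and the 60-second ban duration are this example's assumptions:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict

# Identifier information kept per feature value (whitelist, blacklist, probe).
# Names are this example's own.
WHITELIST, BLACKLIST, PROBE = "whitelist", "blacklist", "probe"

# Assumed tuning values: the patent quotes "300 per second" as an example limit and a
# 1-second predetermined period; the ban duration is an assumption of this example.
REQUEST_THRESHOLD = 300     # requests per period allowed for a probe-marked segment
PERIOD_SECONDS = 1.0        # the "predetermined period"
BAN_SECONDS = 60.0          # how long a segment stays banned after exceeding the threshold


def feature_value(ip: str, use_first_three: bool = True) -> str:
    """Transit address: keep three octets of the IPv4 address and zero the fourth
    (Internet case) or the first (LAN case, where every host shares the first octet)."""
    octets = bytearray(ipaddress.IPv4Address(ip).packed)   # also validates the address
    if use_first_three:
        octets[3] = 0
    else:
        octets[0] = 0
    return str(ipaddress.IPv4Address(bytes(octets)))


@dataclass
class Entry:
    """One array element of the in-memory table (feature value -> this record)."""
    identifier: str                  # WHITELIST, BLACKLIST or PROBE
    last_request_time: float = 0.0   # request record: time of the last request
    request_count: int = 0           # request record: requests in the current period
    decapsulation_time: float = 0.0  # ban is lifted at this time (0 = not banned)


class DnsGuard:
    def __init__(self) -> None:
        self.table: Dict[str, Entry] = {}

    def set_identifier(self, fv: str, identifier: str) -> None:
        """Identifier information is pushed from user space (netlink in the patent)
        or set manually; here it is simply written into the table."""
        entry = self.table.get(fv)
        if entry is None:
            self.table[fv] = Entry(identifier)
        else:
            entry.identifier = identifier

    @staticmethod
    def _update_record(entry: Entry, now: float) -> None:
        # FIG. 2 logic: restart the counter when more than one period has elapsed
        # since the saved request time, otherwise count this request as well.
        if now - entry.last_request_time > PERIOD_SECONDS:
            entry.request_count = 1
        else:
            entry.request_count += 1
        entry.last_request_time = now

    def handle(self, src_ip: str, now: float) -> str:
        """Verdict ('accept' or 'drop') for one DNS request from src_ip at time now."""
        entry = self.table.get(feature_value(src_ip))
        if entry is None:
            return "accept"            # assumption: an unknown segment is passed through
        if entry.identifier == WHITELIST:
            return "accept"            # never discarded, whatever the volume
        if entry.identifier == BLACKLIST:
            return "drop"              # always discarded, whatever the volume
        # Probe identifier: combine request count and decapsulation time (step S106).
        self._update_record(entry, now)
        if entry.request_count > REQUEST_THRESHOLD:
            entry.decapsulation_time = now + BAN_SECONDS   # reset, i.e. extend, the ban
            return "drop"
        if now < entry.decapsulation_time:
            return "drop"              # under the threshold but the ban has not expired
        return "accept"
```

Because the table is keyed by the transit address, every host in a /24 shares one counter and one ban, which is the memory trade-off the text describes (one feature value for 256 addresses).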
  • the present embodiment provides a method for defending against DNS attacks. It should be noted that the steps shown in the flowcharts of the accompanying drawings may be executed in a computer system as a set of computer-executable instructions, and although a logical order is presented in the flowchart, in some cases the steps shown or described may be performed in an order different from the one described herein.
  • FIG. 4 is a flowchart of a method for defending against a DNS attack according to an embodiment of the present disclosure; as shown in the figure, the method for defending against a DNS attack includes the following steps:
• Step S401: Receive a DNS request, and obtain the domain name to be resolved that is included in the DNS request;
• Step S402: Determine a feature value of the domain name;
• Step S403: Determine whether the feature value is included in the memory;
• Step S404: If yes, acquire the identification information corresponding to the feature value;
• Step S405: If the identification information is the probe identifier, which marks a DNS request for which it is not yet determined whether there is an attack risk, obtain the request record information and the decapsulation time corresponding to the feature value, where the request record information includes the number of times the domain name was requested within a predetermined period;
• Step S406: Determine whether the request count exceeds a preset request threshold;
• Step S407: When the request count exceeds the preset request threshold, or the request count does not exceed the preset request threshold but the current time has not reached the preset decapsulation time, determine that the DNS request is an attack request;
• Step S408: Discard the DNS request.
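The judgment of steps S404 to S408, which is the same judgment the earlier IP-address steps apply with a 1 second period, carried out on one generic key as an added Python example; this is not code from the patent or its applicant. The identifier names, the class and method names, and the default period, threshold and ban length are this example's own assumptions, and the request record update follows the text literally (the count returns to zero once the predetermined period has elapsed, and the decapsulation time is reset whenever the threshold is exceeded).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Ident(Enum):
    """Identification information stored with a feature value (names assumed)."""
    UNBLOCKED = "unblocked"  # whitelist / decapsulation identifier: accept directly
    BANNED = "banned"        # blacklist / banned identifier: drop directly
    PROBE = "probe"          # probe identifier: judge by request count and decapsulation time


class Verdict(Enum):
    ACCEPT = "accept"
    DROP = "drop"
    PASS_THROUGH = "pass_through"  # feature value not in memory: not tracked at all


@dataclass
class Record:
    """One memory entry: identifier, request record information, decapsulation time."""
    ident: Ident
    count: int = 0             # requests seen within the predetermined period
    last_request: float = 0.0  # request time saved in the request record (0 = empty)
    unblock_time: float = 0.0  # decapsulation time; 0 means no ban has been set


class DnsJudge:
    def __init__(self, period: float = 1.0, threshold: int = 50, ban_seconds: float = 60.0):
        self.period = period            # predetermined period (1 second in the IP embodiment)
        self.threshold = threshold      # preset request threshold (value assumed)
        self.ban_seconds = ban_seconds  # how far ahead the decapsulation time is reset (assumed)
        self.table: Dict[str, Record] = {}  # keyed by feature value (a name or an IP here)

    def set_ident(self, key: str, ident: Ident) -> None:
        """Store or update identification information (the user-space update path)."""
        rec = self.table.get(key)
        if rec is None:
            self.table[key] = Record(ident)
        else:
            rec.ident = ident

    def _update_record(self, rec: Record, now: float) -> None:
        """Request record update: empty -> save; period elapsed -> zero; else +1."""
        if rec.last_request == 0.0:
            rec.count = 1
        elif now - rec.last_request > self.period:
            rec.count = 0
        else:
            rec.count += 1
        rec.last_request = now

    def judge(self, key: str, now: float) -> Verdict:
        """Steps S403-S408 for one request arriving at time `now` (seconds)."""
        rec = self.table.get(key)
        if rec is None:
            return Verdict.PASS_THROUGH
        if rec.ident is Ident.BANNED:
            return Verdict.DROP
        if rec.ident is Ident.UNBLOCKED:
            return Verdict.ACCEPT
        # Probe identifier: combine the request count with the decapsulation time.
        self._update_record(rec, now)
        if rec.count > self.threshold:
            rec.unblock_time = now + self.ban_seconds  # reset the decapsulation time
            return Verdict.DROP
        if rec.unblock_time and now < rec.unblock_time:
            return Verdict.DROP  # under the threshold, but the ban has not expired yet
        return Verdict.ACCEPT


if __name__ == "__main__":
    judge = DnsJudge(period=1.0, threshold=3, ban_seconds=60.0)
    judge.set_ident("a.com", Ident.PROBE)  # constructed sample key
    for t in (10.0, 10.1, 10.2, 10.3, 12.0, 71.0):
        print(t, judge.judge("a.com", t).value)
```

The trace in the `__main__` block shows the edge case the text singles out: the fourth request within one second trips the threshold, the request at 12.0 seconds is under the threshold again (the count was zeroed) but is still dropped because the decapsulation time has not been reached, and only the request at 71.0 seconds is accepted.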
• Step S401 further includes: determining whether the data format of the DNS request packet conforms to a predetermined protocol and whether the destination port of the DNS request is a predetermined port; if yes, obtaining the domain name to be resolved from the packet data of the DNS request.
• The DNS request packet is a UDP (User Datagram Protocol) packet and the destination port is 53. If the condition is not met, the packet is passed through transparently, so that the normal transmission of other packets is not affected.
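The pre-check of step S401 (UDP, destination port 53, well-formed request) followed by extraction of the queried domain name, as an added Python example that is not code from the patent. The query packet is constructed inline so the example runs offline; the function names, the `proto` string convention, and the choice to pass malformed payloads through unjudged are this example's own assumptions.

```python
import struct
from typing import Optional, Tuple

DNS_PORT = 53  # the predetermined port named in the text


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample input: a standard DNS query (QR=0, RD=1) for `name`.
    Not captured traffic; built here so the example runs offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def extract_qname(payload: bytes) -> Optional[str]:
    """Return the domain name in the question section, or None if the payload
    does not look like a well-formed DNS request (the format check of S401)."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR=1 is a response; no question to inspect
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None  # name runs off the end of the packet
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            return None  # compression pointers are not expected in a query name
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    name = ".".join(labels).lower()
    return name if 0 < len(name) <= 253 else None


def inspect_packet(proto: str, dst_port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Pre-check from step S401: only UDP to port 53 is inspected; everything
    else is passed through transparently. Returns (action, domain_name)."""
    if proto != "udp" or dst_port != DNS_PORT:
        return ("pass_through", None)
    name = extract_qname(payload)
    if name is None:
        return ("pass_through", None)  # format check failed: not judged here
    return ("inspect", name)


if __name__ == "__main__":
    print(inspect_packet("udp", 53, build_query("a.com")))   # ('inspect', 'a.com')
    print(inspect_packet("tcp", 53, build_query("a.com")))   # ('pass_through', None)
```

The name is lower-cased and the trailing dot removed before it is handed on, so that the feature value computed in step S402 is the same however the client spelled the query.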
• Step S402, determining the feature value of the domain name, includes: calculating a first hash value of the domain name with a first hash algorithm and a second hash value of the domain name with a second hash algorithm; the first hash value and the second hash value together are used as the feature value of the domain name.
• Two different hash algorithms are applied to the same domain name string, giving two hash values, in order to avoid hash collisions. If two different domain names yield the same first hash value under the first hash algorithm, the second hash value can be used to distinguish them; the probability that two domain names have the same first hash value and the same second hash value and both exist in the memory is minimal and negligible, and only the domain names added as attacked or attack-prone are stored in the memory.
  • FIG. 5 is a flowchart of a method for determining whether a feature value of a domain name is included in a memory in step S403 of the embodiment of the present application.
  • a method for determining whether the feature value is included in the memory includes:
• Step S501: Determine the feature value of the domain name, where the feature value includes a first hash value and a second hash value;
• Step S502: Determine whether the first hash value of the domain name exists in the memory; if the determination result is yes, go to step S503; if the determination result is no, go to step S506;
• Step S505: If the determination result of step S504 is yes, determine that the feature value of the domain name is included in the memory; if the determination result of step S504 is no, go to step S506;
• When a DNS request is received: unlike IP addresses, the number of domain names is unlimited, so only secure, insecure, and suspected domain names are recorded in the memory. A secure domain name, that is, one without attack risk, is tagged with the decapsulation (unblocked) identifier; an insecure domain name, that is, one with a large attack risk, is tagged with the banned identifier; a suspected domain name, that is, one for which it is not yet determined whether the DNS request carries attack risk, is tagged with the probe identifier. Thus, when the domain name of a received DNS request carries the decapsulation identifier, the DNS request is sent to the DNS resolution system in user space; when it carries the banned identifier, the packet of the DNS request is discarded; and when it carries the probe identifier, the domain name must be judged further in combination with the request count and the decapsulation time.
• The identification information of the domain name is looked up in the memory according to the feature value: if the identification information found is the banned identifier, the packet of the DNS request is discarded; if it is the decapsulation identifier, the DNS request is accepted; and if it is the probe identifier, the request count and the decapsulation time of the domain name are used to further determine whether the DNS request is accepted. Setting identification information simplifies the DNS attack judgment process.
  • FIG. 8 is a flowchart of a method for updating request record information corresponding to feature values in an internal memory according to an embodiment of the present application.
  • updating the request record information corresponding to the feature value includes:
• The request time of the DNS request in the request record information is updated by replacing the request time recorded in the request record information with the request time of the current DNS request.
  • FIG. 6 is a flowchart of a method for determining whether a DNS request is a DNS attack according to a request number judgment result and a decapsulation time disclosed in the embodiment of the present application.
  • a method for determining whether the DNS request is a DNS attack includes:
  • S602. Determine whether the number of requests exceeds a preset request threshold.
• The hash values and related information of the domain names are stored in a hash table in the memory. The whole hash table is an array, each item of the hash table is a linked list, and each node of each linked list stores the information of one domain name, which may include the second hash value of the domain name, the request record information, and the decapsulation time.
• In step S504, whether the second hash value corresponding to the first hash value in the memory is the same as the second hash value of the domain name may be determined by traversing each node of the linked list in which the first hash value is located and comparing the second hash value saved in each node with the second hash value of the domain name.
• If the information about the domain name is stored in the memory, the identification information, the request record information, and the decapsulation time corresponding to the second hash value can then be obtained.
  • FIG. 9 is a flowchart of a method for adding a feature value and identification information of a domain name in a memory according to an embodiment of the present application.
  • the method for adding the feature value and the identification information of the domain name in the memory includes:
• Step S901: Acquire the feature value of the domain name and the identification information, where the feature value includes a first hash value of the domain name calculated with a first hash algorithm and a second hash value calculated with a second hash algorithm.
• The system monitors the data traffic from the kernel space to the user space in real time.
• The DNS requests are captured by a hook function registered in advance in the firewall framework of the operating system, or the DNS request log is analyzed, to obtain the request amount of each domain name.
• A domain name whose request amount exceeds the threshold is marked with the probe (detection) identifier.
• A domain name whose request amount is less than the minimum threshold is marked with the decapsulation identifier; a domain name whose request amount is greater than the maximum threshold is marked with the banned identifier; and a domain name whose request amount is greater than the minimum threshold and less than the maximum threshold is marked with the probe identifier.
• Step S402 is then used to determine the feature value of the domain name, and the feature value and the probe identifier are sent to the kernel space through netlink. The identification information may also be set manually and sent from the user space to the kernel space, to store or update the feature value and the identification information.
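The user-space classification just described (request amount per domain name taken from a request log, then the minimum and maximum thresholds assign the decapsulation, probe or banned identifier), as an added Python example that is not code from the patent. The log line format, the sample lines, the window bounds and the threshold values are constructed for this example; the text leaves the behaviour at exactly the minimum or maximum threshold open, and this example assigns the probe identifier in those boundary cases.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed sample log: "<unix time> <client ip> <queried name>" (format assumed).
# Within the 60 second window below: a.com x5, b.com x1, c.com x7; one c.com line is
# outside the window and one line is deliberately unparseable.
SAMPLE_LOG = """\
1700000000.1 10.0.0.5 a.com
1700000000.2 10.0.0.6 a.com
1700000000.3 10.0.0.7 A.COM.
1700000000.4 10.0.0.5 a.com
1700000000.5 10.0.0.8 a.com
1700000000.6 10.0.0.5 b.com
garbage line that does not parse
1700000001.0 10.0.0.5 c.com
1700000001.1 10.0.0.5 c.com
1700000001.2 10.0.0.9 c.com
1700000001.3 10.0.0.9 c.com
1700000001.4 10.0.0.9 c.com
1700000001.5 10.0.0.9 c.com
1700000001.6 10.0.0.9 c.com
1700000999.0 10.0.0.9 c.com
"""

LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

# Identifier names are this example's own.
UNBLOCKED, PROBE, BANNED = "unblocked", "probe", "banned"


def count_requests(lines: Iterable[str], window_start: float, window_end: float) -> Counter:
    """Request amount per domain name within [window_start, window_end)."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than abort the analysis
        ts = float(m["ts"])
        if window_start <= ts < window_end:
            counts[m["qname"].lower().rstrip(".")] += 1  # same canonical form as the lookup
    return counts


def classify(counts: Dict[str, int], min_threshold: int, max_threshold: int) -> Dict[str, str]:
    """Assign identification information from the request amount."""
    result: Dict[str, str] = {}
    for name, n in counts.items():
        if n < min_threshold:
            result[name] = UNBLOCKED   # decapsulation identifier
        elif n > max_threshold:
            result[name] = BANNED      # banned identifier
        else:
            result[name] = PROBE       # probe identifier; boundaries included here (assumption)
    return result


def classify_log(text: str, window_start: float, window_end: float,
                 min_threshold: int, max_threshold: int) -> Dict[str, str]:
    """Convenience wrapper: log text in, identifier per domain name out."""
    counts = count_requests(text.splitlines(), window_start, window_end)
    return classify(counts, min_threshold, max_threshold)


if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG, 1700000000, 1700000060, 3, 6))
```

The resulting mapping is what the text sends to the kernel space together with each domain name's feature value; the domain names tagged `unblocked` are recorded too, since the text stores secure as well as suspected and insecure names.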
• The user space detects that the domain name a.com is a suspicious domain name, records its identification information as the probe identifier, calculates the two hash values 32 and 101 of the domain name, and sends the hash values and the probe identifier to the kernel space.
• The information about the domain name needs to be saved in the hash table in the memory.
• The first hash value of the domain name a.com is 32.
• The node storing the information related to the domain name a.com then no longer points to null but points to the node corresponding to b.com.
• Each item in the hash table is a linked list.
• Each line represents one item of the hash table. Some lines are relatively long, such as the first line, which is the item specified by the hash value 32 and already has three nodes in its list; some lines are shorter, such as the one specified by the hash value 34.
• To query whether the feature value of the domain name c.com is stored in the hash table, first find the item with the first hash value 32 in the first column, then traverse all nodes of the linked list corresponding to that item and find the node whose second hash value is 199; from that node the information corresponding to the second hash value, such as the probe identifier and the request record information, is obtained.
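The two-hash feature value of step S402 and the hash table of linked lists used by steps S502 to S505 and S901 (array indexed by the first hash value, one linked list per item, nodes compared by second hash value, new nodes pointing at the previous head as in the a.com / b.com description), as an added Python example that is not code from the patent. The patent does not name its hash algorithms; CRC32 reduced to the array size and 32-bit FNV-1a are this example's choice, and the table size, class and method names are assumptions.

```python
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

TABLE_SIZE = 256  # number of items (array slots) in the hash table; assumed


def first_hash(name: str) -> int:
    """First hash algorithm (CRC32 reduced to the array size): selects the table item."""
    return zlib.crc32(name.encode("ascii")) % TABLE_SIZE


def second_hash(name: str) -> int:
    """Second hash algorithm (32-bit FNV-1a): distinguishes names within one item."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def feature_value(name: str) -> Tuple[int, int]:
    """Feature value of a domain name = (first hash value, second hash value)."""
    return first_hash(name), second_hash(name)


@dataclass
class Node:
    """One linked-list node: second hash value plus the per-domain information."""
    h2: int
    ident: str                 # identification information
    count: int = 0             # request record information: request count
    last_request: float = 0.0  # request record information: last request time
    unblock_time: float = 0.0  # decapsulation time
    next: Optional["Node"] = None


class FeatureTable:
    def __init__(self, size: int = TABLE_SIZE):
        self.heads: List[Optional[Node]] = [None] * size  # one list head per first hash value

    def find(self, h1: int, h2: int) -> Optional[Node]:
        """Steps S502-S505: walk the list of item h1 comparing second hash values."""
        node = self.heads[h1 % len(self.heads)]
        while node is not None:
            if node.h2 == h2:
                return node
            node = node.next
        return None

    def add(self, h1: int, h2: int, ident: str) -> Node:
        """Step S901 onwards: replace the identifier if the feature value already
        exists, otherwise prepend a node that points at the previous head."""
        node = self.find(h1, h2)
        if node is not None:
            node.ident = ident
            return node
        slot = h1 % len(self.heads)
        node = Node(h2=h2, ident=ident, next=self.heads[slot])
        self.heads[slot] = node
        return node

    def item_length(self, h1: int) -> int:
        """Number of nodes in the list of item h1 (how long that line is)."""
        n, node = 0, self.heads[h1 % len(self.heads)]
        while node is not None:
            n, node = n + 1, node.next
        return n

    def add_name(self, name: str, ident: str) -> Node:
        return self.add(*feature_value(name), ident)

    def lookup(self, name: str) -> Optional[Node]:
        return self.find(*feature_value(name))


if __name__ == "__main__":
    table = FeatureTable()
    table.add(32, 101, "probe")   # the a.com values from the text
    table.add(32, 199, "probe")   # the c.com values from the text
    hit = table.find(32, 199)
    print(hit.ident if hit else None, table.item_length(32))
```

Because lookups only walk the one list selected by the first hash value, the cost of a query is bounded by the length of that line rather than by the number of domain names in memory, which is the "multi-level index" property the text claims.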
• The method for defending against DNS attacks in this embodiment looks up the corresponding identification information in the memory according to the domain name in the DNS request: a DNS request whose identification information is the decapsulation identifier is accepted; one whose identification information is the banned identifier is defended against; and for one whose identification information is the probe identifier, the request count within the predetermined period is determined, a request exceeding the request threshold is defended against, and a request not exceeding the threshold is judged by the decapsulation time: if the decapsulation time has been reached the request is accepted, and if it has not been reached, that is, the preset decapsulation time has not expired, the request is defended against.
• Acceptance or defense is performed directly on request sources or domain names that are already determined, while further judgment and detection are performed on those with uncertain factors, which simplifies the DNS attack judgment process and improves the efficiency of determining DNS attacks; the combination of the request count judgment and the decapsulation time improves the accuracy of identifying DNS attacks.
• The application optimizes the query of the request record corresponding to the domain name information by using a multi-level index table query, which has good real-time performance and does not reduce the service performance or efficiency.
  • FIG. 10 is a schematic block diagram of an apparatus for defending against DNS attacks according to an embodiment of the present application.
  • the device for defending against DNS attacks shown in FIG. 10 can be used to implement the method for defending against DNS attacks described in the embodiments.
• The device 100 for defending against DNS attacks may generally include: a request obtaining unit 102, a feature value determining unit 104, a first query unit 106, a second query unit 108, a request number determining unit 120, an attack determining unit 122, and a defense unit 124.
  • the first processing unit 126, the second processing unit 128, the information acquiring unit 130, the identification information determining unit 132, and the identifier are configured.
• The request obtaining unit 102 is configured to receive a DNS request sent by the request source and obtain the IP address of the request source that sends the DNS request;
• the feature value determining unit 104 is configured to calculate a feature value of the IP address;
• the first query unit 106 is configured to search the memory for the preset identification information corresponding to the feature value, where the identification information includes a whitelist identifier, a blacklist identifier, and a probe identifier;
• the second query unit 108 is configured to, when the identification information obtained by the first query unit is the probe identifier, which marks a DNS request for which it is not yet determined whether there is an attack risk, acquire the request record information and the decapsulation time corresponding to the feature value, where the request record information includes the number of requests of the request source within a predetermined period.
  • the request obtaining unit 102 is configured to perform step S101 in the embodiment of the present application
  • the feature value determining unit 104 is configured to perform step S102 in the embodiment of the present application
• the first query unit 106 is configured to perform step S103 in the embodiment of the present application
  • the second query unit 108 is configured to perform step S104 in the embodiment of the present application.
  • the request number determining unit 120 is configured to perform step S105 in the embodiment of the present application
• the attack determining unit 122 is configured to perform step S106 in the embodiment of the present application
  • the defense unit 124 is configured to perform step S107 in the embodiment of the present application.
• The request obtaining unit 102 in this embodiment may include a first verification module and a second verification module.
• The first verification module is configured to determine whether the data format of the DNS request packet conforms to a predetermined protocol;
• the second verification module is configured to determine whether the destination port of the DNS request is a predetermined port.
• The judgment condition of the first verification module may be that the packet is a UDP packet;
• the second verification module may determine that the destination port is 53. This is because the DNS protocol runs over UDP and uses port number 53.
• At the transport layer, TCP provides an end-to-end reliable service while UDP provides a best-effort delivery service; the DNS control port is UDP port 53.
• The feature value determining unit 104 may include a first feature value determining module, a second feature value determining module, a third feature value determining module, and a fourth feature value determining module.
• The first feature value determining module is configured to determine the feature value of the IP address according to the first three segments of the IP address; the second feature value determining module is configured to determine the feature value of the IP address according to the last three segments of the IP address; the third feature value determining module is configured to calculate a hash value of the first three segments of the IP address and use that hash value as the feature value of the IP address; and the fourth feature value determining module is configured to calculate a hash value of the last three segments of the IP address and use that hash value as the feature value of the IP address.
  • the request record information updating unit 138 is configured to update the request record information corresponding to the feature value.
• The request record updating unit may be configured to: determine whether the request record information corresponding to the feature value in the memory is empty; if it is empty, save the information of the current DNS request as the request record information; if it is not empty, determine whether the time from the request time recorded in the request record information to the request time of the current DNS request exceeds the predetermined period; if so, update the request time in the request record information and return the request count in the request record information to zero; if not, update the request time in the request record information and increase the request count in the request record information by one.
• The memory stores the records in an array, where each array element includes a feature value, identification information, request record information, and a decapsulation time, and the feature value, the identification information, the request record information, and the decapsulation time are in one-to-one correspondence.
  • the second query unit may be configured to query, in the memory, the requested record information and the unblocking time according to the feature value of the IP address.
• The attack determining unit 122 is configured to: when the request number determining unit determines that the request count exceeds the request threshold, determine that the request source is performing a DNS attack and reset the decapsulation time corresponding to the feature value; when the request number determining unit determines that the request count does not exceed the request threshold, determine whether the decapsulation time corresponding to the feature value has currently been reached; if yes, determine that the DNS request is a normal request; if not, determine that the request source is performing a DNS attack.
• The user space may also see a sudden increase in traffic data within a certain period. This may be caused by a DNS attack, so the data traffic from the kernel space to the user space needs to be monitored in real time.
• The DNS requests are captured by a hook function registered in advance in the firewall framework of the operating system, or the DNS request log is analyzed, to obtain the request amount; an IP address with an excessive request amount is regarded as a suspect and recorded with the probe identifier, and the IP address information and the corresponding identification information are sent to the kernel space for the kernel to process accordingly.
• The information acquiring unit 130 is configured to obtain the feature value and the identification information of the IP address; the identification information determining unit 132 is configured to determine whether the identification information corresponding to the feature value in the memory is empty; the identification information adding unit 134 is configured to, when the identification information determining unit determines that the identification information is empty, save the acquired identification information as the identification information corresponding to the feature value; and the identification information updating unit 136 is configured to, when the identification information determining unit determines that the identification information is not empty, replace the identification information corresponding to the feature value with the acquired identification information.
• The first processing unit 126 is configured to discard the packet of the DNS request when the identification information obtained by the first query unit is the blacklist identifier, and the second processing unit 128 is configured to accept the DNS request when the identification information obtained by the first query unit is the whitelist identifier.
  • FIG. 11 is a schematic block diagram of an apparatus for defending against DNS attacks according to an embodiment of the present application.
  • the device for defending against DNS attacks shown in FIG. 11 can be used to implement the method for defending against DNS attacks described in the embodiments.
• The apparatus for defending against DNS attacks may include: a request obtaining unit 202, a feature value determining unit 204, a determining unit 206, a first query unit 208, a second query unit 220, a request count determining unit 222, an attack judging unit 224, and a defense unit 210.
  • the first processing unit 226, the second processing unit 228, the third processing unit 230, the information acquiring unit 232, and the features are configured.
• The request obtaining unit 202 is configured to receive a DNS request and obtain the domain name to be resolved included in the DNS request; the feature value determining unit 204 is configured to calculate a feature value of the domain name; and the determining unit 206 is configured to determine whether the memory includes the feature value;
• the first query unit 208 is configured to, when the determining unit determines that the feature value is included in the memory, obtain the identification information corresponding to the feature value, where the identification information includes a banned identifier, a decapsulation identifier, and a probe identifier;
• the second query unit 220 is configured to, when the identification information obtained by the first query unit is the probe identifier, which marks a DNS request for which it is not yet determined whether there is an attack risk, obtain the request record information and the decapsulation time corresponding to the feature value, where the request record information includes the number of times the domain name is requested within a predetermined period;
• the request count determining unit 222 is configured to determine whether the request count exceeds a preset request threshold; the attack judging unit 224 is configured to determine, according to the judgment result and the decapsulation time, whether the DNS request is a DNS attack, for example, when the request count exceeds the preset request threshold, or the request count does not exceed the preset request threshold but the current time has not reached the preset decapsulation time, the DNS request is determined to be an attack request; and the defense unit 210 is configured to defend against the DNS attack, for example, by discarding the DNS request.
  • the request obtaining unit 202 is configured to perform step S401 in the embodiment of the present application
  • the feature value determining unit 204 is configured to perform step S402 in the embodiment of the present application
  • the determining unit 206 is configured to execute
  • the first query unit 208 is configured to perform step S404 in the embodiment of the present application
  • the second query unit 108 is configured to perform step S405 in the embodiment of the present application.
• the request count determining unit 222 is configured to perform step S406 in the embodiment of the present application
  • the attack determining unit 224 is configured to perform step S407 in the embodiment of the present application
  • the defense unit 210 is configured to perform step S408 in the embodiment of the present application.
• The request obtaining unit 202 includes a first verification module and a second verification module.
• The first verification module is configured to determine whether the data format of the DNS request packet conforms to a predetermined protocol;
• the second verification module is configured to determine whether the destination port of the DNS request is a predetermined port.
• The judgment condition of the first verification module may be that the packet is a UDP packet;
• the second verification module may determine that the destination port is 53. This is because the DNS protocol runs over UDP (User Datagram Protocol) and uses port number 53.
• At the transport layer, TCP provides an end-to-end reliable service while UDP provides a best-effort delivery service; the DNS control port is UDP port 53.
  • the feature value determining unit 204 includes a first calculating module, a second calculating module, and a feature value determining module.
  • the first calculation module is configured to calculate a first hash value of the domain name by using a first hash algorithm
  • the second calculation module is configured to calculate a second hash value of the domain name by using a second hash algorithm
• the feature value determining module is configured to use the first hash value and the second hash value as the feature value of the domain name.
• The determining unit 206 includes a determining module, a first determining module, and a second determining module.
• The determining module is configured to determine whether the first hash value of the domain name exists in the memory; the first determining module is configured to, when the determining module determines that the first hash value of the domain name does not exist in the memory, determine that the feature value of the domain name is not included in the memory;
• the second determining module is configured to, when the determining module determines that the first hash value of the domain name exists in the memory, determine whether the second hash value corresponding to the first hash value in the memory is the same as the second hash value of the domain name, and if so, determine that the feature value of the domain name is included in the memory, and if not, determine that the feature value of the domain name is not included in the memory.
• The first processing unit 226 is configured to accept the DNS request when the determining unit determines that the feature value of the domain name is not included in the memory.
• The memory stores each element in an array, where each array element is a linked list; the header of the linked list stores a first hash value of the domain name, and each node of the linked list stores the second hash value of a domain name, its identification information, its request record information, and its decapsulation time;
• The second determining module includes a determining submodule.
• The determining submodule is configured to traverse each node of the linked list in which the first hash value is located and determine whether the second hash value stored in the node is the same as the second hash value of the domain name.
• The attack determining unit 224 is specifically configured to: when the request number determining unit determines that the request count exceeds the request threshold, determine that the DNS request is a DNS attack and reset the decapsulation time of the domain name; when the request number determining unit determines that the request count does not exceed the request threshold, determine whether the decapsulation time of the domain name has currently been reached; if yes, determine that the DNS request is a normal request; if not, determine that the DNS request is a DNS attack.
• The request record updating unit 252 is configured to acquire the request time of the DNS request recorded in the request record information corresponding to the feature value, and determine whether the period from that recorded request time to the request time of the current DNS request exceeds the predetermined period; if yes, update the request time in the request record information and zero the request count in the request record information; if not, update the request time in the request record information and increase the request count in the request record information by one.
• The information obtaining unit 232 is configured to acquire the feature value of the domain name and the identification information, where the feature value includes the first hash value of the domain name calculated with a first hash algorithm and the second hash value of the domain name calculated with a second hash algorithm; the feature value determining unit 234 is configured to determine whether the feature value of the domain name exists in the memory; and the storage space management unit 236 is configured to, when the feature value determining unit determines that the feature value of the domain name does not exist in the memory, write the first hash value of the domain name into the header of the corresponding linked list, allocate storage space for the second hash value and the identification information, and save the storage pointer of that storage space;
• the identification information updating unit 238 is configured to replace the identification information corresponding to the feature value with the acquired identification information when the feature value determining unit determines that the feature value of the domain name exists in the memory.
• The second processing unit 228 is configured to discard the packet of the DNS request when the identification information obtained by the first query unit is the banned identifier;
• the third processing unit 230 is configured to accept the DNS request when the identification information obtained by the first query unit is the decapsulation identifier.
  • FIG. 11 is a system architecture diagram of a DNS system according to an embodiment of the present application, which provides a highly reliable, high-protection, high-performance domain name resolution service.
• The DNS system in this embodiment can start a disaster recovery emergency response mode to ensure that the Internet basically runs normally before the root domain server or the authoritative server is repaired, leaving enough time for the system to be repaired and restored.
• The user can be prompted at the first opportunity to use the secure DNS for domain name resolution, and the user's DNS can be quickly restored to the pre-failure setting after the fault is removed.
• The DNS system in this embodiment includes one or more DNS security servers (such as DNS servers set up in Beijing Telecom, Shanghai Telecom, Shanghai Unicom, and Beijing Unicom), which are respectively used to perform domain name resolution for the DNS resolution requests sent by user clients, and the DNS attack defense device described in the above embodiment is set in each DNS security server.
• The DNS security server is provided with the device for defending against DNS attacks; the device receives the DNS request sent by the request source, obtains the request source IP address of the DNS request, calculates the feature value of the IP address, and looks up the identification information of the IP address in the memory according to the feature value, where the identification information includes a whitelist identifier, a blacklist identifier, and a probe identifier; if the identification information found is the probe identifier, it acquires the request record information and the decapsulation time corresponding to the feature value, where the request record information includes the request count of the request source within a predetermined period; determines whether the request count exceeds a preset request threshold; determines whether the request source is performing a DNS attack according to the judgment result and the decapsulation time; and defends against the DNS attack.
• The defense method can use direct filtering of over-rate DNS requests, or combine with software such as a security guard installed in the user client to perform security protection and prompting.
• The user client outputs the prompt information in the security suggestion display area, or changes the DNS server address to a preset secure address.
• The DNS security server minimizes the resolution delay by using a cache, cache access optimization, pre-update, and other means, to achieve high-speed secure resolution.
• The DNS attack defense device automatically analyzes and measures the security association, and limits the DNS resolution requests from the source IP.
• DNS resolution requests verified by the DNS attack defense device can be processed directly through the RCS cluster and the disaster recovery system.
  • This embodiment provides a DNS system.
  • the DNS system is used to provide a domain name resolution service with high reliability, high protection, and high performance.
  • the DNS system in this embodiment can start the disaster recovery emergency response mode to ensure that the Internet basically runs normally before the root domain server or the authorized server is repaired, and the system is repaired and restored. Leave enough time.
  • The DNS system in this embodiment includes one or more DNS security servers that perform domain name resolution for the DNS resolution requests sent by user clients, each provided with the DNS attack defense device described in the foregoing embodiment.
  • While the user is using network services, the defense device in the DNS security server receives the DNS request, obtains the domain name to be resolved contained in the request, determines the feature value of the domain name and judges whether the memory contains that feature value; if so, it looks up the identifier information of the domain name in memory by the feature value, the identifier information including a ban identifier, an unban identifier and a probe identifier; if the identifier found is the probe identifier, it obtains the request record information and unban time corresponding to the feature value, the request record information including the number of requests for the domain name within a predetermined period; it judges whether the number of requests exceeds a preset request threshold, determines from the judgment result and the unban time whether the DNS request is a DNS attack, and defends against the DNS attack.
  • When traffic for one domain name surges abnormally, the defense device automatically analyses it and triggers linked security measures, sets the domain name's identifier information and limits resolution requests for that domain name.
  • The technical solution of the embodiments may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the various embodiments of the present application.
  • FIG. 13 is a block diagram of a computer system suitable for implementing the DNS server of the embodiments of the present application.
  • Computer system 130 includes a central processing unit (CPU) 1301 that can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 1302 or a program loaded from storage portion 1308 into random access memory (RAM) 1303.
  • RAM 1303 also stores the various programs and data required for the operation of the system.
  • the CPU 1301, the ROM 1302, and the RAM 1303 are connected to each other through a bus 1304.
  • An input/output (I/O) interface 1305 is also coupled to bus 1304.
  • The following components are connected to the I/O interface 1305: an input portion 1306 including a keyboard, a mouse and the like; an output portion 1307 including a cathode ray tube (CRT) or liquid crystal display (LCD) and a speaker; a storage portion 1308 including a hard disk and the like; and a communication portion 13013 including a network interface card such as a LAN card or a modem.
  • The communication portion 13013 performs communication processing via a network such as the Internet.
  • A drive 1310 is also connected to the I/O interface 1305 as needed.
  • A removable medium 1311, such as a magnetic disk, an optical disc, a magneto-optical disk or semiconductor memory, is mounted on the drive 1310 as needed, so that a computer program read from it can be installed into the storage portion 1308.
  • an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine readable medium, the computer program comprising program code for executing the method illustrated in the flowchart.
  • the computer program can be downloaded and installed from the network via the communication portion 13013, and/or installed from the removable medium 1311.
  • Each block of the flowchart or block diagrams can represent a module, a program segment or a portion of code that contains one or more executable instructions for implementing the specified logical function.
  • In some alternative implementations the functions noted in the blocks may occur out of the order shown in the drawings; for example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved.
  • each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts can be implemented in a dedicated hardware-based system that performs the specified function or operation. Or it can be implemented by a combination of dedicated hardware and computer instructions.
  • the units involved in the embodiments of the present application may be implemented by software or by hardware.
  • The described units may also be arranged in a memory; for example, a processor may be described as executing the units of the above embodiments that the memory can contain, such as a receiving unit, a requesting unit, a determining unit and a transmitting unit, thereby performing the operations performed by each of those units.
  • the names of these units do not in any way constitute a limitation on the unit itself.
  • the embodiment of the present application further provides a non-volatile computer storage medium, which may be a non-volatile computer storage medium included in the device in the foregoing embodiment. Or a non-volatile computer storage medium that exists alone and is not assembled into the terminal.
  • The non-volatile computer storage medium stores one or more programs which, when executed by a device, cause the device to perform the following steps:
  • the first step is to receive a DNS request sent by the request source and obtain the source IP address of the DNS request;
  • the second step is to determine the feature value of the IP address;
  • the third step is to look up the identifier information of the IP address in memory by the feature value, where the identifier information includes a whitelist identifier, a blacklist identifier and a probe identifier;
  • the fourth step is, if the identifier information found is the probe identifier, to obtain the request record information and unban time corresponding to the feature value, where the request record information includes the number of requests from the request source within a predetermined period;
  • the fifth step is to judge whether the number of requests exceeds a preset request threshold;
  • the sixth step is to determine from the judgment result and the unban time whether the request source is performing a DNS attack;
  • the seventh step is to defend against the DNS attack.
  • the disclosed device for defending against DNS attacks can be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, unit or module, and may be electrical or otherwise.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e., may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

This application relates to the field of computer security technology, and in particular to a method, device and storage medium for defending against DNS attacks. After a DNS request is received, the method looks up in memory the identifier information corresponding to data associated with the DNS request; for DNS requests whose identifier is the probe identifier it judges the number of requests within a predetermined period, drops DNS requests that exceed the request threshold, and for DNS requests that do not exceed the request threshold judges the unban time, dropping DNS requests whose unban time has not yet arrived.

Description

Method, device and storage medium for defending against DNS attacks
This application claims priority to Chinese patent application No. 201611183849.2, filed with the Chinese Patent Office on 20 December 2016 and entitled "Method, device and system for defending against DNS attacks", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of computer security technology, and in particular to a method, device and storage medium for defending against DNS attacks.
Background
The DNS (Domain Name System) consists of resolvers and name servers. A name server holds the domain names of the hosts in its network together with their corresponding IP addresses, and converts domain names into IP addresses. A domain name must map to an IP address, whereas an IP address does not necessarily have a domain name. Domain names are easy for people to remember, but machines recognise only IP addresses; converting between the two is called domain name resolution, which is performed by a dedicated system, and the DNS is that system.
In the existing technology the domain name resolution system runs in user space. When a DNS packet arrives it is first received by hardware, then passed up to the kernel and further up to user space, where the resolution system parses it; the resolved packet then travels back through the kernel and hardware to the packet's destination port, completing the resolution.
Summary
In view of the above problems, this application provides a method, device and storage medium for defending against DNS attacks, so as to improve the efficiency of judging DNS attacks.
An embodiment of this application provides a method for defending against DNS attacks, including:
receiving a DNS request sent by a request source, and obtaining the IP address of the request source that sent the DNS request;
determining a feature value of the IP address;
looking up, in memory, preset identifier information corresponding to the feature value;
when the identifier information is a probe identifier, which marks that it is uncertain whether the DNS request carries an attack risk, obtaining request record information and an unban time corresponding to the feature value, the request record information including the number of requests from the request source within a predetermined period;
when the number of requests exceeds a preset request threshold, or when the number of requests does not exceed the preset request threshold but the current time has not yet reached the preset unban time, determining that the DNS request is an attack request and dropping the DNS request.
An embodiment of this application provides a method for defending against DNS attacks, including:
receiving a DNS request, and obtaining the domain name contained in the DNS request;
determining a feature value of the domain name;
when it is determined that the feature value of the domain name is stored in memory, obtaining identifier information corresponding to the feature value;
when the identifier information is a probe identifier, which marks that it is uncertain whether the DNS request carries an attack risk, obtaining request record information and an unban time corresponding to the feature value, the request record information including the number of requests for the domain name within a predetermined period;
when the number of requests exceeds a preset request threshold, or when the number of requests does not exceed the preset request threshold but the current time has not yet reached the preset unban time, determining that the DNS request is an attack request and dropping the DNS request.
An embodiment of this application provides a device for defending against DNS attacks, including a processor and a memory, the memory including the following units executed by the processor:
a request obtaining unit, for receiving a DNS request sent by a request source and obtaining the IP address of the request source that sent the DNS request;
a feature value determining unit, for determining a feature value of the IP address;
a first query unit, for looking up in memory preset identifier information corresponding to the feature value;
a second query unit, for obtaining, when the identifier information is a probe identifier marking that it is uncertain whether the DNS request carries an attack risk, the request record information and unban time corresponding to the feature value, the request record information including the number of requests from the request source within a predetermined period;
a request count judging unit, for judging whether the number of requests exceeds a preset request threshold;
an attack judging unit, for determining that the DNS request is an attack request when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold but the current time has not yet reached the preset unban time;
a defense unit, for dropping the DNS request.
An embodiment of this application provides a device for defending against DNS attacks, including a processor and a memory, the memory including the following units executed by the processor:
a request obtaining unit, for receiving a DNS request and obtaining the domain name contained in the DNS request;
a feature value determining unit, for determining a feature value of the domain name;
a judging unit, for judging whether the memory contains the feature value;
a first query unit, for obtaining, when it is determined that the feature value of the domain name is stored in memory, the identifier information corresponding to the feature value;
a second query unit, for obtaining, when the identifier information is a probe identifier marking that it is uncertain whether the DNS request carries an attack risk, the request record information and unban time corresponding to the feature value, the request record information including the number of requests for the domain name within a predetermined period;
a request count judging unit, for judging whether the number of requests exceeds a preset request threshold;
an attack judging unit, for determining that the DNS request is an attack request when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold but the current time has not yet reached the preset unban time;
a defense unit, for dropping the DNS request.
An embodiment of this application provides a non-volatile computer-readable storage medium storing computer-readable instructions, at least one processor executing the computer-readable instructions to perform the above method.
After receiving a DNS request, the method of this application looks up in memory the identifier information corresponding to the IP address of the request source that sent the request; for DNS requests whose identifier information is the probe identifier it judges the number of requests within a predetermined period, drops DNS requests that exceed the request threshold, and for DNS requests that do not exceed the request threshold judges the unban time, dropping DNS requests whose unban time has not yet arrived. Because the identifier information is preset, only DNS requests marked as uncertain with respect to attack risk are judged further on the number of requests and the unban time, which simplifies the DNS attack judgment flow and improves the efficiency of judging DNS attacks.
Brief description of the drawings
To explain the technical solutions and advantages of the embodiments of this application or of the existing technology more clearly, the drawings needed in describing them are briefly introduced below. Obviously the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
FIG. 1 is a flowchart of the method for defending against DNS attacks disclosed in an embodiment of this application;
FIG. 2 is a flowchart of the method for updating the request record information corresponding to a feature value in memory disclosed in an embodiment of this application;
FIG. 3 is a flowchart of the method for updating the identifier information corresponding to a feature value in memory disclosed in an embodiment of this application;
FIG. 4 is a flowchart of the method for defending against DNS attacks disclosed in an embodiment of this application;
FIG. 5 is a flowchart of the method for judging whether the memory contains the feature value of a domain name disclosed in an embodiment of this application;
FIG. 6 is a flowchart of the method for determining, from the request count judgment result and the unban time, whether a DNS request is a DNS attack disclosed in an embodiment of this application;
FIG. 7 is a schematic diagram of the hash table in memory disclosed in an embodiment of this application;
FIG. 8 is a flowchart of the method for updating the request record information corresponding to a feature value in memory disclosed in an embodiment of this application;
FIG. 9 is a flowchart of the method for adding the feature value and identifier information of a domain name to memory disclosed in an embodiment of this application;
FIG. 10 is a schematic block diagram of the device for defending against DNS attacks disclosed in an embodiment of this application;
FIG. 11 is a schematic block diagram of the device for defending against DNS attacks disclosed in an embodiment of this application;
FIG. 12 is a system architecture diagram of the DNS system disclosed in an embodiment of this application;
FIG. 13 is a schematic structural diagram of a computer system according to an embodiment of this application.
Detailed description
To help those skilled in the art understand the solution of this application better, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously the described embodiments are only some, not all, of the embodiments of this application, and all other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of this application.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings are used to distinguish similar objects and need not describe a particular order or sequence. Data so used may be interchanged where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described. Furthermore, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those expressly listed, but may include other steps or units not expressly listed or inherent to such a process, method, product or device.
The characteristics of DNS dictate that: first, both DNS query request and query response messages can be forged, so a network attacker can send DNS queries to a DNS server from a false source address while hiding their own identity; second, a DNS server answers every query it receives and cannot tell whether a query is a malicious attack; third, when a DNS server resolves a domain name the response message is larger than the query message, which produces an amplification effect. A DNS attack can leave a DNS server severely overloaded or even paralysed, unable to respond to the DNS request messages of normal users.
In one embodiment of this application, DNS attack behaviour can be detected by configuring a fixed protected domain name and a protection threshold: for example, counting within a detection period the number of domain names that match the protected domain name and comparing that number with the protection threshold; when the threshold is exceeded the DNS is determined to be under attack. However, when an attacker uses varying domain names, the number of DNS request messages detected may never exceed the threshold because the preset protected domain name is fixed, so the attack goes undetected and the DNS server is overloaded or even paralysed.
An obvious characteristic of a DNS attack is that the attacker sends a large number of request packets, typically with a victim's IP address as the forged source, and the DNS has to respond to all of them.
In one embodiment of this application, the approach to a DNS attack is to use a firewall to limit the request volume per IP address, for example capping the number of DNS request packets sent from an IP range at 300 per second and treating anything above that as a possible attack to be dropped directly. This requires configuring a corresponding limit rule for each IP range, and deciding whether a request is a DNS attack requires matching the rules one by one until a match succeeds; when there are many rules the efficiency of the decision drops.
An operating system has kernel space and user space. Kernel function modules run in kernel space and applications in user space; the kernel runs at the highest privilege level (kernel mode) and applications at a lower level (user mode), and user processes in user space communicate with kernel processes in kernel space through netlink sockets. Taking Linux as an example, ordinary Linux system software lives in user space and cannot interact with the Linux kernel directly; the user-space tool iptables controls netfilter, the software framework in the Linux kernel that manages network packets. The existing method for defending against DNS attacks adds judgment rules to a kernel module in kernel space and processes network packets according to those rules. Because the blocking decision flow in kernel mode controlled by iptables is fairly complex and the rules must be matched one by one until a match establishes a DNS attack, efficiency is low when there are too many rules.
The following embodiments are provided to overcome the above problems, or at least to solve them in part.
This embodiment provides a method for defending against DNS attacks. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
FIG. 1 is a flowchart of the method for defending against DNS attacks disclosed in this application; as shown, the method includes the following steps:
Step S101: receiving a DNS request sent by a request source, and obtaining the IP address of the request source that sent the DNS request;
Step S102: determining a feature value of the IP address;
Step S103: looking up, in memory, preset identifier information corresponding to the feature value;
Step S104: when the identifier information is a probe identifier, which marks that it is uncertain whether the DNS request carries an attack risk, obtaining request record information and an unban time corresponding to the feature value, the request record information including the number of requests from the request source within a predetermined period;
Step S105: judging whether the number of requests exceeds a preset request threshold;
Step S106: when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold but the current time has not yet reached the preset unban time, determining that the DNS request is an attack request;
Step S107: dropping the DNS request.
After the DNS request sent by the request source is received in step S101, the method may further include: judging separately whether the data format of the DNS request packet conforms to a predetermined protocol and whether the destination port of the DNS request is a predetermined port; if both are yes, performing the step of obtaining the IP address of the request source. This embodiment only concerns DNS request packets; the criterion may be that the packet is a UDP packet with destination port 53. Packets not meeting this condition are passed through unchanged, so the normal transmission of other packets is unaffected. Note that this criterion covers UDP only: DNS queries carried over TCP port 53, which RFC 1035 also permits, pass through such a filter untouched. In this embodiment the request source may be the terminal device that initiated the DNS request.
The judgment may follow the DNS formats specified in the RFCs (Request for Comments), for example using the following RFCs to judge DNS query request packets: RFC 1034, Domain names, concepts and facilities; RFC 1035, Domain names, implementation and specification; RFC 1123, Requirements for Internet hosts, application and support; RFC 1886, DNS extensions to support IP version 6; RFC 1995, Incremental zone transfer in DNS; RFC 1996, A mechanism for prompt notification of zone changes (DNS NOTIFY); RFC 2136, Dynamic updates in the Domain Name System (DNS UPDATE); RFC 2181, Clarifications to the DNS specification; RFC 2308, Negative caching of DNS queries (DNS NCACHE); RFC 2535, Domain Name System security extensions (DNSSEC); RFC 2671, Extension mechanisms for DNS (EDNS0); RFC 2782, A DNS RR for specifying the location of services (DNS SRV).
In addition, the DNS request packet can be checked for legality, including whether the packet size is normal, whether the domain name is legal and whether the request type is legal.
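As an added illustration of the format and legality checks described above (example code written for this page, not code from the application or its assignee), the following C function parses the DNS payload of a UDP/53 datagram that has already passed the UDP and destination-port test. It rejects responses (QR bit set), malformed or truncated question sections, over-long names and compression pointers, characters outside a hostname-style alphabet, and query types outside an allow-list. The 12-byte header layout and the label rules are those of RFC 1035; the size cap, the character policy, the type allow-list (which deliberately excludes ANY) and the three sample packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12
#define DNS_MAX_NAME  255
#define DNS_MAX_LABEL 63
#define DNS_MAX_QUERY 512   /* a plain UDP query fits well inside 512 bytes; larger "queries" are suspect */

enum dns_rc {
    DNS_OK            =  0,
    DNS_ERR_SHORT     = -1,  /* header or question section truncated */
    DNS_ERR_SIZE      = -2,  /* datagram larger than any sane query */
    DNS_ERR_NOT_QUERY = -3,  /* QR bit set: this is a response, not a request */
    DNS_ERR_QDCOUNT   = -4,  /* a request is expected to carry exactly one question */
    DNS_ERR_NAME      = -5,  /* bad label length, compression pointer, bad character or over-long name */
    DNS_ERR_QTYPE     = -6   /* QCLASS/QTYPE outside this example's allow-list */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Letters, digits, hyphen, plus underscore for _service._proto style names.
 * RFC 1035 allows arbitrary octets in labels; rejecting them is a filter policy chosen here. */
static int label_char_ok(uint8_t c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Parse the DNS payload of a UDP/53 datagram that already passed the protocol/port test.
 * On DNS_OK, name[] receives the lower-cased dotted QNAME and *qtype the QTYPE. */
int dns_parse_query(const uint8_t *pkt, size_t len, char *name, size_t name_cap, uint16_t *qtype)
{
    if (len < DNS_HDR_LEN) return DNS_ERR_SHORT;
    if (len > DNS_MAX_QUERY) return DNS_ERR_SIZE;
    if (rd16(pkt + 2) & 0x8000) return DNS_ERR_NOT_QUERY;   /* QR flag */
    if (rd16(pkt + 4) != 1) return DNS_ERR_QDCOUNT;         /* QDCOUNT */

    size_t pos = DNS_HDR_LEN, out = 0;
    for (;;) {
        if (pos >= len) return DNS_ERR_SHORT;
        uint8_t l = pkt[pos++];
        if (l == 0) break;                                  /* root label ends the name */
        if (l > DNS_MAX_LABEL) return DNS_ERR_NAME;         /* also rejects 0xC0.. compression pointers */
        if (pos + l > len) return DNS_ERR_SHORT;
        if (out + l + 1 > DNS_MAX_NAME || out + l + 1 >= name_cap) return DNS_ERR_NAME;
        for (size_t i = 0; i < l; i++) {
            uint8_t c = pkt[pos + i];
            if (!label_char_ok(c)) return DNS_ERR_NAME;
            name[out++] = (char)((c >= 'A' && c <= 'Z') ? c + 32 : c);
        }
        pos += l;
        name[out++] = '.';
    }
    if (out == 0) return DNS_ERR_NAME;                      /* a query for the root "." */
    name[out - 1] = '\0';                                   /* drop the trailing dot */

    if (pos + 4 > len) return DNS_ERR_SHORT;                /* QTYPE + QCLASS must follow */
    uint16_t qt = rd16(pkt + pos), qc = rd16(pkt + pos + 2);
    if (qc != 1) return DNS_ERR_QTYPE;                      /* class IN only */
    switch (qt) {
    case 1: case 2: case 5: case 6: case 12: case 15: case 16: case 28: case 33:
        break;                                              /* A NS CNAME SOA PTR MX TXT AAAA SRV */
    default:
        return DNS_ERR_QTYPE;                               /* e.g. ANY (255), a favourite of amplification floods */
    }
    *qtype = qt;
    return DNS_OK;
}

/* Constructed sample: standard query, ID 0x1234, RD set, one question "a.com" type A class IN. */
const uint8_t SAMPLE_QUERY_A_COM[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x01
};
/* Constructed sample: the matching response (QR=1, RA set); a request filter must not count it. */
const uint8_t SAMPLE_RESPONSE_A_COM[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x01
};
/* Constructed sample: same name, QTYPE ANY (255); rejected by the allow-list above. */
const uint8_t SAMPLE_QUERY_ANY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0xFF, 0x00, 0x01
};

/* Result code only, for callers that do not need the name. */
int dns_query_rc(const uint8_t *pkt, size_t len)
{
    char name[DNS_MAX_NAME + 1];
    uint16_t qt = 0;
    return dns_parse_query(pkt, len, name, sizeof name, &qt);
}

/* 1 if pkt parses as a request for want_name with want_type, else 0. */
int dns_query_matches(const uint8_t *pkt, size_t len, const char *want_name, uint16_t want_type)
{
    char name[DNS_MAX_NAME + 1];
    uint16_t qt = 0;
    if (dns_parse_query(pkt, len, name, sizeof name, &qt) != DNS_OK) return 0;
    return strcmp(name, want_name) == 0 && qt == want_type;
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    uint16_t qt = 0;
    int rc = dns_parse_query(SAMPLE_QUERY_A_COM, sizeof SAMPLE_QUERY_A_COM, name, sizeof name, &qt);
    printf("query     rc=%d name=%s qtype=%u\n", rc, rc == DNS_OK ? name : "-", rc == DNS_OK ? qt : 0u);
    printf("response  rc=%d\n", dns_query_rc(SAMPLE_RESPONSE_A_COM, sizeof SAMPLE_RESPONSE_A_COM));
    printf("ANY       rc=%d\n", dns_query_rc(SAMPLE_QUERY_ANY, sizeof SAMPLE_QUERY_ANY));
    printf("truncated rc=%d\n", dns_query_rc(SAMPLE_QUERY_A_COM, 15));
    return 0;
}
```

In a netfilter hook the UDP/port-53 test would be done on the sk_buff headers first and this parser applied to the UDP payload; anything other than DNS_OK is the "illegal packet" case, which the text leaves to policy (pass through or drop).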
The method of determining the feature value of the IP address in step S102 may include: determining the feature value from the first three octets of the IP address; or determining it from the last three octets; or computing a hash of the first three octets and using that hash as the feature value; or computing a hash of the last three octets and using that hash as the feature value. On the Internet, the first three octets of a typical IP address already identify the network and the host range and can distinguish different IP sources; on a local area network the first octet is the same for all addresses and does not help to distinguish sources, so only the last three octets need be considered.
Determining the feature value from the first three octets may specifically include: reading the IP address, taking its first three octets, and combining them into a transit IP address whose first three octets equal those of the IP address and whose fourth octet is 0; this transit IP address is the feature value of the IP address. Determining the feature value from the last three octets is similar, except that the first octet of the transit address is 0 and its last three octets equal those of the IP address.
IP is the abbreviation of Internet Protocol, the protocol designed for interconnected computer networks to communicate. IP addresses let computers connected to the Internet identify one another: every host on the Internet is assigned a unique 32-bit address, called the IP address. In this embodiment IP addresses are IPv4 addresses by default, of which there are 2^32 (about 4.3 billion) in total. In theory the kernel module of an operating system could store every IP address with its associated information, but in practice each address needs 20 to 30 bytes, which would take more than about 90 GB of memory, far too costly. This embodiment therefore stores IP ranges, or hashes of IP ranges, so that one feature value covers 256 IP addresses, which keeps the memory cost under control. Moreover, addresses in the same range generally belong to the same organisation, and normal DNS requests generally come from recursive DNS servers, so using the IP range as the feature value for looking up response information does not affect normal DNS requests. The trade-off is that a single abusive host can cause its whole /24 to be limited, and conversely an attacker spreading traffic over many /24s keeps each range's count low; the per-range threshold should be chosen with both in mind.
FIG. 3 is a flowchart of the method disclosed in this embodiment for updating the identifier information corresponding to a feature value in memory. Referring to FIG. 3, before the identifier information of the IP address is looked up in memory by the feature value in step S103, the method further includes:
S301, obtaining the feature value and identifier information of an IP address;
S302, judging whether the identifier information corresponding to the feature value in memory is empty;
S303, if so, saving the obtained identifier information as the identifier information corresponding to the feature value, specifically by adding the obtained identifier information to the identifier information corresponding to the feature value in memory;
S304, if not, replacing the identifier information corresponding to the feature value in memory with the obtained identifier information.
The system monitors in real time the data traffic from kernel space to user space. When traffic surges abnormally in some period, DNS requests are captured by a hook function registered in advance in the operating system's firewall framework, or DNS request logs are analysed, to obtain the request volume; the identifier information of request-source IP addresses whose volume exceeds a set threshold is then recorded as the probe identifier, the feature value of the IP address is determined by the method of step S102, and the feature value and probe identifier are sent to kernel space over netlink. Identifier information can also be set manually and sent from user space to kernel space to store or update feature values and identifier information.
In one embodiment of this application, a whitelist identifier and/or a blacklist identifier may further be set for an IP range. For example, a well-known public recursive DNS may send a high volume of requests from its back-end addresses to the authoritative DNS servers, yet all of them are normal requests, so a whitelist identifier can be set for the IP range those back-end addresses belong to. Once the whitelist identifier is set, DNS requests from that range are never dropped regardless of request volume. Since, as noted above, the source address of a UDP DNS query can be forged, a whitelisted range is also a range an attacker can spoof to bypass the filter, so whitelists should be kept short and reviewed.
Whether the probe identifier is set manually through a user-space tool or automatically because the request volume exceeded the threshold, it is lifted after a specified time. For example, the specified time is preset in a timer, and when the current time reaches it, that is when the timer expires, the unban operation is performed, for instance by deleting the probe identifier corresponding to the feature value of the IP address so that it no longer marks "uncertain whether this DNS request carries an attack risk". For an IP range carrying the blacklist identifier, all request packets are dropped regardless of volume; that is, the range stays banned.
In step S103 the identifier information of the IP address is looked up in memory by the feature value of the IP address; the memory records the feature values and associated information of all IPv4 addresses. The memory stores array elements in array form, each element including a feature value, identifier information, request record information and an unban time, which correspond to one another one-to-one. The identifier information may include a whitelist identifier, a blacklist identifier and a probe identifier. The whitelist identifier means there is no attack risk: for example, when the recorded DNS request volume per unit time from the IP address does not exceed a minimum threshold, the address is judged free of attack risk and given the whitelist identifier. The blacklist identifier means a very high attack risk: for example, when the recorded volume per unit time from the address exceeds a maximum threshold, the address is given the blacklist identifier. The probe identifier means the risk is uncertain and further checking is needed: for example, when the recorded volume per unit time is greater than or equal to the minimum threshold and less than the maximum threshold, the address is given the probe identifier. The identifier information corresponding to a feature value can be set manually, or marked and modified according to detection results received from user space. The request record information may include the DNS request time and the number of requests in the predetermined period; before it is updated, the memory holds the time and the number of requests of the previous request. The unban time is the time after which the ban on the IP address corresponding to the feature value is lifted. The system can set one or more unban times and configure different ban durations for the IP addresses corresponding to different feature values. The ban duration is the specified time above, during which DNS requests from the address are judged to be attack requests. The unban time may be implemented as a countdown that returns to zero automatically when complete; once it reaches zero, the ban on the corresponding IP range is lifted.
In addition, if the identifier information found in memory by the feature value of the IP address is the blacklist identifier, the DNS request packet is dropped; if it is the whitelist identifier, the DNS request is accepted.
Before the request record information and unban time corresponding to the feature value are obtained in step S104, the method further includes updating the request record information corresponding to the feature value. FIG. 2 is a flowchart of the method disclosed in this embodiment for updating the request record information corresponding to a feature value in memory; referring to FIG. 2, the method includes:
S201, querying the request record information corresponding to the feature value in memory.
S202, judging whether the request record information corresponding to the feature value in memory is empty.
S203, if it is not empty, judging whether the time from the DNS request time recorded in the request record information to the time of the current DNS request exceeds the predetermined period.
S204, if it does, updating the DNS request time in the request record information and resetting the number of requests to zero; the update may specifically replace the recorded request time with the time of the current DNS request.
S205, if it does not, updating the DNS request time in the request record information and adding 1 to the number of requests; again the recorded request time is replaced with the time of the current DNS request.
S206, if the request record information corresponding to the feature value in memory is empty, saving the information of the current DNS request as the request record information, specifically its request time and number of requests.
The request record information obtained in step S104 by querying memory with the feature value of the IP address is the information updated according to the current DNS request.
In step S106, determining from the judgment result and the unban time whether the request source is performing a DNS attack includes: if the number of requests exceeds the request threshold, determining that the request source is performing a DNS attack and resetting the unban time corresponding to the feature value; if it does not, judging whether the unban time corresponding to the feature value has expired; if so, determining that the DNS request is a normal request; if not, determining that the request source is performing a DNS attack. For IP addresses whose feature value carries the probe identifier, the number of requests from the source IP within the predetermined period is judged; for addresses exceeding the request threshold the unban time is reset, extending the ban; for addresses not exceeding the threshold, if the unban time has not arrived the request is treated as banned, that is, judged to be an attack request, and DNS requests from the address are processed normally only once the unban time arrives, that is, once the ban has expired. This improves the efficiency of judging DNS attacks and protects the DNS server.
Example: suppose the period is set to 1 second. Whenever a DNS request arrives, the source IP address is examined, its feature value determined, and the data corresponding to that feature value found in memory. If the identifier information is the probe identifier, the last request time and the request count for that IP address are obtained, and the time from the saved time to now is compared with 1 second: if more than 1 second has passed, the request count is cleared; otherwise the count is incremented, and if it now exceeds the request threshold (that is, more than the threshold number of requests within 1 second) the DNS request packet is dropped and a ban time corresponding to the feature value is saved in memory. The next time a request arrives from this IP address, if the ban time has not yet expired the packet is dropped directly and the ban continues.
In step S107, DNS attacks are judged in kernel space, so that once an attack is found the attack request packets are dropped early, in kernel space, which improves the real-time performance of the defense.
This embodiment judges and defends against DNS attacks by the request source IP address. On the one hand, identifier information is set for each IP address: DNS requests from addresses with the whitelist identifier are passed directly, requests from addresses with the blacklist identifier are blocked directly, and only requests from addresses with the probe identifier are processed further, which avoids checking every IP address and improves the efficiency of judging DNS attacks. On the other hand, when processing DNS requests from probe-flagged addresses, the request count judgment is combined with the unban time, which improves the accuracy of identifying DNS attacks; and because the unban time is preset and adjusted according to the request count judgment, the efficiency of judging DNS attacks improves as well.
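The per-/24 lookup, counting and unban logic of steps S101 to S107, including the one-second worked example above, as added example code for this page rather than code from the application: the table size, the 5-requests-per-second threshold, the 5-second ban and the sample addresses are assumptions, and a small open-addressing array stands in for the full array of all /24 feature values the text describes. `set_flag()` plays the role of the identifier update that user space pushes over netlink, and `update_record()` follows steps S201 to S206 literally, including the count restarting at zero when a new period begins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SLOTS 1024u   /* small open-addressing table for the example; the text keys all 2^24 /24s */
#define PERIOD_MS   1000u   /* the "predetermined period" */
#define THRESHOLD   5u      /* the "preset request threshold" per period and per /24 */
#define BAN_MS      5000u   /* ban length written into the unban time when the threshold is breached */

enum flag    { FLAG_NONE = 0, FLAG_WHITE, FLAG_BLACK, FLAG_PROBE };
enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

struct entry {
    int       used;
    uint32_t  key;         /* feature value: the /24 prefix */
    enum flag flag;        /* identifier information */
    int       has_record;  /* request record information present? */
    uint64_t  last_ms;     /* time of the previous request from this /24 */
    uint32_t  count;       /* requests seen in the current period */
    uint64_t  unban_ms;    /* unban time; 0 means never banned */
};

static struct entry table[TABLE_SLOTS];

/* Feature value from the first three octets: the 256 hosts of a /24 share one entry. */
uint32_t ip_feature_prefix24(uint32_t ip) { return ip & 0xFFFFFF00u; }

/* Feature value from the last three octets, the LAN variant the text also allows. */
uint32_t ip_feature_suffix24(uint32_t ip) { return ip & 0x00FFFFFFu; }

static struct entry *find_slot(uint32_t key, int create)
{
    uint32_t h = (key >> 8) * 2654435761u;              /* multiplicative hash of the /24 number */
    for (uint32_t i = 0; i < TABLE_SLOTS; i++) {
        struct entry *e = &table[(h + i) % TABLE_SLOTS];
        if (e->used && e->key == key) return e;
        if (!e->used) {
            if (!create) return NULL;
            memset(e, 0, sizeof *e);
            e->used = 1;
            e->key = key;
            return e;
        }
    }
    return NULL;                                         /* table full */
}

/* Stands in for the identifier update that user space pushes over netlink (or an operator sets by hand). */
void set_flag(uint32_t ip, enum flag f)
{
    struct entry *e = find_slot(ip_feature_prefix24(ip), 1);
    if (e) e->flag = f;
}

/* Steps S201..S206: bring the request record up to date before judging it. */
static void update_record(struct entry *e, uint64_t now_ms)
{
    if (!e->has_record) {                                /* S206: first request ever from this /24 */
        e->has_record = 1; e->last_ms = now_ms; e->count = 1;
    } else if (now_ms - e->last_ms > PERIOD_MS) {        /* S204: period elapsed, count restarts at zero */
        e->last_ms = now_ms; e->count = 0;               /* (as the text specifies; this request itself is not counted) */
    } else {                                             /* S205: same period, one more request */
        e->last_ms = now_ms; e->count++;
    }
}

/* Steps S101..S107 for one DNS request from src_ip arriving at now_ms. */
enum verdict dns_request_verdict(uint32_t src_ip, uint64_t now_ms)
{
    struct entry *e = find_slot(ip_feature_prefix24(src_ip), 0);
    if (!e || e->flag == FLAG_NONE) return VERDICT_ACCEPT;   /* nothing known about this /24: pass through */
    if (e->flag == FLAG_WHITE) return VERDICT_ACCEPT;        /* never dropped, whatever the volume */
    if (e->flag == FLAG_BLACK) return VERDICT_DROP;          /* always dropped */

    /* FLAG_PROBE: count within the period, then consult the unban time. */
    update_record(e, now_ms);
    if (e->count > THRESHOLD) {
        e->unban_ms = now_ms + BAN_MS;                       /* S106: over threshold, attack; reset the unban time */
        return VERDICT_DROP;
    }
    if (now_ms < e->unban_ms) return VERDICT_DROP;           /* under threshold, but the earlier ban still runs */
    return VERDICT_ACCEPT;
}

int main(void)
{
    const uint32_t src = 0x0A010203u;                        /* 10.1.2.3, constructed sample source */
    set_flag(src, FLAG_PROBE);
    for (uint64_t t = 0; t < 8; t++)                         /* a burst of 8 requests inside one second */
        printf("t=%llu ms verdict=%s\n", (unsigned long long)t,
               dns_request_verdict(src, t) == VERDICT_DROP ? "DROP" : "ACCEPT");
    printf("t=2000 ms verdict=%s (new period, ban still active)\n",
           dns_request_verdict(src, 2000) == VERDICT_DROP ? "DROP" : "ACCEPT");
    printf("t=7000 ms verdict=%s (ban expired)\n",
           dns_request_verdict(src, 7000) == VERDICT_DROP ? "DROP" : "ACCEPT");
    return 0;
}
```

With these constants the first five requests in a second pass, the sixth and later are dropped and each one pushes the unban time out by another five seconds, a request in a fresh period is still dropped while the ban runs, and traffic from any other host in the same /24 is counted against the same entry.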
This embodiment provides a method for defending against DNS attacks. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
FIG. 4 is a flowchart of the method for defending against DNS attacks disclosed in this embodiment; as shown, the method includes the following steps:
Step S401: receiving a DNS request, and obtaining the domain name to be resolved contained in the DNS request;
Step S402: determining a feature value of the domain name;
Step S403: judging whether the memory contains the feature value;
Step S404: if so, obtaining the identifier information corresponding to the feature value;
Step S405: if the identifier information is a probe identifier, which marks that it is uncertain whether the DNS request carries an attack risk, obtaining request record information and an unban time corresponding to the feature value, the request record information including the number of requests for the domain name within a predetermined period;
Step S406: judging whether the number of requests exceeds a preset request threshold;
Step S407: when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold but the current time has not yet reached the preset unban time, determining that the DNS request is an attack request;
Step S408: dropping the DNS request.
After the DNS request is received in step S401, the method further includes: judging separately whether the data format of the DNS request packet conforms to a predetermined protocol and whether the destination port of the DNS request is a predetermined port; if both are yes, obtaining the domain name to be resolved from the DNS request packet. In this embodiment the DNS request packet is a UDP (User Datagram Protocol) packet and the destination port is 53; packets not meeting this condition are passed through unchanged, so the normal transmission of other packets is unaffected.
Determining the feature value of the domain name in step S402 includes: computing a first hash of the domain name with a first hash algorithm and a second hash with a second hash algorithm, and using the first hash and the second hash together as the feature value of the domain name. Computing two hashes of the same domain name string with two different algorithms avoids hash collisions: if two different domain names share the same first hash, they can be distinguished by the second hash, and the probability that two domain names share both hashes and are both present in memory is negligibly small; moreover, the memory only stores the domain names that have been added because they were attacked or show attack tendencies. Note that two hashes reduce the collision probability but do not eliminate it; storing the name itself alongside the hashes and comparing it on a hit would remove the residual risk at the cost of memory.
FIG. 5 is a flowchart of the method of step S403 for judging whether the memory contains the feature value of the domain name. Referring to FIG. 5, the method includes:
S501, determining the feature value of the domain name, the feature value including a first hash and a second hash.
S502, judging whether the first hash of the domain name exists in memory; if yes, go to step S503; if no, go to step S506;
S503, looking up in memory the second hash corresponding to the first hash;
S504, judging whether the second hash in memory corresponding to the first hash equals the second hash of the domain name;
S505, if the result of step S504 is yes, determining that the memory contains the feature value of the domain name; if no, go to step S506;
S506, determining that the memory does not contain the feature value of the domain name.
Further, if the memory does not contain the feature value of the domain name, the DNS request is accepted. Unlike IP addresses, domain names are unlimited in number, so the memory only records the domain names determined to be safe, unsafe or suspicious: domain names that are safe, that is carry no attack risk, are marked with the unban identifier; domain names that are unsafe, that is carry a high attack risk, are marked with the ban identifier; and domain names that are suspicious, that is where it is uncertain whether the DNS request carries an attack risk, are marked with the probe identifier. Thus when the domain name of a received DNS request carries the unban identifier, the DNS request is sent to the DNS resolution system in user space; when it carries the ban identifier, the DNS request packet is dropped; and when it carries the probe identifier, a further judgment combining the domain name's request count and unban time is needed.
Further, the identifier information of the domain name is looked up in memory by the feature value: if the identifier found is the ban identifier, the DNS request packet is dropped; if it is the unban identifier, the DNS request is accepted; if it is the probe identifier, whether to accept the DNS request is further judged from the domain name's request count and unban time. Setting identifier information simplifies the DNS attack judgment flow.
Judging from the domain name's request count and unban time whether to accept the DNS request requires obtaining the domain name's current request count and unban time from the request record information, but at this point the memory still holds the request record information of the previous DNS request, so the request record information corresponding to the feature value must be updated first.
FIG. 8 is a flowchart of the method disclosed in this embodiment for updating the request record information corresponding to a feature value in memory. Referring to FIG. 8, updating the request record information corresponding to the feature value includes:
S801, obtaining the DNS request time recorded in the request record information corresponding to the feature value;
S802, judging whether the time from the DNS request time recorded in the request record information to the time of the current DNS request exceeds the predetermined period;
S803, if so, updating the DNS request time in the request record information and resetting the number of requests to zero;
S804, if not, updating the DNS request time in the request record information and adding 1 to the number of requests.
Specifically, the DNS request time in the request record information is updated by replacing the recorded request time with the time of the current DNS request.
FIG. 6 is a flowchart of the method disclosed in this embodiment for determining, from the request count judgment result and the unban time, whether a DNS request is a DNS attack. Referring to FIG. 6, the method includes:
S601, querying memory by the feature value of the domain name to obtain the request record information and unban time corresponding to the feature value;
S602, judging whether the number of requests exceeds the preset request threshold.
S603, if the number of requests does not exceed the request threshold, judging whether the unban time of the domain name has been reached;
S604, if so, determining that the DNS request is a normal request;
S605, if not, determining that the DNS request is a DNS attack request.
S606, if the number of requests exceeds the request threshold, determining that the DNS request is an attack request, dropping the DNS request packet and resetting the unban time of the domain name.
In one implementation, the hashes of domain names and their associated information are stored in memory as a hash table. The whole table is an array; each entry of the table is a linked list, and each node of the list stores the information of one domain name, such as its second hash, request record information and unban time. Judging in step S504 whether the second hash in memory corresponding to the first hash equals the second hash of the domain name can be done by traversing every node of the list for that first hash and comparing the second hash stored in each node with the second hash of the domain name; if they are equal, the memory holds the information of that domain name, and the identifier information, request record information and unban time corresponding to that second hash can then be obtained.
FIG. 9 is a flowchart of the method disclosed in this embodiment for adding the feature value and identifier information of a domain name to memory. Referring to FIG. 9, the method includes:
S901, obtaining the feature value and identifier information of a domain name, the feature value including a first hash computed with the first hash algorithm and a second hash computed with the second hash algorithm;
S902, judging whether the feature value of the domain name exists in memory;
S903, if so, replacing the identifier information corresponding to the feature value with the obtained identifier information;
S904, if not, writing the first hash of the domain name to the head of the corresponding linked list, allocating storage space, that is a node, for the second hash and identifier information, and saving the pointer to that storage space.
The system monitors in real time the data traffic from kernel space to user space. When traffic surges abnormally in some period, DNS requests are captured by a hook function registered in advance in the operating system's firewall framework, or DNS request logs are analysed, to obtain the request volume; domain names whose request volume exceeds the threshold are then marked with the probe identifier. For example, domain names whose request volume is below a minimum threshold are marked with the unban identifier, those above a maximum threshold with the ban identifier, and those between the two thresholds with the probe identifier. The feature value of the domain name is determined by the method of step S402, and the feature value and probe identifier are sent to kernel space over netlink. Identifier information can also be set manually and sent from user space to kernel space to store or update feature values and identifier information.
Example: suppose user space detects that the domain name a.com is suspicious, records its identifier information as the probe identifier, computes the domain name's two hashes, 32 and 101, and sends the hashes and the probe identifier to kernel space. The domain name's information now has to be saved into the hash table in memory. The first hash of a.com is 32, so the entry whose first-column hash is 32 is located, and the second hash 101, the probe identifier, the request record information and so on are stored in a node that becomes the head of that entry's list; at this point there is no other node after it and its pointer is null. If information for the domain name b.com, whose two hashes are 32 and 102, later needs to be stored, its second hash, identifier information and request information are stored in the second node of the list, and the node holding a.com's information no longer points to null but to b.com's node.
The hash table in memory is shown in FIG. 7. Every entry of the table is a linked list; in the figure each row is one entry. Some rows are longer, for example the first row, the entry designated by hash 32, whose list already has three nodes; some are shorter, for example the entry designated by hash 34. To check whether the table stores the feature value of the domain name c.com, the entry whose first-column hash is 32 is located first, then all nodes of that entry's list are traversed to find the node whose second hash is 199, from which the probe identifier, request record information and other information corresponding to that second hash are obtained.
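The two-hash chained table of FIG. 7 and steps S501 to S506 and S901 to S904, together with the threshold classification user space performs before pushing identifiers into the kernel, as added example code for this page, not the application's own: FNV-1a and djb2 are assumed as the first and second hash algorithms, the bucket count is kept deliberately tiny so that chains form, and the sample names and thresholds are constructed. The per-node request count and unban time judgment is the same as for IP prefixes and is not repeated here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 4u   /* deliberately tiny so the demo produces chains; use thousands in practice */

enum dflag { DFLAG_NONE = 0, DFLAG_UNBAN, DFLAG_BAN, DFLAG_PROBE };   /* not stored / unban / ban / probe */

struct dnode {
    uint32_t      h2;        /* second hash: tells apart names that share a first hash */
    enum dflag    flag;      /* identifier information */
    uint64_t      last_ms;   /* request record: time of the last request */
    uint32_t      count;     /* request record: requests in the current period */
    uint64_t      unban_ms;  /* unban time */
    struct dnode *next;
};

static struct dnode *table[BUCKETS];   /* the array whose entries are linked lists (FIG. 7) */

/* First hash algorithm: 32-bit FNV-1a (assumed for the example). */
uint32_t hash1_fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

/* Second hash algorithm: djb2 (assumed for the example). */
uint32_t hash2_djb2(const char *s)
{
    uint32_t h = 5381u;
    for (; *s; s++) h = h * 33u + (uint8_t)*s;
    return h;
}

/* Steps S501..S506: walk the chain selected by h1 and match on h2. NULL means "not in memory". */
struct dnode *domain_lookup(const char *name)
{
    uint32_t h2 = hash2_djb2(name);
    for (struct dnode *n = table[hash1_fnv1a(name) % BUCKETS]; n; n = n->next)
        if (n->h2 == h2) return n;
    return NULL;
}

/* Steps S901..S904: replace the flag if the name is already stored, otherwise allocate a node
 * and link it at the head of the chain for its first hash. Returns 0 on success, -1 on allocation failure. */
int domain_set_flag(const char *name, enum dflag f)
{
    struct dnode *n = domain_lookup(name);
    if (n) { n->flag = f; return 0; }                     /* S903 */
    n = calloc(1, sizeof *n);                              /* S904 */
    if (!n) return -1;
    n->h2 = hash2_djb2(name);
    n->flag = f;
    uint32_t idx = hash1_fnv1a(name) % BUCKETS;
    n->next = table[idx];
    table[idx] = n;
    return 0;
}

/* Flag for a name, or DFLAG_NONE when it is not in memory (such requests are simply accepted). */
enum dflag domain_flag(const char *name)
{
    struct dnode *n = domain_lookup(name);
    return n ? n->flag : DFLAG_NONE;
}

/* User-space side: classify a domain from its request volume in one period using the two thresholds. */
enum dflag classify_by_volume(uint32_t requests, uint32_t min_thr, uint32_t max_thr)
{
    if (requests < min_thr) return DFLAG_UNBAN;
    if (requests > max_thr) return DFLAG_BAN;
    return DFLAG_PROBE;
}

/* Total nodes across all chains; with 5 names in 4 buckets at least one chain must hold two. */
unsigned total_nodes(void)
{
    unsigned n = 0;
    for (uint32_t i = 0; i < BUCKETS; i++)
        for (struct dnode *p = table[i]; p; p = p->next) n++;
    return n;
}

int main(void)
{
    /* Constructed sample names and the flags user space decided on from their request volume. */
    domain_set_flag("a.com", classify_by_volume(500, 100, 1000));          /* probe */
    domain_set_flag("b.com", classify_by_volume(5000, 100, 1000));         /* ban */
    domain_set_flag("cdn.example.net", classify_by_volume(10, 100, 1000)); /* unban */
    domain_set_flag("www.example.org", DFLAG_PROBE);
    domain_set_flag("mail.example.com", DFLAG_BAN);
    const char *probe[] = { "a.com", "b.com", "cdn.example.net", "c.com" };
    for (unsigned i = 0; i < 4; i++)
        printf("%-16s flag=%d (bucket %u)\n", probe[i], (int)domain_flag(probe[i]),
               hash1_fnv1a(probe[i]) % BUCKETS);
    printf("nodes stored: %u in %u buckets\n", total_nodes(), BUCKETS);
    return 0;
}
```

Because names that share a bucket are told apart only by the second hash, a production version would either keep the name in the node and compare it on a hit, or accept the residual collision probability the text describes as negligible.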
本实施例的防御DNS攻击的方法在接收到DNS请求后,根据DNS请求的域名信息在内存中查找对应的标识信息,对于标识信息为解封标识的DNS请求进行接受,对于标识信息为封禁标识的DNS请求进行防御,对于标识信息为探测标识的DNS请求进行预定周期内请求次数的判断,对超出请求阈值的DNS请求进行防御,对未超出请求阈值的DNS请求进行解封时间的判断,对到达解封时间的DNS请求进行接受,对未到达解封时间,即预设的解封时间未超时的DNS请求进行防御。由于预先设定了标识信息,对于确定的请求源或域名直接执行接受或防御处理,对于存在不确定因素的请求源或域名才执行进一步的判断检测,简化了DNS攻击的判断流程,提高了判断DNS攻击的效率。通过请求次数判断结果和解封时间相结合的方式,提高了识别DNS攻击的准确性。
进一步地,本申请优化了域名信息对应请求记录的查询方法,采用多级索引表的查询方式,具有实时性好,且不降低服务性能和效率的优势。
图10是本申请实施例揭示的防御DNS攻击的装置的示意框图。图10所示的防御DNS攻击的装置可用于实施实施例所述的防御DNS攻击的方法。参见图10,该防御DNS攻击的装置100一般性地可包括:请求获取单元102、特征值确定单元104、第一查询单元106、第二查询单元108、请求次数判断单元120、攻击判断单元122和防御单元124。在本申请的一些实施例中,根据DNS攻击的防御装置100的功能需求和进一步优化,配置有:第一处理单元126、第二处理单元128、信息获取单元130、标识信息判断单元132、标识信息添加单元134、标识信息更新单元136和请求记录信息更新单元138。
以上功能模块中,请求获取单元102用于接收请求源发送的DNS请求,获取发送该DNS请求的请求源的IP地址;特征值确定单元104用于计算所述IP地址的特征值;第一查询单元106用于在内存中查找得到预设的与所述特征值对应的标识信息,所述标识信息包括白名单标识、黑名单标识和探测标识;第二查询单元108用于在第一查询单元查找得到的标识信息为用于标识不确定所述DNS请求是否存在攻击风险的探测标识时,获取所述特征值对应的请求记录信息和解封时间,所述请求记录信息包括所述请求源在预定周期内的请求次数;请求次数判断单元120用于判断所述请求次数是否超过预设的请求阈值;攻击判断单元122用于根据请求次数判断单元的判断结果和所述解封时间,判定所述请求源是否进行DNS攻击,例如当所述请求次数超过预设请求阈值时,或者所述请求次数未超过所述预设的请求阈值且当前时间未到达预设的解封时间时,判定所述DNS请求为攻击请求;防御单元124用于对DNS攻击进行防御,例如丢弃所述DNS请求。
本实施例的防御DNS攻击的装置中,请求获取单元102用于执行本申请实施例中的步骤S101,特征值确定单元104用于执行本申请实施例中的步骤S102,第一查询单元106用于执行本申请实施例中的步骤S103,第二查询单元108用于执行本申请实施例中的步骤S104,请求次数判断单元120用于执行本申请实施例中的步骤S105,攻击判断单元122用于执行本申请实施例中的步骤S106,防御单元124用于执行本申请实施例中的步骤S107。
本实施例中所述请求获取单元102可以包括第一校验模块、第二校验模块。其中,第一校验模块用于判断所述DNS请求的数据包数据格式是否符合预定协议;第二校验模块用于判断所述DNS请求的目的端口是否为预定端口。所述第一校验模 块的判断段条件可以是数据包是UDP包,第二校验模块的判断条件可以是目的端口是53,这是因为DNS协议运行在UDP,使用端口号53。在传输层TCP提供端到端可靠的服务,在UDP端提供尽力交付的服务。其控制端口作用于UDP端口53。
特征值确定单元104可以包括第一特征值确定模块、第二特征值确定模块、第三特征值确定模块和第四特征值确定模块。其中,第一特征值确定模块用于根据所述IP地址的前三段数值确定所述IP地址的特征值;第二特征值确定模块用于根据所述IP地址的后三段数值确定所述IP地址的特征值;第三特征值确定模块用于计算所述IP地址的前三段数值的哈希值,将所述哈希值作为IP地址的特征值;第四特征值确定模块用于计算所述IP地址的后三段数值的哈希值,将所述哈希值作为IP地址的特征值。
在进行查询后,还需要将本次的访问信息添加至内存中的对应位置,进行访问记录信息的更新。请求记录信息更新单元138用于更新所述特征值对应的请求记录信息。请求记录更新单元可以用于:判断所述内存中所述特征值对应的请求记录信息是否为空;若为空,将本次DNS请求的信息保存为请求记录信息;若非空,判断所述请求记录信息中记载的DNS请求的请求时间到本次DNS请求的请求时间的时长是否超过预定周期,若是,更新所述请求记录信息中DNS请求的请求时间,并将请求记录信息中的请求次数归零,若否,更新所述请求记录信息中DNS请求的请求时间,并将所述请求记录信息中的请求次数加1。
内存中以数组形式存储各数组元素,所述数组元素包括特征值、标识信息、请求记录信息和解封时间,所述特征值、标识信息、请求记录信息和解封时间一一对应。
第二查询单元可以用于按照所述IP地址的特征值在内存中查询得到请求记录信息和解封时间。
攻击判断单元122具体用于:在所述请求次数判断单元判断出所述请求次数超过请求阈值时,判定所述请求源进行DNS攻击,并重置所述特征值对应的解封时间;在所述请求次数判断单元判断出所述请求次数未超过请求阈值时,判断当前是否到达所述特征值对应的解封时间;若是,判定所述DNS请求为正常请求;若否,判定所述请求源进行DNS攻击。
在内核空间对DNS请求进行检查之后,用户空间还可能存在某段时间流量数据 暴增的情况,这种情况有可能是DNS攻击造成的,因而还需要实时监控从内核空间到用户空间的数据流量,以在出现流量暴增时,通过预先在操作系统的防火墙框架内注册的钩子函数捕捉DNS请求,或者分析DNS请求日志,得到请求量,进而将请求量过大的IP地址作为怀疑对象,并记为探测标识,将IP地址信息和对应的标识信息发送至内核空间,以便内核进行相应处理。本实施例中,信息获取单元130用于获取IP地址的特征值和标识信息;标识信息判断单元132用于判断所述内存中所述特征值对应的标识信息是否为空;标识信息添加单元134用于在所述标识信息判断单元判断出所述标识信息为空时,将获取的标识信息保存为所述特征值对应的标识信息;标识信息更新单元136用于在所述标识信息判断单元判断出所述标识信息不为空时,将所述特征值对应的标识信息替换为所述获取的标识信息。
第一处理单元126用于在第一查询单元查找得到的标识信息为黑名单标识时,丢弃所述DNS请求的数据包;第二处理单元128用于在第一查询单元查找得到的标识信息为白名单标识时,接受所述DNS请求。
图11是本申请实施例揭示的防御DNS攻击的装置的示意框图。图11所示的防御DNS攻击的装置可用于实施实施例所述的防御DNS攻击的方法。参见图11,该防御DNS攻击的装置200一般性地可包括:请求获取单元202、特征值确定单元204、判断单元206、第一查询单元208、第二查询单元220、请求次数判断单元222、攻击判断单元224和防御单元210。在本申请的一些实施例中,根据DNS攻击的防御装置200的功能需求和进一步优化,配置有:第一处理单元226、第二处理单元228、第三处理单元230、信息获取单元232、特征值判断单元234、存储空间管理单元236、标识信息更新单元238和请求记录信息更新单元252。
以上功能模块中,请求获取单元202用于接收DNS请求,获取DNS请求包含的待解析域名;特征值确定单元204用于计算所述域名的特征值;判断单元206用于判断内存中是否包含所述特征值;第一查询单元208用于在判断单元判断出内存中包含所述特征值时,获取所述特征值对应的标识信息,所述标识信息包括封禁标识、解封标识和探测标识;第二查询单元220用于在第一查询单元查找得到的标识信息为用于标识不确定所述DNS请求是否存在攻击风险的探测标识时,获取所述特征值对应的请求记录信息和解封时间,所述请求记录信息包括所述域名在预定周期内的请求次数;请求次数判断单元222用于判断所述请求次数是否超过预设的请求 阈值;攻击判断单元224用于根据请求次数判断单元的判断结果和所述解封时间,判定所述DNS请求是否是DNS攻击,例如当所述请求次数超过预设请求阈值时,或者所述请求次数未超过所述预设的请求阈值且当前时间未到达预设的解封时间时,判定所述DNS请求为攻击请求;防御单元210用于对DNS攻击进行防御,例如丢弃所述DNS请求。
本实施例的防御DNS攻击的装置中,请求获取单元202用于执行本申请实施例中的步骤S401,特征值确定单元204用于执行本申请实施例中的步骤S402,判断单元206用于执行本申请实施例中的步骤S403,第一查询单元208用于执行本申请实施例中的步骤S404,第二查询单元108用于执行本申请实施例中的步骤S405,请求次数判断单元222用于执行本申请实施例中的步骤S406,攻击判断单元224用于执行本申请实施例中的步骤S407,防御单元210用于执行本申请实施例中的步骤S408。
本实施例的防御DNS攻击的装置中,所述请求获取单元202包括第一校验模块、第二校验模块。其中,第一校验模块用于判断所述DNS请求的数据包数据格式是否符合预定协议;第二校验模块用于判断所述DNS请求的目的端口是否为预定端口。所述第一校验模块的判断段条件可以是数据包是UDP包,第二校验模块的判断条件可以是目的端口是53,这是因为DNS协议运行在UDP(User Datagram Protocol,用户数据报协议),使用端口号53。在传输层TCP提供端到端可靠的服务,在UDP端提供尽力交付的服务。其控制端口作用于UDP端口53。
特征值确定单元204包括第一计算模块、第二计算模块和特征值确定模块。第一计算模块用于采用第一哈希算法计算得到所述域名的第一哈希值,第二计算模块用于采用第二哈希算法计算得到所述域名的第二哈希值;特征值确定模块用于将第一哈希值和第二哈希值作为所述域名的特征值。
判断单元206包括判断模块、第一确定模块和第二确定该模块。判断模块,用于判断内存中是否存在所述域名的第一哈希值;第一确定模块,用于在判断模块判断出所述内存中不存在所述域名的第一哈希值,判定内存中不包含所述域名的特征值;第二确定模块,用于在判断模块判断出所述内存中存在所述域名的第一哈希值时,判断内存中与所述第一哈希值对应的第二哈希值是否与所述域名的第二哈希值相同,若是,判定内存中包含所述域名的特征值,若否,判定内存中不包含所述域名的特征值。
第一处理单元226用于在判断单元判断出内存中不包含所述域名的特征值时,接收所述DNS请求。
所述内存以数组形式存储各数组元素,每个数组元素是一个链表,所述链表的表头存储域名的第一哈希值,所述链表的每个节点存储域名的第二哈希值、标识信息、请求记录信息和解封时间;
所述第二确定模块包括判断子模块。所述判断子模块用于遍历第一哈希值所在链表的每一个节点,判断节点中保存的第二哈希值与所述域名的第二哈希值是否相同。
攻击判断单元224具体用于:在所述请求次数判断单元判断出所述请求次数超过请求阈值时,判定所述DNS请求为DNS攻击,并重置所述域名的解封时间;在所述请求次数判断单元判断出所述请求次数未超过请求阈值时,判断当前是否到达所述域名的解封时间;若是,判定所述DNS请求为正常请求;若否,判定所述DNS请求为DNS攻击。
请求记录更新单元252用于获取所述特征值对应的请求记录信息中记载的DNS请求的请求时间;判断所述请求记录信息中记载的DNS请求的请求时间到本次DNS请求的请求时间的时长是否超过预定周期;若是,更新所述请求记录信息中DNS请求的请求时间,并将请求记录信息中的请求次数归零;若否,更新所述请求记录信息中DNS请求的请求时间,并将所述请求记录信息中的请求次数加1。
信息获取单元232用于获取域名的特征值和标识信息,所述特征值包括采用第一哈希算法计算得到的所述域名的第一哈希值和采用第二哈希算法计算得到的所述域名的第二哈希值;特征值判断单元234用于判断所述内存中是否存在所述域名的特征值;存储空间管理单元236,用于在特征值判断单元判断出内存中不存在所述域名的特征值时,将所述域名的第一哈希值写入对应链表的表头,为第二哈希值和标识信息分配存储空间,并保存所述存储空间的存储指针;
标识信息更新单元238,用于在特征值判断单元判断出内存中存在所述域名的特征值时,将所述特征值对应的标识信息替换为所述获取的标识信息。
第二处理单元228用于在第一查询单元查找得到的标识信息为封禁标识时,丢弃所述DNS请求的数据包;第三处理单元230用于在第一查询单元查找得到的标识信息为解封标识时,接受所述DNS请求。
图11是根据本申请一个实施例的DNS系统的系统架构图,该DNS系统提供了高可靠、高防护、高性能的域名解析服务。当顶级服务器、根域服务器或授权服务器遭遇攻击或故障时,本实施例的DNS系统可启动灾备紧急应答模式,保障互联网在根域服务器或授权服务器修复之前基本正常运行,为系统抢修和恢复留下足够的时间。与客户端的安全卫士联动,可以第一时间提示用户,并帮助用户使用安全DNS进行域名解析,并能在故障解除之后迅速将用户的DNS恢复为故障前设置。
在本实施例中的DNS系统包括有一个或多个DNS安全服务器(如图中设置于北京电信、上海电信、上海联通、北京联通中的DNS服务器),分别用于对用户客户端的发出的DNS解析请求进行域名解析,在每台DNS安全服务器中设置有上述实施例中介绍的DNS攻击的防御装置。在如图11所示的DNS系统架构中,当上海电信、北京电信、上海联通以及北京联通的用户在使用网络服务时,在DNS安全服务器设置有防御DNS攻击的装置,该装置接收请求源发送的DNS请求,获取DNS请求的请求源IP地址;确定所述IP地址的特征值;根据所述特征值在内存中查找得到所述IP地址的标识信息,所述标识信息包括白名单标识、黑名单标识和探测标识;若查找得到的标识信息为探测标识,获取所述特征值对应的请求记录信息和解封时间,所述请求记录信息包括所述请求源在预定周期内的请求次数;判断所述请求次数是否超过预设的请求阈值;根据判断结果和所述解封时间,判定所述请求源是否进行DNS攻击;对DNS攻击进行防御。防御方法可以使用直接过滤超速的DNS请求,或者结合用户客户端中安装的安全卫士等软件,进行安全防护和提示,例如用户客户端在安全建议显示区域输出提示信息或将DNS服务器地址修改为预设的安全地址。
DNS安全服务器通过使用一个高速缓存,采用缓存存取优化、预更新等各种手段尽量降低了解析时延,实现了高速安全解析。当某一个IP请求源的流量异常突增时,DNS攻击的防御装置自动分析和安全联动措施,对该IP的DNS解析请求源限速。通过DNS攻击的防御装置验证的DNS解析请求,可以直接通过RCS集群和灾备系统进行后续处理。
需要说明的是,本例中提及的上海电信、北京电信、上海联通以及北京联通仅用作示例,并不对实际操作中的用户来源形成限定。
本实施例提供一种DNS系统,参见图12,该DNS系统用于提供高可靠、高防 护、高性能的域名解析服务。当顶级服务器、根域服务器或授权服务器遭遇攻击或故障时,本实施例的DNS系统可启动灾备紧急应答模式,保障互联网在根域服务器或授权服务器修复之前基本正常运行,为系统抢修和恢复留下足够的时间。与客户端的安全卫士联动,可以第一时间提示用户,并帮助用户使用安全DNS进行域名解析,并能在故障解除之后迅速将用户的DNS恢复为故障前设置。
在本实施例中的DNS系统包括有一个或多个DNS安全服务器,分别用于对用户客户端发出的DNS解析请求进行域名解析,在每台DNS安全服务器中设置有上述实施例中介绍的DNS攻击的防御装置。当用户在使用网络服务时,在DNS安全服务器设置有防御DNS攻击的装置,该装置接收DNS请求,获取DNS请求包含的待解析域名;确定所述域名的特征值;判断内存中是否包含所述特征值;若是,根据所述特征值在内存中查找得到所述域名的标识信息,所述标识信息包括封禁标识、解封标识和探测标识;若查找得到的标识信息为探测标识,获取所述特征值对应的请求记录信息和解封时间,所述请求记录信息包括所述域名在预定周期内的请求次数;判断所述请求次数是否超过预设的请求阈值;根据判断结果和所述解封时间,判定所述DNS请求是否是DNS攻击;对DNS攻击进行防御。防御方法可以使用直接过滤超速的DNS请求,或者结合用户客户端中安装的安全卫士等软件,进行安全防护和提示,例如用户客户端在安全建议显示区域输出提示信息或将DNS服务器地址修改为预设的安全地址。
DNS安全服务器通过使用一个高速缓存,采用缓存存取优化、预更新等各种手段尽量降低了解析时延,实现了高速安全解析。当某一个域名的流量异常突增时,防御DNS攻击的装置自动分析和安全联动措施,设置域名标识信息,对该域名的解析请求进行限制。通过DNS攻击的防御装置验证的DNS解析请求,可以直接通过RCS集群和灾备系统进行后续处理。
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到根据上述实施例的方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本申请实施例的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本 申请各个实施例所述的方法。
下面参考图13,其示出了适用于来实现本申请实施例的DNS服务器的计算机系统的结构示意图。
如图13所示,计算机系统130包括中央处理单元(CPU)1301,其可以根据存储在只读存储器(ROM)1302中的程序或者从存储部分1308加载到随机访问存储器(RAM)1303中的程序而执行各种适当的动作和处理。在RAM1303中,还存储有系统1300操作所需的各种程序和数据。CPU1301、ROM1302以及RAM1303通过总线1304彼此相连。输入/输出(I/O)接口1305也连接至总线1304。
以下部件连接至I/O接口1305:包括键盘、鼠标等的输入部分1306;包括诸如阴极射线管(CRT)、液晶显示器(LCD)等以及扬声器等的输出部分1307;包括硬盘等的存储部分1308;以及包括诸如LAN卡、调制解调器等的网络接口卡的通信部分13013。通信部分13013经由诸如因特网的网络执行通信处理。驱动器1310也根据需要连接至I/O接口1305。可拆卸介质1311,诸如磁盘、光盘、磁光盘、半导体存储器等等,根据需要安装在驱动器1310上,以便于从其上读出的计算机程序根据需要被安装入存储部分1308。
特别地,根据本公开的实施例,上文参考流程图描述的过程可以被实现为计算机软件程序。例如,本公开的实施例包括一种计算机程序产品,其包括有形地包含在机器可读介质上的计算机程序,所述计算机程序包含用于执行流程图所示的方法的程序代码。在这样的实施例中,该计算机程序可以通过通信部分13013从网络上被下载和安装,和/或从可拆卸介质1311被安装。
附图中的流程图和框图,展示了按照本申请各种实施例的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段、或代码的一部分,所述模块、程序段、或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。
描述于本申请实施例中所涉及到的单元可以通过软件的方式实现,也可以通过硬件的方式来实现。所描述的单元也可以设置在存储器中,例如,可以描述为:一种处理器执行存储器中可以包括的上述实施例中的各单元,例如接收单元、请求单元、确定单元、发送单元,执行上述各单元执行的操作。其中,这些单元的名称在某种情况下并不构成对该单元本身的限定。
作为另一方面,本申请实施例还提供了一种非易失性计算机存储介质,该非易失性计算机存储介质可以是上述实施例中所述装置中所包含的非易失性计算机存储介质;也可以是单独存在,未装配入终端中的非易失性计算机存储介质。上述非易失性计算机存储介质存储有一个或者多个程序,当所述一个或者多个程序被一个设备执行时,使得所述设备执行如下步骤:
Step 1: receive a DNS request sent by a request source and obtain the source IP address of the DNS request;
Step 2: determine a feature value of the IP address;
Step 3: look up in memory, by the feature value, the identification information of the IP address, the identification information comprising a whitelist flag, a blacklist flag and a probe flag;
Step 4: if the identification information found is the probe flag, obtain the request record information and the unblocking time corresponding to the feature value, the request record information comprising the number of requests made by the request source within a predetermined period;
Step 5: determine whether the number of requests exceeds a preset request threshold;
Step 6: determine, from that result together with the unblocking time, whether the request source is carrying out a DNS attack;
Step 7: defend against the DNS attack.
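The seven steps above, which claims 1 to 8 below state in detail, as a runnable sketch of the per-source flow. This is an added example, not code from the patent or from Tencent. The period, threshold and ban length are assumed constants; treating a source with no preset flag as "probe", returning a separate "not-dns" result for packets that fail the claim 2 pre-check, and reading "resetting the unblocking time" as pushing it BAN_SECONDS into the future are all assumptions, since the patent fixes none of them.

```python
# Added example (not code from the patent): the per-source-IP flow of the seven steps
# above / claims 1 to 8. All constants and unspecified behaviours below are assumptions.
import struct
from dataclasses import dataclass
from typing import Dict, Optional

DNS_PORT = 53          # "predetermined port" of claim 2 (assumed: standard DNS)
PERIOD = 1.0           # "predetermined period" in seconds (assumed value)
THRESHOLD = 100        # "preset request threshold" per period (assumed value)
BAN_SECONDS = 60.0     # how far "resetting the unblocking time" pushes it (assumed)

WHITE, BLACK, PROBE = "white", "black", "probe"   # the three flags of claims 1 and 8


@dataclass
class Entry:
    """One array element of claim 5: flag, request record and unblocking time."""
    flag: str = PROBE                    # assumption: unknown sources start in probe state
    count: int = 0
    last_seen: Optional[float] = None    # None means "request record is empty" (claim 4)
    unban_at: float = 0.0


def build_query(name: str) -> bytes:
    """Constructed sample input: a minimal A query for `name` (12-byte header + question)."""
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in name.strip(".").split("."))
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)   # ID, flags(RD), QDCOUNT=1
    return header + labels + b"\x00" + b"\x00\x01\x00\x01"     # QTYPE=A, QCLASS=IN


def looks_like_dns_query(payload: bytes, dst_port: int) -> bool:
    """Claim 2 pre-check: the right port and a header that parses as a query (QR=0, QDCOUNT>=1)."""
    if dst_port != DNS_PORT or len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return (flags & 0x8000) == 0 and qdcount >= 1


def feature_value(ip: str) -> str:
    """Claim 3, first variant: the first three segments, so one /24 shares a counter."""
    return ".".join(ip.split(".")[:3])


class SourceLimiter:
    def __init__(self) -> None:
        self.table: Dict[str, Entry] = {}    # feature value -> Entry (claim 5)

    def set_flag(self, ip: str, flag: str) -> None:
        """Claim 7: store a preset or manual flag, replacing any existing one."""
        self.table.setdefault(feature_value(ip), Entry()).flag = flag

    @staticmethod
    def _update_record(e: Entry, now: float) -> None:
        """Claim 4 read literally: a new period zeroes the count instead of counting
        this request, so every period under-counts by one."""
        if e.last_seen is None:
            e.count = 1                        # empty record: save this request
        elif now - e.last_seen > PERIOD:
            e.count = 0                        # new period
        else:
            e.count += 1
        e.last_seen = now

    def decide(self, src_ip: str, dst_port: int, payload: bytes, now: float) -> str:
        """Returns 'accept', 'drop', or 'not-dns' (pre-check failed; the claims do not
        say what to do with such packets, so this example just reports them)."""
        if not looks_like_dns_query(payload, dst_port):
            return "not-dns"
        e = self.table.setdefault(feature_value(src_ip), Entry())
        if e.flag == BLACK:                    # claim 8
            return "drop"
        if e.flag == WHITE:
            return "accept"
        self._update_record(e, now)            # probe flag: count this request
        if e.count > THRESHOLD:                # claims 1 and 6: burst seen
            e.unban_at = now + BAN_SECONDS     # "reset the unblocking time"
            return "drop"
        if now < e.unban_at:                   # under threshold but ban still running
            return "drop"
        return "accept"
```

Two consequences of the claims as written are visible here: a source that trips the threshold keeps being counted while banned, so a sustained flood keeps extending its own ban (claim 6), and keying on the first three octets means one abusive host bans its whole /24, a deliberate trade of precision for table size. An implementation that wants exact per-period counts would set the count to 1, not 0, at the start of a new period.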
In the above embodiments of this application, each embodiment is described with its own emphasis; for parts not detailed in one embodiment, reference may be made to the related description of the other embodiments.
It should be understood that, in the several embodiments provided in this application, the disclosed apparatus for defending against DNS attacks may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in practice: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
The above are merely embodiments of this application. It should be pointed out that a person of ordinary skill in the art can make several improvements and refinements without departing from the principles of this application, and such improvements and refinements should also be regarded as falling within the scope of protection of this application.

Claims (28)

  1. A method for defending against a DNS attack, applied to an apparatus for defending against DNS attacks, comprising:
    receiving a DNS request sent by a request source, and obtaining the IP address of the request source that sent the DNS request;
    computing a feature value of the IP address;
    looking up, in memory, preset identification information corresponding to the feature value;
    when the identification information is a probe flag, which indicates that it is not yet determined whether the DNS request carries an attack risk, obtaining request record information and an unblocking time corresponding to the feature value, the request record information comprising the number of requests made by the request source within a predetermined period;
    when the number of requests exceeds a preset request threshold, or when the number of requests does not exceed the preset request threshold and the current time has not yet reached the preset unblocking time, determining that the DNS request is an attack request and discarding the DNS request.
  2. The method of claim 1, further comprising, after receiving the DNS request sent by the request source:
    determining the feature value of the IP address when the data format of the packet of the DNS request conforms to a predetermined protocol and the destination port of the DNS request is a predetermined port.
  3. The method of claim 1, wherein computing the feature value of the IP address comprises:
    determining the feature value of the IP address from the first three segments of the IP address; or
    determining the feature value of the IP address from the last three segments of the IP address; or
    computing a hash of the first three segments of the IP address and using the hash as the feature value of the IP address; or
    computing a hash of the last three segments of the IP address and using the hash as the feature value of the IP address.
  4. The method of claim 1, further comprising, before obtaining the request record information and the unblocking time corresponding to the feature value:
    when the request record information corresponding to the feature value in memory is empty, saving the information of the current DNS request as the request record information;
    when the request record information corresponding to the feature value in memory is not empty and the time from the request time recorded in the request record information to the request time of the current DNS request exceeds the predetermined period, updating the request time in the request record information to the request time of the current DNS request and resetting the request count in the request record information to zero;
    when the request record information corresponding to the feature value in memory is not empty and the time from the request time recorded in the request record information to the request time of the current DNS request does not exceed the predetermined period, updating the request time in the request record information to the request time of the current DNS request and incrementing the request count in the request record information by 1.
  5. The method of claim 1, wherein the memory stores array elements in the form of an array, each array element comprising the feature value, the identification information, the request record information and the unblocking time, the feature value, identification information, request record information and unblocking time being in one-to-one correspondence; and
    obtaining the request record information and the unblocking time corresponding to the feature value comprises:
    querying the memory by the feature value of the IP address to obtain the request record information and the unblocking time.
  6. The method of claim 1, further comprising:
    when the number of requests exceeds the request threshold, determining that the DNS request is an attack request and resetting the unblocking time corresponding to the feature value;
    when the number of requests does not exceed the request threshold and the current time has reached the preset unblocking time, determining that the DNS request is a normal request.
  7. The method of claim 1, further comprising, before looking up in memory the preset identification information corresponding to the feature value:
    obtaining identification information corresponding to the IP address that was set according to the volume of DNS requests within a preset time window, or identification information corresponding to the IP address that was set manually;
    when the identification information corresponding to the feature value in memory is empty, storing the obtained identification information in memory;
    when the identification information corresponding to the feature value in memory is not empty, replacing the identification information corresponding to the feature value with the obtained identification information.
  8. The method of claim 1, further comprising:
    when the identification information is a blacklist flag, discarding the DNS request;
    when the identification information is a whitelist flag, accepting the DNS request.
  9. A method for defending against a DNS attack, applied to an apparatus for defending against DNS attacks, comprising:
    receiving a DNS request and obtaining the domain name contained in the DNS request;
    computing a feature value of the domain name;
    when it is determined that the feature value of the domain name is stored in memory, obtaining identification information corresponding to the feature value;
    when the identification information is a probe flag, which indicates that it is not yet determined whether the DNS request carries an attack risk, obtaining request record information and an unblocking time corresponding to the feature value, the request record information comprising the number of requests for the domain name within a predetermined period;
    when the number of requests exceeds a preset request threshold, or when the number of requests does not exceed the preset request threshold and the current time has not yet reached the preset unblocking time, determining that the DNS request is an attack request and discarding the DNS request.
  10. The method of claim 9, further comprising, after receiving the DNS request:
    obtaining the domain name contained in the DNS request when the data format of the packet of the DNS request conforms to a predetermined protocol and the destination port of the DNS request is a predetermined port.
  11. The method of claim 9, wherein computing the feature value of the domain name comprises:
    computing a first hash of the domain name with a first hash algorithm;
    computing a second hash of the domain name with a second hash algorithm;
    using the first hash and the second hash as the feature value of the domain name.
  12. The method of claim 11, wherein determining that the feature value of the domain name is stored in memory comprises:
    determining that the feature value of the domain name is stored in memory when both the first hash of the domain name and the second hash of the domain name are stored in memory.
  13. The method of claim 12, wherein the DNS request is accepted when the feature value of the domain name is stored in memory.
  14. The method of claim 12, wherein the memory stores array elements in the form of an array, each array element being a linked list, the head of the linked list storing the first hash of the domain name and each node of the linked list storing the second hash of the domain name, the identification information, the request record information and the unblocking time; and
    determining that the second hash of the domain name is stored in memory comprises:
    traversing each node of the linked list whose head stores the first hash, and determining that the second hash of the domain name is stored in memory when a node of the linked list holds the second hash of the domain name.
  15. The method of claim 9, further comprising:
    when the number of requests exceeds the request threshold, determining that the DNS request is an attack request and resetting the unblocking time of the domain name;
    when the number of requests does not exceed the request threshold and the current time has reached the preset unblocking time, determining that the DNS request is a normal request.
  16. The method of claim 9, further comprising, before obtaining the request record information and the unblocking time corresponding to the feature value:
    obtaining the request time of the DNS request recorded in the request record information corresponding to the feature value;
    when the time from the request time recorded in the request record information to the request time of the current DNS request exceeds the predetermined period, updating the recorded request time to the time of the current DNS request and resetting the request count in the request record information to zero;
    when the time from the request time recorded in the request record information to the request time of the current DNS request does not exceed the predetermined period, updating the recorded request time to the time of the current DNS request and incrementing the request count in the request record information by 1.
  17. The method of claim 14, further comprising:
    when the feature value of the domain name is not stored in memory, writing the first hash of the domain name into the head of the linked list, allocating nodes for the second hash and for the identification information respectively, and saving the storage pointers of those nodes;
    when the feature value of the domain name is stored in memory, replacing the identification information corresponding to the feature value with the obtained identification information.
  18. The method of claim 9, wherein:
    when the identification information is a blocking flag, the DNS request is discarded;
    when the identification information is an unblocking flag, the DNS request is accepted.
  19. An apparatus for defending against a DNS attack, comprising a processor and a memory, the memory comprising the following units executed by the processor:
    a request acquisition unit, configured to receive a DNS request sent by a request source and obtain the IP address of the request source that sent the DNS request;
    a feature value determination unit, configured to compute a feature value of the IP address;
    a first query unit, configured to look up in memory preset identification information corresponding to the feature value;
    a second query unit, configured to, when the identification information is a probe flag indicating that it is not yet determined whether the DNS request carries an attack risk, obtain request record information and an unblocking time corresponding to the feature value, the request record information comprising the number of requests made by the request source within a predetermined period;
    a request count judgment unit, configured to determine whether the number of requests exceeds a preset request threshold;
    an attack judgment unit, configured to determine that the DNS request is an attack request when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold and the current time has not yet reached the preset unblocking time;
    a defense unit, configured to discard the DNS request.
  20. The apparatus of claim 19, the memory further comprising:
    a request record information updating unit, configured to:
    when the request record information corresponding to the feature value in memory is empty, save the information of the current DNS request as the request record information;
    when the request record information corresponding to the feature value in memory is not empty and the time from the request time recorded in the request record information to the request time of the current DNS request exceeds the predetermined period, update the request time in the request record information to the request time of the current DNS request and reset the request count in the request record information to zero;
    when the request record information corresponding to the feature value in memory is not empty and the time from the request time recorded in the request record information to the request time of the current DNS request does not exceed the predetermined period, update the request time in the request record information to the request time of the current DNS request and increment the request count in the request record information by 1.
  21. The apparatus of claim 19, the memory further comprising:
    a first processing unit, configured to discard the DNS request when the identification information found by the first query unit is a blacklist flag;
    a second processing unit, configured to accept the DNS request when the identification information found by the first query unit is a whitelist flag.
  22. An apparatus for defending against a DNS attack, comprising a processor and a memory, the memory comprising the following units executed by the processor:
    a request acquisition unit, configured to receive a DNS request and obtain the domain name contained in the DNS request;
    a feature value determination unit, configured to compute a feature value of the domain name;
    a judgment unit, configured to determine whether the memory contains the feature value;
    a first query unit, configured to obtain the identification information corresponding to the feature value when it is determined that the feature value of the domain name is stored in memory;
    a second query unit, configured to, when the identification information is a probe flag indicating that it is not yet determined whether the DNS request carries an attack risk, obtain request record information and an unblocking time corresponding to the feature value, the request record information comprising the number of requests for the domain name within a predetermined period;
    a request count judgment unit, configured to determine whether the number of requests exceeds a preset request threshold;
    an attack judgment unit, configured to determine that the DNS request is an attack request when the number of requests exceeds the preset request threshold, or when the number of requests does not exceed the preset request threshold and the current time has not yet reached the preset unblocking time;
    a defense unit, configured to discard the DNS request.
  23. The apparatus of claim 22, the memory comprising:
    a first computation module, configured to compute a first hash of the domain name with a first hash algorithm;
    a second computation module, configured to compute a second hash of the domain name with a second hash algorithm;
    a feature value determination module, configured to use the first hash and the second hash as the feature value of the domain name.
  24. The apparatus of claim 23, the memory further comprising:
    a judgment module, configured to determine whether the first hash of the domain name exists in memory;
    a first determination module, configured to determine that the memory does not contain the feature value of the domain name when the judgment module determines that the first hash of the domain name does not exist in memory;
    a second determination module, configured to, when the judgment module determines that the first hash of the domain name exists in memory, determine whether the second hash corresponding to that first hash in memory is the same as the computed second hash of the domain name, to determine that the memory contains the feature value of the domain name when the two are the same, and to determine that the memory does not contain the feature value of the domain name when the two differ.
  25. The apparatus of claim 24, wherein the memory stores array elements in the form of an array, each array element being a linked list, the head of the linked list storing the first hash of the domain name and each node of the linked list storing the second hash of the domain name, the identification information, the request record information and the unblocking time; and
    the memory further comprises:
    a judgment sub-module, configured to traverse each node of the linked list storing the first hash and determine whether the second hash held in the node is the same as the computed second hash of the domain name.
  26. The apparatus of claim 25, the memory further comprising:
    a feature value judgment unit, configured to determine whether the feature value of the domain name exists in memory;
    a storage space management unit, configured to, when the feature value judgment unit determines that the feature value of the domain name does not exist in memory, write the first hash of the domain name into the head of the corresponding linked list, allocate nodes for the second hash and for the identification information respectively, and save the storage pointers of those nodes;
    an identification information updating unit, configured to replace the identification information corresponding to the feature value with the obtained identification information when the feature value judgment unit determines that the feature value of the domain name exists in memory.
  27. The apparatus of claim 22, the memory further comprising:
    a second processing unit, configured to discard the DNS request when the identification information found by the first query unit is a blocking flag;
    a third processing unit, configured to accept the DNS request when the identification information found by the first query unit is an unblocking flag.
  28. A non-volatile computer-readable storage medium storing computer-readable instructions which, when executed by at least one processor, perform the method of any one of claims 1 to 18.
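The domain-keyed table of claims 11 to 14, 17 and 18, which the DNS-security-server description of this embodiment only sketches, as an added example that is not code from the patent or from Tencent. It assumes FNV-1a as the first hash algorithm, djb2 as the second, a fixed bucket count, and lower-casing with trailing-dot removal before hashing; the patent specifies none of these. The probe-state counting rule of claims 15 and 16 is the same threshold-and-unblocking-time test as the per-source rule of claims 1 and 6 and is not repeated here: `check` returns "probe" to hand such a request to it.

```python
# Added example (not code from the patent): the array-of-linked-lists domain table of
# claims 11-14, 17 and 18. Hash choices, bucket count and normalisation are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def fnv1a32(s: str) -> int:
    """Assumed 'first hash algorithm': FNV-1a, 32-bit."""
    h = 0x811C9DC5
    for b in s.encode():
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def djb2(s: str) -> int:
    """Assumed 'second hash algorithm': djb2, truncated to 64 bits."""
    h = 5381
    for b in s.encode():
        h = ((h << 5) + h + b) & 0xFFFFFFFFFFFFFFFF
    return h


BAN, UNBAN, PROBE = "ban", "unban", "probe"   # the three flags of claim 18 and the description


@dataclass
class Node:
    """One linked-list node of claim 14: second hash, flag, request record, unblocking time."""
    h2: int
    flag: str
    count: int = 0
    last_seen: Optional[float] = None
    unban_at: float = 0.0


@dataclass
class Bucket:
    """One array element of claim 14: the list head holds the first hash, then the chain."""
    h1: int
    nodes: List[Node]


class DomainTable:
    def __init__(self, size: int = 1024) -> None:
        self.size = size                                   # assumed bucket count
        self.buckets: List[Optional[Bucket]] = [None] * size

    def feature(self, name: str) -> Tuple[int, int]:
        """Claim 11: (first hash, second hash). The first hash is reduced to a bucket index so
        it can serve as the array position; the wide second hash tells chain members apart.
        Two names agreeing on both would be merged, which is the scheme's accepted risk."""
        key = name.rstrip(".").lower()    # assumed normalisation (DNS names are case-insensitive)
        return fnv1a32(key) % self.size, djb2(key)

    def lookup(self, name: str) -> Optional[Node]:
        """Claims 12 and 14: bucket by first hash, then walk the chain for the second hash."""
        h1, h2 = self.feature(name)
        bucket = self.buckets[h1]
        if bucket is None:
            return None
        for node in bucket.nodes:
            if node.h2 == h2:
                return node
        return None

    def set_flag(self, name: str, flag: str) -> Node:
        """Claim 17: absent -> write the head and append a node; present -> replace the flag."""
        h1, h2 = self.feature(name)
        node = self.lookup(name)
        if node is not None:
            node.flag = flag
            return node
        if self.buckets[h1] is None:
            self.buckets[h1] = Bucket(h1, [])
        node = Node(h2, flag)
        self.buckets[h1].nodes.append(node)
        return node

    def check(self, name: str) -> str:
        """Claim 18: 'drop' for a ban flag, 'accept' for an unban flag; 'probe' hands the
        request to the counting rule of claims 15/16; 'unknown' for a name never stored."""
        node = self.lookup(name)
        if node is None:
            return "unknown"
        if node.flag == BAN:
            return "drop"
        if node.flag == UNBAN:
            return "accept"
        return "probe"

    def chain_length(self, name: str) -> int:
        """How many names share this name's bucket (collision diagnostics)."""
        bucket = self.buckets[self.feature(name)[0]]
        return 0 if bucket is None else len(bucket.nodes)
```

Because the first hash only has to spread names across the array, all of the discrimination rests on the second hash, so its width sets the chance that two different names are confused. Running the table with a single bucket forces every name into one chain and shows the second hash doing exactly that job.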
PCT/CN2017/116436 2016-12-20 2017-12-15 Method, apparatus and storage medium for defending against DNS attacks WO2018113594A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/389,212 US11057404B2 (en) 2016-12-20 2019-04-19 Method and apparatus for defending against DNS attack, and storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611183849.2A CN108206814B (zh) 2016-12-20 2016-12-20 Method, apparatus and system for defending against DNS attacks
CN201611183849.2 2016-12-20

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/389,212 Continuation US11057404B2 (en) 2016-12-20 2019-04-19 Method and apparatus for defending against DNS attack, and storage medium

Publications (1)

Publication Number Publication Date
WO2018113594A1 true WO2018113594A1 (zh) 2018-06-28

Family

ID=62603397

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/116436 WO2018113594A1 (zh) 2016-12-20 2017-12-15 Method, apparatus and storage medium for defending against DNS attacks

Country Status (3)

Country Link
US (1) US11057404B2 (zh)
CN (1) CN108206814B (zh)
WO (1) WO2018113594A1 (zh)


Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790762B (zh) * 2017-01-11 2022-05-24 腾讯科技(深圳)有限公司 Domain name resolution method and apparatus
CN108965496A (zh) * 2018-07-20 2018-12-07 网宿科技股份有限公司 Method and apparatus for verifying the legitimacy of a DNS request
CN108833450B (zh) * 2018-08-22 2020-07-10 网宿科技股份有限公司 Method and apparatus for protecting a server against attacks
US11095666B1 (en) * 2018-08-28 2021-08-17 Ca, Inc. Systems and methods for detecting covert channels structured in internet protocol transactions
CN109347796A (zh) * 2018-09-11 2019-02-15 聚好看科技股份有限公司 Service access control method and apparatus
CN109361625B (zh) * 2018-10-24 2021-12-07 新华三技术有限公司合肥分公司 Method, apparatus and controller for verifying forwarding table entries
CN109587117B (zh) * 2018-11-09 2021-03-30 杭州安恒信息技术股份有限公司 Anti-replay method for network-wide UDP port scanning
CN109889499B (zh) * 2019-01-17 2021-01-12 Oppo广东移动通信有限公司 Message sending method and related apparatus
CN111478876A (zh) * 2019-01-24 2020-07-31 中国互联网络信息中心 DNS amplification attack detection method, system, storage medium and electronic device
CN109672691A (zh) * 2019-01-30 2019-04-23 深圳互联先锋科技有限公司 Method and system for real-time monitoring of DNS queue request counts
CN109617932B (zh) * 2019-02-21 2021-07-06 北京百度网讯科技有限公司 Method and apparatus for processing data
CN109729098A (zh) * 2019-03-01 2019-05-07 国网新疆电力有限公司信息通信公司 Method for automatically blocking malicious port scanning in a DNS server
US10764315B1 (en) * 2019-05-08 2020-09-01 Capital One Services, Llc Virtual private cloud flow log event fingerprinting and aggregation
CN110336805B (zh) * 2019-06-27 2022-02-08 维沃移动通信有限公司 Network access management method and mobile terminal
CN110445779B (zh) * 2019-08-02 2021-08-17 深圳互联先锋科技有限公司 Automatic protection method and system for a DNS system under attack
CN110661819A (zh) * 2019-10-31 2020-01-07 杭州世导通讯有限公司 Anti-DDoS system
CN111901060B (zh) * 2019-12-26 2021-05-07 长扬科技(北京)有限公司 Method and terminal for making iptables rules support local time
CN111200605B (zh) * 2019-12-31 2022-05-03 网络通信与安全紫金山实验室 Malicious identifier defense method and system based on the Handle system
US11019022B1 (en) * 2020-01-28 2021-05-25 F5 Networks, Inc. Processing packets with returnable values
US11316875B2 (en) * 2020-01-31 2022-04-26 Threatology, Inc. Method and system for analyzing cybersecurity threats and improving defensive intelligence
US11570182B1 (en) * 2020-03-30 2023-01-31 Amazon Technologies, Inc. Compute-less authorization
CN113301001B (zh) * 2020-04-07 2023-05-23 阿里巴巴集团控股有限公司 Attacker determination method, apparatus, computing device and medium
US11711345B2 (en) * 2020-05-02 2023-07-25 Mcafee, Llc Split tunnel-based security
CN114124832A (zh) * 2020-08-31 2022-03-01 中国移动通信集团浙江有限公司 DNS system service processing method and apparatus
CN112217832B (zh) * 2020-10-21 2022-03-29 新华三信息安全技术有限公司 Local area network active defense method, apparatus, medium and device
CN114531257A (zh) * 2020-11-05 2022-05-24 中国联合网络通信集团有限公司 Network attack handling method and apparatus
CN113014455B (zh) * 2021-03-15 2022-05-10 读书郎教育科技有限公司 Method for monitoring frequent network requests
TWI796706B (zh) * 2021-06-11 2023-03-21 安碁資訊股份有限公司 Data leakage detection method and device
CN115529147A (zh) * 2021-06-25 2022-12-27 安碁资讯股份有限公司 Data leakage detection method and device
CN113691987A (zh) * 2021-08-30 2021-11-23 杭州安恒信息技术股份有限公司 DNS request processing method, apparatus and related device
CN114374566B (zh) * 2022-02-10 2023-08-08 中国银联股份有限公司 Attack detection method and apparatus
CN114944951B (zh) * 2022-05-18 2024-02-06 北京天融信网络安全技术有限公司 Request processing method and apparatus, mimic device, and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607385A (zh) * 2013-11-14 2014-02-26 北京奇虎科技有限公司 Method and apparatus for browser-based security detection
CN103685230A (zh) * 2013-11-01 2014-03-26 上海交通大学 Distributed collaborative detection system and method for botnet malicious domain names
CN103957195A (zh) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system, and method and apparatus for defending against DNS attacks
CN104184585A (zh) * 2013-05-28 2014-12-03 杭州迪普科技有限公司 Apparatus and method for preventing DNS flood attacks

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7444371B2 (en) * 2004-03-11 2008-10-28 At&T Intellectual Property Ii, L.P. Method and apparatus for limiting reuse of domain name system response information
US7849142B2 (en) * 2004-05-29 2010-12-07 Ironport Systems, Inc. Managing connections, messages, and directory harvest attacks at a server
US20080127324A1 (en) * 2006-11-24 2008-05-29 Electronics And Telecommunications Research Institute DDoS FLOODING ATTACK RESPONSE APPROACH USING DETERMINISTIC PUSH BACK METHOD
US8224942B1 (en) * 2007-10-02 2012-07-17 Google Inc. Network failure detection
US8122129B2 (en) * 2008-09-09 2012-02-21 Actiance, Inc. Hash-based resource matching
US20100138917A1 (en) * 2008-12-01 2010-06-03 Xia Zhanhong Refresh mechanism for rate-based statistics
KR20120067584A (ko) * 2010-12-16 2012-06-26 한국인터넷진흥원 Method and apparatus for detecting and responding to DDoS attacks in a high-traffic environment
US8745737B2 (en) * 2011-12-29 2014-06-03 Verisign, Inc Systems and methods for detecting similarities in network traffic
US9071576B1 (en) * 2013-03-12 2015-06-30 Sprint Communications Company L.P. Application rate limiting without overhead
CN103152357B (zh) * 2013-03-22 2015-09-30 北京网御星云信息技术有限公司 Defense method, apparatus and system for a DNS service
CN103957285B (zh) * 2014-04-18 2015-09-09 北京奇虎科技有限公司 Method and system for providing a root domain name resolution service
CN104079557A (zh) * 2014-05-22 2014-10-01 汉柏科技有限公司 CC attack protection method and apparatus
CN104994117A (zh) * 2015-08-07 2015-10-21 国家计算机网络与信息安全管理中心江苏分中心 Malicious domain name detection method and system based on DNS resolution data
US11089111B2 (en) * 2017-10-02 2021-08-10 Vmware, Inc. Layer four optimization for a virtual network defined over public cloud


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110868387A (zh) * 2018-08-27 2020-03-06 Ovh公司 System and method for operating a networking device
CN110868387B (zh) * 2018-08-27 2023-04-25 Ovh公司 System and method for operating a networking device
US11811733B2 (en) 2018-08-27 2023-11-07 Ovh Systems and methods for operating a networking device
CN115314465A (zh) * 2022-07-26 2022-11-08 中国第一汽车股份有限公司 Domain name filtering method, filtering system and private DNS server

Also Published As

Publication number Publication date
CN108206814A (zh) 2018-06-26
US20190245875A1 (en) 2019-08-08
CN108206814B (zh) 2021-03-16
US11057404B2 (en) 2021-07-06


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17882887; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17882887; Country of ref document: EP; Kind code of ref document: A1)