WO2021077811A1 - Protection method, device and system against distributed denial-of-service DDoS attacks - Google Patents
Protection method, device and system against distributed denial-of-service DDoS attacks
- Publication number
- WO2021077811A1 (PCT/CN2020/102076)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- server
- domain name
- service
- target domain
- address
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Definitions
- the embodiments of this application relate to the field of software protection technology, and in particular to the prevention of distributed denial-of-service (DDoS) attacks.
- when the DNS cache server is paralyzed by DDoS attacks, Internet access for the entire network is affected; frequent DDoS attacks occupy the enterprise's bandwidth for long periods, forcing enterprises to expand capacity and increasing investment pressure.
- the embodiments of the present application provide a method, device and system for preventing distributed denial-of-service DDoS attacks, so as to solve the technical problem in the prior art of long service interruption time when switching to a high-defense server.
- the embodiments of the present application provide a method for preventing distributed denial-of-service DDoS attacks.
- the method includes: the terminal sends a resolution request containing the target domain name to the primary DNS server; the terminal sends service request data to the service server according to the Internet Protocol (IP) address of the service server corresponding to the target domain name, as fed back by the primary DNS server; when the service server is under DDoS attack, the terminal's access to the service server fails; the terminal then sends a resolution request containing the target domain name to the backup DNS server; the backup DNS server resolves the target domain name to the IP address of the high-defense server, where, when the service server is under DDoS attack, the service end notifies the backup DNS server to set the resolution address for the target domain name to the IP address of the high-defense server; and the terminal sends the service request data to the high-defense server according to the IP address of the high-defense server fed back by the backup DNS server.
- a backup DNS server is added.
- the backup DNS server modifies the IP address, and the trigger mechanism set in the terminal requests resolution from the backup DNS server instead of the primary DNS server as soon as an access error is detected. There is therefore no need to wait for the aging time of the DNS cache server. This lets the terminal quickly obtain the IP address of the high-defense server and solves the technical problem of long service interruptions when switching to the high-defense server in the prior art.
- the method further includes: the high-defense server performs traffic cleaning on the service request data sent by the terminal, forwards the cleaned data to the service server, and forwards the service response data fed back by the service server to the terminal.
- the cleaning performed by the high-defense server reduces the pressure on the service server and ensures that users who send normal service request data receive normal response data.
- the access to the target domain name is executed by the client installed in the terminal.
- the method further includes: if the client has not been closed and the terminal receives an operation request to access the target domain name, the terminal sends a resolution request containing the target domain name to the backup DNS server.
- while the terminal's client has not been closed, if the terminal again receives an operation request to access the service server corresponding to the target domain name, it still sends the resolution request for the target domain name to the backup DNS server, which prevents service interruption on the terminal due to IP address switching and improves user experience.
- the access to the target domain name is executed by the client installed in the terminal.
- the method further includes: if the client is restarted after being closed and the terminal then receives an operation request to access the target domain name, the terminal sends a resolution request containing the target domain name to the primary DNS server.
- after a restart, the resolution request for the target domain name is sent to the primary DNS server by default, so that once the DDoS attack on the service server has stopped, the terminal can switch back to obtaining the resolution address of the target domain name from the primary DNS server.
- the method further includes: after the service end determines that the backup DNS server has set the resolution address for the target domain name to the IP address of the high-defense server, the service end notifies the operator of the primary DNS server and instructs that operator to notify the primary DNS server to block the IP address of the service server.
- the IP address of the service server is blocked after it is attacked, so terminals are prevented from continuing to send service request data to the service server and occupying its bandwidth, which saves the egress bandwidth of the service server.
- the method further includes: the service end notifies the operator of the primary DNS server and instructs that operator to notify the primary DNS server to unblock the IP address of the service server.
- the embodiments of the present application provide a protection system against distributed denial-of-service DDoS attacks.
- the system includes: a terminal, configured to send a resolution request containing the target domain name to the primary DNS server, to send service request data to the service server according to the IP address of the service server corresponding to the target domain name fed back by the primary DNS server, to send the resolution request containing the target domain name to the backup DNS server when access to the service server fails, and to send the service request data to the high-defense server according to the IP address of the high-defense server fed back by the backup DNS server; a service end, configured to notify the backup DNS server to set the resolution address for the target domain name to the IP address of the high-defense server when the service server is under DDoS attack; and the backup DNS server, configured to set the resolution address for the target domain name to the IP address of the high-defense server after receiving the notification from the service end and, once that address has been set, to feed the IP address of the high-defense server back to the terminal in response to the resolution request for the target domain name.
- a backup DNS server is added.
- the backup DNS server modifies the IP address, and the trigger mechanism set in the terminal requests resolution from the backup DNS server instead of the primary DNS server as soon as an access error is detected. There is therefore no need to wait for the aging time of the DNS cache server. This lets the terminal quickly obtain the IP address of the high-defense server and solves the technical problem of long service interruptions when switching to the high-defense server in the prior art.
- the system also includes a high-defense server, configured to perform traffic cleaning on the service request data sent by the terminal, forward the cleaned data to the service server, and forward the service response data fed back by the service server to the terminal.
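As an added illustration of the switching sequence described in this aspect (example code written for this page, not part of the patent), the following Python simulation models a primary cache DNS server whose record ages out on a TTL, a backup DNS server that the service end can repoint immediately, a high-defense server that cleans and forwards traffic to the service server, and a terminal that resolves through the backup DNS as soon as an access to the service server fails. The domain name, the two server addresses, the TTL and the timeline are constructed values.

```python
# Added example (not the patent's code): simulation of backup-DNS failover.
DOMAIN = "www.example.com"          # constructed target domain name
SERVICE_IP = "203.0.113.10"         # constructed service server address
HIGH_DEFENSE_IP = "198.51.100.20"   # constructed high-defense server address
RECORD_TTL = 600                    # constructed: seconds the cache server keeps a record


class PrimaryDns:
    """Operator cache (recursive) server: an answer is reused until its TTL ages out."""

    def __init__(self, authoritative):
        self.authoritative = dict(authoritative)  # what the NS server would answer
        self.cache = {}                           # domain -> (ip, expiry time)

    def resolve(self, domain, now):
        ip, expiry = self.cache.get(domain, (None, -1))
        if ip is None or now >= expiry:
            ip = self.authoritative[domain]
            self.cache[domain] = (ip, now + RECORD_TTL)
        return ip


class BackupDns:
    """Backup DNS server: the service end can change its answer immediately."""

    def __init__(self, records):
        self.records = dict(records)

    def set_resolution(self, domain, ip):
        self.records[domain] = ip

    def resolve(self, domain):
        return self.records[domain]


class ServiceServer:
    """Origin. While its uplink is saturated, direct access fails; requests that
    arrive cleaned through the high-defense server are still answered."""

    def __init__(self):
        self.under_attack = False

    def handle(self, data, cleaned=False):
        if self.under_attack and not cleaned:
            raise ConnectionError("timeout")
        return "response:" + data


class HighDefenseServer:
    """Cleans the terminal's request data and forwards it to the origin."""

    def __init__(self, origin):
        self.origin = origin

    def handle(self, data):
        cleaned = data.strip()  # stands in for the traffic-cleaning pipeline
        return self.origin.handle(cleaned, cleaned=True)


class ServiceEnd:
    """Management platform for the origin: repoints the backup DNS on attack."""

    def __init__(self, backup, origin):
        self.backup, self.origin = backup, origin

    def on_attack(self):
        self.origin.under_attack = True
        self.backup.set_resolution(DOMAIN, HIGH_DEFENSE_IP)

    def on_attack_stopped(self):
        self.origin.under_attack = False
        self.backup.set_resolution(DOMAIN, SERVICE_IP)


class Terminal:
    """Client with the SDK trigger: after one access error it resolves through the
    backup DNS for the rest of the client's lifetime; a restart returns to the primary."""

    def __init__(self, primary, backup, servers):
        self.primary, self.backup, self.servers = primary, backup, servers
        self.use_backup = False
        self.trace = []  # (which DNS answered, ip) for each completed access

    def access(self, data, now):
        if not self.use_backup:
            ip = self.primary.resolve(DOMAIN, now)
            try:
                reply = self.servers[ip].handle(data)
                self.trace.append(("primary", ip))
                return reply
            except ConnectionError:
                self.use_backup = True  # trigger mechanism: switch to the backup DNS
        ip = self.backup.resolve(DOMAIN)
        self.trace.append(("backup", ip))
        return self.servers[ip].handle(data)

    def restart_client(self):
        self.use_backup = False


def run_scenario():
    """Constructed timeline; returns the terminal's trace and what the primary
    cache still answers while the attack is under way."""
    origin = ServiceServer()
    primary = PrimaryDns({DOMAIN: SERVICE_IP})
    backup = BackupDns({DOMAIN: SERVICE_IP})
    service_end = ServiceEnd(backup, origin)
    term = Terminal(primary, backup,
                    {SERVICE_IP: origin, HIGH_DEFENSE_IP: HighDefenseServer(origin)})
    term.access("req1", now=0)               # normal path through the primary DNS
    service_end.on_attack()                  # DDoS begins; backup DNS repointed at once
    term.access("req2", now=10)              # error at the origin -> backup -> high-defense
    term.access("req3", now=20)              # client still open: straight to the backup
    stale = primary.resolve(DOMAIN, now=20)  # primary cache still holds the origin's IP
    term.restart_client()
    term.access("req4", now=30)              # restart: primary first, error, backup again
    service_end.on_attack_stopped()
    term.restart_client()
    term.access("req5", now=40)              # attack over: primary path works again
    return term.trace, stale
```

The trace shows why the backup server matters: while the attack is under way the primary cache keeps answering with the service server's address until its TTL expires, whereas the terminal already reaches the high-defense server on its second access; a client restart goes back to the primary first, which is what lets the terminal return to the normal path once the attack has stopped.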
- the embodiments of the present application provide a domain name access method against distributed denial-of-service DDoS attacks.
- the method is applied to a terminal.
- the method includes: receiving an operation request to access the service server corresponding to the target domain name; in response to the operation request, sending a resolution request containing the target domain name to the primary DNS server; sending service request data to the service server according to the IP address of the service server corresponding to the target domain name fed back by the primary DNS server; determining that access to the service server fails when the service server is under DDoS attack; sending the resolution request containing the target domain name to the backup DNS server; and sending the service request data to the high-defense server according to the IP address of the high-defense server corresponding to the target domain name fed back by the backup DNS server; wherein, when the service server is under DDoS attack, the backup DNS server is configured to resolve the target domain name to the IP address of the high-defense server.
- the trigger mechanism set in the terminal requests resolution from the backup DNS server as soon as an access error is sensed, without requesting resolution from the primary DNS server, so there is no need to wait for the aging time of the DNS cache server; this lets the terminal quickly obtain the IP address of the high-defense server and solves the technical problem of long service interruptions when switching to the high-defense server in the prior art.
- the terminal has a client installed that integrates an SDK function; the SDK function configures the terminal to send a resolution request containing the target domain name to the backup DNS server when access to the service server fails.
- the integrated SDK function executes the trigger mechanism for the backup DNS server, which makes it easy to integrate the SDK function into other applications.
- the SDK function encapsulates the information of the target domain name in a target information format to obtain the resolution request sent to the backup DNS server.
- the information carried in the resolution request also includes the identification of the terminal and/or the error code returned when accessing the IP address of the service server.
- the resolution request received by the backup DNS server therefore carries more information, which can be used for subsequent analysis.
- the method further includes: sending the service request data to the service server according to the IP address of the service server obtained when the backup DNS server resolves the target domain name; wherein the backup DNS server is configured to set the resolution address for the target domain name to the address of the service server when the service server is not under DDoS attack, and feeds the IP address of the service server back to the terminal; and, if it is then determined that access to the service server fails, sending the resolution request containing the target domain name to the backup DNS server again.
- if the terminal sends a resolution request to the backup DNS server but the backup DNS server has not yet switched to the IP address of the high-defense server, the terminal retries sending the resolution request to the backup DNS server, which improves the access success rate.
- the access to the target domain name is executed by the client installed in the terminal. After sending the service request data to the high-defense server, the method further includes: if the client has not been closed and an operation request to access the target domain name is received, sending the resolution request containing the target domain name to the backup DNS server.
- while the terminal's client has not been closed, if the terminal again receives an operation request to access the service server corresponding to the target domain name, it still sends the resolution request for the target domain name to the backup DNS server, which prevents service interruption on the terminal due to IP address switching and improves user experience.
- the access to the target domain name is executed by the client installed in the terminal.
- the method further includes: if the client is restarted after being closed and an operation request to access the target domain name is received, sending the resolution request containing the target domain name to the primary DNS server.
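The following added Python example (written for this page, not the patent's code) shows the terminal-side SDK behaviour described in this aspect: the resolution request to the backup DNS server is encapsulated together with the terminal identification and the error code from the failed access, the backup server validates that message before answering, and the terminal keeps re-sending the request while the backup DNS server still answers with the service server's address. The JSON message format, the field names, the error codes, the constructed `BackupDns` that switches after a given number of requests, and the retry limit `MAX_BACKUP_ATTEMPTS` are all assumptions made for the example.

```python
# Added example (not the patent's code): SDK request encapsulation and retry.
import json

DOMAIN = "www.example.com"            # constructed target domain name
SERVICE_IP = "203.0.113.10"           # constructed service server address
HIGH_DEFENSE_IP = "198.51.100.20"     # constructed high-defense server address
MAX_BACKUP_ATTEMPTS = 3               # constructed bound on the retry loop


def encapsulate_request(domain, terminal_id, error_code=None):
    """SDK function: wrap the domain plus the terminal identification and the
    error code of the failed access in one message (constructed JSON format)."""
    body = {"type": "resolve", "domain": domain, "terminal_id": terminal_id}
    if error_code is not None:
        body["error_code"] = error_code
    return json.dumps(body, sort_keys=True)


def parse_request(raw):
    """Backup DNS side: validate and unpack the message so that a malformed
    client message cannot confuse the resolver."""
    msg = json.loads(raw)
    if msg.get("type") != "resolve" or not isinstance(msg.get("domain"), str):
        raise ValueError("malformed resolution request")
    return msg


class BackupDns:
    """Constructed model: the service end's switch notification takes effect only
    once `switch_at` requests have been seen, so early requests still get the
    service server's address."""

    def __init__(self, switch_at):
        self.answer = SERVICE_IP
        self.switch_at = switch_at
        self.seen = []  # parsed requests, retained for later analysis

    def resolve(self, raw):
        msg = parse_request(raw)
        self.seen.append(msg)
        if len(self.seen) >= self.switch_at:
            self.answer = HIGH_DEFENSE_IP  # notification from the service end has landed
        return self.answer


def send(ip, data, origin_under_attack):
    """Constructed transport: the saturated origin rejects direct requests."""
    if ip == SERVICE_IP and origin_under_attack:
        raise ConnectionError(503)
    return "ok"


def access_via_backup(backup, terminal_id, first_error, origin_under_attack=True):
    """After the first access error: keep asking the backup DNS until it answers
    with an address that works, up to MAX_BACKUP_ATTEMPTS. Returns the address
    that succeeded (or None) and the list of addresses tried."""
    error = first_error
    attempts = []
    for _ in range(MAX_BACKUP_ATTEMPTS):
        ip = backup.resolve(encapsulate_request(DOMAIN, terminal_id, error))
        attempts.append(ip)
        try:
            send(ip, "request", origin_under_attack)
            return ip, attempts
        except ConnectionError as exc:
            error = exc.args[0]  # carried in the next resolution request
    return None, attempts
```

Each retry carries the error code of the access that just failed, which is the "more information for subsequent analysis" the text mentions; bounding the loop keeps a terminal from hammering the backup DNS server if the switch never happens.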
- the embodiments of the present application provide a method for protecting against distributed denial-of-service DDoS attacks.
- the method is applied to the service end.
- the method includes: determining that the service server corresponding to the target domain name in the resolution request sent by the terminal to the primary DNS server is under DDoS attack; and notifying the backup DNS server to resolve the target domain name to the IP address of the high-defense server, so that the terminal which sent the resolution request containing the target domain name to the primary DNS server switches to sending that resolution request to the backup DNS server and obtains the IP address of the high-defense server corresponding to the target domain name as resolved by the backup DNS server.
- a backup DNS server is added.
- the backup DNS server modifies the IP address, so that the terminal requests resolution from the backup DNS server as soon as it senses an access error, without requesting resolution from the primary DNS server; there is therefore no need to wait for the aging time of the DNS cache server, which lets the terminal quickly obtain the IP address of the high-defense server and solves the technical problem of long service interruptions when switching to the high-defense server in the prior art.
- determining that the service server is under DDoS attack includes: determining that the upstream bandwidth of the service server exceeds a preset threshold.
- the method further includes: notifying the operator of the primary DNS server, and instructing that operator to notify the primary DNS server to block the IP address of the service server.
- the method further includes: notifying the operator of the primary DNS server, and instructing that operator to notify the primary DNS server to unblock the IP address of the service server.
- the service end and the service server share the network egress, and the communication priority of the notification message sent by the service end to the operator of the primary DNS server is configured to be at least higher than the communication priority of traffic between the service server and the terminal.
- the notification message is the message by which the service end notifies the operator of the primary DNS server to have the primary DNS server block or unblock the IP address of the service server.
- instructing the backup DNS server to resolve the target domain name to the IP address of the high-defense server includes: notifying the backup DNS server through a dispatch end to resolve the target domain name to the IP address of the high-defense server.
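As an added example of the service-end side described in this aspect (example code for this page, not the patent's own), the Python below flags an attack when a sampled upstream bandwidth exceeds a preset threshold and then emits notifications in the order the text gives: first to the backup DNS server through the dispatch end, then to the operator of the primary DNS server to block the service server's address, and the reverse once the attack has stopped. It also models the shared network egress as a strict-priority queue so the notification leaves ahead of ordinary service traffic. The threshold, the sample values, the `Message` layout and the priority numbers are constructed; restoring the backup DNS record on recovery is an assumption consistent with the backup server answering the service server's address when there is no attack.

```python
# Added example (not the patent's code): service-end detection and notification.
from dataclasses import dataclass

DOMAIN = "www.example.com"           # constructed target domain name
SERVICE_IP = "203.0.113.10"          # constructed service server address
HIGH_DEFENSE_IP = "198.51.100.20"    # constructed high-defense server address
UPSTREAM_THRESHOLD_MBPS = 800.0      # constructed preset threshold
PRIORITY_SERVICE = 0                 # constructed: ordinary terminal <-> service-server traffic
PRIORITY_CONTROL = 7                 # constructed: notification messages, strictly higher


@dataclass(frozen=True)
class Message:
    to: str         # "dispatch_end", "primary_dns_operator" or "terminal"
    action: str     # "set_resolution", "block", "unblock" or "service_data"
    domain: str
    ip: str
    priority: int


class ServiceEnd:
    """Management platform for the service server."""

    def __init__(self):
        self.under_attack = False
        self.sent = []  # every notification emitted, in order

    def observe(self, upstream_mbps):
        """One sample of the service server's upstream bandwidth. Notifications
        are emitted only on the transition into or out of the attacked state."""
        before = len(self.sent)
        attacked = upstream_mbps > UPSTREAM_THRESHOLD_MBPS
        if attacked and not self.under_attack:
            self.under_attack = True
            # 1) through the dispatch end: repoint the backup DNS at the high-defense server
            self.sent.append(Message("dispatch_end", "set_resolution",
                                     DOMAIN, HIGH_DEFENSE_IP, PRIORITY_CONTROL))
            # 2) then ask the primary DNS operator to block the service server's IP
            self.sent.append(Message("primary_dns_operator", "block",
                                     DOMAIN, SERVICE_IP, PRIORITY_CONTROL))
        elif not attacked and self.under_attack:
            self.under_attack = False
            self.sent.append(Message("primary_dns_operator", "unblock",
                                     DOMAIN, SERVICE_IP, PRIORITY_CONTROL))
            # assumption: point the backup DNS back at the service server after recovery
            self.sent.append(Message("dispatch_end", "set_resolution",
                                     DOMAIN, SERVICE_IP, PRIORITY_CONTROL))
        return self.sent[before:]


def drain_egress(queue):
    """Shared network egress as a strict-priority scheduler (constructed): the
    service end's notifications leave before queued service traffic, so they are
    not stuck behind the flood on the saturated link."""
    return sorted(queue, key=lambda m: -m.priority)


def run_samples(samples):
    """Feed constructed bandwidth samples and return the (action, ip) sequence."""
    service_end = ServiceEnd()
    for sample in samples:
        service_end.observe(sample)
    return [(m.action, m.ip) for m in service_end.sent]
```

A single threshold comparison will flap on bursty traffic, which is why the class only emits on state transitions; a deployment would normally also require the threshold to be exceeded for several consecutive samples before switching, and confirm the backup DNS change before asking the operator to block the address, as the blocking step in this aspect is ordered after the backup DNS notification.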
- an embodiment of the present application provides a domain name access device against distributed denial-of-service DDoS attacks.
- the device is applied to a terminal.
- the device includes: a receiving module, configured to receive an operation request to access the service server corresponding to the target domain name;
- a first sending module, configured to send a resolution request containing the target domain name to the primary DNS server in response to the operation request;
- a second sending module, configured to send service request data to the service server according to the IP address of the service server corresponding to the target domain name fed back by the primary DNS server;
- a determining module, configured to determine that access to the service server fails when the service server is under DDoS attack;
- a third sending module, configured to send the resolution request containing the target domain name to the backup DNS server;
- a fourth sending module, configured to send the service request data to the high-defense server according to the IP address of the high-defense server corresponding to the target domain name fed back by the backup DNS server; wherein, when the service server is under DDoS attack, the backup DNS server is configured to resolve the target domain name to the IP address of the high-defense server.
- the trigger mechanism set in the terminal requests resolution from the backup DNS server as soon as an access error is sensed, without requesting resolution from the primary DNS server, so there is no need to wait for the aging time of the DNS cache server; this lets the terminal quickly obtain the IP address of the high-defense server and solves the technical problem of long service interruptions when switching to the high-defense server in the prior art.
- the device further includes: a configuration module, configured to configure the terminal to send a resolution request containing the target domain name to the backup DNS server when access to the service server fails, wherein the configuration module is an SDK function integrated into the client installed in the terminal.
- the configuration module includes: an encapsulation unit, configured to encapsulate the information of the target domain name in a target information format to obtain the resolution request sent to the backup DNS server.
- the information carried in the resolution request also includes the identification of the terminal and/or the error code returned when accessing the IP address of the service server.
- the resolution request received by the backup DNS server therefore carries more information, which can be used for subsequent analysis.
- the device further includes: a fifth sending module, configured to send service request data to the service server according to the IP address of the service server obtained when the backup DNS server resolves the target domain name, after the resolution request containing the target domain name has been sent to the backup DNS server and before the IP address of the high-defense server corresponding to the target domain name as resolved by the backup DNS server is obtained; wherein the backup DNS server is configured to set the resolution address for the target domain name to the IP address of the service server when the service server is not under DDoS attack and, if the resolution address for the target domain name has not been successfully set to the IP address of the high-defense server, to feed the IP address of the service server back to the terminal; and a sixth sending module, configured to send the resolution request containing the target domain name to the backup DNS server when it is determined that access to the service server fails.
- if the terminal sends a resolution request to the backup DNS server but the backup DNS server has not yet switched to the IP address of the high-defense server, the terminal retries sending the resolution request to the backup DNS server, which improves the access success rate.
- the access to the target domain name is executed by the client installed in the terminal, and the device further includes: a seventh sending module, configured to send the resolution request containing the target domain name to the backup DNS server if, after the service request data has been sent to the high-defense server and while the client has not been closed, an operation request to access the target domain name is received.
- the access to the target domain name is executed by the client installed in the terminal, and the device further includes: an eighth sending module, configured to send the resolution request containing the target domain name to the primary DNS server if, after the service request data has been sent to the high-defense server and the client has been closed and restarted, an operation request to access the target domain name is received.
- an embodiment of the present application provides a protection device against distributed denial-of-service DDoS attacks.
- the device is applied to the service end.
- the device includes: a determining module, configured to determine that the service server corresponding to the target domain name in the resolution request sent by the terminal to the primary DNS server is under DDoS attack; and a first notification module, configured to notify the backup DNS server to resolve the target domain name to the IP address of the high-defense server, so that the terminal which sent the resolution request containing the target domain name to the primary DNS server switches to sending it to the backup DNS server and obtains the IP address of the high-defense server corresponding to the target domain name as resolved by the backup DNS server.
- a backup DNS server is added.
- the backup DNS server modifies the IP address, so that the terminal requests resolution from the backup DNS server as soon as it senses an access error, without requesting resolution from the primary DNS server; there is therefore no need to wait for the aging time of the DNS cache server, which lets the terminal quickly obtain the IP address of the high-defense server and solves the technical problem of long service interruptions when switching to the high-defense server in the prior art.
- the determining module includes: a determining unit, configured to determine that the upstream bandwidth of the service server exceeds a preset threshold.
- the device further includes: a second notification module, configured to notify the operator of the primary DNS server after the backup DNS server has been notified to resolve the target domain name to the IP address of the high-defense server, and to instruct that operator to have the primary DNS server block the IP address of the service server.
- the device further includes: a third notification module, configured to notify the operator of the primary DNS server when the DDoS attack on the service server has stopped, and to instruct that operator to have the primary DNS server unblock the IP address of the service server.
- the service end and the service server share the network egress, and the communication priority of the notification message sent by the service end to the operator of the primary DNS server is configured to be at least higher than the communication priority of traffic between the service server and the terminal.
- the first notification module includes: a notification unit, configured to notify the backup DNS server through a dispatch end to resolve the target domain name to the IP address of the high-defense server.
- an embodiment of the present application provides a computer-readable storage medium in which a computer program is stored; when the program runs on a computer, the computer executes the method described in the third aspect.
- an embodiment of the present application provides a communication device including a processor, a memory and an application program, wherein the application program is stored in the memory and includes instructions which, when executed, cause the device to execute the method described in the third aspect.
- an embodiment of the present application provides a computer-readable storage medium in which a computer program is stored; when the program runs on a computer, the computer executes the method described in the fourth aspect.
- an embodiment of the present application provides a communication device including a processor, a memory and an application program, wherein the application program is stored in the memory and includes instructions which, when executed, cause the device to execute the method described in the fourth aspect.
- FIG. 1 is a schematic diagram of the architecture of an optional DDoS attack protection system in the prior art;
- FIG. 2 is a schematic diagram of an optional DDoS attack protection method in the prior art;
- FIG. 3 is a schematic diagram of an optional DDoS attack protection system provided by an embodiment of this application;
- FIG. 4 is a schematic diagram of another optional DDoS attack protection system provided by an embodiment of this application;
- FIG. 5 is a schematic diagram of another optional DDoS attack protection system provided by an embodiment of this application;
- FIG. 6 is a schematic sequence diagram of an optional DDoS attack protection method provided by an embodiment of this application;
- FIG. 7 is a schematic sequence diagram of another optional DDoS attack protection method provided by an embodiment of this application;
- FIG. 8 is a sequence diagram of another optional DDoS attack protection method provided by an embodiment of this application;
- FIG. 9 is a schematic diagram of an optional domain name access device against DDoS attacks provided by an embodiment of this application;
- FIG. 10 is a schematic diagram of an optional DDoS attack protection device provided by an embodiment of this application;
- FIG. 11 is a schematic diagram of an optional communication device provided by an embodiment of this application;
- FIG. 12 is a schematic diagram of another optional communication device provided by an embodiment of this application.
- DDoS: Distributed Denial of Service.
- DoS: Denial of Service.
- a single DoS attack generally uses a one-to-one approach.
- DDoS: distributed denial-of-service attack.
- DN: domain name, the abbreviation of Domain Name.
- a domain name is a string of characters separated by "." that names a computer or group of computers on the Internet and identifies the computer's electronic location (sometimes also referred to as its geographic location) during data transmission.
- www.wikipedia.org is a domain name.
- DNS: the abbreviation of Domain Name System.
- DNS is a service of the Internet. It is a distributed database that maps domain names and IP (Internet Protocol) addresses to each other, making it easier for people to access the Internet.
- DNS uses TCP and UDP port 53. Put simply, DNS is a system that translates domain names into IP addresses. IP addresses are the numeric identifiers used for routing and addressing Internet hosts; they are hard for people to remember, so the domain name was created as a character-based identifier. For example, www.wikipedia.org is a domain name corresponding to the IP address 208.80.152.2. DNS works like an automatic telephone directory.
- TTL (time to live) is the time for which a domain name resolution record is stored in a DNS server.
- when the DNS servers in various places receive a resolution request, they send it to the NS server (authoritative name server) designated for the domain name to obtain the resolution record; after obtaining it, they store the record in the local DNS server (the caching server in each place, also called the recursive name server) for a period of time.
- the TTL is relatively long.
- APP: application program, short for Application; also called an application.
- the client refers to the application corresponding to the server; it provides local services for the user on the terminal and needs to cooperate with the server to run.
- SDK: the abbreviation of Software Development Kit; SDK software extends the functions of applications and can be easily integrated into different applications through interfaces.
- DC: the abbreviation of Data Center.
- the main purpose of a data center is to run applications that process the data of business and operational organizations (such as enterprises).
- such systems belong to and are developed internally by the organization, or are purchased from enterprise software vendors.
- CNAME: short for Canonical Name, also known as an alias record. This type of record allows multiple names to be mapped to the same computer.
- a high-defense server can provide security maintenance for a single customer. Simply put, any type of server that can help a website defend against denial-of-service attacks can be defined as a high-defense server.
- the high-defense server has a large bandwidth and can withstand large-traffic attacks.
- traffic cleaning is the real-time monitoring of the data flow entering the data center (DC) and the timely detection of abnormal traffic, including DoS attacks.
- traffic cleaning services can be provided by software operators to customers who use data centers.
- "at least one" refers to one or more, and "multiple" refers to two or more.
- "and/or" describes an association between the associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A exists alone, A and B exist at the same time, or B exists alone, where A and B can be singular or plural.
- the character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
- "at least one of the following items (a)" or similar expressions refers to any combination of these items, including a single item (a) or a plurality of items (a).
- at least one item (a) of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.
- FIG. 1 is a schematic diagram of the architecture of an optional DDoS attack protection system in the prior art.
- the architecture of the system includes a DNS side, a local service side, a high-defense server and a terminal.
- the DNS side includes a DNS server operator and the DNS server managed by that operator.
- the service side includes the service end and the service server managed by the service end.
- the operator refers to a service provider that provides the corresponding server service; the operator can manage and maintain the corresponding server.
- the DNS server operator mentioned in the embodiments of this application refers to the software management platform used to manage the DNS server; this software platform can be mounted on the managed DNS server or on other hardware devices that can communicate with the managed DNS server.
- the service end described in the embodiments of the present application refers to a software management platform used to manage the service server; the service end can be mounted on the service server or on a hardware device capable of communicating with the service server.
- the server described in the embodiment of the present application may be one server or a server cluster including multiple servers, which is not specifically limited in the embodiment of the present application.
- the terminal and the service server can communicate through the communication link shown by the dotted line.
- A user opens the browser APP installed on the mobile phone and enters or clicks the web address (that is, the domain name) "www.xxxx.com" to be accessed; the browser APP sends a domain name resolution request carrying the domain name to the DNS server.
- In response to the request, the DNS server returns the IP address of the service server corresponding to the domain name (that is, the server that provides the content corresponding to the URL "www.xxxx.com") to the user's mobile phone, and the browser APP can then connect directly to the service server based on that IP address and request access to the domain name.
- The service server searches for the content corresponding to the domain name and feeds it back to the user's mobile phone, so that the mobile phone can display the content of the domain name.
- When the service server is attacked by DDOS, the upstream bandwidth of the network exit on the business side (that is, the bandwidth in the communication direction from the terminal to the business server) will be largely occupied, and the attack traffic can reach a maximum on the order of T (terabytes).
- The maintenance personnel can notify the DNS server operator, so that the DNS server operator modifies the resolved IP addresses of the multiple domain names corresponding to the service server to the IP address of the high-defense server. The terminal then obtains the IP address of the high-defense server from the DNS server and exchanges service data with it, so that the service traffic from the user terminal to the service server is directed to the high-defense server (or the high-defense server cluster/high-defense computer room).
- Because the attacker attacks the business server through controlled terminals, after the IP address returned by DNS resolution becomes that of the high-defense server, the attacker can also perceive, by capturing the data packets returned by the DNS server, that the IP address has been switched to the high-defense server, and may continue to attack the high-defense server, sending a large amount of attack traffic to occupy its bandwidth. At this time, both normal user traffic and attack traffic are directed to the high-defense server.
- Because the high-defense server has a large bandwidth, it can accommodate large traffic attacks and can apply traffic cleaning methods such as near-source cleaning to the traffic, so as to retain the real business data in the received data and clean out the attack data.
- The real business data is then sent to the business server.
- Since the upstream bandwidth of the service server is no longer occupied, it can process and respond to the real business data forwarded by the high-defense server; the response data is fed back to the high-defense server, which distributes it to the terminal.
- The communication link of the service server after being attacked is shown as the solid line in Figure 1. After it is manually determined that the attack is over, the business side informs the DNS server operator to switch the domain name resolution in the DNS server back to the IP address of the business server.
- When changing the IP address corresponding to the domain name in the DNS server, the CNAME mechanism can be used. The following information needs to be pre-configured:
- The manager configures the IP address of the high-defense server, the IP address of the business server and the domain name A on the business side.
- Step 1001 The terminal receives an operation request for accessing the target domain name.
- Step 1002 The terminal sends a resolution request of the target domain name to the DNS server.
- Step 1003 The DNS server returns the IP address of the service server to the terminal.
- Step 1004 The terminal sends service request data to the service server according to the IP address of the service server.
- Step 1005 When the service server is attacked by DDOS, a terminal access error occurs, which may be an access timeout or an access failure.
- the business end is a software management platform that manages the business server.
- Step 2001 can be executed to detect in real time whether the business server is attacked.
- Step 2002 When the service server is attacked by DDOS, the business end detects the attack.
- Step 2003 The business end notifies the DNS server operator, and the DNS server operator notifies the DNS server to change the resolved IP address of domain name A on the DNS server to the IP address of the high-defense server.
- Step 2004 The DNS server operator notifies the DNS server to modify the resolved IP addresses of all relevant domain names on the business side to the IP address of the high-defense server.
- After the DNS server modifies the IP address of domain name A to the IP address of the high-defense server, when terminals request the DNS server to resolve the domain name, the IP address obtained is that of the high-defense server, all traffic sent by the terminals is directed to the high-defense server, and the high-defense server performs traffic cleaning.
- However, the DNS server will not refresh the IP address during the TTL period; that is, the update time of the resolved IP address corresponding to the domain name in the DNS server is long, for example 2 to 10 minutes. For an Internet service provider, the TTL may be longer, reaching one hour or even one or two days. Switching the resolved IP address of the domain name in the DNS server is therefore too slow, resulting in a long interruption of the business services that the service server provides to the terminal.
- Step 1006 The terminal sends a resolution request of the target domain name to the DNS server.
- Because the IP address cached in the DNS server is still the IP address of the business server, in step 1007 the DNS server returns the IP address of the service server, the terminal still accesses the service server, and the result is still an access error. Only after the TTL expires and the resolution record for domain name A in the DNS server becomes invalid is the resolved address of domain name A updated to the IP address of the high-defense server, as shown in steps 1010 and 1011 in Figure 2.
- The terminal then sends the service request data to the high-defense server, which performs traffic cleaning on it, forwards the cleaned data to the service server, and forwards the service response data returned by the service server to the terminal, as shown in steps 1012 to 1016 in Figure 2. Therefore, since it takes a long time for the DNS server to switch to the IP address of the high-defense server, restricted by the TTL set by the operator, the terminal's business is interrupted for a long time and the user experience is poor.
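The TTL problem described above, as an added example that is not part of the patent: a toy caching resolver in Python in which the operator changes the answer in the zone, but the cache keeps returning the business server's address until the cached record expires. The business address "111.11.1.111" is the page's own example; the high-defense address, the switch time and the probe times are constructed. Running it with a TTL of 600 seconds versus 3 seconds shows why a long operator TTL keeps terminals on the attacked server, and why a short TTL on a dedicated resolver (the page later proposes 3 seconds on the backup DNS server) lets the switch take effect almost immediately.

```python
"""Added example (not from the patent): a toy caching DNS resolver that shows
why changing the answer at the primary DNS server takes effect only after the
cached TTL expires. The high-defense address and the timings are constructed."""
from dataclasses import dataclass, field

BUSINESS_IP = "111.11.1.111"       # the example business server address from the page
HIGH_DEFENSE_IP = "203.0.113.10"   # constructed placeholder (documentation range)
DOMAIN = "www.xxxx.com"


@dataclass
class AuthoritativeZone:
    """The records the operator edits; caches only see edits on a refresh."""
    records: dict  # domain -> (ip, ttl_seconds)

    def lookup(self, domain):
        return self.records[domain]


@dataclass
class CachingResolver:
    """Models the DNS server's cache: an answer is reused until its TTL expires,
    so a switch made in the zone stays invisible for up to one TTL."""
    zone: AuthoritativeZone
    cache: dict = field(default_factory=dict)  # domain -> (ip, expires_at)

    def resolve(self, domain, now):
        hit = self.cache.get(domain)
        if hit is not None and now < hit[1]:
            return hit[0]                      # within TTL: possibly stale answer
        ip, ttl = self.zone.lookup(domain)
        self.cache[domain] = (ip, now + ttl)   # refresh from the zone
        return ip


def simulate_switch(ttl_seconds, switch_at=5, probe_times=(0, 10, 300, 610)):
    """Fill the cache at t=0, switch the zone to the high-defense IP at
    switch_at, then record which IP a terminal receives at each probe time."""
    zone = AuthoritativeZone({DOMAIN: (BUSINESS_IP, ttl_seconds)})
    resolver = CachingResolver(zone)
    answers = {}
    for t in sorted(set(probe_times) | {switch_at}):
        if t == switch_at:
            zone.records[DOMAIN] = (HIGH_DEFENSE_IP, ttl_seconds)
        if t in probe_times:
            answers[t] = resolver.resolve(DOMAIN, t)
    return answers


def stale_probes(ttl_seconds, switch_at=5, probe_times=(0, 10, 300, 610)):
    """Probe times after the switch at which the terminal still receives the
    business server's IP, i.e. still sends its traffic to the server under attack."""
    answers = simulate_switch(ttl_seconds, switch_at, probe_times)
    return [t for t, ip in answers.items() if t > switch_at and ip == BUSINESS_IP]


if __name__ == "__main__":
    print("TTL 600 s:", simulate_switch(600))   # stale until the record expires
    print("TTL 3 s:  ", simulate_switch(3))     # new IP already at t=10
```

The probe times are chosen so that one lands just past a 600-second TTL; with the longer ISP TTLs the page mentions (hours or days) the stale window grows accordingly, which is the delay the backup DNS mechanism below is designed to avoid.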
- The embodiment of the present application provides a distributed denial-of-service DDOS attack protection system, which includes at least a terminal and a business end.
- Figure 3 is a schematic diagram of the application scenario of an optional distributed denial-of-service DDOS attack protection system provided by an embodiment of the application.
- In the application scenario shown in Figure 3, the system is divided into the primary DNS side (including the primary DNS server operator and the primary DNS server), the local business side (including the business end and the business server), the terminal side (including the terminal), the cloud side (including the backup DNS server), and the high-defense server side (including the high-defense server).
- Figure 3 only provides an exemplary system architecture. In other application scenarios, more or fewer components than those of the system shown in Figure 3 may be configured, and/or some of them may be implemented in combination or separately.
- The distributed denial-of-service DDOS attack protection system provided by some vendors only includes the above-mentioned business end and terminal.
- The distributed denial-of-service DDOS attack protection system provided by other vendors may also include at least one of the following servers: a backup DNS server, a business server, and a high-defense server.
- the terminal side includes a terminal, and optionally, may also include other terminals.
- the terminal may be a terminal device with communication function such as a mobile phone or a tablet computer.
- the main DNS side includes a main DNS server (or a main DNS server cluster).
- The main DNS server is the DNS server used by the terminal by default; optionally, it can also be a DNS server set by the user or the terminal.
- the main DNS server can be managed and maintained by the main DNS server operator.
- The primary DNS server operator may be the local Internet service provider of the network where the terminal device carrying the client is located (for example, mobile, telecommunications, etc.). It should be noted that the primary DNS server operator mentioned in the embodiments of this application may refer to a software management platform that manages the primary DNS server, or a device equipped with that platform; the platform can be mounted on the managed primary DNS server or on other hardware devices that can communicate with the primary DNS server managed by the platform.
- the primary DNS server operator can be used to configure the primary DNS server.
- the primary DNS server is used to respond to the request for resolving the target domain name sent by the terminal, resolve the target domain name to obtain the IP address of the business server, and feed it back to the terminal.
- the client of the terminal can access the service server based on the IP address. For example, the terminal requests to access the domain name "www.xxxx.com", the main DNS server resolves the domain name to obtain the IP address corresponding to the business server as "111.11.1.111", and sends the resolved IP address to the terminal.
- the primary DNS server can be used as a domain name server for the terminal to request domain name resolution under the normal working condition of the service server without DDOS attack.
- The local business side can be a government/enterprise data center (DC), including a business end and a business server (or business server cluster).
- the business end is used to manage the business server, and it can be a software management platform mounted on the business server or other terminal devices that can communicate with the business server.
- the service server is used to exchange service data with the terminal. When the service server is not attacked by DDOS and can respond normally, the data exchange path is shown by the dotted line in Figure 3.
- The service server receives the service request data sent by the terminal and feeds back business response data to the terminal. For example, after receiving the IP address of the business server fed back by the main DNS server, the terminal can communicate with the business server based on that IP address and request access to the content of the directory where the domain name is located on the business server.
- When the service server is attacked by DDOS, the upstream bandwidth of the network outlet on the local business side will be heavily occupied, and the attack traffic can reach the level of terabytes, causing the business server to respond slowly to the terminal or stop responding, so that normal users cannot access the business.
- Whether the service server is attacked by DDOS can be judged by the business end based on the detection result of a status parameter (such as outlet bandwidth) of the local business side.
- The local business side shares a network exit. It can also deploy a bandwidth detection device (not shown in Figure 2), which mirrors the incoming traffic at the network exit by means of optical splitting and can sense the inbound bandwidth (uplink bandwidth) of the network outlet in real time.
- The business end can then judge whether the business server is under DDOS attack based on the status parameters detected by the bandwidth detection device: if the upstream bandwidth exceeds the threshold, the business server is determined to be under DDOS attack.
- A backup DNS server is added in this embodiment of the application.
- The backup DNS server is set on the cloud side and can be a cloud server or server cluster configured by the enterprise itself.
- the backup DNS server resolves the target domain name to the IP address of the high-defense server at least after the business server is attacked.
- The high-defense server performs traffic cleaning on all received data, retains the real business request data, cleans out the attack traffic data, and sends the cleaned data to the business server, thereby reducing the load on the network bandwidth of the business server.
- The client of the terminal is configured to send a domain name resolution request to the backup DNS server when an error occurs while the terminal accesses the service server (for example, an access timeout, a 404 error code, etc.).
- After the business end determines that the business server is under attack, it notifies the backup DNS server to set the resolution result of the target domain name to the IP address of the high-defense server.
- The backup DNS server backs up the domain name resolution data of the primary DNS server in real time and periodically synchronizes with the primary DNS server. After the business server is attacked, the business end notifies the backup DNS server to change the resolved IP address of the relevant domain names of the business server (at least including the target domain name) to the IP address of the high-defense server.
- the TTL time of the backup DNS server can be set to a shorter period, for example, 3 seconds, thereby reducing the waiting time for the backup DNS server to modify the IP address.
- Alternatively, a resolution record is added to the backup DNS server that resolves the target domain name (or a related domain name including the target domain name) to the IP address of the high-defense server, and the priority of this record is set higher than that of the original resolution record (which resolves the target domain name to the IP address of the business server), so that resolution requests for the target domain name sent to the backup DNS server are resolved to the IP address of the high-defense server first.
- After the business end notifies the backup DNS server to set the resolution result of the target domain name to the IP address of the high-defense server, if the business end determines that the backup DNS server has done so, the business end notifies the operator of the primary DNS server, so that the operator notifies the primary DNS server to block (black out) the IP address of the business server.
- After the IP address of the business server is blacked out in the main DNS server, other terminals cannot obtain the IP address of the business server when requesting the main DNS server to resolve the target domain name, cannot find the business server corresponding to the target domain name, and therefore do not establish connections with it and do not occupy its upstream bandwidth.
- These terminals will also trigger access to the backup DNS server, request it to resolve the target domain name, and obtain the IP address of the high-defense server.
- When the business side determines that the business server is no longer under DDOS attack, it informs the operator of the primary DNS server so that the operator informs the primary DNS server to unblock the IP address of the business server.
- After the blackout is lifted, other terminals that send resolution requests to the main DNS server obtain the IP address of the service server and can exchange service data with it, so that the service server gradually resumes its normal working state.
- a trigger mechanism for changing the DNS server is set in the client terminal of the terminal in advance, and when the terminal senses an error in accessing the target domain name, it triggers a request for the backup DNS server to resolve the target domain name.
- The backup DNS server resolves the domain name to the IP address of the high-defense server, so the terminal sends the service request data it intended for the service server to the high-defense server instead, and the high-defense server cleans the service request data sent by the terminal.
- The cleaned data is forwarded to the service server, the service server sends the service response data for the cleaned data to the high-defense server, and the high-defense server forwards it to the terminal, realizing the normal business logic.
- the trigger mechanism for changing the DNS server can be executed by the client-integrated SDK function installed in the terminal.
- a client integrated with the SDK function is installed in the terminal.
- the client is used to access the target domain name.
- The client can be an application, for example a browser APP or a video app based on the Android system. The client is integrated with SDK functions; since the SDK functions can be integrated in different clients, this facilitates the implementation of the embodiments of the present application.
- The SDK function is used to configure the terminal to send a resolution request containing the target domain name to the backup DNS server when it is determined that there is an error in accessing the business server.
- The SDK encapsulates the domain name, terminal identification, access error code and other information in the protocol information format, and sends the encapsulated resolution request to the backup DNS server.
- If the backup DNS server has not yet completed the IP address modification at this time and still resolves the target domain name to the IP address of the business server, the client will still fail to access the business server, and the SDK function integrated in the client continues to send the resolution request to the backup DNS server until the backup DNS server resolves the target domain name to the IP address of the high-defense server.
- the backup DNS server can quickly switch the IP address, and the terminal does not request the primary DNS server to resolve the target domain name, so there is no need to wait for the long TTL time of the primary DNS server.
- The business side detects the attack within 1 second; the business side informs the backup DNS server to switch to the high-defense server's IP address within 2 seconds; the main DNS server blocks the business server's IP address within 3 seconds.
- The perception time of the terminal ranges from slow or failed access to the business server, through the access timeout that triggers the backup DNS mechanism, to receiving the resolved IP address of the high-defense server and accessing the high-defense server, so that the business is accessed normally. In testing, the entire process for the terminal is shortened from 2 to 10 minutes or even longer to less than 12 seconds.
- The method for the business side to notify the backup DNS server can be any of the following: (1) the business side only notifies the backup DNS server of the domain name whose resolved IP address needs to be modified, and the backup DNS server is pre-configured with the IP address of the high-defense server; (2) after the service server is attacked, the business side informs the backup DNS server of both the domain name whose IP address needs to be modified and the IP address of the high-defense server; or the business side enables a mapping, pre-configured in the backup DNS server, between the IP address of the high-defense server and the target domain name, etc. This is not specifically limited in the embodiment of the present application and can be configured according to actual conditions.
- FIG. 4 is a schematic diagram of the application scenario of another optional distributed denial-of-service DDOS attack protection system provided by an embodiment of the application. Compared with the system provided in Embodiment 1, a dispatch end is added on the cloud side, as shown in Figure 4.
- The dispatch end serves as the dispatch center of the backup DNS server.
- When the business end detects that the outlet bandwidth of the business server is occupied, it notifies the dispatch end, and the dispatch end notifies the backup DNS server to change the resolved IP address of the domain name to the IP address of the high-defense server.
- The dispatch end can determine whether the backup DNS server has set the resolution result of the target domain name to the IP address of the high-defense server. Optionally, after the dispatch end confirms that the backup DNS server has done so, the dispatch end informs the operator of the main DNS server, so that the operator informs the main DNS server to black out the IP address of the business server, as shown by the communication link in Figure 4; alternatively, the dispatch end informs the business end, and the business end informs the operator of the primary DNS server to black out the address (the corresponding communication link is not shown in Fig. 4).
- When the attack stops, the business end can notify the dispatch end, and the dispatch end notifies the operator of the primary DNS server to unblock the IP address of the business server.
- The dispatch end can also manage the backup DNS server so that it continues to synchronize resolution records from the primary DNS server, keeping the resolution records in the backup DNS server in sync with those of the primary DNS server.
- FIG. 5 is a schematic diagram of the application scenario of another optional distributed denial-of-service DDOS attack protection system provided by an embodiment of the application. Compared with the system provided in Embodiment 2, a local protection platform is added to the local business side.
- When the business end determines that the upstream bandwidth of the network outlet on the local business side (upstream being the link direction from the terminal to the business server) is below a preset threshold, the local protection platform cleans the traffic; only after the upstream bandwidth rises above the preset threshold does the business end switch to the high-defense server for traffic cleaning.
- The system provided in this embodiment can prevent frequent switching to the high-defense server, reduce the number of such switches, and thereby reduce the number of service interruptions.
- The preset threshold is configured to be 80% of the bandwidth at the business end (optionally, the percentage of the bandwidth used as the threshold can be adjusted according to the actual situation). If the preset bandwidth threshold is not reached, the attack is considered not to have exceeded what the local bandwidth can bear, and there is no need to switch to a high-defense server; within the preset threshold, protection can be performed locally.
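The threshold decision of Embodiment 3, as an added example that is not part of the patent: the business end classifies each inbound-bandwidth sample from the mirror port against the 80% threshold from the page and only escalates to the high-defense server above it. The link capacity, the per-second samples and the "calm" window used to decide that an attack has stopped are constructed assumptions; the page itself leaves attack-end detection to the business end or to manual judgement. Running the same samples with a lower threshold shows the extra switches that the local protection stage avoids.

```python
"""Added example (not from the patent): the upstream-bandwidth threshold
decision of Embodiment 3, run over constructed per-second samples from the
mirror port. Link capacity, the samples and the calm window are assumptions."""

LINK_CAPACITY_MBPS = 10_000   # constructed: 10 Gbps upstream at the local network exit
THRESHOLD_RATIO = 0.80        # the page's example: switch above 80% of the bandwidth
CALM_SECONDS = 3              # constructed: consecutive below-threshold samples after
                              # which the attack is treated as over and local mode resumes

# Constructed inbound-bandwidth samples (Mbps, one per second): two small bursts
# that local protection can absorb, then one burst that exceeds the threshold.
SAMPLES = [500, 6000, 3000, 3000, 3000, 6500, 3000, 3000, 3000,
           9000, 9500, 3000, 3000, 3000, 500]


def classify(sample_mbps, capacity=LINK_CAPACITY_MBPS, ratio=THRESHOLD_RATIO):
    """'switch' when inbound bandwidth exceeds the preset threshold, else 'local'."""
    return "switch" if sample_mbps > capacity * ratio else "local"


def decide(samples, capacity=LINK_CAPACITY_MBPS, ratio=THRESHOLD_RATIO, calm=CALM_SECONDS):
    """Walk the samples and return (mode after each sample, number of switches
    to the high-defense server). Modes: 'local' (local protection cleans the
    traffic) or 'high_defense' (traffic redirected via the backup DNS server)."""
    modes, switches, calm_count, mode = [], 0, 0, "local"
    for s in samples:
        if classify(s, capacity, ratio) == "switch":
            if mode != "high_defense":
                switches += 1          # business end notifies the backup DNS (step 203)
            mode, calm_count = "high_defense", 0
        elif mode == "high_defense":
            calm_count += 1
            if calm_count >= calm:     # attack over (step 207): unblock, back to local
                mode, calm_count = "local", 0
        modes.append(mode)
    return modes, switches


if __name__ == "__main__":
    _, with_local = decide(SAMPLES)             # 80% threshold: one switch
    _, eager = decide(SAMPLES, ratio=0.50)      # lower threshold: three switches
    print(f"switches at 80%: {with_local}, at 50%: {eager}")
```

A real deployment would feed `decide` from the bandwidth detection device's counters rather than a list, but the decision logic is the same: the threshold governs escalation, and the calm window governs when the primary DNS blackout can be lifted.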
- The distributed denial-of-service DDOS attack protection system may also include an authoritative DNS server for the target domain name, which may be set on the local business side and is used to provide authoritative resolution for the target domain name.
- The authoritative DNS server for the target domain name can also provide authoritative resolution for other domain names, for example other domain names corresponding to the business server of the target domain name, or domain names corresponding to other business servers, etc.
- When the backup DNS server synchronizes, the resolution records are then synchronized not from the primary DNS server but from the authoritative DNS server. When the service server is under attack, at least the resolved IP address of the target domain name in the backup DNS server is modified to the IP address of the high-defense server.
- the terminal may be a mobile terminal such as a mobile phone or a tablet computer, and a client may be installed in the terminal.
- The terminal side may also include an attack terminal, which may be carried on devices such as computers, cloud hosts, and IoT (Internet of Things) devices.
- The local business side can be the data center of the enterprise; the enterprise can build its own computer room or lease one, and deploy its own network equipment, security equipment, business servers, application systems, etc. in order to provide services to users, who can access the enterprise's data center via the Internet through the terminal.
- An enterprise can have multiple data centers.
- Since the backup DNS server is deployed on the cloud side, stable communication between the backup DNS server and the terminal can be ensured even when the local business side is attacked and its uplink bandwidth is occupied.
- The embodiment of the present application also provides a protection method for a distributed denial of service DDOS attack, which can be executed by the distributed denial of service DDOS attack protection system provided by the embodiment of the present application.
- an embodiment of the present application provides a sequence diagram of a protection method for distributed denial of service DDOS attacks as shown in FIG. 6, which specifically includes the following steps:
- Step 101 The terminal receives an operation request for accessing the target domain name
- Step 102 The terminal sends a resolution request of the target domain name to the primary DNS server;
- Step 103 The main DNS server returns the IP address of the service server to the terminal;
- Step 104 The terminal sends service request data to the service server;
- Step 105 When the service server is attacked by DDOS, the terminal gets an access error; the direction of step 105 in FIG. 5 indicates that when the service server is attacked by DDOS, the service side may not respond to the terminal, or responds slowly.
- Step 106 The terminal sends a resolution request of the target domain name to the alternate DNS server.
- The business end performs step 201 on the business server in real time in a preset period: detecting in real time whether the business server is attacked;
- Step 202 The business end detects that the business server is attacked;
- Step 203 After detecting the attack, the business end notifies the backup DNS server to resolve the target domain name to the IP address of the high-defense server.
- After step 106 and step 203, the backup DNS server executes step 107 and returns the IP address of the high-defense server to the terminal;
- Step 108 The terminal sends service request data to the IP address of the high defense server
- Step 109 The high defense server performs traffic cleaning on the service request data
- Step 110 The high defense server sends the cleaned data to the business server;
- Step 111 The service server returns service response data to the high defense server
- Step 112 The service server forwards the service response data to the terminal.
- Step 204 The backup DNS server notifies the business side that the setting is successful.
- Step 205 The business end notifies the operator of the primary DNS server, so that the primary DNS server operator informs the primary DNS server to block the IP address of the business server in the primary DNS server.
- Step 206 The main DNS server operator notifies the main DNS server to block the IP address of the service server.
- Step 207 Since the business end detects in real time whether there is an attack, it can also detect when the attack stops.
- Step 208 The business end notifies the operator of the primary DNS server, so that the primary DNS server operator notifies the primary DNS server to unblock the IP address of the business server.
- Step 209 The operator of the primary DNS server notifies the primary DNS server to remove the blackout.
- The stop of the attack detected in step 207 may also be judged manually.
- An embodiment of the present application provides a sequence diagram of a method for protecting against distributed denial of service DDOS attacks as shown in FIG. 7. Since the system provided in Embodiment 2 adds a dispatch end compared to the system provided in Embodiment 1, this embodiment differs from the method provided in Embodiment 4 in steps 203, 204, 205 and 208, and step 207' is added: the business end notifies the dispatch end that the attack has stopped. In step 203, after detecting the attack, the business end notifies the dispatch end, and the dispatch end notifies the backup DNS server to modify the resolved IP address. In steps 204, 205 and 208, what was executed by the business end is instead executed by the dispatch end.
- An embodiment of the present application provides a method for protecting against distributed denial of service DDOS attacks whose sequence diagram is shown in FIG. 8. Since the system provided in Embodiment 3 adds local protection compared to the system provided in Embodiment 2, after the business end performs step 201 to detect in real time whether the business server is attacked, steps 2011 and 2012 are added to the method provided in Embodiment 4: if the business end detects that the upstream traffic is below the preset threshold, the local protection cleans the incoming traffic; once the business end detects that the upstream traffic is above the preset threshold, it determines that the business server is under attack.
- The embodiment of the application also provides a domain name access method applied to the above-mentioned terminal during a distributed denial of service DDOS attack.
- the method provided in this embodiment may include the following steps:
- Step 301: Determine that an operation request to access the business server corresponding to the target domain name has been received;
- Step 302: Send the resolution request for the target domain name to the primary DNS server;
- Step 303: Obtain the IP address of the business server corresponding to the target domain name, as resolved by the primary DNS server;
- Step 304: Send the service request data to the IP address of the business server;
- Step 305: Determine that an error occurred when accessing the business server;
- Step 306: Send the resolution request for the target domain name to the backup DNS server;
- Step 307: Obtain the IP address of the high defense server, as resolved by the backup DNS server for the target domain name;
- Step 308: Send the service request data to the IP address of the high defense server.
- In step 302, when sending the resolution request for the target domain name to the backup DNS server, the integrated target SDK function is called to perform the following: encapsulate the information including the target domain name in the target information format to obtain the resolution request, and send the resolution request to the backup DNS server.
- The information carried in the resolution request further includes the identifier of the terminal and/or the error code returned when accessing the IP address of the business server.
- The method further includes:
- Step 3071: Obtain the IP address of the business server resolved by the backup DNS server for the target domain name, where the backup DNS server sets the resolution address of the target domain name to the IP address of the business server before the business server is determined to be under DDOS attack;
- Step 3072: Send the service request data to the IP address of the business server;
- Step 3073: If it is determined that accessing the business server failed, retry sending the resolution request for the target domain name to the backup DNS server.
- Access to the target domain name may be executed by a client installed in the terminal.
- After step 308 has sent the service request data to the IP address of the high defense server, two cases are distinguished. If the terminal's client has not been closed and an operation request to access the target domain name is received again, the resolution request for the target domain name is sent to the backup DNS server; this prevents the terminal from interrupting the service because of the IP address switch and improves the user experience. If the client has been closed and restarted, the resolution request for the target domain name is sent to the primary DNS server, so that once the DDOS attack on the business server has stopped, business data is exchanged with the IP address of the business server again.
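The terminal-side procedure above (steps 301 to 308, the retry of steps 3071 to 3073, and the client-open versus client-restarted behaviour) as an added Python example; it is not code from the patent or from the applicant. The two DNS servers, the network stand-in, the terminal identifier, the error code and the addresses are constructed for the example, and `build_resolution_request` uses a plain dict as a stand-in for the patent's unspecified "target information format".

```python
"""Terminal-side DNS failover: primary DNS first, backup DNS on access error.

Added example; every server, address and identifier below is constructed.
"""

# Constructed sample values (RFC 5737 documentation ranges, not real hosts).
TARGET_DOMAIN = "shop.example"
BUSINESS_IP = "192.0.2.10"
HIGH_DEFENSE_IP = "198.51.100.20"


class AccessError(Exception):
    """Raised when sending service data to an IP address fails (step 305)."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


class Network:
    """Stand-in for the business server and the high defense server."""

    def __init__(self, under_attack=False):
        self.under_attack = under_attack

    def send(self, ip, data):
        # While the business server is flooded, direct access to it fails;
        # the high defense server keeps answering.
        if ip == BUSINESS_IP and self.under_attack:
            raise AccessError("ETIMEDOUT")
        return f"ok from {ip}: {data}"


class PrimaryDNS:
    """Primary DNS; its (cached) answer keeps pointing at the business server."""

    def __init__(self):
        self.queries = 0

    def resolve(self, domain):
        self.queries += 1
        return BUSINESS_IP


class BackupDNS:
    """Backup DNS; answers the business IP until the business end has switched it."""

    def __init__(self, switched=False):
        self.switched = switched
        self.requests = []  # every encapsulated request it received

    def resolve(self, request):
        self.requests.append(request)
        return HIGH_DEFENSE_IP if self.switched else BUSINESS_IP


def build_resolution_request(domain, terminal_id, error_code=None):
    """SDK encapsulation in the 'target information format' (assumed to be a dict here)."""
    request = {"domain": domain, "terminal_id": terminal_id}
    if error_code is not None:
        request["error_code"] = error_code  # error seen when accessing the business IP
    return request


class Terminal:
    def __init__(self, terminal_id, primary, backup, net, max_retries=3):
        self.terminal_id = terminal_id
        self.primary = primary
        self.backup = backup
        self.net = net
        self.max_retries = max_retries
        self.client_prefers_backup = False  # set once a backup-DNS answer worked

    def access(self, domain, data):
        """Steps 301-308, with the retry of 3071-3073 while the backup has not switched."""
        last_error = None
        if not self.client_prefers_backup:
            ip = self.primary.resolve(domain)          # steps 302/303
            try:
                return self.net.send(ip, data)         # step 304
            except AccessError as e:                   # step 305
                last_error = e.code
        for _ in range(self.max_retries):
            request = build_resolution_request(domain, self.terminal_id, last_error)
            ip = self.backup.resolve(request)          # steps 306/307 (3071 if not switched)
            try:
                result = self.net.send(ip, data)       # step 308 (3072)
                self.client_prefers_backup = True      # client still open: keep using backup DNS
                return result
            except AccessError as e:                   # 3073: retry the backup resolution
                last_error = e.code
        raise AccessError(last_error)

    def restart_client(self):
        """After the client is closed and restarted, ask the primary DNS first again."""
        self.client_prefers_backup = False


def simulate(under_attack, backup_switched):
    """Run one access; return (result or 'error:<code>', primary queries, backup queries)."""
    net = Network(under_attack)
    primary, backup = PrimaryDNS(), BackupDNS(backup_switched)
    terminal = Terminal("term-0001", primary, backup, net)
    try:
        outcome = terminal.access(TARGET_DOMAIN, "GET /")
    except AccessError as e:
        outcome = "error:" + e.code
    return outcome, primary.queries, len(backup.requests)
```

`simulate(True, False)` shows the failure mode the retry in step 3073 exists for: the terminal keeps asking the backup DNS, which still answers the business IP, and gives up only after `max_retries`; `simulate(True, True)` shows the switch succeeding without the primary DNS being consulted a second time.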
- the embodiment of the present application also provides an embodiment of a method for protecting against a distributed denial of service DDOS attack applied to the business end.
- the method provided in this embodiment includes the following steps:
- Step 601: Determine that the business server corresponding to the target domain name is under DDOS attack;
- Step 602: Notify the backup DNS server to set the resolution result of the target domain name to the IP address of the high defense server, so that a resolution request for the target domain name sent to the backup DNS server is resolved to the IP address of the high defense server.
- The backup DNS server is used to back up the domain name resolution data of the primary DNS server at a preset period.
- The high defense server is used to perform traffic cleaning on the service request data sent by the terminal, forward the cleaned data to the business server, and forward the service response data returned by the business server for the cleaned data to the corresponding terminal.
- The operator of the primary DNS server may also be notified, so that the operator informs the primary DNS server to block the IP address of the business server.
- The method further includes:
- Step 6011: Determine that the business server is no longer under DDOS attack;
- Step 6012: Notify the operator of the primary DNS server, so that the operator informs the primary DNS server to unblock the IP address of the business server.
- The business end shares the network exit with the business server.
- The communication priority of the blocking notification and the unblocking notification sent by the business end to the primary DNS server can be configured to be at least higher than the communication priority between the business server and the terminal. Even when the exit bandwidth of the business server is congested, messages between the business end and the primary DNS server can still be transmitted preferentially.
- An optional implementation of notifying the backup DNS server to set the resolution result of the target domain name to the IP address of the high defense server is to notify the dispatch end, which in turn informs the backup DNS server to change the resolved IP address of the domain name to the IP address of the high defense server.
- The dispatch end is used to notify the backup DNS server to set the resolution result of the target domain name to the IP address of the high defense server according to preset configuration information, where the preset configuration information includes the IP address of the high defense server.
- The business end may send information such as the attacked domain name, the attacked IP address, the attack type and the attack time to the dispatch end.
- The dispatch end then notifies the backup DNS server to set the resolution result of the target domain name to the IP address of the high defense server according to the preset configuration information.
- The method may further include the following steps:
- Step 701: The dispatch end determines that the backup DNS server has set the resolution result of the target domain name to the IP address of the high defense server;
- Step 702: The dispatch end notifies the operator of the primary DNS server, instructing the operator to notify the primary DNS server to block the IP address of the business server.
- An optional implementation of how the backup DNS server sets the IP address of the high defense server is to perform the following steps after the backup DNS server has been notified to set the resolution result of the target domain name to the IP address of the high defense server:
- Step 801: The backup DNS server adds a new resolution record mapping the target domain name to the IP address of the high defense server;
- Step 802: The backup DNS server sets the priority of the newly added resolution record higher than that of the resolution record backed up from the primary DNS server.
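The business-end side of steps 601/602 and 6011/6012, together with the backup DNS record handling of steps 801/802, as an added Python example that is not part of the patent text. The uplink threshold, the zone data, the addresses and the sample bandwidth readings are constructed; withdrawing the override record when the attack stops is an assumption, since the page only describes the unblock notification to the operator.

```python
"""Business-end attack determination and backup-DNS record priority.

Added example; threshold, zone data and addresses are constructed.
"""
from dataclasses import dataclass

TARGET_DOMAIN = "shop.example"
BUSINESS_IP = "192.0.2.10"         # constructed, RFC 5737 range
HIGH_DEFENSE_IP = "198.51.100.20"  # constructed, RFC 5737 range


@dataclass
class Record:
    name: str
    ip: str
    priority: int   # higher value wins at resolution time (step 802)
    source: str     # "primary-copy" or "override"


class BackupDNS:
    """Periodic copy of the primary zone plus override records set by the business end."""

    def __init__(self):
        self.records = []

    def sync_from_primary(self, zone):
        """Preset-period backup of the primary DNS data; never touches override records."""
        self.records = [r for r in self.records if r.source != "primary-copy"]
        self.records += [Record(n, ip, 0, "primary-copy") for n, ip in zone.items()]

    def set_override(self, name, ip):
        """Steps 801/802: add name -> ip ranked above the record copied from the primary."""
        self.remove_override(name)
        top = max((r.priority for r in self.records if r.name == name), default=0)
        self.records.append(Record(name, ip, top + 1, "override"))

    def remove_override(self, name):
        self.records = [r for r in self.records
                        if not (r.name == name and r.source == "override")]

    def resolve(self, name):
        candidates = [r for r in self.records if r.name == name]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.priority).ip


class BusinessEnd:
    """Watches the business server's uplink and drives the switch (601/602, 6011/6012)."""

    def __init__(self, backup_dns, threshold_mbps):
        self.backup_dns = backup_dns
        self.threshold_mbps = threshold_mbps
        self.under_attack = False
        self.operator_notices = []  # what was sent to the primary DNS operator

    def observe_uplink(self, mbps, at):
        if mbps > self.threshold_mbps and not self.under_attack:
            # Step 601: uplink bandwidth exceeds the preset threshold -> DDOS determined.
            self.under_attack = True
            # Step 602: make the backup DNS answer with the high defense server's address.
            self.backup_dns.set_override(TARGET_DOMAIN, HIGH_DEFENSE_IP)
            # Ask the primary DNS operator to block the business server's address.
            self.operator_notices.append(("block", BUSINESS_IP, at))
        elif mbps <= self.threshold_mbps and self.under_attack:
            # Step 6011: the attack has stopped; step 6012: ask the operator to unblock.
            self.under_attack = False
            self.operator_notices.append(("unblock", BUSINESS_IP, at))
            # Assumption: the override is withdrawn so the backup answers the business IP again.
            self.backup_dns.remove_override(TARGET_DOMAIN)
        return self.under_attack


def simulate(uplink_samples_mbps, threshold_mbps=800):
    """Return (IP resolved by the backup DNS after each sample, operator notices)."""
    backup = BackupDNS()
    backup.sync_from_primary({TARGET_DOMAIN: BUSINESS_IP})
    business_end = BusinessEnd(backup, threshold_mbps)
    resolved = []
    for i, mbps in enumerate(uplink_samples_mbps):
        business_end.observe_uplink(mbps, at=i)
        backup.sync_from_primary({TARGET_DOMAIN: BUSINESS_IP})  # periodic copy keeps running
        resolved.append(backup.resolve(TARGET_DOMAIN))
    return resolved, business_end.operator_notices
```

The periodic `sync_from_primary` call inside the loop is the point of step 802: because the override record outranks the copied record, the next backup from the primary DNS (which still maps the domain to the business server) does not undo the switch.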
- Fig. 9 is a schematic block diagram of an optional domain name access device against distributed denial of service DDOS attacks according to an embodiment of the present application. It should be understood that the device can execute the method embodiment provided in Embodiment 7 and the steps of its optional implementations, and can be applied to the terminal of the foregoing system embodiment. To avoid repetition, it is not described in detail here.
- The domain name access device against distributed denial of service DDOS attacks shown in FIG. 9 includes: a receiving module 11, a first sending module 12, a second sending module 13, a determining module 14, a third sending module 15 and a fourth sending module 16.
- The receiving module is used to receive an operation request to access the business server corresponding to the target domain name; the first sending module is used to send a resolution request containing the target domain name to the primary DNS server in response to the operation request; the second sending module is used to send the service request data to the business server according to the IP address of the business server corresponding to the target domain name fed back by the primary DNS server; the determining module is used to determine that access to the business server has failed when the business server is under DDOS attack; the third sending module is used to send the resolution request containing the target domain name to the backup DNS server; the fourth sending module is used to send the service request data to the high defense server according to the IP address of the high defense server corresponding to the target domain name fed back by the backup DNS server; where, when the business server is under DDOS attack, the backup DNS server is configured to resolve the target domain name to the IP address of the high defense server.
- The trigger mechanism set in the terminal requests resolution from the backup DNS server when an access error is sensed, without requesting resolution from the primary DNS server, so there is no need to wait for the aging time of the DNS cache server. This enables the terminal to quickly obtain the IP address of the high defense server and solves the technical problem of long service interruption time when switching to the high defense server in the prior art.
- The device further includes: a configuration module, configured to configure the terminal to send the resolution request containing the target domain name to the backup DNS server when access to the business server fails.
- The configuration module is an SDK function integrated into the client installed in the terminal.
- Using an encapsulated SDK function to execute the backup DNS server trigger mechanism facilitates integrating the SDK function into other applications.
- The configuration module includes: an encapsulation unit, configured to encapsulate the information of the target domain name in a target information format to obtain the resolution request sent to the backup DNS server.
- The information carried in the resolution request further includes the identifier of the terminal and/or the error code returned when accessing the IP address of the business server.
- The resolution request received by the backup DNS server therefore contains more information, which can be used for subsequent analysis.
- The device further includes: a fifth sending module, configured to, after the resolution request containing the target domain name is sent to the backup DNS server and before the service request data is sent according to the IP address of the high defense server corresponding to the target domain name resolved by the backup DNS server, send the service request data to the business server according to the IP address of the business server obtained by the backup DNS server resolving the target domain name; where the backup DNS server is used to set the resolution address of the target domain name to the IP address of the business server while the business server is not under DDOS attack, and to feed back the IP address of the business server to the terminal if the resolution address of the target domain name has not yet been successfully set to the IP address of the high defense server; and a sixth sending module, configured to send the resolution request containing the target domain name to the backup DNS server again when it is determined that access to the business server has failed.
- This covers the case where the terminal sends a resolution request to the backup DNS server before the backup DNS server has switched to the IP address of the high defense server: retrying the resolution request to the backup DNS server improves the access success rate.
- Access to the target domain name is executed by a client installed in the terminal, and the device further includes: a seventh sending module, configured to, after the service request data is sent to the high defense server and while the client has not been closed, send the resolution request containing the target domain name to the backup DNS server if an operation request to access the target domain name is received.
- Access to the target domain name is executed by a client installed in the terminal, and the device further includes: an eighth sending module, configured to, after the service request data is sent to the high defense server and when the client is restarted after being closed, send the resolution request containing the target domain name to the primary DNS server if an operation request to access the target domain name is received.
- The domain name access device against distributed denial of service DDOS attacks provided in the foregoing embodiment is embodied in the form of functional modules or functional units.
- The term "unit" or "module" herein can be implemented in the form of software and/or hardware, and there is no specific limitation on this.
- A "unit" or "module" can be a software program, a hardware circuit, or a combination of the two that realizes the above-mentioned functions.
- Hardware circuits may include application specific integrated circuits (ASICs), electronic circuits, processors used to execute one or more software or firmware programs (such as shared processors, proprietary processors, or group processors) and memory, merged logic circuits, and/or other suitable components that support the described functions.
- the units of the examples described in the embodiments of the present application can be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether these functions are performed by hardware or software depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered as going beyond the scope of the embodiments of the present application.
- Fig. 10 is a schematic block diagram of an optional device for protecting against distributed denial of service DDOS attacks according to an embodiment of the present application. It should be understood that the device can execute each step of the method embodiment provided in Embodiment 8 and its optional implementations; to avoid repetition, details are not described here again.
- The device for protecting against distributed denial of service DDOS attacks shown in FIG. 10 includes a determining module 21 and a first notification module 22.
- The determining module is used to determine that the business server corresponding to the target domain name in the resolution request sent by the terminal to the primary DNS server is under DDOS attack; the first notification module is used to notify the backup DNS server to resolve the target domain name to the IP address of the high defense server, so that a terminal that sent a resolution request containing the target domain name to the primary DNS server, after instead sending a resolution request containing the target domain name to the backup DNS server, obtains the IP address of the high defense server corresponding to the target domain name as resolved by the backup DNS server.
- A backup DNS server is added.
- The backup DNS server modifies the resolved IP address, so that the terminal requests resolution from the backup DNS server when it senses an access error. There is no need to request resolution from the primary DNS server, and hence no need to wait for the aging time of the DNS cache server; the terminal can quickly obtain the IP address of the high defense server, which solves the technical problem of long service interruption time when switching to the high defense server in the prior art.
- The determining module includes: a determining unit, configured to determine that the uplink bandwidth of the business server exceeds a preset threshold.
- The device further includes: a second notification module, configured to notify the operator of the primary DNS server after the backup DNS server has been notified to resolve the target domain name to the IP address of the high defense server, so that the operator informs the primary DNS server to block the IP address of the business server.
- The device further includes: a third notification module, configured to notify the operator of the primary DNS server when the DDOS attack on the business server has stopped, so that the operator informs the primary DNS server to unblock the IP address of the business server.
- The business end and the business server share the network exit, and the communication priority of the notification message sent by the business end to the operator of the primary DNS server is configured to be at least higher than the communication priority between the business server and the terminal.
- The first notification module includes: a notification unit, configured to instruct the dispatch end so that the dispatch end notifies the backup DNS server to resolve the target domain name to the IP address of the high defense server.
- the protection device against distributed denial of service DDOS attacks is embodied in the form of functional modules or functional units.
- the term “unit” or “module” herein can be implemented in the form of software and/or hardware, and there is no specific limitation on this.
- “unit” or “module” can be a software program, a hardware circuit, or a combination of the two that realize the above-mentioned functions.
- Hardware circuits may include application specific integrated circuits (ASICs), electronic circuits, and processors used to execute one or more software or firmware programs (such as shared processors, proprietary processors, or group processors, etc.) And memory, merging logic circuits, and/or other suitable components that support the described functions.
- the units of the examples described in the embodiments of the present application can be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether these functions are performed by hardware or software depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered as going beyond the scope of the embodiments of the present application.
- the embodiment of the present application also provides a communication device.
- the domain name access method for distributed denial of service DDOS attack applied to the terminal provided in the embodiment of the present application can be executed by the communication device provided in the eleventh embodiment.
- Fig. 11 is a schematic structural diagram of an optional communication device.
- the communication device shown in FIG. 11 may be a communication device such as a mobile phone and a tablet computer.
- the communication device 900 includes a processor 910 and a transceiver 920.
- the communication device 900 may further include a memory 930.
- the processor 910, the transceiver 920, and the memory 930 can communicate with each other through an internal connection path to transfer control and/or data signals.
- The memory 930 is used to store computer programs, and the processor 910 is used to call and run the computer program from the memory 930.
- the communication device 900 may further include an antenna 940 for transmitting the wireless signal output by the transceiver 920.
- the above-mentioned processor 910 and the memory 930 may be integrated into a processing device, and more commonly, are components independent of each other.
- the processor 910 is configured to execute the program code stored in the memory 930 to implement the above-mentioned functions.
- the memory 930 may also be integrated in the processor 910, or independent of the processor 910.
- the communication device 900 may also include one or more of an input unit 960, a display unit 970, an audio circuit 980, a camera 990, and a sensor 901.
- The audio circuit 980 may also include a speaker 982, a microphone 984, and so on.
- the display unit 970 may include a display screen, and the display screen may be a touch-sensitive display screen, and the touch-sensitive display screen may receive a touch operation to determine whether an operation request to access the target domain name is received.
- the aforementioned communication device 900 may further include a power supply 950 for providing power to various devices or circuits in the communication device.
- the communication device 900 shown in FIG. 11 can implement each process of the method provided in Embodiment 7.
- the operations and/or functions of the various modules in the communication device 900 are respectively intended to implement the corresponding processes in the foregoing method embodiments.
- The processor 910 in the communication device 900 shown in FIG. 11 may be a system-on-chip (SOC); the processor 910 may include a central processing unit (CPU) and may further include other types of processor, for example a graphics processing unit (GPU).
- each part of the processor or processing unit inside the processor 910 can cooperate to implement the previous method flow, and the corresponding software program of each part of the processor or processing unit can be stored in the memory 930.
- the embodiment of the present application also provides a communication device.
- the method for protecting against distributed denial of service DDOS attacks applied to the business end provided in the embodiment of the present application can be executed by the communication device provided in the twelfth embodiment.
- FIG. 12 is a schematic structural diagram of an optional communication device.
- the communication device 1200 includes: one or more processors 1202; a memory 1203; a communication module 1201; and one or more computer programs 1204.
- The above-mentioned components may be connected through one or more communication buses 1005.
- The one or more computer programs 1204 are stored in the memory 1203 and are configured to be executed by the one or more processors 1202; the one or more computer programs 1204 include instructions, and the instructions can be used to execute each step performed by the smart home device in the above embodiment.
- the communication device 1200 shown in FIG. 12 may be a communication device such as a computer, a personal computer, a workstation, and a server.
- the communication device 1200 shown in FIG. 12 can implement each process of the method provided in Embodiment 8.
- the operation and/or function of each module in the communication device 1200 is to implement the corresponding process in the foregoing method embodiment.
- the embodiments of the present application also provide a computer-readable storage medium in which a computer program is stored, and when the computer program is run on a computer, the computer executes the method described in the above-mentioned embodiment.
- embodiments of the present application also provide a computer program product, which includes a computer program, which when running on a computer, causes the computer to execute the method described in the foregoing embodiment.
- the computer may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- When implemented in software, it can be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
- the computer instructions may be transmitted from a website, computer, server, or data center.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
- the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Claims (38)
- 一种分布式拒绝服务DDOS攻击的防护方法,其特征在于,所述方法包括:终端将包含目标域名的解析请求发送至主域名解析系统DNS服务器;所述终端根据所述主DNS服务器反馈的所述目标域名对应的业务服务器的互联网协议IP地址,向所述业务服务器发送业务请求数据;在所述业务服务器受到DDOS攻击的情况下,所述终端访问所述业务服务器出错;所述终端将包含所述目标域名的解析请求发送至备份DNS服务器;所述备份DNS服务器将所述目标域名解析为高防服务器的IP地址;其中,在所述业务服务器受到DDOS攻击的情况下,业务端通知所述备份DNS服务器将针对所述目标域名的解析地址设置为所述高防服务器的IP地址;所述终端根据所述备份DNS服务器反馈的所述高防服务器的IP地址,向所述高防服务器发送所述业务请求数据。
- 如权利要求1所述的方法,其特征在于,在所述终端向所述高防服务器发送所述业务请求数据之后,所述方法还包括:所述高防服务器对所述终端发送的所述业务请求数据执行流量清洗,将清洗后的数据转发至所述业务服务器,并将所述业务服务器反馈的业务响应数据转发至所述终端。
- 如权利要求1所述的方法,其特征在于,访问所述目标域名由所述终端中安装的客户端执行,在所述终端向所述高防服务器发送所述业务请求数据之后,所述方法还包括:在所述客户端未关闭的情况下,如果所述终端接收到访问所述目标域名的操作请求,所述终端将包含所述目标域名的解析请求发送至所述备份DNS服务器。
- 如权利要求1所述的方法,其特征在于,访问所述目标域名由所述终端中安装的客户端执行,在所述终端向所述高防服务器发送所述业务请求数据之后,所述方法还包括:在所述客户端关闭后再次启动的情况下,如果所述终端接收到访问所述目标域名的操作请求,所述终端将包含所述目标域名的解析请求发送至所述主DNS服务器。
- 如权利要求1所述的方法,其特征在于,在所述业务端通知所述备份DNS服务器将针对所述目标域名的解析地址设置为所述高防服务器的IP地址之后,所述方法还包括:所述业务端确定所述备份DNS服务器已将针对所述目标域名的解析地址设置为所述高防服务器的IP地址;所述业务端通知所述主DNS服务器的运营商,指示所述主DNS服务器的运营商通知所述主DNS服务器将所述业务服务器的IP地址拉黑。
- 如权利要求5所述的方法,其特征在于,在所述业务服务器受到的所述DDOS攻击已停止的情况下,所述方法还包括:所述业务端通知所述主DNS服务器的运营商,指示所述主DNS服务器的运营商通知所述主DNS服务器将所述业务服务器的IP地址解除拉黑。
- 一种分布式拒绝服务DDOS攻击的防护系统,其特征在于,所述系统包括:终端,用于将包含目标域名的解析请求发送至主DNS服务器,根据所述主DNS服务器反馈的所述目标域名对应的业务服务器的IP地址,向所述业务服务器发送业务请求数据;在访问所述业务服务器出错的情况下,将包含所述目标域名的解析请求发送至备份DNS服务器;根据所述备份DNS服务器反馈的所述高防服务器的IP地址,向所述高防服务器发送所述业务请求数据;业务端,用于在所述业务服务器受到DDOS攻击的情况下,通知所述备份DNS服务器将针对所述目标域名的解析地址设置为所述高防服务器的IP地址;所述备份DNS服务器,用于在接收到所述业务端的通知之后,将针对所述目标域名的解析地址设置为所述高防服务器的IP地址;在将针对所述目标域名的解析地址设置为所述高防服务器的IP地址之后,针对所述终端发送的包含所述目标域名的解析请求解析为所述高防服务器的IP地址反馈给所述终端。
- 如权利要求7所述的系统,其特征在于,所述系统还包括所述高防服务器,用于对所述终端发送的所述业务请求数据执行流量清洗,将清洗后的数据转发至所述业务服务器,并将所述业务服务器反馈的业务响应数据转发至所述终端。
- 一种针对分布式拒绝服务DDOS攻击的域名访问方法,所述方法应用于终端,其特征在于,所述方法包括:接收到访问目标域名对应的业务服务器的操作请求;响应于所述操作请求,向主DNS服务器发送包含所述目标域名的解析请求;根据所述主DNS服务器反馈的所述目标域名对应的业务服务器的IP地址,向所述业务服务器发送业务请求数据;在所述业务服务器受到DDOS攻击的情况下,确定访问所述业务服务器出错;将包含所述目标域名的解析请求发送至备份DNS服务器;根据所述备份DNS服务器反馈的所述目标域名对应的高防服务器的IP地址,向所述高防服务器发送所述业务请求数据;其中,在所述业务服务器受到DDOS攻击的情况下,所述备份DNS服务器被配置为将所述目标域名解析为所述高防服务器的IP地址。
- 如权利要求9所述的方法,其特征在于,所述终端安装有集成SDK函数的客户端;所述SDK函数用于配置所述终端在确定访问所述业务服务器出错的情况下,将包含所述目标域名的解析请求发送至所述备份DNS服务器包含所述目标域名的解析请求。
- 如权利要求10所述的方法,其特征在于,所述SDK函数用于以目标信息格式封装所述目标域名的信息,得到发送至所述备份DNS服务器的所述解析请求。
- 如权利要求9-11任一项所述的方法,其特征在于,所述解析请求携带的信息还包括所述终端的标识和/或访问所述业务服务器的IP地址返回的错误代码。
- 如权利要求9所述的方法,其特征在于,在将包含所述目标域名的解析请求发送至备份DNS服务器之后,在根据所述备份DNS服务器解析的所述目标域名对应的高防服务器的IP地址之前,所述方法还包括:根据所述备份DNS服务器解析所述目标域名得到的所述业务服务器的IP地址,向所述业务服务器发送所述业务请求数据;其中,所述备份DNS服务器用于在所述业务服务器未受到DDOS攻击的情况下,将针对所述目标域名的解析地址设置为所述业务服务器的IP 地址,并在未成功将针对所述目标域名的解析地址设置为所述高防服务器的IP地址的情况下,向所述终端反馈所述业务服务器的IP地址;在确定访问所述业务服务器出错的情况下,将包含所述目标域名的解析请求发送至所述备份DNS服务器。
- 如权利要求9至13任一项所述的方法,其特征在于,访问所述目标域名由所述终端中安装的客户端执行,在向所述高防服务器发送所述业务请求数据之后,所述方法还包括:在所述客户端未关闭的情况下,如果接收到访问所述目标域名的操作请求,将包含所述目标域名的解析请求发送至所述备份DNS服务器。
- 如权利要求9至13任一项所述的方法,其特征在于,访问所述目标域名由所述终端中安装的客户端执行,在向所述高防服务器发送所述业务请求数据之后,所述方法还包括:在所述客户端关闭之后再次启动的情况下,如果接收到访问所述目标域名的操作请求,将包含所述目标域名的解析请求发送至所述主DNS服务器包含所述目标域名的解析请求。
- 一种分布式拒绝服务DDOS攻击的防护方法,所述方法应用于业务端,其特征在于,所述方法包括:确定终端向主DNS服务器发送的解析请求中的目标域名对应的业务服务器受到所述DDOS攻击;通知备份DNS服务器将所述目标域名解析为高防服务器的IP地址,以使得向所述主DNS服务器发送包含所述目标域名的解析请求的终端在改为向所述备份DNS服务器发送包含所述目标域名的解析请求之后,获取到所述备份DNS服务器解析出的、所述目标域名对应的所述高防服务器的IP地址。
- 如权利要求16所述的方法,其特征在于,所述确定所述业务服务器受到所述DDOS攻击,包括:确定所述业务服务器的上行带宽超过预设阈值。
- The method according to claim 16 or 17, wherein after notifying the backup DNS server to resolve the target domain name to the IP address of the high-defense server, the method further comprises: notifying the operator of the primary DNS server, instructing the operator of the primary DNS server to notify the primary DNS server to blacklist the IP address of the service server.
- The method according to claim 18, wherein, when the DDOS attack on the service server has stopped, the method further comprises: notifying the operator of the primary DNS server, instructing the operator of the primary DNS server to notify the primary DNS server to remove the IP address of the service server from the blacklist.
- The method according to claim 18, wherein the service side shares a network egress with the service server, and the communication priority of the notification message sent by the service side to the operator of the primary DNS server is configured to be at least higher than the communication priority between the service server and the terminal.
- The method according to claim 14, wherein notifying the backup DNS server to resolve the target domain name to the IP address of the high-defense server comprises: instructing, through a scheduling side, the scheduling side to notify the backup DNS server to resolve the target domain name to the IP address of the high-defense server.
- A domain name access apparatus against distributed denial-of-service DDOS attacks, the apparatus being applied to a terminal, wherein the apparatus comprises: a receiving module, configured to receive an operation request for accessing a service server corresponding to a target domain name; a first sending module, configured to send, in response to the operation request, a resolution request containing the target domain name to a primary DNS server; a second sending module, configured to send service request data to the service server according to the IP address of the service server corresponding to the target domain name fed back by the primary DNS server; a determining module, configured to determine that access to the service server has failed when the service server is under a DDOS attack; a third sending module, configured to send a resolution request containing the target domain name to a backup DNS server; a fourth sending module, configured to send the service request data to the high-defense server according to the IP address of the high-defense server corresponding to the target domain name fed back by the backup DNS server; wherein, when the service server is under a DDOS attack, the backup DNS server is configured to resolve the target domain name to the IP address of the high-defense server.
- The apparatus according to claim 22, wherein the apparatus further comprises: a configuration module, configured to configure the terminal to send the resolution request containing the target domain name to the backup DNS server when it is determined that access to the service server has failed, wherein the configuration module is an SDK function integrated into a client installed on the terminal.
- The apparatus according to claim 23, wherein the configuration module comprises: an encapsulation unit, configured to encapsulate the information of the target domain name in a target information format to obtain the resolution request sent to the backup DNS server.
- The apparatus according to any one of claims 22 to 24, wherein the information carried in the resolution request further comprises an identifier of the terminal and/or the error code returned when accessing the IP address of the service server.
- The apparatus according to claim 22, wherein the apparatus further comprises: a fifth sending module, configured to, after the resolution request containing the target domain name is sent to the backup DNS server and before the service request data is sent according to the IP address of the high-defense server corresponding to the target domain name resolved by the backup DNS server, send the service request data to the service server according to the IP address of the service server obtained by the backup DNS server resolving the target domain name; wherein the backup DNS server is configured to set the resolution address for the target domain name to the IP address of the service server when the service server is not under a DDOS attack, and to feed back the IP address of the service server to the terminal when the resolution address for the target domain name has not yet been successfully set to the IP address of the high-defense server; and a sixth sending module, configured to send the resolution request containing the target domain name to the backup DNS server when it is determined that access to the service server has failed.
- The apparatus according to any one of claims 22 to 26, wherein access to the target domain name is performed by a client installed on the terminal, and the apparatus further comprises: a seventh sending module, configured to, after the service request data is sent to the high-defense server and while the client has not been closed, send a resolution request containing the target domain name to the backup DNS server if an operation request for accessing the target domain name is received.
- The apparatus according to any one of claims 22 to 26, wherein access to the target domain name is performed by a client installed on the terminal, and the apparatus further comprises: an eighth sending module, configured to, after the service request data is sent to the high-defense server and when the client is started again after having been closed, send a resolution request containing the target domain name to the primary DNS server if an operation request for accessing the target domain name is received.
- A protection apparatus against distributed denial-of-service DDOS attacks, the apparatus being applied to a service side, wherein the apparatus comprises: a determining module, configured to determine that a service server corresponding to a target domain name in a resolution request sent by a terminal to a primary DNS server is under the DDOS attack; a first notification module, configured to notify a backup DNS server to resolve the target domain name to the IP address of a high-defense server, so that a terminal which sent the resolution request containing the target domain name to the primary DNS server obtains, after switching to sending the resolution request containing the target domain name to the backup DNS server, the IP address of the high-defense server corresponding to the target domain name as resolved by the backup DNS server.
- The apparatus according to claim 29, wherein the determining module comprises: a determining unit, configured to determine that the upstream bandwidth of the service server exceeds a preset threshold.
- The apparatus according to claim 29 or 30, wherein the apparatus further comprises: a second notification module, configured to, after the backup DNS server is notified to resolve the target domain name to the IP address of the high-defense server, notify the operator of the primary DNS server, instructing the operator of the primary DNS server to notify the primary DNS server to blacklist the IP address of the service server.
- The apparatus according to claim 31, wherein the apparatus further comprises: a third notification module, configured to, when the DDOS attack on the service server has stopped, notify the operator of the primary DNS server, instructing the operator of the primary DNS server to notify the primary DNS server to remove the IP address of the service server from the blacklist.
- The apparatus according to claim 31, wherein the service side shares a network egress with the service server, and the communication priority of the notification message sent by the service side to the operator of the primary DNS server is configured to be at least higher than the communication priority between the service server and the terminal.
- The apparatus according to claim 29, wherein the first notification module comprises: a notification unit, configured to instruct, through a scheduling side, the scheduling side to notify the backup DNS server to resolve the target domain name to the IP address of the high-defense server.
- A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when the program runs on a computer, the computer is caused to perform the method according to any one of claims 9 to 15.
- A communication device, wherein the communication device comprises: a processor; a memory; and an application program; wherein the application program is stored in the memory and comprises instructions which, when executed by the device, cause the device to perform the method according to any one of claims 9 to 15.
- A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when the program runs on a computer, the computer is caused to perform the method according to any one of claims 16 to 21.
- A communication device, wherein the communication device comprises: a processor; a memory; and an application program; wherein the application program is stored in the memory and comprises instructions which, when executed by the device, cause the device to perform the method according to any one of claims 16 to 21.
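The terminal-side failover (claims 22 to 28) and the service-side switch (claims 29 to 32) described in the claims above, as an added Python simulation that is not part of the patent or any product; the class names, the 800 Mbps threshold, the domain and the RFC 5737 addresses are constructed assumptions, and the operator blacklist is modelled as a flag:

```python
from typing import Callable, Dict, List, Optional

DOMAIN = "svc.example"                                     # constructed sample domain
SERVICE_IP, HIGH_DEF_IP = "198.51.100.10", "203.0.113.5"  # constructed RFC 5737 addresses

class Dns:                                   # name-to-IP table for primary and backup roles
    def __init__(self) -> None:
        self.records: Dict[str, str] = {DOMAIN: SERVICE_IP}
    def resolve(self, domain: str) -> str:
        return self.records[domain]

class ServiceSide:   # claims 29-32: bandwidth-threshold detection, backup DNS switch, blacklist
    def __init__(self, backup: Dns, threshold_mbps: float) -> None:
        self.backup, self.threshold, self.service_ip_blacklisted = backup, threshold_mbps, False
    def observe_upstream(self, mbps: float) -> bool:
        if mbps <= self.threshold:
            return False
        self.backup.records[DOMAIN] = HIGH_DEF_IP   # backup DNS now resolves to high-defense IP
        self.service_ip_blacklisted = True          # operator asked to blacklist the service IP
        return True
    def attack_stopped(self) -> None:               # claim 32: restore record, lift blacklist
        self.backup.records[DOMAIN], self.service_ip_blacklisted = SERVICE_IP, False

class Terminal:      # claims 22-28: primary first, fall back to backup, stay there until restart
    def __init__(self, primary: Dns, backup: Dns, reachable: Callable[[str], bool]) -> None:
        self.primary, self.backup, self.reachable, self.use_backup = primary, backup, reachable, False
    def access(self, domain: str) -> Optional[str]:
        ip = (self.backup if self.use_backup else self.primary).resolve(domain)
        if self.reachable(ip):
            return ip
        self.use_backup = True                      # access error: switch to backup DNS
        ip = self.backup.resolve(domain)            # may still be the service IP (claim 26)
        return ip if self.reachable(ip) else None
    def restart(self) -> None:
        self.use_backup = False                     # claim 28: restarted client returns to primary

def run_scenario() -> List:
    """Normal access, attack before and after the switch, recovery after a client restart."""
    attacked = {"on": False}
    reachable = lambda ip: ip == HIGH_DEF_IP or not attacked["on"]   # service IP dies under attack
    primary, backup = Dns(), Dns()
    side, term = ServiceSide(backup, 800), Terminal(primary, backup, reachable)
    out: List = [term.access(DOMAIN)]               # service IP via primary DNS
    attacked["on"] = True
    out.append(term.access(DOMAIN))                 # backup not yet switched: None
    out.append(side.observe_upstream(1500))         # 1500 > 800 Mbps threshold: True
    out.append(term.access(DOMAIN))                 # backup answers the high-defense IP
    side.attack_stopped(); attacked["on"] = False; term.restart()
    out.append(term.access(DOMAIN))                 # back on primary DNS: service IP
    return out
```

The second step is the window claim 26 describes: the terminal has already switched to the backup DNS, but until the service side applies the switch the backup still answers the service IP and the access fails again.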
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911019057.5 | 2019-10-24 | | |
CN201911019057.5A CN110855633B (zh) | 2019-10-24 | 2019-10-24 | DDoS attack protection method, apparatus, system, communication device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021077811A1 (zh) | 2021-04-29 |
Family
ID=69597936
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/102076 WO2021077811A1 (zh) | 2019-10-24 | 2020-07-15 | Distributed denial-of-service DDoS attack protection method, apparatus and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110855633B (zh) |
WO (1) | WO2021077811A1 (zh) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113285953A (zh) * | 2021-05-31 | 2021-08-20 | Xi'an Jiaotong University | Method, system, device and readable storage medium for detecting DNS reflectors usable in DDoS attacks |
CN113904866A (zh) * | 2021-10-29 | 2022-01-07 | China Telecom Co., Ltd. | SD-WAN service traffic security handling and diversion method, device, system and medium |
CN114338630A (zh) * | 2021-12-13 | 2022-04-12 | Haier Uplus Intelligent Technology (Beijing) Co., Ltd. | Domain name access method, apparatus, electronic device, storage medium and program product |
CN116155545A (zh) * | 2022-12-21 | 2023-05-23 | Guangdong Tianyun Technology Co., Ltd. | Dynamic DDoS defense method and system using a multi-way tree and honeypot system architecture |
WO2024149022A1 (zh) * | 2023-01-09 | 2024-07-18 | China UnionPay Co., Ltd. | Data center and domain name switching method, apparatus, device and medium |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110855633B (zh) * | 2019-10-24 | 2021-10-15 | Huawei Device Co., Ltd. | DDoS attack protection method, apparatus, system, communication device and storage medium |
CN113301001B (zh) * | 2020-04-07 | 2023-05-23 | Alibaba Group Holding Ltd. | Attacker determination method, apparatus, computing device and medium |
CN112804230B (zh) * | 2020-05-12 | 2023-01-24 | Shanghai Yovole Zhishu Yunchuang Digital Technology Co., Ltd. | Distributed denial-of-service attack monitoring method, system, device and storage medium |
CN112073409A (zh) * | 2020-09-04 | 2020-12-11 | Hangzhou DBAppSecurity Co., Ltd. | Attack traffic scrubbing method, apparatus, device and computer-readable storage medium |
CN114257566B (zh) * | 2020-09-11 | 2024-07-09 | Beijing Kingsoft Cloud Network Technology Co., Ltd. | Domain name access method, apparatus and electronic device |
CN112351012A (zh) * | 2020-10-28 | 2021-02-09 | Hangzhou DBAppSecurity Co., Ltd. | Network security protection method, apparatus and system |
CN113114682A (zh) * | 2021-04-14 | 2021-07-13 | Hangzhou DBAppSecurity Co., Ltd. | DDoS-attack-based information transmission method, apparatus, device and medium |
CN117675248A (zh) * | 2022-08-31 | 2024-03-08 | Huawei Cloud Computing Technologies Co., Ltd. | Method and apparatus for preventing false blocking in distributed denial-of-service DDoS attack defense |
CN116319676B (zh) * | 2023-05-23 | 2023-10-20 | Alibaba Cloud Computing Ltd. | Domain name resolution method, device, storage medium and system |
CN116827684B (zh) * | 2023-08-25 | 2023-11-21 | Aspire Digital Technologies (Shenzhen) Co., Ltd. | DDoS attack defense method, system, device and storage medium |
CN118353704A (zh) * | 2024-05-11 | 2024-07-16 | Shenzhen Runxuntong Investment Co., Ltd. | Network attack defense system and control method therefor |
CN118377219B (zh) * | 2024-06-24 | 2024-08-30 | Lishui Power Supply Company, State Grid Zhejiang Electric Power Co., Ltd. | Secure control method and system for thermostatically controlled loads resisting bounded FDI attacks |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140130152A1 (en) * | 2012-11-07 | 2014-05-08 | Trusteer Ltd. | Defense against DNS DoS attack |
CN107426230A (zh) * | 2017-08-03 | 2017-12-01 | Shanghai UCloud Information Technology Co., Ltd. | Server scheduling method, apparatus, system, storage medium and device |
CN108809910A (zh) * | 2017-05-04 | 2018-11-13 | Guizhou Baishan Cloud Technology Co., Ltd. | Domain name system server scheduling method and system |
CN109617932A (zh) * | 2019-02-21 | 2019-04-12 | Beijing Baidu Netcom Science and Technology Co., Ltd. | Method and apparatus for processing data |
CN110324295A (zh) * | 2018-03-30 | 2019-10-11 | Alibaba Group Holding Ltd. | Defense method and apparatus against domain name system flooding attacks |
CN110855633A (zh) * | 2019-10-24 | 2020-02-28 | Huawei Device Co., Ltd. | Distributed denial-of-service DDoS attack protection method, apparatus and system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103023924B (zh) * | 2012-12-31 | 2015-10-14 | Wangsu Science & Technology Co., Ltd. | DDoS attack protection method and system for a cloud distribution platform based on a content delivery network |
CN106302313B (zh) * | 2015-05-14 | 2019-10-08 | Alibaba Group Holding Ltd. | Scheduling-system-based DDoS defense method and DDoS defense system |
US20190280963A1 (en) * | 2017-01-31 | 2019-09-12 | The Mode Group | High performance software-defined core network |
CN108366077B (zh) * | 2018-04-23 | 2023-07-04 | Shen Kang | Fission-type attack-resistant network access system |
- 2019-10-24 CN CN201911019057.5A patent/CN110855633B/zh active Active
- 2020-07-15 WO PCT/CN2020/102076 patent/WO2021077811A1/zh active Application Filing
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113285953A (zh) * | 2021-05-31 | 2021-08-20 | Xi'an Jiaotong University | Method, system, device and readable storage medium for detecting DNS reflectors usable in DDoS attacks |
CN113904866A (zh) * | 2021-10-29 | 2022-01-07 | China Telecom Co., Ltd. | SD-WAN service traffic security handling and diversion method, device, system and medium |
CN113904866B (zh) * | 2021-10-29 | 2024-02-09 | China Telecom Co., Ltd. | SD-WAN service traffic security handling and diversion method, device, system and medium |
CN114338630A (zh) * | 2021-12-13 | 2022-04-12 | Haier Uplus Intelligent Technology (Beijing) Co., Ltd. | Domain name access method, apparatus, electronic device, storage medium and program product |
CN114338630B (zh) * | 2021-12-13 | 2024-04-19 | Haier Uplus Intelligent Technology (Beijing) Co., Ltd. | Domain name access method, apparatus, electronic device, storage medium and program product |
CN116155545A (zh) * | 2022-12-21 | 2023-05-23 | Guangdong Tianyun Technology Co., Ltd. | Dynamic DDoS defense method and system using a multi-way tree and honeypot system architecture |
CN116155545B (zh) * | 2022-12-21 | 2023-08-04 | Guangdong Tianyun Technology Co., Ltd. | Dynamic DDoS defense method and system using a multi-way tree and honeypot system architecture |
WO2024149022A1 (zh) * | 2023-01-09 | 2024-07-18 | China UnionPay Co., Ltd. | Data center and domain name switching method, apparatus, device and medium |
Also Published As
Publication number | Publication date |
---|---|
CN110855633B (zh) | 2021-10-15 |
CN110855633A (zh) | 2020-02-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20879877; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20879877; Country of ref document: EP; Kind code of ref document: A1 |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07/10/2022) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20879877; Country of ref document: EP; Kind code of ref document: A1 |