WO2024045542A1 - Method and apparatus for preventing erroneous blocking in distributed denial of service (ddos) attack - Google Patents

Info

Publication number
WO2024045542A1
Authority
WO
WIPO (PCT)
Prior art keywords
domain name
target
response message
ddos
cache unit
Application number
PCT/CN2023/080099
Other languages
French (fr)
Chinese (zh)
Inventor
龙卫平
Original Assignee
华为云计算技术有限公司
Application filed by 华为云计算技术有限公司
Publication of WO2024045542A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • Embodiments of the present application relate to the field of computers, and in particular to a method and apparatus for preventing erroneous blocking in distributed denial of service (DDOS) attacks.
  • The domain name system is a positioning and scheduling system on which important business access on the Internet relies.
  • DNS: domain name system.
  • Pan-domain-name attacks are high-volume domain name resolution requests whose domain name prefixes keep changing; a pan-domain-name attack can be a distributed denial of service (DDOS) attack.
  • DDOS: distributed denial of service attack.
  • The DNS server identifies the source IP address of the attack and blacklists that address to block the attack.
  • However, attackers can obtain a large number of virtual machines and corresponding IP addresses, so blocking IPs in the DNS service of a cloud server has a poor defensive effect.
  • The initiator of a DDOS attack may be a compromised host (a "broiler") hijacked by hackers.
  • The compromised host may itself be running normal business, meaning that the DDOS attack traffic is mixed with normal business traffic.
  • Blocking by IP therefore causes a large amount of normal business to be erroneously blocked, causing business damage.
  • The embodiments of the present application provide a method for preventing erroneous blocking in distributed denial of service (DDOS) attacks, which is used to improve the effect of preventing erroneous blocking under DDOS attacks.
  • The first aspect of the embodiments of this application provides a method for preventing erroneous blocking in distributed denial of service (DDOS) attacks.
  • This method can be executed by a cloud server or by components of the cloud server, such as the processor, chip or chip system of the cloud server; it can also be implemented by logic modules or software that realize all or part of the cloud server's functions.
  • The method provided by the first aspect includes the following steps: the cloud server receives the target domain name configured by the user, where the resolution operation for the target domain name is performed by the target resolution server. Specifically, the cloud server receives the domain name resolution request sent by the client, and the domain name resolution request is used to request the IP address corresponding to the target domain name.
  • The cloud server allocates a cache unit for the target domain name according to the user's instructions.
  • The cache unit includes a domain name system security cache (DSC).
  • The cache unit is used to store a response message for use when the target resolution server is in a DDOS state, where the response message is used to respond to a domain name resolution request for the target domain name, and the response message includes the IP address corresponding to the target domain name.
  • The cloud server responds to the domain name resolution request for the target domain name based on the cache unit; responding includes reading the IP address corresponding to the target domain name from the cache unit and sending a response message to the user side.
  • The cloud server can, according to the user's instructions, provide a cache unit that caches the IP addresses obtained from the target resolution server's resolution. When the target resolution server is in the DDOS state, the cloud server can obtain the IP address corresponding to the target domain name from the cache unit, thus improving the response speed of domain name resolution requests in the DDOS state and further improving the effect of preventing erroneous blocking under DDOS.
  • The user's instruction includes specification information of the cache unit.
  • The cloud server receives the ordering request sent by the client, and the ordering request is used to obtain the cache unit.
  • The specification information in the ordering request includes one or more of the following: domain name suffix information designating which suffixes receive erroneous-blocking protection, the number of domain names cached by the DSC, the cache refresh time in the DSC, information about the VPC bound to the DSC, and the purchase duration of the erroneous-blocking prevention service.
  • The cloud server can configure the domain name system security cache DSC according to the user's ordering request, thereby providing users with the DDOS erroneous-blocking prevention service and making it more convenient for the user side to obtain that service.
  • The user side can select among multiple DSC specifications, increasing the configuration types of the cache unit.
  • The cache unit stores the DDOS status of the target resolution server. Specifically, after the cloud server receives the client's domain name resolution request, the cloud server queries the security status of the cloud server in the DSC; the DSC stores the security status of the cloud server, which is either DDOS status or non-DDOS status. The cloud server reads the security status of the target resolution server from the cache unit and transparently forwards the domain name resolution request based on that security status.
  • The cloud server can read the security status of the target resolution server from the cache unit DSC and respond to the domain name resolution request according to that security status, thereby improving the effect of preventing erroneous blocking under DDOS.
  • The response message is used to respond to the domain name resolution request.
  • When the IP address corresponding to the target domain name is stored in the cache unit, the cache unit generates a response message based on that IP address and sends the response message to the user.
  • The security cache provided by the cloud server in the embodiment of this application can cache the IP address corresponding to the target domain name, so that when the cloud server receives the user's resolution request for the target domain name, it directly generates a response message from the IP address stored in the cache unit to respond to the domain name resolution request, thus improving the response efficiency of domain name resolution requests.
  • When the cloud server responds to the domain name resolution request for the target domain name based on the cache unit and there is no response message for the target domain name in the cache unit, the cloud server sends the domain name resolution request to the target resolution server, obtains the response message sent by the target resolution server, and responds to the domain name resolution request according to the response status information included in that response message.
  • When the IP address corresponding to the target domain name is not cached in the cache unit of the cloud server, the cloud server transparently forwards the domain name resolution request for the target domain name to the target resolution server. Compared with directly blocking the IP address, this improves the effect of preventing erroneous blocking under DDOS.
  • The domain name resolution request is rate-limited. Specifically, the cloud server adds the domain name resolution request for the target domain name to a rate-limit queue, and the cloud server sends the queued domain name resolution requests to the target resolution server at regular intervals.
  • The cloud service can limit the rate of domain name resolution requests, preventing the target resolution server from being unable to process domain name resolution requests in the DDOS state, thereby improving the effect of preventing erroneous blocking under DDOS.
  • When the cloud server responds to the domain name resolution request based on the response status information included in the response message and determines from that response status information that the response message is a correct response, the response message sent by the target resolution server is stored in the cache unit.
  • The response status information includes the IP address corresponding to the target domain name.
  • The cloud server can store in the cache unit the IP address corresponding to the target domain name from a correct response to the domain name resolution request.
  • When the cloud server receives another domain name resolution request for the target domain name, it can respond directly with the IP address stored in the cache unit, thereby improving the cloud server's response speed to domain name resolution requests.
  • When the cloud server responds to the domain name resolution request based on the response status information included in the response message and determines from that information that the response message is an error response, it updates the value of the resolution error counter corresponding to the domain name suffix of the target domain name. When the value of the resolution error counter for the target domain name is greater than or equal to the count threshold, it is determined that the target resolution server is in a DDOS state, and the DDOS state is written to the cache unit.
  • The response status information includes error parameters, which are parameters used to indicate that domain name resolution failed.
  • The resolution error counter of the cloud server in the embodiment of the present application can determine the number of domain name resolution failures corresponding to a domain name suffix, so that whether the target resolution server is in a DDOS state is determined from the number of resolution failures for the same domain name suffix, thereby improving the cloud server's ability to identify DDOS attacks.
  • The DSC includes a domain name system security cache ingress (DSC-ingress) component, a domain name system security cache egress (DSC-egress) component, and a domain name system security cache map (DSC-map) component.
  • The cloud server receives the domain name resolution request sent by the client through the DSC-ingress component.
  • The DSC-egress component is used to obtain the domain name resolution record corresponding to the domain name resolution request.
  • The domain name resolution record includes the IP address requested from the target resolution server.
  • The DSC-map component is used to cache domain name resolution records and the security status of the target resolution server.
  • The cache unit of the cloud server includes multiple DSC components, which jointly implement the functions of the cache unit, thereby improving the realizability of the solution.
  • When the target resolution server is in a non-DDOS state, the DSC-egress component stores the domain name resolution record to the DSC-map component.
  • The DSC-map component imports domain name resolution records into the DSC-ingress component.
  • When the cloud server determines that the target resolution server is in a DDOS state, it can import the domain name resolution records cached in the DSC-map component into the DSC-ingress component, thereby improving the response speed of domain name resolution requests.
  • The second aspect of the embodiment of the present application provides an apparatus for preventing erroneous blocking in distributed denial of service (DDOS) attacks.
  • The apparatus includes a transceiver module and a processing module.
  • The transceiver module is used to receive the target domain name configured by the user, where the resolution operation for the target domain name is performed by the target resolution server.
  • The processing module is used to allocate a cache unit to the target domain name according to the user's instructions.
  • The cache unit is used to store the response message for use when the target resolution server is in the DDOS state, where the response message is used to respond to the domain name resolution request for the target domain name.
  • The processing module is also used to respond to domain name resolution requests for the target domain name based on the cache unit.
  • The user's instruction includes specification information of the cache unit.
  • The cache unit stores the DDOS status of the target resolution server.
  • The processing module is specifically configured to use the response message to respond to the domain name resolution request when the cache unit stores a response message for the target domain name.
  • The processing module is specifically configured, when the cache unit does not store a response message for the target domain name, to send the domain name resolution request to the target resolution server, obtain the response message sent by the target resolution server, and respond to the domain name resolution request according to the response status information included in that response message.
  • The processing module is also configured to rate-limit the domain name resolution request when the cache unit does not store a response message for the target domain name.
  • When the cache unit does not store a response message for the target domain name, the processing module is specifically configured to determine, based on the response status information, that the response message is a correct response and then store the response message sent by the target resolution server in the cache unit.
  • The processing module is specifically configured to update the value of the resolution error counter for the target domain name when it determines, based on the response status information, that the response message is an error response.
  • When the value of the resolution error counter for the target domain name is greater than or equal to the count threshold, it is determined that the target resolution server is in a DDOS state.
  • The third aspect of the embodiment of the present application provides a computer device cluster including at least one computing device, each computing device including a processor, where the processor of the at least one computing device is used to execute instructions stored in the memory of the at least one computing device so that the computing device cluster executes the method described in the first aspect or any possible implementation of the first aspect.
  • The fourth aspect of the embodiments of the present application provides a computer-readable storage medium on which instructions are stored.
  • When the instructions are executed, the computer executes the method described in the first aspect or any possible implementation of the first aspect.
  • The fifth aspect of the embodiments of the present application provides a computer program product.
  • The computer program product includes instructions which, when executed, cause the computer to implement the method described in the first aspect or any possible implementation of the first aspect.
  • Figure 1a is a schematic system architecture diagram of a DDOS erroneous-blocking prevention system provided by an embodiment of the present application.
  • Figure 1b is a schematic system architecture diagram of another DDOS erroneous-blocking prevention system provided by an embodiment of the present application.
  • Figure 2 is a schematic flow chart of a DDOS erroneous-blocking prevention method provided by an embodiment of the present application.
  • Figure 3 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of the present application.
  • Figure 4 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of the present application.
  • Figure 5 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of the present application.
  • Figure 6 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of the present application.
  • Figure 7 is a schematic structural diagram of a DDOS apparatus provided by an embodiment of the present application.
  • Figure 8 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • Figure 9 is a schematic structural diagram of a computing device cluster provided by an embodiment of the present application.
  • Figure 10 is a schematic structural diagram of another computing device cluster provided by an embodiment of the present application.
  • Embodiments of the present application provide a method and apparatus for preventing erroneous blocking in distributed denial of service (DDOS) attacks, which are used to improve the effect of preventing erroneous blocking under DDOS attacks.
  • DNS: domain name system.
  • DNS is the domain name resolution service system of the Internet. DNS is a distributed database that maps domain names and IP addresses to each other, enabling a client to obtain the IP address corresponding to a domain name through DNS.
  • Pan-domain-name attack: high-volume domain name resolution requests with randomly changing prefixes.
  • A distributed denial of service (DDOS) attack refers to multiple attackers in different locations launching attacks against one or several targets at the same time, or to one attacker controlling multiple machines in different locations and using these machines to attack the victim simultaneously.
  • DDOS: distributed denial of service.
  • Extended Berkeley Packet Filter (eBPF) is a general-purpose execution engine that provides a framework within which specific code can be executed efficiently and securely in response to system or program events.
  • DSC: domain name system security cache.
  • A full-featured DNS server refers to a server that can provide both local DNS resolution and recursive DNS resolution.
  • FIG. 1a is a schematic system architecture diagram of a DDOS erroneous-blocking prevention system provided by an embodiment of the present application.
  • The DDOS erroneous-blocking prevention system 100 includes a cloud server 101 and a client 102.
  • The cloud server 101 is deployed with a domain name system security cache (DSC) module 1011 and a target resolution server 1012.
  • The DSC module 1011 and the target resolution server 1012 may also be deployed on different servers.
  • The target resolution server 1012 in the cloud server 101 can provide domain name resolution services and obtain the corresponding IP address based on the target domain name in the domain name resolution request.
  • The domain name resolution service includes a local domain name resolution service and a recursive domain name resolution service.
  • The local domain name resolution service refers to the scenario in which the target resolution server 1012 itself provides the domain name resolution service.
  • The recursive domain name resolution service refers to the scenario in which the target resolution server 1012 provides the domain name resolution service through other resolution servers, that is, performs recursive domain name resolution.
  • The DSC module 1011 in the cloud server 101 is used to provide the target resolution server 1012 with services such as identifying DDOS attacks, caching domain name data, and responding to domain name resolution requests.
  • The DSC module 1011 uses the eBPF architecture to process domain name resolution requests quickly in DDOS scenarios without going through the operating system kernel's regular processing path. It can quickly respond to legitimate domain name resolution requests in the early stage of a DDOS attack, rate-limit suspicious domain name resolution requests, and continuously collect legitimate responses, gradually reducing erroneous blocking.
  • The DSC module 1011 includes the domain name system security cache ingress DSC-ingress component 1011a, the domain name system security cache egress DSC-egress component 1011b, the domain name system security cache map DSC-map component 1011c, and the domain name system security cache control DSC-control component.
  • The DSC-map component 1011c may also be a database external to the DSC module 1011.
  • The DSC-ingress component 1011a handles the receiving of domain name resolution requests. Specifically, when the requested domain name of a domain name resolution request hits the cache, the request is answered from the cache; when it misses the cache, the request is transparently forwarded to the target resolution server 1012 with rate limiting, and packets are dropped when the forwarding buffer overflows, among other functions.
  • The DSC-egress component 1011b handles the responding to domain name resolution requests. Specifically, it counts the number of resolution failures per domain name suffix to identify the attack status, and caches the obtained domain name resolution records to the DSC-map component 1011c.
  • The domain name resolution record includes the IP address corresponding to the domain name resolution request.
  • The DSC-map component 1011c is used to store the security status of the target resolution server 1012 and to cache domain name resolution records.
  • The security status of the target resolution server 1012 indicates whether the target resolution server 1012 is in a DDOS state or a non-DDOS state.
  • The DSC-control component 1011c is used to control the caching by the DSC-egress component 1011b of the acquired domain name resolution records to the DSC-map component 1011c.
  • The client 102 is used to send a domain name resolution request to the cloud server 101.
  • The client 102 may be an independent user device or a virtual machine in a cloud server; this is not specifically limited.
  • Figure 1b is a schematic structural diagram of another DDOS erroneous-blocking prevention system according to an embodiment of the present application.
  • In this system, the DSC module 1011 and the target resolution server 103 are deployed on different servers.
  • The DSC module 1011 is deployed on the cloud server 101, while the target resolution server 103 is deployed on a server different from the cloud server 101.
  • The DDOS erroneous-blocking prevention service provided by the cloud server 101 and the domain name resolution service provided by the target resolution server 103 may be cloud services provided by different vendors.
  • Figure 2 is a schematic flow chart of a DDOS erroneous-blocking prevention method provided by an embodiment of the present application.
  • The steps shown include, but are not limited to, the following:
  • The cloud server receives the ordering request for the DDOS erroneous-blocking prevention service sent by the client.
  • The cloud server receives the user's instructions. Specifically, the cloud server can receive the ordering request sent by the client, which is used to obtain the DDOS erroneous-blocking prevention service.
  • The ordering request includes one or more of the following specifications of the cache unit: domain name suffix information designating which suffixes receive erroneous-blocking protection, the number of domain names the DSC caches (that is, the storage capacity of the DSC), the cache refresh time in the DSC, information about the VPC bound to the DSC, and the purchase duration of the erroneous-blocking prevention service.
  • The cloud server allocates the cache unit according to the ordering request.
  • The cloud server allocates the target domain name and the cache unit according to the user's instructions. Specifically, the cloud server allocates a DSC based on the specification information in the ordering request sent by the user.
  • The DSC is used to store the response message for use when the target resolution server is in the DDOS state, that is, to store the domain name resolution record corresponding to the target domain name.
  • The domain name resolution record includes the target domain name.
  • The cloud server allocates a DSC according to the user's instructions, and the DSC performs DDOS erroneous-blocking prevention for domain name resolution requests for the specified domain name or domain name suffix.
  • Figure 3 is a schematic flow chart of ordering the DDOS erroneous-blocking prevention service provided by an embodiment of the present application.
  • The client requests to subscribe to the DDOS erroneous-blocking prevention service from the cloud server.
  • The user can specify the domain name suffix information to protect, the client virtual machine that needs to be bound to the DSC, and the time period for which the DSC service is required.
  • The cloud service only performs erroneous-blocking prevention on domain name resolution requests with the specified domain name suffix.
  • When the user does not specify domain name suffix information to protect, the user needs to further set the number of domain names and IP addresses cached in the DSC and set the automatic refresh time of the DSC cache.
  • The DSC-egress component regularly refreshes the cached data in the DSC-map component according to the automatic refresh time.
  • When refreshing, the DSC-egress component cleans cached data according to a least recently used (LRU) algorithm.
  • the cloud server receives the domain name resolution request sent by the client.
  • the cloud server receives the domain name resolution request sent by the client.
  • the domain name resolution request includes the target domain name.
  • the domain name resolution request is used to request the IP address corresponding to the target domain name.
  • the cloud server queries the security status of the cloud server based on DSC.
  • the security status includes DDOS status and non-DDOS status.
  • the DSC-ingress component of the cloud server receives the domain name resolution request sent by the client, the DSC-ingress component obtains the security status of the cloud server from the DSC-map component, where the DSC-map component stores the security status of the cloud server.
  • Figure 4 is a schematic diagram of the processing flow of a cloud service receiving a domain name resolution request provided by an embodiment of the present application.
  • the DSC-ingress component first processes the domain name resolution request. For example, in steps 1 to 5, the DSC-ingress component reads the security status of the cloud server from the DSC-map component.
  • the DSC-ingress component sends a domain name resolution request to the target resolution server.
  • the target resolution server handles the domain name resolution request.
  • the cloud server responds to the domain name resolution request based on the cache unit.
  • the cloud server responds to domain name resolution requests based on the cache unit.
  • the cache unit stores a response message for the target domain name
  • the cloud server uses the response message to respond to the domain name resolution request.
  • the cloud server sends the domain name resolution request to the target resolution server, obtains the response message sent by the target resolution server, and analyzes the domain name based on the response status information included in the response message. Parse the request and respond.
  • the response status information includes the IP address corresponding to the target domain name and error parameters.
  • the response message is a correct response, that is, the domain name resolution of the target resolution server is successful.
  • the response message is an error response, that is, the target resolution server domain name resolution fails.
  • the DSC-ingress component transparently transmits the domain name resolution request to the target resolution server, and the target resolution server can obtain the target based on the domain name resolution request.
  • the IP address corresponding to the domain name, or the target resolution server can obtain the resolution error parameter corresponding to the target domain name based on the domain name resolution request.
  • the cloud server determines that the target resolution server is in the DDOS state based on the DSC-map component, the cloud server continues to query the DSC to see whether the IP address corresponding to the target domain name in the domain name resolution request is cached.
  • the DSC is used to store the resolved domain name and the corresponding IP address.
  • the DSC adds the domain name resolution request to the rate limit queue and waits to send the domain name resolution request to the target resolution server.
  • the target resolution server when it resolves the IP address corresponding to the target domain name, it can obtain the IP address corresponding to the target domain name based on the local domain name resolution service module, or it can also obtain the IP address based on the external DNS service module by making a recursive request or an iterative request.
  • the IP address corresponding to the target domain name is not specifically limited.
  • the DSC-ingress component reads the cached IP address in the DSC-map component.
  • the DSC-ingress component adds the domain name resolution request to the rate limit queue.
  • the DSC-ingress component periodically sends the domain name resolution requests in the rate limit queue to the target resolution server, so that in the DDOS state, domain name resolution requests that have no cache record are processed at a limited rate.
  • the cloud server sends the domain name resolution result corresponding to the target domain name to the client.
  • after the cloud server obtains the domain name resolution result corresponding to the target domain name, it sends that result to the client.
  • the domain name resolution result includes the IP address corresponding to the target domain name or the resolution error parameter. For example, when the cloud server determines that the IP address corresponding to the target domain name exists in the domain name system security cache DSC, the cloud server reads the cached IP address from the DSC and sends it to the client.
  • when the cloud server determines that the IP address corresponding to the target domain name does not exist in the domain name system security cache DSC, it waits until it obtains the IP address corresponding to the target domain name from the target resolution server and then sends that IP address to the client.
  • when the cloud server determines, based on the response status information, that the response message is an error response, it updates the value in the resolution error counter for the target domain name.
  • when the value in the resolution error counter for the target domain name is greater than or equal to the count threshold, the target resolution server is determined to be in the DDOS state; that is, the cloud server determines the security status based on the domain name resolution result of the domain name resolution request.
  • the cloud server determines the security status as DDOS and caches the security status of the target resolution server in the DSC-map component.
  • Figure 5 is a schematic flow chart of a cloud server responding to a domain name resolution request provided by an embodiment of the present application.
  • the target resolution server responds to the domain name resolution request and sends the response result of the domain name resolution request to the DSC-egress component.
  • the DSC-egress component reads the security status stored in the DSC-map component. If the target resolution server is in a non-DDOS state and the IP address requested by the domain name resolution request is resolved successfully, the DSC-egress component sends the resolved IP address to the client.
  • the cloud server further determines whether the domain name resolution request was resolved successfully. If the IP address requested by the domain name resolution request fails to resolve, the cloud server adds 1 to the resolution failure counter for the domain name suffix corresponding to that request. When the number of failed resolutions for multiple domain name resolution requests with the same domain name suffix exceeds the preset threshold, the cloud server writes the DDOS status into the DSC-map component and notifies the DSC-control component to write the correct IP address corresponding to the domain name resolution request into the DSC-map component; in this application, this correct IP address is also called authoritative data.
  • when the cloud server determines, based on the response status information, that the response message is a correct response, it stores the response message sent by the target resolution server in the cache unit; that is, the cloud server can store the obtained domain name resolution record in the DSC. Specifically, after the DSC-egress component of the cloud server obtains a correctly resolved domain name data record, it stores that record in the DSC-map component.
  • the caching unit caches the response message when the target resolution server is in the DDOS state. That is, the cloud server can obtain the IP address corresponding to the target domain name and store it in the DSC when the target resolution server is in the DDOS state.
  • the cloud server enables caching of response messages when the target resolution server is in a DDOS state, thereby saving the cache space of the DSC.
  • the DSC-egress component reads the security status stored in the DSC-map component. If the target resolution server is in the DDOS state and the IP address requested by the domain name resolution request is resolved successfully, the DSC-egress component checks whether that IP address is cached in the DSC-map component; if it is not, the DSC-egress component writes the IP address corresponding to the domain name resolution request into the DSC-map component.
  • the cloud server controls the DSC-map component to import the cached domain name data records into the DSC-ingress component.
  • the cloud server can respond to domain name resolution requests from the client based on the domain name data records imported into the DSC-ingress component.
  • the domain name data records include local domain name data records and recursive domain name data records.
  • FIG. 6 is a schematic diagram of the deployment architecture of a DSC in different scenarios provided by an embodiment of the present application.
  • the DSC and the target resolution server can be deployed on different nodes; at the same time, the DSC-map can be a database external to the DSC.
  • the DSC-ingress component receives the domain name resolution request and sends it to the target resolution server.
  • the target resolution server returns the result corresponding to the domain name resolution request to the DSC-egress component.
  • the DSC-egress component collects all domain name data records and stores them in the DSC-map component.
  • the cloud server controls the DSC-map component to import cached domain name data records into the DSC-ingress component.
  • after the DSC-ingress component receives the domain name resolution request, it looks up the IP address corresponding to the request directly in the domain name data records imported from the DSC-map component, without querying the DSC-map component again, which improves the cloud server's response speed to domain name resolution requests.
  • when the target resolution server is in the DDOS state, the cloud server can obtain the IP address corresponding to the target domain name from the cache unit, thereby improving the response speed of domain name resolution requests in the DDOS state and further improving the erroneous-blocking prevention effect against DDOS.
  • FIG. 7 is a schematic structural diagram of a DDOS erroneous-blocking prevention device provided by an embodiment of the present application. This device is used to implement the steps performed by the cloud server in the above embodiments.
  • the DDOS erroneous-blocking prevention device 700 includes a transceiver module 701 and a processing module 702.
  • the transceiver module 701 is used to receive the target domain name configured by the user, and the resolution operation of the target domain name is performed by the target resolution server.
  • the processing module 702 is used to allocate a cache unit to the target domain name according to the user's instructions.
  • the cache unit is used to store the response message when the target resolution server is in the DDOS state, wherein the response message is used to respond to the domain name resolution request for the target domain name.
  • the processing module 702 is also configured to respond to the domain name resolution request for the target domain name based on the cache unit.
  • the user's instruction includes specification information of the cache unit.
  • the cache unit stores the DDOS status of the target resolution server.
  • the processing module 702 is specifically configured to use the response message to respond to the domain name resolution request when the cache unit stores a response message for the target domain name.
  • the processing module 702 is specifically configured to, when the cache unit does not store a response message for the target domain name, send the domain name resolution request to the target resolution server, obtain the response message sent by the target resolution server, and respond to the domain name resolution request according to the response status information included in the response message.
  • the processing module 702 is also configured to limit the rate of the domain name resolution request when there is no response message for the target domain name in the cache unit.
  • when there is no response message for the target domain name in the cache unit, the processing module 702 is specifically configured to determine, based on the response status information, that the response message is a correct response, and then store the response message sent by the target resolution server in the cache unit.
  • the processing module 702 is specifically configured to update the value in the resolution error counter for the target domain name when it determines, based on the response status information, that the response message is an error response.
  • when the value in the resolution error counter for the target domain name is greater than or equal to the count threshold, it is determined that the target resolution server is in a DDOS state.
  • each unit in the device can be implemented in the form of software calling through processing components; they can also all be implemented in the form of hardware; some units can also be implemented in the form of software calling through processing components, and some units can be implemented in the form of hardware.
  • each unit can be a separate processing element, or it can be integrated and implemented in a certain chip of the device.
  • a unit can also be stored in the memory in the form of a program, and a certain processing element of the device calls and executes the function of that unit.
  • all or part of these units can be integrated together, or they can be implemented independently.
  • the processing element described here can also be a processor, which can be an integrated circuit with signal processing capabilities.
  • each step of the above method or each unit above can be implemented by an integrated logic circuit of hardware in the processor element or implemented in the form of software calling through the processing element.
  • FIG. 8 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • the computing device 800 includes: a processor 801, a memory 802, a communication interface 803 and a bus 804.
  • the processor 801, the memory 802 and the communication interface 803 are coupled through a bus (not labeled in the figure).
  • the memory 802 stores instructions.
  • the computing device 800 executes the method executed by the cloud server in the above method embodiment.
  • the computing device 800 may be one or more integrated circuits configured to implement the above methods, such as one or more application specific integrated circuits (ASICs), one or more digital signal processors (DSPs), one or more field programmable gate arrays (FPGAs), or a combination of at least two of these integrated circuit forms.
  • the units in the device can be implemented in the form of a processing element scheduling a program; the processing element can be a general-purpose processor, such as a central processing unit (CPU) or another processor that can call programs.
  • these units can be integrated together and implemented in the form of a system-on-a-chip (SoC).
  • the processor 801 can be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), or a field programmable gate array (FPGA).
  • a general-purpose processor can be a microprocessor or any conventional processor.
  • the memory 802 may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (EPROM), or electrically erasable programmable read-only memory (EEPROM).
  • the volatile memory may be random access memory (RAM), which is used as an external cache; many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchlink dynamic random access memory (SLDRAM), and direct rambus random access memory (DR RAM).
  • the memory 802 stores executable program code, and the processor 801 executes the executable program code to respectively realize the functions of the aforementioned transceiver module, adaptive module and transcoding module, thereby realizing the above-mentioned live transcoding method. That is, the memory 802 stores instructions for executing the above-mentioned live transcoding method.
  • the communication interface 803 uses transceiver modules such as, but not limited to, network interface cards and transceivers to implement communication between the computing device 800 and other devices or communication networks.
  • the bus 804 may also include a power bus, a control bus, a status signal bus, etc.
  • the bus can be a peripheral component interconnect express (PCIe) bus, an extended industry standard architecture (EISA) bus, a unified bus (Ubus or UB), a compute express link (CXL), a cache coherent interconnect for accelerators (CCIX), etc.
  • the bus can be divided into an address bus, a data bus, a control bus, etc.
  • FIG. 9 is a schematic diagram of a computing device cluster provided by an embodiment of the present application.
  • the computing device cluster 900 includes at least one computing device 800.
  • the computing device 800 may be a server, such as a central server, an edge server, or a local server in a local data center.
  • the computing device 800 may also be a terminal device such as a desktop computer, a laptop computer, or a smartphone.
  • the memory 802 in one or more computing devices 800 in the computing device cluster 900 may store the same instructions for performing the above live transcoding method.
  • the memory 802 of one or more computing devices 800 in the computing device cluster 900 may also store part of the instructions for executing the above live transcoding method.
  • a combination of one or more computing devices 800 may jointly execute instructions for performing the above-described live transcoding method.
  • the memories 802 in different computing devices 800 in the computing device cluster 900 can store different instructions, which are respectively used to execute some functions of the above-mentioned live transcoding device. That is, the instructions stored in the memory 802 in different computing devices 800 can implement the functions of one or more modules in the transceiver module and the processing module.
  • one or more computing devices 800 in the computing device cluster 900 may be connected through a network.
  • the network may be a wide area network or a local area network, etc.
  • FIG. 10 is a schematic diagram of computer devices in a computer cluster being connected through a network according to an embodiment of the present application.
  • two computing devices 800A and 800B are connected through a network.
  • the connection to the network is made through a communication interface in each computing device.
  • the memory in the computing device 800A stores instructions for performing the functions of the transceiver module.
  • instructions for performing the functions of the processing module are stored in memory in computing device 800B.
  • the functions of computing device 800A shown in FIG. 10 may also be performed by multiple computing devices.
  • the functions of computing device 800B may also be performed by multiple computing devices.
  • a computer-readable storage medium is also provided.
  • Computer-executable instructions are stored in the computer-readable storage medium.
  • when the processor of a device executes the computer-executable instructions, the device executes the above method embodiment.
  • in another embodiment of the present application, a computer program product is provided, which includes a computer program.
  • computer-executable instructions are stored in a computer-readable storage medium.
  • when the processor of a device executes the computer-executable instructions, the device executes the method executed by the cloud server in the above method embodiment.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.
  • when the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of it, can be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of this application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.

Abstract

Disclosed in the embodiments of the present application is a method for preventing erroneous blocking in a distributed denial of service (DDOS) attack, which is used for improving an erroneous blocking prevention effect in a DDOS attack. The method in the embodiments of the present application comprises: receiving a target domain name, which is configured by a user, wherein a resolution operation for the target domain name is executed by a target resolution server; allocating a cache unit to the target domain name according to an instruction from the user, wherein the cache unit is used for storing a reply message when the target resolution server is in a DDOS state, wherein the reply message is used for responding to a domain name resolution request for the target domain name; and responding to the domain name resolution request for the target domain name on the basis of the cache unit.

Description

Method and apparatus for preventing erroneous blocking in a distributed denial of service (DDOS) attack
This application claims priority to Chinese patent application No. 202211055064.2, filed with the China Patent Office on August 31, 2022 and entitled "Method and apparatus for preventing erroneous blocking in a distributed denial of service (DDOS) attack", the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the present application relate to the field of computers, and in particular to a method and apparatus for preventing erroneous blocking in a distributed denial of service (DDOS) attack.
Background
The domain name system (DNS) is a locating and scheduling system on which important business access on the Internet depends. There are currently a large number of pan-domain-name attacks against DNS on the Internet; a pan-domain-name attack is a high volume of domain name resolution requests whose domain name prefix keeps changing, and such an attack can be a distributed denial of service (DDOS) attack.
Currently, when a DNS server faces a DDOS attack, it identifies the source IP addresses that launched the attack and blacklists them, so as to defend against the attack. In a cloud scenario, an attacker can obtain a large number of virtual machines and corresponding IP addresses, so blocking IP addresses has a poor defensive effect for the DNS service in a cloud server.
At the same time, the initiator of a DDOS attack may be a zombie (bot) server hijacked by a hacker, and that server may itself be running legitimate business; that is, the DDOS attack traffic is mixed into normal business traffic, so blocking IP addresses erroneously blocks a large amount of normal business and causes business damage.
Summary
Embodiments of the present application provide a method for preventing erroneous blocking in a DDOS attack, which is used to improve the erroneous-blocking prevention effect against DDOS attacks.
A first aspect of the embodiments of the present application provides a method for preventing erroneous blocking in a DDOS attack. The method may be executed by a cloud server, by a component of the cloud server such as its processor, chip or chip system, or by a logic module or software that implements all or part of the cloud server's functions. Taking execution by the cloud server as an example, the method provided by the first aspect includes the following steps. The cloud server receives a target domain name configured by a user, where the resolution operation for the target domain name is executed by a target resolution server. Specifically, the cloud server receives a domain name resolution request sent by a client, which requests the IP address corresponding to the target domain name. The cloud server allocates a cache unit to the target domain name according to the user's instruction; the cache unit includes a domain name resolution security cache (DSC). The cache unit is used to store a response message when the target resolution server is in a DDOS state, where the response message is used to respond to a domain name resolution request for the target domain name and includes the IP address corresponding to the target domain name. The cloud server responds to the domain name resolution request for the target domain name based on the cache unit.
The response includes reading the IP address corresponding to the target domain name from the cache unit and sending a response message to the user side.
In embodiments of the present application, the cloud server can, according to the user's instruction, provide a cache unit that caches the IP addresses obtained by the target resolution server. When the target resolution server is in a DDOS state, the cloud server can obtain the IP address corresponding to the target domain name from the cache unit, which improves the response speed of domain name resolution requests in the DDOS state and further improves the erroneous-blocking prevention effect against DDOS.
In a possible implementation, the user's instruction includes specification information of the cache unit. Specifically, the cloud server receives an order request sent by the client, which is used to obtain the cache unit. The specification information in the order request includes one or more of the following: the domain name suffixes for which erroneous-blocking prevention is specified, the number of domain names the DSC caches, the cache refresh time in the DSC, the VPC bound to the DSC, and the purchase duration of the erroneous-blocking prevention service.
In embodiments of the present application, the cloud server can configure the domain name resolution security cache DSC according to the user's order request, thereby providing the user with a DDOS erroneous-blocking prevention service and making it more convenient for the user side to obtain that service. At the same time, the user side can choose among multiple specifications of the DSC, which increases the configuration options for the cache unit.
In a possible implementation, the cache unit stores the DDOS status of the target resolution server. Specifically, after the cloud server receives the client's domain name resolution request, it queries the security status of the cloud server based on the DSC; the DSC is used to store the security status of the cloud server, which is either a DDOS state or a non-DDOS state. The cloud server can read the security status of the target resolution server from the cache unit and transparently forward the domain name resolution request according to that status.
In embodiments of the present application, the cloud server can read the security status of the target resolution server from the cache unit DSC and respond to the domain name resolution request according to that status, which improves the erroneous-blocking prevention effect against DDOS.
In a possible implementation, when the cloud server responds to the domain name resolution request for the target domain name based on the cache unit and the cache unit holds a response message for the target domain name, it uses that response message to respond to the request. Specifically, when the IP address corresponding to the target domain name is stored in the cache unit, the cache unit generates a response message based on that IP address and sends the response message to the user.
In embodiments of the present application, the security cache provided by the cloud server can cache the IP address corresponding to the target domain name, so that when the cloud server receives a user's resolution request for the target domain name, it generates the response message directly from the IP address stored in the cache unit and responds to the request, which improves the response efficiency of domain name resolution requests.
In a possible implementation, when the cloud server responds to the domain name resolution request for the target domain name based on the cache unit and the cache unit holds no response message for the target domain name, the cloud server sends the domain name resolution request to the target resolution server, obtains the response message sent by the target resolution server, and responds to the domain name resolution request according to the response status information included in the response message.
In embodiments of the present application, when the IP address corresponding to the target domain name is not cached in the cloud server's cache unit, the cloud server transparently forwards the domain name resolution request for the target domain name to the target resolution server; compared with directly blocking IP addresses, this improves the erroneous-blocking prevention effect against DDOS.
In a possible implementation, when the cache unit holds no response message for the target domain name and the target resolution server is in a DDOS state, the domain name resolution request is rate-limited. Specifically, the cloud server adds the domain name resolution request for the target domain name to a rate limit queue and periodically sends the queued domain name resolution requests to the target resolution server.
In embodiments of the present application, the cloud service can rate-limit domain name resolution requests, which prevents the target resolution server from being unable to process domain name resolution requests in the DDOS state and thereby improves the erroneous-blocking prevention effect against DDOS.
In a possible implementation, when the cloud server responds to the domain name resolution request according to the response status information included in the response message and determines from that information that the response message is a correct response, it stores the response message sent by the target resolution server in the cache unit. The response status information includes the IP address corresponding to the target domain name.
In embodiments of the present application, the cloud server can store in the cache unit the IP address of a target domain name whose domain name resolution request was answered correctly; when the cloud server again receives a resolution request for that target domain name, it can respond directly from the IP address stored in the cache unit, which improves the cloud server's response speed to domain name resolution requests.
In a possible implementation, when the cloud server responds to the domain name resolution request according to the response status information included in the response message and determines from that information that the response message is an error response, it updates the value of the resolution error counter corresponding to the domain name suffix of the target domain name. When the value of the resolution error counter for the target domain name is greater than or equal to a count threshold, the target resolution server is determined to be in a DDOS state, and the DDOS state is written into the cache unit. The response status information includes an error parameter, which indicates the parameters related to the domain name resolution failure.
本申请实施例中云服务器的解析错误计算器能够域名后缀对应的域名解析失败次数,从而根据同一域名后缀的域名解析失败次数判断目标解析服务器是否处于DDOS状态,从而提升云服务器对于DDOS攻击的识别能力。The parsing error calculator of the cloud server in the embodiment of the present application can determine the number of domain name parsing failures corresponding to the domain name suffix, thereby determining whether the target parsing server is in a DDOS state based on the number of domain name parsing failures for the same domain name suffix, thereby improving the cloud server's identification of DDOS attacks. ability.
一种可能的实施方式中,DSC包括域名系统安全缓存入口DSC-ingress组件、域名系统安全缓存出口DSC-egress组件和域名系统安全缓存图DSC-map组件,云服务器接收用户端发送的域名解析请求的过程中,云服务器基于DSC-ingress组件接收用户端发送的域名解析请求。DSC-egress组件用于获取域名解析请求对应的域名解析记录,域名解析记录包括向目标解析服务器请求得到的IP地址。DSC-map组件用于缓存域名解析记录和目标解析服务器的安全状态。In a possible implementation, the DSC includes a domain name system security cache entrance DSC-ingress component, a domain name system security cache egress DSC-egress component, and a domain name system security cache map DSC-map component. The cloud server receives the domain name resolution request sent by the client. In the process, the cloud server receives the domain name resolution request sent by the client based on the DSC-ingress component. The DSC-egress component is used to obtain the domain name resolution record corresponding to the domain name resolution request. The domain name resolution record includes the IP address requested from the target resolution server. The DSC-map component is used to cache domain name resolution records and the security status of the target resolution server.
本申请实施例中云服务器的缓存单元包括多个DSC组件,多个DSC组件共同实现缓存单元内的功能,从而提升了方案的可实现性。In the embodiment of the present application, the cache unit of the cloud server includes multiple DSC components, and the multiple DSC components jointly implement the functions in the cache unit, thereby improving the realizability of the solution.
一种可能的实施方式中,当目标解析服务器处于非DDOS状态时,DSC-egress组件将域名解析记录存储至DSC-map组件。当目标解析服务器处于DDOS状态时,DSC-map组件将域名解析记录导入DSC-ingress组件。In a possible implementation, when the target resolution server is in a non-DDOS state, the DSC-egress component stores the domain name resolution record to the DSC-map component. When the target resolution server is in a DDOS state, the DSC-map component imports domain name resolution records into the DSC-ingress component.
本申请实施例中云服务器在确定目标解析服务器处于DDOS状态时能够将DSC-map组件中缓存的域名解析记录导入DSC-ingress组件,从而提升域名解析请求的响应速度。In the embodiment of this application, when the cloud server determines that the target resolution server is in a DDOS state, it can import the cached domain name resolution records in the DSC-map component into the DSC-ingress component, thereby improving the response speed of domain name resolution requests.
A second aspect of the embodiments of this application provides an apparatus for preventing erroneous blocking in a distributed denial of service (DDOS) attack. The apparatus includes a transceiver module and a processing module. The transceiver module is used to receive a target domain name configured by a user, where the resolution of the target domain name is performed by a target resolution server. The processing module is used to allocate a cache unit to the target domain name according to the user's instruction, where the cache unit is used to store a response message when the target resolution server is in a DDOS state, and the response message is used to respond to a domain name resolution request for the target domain name. The processing module is further used to respond to domain name resolution requests for the target domain name based on the cache unit.
In a possible implementation, the user's instruction includes specification information of the cache unit.
In a possible implementation, the cache unit stores the DDOS state of the target resolution server.
In a possible implementation, the processing module is specifically used to respond to the domain name resolution request with the response message when the cache unit holds a response message for the target domain name.
In a possible implementation, the processing module is specifically used to send the domain name resolution request to the target resolution server when the cache unit holds no response message for the target domain name, obtain the response message sent by the target resolution server, and respond to the domain name resolution request according to the response status information included in the response message.
In a possible implementation, the processing module is further used to rate-limit the domain name resolution request when the cache unit holds no response message for the target domain name.
In a possible implementation, when the cache unit holds no response message for the target domain name, the processing module is specifically used to store the response message sent by the target resolution server in the cache unit when it determines from the response status information that the response message is a correct response.
In a possible implementation, the processing module is specifically used to update the value of the resolution error counter for the target domain name when it determines from the response status information that the response message is an error response, and to determine that the target resolution server is in a DDOS state when the value of the resolution error counter for the target domain name is greater than or equal to the count threshold.
A third aspect of the embodiments of this application provides a computing device cluster including at least one computing device, each computing device including a processor. The processor of the at least one computing device is used to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method of the first aspect or of any possible implementation of the first aspect.
A fourth aspect of the embodiments of this application provides a computer-readable storage medium storing instructions which, when executed, cause a computer to perform the method of the first aspect or of any possible implementation of the first aspect.
A fifth aspect of the embodiments of this application provides a computer program product including instructions which, when executed, cause a computer to implement the method of the first aspect or of any possible implementation of the first aspect.
It can be understood that the beneficial effects achievable by any of the computing device cluster, computer-readable medium or computer program product provided above may be found in the beneficial effects of the corresponding method and are not repeated here.
Description of drawings
Figure 1a is a schematic diagram of the system architecture of a DDOS erroneous-blocking prevention system provided by an embodiment of this application;
Figure 1b is a schematic diagram of the system architecture of another DDOS erroneous-blocking prevention system provided by an embodiment of this application;
Figure 2 is a schematic flow chart of a DDOS erroneous-blocking prevention method provided by an embodiment of this application;
Figure 3 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of this application;
Figure 4 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of this application;
Figure 5 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of this application;
Figure 6 is a schematic flow chart of another DDOS erroneous-blocking prevention method provided by an embodiment of this application;
Figure 7 is a schematic structural diagram of a DDOS apparatus provided by an embodiment of this application;
Figure 8 is a schematic structural diagram of a computing device provided by an embodiment of this application;
Figure 9 is a schematic structural diagram of a computing device cluster provided by an embodiment of this application;
Figure 10 is a schematic structural diagram of another computing device cluster provided by an embodiment of this application.
Detailed description
Embodiments of this application provide a method and apparatus for preventing erroneous blocking in a distributed denial of service (DDOS) attack, which are used to improve the effectiveness of preventing erroneous blocking under a DDOS attack.
The terms "first", "second", "third", "fourth" and the like (if present) in the description and claims of this application and in the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described here. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
In the embodiments of this application, words such as "exemplary" or "for example" are used to denote an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application is not to be construed as preferred or more advantageous than other embodiments or designs. Rather, the words "exemplary" or "for example" are used to present the related concept in a concrete manner.
First, the terms involved in the embodiments of this application are introduced so that those skilled in the art can understand the solution.
The domain name system (DNS) is the domain name resolution service of the Internet. DNS is a distributed database that maps domain names and IP addresses to each other, enabling a client to obtain the IP address corresponding to a domain name through DNS.
A wildcard domain name attack is a high-volume stream of domain name resolution requests whose prefix changes randomly.
A distributed denial of service (DDOS) attack means that multiple attackers in different locations attack one or several targets at the same time, or that one attacker controls multiple machines in different locations and uses them to attack the victim simultaneously.
The extended Berkeley Packet Filter (eBPF) is a general-purpose execution engine that provides a framework for executing specific code efficiently and safely in response to system or program events.
The domain name system safe cache (DSC) is a software module provided by the embodiments of this application. It is deployed on a cloud server and provides IP address caching, DDOS attack identification and DDOS erroneous-blocking prevention for the DNS in the cloud server.
A full-function DNS server is a server that provides both local DNS resolution and recursive DNS resolution.
The DDOS erroneous-blocking prevention method and apparatus provided by the embodiments of this application are described below with reference to the drawings.
Refer to Figure 1a, which is a schematic diagram of the system architecture of a DDOS erroneous-blocking prevention system provided by an embodiment of this application. In the example shown in Figure 1a, the DDOS erroneous-blocking prevention system 100 includes a cloud server 101 and a client 102, where the domain name system safe cache DSC module 1011 and the target resolution server 1012 are deployed in the server 101; the DSC module 1011 and the target resolution server 1012 may also be deployed on different servers.
The functions of the parts of the DDOS erroneous-blocking prevention system are described in detail below.
The target resolution server 1012 in the cloud server 101 provides domain name resolution services, obtaining the corresponding IP address from the target domain name in a domain name resolution request. The domain name resolution services include a local domain name resolution service and a recursive domain name resolution service, where the local domain name resolution service refers to the scenario in which the target resolution server 1012 itself provides domain name resolution, and the recursive domain name resolution service refers to the scenario in which the target resolution server 1012 performs recursive domain name resolution through other resolution servers.
The DSC module 1011 in the cloud server 101 provides the target resolution server 1012 with services such as identifying DDOS attacks, caching domain name data and answering domain name resolution requests. The DSC module 1011 uses the eBPF architecture to process domain name resolution requests quickly in a DDOS scenario without passing through the operating system kernel: it can answer legitimate domain name resolution requests quickly in the early stage of a DDOS attack, rate-limit suspicious domain name resolution requests, and continuously collect legitimate responses so as to gradually reduce erroneous blocking.
The DSC module 1011 includes a domain name system safe cache ingress DSC-ingress component 1011a, a domain name system safe cache egress DSC-egress component 1011b, a domain name system safe cache map DSC-map component 1011c and a domain name system safe cache control DSC-control component. The DSC-map component 1011c may be a database external to the DSC module 1011.
The DSC-ingress component 1011a handles the flow of receiving domain name resolution requests. Specifically, it answers a domain name resolution request when the requested domain name hits the cache; when the requested domain name misses the cache, it transparently forwards the request to the target resolution server 1012 and rate-limits it; and it drops packets when the buffer overflows during transparent forwarding.
The DSC-egress component 1011b handles the flow of responding to domain name resolution requests. Specifically, this includes counting the number of resolution failures per domain name suffix in order to identify an attack state, and caching the obtained domain name resolution records in the DSC-map component 1011c, where a domain name resolution record includes the IP address corresponding to the domain name resolution request.
The DSC-map component 1011c stores the security state of the target resolution server 1012 and caches domain name resolution records. The security state of the target resolution server 1012 indicates whether the target resolution server 1012 is in a DDOS state or a non-DDOS state.
The DSC-control component 1011c controls the DSC-egress component 1011b so that it caches the obtained domain name resolution records in the DSC-map component 1011c.
The client 102 sends domain name resolution requests to the cloud server 101. The client 102 may be an independent user device or a virtual machine in a cloud server; this is not specifically limited.
Refer to Figure 1b, which is a schematic structural diagram of another DDOS erroneous-blocking prevention system provided by an embodiment of this application. In the example shown in Figure 1b, the DSC module 1011 and the target resolution server 103 are deployed on different servers; for example, the DSC module 1011 is deployed on the cloud server 101, and the target resolution server 103 and the cloud server 101 are deployed on different servers.
It can be understood that when the target resolution server 103 and the cloud server 101 are deployed on different servers, the DDOS erroneous-blocking prevention service provided by the cloud server 101 and the domain name resolution service provided by the target resolution server 103 may be cloud services provided by different vendors.
The method and apparatus for preventing erroneous blocking in a DDOS attack provided by the embodiments of this application are described below.
请参阅图2,图2为本申请实施例提供的一种DDOS攻击防误杀方的流程示意图。图2 所示的包括但不限于以下步骤:Please refer to Figure 2. Figure 2 is a schematic flow chart of a DDOS attack prevention method provided by an embodiment of the present application. figure 2 The steps shown include, but are not limited to, the following:
201.云服务器接收用户端发送的DDOS防误杀服务的订购请求。201. The cloud server receives the ordering request for the DDOS anti-accidental service sent by the client.
云服务器接收用户的指令。具体的,云服务器能够接收用户端发送的订购请求,订购请求用于获取DDOS的防误杀服务。订购请求包括以下一项或多项缓存单元的规格信息:指定防误杀的域名后缀信息、DSC缓存域名的数量信息(即DSC的存储容量)、DSC中缓存刷新时间、绑定所述DCS的VPC信息和防误杀服务购买时长。The cloud server receives the user's instructions. Specifically, the cloud server can receive the ordering request sent by the client, and the ordering request is used to obtain the anti-accidental killing service of DDOS. The ordering request includes one or more of the following specifications of the cache unit: domain name suffix information that specifies anti-accidental killing, quantity information of DSC cache domain names (that is, the storage capacity of DSC), cache refresh time in DSC, and VPC bound to the DCS. Information and manslaughter prevention service purchase duration.
202.云服务器根据订购请求分配缓存单元。202. The cloud server allocates cache units according to the order request.
云服务器根据用户的指令,分配目标域名分配缓存单元。具体的,云服务器根据用户端发送的订购请求中的规格信息分配DSC,DSC用于在目标解析服务器处于DDOS状态时存储应答报文,即存储目标域名对应的域名解析记录,域名解析记录包括目标域名对应的IP地址。The cloud server allocates the target domain name and cache unit according to the user's instructions. Specifically, the cloud server allocates a DSC based on the specification information in the order request sent by the user. The DSC is used to store the response message when the target resolution server is in the DDOS state, that is, to store the domain name resolution record corresponding to the target domain name. The domain name resolution record includes the target domain name. The IP address corresponding to the domain name.
需要说明的是,当用户端发送的订购请求中指定了防误杀的域名或域名后缀时,云服务器根据用户的指令,云服务器分配DSC,DSC对指定域名或域名后缀对应的域名解析请求进行DDOS防误杀。It should be noted that when the order request sent by the user specifies an anti-accidental domain name or domain name suffix, the cloud server will allocate a DSC according to the user's instructions, and the DSC will perform DDOS on the domain name resolution request corresponding to the specified domain name or domain name suffix. Prevent manslaughter.
请参阅图3,图3为本申请实施例提供的一种订购DDOS防误杀服务的流程示意图。在图3所示的示例中,用户端向云服务器请求订购DDOS防误杀服务,用户可以指定防误杀的域名后缀信息、需要绑定DSC的用户端虚拟机和需要DSC服务的时间。当用户端指定了防误杀的域名后缀信息,则云服务仅对指定域名后缀的域名解析请求进行防误杀。Please refer to Figure 3. Figure 3 is a schematic flow chart of ordering a DDOS anti-accidental service provided by an embodiment of the present application. In the example shown in Figure 3, the client requests to subscribe to the DDOS anti-accidental killing service from the cloud server. The user can specify the anti-accidental domain name suffix information, the client virtual machine that needs to be bound to DSC, and the time when the DSC service is required. When the user specifies the domain name suffix information to prevent accidental killing, the cloud service only performs accidental killing prevention on domain name resolution requests with the specified domain name suffix.
在图3所示的示例中,当用户端未指定防误杀的域名后缀信息,则用户端需要进一步设置DSC中缓存的域名以及IP地址的数量,并设置DSC缓存的自动刷新时间。此时,DSC-egress组件基于该自动刷新时间定期刷新DSC-map组件中的缓存的数据,并且,当缓存的域名以及IP地址的数量超过用户端的设置数量时,DSC-egress组件会按照最少最近使用算法清理缓存的数据。In the example shown in Figure 3, when the user does not specify the domain name suffix information to prevent accidental killing, the user needs to further set the number of domain names and IP addresses cached in the DSC, and set the automatic refresh time of the DSC cache. At this time, the DSC-egress component regularly refreshes the cached data in the DSC-map component based on the automatic refresh time. Moreover, when the number of cached domain names and IP addresses exceeds the number set by the user, the DSC-egress component will refresh the data according to the least recent Use algorithms to clean cached data.
203.云服务器接收用户端发送的域名解析请求。203. The cloud server receives the domain name resolution request sent by the client.
云服务器接收用户端发送的域名解析请求,域名解析请求包括目标域名,该域名解析请求用于请求目标域名对应的IP地址。云服务器接收域名解析请求之后,基于DSC查询云服务器的安全状态,安全状态包括DDOS状态和非DDOS状态。具体的,云服务器的DSC-ingress组件接收用户端发送的域名解析请求之后,DSC-ingress组件从DSC-map组件获取云服务器的安全状态,其中DSC-map组件存储了云服务器的安全状态。The cloud server receives the domain name resolution request sent by the client. The domain name resolution request includes the target domain name. The domain name resolution request is used to request the IP address corresponding to the target domain name. After the cloud server receives the domain name resolution request, it queries the security status of the cloud server based on DSC. The security status includes DDOS status and non-DDOS status. Specifically, after the DSC-ingress component of the cloud server receives the domain name resolution request sent by the client, the DSC-ingress component obtains the security status of the cloud server from the DSC-map component, where the DSC-map component stores the security status of the cloud server.
请参阅图4,图4本申请实施例提供的一种云服务接收域名解析请求处理流程示意图。在图4所示的示例中,云服务器通过网卡接收到域名解析请求之后,将域名解析请求发送至目标解析服务器之前,先由DSC-ingress组件对域名解析请求进行处理。例如,在步骤1至5中,DSC-ingress组件从DSC-map组件中读取云服务器的安全状态,当目标解析服务器处于DDOS状态时,则DSC-ingress组件向目标解析服务器发送域名解析请求,由目标解析服务器处理该域名解析请求。Please refer to Figure 4, which is a schematic diagram of the processing flow of a cloud service receiving a domain name resolution request provided by an embodiment of the present application. In the example shown in Figure 4, after the cloud server receives the domain name resolution request through the network card, and before sending the domain name resolution request to the target resolution server, the DSC-ingress component first processes the domain name resolution request. For example, in steps 1 to 5, the DSC-ingress component reads the security status of the cloud server from the DSC-map component. When the target resolution server is in the DDOS state, the DSC-ingress component sends a domain name resolution request to the target resolution server. The target resolution server handles the domain name resolution request.
204.云服务器基于缓存单元响应域名解析请求。204. The cloud server responds to the domain name resolution request based on the cache unit.
云服务器基于缓存单元响应域名解析请求。当缓存单元中存有针对目标域名的应答报 文时,云服务器利用应答报文对域名解析请求进行响应。当缓存单元中未存有针对目标域名的应答报文时,云服务器将域名解析请求发送至目标解析服务器,获取目标解析服务器发送的应答报文,根据应答报文包括的应答状态信息,对域名解析请求进行响应。The cloud server responds to domain name resolution requests based on the cache unit. When the cache unit stores a response message for the target domain name When sending a message, the cloud server uses the response message to respond to the domain name resolution request. When there is no response message for the target domain name in the cache unit, the cloud server sends the domain name resolution request to the target resolution server, obtains the response message sent by the target resolution server, and analyzes the domain name based on the response status information included in the response message. Parse the request and respond.
The response status information comprises either the IP address corresponding to the target domain name or an error parameter. When the response status information is the IP address corresponding to the target domain name, the response message is a correct response, that is, the target resolution server resolved the domain name successfully. When the response status information is an error parameter, the response message is an error response, that is, the target resolution server failed to resolve the domain name.
Specifically, after the DSC-ingress component obtains the security status recorded for the target resolution server, if the target resolution server is in the non-DDoS state, the DSC-ingress component passes the domain name resolution request through to the target resolution server unchanged. The target resolution server then obtains, from the request, either the IP address corresponding to the target domain name or a resolution error parameter for it.
When the cloud server determines, based on the DSC-map component, that the target resolution server is in the DDoS state, it goes on to query the DSC (the domain name system security cache, which stores already-resolved domain names and their corresponding IP addresses) for the IP address corresponding to the target domain name in the resolution request. If no IP address for the target domain name exists in the DSC, the DSC adds the resolution request to a rate-limit queue, where it waits to be sent to the target resolution server.
In the embodiment of this application, when the target resolution server resolves the IP address corresponding to the target domain name, it may obtain that address from a local domain name resolution service module, or from an external DNS service module by recursive or iterative queries; this is not specifically limited.
Referring again to Figure 4, in steps 6, 7 and 10 to 12 of the example shown there, the DSC-ingress component reads the IP addresses cached in the DSC-map component. When the IP address corresponding to the target domain name in a resolution request is not cached in DSC-map, the DSC-ingress component adds the request to the rate-limit queue and periodically sends the requests in that queue to the target resolution server, so that, in the DDoS state, resolution requests with no cached record are rate limited.
205. The cloud server sends the domain name resolution result corresponding to the target domain name to the client.
After obtaining the resolution result for the target domain name, the cloud server sends it to the client. The result comprises either the IP address corresponding to the target domain name or a resolution error parameter. For example, when the cloud server determines that the IP address corresponding to the target domain name exists in the domain name system security cache (DSC), it reads that cached IP address and sends it to the client.
When the cloud server determines that the IP address corresponding to the target domain name does not exist in the DSC, it waits until it obtains that IP address from the target resolution server and then sends it to the client.
Referring again to Figure 4, in steps 7 to 9 of the example shown there, when the DSC has cached the IP address corresponding to the target domain name in the resolution request, that cached IP address is read from the DSC and sent to the client.
In the embodiment of this application, when the cloud server determines from the response status information that the response message is an error response, it updates the value of the resolution error counter for the target domain name. When the value of that counter is greater than or equal to a count threshold, the target resolution server is determined to be in the DDoS state; that is, the cloud server determines the security status from the resolution results of the domain name resolution requests. Specifically, when the number of failed resolutions across multiple resolution requests for domain names sharing the same domain name suffix exceeds the count threshold, the cloud server sets the security status to the DDoS state and caches the target resolution server's security status in the DSC-map component.
Referring to Figure 5, which is a schematic flow chart of a cloud server responding to a domain name resolution request according to an embodiment of this application. In the example shown there, after the DSC-ingress component of the cloud server passes the resolution request through to the target resolution server, the target resolution server answers the request and sends the response to the DSC-egress component. The DSC-egress component reads the security status stored in the DSC-map component; if the target resolution server is in the non-DDoS state and the requested IP address was resolved successfully, the DSC-egress component sends that IP address to the client.
In the example of Figure 5, after the DSC-egress component reads the security status stored in the DSC-map component, the cloud server further determines whether the resolution request succeeded. If resolution of the requested IP address failed, the cloud server increments by 1, in the domain name suffix resolution failure counter, the failure count for the suffix of the domain name in that request. When the number of failed resolutions across multiple resolution requests for the same domain name suffix exceeds a preset threshold, the cloud server writes the DDoS state into the DSC-map component and notifies the DSC-control component to write the correct IP addresses corresponding to the resolution requests into the DSC-map component; these correct IP addresses are also referred to in this application as authoritative data.
In the embodiment of this application, when the cloud server determines from the response status information that the response message is a correct response, it stores the response message sent by the target resolution server in the cache unit; that is, the cloud server can store the domain name resolution records it obtains in the DSC. Specifically, after the DSC-egress component of the cloud server obtains a correctly resolved domain name data record, it stores that record in the DSC-map component.
In the embodiment of this application, the cache unit caches response messages while the target resolution server is in the DDoS state; that is, while the target resolution server is in the DDoS state, the cloud server can obtain the IP address corresponding to the target domain name and store it in the DSC. Because the cloud server only enables caching of response messages while the target resolution server is in the DDoS state, DSC cache space is conserved.
Referring again to Figure 5, in the example shown there, the DSC-egress component reads the security status stored in the DSC-map component. If the target resolution server is in the DDoS state and the requested IP address was resolved successfully, the DSC-egress component checks whether that IP address is already cached in the DSC-map component; if not, it writes the IP address corresponding to that resolution request into the DSC-map component.
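The following is an added example, not code from the patent or its applicant, that models the ingress and egress logic of Figures 4 and 5 in one place: pass-through in the non-DDoS state, cache lookup and rate-limit queue on a miss in the DDoS state, a per-suffix resolution error counter that switches the state once the count threshold is reached, import of authoritative data on that transition, and caching of correct responses only while in the DDoS state. Class and method names (SecurityCache, ingress, egress, drain), the derivation of the "domain name suffix" as the last two labels, the cache capacity taken from the cache unit's specification, and the authoritative records that DSC-control would supply are all assumptions; the patent does not define them.

```python
"""Added example: a minimal model of DSC-map, DSC-ingress and DSC-egress behaviour.
Not code from the patent. Names, suffix rule and capacity handling are assumptions."""
from __future__ import annotations

from collections import deque

NON_DDOS = "non-DDOS"
DDOS = "DDOS"


def domain_suffix(name: str, labels: int = 2) -> str:
    """Key for the resolution failure counter.
    Assumption: the 'domain name suffix' is the last two labels (a.b.example.com -> example.com).
    A real deployment would consult the public suffix list instead."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


class SecurityCache:
    """Models DSC-map (cache plus security status), DSC-ingress and DSC-egress."""

    def __init__(self, threshold: int, capacity: int, authoritative: dict | None = None):
        self.threshold = threshold                      # count threshold for the error counter
        self.capacity = capacity                        # cache-unit size from the user's spec (assumed)
        self.authoritative = dict(authoritative or {})  # records DSC-control would write (assumed)
        self.state = NON_DDOS
        self.cache: dict[str, str] = {}                 # DSC-map: domain name -> IP address
        self.failures: dict[str, int] = {}              # per-suffix resolution error counter
        self.queue: deque[str] = deque()                # rate-limit queue of domain names

    # DSC-ingress, steps 6, 7 and 10 to 12 of Figure 4
    def ingress(self, name: str) -> tuple[str, str | None]:
        if self.state == NON_DDOS:
            return ("forward", name)                    # transparent pass-through to the resolver
        ip = self.cache.get(name.lower())
        if ip is not None:
            return ("respond", ip)                      # answered from cache, no resolver load
        self.queue.append(name)                         # cache miss under DDoS: rate limit
        return ("queued", None)

    def drain(self, per_interval: int) -> list[str]:
        """Periodic drain of the rate-limit queue: at most per_interval requests are forwarded."""
        out: list[str] = []
        while self.queue and len(out) < per_interval:
            out.append(self.queue.popleft())
        return out

    # DSC-egress, Figure 5
    def egress(self, name: str, ip: str | None, error: str | None = None) -> tuple[str, str | None]:
        name = name.lower()
        if error is not None:                           # error response: bump the suffix counter
            suffix = domain_suffix(name)
            self.failures[suffix] = self.failures.get(suffix, 0) + 1
            if self.state == NON_DDOS and self.failures[suffix] >= self.threshold:
                self._enter_ddos()
            return ("error", error)
        # correct response: cached only in the DDoS state and only within capacity
        if self.state == DDOS and name not in self.cache and len(self.cache) < self.capacity:
            self.cache[name] = ip
        return ("respond", ip)

    def _enter_ddos(self) -> None:
        self.state = DDOS
        # on the transition DSC-control writes the authoritative data into DSC-map
        for name, ip in self.authoritative.items():
            if len(self.cache) >= self.capacity:
                break
            self.cache.setdefault(name.lower(), ip)


def simulate_random_subdomain_flood(threshold: int = 3) -> dict:
    """Constructed scenario (not from the patent): random-label queries under one suffix all
    fail until the counter trips; afterwards known names are served from cache and unknown
    names are rate limited instead of being dropped."""
    dsc = SecurityCache(threshold=threshold, capacity=100,
                        authoritative={"www.example.com": "192.0.2.10"})
    before = dsc.ingress("www.example.com")             # non-DDoS: pass-through
    dsc.egress("www.example.com", "192.0.2.10")         # correct, but not cached in non-DDoS state
    for i in range(threshold):                          # the flood: every label is an error
        dsc.ingress(f"x{i}.example.com")
        dsc.egress(f"x{i}.example.com", None, error="SERVFAIL")
    during_known = dsc.ingress("www.example.com")       # legitimate client: cache hit
    during_unknown = dsc.ingress("mail.example.com")    # unknown name: queued
    forwarded = dsc.drain(per_interval=1)               # one request per drain interval
    dsc.egress("mail.example.com", "192.0.2.25")        # correct answer is now cached
    return {
        "before": before, "state": dsc.state, "during_known": during_known,
        "during_unknown": during_unknown, "forwarded": forwarded,
        "cached_after": dsc.cache.get("mail.example.com"),
        "failures": dsc.failures["example.com"],
    }


if __name__ == "__main__":
    print(simulate_random_subdomain_flood())
```

Two points a practitioner would check before relying on this logic. First, the text says both "greater than or equal to" and "exceeds" the threshold; the model uses the former, and the difference is one request. Second, the patent describes the transition into the DDoS state but not the way back, nor any decay of the error counter, so in a deployment a counter window and an exit condition have to be added; the capacity check on the cache is there because in the DDoS state the cache is populated by whatever resolves correctly, which under a wildcard zone would otherwise let the attacker's own random names fill the cache unit.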
In the embodiment of this application, after the security status switches from the non-DDoS state to the DDoS state, the cloud server instructs the DSC-map component to import its cached domain name data records into the DSC-ingress component. The cloud server can then answer domain name resolution requests from the client using the records imported into the DSC-ingress component. These domain name data records include both local domain name data records and recursive domain name data records.
Referring to Figure 6, which is a schematic diagram of DSC deployment architectures in different scenarios according to an embodiment of this application. In the example shown there, the DSC and the target resolution server may be deployed on different nodes, and DSC-map may be a database external to the DSC. In the non-DDoS scenario, the DSC-ingress component receives resolution requests and sends them to the target resolution server, which returns the corresponding results to the DSC-egress component. The DSC-egress component collects all domain name data records and stores them in the DSC-map component.
In the DDoS scenario, the server instructs the DSC-map component to import its cached domain name data records into the DSC-ingress component. On receiving a resolution request, the DSC-ingress component looks up the IP address corresponding to the request directly in the imported records, without querying the DSC-map component again, which shortens the cloud server's response time to resolution requests.
In the embodiment of this application, when the target resolution server is in the DDoS state, the cloud server can obtain the IP address corresponding to the target domain name from the cache unit, which improves the response speed of resolution requests in the DDoS state and further improves the prevention of erroneous blocking under DDoS.
The foregoing describes the DDoS erroneous-blocking prevention method provided by the embodiments of this application; the apparatus provided by the embodiments is described below with reference to the accompanying drawings.
Referring to Figure 7, which is a schematic structural diagram of a DDoS erroneous-blocking prevention apparatus according to an embodiment of this application. The apparatus implements the steps performed by the cloud server in the foregoing embodiments. As shown in Figure 7, the DDoS erroneous-blocking prevention apparatus 700 comprises a transceiver module 701 and a processing module 702.
The transceiver module 701 is configured to receive a target domain name configured by a user, where resolution of the target domain name is performed by a target resolution server. The processing module 702 is configured to allocate, according to the user's instruction, a cache unit to the target domain name; the cache unit stores response messages while the target resolution server is in the DDoS state, where a response message answers a domain name resolution request for the target domain name. The processing module 702 is further configured to respond to domain name resolution requests for the target domain name based on the cache unit.
In a possible implementation, the user's instruction includes specification information of the cache unit.
In a possible implementation, the cache unit stores the DDoS status of the target resolution server.
In a possible implementation, the processing module 702 is specifically configured to, when the cache unit holds a response message for the target domain name, answer the domain name resolution request with that response message.
In a possible implementation, the processing module 702 is specifically configured to, when the cache unit holds no response message for the target domain name, send the domain name resolution request to the target resolution server, obtain the response message sent by the target resolution server, and respond to the resolution request according to the response status information included in that response message.
In a possible implementation, the processing module 702 is further configured to rate limit the domain name resolution request when the cache unit holds no response message for the target domain name.
In a possible implementation, when the cache unit holds no response message for the target domain name, the processing module 702 is specifically configured to store the response message sent by the target resolution server in the cache unit when it determines, from the response status information, that the response message is a correct response.
In a possible implementation, the processing module 702 is specifically configured to update the value of the resolution error counter for the target domain name when it determines, from the response status information, that the response message is an error response, and to determine that the target resolution server is in the DDoS state when the value of that counter is greater than or equal to a count threshold.
It should be understood that the division of units in the above apparatus is merely a division by logical function; in actual implementation the units may be wholly or partly integrated into one physical entity or physically separated. The units of the apparatus may all be implemented as software invoked by a processing element, all as hardware, or partly as software invoked by a processing element and partly as hardware. For example, each unit may be a separately provided processing element, may be integrated into a chip of the apparatus, or may be stored in memory as a program that a processing element of the apparatus invokes to perform the unit's function. These units may be integrated together in whole or in part, or implemented independently. The processing element described here may also be called a processor and may be an integrated circuit with signal processing capability. In implementation, the steps of the above method or the above units may be implemented by integrated hardware logic circuits in a processor element or as software invoked by a processing element.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combined actions; however, those skilled in the art should understand that this application is not limited by the described order of actions. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments and that the actions involved are not necessarily required by this application.
Other reasonable combinations of steps that those skilled in the art can derive from the above description also fall within the protection scope of this application. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments and that the actions involved are not necessarily required by this application.
Referring to Figure 8, which is a schematic structural diagram of a computing device according to an embodiment of this application. As shown in Figure 8, the computing device 800 comprises a processor 801, a memory 802, a communication interface 803 and a bus 804; the processor 801, the memory 802 and the communication interface 803 are coupled through the bus (not labelled in the figure). The memory 802 stores instructions; when the instructions in the memory 802 are executed, the computing device 800 performs the method performed by the cloud server in the foregoing method embodiments.
The computing device 800 may be one or more integrated circuits configured to implement the above methods, for example one or more application specific integrated circuits (ASIC), one or more digital signal processors (DSP), one or more field programmable gate arrays (FPGA), or a combination of at least two of these forms of integrated circuit. As another example, when the units of the apparatus are implemented by a processing element scheduling a program, the processing element may be a general-purpose processor such as a central processing unit (CPU) or another processor capable of invoking programs. As a further example, these units may be integrated together and implemented as a system-on-a-chip (SOC).
The processor 801 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 802 may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
The memory 802 stores executable program code, and the processor 801 executes that program code to implement the functions of the transceiver module and the processing module described above, thereby implementing the DDoS erroneous-blocking prevention method described above. That is, the memory 802 holds instructions for performing that method.
The communication interface 803 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 800 and other devices or communication networks.
In addition to a data bus, the bus 804 may include a power bus, a control bus, a status signal bus and so on. The bus may be a peripheral component interconnect express (PCIe) bus, an extended industry standard architecture (EISA) bus, a unified bus (Ubus or UB), a compute express link (CXL), a cache coherent interconnect for accelerators (CCIX), or the like. The bus may be divided into an address bus, a data bus, a control bus and so on.
Referring to Figure 9, which is a schematic diagram of a computing device cluster according to an embodiment of this application. As shown in Figure 9, the computing device cluster 900 includes at least one computing device 800. The computing device 800 may be a server, for example a central server, an edge server or a local server in a local data center. In some embodiments, the computing device 800 may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.
As shown in Figure 9, the computing device cluster 900 includes at least one computing device 800. The memory 802 of one or more computing devices 800 in the cluster 900 may hold the same instructions for performing the DDoS erroneous-blocking prevention method described above.
In some possible implementations, the memory 802 of one or more computing devices 800 in the cluster 900 may each hold part of the instructions for performing the method described above. In other words, a combination of one or more computing devices 800 may jointly execute the instructions for performing that method.
It should be noted that the memories 802 of different computing devices 800 in the cluster 900 may store different instructions, each implementing part of the functions of the apparatus described above. That is, the instructions stored in the memories 802 of different computing devices 800 may implement the functions of one or more of the transceiver module and the processing module.
In some possible implementations, one or more computing devices 800 in the cluster 900 may be connected through a network, which may be a wide area network, a local area network or the like.
Referring to Figure 10, which is a schematic diagram of computing devices in a computing device cluster connected through a network according to an embodiment of this application. As shown in Figure 10, two computing devices 800A and 800B are connected through a network, specifically via the communication interface of each computing device.
In a possible implementation, the memory of computing device 800A holds instructions for performing the functions of the transceiver module, while the memory of computing device 800B holds instructions for performing the functions of the processing module.
It should be understood that the functions of computing device 800A shown in Figure 10 may also be performed by multiple computing devices; likewise, the functions of computing device 800B may be performed by multiple computing devices.
In another embodiment of this application, a computer-readable storage medium is provided that stores computer-executable instructions; when a processor of a device executes those instructions, the device performs the method performed by the cloud server in the foregoing method embodiments.
In another embodiment of this application, a computer program product is provided that includes computer-executable instructions stored in a computer-readable storage medium; when a processor of a device executes those instructions, the device performs the method performed by the cloud server in the foregoing method embodiments.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may each exist physically alone, or two or more may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The storage medium includes media capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without those modifications or replacements taking the essence of the corresponding technical solutions outside the protection scope of the technical solutions of the embodiments of this application.

Claims (19)

  1. A method for preventing erroneous blocking in a distributed denial of service (DDoS) attack, characterized by comprising:
    receiving a target domain name configured by a user, wherein resolution of the target domain name is performed by a target resolution server;
    allocating, according to an instruction of the user, a cache unit to the target domain name, wherein the cache unit is configured to store a response message while the target resolution server is in a DDoS state, and the response message is used to respond to a domain name resolution request for the target domain name; and
    responding, based on the cache unit, to a domain name resolution request for the target domain name.
  2. The method according to claim 1, characterized in that the instruction of the user comprises specification information of the cache unit.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    the cache unit storing the DDoS state of the target resolution server.
  4. The method according to any one of claims 1 to 3, characterized in that responding, based on the cache unit, to the domain name resolution request for the target domain name comprises:
    when the cache unit stores a response message for the target domain name, responding to the domain name resolution request with that response message.
  5. The method according to any one of claims 1 to 3, characterized in that responding, based on the cache unit, to the domain name resolution request for the target domain name comprises:
    when the cache unit does not store a response message for the target domain name, sending the domain name resolution request to the target resolution server;
    obtaining the response message sent by the target resolution server; and
    responding to the domain name resolution request according to response status information included in the response message.
  6. The method according to claim 5, characterized in that the method further comprises:
    rate-limiting the domain name resolution request.
  7. The method according to claim 5 or 6, characterized in that responding to the domain name resolution request according to the response status information included in the response message comprises:
    when it is determined, according to the response status information, that the response message is a correct response, storing the response message sent by the target resolution server in the cache unit.
  8. The method according to claim 5 or 6, characterized in that responding to the domain name resolution request according to the response status information included in the response message comprises:
    when it is determined, according to the response status information, that the response message is an error response, updating the value of a resolution error counter for the target domain name; and
    when the value of the resolution error counter for the target domain name is greater than or equal to a count threshold, determining that the target resolution server is in a DDoS state.
  9. An apparatus for preventing erroneous blocking in a distributed denial of service (DDoS) attack, characterized by comprising:
    a transceiver module, configured to receive a target domain name configured by a user, wherein resolution of the target domain name is performed by a target resolution server; and
    a processing module, configured to allocate, according to an instruction of the user, a cache unit to the target domain name, wherein the cache unit is configured to store a response message while the target resolution server is in a DDoS state, and the response message is used to respond to a domain name resolution request for the target domain name;
    wherein the processing module is further configured to respond, based on the cache unit, to a domain name resolution request for the target domain name.
  10. The apparatus according to claim 9, characterized in that the instruction of the user comprises specification information of the cache unit.
  11. The apparatus according to claim 9 or 10, characterized in that the cache unit stores the DDoS state of the target resolution server.
  12. The apparatus according to any one of claims 9 to 11, characterized in that the processing module is specifically configured to:
    when the cache unit stores a response message for the target domain name, respond to the domain name resolution request with that response message.
  13. The apparatus according to any one of claims 9 to 11, characterized in that the processing module is specifically configured to:
    when the cache unit does not store a response message for the target domain name, send the domain name resolution request to the target resolution server;
    obtain the response message sent by the target resolution server; and
    respond to the domain name resolution request according to response status information included in the response message.
  14. The apparatus according to claim 13, characterized in that the processing module is further configured to:
    rate-limit the domain name resolution request.
  15. The apparatus according to claim 13 or 14, characterized in that the processing module is specifically configured to:
    when it is determined, according to the response status information, that the response message is a correct response, store the response message sent by the target resolution server in the cache unit.
  16. The apparatus according to claim 13 or 14, characterized in that the processing module is specifically configured to:
    when it is determined, according to the response status information, that the response message is an error response, update the value of a resolution error counter for the target domain name; and
    when the value of the resolution error counter for the target domain name is greater than or equal to a count threshold, determine that the target resolution server is in a DDoS state.
  17. A computing device cluster, characterized by comprising at least one computing device, each computing device comprising a processor, wherein the processor of the at least one computing device is configured to execute instructions stored in a memory of the at least one computing device, so that the computing device cluster performs the method according to any one of claims 1 to 8.
  18. A computer-readable storage medium having instructions stored thereon, characterized in that, when the instructions are executed, a computer is caused to perform the method according to any one of claims 1 to 8.
  19. A computer program product comprising instructions, characterized in that, when the instructions are executed, a computer is caused to implement the method according to any one of claims 1 to 8.
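The following Python model is an added example and is not code from the patent or from the applicant's product. It shows the control flow that claims 1 to 8 describe in prose: a per-domain cache unit allocated on user instruction, cache hits answered locally (claim 4), misses forwarded to the target resolution server under a rate limit (claims 5 and 6), correct responses stored (claim 7), error responses counted until a threshold flips the server's DDoS state, which the cache unit records (claims 3 and 8). Everything beyond the claims is an assumption made for illustration: the class and field names, the token-bucket rate limiter, treating NXDOMAIN as a correct answer, counting an upstream timeout as an error response, clearing the counter on a correct answer, and the policy that an expired cached answer is reused only while the DDoS state is set. The upstream resolver is a constructed callable so the example runs offline.

```python
# Added example, not code from the patent: a model of the cache unit, rate limiter,
# error counter and DDoS-state logic of claims 1 to 8. Names, thresholds and the
# stale-answer policy are assumptions; the upstream resolver is simulated.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# DNS response codes (RFC 1035, 4.1.1): the "response status information" of the claims.
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
CORRECT_RCODES = {NOERROR, NXDOMAIN}  # assumption: both count as a correct response (claim 7)


@dataclass
class Response:
    rcode: int
    answers: Tuple[str, ...] = ()
    ttl: int = 300  # seconds the answer may be reused from cache while the server is healthy


@dataclass
class CacheUnit:
    """Cache unit allocated to one target domain name (claim 1); `capacity` stands in
    for the specification information carried in the user's instruction (claim 2)."""
    capacity: int
    entries: Dict[str, Tuple[Response, float]] = field(default_factory=dict)
    error_count: int = 0      # resolution error counter for the target domain (claim 8)
    ddos_state: bool = False  # DDoS state of the target resolution server (claim 3)
    tokens: float = 0.0       # token bucket used for rate limiting (claim 6)
    last_refill: float = 0.0


class ErroneousBlockingGuard:
    """Answers from the cache unit instead of failing queries once the target server stops answering."""

    def __init__(self, count_threshold: int = 3, rate_per_sec: float = 50.0,
                 burst: int = 20, clock: Callable[[], float] = time.monotonic):
        self.count_threshold, self.rate_per_sec, self.burst = count_threshold, rate_per_sec, burst
        self._clock = clock
        self._units: Dict[str, CacheUnit] = {}

    def configure_domain(self, target_domain: str, capacity: int) -> CacheUnit:
        """Receive the user-configured target domain and allocate its cache unit (claim 1)."""
        unit = CacheUnit(capacity=capacity, tokens=float(self.burst), last_refill=self._clock())
        self._units[target_domain.lower().rstrip(".")] = unit
        return unit

    def unit_for(self, qname: str) -> Optional[CacheUnit]:
        """Longest-suffix match of a query name against the configured target domains."""
        name, best = qname.lower().rstrip("."), None
        for domain, unit in self._units.items():
            if (name == domain or name.endswith("." + domain)) and (best is None or len(domain) > len(best[0])):
                best = (domain, unit)
        return best[1] if best else None

    def _take_token(self, unit: CacheUnit, now: float) -> bool:
        unit.tokens = min(self.burst, unit.tokens + (now - unit.last_refill) * self.rate_per_sec)
        unit.last_refill = now
        if unit.tokens >= 1.0:
            unit.tokens -= 1.0
            return True
        return False

    def _store(self, unit: CacheUnit, qname: str, resp: Response, now: float) -> None:
        if qname not in unit.entries and len(unit.entries) >= unit.capacity:
            del unit.entries[min(unit.entries, key=lambda k: unit.entries[k][1])]  # evict oldest
        unit.entries[qname] = (resp, now)

    def resolve(self, qname: str, upstream: Callable[[str], Response]) -> Tuple[Response, str]:
        """Returns (response, source); `upstream` models the target resolution server and may raise."""
        unit = self.unit_for(qname)
        if unit is None:
            return upstream(qname), "unprotected"
        now = self._clock()
        cached = unit.entries.get(qname)
        if cached is not None:
            resp, stored_at = cached
            # Claim 4. Assumption: an expired entry is reused only while the DDoS state is set.
            if now - stored_at < resp.ttl or unit.ddos_state:
                return resp, "cache"
        if not self._take_token(unit, now):  # claim 6: cap what is forwarded to the target server
            return Response(REFUSED), "rate-limited"
        try:
            resp = upstream(qname)  # claim 5: forward the request
        except Exception:
            resp = Response(SERVFAIL)  # assumption: a timeout is treated as an error response
        if resp.rcode in CORRECT_RCODES:
            unit.error_count, unit.ddos_state = 0, False  # assumption: a good answer resets state
            self._store(unit, qname, resp, now)  # claim 7
            return resp, "upstream"
        unit.error_count += 1  # claim 8
        if unit.error_count >= self.count_threshold:
            unit.ddos_state = True
        if unit.ddos_state and cached is not None:
            return cached[0], "stale"  # the domain keeps resolving instead of being cut off
        return resp, "upstream-error"


class FakeClock:
    """Deterministic clock for the constructed scenario below."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> List[str]:
    """Constructed scenario: a healthy target server, then one that stops answering."""
    clock = FakeClock()
    guard = ErroneousBlockingGuard(count_threshold=2, rate_per_sec=100.0, burst=10, clock=clock)
    guard.configure_domain("example.com", capacity=16)
    healthy = lambda q: Response(NOERROR, ("192.0.2.10",), ttl=60)
    def attacked(q: str) -> Response:
        raise TimeoutError("target resolution server not answering")
    sources = [guard.resolve("www.example.com", healthy)[1],    # "upstream": miss, stored
               guard.resolve("www.example.com", healthy)[1]]    # "cache": fresh hit
    clock.t += 120                                              # cached entry expires
    sources += [guard.resolve("www.example.com", attacked)[1],  # "upstream-error": count 1
                guard.resolve("www.example.com", attacked)[1],  # "stale": count 2 sets DDoS state
                guard.resolve("www.example.com", attacked)[1]]  # "cache": served while in DDoS state
    return sources
```

The point the scenario makes is the one in the title: a single failed answer from the target server does not change behaviour, but once the error counter reaches the threshold the domain is served from the cache unit rather than failing, so a resolver in front of an attacked authoritative server does not make the domain disappear. Two things a production implementation would still need are not in the claims and not modelled here: a way to probe the target server again so the DDoS state is eventually cleared, and a check that the cached answers were obtained over a trustworthy path (for example DNSSEC-validated) before they are served for an extended period.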
PCT/CN2023/080099 2022-08-31 2023-03-07 Method and apparatus for preventing erroneous blocking in distributed denial of service (ddos) attack WO2024045542A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211055064.2 2022-08-31
CN202211055064.2A CN117675248A (en) 2022-08-31 2022-08-31 Method and device for preventing false killing of distributed denial of service attack DDOS

Publications (1)

Publication Number Publication Date
WO2024045542A1 true WO2024045542A1 (en) 2024-03-07

Family

ID=90071983

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/080099 WO2024045542A1 (en) 2022-08-31 2023-03-07 Method and apparatus for preventing erroneous blocking in distributed denial of service (ddos) attack

Country Status (2)

Country Link
CN (1) CN117675248A (en)
WO (1) WO2024045542A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413201A (en) * 2011-11-10 2012-04-11 上海牙木通讯技术有限公司 Processing method and equipment for domain name system (DNS) query request
CN104468244A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Domain name resolution system disaster recovery construction method and device
EP3462712A1 (en) * 2017-10-02 2019-04-03 Nokia Solutions and Networks Oy Method for mitigating dns-ddos attacks
CN110855633A (en) * 2019-10-24 2020-02-28 华为终端有限公司 Method, device and system for protecting distributed denial of service (DDOS) attack
CN111565195A (en) * 2020-05-21 2020-08-21 杭州安恒信息技术股份有限公司 Challenge black hole attack defense method of distributed system and distributed system

Also Published As

Publication number Publication date
CN117675248A (en) 2024-03-08

Similar Documents

Publication Publication Date Title
US20210344714A1 (en) Cyber threat deception method and system, and forwarding device
EP3085064B1 (en) Countering security threats with domain name system
JP7299415B2 (en) Security vulnerability protection methods and devices
US11671402B2 (en) Service resource scheduling method and apparatus
US20190245875A1 (en) Method and apparatus for defending against dns attack, and storage medium
US8661522B2 (en) Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
US9794282B1 (en) Server with queuing layer mechanism for changing treatment of client connections
US11503073B2 (en) Live state transition using deception systems
CN107666473B (en) Attack detection method and controller
US10148676B2 (en) Method and device for defending DHCP attack
US20120144483A1 (en) Method and apparatus for preventing network attack
US11451582B2 (en) Detecting malicious packets in edge network devices
CN111371920A (en) DNS front-end analysis method and system
WO2020037781A1 (en) Anti-attack method and device for server
US11271963B2 (en) Defending against domain name system based attacks
KR101200906B1 (en) High Performance System and Method for Blocking Harmful Sites Access on the basis of Network
WO2024045542A1 (en) Method and apparatus for preventing erroneous blocking in distributed denial of service (ddos) attack
US11658995B1 (en) Methods for dynamically mitigating network attacks and devices thereof
CN112532610B (en) Intrusion prevention detection method and device based on TCP segmentation
CN113014682A (en) Method, system, terminal device and storage medium for realizing network dynamics
US10182071B2 (en) Probabilistic tracking of host characteristics
US20230269236A1 (en) Automatic proxy system, automatic proxy method and non-transitory computer readable medium
WO2023060881A1 (en) Method and apparatus for identifying source address of message
KR20050011191A (en) high speed network system and operation method of the same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23858585

Country of ref document: EP

Kind code of ref document: A1