WO2024045542A1 - Apparatus and method for preventing false blocking in a distributed denial of service (DDoS) attack - Google Patents


Info

Publication number
WO2024045542A1
Application number
PCT/CN2023/080099
Authority
WO (WIPO, PCT)
Prior art keywords
domain name, target, response message, ddos, cache unit
Other languages
English (en), Chinese (zh)
Inventor
龙卫平 (Long Weiping)
Original Assignee
华为云计算技术有限公司 (Huawei Cloud Computing Technologies Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 华为云计算技术有限公司
Publication of WO2024045542A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • Embodiments of the present application relate to the field of computers, and in particular to a method and device for preventing false blocking during distributed denial of service (DDoS) attacks. "False blocking" (误杀, rendered elsewhere in this machine translation as "accidental killing" or "manslaughter") means blocking legitimate traffic together with the attack traffic.
  • The domain name system (DNS) is the location and scheduling system on which important services on the Internet rely.
  • A wildcard-domain ("pan-domain name") attack is high-volume domain name resolution traffic whose domain name prefix keeps changing under a fixed suffix. Such an attack can be a distributed denial of service (DDoS) attack.
  • Conventionally, the DNS server identifies the source IP address of the attack and blacklists that address to stop the attack.
  • However, attackers can obtain a large number of virtual machines and corresponding IP addresses, so blocking by IP address gives a DNS service running in a cloud server only a weak defence.
  • Moreover, the initiator of a DDoS attack may be a compromised host (a "zombie" or bot) hijacked by attackers, and that host may itself be running legitimate services, so the DDoS attack traffic is mixed with legitimate service traffic.
  • Blocking by IP address therefore also blocks a large amount of legitimate traffic and damages the business.
  • The embodiments of the present application provide a method for preventing false blocking during DDoS attacks, which improves the protection of legitimate traffic while an attack is under way.
  • The first aspect of the embodiments provides a method for preventing false blocking during DDoS attacks.
  • The method can be executed by a cloud server or by a component of the cloud server, such as its processor, chip or chip system; it can also be implemented by logic modules or software that realise all or part of the cloud server's functions.
  • The method of the first aspect includes the following steps. The cloud server receives a target domain name configured by the user; resolution of the target domain name is performed by a target resolution server. The cloud server then receives a domain name resolution request sent by a client, requesting the IP address corresponding to the target domain name.
  • The cloud server allocates a cache unit for the target domain name according to the user's instruction.
  • The cache unit includes a domain name system secure cache (DSC).
  • The cache unit stores a response message for use when the target resolution server is in a DDoS state. The response message answers a domain name resolution request for the target domain name and contains the IP address corresponding to the target domain name.
  • The cloud server responds to domain name resolution requests for the target domain name on the basis of the cache unit.
  • Responding means reading the IP address corresponding to the target domain name from the cache unit and sending a response message to the client.
  • In this way the cloud server can, on the user's instruction, cache the results produced by the target resolution server. Once the IP address has been obtained, the cloud server serves it from the cache unit while the target resolution server is in the DDoS state, which speeds up responses during the attack and reduces false blocking.
  • The user's instruction includes specification information for the cache unit.
  • The cloud server receives an order request sent by the client; the order request is used to obtain the cache unit.
  • The specification information in the order request includes one or more of the following: the domain name suffix(es) to be protected against false blocking, the number of domain names the DSC caches, the cache refresh time of the DSC, the VPC bound to the DSC, and the purchase duration of the false-blocking prevention service.
  • The cloud server configures the DSC according to the user's order request, which provides the DDoS false-blocking prevention service and makes it easier for the user to obtain it.
  • The user can choose among multiple DSC specifications, which increases the available cache unit configurations.
  • The cache unit also stores the DDoS status of the target resolution server. After the cloud server receives a domain name resolution request from the client, it queries the security status held in the DSC. The security status is either the DDoS state or the non-DDoS state. The cloud server reads the security status of the target resolution server from the cache unit and, depending on that status, forwards (passes through) the domain name resolution request.
  • Reading the security status of the target resolution server from the DSC and responding to the request according to it reduces false blocking.
  • The response message is used to answer the domain name resolution request.
  • When the IP address corresponding to the target domain name is stored in the cache unit, the cache unit generates a response message from that IP address and sends it to the client.
  • The secure cache can thus hold the IP address corresponding to the target domain name, so that when the cloud server receives a resolution request for that domain name it generates the response directly from the cached IP address, improving the efficiency of domain name resolution.
  • When the cloud server responds on the basis of the cache unit and there is no response message for the target domain name in the cache unit, the cloud server sends the domain name resolution request to the target resolution server, obtains the response message sent back by the target resolution server, and responds to the domain name resolution request according to the response status information contained in that message.
  • Forwarding an uncached request to the target resolution server, rather than blocking the source IP address outright, reduces false blocking.
  • The forwarded domain name resolution request is rate-limited. Specifically, the cloud server adds the request for the target domain name to a rate-limit queue and sends queued requests to the target resolution server at a fixed rate.
  • Rate-limiting the requests prevents the target resolution server from being overwhelmed while in the DDoS state, which further reduces false blocking.
  • When the cloud server determines from the response status information that the response message is a correct response, it stores the response message sent by the target resolution server in the cache unit.
  • In that case the response status information includes the IP address corresponding to the target domain name.
  • The cloud server thus caches the IP address of every target domain name that was resolved correctly.
  • When the cloud server receives another domain name resolution request for the same target domain name, it answers directly from the IP address stored in the cache unit, improving the cloud server's response speed.
  • When the cloud server determines from the response status information that the response message is an error response, it increments the resolution error counter for the domain name suffix of the target domain name. When the value of that counter reaches the count threshold, the target resolution server is determined to be in the DDoS state, and the DDoS state is written to the cache unit.
  • In that case the response status information includes error parameters, that is, parameters indicating that domain name resolution failed.
  • Counting resolution failures per domain name suffix lets the cloud server decide from the number of failures under the same suffix whether the target resolution server is in the DDoS state. This is what makes a wildcard-domain attack recognisable: many different prefixes under one suffix that all fail to resolve.
  • The DSC includes a domain name system secure cache ingress component (DSC-ingress), a domain name system secure cache egress component (DSC-egress), and a domain name system secure cache map component (DSC-map).
  • The cloud server receives the domain name resolution request sent by the client through the DSC-ingress component.
  • The DSC-egress component obtains the domain name resolution record corresponding to the domain name resolution request.
  • The domain name resolution record includes the IP address obtained from the target resolution server.
  • The DSC-map component caches domain name resolution records and the security status of the target resolution server.
  • The cache unit of the cloud server thus consists of several DSC components that together implement the functions of the cache unit.
  • When the target resolution server is in the non-DDoS state, the DSC-egress component stores the domain name resolution record in the DSC-map component.
  • The DSC-map component imports domain name resolution records into the DSC-ingress component.
  • When the cloud server determines that the target resolution server is in the DDoS state, it imports the domain name resolution records cached in the DSC-map component into the DSC-ingress component, so that the DSC-ingress component can answer resolution requests directly and faster.
  • The second aspect of the embodiments provides a device for preventing false blocking during DDoS attacks.
  • The device includes a transceiver module and a processing module.
  • The transceiver module receives the target domain name configured by the user; resolution of the target domain name is performed by the target resolution server.
  • The processing module allocates a cache unit to the target domain name according to the user's instruction.
  • The cache unit stores a response message for use when the target resolution server is in the DDoS state; the response message answers domain name resolution requests for the target domain name.
  • The processing module also responds to domain name resolution requests for the target domain name on the basis of the cache unit.
  • The user's instruction includes specification information for the cache unit.
  • The cache unit stores the DDoS status of the target resolution server.
  • When the cache unit stores a response message for the target domain name, the processing module uses that response message to answer the domain name resolution request.
  • When the cache unit does not store a response message for the target domain name, the processing module sends the domain name resolution request to the target resolution server, obtains the response message sent back by it, and responds to the domain name resolution request according to the response status information contained in that message.
  • When the cache unit does not store a response message for the target domain name, the processing module also rate-limits the domain name resolution request.
  • When the cache unit does not store a response message for the target domain name and the processing module determines from the response status information that the response message is a correct response, it stores the response message sent by the target resolution server in the cache unit.
  • When the processing module determines from the response status information that the response message is an error response, it increments the resolution error counter for the target domain name.
  • When the value of the resolution error counter for the target domain name reaches the count threshold, the target resolution server is determined to be in the DDoS state.
  • The third aspect of the embodiments provides a computing device cluster including at least one computing device. Each computing device includes a processor, and the processor of the at least one computing device executes instructions stored in the memory of that computing device so that the cluster performs the method of the first aspect or any of its possible implementations.
  • The fourth aspect of the embodiments provides a computer-readable storage medium on which instructions are stored.
  • When a computer executes those instructions, it performs the method of the first aspect or any of its possible implementations.
  • The fifth aspect of the embodiments provides a computer program product.
  • The computer program product includes instructions which, when executed, cause the computer to perform the method of the first aspect or any of its possible implementations.
  • Figure 1a is a schematic system architecture diagram of a DDoS false-blocking prevention system provided by an embodiment of the present application.
  • Figure 1b is a schematic system architecture diagram of another DDoS false-blocking prevention system provided by an embodiment of the present application.
  • Figure 2 is a schematic flow chart of a DDoS false-blocking prevention method provided by an embodiment of the present application.
  • Figure 3 is a schematic flow chart of another DDoS false-blocking prevention method provided by an embodiment of the present application.
  • Figure 4 is a schematic flow chart of another DDoS false-blocking prevention method provided by an embodiment of the present application.
  • Figure 5 is a schematic flow chart of another DDoS false-blocking prevention method provided by an embodiment of the present application.
  • Figure 6 is a schematic flow chart of another DDoS false-blocking prevention method provided by an embodiment of the present application.
  • Figure 7 is a schematic structural diagram of a DDoS false-blocking prevention device provided by an embodiment of the present application.
  • Figure 8 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • Figure 9 is a schematic structural diagram of a computing device cluster provided by an embodiment of the present application.
  • Figure 10 is a schematic structural diagram of another computing device cluster provided by an embodiment of the present application.
  • Embodiments of the present application provide a method and device for preventing false blocking during distributed denial of service (DDoS) attacks, used to improve the protection of legitimate traffic during such attacks.
  • DNS: domain name system. DNS is the domain name resolution service of the Internet, a distributed database that maps domain names to IP addresses and back, so that a client can obtain the IP address corresponding to a domain name.
  • Wildcard-domain (pan-domain name) attack: a high-volume stream of domain name resolution requests whose prefixes change randomly under a fixed suffix.
  • DDoS: distributed denial of service. A DDoS attack is one in which multiple attackers in different locations attack one or several targets at the same time, or in which one attacker controls multiple machines in different locations and uses them to attack the victim simultaneously.
  • eBPF: extended Berkeley Packet Filter, a general-purpose in-kernel execution engine that runs sandboxed programs efficiently and safely in response to system or program events.
  • DSC: domain name system secure cache.
  • A full-featured DNS server is one that provides both local DNS resolution (answering from its own records) and recursive DNS resolution.
  • Figure 1a is a schematic system architecture diagram of a DDoS false-blocking prevention system provided by an embodiment of the present application.
  • The DDoS false-blocking prevention system 100 includes a cloud server 101 and a client 102.
  • A domain name system secure cache (DSC) module 1011 and a target resolution server 1012 are deployed on the cloud server 101.
  • The DSC module 1011 and the target resolution server 1012 may also be deployed on different servers.
  • The target resolution server 1012 in the cloud server 101 provides the domain name resolution service: it obtains the IP address corresponding to the target domain name carried in a domain name resolution request.
  • The domain name resolution service includes a local domain name resolution service and a recursive domain name resolution service.
  • The local domain name resolution service is the scenario in which the target resolution server 1012 answers the request from its own records.
  • The recursive domain name resolution service is the scenario in which the target resolution server 1012 obtains the answer through other resolution servers, that is, performs recursive domain name resolution.
  • The DSC module 1011 in the cloud server 101 provides the target resolution server 1012 with services such as identifying DDoS attacks, caching domain name data, and responding to domain name resolution requests.
  • The DSC module 1011 uses the eBPF architecture so that domain name resolution requests in a DDoS scenario are processed in the kernel data path, without the round trip through the full protocol stack to user space. It can therefore respond quickly to legitimate resolution requests in the early stage of a DDoS attack, rate-limit suspicious resolution requests, and keep collecting legitimate responses so that false blocking is gradually reduced.
  • The DSC module 1011 includes a domain name system secure cache ingress component (DSC-ingress) 1011a, a domain name system secure cache egress component (DSC-egress) 1011b, a domain name system secure cache map component (DSC-map) 1011c, and a domain name system secure cache control component (DSC-control).
  • The DSC-map component 1011c may be a database external to the DSC module 1011.
  • The DSC-ingress component 1011a handles the receiving of domain name resolution requests. When the requested domain name hits the cache, the request is answered from the cache; when it misses, the request is passed through to the target resolution server 1012 under a rate limit, and packets that overflow the pass-through buffer are dropped.
  • The DSC-egress component 1011b handles the responses to domain name resolution requests. This includes counting the number of resolution failures per domain name suffix to identify the attack state, and caching the obtained domain name resolution records in the DSC-map component 1011c.
  • A domain name resolution record includes the IP address corresponding to the domain name resolution request.
  • The DSC-map component 1011c stores the security status of the target resolution server 1012 and caches domain name resolution records.
  • The security status of the target resolution server 1012 indicates whether the target resolution server 1012 is in the DDoS state or the non-DDoS state.
  • The DSC-control component controls the DSC-egress component 1011b so that it caches the obtained domain name resolution records in the DSC-map component 1011c.
  • The client 102 sends domain name resolution requests to the cloud server 101.
  • The client 102 may be an independent user device or a virtual machine in a cloud server; this is not specifically limited.
  • Figure 1b is a schematic structural diagram of another DDoS false-blocking prevention system according to an embodiment of the present application.
  • Here the DSC module 1011 and the target resolution server 103 are deployed on different servers.
  • The DSC module 1011 is deployed on the cloud server 101, and the target resolution server 103 runs on a server other than the cloud server 101.
  • The DDoS false-blocking prevention service provided by the cloud server 101 and the domain name resolution service provided by the target resolution server 103 may be cloud services provided by different vendors.
  • Figure 2 is a schematic flow chart of a DDoS false-blocking prevention method provided by an embodiment of the present application.
  • The steps shown include, but are not limited to, the following.
  • The cloud server receives an order request for the DDoS false-blocking prevention service sent by the client.
  • That is, the cloud server receives the user's instruction: the order request sent by the client, which is used to obtain the DDoS false-blocking prevention service.
  • The order request includes one or more of the following cache unit specifications: the domain name suffix(es) to be protected against false blocking, the number of domain names the DSC caches (that is, the storage capacity of the DSC), the cache refresh time of the DSC, the VPC bound to the DSC, and the purchase duration of the false-blocking prevention service.
  • The cloud server allocates the cache unit according to the order request.
  • That is, the cloud server allocates the target domain name and the cache unit according to the user's instruction; specifically, it allocates a DSC based on the specification information in the order request sent by the user.
  • The DSC stores the response message for use when the target resolution server is in the DDoS state, that is, the domain name resolution record corresponding to the target domain name.
  • The domain name resolution record includes the target domain name.
  • The cloud server allocates a DSC according to the user's instruction, and the DSC performs DDoS false-blocking prevention for resolution requests for the specified domain name or domain name suffix.
  • Figure 3 is a schematic flow chart of ordering the DDoS false-blocking prevention service, provided by an embodiment of the present application.
  • The client requests to subscribe to the DDoS false-blocking prevention service from the cloud server.
  • The user can specify the domain name suffix(es) to protect, the client virtual machines to be bound to the DSC, and the period for which the DSC service is required.
  • The cloud service then performs false-blocking prevention only for domain name resolution requests with the specified domain name suffix.
  • When the user does not specify a domain name suffix to protect, the user must instead set the number of domain names and IP addresses cached in the DSC and the automatic refresh time of the DSC cache.
  • The DSC-egress component regularly refreshes the cached data in the DSC-map component according to the automatic refresh time.
  • When refreshing, the DSC-egress component cleans up cached data according to a least-recently-used (LRU) algorithm.
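The two cache knobs exposed by the ordering step (number of cached domain names, automatic refresh time) and the LRU cleanup are modelled below as an added Python example; it is not code from the patent. It assumes the refresh time acts as an expiry after which a record must be re-resolved, that records are keyed by domain name, and that the DDoS flag lives alongside the records in DSC-map. The `DscMap` and `FakeClock` names and the capacity and refresh values are illustrative.

```python
import time
from collections import OrderedDict


class FakeClock:
    """Controllable clock so the refresh behaviour can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class DscMap:
    """Bounded store of domain name resolution records plus the DDoS flag.
    capacity = 'number of domain names cached'; refresh_seconds = 'automatic refresh time',
    modelled here as an expiry after which a record is dropped and must be re-resolved (assumption)."""

    def __init__(self, capacity, refresh_seconds, clock=time.monotonic):
        self.capacity = capacity
        self.refresh_seconds = refresh_seconds
        self.clock = clock
        self.ddos_state = False          # security status of the target resolution server
        self._records = OrderedDict()    # name -> (ips, stored_at); order = recency of use

    def put(self, name, ips):
        """Store a correct response; evict the least recently used entry while over capacity."""
        if name in self._records:
            self._records.move_to_end(name)
        self._records[name] = (tuple(ips), self.clock())
        while len(self._records) > self.capacity:
            self._records.popitem(last=False)

    def get(self, name):
        """Return cached IPs, or None on a miss or on a stale entry (which is dropped)."""
        entry = self._records.get(name)
        if entry is None:
            return None
        ips, stored_at = entry
        if self.clock() - stored_at >= self.refresh_seconds:
            del self._records[name]
            return None
        self._records.move_to_end(name)  # a hit makes the entry most recently used
        return ips

    def refresh(self):
        """Periodic cleanup as run by DSC-egress: drop every record older than the refresh time."""
        now = self.clock()
        stale = [n for n, (_, t) in self._records.items() if now - t >= self.refresh_seconds]
        for n in stale:
            del self._records[n]
        return len(stale)

    def __len__(self):
        return len(self._records)


if __name__ == "__main__":
    clock = FakeClock()
    dsc_map = DscMap(capacity=2, refresh_seconds=300, clock=clock)
    dsc_map.put("www.example.com", ["192.0.2.10"])      # constructed zone data, not real
    dsc_map.put("api.example.com", ["192.0.2.11"])
    dsc_map.get("www.example.com")                      # touch: www is now most recently used
    dsc_map.put("mail.example.com", ["192.0.2.12"])     # evicts api (least recently used)
    print(dsc_map.get("api.example.com"), dsc_map.get("www.example.com"))
    clock.now = 301
    print(dsc_map.refresh(), len(dsc_map))
```

A refresh time shorter than an attack wave means records expire mid-attack and the next request for that name falls back to the rate-limited pass-through queue, so the refresh time should exceed the expected attack duration. Note that this store keeps a record for the full refresh time regardless of the TTL the target resolution server returned; the patent does not mention TTLs, and a deployment should cap the cache lifetime by the record's TTL.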
  • The cloud server receives the domain name resolution request sent by the client.
  • The domain name resolution request includes the target domain name.
  • The domain name resolution request is used to request the IP address corresponding to the target domain name.
  • The cloud server queries the security status of the target resolution server held in the DSC.
  • The security status is either the DDoS state or the non-DDoS state.
  • When the DSC-ingress component of the cloud server receives the domain name resolution request from the client, it obtains the security status of the target resolution server from the DSC-map component, which stores that status.
  • Figure 4 is a schematic diagram of the processing flow in which the cloud service receives a domain name resolution request, provided by an embodiment of the present application.
  • The DSC-ingress component processes the domain name resolution request first. For example, in steps 1 to 5 the DSC-ingress component reads the security status from the DSC-map component.
  • The DSC-ingress component then sends the domain name resolution request to the target resolution server.
  • The target resolution server handles the domain name resolution request.
  • The cloud server responds to the domain name resolution request on the basis of the cache unit.
  • When the cache unit stores a response message for the target domain name, the cloud server uses that response message to answer the domain name resolution request.
  • Otherwise the cloud server sends the domain name resolution request to the target resolution server, obtains the response message sent back by it, and responds to the domain name resolution request according to the response status information contained in that message.
  • The response status information includes either the IP address corresponding to the target domain name or error parameters.
  • A correct response means that the target resolution server resolved the domain name successfully.
  • An error response means that the target resolution server failed to resolve the domain name.
  • The DSC-ingress component passes the domain name resolution request through to the target resolution server, which, based on the request, either obtains the IP address corresponding to the target domain name or returns the resolution error parameters for the target domain name.
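To make "correct response" versus "error response" concrete for both the counter step in the first aspect and the flow here, the following added Python example (not the patent's code) classifies a DNS response on the wire: it reads the RCODE from the header, walks the question and answer sections with compression-pointer handling, and extracts any A records. Treating a NOERROR reply without an A record as an error is an assumption here (the patent only says a correct response carries the IP address); the hop limit on compression pointers and the `build_response` helper, which constructs sample messages rather than captured traffic, are also additions.

```python
import ipaddress
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def _encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just after it in the stream)."""
    labels, next_off, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:                        # a pointer loop would otherwise hang the parser
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if next_off is None:
                next_off = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_off if next_off is not None else offset)


def classify_response(msg: bytes) -> dict:
    """Response status information as DSC-egress would read it. 'correct' requires QR=1,
    RCODE=0 and at least one A record (assumption); anything else is an 'error',
    including NXDOMAIN from a random-prefix query, SERVFAIL, and malformed packets."""
    try:
        if len(msg) < 12:
            raise ValueError("short header")
        _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        is_response, rcode = bool(flags & 0x8000), flags & 0x000F
        offset, qname, ips = 12, "", []
        for _ in range(qdcount):
            qname, offset = _read_name(msg, offset)
            offset += 4                                  # QTYPE + QCLASS
        for _ in range(ancount):
            _, offset = _read_name(msg, offset)
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlength]
            if len(rdata) != rdlength:
                raise ValueError("truncated rdata")
            offset += rdlength
            if rtype == 1 and rdlength == 4:             # A record
                ips.append(str(ipaddress.IPv4Address(rdata)))
    except (IndexError, struct.error, UnicodeDecodeError, ValueError):
        return {"status": "error", "rcode": "MALFORMED", "qname": "", "ips": []}
    status = "correct" if (is_response and rcode == 0 and ips) else "error"
    return {"status": status, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "qname": qname, "ips": ips}


def build_response(qname: str, rcode: int, ips=(), txid=0x1234) -> bytes:
    """Construct a minimal response (QR=1, RD=1, RA=1) for offline use; constructed, not captured."""
    ips = list(ips)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        # owner name = pointer to the question name at offset 12; TTL 60; RDLENGTH 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


if __name__ == "__main__":
    print(classify_response(build_response("www.example.com", 0, ["192.0.2.10"])))
    print(classify_response(build_response("a8f3c1.example.com", 3)))   # random-prefix query
```

A wildcard-domain attack shows up as a flood of NXDOMAIN (RCODE 3) answers for distinct prefixes under one suffix, which is exactly what the per-suffix error counter accumulates; SERVFAIL answers appear once the target resolution server itself is saturated. Whether a NOERROR/NODATA answer (for example, an A query for a name that has only AAAA records) should count as a failure is a policy choice a deployment has to make, since counting it raises the false-positive rate of the DDoS determination.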
  • the cloud server determines that the target resolution server is in the DDOS state based on the DSC-map component, the cloud server continues to query the DSC to see whether the IP address corresponding to the target domain name in the domain name resolution request is cached.
  • the DSC is used to store the resolved domain name and the corresponding IP address.
  • the DSC adds the domain name resolution request to the rate limit queue and waits to send the domain name resolution request to the target resolution server.
  • the target resolution server when it resolves the IP address corresponding to the target domain name, it can obtain the IP address corresponding to the target domain name based on the local domain name resolution service module, or it can also obtain the IP address based on the external DNS service module by making a recursive request or an iterative request.
  • the IP address corresponding to the target domain name is not specifically limited.
  • the DSC-ingress component reads the cached IP address in the DSC-map component.
  • the DSC-ingress component adds the domain name resolution request to the rate limit queue.
  • the DSC-ingress component periodically sends the domain name resolution requests in the rate limit queue to the target resolution server, so that, in the DDOS state, domain name resolution requests without a cache record are processed at a limited rate.
  • the cloud server sends the domain name resolution result corresponding to the target domain name to the client.
  • after the cloud server obtains the domain name resolution result corresponding to the target domain name, it sends the domain name resolution result corresponding to the target domain name to the client.
  • the domain name resolution result includes the IP address corresponding to the target domain name or the resolution error parameter. For example, when the cloud server determines that the IP address corresponding to the target domain name exists in the domain name system security cache DSC, the cloud server reads the IP address corresponding to the target domain name cached in the DSC and sends it to the client.
  • when the cloud server determines that the IP address corresponding to the target domain name does not exist in the domain name system security cache DSC, it waits until it obtains the IP address corresponding to the target domain name from the target resolution server, and then sends that IP address to the client.
  • when the cloud server determines that the response message is an error response based on the response status information, it updates the value in the resolution error counter for the target domain name.
  • when the value in the resolution error counter for the target domain name is greater than or equal to the counting threshold, it is determined that the target resolution server is in the DDOS state; that is, the cloud server determines the security status of the target resolution server based on the domain name resolution result of the domain name resolution request.
  • the cloud server determines the security status as DDOS and caches the security status of the target resolution server in the DSC-map component.
  • Figure 5 is a schematic flow chart of a cloud server responding to a domain name resolution request provided by an embodiment of the present application.
  • the target resolution server responds to the domain name resolution request and sends the response result of the domain name resolution request to the DSC-egress component.
  • the DSC-egress component reads the security status stored in the DSC-map component. If the target resolution server is in a non-DDOS state and the IP address requested by the domain name resolution request is resolved successfully, the DSC-egress component sends the resolved IP address to the client.
  • the cloud server further determines whether the domain name resolution request is resolved successfully. If the IP address requested by the domain name resolution request fails to resolve, the cloud server adds 1 to the domain name suffix resolution failure counter that counts resolution failures for the domain name suffix corresponding to the request. When the number of failed resolutions for multiple domain name resolution requests corresponding to the same domain name suffix exceeds the preset threshold, the cloud server writes the DDOS status to the DSC-map component and notifies the DSC-control component to write the correct IP address corresponding to the domain name resolution request into the DSC-map component; this correct IP address is also called authoritative data in this application.
  • when the cloud server determines that the response message is a correct response based on the response status information, it stores the response message sent by the target resolution server in the cache unit. That is, the cloud server can store the obtained domain name resolution record in the DSC. Specifically, after the DSC-egress component of the cloud server obtains the correctly resolved domain name data record, it stores the domain name resolution record in the DSC-map component.
  • the caching unit caches the response message when the target resolution server is in the DDOS state. That is, the cloud server can obtain the IP address corresponding to the target domain name and store it in the DSC when the target resolution server is in the DDOS state.
  • the cloud server enables caching of response messages when the target resolution server is in a DDOS state, thereby saving the cache space of the DSC.
  • the DSC-egress component reads the security status stored in the DSC-map component. If the target resolution server is in the DDOS state and the IP address requested by the domain name resolution request is resolved successfully, the DSC-egress component checks whether the IP address is cached in the DSC-map component. If the IP address is not cached in the DSC-map component, the DSC-egress component writes the IP address corresponding to the domain name resolution request into the DSC-map component.
  • the cloud server controls the DSC-map component to import the cached domain name data records into the DSC-ingress component.
  • the cloud server can respond to the domain name resolution request from the client based on the domain name data records imported into the DSC-ingress component.
  • the domain name data records include local domain name data records and recursive domain name data records.
  • FIG. 6 is a schematic diagram of the deployment architecture of a DSC in different scenarios provided by an embodiment of the present application.
  • the DSC and the target resolution server can be deployed on different nodes, and the DSC-map component can be a database external to the DSC.
  • the DSC-ingress component receives the domain name resolution request and sends it to the target resolution server.
  • the target resolution server returns the result corresponding to the domain name resolution request to the DSC-egress component.
  • the DSC-egress component collects all domain name data records and stores them in the DSC-map component.
  • the server controls the DSC-map component to import cached domain name data records into the DSC-ingress component.
  • after receiving the domain name resolution request, the DSC-ingress component directly queries the domain name data records imported from the DSC-map component for the IP address corresponding to the request, so the DSC-map component does not need to be queried again, which improves the cloud server's response speed to domain name resolution requests.
  • when the target resolution server is in the DDOS state, the cloud server can obtain the IP address corresponding to the target domain name from the cache unit, thereby improving the response speed of the domain name resolution request in the DDOS state and further improving the DDOS anti-accidental killing effect.
  • FIG. 7 is a schematic structural diagram of a DDOS anti-accidental killing device provided by an embodiment of the present application. This device is used to implement various steps performed by the cloud server in the above embodiments.
  • the DDOS anti-accidental killing device 700 includes a transceiver module 701 and a processing module 702.
  • the transceiver module 701 is used to receive the target domain name configured by the user, and the resolution operation of the target domain name is performed by the target resolution server.
  • the processing module 702 is used to allocate a cache unit to the target domain name according to the user's instructions.
  • the cache unit is used to store the response message when the target resolution server is in the DDOS state, wherein the response message is used to respond to the domain name resolution request for the target domain name.
  • the processing module 702 is also configured to respond to the domain name resolution request for the target domain name based on the cache unit.
  • the user's instruction includes specification information of the cache unit.
  • the cache unit stores the DDOS status of the target resolution server.
  • the processing module 702 is specifically configured to use the response message to respond to the domain name resolution request when the cache unit stores a response message for the target domain name.
  • the processing module 702 is specifically configured to, when the cache unit does not store a response message for the target domain name, send the domain name resolution request to the target resolution server, obtain the response message sent by the target resolution server, and respond to the domain name resolution request according to the response status information included in the response message.
  • the processing module 702 is also configured to limit the rate of the domain name resolution request when there is no response message for the target domain name in the cache unit.
  • when there is no response message for the target domain name in the cache unit, the processing module 702 is specifically configured to determine based on the response status information that the response message is a correct response, and then store the response message sent by the target resolution server in the cache unit.
  • the processing module 702 is specifically configured to update the value in the parsing error counter for the target domain name when it is determined that the response message is an error response based on the response status information.
  • when the value in the resolution error counter for the target domain name is greater than or equal to the count threshold, it is determined that the target resolution server is in a DDOS state.
  • each unit in the device can be implemented in the form of software calling through processing components; they can also all be implemented in the form of hardware; some units can also be implemented in the form of software calling through processing components, and some units can be implemented in the form of hardware.
  • each unit can be a separate processing element, or it can be integrated and implemented in a certain chip of the device.
  • it can also be stored in the memory in the form of a program, and a certain processing element of the device can call and execute the function of the unit.
  • all or part of these units can be integrated together, or they can be implemented independently.
  • the processing element described here can also be a processor, which can be an integrated circuit with signal processing capabilities.
  • each step of the above method or each unit above can be implemented by an integrated logic circuit of hardware in the processor element or implemented in the form of software calling through the processing element.
  • FIG. 8 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • the computing device 800 includes: a processor 801, a memory 802, a communication interface 803 and a bus 804.
  • the processor 801, the memory 802 and the communication interface 803 are coupled through a bus (not labeled in the figure).
  • the memory 802 stores instructions.
  • the computing device 800 executes the method executed by the cloud server in the above method embodiment.
  • the computing device 800 may be one or more integrated circuits configured to implement the above methods, such as one or more application specific integrated circuits (ASICs), one or more digital signal processors (DSPs), one or more field programmable gate arrays (FPGAs), or a combination of at least two of these integrated circuit forms.
  • ASICs application specific integrated circuits
  • DSP digital signal processors
  • FPGA field programmable gate arrays
  • the units in the device can be implemented in the form of a processing element scheduling a program.
  • the processing element can be a general processor, such as a central processing unit (Central Processing Unit, CPU) or other processors that can call programs.
  • CPU central processing unit
  • these units can be integrated together and implemented in the form of a system-on-a-chip (SOC).
  • SOC system-on-a-chip
  • the processor 801 can be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), or a field programmable gate array (FPGA).
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA Field programmable gate array
  • a general-purpose processor can be a microprocessor or any conventional processor.
  • Memory 802 may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (erasable PROM, EPROM), or electrically erasable programmable read-only memory (electrically EPROM, EEPROM).
  • ROM read-only memory
  • PROM programmable ROM
  • EPROM erasable programmable read-only memory
  • EEPROM electrically erasable programmable read-only memory
  • Volatile memory may be random access memory (RAM), which is used as an external cache.
  • SRAM static random access memory
  • DRAM dynamic random access memory
  • SDRAM synchronous dynamic random access memory
  • DDR SDRAM double data rate synchronous dynamic random access memory
  • ESDRAM enhanced synchronous dynamic random access memory
  • SLDRAM synchlink dynamic random access memory
  • DR RAM direct rambus random access memory
  • the memory 802 stores executable program code, and the processor 801 executes the executable program code to respectively realize the functions of the aforementioned transceiver module, adaptive module and transcoding module, thereby realizing the above-mentioned live transcoding method. That is, the memory 802 stores instructions for executing the above-mentioned live transcoding method.
  • the communication interface 803 uses transceiver modules such as, but not limited to, network interface cards and transceivers to implement communication between the computing device 800 and other devices or communication networks.
  • the bus 804 may also include a power bus, a control bus, a status signal bus, etc.
  • the bus can be a peripheral component interconnect express (PCIe) bus, an extended industry standard architecture (EISA) bus, a unified bus (Ubus or UB), a compute express link (CXL), a cache coherent interconnect for accelerators (CCIX), etc.
  • PCIe peripheral component interconnect express
  • EISA extended industry standard architecture
  • CXL compute express link
  • CCIX cache coherent interconnect for accelerators
  • the bus can be divided into address bus, data bus, control bus, etc.
  • FIG. 9 is a schematic diagram of a computing device cluster provided by an embodiment of the present application.
  • the computing device cluster 900 includes at least one computing device 800 .
  • the computing device 800 may be a server, such as a central server, an edge server, or a local server in a local data center.
  • the computing device 800 may also be a terminal device such as a desktop computer, a laptop computer, or a smartphone.
  • the memory 802 in one or more computing devices 800 in the computing device cluster 900 may store the same instructions for performing the above live transcoding method.
  • the memory 802 of one or more computing devices 800 in the computing device cluster 900 may also store part of the instructions for executing the above live transcoding method.
  • a combination of one or more computing devices 800 may jointly execute instructions for performing the above-described live transcoding method.
  • the memories 802 in different computing devices 800 in the computing device cluster 900 can store different instructions, which are respectively used to execute some functions of the above-mentioned live transcoding device. That is, the instructions stored in the memory 802 in different computing devices 800 can implement the functions of one or more modules in the transceiver module and the processing module.
  • one or more computing devices 800 in the computing device cluster 900 may be connected through a network.
  • the network may be a wide area network or a local area network, etc.
  • FIG. 10 is a schematic diagram of computer devices in a computer cluster being connected through a network according to an embodiment of the present application.
  • two computing devices 800A and 800B are connected through a network.
  • the connection to the network is made through a communication interface in each computing device.
  • the memory in the computing device 800A stores instructions for performing the functions of the transceiver module.
  • instructions for performing the functions of the processing module are stored in memory in computing device 800B.
  • the functions of computing device 800A shown in FIG. 10 may also be performed by multiple computing devices.
  • the functions of computing device 800B may also be performed by multiple computing devices.
  • a computer-readable storage medium is also provided.
  • Computer-executable instructions are stored in the computer-readable storage medium.
  • when the processor of the device executes the computer-executable instructions, the device executes the above method embodiment.
  • a computer program product in another embodiment of the present application, includes a computer program.
  • the computer-executable instructions are stored in a computer-readable storage medium.
  • when the processor of the device executes the computer-executable instructions, the device executes the method executed by the cloud server in the above method embodiment.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in various embodiments of this application.
  • the aforementioned storage media include: USB flash disk, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
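The following Python simulation is an added illustration of the method described in the DSC paragraphs above (cache unit with DDOS status in the DSC-map, resolution error counter with a count threshold, rate limit queue, caching of correct responses only in the DDOS state, authoritative data written by DSC-control) and restated for processing module 702; it is not code from the patent or from the applicant. All class and function names, the scripted resolver, the use of the last two labels as the suffix key for the error counter, and the sample domain names and addresses are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass
class Response:
    """Response message: an IP address on a correct response, an error parameter otherwise."""
    domain: str
    ip: Optional[str] = None
    error: Optional[str] = None

    @property
    def is_correct(self) -> bool:
        return self.error is None


class DscMap:
    """DSC-map (cache unit): cached records plus the resolver's security status."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity            # specification information chosen by the user
        self.records: Dict[str, str] = {}
        self.ddos_state = False

    def get(self, domain: str) -> Optional[str]:
        return self.records.get(domain)

    def put(self, domain: str, ip: str) -> bool:
        """Write a record; refuse new entries once the allocated cache unit is full."""
        if domain not in self.records and len(self.records) >= self.capacity:
            return False
        self.records[domain] = ip
        return True


class Dsc:
    """Ingress, egress and control logic in front of a target resolution server (assumed design)."""

    def __init__(self, resolver: Callable[[str], Response], authoritative: Dict[str, str],
                 capacity: int = 16, count_threshold: int = 3, rate_limit: int = 2) -> None:
        self.resolver = resolver                 # stand-in for the target resolution server
        self.authoritative = authoritative       # correct addresses supplied for configured domains
        self.map = DscMap(capacity)
        self.count_threshold = count_threshold   # counting threshold of the error counter
        self.rate_limit = rate_limit             # requests forwarded per flush in the DDOS state
        self.error_counter: Dict[str, int] = {}  # resolution error counter, keyed by domain suffix
        self.rate_limit_queue: Deque[str] = deque()

    @staticmethod
    def suffix(domain: str) -> str:
        """Assumed suffix key: the last two labels of the domain name."""
        return ".".join(domain.rstrip(".").split(".")[-2:])

    def ingress(self, domain: str) -> Optional[Response]:
        """DSC-ingress: in the DDOS state answer from the cache unit or queue the request;
        outside the DDOS state forward it straight away."""
        if self.map.ddos_state:
            cached = self.map.get(domain)
            if cached is not None:
                return Response(domain, ip=cached)
            self.rate_limit_queue.append(domain)
            return None                          # answered later by flush_queue()
        return self.egress(self.resolver(domain))

    def flush_queue(self) -> List[Response]:
        """Periodic send of at most rate_limit queued requests to the resolver."""
        sent: List[Response] = []
        for _ in range(min(self.rate_limit, len(self.rate_limit_queue))):
            sent.append(self.egress(self.resolver(self.rate_limit_queue.popleft())))
        return sent

    def egress(self, resp: Response) -> Response:
        """DSC-egress: cache correct responses only in the DDOS state; count errors per
        suffix and enter the DDOS state once the threshold is reached."""
        if resp.is_correct:
            if self.map.ddos_state and self.map.get(resp.domain) is None:
                self.map.put(resp.domain, resp.ip)
            return resp
        key = self.suffix(resp.domain)
        self.error_counter[key] = self.error_counter.get(key, 0) + 1
        if self.error_counter[key] >= self.count_threshold and not self.map.ddos_state:
            self.control_enter_ddos()
        return resp

    def control_enter_ddos(self) -> None:
        """DSC-control: record the DDOS status and write the authoritative data."""
        self.map.ddos_state = True
        for domain, ip in self.authoritative.items():
            self.map.put(domain, ip)


class ScriptedResolver:
    """Constructed stand-in for the target resolution server; fails every query while overloaded."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.table, self.overloaded, self.queries = table, False, 0

    def __call__(self, domain: str) -> Response:
        self.queries += 1
        if self.overloaded or domain not in self.table:
            return Response(domain, error="SERVFAIL")
        return Response(domain, ip=self.table[domain])


def run_scenario() -> Dict[str, object]:
    """Normal service, the flip into the DDOS state, a cache hit, rate-limited misses and
    caching of a late answer. Names and addresses are constructed sample data."""
    resolver = ScriptedResolver({"www.example.test": "192.0.2.10", "api.example.test": "192.0.2.11"})
    dsc = Dsc(resolver, authoritative={"www.example.test": "192.0.2.10"}, count_threshold=3, rate_limit=1)
    out: Dict[str, object] = {}
    out["normal_ip"] = dsc.ingress("www.example.test").ip            # forwarded, not cached
    out["cached_in_normal_state"] = dsc.map.get("www.example.test") is not None
    resolver.overloaded = True
    for _ in range(3):                                                # three errors, same suffix
        dsc.ingress("api.example.test")
    out["ddos_state"] = dsc.map.ddos_state
    queries = resolver.queries
    out["ddos_ip"] = dsc.ingress("www.example.test").ip              # served from authoritative data
    out["cache_hit_skips_resolver"] = resolver.queries == queries
    out["miss_is_queued"] = dsc.ingress("cdn.example.test") is None
    dsc.ingress("img.example.test")
    out["sent_per_flush"] = len(dsc.flush_queue())                   # rate limit of 1 per flush
    resolver.overloaded = False                                       # resolver recovers
    resolver.table["img.example.test"] = "192.0.2.12"
    out["late_ip"] = dsc.flush_queue()[0].ip
    out["late_cached"] = dsc.map.get("img.example.test")              # cached: still in DDOS state
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points worth noting from a defender's view: the cache is only written while the resolver is flagged as under attack, which is what keeps the cache unit small, and the authoritative data written by the control step is what prevents a configured domain from being "accidentally killed" when the resolver itself is failing, since hits never touch the resolver at all.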

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention provide a method for preventing erroneous blocking in a distributed denial of service (DDOS) attack, which method is used to improve the effect of preventing erroneous blocking in a DDOS attack. The method according to the embodiments of the present application comprises: receiving a target domain name configured by a user, a resolution operation of the target domain name being performed by a target resolution server; allocating a cache unit to the target domain name according to an instruction from the user, the cache unit being used to store a response message when the target resolution server is in a DDOS state, the response message being used to respond to a domain name resolution request for the target domain name; and responding to the domain name resolution request for the target domain name on the basis of the cache unit.
PCT/CN2023/080099 2022-08-31 2023-03-07 Apparatus and method for preventing erroneous blocking in a distributed denial of service (DDOS) attack WO2024045542A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211055064.2A CN117675248A (zh) 2022-08-31 2022-08-31 Anti-accidental killing method and apparatus for a distributed denial of service (DDOS) attack
CN202211055064.2 2022-08-31

Publications (1)

Publication Number Publication Date
WO2024045542A1 true WO2024045542A1 (fr) 2024-03-07

Family

ID=90071983

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/080099 WO2024045542A1 (fr) 2022-08-31 2023-03-07 Apparatus and method for preventing erroneous blocking in a distributed denial of service (DDOS) attack

Country Status (2)

Country Link
CN (1) CN117675248A (fr)
WO (1) WO2024045542A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413201A (zh) * 2011-11-10 2012-04-11 上海牙木通讯技术有限公司 Method and device for processing a DNS query request
CN104468244A (zh) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Method and device for constructing disaster recovery for a domain name resolution system
EP3462712A1 (fr) * 2017-10-02 2019-04-03 Nokia Solutions and Networks Oy Method for mitigating DNS-DDoS attacks
CN110855633A (zh) * 2019-10-24 2020-02-28 华为终端有限公司 Protection method, device and system against a distributed denial of service (DDOS) attack
CN111565195A (zh) * 2020-05-21 2020-08-21 杭州安恒信息技术股份有限公司 Challenge collapsar attack defense method for a distributed system, and distributed system

Also Published As

Publication number Publication date
CN117675248A (zh) 2024-03-08

Similar Documents

Publication Publication Date Title
US11057404B2 (en) Method and apparatus for defending against DNS attack, and storage medium
EP3923551A1 (fr) Method and system for trapping a network threat, and forwarding device
EP3085064B1 (fr) Blocking security threats by means of a domain name system
JP7299415B2 (ja) Security vulnerability defense method and device
US11671402B2 (en) Service resource scheduling method and apparatus
US8661522B2 (en) Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
US9794282B1 (en) Server with queuing layer mechanism for changing treatment of client connections
US11503073B2 (en) Live state transition using deception systems
CN107666473B (zh) Attack detection method and controller
US10148676B2 (en) Method and device for defending DHCP attack
US20120144483A1 (en) Method and apparatus for preventing network attack
US11451582B2 (en) Detecting malicious packets in edge network devices
CN111371920A (zh) DNS front-end resolution method and system
WO2020037781A1 (fr) Anti-attack method and device for a server
US11271963B2 (en) Defending against domain name system based attacks
KR101200906B1 (ko) Network-based high-performance harmful site blocking system and method
WO2024045542A1 (fr) Apparatus and method for preventing erroneous blocking in a distributed denial of service (DDOS) attack
US11658995B1 (en) Methods for dynamically mitigating network attacks and devices thereof
CN112532610B (zh) TCP segment based intrusion prevention detection method and device
WO2021121027A1 (fr) Method for implementing a dynamic collaborative architecture, system, terminal device and storage medium
US10182071B2 (en) Probabilistic tracking of host characteristics
US20230269236A1 (en) Automatic proxy system, automatic proxy method and non-transitory computer readable medium
WO2023060881A1 (fr) Method and apparatus for identifying the source address of a packet
KR20050011191A (ko) High-speed network system and operating method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23858585

Country of ref document: EP

Kind code of ref document: A1