
CN103685213A - Device, system and method for reducing attacks on DNS - Google Patents


Info

Publication number
CN103685213A
Authority
CN
China
Prior art keywords
request
credential
name server
local recursive
address
Prior art date
Legal status
Pending
Application number
CN201210364612.XA
Other languages
Chinese (zh)
Inventor
隋爱芬
郭代飞
Current Assignee
Siemens Corp
Original Assignee
Siemens Corp
Priority date
Filing date
Publication date
Application filed by Siemens Corp
Priority to CN201210364612.XA
Priority to PCT/EP2013/068804 (WO2014048746A1)
Publication of CN103685213A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for reducing attacks on DNS, comprising: after a local recursive name server receives a first request, sent by a resolver, that does not carry a credential, it generates a credential for the first request and sends the credential to the resolver at the source IP address of the first request; the local recursive name server then receives the first request resent by the resolver carrying the credential, and if it determines that the first request carries the correct credential it continues to process the first request, whereas if the first request carries a wrong credential it discards the first request. The invention also discloses a device and a system for reducing attacks on DNS. With the method, device and system of the invention, attacks on DNS can be effectively reduced on the local recursive name server side, so that large numbers of attack requests are prevented from reaching other recursive name servers or even authoritative name servers. At the same time, applying the invention requires no change, or only a very small change, to the existing DNS specifications, so it is simple to implement and low in cost.

Description

Device, system and method for reducing attacks on DNS
Technical field
The present invention relates to network security technology, and in particular to a device, a system and a method for reducing attacks on DNS.
Background technology
The Domain Name System (DNS) is a key element of the Internet infrastructure: it performs the mapping between domain names and IP addresses. If even a small part of DNS becomes unavailable for a very short time, use of the entire Internet may be affected, which is wholly unacceptable. However, because DNS queries and responses are mostly carried over the User Datagram Protocol (UDP), and UDP is connectionless, datagrams are easy to forge, and denial of service (DoS) attacks based on forged datagrams are hard to stop and inevitably cause extensive damage to the DNS service.
There are two main attack strategies against DNS based on forged packets. The first is to send large numbers of forged query requests to a DNS server so as to overload it, for example query requests for non-existent resource records (RRs). Because a standard DNS server cannot distinguish forged requests from genuine ones, it can only try to process all requests and then, once overloaded, drop requests indiscriminately. Legitimate requesters generally interpret their dropped requests as congestion, and the mandatory retransmission delay greatly reduces the number of legitimate requests that reach the overloaded server. The second strategy is to send query requests with a forged source IP address (that of a third-party victim host) and exploit the traffic amplification inherent in the DNS mechanism: the response to a 50-byte request may be 500 bytes, so every request an attacker sends elicits a response that consumes more resources than the request itself. Under this attack the amplified DNS traffic can exhaust both the bandwidth of the DNS server and the downlink bandwidth of the attacked third-party host.
At present, however, there is no suitable countermeasure against this kind of attack.
Summary of the invention
The object of the present invention is to provide a method, a device and a system for reducing attacks on DNS, so as to effectively suppress attacks on DNS.
According to one embodiment of the present invention, a method for reducing attacks on DNS comprises: a local recursive name server receives a first request, sent by a resolver, that does not carry a credential, generates a credential for the first request, and sends the credential to the source IP address of the first request; the local recursive name server then receives the first request resent by the resolver carrying a credential; if the resent first request carries the correct credential, processing of the resent first request continues; if the resent first request carries a wrong credential, the resent first request is discarded.
According to another embodiment of the present invention, a device for reducing attacks on DNS is located on the local recursive name server side of the DNS system and comprises a request receiving unit, a credential generating unit and a request processing unit. The request receiving unit receives the first request without a credential sent by the resolver and forwards it to the credential generating unit. The credential generating unit generates a credential for the first request and sends the credential to the source IP address of the first request. The request receiving unit also receives the first request resent by the resolver carrying a credential and forwards it to the request processing unit. The request processing unit determines whether the credential carried in the resent first request is correct; if it is, it forwards the resent first request to the local recursive name server, otherwise it discards the resent first request.
According to another embodiment of the present invention, a device for reducing attacks on DNS is located on the client side of the DNS system and comprises a request sending unit, a credential receiving unit and a request resending unit. The request sending unit sends the first request without a credential to the local recursive name server; the credential receiving unit receives the credential generated for the first request by the local recursive name server; the request resending unit places the credential in the first request and resends the first request, now carrying the credential, to the local recursive name server.
According to still another embodiment of the present invention, a system for reducing attacks on DNS comprises a client side and a local recursive name server side. The client side sends a first request without a credential to the local recursive name server side, receives the credential that the local recursive name server side generates for the first request, and resends the first request carrying the credential to the local recursive name server side. The local recursive name server side receives the first request without a credential sent by the client side, sends a credential to the source IP address of the first request, and receives the first request carrying a credential resent by the client side; if the resent first request carries the correct credential, processing of it continues, and if it carries a wrong credential, the resent first request is discarded.
According to a further embodiment of the present invention, a system for reducing attacks on DNS comprises a resolver and a local recursive name server, and additionally a client-side checking device and a server-side checking device. The client-side checking device transparently passes the first request without a credential sent by the resolver through to the local recursive name server. The server-side checking device receives the first request without a credential sent by the client-side checking device and sends a credential to the source IP address of the first request. The client-side checking device also receives the credential, places it in the first request and resends the first request carrying the credential to the local recursive name server. The server-side checking device also receives the first request resent by the client-side checking device; if it carries the correct credential, the server-side checking device forwards the resent first request to the local recursive name server, and if it carries a wrong credential, discards it.
As can be seen from the above technical solutions, on the local recursive name server side a credential is generated for each received first request that carries no credential; on the resolver side the first request is resent carrying the credential; and on the local recursive name server side it is determined whether the credential carried in the first request is correct, requests containing the correct credential continue to be processed and requests containing a wrong credential are discarded. With the method, device and system of the invention, attacks are suppressed on the local recursive name server side, so that the large numbers of requests sent by attackers are prevented from reaching other recursive name servers or even authoritative name servers, and attacks on DNS are effectively suppressed at their source. Moreover, the embodiments of the invention require no change, or only a very small change, to the existing DNS standard, and have the advantages of simple implementation and low cost.
Brief description of the drawings
The above and other features and advantages of the present invention will become clearer to those of ordinary skill in the art from the following detailed description of preferred embodiments with reference to the accompanying drawings, in which the same reference numerals denote the same parts:
Fig. 1 is a schematic diagram of the main components of a DNS system;
Fig. 2 is a schematic diagram of an example DNS system and of the RR query processing flow;
Fig. 3 is a structural diagram of the device for reducing attacks on DNS of embodiment one;
Fig. 4 is a structural diagram of the device for reducing attacks on DNS of embodiment two;
Fig. 5 is a structural diagram of the system for reducing attacks on DNS of embodiment three;
Fig. 6 is a structural diagram of the system for reducing attacks on DNS of embodiment four;
Fig. 7 is a flow chart of the method for reducing attacks on DNS of embodiment five.
Detailed description of the embodiments
To make the technical solution and advantages of the present invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to illustrate the invention and are not intended to limit it.
When confronting the problem of forged-packet attacks on DNS that exists in the prior art, the inventors analysed the types of attack and found that the source IP address of many of the requests sent by attackers is forged. Exploiting this feature, the local recursive name server (Local Recursive Name Server) side can send a credential to the client at the source IP address of the request; the client side then generates a request carrying the credential; and the local recursive name server side judges the credential carried in the request, continuing to process the request if it carries the correct credential and discarding the request if it carries a wrong credential. In this way, attacks on DNS with forged source IP addresses are effectively controlled on the local recursive name server side, the attack is prevented from threatening other recursive name servers or even authoritative name servers (Authoritative Name Server), and the damage and paralysis that such an attack would cause to the whole network are avoided.
The DNS system and its basic operating principles are introduced below.
Fig. 1 is a schematic diagram of a DNS system. As shown in Fig. 1, a DNS system generally comprises a resolver (Resolver), a local recursive name server and an authoritative name server.
Normally, the local recursive name server and the authoritative name server together logically form most or all of the domain name service, and can therefore each, or collectively, be called a name server (NS). The resolver obtains from the name server the information needed to respond to client requests.
In one embodiment, the resolver can access at least one local recursive name server and answer the query request sent by the client directly with the information held by the local recursive name server. Alternatively, the resolver can have the client's query request passed via the local recursive name server to an authoritative name server for a recursive query. Specifically, if the local recursive name server can find the record corresponding to the query request in its local cache, it sends the response directly to the resolver; if there is no corresponding record in the local recursive name server's cache, a recursive query is started, the request is passed to an authoritative name server, and the response obtained from the authoritative name server is sent to the resolver.
The resolver can be a program that user programs on a client can access directly, and is preferably a system program. Normally a user program calls the resolver directly, so in general there is no specific session protocol between the resolver and the user program.
A local recursive name server (LRS) can either be deployed on the Internet and shared by the public, or be set up specifically for one organisation. A local recursive name server has two main functions. First, it serves recursive queries: when the LRS has to answer a query request, it answers directly if it can, and if it cannot answer directly it sends one or more iterative requests to several authoritative name servers (ANS) to carry out the recursive query. Second, the local recursive name server caches the answers returned by authoritative name servers, and only queries an authoritative name server when there is no answer in its cache.
An authoritative name server is a database that maintains name-to-address mappings. An authoritative name server normally stores the tree structure of a domain and the configuration information related to that tree structure. An authoritative name server can cache any part of the domain tree or of the tree configuration information, but usually a given authoritative name server holds the complete information for a particular subset of the domain space, together with pointers to other name servers that are used to obtain information from other parts of the domain tree. The authoritative name server knows the complete information for this part of the domain tree and is authoritative for it.
The processing flow of the DNS system is introduced below using the processing of a resource record (RR) query as an example. An RR is a resource record in the ANS database; there are many types, such as A records, NS records and MX records.
Fig. 2 shows the processing flow of the DNS system for a resource record query. Fig. 2 shows an example with three authoritative name servers: the root ANS, the ANS for the com domain and the ANS for the ms.com domain.
By way of example:
The resolver, in order to answer a requirement of a client application, resolves the address of www.ms.com. The resolver sends a query request to the local recursive name server in message 1; the local recursive name server sends a query request to the root ANS in message 2; the root ANS uses a name server (NS) record and an address (A) record to return the name and IP address of the com domain ANS in message 3; the local recursive name server queries the com domain ANS in message 4; the com domain ANS returns the name and IP address of the ms.com domain ANS in message 5; the local recursive name server sends a query request to the ms.com domain ANS in message 6; the ms.com domain ANS returns the IP address of www.ms.com in message 7; and the local recursive name server returns the IP address of www.ms.com to the resolver in message 8.
In this process the root ANS and the com domain ANS only provide referral information, namely the NS record and the A record of the authoritative name server for the next-level domain, while the ms.com domain ANS provides the final authoritative answer.
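The eight-message exchange of Fig. 2, modelled as an added example (this is not code from the patent or from Siemens). The three authoritative servers, the records they hold, the TEST-NET addresses and the class names AuthNS and LocalRecursiveNS are all constructed for the illustration. It also shows the second function of the LRS described above: a repeated query is answered from the cache without any of messages 2 to 7.

```python
from dataclasses import dataclass, field

# Constructed model of the Fig. 2 exchange: a local recursive name server (LRS)
# walks the referral chain root ANS -> com ANS -> ms.com ANS and caches the
# final answer. Names, addresses (RFC 5737 TEST-NET ranges) and the class
# names are assumptions for this illustration, not part of the patent.


@dataclass
class AuthNS:
    """An authoritative name server that knows one subset of the domain tree."""
    name: str
    records: dict                      # owner name -> {rrtype: [rdata, ...]}
    delegations: dict                  # child zone -> (NS name, glue A address)

    def query(self, qname: str, qtype: str = "A"):
        """Answer authoritatively, refer to a child zone, or report that the name does not exist."""
        rrs = self.records.get(qname, {})
        if qtype in rrs:
            return "answer", rrs[qtype]
        for child, (ns_name, ns_addr) in self.delegations.items():
            if qname == child or qname.endswith("." + child):
                # Referral: the NS record of the next-level ANS plus its A (glue) record.
                return "referral", (child, ns_name, ns_addr)
        return "nxdomain", None


@dataclass
class LocalRecursiveNS:
    """Resolves on behalf of the resolver; asks authoritative servers only on a cache miss."""
    root: AuthNS
    by_addr: dict                      # IP address -> AuthNS reachable at that address
    cache: dict = field(default_factory=dict)

    def resolve(self, qname: str, qtype: str = "A"):
        """Return (rdata list or None, trace of (server, reply kind) for messages 2..7)."""
        trace = []
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)], trace    # message 8 served from cache
        server = self.root
        while True:
            kind, data = server.query(qname, qtype)
            trace.append((server.name, kind))
            if kind == "answer":
                self.cache[(qname, qtype)] = data
                return data, trace
            if kind == "nxdomain":
                return None, trace
            _, _, ns_addr = data
            server = self.by_addr[ns_addr]             # follow the referral


def build_example_dns() -> LocalRecursiveNS:
    """The three authoritative servers of Fig. 2, with constructed records."""
    ms_com = AuthNS("ms.com ANS", {"www.ms.com": {"A": ["192.0.2.80"]}}, {})
    com = AuthNS("com ANS", {}, {"ms.com": ("ns.ms.com", "192.0.2.3")})
    root = AuthNS("root ANS", {}, {"com": ("ns.com", "192.0.2.2")})
    return LocalRecursiveNS(root, {"192.0.2.2": com, "192.0.2.3": ms_com})


if __name__ == "__main__":
    lrs = build_example_dns()
    print(lrs.resolve("www.ms.com"))   # full referral chain, three authoritative replies
    print(lrs.resolve("www.ms.com"))   # answered from the LRS cache, empty trace
    print(lrs.resolve("nope.ms.com"))  # ms.com ANS reports that the name does not exist
```

The trace returned by resolve() is what an attacker's query for a non-existent name costs: every cache miss for a name under ms.com reaches the ms.com ANS, which is why the later embodiments stop such queries at the LRS.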
The above description of a concrete address resolution and DNS system architecture illustrates the resource record query processing flow by way of example only. Those skilled in the art will appreciate that this illustration serves the purpose of explanation and is not intended to limit the embodiments of the invention in any way.
The present invention is described in detail below with reference to specific embodiments.
Embodiment one
Fig. 3 is a structural diagram of the device for reducing attacks on DNS of embodiment one. The device is located on the local recursive name server side of the DNS system. As can be seen from Fig. 3, the device comprises a request receiving unit 301, a credential generating unit 302 and a request processing unit 303. The request receiving unit 301 receives the requests sent by the client's resolver, forwards requests that carry a credential to the request processing unit 303, and forwards requests that carry no credential to the credential generating unit 302. The credential generating unit 302 generates a credential for each request that carries no credential, sends the credential to the source IP address of the request, and stores the generated credential. The request processing unit 303 judges, against the locally stored credentials, whether the credential carried in a received request is correct, then forwards requests carrying the correct credential to the local recursive name server and discards requests carrying a wrong credential.
The credential generating unit 302 can generate a credential for a request in many ways, for example from one or more of the requester identifier of the first request, the request content, the identifier of the packet carrying the request, and a random number.
Specifically, when the credential is generated from the requester identifier of the first request, the requester identifier can be the requester's IP address or e-mail address, etc. When the credential is generated from the request content, it can be derived from attributes of the request content itself; for example, when the request content is a URL, the URL can serve as the credential. When the credential is generated from the identifier of the packet carrying the request, that identifier can be the packet's ID number, sequence number, etc. When the credential is generated from one or more random numbers, the random numbers can be produced by any random-number algorithm and used as the credential.
By way of example, in embodiments of the invention the concrete form of the credential can be a token.
Further, the request processing unit 303 can also record the number of requests for the same resource record to which query failure responses correspond; when the number of requests for the same resource record that received query failure responses within a predetermined time reaches a predefined threshold, called here the first threshold, the request processing unit 303 discards subsequent requests sent for that resource record.
What the request processing unit 303 records is generally the number of requests for the same resource record to which query failure messages returned by the authoritative name server correspond. For example, if the requests sent from a source IP address are query requests for a non-existent resource record, the local recursive name server will receive the query failure messages returned by the name server; when the number of requests for the same resource record that received query failure responses reaches a certain level, namely the first threshold, it indicates that an attack has very probably occurred, in which the attacker attacks DNS with query requests for a non-existent resource record. The request processing unit 303 then blocks this resource record, which prevents more of the attack from entering the network system. In general, blocking a resource record means no longer processing subsequent requests sent for that resource record; such subsequent requests can be discarded directly.
Further, the request processing unit 303 can also record the number of requests from the same source IP address; when the number of requests from the same source IP address within a predetermined time reaches a predefined threshold, the second threshold, the request processing unit 303 discards subsequent requests sent by that source IP address.
The second threshold is the maximum permissible number of requests, as recorded by the request processing unit 303 itself, that one source IP address may send within a period of time. In general, a source IP address that sends a large number of requests is quite likely to be an attacker. A large number of requests can cause network congestion, particularly when the local recursive name server has to query the authoritative name server, where heavier congestion is more easily caused. When the number of requests sent by a source IP address within the predetermined time reaches a certain level, the source IP address is blocked and its subsequent requests are discarded, which prevents more of the attack from entering the network system.
Setting the first threshold, which controls the number of requests for the same resource record that received query failure responses, and setting the second threshold, which controls a single source IP address sending large numbers of requests, can each be implemented in the request processing unit 303 separately, or both can be implemented at the same time. They can be configured flexibly for different situations and requirements.
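The two thresholds of the request processing unit 303, implemented as an added example (not code from the patent or from Siemens). The patent fixes neither the length of the "predetermined time" nor how long a block lasts, so both are parameters here, the window is a sliding one, and blocks lapse after block_s; the class and function names, the threshold values and the replayed traffic are all constructed. One caveat a deployment needs: the second threshold counts by claimed source address, so it must sit behind the credential check, otherwise a flood that forges a victim's address gets that victim blocked.

```python
import time
from collections import defaultdict, deque

# Constructed model of the two counters of request processing unit 303: the
# first threshold blocks a resource record once enough queries for it have
# drawn query-failure responses (e.g. NXDOMAIN) inside the window, the second
# threshold blocks a source IP address that sends too many requests inside
# the window. Window length and block lifetime are assumptions, as are all
# class and function names.


class FakeClock:
    """Deterministic clock so the sliding window can be exercised offline."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class AttackGate:
    def __init__(self, rr_threshold: int, ip_threshold: int,
                 window_s: float, block_s: float, clock=time.monotonic):
        self.rr_threshold = rr_threshold        # first threshold
        self.ip_threshold = ip_threshold        # second threshold
        self.window_s = window_s                # the "predetermined time"
        self.block_s = block_s                  # how long a block lasts (assumption)
        self.clock = clock
        self._rr_failures = defaultdict(deque)  # (qname, qtype) -> failure timestamps
        self._ip_requests = defaultdict(deque)  # src_ip -> request timestamps
        self.blocked_rr = {}                    # (qname, qtype) -> block expiry
        self.blocked_ip = {}                    # src_ip -> block expiry

    def _prune(self, dq: deque, now: float) -> None:
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def _is_blocked(self, table: dict, key, now: float) -> bool:
        expiry = table.get(key)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del table[key]                          # block has lapsed
        return False

    def admit(self, src_ip: str, qname: str, qtype: str = "A") -> bool:
        """True if the request may be forwarded to the local recursive name server."""
        now = self.clock()
        rr = (qname, qtype)
        if self._is_blocked(self.blocked_ip, src_ip, now) or self._is_blocked(self.blocked_rr, rr, now):
            return False
        dq = self._ip_requests[src_ip]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= self.ip_threshold:
            # Second threshold reached: this request is still processed, follow-ups are dropped.
            self.blocked_ip[src_ip] = now + self.block_s
        return True

    def record_failure(self, qname: str, qtype: str = "A") -> None:
        """Called when the authoritative side returned a query failure for this resource record."""
        now = self.clock()
        dq = self._rr_failures[(qname, qtype)]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= self.rr_threshold:
            self.blocked_rr[(qname, qtype)] = now + self.block_s


def simulate(clock: FakeClock = None) -> dict:
    """Replay two constructed attack patterns through the gate and report what happened."""
    clock = clock or FakeClock()
    gate = AttackGate(rr_threshold=5, ip_threshold=10, window_s=60, block_s=300, clock=clock)
    admitted = dropped = 0
    # Pattern 1: a single (non-forged) source floods 20 queries for random names.
    for i in range(20):
        clock.advance(0.1)
        if gate.admit("203.0.113.5", f"r{i}.example"):
            admitted += 1
        else:
            dropped += 1
    # Pattern 2: eight different sources query one non-existent name; each forwarded query draws a failure.
    for i in range(8):
        clock.advance(0.1)
        if gate.admit(f"198.51.100.{i + 1}", "nx.example"):
            admitted += 1
            gate.record_failure("nx.example")
        else:
            dropped += 1
    # A legitimate client querying an existing name is unaffected by either block.
    legit = gate.admit("192.0.2.10", "www.ms.com")
    return {"admitted": admitted, "dropped": dropped, "legit_admitted": legit,
            "blocked_ips": sorted(gate.blocked_ip), "blocked_rrs": sorted(gate.blocked_rr)}


if __name__ == "__main__":
    print(simulate())
```

With the constructed thresholds, the flooding address is processed ten times and then blocked, and the non-existent name is blocked after its fifth failure, so only 15 of the 28 attack queries reach the name server while the legitimate query still passes.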
Embodiment two
Fig. 4 is a structural diagram of the device for reducing attacks on DNS of embodiment two; the device is located on the client side of the DNS system. As can be seen from Fig. 4, the device comprises a request sending unit 401, a credential receiving unit 402 and a request resending unit 403. The request sending unit 401 sends requests to the local recursive name server side; the credential receiving unit 402 receives the credential generated by the local recursive name server side; the request resending unit 403 places the credential in the request and resends the request carrying the credential to the local recursive name server side.
Embodiment three
Fig. 5 is a structural diagram of the system for reducing attacks on DNS of embodiment three. The system of this embodiment comprises a resolver 501, a server-side checking device 502 and a local recursive name server 503. The server-side checking device 502 can be the device of embodiment one.
In the system of this embodiment, the server-side checking device 502 receives the first request sent by the resolver 501; if it judges that the first request carries no credential, it generates a credential for the first request, stores the credential, and sends it to the resolver 501 at the source IP address of the first request. After receiving the credential, the resolver 501 generates a first request carrying the credential and resends it to the local recursive name server 503. The server-side checking device 502 receives the first request carrying the credential resent by the resolver 501; if it judges that the first request carries the correct credential, it forwards the first request to the local recursive name server 503; if it judges that the first request carries a wrong credential, it discards the first request.
The server-side checking device 502 can generate the credential in the same ways described for the credential generating unit 302 of embodiment one, for example from one or more of the requester identifier of the first request (such as the requester's IP or e-mail address), the request content (such as a URL), the identifier of the packet carrying the request (such as its ID number or sequence number) and one or more random numbers; by way of example, the concrete form of the credential can be a token.
Further, as in embodiment one, the server-side checking device 502 can also record the number of requests for the same resource record that received query failure responses, and when that number within a predetermined time reaches the first threshold, discard subsequent requests sent for that resource record; and it can record the number of requests from the same source IP address, and when that number within a predetermined time reaches the second threshold, discard subsequent requests sent by that source IP address. The two thresholds can be implemented in the server-side checking device 502 separately or together, and configured flexibly for different situations and requirements.
Embodiment four
Fig. 6 is a structural diagram of the system for reducing attacks on DNS of embodiment four. The system of this embodiment comprises a resolver 601, a client-side checking device 602, a server-side checking device 603 and a local recursive name server 604. The server-side checking device 603 can be the device of embodiment one, and the client-side checking device 602 can be the device of embodiment two.
In the system of this embodiment, the client-side checking device 602 transparently passes the first request sent by the resolver 601 through to the local recursive name server 604. The server-side checking device 603 receives the first request sent by the client-side checking device 602; if the first request carries no credential, it generates a credential, stores it, and sends it to the source IP address of the first request, that of the resolver 601. The client-side checking device 602 receives the credential, generates a first request carrying the credential and resends it to the local recursive name server 604. The server-side checking device 603 receives the first request carrying the credential resent by the client-side checking device 602; if it judges that the first request carries the correct credential, it forwards the first request to the local recursive name server 604; if it judges that the first request carries a wrong credential, it discards the first request.
The server-side checking device 603 can generate the credential in the same ways described for embodiment one, for example from one or more of the requester identifier of the first request, the request content, the identifier of the packet carrying the request, and a random number.
Further, as in embodiment one, the server-side checking device 603 can also record the number of requests for the same resource record that received query failure responses, and when that number within a predetermined time reaches the first threshold, discard subsequent requests sent for that resource record; and it can record the number of requests from the same source IP address, and when that number within a predetermined time reaches the second threshold, discard subsequent requests sent by that source IP address. The two thresholds can be implemented in the server-side checking device 603 separately or together, and configured flexibly for different situations and requirements.
Compared with embodiment three, embodiment four deploys checking devices on both the client side and the local recursive name server side, so that no change to the existing DNS standard is needed.
Embodiment five
Fig. 7 is a flow chart of the method for reducing attacks on DNS according to embodiment five of the present invention. As shown in Fig. 7, the method of this embodiment comprises the following steps:
In step 701, after the local recursive name server receives a first request sent by a resolver that carries no credential, it generates a credential for the first request, stores that credential, and sends the credential to the resolver at the source IP address of the first request;
The credential may be generated for the request in several ways, for example from one or more of the requester identifier of the first request, the request content, the identifier of the packet carrying the request, and a random number.
In step 702, after the resolver receives the credential, it generates a first request carrying the credential and resends the first request to the local recursive name server;
In step 703, the local recursive name server receives the resent first request carrying the credential; if it judges that the first request carries a correct credential, it continues to process the first request; if the first request carries a wrong credential, it discards the first request.
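The challenge and resend exchange of steps 701 to 703 (and the same exchange between the detection devices of embodiment four above), as an added example that is not part of the patent. The two devices are simulated in one process; the credential derivation is an assumption, an HMAC over the inputs the patent lists (requester identifier, packet identifier, request content and a random nonce), and the credential is stored per request as the patent describes. The addresses and queries are constructed.

```python
"""Added example (not the patent's code): the credential challenge between a
resolver (client side) and the local recursive name server side.
Assumptions: credential = first 16 bytes of HMAC-SHA256 over
(source IP | message ID | qname | qtype | random nonce); one credential per
(source IP, qname, qtype); a credential is valid for a single resend."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """A DNS query as seen by the detection devices (constructed model)."""
    src_ip: str                        # requester identifier
    msg_id: int                        # identifier of the packet carrying the request
    qname: str                         # request content
    qtype: str
    credential: Optional[bytes] = None


class ServerSideDevice:
    """Server-side detection device in front of the local recursive server."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self.issued: Dict[Tuple[str, str, str], bytes] = {}  # stored credentials
        self.forwarded: List[Request] = []
        self.dropped: List[Request] = []

    def _derive(self, req: Request, nonce: bytes) -> bytes:
        mac = hmac.new(self.key, digestmod=hashlib.sha256)
        mac.update(f"{req.src_ip}|{req.msg_id}|{req.qname}|{req.qtype}|".encode())
        mac.update(nonce)
        return mac.digest()[:16]

    def handle(self, req: Request):
        """Returns ('challenge', dst_ip, credential), ('forward', req) or ('drop', req)."""
        key = (req.src_ip, req.qname, req.qtype)
        if req.credential is None:
            cred = self._derive(req, secrets.token_bytes(8))
            self.issued[key] = cred
            # The credential is sent to the *source IP* of the request, so a
            # request with a spoofed source never receives it.
            return ("challenge", req.src_ip, cred)
        expected = self.issued.get(key)
        if expected is not None and hmac.compare_digest(expected, req.credential):
            del self.issued[key]          # one-shot: a replay finds nothing stored
            self.forwarded.append(req)
            return ("forward", req)
        self.dropped.append(req)
        return ("drop", req)


class ClientSideDevice:
    """Client-side detection device: passes the resolver's request through and,
    when a challenge arrives at its own address, resends with the credential."""

    def __init__(self, ip: str):
        self.ip = ip

    def on_challenge(self, dst_ip: str, cred: bytes, req: Request) -> Optional[Request]:
        if dst_ip != self.ip:
            return None               # challenge went to a spoofed source, not to us
        return Request(req.src_ip, req.msg_id, req.qname, req.qtype, cred)


def exchange(server: ServerSideDevice, client: ClientSideDevice, req: Request) -> str:
    """Drive one request through the whole challenge/resend exchange."""
    outcome = server.handle(req)
    if outcome[0] != "challenge":
        return outcome[0]
    retry = client.on_challenge(outcome[1], outcome[2], req)
    if retry is None:
        return "unanswered"           # spoofed source: never gets past the challenge
    return server.handle(retry)[0]


if __name__ == "__main__":
    srv = ServerSideDevice()
    print(exchange(srv, ClientSideDevice("192.0.2.10"),
                   Request("192.0.2.10", 0x1234, "www.example.com", "A")))
    print(exchange(srv, ClientSideDevice("198.51.100.7"),
                   Request("203.0.113.5", 0x1235, "www.example.com", "A")))
```

What the exchange buys is visible in the second call: a request whose source address is forged never completes, because the credential is delivered to the forged address. A requester that uses its real address does obtain a credential, which is why the patent pairs the credential with the per-record and per-source thresholds. Because the credential here is an HMAC, the stored-credential table could be dropped and the value recomputed on the resend (with a time-bucketed nonce), which removes the per-request state that a spoofed-source flood would otherwise build up on the server side.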
Further, the method for the present embodiment also comprises:
First threshold is set;
Local recurrence name server records the quantity of the request of the same resource record that failed inquiry response is corresponding;
The number of request of the same resource record that the inquiry response of the failure within the scheduled time is corresponding reaches first threshold, and local recurrence name server abandons the subsequent request of sending for this resource record.
Further, the method for the present embodiment also comprises:
Second Threshold is set;
Local recurrence name server record is from the quantity of the request of same source IP address;
The number of request from same source IP address within the scheduled time reaches Second Threshold, and local recurrence name server abandons the subsequent request that this source IP address is sent.
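The two counters above (and the same first and second thresholds in the server-side detection device of embodiment four), as an added example that is not part of the patent. The filter keeps a sliding window per resource record and per source IP and is replayed over a constructed query log; the window length, threshold values and log lines are assumptions, and the rcode on each line stands for the answer the recursive server returned for that query.

```python
"""Added example (not the patent's code): first threshold (failed responses
for the same resource record within a window) and second threshold (requests
from the same source IP within a window).  Assumed: 60 s window, thresholds
3 and 4, and the constructed log below (time, source, qname, qtype, rcode)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ThresholdFilter:
    def __init__(self, window_s: float, first_threshold: int, second_threshold: int):
        self.window_s = window_s
        self.first_threshold = first_threshold        # failed responses per record
        self.second_threshold = second_threshold      # requests per source IP
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._per_src: Dict[str, Deque[float]] = defaultdict(deque)

    def _trim(self, dq: Deque[float], now: float) -> None:
        cutoff = now - self.window_s
        while dq and dq[0] <= cutoff:
            dq.popleft()

    def admit(self, now: float, src_ip: str, qname: str, qtype: str) -> bool:
        """True if the request may go on to the recursive server."""
        # Second threshold: every request from this source counts, admitted or not,
        # and once the count has reached the threshold the following ones are dropped.
        per_src = self._per_src[src_ip]
        self._trim(per_src, now)
        per_src.append(now)
        if len(per_src) > self.second_threshold:
            return False
        # First threshold: failed responses already seen for this record.
        fails = self._failures[(qname, qtype)]
        self._trim(fails, now)
        return len(fails) < self.first_threshold

    def record_response(self, now: float, qname: str, qtype: str, rcode: str) -> None:
        """Called when the recursive server answers; only failures are counted."""
        if rcode != "NOERROR":
            self._failures[(qname, qtype)].append(now)


# Constructed log: a repeated query for a name that does not exist, a single
# source sending a burst, then traffic after the window has expired.
SAMPLE_LOG = """\
0.0 192.0.2.10 www.example.com A NOERROR
1.0 198.51.100.1 ghost.example.org A NXDOMAIN
1.2 198.51.100.2 ghost.example.org A NXDOMAIN
1.4 198.51.100.3 ghost.example.org A NXDOMAIN
1.6 198.51.100.4 ghost.example.org A NXDOMAIN
1.8 198.51.100.5 ghost.example.org A NXDOMAIN
2.0 203.0.113.9 a.example.com A NOERROR
2.1 203.0.113.9 b.example.com A NOERROR
2.2 203.0.113.9 c.example.com A NOERROR
2.3 203.0.113.9 d.example.com A NOERROR
2.4 203.0.113.9 e.example.com A NOERROR
2.5 203.0.113.9 f.example.com A NOERROR
70.0 203.0.113.9 g.example.com A NOERROR
70.5 198.51.100.6 ghost.example.org A NXDOMAIN
"""


def replay(log: str, filt: ThresholdFilter) -> List[Tuple[float, str, str, str]]:
    """Returns (timestamp, src_ip, qname, decision) for every log line."""
    decisions = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype, rcode = line.split()
        now = float(ts)
        if filt.admit(now, src, qname, qtype):
            filt.record_response(now, qname, qtype, rcode)   # the answer comes back
            decisions.append((now, src, qname, "forward"))
        else:
            decisions.append((now, src, qname, "drop"))
    return decisions


def summarize(decisions: List[Tuple[float, str, str, str]]) -> Tuple[int, int]:
    """(forwarded, dropped) counts."""
    fwd = sum(1 for d in decisions if d[3] == "forward")
    return fwd, len(decisions) - fwd


if __name__ == "__main__":
    filt = ThresholdFilter(window_s=60.0, first_threshold=3, second_threshold=4)
    for d in replay(SAMPLE_LOG, filt):
        print(*d)
```

Two details matter in practice. The first threshold counts failed responses, not requests, so it only fires once the recursive server has actually answered with a failure a few times, and it is keyed on the exact record, so a flood of distinct random names (one failure each) is not caught by it; that traffic shows up instead under the second threshold when it comes from few sources. Both windows are sliding, so after the 60 s assumed here the same source and the same record are admitted again rather than blocked permanently.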
Based on the above detailed analysis, the embodiments of the present invention also propose a system for reducing attacks on DNS, comprising a client side and a local recursive name server side, wherein:
the client side is configured to send a first request carrying no credential to the local recursive name server side, receive the credential generated by the local recursive name server side for that first request, and resend to the local recursive name server side the first request carrying that credential;
the local recursive name server side is configured to receive the first request carrying no credential sent by the client side, send a credential to the source IP address of that first request, and receive the first request carrying the credential resent by the client side; if the resent first request carries a correct credential, it continues to process the resent first request, and if the resent first request carries a wrong credential, it discards the resent first request.
Preferably, in the embodiments of the present invention, the credential takes the concrete form of a token.
Based on the above detailed description, the embodiments of the present invention can be stored on a machine-readable medium as instructions or an instruction set. Such computer-readable storage media include, but are not limited to: floppy disks, CDs, DVDs, hard disks, flash memory, USB flash drives, CF cards, SD cards, MMC cards, SM cards, Memory Sticks, xD cards and the like. In addition, the embodiments of the present invention can also be stored as instructions or an instruction set on NAND-flash-based storage media, such as USB flash drives, CF cards, SD cards, SDHC cards, MMC cards, SM cards, Memory Sticks, xD cards and the like.
In practice, the embodiments of the present invention can be implemented in various ways. For example, following the application programming interface of a given standard, the embodiments can be written as a computer program stored on a local storage medium, or packaged as a web application for download.
It should be noted that not every step and module in the flows and structural diagrams above is necessary; some steps or modules can be omitted according to actual needs. The execution order of the steps is not fixed and can be adjusted as required. The system structures described in the embodiments above can be physical structures or logical structures; that is, some modules may be implemented by the same physical entity, one module may be implemented by several physical entities, or several modules may be implemented jointly by components in several independent devices.
In addition, it should be noted that the functions of any of the above embodiments can be realized not only by a computer executing the program code it reads, but also by having the operating system running on the computer perform part or all of the actual operations according to instructions based on that program code.
In addition, it is understood that the program code read from a storage medium may be written into memory provided on an expansion board inserted in the computer, or into memory provided in an expansion unit connected to the computer; instructions based on the program code then cause a CPU or the like mounted on the expansion board or expansion unit to perform part or all of the actual operations, thereby realizing the functions of any of the above embodiments.
From the above description of the invention and its specific embodiments it can be seen that the local recursive name server side generates a credential for a received first request that carries no credential, the resolver side generates a first request carrying the credential, and the local recursive name server side judges whether the credential carried in the resent first request is correct, continues to process requests containing a correct credential, and discards requests containing a wrong credential. With the embodiments of the present invention, an attacker's requests are suppressed at the local recursive name server side, so that large numbers of attacker requests do not enter other recursive name servers or reach authoritative name servers, and attacks on DNS are suppressed at the source. Moreover, the embodiments of the present invention make no, or only very small, changes to the existing DNS standard, and have the advantages of simple implementation and low cost.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention should fall within its scope of protection.

Claims (13)

1. A method for reducing attacks on DNS, characterized in that the method comprises:
a local recursive name server receiving a first request carrying no credential sent by a resolver, generating a credential for that first request, and sending that credential to the source IP address of that first request;
the local recursive name server receiving the first request carrying a credential resent by the resolver; if it judges that the resent first request carries a correct credential, continuing to process the resent first request; if the resent first request carries a wrong credential, discarding the resent first request.
2. The method according to claim 1, characterized in that it further comprises:
the local recursive name server recording the number of requests for the same resource record to which failed query responses correspond;
when the number of requests for the same resource record to which failed query responses correspond reaches a first threshold within a predetermined time, the local recursive name server discarding subsequent requests for that resource record.
3. The method according to claim 1 or 2, characterized in that it further comprises:
the local recursive name server recording the number of requests from the same source IP address;
when the number of requests from the same source IP address reaches a second threshold within a predetermined time, the local recursive name server discarding subsequent requests sent from that source IP address.
4. A device for reducing attacks on DNS, characterized in that the device is located on the local recursive name server side of a DNS system and comprises a request receiving unit, a credential generating unit and a request processing unit, wherein:
the request receiving unit is configured to receive a first request carrying no credential sent by a resolver and to forward that first request to the credential generating unit;
the credential generating unit is configured to generate a credential for the first request carrying no credential and to send that credential to the source IP address of that first request;
the request receiving unit is further configured to receive the first request carrying a credential resent by the resolver and to forward the resent first request to the request processing unit;
the request processing unit is configured to judge whether the credential carried in the resent first request is correct and, if it is correct, to forward the resent first request to the local recursive name server, otherwise to discard the resent first request.
5. The device according to claim 4, characterized in that the request processing unit is further configured to record the number of requests for the same resource record to which failed query responses correspond and, when the number of requests for the same resource record to which failed query responses correspond reaches a first threshold within a predetermined time, to discard subsequent requests for that resource record.
6. The device according to claim 4 or 5, characterized in that the request processing unit is further configured to record the number of requests from the same source IP address and, when the number of requests from the same source IP address reaches a second threshold within a predetermined time, to discard subsequent requests sent from that source IP address.
7. A device for reducing attacks on DNS, characterized in that the device is located on the client side of a DNS system and comprises a request sending unit, a credential receiving unit and a request resending unit, wherein:
the request sending unit is configured to send a first request carrying no credential to the local recursive name server;
the credential receiving unit is configured to receive the credential generated by the local recursive name server for the first request;
the request resending unit is configured to carry the credential in the first request and to resend the first request carrying the credential to the local recursive name server.
8. A system for reducing attacks on DNS, comprising a client side and a local recursive name server side, wherein:
the client side is configured to send a first request carrying no credential to the local recursive name server side, to receive the credential generated by the local recursive name server side for that first request, and to resend to the local recursive name server side the first request carrying that credential;
the local recursive name server side is configured to receive the first request carrying no credential sent by the client side, to send a credential to the source IP address of that first request, and to receive the first request carrying the credential resent by the client side; if the resent first request carries a correct credential, to continue to process the resent first request, and if the resent first request carries a wrong credential, to discard the resent first request.
9. A system for reducing attacks on DNS, comprising a resolver and a local recursive name server, characterized in that it further comprises a client-side detection device and a server-side detection device, wherein:
the client-side detection device is configured to transparently forward to the local recursive name server the first request carrying no credential sent by the resolver;
the server-side detection device is configured to receive the first request carrying no credential sent by the client-side detection device and to send a credential to the source IP address of that first request;
the client-side detection device is further configured to receive the credential, to carry the credential in the first request, and to resend the first request carrying the credential to the local recursive name server;
the server-side detection device is further configured to receive the first request resent by the client-side detection device; if the resent first request carries a correct credential, to forward the resent first request to the local recursive name server; if the resent first request carries a wrong credential, to discard the resent first request.
10. The system according to claim 9, characterized in that the server-side detection device records the number of requests for the same resource record to which failed query responses correspond and, when the number of requests for the same resource record to which failed query responses correspond reaches a first threshold within a predetermined time, discards subsequent requests for that resource record.
11. The system according to claim 9 or 10, characterized in that the server-side detection device records the number of requests from the same source IP address and, when the number of requests from the same source IP address reaches a second threshold within a predetermined time, discards requests sent from that source IP address.
12. A machine-readable medium, characterized in that it stores instructions for causing a machine to perform the method according to any one of claims 1 to 3.
13. A device for reducing attacks on DNS, characterized in that it comprises:
a memory for storing executable instructions; and
a processor for performing, according to the stored executable instructions, the method according to any one of claims 1 to 3.
CN201210364612.XA 2012-09-26 2012-09-26 Device, system and method for reducing attacks on DNS Pending CN103685213A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210364612.XA CN103685213A (en) 2012-09-26 2012-09-26 Device, system and method for reducing attacks on DNS
PCT/EP2013/068804 WO2014048746A1 (en) 2012-09-26 2013-09-11 Device, system and method for reducing attacks on dns

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210364612.XA CN103685213A (en) 2012-09-26 2012-09-26 Device, system and method for reducing attacks on DNS

Publications (1)

Publication Number Publication Date
CN103685213A true CN103685213A (en) 2014-03-26

Family

ID=49182238

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210364612.XA Pending CN103685213A (en) 2012-09-26 2012-09-26 Device, system and method for reducing attacks on DNS

Country Status (2)

Country Link
CN (1) CN103685213A (en)
WO (1) WO2014048746A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
WO2017075869A1 (en) * 2015-11-03 2017-05-11 中国互联网络信息中心 Configuration method and service method of local dns root server
CN105245630B (en) * 2015-09-25 2019-04-23 互联网域名系统北京市工程研究中心有限公司 The method and device of identification and defence DNS SERVFAIL attack
CN110313161A (en) * 2017-02-27 2019-10-08 微软技术许可有限责任公司 The detection based on IPFIX to the amplification attack on database
CN112968915A (en) * 2021-05-18 2021-06-15 卓尔智联(武汉)研究院有限公司 Processing method, processing system and processing device for DNS (Domain name Server) attack
CN114124442A (en) * 2021-09-30 2022-03-01 天翼数字生活科技有限公司 Method and system for defending DDOS attack
CN114844656A (en) * 2021-01-14 2022-08-02 腾讯科技(深圳)有限公司 Network access method, apparatus, system, device and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9294490B1 (en) * 2014-10-07 2016-03-22 Cloudmark, Inc. Apparatus and method for identifying a domain name system resource exhaustion attack
US10009336B2 (en) 2016-05-18 2018-06-26 Cisco Technology, Inc. Network security system to validate a server certificate

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1459171B1 (en) * 2001-09-21 2012-12-26 Cisco Technology, Inc. Protecting network traffic against spoofed domain name system (dns) messages
US7725934B2 (en) * 2004-12-07 2010-05-25 Cisco Technology, Inc. Network and application attack protection based on application layer message inspection
CN101282209A (en) * 2008-05-13 2008-10-08 杭州华三通信技术有限公司 Method and apparatus for preventing DNS request message from flooding attack
US9270646B2 (en) * 2009-04-20 2016-02-23 Citrix Systems, Inc. Systems and methods for generating a DNS query to improve resistance against a DNS attack
US8380870B2 (en) * 2009-08-05 2013-02-19 Verisign, Inc. Method and system for filtering of network traffic

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN105245630B (en) * 2015-09-25 2019-04-23 互联网域名系统北京市工程研究中心有限公司 The method and device of identification and defence DNS SERVFAIL attack
WO2017075869A1 (en) * 2015-11-03 2017-05-11 中国互联网络信息中心 Configuration method and service method of local dns root server
CN110313161A (en) * 2017-02-27 2019-10-08 微软技术许可有限责任公司 The detection based on IPFIX to the amplification attack on database
CN114844656A (en) * 2021-01-14 2022-08-02 腾讯科技(深圳)有限公司 Network access method, apparatus, system, device and storage medium
CN112968915A (en) * 2021-05-18 2021-06-15 卓尔智联(武汉)研究院有限公司 Processing method, processing system and processing device for DNS (Domain name Server) attack
CN114124442A (en) * 2021-09-30 2022-03-01 天翼数字生活科技有限公司 Method and system for defending DDOS attack
CN114124442B (en) * 2021-09-30 2024-03-26 天翼数字生活科技有限公司 Method and system for defending DDOS attack

Also Published As

Publication number Publication date
WO2014048746A1 (en) 2014-04-03

Similar Documents

Publication Publication Date Title
CN103685213A (en) Device, system and method for reducing attacks on DNS
EP2521330B1 (en) DNSSEC signing server
US9985927B2 (en) Managing content delivery network service providers by a content broker
KR101850351B1 (en) Method for Inquiring IoC Information by Use of P2P Protocol
US9525659B1 (en) Request routing utilizing point of presence load information
EP3113460B1 (en) Enhanced inter-network monitoring and adaptive management of dns traffic
US10218733B1 (en) System and method for detecting a malicious activity in a computing environment
WO2017054526A1 (en) Arp entry generation method and device
JP2017534198A (en) Apparatus and method for identifying tunneling, outflow and intrusion of domain name system
US10171446B1 (en) Method and apparatus for limiting traffic rate to an origin server
CN109067936B (en) Method and device for domain name resolution
US11658995B1 (en) Methods for dynamically mitigating network attacks and devices thereof
WO2021120355A1 (en) Domain name parsing method, authoritative domain name server and local domain name server
US11647008B2 (en) Generating a negative answer to a domain name system query that indicates resource records as existing for the domain name regardless of whether those resource records actually exist
US10021176B2 (en) Method and server for managing traffic-overload on a server
CN103685168A (en) Query request service method for DNS (Domain Name System) recursive server
US10462180B1 (en) System and method for mitigating phishing attacks against a secured computing device
JP6249015B2 (en) Receiving device, receiving device control method, receiving device control program, network system, network system control method, and network system control program
CN114301872B (en) Domain name based access method and device, electronic equipment and storage medium
JP6690959B2 (en) Device and method for reforming TCP handshake
KR101645222B1 (en) Advanced domain name system and management method
CN107231339B (en) Method and device for detecting DDoS attack
EP2432163B1 (en) Method for processing messages and network device
CN110875894B (en) Communication safety protection system and method and message cache node
HK40025333A (en) Communication security protection system and method and message cache node

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140326