
Security gateway system for resisting DDoS attack for DNS service

A DNS service and DNS server technology, applied in transmission systems, digital transmission systems, data exchange networks, etc., that can solve the problems of normal traffic being blocked by mistake and of failing to meet the security requirements of DNS services.

Active Publication Date: 2009-11-04
ZHONGKE INFORMATION SECURITY COMMON TECH NAT ENG RES CENT CO LTD
0 Cites, 141 Cited by

AI Technical Summary

Problems solved by technology

Existing DDoS defense methods cannot meet the requirements of DNS service protection. One example is a DDoS detection and defense method based on data mining, which mines a large number of data packets, extracts features, and deploys filtering according to the characteristics of the DDoS attack. This method can effectively prevent the server from being paralyzed by attacks, but it has a major problem in practice: some characteristics of normal traffic can easily match the detected attack characteristics, so normal traffic is blocked by mistake. In addition, this method is not based on the characteristics of the DNS service, such as network traffic characteristics and domain name request packet characteristics, and detects and defends only according to the characteristics of the traffic, so it cannot meet the security requirements of the DNS service.


Examples


Embodiment Construction

[0034] The present invention will be further described below with reference to the drawings and embodiments.

[0035] The anti-DDoS security gateway for DNS service provided by the present invention supports two deployment modes, serial mode and bypass mode, shown in Figure 1 and Figure 2 respectively.

[0036] As shown in Figure 1, for a small number of servers or a network with a small egress bandwidth, the present invention provides a serial deployment mode. The anti-DDoS security gateway device is connected in series at the network entrance, where it detects, analyzes and blocks DDoS attacks against DNS services.

[0037] As shown in Figure 2, the present invention provides a bypass deployment mode for IDC, ICP or critical business systems. Generally, the detector is deployed anywhere on the network, and the filter device is deployed in bypass at the lower end of the network entrance. The detector mainly pr...


Abstract

The invention discloses a high-efficiency anti-DDoS security gateway system that can effectively detect and defend against DNS denial-of-service attacks. The system comprises two core components, a detector and a filter, and supports two deployment modes, serial and bypass. The detection method is based on self-learning network flow state statistics and feature mining; it detects and locates abnormal network traffic by setting network performance parameter thresholds, and can effectively identify suspected attack traffic. The defense method follows the principle of defense in depth: the system deploys two defense stages, attack-feature defense and baseline defense, to ensure the system's defensive effect under normal network conditions and its basic defense capability in individual severe attack environments. These methods can effectively improve the security and attack resistance of a DNS server and ensure the normal operation of the DNS service.
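A minimal sketch of the detection and two-stage defense described in the abstract, added here as an example and not taken from the patent. The threshold rule (mean plus three standard deviations), the use of a dominant (qname, qtype) pair as the attack feature, and all sample traffic are assumptions, since the page does not specify them.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: queries per second seen during normal operation.
TRAINING_QPS = [100, 110, 95, 105, 98, 102, 108, 97]

def learn_threshold(samples, k=3.0):
    """Self-learned threshold: mean + k standard deviations (assumed rule)."""
    return mean(samples) + k * pstdev(samples)

def mine_feature(window, min_share=0.5):
    """Return the (qname, qtype) pair that dominates the window, or None."""
    feature, count = Counter(window).most_common(1)[0]
    return feature if count / len(window) >= min_share else None

def filter_window(window, threshold):
    """Filter one second of queries; return (passed_queries, stages_used)."""
    stages = []
    if len(window) <= threshold:
        return window, stages  # within the learned baseline: no filtering
    feature = mine_feature(window)
    if feature is not None:  # stage 1: attack-feature defense
        window = [q for q in window if q != feature]
        stages.append("feature")
    if len(window) > threshold:  # stage 2: baseline defense (plain rate cap)
        window = window[: int(threshold)]
        stages.append("baseline")
    return window, stages

def legit(n):
    """Constructed normal traffic: n distinct (qname, qtype) queries."""
    return [(f"host{i}.example.com", "A") for i in range(n)]

def demo():
    threshold = learn_threshold(TRAINING_QPS)
    flood = legit(100) + [("victim.example.com", "ANY")] * 5000
    random_names = [(f"r{i}.victim.example.com", "A") for i in range(5000)]
    return {
        "normal": filter_window(legit(100), threshold),
        "flood": filter_window(flood, threshold),
        "random": filter_window(random_names, threshold),
    }

if __name__ == "__main__":
    for name, (passed, stages) in demo().items():
        print(name, len(passed), stages)
```

When no single feature dominates the window, only the baseline cap applies, which holds load near the learned rate but cannot tell legitimate queries from attack queries.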

Description

Technical field

[0001] The invention relates to computer network security. Specifically, it relates to a method and device for detecting and defending against distributed denial-of-service (DDoS: Distributed Denial of Service) attacks on the DNS service.

Background technique

[0002] DNS (Domain Name System) is a distributed database system used to manage the mapping between host names and address information. It links names that are easy to remember and understand with hard-to-remember IP addresses. The entire distributed system is organized in a tree structure. There are 13 root server nodes in the world, which are used to resolve top-level domain names such as com, net, cn, etc., and there are sub-DNS servers at various levels to resolve domain names in their respective jurisdictions such as edu, org, etc., forming a tree structure. When a domain name request occurs, the request first arrives at the preferred DNS server. When there is no corresponding domain name cache information locally, the request i...


Application Information

IPC(8): H04L29/06, H04L12/26, H04L12/56, H04L29/12
Inventor: 翟征德, 宗兆伟
Owner: ZHONGKE INFORMATION SECURITY COMMON TECH NAT ENG RES CENT CO LTD