Network attack filtering method and device

Abstract

The invention provides a network attack filtering method which is applied to a safety device and used for providing a service for filtering network attacks to a domain name server (DNS). The method comprises the following steps: A. judging whether the first sending is conducted when a DNS request message of a user is received, if no, transferring to a step B to process; or, abandoning the message and storing the DNS conversation information and an user behavioral parameter in a DNS conversation table; B. obtaining a user behavioral parameter corresponding to the conversation information brought by a current DNS request message from the DNS conversation table, judging whether the difference between the user behavioral parameter brought by the current message and the user behavioral parameter recorded in the DNS conversation table is in accordance with the standard of normal user behavior; if so, judging the message to be legal; and otherwise, abandoning the message. According to the behavioral characteristics of a user protocol stack, the attack to the DNS server is effectively filtered.

Description

technical field [0001] The invention relates to a network security technology, in particular to a network attack filtering method and device applied to a security device to protect a DNS server. Background technique [0002] People's work and life are benefiting from the continuous advancement of network technology. However, with the rapid expansion of the network scale, network security issues have become increasingly serious. Various attacks on the network emerge in an endless stream, and DoS (Denial of Service) attack is one of the most typical network attacks. Since DDoS (distributed denial of service) attacks first appeared in 2000, DDoS attacks have occurred every day, and they have become more and more serious. Many individual users and various corporate networks are subject to DDoS attacks. DDos attacks can cause network congestion, servers or other hosts to stop processing user requests, corporate websites go down, corporate networks don't work, and more. These p...

AI Technical Summary

Problems solved by technology

[0007] Mechanism A needs to monitor the number of DNS request packets of each user, that is, it needs to maintain the statistics of the number of request packets of each user, and the difficulty of maintenance increases exponentially when faced with tens of thousands of users

Moreover, a malicious attacker may pretend to be a normal user and send a large number of fake DNS request packets. At this time, the speed limit mechanism may cause the normal user to be unable to use the network normally.

Moreover, if malicious attackers adopt distributed and discrete attack methods, mechanism A cannot distinguish between normal access and malicious access, and can only limit the overall speed through mechanism B. However, the speed limit means of mechanism B will also cause normal access users to be restricted. speed impact

[0008] In addition, no matter whether it is mechanism A or mechanism B, there is the problem that the detection may not be timely. When the attack presents a burst and a large number of characteristics, although it can be detected by the security device, due to the possible lag in detection, a large amount of malicious attack traffic The DNS server may be accessed by bypassing the security device during this period of detection lag, and the DNS server may also be paralyzed due to a large amount of sudden attack traffic in an instant, and the protection of the security device is meaningless

Images