Defense method, device and system for DNS (Domain Name System) services

A DNS service and recursive-server technology, applied in the field of DNS services, that addresses problems such as server crashes, heavy resource consumption and the lack of an effective defense, reducing the forwarding of attack messages and thereby realizing a defense of the DNS server.

Active Publication Date: 2013-06-12
BEIJING LEADSEC TECH

AI Technical Summary

Problems solved by technology

A large number of random domain names are generated, exhausting the resources of the recursive resolver, so that normal domain name requests cannot be recursively resolved
[0019] The second type: amplification attack
Detecting this type of attack is relatively easy, but the traffic is often difficult to control once it has been aggregated, and even analysing it requires substantial resources. The difficulty of defending against this type of attack lies in how to rate-limit it and trace the source of the attack, not in how to detect it.
[0021] The third category: springboard attack
[0024] To sum up, DDoS attacks cause DNS server paralysis, crashes and similar results, seriously affecting users' normal use of the network.
[0025] In the prior art, methods for DNS attack defense include DNS redirection, recursive query that does not support out-of-domain resolution requests, limiting the number of domain name resolution requests per second, counting the frequency of domain name resolution, etc., but these methods can only defend against DDoS attacks aimed at DNS recursive servers.
As for the methods of detecting message length, counting the number of queries for the same request, and establishing a traffic model, their disadvantage is that they can only defend against amplification attacks that use the DNS server as a springboard against systems outside the DNS, and cannot effectively defend against the third type of springboard attack described above.


Embodiment Construction

[0074] In order to make the above objects, features and advantages of the present invention more comprehensible, specific implementations of the present invention will be described in detail below in conjunction with the accompanying drawings.

[0075] Referring to Figure 3, which is a flow chart of Embodiment 1 of a DNS service defense method provided by the present invention.

[0076] S301: Forward the DNS data query request message normally.

[0077] S302: Monitor the flow of DNS data query request packets at the egress of the DNS recursive server network per unit time.

[0078] For example, 100 DNS data query request messages per unit time are detected at the network egress of the current DNS recursive server.

[0079] S303: Determine whether the traffic of the DNS data query request message exceeds a predetermined security access traffic threshold. If yes, execute S303; if no, execute S301 for all the monitored DNS data query request messages.

[00...


Abstract

The invention provides a defense method, a defense device and a defense system for DNS (Domain Name System) services. The method comprises: monitoring a DNS data query request message flux of a DNS recursive server network gateway within unit time; judging whether the DNS data query request message flux exceeds a predetermined safety access flux threshold value or not; obtaining a proportional value between the quantity of DNS data query request messages containing top-level domain addresses and the DNS data query request message flux; in the case of judging the proportional value to exceed the predetermined value, recording the top-level domain addresses as attacked addresses; transmitting the DNS data query request messages of which the domain addresses are not the attacked addresses; judging whether second-level domain addresses of the DNS data query request messages corresponding to the attacked addresses exist in a normal domain name list or not; and performing defense processing on the DNS data query request messages of which the second-level domain name addresses do not exist in the normal domain name list. The transmission of attack messages can be effectively decreased, so that the defense of a DNS server is realized; and meanwhile, the normal DNS data query request is not affected.
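The pipeline described in the abstract and in steps S301 to S303 of Embodiment 1 (traffic threshold, per-TLD proportion, second-level-domain whitelist) as an added Python example; it is not part of the patent, and the threshold values, the whitelist and the sample query names are constructed assumptions.

```python
from collections import Counter

# Constructed sample: query names seen at the recursive server's network egress
# in one unit of time, i.e. normal traffic mixed with a random-subdomain flood.
SAMPLE_QUERIES = (
    ["www.example.com", "mail.example.com", "www.example.org", "cdn.example.net"]
    + [f"x{i:04d}.victim.com" for i in range(20)]   # constructed flood names
)
NORMAL_DOMAINS = {"example.com", "example.org", "example.net"}  # assumed whitelist


def split_name(qname):
    """Return (second_level_domain, top_level_domain) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[-1], labels[-1]
    return ".".join(labels[-2:]), labels[-1]


def defend(queries, traffic_threshold, ratio_threshold, normal_domains):
    """Return (forwarded, dropped, attacked_tlds) for one unit-time window.

    Both thresholds are assumed tuning values; the patent fixes neither.
    """
    total = len(queries)
    # S302/S303: traffic at or below the safe-access threshold is forwarded as-is.
    if total <= traffic_threshold:
        return list(queries), [], set()
    # Proportion of requests per TLD; a TLD above the ratio is recorded as attacked.
    tld_counts = Counter(split_name(q)[1] for q in queries)
    attacked = {tld for tld, n in tld_counts.items() if n / total > ratio_threshold}
    forwarded, dropped = [], []
    for q in queries:
        sld, tld = split_name(q)
        if tld not in attacked or sld in normal_domains:
            forwarded.append(q)   # not under attack, or a known-good second-level domain
        else:
            dropped.append(q)     # defense processing: the request is not forwarded
    return forwarded, dropped, attacked


if __name__ == "__main__":
    fwd, drp, atk = defend(SAMPLE_QUERIES, 10, 0.5, NORMAL_DOMAINS)
    print(f"attacked TLDs={sorted(atk)} forwarded={len(fwd)} dropped={len(drp)}")
```

Whitelisted second-level domains under the attacked TLD still pass, which is what keeps normal resolution unaffected while the random-subdomain flood is dropped.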

Description

Technical field

[0001] The invention relates to the field of DNS services, in particular to a defense method, device and system for DNS services.

Background

[0002] With the continuous advance of science and technology, the Internet has surpassed traditional media and become an important part of people's daily work and life. However, with the rapid development of the Internet, network viruses, malicious programs and hacker tools have also appeared in large numbers, so Internet security has received more and more attention.

[0003] Among Internet security issues, preventing malicious attacks on servers in the network is one of the most important.

[0004] The following is an introduction to common DNS services on the Internet and common attacks against DNS services.

[0005] DNS (Domain Name System or Domain Name Service) is composed of a resolv...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/12
Inventor: 李晗
Owner: BEIJING LEADSEC TECH