A cache optimization method and system for resisting persistent domain name prefix attack

Abstract

The invention relates to a caching optimization method and system for resisting attacks of continuously changing domain name prefixes. The method includes: every set period of time, caching domain name server statistics records of non-existing domain names, and starting automatic aggregation of domain names when the records of non-existing domain names exceed a set threshold; The exact match of the domain name is divided into multiple aggregation categories. If the number of elements in the aggregation category exceeds the set threshold, all the domain names in the aggregation category will be aggregated into an aggregate domain name prefixed with *; for a new domain name query request, if the caching domain name server If there is no corresponding specific record in , it will be matched with the aggregated domain name. If the match is successful, a response that the domain name does not exist will be returned. Otherwise, the domain name query will be made to the authorized domain name server. The method of the invention has the advantages of strong cache stability, high real-time performance, saving cache space and the like.

Description

technical field [0001] The invention belongs to the technical field of network protection, and in particular relates to a caching optimization method and system for caching domain name servers to resist attacks of continuously changing domain name prefixes. Background technique [0002] A domain name is the name of a computer or computer group on the Internet consisting of a string of dot-separated names, used to identify the electronic location of the computer during data transmission (sometimes also refers to geographical location, geographical domain name, refers to A local area of ​​​​administrative autonomy), is the "mask" of the IP address. Domain names can be divided into multiple levels, and the part to the right of the last "." is called the top-level domain name, such as .com, .net, .org, etc. The part to the left of the last "." is called the second-level domain name, such as abc.com, trueland.net, etc. The left part of the second-level domain name is called the...

AI Technical Summary

Problems solved by technology

If the total number of times or the change frequency of the destination IP exceeds the set threshold, it is considered that a domain name prefix change attack has occurred, and the strategy of discarding packets or sending false response packets is adopted. The disadvantages are: (1) High overhead: a bypass traffic analysis system needs to be established in real time Capture and store domain name query data packets, statistically analyze the number of destination IPs of all data packets, the calculation overhead and storage overhead are large

(2) Poor stability: The threshold setting of the total number of times or change frequency of the target IP is not unique, and has certain variability, which has a greater impact on the overall

At the same time, there is also the possibility of forging data packets, which will interfere with the method of analyzing the destination IP, resulting in poor stability

[0013] These two types of defense strategies do not directly optimize the caching domain name server itself, but notify the caching domain name server to take specific measures to deal with the attack after analyzing it through an external auxiliary device

Images