CN102404334A - Method and device for preventing denial of service attack - Google Patents
- Publication number: CN102404334A (application CN201110404381A)
- Authority: CN (China)
- Prior art keywords: local, firewall, dns, address, cookie
- Legal status: Pending (the status is Google's assumption, not a legal conclusion; no legal analysis has been performed)
Classification
- Computer And Data Communications
- Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a method and a device for preventing denial-of-service attacks. The method comprises the following steps: a firewall receives a DNS request packet sent by a local PC; the firewall returns a response message to the local PC; the firewall judges whether the local PC responds to that message, and if it does, the verification passes; the firewall then sends the verified DNS request packet to the DNS server. The invention addresses the problem that a DNS server under DoS/DDoS attack suffers network congestion or resource exhaustion, so that service is denied and legitimate users cannot access the server normally.
Description
Technical field
The present invention relates to the communications field, and in particular to a denial-of-service attack protection method and device.
Background technology
DoS (Denial of Service) is denial of service: any behaviour that prevents legitimate users from normally accessing a network service is a denial-of-service attack. DDoS (Distributed Denial of Service) is distributed denial of service: a large number of "zombie hosts" send the victim host a large volume of seemingly legitimate packets, causing network congestion or server resource exhaustion and thus denial of service. Once a distributed attack is launched, the attacking network pours into the victim host like a flood and drowns the packets of legitimate users, who can no longer access the server normally. Denial-of-service attacks are therefore also known as "flood attacks".
UDP Flood is an increasingly rampant volumetric DoS/DDoS attack whose principle is very simple: a large number of small UDP packets is used to hammer a DNS server, a RADIUS authentication server or a streaming-media server. Because UDP is a connectionless protocol, the attacker can send packets from a large number of forged IP addresses.
A UDP DNS Query Flood sends a large number of name-resolution requests to the attacked server, usually for randomly generated names or names that do not exist anywhere on the Internet. On receiving a resolution request the attacked DNS server first looks for a matching cache entry; if nothing is found and the server cannot resolve the name directly, it queries its upstream DNS servers recursively. This resolution process places a heavy load on the server, and once the number of requests per second exceeds a certain level the server's resolution times out.
According to statistics the description attributes to Microsoft, the upper limit of DNS queries a DNS server can sustain is 9000 requests per second. Meanwhile a Pentium III-class PC can easily construct tens of thousands of resolution requests per second, enough to paralyse a DNS server with high-end hardware. This shows how fragile DNS servers are.
To address the problem that a DoS/DDoS attack on a DNS server causes network congestion or resource exhaustion, denies service and prevents legitimate users from accessing the server, the related art provides a rate-limiting function in the protection device, based on access frequency, that limits the volume of access to the server. Concretely it is a threshold on access frequency: once the access frequency reaches the user-configured threshold, subsequent packets are discarded.
Its schematic is Fig. 1: DNS request packets reach the DNS server through the firewall, where the dotted line represents total traffic and the solid line normal, non-attack traffic. If the user sets a threshold of N requests per second, then once the DNS requests passing through the firewall reach N per second, the firewall discards every DNS request above the threshold. The firewall cannot tell whether the traffic beyond N requests per second is DDoS attack traffic; all DNS requests above the threshold are discarded alike.
The shortcoming of this related art is that it cannot recognise forged IP addresses and identifies attack traffic inaccurately: a large amount of attack traffic still flows to the server while a large amount of normal traffic is discarded at the same time.
The related art also provides another solution: ensuring normal service by adding bandwidth and redundant DNS server equipment. This second approach greatly increases operating cost, and as the number of compromised hosts (bots) used by the attacker grows, ever more redundant equipment is needed to keep providing service.
Thus no effective solution has yet been proposed in the related art for the problem that a DoS/DDoS attack on a DNS server causes network congestion or resource exhaustion, denies service and prevents legitimate users from accessing the server normally.
Summary of the invention
In view of the problem that a DoS/DDoS attack on a DNS server causes network congestion or resource exhaustion, denies service and prevents legitimate users from accessing the server normally, the invention provides a denial-of-service attack protection method and device to solve at least the above problem.
According to one aspect of the invention, a denial-of-service attack protection method is provided, comprising: a firewall receives a DNS request packet sent by a local PC; the firewall returns a response message to the local PC; the firewall judges whether the local PC responds to the response message, and if it does, the verification passes; the firewall sends the verified DNS request packet to the DNS server.
Preferably, the response message comprises a COOKIE constructed by the firewall, where the COOKIE is the domain name to which the DNS redirect response points.
Preferably, judging whether the local PC responds to the response message comprises: the firewall receives query information sent by the local PC, the query information requesting the address of the COOKIE; the firewall returns the address of the COOKIE to the local PC; when the firewall receives the DNS request packet that the local PC sends to the address of the COOKIE, it confirms that the security verification of the DNS request packet sent by the local PC has passed.
Preferably, the address of the COOKIE is the address of the DNS server or the address of the firewall.
Preferably, after the firewall judges that the local PC has passed verification, the method further comprises: when the firewall continues to receive DNS request packets that the local PC sends to the address of the COOKIE, it forwards them transparently to the DNS server.
Preferably, sending the verified DNS request packet to the DNS server comprises: the firewall rewrites the destination address of the DNS request packet that the local PC sent to the address of the COOKIE to the address of the DNS server, and sends the modified DNS request packet to the DNS server.
Preferably, after the firewall sends the modified DNS request packet to the DNS server, the method further comprises: the firewall receives the response message returned by the DNS server, rewrites the source IP address of the response message to the address of the firewall, and sends the modified response message to the local PC.
According to another aspect of the invention, a denial-of-service attack protection device arranged in a firewall is provided, comprising: a receiver module for receiving the DNS request packet sent by the local PC; a responder module for returning a response message to the local PC; an authentication module for judging whether the local PC responds to the response message, verification passing if it does; and a sending module for sending the verified DNS request packet to the DNS server.
Preferably, the authentication module comprises: a receiving unit for receiving the query information sent by the local PC, the query information requesting the address of the COOKIE, where the COOKIE is the domain name to which the DNS redirect response points; an address sending unit for returning the address of the COOKIE to the local PC; and a confirmation unit for confirming, when the DNS request packet that the local PC sends to the address of the COOKIE is received, that the security verification of that packet has passed.
Preferably, the receiver module is further used to continue receiving the DNS request packets that the local PC sends to the address of the COOKIE, and the sending module is further used to forward those DNS request packets transparently to the DNS server.
In the embodiments of the invention, the firewall receives the DNS request packet sent by the local PC, returns a response message to the local PC, and then judges whether the local PC responds to the response message; if it does, verification passes, and the firewall sends the verified DNS request packet to the DNS server. In other words, the connectionless DNS request is turned into a connection-oriented exchange: an extra interaction is added between request and answer, the firewall judges whether the local PC responds, and only DNS request packets from a local PC that does respond pass verification. A local PC that does not respond is treated as attack traffic. Because of this interaction, DNS requests from forged source addresses are filtered out directly, and the client verification performed within the request/answer exchange filters out the packets sent by automated attack tools. Even if future attack tools add full protocol handling, the protection method of the embodiments greatly reduces their attack rate and makes it hard for them to achieve the attack's aim.
Description of drawings
The accompanying drawings provide further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a network architecture diagram of the first solution of the related art;
Fig. 2 is a flow chart of the denial-of-service attack protection method according to an embodiment of the invention;
Fig. 3 is a flow chart of embodiment one of the invention;
Fig. 4 is a flow chart of embodiment two of the invention;
Fig. 5 is a schematic of the firewall deployment network and request-packet forwarding according to embodiment three of the invention;
Fig. 6 is a structural schematic of the denial-of-service attack protection device according to an embodiment of the invention;
Fig. 7 is a structural schematic of the authentication module according to an embodiment of the invention.
Embodiment
The invention is described in detail below with reference to the drawings and in combination with the embodiments. Where there is no conflict, the embodiments of the application and the features in them may be combined with each other.
As mentioned in the related art, DoS mainly sends the victim host a large volume of seemingly legitimate packets from a large number of "zombie hosts", causing network congestion or server resource exhaustion and thus denial of service; once a distributed attack is launched, the attacking network pours into the victim host like a flood, drowning the packets of legitimate users so that they cannot access the server normally.
Generally, DNS messages of up to 512 bytes are carried over UDP; only messages larger than 512 bytes use TCP (in practice a large response is truncated over UDP and the client retries it over TCP). Attackers exploit the properties of UDP itself to carry out DoS/DDoS attacks. UDP is connectionless, and so is the DNS request: a normal DNS request is a single question-and-answer exchange in which the client sends a Query packet to the server and the server replies with a Response packet.
The embodiments of the invention therefore address the DDoS attacks that attackers launch against DNS servers with compromised hosts by exploiting the connectionless nature of UDP when DNS requests are carried over UDP. The defining characteristic of an automated DDoS tool is that it must send a large amount of data. Taking a DNS query flood tool as an example: to send attack packets at high frequency, the UDP data an automated DDoS tool sends is always sent on a fire-and-forget basis, that is, the tool is only responsible for sending packets and does not process response packets at all.
To solve the above technical problem, the embodiments of the invention provide a denial-of-service attack protection method whose flow is shown in Fig. 2 and comprises:
Step S202: the firewall receives the DNS request packet sent by the local PC;
Step S204: the firewall returns a response message to the local PC;
Step S206: the firewall judges whether the local PC responds to the response message, and if it does, verification passes;
Step S208: the firewall sends the verified DNS request packet to the DNS server.
In the embodiments of the invention the response message comprises a COOKIE constructed by the firewall, where the COOKIE is the domain name to which the DNS redirect response points. "COOKIE" here is only a label and other names may be used. The firewall then judges whether the local PC responds to the response message as follows:
Step A: the firewall receives the query information sent by the local PC, the query information requesting the address of the COOKIE;
Step B: the firewall returns the address of the COOKIE to the local PC;
Step C: when the firewall receives the DNS request packet that the local PC sends to the address of the COOKIE, it confirms that the security verification of the DNS request packet sent by the local PC has passed.
In step B, the address of the COOKIE returned by the firewall is the address of the DNS server or the address of the firewall.
In a preferred embodiment, after the firewall has judged that the local PC passed verification, any further DNS request packets the local PC sends to the address of the COOKIE are forwarded transparently to the DNS server.
In another preferred embodiment, when the firewall sends the verified DNS request packet to the DNS server, it may rewrite the destination address of the DNS request packet that the local PC sent to the address of the COOKIE to the address of the DNS server, and send the modified DNS request packet to the DNS server. Correspondingly, the firewall receives the response message returned by the DNS server, rewrites the source IP address of the response message to the address of the firewall, and sends the modified response message to the local PC. That is, in this embodiment the firewall achieves protection by rewriting addresses.
To explain the denial-of-service attack protection method of the embodiments more clearly, several specific embodiments are described below.
Embodiment one
The processing flow of this embodiment is shown in Fig. 3 and comprises steps S302 to S316.
Step S302: the local PC sends a DNS request packet for www.example.com.
Step S304: the firewall, in place of the DNS server, responds with a constructed COOKIE (this name can be constructed arbitrarily).
Step S306: the local PC queries the address of the COOKIE.
Step S308: the firewall returns the address of the COOKIE to the local PC; this address may be the IP address of the DNS server or the address of the firewall.
Step S310: the local PC queries the address corresponding to www.example.com at the IP address that corresponds to the COOKIE.
Step S312: the firewall forwards the verified DNS request to the DNS server.
Step S314: the DNS server returns the resolution result.
Step S316: the firewall forwards the result returned by the DNS server to the local PC.
As shown in Fig. 3, the firewall receives the DNS request packet from the local PC (302). If it is the first request, the packet is not forwarded to the DNS server; instead the firewall constructs a COOKIE, computed with a keyed function: COOKIE = key(source_IP + dns_seq + request_domain), where source_IP is the source IP address, dns_seq is the sequence number (transaction ID) of the DNS request packet and request_domain is the requested domain name. The firewall then impersonates the DNS server and returns a redirect response (304) whose redirect target is the domain name Domain_name = COOKIE + request_domain.
On receiving this response packet the local PC can request the IP address of Domain_name (306). Because Domain_name = COOKIE + request_domain, the firewall can at this point verify the COOKIE value in Domain_name, and if the verification passes it returns the IP address of the DNS server to the local PC (308).
The verification thus passes. The local PC then continues by requesting resolution of request_domain (310) according to the result returned in (308), and since verification already passed in step (306), the firewall forwards the local PC's request to the DNS server (312) on the basis of the verification result of (306).
The DNS server then returns the resolution result to the firewall (314), and the firewall forwards that result to the local PC (316).
The workflow by which the firewall performs its protective function in this embodiment is as follows:
The firewall receives the client's (local PC's) DNS request packet and looks it up in the connection table; for an initial request no session exists yet.
If it is an initial request, the firewall computes the COOKIE value from the requested domain name, the source IP address and the sequence number of the DNS request packet, builds the redirect domain name Domain_name, and records the current state in the connection table.
It returns the constructed Domain_name to the client and advances the connection-table state.
If, in the current state, it receives a request packet for Domain_name as in (306) of Fig. 3, it verifies the COOKIE value in Domain_name.
If the verification passes, it returns the IP address of Domain_name and advances the connection-table state.
If, in the current state, it receives the real DNS request packet of (310) in Fig. 3, this proves that the current request is normal; the firewall forwards the request to the DNS server and advances the connection-table state.
If it receives the response packet from the DNS server of (314) in Fig. 3, it forwards it to the client, and the whole process ends.
If a connection-table entry is found, the request is not an initial request, and the packet is verified according to the current connection-table state. Only the two cases (306) and (310) of Fig. 3 are normal: for a (306) packet, step S306 is executed; for a (310) packet, step S310 is executed.
Embodiment two
Building on embodiment one, the firewall can also be configured to perform its protective function in proxy mode. The specific flow is shown in Fig. 4 and comprises steps S402 to S420.
Step S402: the local PC sends a DNS request packet for www.example.com.
Step S404: the firewall, in place of the DNS server, responds with a name servername (this name can be constructed arbitrarily) into which the constructed COOKIE is embedded.
Step S406: the local PC queries the address of servername.
Step S408: the firewall returns its own IP address to the local PC.
Step S410: the local PC requests name resolution from the firewall.
Step S412: the firewall verifies the request and rewrites its destination IP to the IP address of the DNS server.
Step S414: the firewall forwards the modified DNS request to the DNS server.
Step S416: the DNS server returns the result to the firewall.
Step S418: the firewall changes the source IP address of the result returned by the DNS server to its own IP address.
Step S420: the firewall forwards the modified result to the local PC.
As shown in Fig. 4, the firewall receives the DNS request packet from the local PC (402). If it is the first request, the packet is not forwarded to the DNS server; instead the firewall constructs a COOKIE, COOKIE = key(source_IP + dns_seq + request_domain), and, impersonating the DNS server, returns a redirect response (404) whose redirect target is the domain name Domain_name = COOKIE + servername (servername can be constructed arbitrarily).
On receiving this response packet the local PC can request the IP address of Domain_name (406). Because Domain_name = COOKIE + servername, the firewall can at this point verify the COOKIE value in Domain_name, and if the verification passes it returns the IP address of the firewall to the local PC (408).
At this point one verification process is complete. The local PC then continues by requesting resolution of request_domain (410) according to the result returned in (408). Since verification already passed in step (406), the firewall, on the basis of the verification result of (406), rewrites the destination IP address of this request packet to the IP address of the DNS server (412) and forwards the modified request to the DNS server (414). The DNS server then returns the resolution result to the firewall (416); the firewall rewrites the source IP address of the response packet to its own IP address (418) and finally forwards the result to the local PC (420).
The workflow by which the firewall performs its protective function in this embodiment is as follows:
1. The firewall receives the client's (local PC's) DNS request packet and looks it up in the connection table; for an initial request no session exists yet.
2. If it is an initial request, the firewall computes the COOKIE value from the requested domain name, the source IP address and the sequence number of the DNS request packet, builds the redirect domain name Domain_name, and records the current state in the connection table.
3. It returns the constructed Domain_name to the client and advances the connection-table state.
4. If, in the current state, it receives a request packet for Domain_name as in (406) of Fig. 4, it verifies the COOKIE value in Domain_name.
5. If the verification passes, it returns the IP address of Domain_name (this IP address is the address of the firewall itself) and advances the connection-table state.
6. If, in the current state, it receives the real DNS request packet of (410) in Fig. 4, this proves that the current request is normal; the firewall rewrites the destination IP address of the request packet to the IP address of the DNS server, forwards the request to the DNS server, and advances the connection-table state.
7. If it receives the response packet from the DNS server of (416) in Fig. 4, it rewrites the packet's source IP address to the IP address of the firewall itself, forwards it to the client, and the whole process ends.
8. If a connection-table entry is found, the request is not an initial request, and the packet is verified according to the current connection-table state. Only the two cases (406) and (410) of Fig. 4 are normal: for a (406) packet, step S406 is executed; for a (410) packet, step S410 is executed.
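The exchange of Fig. 2 and the two firewall workflows of embodiment one (Fig. 3, transparent forwarding) and embodiment two (Fig. 4, proxy mode with address rewriting) can be simulated end to end. The following is an added example written for this page, not code from the patent: it models the firewall's connection-table state machine, a well-behaved stub resolver that follows the redirect, a fire-and-forget query flood from spoofed sources, and an attacker that does answer the redirect but has to guess the cookie label. All addresses, the zone data, the servername value and the secret key are constructed for the example, and the keyed function key(...) of the description, which the text does not specify, is realised here as a truncated HMAC-SHA256.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

FIREWALL_IP = "192.0.2.1"       # assumed firewall address (constructed)
DNS_SERVER_IP = "192.0.2.53"    # assumed address of the protected DNS server (constructed)
SERVERNAME = "guard.example"    # arbitrary servername for proxy mode (Fig. 4)
KEY = b"per-firewall secret"    # key for the cookie function; must stay secret
ZONE = {"www.example.com": "203.0.113.10"}   # stand-in authoritative data (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    seq: int             # DNS transaction ID, the dns_seq of the description
    name: str
    kind: str = "query"  # query | redirect | address | answer | nxdomain
    data: str = ""


def cookie(source_ip: str, dns_seq: int, request_domain: str) -> str:
    """COOKIE = key(source_IP + dns_seq + request_domain); assumed: truncated HMAC-SHA256."""
    msg = f"{source_ip}|{dns_seq}|{request_domain}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16]


class Firewall:
    def __init__(self, mode: str):
        self.mode = mode        # "transparent" (Fig. 3) or "proxy" (Fig. 4)
        self.table = {}         # connection table: source IP -> state record
        self.forwarded = []     # queries that actually reached the DNS server

    def challenge_name(self, src: str, seq: int, domain: str) -> str:
        # Domain_name = COOKIE + request_domain (Fig. 3) or COOKIE + servername (Fig. 4)
        suffix = domain if self.mode == "transparent" else SERVERNAME
        return f"{cookie(src, seq, domain)}.{suffix}"

    def _dns_server(self, q: Packet) -> Packet:
        # stand-in for the protected DNS server; records what got through
        self.forwarded.append(q)
        ip = ZONE.get(q.name)
        return Packet(DNS_SERVER_IP, q.src, q.seq, q.name, "answer" if ip else "nxdomain", ip or "")

    def handle(self, q: Packet):
        """Process one client packet; return the reply, or None when it is dropped."""
        st = self.table.get(q.src)
        if st is None:
            # initial request (S302/S402): record state, answer with a redirect, do not forward
            self.table[q.src] = {"state": "CHALLENGED", "seq": q.seq, "domain": q.name}
            return Packet(q.dst, q.src, q.seq, q.name, "redirect",
                          self.challenge_name(q.src, q.seq, q.name))
        if st["state"] == "CHALLENGED":
            # only a query for the cookie name is acceptable here (S306/S406)
            expected = self.challenge_name(q.src, st["seq"], st["domain"])
            if not hmac.compare_digest(q.name, expected):
                return None      # wrong name or forged cookie: drop
            st["state"] = "VERIFIED"
            addr = DNS_SERVER_IP if self.mode == "transparent" else FIREWALL_IP
            return Packet(q.dst, q.src, q.seq, q.name, "address", addr)
        # VERIFIED: the real request (S310/S410) is passed to the DNS server
        if self.mode == "proxy":
            q = Packet(q.src, DNS_SERVER_IP, q.seq, q.name)   # S412: rewrite destination
        reply = self._dns_server(q)
        if self.mode == "proxy":
            reply.src = FIREWALL_IP                           # S418: rewrite source
        return reply


def resolve(fw: Firewall, src: str, name: str):
    """Well-behaved stub resolver: follows the redirect, then queries the returned address."""
    rnd = random.Random(src)
    r1 = fw.handle(Packet(src, DNS_SERVER_IP, rnd.randrange(65536), name))
    if r1 is None or r1.kind != "redirect":
        return r1
    r2 = fw.handle(Packet(src, DNS_SERVER_IP, rnd.randrange(65536), r1.data))
    if r2 is None or r2.kind != "address":
        return r2
    return fw.handle(Packet(src, r2.data, rnd.randrange(65536), name))


def query_flood(fw: Firewall, n: int, seed: int = 1) -> int:
    """Fire-and-forget flood from spoofed sources; replies are ignored. Returns forwarded count."""
    rnd = random.Random(seed)
    for _ in range(n):
        src = f"198.51.100.{rnd.randrange(256)}"            # spoofed source (constructed)
        name = f"{rnd.getrandbits(40):x}.example.net"       # random, non-existent name
        fw.handle(Packet(src, DNS_SERVER_IP, rnd.randrange(65536), name))
    return len(fw.forwarded)


def forged_attempt(fw: Firewall, src: str, name: str):
    """Attacker that answers the redirect but cannot compute the cookie label."""
    r1 = fw.handle(Packet(src, DNS_SERVER_IP, 1, name))
    guess = "0" * 16 + r1.data[16:]                         # keep the suffix, wrong label
    r2 = fw.handle(Packet(src, DNS_SERVER_IP, 2, guess))
    r3 = fw.handle(Packet(src, DNS_SERVER_IP, 3, name))     # real query without having passed
    return r2, r3
```

With `fw = Firewall("proxy")`, `resolve(fw, "10.0.0.5", "www.example.com")` returns the answer with its source rewritten to the firewall address, while `query_flood(fw, 2000)` leaves the forwarded count unchanged because no spoofed source ever answers the redirect. Two points the description leaves implicit: the cookie must come from a keyed function whose key stays secret, otherwise anyone who has seen one redirect can mint a valid label for any source and transaction ID; and every initial request, including one from a spoofed source, creates a connection-table entry, so a deployable implementation has to age out CHALLENGED entries quickly or the table itself becomes the resource the flood exhausts.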
Embodiment three
This preferred embodiment gives a concrete application scenario to illustrate the protection method.
A company wants to protect its DNS server with a firewall, and the protection priority is DNS DDoS attacks. The requirements are as follows:
effective protection against UDP-based DNS DDoS attacks;
recording of attacking IP addresses;
recognition of forged attack addresses;
a low false-positive rate;
no change to the existing network setup and topology.
The firewall deployment network and request-packet forwarding in this example are shown in Fig. 5, where the solid line represents attack traffic from real IP addresses, the widely spaced dashed line represents attack traffic from forged source IPs, and the dotted line represents normal traffic. The figure shows that neither the solid line nor the widely spaced dashed line reaches the DNS server; only the dotted line passes through the firewall to the DNS server on the other side. The firewall thus performs its protective function, intercepting all attack traffic from real IP addresses and from forged source IPs alike.
From an economic and practical standpoint, a DNS server is network-service infrastructure: whether it belongs to an enterprise or a government, it carries the basic services of the network, and if it is brought down by a DDoS attack the enterprise or government suffers enormous economic, business and reputational loss. The related-art approach of resisting DDoS with large numbers of redundant and load-balancing devices puts economic pressure on the operator, raises costs, and wastes a great deal of resources.
The denial-of-service attack protection method of the embodiments, by contrast, can protect enterprises, governments and operators, preserving server availability to the greatest extent and thereby reducing the losses of all parties.
Based on the same inventive concept, the embodiments of the invention also provide a denial-of-service attack protection device arranged in the firewall. Its structure is shown in Fig. 6 and comprises: a receiver module 601 for receiving the DNS request packet sent by the local PC; a responder module for returning a response message to the local PC; an authentication module 603 for judging whether the local PC responds to the response message, verification passing if it does; and
a sending module 604, coupled to the authentication module 603, for sending the verified DNS request packet to the DNS server.
In a preferred embodiment, as shown in Fig. 7, the authentication module 603 may comprise:
a receiving unit 701 for receiving the query information sent by the local PC, the query information requesting the address of the COOKIE, where the COOKIE is the domain name to which the DNS redirect response points;
an address sending unit 702 for returning the address of the COOKIE to the local PC; and a confirmation unit for confirming, when the DNS request packet that the local PC sends to the address of the COOKIE is received, that the security verification of that packet has passed.
In a preferred embodiment, the receiver module 601 may further be used to continue receiving the DNS request packets that the local PC sends to the address of the COOKIE, and the sending module 604 may further be used to forward those DNS request packets transparently to the DNS server.
From above description, can find out that the present invention has realized following technique effect:
In the embodiment of the present invention, the Firewall receives the DNS request packet sent by the Local PC and returns a response message to the Local PC; the Firewall then judges whether the Local PC feeds back the response message, and if it does, verification passes and the Firewall sends the verified DNS request packet to the DNS server. That is, the embodiment turns the connectionless behaviour of a DNS request into a connection-like one: an additional interaction is inserted between request and answer, the Firewall judges whether the Local PC feeds back the response message, and only DNS request packets from a Local PC that feeds back pass verification. If the Local PC does not feed back, its traffic is treated as attack traffic. Because of this interaction, DNS requests sent from forged addresses can be filtered out directly; client validation is completed through the interaction between request and answer, so attack packets sent by automated attack tools can be filtered out. Even if a follow-on attack tool adds full protocol analysis, the denial-of-service attack protection method provided by the embodiment of the present invention can still greatly reduce its attack rate, making it difficult to achieve the purpose of the attack.
Obviously, it will be apparent to those skilled in the art that the modules or steps of the present invention described above can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be performed in an order different from that given here; or they can be made into individual integrated circuit modules, or a plurality of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The above is merely the preferred embodiment of the present invention and is not intended to limit it; for a person skilled in the art, the present invention can have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. A denial-of-service attack protection method, characterized in that it comprises:
a firewall (Firewall) receiving a domain name server (DNS) request packet sent by a personal computer (Local PC);
said Firewall returning a response message to said Local PC;
said Firewall judging whether said Local PC feeds back said response message, and if it does, verification passes;
said Firewall sending the DNS request packet that passed verification to said DNS server.
2. The method according to claim 1, characterized in that said response message comprises a cache COOKIE constructed by said Firewall, wherein said COOKIE is the domain name that the DNS referral responds with.
3. The method according to claim 2, characterized in that said Firewall judging whether said Local PC feeds back said response message, and if it does, verification passes, comprises:
said Firewall receiving query information sent by said Local PC, wherein said query information queries the address of said COOKIE;
said Firewall returning the address of said COOKIE to said Local PC;
when said Firewall receives said DNS request packet that said Local PC sends to the address of said COOKIE, confirming that the DNS request packet sent by said Local PC has passed security verification.
4. The method according to claim 3, characterized in that the address of said COOKIE is the address of the DNS server or the address of said Firewall.
5. The method according to claim 3 or 4, characterized in that, after said Firewall judges that said Local PC has passed verification, it further comprises:
when said Firewall continues to receive said DNS request packets that said Local PC sends to the address of said COOKIE, passing them transparently to said DNS server directly.
6. The method according to claim 2, characterized in that said Firewall sending the DNS request packet that passed verification to said DNS server comprises:
said Firewall modifying the destination address of said DNS request packet, which said Local PC sent to the address of said COOKIE, to the address of said DNS server, and sending the modified DNS request packet to said DNS server.
7. The method according to claim 6, characterized in that, after said Firewall sends the modified DNS request packet to said DNS server, it further comprises:
said Firewall receiving the response message returned by said DNS server, modifying the source IP address of said response message to the address of said Firewall, and sending the modified response message to said Local PC.
8. A denial-of-service attack protection device, characterized in that it is arranged in a firewall (Firewall) and comprises:
a receiver module, for receiving a domain name server (DNS) request packet sent by a personal computer (Local PC);
a responder module, for returning a response message to said Local PC;
an authentication module, for judging whether said Local PC feeds back said response message, and if it does, verification passes;
a sending module, for sending the DNS request packet that passed verification to said DNS server.
9. The device according to claim 8, characterized in that said authentication module comprises:
a receiving unit, for receiving query information sent by said Local PC, wherein said query information queries the address of the COOKIE, and said COOKIE is the domain name that the DNS referral responds with;
an address transmitting unit, for returning the address of said COOKIE to said Local PC;
a confirming unit, for confirming, upon receiving said DNS request packet that said Local PC sends to the address of said COOKIE, that the DNS request packet sent by said Local PC has passed security verification.
10. The device according to claim 8 or 9, characterized in that said receiver module is further used to continue receiving said DNS request packets that said Local PC sends to the address of said COOKIE;
and said sending module is further used to pass said DNS request packets transparently to said DNS server directly.
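The exchange described in the technical-effects paragraph above and in claims 1 to 7, modelled as an added example that is not the patent's or the applicant's own code: a stateful Firewall challenges each new source with a COOKIE domain, answers the COOKIE lookup with its own address, forwards only a request that comes back to that address, and drops forged-source traffic that never completes the exchange. The addresses, the verify.example zone, the keyed cookie tag, and the class API are constructed assumptions.

```python
import hashlib
import hmac
DNS_SERVER = "10.0.0.53"        # constructed: the protected DNS server
FIREWALL = "10.0.0.1"           # constructed: Firewall address, used as the COOKIE address (claim 4)
COOKIE_ZONE = "verify.example"  # constructed: zone the COOKIE domain names live in
SECRET = b"constructed-secret"  # constructed: keys the COOKIE so a forger cannot guess it

def make_cookie(client_ip: str) -> str:
    # The COOKIE is a domain name bound to the requesting client by a keyed MAC
    tag = hmac.new(SECRET, client_ip.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}.{COOKIE_ZONE}"

class Firewall:
    def __init__(self):
        self.stage = {}      # client ip -> "challenged" | "addressed" | "verified"
        self.forwarded = []  # (client ip, qname, destination) actually sent on

    def handle(self, src_ip: str, qname: str, dst_ip: str):
        stage = self.stage.get(src_ip)
        if stage == "verified":                       # claim 5: pass through transparently
            return self.forward(src_ip, qname)
        if stage == "challenged" and qname == make_cookie(src_ip):
            self.stage[src_ip] = "addressed"          # claim 3: answer the COOKIE lookup
            return ("A", FIREWALL)
        if stage == "addressed" and dst_ip == FIREWALL:
            self.stage[src_ip] = "verified"           # claim 3: request reached the COOKIE address
            return self.forward(src_ip, qname)
        self.stage[src_ip] = "challenged"             # claims 1-2: reply with the COOKIE referral
        return ("CNAME", make_cookie(src_ip))

    def forward(self, src_ip: str, qname: str):
        # claim 6: destination rewritten to the real DNS server before sending
        self.forwarded.append((src_ip, qname, DNS_SERVER))
        return ("FORWARD", DNS_SERVER)

    def relay_answer(self, client_ip: str, answer: str) -> dict:
        # claim 7: the server's reply is re-sourced from the Firewall's address
        return {"src": FIREWALL, "dst": client_ip, "answer": answer}

def honest_client(fw: Firewall, ip: str, qname: str):
    """A real resolver follows the referral and the COOKIE address, so it gets through."""
    _, cookie = fw.handle(ip, qname, DNS_SERVER)      # 1) initial request, gets the COOKIE
    _, addr = fw.handle(ip, cookie, DNS_SERVER)       # 2) asks for the COOKIE's address
    return fw.handle(ip, qname, addr)                 # 3) resends the request to that address

def spoofed_flood(fw: Firewall, count: int, qname: str) -> int:
    """Forged sources never see the reply, so no follow-up arrives; returns forwarded count."""
    for i in range(count):
        fw.handle(f"203.0.113.{i}", qname, DNS_SERVER)  # constructed attack sources
    return len(fw.forwarded)
```

The per-source state is what the description calls turning a connectionless request into a connection-like one; a source that is already verified is trusted until its entry is aged out, which is the limit a deployment would need to size.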
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011104043816A CN102404334A (en) | 2011-12-07 | 2011-12-07 | Method and device for preventing denial of service attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102404334A true CN102404334A (en) | 2012-04-04 |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103391272A (en) * | 2012-05-08 | 2013-11-13 | 深圳市腾讯计算机系统有限公司 | Method and system for detecting false attack sources |
CN103957195A (en) * | 2014-04-04 | 2014-07-30 | 上海聚流软件科技有限公司 | DNS system and defense method and device for DNS attack |
CN104219335A (en) * | 2013-05-30 | 2014-12-17 | 张大顺 | A DNS request processing method, device and system |
CN105610852A (en) * | 2016-01-15 | 2016-05-25 | 腾讯科技(深圳)有限公司 | Method and device for processing ACK (Acknowledgement) flooding attack |
CN106953830A (en) * | 2016-01-06 | 2017-07-14 | 中国移动通信集团福建有限公司 | DNS security means of defence, device and DNS |
CN107454065A (en) * | 2017-07-12 | 2017-12-08 | 北京神州绿盟信息安全科技股份有限公司 | A kind of means of defence and device of UDP Flood attacks |
CN103747005B (en) * | 2014-01-17 | 2018-01-05 | 山石网科通信技术有限公司 | The means of defence and equipment that DNS cache is poisoned |
CN108769284A (en) * | 2018-05-04 | 2018-11-06 | 网宿科技股份有限公司 | A kind of domain name analytic method, server and system |
CN109561172A (en) * | 2019-01-29 | 2019-04-02 | 迈普通信技术股份有限公司 | A kind of DNS transparent proxy method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1578218A (en) * | 2003-06-30 | 2005-02-09 | 微软公司 | Reducing network configuration complexity with transparent virtual private networks |
CN101047697A (en) * | 2006-03-29 | 2007-10-03 | 华为技术有限公司 | Method and equipment for prevent DDOS offence to web server |
CN101282209A (en) * | 2008-05-13 | 2008-10-08 | 杭州华三通信技术有限公司 | Method and apparatus for preventing DNS request message from flooding attack |
JP4284248B2 (en) * | 2004-08-20 | 2009-06-24 | 日本電信電話株式会社 | Application service rejection attack prevention method, system, and program |
CN101764799A (en) * | 2008-12-24 | 2010-06-30 | 丛林网络公司 | Using a server's capability profile to establish a connection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20120404; Assignee: Suzhou Shanshi Network Co., Ltd.; Assignor: Hillstone Networks Communication Technology (Beijing) Co., Ltd.; Contract record no.: 2012990000129; Denomination of invention: Method and device for preventing denial of service attacks; License type: Exclusive License; Record date: 20120326 |
| LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model | |
| C12 | Rejection of a patent application after its publication | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20120404 |