基于DNS应答价值评估的DDoS防御研究

doi:10.3969/j.issn.1671-1122.2019.09.012

信息网络安全 ›› 2019, Vol. 19 ›› Issue (9): 56-60.doi: 10.3969/j.issn.1671-1122.2019.09.012

基于DNS应答价值评估的DDoS防御研究

岳巧丽, 吕万波, 胡卫宏, 张海阔

中国互联网络信息中心,北京 100190

收稿日期:2019-07-15 出版日期:2019-09-10 发布日期:2020-05-11
作者简介:
作者简介：岳巧丽（1985—）,女,河北,硕士,主要研究方向为域名系统;吕万波（1986—）,男,黑龙江,工程师,主要研究方向为域名系统;胡卫宏（1979—）,男,陕西,博士,主要研究方向为网络通信协议与网络信息安全;张海阔（1981—）,男,河北,博士,主要研究方向为域名系统、分布式计算、并行计算。
基金资助:
国家自然科学基金[61303242]

Mitigating DDoS Attack Based on DNS Response Value Assessment

Qiaoli YUE, Wanbo LV, Weihong HU, Haikuo ZHANG

China Internet Network Information Center, Beijing 100190, China

Received:2019-07-15 Online:2019-09-10 Published:2020-05-11

摘要/Abstract

摘要：

针对DDoS攻击的防御策略主要是基于流量特征分析对攻击进行识别,在攻击流量到达目标主机之前进行过滤。然而这种防御策略忽略了攻击流量对于域名服务出口网络的影响。文章提出一种基于层次分析法的DNS应答价值评估方法,通过丢弃攻击流量以及优先处理高价值应答来进行防御,从而提高DNS服务质量。

关键词: DNS应答价值, 放大攻击, DDoS防御

Abstract:

The prevalent defense mechanisms against DDoS focus on detecting and filtering the attack traffic before it can reach the target host based on the traffic patterns. However, this strategy overlooks the impact of attack traffic on the outbound bandwidth of name servers. In this paper, we proposed a method for assessing DNS response value based on analytic hierarchy process. The authoritative servers can be protected by discarding low-value traffic and prioritizing to serve high-value responses, thereby improving the quality of DNS service.

Key words: DNS response value, amplification attack, DDoS defense

中图分类号:

TP309

岳巧丽, 吕万波, 胡卫宏, 张海阔. 基于DNS应答价值评估的DDoS防御研究[J]. 信息网络安全, 2019, 19(9): 56-60.

Qiaoli YUE, Wanbo LV, Weihong HU, Haikuo ZHANG. Mitigating DDoS Attack Based on DNS Response Value Assessment[J]. Netinfo Security, 2019, 19(9): 56-60.

图/表 1

参考文献 17

[1]	YUAN Pengpeng, WANG Changqing.Research on DNS Security Threats and Countermeasures[J]. Information Security and Technology, 2018, 9(5): 50-54.
	苑朋朋,王常青. DNS安全威胁及应对措施研究[J].网络空间安全,2018,9(5):50-54.
[2]	THOMAS D R, CLAYTON R, BERESFORD A R.1000 Days of UDP Amplification DDoS Attacks[C]//IEEE. 2017 APWG Symposium on Electronic Crime Research, April 25-27, 2017, Scottsdale, AZ, USA. New York: IEEE, 2017: 79-84.
[3]	ALIEYAN K, KADHUM M M, ANBAR M, et al.An Overview of DDoS Attacks Based on DNS[C]//IEEE. 7th International Conference on Information and Communication Technology Convergence, October 19-21, 2016, Jeju, South Korea. New York: IEEE, 2016: 276-280.
[4]	ANAGNOSTOPOULOS M, KAMBOURAKIS G, GRITZALIS S, et al.Never Say Never: Authoritative TLD Nameserver-powered DNS Amplification[C]//IEEE. 16th IEEE/IFIP Network Operations and Management Symposium, April 23-27, 2018, Taipei, China. New York: IEEE, 2018: 1-9.
[5]	LI Heng, SHEN Huawei, CHENG Xueqi, et al.Review of Network High Flow Distributed Denial of Service Attack and Defense Mechanisms[J]. Netinfo Security, 2017, 17(5): 37-43.
	李恒,沈华伟,程学旗,等.网络高流量分布式拒绝服务攻击防御机制研究综述[J].信息网络安全,2017,17(5): 37-43.
[6]	VIXIE P. Extension Mechanisms for DNS (EDNS0)[EB/OL]. , 1999-8-1.
[7]	MA Xinlei, CHEN Yonghong.DDoS Detection Method Based on Chaos Analysis of Network Traffic Entropy[J]. IEEE Communications Letters, 2013, 18(1): 114-117.
[8]	LIU C, ALBITZ P.DNS and Bind (5th Edition)[M]. Sebastopol, CA, USA: O’Reilly Media, 2006.
[9]	DONNERHACKE L. DNS Dampening[EB/OL]. , 2012-9-23.
[10]	GUO Fanglu, CHEN Jiawu, CHIUEH T.Spoof Detection for Preventing DoS Attacks against DNS Servers[C]//IEEE. 26th IEEE International Conference on Distributed Computing Systems, July 4-7, 2006, Lisboa, Portugal. New York: IEEE, 2006: 37-37.
[11]	ARENDS R, AUSTEIN R, LARSON M, et al. Protocol Modifications for the DNS Security Extensions[EB/OL]. , 2005-3-1.
[12]	ARENDS R, AUSTEIN R, LARSON M, et al. Resource Records for the DNS Security Extensions[EB/OL]. , 2005-3-1.
[13]	VAN RIJSWIJK-DEIJ R, SPEROTTO A, PRAS A. DNSSEC and its Potential for DDoS Attacks: A Comprehensive Measurement Study[C]//ACM. The 2014 Internet Measurement Conference, November 5-7, 2014, Vancouver, BC, Canada. New York: ACM, 2014: 449-460.
[14]	VAUGHN R, EVRON G. DNS Amplification Attacks (Preliminary Release)[EB/OL]., 2006-3-17.
[15]	LIAN W, RESCORLA E, SHACHAM H, et al.Measuring the Practical Impact of DNSSEC Deployment[C]//USENIX. 22nd USENIX Conference on Security, August 14-16, 2013, Washington, DC. Berkeley, CA, USA: USENIX Association, 2013: 573-588.
[16]	BLACKA D, LAURIE B, SISSON G, et al. DNS Security (DNSSEC) Hashed Authenticated Denial of Existence[EB/OL]. , 2008-3-1.
[17]	SAATY T L.How to Make a Decision: The Analytic Hierarchy Process[J]. European Journal of Operational Research, 1990, 48(1): 9-26.

影响因素	评价分数	解释说明
用户影响X	0,1,2	0：终止类、其他类型 1：指向类;2：确定类
带宽成本Y	Y=100-AF	放大因子（AF）越大分数越低, AF>100时评价分数为0
计算成本Z	0,1	0：需要NSEC3计算 1：不需要NSEC3计算
系统资源W	0,1	0：利用TCP回应 1：利用UDP回应

基于DNS应答价值评估的DDoS防御研究

Mitigating DDoS Attack Based on DNS Response Value Assessment

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 1

参考文献 17

相关文章 1

编辑推荐

Metrics

本文评价