DNS Protocol Restore System for Security Analysis Based on Large-scale Network

doi:10.3969/j.issn.1671-1122.2019.05.010

Abstract

Abstract:

Network traffic restoration is the foundation of network security analysis. A DNS protocol restoration systemfor security analysis based on Storm was proposed aiming at the real-time response to massive data in big data network environment. The system obtains original data packets from the message system, parses the data packet layer by layer, and serializes the restored DNS data to the message system for subsequent security analysis. Based on the restoration, the data which used the protocol’s vulnerabilities or had an abnormal format would be researched and the system has the function to tell the packets which are abnormal in format, using UDP’s relaxation space injection or using Null to cheat and send message. The results of the experiment showed that the system had efficient real-time processing capabilities in the 10Gbps real big data network environment with the average processing delay within 5ms, and the ability to recognize and process abnormally formatted DNS packets.

Key words: DNS, protocol restore, storm, big data, streaming processing

CLC Number:

TP309

Yi WEN, Xingshu CHEN, Xuemei ZENG, Yonggang LUO. DNS Protocol Restore System for Security Analysis Based on Large-scale Network[J]. Netinfo Security, 2019, 19(5): 77-83.

Figures/Tables 10

References 16

[1]	LI Juntao, SHI Yong, XUE Zhi.APT Detection based on DNS Traffic and Threat Intelligence[J]. Information Security and Communications Privacy, 2016, 16(7): 84-88.
	李骏韬,施勇,薛质.基于DNS流量和威胁情报的APT检测[J]. 信息安全与通信保密,2016,16(7):84-88.
[2]	NUSSBAUM L, NEYRON P, RICHARD O.On Robust Covert Channels inside DNS[C]//IFIP. 24th IFIP TC 11 International Information Security Conference, May 18-20, 2009, Pafos, Cyprus. Berlin: Springer, 2009: 51-62.
[3]	GU Chuanzheng, WANG Yijun, XUE Zhi.Study on Covert Channel based on the DNS Protocol[J]. Information Security and Communications Privacy, 2012, 12(1): 81-82, 85.
	谷传征,王轶骏,薛质.基于DNS 协议的隐蔽信道研究[J]. 信息安全与通信保密,2012,12(1):81-82,85.
[4]	ZHANG Siyu, ZOU Futai, WANG Luhua, et al.Detecting DNS-based Covert Channel on Live Traffic[J]. Journal on Communications. 2013, 34(5): 143-151
	章思宇,邹福泰,王鲁华,等.基于DNS 的隐蔽通道流量检测[J]. 通信学报,2013,34(5):143-151.
[5]	ZHANG Siyu, WANG Luhua, ZOU Futai.Evading DNS Monitoring System with NULL Character[J]. Netinfo Security, 2012, 12(4): 47-50.
	章思宇,王鲁华,邹福泰. NULL字符欺骗 DNS 监控系统的研究[J]. 信息网络安全,2012,12(4):47-50.
[6]	BORN K. PSUDP: A Passive Approach to Network-wide Covert Communication [EB/OL]. , 2010-7-10.
[7]	China Internet Network Information. The 41th Statistical Report on Internet Development in China[EB/OL]. , 2018-3-5.
[8]	LEIBIUSKY J, EISBRUCH G, SIMONASSI D.Getting Started With Storm[M]. US: O’Reilly Media, 2012.
[9]	WU G.Spark: the Light of Big Data Era[J]. Programmer, 2013, 13(7): 100-104.
[10]	WANG Mingkun, YUAN Shaoguang, ZHU Yongli, et al.Real-time Clustering for Massive Data Using Storm[J]. Journal of Computer Applications, 2014, 34(11): 3078-3081.
	王铭坤,袁少光,朱永利,等.基于Storm的海量数据实时聚类[J]. 计算机应用,2014,34(11):3078-3081.
[11]	CHEN Xingshu, WANG Yue, LUO Yonggang, et al.Protocol Restore Framework Based on Storm[J]. Journal of Huazhong University of Science and Technology(Natural Science Edition), 2018, 46(1): 1-5, 21.
	陈兴蜀,王岳,罗永刚,等.基于Storm的协议还原框架[J]. 华中科技大学学报(自然科学版),2018,46(1):1-5,21.
[12]	The Apache Software Foundation. Apache Zookeeper[EB/OL]. , 2010-7-15.
[13]	ANDERSON Q.Storm Real-time Processing Cookbook[M]. Birmingham: PacktPublishing, 2013.
[14]	MOCKAPETRIS P. RFC1034 Domain Names-Concepts and Facilities[EB/OL]. , 1987-10-16.
[15]	MOCKAPETRIS P. RFC1035 Domain Names-Implementation and Specification[EB/OL]. , 1987-10-16.
[16]	MARLINSPIKE M. Null Prefix Attacks Against SSL/TLS Certificates[EB/OL]. , 2009-7-29/2012-2-23.

服务器	CPU主频/GHz	CPU核数	内存/GB	硬盘/TB
1	3.5	8	128	1
2	2.4	20	256	16
3	2.5	8	128	8
4	2.5	8	32	1

时间窗口	总包数	DNS回复包数量	解析异常比
1 min	2,850,000	257,181	0.613%
10 min	28,894,000	2,343,545	0.661%
2 hour	349,176,000	27,662,412	0.922%
1 day	3,057,770,000	318,841,632	0.781%

检测工具	NULL字符欺骗	UDP松弛空间注入
Wireshark	异常（格式错误）	无异常
Dnstop	无异常	无异常
Tcpdump	无异常	无异常
本文方法	异常（Null字符欺骗）	异常（UDP松弛空间注入）