CN108270755A - A method and apparatus for domain-name-level adaptive defence against DDOS attacks - Google Patents
- Publication number
- CN108270755A (application CN201710001398.4A)
- Authority
- CN
- China
- Prior art keywords
- domain name
- designated domain
- attack
- request
- designated
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for domain-name-level adaptive defence against DDOS (Distributed Denial of Service) attacks in a CDN (Content Delivery Network) system.
Background art
CDN stands for Content Delivery Network. Referring to Figure 1, a content delivery network distributes content from the origin server to service nodes deployed in a distributed manner (edge nodes), and supports a range of traffic scheduling techniques that automatically direct each user request, according to a specified policy, to the globally optimal edge node, which then serves the user's data from nearby. The core of CDN technology is that, by placing node servers throughout the network, it can redirect user requests in real time to the service node closest to the user, based on combined information such as network traffic, each node's connections and load, and the distance and response time to the user. The aim is to let users obtain the content they need from nearby, relieve Internet congestion and improve the response speed of website access.
On the one hand, a CDN disperses user access requests across the various service nodes. On the other hand, because every service node sends its scheduling requests to the CDN scheduling centre for handling, the CDN's scheduling workload is very heavy; a failure of scheduling capacity has serious consequences and may paralyse the entire CDN system.
The CDN service flow is described as follows. There are two kinds of resolution and scheduling flows in a CDN.
Method 1: DNS CNAME (alias), as shown in Figure 2.
(1) The terminal accesses the URL http://icp.com/Web/main.html and sends a resolution request for icp.com to the Local DNS;
(2) The Local DNS recurses to the origin site's authoritative DNS server to resolve the domain name icp.com;
(3) The website's authoritative DNS returns the rewritten service domain name (icp.com.cmcdn.com) as a CNAME;
(4) The Local DNS sends a request to the global scheduling centre to resolve icp.com.cmcdn.com;
(5) The scheduling control centre selects the optimal edge node according to the Local DNS's address and the scheduling policy, and returns it to the Local DNS;
(6) The Local DNS returns the corresponding DNS Response to the terminal, carrying the IP address of the content network edge node.
Method 2: DNS Forward, as shown in Figure 3.
(1) icp.com is configured in the Forward First list of the Local DNS;
(2) The terminal accesses the URL http://icp.com/Web/main.html and sends a resolution request for icp.com to the Local DNS;
(3) The Local DNS matches the Forward list, finds a match, and sends a DNS request to the global scheduling centre to resolve icp.com;
(4) The scheduling control subsystem matches the scheduling policy against the Local DNS's address, selects an optimal edge node and returns it to the Local DNS;
(5) The Local DNS returns the corresponding DNS Response to the terminal, carrying the IP address of the content network edge node.
It is clear from both methods that, whichever one the CDN system uses, the user request must be directed via the global scheduling centre to a particular edge node server (for example a.b.c.d); the DNS only has to forward the user request. The global scheduling centre, however, must resolve the domain name, inspect the resource usage of every edge node that provides the service and determine by algorithm which server to schedule to, which is the heaviest work in the whole flow.
Consequently, the focus of DDOS attacks on CDNs has gradually shifted from the original DNS attacks and server traffic attacks to attacks on the scheduling centre.
Existing DDOS protection schemes fall into three categories.
First category: self-built anti-DDOS equipment in the data centre.
Current mainstream anti-DDOS equipment can protect against all kinds of denial-of-service attacks at the network, transport and application layers (such as SYN Flood, UDP Flood, UDP DNS Query Flood, (M)Stream Flood, ICMP Flood, HTTP Get Flood and connection exhaustion). Anti-DDOS equipment is generally deployed on the inner side of the router and works together with the router to detect attacks and scrub traffic.
Second category: reverse proxy (cloud protection/acceleration). Cloud protection/acceleration uses a dedicated cloud platform to detect and filter DDOS attacks. When the system detects abnormal traffic, it actively diverts the traffic to the cloud acceleration servers, where the cloud protection equipment scrubs it before re-injecting it into the router of the business system.
Third category: coordinated anti-DDOS handling. The coordinated approach builds a separate system that analyses the attack alarms and other data issued by the different anti-DDOS devices in a unified way and coordinates the response.
Each of the three technologies has its advantages for protecting a single data centre or the network as a whole, but none of them is effective for protecting a CDN system. The main problem with the prior art is as follows:
Precise control cannot be achieved. Generally, the scheduling requirements of a CDN system involve only a small number of domain names (typically tens to hundreds). Once an attack is launched against one domain name, scheduling may fail, so that none of the domain names cached in the CDN can be accessed.
Summary of the invention
In view of the above technical problems, embodiments of the present invention provide a method and apparatus for domain-name-level adaptive defence against DDOS attacks, which throttle the resolution of an attacked domain name while guaranteeing normal resolution of domain names that are not under attack.
According to a first aspect of the embodiments of the present invention, a domain-name-level adaptive anti-DDOS method is provided, comprising:
receiving an access request for a designated domain name, and determining the request access frequency of the designated domain name within a designated period;
determining an attack determination result for the designated domain name according to its request access frequency and its request access threshold;
determining a resolution period for the designated domain name according to the attack determination result, the resolution period being the time that must elapse before the designated domain name is resolved;
responding to the access request for the designated domain name with a resolution according to the resolution period.
Optionally, determining the resolution period of the designated domain name according to the attack determination result comprises:
if the request access frequency of the designated domain name is greater than or equal to its request access threshold, the attack determination result is a suspected attack, and a first resolution period of the designated domain name is determined;
if the request access frequency of the designated domain name is less than its request access threshold, the attack determination result is normal access, and a second resolution period of the designated domain name is determined.
Optionally, determining the first resolution period of the designated domain name comprises:
calculating the attack intensity of the designated domain name from its request access frequency, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
calculating the attack mitigation factor of the designated domain name from its attack intensity, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
determining the first resolution period of the designated domain name according to the attack mitigation factor.
Optionally, calculating the attack intensity of the designated domain name from its request access frequency, the statistical value of its normal access frequency and the peak multiple of its normal access frequency comprises:
calculating the attack intensity of the designated domain name according to the following formula:
Formula: I = Fre / (NormalFre × N)
where I denotes the attack intensity;
Fre denotes the request access frequency of the designated domain name;
NormalFre denotes the statistical value of the normal access frequency of the designated domain name;
N denotes the peak multiple of the normal access frequency of the designated domain name.
Optionally, calculating the attack mitigation factor of the designated domain name from its attack intensity, the statistical value of its normal access frequency and the peak multiple of its normal access frequency comprises:
calculating the attack mitigation factor of the designated domain name according to the following formula:
Formula: REL = NormalFre × N × Ratio × Z^(I × Adj)
where REL denotes the attack mitigation factor;
NormalFre denotes the statistical value of the normal access frequency of the designated domain name;
N denotes the peak multiple of the normal access frequency of the designated domain name;
Ratio denotes a fixed coefficient;
Z denotes the base of the exponential function;
I denotes the attack intensity of the designated domain name;
Adj denotes an adjustment parameter used to weight the exponent.
Optionally, determining the first resolution period of the designated domain name according to the attack mitigation factor comprises:
calculating the first resolution period of the designated domain name according to the following formula:
Formula: Interval = Q × I
where Interval denotes the resolution period;
Q denotes a predetermined interval time value;
I denotes the attack mitigation factor.
Optionally, the method further comprises:
counting the access requests of each domain name in the normal service request state over the domain name access frequency statistics period, to obtain an access threshold configuration list covering all cached domain names, in which the statistical value of each domain name's normal access frequency and the peak multiple of its normal access frequency are recorded.
According to a second aspect of the embodiments of the present invention, a domain-name-level adaptive anti-DDOS apparatus is also provided, comprising:
a domain name access frequency statistics module, configured to receive an access request for a designated domain name and determine the request access frequency of the designated domain name within a designated period;
an attack analysis module, configured to determine an attack determination result for the designated domain name according to its request access frequency and its request access threshold, and to determine the resolution period of the designated domain name according to the attack determination result;
a global resolution and scheduling module, configured to respond to the access request for the designated domain name with a resolution according to the resolution period.
Optionally, the attack analysis module comprises:
an attack determination sub-module, configured to determine the attack determination result of the designated domain name according to its request access frequency and its request access threshold;
an attack mitigation sub-module, configured to determine a first resolution period of the designated domain name if its request access frequency is greater than or equal to its request access threshold, the attack determination result being a suspected attack; and to determine a second resolution period of the designated domain name if its request access frequency is less than its request access threshold, the attack determination result being normal access.
Optionally, the attack determination sub-module comprises:
an attack intensity calculation unit, configured to calculate the attack intensity of the designated domain name from its request access frequency, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
an attack mitigation factor calculation unit, configured to calculate the attack mitigation factor of the designated domain name from its attack intensity, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
a resolution period calculation unit, configured to determine the first resolution period of the designated domain name according to the attack mitigation factor.
Optionally, the attack intensity calculation unit is further configured to:
calculate the attack intensity of the designated domain name according to the following formula:
Formula: I = Fre / (NormalFre × N)
where I denotes the attack intensity;
Fre denotes the request access frequency of the designated domain name;
NormalFre denotes the statistical value of the normal access frequency of the designated domain name;
N denotes the peak multiple of the normal access frequency of the designated domain name.
Optionally, the attack mitigation factor calculation unit is further configured to:
calculate the attack mitigation factor of the designated domain name according to the following formula:
Formula: F = NormalFre × N × P × Z^(I × b)
where F denotes the attack mitigation factor;
NormalFre denotes the statistical value of the normal access frequency of the designated domain name;
N denotes the peak multiple of the normal access frequency of the designated domain name;
P denotes a fixed coefficient;
Z denotes the base of the exponential function;
I denotes the attack intensity of the designated domain name;
b denotes an adjustment parameter used to weight the exponent.
Optionally, the resolution period calculation unit is further configured to:
calculate the first resolution period of the designated domain name according to the following formula:
Formula: Interval = Q × I
where Interval denotes the resolution period;
Q denotes a predetermined interval time value;
I denotes the attack mitigation factor.
Optionally, the attack analysis module further comprises:
a log analysis sub-module, configured to count the access requests of each domain name in the normal service request state over the domain name access frequency statistics period, to obtain an access threshold configuration list covering all cached domain names, in which the statistical value of each domain name's normal access frequency and the peak multiple of its normal access frequency are recorded.
One of the above technical solutions has the following advantage or beneficial effect: against possible attacks, a request access threshold (also called a traffic threshold) is set at the granularity of a domain name; the attack determination result is then derived from the designated domain name's request access frequency and request access threshold, the resolution period of the domain name is determined from that result, and resolution of the domain name is throttled according to the resolution period. In this way resolution of an attacked domain name is throttled while normal resolution of domain names that are not under attack is guaranteed, and, in combination with the timeout mechanism of the edge node DNS, the frequency of users' resolution requests for the attacked website is limited.
Description of the drawings
Figure 1 is a schematic diagram of an existing CDN structure;
Figure 2 is a schematic diagram of the DNS CNAME method;
Figure 3 is a schematic diagram of the DNS Forward method;
Figure 4 is a flow chart of the domain-name-level adaptive anti-DDOS method in Embodiment 1 of the present invention;
Figure 5 is a flow chart of determining the resolution period of a designated domain name whose attack determination result is a suspected attack, in Embodiment 1 of the present invention;
Figure 6 is a block diagram of the domain-name-level adaptive anti-DDOS apparatus in Embodiment 2 of the present invention;
Figure 7 is a flow chart of the operation of the domain-name-level adaptive anti-DDOS apparatus in Embodiment 2 of the present invention.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
Those skilled in the art know that embodiments of the present invention may be implemented as a system, apparatus, device, method or computer program product. Accordingly, embodiments of the present invention may take the form of pure hardware, pure software (including firmware, resident software, microcode and so on), or a combination of hardware and software.
Embodiment 1
Referring to Figure 4, a domain-name-level adaptive anti-DDOS method is shown; its steps are as follows:
Step 401: receive an access request for a designated domain name, and determine the request access frequency of the designated domain name within a designated period;
In this embodiment, domain name resolution requests can be counted over a designated period T and a dynamic domain name access frequency list generated. The designated period T is the fixed period for domain name access frequency statistics; it is configurable and may be, for example, 1 minute, 15 minutes or 1 hour, though it is not limited to these.
Step 402: determine the attack determination result of the designated domain name according to its request access frequency and its request access threshold;
The attack determination result indicates whether the designated domain name may be under attack.
For example: if the request access frequency of the designated domain name is greater than or equal to its request access threshold, the attack determination result is a suspected attack. If the request access frequency of the designated domain name is less than its request access threshold, the attack determination result is normal access.
Step 403: determine the resolution period of the designated domain name according to the attack determination result;
The resolution period is the time that must elapse before the designated domain name is resolved.
For example: if the request access frequency of the designated domain name is greater than or equal to its request access threshold, the attack determination result is a suspected attack, and a first resolution period of the designated domain name is determined; this first resolution period may be a value greater than zero;
if the request access frequency of the designated domain name is less than its request access threshold, the attack determination result is normal access, and a second resolution period of the designated domain name is determined; this second resolution period may be zero.
Step 404: respond to the access request for the designated domain name with a resolution according to the resolution period.
If the resolution period of the designated domain name is greater than zero, that period must elapse before the access request for the domain name is resolved and the resolution response returned to the Local DNS.
If the resolution period of the designated domain name is zero, the domain name is resolved normally and the resolution response returned to the Local DNS.
In this embodiment, against possible attacks, a request access threshold (also called a traffic threshold) is set at the granularity of a domain name; the attack determination result is then derived from the designated domain name's request access frequency and request access threshold, the resolution period of the domain name is determined from that result, and resolution of the domain name is throttled according to the resolution period. In this way resolution of an attacked domain name is throttled while normal resolution of domain names that are not under attack is guaranteed, and, in combination with the timeout mechanism of the edge node DNS, the frequency of users' resolution requests for the attacked website is limited.
In this embodiment, the resolution period of a designated domain name whose attack determination result is a suspected attack can be determined by the following procedure, see Figure 5.
Step 501: calculate the attack intensity of the designated domain name from its request access frequency, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
The attack intensity of the designated domain name is calculated according to the following formula:
Formula: I = Fre / (NormalFre × N)
where I denotes the attack intensity;
Fre denotes the request access frequency of the designated domain name;
NormalFre denotes the statistical value of the normal access frequency of the designated domain name;
N denotes the peak multiple of the normal access frequency of the designated domain name.
For example, taking domain name AA and assuming NormalFre_AA = 3000, N = 3 and Fre_AA = 10000, one obtains I_AA = 1.11.
Step 502: calculate the attack mitigation factor of the designated domain name from its attack intensity, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
The attack mitigation factor of the designated domain name is calculated according to the following formula:
Formula: REL = NormalFre × N × Ratio × Z^(I × Adj)
where REL denotes the attack mitigation factor;
NormalFre denotes the statistical value of the normal access frequency of the designated domain name;
N denotes the peak multiple of the normal access frequency of the designated domain name;
Ratio denotes a fixed coefficient related to the capacity and processing capability of the system, for example Ratio = 0.0001;
Z denotes the base of the exponential function, for example Z = 2;
I denotes the attack intensity of the designated domain name;
Adj denotes an adjustment parameter used to weight the exponent, for example Adj = 2.
For example, taking domain name AA, REL = F(NormalFre_AA, N, I_AA), where the function F is the attack mitigation algorithm and can be customised. In this embodiment it is defined, based on practical experience, as an exponential function.
Assume NormalFre_AA = 3000, N = 3 and I_AA = 1.11.
Then REL = 3000 × 3 × 0.0001 × 2^(1.11 × 2) = 3.78.
Step 503: determine the first resolution period of the specified domain name from the attack mitigation factor.
The first resolution period is calculated with the following formula:
Interval = Q × REL
where Interval is the resolution period;
Q is a predetermined interval time value, for example Q = 1 second;
REL is the attack mitigation factor.
For example, for domain name AA with REL_AA = 3.78 and the default Q = 1 second, Interval_AA = 3.78 seconds.
In this embodiment, the method further includes:
counting the access requests of each domain name while in the normal service request state, per domain name access frequency statistics period, to obtain an access threshold configuration list covering all cached domain names; the list records, for each domain name, the statistical value of its normal access frequency and the peak multiple of its normal access frequency.
Embodiment two
Referring to FIG. 6, a domain-name-level adaptive anti-DDOS device (for example called the global dispatch centre) is shown, comprising:
a domain name access frequency statistics module 601, for receiving access requests for a specified domain name and determining the requested access frequency of that domain name within a specified period;
an attack analysis module 602, for determining the attack determination result of the specified domain name from its requested access frequency and its request access threshold, and determining the resolution period of the specified domain name from that result;
a global resolution and scheduling module 603, for resolving and responding to access requests for the specified domain name according to the resolution period.
In this embodiment, the domain name access frequency statistics module 601 can count the domain name resolution requests received over a specified period T and generate a dynamic domain name access frequency list. T is the fixed period of the access frequency statistics; it is configurable and can be, for example, 1 minute, 15 minutes or 1 hour, though it is not limited to these values.
The attack analysis module 602 comprises:
an attack determination sub-module 6021, for determining the attack determination result of the specified domain name from its requested access frequency and its request access threshold;
an attack mitigation sub-module 6022, for determining a first resolution period of the specified domain name when its requested access frequency is greater than or equal to its request access threshold (attack determination result: suspected attack), and a second resolution period when its requested access frequency is below the threshold (attack determination result: normal access).
In this embodiment, optionally, the attack analysis module 602 further comprises:
a log analysis sub-module 6023, for counting the access requests of each domain name while in the normal service request state, per domain name access frequency statistics period, to obtain an access threshold configuration list covering all cached domain names; the list records, for each domain name, the statistical value of its normal access frequency and the peak multiple of its normal access frequency.
In this embodiment, optionally, the attack determination sub-module comprises:
an attack strength calculation unit, for calculating the attack strength of the specified domain name from its requested access frequency, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
an attack mitigation factor calculation unit, for calculating the attack mitigation factor of the specified domain name from its attack strength, the statistical value of its normal access frequency and the peak multiple of its normal access frequency;
a resolution period calculation unit, for determining the first resolution period of the specified domain name from the attack mitigation factor.
In this embodiment, optionally, the attack strength calculation unit is further configured to calculate the attack strength of the specified domain name with the following formula:
I = Fre / (NormalFre × N)
where I is the attack strength;
Fre is the requested access frequency of the specified domain name;
NormalFre is the statistical value of the normal access frequency of the specified domain name;
N is the peak multiple of the normal access frequency of the specified domain name.
In this embodiment, optionally, the attack mitigation factor calculation unit is further configured to calculate the attack mitigation factor of the specified domain name with the following formula:
F = NormalFre × N × P × Z^(I × b)
where F is the attack mitigation factor (REL in embodiment one);
NormalFre is the statistical value of the normal access frequency of the specified domain name;
N is the peak multiple of the normal access frequency of the specified domain name;
P is a fixed coefficient (Ratio in embodiment one);
Z is the base of the exponential function;
I is the attack strength of the specified domain name;
b is an adjustment parameter for weighting the exponent (Adj in embodiment one).
In this embodiment, optionally, the resolution period calculation unit is further configured to calculate the first resolution period of the specified domain name with the following formula:
Interval = Q × REL
where Interval is the resolution period;
Q is a predetermined interval time value;
REL is the attack mitigation factor computed by the previous unit (the original text writes it as I in this formula, which would collide with the attack strength I above).
Taking domain name AA as an example:
When the Local DNS submits an access request for domain name AA, the domain name access frequency statistics module 601 computes the requested access frequency FreAA of AA over the specified period T, and sends the request information Request = (AA, FreAA) to the attack analysis module 602.
The log analysis sub-module 6023 periodically counts the access requests of each domain name while in the normal service request state, and analyses and tallies each cached domain name configuration list (DomainList) per domain name access frequency statistics period T (for example 1 minute).
After a period of learning and statistics, the normal access frequency statistics are obtained and an access threshold configuration list (DomainFreList) covering all cached domain names is formed.
AA, BB and CC in that list are example domain names.
N denotes the peak multiple of the normal access frequency; it can be configured differently per domain name according to how much that domain name's access fluctuates.
In this embodiment, the attack determination sub-module 6021 receives the request information Request = (AA, FreAA) from the domain name access frequency statistics module 601 and checks whether the access frequency FreAA of AA exceeds the permitted access frequency. If it does, a suspected-attack request message is sent to the attack mitigation sub-module 6022; the message carries the attack strength of the domain name, the statistical value of its normal access frequency and the peak multiple of its normal access frequency. If it does not, the request is judged normal access and the determination result is fed straight back to the global resolution and scheduling module 603.
For example:
If FreAA ≥ NormalFre_AA × N_AA, an attack is determined and the attack strength I_AA = FreAA / (NormalFre_AA × N_AA) is calculated, where I_AA is the attack strength of AA, NormalFre_AA the statistical value of AA's normal access frequency and N_AA the peak multiple of AA's normal access frequency.
With NormalFre_AA = 3000, N = 3 and FreAA = 10000, I_AA ≈ 1.11, and the suspected-attack request message Request_ATT = (AA, NormalFre_AA, N, I_AA) is sent to the attack mitigation sub-module.
If FreAA < NormalFre_AA × N_AA, the request is judged normal access and the result is fed straight back to the global resolution and scheduling module 603, for example Result = (AA, 0), where "0" means that module 603 waits 0 seconds before resolving AA.
The attack mitigation sub-module 6022, on receiving the suspected-attack request message, calculates the attack mitigation factor of the specified domain name from its attack strength, the statistical value of its normal access frequency and the peak multiple of its normal access frequency.
For example:
When the attack mitigation sub-module 6022 receives Request_ATT = (AA, NormalFre_AA, N, I_AA), it evaluates REL = F(NormalFre_AA, N, I_AA).
REL is the attack mitigation factor; its default value is 0.
F() is the attack mitigation algorithm and can be customised; in this embodiment it is defined, from practical experience, as an exponential function:
F = NormalFre_AA × N × Ratio × Z^(I_AA × Adj)
Ratio is a fixed coefficient tied to the capacity and processing capability of the system, e.g. 0.0001;
Z is the base of the exponential function, e.g. Z = 2;
Adj is an adjustment parameter for weighting the exponent, e.g. Adj = 2.
For example:
REL = 3000 × 3 × 0.0001 × 2^(1.11 × 2) = 0.9 × 2^2.22 ≈ 4.20 (the original filing gives 3.78, which is 4.20 multiplied by 0.9 once more, and uses that figure below).
In this embodiment, the attack mitigation sub-module 6022 sends the analysis result for the specified domain name to the global resolution and scheduling module 603; the result contains the domain name's attack mitigation factor, for example Result = (AA, 3.78) for domain name AA.
In this embodiment, the global resolution and scheduling module 603 schedules resolution according to the analysis result sent by the attack analysis module 602:
if REL = 0 in the result, it resolves normally and returns the Response to the Local DNS;
if REL is non-zero, an attack is present, and the resolution response is sent only after the resolution period Interval_AA = Interval × REL, where Interval is the default resolution interval (Q above) and is configurable.
For example, for Result_AA = (AA, 3.78) and the default Interval = 1 second, Interval_AA = 3.78 seconds.
The domain-name-level adaptive anti-DDOS flow of this embodiment is described in detail below with reference to FIG. 6 and FIG. 7; the steps are:
Step 701: the Local DNS sends an access request for a specified domain name;
Step 702: the domain name access frequency statistics module computes the access frequency of the specified domain name;
Step 703: the attack determination sub-module compares the access frequency with the threshold; if it exceeds the threshold, go to step 704, otherwise go to step 711;
Step 704: the attack mitigation sub-module computes the mitigation factor and feeds the information back to the access frequency statistics module;
Step 705: a resolution request is issued to the global resolution and scheduling module;
Step 706: resolution is performed according to the domain name and the mitigation factor, then proceed to step 707 or to step 710;
Step 707: store the scheduling log;
Step 708: log analysis;
Step 709: access threshold configuration list, then return to step 703;
Step 710: feed the resolution result back to the access frequency statistics module;
Step 711: feed the resolution result back to the Local DNS.
With this scheme, fine-grained control can be exercised per domain name. For example, while domain name AA is under attack, Result_AA = (AA, 1.944) (1.944 is the value the formula gives for I_AA = 10000/9000 when Adj = 1 rather than 2), while if site BB is not under attack at that moment, Result_BB = (BB, 0).
From the user's point of view, a request for AA sent to the Local DNS takes 1.944 seconds (excluding network delay) to receive a reply, whereas a request for BB receives its resolution reply immediately.
It follows that the technique can effectively resist DDOS attacks against a CDN system, allows fine-grained control over the different sites cached by the CDN, and keeps the CDN operating normally as far as possible.
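The full pipeline of the embodiment (learning DomainFreList, the step 701 to 711 decision, and the per-domain Result tuples above), as an added example in Python. This is illustrative code written for this page, not code from the patent or its assignee. It assumes that the "statistical value" of the normal access frequency is the mean per-period count observed in the normal state (the text does not fix the statistic), uses the example values Ratio = 0.0001, Z = 2, Adj = 2 and Q = 1 s, serves a domain name that is absent from the list normally, and feeds constructed per-period query counts and log lines; the function names are the example's own.

```python
"""Domain-level adaptive DNS throttling modelled on CN108270755A.

Illustrative code written for this page, not the patent's own. Assumptions:
NormalFre is the mean per-period count seen in the normal state (the text does
not fix the statistic); Ratio, Z, Adj and Q take the example values from the
text; all traffic below is constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Params:
    ratio: float = 0.0001  # Ratio: fixed coefficient tied to system capacity
    z: float = 2.0         # Z: base of the exponential
    adj: float = 2.0       # Adj: exponent weight adjustment
    q: float = 1.0         # Q: predetermined interval, seconds


def count_requests(log_lines):
    """Statistics module 601: per-domain query count for one period T.
    Constructed log format: '<client-ip> <qname>' per line."""
    counts = {}
    for line in log_lines:
        _client, qname = line.split()
        counts[qname] = counts.get(qname, 0) + 1
    return counts


def learn_thresholds(history, peak_multiples, default_n=3):
    """Log analysis sub-module 6023: build DomainFreList = {domain: (NormalFre, N)}
    from per-period counts collected while each domain was in its normal state.
    N is configurable per domain to absorb that domain's normal fluctuation."""
    return {d: (mean(counts), peak_multiples.get(d, default_n))
            for d, counts in history.items()}


def attack_strength(fre, normal_fre, n):
    """Step 501: I = Fre / (NormalFre * N); I >= 1 once the threshold is reached."""
    return fre / (normal_fre * n)


def mitigation_factor(i, normal_fre, n, p=Params()):
    """Step 502: REL = NormalFre * N * Ratio * Z ** (I * Adj)."""
    return normal_fre * n * p.ratio * p.z ** (i * p.adj)


def resolution_interval(rel, p=Params()):
    """Step 503: Interval = Q * REL, in seconds."""
    return p.q * rel


def analyze(domain, fre, thresholds, p=Params()):
    """Attack analysis module 602: Result = (domain, seconds to hold the answer).
    0 means resolve immediately. A domain missing from DomainFreList is served
    normally here (an assumption; the text only covers listed domains)."""
    if domain not in thresholds:
        return (domain, 0.0)
    normal_fre, n = thresholds[domain]
    if fre < normal_fre * n:            # below threshold: normal access
        return (domain, 0.0)
    i = attack_strength(fre, normal_fre, n)
    rel = mitigation_factor(i, normal_fre, n, p)
    return (domain, resolution_interval(rel, p))


def schedule(period_counts, thresholds, p=Params()):
    """Global resolution and scheduling module 603: hold time per domain for the
    period, so only attacked names are slowed and the rest are answered at once."""
    return {d: analyze(d, fre, thresholds, p)[1] for d, fre in period_counts.items()}


if __name__ == "__main__":
    # Constructed learning data: three normal periods per domain.
    history = {"AA": [2800, 3200, 3000], "BB": [350, 450, 400]}
    thresholds = learn_thresholds(history, {"AA": 3, "BB": 3})
    # Constructed period: AA flooded, BB normal (one log line per query).
    period = count_requests(["10.0.0.%d AA" % (k % 250) for k in range(10000)]
                            + ["10.0.1.%d BB" % (k % 250) for k in range(500)])
    print(schedule(period, thresholds))          # AA held ~4.2 s, BB 0.0
    # How fast the hold time grows with attack strength for AA's parameters.
    for mult in (1, 2, 3, 5):
        _, hold = analyze("AA", 9000 * mult, thresholds)
        print("%dx threshold -> hold %.1f s" % (mult, hold))
```

Running the script reproduces the worked numbers (about 4.2 s for AA with Adj = 2, 1.944 s with `Params(adj=1.0)`, 0 s for BB) and shows the operational caveat a deployer should weigh: because REL is exponential in I, the hold time for AA's parameters is 3.6 s at the threshold, 14.4 s at twice it, 57.6 s at three times and roughly 15 minutes at five times. A recursive resolver gives up on an upstream answer after a few seconds, so beyond a modest attack strength the scheme withholds resolution of the attacked name (for legitimate clients of that name too) rather than merely slowing it; Adj and Ratio are the knobs that set where that cliff sits.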
It should be understood that references throughout this specification to "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Occurrences of "in one embodiment" or "in an embodiment" in various places in the specification therefore do not necessarily refer to the same embodiment. Moreover, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
In the various embodiments of the invention, the sequence numbers of the processes above do not imply an order of execution; the order of execution of each process is determined by its function and internal logic and does not limit the implementation of the embodiments in any way.
In addition, the terms "system" and "network" are often used interchangeably herein.
The term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist: for example, "A and/or B" may mean A alone, A and B together, or B alone. The character "/" herein generally indicates an "or" relationship between the objects before and after it.
In the embodiments provided in this application, "B corresponding to A" means that B is associated with A and can be determined from A. Determining B from A does not, however, mean that B is determined from A alone; B may also be determined from A and/or other information.
In the several embodiments provided in this application, it should be understood that the disclosed methods and devices may be implemented in other ways. The device embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in practice; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The functional units in the embodiments of the invention may be integrated in one processing unit, may exist physically as separate units, or two or more units may be integrated in one unit. An integrated unit may be implemented in hardware, or in hardware plus software functional units.
An integrated unit implemented as a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute some of the steps of the methods described in the embodiments of the invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above describes preferred embodiments of the invention. It should be noted that persons of ordinary skill in the art may make several improvements and refinements without departing from the principles described herein, and such improvements and refinements also fall within the scope of protection of the invention.
Claims (14)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710001398.4A CN108270755B (en) | 2017-01-03 | 2017-01-03 | Domain name level adaptive DDOS attack resisting method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108270755A true CN108270755A (en) | 2018-07-10 |
CN108270755B CN108270755B (en) | 2021-01-15 |
Family
ID=62770608
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710001398.4A Active CN108270755B (en) | 2017-01-03 | 2017-01-03 | Domain name level adaptive DDOS attack resisting method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108270755B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7620733B1 (en) * | 2005-03-30 | 2009-11-17 | Cisco Technology, Inc. | DNS anti-spoofing using UDP |
CN101789940A (en) * | 2010-01-28 | 2010-07-28 | 联想网御科技(北京)有限公司 | Method for preventing flood attack of DNS request message and device thereof |
CN101980510A (en) * | 2010-10-08 | 2011-02-23 | 中国科学院计算机网络信息中心 | Domain name query request processing method, recursive server and domain name system |
CN104079421A (en) * | 2013-03-27 | 2014-10-01 | 中国移动通信集团北京有限公司 | Method and system for protecting domain name system (DNS) |
CN106101104A (en) * | 2016-06-15 | 2016-11-09 | 国家计算机网络与信息安全管理中心 | A kind of malice domain name detection method based on domain name mapping and system |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109981656A (en) * | 2019-03-29 | 2019-07-05 | 成都知道创宇信息技术有限公司 | A kind of CC means of defence based on CDN node log |
CN109981656B (en) * | 2019-03-29 | 2021-03-19 | 成都知道创宇信息技术有限公司 | CC protection method based on CDN node log |
CN111193715A (en) * | 2019-12-09 | 2020-05-22 | 北京邮电大学 | Service scheduling method and device of passive optical network, electronic equipment and storage medium |
CN111193715B (en) * | 2019-12-09 | 2021-06-29 | 北京邮电大学 | Service scheduling method, device, electronic device and storage medium for passive optical network |
CN111092966A (en) * | 2019-12-30 | 2020-05-01 | 中国联合网络通信集团有限公司 | Domain name system, domain name access method and device |
CN111092966B (en) * | 2019-12-30 | 2022-04-26 | 中国联合网络通信集团有限公司 | Domain name system, domain name access method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |