DNS攻击检测技术研究

发布时间：2018-03-20 04:08

本文选题：DNS　切入点：DNS　出处：《扬州大学》2014年硕士论文　论文类型：学位论文

【摘要】：DNS作为互联网上最为基础的服务系统,在保证互联网正常运行的同时为用户提供便利的网络服务。但随着互联网的快速发展,DNS的安全问题日益突出,而且各种针对DNS的攻击事件频发,对整个网络运行的效率造成极大的影响。因此,及时检测出网络中存在的攻击行为就变得尤为重要。由于DNS在设计之初就对自身的安全因素欠缺考虑,致使DNS系统时常面临各种攻击的威胁。本文首先简单介绍了DNS系统结构、DNS协议和工作原理,并且针对DNS的漏洞介绍了几种常见的DNS攻击方式。目前,国内外针对DNS攻击检测技术的研究也取得了许多成果,但还有很多的检测方法需要完善。本文在总结前人研究的基础上,针对两种DNS攻击方式提出相应的检测算法。第一,DNS Query Flood攻击是向DNS服务器发送大量伪造的域名解析请求,消耗DNS服务器的资源,造成拒绝服务。及时检测到此类攻击的存在至关重要。本文在研究DNS解析过程的基础上,总结出DNS Query Flood攻击的特点。其特点主要是在攻击发生时,网络中的流量会迅速增加,并且域名解析的成功率降低。即可根据这两个攻击的特点结合信息熵判断网络是否出现异常,再利用滑动窗口机制来确定是否存在攻击。第二,DNS欺骗攻击是目前针对DNS系统攻击比较流行的一种方式,主要是通过监听网络中的DNS请求数据报后,根据DNS请求数据报中的ID标识号伪造DNS应答数据报提前发送到客户端,将用户重定向到其他的网站。根据DNS欺骗攻击的原理,总结出其攻击的特点：在正常情况下,DNS系统不会对同一个域名请求做出多个应答,而在攻击发生时,客户端会收到多个应答数据报。并且攻击发生时攻击者返回的应答数据报要比正常的数据包简单,往往没有授权域和附加域等资源记录。本文根据这两点提出基于监听统计的检测算法来判断网络中是否存在攻击,并给出简单的防御方法。本文在提出两种检测算法的同时也通过实验仿真来验证算法的有效性,实验结果表明,上述的两种检测算法能够较好的检测出相应的DNS攻击。
[Abstract]:As the most basic service system on the Internet, DNS not only guarantees the normal operation of the Internet, but also provides convenient network services for users, but with the rapid development of the Internet, the security problems of DNS become increasingly prominent. And all kinds of attacks against DNS occur frequently, which have a great impact on the efficiency of the whole network. It is particularly important to detect attacks in the network in time. Because DNS has not considered its own security factors from the beginning of its design, This paper introduces the architecture of DNS system and its working principle, and introduces several common DNS attack methods aiming at the vulnerabilities of DNS. Many achievements have been made in the research of DNS attack detection technology at home and abroad, but there are still many detection methods that need to be improved. This paper puts forward the corresponding detection algorithms for two kinds of DNS attack methods. The first one is to send a large number of fake domain name resolution requests to the DNS server and consume the resources of the DNS server, the first one is to send a large number of fake domain name resolution requests to the DNS server. It is very important to detect the existence of such attacks in time. Based on the study of DNS parsing process, this paper summarizes the characteristics of DNS Query Flood attacks. And the success rate of domain name resolution is reduced. According to the characteristics of these two attacks and information entropy, we can judge whether the network is abnormal or not. The second DNS spoofing attack is a popular way to attack the DNS system, mainly by listening to the DNS request Datagram in the network. According to the ID identification number in the DNS request Datagram, the DNS reply Datagram is sent to the client in advance, and the user is redirected to other websites. According to the principle of DNS spoofing attack, The characteristics of the attack are summarized: under normal circumstances, the DNS system does not respond to multiple requests for the same domain name, but when the attack occurs, The client receives multiple reply Datagrams. And the reply Datagram returned by the attacker at the time of the attack is simpler than the normal packet. There are no resource records, such as authorization domain and additional domain. In this paper, a detection algorithm based on sniffing statistics is proposed to determine whether there is an attack in the network. At the same time, two detection algorithms are proposed to verify the effectiveness of the algorithm. The experimental results show that the above two detection algorithms can detect the corresponding DNS attacks.
【学位授予单位】：扬州大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【相似文献】