
Research And Design Of Defense System Against DNS Distributed Denial Of Service Attack

Posted on: 2010-06-24
Degree: Master
Type: Thesis
Country: China
Candidate: S Ou
Full Text: PDF
GTID: 2178360278959188
Subject: Cryptography
Abstract/Summary:
The Domain Name System (DNS) is critical infrastructure of the Internet, and its security is a precondition for the network working in an orderly way. Recently, attackers have turned their DDoS attacks toward DNS, so attacks aimed at DNS servers occur frequently and cause great loss to more and more corporations and organizations. Studying how to defend against DNS DDoS attacks is therefore of theoretical and practical significance. This thesis analyses the principles and methods of DDoS attacks against DNS, improves the present defense strategies, and finally designs and implements a defense system against DNS DDoS attacks.

Firstly, the thesis introduces the architecture and working principle of DNS. Then, with reference to the source code of attack programs, the basic principles and methods of the two main DDoS attacks against DNS are discussed, and the characteristics of these two attacks are analysed further. Next, for defending against DNS amplification attacks, the thesis improves the strategy of characteristic-information validation and proposes a new defense system model. By analysing in detail the randomness of each candidate characteristic field, a new method for selecting the characteristic information is proposed, and a hash table is designed as the structure of a high-efficiency characteristic-information buffer. To defend against DNS query DDoS attacks, the thesis makes practical improvements to the hop-filter strategy, using a hash table with time-based updates as the hop table structure. In addition, using the ratio of false flow to correct flow after DNS resolution, a simple, effective and easy-to-implement detection method is presented; the subsequent experiment shows that this method detects the present attack accurately. Finally, to validate the feasibility of the scheme and to allow it to be migrated to the relevant hardware platform, the thesis designs a defense system against DNS DDoS attacks on a Linux system using a modular design method.
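The two query-flood defenses the abstract names, a hop filter with a time-updated hash table and a false-flow/correct-flow ratio detector, as an added illustration that is not the thesis's own code (the thesis text itself is not on this page). It assumes that "hop filter" refers to the generic hop-count filtering idea: the IP TTL of an arriving packet implies how many routers it crossed, and a packet with a forged source address usually shows a hop count that does not match the one previously learned for that address. The table layout (a dict keyed by source IP), the expiry window, tolerance, alarm threshold, initial-TTL set and the sample traffic are all assumptions made for this example.

```python
"""Hop-count filtering and false-flow ratio detection for a DNS query flood.

Illustrative code added to this page, not the thesis's implementation.  The
"hop filter" is assumed to be generic hop-count filtering; table layout,
expiry window, tolerance, threshold and sample traffic are all assumptions.
"""

# Common initial TTL values chosen by operating systems.  The smallest one that
# is >= the observed TTL is assumed to be the sender's initial TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl: int) -> int:
    """Infer the number of hops from the TTL observed on arrival."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    initial = min(t for t in INITIAL_TTLS if ttl <= t)
    return initial - ttl


class HopFilter:
    """Hash table (a dict) from source IP to (hop count, last update time)."""

    def __init__(self, expiry_seconds: float = 600.0, tolerance: int = 0):
        self.table = {}
        self.expiry = expiry_seconds
        self.tolerance = tolerance

    def learn(self, src_ip: str, ttl: int, now: float) -> None:
        """Record or refresh the hop count of a source whose query was validated."""
        self.table[src_ip] = (hop_count(ttl), now)

    def check(self, src_ip: str, ttl: int, now: float) -> bool:
        """True if the packet matches the learned hop count for src_ip.
        Unknown or expired sources pass (and are purged from the table);
        the normal resolution path has to validate them."""
        entry = self.table.get(src_ip)
        if entry is None or now - entry[1] > self.expiry:
            self.table.pop(src_ip, None)
            return True
        return abs(hop_count(ttl) - entry[0]) <= self.tolerance


class FlowRatioDetector:
    """Ratio of queries that failed to resolve ('false flow') to those that
    resolved ('correct flow'); an alarm is raised above a threshold."""

    def __init__(self, threshold: float = 0.5):
        self.threshold, self.correct, self.false = threshold, 0, 0

    def record(self, resolved: bool) -> None:
        if resolved:
            self.correct += 1
        else:
            self.false += 1

    def ratio(self) -> float:
        if self.correct == 0:
            return float("inf") if self.false else 0.0
        return self.false / self.correct

    def under_attack(self) -> bool:
        return self.ratio() > self.threshold


# Constructed sample traffic: (source IP, TTL on arrival, whether the query
# resolves).  Two sources are learned first; the flood then mixes forged
# packets from those addresses with random-name queries from an unknown source.
LEARNED = [("198.51.100.7", 58), ("203.0.113.20", 115)]
TRAFFIC = [
    ("198.51.100.7", 58, True),    # legitimate, 6 hops as learned
    ("203.0.113.20", 115, True),   # legitimate, 13 hops as learned
    ("198.51.100.7", 243, False),  # forged source: 12 hops, expected 6
    ("198.51.100.7", 120, False),  # forged source: 8 hops, expected 6
    ("203.0.113.20", 100, False),  # forged source: 28 hops, expected 13
    ("192.0.2.50", 60, False),     # unknown source, non-existent name
    ("192.0.2.50", 60, False),
    ("192.0.2.50", 60, False),
    ("198.51.100.7", 58, True),
]


def run_demo(now: float = 100.0) -> dict:
    """Feed the constructed traffic through the filter and the detector."""
    hop_filter = HopFilter()
    detector = FlowRatioDetector(threshold=0.5)
    for ip, ttl in LEARNED:
        hop_filter.learn(ip, ttl, now)
    dropped = forwarded = 0
    for ip, ttl, resolves in TRAFFIC:
        if not hop_filter.check(ip, ttl, now + 1):
            dropped += 1  # hop count contradicts the learned value
            continue
        forwarded += 1
        detector.record(resolves)  # outcome of the resolution attempt
    return {"dropped": dropped, "forwarded": forwarded,
            "false_ratio": detector.ratio(), "alarm": detector.under_attack()}


if __name__ == "__main__":
    print(run_demo())
```

The hop filter alone cannot stop queries that arrive from real (unforged) sources, which is why the ratio detector is kept as a second signal: forwarded queries that never resolve inflate the false flow, and the alarm fires once that flow outweighs the correct flow by the configured factor. In a real deployment the expiry window would be tuned to how often legitimate resolvers' paths change, and the tolerance raised to absorb routine route fluctuation.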
Keywords/Search Tags:DNS, DDoS attack, hashtable, defense system, linux