
Detection Of Anomalous DNS Behaviors

Posted on: 2013-06-19
Degree: Master
Type: Thesis
Country: China
Candidate: B B Hu
GTID: 2298330467964253
Subject: Communication and Information System

Abstract/Summary:
The Domain Name System, serving as the "GPS" that locates computers on the network, maps domain names to IP addresses and IP addresses to domain names in a distributed database. Countless applications such as the World Wide Web, e-mail, news networks, IM, P2P and VoIP all depend on the resource records stored in that database. Because DNS is so important, any deliberate attack on it or damage to it can affect the normal operation of the whole Internet. Historical reasons account for the complexity and vulnerability of DNS, so when confronted with the full range of abnormalities, security researchers should stay calm and divide and conquer the problems.

Given that many attacks and disruptions target DNS or rely on it, this thesis focuses on only two kinds of DNS anomaly: Frequent DNS Queries and Numerous DNS Failures, referred to as FDQ and NDF anomalies for convenience. Rather than denoting one specific abnormality, each stands for the whole class of abnormal behaviors that share its characteristics.

Through theoretical analysis and simulation on DNS query and DNS failure data, this thesis establishes a model of normal DNS queries and a model of normal DNS failures at a finer time granularity. To the author's knowledge, this is the first time a DNS failure model has been established in DNS research. The modeling results indicate that normal DNS query data follows a heavy-tailed distribution, while normal DNS failure data follows a binomial distribution. Building on these observations, the thesis uses real DNS traffic as an example and discusses how to decide whether an FDQ or NDF anomaly has occurred. The methods quantify the difference between normal and abnormal DNS queries and define the difference between normal and abnormal DNS failures.

Current abnormal-DNS detection in backbone networks faces a performance bottleneck, and the anomaly judgment above can only give the time and position of abnormal points without further details. To address both, this thesis proposes a detection algorithm based on a Counting Bloom Filter that uses hash aggregation, removes a limitation of the standard Counting Bloom Filter, and hashes domain-name and IP-address strings with a direct bit-selecting mapping function. This not only reduces the false positive rate but also makes the reverse hashing step much easier. Comparison with other common algorithms shows its advantage in both time consumption and space occupation.

Finally, applying all of the above to real backbone network data effectively confirms the soundness of the judgment criteria and the validity of the algorithm, and reveals the complete scene information while pointing out the abnormal points.
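The following is an added illustration of the detection idea sketched in the abstract and is not the thesis's own code: a Counting Bloom Filter counts DNS queries per client and DNS failures per domain so that, once a time window trips the FDQ or NDF threshold, the responsible keys can be looked up without storing a full per-key table. The thesis's direct bit-selecting mapping function and its hash-aggregation variant are not reproduced; seeded SHA-256 stands in for the hash family, the `FAILURE_RCODES` set, the thresholds and the log records are all constructed for the example, and the candidate keys passed to `report` are assumed to come from the window being inspected.

```python
import hashlib

# Constructed assumption: which response codes count as a "DNS failure".
FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


class CountingBloomFilter:
    """Counting Bloom filter: each key maps to k counters; its estimated
    count is the minimum of those counters (an overestimate on collision,
    never an underestimate). Supports removal, unlike a plain Bloom filter."""

    def __init__(self, size=4096, num_hashes=4):
        self.size = size
        self.num_hashes = num_hashes
        self.counters = [0] * size

    def _indexes(self, key):
        # Assumption: seeded SHA-256 in place of the thesis's own
        # direct bit-selecting mapping function over the key string.
        data = key.encode()
        for seed in range(self.num_hashes):
            digest = hashlib.sha256(bytes([seed]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, key, n=1):
        for idx in self._indexes(key):
            self.counters[idx] += n

    def remove(self, key, n=1):
        # Only decrement keys that were actually added, or counters go negative.
        for idx in self._indexes(key):
            self.counters[idx] = max(0, self.counters[idx] - n)

    def estimate(self, key):
        return min(self.counters[idx] for idx in self._indexes(key))


class DnsWindowDetector:
    """Aggregates one time window of DNS records: total query and failure
    counts for the FDQ/NDF judgment, plus two Counting Bloom Filters that
    let the detector name the client or domain behind an anomaly."""

    def __init__(self, size=4096, num_hashes=4):
        self.queries_by_client = CountingBloomFilter(size, num_hashes)
        self.failures_by_domain = CountingBloomFilter(size, num_hashes)
        self.total_queries = 0
        self.total_failures = 0

    def ingest(self, client_ip, qname, rcode):
        self.total_queries += 1
        self.queries_by_client.add(client_ip)
        if rcode in FAILURE_RCODES:
            self.total_failures += 1
            self.failures_by_domain.add(qname)

    def report(self, candidate_clients, candidate_domains,
               fdq_threshold, ndf_threshold):
        """Return (FDQ clients, NDF domains) whose estimated counts exceed
        the per-key thresholds. Candidate keys are assumed to be supplied
        by the caller (e.g. the distinct keys seen in this window)."""
        fdq = sorted(c for c in candidate_clients
                     if self.queries_by_client.estimate(c) > fdq_threshold)
        ndf = sorted(d for d in candidate_domains
                     if self.failures_by_domain.estimate(d) > ndf_threshold)
        return fdq, ndf


# Constructed sample window: one noisy client and one domain that keeps failing.
SAMPLE_RECORDS = (
    [("10.0.0.5", "host%d.example.com" % i, "NOERROR") for i in range(12)]
    + [("10.0.0.7", "example.com", "NOERROR"),
       ("10.0.0.7", "mail.example.com", "NOERROR")]
    + [("10.0.0.%d" % (20 + i), "bad-example.test", "NXDOMAIN") for i in range(6)]
)


def run_sample(fdq_threshold=10, ndf_threshold=4):
    detector = DnsWindowDetector()
    clients, domains = set(), set()
    for client_ip, qname, rcode in SAMPLE_RECORDS:
        detector.ingest(client_ip, qname, rcode)
        clients.add(client_ip)
        domains.add(qname)
    return detector, detector.report(clients, domains, fdq_threshold, ndf_threshold)


if __name__ == "__main__":
    det, (fdq, ndf) = run_sample()
    print("queries=%d failures=%d" % (det.total_queries, det.total_failures))
    print("FDQ clients:", fdq, "NDF domains:", ndf)
```

Two counter arrays of a few thousand integers replace a per-client and per-domain hash table, which is the space saving the abstract refers to; the price is that `estimate` can overcount when all k counters of a key collide with other keys, so the thresholds should be set with that false-positive rate in mind and the filter sized for the expected number of distinct keys per window.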
Keywords/Search Tags: DNS query, DNS failure, Counting Bloom Filter, Anomaly detection