Research Of Anomalous DNS Behaviors Based On Fast-flux

Posted on: 2019-05-21
Degree: Master
Type: Thesis
Country: China
Candidate: A C Li
Full Text: PDF
GTID: 2428330542455572
Subject: Communication and Information System
Abstract/Summary:
The Domain Name System (DNS) provides users with a mapping between domain names and IP addresses and is an integral part of the current Internet. Many Internet applications depend on DNS, so the security of DNS determines the security of the Internet to a great extent. From another perspective, DNS messages also contain user information. Filtering DNS attack messages and ensuring the secure operation of DNS is therefore critical to the security of the entire Internet. At present, the most popular DNS attack is fast-flux, a new kind of attack technique built on botnets. Because its multi-level structure makes it concealed and robust, it poses many hidden dangers to network security. Moreover, fast-flux behavior resembles the way a large website rotates among the IP addresses of its multiple servers, which makes it much harder to tell the purpose behind a DNS message. This thesis therefore focuses on the DNS messages produced by fast-flux attackers and identifies the differences between attack messages and normal messages. The accuracy of the algorithm is greatly improved and the false alarm rate is reduced. The main content of the thesis includes:
(1) It presents the DNS-related protocols and explains the structure and details of DNS messages. Taking the structure of botnets as a foundation, it clarifies the operating method and attack behavior of fast-flux.
(2) After analyzing why fast-flux is hard to detect, it puts forward two concepts, current-carrying balance and load avoidance, to distinguish two behaviors that use the same IP-switching technique, one to provide service and the other to attack.
(3) Having identified four characteristics of fast-flux DNS messages and verified them with a large amount of data, it improves the logistic regression algorithm and uses it to calculate the probability that a domain name is anomalous.
Keywords/Search Tags: DNS, Fast-flux, Botnet, Logistic Regression