
Measurement Of Domain Name System Extensions And Security

Posted on: 2020-12-28
Degree: Master
Type: Thesis
Country: China
Candidate: D J Zhou
Full Text: PDF
GTID: 2428330620953248
Subject: Computer technology
Abstract/Summary:
As the basic service of the Internet, the main function of the Domain Name System (DNS) is to provide a mapping between domain names and IP addresses. Almost all Internet activities start with DNS queries; therefore, the security of DNS is tied to the safe and stable operation of the global Internet. Unfortunately, the DNS protocol lacked security considerations at the beginning of its design, making it vulnerable to attacks, and improper deployment of domain name servers exacerbates the risk of attack in the real world. In February 2019, Google, ISC, PowerDNS, Cisco, Cloudflare and many other well-known DNS software and service providers jointly launched a push for mandatory deployment of Extension Mechanisms for DNS (EDNS0). If a DNS server does not support the EDNS0 extension, it is marked as service unavailable and the domain name cannot be resolved properly. The number of DNS servers with potential availability issues is not known, and the impact on the availability and efficiency of global domain name services cannot be assessed. As an important means of analyzing and understanding the network, network measurement gives a full picture of the network's operational and security status and is of great significance for maintaining network security and stability. However, existing research is limited by its data sets, lacks measurement of DNS extensions, and measures security threats incompletely. To address these problems, this thesis proposes measurement methods for DNS extensions and multiple security threats, and designs and implements a measurement prototype system based on them. The measurement methods are validated by large-scale network measurement. Finally, this thesis constructs a DNS malicious traffic data set from the data accumulated by the prototype system, which provides a data source for research on DNS traffic detection and attack analysis. The main work and results of this thesis are as follows:

(1) Propose a set of measurement techniques that use active probing to measure multiple types of security threats and extension support on DNS servers. In view of the limited data sets of existing research, the lack of measurement of DNS extensions, and incomplete security measurement, this thesis proposes a new DNS extension and security threat measurement method using Passive DNS as the data set. Passive DNS has accumulated the domain names that have appeared on the network in the past four years, so the coverage of the data set is greatly improved. Based on an actual network deployment example, the DNS extension availability measurement method is derived from an analysis of the impact of network intermediate devices on the measurement. The repetitive steps in single security threat measurements are optimized, forming a comprehensive measurement method for authoritative server security problems. In addition, mitigation measures for the impact on the measured targets during the measurement process are proposed. Compared with existing research, the measurement method has the advantages of speed and accuracy, comprehensive measurement, and strong scalability.

(2) Build a prototype system for the scalability and security threat measurement of DNS servers in large-scale networks. Aiming at the large volume and low quality of raw Passive DNS data, and according to the hierarchical structure of DNS, this thesis proposes a data cleaning method that checks the validity of second-level domain names, which effectively improves the data cleaning effect and reduces the scale of the data set. At the same time, the system uses multi-point measurement, which improves measurement accuracy by analyzing and integrating the results of each measurement point. The measurement prototype system consists of a domain name data processing module, a network measurement module, and a database module. The effectiveness of the measurement method was confirmed by the authoritative server measurement experiment on the China Education Network. At present, the system has processed more than 300 million Passive DNS records, which verifies the availability and stability of the system for large-scale network-wide measurement.

(3) Design and implement a DNS malicious traffic data set generation and processing scheme. In view of the difficulty of generating various kinds of malicious traffic and the immaturity of traffic data anonymization, the scheme obtains malicious traffic from the measurement prototype system, network honeypots, and a malware sandbox, and obtains background traffic from the authoritative server of edu.cn and the entrance and exit of the campus network. At the same time, to avoid the risk of privacy leakage from traffic in the data set as well as exposing vulnerable servers, the data packets are strictly anonymized from the data link layer to the application layer. In addition, to prevent malicious traffic from being identified through side channels, the network card hardware parameters are generalized and the time stamps are corrected, which further enriches and deepens the anonymization scheme and retains the DNS malicious traffic characteristics while fully protecting data privacy. Tsinghua University and Qi'anxin Group successfully used this scheme to host the DataCon Secure Big Data Competition, which proved the effectiveness of the data processing solution...
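The EDNS0 availability probe the abstract describes, as an added example that is not the thesis's own code: it builds a query carrying an OPT pseudo-record and buckets a reply as EDNS0-capable, OPT-stripping, FORMERR, timeout or foreign transaction. The bucket names, the constructed sample replies and the 1232-byte advertised payload size are this example's own assumptions.

```python
import struct

# Added example (not the thesis's code): build an EDNS0 probe and classify the reply.
def _encode_name(qname: str) -> bytes:        # wire-format labels, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split(".")) + b"\x00"

def build_edns0_query(qname: str, txid: int = 0x1234, udp_size: int = 1232) -> bytes:
    """Query for <qname>/A with RD set and one OPT pseudo-RR (TYPE 41) in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)      # root name; CLASS carries payload size
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name; a compression pointer is a two-byte terminator."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify_edns0_reply(query: bytes, reply: bytes) -> str:
    """Classify one probe/reply pair the way an availability measurement would bucket it."""
    if not reply:
        return "timeout"                       # nothing came back (server or middlebox dropped the probe)
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "bad-id"                        # not our transaction; never count it
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", reply[2:12])
    if flags & 0x000F == 1:
        return "formerr"                       # RCODE 1: server rejected the OPT record outright
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4       # QTYPE + QCLASS
    saw_opt = False
    for _ in range(an + ns + ar):              # walk every RR; an EDNS0 server echoes an OPT RR
        off = _skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        saw_opt |= rtype == 41
    return "edns0" if saw_opt else "no-edns0"

def make_reply(query: bytes, with_opt: bool, rcode: int = 0) -> bytes:
    """Constructed sample reply: echoes the question, adds one A record, optionally an OPT RR."""
    question = query[12:_skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if with_opt else b""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1, 0, int(with_opt))
    return header + question + answer + opt
```

A real probe would send `build_edns0_query(...)` over UDP to each authoritative server and feed the raw reply (or `b""` on timeout) to `classify_edns0_reply`; the "no-edns0" and "formerr" buckets are the servers the abstract says would be marked unavailable.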
Keywords/Search Tags: Network security, DNS security, network measurement, traffic analysis, traffic anonymization