DNS protection solution

Release date:2018-05-21

1. Industry background and demand

As Internet business continues to develop, competition within the industry has become fierce and malicious attacks between websites are unending. These attacks often take the form of fake (non-existent) domain name requests. As the receiver of DNS requests in the metropolitan area network, the operator's DNS system is frequently hit by this kind of attack, which can take Internet service down across the whole network. On May 19, 2009, a DDoS attack caused DNS failures in six provinces across the country, leaving users unable to access the Internet for several hours. DNS security problems of all kinds continue to emerge: on June 22, 2009, New Network Interconnection issued a notice confirming that its DNS servers had been attacked, and on January 12, 2010, Baidu's DNS service was hijacked. These incidents not only caused economic losses to the units and companies involved but also did enormous damage to their reputations.

Typical DNS attacks in a network include:

DNS Query Flood attack

The most common type of DDoS attack aimed specifically at DNS servers. Botnet hosts under attacker control continuously send DNS query packets, usually for domain names that do not exist; we call this a fake domain name query attack. Because the local DNS cache holds no record for such names, every query forces a full iterative lookup. Once the attack reaches a certain volume, CPU utilization rises, responses slow down, and normal users' queries receive no answer from the DNS server. The queried domain names and the source IPs change constantly, which makes blocking even harder.

DNS cache poisoning

An attacker can forge the response of a DNS authoritative server by guessing fields such as the message ID (transaction ID) and the transport-layer port number used during DNS resolution. Such an attack ultimately leaves the poisoned DNS server handing out wrong resolution results, which direct users to the wrong network address, such as a phishing site.
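The defense against the guessing attack described above is on the resolver side: a response is accepted only if its transaction ID and destination port match an outstanding query, and its question section matches as well; everything else is dropped and counted. The following is an added illustration, not code from the original page or from DPtech. The names PendingTable, Query, Response, guess_space and poisoning_suspected, the port range and the alert threshold are all my own assumptions for this toy model.

```python
import secrets
from dataclasses import dataclass

# Constructed toy model of a resolver's outstanding-query table. The names
# PendingTable, Query, Response, guess_space and poisoning_suspected are my own
# for this illustration; they are not DPtech APIs.

TXID_SPACE = 1 << 16                # the DNS message ID is 16 bits
PORT_LOW, PORT_HIGH = 1024, 65535   # ephemeral source-port range used here (assumption)


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int      # port the response was sent to; must equal the query's source port
    qname: str
    qtype: str
    answer: str


class PendingTable:
    """Outstanding queries keyed by (txid, source port).

    A response is accepted only if its txid and destination port match an
    outstanding query and its question section (qname, qtype) matches too.
    Anything else is dropped and counted, which is the trace a forger leaves.
    """

    def __init__(self):
        self._pending = {}
        self.accepted = 0
        self.rejected = 0

    def send(self, qname, qtype):
        # Unpredictable txid and source port: a blind forger must guess both.
        txid = secrets.randbelow(TXID_SPACE)
        sport = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW)
        q = Query(txid, sport, qname.lower(), qtype)
        self._pending[(txid, sport)] = q
        return q

    def receive(self, resp):
        key = (resp.txid, resp.dport)
        q = self._pending.get(key)
        if q is None or q.qname != resp.qname.lower() or q.qtype != resp.qtype:
            self.rejected += 1
            return None
        del self._pending[key]   # one answer per query; a late duplicate is rejected
        self.accepted += 1
        return resp.answer


def guess_space(randomize_port):
    """Number of (txid, port) combinations a blind forger must cover."""
    ports = (PORT_HIGH - PORT_LOW) if randomize_port else 1
    return TXID_SPACE * ports


def poisoning_suspected(table, threshold=100):
    """Detection rule: a burst of rejected responses means someone is guessing."""
    return table.rejected >= threshold


if __name__ == "__main__":
    t = PendingTable()
    q = t.send("www.example.com", "A")
    forged = Response(q.txid ^ 0x5A5A, q.sport, "www.example.com", "A", "192.0.2.66")
    genuine = Response(q.txid, q.sport, "www.example.com", "A", "192.0.2.1")
    print("forged  ->", t.receive(forged))
    print("genuine ->", t.receive(genuine))
    print("guess space without / with port randomization:",
          guess_space(False), guess_space(True))
```

The point of guess_space is the arithmetic behind the page's remark: with a fixed source port a forger only has to cover the 16-bit message ID, while a randomized port multiplies the space by the number of usable ports; the rejected counter is what a monitoring rule would watch.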

Attack against BIND system

At present most DNS servers run BIND (Berkeley Internet Name Domain), open source DNS server software developed at the University of California, Berkeley. Although BIND has reached version 9 and has received a series of functional and performance improvements, it remains constrained by its history; and because there are now tens of thousands of DNS servers spread across the world and closely dependent on one another, large-scale rectification is very difficult. The whole DNS system has therefore faced serious security hazards for a long time.


The importance of the DNS system as the foundation of Internet services is self-evident. To ensure DNS performance and reliability, several technical measures can be adopted: expanding system capacity and DNS processing performance, protecting the system with a firewall, separating the recursive and caching roles in the system architecture, and load sharing based on IP Anycast. Most of these measures, however, only raise the processing capacity of the DNS system; they cannot block the various malicious attack packets, above all fake domain name attacks, before they reach the DNS system.



2. DPtech solution

The DPtech DNS protection system improves DNS performance and strengthens system protection at the same time, forming the most reliable DNS protection solution.



Networking scheme: the internal network of a cache service node uses IP Anycast or a layer-4 switch server cluster. In either topology, the DPtech DNS protection scheme is deployed in transparent in-line (series-connection) mode and can be introduced into both networking modes without disruption.


The DPtech DNS protection scheme offers a variety of protection mechanisms that together protect the DNS system effectively:

DDoS attack protection

DNS requests are counted along dimensions such as source IP, region and domain name, so that abnormal changes in traffic are detected promptly; malicious packets and malicious clients are then screened out and blocked by intelligent fingerprint identification, behavioral feature analysis, active client probing and similar means. Besides scrubbing DNS Query Floods, the system can also defend against other DDoS attacks such as TCP floods, SYN Floods and GET floods.

Flow speed limit

Traffic alarms and rate limits can be configured by source IP, domain name, request type and other criteria. For example, attack identification and defense based on a per-source-IP QPS threshold effectively stops a small number of sources from sending large volumes of DNS requests. Attack identification and defense based on a per-domain QPS threshold (full domain name, or aggregated at the second or third level) effectively prevents incidents like the Storm Player event.

Request type filtering: DNS defines many request types, but normal traffic should consist only of standard queries. Adding the request type to the judgement rules allows packets to be filtered by request type.
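The three controls described in this section (per-source-IP QPS threshold, per-domain QPS threshold aggregated at the second or third level, and request type filtering) can be shown together in one small filter that also handles the fake domain name flood from the attack overview: random subdomains of one zone collapse onto a single per-domain counter. The code below is an added example, not DPtech's implementation; DnsGuard, SlidingWindow, aggregate_domain and run_sample are my own names, the limits and the allowed-type set are illustrative values, and the traffic fed through it is constructed.

```python
from collections import Counter, defaultdict, deque

# Constructed example. DnsGuard, aggregate_domain, SlidingWindow and run_sample are
# my own names for this illustration, not DPtech product interfaces. The limits and
# the allowed-type set are illustrative values (assumptions), not vendor defaults.

SOURCE_QPS_LIMIT = 50     # per-source-IP threshold
DOMAIN_QPS_LIMIT = 200    # per-aggregated-domain threshold
ALLOWED_QTYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}


def aggregate_domain(qname, levels=2):
    """Collapse a query name to its last `levels` labels so random-subdomain floods
    against one zone are counted together (e.g. x1.victim.example -> victim.example)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


class SlidingWindow:
    """Counts events per key inside a trailing time window (seconds)."""

    def __init__(self, window=1.0):
        self.window = window
        self._events = defaultdict(deque)

    def hit(self, key, now):
        dq = self._events[key]
        dq.append(now)
        while dq and dq[0] <= now - self.window:
            dq.popleft()
        return len(dq)


class DnsGuard:
    def __init__(self, source_limit=SOURCE_QPS_LIMIT, domain_limit=DOMAIN_QPS_LIMIT,
                 domain_levels=2):
        self.source_limit = source_limit
        self.domain_limit = domain_limit
        self.domain_levels = domain_levels
        self.by_source = SlidingWindow()
        self.by_domain = SlidingWindow()

    def check(self, src_ip, qname, qtype, opcode, now):
        """Return 'pass' or 'drop:<reason>' for one query; cheapest checks run first."""
        if opcode != "QUERY":                 # request-type filter: only standard queries
            return "drop:opcode"
        if qtype not in ALLOWED_QTYPES:       # e.g. ANY is not expected from normal clients
            return "drop:qtype"
        if self.by_source.hit(src_ip, now) > self.source_limit:
            return "drop:source_qps"
        zone = aggregate_domain(qname, self.domain_levels)
        if self.by_domain.hit(zone, now) > self.domain_limit:
            return "drop:domain_qps"
        return "pass"


def run_sample():
    """Feed a constructed traffic mix through the guard and tally the verdicts."""
    guard = DnsGuard()
    verdicts = Counter()
    # One source sending 80 random-subdomain queries within one second.
    for i in range(80):
        verdicts[guard.check("198.51.100.7", f"h{i}.victim.example",
                             "A", "QUERY", i * 0.01)] += 1
    # Ten sources, 30 queries each, against the same zone: no single source trips
    # the per-source limit, but the aggregated zone counter does.
    for s in range(10):
        for j in range(30):
            verdicts[guard.check(f"203.0.113.{s + 1}", f"b{s}-{j}.victim.example",
                                 "A", "QUERY", 0.5 + j * 0.01)] += 1
    # Ordinary client traffic plus two filtered request types.
    verdicts[guard.check("10.0.0.99", "www.example.com", "A", "QUERY", 0.9)] += 1
    verdicts[guard.check("10.0.0.99", "example.com", "ANY", "QUERY", 0.91)] += 1
    verdicts[guard.check("10.0.0.99", "example.com", "A", "UPDATE", 0.92)] += 1
    return verdicts


if __name__ == "__main__":
    for verdict, n in sorted(run_sample().items()):
        print(f"{verdict:16s} {n}")
```

In the constructed run the single heavy source loses everything past its 50th query, the distributed flood is stopped by the zone counter once victim.example exceeds 200 queries in the window, and the legitimate www.example.com lookup passes untouched. Counting by aggregated zone rather than by full name is what makes the per-domain threshold useful against a flood whose labels never repeat.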

DNS cache

The DNS protection device also acts as a DNS cache, which lowers the performance demanded of the system's cache service; it can also recognize and filter the packets that would otherwise have to be handled by the recursive server, protecting the recursive server effectively.

Error domain name redirection

To strengthen traffic management, requests for invalid domain names can be redirected to a pre-built web page.


3. Why choose DPtech?

Prominent protective capacity

DPtech's DNS protection equipment combines a variety of protection technologies, and by combining different technical means it effectively blocks all kinds of attacks on the DNS system: illegal IP, UDP and DNS packets, malicious attack packets such as cache poisoning and fake domain name queries, and so on. It also provides QPS traffic alarms and rate limits based on IP and domain name.

Rich DNS business features

DPtech DNS protection equipment can provide a large number of highly customized services for the deeper development of DNS business. Typical customized services include error domain name redirection, DNS system backup and traffic forwarding, and DNS traffic analysis and data mining.

Both security and cache capabilities

DPtech's DNS protection device includes a DNS cache module, which greatly reduces the performance demanded of the DNS system's cache service, precisely restricts the recursive queries caused by fake domain names, and effectively protects the recursive server.

High performance

DPtech's DNS protection equipment offers million-level cache response and security protection capacity, which fully meets the performance requirements of the provincial DNS nodes of the existing major operators and allows for the continued growth of future services.

One-stop scheme

DPtech DNS protection equipment provides a one-stop solution combining DNS protection, load balancing and other functions, simplifying the network structure, reducing the difficulty of system operation and maintenance, and improving system reliability.