DNS denial of service attack protection

US 9,756,071 B1
Filed: 09/16/2014
Issued: 09/05/2017
Est. Priority Date: 09/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method for a Domain Name System proxy server to protect a data network from a Domain Name Service (DNS) denial of service attack, the method comprising:

receiving a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;

determining the domain name included in the DNS UDP request does not match with a plurality of domain names in a DNS entry table at a shared cache in the DNS proxy server, wherein the determining further comprises one or more of;

detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources;

responding to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;

querying a DNS server for the domain name in the DNS TCP request;

receiving a DNS response from the DNS server; and

determining, based at least on the DNS response, that the first DNS UDP request from the client is characteristic of a DNS denial of service attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary embodiments for protecting a data network from a DNS denial of service attack are disclosed. The systems and methods provide for the use of a shared DNS cache between DNS UDP and DNS TCP proxy servers, to enable detection and mitigation of DNS denial of service attacks.

198 Citations

19 Claims

1. A method for a Domain Name System proxy server to protect a data network from a Domain Name Service (DNS) denial of service attack, the method comprising:
- receiving a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;
  
  determining the domain name included in the DNS UDP request does not match with a plurality of domain names in a DNS entry table at a shared cache in the DNS proxy server, wherein the determining further comprises one or more of;
  
  detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources;
  
  responding to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;
  
  querying a DNS server for the domain name in the DNS TCP request;
  
  receiving a DNS response from the DNS server; and
  
  determining, based at least on the DNS response, that the first DNS UDP request from the client is characteristic of a DNS denial of service attack.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the responding to the client to retry the DNS UDP request as a DNS TCP request comprises responding to the client with a truncated (TC) bit set.

3. A method for a Domain Name System proxy server to protect a data network from a Domain Name Service (DNS) denial of service attack, the method comprising:
- receiving a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;
  
  determining the domain name included in the DNS UDP request does not match with a plurality of domain names in a DNS entry table of a shared cache at the DNS proxy server, wherein the determining further comprises one or more of;
  
  detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources;
  
  responding to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;
  
  querying a DNS server for the domain name in the DNS TCP request;
  
  receiving a DNS response from the DNS server in response to the DNS TCP request;
  
  determining from the DNS response to the second DNS TCP request that the first DNS UDP request from the client is not characteristic of a DNS denial of service attack; and
  
  forwarding the received DNS response to the client.
- View Dependent Claims (4, 5, 6)
- - 4. The method of claim 3, wherein the DNS proxy server creates a DNS entry in the DNS entry table of the shared cache of the DNS proxy server for the DNS response to the DNS TCP request.
  - 5. The method of claim 3, wherein the shared cache at the DNS proxy server is used to respond to future DNS TCP requests and future DNS UDP requests.
  - 6. The method of claim 3, further comprising:
    - receiving a DNS UDP request from a second client;
      
      determining a domain name included in the DNS UDP request does match with a plurality of domain names in a DNS entry table at the shared cache of the DNS proxy server; and
      
      responding to the client with a DNS response.

7. A system for protecting a data network from a Domain Name Service (DNS) denial of service attack, the system comprising:
- a DNS proxy server configured to;
  
  receive a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;
  
  determine the domain name included in the DNS UDP request does not match a plurality of domain names in a DNS entry table at a shared cache of the DNS proxy server, the determination comprising one or more of;
  
  detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources; and
  
  respond to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;
  
  query a DNS server for the domain name in the DNS TCP request;
  
  receive a DNS response from the DNS server; and
  
  determine based at least on the DNS response, that the first DNS UDP request from the client is characteristic of a DNS denial of service attack.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the DNS proxy server responding to the client to retry the first DNS UDP request as a second DNS TCP request comprises responding to the client with a truncated (TC) bit set.
  - 9. The system of claim 7, wherein the DNS proxy server is further configured to:
    - query a DNS server for the domain name in the DNS TCP request;
      
      receive a DNS response from the DNS server; and
      
      forward the DNS response to the client.
  - 10. The system of claim 9, wherein the DNS proxy server creates a DNS entry in the DNS entry table of the DNS proxy server for the DNS response.
  - 11. The system of claim 9, wherein the DNS proxy server stores the DNS entry from the DNS response in the DNS entry table in order to respond to future DNS requests.
  - 12. The system of claim 7, wherein if there is a match between the domain name in the DNS request and a domain name of a DNS entry of DNS entry table, the DNS proxy server sends a DNS response using the DNS entry to the client.
  - 13. The system of claim 7, wherein the DNS proxy server is further configured to:
    - query a network controller for the domain name in the DNS TCP request;
      
      receive DNS information from the network controller; and
      
      forward the DNS information to the client.

14. A system for protecting a data network from a Domain Name Service (DNS) denial of service attack, the system comprising:
- a DNS proxy server with a plurality of ports, the DNS proxy server configured to;
  
  receive a DNS request from a client at a first port of the DNS proxy server;
  
  determine a domain name included in the DNS request does not match a plurality of domain names in a DNS entry table at a shared cache of the DNS proxy server, wherein the determining further comprises one or more of;
  
  detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources; and
  
  respond to the client to retry the DNS request at a second port of the DNS proxy server;
  
  receive a DNS request at the second port of the DNS proxy server;
  
  query a DNS server for the domain name in the DNS request received at the second port of the DNS proxy server;
  
  receive a DNS response from the DNS server; and
  
  determine, based at least on the DNS response, that the DNS request received at the first port of the DNS server is characteristic of a DNS denial of service attack.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the received DNS request is a UDP request.
  - 16. The system of claim 14, wherein the received DNS request is a TCP request.
  - 17. The system of claim 14, wherein the domain name in the DNS request is a name of a network device.
  - 18. The system of claim 14, wherein the DNS proxy server creates a DNS entry in the DNS entry table of the DNS proxy server for the DNS response.
  - 19. The system of claim 14, wherein the DNS proxy server stores the DNS entry from the DNS response in the DNS entry table in order to respond to future DNS requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Golshan, Ali
Primary Examiner(s)
Doan, Trang

Application Number

US14/487,834
Time in Patent Office

1,085 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

H04L 61/4511   using domain name system [DNS]

H04L 61/58   Caching of addresses or names

H04L 63/0281   Proxies

H04L 63/1458   Denial of Service

DNS denial of service attack protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

198 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

DNS denial of service attack protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

198 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others