Method, device and system for processing DNS behavior
Abstract
The invention provides a method, device and system for processing DNS behavior. The method comprises: resolving a received network data packet; judging a DNS behavior type corresponding to the network data packet according to the resolution result; determining a processing body according to the DNS behavior type, wherein the processing body comprises a kernel and/or an application layer; and transferring the network data packet to the determined processing body, and processing the network data packet by the determined processing body. The method in the disclosure can improve the DNS defense capability, while improving the service processing capability of a single machine.
13 Claims
1. A method for processing Domain Name System (DNS) behavior, comprising:
parsing a received network data packet;
determining a DNS behavior type corresponding to the network data packet according to a parse result;
determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;
transferring the network data packet to the determined processing body;
processing the network data packet by the determined processing body, wherein the processing the network data packet by the determined processing body further comprises:
when the determined processing body is the kernel, detecting the network data packet and filtering a DNS attack behavior carried in the network data packet by the kernel, and transferring the filtered network data packet to the application layer for processing;
wherein the method further comprises following steps to determine that the DNS attack behavior is carried in the network data packet:
calculating a feature code of the network data packet;
judging whether the feature code is a feature code of the DNS attack behavior;
if yes, then determining that the DNS attack behavior is carried in the network data packet; and
if not, then determining that the DNS attack behavior is not carried in the network data packet.
Dependent claims: 2, 3, 4, 5
6. A computing device, comprising:
a memory having instructions stored thereon;
a processor configured to execute the instructions to perform operations for processing Domain Name System (DNS) behavior, the operations comprising:
parsing a received network data packet;
determining a DNS behavior type corresponding to the network data packet according to a parse result;
determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;
transferring the network data packet to the determined processing body;
processing the network data packet by the determined processing body;
wherein the processor is further configured to execute instructions to perform following operations so as to determine that a DNS attack behavior is carried in the network data packet:
calculating a feature code of the network data packet;
judging whether the feature code is a feature code of the DNS attack behavior;
if yes, then determining that the DNS attack behavior is carried in the network data packet; and
if not, then determining that the DNS attack behavior is not carried in the network data packet.
Dependent claims: 7, 8
9. A non-transitory computer readable medium having computer programs stored thereon that, when executed by one or more processors of a computing device, cause the computing device to perform:
parsing a received network data packet;
determining a Domain Name System (DNS) behavior type corresponding to the network data packet according to a parse result;
determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;
transferring the network data packet to the determined processing body;
processing the network data packet by the determined processing body, wherein the processing the network data packet by the determined processing body further comprises:
when the determined processing body is the kernel, detecting the network data packet and filtering a DNS attack behavior carried in the network data packet by the kernel, and transferring the filtered network data packet to the application layer for processing;
wherein the non-transitory computer readable medium further comprises computer programs stored thereon that, when executed by one or more processors of a computing device, cause the computing device to perform following steps to determine that the DNS attack behavior is carried in the network data packet:
calculating a feature code of the network data packet;
judging whether the feature code is a feature code of the DNS attack behavior;
if yes, then determining that the DNS attack behavior is carried in the network data packet; and
if not, then determining that the DNS attack behavior is not carried in the network data packet.
Dependent claims: 10, 11, 12, 13
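The pipeline the claims describe (parse the packet, determine the DNS behavior type, pick the kernel or the application layer, match a feature code against known attack codes), modelled in user-space Python as an added example that is not code from the patent. The routing table, the hash-based feature code and the sample attack signature are assumptions; the claims do not define them.

```python
import hashlib
import struct

QTYPE_A, QTYPE_AXFR, QTYPE_ANY = 1, 252, 255
# Assumed routing policy; the claims only say the body depends on the behavior type.
BODY_FOR = {"query": "kernel", "response": "application", "zone_transfer": "application"}

def parse(packet: bytes) -> dict:
    """Parse the DNS header and the single question; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    labels, pos = [], 12
    while True:
        n = packet[pos] if pos < len(packet) else 64
        if n > 63 or pos + 1 + n > len(packet):
            raise ValueError("truncated or invalid question name")
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].lower())
        pos += n
    if qdcount != 1 or len(packet) < pos + 4:
        raise ValueError("expected exactly one complete question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"response": bool(flags & 0x8000), "qname": b".".join(labels), "qtype": qtype}

def behavior_type(p: dict) -> str:
    if p["response"]:
        return "response"
    return "zone_transfer" if p["qtype"] == QTYPE_AXFR else "query"

def feature_code(p: dict) -> str:
    """Assumed feature code: hash of (qname, qtype); the transaction ID is excluded."""
    return hashlib.sha256(p["qname"] + b"|%d" % p["qtype"]).hexdigest()[:16]

def make_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a constructed sample query."""
    qname = b"".join(bytes([len(l)]) + l for l in name.encode().split(b".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed attack signature: ANY queries for one name (an amplification-style pattern).
ATTACK_CODES = {feature_code({"qname": b"amp.example", "qtype": QTYPE_ANY})}

def process(packet: bytes) -> tuple:
    p = parse(packet)
    body = BODY_FOR[behavior_type(p)]
    if body == "kernel" and feature_code(p) in ATTACK_CODES:
        return ("kernel", "dropped")
    return ("application", "forwarded")  # filtered packets continue to the application layer
```

Because the assumed feature code ignores the transaction ID and the case of the name, a flood that varies only those fields still maps to a single code.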
Specification