Method, device and system for processing DNS behavior

US 9,967,269 B2
Filed: 03/19/2015
Issued: 05/08/2018
Est. Priority Date: 04/04/2014
Status: Active Grant

First Claim

Patent Images

1. A method for processing Domain Name System (DNS) behavior, comprising:

parsing a received network data packet;

determining a DNS behavior type corresponding to the network data packet according to a parse result;

determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;

transferring the network data packet to the determined processing body;

processing the network data packet by the determined processing body, wherein the processing the network data packet by the determined processing body further comprises;

when the determined processing body is the kernel,detecting the network data packet and filtering a DNS attack behavior carried in the network data packet by the kernel, andtransferring the filtered network data packet to the application layer for processing;

wherein the method further comprises following steps to determine that the DNS attack behavior is carried in the network data packet;

calculating a feature code of the network data packet;

judging whether the feature code is a feature code of the DNS attack behavior;

if yes, then determining that the DNS attack behavior is carried in the network data packet; and

if not, then determining that the DNS attack behavior is not carried in the network data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a method, device and system for processing DNS behavior. The method comprises: resolving received network data packet; judging a DNS behavior type corresponding to the network data packet according to the resolution result; determining a processing body according to the DNS behavior type, wherein the processing body comprises a kernel and/or an application layer; and transferring the network data packet to the determined processing body, and processing the network data packet by the determined processing body. The method in the disclosure can improve the DNS defense capability, while improving the service processing capability of a single machine.

Citations

13 Claims

1. A method for processing Domain Name System (DNS) behavior, comprising:
- parsing a received network data packet;
  
  determining a DNS behavior type corresponding to the network data packet according to a parse result;
  
  determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;
  
  transferring the network data packet to the determined processing body;
  
  processing the network data packet by the determined processing body, wherein the processing the network data packet by the determined processing body further comprises;
  
  when the determined processing body is the kernel,detecting the network data packet and filtering a DNS attack behavior carried in the network data packet by the kernel, andtransferring the filtered network data packet to the application layer for processing;
  
  wherein the method further comprises following steps to determine that the DNS attack behavior is carried in the network data packet;
  
  calculating a feature code of the network data packet;
  
  judging whether the feature code is a feature code of the DNS attack behavior;
  
  if yes, then determining that the DNS attack behavior is carried in the network data packet; and
  
  if not, then determining that the DNS attack behavior is not carried in the network data packet.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the step of determining a processing body according to the DNS behavior type, comprises:
    - when the DNS behavior type is an attack behavior, determining the processing body to be the kernel; and
      
      when the DNS behavior type is a domain name resolution behavior, determining the processing body to be the application layer.
  - 3. The method according to claim 1, wherein the feature code comprises:
    - a number of received network data packets from one IP within a designated period; and
      
      a number of received network data packets from one domain name within a designated period.
  - 4. The method according to claim 1, wherein after the transferring the filtered network data packet to the application layer for processing, the method further comprises:
    - when a root node or other corresponding domain name resolution is abnormal, constructing a virtual root system by an authorization database through a BGP Anycast mode, and guiding all visits to a root domain name server to a virtual root domain node server to externally provide DNS resolution services.
  - 5. The method according to claim 4, wherein when a DNS server fails and is unable to be repaired in time, the DNS of a user is repaired onto a resolvable safe DNS, so as to ensure that the user on network is able to use the network;
    - andafter the failure of the DNS server is repaired, the DNS configuration of the user is restored onto the DNS server.

6. A computing device, comprising:
- a memory having instructions stored thereon;
  
  a processor configured to execute the instructions to perform operations for processing Domain Name System (DNS) behavior, the operations comprising;
  
  parsing a received network data packet;
  
  determining a DNS behavior type corresponding to the network data packet according to a parse result;
  
  determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;
  
  transferring the network data packet to the determined processing body;
  
  processing the network data packet by the determined processing body;
  
  wherein the processor is further configured to execute instructions to perform following operations so as to determine that a DNS attack behavior is carried in the network data packet;
  
  calculating a feature code of the network data packet;
  
  judging whether the feature code is a feature code of the DNS attack behavior;
  
  if yes, then determining that the DNS attack behavior is carried in the network data packet; and
  
  if not, then determining that the DNS attack behavior is not carried in the network data packet.
- View Dependent Claims (7, 8)
- - 7. The computing device according claim 6, wherein the determining a processing body according to the DNS behavior type further comprises:
    - when the DNS behavior type is an attack behavior, determining the processing body to be kernel; and
      
      when the DNS behavior type is a domain name resolution behavior, determining the processing body to be the application layer.
  - 8. The computing device according claim 7, wherein the feature code comprises:
    - a number of received network data packets from one IP within a designated period; and
      
      a number of received network data packets from one domain name within a designated period.

9. A non-transitory computer readable medium having computer programs stored thereon that, when executed by one or more processors of a computing device, cause the computing device to perform:
- parsing a received network data packet;
  
  determining a Domain Name System (DNS) behavior type corresponding to the network data packet according to a parse result;
  
  determining a processing body according to the DNS behavior type, wherein the processing body comprises at least one of a kernel and an application layer;
  
  transferring the network data packet to the determined processing body;
  
  processing the network data packet by the determined processing body, wherein the processing the network data packet by the determined processing body further comprises;
  
  when the determined processing body is the kernel,detecting the network data packet and filtering a DNS attack behavior carried in the network data packet by the kernel, andtransferring the filtered network data packet to the application layer for processing;
  
  wherein the non-transitory computer readable medium further comprises computer programs stored thereon that, when executed by one or more processors of a computing device, cause the computing device to perform following steps to determine that the DNS attack behavior is carried in the network data packet;
  
  calculating a feature code of the network data packet;
  
  judging whether the feature code is a feature code of the DNS attack behavior;
  
  if yes, then determining that the DNS attack behavior is carried in the network data packet; and
  
  if not, then determining that the DNS attack behavior is not carried in the network data packet.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The non-transitory computer readable medium according to claim 9, wherein the determining a processing body according to the DNS behavior type, comprises:
    - when the DNS behavior type is an attack behavior, determining the processing body to be the kernel; and
      
      when the DNS behavior type is a domain name resolution behavior, determining the processing body to be the application layer.
  - 11. The non-transitory computer readable medium according to claim 9, wherein the feature code comprises:
    - a number of received network data packets from one IP within a designated period; and
      
      a number of received network data packets from one domain name within a designated period.
  - 12. The non-transitory computer readable medium according to claim 9, wherein after the transferring the filtered network data packet to the application layer for processing, the computing device is further caused to perform:
    - when a root node or other corresponding domain name resolution is abnormal, constructing a virtual root system by an authorization database through a BGP Anycast mode, and guiding all visits to a root domain name server to a virtual root domain node server to externally provide DNS resolution services.
  - 13. The non-transitory computer readable medium according to claim 12, wherein when a DNS server fails and is unable to be repaired in time, the DNS of a user is repaired onto a resolvable safe DNS, so as to ensure that the user on network is able to use the network;
    - andafter the failure of the DNS server is repaired, the DNS configuration of the user is restored onto the DNS server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
Zhou, Hongyi, Pu, Can, Tan, Xiaosheng
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/301,938
Publication Number

US 20170118232A1
Time in Patent Office

1,146 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Method, device and system for processing DNS behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method, device and system for processing DNS behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links