电子学报 ›› 2017, Vol. 45 ›› Issue (11): 2705-2714.DOI: 10.3969/j.issn.0372-2112.2017.11.018

• 学术论文 • 上一篇    下一篇

一种基于拟态安全防御的DNS框架设计

王禛鹏, 扈红超, 程国振   

  1. 国家数字交换系统工程技术研究中心(NDSC), 河南郑州 450003
  • 收稿日期:2016-10-28 修回日期:2016-12-06 出版日期:2017-11-25
    • 通讯作者:
    • 程国振
    • 作者简介:
    • 王禛鹏,男,1993年出生于湖北黄冈.现为国家数字交换系统工程技术研究中心硕士研究生.主要研究方向为拟态安全防御.E-mail:whuwzp@whu.edu.cn;扈红超,男,1982年出生于河南商丘.现为国家数字交换系统工程技术研究中心副研究员.主要研究方向为网络安全防御和新型网络体系结构.E-mail:13633833568@139.com
    • 基金资助:
    • 国家自然科学基金青年基金 (No.61309020,No.61602509); 国家自然科学基金创新群体项目 (No.61521003); 国家重点研发计划项目 (网络空间拟态防御技术机制研究) (No.2016YFB0800100,No.2016YFB0800101)

A DNS Architecture Based on Mimic Security Defense

WANG Zhen-peng, HU Hong-chao, CHENG Guo-zhen   

  1. National Digital Switching System Engineering & Technological R & D Center, Zhengzhou, Henan 450003, China
  • Received:2016-10-28 Revised:2016-12-06 Online:2017-11-25 Published:2017-11-25
    • Supported by:
    • Youth Fund of National Natural Science Foundation of China (No.61309020, No.61602509); NSFC Innovation Research Group (No.61521003); National Key Research and Development Program of China  (Research on the technology mechanism of mimic defense in Cyberspace)

摘要: 目前针对DNS服务器的恶意攻击频发,如DNS缓存投毒攻击,而DNS安全拓展协议(DNSSEC)在大规模部署时仍面临许多难题.本文提出一种简单易部署的,具有入侵容忍能力的主动防御架构——拟态DNS(Mimic DNS,M-DNS)——保证DNS安全.该架构由选调器和包含多个异构DNS服务器的服务器池组成.首先选调器动态选取若干服务器并行处理请求,然后对各服务器的处理结果采用投票机制决定最终的有效响应.实验仿真表明,相比当前传统架构,M-DNS可以降低缓存投毒攻击成功率约10个数量级.

关键词: DNS, DNS缓存投毒攻击, 拟态安全防御, 动态异构冗余

Abstract: A simple and practical approach is required immediately to safeguard the Domain Name System (DNS) because there are increasing attacks on DNS (such as DNS cache poisoning) and various problems when deploying Domain Name System Security Extensions (DNSSEC) on a large scale.In this paper,we present Mimic DNS (M-DNS),a non-intrusive,tolerant and proactive security architecture,to deal with it.M-DNS is comprised of a scheduler and a server pool which consists of several heterogeneous DNS servers.The scheduler dynamically schedules the DNS servers to handle the requests in parallel and adopts the vote results from the majority of the servers to determine valid responses.Simulation results demonstrate that compared with current traditional frameworks,approximating 10 orders of magnitude reduction in cache poisoning attack probability is acquired when employing M-DNS.

Key words: DNS, DNS cache poisoning attack, mimic security defense, dynamic heterogeneous redundancy

中图分类号: