一种基于拟态安全防御的DNS框架设计

doi:10.3969/j.issn.0372-2112.2017.11.018

电子学报 ›› 2017, Vol. 45 ›› Issue (11): 2705-2714.DOI: 10.3969/j.issn.0372-2112.2017.11.018

一种基于拟态安全防御的DNS框架设计

王禛鹏, 扈红超, 程国振

国家数字交换系统工程技术研究中心(NDSC), 河南郑州 450003

收稿日期:2016-10-28 修回日期:2016-12-06 出版日期:2017-11-25
- 通讯作者:
- 程国振
- 作者简介:
- 王禛鹏,男,1993年出生于湖北黄冈.现为国家数字交换系统工程技术研究中心硕士研究生.主要研究方向为拟态安全防御.E-mail:whuwzp@whu.edu.cn;扈红超,男,1982年出生于河南商丘.现为国家数字交换系统工程技术研究中心副研究员.主要研究方向为网络安全防御和新型网络体系结构.E-mail:13633833568@139.com
- 基金资助:
- 国家自然科学基金青年基金 (No.61309020，No.61602509）; 国家自然科学基金创新群体项目 (No.61521003）; 国家重点研发计划项目 (网络空间拟态防御技术机制研究） (No.2016YFB0800100，No.2016YFB0800101）

A DNS Architecture Based on Mimic Security Defense

WANG Zhen-peng, HU Hong-chao, CHENG Guo-zhen

National Digital Switching System Engineering & Technological R & D Center, Zhengzhou, Henan 450003, China

Received:2016-10-28 Revised:2016-12-06 Online:2017-11-25 Published:2017-11-25
- Supported by:
- Youth Fund of National Natural Science Foundation of China (No.61309020, No.61602509); NSFC Innovation Research Group (No.61521003); National Key Research and Development Program of China (Research on the technology mechanism of mimic defense in Cyberspace)

摘要/Abstract

摘要： 目前针对DNS服务器的恶意攻击频发，如DNS缓存投毒攻击，而DNS安全拓展协议（DNSSEC）在大规模部署时仍面临许多难题.本文提出一种简单易部署的，具有入侵容忍能力的主动防御架构——拟态DNS（Mimic DNS，M-DNS）——保证DNS安全.该架构由选调器和包含多个异构DNS服务器的服务器池组成.首先选调器动态选取若干服务器并行处理请求，然后对各服务器的处理结果采用投票机制决定最终的有效响应.实验仿真表明，相比当前传统架构，M-DNS可以降低缓存投毒攻击成功率约10个数量级.

关键词: DNS, DNS缓存投毒攻击, 拟态安全防御, 动态异构冗余

Abstract: A simple and practical approach is required immediately to safeguard the Domain Name System (DNS) because there are increasing attacks on DNS (such as DNS cache poisoning) and various problems when deploying Domain Name System Security Extensions (DNSSEC) on a large scale.In this paper,we present Mimic DNS (M-DNS),a non-intrusive,tolerant and proactive security architecture,to deal with it.M-DNS is comprised of a scheduler and a server pool which consists of several heterogeneous DNS servers.The scheduler dynamically schedules the DNS servers to handle the requests in parallel and adopts the vote results from the majority of the servers to determine valid responses.Simulation results demonstrate that compared with current traditional frameworks,approximating 10 orders of magnitude reduction in cache poisoning attack probability is acquired when employing M-DNS.

Key words: DNS, DNS cache poisoning attack, mimic security defense, dynamic heterogeneous redundancy

中图分类号:

TP393

王禛鹏, 扈红超, 程国振. 一种基于拟态安全防御的DNS框架设计[J]. 电子学报, 2017, 45(11): 2705-2714.

WANG Zhen-peng, HU Hong-chao, CHENG Guo-zhen . A DNS Architecture Based on Mimic Security Defense[J]. Acta Electronica Sinica, 2017, 45(11): 2705-2714.

参考文献

[1] Jin C,Hao Z Y,Wu Z G.Principles and defense strategies of DNS cache poisoning[J].China Communications,2009,6(4):17-22.
[2] Bassil R,Hobeica R.Security analysis and solution for thwarting cache poisoning attacks in the domain name system[A].Proceedings of the 19th International Conference on Telecommunications[C].Piscataway,USA:IEEE,2012.1-6.
[3] Herzberg A,Shulmanz H.Fragmentation considered poisonous,or:one-domain-to-rule-them-all.org[A].Proceedings of IEEE Conference on Communications and Network Security[C].Washington,USA:IEEE,2013.224-232.
[4] Gilad Y,Herzberg A.Fragmentation considered vulnerable[J].ACM Trans on Information and System Security,2013,15(4):1-31.
[5] Van Rijswijkdeij R,Sperotto A,Pras A.DNSSEC and its potential for DDoS attacks[A].Proceedings of the Internet Measurement Conference[C].New York,USA:ACM/USENIX,2014.449-460.
[6] Wu H,Dang X L,Zhang L,et al.Kalman Filter based DNS cache poisoning attack detection[A].Proceedings of IEEE International Conference on Automation Science and Engineering[C].Piscataway,USA:IEEE,2015.1594-1600.
[7] Wu H,Dang X L,Wang L.D,et al.Information fusion-based method for distributed domain name system cache poisoning attack detection and identification[J].Institution of Engineering and Technology Information Security,2016,10(1):37-44.
[8] 王秀利,王永吉.基于命令紧密度的用户伪装入侵检测方法[J].电子学报,2014,42(6):1225-1229. WANG Xiuli,WANG Yongji.Masquerader detection based on command closeness model[J].Acta Electronica Sinica,2014,42(6):1225-1229.(in Chinese)
[9] Perdisci R,Antonakakis M,Luo X P,et al.WSEC DNS:protecting recursive DNS resolvers from poisoning attacks[A].International Conference on Dependable Systems and Networks[C].Piscataway,USA:IEEE,2009.3-12.
[10] Dagon D,Antonakakis M,Vixie P,et al.Increased DNS forgery resistance through 0x20-bit encoding[A].Proceedings of ACM Conference on Computer and Communications Security[C].Alexandria,USA:ACM,2008.211-222.
[11] Yuan L H,Kant K,Mohapatra P,et al.DoX:a Peer-to-Peer antidote for DNS cache poisoning attacks[A].Proceedings of International Conference on Communications[C].Piscataway,USA:IEEE,2006.2345-2350.
[12] Yuan L,Chen C C,Mohapatra P,et al.A proxy view of quality of domain name service,poisoning attacks and survival strategies[J].ACM Trans on Internet Technology,2013,12(3):321-329.
[13] Fan L J,Wang Y.Z,Cheng X Q,et al.Prevent DNS cache poisoning using security proxy[A].Proceedings of 12th International Conference on Parallel and Distributed Computing,Applications and Technologies[C].Piscataway,USA:IEEE,2011.387-393.
[14] Mohan J,Puranik S,Chandrasekaran K.Reducing DNS cache poisoning attacks[A].Proceedings of International Conference on Advanced Computing and Communication Systems[C].Piscataway,USA:IEEE,2015.1-6.
[15] 邬江兴.拟态计算与拟态安全防御的原意和愿景[J].电信科学,2014:30(7):2-7. Wu Jiangxin.Meaning and vision of mimic computing and mimic security defense[J].Telecommunications Science,2014,30(7):2-7.(in Chinese)
[16] 邬江兴.网络空间拟态防御研究[J].信息安全学报,2016,1(4):1-10. Wu Jiangxin.Research on cyber mimic defense[J].Journal of Cyber Security,2016,1(4):1-10.(in Chinese)
[17] 扈红超,陈福才,王禛鹏.拟态防御DHR模型若干问题探讨和性能评估[J].信息安全学报,2016,1(4):40-51. Hu Hongchao,Chen Fucai,Wang Zhenpeng.Performance evaluations on DHR for cyberspace mimic defense[J].Journal of Cyber Security,2016,1(4):40-51.(in Chinese)
[18] Akhshabi S,Dovrolis C.The evolution of layered protocol stacks leads to an hourglass-shaped architecture[A].Proceedings of ACM Special Interest Group on Data Communication[C].New York,NY:ACM,2011.206-217.
[19] 孔政,姜秀柱.DNS欺骗原理及其防御方案[J].计算机工程,2010,36(3):125-127. Kong Zhu,Jiang Xiuzhu.DNS spoofing principle and its defense scheme[J].Computer Engineering,2010,36(3):125-127.(in Chinese)
[20] Gummadi K,Saroiu S,Gribble S.King:Estimating latency between arbitrary Internet end hosts[A].Proceedings of ACM Internet Measurement Workshop[C].New York,USA:ACM,2002.5-18.

一种基于拟态安全防御的DNS框架设计

A DNS Architecture Based on Mimic Security Defense

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

编辑推荐

Metrics

[1]	郑秋华, 胡程楠, 崔婷婷, 申延召, 曾英佩, 吴铤. 一种基于概率分析的DHR模型安全性分析方法[J]. 电子学报, 2021, 49(8): 1586-1598.
[2]	朱维军, 郭渊博, 黄伯虎. 动态异构冗余结构的拟态防御自动机模型[J]. 电子学报, 2019, 47(10): 2025-2031.