Abstract
The existing mechanisms of the domain name system cannot effectively verify the source of the information in domain name resolution requests and responses, so an attacker can forge data to attack the DNS. Based on an analysis of the security weaknesses of the DNS, this paper proposes a transparent-proxy security component that authenticates and filters resolution requests and responses without changing the architecture or communication mechanisms of the existing DNS. The transparent proxy runs in two operating modes, a selective re-query mode and a security label query mode, and switches dynamically between them according to the security requirements and the risk level. Simulation analysis shows that this architecture greatly reduces the success rate of attacks on the DNS and noticeably improves system security, while having only a small effect on the average query time and network throughput.
Existing mechanisms in the domain name system (DNS) cannot verify the information sources of DNS requests and responses, which means an attacker can forge data to trick the DNS. To address this problem, this study analyzes the underlying DNS security weakness and develops a security component called a "transparent proxy", which verifies and filters DNS requests and responses and can be deployed on the existing DNS without modifying the DNS itself. The proxy has two operating modes, a selective re-query mode and a security label query mode. The system dynamically switches between these two modes according to the security requirements and the current risk level. Simulations show that the proxy dramatically reduces the success probability of attacks on the DNS, improves system security, and has an acceptable impact on the mean query time and network throughput.
Source
Journal of Tsinghua University (Science and Technology)
Indexed in: EI, CAS, CSCD, Peking University Core Journals
2011, No. 10, pp. 1318-1322, 1328 (6 pages)
Funding
National Natural Science Foundation of China, key project (90818021)
National High-Tech R&D Program of China ("863" Program) project (2010AA012502)