DNS攻击检测与安全防护研究综述

doi:10.11959/j.issn.1000-0801.2022248

摘要/Abstract

摘要：

随着传统互联网逐渐向“互联网+”演变，域名系统（domain name system，DNS）从基础的地址解析向全面感知、可靠传输等新模式不断扩展。新场景下的DNS由于功能的多样性和覆盖领域的广泛性，一旦受到攻击会造成严重的后果，因此DNS攻击检测与安全防护方面的研究持续进行并越来越受到重视。首先介绍了几种常见的DNS攻击，包括DNS欺骗攻击、DNS隐蔽信道攻击、DNS DDoS（distributed denial of service）攻击、DNS 反射放大攻击、恶意 DGA 域名；然后，从机器学习的角度出发对这些攻击的检测技术进行了系统性的分析和总结；接着，从DNS去中心化、DNS加密认证、DNS解析限制3个方面详细介绍了DNS的安全防护技术；最后，对未来的研究方向进行了展望。

关键词: 域名系统, DNS攻击检测, 安全防护, 机器学习

Abstract:

With the gradual evolution of the traditional Internet to “Internet+”, the domain name system (DNS) had been continuously expanding from basic address resolution to new models such as comprehensive perception and reliable transmission.Due to the diverse functions and the extensive coverage of DNS in the new scenario, it will cause serious consequences once attacked.Therefore, the research on DNS attack detection and security protection continues and attracts more and more attention.Firstly, several common DNS attacks were introduced, including DNS spoofing, DNS covert channel, DNS distributed denial of service (DDoS) attack, DNS reflection amplification attacks, and malicious DGA domain names.Subsequently, these DNS attack detection technologies were systematically analyzed and summarized from the machine learning perspective.Then, the DNS security protection technologies were sorted out in decentralization, authenticated encryption and limited resolution.Finally, some future research directions were proposed.

Key words: domain name system, DNS attack detection, security protection, machine learning

中图分类号:

TP393

章坚武, 安彦军, 邓黄燕. DNS攻击检测与安全防护研究综述[J]. 电信科学, 2022, 38(9): 1-17.

Jianwu ZHANG, Yanjun AN, Huangyan DENG. A survey on DNS attack detection and security protection[J]. Telecommunications Science, 2022, 38(9): 1-17.

图/表 8

图1

图2

图3

表1

表2

表3

表4

表5

参考文献 20

[20]	WANG H . Research on machine learning based abnormal DNS traffic detection[D]. Nanjing:Nanjing University of Posts and Telecommunications, 2019.
[21]	戴云伟, 沈春苗 . DNS的RPZ安全防护系统的构建配置与验证[J]. 计算机系统应用, 2022,31(3): 129-135.
	DAI Y W , SHEN C M . Construction,configuration and verification of DNS RPZ protection system[J]. Computer Systems ＆Applications, 2022,31(3): 129-135.
[22]	DAS A , SHEN M Y , SHASHANKA M ,et al. Detection of exfiltration and tunneling over DNS[C]// Proceedings of 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA). Piscataway:IEEE Press, 2017: 737-742.
[23]	AIELLO M , MONGELLI M , PAPALEO G . Basic classifiers for DNS tunneling detection[C]// Proceedings of 2013 IEEE Symposium on Computers and Communications (ISCC). Piscataway:IEEE Press, 2013: 880-885.
[24]	ALMUSAWI A , AMINTOOSI H . DNS tunneling detection method based on multilabel support vector machine[J]. Security and Communication Networks, 2018.
[25]	BUCZAK A L , HANKE P A , CANCRO G J ,et al. Detection of tunnels in PCAP data by random forests[C]// Proceedings of the 11th Annual Cyber and Information Security Research Conference.[S.l.:s.n.], 2016: 1-4.
[26]	章思宇, 邹福泰, 王鲁华 ,等. 基于 DNS 的隐蔽通道流量检测[J]. 通信学报, 2013,34(5): 143-151.
	ZHANG S Y , ZOU F T , WANG L H ,et al. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications, 2013,34(5): 143-151.
[27]	YANG P , LI Y , ZHANG Y . Detecting DNS covert channels using stacking model[J]. China Communications, 2020,17(10): 183-194.
[28]	BUBNOV Y . DNS tunneling detection using feed forward neural network[J]. European Journal of Engineering and Technology Research, 2018,3(11): 16-19.
[29]	PALAU F , CATANIA C , GUERRA J ,et al. Detecting DNS threats:a deep learning model to rule them all[C]// Proceedings of Simposio Argentino de Inteligencia Artificial.[S.l.:s.n.], 2019: 1-12.
[30]	张猛, 孙昊良, 杨鹏 . 基于改进卷积神经网络识别DNS隐蔽信道[J]. 通信学报, 2020,41(1): 169-179.
	ZHANG M , SUN H L , YANG P . Identification of DNS covert channel based on improved convolutional neural network[J]. Journal on Communications, 2020,41(1): 169-179.
[31]	LIU C , DAI L , CUI W ,et al. A byte-level CNN method to detect DNS tunnels[C]// Proceedings of 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC). Piscataway:IEEE Press, 2019: 1-8.
[32]	CHEN S , LANG B , LIU H ,et al. DNS covert channel detection method using the LSTM model[J]. Computers ＆ Security, 2021(104): 102095.
[33]	TAKEUCHI Y , YOSHIDA T , KOBAYASHI R ,et al. Detection of the DNS water torture attack by analyzing features of the subdomain name[J]. Journal of Information Processing, 2016,24(5): 793-801.
[34]	CHEN L , ZHANG Y , ZHAO Q ,et al. Detection of DNS DDoS attacks with random forest algorithm on spark[J]. Procedia Computer Science, 2018(134): 310-315.
[35]	TREJO L A , FERMAN V , MEDINA M A ,et al. DNS-ADVP:a machine learning anomaly detection and visual platform to protect top-level domain name servers against DDoS attacks[J]. IEEE Access, 2019(7): 116358-116369.
[36]	BALLANI H , FRANCIS P . Mitigating DNSDoS attacks[C]// Proceedings of the 15th ACM Conference on Computer and Communications Security. New York:ACM Press, 2008: 189-198.
[37]	WEI M L , LU Y C , ZHEN M L . Alleviating the impact of DNS DDoS attacks[C]// Proceedings of 2010 Second International Conference on Networks Security,Wireless Communications and Trusted Computing. Piscataway:IEEE Press, 2010: 240-243.
[38]	MAHJABIN T , XIAO Y , LI T ,et al. Load distributed and benign-bot mitigation methods for IoT DNS flood attacks[J]. IEEE Internet of Things Journal, 2019,7(2): 986-1000.
[39]	JARI A , AVOKH A . PSO-based sink placement and load-balanced anycast routing in multi-sink WSNs considering compressive sensing theory[J]. Engineering Applications of Artificial Intelligence, 2021(100): 104164.
[40]	WANG Z . An elastic and resiliency defense against DDoS attacks on the critical DNS authoritative infrastructure[J]. Journal of Computer and System Sciences, 2019(99): 1-26.
[41]	YIN D , ZHANG L , YANG K . A DDoS attack detection and mitigation with software-defined Internet of Things framework[J]. IEEE Access, 2018(6): 24694-24705.
[42]	LAL S , TALEB T , DUTTA A . NFV:Security threats and best practices[J]. IEEE Communications Magazine, 2017,55(8): 211-217.
[43]	TOURANI R , MISRA S , Mick T ,et al. Security,privacy,and access control in information-centric networking:a survey[J]. IEEE communications surveys ＆ tutorials, 2017,20(1): 566-600.
[44]	陶乃勇 . DDoS 放大攻击原理及防护方法[J]. 电信网技术, 2017(10): 89-93.
	TAO N Y . The principle and protection methods of DDoS amplification attack[J]. Telecommunications Network Technology, 2017(10): 89-93.
[45]	MOWBRAY M , HAGEN J . Finding domain-generation algorithms by looking at length distribution[C]// Proceedings of 2014 IEEE International Symposium on Software Reliability Engineering Workshops. Piscataway:IEEE Press, 2014: 395-400.
[46]	AHLUWALIA A , TRAORE I , GANAME K ,et al. Detecting broad length algorithmically generated domains[C]// Procee dings of International Conference on Intelligent,Secure,and Dependable Systems in Distributed and Cloud Environments.[S.l.:s.n.], 2017: 19-34.
[47]	AGYEPONG E , BUCHANAN W J , JONES K . Detection of algorithmically generated malicious domain[C]// Proceedings of 6th International Conference of Advanced Computer Science ＆Information Technology.[S.l.:s.n.], 2018.
[48]	ANTONAKAKIS M , PERDISCI R , NADJI Y ,et al. From throw-away traffic to bots:detecting the rise of DGA-based malware[C]// Proceedings of 21st Security Symposium.[S.l.:s.n.], 2012: 491-506.
[49]	ZHOU Y , LI Q , MIAO Q ,et al. DGA-based botnet detection using DNS traffic[J]. Journal of Internet Services and Information Security. 2013,3(3/4): 116-123.
[50]	BISIO F , SAELI S , LOMBARDO P ,et al. Real-time behavioral DGA detection through machine learning[C]// Proceedings of 2017 International Carnahan Conference on Security Technology (ICCST). Piscataway:IEEE Press, 2017: 1-6.
[51]	PU Y , CHEN X , PU Y ,et al. A clustering approach for detecting auto-generated Botnet domains[C]// Proceedings of International Conference on Applications and Techniques in Information Security.[S.l.:s.n.], 2015: 269-279.
[52]	LUO X , WANG L , XU Z ,et al. DGAsensor:fast detection for DGA-based malwares[C]// Proceedings of the 5th International Conference on Communications and Broadband Networking.[S.l.:s.n.], 2017: 47-53.
[53]	XU S , LI S Q , MENG K ,et al. An adaptive malicious domain detection mechanism with DNS traffic[C]// Proceedings of the 2017 VI International Conference on Network,Communication and Computing.[S.l.:s.n.], 2017: 86-91.
[54]	STEVANOVIC M , PEDERSEN J M , ALCONZO a ,et al. A method for identifying compromised clients based on DNS traffic analysis[J]. International Journal of Information Security, 2017,16(2): 115-132.
[55]	BILGE L , SEN S , BALZAROTTI D ,et al. Exposure:A passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security, 2014,16(4): 1-28.
[56]	BARUCH M , DAVID G . Domain generation algorithm detection using machine learning methods[M]. Cyber security:power and technology.[S.l.:s.n.], 2018: 133-161.
[57]	MAC H , TRAN D , TONG V ,et al. DGA botnet detection using supervised learning methods[C]// Proceedings of the Eighth International Symposium on Information and Communication Technology.[S.l.:s.n.], 2017: 211-218.
[58]	WOODBRIDGE J , ANDERSON H S , AHUJA A ,et al. Predicting domain generation algorithms with long short-term memory networks[J]. arXiv preprint,2016,arXiv:1611.00791.
[59]	TRAN D , MAC H , TONG V ,et al. A LSTM based framework for handling multiclass imbalance in DGA botnet detection[J]. Neurocomputing, 2018(275): 2401-2413.
[60]	CHEN Y , PANG B , SHAO G ,et al. DGA-based botnet detection toward imbalanced multiclass learning[J]. Tsinghua Science and Technology, 2021,26(4): 387-402.
[61]	VINAYAKUMAR R , SOMAN K P , POORNACHANDRAN P ,et al. Evaluating deep learning approaches to characterize and classify the DGAs at scale[J]. Journal of Intelligent ＆ Fuzzy Systems, 2018,34(3): 1265-1276.
[62]	ANDERSON H S , WOODBRIDGE J , FILAR B . DeepDGA:adversarially-tuned domain generation and detection[C]// Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2016: 13-21.
[63]	王媛媛, 吴春江, 刘启和 ,等. 恶意域名检测研究与应用综述[J]. 计算机应用与软件, 2019,36(9): 310-316.
	WANG Y Y , WU C J , LIU Q H ,et al. Overview of malicious domain Name detection and application[J]. Computer Applications and Software, 2019,36(9): 310-316.
[64]	BENSHOOF B , ROSEN A , BOURGEOIS A G ,et al. Distributed decentralized domain name service[C]// Proceedings of 2016 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW). Piscataway:IEEE Press, 2016: 1279-1287.
[65]	YIN S , TENG Y , HU N ,et al. Decentralization of DNS:old problems and new challenges[C]// Proceedings of the 2020 International Conference on Cyberspace Innovation of Advanced Technologies.[S.l.:s.n.], 2020: 335-341.
[66]	陈烨, 许冬瑾, 肖亮 . 基于区块链的网络安全技术综述[J]. 电信科学, 2018,34(3): 10-16.
	CHEN Y , XU D J , XIAO L . Survey on network security based on blockchain[J]. Telecommunications Science, 2018,34(3): 10-16.
[67]	KIM J Y . A comparative study of block chain:Bitcoin· Namecoin· MediBloc[J]. Journal of Science and Technology Studies, 2018,18(3): 217-255.
[68]	ALI M , NELSON J , SHEA R ,et al. Blockstack:a global naming and storage system secured by blockchains[C]// Proceedings of 2016 USENIX Annual Technical Conference (USENIX ATC 16).[S.l.:s.n.], 2016: 181-194.
[69]	胡宁, 邓文平, 姚苏 . 互联网 DNS 安全研究现状与挑战[J]. 网络与信息安全学报, 2017,3(3): 13-21.
	HU N , DENG W P , YAO S . Issues and challenges of Internet DNS security[J]. Chinese Journal of Network and Information Security, 2017,3(3): 13-21.
[70]	CHUNG T , VAN R , CHOFFNES D ,et al. Understanding the role of registrars in DNSSEC deployment[C]// Proceedings of the 2017 Internet Measurement Conference.[S.l.:s.n.], 2017: 369-383.
[71]	ZOU F , ZHANG S , PEI B ,et al. Survey on domain name system security[C]// Proceedings of 2016 IEEE First International Conference on Data Science in Cyberspace (DSC). Piscataway:IEEE Press, 2016: 602-607.
[72]	YU L , ZHANG W , WANG J ,et al. Seqgan:sequence generative adversarial nets with policy gradient[C]// Proceedings of the AAAI Conference on Artificial Intelligence.[S.l.:s.n.], 2017,31(1).
[73]	NADLER A , AMINOV A , SHABTAI A . Detection of malicious and low throughput data exfiltration over the DNS protocol[J]. Computers ＆ Security, 2019,80: 36-53.
[74]	ZHUANG T , LIU W F , DONG L I . DNS root domain name analysis system based on block chain[J]. Telecommunications Science, 2018,34(3): 17.
[75]	ZARRIN J , PHANG H W , SAHEER L B ,et al. Blockchain for decentralization of internet:prospects,trends and challenges[J]. Cluster Computing, 2021: 1-26.
[76]	MISHRA S , TRIPATHY N , MISHRA B K ,et al. Analysis of security issues in cloud environment[J]. Security Designs for the Cloud,IoT,and Social Networking, 2019: 19-41.
[77]	POPLI M , . A survey on cloud security issues and challenges[C]// Proceedings of 2019 6th International Conference on Computing for Sustainable Global Development (INDIACom). Piscataway:IEEE Press, 2019: 230-235.
[78]	ALLMAN M , . Comments on DNS robustness[C]// Proceedings of the Internet Measurement Conference 2018.[S.l.:s.n.], 2018: 84-90.
[1]	KHANNA A , KAUR S . Internet of things (IoT),applications and challenges:a comprehensive review[J]. Wireless Personal Communications, 2020,114(2): 1687-1762.
[2]	LIU Y , XIAO F . Intelligent monitoring system of residential environment based on cloud computing and Internet of things[J]. IEEE Access, 2021(99): 58378-58389.
[3]	ZENG Z , QI L . “Internet + artificial intelligence” human resource information management system construction innovation and research[J]. Mathematical Problems in Engineering, 2021,2021(6): 1-11.
[4]	倪思洁 . 互联网域名系统国家工程研究中心主任毛伟：网络根基恐被“卡脖子”,下一步往哪走[N]. 中国科学报, 2022-01-06(3).
	NI S J . Director of the National Engineering Research Center for the Internet Domain Name System:the foundation of the Internet may be stuck,where to go next[N]. China Science Daily, 2022 2022-01-06(3).
[5]	王文通, 胡宁, 刘波 ,等. DNS安全防护技术研究综述[J]. 软件学报, 2020,31(7): 2205-2220.
	WANG W T , HU N , LIU B ,et al. Survey on technology of security enhancement for DNS[J]. Journal of Software, 2020,31(7): 2205-2220.
[6]	VACCARI I , NARTENI S , AIELLO M ,et al. Exploiting Internet of things protocols for malicious data exfiltration activities[J]. IEEE Access, 2021(9): 104261-104280.
[7]	TUSHIR B , DALAL Y , DEZFOULI B ,et al. A quantitative study of DDoS and E-DDoS attacks on Wi-Fi smart home devices[J]. IEEE Internet of Things Journal, 2020,8(8): 6282-6292.
[8]	ABHISHTA A , VAN R , NIEUWENHUIS L J M . Measuring the impact of a successful DDoS attack on the customer behaviour of managed DNS service providers[J]. ACM SIGCOMM Computer Communication Review, 2019,48(5): 70-76.
[9]	域名国家工程研究中心. 下一代DNS,牢筑关键信息基础设施安全[EB]. 2022.
	Domain Name National Engineering Research Center. Next-generation DNS,strengthening the security of critical information infrastructure[EB]. 2022.
[10]	李杰 . DNS欺骗和缓存中毒攻击的检测[D]. 成都:电子科技大学, 2015.
	LI J . The detection of DNS spoofing and cache poisoning attack[D]. Chengdu:University of electronic science and technology of China, 2015.
[11]	LAMPSON B W . A note on the confinement problem[J]. Communications of the ACM, 1973,16(10): 613-615.
[12]	李彦峰, 丁丽萍, 吴敬征 ,等. 网络隐蔽信道关键技术研究综述[J]. 软件学报, 2019,30(8): 2470-2490.
	LI Y F , DING L P , WU J Z ,et al. Survey on key issues in networks covert channel[J]. Journal of Software, 2019,30(8): 2470-2490.
[13]	WANY Y , ZHOU A , LIAO S ,et al. A comprehensive survey on DNS tunnel detection[J]. Computer Networks, 2021(197): 108322.
[14]	FARNHAM G , ATLASIS A . Detecting DNS tunneling[J]. SANS Institute InfoSec Reading Room, 2013(9): 1-32.
[15]	AHMED J , GHARAKHEILI H H , RAZA Q ,et al. Monitoring enterprise DNS queries for detecting data exfiltration from internal hosts[J]. IEEE Transactions on Network and Service Management, 2019,17(1): 265-279.
[16]	KOLIAS C , KAMBOURAKIS G , STAVROU A ,et al. DDoS in the IoT:Mirai and other botnets[J]. Computer, 2017,50(7): 80-84.
[17]	JOW J , XIAO Y , HAN W . A survey of intrusion detection systems in smart grid[J]. International Journal of Sensor Networks, 2017,23(3): 170-186.
[18]	GREENSTEIN S . The aftermath of the Dyn DDoS attack[J]. IEEE Micro, 2019,39(4): 66-68.
[19]	PATSAKIS C , CASINO F , KATOS V . Encrypted and covert DNS queries for botnets:challenges and countermeasures[J]. Computers ＆ Security, 2020(88): 101614.
[20]	王浩 . 基于机器学习的异常 DNS 流量检测研究[D]. 南京:南京邮电大学, 2019.

攻击方式	攻击原理	攻击后果
DNS欺骗	修改DNS缓存或劫持DNS请求	网络钓鱼、信息窃取
DNS隐蔽信道	利用DNS数据包封装信息	发送恶意指令，窃取隐私信息
DNS DDoS攻击	直接耗尽服务器带宽资源	丧失网络服务能力，造成经济损失
DNS反射放大攻击	间接耗尽服务器带宽资源	丧失网络服务能力，造成经济损失
恶意DGA域名	使用DGA生成大量恶意域名	网络中存在大量恶意域名，破坏系统安全性能
漏洞攻击	利用缓存区溢出、访问权限等漏洞	破坏系统安全性能
域名渗透攻击	注册合法顶点域名的子域名	网络钓鱼、信息窃取
蠕虫攻击	基于各种木马病毒	传播计算机病毒、勒索病毒

特征		描述
载荷特征	DNS请求/响应的大小	隐蔽信道通常在请求和响应中放入尽可能多的数据导致长域名
	主机名的熵	隐蔽域名无意义表现为每个字符的均匀使用，具有较高的熵
	域名中数字字符所占百分比	合法域名很少使用数字，经过编码的域名会含有大量的数字
	最长有意义字符串百分比	合法域名通常具有一定含义，隐蔽信道域名随机性强、无意义
	域名中不同字符个数	域名中不同字符过多时通常存在隐蔽信道
	字符频率	合法域名是通用语言的体现，遵循齐普夫定律，字符会集中到高频字符
	连续的辅音字母	合法域名为了方便发音不会使用连续的辅音字母
	不常用资源记录类型	正常信道一般没有TXT记录，DNS隐蔽信道可能会存在大量的TXT记录
流量特征	每个IP地址的DNS流量总量	特定客户端IP地址由于轮询服务器产生大量流量
	每个域名的DNS流量总量	DNS隐蔽信道通过特定受控的域名传输数据，造成该域名流量较大
	DNS服务器的地理位置	大量的DNS流量流向无关未知区域，很可能是隐蔽信道造成的
	历史域名信息	隐蔽信道域名通常是最近生成的，造成最近添加的未知的NS/A记录
	孤独的DNS请求	DNS请求通常在另一个请求之前发出，例如通过HTTP的Web页面请求

机器学习类型	文献	所用算法	分类方式	依赖特征提取
传统机器学习	文献[23]	SVM	二分类	是
	文献[24]	Multi-SVM	多分类	是
	文献[25]	RF	二分类	是
	文献[26]	DT	二分类	是
	文献[27]	KNN、SVM、RF	二分类	是
深度学习	文献[28]	CNN	多分类	是
	文献[24]	MC-CNN	二分类	是
	文献[30]	Letnet-5	二分类	是
	文献[31]	BYTE-CNN	二分类	否
	文献[32]	LSTM	二分类	否

网络	优点	缺点
RNN	具有一定记忆能力，对序列特征学习具有一定优势	只有短期记忆能力，容易出现梯度消失、梯度爆炸现象，且对随机性低的域名产生较高的误报
LSTM	相比 RNN 具有长期学习能力，在文本学习和自然语言处理等领域被广泛应用	对随机性低的域名产生较高的误报
GAN	通过对生成对抗样本的训练，具有一定预测未来 DGA变体域名的能力	处理离散序列数据存在生成器难以传递梯度更新，判别器难以评估完整的序列数据的缺陷

学习方式	机器学习类型	文献	所用算法	分类方式	依赖特征提取	代价敏感
无监督学习		文献[50]	K-means	二分类	是	否
		文献[51]	K-means	二分类	是	否
监督学习	传统机器学习	文献[52]	RF	多分类	是	否
		文献[53]	RF	二分类	是	否
		文献[54]	DT RF	二分类	是	否
		文献[55]	DT	二分类	是	否
		文献[56]	SVM KNN	二分类	是	否
		文献[57]	SVM	多分类	是	否
	深度学习	文献[58]	LSTM	多分类	否	否
		文献[59]	LSTM	多分类	否	是
		文献[60]	LSTM	多分类	否	是
		文献[61]	RNN	二分类	否	否
		文献[62]	GAN	二分类	否	否