| 基于透明代理的域名系统隐患分析与防御策略 |
| |
| 引用本文: | 彭勇,范乐君,陈冬青,程学旗. 基于透明代理的域名系统隐患分析与防御策略[J]. 清华大学学报(自然科学版), 2011, 0(10): 1318-1322,1328 |
| |
| 作者姓名: | 彭勇 范乐君 陈冬青 程学旗 |
| |
| 作者单位: | 中国信息安全测评中心;中国科学院计算技术研究所;中国科学院研究生院; |
| |
| 基金项目: | 国家自然科学基金重点资助项目(90818021); 国家“八六三”高技术项目(2010AA012502) |
| |
| 摘 要: | 域名系统现有机制无法对域名解析请求和应答的信息来源进行有效确认,使得攻击者能够伪造数据对域名系统进行攻击,该文在对域名系统安全隐患分析的基础上,提出了一种透明代理的安全组件,不需改变现有域名系统的架构与通信机制,实现了对域名解析请求和应答信息的鉴别与过滤。该透明代理运行在2种工作模式即选择性重查询模式和安全标签查询模式,能够根据安全要求和风险水平在2种模式之间进行动态切换。仿真分析表明:这种架构使得攻击域名系统的成功率大为降低,明显提高了系统安全性,同时对系统平均查询时间和网络吞吐率影响较小。
|
| 关 键 词: | 透明代理 选择性重查询模式 安全标签查询模式 |
DNS hidden danger analysis and defense strategy based on transparent proxies |
| |
| PENG Yong,FAN Lejun,,CHEN Dongqing,CHENG Xueqi. DNS hidden danger analysis and defense strategy based on transparent proxies[J]. Journal of Tsinghua University(Science and Technology), 2011, 0(10): 1318-1322,1328 |
| |
| Authors: | PENG Yong FAN Lejun CHEN Dongqing CHENG Xueqi |
| |
| Affiliation: | PENG Yong1,FAN Lejun2,3,CHEN Dongqing1,CHENG Xueqi2(1.China Information Technology Security Evaluation Center,Beijing 100085,China,2.Institute of Computing Technology,Chinese Academy of Sciences,Beijing 100190,3.Graduate University of the Chinese Academy of Sciences,China) |
| |
| Abstract: | Existing mechanisms in the domain name system(DNS) can not verify the information sources of DNS requests and responses,which means an attacker can forge data to trick the DNS.To address the problem,this study analyzes this DNS hidden danger to develop a security component called transparent proxy which verifies and filters DNS requests and responses and can be easily deployed on the existing DNS without modification of the DNS itself.The proxy has two operating modes,a selective re-query mode and a securit... |
| |
| Keywords: | transparent proxy selective re-query mode security label query mode |
| 本文献已被 CNKI 等数据库收录! |
|
