Title: METHOD AND SYSTEM FOR PROTECTING DOMAIN NAME SYSTEM SERVERS AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACKS
Abstract: A DNS server DDoS attack mitigation system is provided, comprising a DNS cache module. A DNS query or UDP data packet from an originating source and intended for a DNS server is diverted to the DNS cache module. The DNS cache module validates the DNS query or UDP data packet and discards it if it is malformed. The DNS cache module then extracts from the DNS query or UDP data packet the domain name and virtual IP address (VIP) of the requested destination resource, and the source IP (SIP) of the originating source. Using the domain name, VIP, and SIP, it finds and retrieves the matching DNS record from its cache and responds with a response message according to the matched DNS record type. If no match is found, the DNS query or UDP data packet is dropped, dropped and responded to with a customizable message, or forwarded to the DNS server.
Publication number: US2017111389(A1)    Publication date: 2017.04.20
Application number: US201514886060    Filing date: 2015.10.18
Applicant: NXLabs Limited    Inventors: Kasman Juniman; Lu Xiaohai; Zhang Jinping; Liu Tianyi; Chin Ryan
Classification: H04L29/06; G06F17/30; H04L29/12    Main classification: H04L29/06
Principal claim: 1. A computer implemented method for mitigating distributed denial of service (DDoS) attacks against domain name system (DNS) servers, comprising: diverting a DNS query or UDP data packet that is to be processed by a DNS server to a DNS cache module; receiving, by the DNS cache module, the DNS query or UDP data packet; discarding, by the DNS cache module, the DNS query or UDP data packet if it is malformed; extracting, by the DNS cache module, from the DNS query or UDP data packet, a domain name of a requested destination resource, a virtual IP (VIP) of the requested destination resource, and a source IP (SIP) of the originating source of the DNS query or UDP data packet; matching, by the DNS cache module, the domain name, VIP, and SIP to DNS records and metadata stored in the DNS cache module and retrieving the matched DNS record; if a match is found, the DNS cache module responding to the originating source of the DNS query or UDP data packet with a response message based on the matched DNS record type; if a match is not found, the DNS query or UDP data packet being (a) dropped, (b) dropped and responded to with a customizable message, or (c) forwarded to the DNS server.
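The following is an added worked example of the flow in claim 1, written for this page and not taken from the patent or from NXLabs Limited. It parses a raw DNS query from a UDP payload strictly (so a malformed packet is discarded before any lookup), takes the SIP and VIP from the packet's IP metadata rather than from the DNS payload, matches the (domain, VIP, SIP) triple against a cache, answers from the cache on a hit, and applies one of the three miss policies otherwise. The cache key layout (an exact-SIP entry falling back to an any-source entry), the restriction to A/AAAA records, the use of REFUSED as the "customizable message", the function and class names, and all addresses (taken from documentation ranges) are assumptions of this example, not details the patent specifies.

```python
"""Added example: a minimal DNS cache module in the spirit of claim 1 (assumptions noted inline)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
RCODE_REFUSED = 5
# Miss policies matching claim 1 (a), (b), (c); the names are this example's choice.
DROP, DROP_WITH_MESSAGE, FORWARD = "drop", "drop_with_message", "forward"


class MalformedQuery(ValueError):
    """Anything the cache module refuses to treat as a DNS query."""


@dataclass
class Query:
    txid: int
    qname: str
    qtype: int
    qclass: int
    question: bytes  # raw question section, echoed back in the response


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursion-desired query; used only to construct sample traffic."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(payload: bytes) -> Query:
    """Strictly parse a single-question DNS query; raise MalformedQuery on anything odd."""
    if len(payload) < 12:
        raise MalformedQuery("short header")
    txid, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:  # QR bit set, or opcode other than QUERY
        raise MalformedQuery("not a standard query")
    if qd != 1 or an or ns:
        raise MalformedQuery("unexpected section counts")
    off, labels = 12, []
    while True:
        if off >= len(payload):
            raise MalformedQuery("truncated qname")
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(payload):  # n > 63 also rejects compression pointers (0xC0..)
            raise MalformedQuery("bad label")
        try:
            labels.append(payload[off:off + n].decode("ascii").lower())
        except UnicodeDecodeError:
            raise MalformedQuery("non-ASCII label") from None
        off += n
    if not labels or off - 12 > 255 or off + 4 > len(payload):
        raise MalformedQuery("bad qname or truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return Query(txid, ".".join(labels), qtype, qclass, payload[12:off + 4])


def build_response(q: Query, rcode: int, rdata: Optional[bytes] = None, ttl: int = 0) -> bytes:
    """QR=1, RD=1, RA=1 reply; one answer RR when rdata is given, otherwise an empty answer."""
    header = struct.pack("!6H", q.txid, 0x8180 | (rcode & 0xF), 1, 0 if rdata is None else 1, 0, 0)
    if rdata is None:
        return header + q.question
    rr = struct.pack("!HHHIH", 0xC00C, q.qtype, q.qclass, ttl, len(rdata)) + rdata  # 0xC00C -> question name
    return header + q.question + rr


# Assumed cache layout: (domain, VIP, SIP or None for any source) -> {qtype: (address, ttl)}
CacheKey = Tuple[str, str, Optional[str]]


class DNSCacheModule:
    def __init__(self, records: Dict[CacheKey, Dict[int, Tuple[str, int]]],
                 miss_policy: str = DROP, miss_rcode: int = RCODE_REFUSED):
        self.records, self.miss_policy, self.miss_rcode = records, miss_policy, miss_rcode
        self.forwarded: List[Tuple[str, str, bytes]] = []  # stands in for the protected DNS server
        self.stats = {"malformed": 0, "hit": 0, "miss": 0}

    def match(self, domain: str, vip: str, sip: str):
        # Prefer a record scoped to this exact source, then one open to any source.
        for key in ((domain, vip, sip), (domain, vip, None)):
            if key in self.records:
                return self.records[key]
        return None

    def handle(self, sip: str, vip: str, payload: bytes) -> Optional[bytes]:
        """Return the datagram to send back, or None when the packet is dropped or forwarded."""
        try:
            q = parse_query(payload)
        except MalformedQuery:
            self.stats["malformed"] += 1  # claim step: discard malformed packets
            return None
        rrset = self.match(q.qname, vip, sip)
        if rrset and q.qclass == QCLASS_IN and q.qtype in rrset and q.qtype in (QTYPE_A, QTYPE_AAAA):
            address, ttl = rrset[q.qtype]
            self.stats["hit"] += 1
            return build_response(q, 0, ipaddress.ip_address(address).packed, ttl)
        self.stats["miss"] += 1
        if self.miss_policy == FORWARD:
            self.forwarded.append((sip, vip, payload))
        elif self.miss_policy == DROP_WITH_MESSAGE:
            return build_response(q, self.miss_rcode)
        return None


# Constructed sample cache: a public name open to any source, an internal name bound to one SIP.
SAMPLE_RECORDS = {
    ("www.example.com", "203.0.113.53", None): {QTYPE_A: ("198.51.100.10", 300)},
    ("intranet.example.com", "203.0.113.53", "192.0.2.25"): {QTYPE_A: ("10.0.0.5", 60)},
}


def demo(policy: str = DROP) -> dict:
    m, vip = DNSCacheModule(SAMPLE_RECORDS, miss_policy=policy), "203.0.113.53"
    return {
        "hit": m.handle("192.0.2.99", vip, build_query(0x1234, "www.example.com")),
        "scoped_hit": m.handle("192.0.2.25", vip, build_query(0x1237, "intranet.example.com")),
        "scoped_miss": m.handle("192.0.2.99", vip, build_query(0x1235, "intranet.example.com")),
        "malformed": m.handle("192.0.2.99", vip, build_query(0x1236, "www.example.com")[:20]),
        "stats": dict(m.stats), "forwarded": len(m.forwarded),
    }
```

Two points worth noting from the example. First, the SIP is part of the cache key, so the same domain queried via the same VIP can hit for one source and miss for another; under the default drop policy the miss costs the protected server nothing. Second, the parser rejects compression pointers and any label running past the datagram before touching the cache, which is what keeps a flood of junk UDP payloads from reaching either the lookup or the upstream server.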
Address: Tortola VG