1. Field
The present invention generally relates to a malicious BOT measures method and its system.
2. Related Technology
A BOT refers to one of software for performing or controlling a predetermined operation by a specific event or a specific command as a script code having various functions including a remote function for specific objects. Moreover, a malicious BOT refers to a BOT for performing a malicious operation by a malicious user to intrude other computers or systems, thereby causing damages. The malicious BOT intrudes computers or systems which are in poor security to execute commands onto these systems, attacks other computers or systems, or discloses information from the compromised systems.
When the malicious BOT attacks a specific network or system, it generates more data than the capacity of the target network or system so as to disable the normal service.
The malicious BOT performs a DNS query for an IP address of a target system to a DNS server so as to obtain the IP address of the target system. An excessive traffic generated from the computer infected by the malicious BOT may cause damages to the network as well as the target system. In order to prevent these damages, a contents filtering system has been recently used.
When the computer or system infected by malicious BOT performs a DNS query so as to obtain an IP address, the contents filtering system checks out the contents of the query. The contents filtering system checks out the contents to generate a DNS query blocking rule set, and deals with malicious BOTs by dropping the DNS query from the malicious BOTs.
But there is a problem that the source station generating an abnormal DNS query can repeatedly generate the same query, because the contents filtering system drops the abnormal DNS queries. The re-generation of queries causes heavy traffic so that the service is disabled by overload of network equipments.