Field of the Invention
The present invention relates generally to data networks, and more particularly to a data network being protected from a DNS denial of service attack.
Description of the Related Art
Data network security is an important and critical component of the Internet. In particular, the proper operation of a Domain Name System (DNS) data network is crucial to the operation of the Internet, public cloud networks, mobile broadband networks, as well as private networks. Attacks to DNS data networks are common. Often such attacks address individual websites or a number of companies. Sometimes, attacks are targeted to major infrastructure of an Internet Service Provider (ISP). Many of these DNS attacks are in the form of a denial of service (DOS) attack. If an attack is successful, one or more DNS servers will be under stress and cannot serve legitimate DNS requests from client computers. The client computers, not able to determine the application servers for the DNS requests, in turn deny services to the users, rendering Internet services, such as web services, email services, document services, or video services, offered by those application servers unavailable. Often times, the stressed DNS servers may take hours or days to recover to normal operation, causing major disruption of services, as well as financial damage to merchants and inconvenience to clients.
A typical DNS denial of service attack is presented in a form of malformed DNS requests using unknown or unanswerable domain names, and perhaps invalid network addresses. Each malformed DNS request is intended to cause a DNS server to spend computation resources to resolve an unanswerable domain name. Through sending a large number of malformed DNS requests in a short period of time, a DNS server would have to spend all of its computation resource to handle these DNS requests.
The present invention proposes a method and system to handle the massive malformed DNS requests with little or no involvement of a DNS server, and therefore protects the DNS server from these nasty DNS denial of service attacks.
It should be apparent from the foregoing that there is a need to provide a method to protect a data network from DNS denial of service attacks.