CPC H04L 63/1458 (2013.01) [H04L 61/4511 (2022.05); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01); H04L 67/145 (2013.01)] | 16 Claims |
1. A method of delaying computer network clients from sending Domain Name System (DNS) queries, the method comprising:
receiving a DNS query from a client;
consulting at least one of a client record in a client record database that stores information about the client and a flow record in a flow record database that stores information about a flow, wherein the information about the flow includes information about one or more previous DNS queries and/or responses in a flow to which the DNS query is assigned;
formulating a response to the DNS query as a function of the information about the client and/or the information about the flow, wherein the DNS query includes a question, the response is intentionally defective or incomplete, and the response causes the client to be delayed in sending another DNS query as part of an attack;
updating at least one of the client record with information about the client and the flow record with information about the DNS query and the response as formulated;
transmitting the response as formulated to the client;
analyzing observed behavior of the client, including analyzing the client record and/or the flow record and analyzing subsequent DNS queries or lack of DNS queries by the client subsequent to one or more transmitted responses; and
formulating a new response to one of the subsequent DNS queries that is likely to cause the client to continue outputting DNS queries based on the analysis of the observed behavior of the client,
wherein when the analysis reveals that the client does not continue outputting the subsequent DNS queries upon receiving the formulated new response, a field in the client record and/or the flow record is set to indicate that future DNS queries from the client are to be dropped without a response.
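Claim 1 describes a DNS tarpit: each query is answered with an intentionally defective response chosen from client and flow records, a follow-up query from the client counts as evidence that the last response kind keeps it busy, and a client that goes silent after a response is flagged so its later queries get no answer at all. The Python simulation below is an added example, not code from the patent or its assignee; the three response kinds, the try-each-kind-once-per-flow-then-reuse policy and the 5-second silence window are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Deliberately defective response kinds (assumed labels; no DNS wire format is built here).
STRATEGIES = ("TRUNCATED", "EMPTY_ANSWER", "PARTIAL_REFERRAL")
SILENCE_SECS = 5.0  # assumed: no follow-up query within this window means the client gave up

@dataclass
class ClientRecord:
    last_seen: float = 0.0
    last_kind: Optional[str] = None  # kind of the last response sent to this client
    followups: Dict[str, int] = field(default_factory=dict)  # kind -> times the client came back
    drop: bool = False  # once set, further queries from this client get no response

@dataclass
class FlowRecord:
    history: List[Tuple[str, str]] = field(default_factory=list)  # (qname, kind sent)

class DnsTarpit:
    def __init__(self) -> None:
        self.clients: Dict[str, ClientRecord] = {}
        self.flows: Dict[Tuple[str, str], FlowRecord] = {}

    def _pick_kind(self, c: ClientRecord, f: FlowRecord) -> str:
        # Analysis: try each kind once per flow, then reuse the kind that kept the client talking most.
        untried = [k for k in STRATEGIES if k not in {kind for _, kind in f.history}]
        return untried[0] if untried else max(c.followups, key=c.followups.get)

    def handle_query(self, ip: str, qname: str, now: float) -> Optional[str]:
        """Consult records, formulate a defective response, update records; None = dropped."""
        c = self.clients.setdefault(ip, ClientRecord())
        if c.drop:
            return None
        f = self.flows.setdefault((ip, qname), FlowRecord())  # flow keyed by client and question
        if c.last_kind is not None:  # a follow-up query: the previous response kind was effective
            c.followups[c.last_kind] = c.followups.get(c.last_kind, 0) + 1
        kind = self._pick_kind(c, f)
        c.last_seen, c.last_kind = now, kind
        f.history.append((qname, kind))
        return kind

    def sweep(self, now: float) -> List[str]:
        """Flag clients that fell silent after a defective response; return their IPs."""
        dropped = []
        for ip, c in self.clients.items():
            if not c.drop and c.last_kind and now - c.last_seen > SILENCE_SECS:
                c.drop = True
                dropped.append(ip)
        return dropped
```

Call `sweep()` periodically alongside `handle_query()`; a production responder would also need the flow key to cover the query type and a bounded record store so the tarpit itself cannot be exhausted.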