CPC H04L 63/1458 (2013.01) [H04L 43/0894 (2013.01); H04L 47/263 (2013.01); H04L 61/4511 (2022.05); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)]
20 Claims

10. A system comprising:
a network monitoring device connected to a communications network, the network monitoring device configured to monitor network traffic transmitted to and from a domain name system (DNS) server across the communications network and comprising one or more processors coupled with memory, the memory storing executable instructions that, when executed by one or more processors, cause the one or more processors to:
store a probabilistic data structure storing one or more domain names;
receive a response data packet from the DNS server, the response data packet comprising a first domain name transmitted in a query to the DNS server and an affirmative response code;
responsive to identifying the affirmative response code in the response data packet, update the probabilistic data structure with the first domain name identified from the response data packet;
responsive to detecting an attack on the network, retrieve a query message transmitted by a computing device intended for the DNS server, the query message containing a second domain name;
query the updated probabilistic data structure using the second domain name; and
responsive to determining the second domain name is not stored in the updated probabilistic data structure based on the query, restrict transmission of the query message or communication by the computing device with the DNS server,
wherein execution of the instructions further causes the one or more processors to:
monitor response data packets transmitted by the DNS server for a first defined time period, wherein the one or more processors receive the response data packet transmitted by the DNS server during the first defined time period;
generate the probabilistic data structure from domain names of response data packets transmitted by the DNS server only during the first defined time period;
detect an end to the first defined time period; and
responsive to detecting the end to the first defined time period, generate a second probabilistic data structure separate from the probabilistic data structure from domain names of response data packets transmitted by the DNS server only during a second defined time period subsequent to the first defined time period.
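As an added illustration, and not code from the patent or its assignee, the following Python models the behaviour claim 10 recites: a Bloom filter (the "probabilistic data structure") is populated only from responses carrying the affirmative RCODE (NOERROR), a fresh filter is started at the end of each defined time period, and, only once an attack has been detected, queries whose name is absent from the filter are refused. Everything beyond the claim's wording is an assumption made here: hash positions are derived from SHA-256, the attack signal is a flag set by an external detector, lookups consult both the current window's filter and the one for the window that just ended, and the DNS messages are constructed in the block rather than captured.

```python
import hashlib
import struct

NOERROR = 0   # DNS RCODE for an affirmative response
NXDOMAIN = 3  # DNS RCODE for a non-existent domain


class BloomFilter:
    """Fixed-size Bloom filter over domain names; k SHA-256-derived bit positions per name (assumed)."""

    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, name):
        data = name.lower().rstrip(".").encode("ascii")  # normalise case and trailing dot
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, name):
        for p in self._positions(name):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, name):
        # No false negatives (an added name is always found); false positives are possible.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(name))


def build_dns(qname, response=False, rcode=NOERROR, txid=0x1234):
    """Construct a minimal DNS message (header plus one A/IN question) for the sample traffic."""
    flags = (0x8000 if response else 0) | (rcode & 0xF)  # QR bit and RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)


def parse_dns(packet):
    """Return (is_response, rcode, qname) from the header and first question of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        length = packet[off]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    return bool(flags & 0x8000), flags & 0xF, ".".join(labels).lower()


class DnsQueryFilter:
    """Monitoring logic of claim 10: learn names from NOERROR responses per time window and,
    only while an attack is flagged, refuse queries for names that were never answered."""

    def __init__(self, window_seconds=60, m_bits=1 << 16, k=4):
        self.window, self.m_bits, self.k = window_seconds, m_bits, k
        self.window_start = None
        self.current = BloomFilter(m_bits, k)  # structure for the current defined period
        self.previous = None                   # separate structure for the period just ended
        self.under_attack = False              # set by an external attack detector (assumed)

    def _roll(self, now):
        if self.window_start is None:
            self.window_start = now
        while now - self.window_start >= self.window:  # end of the defined period detected
            self.previous, self.current = self.current, BloomFilter(self.m_bits, self.k)
            self.window_start += self.window

    def observe_response(self, packet, now):
        """Response path: only an affirmative (NOERROR) response updates the current filter."""
        self._roll(now)
        is_response, rcode, qname = parse_dns(packet)
        if is_response and rcode == NOERROR:
            self.current.add(qname)
            return True
        return False

    def allow_query(self, packet, now):
        """Query path: pass everything normally; under attack, pass only names present in the
        current or the previous window's filter (assumption: two windows are consulted)."""
        self._roll(now)
        is_response, _, qname = parse_dns(packet)
        if is_response:
            raise ValueError("expected a query")
        if not self.under_attack:
            return True
        return qname in self.current or (self.previous is not None and qname in self.previous)


def demo():
    """Constructed traffic: two answered names, one NXDOMAIN, then an attack and two window rolls."""
    f = DnsQueryFilter(window_seconds=60)
    for name in ("www.example.com", "mail.example.com"):
        f.observe_response(build_dns(name, response=True), now=0)
    f.observe_response(build_dns("nope.example.com", response=True, rcode=NXDOMAIN), now=1)
    f.under_attack = True
    r = {
        "known": f.allow_query(build_dns("www.example.com"), now=5),
        "nxdomain": f.allow_query(build_dns("nope.example.com"), now=5),
        "random_label": f.allow_query(build_dns("x7k2q9.example.com"), now=5),
    }
    f.observe_response(build_dns("api.example.com", response=True), now=70)  # second window
    r["known_after_roll"] = f.allow_query(build_dns("www.example.com"), now=71)
    r["learned_in_window_2"] = f.allow_query(build_dns("api.example.com"), now=71)
    f.observe_response(build_dns("cdn.example.com", response=True), now=130)  # third window
    r["aged_out"] = f.allow_query(build_dns("www.example.com"), now=131)
    return r
```

Two properties of this design are worth keeping in mind when sizing it. A Bloom filter has no false negatives, so a name that was answered inside the retained windows is never blocked, but its false positives fail open: a small fraction of never-seen names will pass during an attack, and that fraction grows as the filter fills, so the bit count must be chosen for the peak number of distinct answered names per window. Conversely, a legitimate name that was not answered within the retained windows is refused while the attack flag is set; that is the trade-off the claim accepts, and it is the reason the restriction is only applied after an attack is detected. Note also that NOERROR covers responses with an empty answer section (NODATA), so a deployment may want to require at least one answer record before treating a response as affirmative.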