CN102868773A - Method, device and system for detecting domain name system (DNS) black hole hijack - Google Patents


Info

Publication number: CN102868773A
Authority: CN (China)
Prior art keywords: address, black hole, dns, dns black, carrying
Legal status: Granted (currently active)
Application number: CN2012103009475A
Other languages: Chinese (zh)
Other versions: CN102868773B (en)
Inventors: 刘海粟, 张聪, 颜高权
Current assignees: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210300947.5A; published as CN102868773A; granted and published as CN102868773B

Landscapes

  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device and a system for detecting domain name system (DNS) black hole hijack. The method comprises the following steps of: capturing hyper text transfer protocol (HTTP) connection data packets corresponding to webpage access requests in a network, extracting domain names and Internet protocol (IP) addresses which correspond to webpages in the data packets, and recording the corresponding relationships between the domain names and the IP addresses; counting captured results, and acquiring the quantity of different domain names corresponding to the same IP address; determining IP addresses which are used for performing black hole hijack according to the quantity of the different domain names corresponding to the same IP address, and storing the IP addresses which are used for performing the DNS black hole hijack; when the webpage access request of a user generates the current HTTP connection data packet, extracting an IP address in the current HTTP connection data packet; and if the extracted IP address appears in the stored IP addresses which are used for performing the DNS black hole hijack, determining that the webpage access request is subjected to the DNS black hole hijack. By the method, the device and the system, the phenomenon that the user is disturbed by a DNS black hole hijack webpage is avoided.

Description

Method, apparatus and system for detecting DNS black hole hijacking
Technical field
The present invention relates to the field of information security technology, and in particular to a method, apparatus and system for detecting DNS black hole hijacking.
Background technology
With the spread of the Internet, users' demand for network services keeps growing. The most common way for an ordinary user to reach a website is by domain name, whereas what a host or machine actually reads is an IP address, so every such access involves domain name resolution, which is performed by DNS (Domain Name System). DNS consists of resolvers and name servers. A name server holds the domain names and corresponding IP addresses of all hosts in its network and provides the function of converting a domain name into an IP address. Through DNS, people can use the Internet more conveniently without having to remember the numeric IP address strings that machines read directly.
In practice, however, it often happens that a domain name cannot be resolved normally, and the website then cannot be accessed. In this situation some network operators perform DNS black hole hijacking: the domain name that cannot be resolved is redirected to an IP address belonging to the operator, and when the user connects to that IP address the operator shows an advertising page, navigation page or the like in place of the page that could not be reached, in order to increase its own advertising income. That advertising or navigation page also disturbs the user and causes annoyance.
An urgent technical problem for those skilled in the art is therefore how to detect DNS black hole hijacking while the user is accessing a web page, so as to spare the user the interference of hijack pages such as advertising or navigation pages.
Summary of the invention
The present invention provides a method, apparatus and system for detecting DNS black hole hijacking, which can detect DNS black hole hijacking behaviour and thereby spare the user the interference of hijack pages such as advertising or navigation pages.
The invention provides the following solutions:
A method for detecting DNS black hole hijacking, comprising:
capturing, in the network, Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests, extracting from the packets the domain name and IP address corresponding to the web page, and recording the correspondence between domain name and IP address;
compiling statistics on the captured results to obtain the number of distinct domain names corresponding to the same IP address;
determining, according to the number of distinct domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijacking, and storing the determined IP addresses used for DNS black hole hijacking;
when a user's web access request generates a current HTTP connection packet, extracting the IP address from that current HTTP connection packet;
if the extracted IP address appears among the stored IP addresses used for DNS black hole hijacking, determining that the user's web access request has been subjected to DNS black hole hijacking.
Optionally, determining the IP addresses used for DNS black hole hijacking according to the number of distinct domain names corresponding to the same IP address comprises:
extracting the IP addresses whose number of corresponding distinct domain names reaches a preset condition as IP addresses to be verified;
obtaining the server response information corresponding to the IP address to be verified;
verifying the IP address to be verified according to the server response information, and, if verification passes, determining the IP address to be verified as an IP address used for DNS black hole hijacking.
Optionally, the server response information includes web content packets, and verifying the IP address to be verified according to the server response information comprises:
extracting web page content from the web content packets corresponding to the IP address to be verified, comparing the extracted web page content with the web page content known to correspond to IP addresses used for DNS black hole hijacking, and passing verification if the similarity reaches a preset threshold.
Optionally, the server response information includes web page code, and verifying the IP address to be verified according to the server response information comprises:
judging whether the web page code contains preset key code, and passing verification if it does.
Optionally, the preset key code comprises jump instruction code.
An apparatus for detecting DNS black hole hijacking, comprising:
a capture unit, for capturing in the network the HTTP connection packets corresponding to web access requests, extracting from the packets the domain name and IP address corresponding to the web page, and recording the correspondence between domain name and IP address;
a statistics unit, for compiling statistics on the captured results to obtain the number of distinct domain names corresponding to the same IP address;
a hijack IP address determining unit, for determining, according to the number of distinct domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijacking, and storing the determined IP addresses used for DNS black hole hijacking;
an IP address extraction unit, for extracting the IP address from the current HTTP connection packet when a user's web access request generates that packet;
a detection unit, for determining that the user's web access request has been subjected to DNS black hole hijacking if the extracted IP address appears among the stored IP addresses used for DNS black hole hijacking.
Optionally, the hijack IP address determining unit comprises:
an extraction subunit, for extracting the IP addresses whose number of corresponding distinct domain names reaches a preset threshold as IP addresses to be verified;
a response information acquisition subunit, for obtaining the server response information corresponding to the IP address to be verified;
a verification subunit, for verifying the IP address to be verified according to the server response information and, if verification passes, determining the IP address to be verified as an IP address used for DNS black hole hijacking.
Optionally, the server response information includes web content packets, and the verification subunit comprises:
a first verification subunit, for extracting web page content from the web content packets corresponding to the IP address to be verified, comparing the extracted web page content with the web page content known to correspond to IP addresses used for DNS black hole hijacking, and passing verification if the similarity reaches a preset threshold.
Optionally, the server response information includes web page code, and the verification subunit comprises:
a second verification subunit, for judging whether the web page code contains preset key code, and passing verification if it does.
A system for detecting DNS black hole hijacking, comprising a server side and a client, wherein the server side comprises:
a capture unit, for capturing in the network the HTTP connection packets corresponding to web access requests, extracting from the packets the domain name and IP address corresponding to the web page, and recording the correspondence between domain name and IP address;
a statistics unit, for compiling statistics on the captured results to obtain the number of distinct domain names corresponding to the same IP address;
a hijack IP address determining unit, for determining, according to the number of distinct domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijacking, and storing the determined IP addresses used for DNS black hole hijacking;
the client comprises:
an IP address extraction unit, for extracting the IP address from the current HTTP connection packet when a user's web access request generates that packet;
an upload unit, for uploading the extracted IP address to the server side;
and the server side further comprises:
a detection unit, for determining that the user's web access request has been subjected to DNS black hole hijacking if the extracted IP address appears among the stored IP addresses used for DNS black hole hijacking.
According to the specific embodiments provided by the invention, the invention has the following technical effects:
With the present invention, a large number of HTTP packets are collected, the correspondence between domain names and IP addresses is extracted from them and compiled into statistics, and from these statistics the IP addresses that may be used for DNS black hole hijacking are derived. Then, when a user accesses a web page, the IP address in the HTTP packet can be extracted and checked against the IP addresses used for DNS black hole hijacking; if it appears there, it can be concluded that the user's web access has been hijacked by a DNS black hole. Thus DNS black hole hijacking can be detected while the user is accessing a web page, sparing the user the interference of hijack pages such as advertising or navigation pages.
Description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are introduced briefly below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the apparatus provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of the system provided by an embodiment of the invention.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments fall within the scope of protection of the invention.
To avoid conceptual confusion, it should first be noted that although a DNS black hole looks, on the surface, like web page hijacking, and although in technical essence it is carried out on the basis of the DNS resolution step, it is different from DNS hijacking. That is, DNS black hole, DNS hijacking and web page hijacking are all different concepts, each briefly introduced below.
So-called "web page hijacking" or "pagejacking" means that the machine reaches the correct web server and the web server returns the correct page, but while the page is travelling to the machine some links in it are replaced or modified by a third party.
DNS hijacking is more thorough: what is hijacked is the DNS server itself. That is, during DNS resolution the answer itself is supplied by a wrong DNS server, so the page finally returned is naturally the wrong, substituted page.
A so-called DNS black hole, by contrast, is a resolution service provided by the correct DNS server in which a wrong IP address is taken at the resolution step, so that the subsequent HTTP access reaches the wrong web server and obtains the wrong page.
From another angle, DNS hijacking and web page hijacking are generally caused by viruses or hacker attacks, whereas a DNS black hole is mostly a service offered by a legitimate operator; pages hijacked by a DNS black hole are limited to the case where the domain name cannot be resolved (that is, the domain name is invalid), in which an alternative page is returned to the user, and domain names that resolve normally are not hijacked by the DNS black hole.
Referring to Fig. 1, the method for detecting DNS black hole hijacking provided by an embodiment of the invention may comprise the following steps:
S101: capturing, in the network, HTTP (Hypertext Transfer Protocol) connection packets corresponding to web access requests, extracting from the packets the domain name and IP address corresponding to the web page, and recording the correspondence between domain name and IP address;
When a user accesses a web page with a browser, a web access request is produced. The URL of the accessed page is first converted into an IP address by the DNS server and an HTTP packet is generated; the converted IP address is stored in the HTTP packet so that the web access request can be sent to the web server corresponding to that IP address. In this process, if the domain name cannot be resolved normally, the IP address may be replaced by a network operator or the like with an IP address used for DNS black hole hijacking. That is, the IP address contained in the HTTP packet may be the IP address that actually corresponds to the page's URL, or it may be the replaced IP address. In embodiments of the invention, these HTTP packets are collected, the domain name and IP address of the web page are extracted from them, and the correspondence between domain name and IP address is recorded.
A domain name is the name of a computer or group of computers on the Internet, composed of a string of names separated by dots, and identifies the electronic location of the computer during data transfer on the Internet, for example abc.com. Briefly, a domain name is the name under which a computer or group of computers is registered on the Internet, and by that registered name users can reach the corresponding computer or group of computers. The name may carry information about the registrant, such as the company or organisation name or the service offered. Domain names also have a hierarchy: abc.com above is a top-level domain (TLD); TLDs are allocated by a dedicated international organisation, and below a TLD there can be second-level and third-level domains, for example news.abc.com is a second-level domain. Some second-level domains, especially those registered by organisations, are often used to distinguish and highlight different business sections; conversely, different business sections are often reflected by different second-level domains. For example, news.abc.com above may represent the news section and sports.abc.com the sports section of the same website.
For a user, a domain name usually represents one website, and each web page the user browses is a preset file downloaded from some file on that website's server. From the web address the user browses, the domain name information it contains can be obtained; for example, if the user accesses sports.abc.com/football/fifa2010/123.htm, the domain name contained in it is sports.abc.com.
In embodiments of the invention, capturing the HTTP packets in the network can be implemented on the basis of the browser's cloud engine. The so-called cloud engine is a browser program running at the server side which cooperates with the browser program running on the user's local machine to complete the web page access task for the user. For example, when the cloud engine is used, a web access request initiated by the user is not sent directly to the web server but is first sent to the browser's cloud engine, which forwards it to the web server. In this way, while each user of this browser in the network accesses web pages, the browser's cloud engine obtains the web access requests, so a large number of HTTP packets can be collected through the cloud engine, and the domain name and IP address correspondence extracted from each of them for subsequent processing. Alternatively, in other implementations, the user's local browser may copy the HTTP packet and send the copy to the browser's cloud engine for information collection, and so on.
It should be noted that the reason HTTP packets are captured for detection is that the purpose of a DNS black hole is precisely to hijack specific web pages and display its own page, and this display is only achieved because the browser parses HTTP data. Data of non-HTTP protocols cannot be displayed directly by the browser as HTTP can, so hijacking them would be pointless. Only HTTP and HTTPS are meaningful to hijack, but HTTPS communication is encrypted, its data cannot be obtained and so cannot be analysed; therefore only HTTP data is captured in embodiments of the invention.
S102: compiling statistics on the captured results to obtain the number of distinct domain names corresponding to the same IP address;
Since a large number of domain name to IP address correspondences have been captured, statistics can be compiled on this data to find the IP addresses that may be used for DNS black hole hijacking. When a network operator performs DNS black hole hijacking it generally uses one or a few fixed IP addresses, and whenever domain name resolution fails it redirects to those fixed addresses; but there may be many domain names that cannot be resolved normally, so the statistics may reveal that many domain names correspond to the same IP address, i.e. many domain names all jump to the same IP. This is likely because those domain names could not be resolved and were hijacked by the DNS black hole, so that IP address may be judged to be one used for DNS black hole hijacking, since under normal circumstances a domain name generally corresponds uniquely to one IP address. Therefore, after capturing a large number of domain name to IP address correspondences, statistics can be compiled to obtain the number of domain names corresponding to each IP address. For example, if the domain name extracted from one captured HTTP packet is domain A, corresponding to some IP address, and the domain name extracted from another captured HTTP packet is domain B, corresponding to the same IP address, then the number of domain names corresponding to that IP address is 2, and so on.
S103: determining, according to the number of distinct domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijacking, and storing the determined IP addresses used for DNS black hole hijacking;
After the number of distinct domain names corresponding to each IP address has been determined, the IP addresses can be sorted by that number and the few IP addresses with the largest numbers determined as IP addresses used for DNS black hole hijacking; alternatively, IP addresses whose number of distinct domain names reaches a certain preset threshold can be determined as IP addresses used for DNS black hole hijacking, and so on.
In practice the following situation may also arise: because of network restrictions and the like, some special web pages may not be directly accessible, and the user may access them through a proxy server. Proxy servers are mostly used to connect the Internet and an intranet (local area network). For example, in China the so-called China multimedia public information network and the education network are both independent large national local area networks isolated from the Internet. For various needs, some groups or individuals have set up proxy servers between the two networks, and anyone who knows the address of such a proxy server can use it to reach external websites. Users inside the local area network are mapped to a single IP address when accessing external web pages through the proxy server, so when HTTP packets are parsed, one IP address may likewise correspond to many domain names.
Therefore, to distinguish that situation, in embodiments of the invention, after an IP address corresponding to many domain names is found, it can be further verified whether the IP address is one used for DNS black hole hijacking. Specifically: obtain the web server response information corresponding to the IP address to be verified, then verify the IP address to be verified according to that server response information, and if verification passes, determine the IP address to be verified as an IP address used for DNS black hole hijacking. The web server response information can contain the content data of the web page, so one concrete verification method is: extract web page content from the web content packets corresponding to the IP address to be verified, compare the extracted web page content with the web page content known to correspond to IP addresses used for DNS black hole hijacking, and pass verification if the similarity reaches a preset threshold. That is, the web page content corresponding to IP addresses known to be used for DNS black hole hijacking (which may be some advertising or navigation page of the network operator, etc.) can be obtained in advance; if the web page content corresponding to the IP address to be verified is identical to it, or similar to a certain degree, the IP address to be verified can be considered an IP address used for DNS black hole hijacking. If instead the IP address to be verified is the IP address of a proxy server, the web page content corresponding to it will not be highly similar to the operator's advertising or navigation page, so that IP address can be excluded accordingly. Page content is essentially a segment of text data; when comparing web page similarity, the comparison can be based on the hash value of the page, or a text-similarity matching algorithm such as cosine distance can be used, without limitation.
Alternatively, in another implementation, consider that the web page code corresponding to an IP address used for web address hijacking generally contains a special segment of code, usually JavaScript code corresponding to some jump instruction, which must be written into the web page whenever DNS black hole hijacking is performed, for example:
[Figure BDA00002042450300091: the example jump code, present in the patent only as an image]
This code jumps to the domain abc.com.cn, which is held by a certain network operator. Therefore web page code can be extracted from the server response information corresponding to the IP address to be verified, and it can be judged whether the web page code contains the preset key code; if it does, it can be concluded that the IP address to be verified is an IP address used by this network operator for DNS black hole hijacking. Of course, the jump instruction is only one kind of key code; in a specific implementation the key code can also be an agreed keyword (which may be a character string rather than an executable instruction).
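The two verification modes described above, content similarity by cosine distance over the page text and detection of a jump-instruction key code, as an added Python example that is not part of the patent. The sample pages are constructed, and the redirect patterns are assumptions, since the patent shows its key code only as an image.

```python
import math
import re
from collections import Counter

# Constructed sample: the page already known to be served by a black hole IP
# (an operator's "navigation" page). Invented here; the patent's own example
# code is only shown as an image.
KNOWN_HIJACK_PAGE = """<html><head><title>Navigation</title>
<script>window.location.href = "http://nav.example-isp.invalid/?from=" + location.host;</script>
</head><body><h1>The page you requested cannot be found</h1>
<p>Recommended sites: shopping news video games search</p></body></html>"""

# Constructed responses from two IPs under verification: a near-copy of the
# hijack page, and a page served through a proxy that fronts many domains.
CANDIDATE_HIJACK_PAGE = """<html><head><title>Navigation</title>
<script>window.location.href = "http://nav.example-isp.invalid/?from=" + location.host;</script>
</head><body><h1>The page you requested cannot be found</h1>
<p>Recommended sites: shopping news video search weather</p></body></html>"""

CANDIDATE_PROXY_PAGE = """<html><head><title>Quarterly report</title></head>
<body><p>Revenue grew in the third quarter; see the attached tables.</p>
<script>var tracker = initAnalytics("report");</script></body></html>"""

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[a-z0-9]+")


def page_text_words(html):
    """Drop script bodies and tags, returning a word-frequency vector of the visible text."""
    no_script = re.sub(r"<script.*?</script>", " ", html, flags=re.S | re.I)
    text = TAG_RE.sub(" ", no_script).lower()
    return Counter(WORD_RE.findall(text))


def cosine_similarity(a, b):
    """Cosine similarity of two word-frequency vectors, in 0.0 .. 1.0."""
    dot = sum(a[w] * b[w] for w in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


# Assumed forms of "jump instruction" key code: JavaScript location assignment,
# location.replace(), and a meta refresh. The patent does not list patterns.
JUMP_CODE_RE = re.compile(
    r"(window\.)?location(\.href)?\s*=\s*|location\.replace\s*\(|"
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh",
    re.I,
)


def contains_key_code(html):
    """Second verification mode: does the page code contain the preset key code?"""
    return JUMP_CODE_RE.search(html) is not None


def verify_candidate(html, known_pages, threshold=0.8):
    """Return (passed, reason). First mode: similarity to a known hijack page
    reaches the threshold. Second mode: the key code is present. A proxy's
    page fails both and is excluded."""
    candidate_vec = page_text_words(html)
    best = max((cosine_similarity(candidate_vec, page_text_words(k))
                for k in known_pages), default=0.0)
    if best >= threshold:
        return True, "content similarity %.2f" % best
    if contains_key_code(html):
        return True, "jump instruction found"
    return False, "no match (best similarity %.2f)" % best


if __name__ == "__main__":
    for name, page in (("candidate", CANDIDATE_HIJACK_PAGE), ("proxy", CANDIDATE_PROXY_PAGE)):
        print(name, verify_candidate(page, [KNOWN_HIJACK_PAGE]))
```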
After the IP addresses used for DNS black hole hijacking are found, they can be stored, for example as a list, to serve as the basis for detecting DNS black hole hijacking. In practice this list can be kept at the browser's cloud engine side.
S104: when a user's web access request generates a current HTTP connection packet, extracting the IP address from that current HTTP connection packet;
Once the IP addresses used for DNS black hole hijacking have been stored, DNS black hole hijacking can be detected accordingly. Specifically, after a user's web access request generates an HTTP packet, the IP address is likewise extracted from it. As before, this IP address may be the IP address actually corresponding to the URL of the accessed page, or it may be an IP address used for DNS black hole hijacking after redirection.
S105: if the extracted IP address appears among the stored IP addresses used for DNS black hole hijacking, determining that the user's web access request has been subjected to DNS black hole hijacking.
After the IP address contained in the HTTP packet is extracted, it can be compared with each stored IP address used for DNS black hole hijacking; if it is among them, the user's web access request has been hijacked by a DNS black hole. When this situation is found, the HTTP packet can be discarded directly so that the HTTP request cannot reach the redirected IP address. Alternatively, a prompt can be shown to the user, warning that the current access may be subject to DNS black hole hijacking and asking whether to continue or end the access: if the user chooses to continue, the HTTP packet is let through to the redirected IP address and the corresponding web page content is returned and displayed to the user; if the user chooses to end the access, the HTTP packet is discarded; and so on. Of course, other handling methods can also be adopted and are not enumerated one by one here.
In summary, in embodiments of the invention, a large number of HTTP packets are collected, the correspondence between domain names and IP addresses is extracted from them and compiled into statistics, and from these statistics the IP addresses that may be used for DNS black hole hijacking are derived. Then, when a user accesses a web page, the IP address in the HTTP packet can be extracted and checked against the IP addresses used for DNS black hole hijacking; if it appears there, it can be concluded that the user's web access has been hijacked by a DNS black hole. Thus DNS black hole hijacking can be detected while the user is accessing a web page, sparing the user the interference of hijack pages such as advertising or navigation pages.
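Steps S101 to S105 end to end, with the hash-based page comparison the patent names as one verification option in S103, as an added Python example that is not code from the patent. The captured packets and page bodies are constructed; it is assumed that the domain is read from the HTTP Host header and that the capture point records the packet's destination IP, and the proxy case is included to show why the verification step is needed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of captured HTTP connection packets: (destination IP, HTTP
# request head). The destination IP is whatever resolution returned for the
# domain, so a black hole IP shows up under many unrelated Host names.
CAPTURED_PACKETS = [
    ("203.0.113.10", "GET / HTTP/1.1\r\nHost: news.abc.com\r\n\r\n"),
    ("203.0.113.10", "GET /a HTTP/1.1\r\nHost: news.abc.com\r\n\r\n"),
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: typo-one.invalid\r\n\r\n"),
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: typo-two.invalid\r\n\r\n"),
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: typo-three.invalid\r\n\r\n"),
    # A proxy server also fronts many domains behind one IP: the case the
    # patent says the verification step has to rule out.
    ("192.0.2.50", "GET / HTTP/1.1\r\nHost: intranet-a.example\r\n\r\n"),
    ("192.0.2.50", "GET / HTTP/1.1\r\nHost: intranet-b.example\r\n\r\n"),
    ("192.0.2.50", "GET / HTTP/1.1\r\nHost: intranet-c.example\r\n\r\n"),
]

# Constructed bodies a verifier receives when connecting to each candidate IP,
# and the known black hole "navigation" page they are compared against.
KNOWN_HIJACK_PAGE = "<html><body>Navigation page: that site could not be found</body></html>"
RESPONSES = {
    "198.51.100.7": KNOWN_HIJACK_PAGE,
    "192.0.2.50": "<html><body>Intranet portal</body></html>",
}

HOST_RE = re.compile(r"^Host:\s*([^\s:]+)", re.I | re.M)


def extract_domain(http_head):
    """S101: read the domain from the Host header (port stripped, lower-cased)."""
    m = HOST_RE.search(http_head)
    return m.group(1).lower() if m else None


def record_pairs(packets):
    """S101/S102: map each IP to the set of distinct domains seen with it."""
    domains_by_ip = defaultdict(set)
    for ip, head in packets:
        domain = extract_domain(head)
        if domain:
            domains_by_ip[ip].add(domain)
    return domains_by_ip


def candidates(domains_by_ip, threshold):
    """S103, first part: IPs whose distinct-domain count reaches the threshold."""
    return {ip for ip, domains in domains_by_ip.items() if len(domains) >= threshold}


def page_hash(body):
    """Hash of the page content, one of the comparison methods the patent names."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def build_hijack_list(domains_by_ip, fetch, known_hashes, threshold=3):
    """S103, second part: keep only candidates whose served page matches a
    known hijack page; the proxy IP fails this check and is excluded."""
    return {ip for ip in candidates(domains_by_ip, threshold)
            if page_hash(fetch(ip)) in known_hashes}


def check_request(dst_ip, hijack_ips):
    """S104/S105: look the current packet's destination IP up in the stored list.
    On a hit the patent's options are to drop the packet or prompt the user."""
    return "hijacked" if dst_ip in hijack_ips else "pass"


def fetch_response(ip):
    """Stand-in for connecting to the candidate IP; returns the constructed body."""
    return RESPONSES.get(ip, "")


def run_demo():
    domains_by_ip = record_pairs(CAPTURED_PACKETS)
    hijack_ips = build_hijack_list(domains_by_ip, fetch_response,
                                   {page_hash(KNOWN_HIJACK_PAGE)})
    return (hijack_ips,
            check_request("198.51.100.7", hijack_ips),
            check_request("192.0.2.50", hijack_ips))


if __name__ == "__main__":
    print(run_demo())
```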
Corresponding to the method for detecting DNS black-hole hijacking behaviour provided by the embodiment of the present invention, the embodiment of the present invention also provides a device for detecting DNS black-hole hijacking behaviour. Referring to Fig. 2, this device can comprise:
A capture unit 201, configured to capture the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extract the domain name and the IP address corresponding to the web page from the packets, and record the correspondence between the domain name and the IP address;
A statistics unit 202, configured to perform statistics on the captured results and obtain the number of different domain names corresponding to the same IP address;
A hijack IP address determining unit 203, configured to determine, according to the number of different domain names corresponding to the same IP address, the IP addresses used for carrying out DNS black-hole hijacking, and to save the determined IP addresses used for carrying out DNS black-hole hijacking;
An IP address extraction unit 204, configured to extract the IP address from the current HTTP connection packet when the user's web access request produces that packet;
A detecting unit 205, configured to determine that the user's web access request has been subjected to DNS black-hole hijacking if the extracted IP address appears among the saved IP addresses used for carrying out DNS black-hole hijacking.
Optionally, the hijack IP address determining unit 203 can also comprise:
An extraction subunit, configured to take the IP addresses whose number of corresponding different domain names reaches a preset threshold as IP addresses to be verified;
A response information acquisition subunit, configured to obtain the server response information corresponding to the IP address to be verified;
A verification subunit, configured to verify the IP address to be verified according to the server response information and, if the verification passes, to determine the IP address to be verified as an IP address used for carrying out DNS black-hole hijacking.
In a specific implementation, the server response information comprises a web content packet; in that case, the verification subunit can comprise:
A first verification subunit, configured to extract the web page content from the web content packet corresponding to the IP address to be verified and compare it with the web page content corresponding to an IP address known to be used for carrying out DNS black-hole hijacking; if the similarity reaches a preset threshold, the verification passes.
Alternatively, under another verification mode, since the server response information also comprises web page code, the verification subunit can comprise:
A second verification subunit, configured to judge whether the web page code comprises a jump (redirect) instruction code; if it does, the verification passes.
Corresponding to the aforementioned device for detecting DNS black-hole hijacking, the embodiment of the present invention also provides a system for detecting DNS black-hole hijacking. Referring to Fig. 3, this system can comprise a server end 301 and a client 302, wherein the server end 301 comprises:
A capture unit 3011, configured to capture the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extract the domain name and the IP address corresponding to the web page from the packets, and record the correspondence between the domain name and the IP address;
A statistics unit 3012, configured to perform statistics on the captured results and obtain the number of different domain names corresponding to the same IP address;
A hijack IP address determining unit 3013, configured to determine, according to the number of different domain names corresponding to the same IP address, the IP addresses used for carrying out DNS black-hole hijacking, and to save the determined IP addresses used for carrying out DNS black-hole hijacking;
The client 302 comprises:
An IP address extraction unit 3021, configured to extract the IP address from the current HTTP connection packet when the user's web access request produces that packet;
An uploading unit 3022, configured to upload the extracted IP address to the server end;
The server end 301 also comprises:
A detecting unit 3014, configured to determine that the user's web access request has been subjected to DNS black-hole hijacking if the extracted IP address appears among the saved IP addresses used for carrying out DNS black-hole hijacking.
In the above device and system provided by the embodiment of the present invention, a large number of HTTP packets can be collected, the correspondence between domain names and IP addresses extracted from them and counted, and from these statistics the IP addresses that may be used for carrying out DNS black-hole hijacking are derived. Then, when the user accesses a web page, the IP address in the HTTP packet can be extracted and checked against the IP addresses used for carrying out DNS black-hole hijacking; if it appears there, it can be concluded that the user's web page access has been hijacked by a DNS black hole. Thus DNS black-hole hijacking behaviour can be detected while the user is accessing the web page, and the user is spared the interference of hijack pages such as advertisements or navigation pages.
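As an added worked example (not code from the patent or its applicant), the Python program below implements the method summarized above with the unit layout of the device and system: capture, domain-count statistics, threshold plus verification by page similarity or by a jump instruction in the page code, then detection against the saved hijack IPs. The captured requests, IP addresses, page bodies, thresholds and jump-code patterns are all constructed or assumed; the shared-hosting IP in the sample shows why the domain-count statistic alone is not enough and the verification step is needed.

```python
"""Added worked example of the pipeline the patent describes (not the patent's code):
count distinct domains per IP from captured HTTP requests, verify IPs that reach a
threshold against their server response (similarity to a known hijack page or a
jump/redirect instruction in the page code), then flag requests to verified IPs.
All traffic, IPs, page bodies, thresholds and jump-code patterns below are
constructed or assumed; the patent specifies none of them."""
import difflib
import re
from collections import defaultdict

# Constructed capture: (Host header, destination IP) taken from HTTP requests.
CAPTURED_REQUESTS = [
    ("news.example", "198.51.100.10"),
    ("mistyped-1.example", "203.0.113.7"),  # non-existent names all answered
    ("mistyped-2.example", "203.0.113.7"),  # with the same "black hole" IP
    ("mistyped-3.example", "203.0.113.7"),
    ("a.tenant.example", "192.0.2.50"),     # legitimate shared hosting / CDN
    ("b.tenant.example", "192.0.2.50"),     # edge: many domains, one IP
    ("c.tenant.example", "192.0.2.50"),
]

# Constructed bodies returned by GET / at each candidate IP.
HIJACK_BODY = ("<html><head><title>Search</title><script>window.location.href="
               "'http://nav.example/?q=';</script></head><body>Did you mean? "
               "Sponsored results ...</body></html>")
SERVER_RESPONSES = {
    "203.0.113.7": HIJACK_BODY,
    "192.0.2.50": "<html><head><title>Tenant site</title></head>"
                  "<body>Welcome to our store. Catalogue, cart, checkout.</body></html>",
}
# Constructed: a landing page already known to belong to a hijack IP (same template,
# different query string, so the similarity check has something non-trivial to do).
KNOWN_HIJACK_PAGE = HIJACK_BODY.replace("?q=", "?q=&src=dns")

# Assumed "jump instruction" patterns; the patent does not enumerate any.
JUMP_CODE_RE = re.compile(
    r"window\.location|location\.(href|replace)|http-equiv=\W*refresh", re.I)
DOMAIN_COUNT_THRESHOLD = 3   # distinct domains per IP before it is a candidate
SIMILARITY_THRESHOLD = 0.8   # difflib ratio treated as "same hijack page"


def domains_per_ip(requests):
    """Steps 1/2: map each IP to the set of distinct domains seen resolving to it."""
    mapping = defaultdict(set)
    for domain, ip in requests:
        mapping[ip].add(domain.lower())
    return mapping

def candidate_ips(mapping, threshold=DOMAIN_COUNT_THRESHOLD):
    """IPs whose distinct-domain count reaches the threshold. Shared hosting and
    CDN edges also qualify, which is why the verification step below exists."""
    return {ip for ip, doms in mapping.items() if len(doms) >= threshold}

def strip_html(html):
    """Lower-cased text only, so markup differences do not skew the similarity."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip().lower()

def verify_by_similarity(body, known=KNOWN_HIJACK_PAGE, threshold=SIMILARITY_THRESHOLD):
    """Verification mode 1: content similar to a known hijack landing page."""
    ratio = difflib.SequenceMatcher(None, strip_html(body), strip_html(known)).ratio()
    return ratio >= threshold

def verify_by_jump_code(body):
    """Verification mode 2: the page code contains a jump/redirect instruction."""
    return JUMP_CODE_RE.search(body) is not None

def build_hijack_ip_set(requests, responses):
    """Step 3: candidates passing either verification; unfetchable ones are dropped."""
    hijack = set()
    for ip in candidate_ips(domains_per_ip(requests)):
        body = responses.get(ip)
        if body is not None and (verify_by_similarity(body) or verify_by_jump_code(body)):
            hijack.add(ip)
    return hijack

def check_request(dest_ip, hijack_ips):
    """Step 4: True if the current request's destination IP is a saved hijack IP."""
    return dest_ip in hijack_ips


if __name__ == "__main__":
    hijack_ips = build_hijack_ip_set(CAPTURED_REQUESTS, SERVER_RESPONSES)
    print("hijack IPs:", sorted(hijack_ips))   # ['203.0.113.7']
    for ip in ("203.0.113.7", "192.0.2.50", "198.51.100.10"):
        print(ip, "hijacked" if check_request(ip, hijack_ips) else "ok")
```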
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by software plus the necessary general-purpose hardware platform. Based on this understanding, the part of the technical solution of the present invention that in essence contributes to the prior art can be embodied in the form of a software product. This computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments of the present invention or in some part of an embodiment.
Each embodiment in this specification is described in a progressive manner; for identical or similar parts the embodiments can be referred to one another, and each embodiment emphasizes its differences from the others. In particular, since the device and system embodiments are basically similar to the method embodiment, they are described relatively briefly, and the relevant parts can be found in the description of the method embodiment. The device and system embodiments described above are only schematic: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the present embodiment, which those of ordinary skill in the art can understand and implement without creative work.
The method, device and system for detecting DNS black-hole hijacking provided by the present invention have been described in detail above. Specific examples have been used herein to set forth the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art will make changes in the specific embodiments and the scope of application according to the idea of the present invention. In summary, this description should not be construed as limiting the present invention.

Claims (10)

1. A method for detecting DNS black-hole hijacking, comprising:
capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extracting the domain name and the IP address corresponding to the web page from the packets, and recording the correspondence between the domain name and the IP address;
performing statistics on the captured results to obtain the number of different domain names corresponding to the same IP address;
determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for carrying out DNS black-hole hijacking, and saving the determined IP addresses used for carrying out DNS black-hole hijacking;
when the user's web access request produces a current HTTP connection packet, extracting the IP address from that current HTTP connection packet;
if the extracted IP address appears among the saved IP addresses used for carrying out DNS black-hole hijacking, determining that the user's web access request has been subjected to DNS black-hole hijacking.
2. The method according to claim 1, wherein determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for carrying out DNS black-hole hijacking comprises:
taking the IP addresses whose number of corresponding different domain names satisfies a preset condition as IP addresses to be verified;
obtaining the server response information corresponding to the IP address to be verified;
verifying the IP address to be verified according to the server response information and, if the verification passes, determining the IP address to be verified as an IP address used for carrying out DNS black-hole hijacking.
3. The method according to claim 2, wherein the server response information comprises a web content packet, and verifying the IP address to be verified according to the server response information comprises:
extracting the web page content from the web content packet corresponding to the IP address to be verified, comparing the extracted web page content with the web page content corresponding to an IP address known to be used for carrying out DNS black-hole hijacking, and passing the verification if the similarity reaches a preset threshold.
4. The method according to claim 2, wherein the server response information comprises web page code, and verifying the IP address to be verified according to the server response information comprises:
judging whether the web page code comprises a preset key code, and passing the verification if it does.
5. The method according to claim 4, characterized in that the preset key code comprises a jump instruction code.
6. A device for detecting DNS black-hole hijacking, comprising:
a capture unit, configured to capture the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extract the domain name and the IP address corresponding to the web page from the packets, and record the correspondence between the domain name and the IP address;
a statistics unit, configured to perform statistics on the captured results and obtain the number of different domain names corresponding to the same IP address;
a hijack IP address determining unit, configured to determine, according to the number of different domain names corresponding to the same IP address, the IP addresses used for carrying out DNS black-hole hijacking, and to save the determined IP addresses used for carrying out DNS black-hole hijacking;
an IP address extraction unit, configured to extract the IP address from the current HTTP connection packet when the user's web access request produces that packet;
a detecting unit, configured to determine that the user's web access request has been subjected to DNS black-hole hijacking if the extracted IP address appears among the saved IP addresses used for carrying out DNS black-hole hijacking.
7. The device according to claim 6, wherein the hijack IP address determining unit comprises:
an extraction subunit, configured to take the IP addresses whose number of corresponding different domain names reaches a preset threshold as IP addresses to be verified;
a response information acquisition subunit, configured to obtain the server response information corresponding to the IP address to be verified;
a verification subunit, configured to verify the IP address to be verified according to the server response information and, if the verification passes, to determine the IP address to be verified as an IP address used for carrying out DNS black-hole hijacking.
8. The device according to claim 7, wherein the server response information comprises a web content packet, and the verification subunit comprises:
a first verification subunit, configured to extract the web page content from the web content packet corresponding to the IP address to be verified and compare it with the web page content corresponding to an IP address known to be used for carrying out DNS black-hole hijacking; if the similarity reaches a preset threshold, the verification passes.
9. The device according to claim 7, wherein the server response information comprises web page code, and the verification subunit comprises:
a second verification subunit, configured to judge whether the web page code comprises a preset key code; if it does, the verification passes.
10. A system for detecting DNS black-hole hijacking, comprising a server end and a client, wherein the server end comprises:
a capture unit, configured to capture the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extract the domain name and the IP address corresponding to the web page from the packets, and record the correspondence between the domain name and the IP address;
a statistics unit, configured to perform statistics on the captured results and obtain the number of different domain names corresponding to the same IP address;
a hijack IP address determining unit, configured to determine, according to the number of different domain names corresponding to the same IP address, the IP addresses used for carrying out DNS black-hole hijacking, and to save the determined IP addresses used for carrying out DNS black-hole hijacking;
the client comprises:
an IP address extraction unit, configured to extract the IP address from the current HTTP connection packet when the user's web access request produces that packet;
an uploading unit, configured to upload the extracted IP address to the server end;
the server end also comprises:
a detecting unit, configured to determine that the user's web access request has been subjected to DNS black-hole hijacking if the extracted IP address appears among the saved IP addresses used for carrying out DNS black-hole hijacking.
CN201210300947.5A 2012-08-22 2012-08-22 Method, device and system for detecting domain name system (DNS) black hole hijack Active CN102868773B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210300947.5A CN102868773B (en) 2012-08-22 2012-08-22 Method, device and system for detecting domain name system (DNS) black hole hijack
Publications (2)

Publication Number Publication Date
CN102868773A true CN102868773A (en) 2013-01-09
CN102868773B CN102868773B (en) 2015-04-15

Family

ID=47447358

Country Status (1)

Country Link
CN (1) CN102868773B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561120A (en) * 2013-10-08 2014-02-05 北京奇虎科技有限公司 Method and device for detecting suspicious DNS and method and system for processing suspicious DNS
CN103634422A (en) * 2013-11-29 2014-03-12 北京奇虎科技有限公司 IP (Internet Protocol) address recognition method and device for CDN (Content Distribution Network) source station
CN104065762A (en) * 2014-05-30 2014-09-24 小米科技有限责任公司 Method and device for detecting hijacking of DNS (Domain Name Server)
CN104486140A (en) * 2014-11-28 2015-04-01 华北电力大学 Device and method for detecting hijacking of web page
CN104506525A (en) * 2014-12-22 2015-04-08 北京奇虎科技有限公司 Method for preventing malicious grabbing and protection device
CN105323210A (en) * 2014-06-10 2016-02-10 腾讯科技(深圳)有限公司 Method, apparatus and cloud server for detecting website security
CN106330849A (en) * 2015-07-07 2017-01-11 安恒通(北京)科技有限公司 Method and device for preventing domain name hijack
CN106411819A (en) * 2015-07-30 2017-02-15 阿里巴巴集团控股有限公司 Method and apparatus for recognizing proxy Internet protocol address
US20180007088A1 (en) * 2016-06-29 2018-01-04 AVAST Software s.r.o. Detection of domain name system hijacking
CN111526129A (en) * 2020-04-01 2020-08-11 五八有限公司 Information reporting method and device
CN114168945A (en) * 2021-12-09 2022-03-11 绿盟科技集团股份有限公司 Method and device for detecting potential risk of sub-domain name

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101815105A (en) * 2010-03-25 2010-08-25 上海交通大学 Domain name resolution service system with intelligent buffer and service method thereof
CN102082836A (en) * 2009-11-30 2011-06-01 中国移动通信集团四川有限公司 DNS (Domain Name Server) safety monitoring system and method
CN102255778A (en) * 2011-09-06 2011-11-23 网宿科技股份有限公司 Anti-hijacking domain name authorization monitoring system
CN102271168A (en) * 2011-09-14 2011-12-07 吴兴利 Method of shielding and hijacking internet popup window by modifying approach of DNS (domain name system) replying IP (internet protocol)
CN102571770A (en) * 2011-12-27 2012-07-11 北京神州绿盟信息安全科技股份有限公司 Man-in-the-middle attack detection method, device, server and system

Also Published As

Publication number Publication date
CN102868773B (en) 2015-04-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20220413
Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.