CN109257373A - Domain hijacking identification method, apparatus and system - Google Patents

Info

Publication number: CN109257373A
Authority: CN (China)
Prior art keywords: domain, network, hijacking, name, detected
Legal status: Granted (Active)
Application number: CN201811282673.5A
Other languages: Chinese (zh)
Other versions: CN109257373B (en)
Inventor: 江沛合
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by: Tencent Technology Shenzhen Co Ltd
Priority to: CN201811282673.5A
Publication of CN109257373A; application granted; publication of CN109257373B

Classifications

    All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/1466 Network security: countermeasures against malicious traffic; active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories and standardised directory access protocols, using domain name system [DNS]
    • H04L9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Abstract

The invention discloses a domain hijacking identification method, apparatus and system. The method comprises: receiving the Internet Protocol (IP) address of the domain name server corresponding to a network to be detected, sent by a client; querying whether the IP address of that domain name server exists in a domain hijacking IP address library, the library including the IP addresses of domain name servers hijacked in historical domain hijacking events; when the query result is yes, determining that domain hijacking exists in the network to be detected; when the query result is no, sending a domain hijacking identification instruction to the client, so that the client performs a domain hijacking identification operation in response to the instruction and determines, based on the result of that operation, whether domain hijacking exists in the network to be detected. The technical solution provided by the invention can effectively identify domain hijacking and improve network communication security.

Description

Domain hijacking identification method, apparatus and system
Technical field
The present invention relates to the field of Internet communication technology, and in particular to a domain hijacking identification method, apparatus and system.
Background
With the development and spread of the Internet, the ways in which terminal devices access networks have multiplied and improved, for example 2G, 3G and 4G mobile networks and Wi-Fi wireless networks. However, various Internet attacks are frequently encountered during network communication, including domain hijacking. Domain hijacking attacks a DNS (Domain Name System) server, or forges DNS, so that the domain name of a target website resolves to a wrong address and the target website cannot be accessed.
On the one hand, domain hijacking affects the user's online experience: the user is led to a counterfeit website and cannot browse the target web page normally. On the other hand, the user may be lured into logging in or performing other operations on the counterfeit website, which leaks the user's private data. Especially for websites with a large user base, the harmful effect keeps growing after the domain name is hijacked. A reliable and effective domain hijacking identification scheme is therefore needed to guarantee network communication security.
Summary of the invention
The present invention provides a domain hijacking identification method, apparatus and system that can effectively identify domain hijacking and improve network communication security.
In a first aspect, the present invention provides a domain hijacking identification method, the method comprising:
receiving the Internet Protocol (IP) address of the domain name server corresponding to a network to be detected, sent by a client;
querying whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events;
when the query result is yes, determining that domain hijacking exists in the network to be detected;
when the query result is no, sending a domain hijacking identification instruction to the client, so that the client performs a domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
A second aspect provides a domain hijacking identification apparatus, the apparatus comprising:
a network protocol address receiving module, configured to receive the IP address of the domain name server corresponding to a network to be detected, sent by a client;
a data query module, configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events;
a first domain hijacking determining module, configured to determine that domain hijacking exists in the network to be detected when the result of the query by the data query module is yes;
a domain hijacking identification instruction sending module, configured to send a domain hijacking identification instruction to the client when the result of the query by the data query module is no, so that the client performs a domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
A third aspect provides a domain hijacking identification server. The server includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method of the first aspect.
In a fourth aspect, the present invention provides a domain hijacking identification method, the method comprising:
sending the IP address of the domain name server corresponding to a network to be detected to a server;
receiving a domain hijacking identification instruction sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events;
performing a domain hijacking identification operation in response to the domain hijacking identification instruction, and determining, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
A fifth aspect provides a domain hijacking identification apparatus, the apparatus comprising:
a first network protocol address sending module, configured to send the IP address of the domain name server corresponding to a network to be detected to a server;
a domain hijacking identification instruction receiving module, configured to receive the domain hijacking identification instruction sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events;
a third domain hijacking determining module, configured to perform a domain hijacking identification operation in response to the domain hijacking identification instruction and to determine, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
A sixth aspect provides a domain hijacking identification client. The client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method of the fourth aspect.
In a seventh aspect, the present invention provides a domain hijacking identification method, the method comprising:
sending the IP address of the domain name server corresponding to a network to be detected to a server;
receiving a website signing certificate acquisition request sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events;
sending to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website, so that the server accesses the second website based on its domain name, obtains a second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
An eighth aspect provides a domain hijacking identification apparatus, the apparatus comprising:
a second network protocol address sending module, configured to send the IP address of the domain name server corresponding to a network to be detected to a server;
a certificate acquisition request receiving module, configured to receive the website signing certificate acquisition request sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events;
a data sending module, configured to send to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website, so that the server accesses the second website based on its domain name, obtains a second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
A ninth aspect provides a domain hijacking identification client. The client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method of the seventh aspect.
A tenth aspect provides a domain hijacking identification system, the system comprising a client and a server;
the client is configured to send the IP address of the domain name server corresponding to a network to be detected to the server; and to perform a domain hijacking identification operation in response to a domain hijacking identification instruction sent by the server, and determine, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected;
the server is configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events; to determine that domain hijacking exists in the network to be detected when the query result is yes; and to send a domain hijacking identification instruction to the client when the query result is no.
An eleventh aspect provides a domain hijacking identification system, the system comprising a client and a server;
the client is configured to send the IP address of the domain name server corresponding to a network to be detected to the server; and to send to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website;
the server is configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events; to determine that domain hijacking exists in the network to be detected when the query result is yes; to send a website signing certificate acquisition request to the client when the query result is no; and to access the second website based on its domain name, obtain a second signing certificate of the second website, and determine whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
The domain hijacking identification method, apparatus and system provided by the invention have the following technical effects:
The invention enables the server and the client to identify domain hijacking jointly, which improves the recognition rate of domain hijacking in network communication, avoids risks such as leakage of the user's sensitive information and theft of property, and improves network communication security.
Description of the drawings
To explain the technical solutions and advantages of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a service system provided by an embodiment of the invention;
Fig. 2 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention;
Fig. 3 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 4 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 5 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 6 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention;
Fig. 7 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention;
Fig. 8 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 9 is a structural diagram of a domain hijacking identification apparatus provided by an embodiment of the invention;
Fig. 10 is a structural diagram of another domain hijacking identification apparatus provided by an embodiment of the invention;
Fig. 11 is a structural diagram of another domain hijacking identification apparatus provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
It should be noted that the terms "first", "second" and so on in the description, the claims and the drawings are used to distinguish similar objects and not to describe a particular order or sequence. Data used in this way are interchangeable where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or server that contains a series of steps or units is not limited to the steps or units explicitly listed, and may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Referring to Fig. 1, Fig. 1 is a schematic diagram of a service system provided by an embodiment of the invention. As shown in Fig. 1, the service system may include a client 01 and a server 02.
Specifically, the client 01 may include physical devices such as smartphones, desktop computers, tablet computers, laptops, digital assistants and smart wearable devices, and may also include software running on a physical device, such as a web page that a service provider offers to users or an application that a service provider offers to users.
Specifically, in the embodiments of this specification the server 02 may include an independently operating server, a distributed server, or a server cluster composed of multiple servers. The server 02 may include a network communication unit, a processor, a memory and so on. Specifically, the server 02 can provide background services for the client.
In practice, the client 01 and the server 02 communicate over a network: a network connection is first established between them, after which they can communicate. During network communication, when the client cannot convert a domain name to an IP (Internet Protocol) address from its local cache, it obtains the address of the local domain name server from the network parameters configured on its terminal, and then sends the domain name to the local domain name server for resolution to obtain the corresponding IP address.
When domain names are resolved through a domain name server in this way and the domain name server is hijacked, the user obtains a false IP address, which usually creates risks such as leakage of the user's sensitive information and theft of property. In the embodiments of this specification, domain hijacking can be identified effectively in order to secure the user's network communication and avoid those risks.
A specific embodiment of the domain hijacking identification method of the invention is introduced below. Fig. 2 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention. This specification provides the method steps as described in the embodiments or flow diagrams, but more or fewer steps may be included on the basis of routine, non-creative work. The order of steps listed in the embodiments is only one of many possible execution orders and is not the only one. When an actual system or server product executes the method, the steps may be executed in the order shown in the embodiments or drawings, or in parallel (for example in a parallel-processor or multi-threaded environment). Specifically, as shown in Fig. 2, the method may include:
S201: the client sends the IP address of the domain name server corresponding to the network to be detected to the server.
In the embodiments of this specification, the network to be detected may include the network used for communication between the client and the server. The client can obtain the address of the local domain name server from the network parameters configured on its terminal; accordingly, the client can send the IP address of the domain name server corresponding to the network to be detected to the server.
S203: the server queries whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, the domain hijacking IP address library including the IP addresses of domain name servers hijacked in historical domain hijacking events.
In the embodiments of this specification, the server side can maintain a domain hijacking IP address library, which may include the IP addresses of domain name servers hijacked in historical domain hijacking events. Specifically, the historical domain hijacking events may be events that occurred in the system where the server is located, and may also include events that occurred in other systems.
Specifically, after the server receives the IP address of the domain name server corresponding to the network to be detected, it can query whether that IP address exists in the domain hijacking IP address library.
S205: when the query result is yes, the server determines that domain hijacking exists in the network to be detected.
In the embodiments of this specification, when step S203 finds the IP address of the domain name server corresponding to the network to be detected in the domain hijacking IP address library, it can be determined that domain hijacking exists in the network to be detected.
S207: when the query result is no, the server sends a domain hijacking identification instruction to the client.
In the embodiments of this specification, the domain hijacking identification instruction can be a trigger instruction, sent by the server to the client, that causes the client to perform domain hijacking identification.
Specifically, the domain hijacking identification instruction may include a preset fake domain name. In the embodiments of this specification, the preset fake domain name can be a non-existent domain name set according to certain rules. Accordingly, the domain hijacking identification instruction can be a trigger instruction to perform domain hijacking identification based on whether the website corresponding to the preset fake domain name can be accessed normally.
Specifically, the domain hijacking identification instruction may include the domain name of a preset access website and verification information. The preset access website may be any website that really exists, and the verification information may include the true access information of the preset access website. Accordingly, the domain hijacking identification instruction can be a trigger instruction to perform domain hijacking identification based on whether the access information returned when accessing the preset access website is consistent with the verification information.
Specifically, the domain hijacking identification instruction may include a network protocol redirection instruction. The network protocol redirection instruction may cover the case in which the website accessed by the client communicates over HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), that is, the website needs to be accessed over HTTPS: the website is accessed over HTTP (HyperText Transfer Protocol), and domain hijacking identification is triggered based on whether the access is redirected to HTTPS during that process.
S209: the client performs a domain hijacking identification operation in response to the domain hijacking identification instruction, and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
In this specification embodiment, when the result of step S203 inquiry is no, that is, inquire in Domain Hijacking IP address library There is no the IP address of name server corresponding to the network to be detected.Correspondingly, can be in conjunction with the domain name of client-side Identification operation is kidnapped to detect network to be detected with the presence or absence of Domain Hijacking risk.
In a specific embodiment, when the domain hijacking identification instruction includes a preset false domain name, the step in which the client executes the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the operation, whether domain hijacking exists in the network to be detected includes:
In response to the domain hijacking identification instruction that includes the preset false domain name, the client detects whether the website corresponding to the preset false domain name can be accessed normally;
When it is detected that the website corresponding to the preset false domain name can be accessed normally, the client determines that domain hijacking exists in the network to be detected.
In the embodiments of this specification, the domain hijacking identification operation may include accessing the website corresponding to the preset false domain name. Accordingly, when the client is able to access the website corresponding to the preset false domain name, which does not exist, it can be determined that domain hijacking exists in the network to be detected, and the client-side connection to the network to be detected can then be disconnected.
In addition, it should be noted that, in the embodiments of this specification, the preset false domain name may be issued to the client through cloud control.
In another specific embodiment, when the domain hijacking identification instruction includes the domain name of a preset access website and verification information, the step in which the client executes the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the operation, whether domain hijacking exists in the network to be detected includes:
In response to the domain hijacking identification instruction that includes the domain name of the preset access website and the verification information, the client accesses the preset access website according to its domain name and detects whether the access information returned by the preset access website is consistent with the verification information;
Wherein, when it is detected that the access information returned by the preset access website is inconsistent with the verification information, the client determines that domain hijacking exists in the network to be detected.
In the embodiments of this specification, the domain hijacking identification operation may include accessing the preset access website according to the domain name of the preset access website. Whether domain hijacking exists in the network to be detected is then determined according to whether the access information returned by the preset access website is consistent with the verification information; when the access information returned by the preset access website is inconsistent with the verification information, it can be determined that domain hijacking exists in the network to be detected.
In addition, it should be noted that, in the embodiments of this specification, the domain name of the preset access website and the verification information may be issued to the client through cloud control.
In another specific embodiment, when the domain hijacking identification instruction includes a network protocol redirection instruction, the step of executing the domain hijacking identification operation in response to the domain hijacking identification instruction and determining, based on the result of the operation, whether domain hijacking exists in the network to be detected includes:
In response to the network protocol redirection instruction sent to the client in the network to be detected, judging whether the first website being accessed is accessed with the network protocol https;
When the result of the judgment is yes, accessing the first website by hypertext transfer protocol (http) and detecting whether the access is redirected to https during the access process;
Wherein, when it is detected that the access is not redirected to https during the access process, it is determined that domain hijacking exists in the network to be detected.
In the embodiments of this specification, the first website may include any website that the client accesses with https in the network to be detected. The domain hijacking identification operation may include accessing, by http, a website that uses https for network communication. Whether domain hijacking exists in the network to be detected is then determined according to whether the access is redirected to https during the access process. In practical applications, a website that is meant to be accessed through the network protocol https will usually redirect an http access to https; accordingly, when the access is not redirected to https during the access process, it can be determined that domain hijacking exists in the network to be detected.
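The three client-side identification operations described above (preset false domain name, verification information, and http-to-https redirection) can be sketched as follows. This is an added example, not code from the patent: the instruction dictionary layout, the `Verdict` names, the injected `fetch` transport, the `INCONCLUSIVE` outcome for an unreachable site, and all domain names and tokens are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    CLEAN = "no domain hijacking detected"
    HIJACKED = "domain hijacking"
    INCONCLUSIVE = "inconclusive"  # assumption: the page does not define this case


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None  # Location header of a redirect, if any


# fetch(url) returns a Response, or None when the name does not resolve or
# the connection fails. Hypothetical transport, injected so the checks run offline.
Fetch = Callable[[str], Optional[Response]]


def check_false_domain(fetch: Fetch, false_domain: str) -> Verdict:
    """A preset false domain has no website behind it, so a normal
    response means the resolver answered for a name that does not exist."""
    resp = fetch(f"http://{false_domain}/")
    reachable = resp is not None and 200 <= resp.status < 400
    return Verdict.HIJACKED if reachable else Verdict.CLEAN


def check_verification(fetch: Fetch, domain: str, verification_info: str) -> Verdict:
    """Compare what the preset access website returns with the verification
    information that was issued together with its domain name."""
    resp = fetch(f"http://{domain}/")
    if resp is None:
        return Verdict.INCONCLUSIVE
    return Verdict.CLEAN if resp.body == verification_info else Verdict.HIJACKED


def check_https_redirect(fetch: Fetch, site_url: str) -> Verdict:
    """Only a site the client accesses with https qualifies as the first
    website; it is then requested over http and must redirect to https."""
    if not site_url.lower().startswith("https://"):
        return Verdict.INCONCLUSIVE
    resp = fetch("http://" + site_url[len("https://"):])
    if resp is None:
        return Verdict.INCONCLUSIVE
    redirected = (resp.status in (301, 302, 303, 307, 308)
                  and (resp.location or "").lower().startswith("https://"))
    return Verdict.CLEAN if redirected else Verdict.HIJACKED


def run_instruction(fetch: Fetch, instruction: Dict[str, str]) -> Verdict:
    """Dispatch one domain hijacking identification instruction."""
    kind = instruction["type"]
    if kind == "false_domain":
        return check_false_domain(fetch, instruction["domain"])
    if kind == "verify":
        return check_verification(fetch, instruction["domain"],
                                  instruction["verification_info"])
    if kind == "https_redirect":
        return check_https_redirect(fetch, instruction["site"])
    raise ValueError(f"unknown instruction type: {kind}")


# Constructed sample data: what a clean network returns for each URL.
CLEAN_NET = {
    "http://check.example.com/": Response(200, "token-4f2a"),
    "http://shop.example.com/": Response(301, "", "https://shop.example.com/"),
}


def clean_fetch(url: str) -> Optional[Response]:
    return CLEAN_NET.get(url)  # unknown names do not resolve


def hijacked_fetch(url: str) -> Optional[Response]:
    # Constructed hijacked network: every name, existing or not, lands on
    # one server that answers over plain http and never redirects.
    return Response(200, "<html>sign in</html>")


# Constructed instructions, as they might be issued through cloud control.
INSTRUCTIONS = [
    {"type": "false_domain", "domain": "no-such-site.invalid"},
    {"type": "verify", "domain": "check.example.com",
     "verification_info": "token-4f2a"},
    {"type": "https_redirect", "site": "https://shop.example.com/"},
]


def identify(fetch: Fetch) -> List[Verdict]:
    return [run_instruction(fetch, ins) for ins in INSTRUCTIONS]


if __name__ == "__main__":
    for name, fetch in (("clean", clean_fetch), ("hijacked", hijacked_fetch)):
        print(name, [v.name for v in identify(fetch)])
```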
In some embodiments, as shown in Fig. 3, after the server determines that domain hijacking exists in the network to be detected, the method may further include:
S211: The server sends domain hijacking prompt information to the client.
In the embodiments of this specification, after the server determines that domain hijacking exists in the network to be detected, the server may send domain hijacking prompt information to the client, so that the user can subsequently disconnect the client from the network to be detected.
As can be seen from the technical solutions provided by the above embodiments of this specification, a domain hijacking IP address library is maintained in the server. After receiving the IP address of the domain name server corresponding to the network to be detected sent by the client, the server can carry out server-side domain hijacking identification by querying whether that IP address exists in the domain hijacking IP address library. Accordingly, when the IP address of the domain name server corresponding to the network to be detected is found in the domain hijacking IP address library, it can be determined that domain hijacking exists in the network to be detected. When that IP address is not found in the domain hijacking IP address library, the server can send a domain hijacking identification instruction to the client; the client then executes the domain hijacking identification operation in response to the instruction and determines, based on the result of the operation, whether domain hijacking exists in the network to be detected. With the technical solutions provided by the embodiments of this specification, the server and the client identify domain hijacking jointly, which improves the recognition rate of domain hijacking in network communication, avoids risks such as leakage of the user's sensitive information and theft of property, and improves network communication security.
A specific embodiment of another domain hijacking identification method of the present invention is introduced below. Fig. 4 is a flow diagram of another domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiment or flowchart, but more or fewer operation steps may be included on the basis of routine work or work involving no inventive effort. The order of the steps listed in the embodiment is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiment or the method shown in the drawings (for example, in an environment with parallel processors or multi-threaded processing). Specifically, as shown in Fig. 4, the method may include:
S401: The client sends the IP address of the domain name server corresponding to the network to be detected to the server.
S403: The server queries whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library.
Specifically, the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events.
S405: When the result of the query is yes, the server determines that domain hijacking exists in the network to be detected.
S407: When the result of the query is no, the server sends a website signing certificate acquisition request to the client.
S409: The client sends the first signing certificate obtained by accessing the second website, together with the domain name of the second website, to the server.
In the embodiments of this specification, the second website may include any website that the client accesses in the network to be detected. In practical applications, the first signing certificate may include the website signing certificate that the client obtains by accessing a website, or may include the signing certificate obtained after encrypting the website signing certificate that the client obtains by accessing a website. Specifically, the encryption method used here may be one agreed between the server and the client, so that the server can decrypt it and obtain the original signing certificate. Specifically, the encryption may include, but is not limited to, encryption using the message digest algorithm MD5 (Message-Digest Algorithm).
S411: The server accesses the second website based on the domain name of the second website and obtains the second signing certificate of the second website.
In the embodiments of this specification, the second signing certificate may be the signing certificate of the second website that the server obtains by accessing the second website based on its domain name. Specifically, the server can determine the IP address of the second website from the domain name of the second website and then access the second website.
S413: The server judges whether the first signing certificate and the second signing certificate are consistent.
S415: When the result of the judgment is no, the server determines that domain hijacking exists in the network to be detected.
In practical applications, if the domain name server corresponding to the current network to be detected has not been hijacked, the client and the server obtain the same IP address for the same domain name from their domain name servers. Conversely, if the domain name server corresponding to the current network to be detected has been hijacked, the IP addresses that the client and the server obtain for the same domain name may differ; accordingly, the signing certificates obtained after accessing the websites at those IP addresses are inconsistent.
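The flow of steps S401 to S415, library lookup first and certificate comparison only on a miss, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the verdict strings, the `inconclusive` outcome, and the constructed certificate bytes and documentation-range IP addresses are assumptions, and the comparison uses SHA-256 fingerprints of the certificate bytes rather than the MD5 scheme the text mentions.

```python
import hashlib
import ipaddress
from typing import Callable, Iterable, Optional

# domain -> certificate bytes as seen from one vantage point, or None
CertFetcher = Callable[[str], Optional[bytes]]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes (the example's choice)."""
    return hashlib.sha256(cert_der).hexdigest()


class HijackServer:
    """Server side: domain hijacking IP address library plus a trusted
    path for fetching the second signing certificate."""

    def __init__(self, hijacked_dns_ips: Iterable[str], fetch_cert: CertFetcher):
        # Parse once so that textual variants of one address compare equal.
        self.library = {ipaddress.ip_address(ip) for ip in hijacked_dns_ips}
        self.fetch_cert = fetch_cert

    def check_dns_ip(self, dns_ip: str) -> str:
        """S403-S407: look the reported DNS server up in the library."""
        if ipaddress.ip_address(dns_ip.strip()) in self.library:
            return "hijacked"
        return "request_certificate"

    def check_certificate(self, domain: str, first_fp: str) -> str:
        """S411-S415: fetch the second certificate and compare."""
        second = self.fetch_cert(domain)
        if second is None:
            return "inconclusive"  # assumption: the server could not reach the site
        return "clean" if fingerprint(second) == first_fp.lower() else "hijacked"


def client_detect(server: HijackServer, dns_ip: str, domain: str,
                  fetch_cert_on_network: CertFetcher) -> str:
    """Client side: S401 (report the DNS server IP) and S409 (send the first
    signing certificate's fingerprint and the domain name on request)."""
    step = server.check_dns_ip(dns_ip)
    if step != "request_certificate":
        return step
    first = fetch_cert_on_network(domain)
    if first is None:
        return "inconclusive"
    return server.check_certificate(domain, fingerprint(first))


# Constructed sample data (not real certificates or real hijacked resolvers).
GENUINE = b"constructed DER bytes: genuine certificate for shop.example.com"
FORGED = b"constructed DER bytes: certificate served at the hijacked address"


def trusted_view(domain: str) -> Optional[bytes]:
    return GENUINE if domain == "shop.example.com" else None


def hijacked_view(domain: str) -> Optional[bytes]:
    return FORGED  # every name resolves to the same substitute server


SERVER = HijackServer(["203.0.113.53", "2001:db8::53"], trusted_view)

if __name__ == "__main__":
    print(client_detect(SERVER, "203.0.113.53", "shop.example.com", trusted_view))
    print(client_detect(SERVER, "192.0.2.1", "shop.example.com", trusted_view))
    print(client_detect(SERVER, "192.0.2.1", "shop.example.com", hijacked_view))
```

A site that legitimately serves different certificates from different locations would also produce a mismatch here, so the second stage is only as reliable as the assumption that both vantage points should see the same certificate.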
In some embodiments, as shown in Fig. 5, after it is determined that domain hijacking exists in the network to be detected, the method may further include:
S417: The server sends domain hijacking prompt information to the client.
As can be seen from the technical solutions provided by the above embodiments of this specification, a domain hijacking IP address library is maintained in the server. After receiving the IP address of the domain name server corresponding to the network to be detected sent by the client, the server can carry out server-side domain hijacking identification by querying whether that IP address exists in the domain hijacking IP address library. Accordingly, when the IP address of the domain name server corresponding to the network to be detected is found in the domain hijacking IP address library, it can be determined that domain hijacking exists in the network to be detected. When that IP address is not found in the domain hijacking IP address library, the server can send a website signing certificate acquisition request to the client. The client then sends the first signing certificate obtained by accessing a website, together with the domain name of that website, to the server; the server accesses the website based on its domain name and obtains the second signing certificate of the website. Server-side domain hijacking identification is then carried out by judging whether the first signing certificate and the second signing certificate are consistent; when the result of the judgment is no, the server can determine that domain hijacking exists in the network to be detected. With the technical solutions provided by the embodiments of this specification, the server and the client identify domain hijacking jointly, which improves the recognition rate of domain hijacking in network communication and improves network communication security.
A specific embodiment of a domain hijacking identification method of this specification is introduced below with the server as the executing subject. Fig. 6 is a flow diagram of a domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiment or flowchart, but more or fewer operation steps may be included on the basis of routine work or work involving no inventive effort. The order of the steps listed in the embodiment is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiment or the method shown in the drawings (for example, in an environment with parallel processors or multi-threaded processing). Specifically, as shown in Fig. 6, the method may include:
S601: Receiving the network protocol IP address, sent by the client, of the domain name server corresponding to the network to be detected.
S603: Querying whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, where the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
S605: When the result of the query is yes, determining that domain hijacking exists in the network to be detected;
S607: When the result of the query is no, sending a domain hijacking identification instruction to the client, so that the client executes a domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
An embodiment of the present invention also provides a domain hijacking identification server. The domain hijacking identification server includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
A specific embodiment of a domain hijacking identification method of this specification is introduced below with the client as the executing subject. Fig. 7 is a flow diagram of a domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiment or flowchart, but more or fewer operation steps may be included on the basis of routine work or work involving no inventive effort. The order of the steps listed in the embodiment is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiment or the method shown in the drawings (for example, in an environment with parallel processors or multi-threaded processing). Specifically, as shown in Fig. 7, the method may include:
S701: Sending the IP address of the domain name server corresponding to the network to be detected to the server.
S703: When the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, receiving the domain hijacking identification instruction sent by the server; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
S705: Executing a domain hijacking identification operation in response to the domain hijacking identification instruction, and determining, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
An embodiment of the present invention also provides a domain hijacking identification client. The domain hijacking identification client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
A specific embodiment of another domain hijacking identification method of this specification is introduced below with the client as the executing subject. Fig. 8 is a flow diagram of a domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiment or flowchart, but more or fewer operation steps may be included on the basis of routine work or work involving no inventive effort. The order of the steps listed in the embodiment is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiment or the method shown in the drawings (for example, in an environment with parallel processors or multi-threaded processing). Specifically, as shown in Fig. 8, the method may include:
S801: Sending the network protocol IP address of the domain name server corresponding to the network to be detected to the server;
S803: When the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, receiving the website signing certificate acquisition request sent by the server; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
S805: Sending to the server the first signing certificate obtained by accessing the second website, together with the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains the second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
An embodiment of the present invention also provides a domain hijacking identification client. The domain hijacking identification client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
In the embodiments of this specification, the memory can be used to store software programs and modules, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area can store the operating system, the application programs required by functions, and the like, and the data storage area can store data created through use of the device, and the like. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device. Accordingly, the memory may also include a memory controller to provide the processor with access to the memory.
An embodiment of the present invention also provides a domain hijacking identification device. As shown in Fig. 9, the device includes:
An Internet protocol address receiving module 910, which can be used to receive the network protocol IP address, sent by the client, of the domain name server corresponding to the network to be detected;
A data query module 920, which can be used to query whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, where the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
A first domain hijacking determining module 930, which can be used to determine that domain hijacking exists in the network to be detected when the result of the query by the data query module is yes;
A domain hijacking identification instruction sending module 940, which can be used to send a domain hijacking identification instruction to the client when the result of the query by the data query module is no, so that the client executes a domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include a preset false domain name;
Accordingly, sending the domain hijacking identification instruction to the client, so that the client executes the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the operation, whether domain hijacking exists in the network to be detected, includes:
Sending to the client a domain hijacking identification instruction that includes the preset false domain name, so that the client determines whether domain hijacking exists in the network to be detected according to whether the website corresponding to the preset false domain name can be accessed normally;
Wherein, when the client can normally access the website corresponding to the preset false domain name, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include the domain name of a preset access website and verification information;
Accordingly, sending the domain hijacking identification instruction to the client, so that the client executes the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the operation, whether domain hijacking exists in the network to be detected, includes:
Sending to the client a domain hijacking identification instruction that includes the domain name of the preset access website and the verification information, so that the client accesses the preset access website according to its domain name and determines whether domain hijacking exists in the network to be detected according to whether the access information returned by the preset access website is consistent with the verification information;
Wherein, when the access information returned by the preset access website is inconsistent with the verification information, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include a network protocol redirection instruction;
Accordingly, sending the domain hijacking identification instruction to the client, so that the client executes the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the operation, whether domain hijacking exists in the network to be detected, includes:
Sending a network protocol redirection instruction to the client in the network to be detected, so that the client, in response to the network protocol redirection instruction and upon judging that the first website being accessed is accessed with the network protocol https, accesses the first website by hypertext transfer protocol (http) and determines whether domain hijacking exists in the network to be detected according to whether the access is redirected to https during the access process;
Wherein, when the access is not redirected to https during the access process, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the device may further include:
A certificate acquisition request module, used to send a website signing certificate acquisition request to the client when the result of the query by the data query module is no;
A data receiving module, used to receive the first signing certificate obtained by accessing the second website and the domain name of the second website, both sent by the client;
A certificate acquisition module, used to access the second website based on the domain name of the second website and obtain the second signing certificate of the second website;
A judgment module, used to judge whether the first signing certificate and the second signing certificate are consistent;
A second domain hijacking determining module, used to determine that domain hijacking exists in the network to be detected when the result of the judgment by the judgment module is no.
The device in this device embodiment and the method embodiments are based on the same inventive concept.
An embodiment of the present invention also provides another domain hijacking identification device. As shown in Fig. 10, the device includes:
A first network protocol address sending module 1010, which can be used to send the network protocol IP address of the domain name server corresponding to the network to be detected to the server;
A domain hijacking identification instruction receiving module 1020, which can be used to receive the domain hijacking identification instruction sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
A third domain hijacking determining module 1030, which can be used to execute a domain hijacking identification operation in response to the domain hijacking identification instruction and determine, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include a preset false domain name;
Accordingly, the third domain hijacking determining module 1030 may include:
A first domain hijacking determination unit, used to detect, in response to the domain hijacking identification instruction that includes the preset false domain name, whether the website corresponding to the preset false domain name can be accessed normally;
Wherein, when it is detected that the website corresponding to the preset false domain name can be accessed normally, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include the domain name of a preset access website and verification information;
Accordingly, the third domain hijacking determining module 1030 may include:
A second domain hijacking determination unit, used to access the preset access website according to its domain name, in response to the domain hijacking identification instruction that includes the domain name of the preset access website and the verification information, and to detect whether the access information returned by the preset access website is consistent with the verification information;
Wherein, when it is detected that the access information returned by the preset access website is inconsistent with the verification information, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include a network protocol redirection instruction;
Accordingly, the third domain hijacking determining module 1030 may include:
A third domain hijacking determination unit, used to judge, in response to the network protocol redirection instruction sent to the client in the network to be detected, whether the first website being accessed is accessed with the network protocol https and, when the result of the judgment is yes, to access the first website by hypertext transfer protocol (http) and detect whether the access is redirected to https during the access process;
Wherein, when it is detected that the access is not redirected to https during the access process, it is determined that domain hijacking exists in the network to be detected.
The device in this device embodiment and the method embodiments are based on the same inventive concept.
An embodiment of the present invention also provides another domain hijacking identification device. As shown in Fig. 11, the device includes:
A second Internet protocol address sending module 1110, which can be used to send the network protocol IP address of the domain name server corresponding to the network to be detected to the server;
A certificate acquisition request receiving module 1120, which can be used to receive the website signing certificate acquisition request sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
A data sending module 1130, which can be used to send to the server the first signing certificate obtained by accessing the second website, together with the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains the second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
The device in this device embodiment and the method embodiments are based on the same inventive concept.
An embodiment of the present invention also provides a storage medium. The storage medium may be arranged in a server to store at least one instruction, at least one program, a code set or an instruction set related to implementing a domain hijacking identification method of the method embodiments; the at least one instruction, at least one program, code set or instruction set is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
An embodiment of the present invention also provides a storage medium. The storage medium may be arranged in a client to store at least one instruction, at least one program, a code set or an instruction set related to implementing a domain hijacking identification method of the method embodiments; the at least one instruction, at least one program, code set or instruction set is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
Optionally, in this embodiment, the above storage medium may be located in at least one of a plurality of network servers of a computer network. Optionally, in this embodiment, the above storage medium may include, but is not limited to, various media that can store program code, such as a USB flash drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, or an optical disc.
The present invention further provides a domain name hijacking identification system, the system comprising a client and a server;
The client is configured to send the IP address of the domain name server corresponding to the network to be detected to the server; and to perform a domain name hijacking identification operation in response to the domain name hijacking identification instruction sent by the server, and determine, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected;
The server is configured to query whether the domain name hijacking IP address library contains the IP address of the domain name server corresponding to the network to be detected, the domain name hijacking IP address library including the IP addresses of domain name servers that were hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; and to send, when the query result is no, a domain name hijacking identification instruction to the client.
The present invention further provides a domain name hijacking identification system, the system comprising a client and a server;
The client is configured to send the IP address of the domain name server corresponding to the network to be detected to the server; and to send to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website;
The server is configured to query whether the domain name hijacking IP address library contains the IP address of the domain name server corresponding to the network to be detected, the domain name hijacking IP address library including the IP addresses of domain name servers that were hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; to send, when the query result is no, a website signing certificate acquisition request to the client; and to access the second website based on the domain name of the second website, obtain a second signing certificate of the second website, and determine whether domain name hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
As can be seen from the embodiments of the domain name hijacking identification method, device, server, client and system provided above, the present invention enables the server and the client to identify domain name hijacking jointly, which improves the recognition rate of domain name hijacking in network communication, avoids risks such as leakage of users' sensitive information and theft of property, and improves network communication security.
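The two-stage flow of the embodiments (library lookup on the server, then client-side probes and a server-side certificate comparison) can be sketched as follows. This is an added illustration, not code from the patent: the network is simulated so that it runs offline, every address, domain name and certificate byte string is constructed, and the SHA-256 digest used as "verification information" is an assumption. Running all four checks in one pass goes beyond the text, which presents them as separate forms of the identification step.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed sample data: RFC 5737 addresses and reserved .example/.invalid names.
HIJACK_IP_LIBRARY = frozenset({ipaddress.ip_address("203.0.113.53")})
FAKE_DOMAIN = "no-such-host-7f3a.invalid"   # preset false domain name
CHECK_SITE = "check.example"                # preset access website
CHECK_BODY = b"hijack-check-v1"             # content the genuine site returns
CHECK_DIGEST = hashlib.sha256(CHECK_BODY).hexdigest()  # assumed form of the verification information
HTTPS_SITE = "shop.example"                 # website normally reached over https
REAL_CERT = b"constructed-bytes-of-real-certificate"
FORGED_CERT = b"constructed-bytes-of-forged-certificate"


@dataclass
class Network:
    """What a client on the network to be detected observes (simulated)."""
    loads: dict      # domain -> True if the site loads normally
    bodies: dict     # domain -> bytes returned by the site
    upgrades: dict   # domain -> True if an http request is redirected to https
    certs: dict      # domain -> certificate bytes presented to the client


def in_hijack_library(dns_server_ip, library=HIJACK_IP_LIBRARY):
    """Server, stage 1: is the reported DNS server a historically hijacked one?"""
    return ipaddress.ip_address(dns_server_ip) in library


def fake_domain_loads(net, domain=FAKE_DOMAIN):
    """Client probe: a nonexistent name that loads normally means answers are forged."""
    return net.loads.get(domain, False)


def verification_mismatch(net, domain=CHECK_SITE, expected=CHECK_DIGEST):
    """Client probe: returned content must match the server-supplied verification info."""
    got = hashlib.sha256(net.bodies.get(domain, b"")).hexdigest()
    return not hmac.compare_digest(got, expected)


def https_redirect_missing(net, domain=HTTPS_SITE):
    """Client probe: request the https site over http; no redirect to https is suspicious."""
    return not net.upgrades.get(domain, False)


def cert_mismatch(client_cert, server_cert):
    """Server: compare the certificate the client saw with the one the server fetched."""
    seen = hashlib.sha256(client_cert).digest()
    fetched = hashlib.sha256(server_cert).digest()
    return not hmac.compare_digest(seen, fetched)


def identify(dns_server_ip, net, server_view_cert=REAL_CERT):
    """Return (verdict, reasons) for the network to be detected."""
    if in_hijack_library(dns_server_ip):
        return "HIJACKED", ["dns-ip-in-library"]
    reasons = []
    if fake_domain_loads(net):
        reasons.append("fake-domain-loads")
    if verification_mismatch(net):
        reasons.append("verification-mismatch")
    if https_redirect_missing(net):
        reasons.append("no-https-redirect")
    if cert_mismatch(net.certs.get(HTTPS_SITE, b""), server_view_cert):
        reasons.append("certificate-mismatch")
    return ("HIJACKED" if reasons else "NOT_DETECTED"), reasons


# Constructed observations for an unaffected network and a hijacked one.
CLEAN = Network(
    loads={CHECK_SITE: True, HTTPS_SITE: True},
    bodies={CHECK_SITE: CHECK_BODY},
    upgrades={HTTPS_SITE: True},
    certs={HTTPS_SITE: REAL_CERT},
)
HIJACKED = Network(  # every name is answered by an interception host
    loads={FAKE_DOMAIN: True, CHECK_SITE: True, HTTPS_SITE: True},
    bodies={CHECK_SITE: b"<html>injected landing page</html>"},
    upgrades={HTTPS_SITE: False},
    certs={HTTPS_SITE: FORGED_CERT},
)

if __name__ == "__main__":
    print(identify("203.0.113.53", CLEAN))     # DNS server already in the library
    print(identify("198.51.100.7", CLEAN))     # unlisted DNS server, probes pass
    print(identify("198.51.100.7", HIJACKED))  # unlisted DNS server, probes fail
```

The second case is reported as NOT_DETECTED rather than as proof of a clean network, since the probes only cover the behaviours listed above.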
It should be noted that the order of the embodiments of the present invention is for description only and does not represent the relative merits of the embodiments. The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The embodiments in this specification are described in a progressive manner; for the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the device, server, client and system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the corresponding description of the method embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (15)

1. A domain name hijacking identification method, characterized in that the method comprises:
Receiving the Internet Protocol (IP) address, sent by a client, of the domain name server corresponding to the network to be detected;
Querying whether the domain name hijacking IP address library contains the IP address of the domain name server corresponding to the network to be detected, the domain name hijacking IP address library including the IP addresses of domain name servers that were hijacked in historical domain name hijacking events;
When the query result is yes, determining that domain name hijacking exists in the network to be detected;
When the query result is no, sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
2. The method according to claim 1, characterized in that the domain name hijacking identification instruction includes: a preset false domain name;
The sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
Sending to the client a domain name hijacking identification instruction that includes the preset false domain name, so that the client determines whether domain name hijacking exists in the network to be detected according to whether the website corresponding to the preset false domain name can be accessed normally;
Wherein, when the client normally accesses the website corresponding to the preset false domain name, it is determined that domain name hijacking exists in the network to be detected.
3. The method according to claim 1, characterized in that the domain name hijacking identification instruction includes: the domain name of a preset access website and verification information;
The sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
Sending to the client a domain name hijacking identification instruction that includes the domain name of the preset access website and the verification information, so that the client accesses the preset access website according to the domain name of the preset access website, and determines whether domain name hijacking exists in the network to be detected according to whether the access information returned by the preset access website is consistent with the verification information;
Wherein, when the access information returned by the preset access website is inconsistent with the verification information, it is determined that domain name hijacking exists in the network to be detected.
4. The method according to claim 1, characterized in that the domain name hijacking identification instruction includes: a network protocol redirection instruction;
The sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
Sending a network protocol redirection instruction to the client in the network to be detected, so that the client, in response to the network protocol redirection instruction and upon judging that a first website being accessed is accessed via the network protocol https, accesses the first website via the hypertext transfer protocol http, and determines whether domain name hijacking exists in the network to be detected according to whether the access is redirected to https during the access process;
Wherein, when the access is not redirected to https during the access process, it is determined that domain name hijacking exists in the network to be detected.
5. The method according to claim 1, characterized in that the method further comprises:
When the query result is no, sending a website signing certificate acquisition request to the client;
Receiving, from the client, the first signing certificate obtained by accessing a second website and the domain name of the second website;
Accessing the second website based on the domain name of the second website, and obtaining a second signing certificate of the second website;
Judging whether the first signing certificate and the second signing certificate are consistent;
When the judgment result is no, determining that domain name hijacking exists in the network to be detected.
6. A domain name hijacking identification method, characterized in that the method comprises:
Sending to a server the Internet Protocol (IP) address of the domain name server corresponding to the network to be detected;
When the server finds that the IP address of the domain name server corresponding to the network to be detected is not present in the domain name hijacking IP address library, receiving the domain name hijacking identification instruction sent by the server; the domain name hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain name hijacking events;
Performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction, and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
7. The method according to claim 6, characterized in that the domain name hijacking identification instruction includes: a preset false domain name;
The performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction, and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
In response to the domain name hijacking identification instruction that includes the preset false domain name, detecting whether the website corresponding to the preset false domain name can be accessed normally;
When it is detected that the website corresponding to the preset false domain name is accessed normally, determining that domain name hijacking exists in the network to be detected.
8. The method according to claim 6, characterized in that the domain name hijacking identification instruction includes: the domain name of a preset access website and verification information;
The performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction, and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
In response to the domain name hijacking identification instruction that includes the domain name of the preset access website and the verification information, accessing the preset access website according to the domain name of the preset access website, and detecting whether the access information returned by the preset access website is consistent with the verification information;
When it is detected that the access information returned by the preset access website is inconsistent with the verification information, determining that domain name hijacking exists in the network to be detected.
9. The method according to claim 6, characterized in that the domain name hijacking identification instruction includes: a network protocol redirection instruction;
The performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction, and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
In response to the network protocol redirection instruction sent to the client in the network to be detected, judging whether a first website being accessed is accessed via the network protocol https;
When the judgment result is yes, accessing the first website via the hypertext transfer protocol http, and detecting whether the access is redirected to https during the access process;
When it is detected that the access is not redirected to https during the access process, determining that domain name hijacking exists in the network to be detected.
10. A domain name hijacking identification method, characterized in that the method comprises:
Sending to a server the Internet Protocol (IP) address of the domain name server corresponding to the network to be detected;
When the server finds that the IP address of the domain name server corresponding to the network to be detected is not present in the domain name hijacking IP address library, receiving the website signing certificate acquisition request sent by the server; the domain name hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain name hijacking events;
Sending to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains a second signing certificate of the second website, and determines whether domain name hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
11. A domain name hijacking identification device, characterized in that the device comprises:
A network protocol address receiving module, configured to receive the Internet Protocol (IP) address, sent by a client, of the domain name server corresponding to the network to be detected;
A data query module, configured to query whether the domain name hijacking IP address library contains the IP address of the domain name server corresponding to the network to be detected, the domain name hijacking IP address library including the IP addresses of domain name servers that were hijacked in historical domain name hijacking events;
A first domain name hijacking determining module, configured to determine, when the result of the query by the data query module is yes, that domain name hijacking exists in the network to be detected;
A domain name hijacking identification instruction sending module, configured to send, when the result of the query by the data query module is no, a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
12. A domain name hijacking identification device, characterized in that the device comprises:
A first network protocol address sending module, configured to send to a server the Internet Protocol (IP) address of the domain name server corresponding to the network to be detected;
A domain name hijacking identification instruction receiving module, configured to receive the domain name hijacking identification instruction sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected is not present in the domain name hijacking IP address library; the domain name hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain name hijacking events;
A third domain name hijacking determining module, configured to perform a domain name hijacking identification operation in response to the domain name hijacking identification instruction, and determine, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
13. A domain name hijacking identification device, characterized in that the device comprises:
A second network protocol address sending module, configured to send to a server the Internet Protocol (IP) address of the domain name server corresponding to the network to be detected;
A certificate acquisition request receiving module, configured to receive the website signing certificate acquisition request sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected is not present in the domain name hijacking IP address library; the domain name hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain name hijacking events;
A data sending module, configured to send to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains a second signing certificate of the second website, and determines whether domain name hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
14. A domain name hijacking identification system, characterized in that the system comprises: a client and a server;
The client is configured to send the IP address of the domain name server corresponding to the network to be detected to the server; and to perform a domain name hijacking identification operation in response to the domain name hijacking identification instruction sent by the server, and determine, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected;
The server is configured to query whether the domain name hijacking IP address library contains the IP address of the domain name server corresponding to the network to be detected, the domain name hijacking IP address library including the IP addresses of domain name servers that were hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; and to send, when the query result is no, a domain name hijacking identification instruction to the client.
15. A domain name hijacking identification system, characterized in that the system comprises: a client and a server;
The client is configured to send the IP address of the domain name server corresponding to the network to be detected to the server; and to send to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website;
The server is configured to query whether the domain name hijacking IP address library contains the IP address of the domain name server corresponding to the network to be detected, the domain name hijacking IP address library including the IP addresses of domain name servers that were hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; to send, when the query result is no, a website signing certificate acquisition request to the client; and to access the second website based on the domain name of the second website, obtain a second signing certificate of the second website, and determine whether domain name hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
CN201811282673.5A 2018-10-31 2018-10-31 Domain name hijacking identification method, device and system Active CN109257373B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811282673.5A CN109257373B (en) 2018-10-31 2018-10-31 Domain name hijacking identification method, device and system

Publications (2)

Publication Number Publication Date
CN109257373A true CN109257373A (en) 2019-01-22
CN109257373B CN109257373B (en) 2020-12-04

Family

ID=65044110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811282673.5A Active CN109257373B (en) 2018-10-31 2018-10-31 Domain name hijacking identification method, device and system

Country Status (1)

Country Link
CN (1) CN109257373B (en)

Also Published As

Publication number Publication date
CN109257373B (en) 2020-12-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant