CN109257373A - Domain hijacking identification method, apparatus and system - Google Patents
- Publication number: CN109257373A (CN201811282673.5A)
- Authority: CN (China)
- Prior art keywords: domain, network, hijacking, name, detected
- Legal status: Granted
Abstract
The invention discloses a domain hijacking identification method, apparatus and system. The method comprises: receiving the Internet Protocol (IP) address, sent by a client, of the domain name server corresponding to the network to be detected; querying whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events; when the query result is yes, determining that domain hijacking exists in the network to be detected; and when the query result is no, sending a domain hijacking identification instruction to the client, so that the client performs a domain hijacking identification operation in response to the instruction and determines, based on the result of that operation, whether domain hijacking exists in the network to be detected. The technical solution provided by the invention can effectively identify domain hijacking and improve network communication security.
Description
Technical field
The present invention relates to the field of Internet communication technology, and in particular to a domain hijacking identification method, apparatus and system.
Background
With the development and spread of the Internet, the ways in which terminal devices access the network have multiplied and keep improving, for example 2G, 3G and 4G mobile networks and Wi-Fi wireless networks. Network communication, however, frequently encounters various Internet attacks, one of which is domain hijacking. Domain hijacking attacks a DNS (Domain Name System) server, or forges DNS responses, so that the domain name of the target website resolves to a wrong address and the target website cannot be reached.
On the one hand, domain hijacking degrades the user's online experience: the user is led to a counterfeit website and cannot browse the target page normally. On the other hand, the user may be lured into logging in or performing other operations on the counterfeit website, which leaks private user data. For websites with a large user base in particular, the harm keeps growing after the domain name is hijacked. A reliable and effective domain hijacking identification scheme is therefore needed to ensure network communication security.
Summary of the invention
The present invention provides a domain hijacking identification method, apparatus and system that can effectively identify domain hijacking and improve network communication security.
In a first aspect, the present invention provides a domain hijacking identification method, the method comprising:
receiving the IP address, sent by a client, of the domain name server corresponding to the network to be detected;
querying whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
when the query result is yes, determining that domain hijacking exists in the network to be detected;
when the query result is no, sending a domain hijacking identification instruction to the client, so that the client performs a domain hijacking identification operation in response to the instruction and determines, based on the result of that operation, whether domain hijacking exists in the network to be detected.
In a second aspect, a domain hijacking identification apparatus is provided, the apparatus comprising:
a network protocol address receiving module, for receiving the IP address, sent by a client, of the domain name server corresponding to the network to be detected;
a data query module, for querying whether the IP address of the domain name server corresponding to the network to be detected exists in a domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
a first domain hijacking determining module, for determining that domain hijacking exists in the network to be detected when the result of the query by the data query module is yes;
a domain hijacking identification instruction sending module, for sending a domain hijacking identification instruction to the client when the result of the query by the data query module is no, so that the client performs a domain hijacking identification operation in response to the instruction and determines, based on the result of that operation, whether domain hijacking exists in the network to be detected.
In a third aspect, a domain hijacking identification server is provided. The server includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method of the first aspect.
In a fourth aspect, the present invention provides a domain hijacking identification method, the method comprising:
sending to a server the IP address of the domain name server corresponding to the network to be detected;
when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, receiving the domain hijacking identification instruction sent by the server, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
performing a domain hijacking identification operation in response to the domain hijacking identification instruction, and determining, based on the result of that operation, whether domain hijacking exists in the network to be detected.
In a fifth aspect, a domain hijacking identification apparatus is provided, the apparatus comprising:
a first network protocol address sending module, for sending to a server the IP address of the domain name server corresponding to the network to be detected;
a domain hijacking identification instruction receiving module, for receiving the domain hijacking identification instruction that is sent when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
a third domain hijacking determining module, for performing a domain hijacking identification operation in response to the domain hijacking identification instruction and determining, based on the result of that operation, whether domain hijacking exists in the network to be detected.
In a sixth aspect, a domain hijacking identification client is provided. The client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method of the fourth aspect.
In a seventh aspect, the present invention provides a domain hijacking identification method, the method comprising:
sending to a server the IP address of the domain name server corresponding to the network to be detected;
when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, receiving the website signing certificate acquisition request that is sent, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
sending to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website, so that the server accesses the second website based on its domain name, obtains the second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
In an eighth aspect, a domain hijacking identification apparatus is provided, the apparatus comprising:
a second network protocol address sending module, for sending to a server the IP address of the domain name server corresponding to the network to be detected;
a certificate acquisition request receiving module, for receiving the website signing certificate acquisition request sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
a data sending module, for sending to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website, so that the server accesses the second website based on its domain name, obtains the second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
In a ninth aspect, a domain hijacking identification client is provided. The client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method of the seventh aspect.
In a tenth aspect, a domain hijacking identification system is provided, the system comprising a client and a server.
The client is used to send to the server the IP address of the domain name server corresponding to the network to be detected, and to perform a domain hijacking identification operation in response to the domain hijacking identification instruction sent by the server, determining, based on the result of that operation, whether domain hijacking exists in the network to be detected.
The server is used to query whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events; when the query result is yes, to determine that domain hijacking exists in the network to be detected; and when the query result is no, to send a domain hijacking identification instruction to the client.
In an eleventh aspect, a domain hijacking identification system is provided, the system comprising a client and a server.
The client is used to send to the server the IP address of the domain name server corresponding to the network to be detected, and to send to the server the first signing certificate obtained by accessing a second website, together with the domain name of the second website.
The server is used to query whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events; when the query result is yes, to determine that domain hijacking exists in the network to be detected; when the query result is no, to send a website signing certificate acquisition request to the client; and to access the second website based on its domain name, obtain the second signing certificate of the second website, and determine whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
The domain hijacking identification method, apparatus and system provided by the invention have the following technical effects:
The invention enables the server and the client to identify domain hijacking jointly, which raises the identification rate of domain hijacking in network communication, avoids risks such as leakage of the user's sensitive information and theft of property, and improves network communication security.
Brief description of the drawings
To explain the technical solutions and advantages of the embodiments of the invention or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a service system provided by an embodiment of the invention;
Fig. 2 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention;
Fig. 3 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 4 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 5 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 6 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention;
Fig. 7 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention;
Fig. 8 is a flow diagram of another domain hijacking identification method provided by an embodiment of the invention;
Fig. 9 is a structural diagram of a domain hijacking identification apparatus provided by an embodiment of the invention;
Fig. 10 is a structural diagram of another domain hijacking identification apparatus provided by an embodiment of the invention;
Fig. 11 is a structural diagram of another domain hijacking identification apparatus provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and do not describe a particular order or sequence. Data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or server that contains a series of steps or units is not necessarily limited to the steps or units explicitly listed, and may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Referring to Fig. 1, which is a schematic diagram of a service system provided by an embodiment of the invention, the service system may include a client 01 and a server 02.
Specifically, the client 01 may be a physical device such as a smartphone, desktop computer, tablet computer, laptop, digital assistant or smart wearable device, or software running on such a device, for example a web page that a service provider offers to users or an application that a service provider offers to users.
Specifically, in the embodiments of this specification the server 02 may be a single independently operating server, a distributed server, or a server cluster made up of multiple servers. The server 02 may include a network communication unit, a processor, a memory and so on. Specifically, the server 02 can provide background services for the client.
In practice, the client 01 and the server 02 communicate over a network. A network connection is first established between the client 01 and the server 02, after which the two can communicate. During network communication, when the client cannot complete the conversion from a domain name to an IP (Internet Protocol) address from its local cache, it obtains the address of the local domain name server from the network parameters configured on the terminal it runs on, and then sends the domain name to the local domain name server to be resolved into the corresponding IP address.
If the domain name server is hijacked while domain names are being resolved through it in this way, the user obtains a false IP address, which usually creates risks such as leakage of the user's sensitive information and theft of property. In the embodiments of this specification, domain hijacking can be identified effectively in order to secure the user's network communication and avoid those risks.
A specific embodiment of the domain hijacking identification method of the invention is described below. Fig. 2 is a flow diagram of a domain hijacking identification method provided by an embodiment of the invention. This specification provides the method steps as described in the embodiments or flow charts, but more or fewer steps may be included on the basis of routine or non-creative work. The order of steps listed in the embodiments is only one of many possible execution orders and is not the only one. When an actual system or server product executes the method, the steps may be executed in the order shown in the embodiments or drawings, or in parallel (for example in a parallel-processor or multi-threaded environment). As shown in Fig. 2, the method may include:
S201: The client sends to the server the IP address of the domain name server corresponding to the network to be detected.
In the embodiments of this specification, the network to be detected may be the network used for communication between the client and the server. The client can obtain the address of the local domain name server from the network parameters configured on the terminal it runs on; accordingly, the client can send to the server the IP address of the domain name server corresponding to the network to be detected.
S203: The server queries whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, the library containing the IP addresses of domain name servers that were hijacked in historical domain hijacking events.
In the embodiments of this specification, the server side can maintain a domain hijacking IP address library, which may contain the IP addresses of domain name servers that were hijacked in historical domain hijacking events. Specifically, the historical domain hijacking events may be events that occurred in the system where the server is located, and may also include events that occurred in other systems.
Specifically, after the server receives the IP address of the domain name server corresponding to the network to be detected, it can query whether that IP address exists in the domain hijacking IP address library.
S205: When the query result is yes, the server determines that domain hijacking exists in the network to be detected.
In the embodiments of this specification, when step S203 finds that the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, it can be determined that domain hijacking exists in the network to be detected.
S207: When the query result is no, the server sends a domain hijacking identification instruction to the client.
In the embodiments of this specification, the domain hijacking identification instruction may be a trigger instruction, sent by the server to the client, that causes the client to perform domain hijacking identification.
Specifically, the domain hijacking identification instruction may include a preset false domain name. In the embodiments of this specification, the preset false domain name may be a non-existent domain name set according to certain rules; accordingly, the instruction may be a trigger instruction for identifying domain hijacking based on whether the website corresponding to the preset false domain name can be accessed normally.
Specifically, the domain hijacking identification instruction may include the domain name of a preset access website and verification information. The preset access website may be any website that really exists, and the verification information may include the true access information of the preset access website. Accordingly, the instruction may be a trigger instruction for identifying domain hijacking based on whether the access information returned when the preset access website is accessed is consistent with the verification information.
Specifically, the domain hijacking identification instruction may include a network protocol redirection instruction. The network protocol redirection instruction may work as follows: when a website accessed by the client uses HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) for network communication, that is, when the website needs to be accessed over HTTPS, the website is accessed over HTTP (HyperText Transfer Protocol), and domain hijacking is identified based on whether the access is redirected to HTTPS during the process.
S209: The client performs a domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of that operation, whether domain hijacking exists in the network to be detected.
In the embodiments of this specification, when the result of the query in step S203 is no, the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library. Accordingly, the domain hijacking identification operation on the client side can be used to detect whether the network to be detected is at risk of domain hijacking.
In one specific embodiment, when the domain hijacking identification instruction includes a preset false domain name, the client performing a domain hijacking identification operation in response to the instruction, and determining based on the result of that operation whether domain hijacking exists in the network to be detected, includes:
the client, in response to the domain hijacking identification instruction that includes the preset false domain name, detecting whether the website corresponding to the preset false domain name can be accessed normally;
when it is detected that the website corresponding to the preset false domain name can be accessed normally, the client determining that domain hijacking exists in the network to be detected.
In the embodiments of this specification, the domain hijacking identification operation may include accessing the website corresponding to the preset false domain name. Accordingly, when the client can access the website corresponding to the non-existent preset false domain name, it can be determined that domain hijacking exists in the network to be detected, and the client-side connection to the network to be detected can be disconnected.
It should also be noted that, in the embodiments of this specification, the preset false domain name can be issued to the client through cloud control.
In another specific embodiment, when the domain hijacking identification instruction includes the domain name of a preset access website and verification information, the client performing a domain hijacking identification operation in response to the instruction, and determining based on the result of that operation whether domain hijacking exists in the network to be detected, includes:
the client, in response to the domain hijacking identification instruction that includes the domain name of the preset access website and the verification information, accessing the preset access website by its domain name and detecting whether the access information returned by the preset access website is consistent with the verification information;
wherein, when it is detected that the access information returned by the preset access website is inconsistent with the verification information, the client determines that domain hijacking exists in the network to be detected.
In the embodiments of this specification, the domain hijacking identification operation may include accessing the preset access website by its domain name. Whether domain hijacking exists in the network to be detected is then determined by whether the access information returned by the preset access website is consistent with the verification information; when the access information returned by the preset access website is consistent with the verification information, it can be determined that domain hijacking exists in the network to be detected.
It should also be noted that, in the embodiments of this specification, the domain name and verification information of the preset access website can be issued to the client through cloud control.
In another specific embodiment, when the domain hijacking identification instruction includes a network protocol redirection instruction, performing the domain hijacking identification operation in response to the domain hijacking identification instruction, and determining whether domain hijacking exists in the network to be detected based on the result of the domain hijacking identification operation, includes:
In response to the network protocol redirection instruction sent to the client in the network to be detected, judging whether the first website being accessed is accessed using the network protocol https;
When the result of the judgment is yes, accessing the first website over the hypertext transfer protocol http, and detecting whether the access is redirected to https during the access;
Wherein, when it is detected that the access is not redirected to https during the access, it is determined that domain hijacking exists in the network to be detected.
In the embodiments of this specification, the first website may include any website that the client in the network to be detected accesses over https. The domain hijacking identification operation may include accessing, over http, a website that uses https for its network communication. Whether domain hijacking exists in the network to be detected is then determined according to whether the access is redirected to https during the access. In practical applications, for a website that is meant to be accessed over the network protocol https, an access made over http is usually redirected to https; accordingly, when the access is not redirected to https, it can be determined that domain hijacking exists in the network to be detected.
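The three client-side identification operations described above can be sketched as follows. This is an added example, not code from the patent: the instruction dictionary format, the `Verdict` values (including treating an unreachable probe target as inconclusive), the `*.example.test` names and the simulated network are assumptions constructed for illustration.

```python
import http.client
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional
from urllib.parse import urlsplit


class Verdict(Enum):
    CLEAN = "clean"
    HIJACKED = "hijacked"
    INCONCLUSIVE = "inconclusive"  # assumption: a failed probe is not evidence


@dataclass
class HttpResult:
    status: int
    location: Optional[str]
    body: bytes


# A fetcher performs ONE request without following redirects and returns
# None when the name does not resolve or the connection fails.
Fetcher = Callable[[str], Optional[HttpResult]]


def http_fetch(url: str, timeout: float = 5.0) -> Optional[HttpResult]:
    """Real-network fetcher; http.client never follows redirects itself."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return HttpResult(resp.status, resp.getheader("Location"), resp.read(65536))
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_false_domain(fetch: Fetcher, false_domain: str) -> Verdict:
    # A domain name that does not exist must not lead to a reachable website.
    reachable = fetch(f"http://{false_domain}/") is not None
    return Verdict.HIJACKED if reachable else Verdict.CLEAN


def check_verification(fetch: Fetcher, domain: str, verification: bytes) -> Verdict:
    # Assumption: the preset site serves the verification string at its root.
    result = fetch(f"http://{domain}/")
    if result is None:
        return Verdict.INCONCLUSIVE
    return Verdict.CLEAN if result.body == verification else Verdict.HIJACKED


def check_https_redirect(fetch: Fetcher, https_site: str) -> Verdict:
    # `https_site` is a site the client already knows is served over https.
    result = fetch(f"http://{https_site}/")
    if result is None:
        return Verdict.INCONCLUSIVE
    redirected = (result.status in (301, 302, 303, 307, 308)
                  and urlsplit(result.location or "").scheme == "https")
    return Verdict.CLEAN if redirected else Verdict.HIJACKED


def run_instruction(instruction: dict, fetch: Fetcher) -> Verdict:
    """Dispatch one identification instruction (hypothetical message format)."""
    kind = instruction["type"]
    if kind == "false_domain":
        return check_false_domain(fetch, instruction["domain"])
    if kind == "verify_site":
        return check_verification(fetch, instruction["domain"],
                                  instruction["verification"])
    if kind == "https_redirect":
        return check_https_redirect(fetch, instruction["domain"])
    raise ValueError(f"unknown instruction type: {kind}")


def simulated_network(hijacked: bool) -> Fetcher:
    """Constructed stand-in for a clean or a hijacked network."""
    clean_sites = {
        "http://check.example.test/": HttpResult(200, None, b"token-7f3a"),
        "http://shop.example.test/": HttpResult(301, "https://shop.example.test/", b""),
    }
    rogue = HttpResult(200, None, b"<html>injected page</html>")

    def fetch(url: str) -> Optional[HttpResult]:
        if hijacked:
            return rogue             # every name is answered by the rogue host
        return clean_sites.get(url)  # unknown names do not resolve
    return fetch


INSTRUCTIONS = [  # constructed sample instructions
    {"type": "false_domain", "domain": "no-such-name.example.test"},
    {"type": "verify_site", "domain": "check.example.test", "verification": b"token-7f3a"},
    {"type": "https_redirect", "domain": "shop.example.test"},
]


def evaluate(hijacked: bool) -> list:
    fetch = simulated_network(hijacked)
    return [run_instruction(i, fetch) for i in INSTRUCTIONS]
```

Passing `http_fetch` instead of the simulated fetcher runs the same checks against a live network.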
In some embodiments, as shown in Fig. 3, after the server determines that domain hijacking exists in the network to be detected, the method may further include:
S211: the server sends domain hijacking prompt information to the client.
In the embodiments of this specification, after the server determines that domain hijacking exists in the network to be detected, the server may send domain hijacking prompt information to the client, so that the user can subsequently disconnect the client side from the network to be detected.
As can be seen from the technical solutions provided in the above embodiments of this specification, a domain hijacking IP address library is maintained in the server. After receiving the IP address of the domain name server corresponding to the network to be detected, sent by the client, the server can perform server-side domain hijacking identification by querying whether that IP address exists in the domain hijacking IP address library. Accordingly, when the IP address of the domain name server corresponding to the network to be detected is found in the domain hijacking IP address library, it can be determined that domain hijacking exists in the network to be detected; when it is not found, the server can send a domain hijacking identification instruction to the client, and the client then performs the domain hijacking identification operation in response to the instruction and determines, based on the result of that operation, whether domain hijacking exists in the network to be detected. With the technical solutions provided in the embodiments of this specification, the server and the client identify domain hijacking jointly, which improves the recognition rate of domain hijacking in network communication, avoids risks such as leakage of the user's sensitive information and theft of property, and improves network communication security.
A specific embodiment of another domain hijacking identification method of the present invention is described below. Fig. 4 is a schematic flowchart of another domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included based on routine or non-inventive labor. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiments or the methods shown in the drawings (for example, in an environment of parallel processors or multi-threaded processing). Specifically, as shown in Fig. 4, the method may include:
S401: the client sends the IP address of the domain name server corresponding to the network to be detected to the server.
S403: the server queries whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library.
Specifically, the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events.
S405: when the result of the query is yes, the server determines that domain hijacking exists in the network to be detected.
S407: when the result of the query is no, the server sends a website signing certificate acquisition request to the client.
S409: the client sends the first signing certificate obtained by accessing the second website, together with the domain name of the second website, to the server.
In the embodiments of this specification, the second website may include any website accessed by the client in the network to be detected. In practical applications, the first signing certificate may include the website signing certificate that the client obtains by accessing a given website, and may also include that signing certificate after it has been encrypted. Specifically, the encryption method used here may be one agreed between the server and the client, so that the server can decrypt it and obtain the original signing certificate. Specifically, the encryption may include, but is not limited to, encryption using the message-digest algorithm MD5 (Message-Digest Algorithm).
S411: the server accesses the second website based on the domain name of the second website and obtains the second signing certificate of the second website.
In the embodiments of this specification, the second signing certificate may be the signing certificate of the second website that the server obtains by accessing the second website based on its domain name. Specifically, the server may determine the IP address of the second website from the domain name of the second website and then access the second website.
S413: the server judges whether the first signing certificate and the second signing certificate are consistent.
S415: when the result of the judgment is no, the server determines that domain hijacking exists in the network to be detected.
In practical applications, if the domain name server corresponding to the current network to be detected has not suffered domain hijacking, the IP addresses that the client and the server obtain from domain name servers for the same domain name are the same. Conversely, if the domain name server corresponding to the current network to be detected has suffered domain hijacking, the IP addresses that the client and the server obtain from domain name servers for the same domain name may differ; accordingly, the signing certificates obtained after accessing the websites at those IP addresses are inconsistent.
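The exchange in steps S401 to S415 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the documentation-range addresses, the constructed certificate bytes and the comparison of SHA-256 digests of the DER-encoded certificate are assumptions (the text above names MD5 as one possible processing of the certificate).

```python
import hashlib
import ipaddress
import ssl
from typing import Callable, Iterable

CertFetcher = Callable[[str], bytes]  # domain -> DER-encoded certificate


def fetch_cert_der(domain: str, port: int = 443) -> bytes:
    """Real-network fetcher: resolves `domain` with the local resolver and
    returns the certificate presented by whichever host is reached."""
    pem = ssl.get_server_certificate((domain, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, cert_der).hexdigest()


class IdentificationServer:
    def __init__(self, hijack_dns_ips: Iterable[str],
                 fetch_cert: CertFetcher = fetch_cert_der):
        # Parse once so that equivalent spellings of an address compare equal.
        self.library = {ipaddress.ip_address(ip) for ip in hijack_dns_ips}
        self.fetch_cert = fetch_cert

    def dns_ip_in_library(self, dns_ip: str) -> bool:
        """S403/S405: is the reported DNS server a known hijacked one?"""
        return ipaddress.ip_address(dns_ip) in self.library

    def certificate_mismatch(self, domain: str, first_fp: str) -> bool:
        """S411-S415: fetch the second certificate from the server's own
        vantage point and compare it with the client's first certificate."""
        second_fp = fingerprint(self.fetch_cert(domain))
        return second_fp != first_fp.lower()


def identify(server: IdentificationServer, dns_ip: str, domain: str,
             client_fetch_cert: CertFetcher) -> str:
    """Run the whole exchange; `client_fetch_cert` is the client's view."""
    if server.dns_ip_in_library(dns_ip):                  # S401-S405
        return "hijacked: DNS server is in the hijacking IP library"
    first_fp = fingerprint(client_fetch_cert(domain))     # S407-S409
    if server.certificate_mismatch(domain, first_fp):     # S411-S415
        return "hijacked: certificate mismatch"
    return "no hijacking identified"


# Constructed sample data: stand-ins for DER bytes, documentation-range IPs.
GENUINE = b"constructed-DER-bytes-of-genuine-certificate"
ROGUE = b"constructed-DER-bytes-of-rogue-certificate"


def demo_server() -> IdentificationServer:
    return IdentificationServer(["203.0.113.53", "2001:db8::53"],
                                fetch_cert=lambda domain: GENUINE)
```

A mismatch is a signal rather than proof: a site that serves different certificates from different front ends also fails this comparison.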
In some embodiments, as shown in Fig. 5, after it is determined that domain hijacking exists in the network to be detected, the method may further include:
S417: the server sends domain hijacking prompt information to the client.
As can be seen from the technical solutions provided in the above embodiments of this specification, a domain hijacking IP address library is maintained in the server. After receiving the IP address of the domain name server corresponding to the network to be detected, sent by the client, the server can perform server-side domain hijacking identification by querying whether that IP address exists in the domain hijacking IP address library. Accordingly, when the IP address of the domain name server corresponding to the network to be detected is found in the domain hijacking IP address library, it can be determined that domain hijacking exists in the network to be detected; when it is not found, the server can send a website signing certificate acquisition request to the client. The client then sends the first signing certificate obtained by accessing a website, together with the domain name of that website, to the server; the server accesses the website based on its domain name and obtains the second signing certificate of the website. The server then performs server-side domain hijacking identification by judging whether the first signing certificate and the second signing certificate are consistent; when the result of the judgment is no, the server can determine that domain hijacking exists in the network to be detected. With the technical solutions provided in the embodiments of this specification, the server and the client identify domain hijacking jointly, which improves the recognition rate of domain hijacking in network communication and improves network communication security.
A specific embodiment of a domain hijacking identification method of this specification is described below with the server as the executing entity. Fig. 6 is a schematic flowchart of a domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included based on routine or non-inventive labor. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiments or the methods shown in the drawings (for example, in an environment of parallel processors or multi-threaded processing). Specifically, as shown in Fig. 6, the method may include:
S601: receiving the network protocol IP address of the domain name server corresponding to the network to be detected, sent by the client.
S603: querying whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, where the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
S605: when the result of the query is yes, determining that domain hijacking exists in the network to be detected;
S607: when the result of the query is no, sending a domain hijacking identification instruction to the client, so that the client performs the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
An embodiment of the present invention further provides a domain hijacking identification server. The domain hijacking identification server includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
A specific embodiment of a domain hijacking identification method of this specification is described below with the client as the executing entity. Fig. 7 is a schematic flowchart of a domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included based on routine or non-inventive labor. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiments or the methods shown in the drawings (for example, in an environment of parallel processors or multi-threaded processing). Specifically, as shown in Fig. 7, the method may include:
S701: sending the IP address of the domain name server corresponding to the network to be detected to the server.
S703: when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, receiving the domain hijacking identification instruction sent by the server; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
S705: performing the domain hijacking identification operation in response to the domain hijacking identification instruction, and determining, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
An embodiment of the present invention further provides a domain hijacking identification client. The domain hijacking identification client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
A specific embodiment of another domain hijacking identification method of this specification is described below with the client as the executing entity. Fig. 8 is a schematic flowchart of a domain hijacking identification method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included based on routine or non-inventive labor. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only execution order. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel according to the embodiments or the methods shown in the drawings (for example, in an environment of parallel processors or multi-threaded processing). Specifically, as shown in Fig. 8, the method may include:
S801: sending the network protocol IP address of the domain name server corresponding to the network to be detected to the server;
S803: when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library, receiving the website signing certificate acquisition request sent by the server; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
S805: sending to the server the first signing certificate obtained by accessing the second website and the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains the second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
An embodiment of the present invention further provides a domain hijacking identification client. The domain hijacking identification client includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
In the embodiments of this specification, the memory may be used to store software programs and modules, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly include a program storage area and a data storage area, where the program storage area may store the operating system, the application programs required by the functions, and the like, and the data storage area may store data created through use of the device, and the like. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, for example at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device. Accordingly, the memory may also include a memory controller to provide the processor with access to the memory.
An embodiment of the present invention further provides a domain hijacking identification apparatus. As shown in Fig. 9, the apparatus includes:
A network protocol address receiving module 910, which may be used to receive the network protocol IP address of the domain name server corresponding to the network to be detected, sent by the client;
A data query module 920, which may be used to query whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, where the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
A first domain hijacking determining module 930, which may be used to determine that domain hijacking exists in the network to be detected when the result of the query by the data query module is yes;
A domain hijacking identification instruction sending module 940, which may be used to send a domain hijacking identification instruction to the client when the result of the query by the data query module is no, so that the client performs the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include: a preset false domain name;
Accordingly, sending the domain hijacking identification instruction to the client, so that the client performs the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected, includes:
Sending to the client a domain hijacking identification instruction that includes the preset false domain name, so that the client determines whether domain hijacking exists in the network to be detected according to whether the website corresponding to the preset false domain name can be accessed normally;
Wherein, when the client can normally access the website corresponding to the preset false domain name, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include: the domain name of a preset access website and verification information;
Accordingly, sending the domain hijacking identification instruction to the client, so that the client performs the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected, includes:
Sending to the client a domain hijacking identification instruction that includes the domain name of the preset access website and the verification information, so that the client accesses the preset access website according to its domain name, and determines whether domain hijacking exists in the network to be detected according to whether the access information returned by the preset access website is consistent with the verification information;
Wherein, when the access information returned by the preset access website is inconsistent with the verification information, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include: a network protocol redirection instruction;
Accordingly, sending the domain hijacking identification instruction to the client, so that the client performs the domain hijacking identification operation in response to the domain hijacking identification instruction and determines, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected, includes:
Sending a network protocol redirection instruction to the client in the network to be detected, so that the client, in response to the network protocol redirection instruction and upon judging that the first website being accessed is accessed using the network protocol https, accesses the first website over the hypertext transfer protocol http, and determines whether domain hijacking exists in the network to be detected according to whether the access is redirected to https during the access;
Wherein, when the access is not redirected to https during the access, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the apparatus may further include:
A certificate acquisition request module, used to send a website signing certificate acquisition request to the client when the result of the query by the data query module is no;
A data receiving module, used to receive the first signing certificate obtained by accessing the second website and the domain name of the second website, both sent by the client;
A certificate acquisition module, used to access the second website based on the domain name of the second website and obtain the second signing certificate of the second website;
A judgment module, used to judge whether the first signing certificate and the second signing certificate are consistent;
A second domain hijacking determining module, used to determine that domain hijacking exists in the network to be detected when the result of the judgment by the judgment module is no.
The apparatus embodiments and the method embodiments are based on the same inventive concept.
An embodiment of the present invention further provides another domain hijacking identification apparatus. As shown in Fig. 10, the apparatus includes:
A first network protocol address sending module 1010, which may be used to send to the server the network protocol IP address of the domain name server corresponding to the network to be detected;
A domain hijacking identification instruction receiving module 1020, which may be used to receive the domain hijacking identification instruction sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
A third domain hijacking determining module 1030, which may be used to perform the domain hijacking identification operation in response to the domain hijacking identification instruction and to determine, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include: a preset false domain name;
Accordingly, the third domain hijacking determining module 1030 may include:
A first domain hijacking determining unit, used to detect, in response to the domain hijacking identification instruction that includes the preset false domain name, whether the website corresponding to the preset false domain name can be accessed normally;
Wherein, when it is detected that the website corresponding to the preset false domain name can be accessed normally, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include: the domain name of a preset access website and verification information;
Accordingly, the third domain hijacking determining module 1030 may include:
A second domain hijacking determining unit, used to access, in response to the domain hijacking identification instruction that includes the domain name of the preset access website and the verification information, the preset access website according to its domain name, and to detect whether the access information returned by the preset access website is consistent with the verification information;
Wherein, when it is detected that the access information returned by the preset access website is inconsistent with the verification information, it is determined that domain hijacking exists in the network to be detected.
In another embodiment, the domain hijacking identification instruction may include: a network protocol redirection instruction;
Accordingly, the third domain hijacking determining module 1030 may include:
A third domain hijacking determining unit, used to judge, in response to the network protocol redirection instruction sent to the client in the network to be detected, whether the first website being accessed is accessed using the network protocol https; and, when the result of the judgment is yes, to access the first website over the hypertext transfer protocol http and detect whether the access is redirected to https during the access;
Wherein, when it is detected that the access is not redirected to https during the access, it is determined that domain hijacking exists in the network to be detected.
The apparatus embodiments and the method embodiments are based on the same inventive concept.
An embodiment of the present invention further provides another domain hijacking identification apparatus. As shown in Fig. 11, the apparatus includes:
A second network protocol address sending module 1110, which may be used to send to the server the network protocol IP address of the domain name server corresponding to the network to be detected;
A certificate acquisition request receiving module 1120, which may be used to receive the website signing certificate acquisition request sent by the server when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in the domain hijacking IP address library; the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events;
A data sending module 1130, which may be used to send to the server the first signing certificate obtained by accessing the second website and the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains the second signing certificate of the second website, and determines whether domain hijacking exists in the network to be detected based on whether the first signing certificate and the second signing certificate are consistent;
Wherein, when the first signing certificate and the second signing certificate are inconsistent, it is determined that domain hijacking exists in the network to be detected.
The apparatus embodiments and the method embodiments are based on the same inventive concept.
An embodiment of the present invention further provides a storage medium. The storage medium may be arranged in a server to store at least one instruction, at least one program, a code set or an instruction set related to implementing a domain hijacking identification method of the method embodiments; the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
An embodiment of the present invention further provides a storage medium. The storage medium may be arranged in a client to store at least one instruction, at least one program, a code set or an instruction set related to implementing a domain hijacking identification method of the method embodiments; the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the domain hijacking identification method provided by the above method embodiments.
Optionally, in this embodiment, the above storage medium may be located in at least one of multiple network servers of a computer network. Optionally, in this embodiment, the above storage medium may include, but is not limited to, various media that can store program code, such as a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk or an optical disc.
The present invention further provides a domain hijacking identification system, the system including: a client and a server;
The client is used to send the IP address of the domain name server corresponding to the network to be detected to the server; and to perform the domain hijacking identification operation in response to the domain hijacking identification instruction sent by the server, and determine, based on the result of the domain hijacking identification operation, whether domain hijacking exists in the network to be detected;
The server is used to query whether the IP address of the domain name server corresponding to the network to be detected exists in the domain hijacking IP address library, where the domain hijacking IP address library includes the IP addresses of domain name servers that were hijacked in historical domain hijacking events; and, when the result of the query is yes, to determine that domain hijacking exists in the network to be detected; and, when the result of the query is no, to send a domain hijacking identification instruction to the client.
The present invention further provides a domain name hijacking identification system, the system comprising a client and a server.
The client is configured to send the IP address of the domain name server corresponding to a network to be detected to the server, and to send to the server a first signature certificate obtained by accessing a second website together with the domain name of the second website.
The server is configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain name hijacking IP address library, the library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; to send a website signature certificate acquisition request to the client when the query result is no; and to access the second website based on the domain name of the second website, obtain a second signature certificate of the second website, and determine whether domain name hijacking exists in the network to be detected based on whether the first signature certificate and the second signature certificate are consistent.
Wherein, when the first signature certificate and the second signature certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
As can be seen from the embodiments of the domain name hijacking identification method, apparatus, server, client and system provided by the present invention, the server and the client jointly identify domain name hijacking, which improves the recognition rate of domain name hijacking in network communication, avoids risks such as leakage of users' sensitive information and theft of property, and improves network communication security.
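The combined flow described above (library lookup on the server, then the checks the client runs on instruction) can be modelled as follows. This is an added example, not code from the patent; the field names, the use of SHA-256 digests for the verification information and for certificate comparison, and the library addresses (documentation ranges) are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed library of DNS server IPs from past hijacking events
# (documentation address ranges, not real indicators).
HIJACK_IP_LIBRARY = {"203.0.113.53", "198.51.100.7", "2001:db8::53"}


def normalize_ip(raw: str) -> str:
    """Canonicalise an address so textual variants match one library entry."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:203.0.113.53 -> 203.0.113.53
    return str(ip)


def in_hijack_library(dns_server_ip: str) -> bool:
    """Server step: is the reported DNS server a known hijacked resolver?"""
    known = {normalize_ip(entry) for entry in HIJACK_IP_LIBRARY}
    return normalize_ip(dns_server_ip) in known


@dataclass
class ClientReport:
    """Observations the client sends back (field names are assumptions)."""
    dns_server_ip: str
    false_domain_loaded: Optional[bool] = None   # preset false domain check
    returned_info: Optional[bytes] = None        # body from the preset website
    redirect_chain: Optional[List[str]] = None   # URLs seen, starting at http://
    first_cert_der: Optional[bytes] = None       # certificate seen by the client


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(report: ClientReport,
             verification_sha256: Optional[str] = None,
             second_cert_der: Optional[bytes] = None) -> Tuple[bool, List[str]]:
    """Return (hijacked, reasons) following the order the claims describe."""
    # 1. A library hit decides immediately; no client-side check is needed.
    if in_hijack_library(report.dns_server_ip):
        return True, ["dns-server-in-hijack-library"]

    reasons: List[str] = []
    # 2. A preset false domain has no real site; loading it normally
    #    means something answered on its behalf.
    if report.false_domain_loaded:
        reasons.append("false-domain-loaded")
    # 3. Content from the preset website must match the verification info
    #    (assumed here to be a SHA-256 digest of the expected body).
    if report.returned_info is not None and verification_sha256 is not None:
        if sha256_hex(report.returned_info) != verification_sha256.lower():
            reasons.append("verification-info-mismatch")
    # 4. An https-capable site fetched over http should end on https.
    if report.redirect_chain:
        if urlsplit(report.redirect_chain[-1]).scheme != "https":
            reasons.append("no-https-redirect")
    # 5. The certificate the client saw must equal the one the server
    #    fetched itself for the same domain name.
    if report.first_cert_der is not None and second_cert_der is not None:
        if sha256_hex(report.first_cert_der) != sha256_hex(second_cert_der):
            reasons.append("certificate-mismatch")
    return bool(reasons), reasons


# Constructed sample data: placeholder bytes stand in for DER certificates.
GOOD_BODY = b"expected page body"
GOOD_CERT = b"\x30\x82constructed-der-A"
OTHER_CERT = b"\x30\x82constructed-der-B"

if __name__ == "__main__":
    clean = ClientReport("192.0.2.1", False, GOOD_BODY,
                         ["http://site.example/", "https://site.example/"],
                         GOOD_CERT)
    print(identify(clean, sha256_hex(GOOD_BODY), GOOD_CERT))
    stripped = ClientReport("192.0.2.1", redirect_chain=["http://site.example/"],
                            first_cert_der=OTHER_CERT)
    print(identify(stripped, second_cert_der=GOOD_CERT))
```

Sites served from several CDN edges can legitimately present different leaf certificates to the client and to the server, so in practice a certificate mismatch is a signal to investigate rather than proof on its own.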
It should be noted that the order of the embodiments of the present invention is for description only and does not represent the relative merits of the embodiments. Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The embodiments in this specification are described in a progressive manner; for the same or similar parts, the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, because the apparatus, server, client and system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments.
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (15)
1. A domain name hijacking identification method, characterized in that the method comprises:
receiving the Internet Protocol (IP) address, sent by a client, of the domain name server corresponding to a network to be detected;
querying whether the IP address of the domain name server corresponding to the network to be detected exists in a domain name hijacking IP address library, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events;
when the query result is yes, determining that domain name hijacking exists in the network to be detected;
when the query result is no, sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
2. The method according to claim 1, characterized in that the domain name hijacking identification instruction comprises a preset false domain name;
the sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
sending to the client a domain name hijacking identification instruction comprising the preset false domain name, so that the client determines whether domain name hijacking exists in the network to be detected according to whether the website corresponding to the preset false domain name can be accessed normally;
wherein, when the client normally accesses the website corresponding to the preset false domain name, it is determined that domain name hijacking exists in the network to be detected.
3. The method according to claim 1, characterized in that the domain name hijacking identification instruction comprises the domain name of a preset access website and verification information;
the sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
sending to the client a domain name hijacking identification instruction comprising the domain name of the preset access website and the verification information, so that the client accesses the preset access website according to the domain name of the preset access website and determines whether domain name hijacking exists in the network to be detected according to whether the access information returned by the preset access website is consistent with the verification information;
wherein, when the access information returned by the preset access website is inconsistent with the verification information, it is determined that domain name hijacking exists in the network to be detected.
4. The method according to claim 1, characterized in that the domain name hijacking identification instruction comprises a network protocol redirection instruction;
the sending a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected, comprises:
sending a network protocol redirection instruction to the client in the network to be detected, so that the client, in response to the network protocol redirection instruction and upon judging that a first website to be accessed is accessed using the network protocol https, accesses the first website in hypertext transfer protocol (http) mode and determines whether domain name hijacking exists in the network to be detected according to whether the access is redirected to https mode during the access;
wherein, when the access is not redirected to https mode during the access, it is determined that domain name hijacking exists in the network to be detected.
5. The method according to claim 1, characterized in that the method further comprises:
when the query result is no, sending a website signature certificate acquisition request to the client;
receiving, from the client, a first signature certificate obtained by accessing a second website and the domain name of the second website;
accessing the second website based on the domain name of the second website to obtain a second signature certificate of the second website;
judging whether the first signature certificate and the second signature certificate are consistent;
when the judgment result is no, determining that domain name hijacking exists in the network to be detected.
6. A domain name hijacking identification method, characterized in that the method comprises:
sending to a server the Internet Protocol (IP) address of the domain name server corresponding to a network to be detected;
when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain name hijacking IP address library, receiving a domain name hijacking identification instruction sent by the server, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events;
performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction, and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
7. The method according to claim 6, characterized in that the domain name hijacking identification instruction comprises a preset false domain name;
the performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected comprises:
in response to the domain name hijacking identification instruction comprising the preset false domain name, detecting whether the website corresponding to the preset false domain name can be accessed normally;
when it is detected that the website corresponding to the preset false domain name is accessed normally, determining that domain name hijacking exists in the network to be detected.
8. The method according to claim 6, characterized in that the domain name hijacking identification instruction comprises the domain name of a preset access website and verification information;
the performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected comprises:
in response to the domain name hijacking identification instruction comprising the domain name of the preset access website and the verification information, accessing the preset access website according to the domain name of the preset access website, and detecting whether the access information returned by the preset access website is consistent with the verification information;
when it is detected that the access information returned by the preset access website is inconsistent with the verification information, determining that domain name hijacking exists in the network to be detected.
9. The method according to claim 6, characterized in that the domain name hijacking identification instruction comprises a network protocol redirection instruction;
the performing a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determining, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected comprises:
in response to the network protocol redirection instruction sent to the client in the network to be detected, judging whether a first website to be accessed is accessed using the network protocol https;
when the judgment result is yes, accessing the first website in hypertext transfer protocol (http) mode, and detecting whether the access is redirected to https mode during the access;
when it is detected that the access is not redirected to https mode during the access, determining that domain name hijacking exists in the network to be detected.
10. A domain name hijacking identification method, characterized in that the method comprises:
sending to a server the Internet Protocol (IP) address of the domain name server corresponding to a network to be detected;
when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain name hijacking IP address library, receiving a website signature certificate acquisition request sent by the server, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events;
sending to the server a first signature certificate obtained by accessing a second website and the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains a second signature certificate of the second website, and determines whether domain name hijacking exists in the network to be detected based on whether the first signature certificate and the second signature certificate are consistent;
wherein, when the first signature certificate and the second signature certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
11. A domain name hijacking identification apparatus, characterized in that the apparatus comprises:
a network protocol address receiving module, configured to receive the Internet Protocol (IP) address, sent by a client, of the domain name server corresponding to a network to be detected;
a data query module, configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain name hijacking IP address library, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events;
a first domain name hijacking determining module, configured to determine, when the result of the query by the data query module is yes, that domain name hijacking exists in the network to be detected;
a domain name hijacking identification instruction sending module, configured to send, when the result of the query by the data query module is no, a domain name hijacking identification instruction to the client, so that the client performs a domain name hijacking identification operation in response to the domain name hijacking identification instruction and determines, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
12. A domain name hijacking identification apparatus, characterized in that the apparatus comprises:
a first network protocol address sending module, configured to send to a server the Internet Protocol (IP) address of the domain name server corresponding to a network to be detected;
a domain name hijacking identification instruction receiving module, configured to receive, when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain name hijacking IP address library, a domain name hijacking identification instruction sent by the server, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events;
a third domain name hijacking determining module, configured to perform a domain name hijacking identification operation in response to the domain name hijacking identification instruction and to determine, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected.
13. A domain name hijacking identification apparatus, characterized in that the apparatus comprises:
a second network protocol address sending module, configured to send to a server the Internet Protocol (IP) address of the domain name server corresponding to a network to be detected;
a certificate acquisition request receiving module, configured to receive, when the server finds that the IP address of the domain name server corresponding to the network to be detected does not exist in a domain name hijacking IP address library, a website signature certificate acquisition request sent by the server, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events;
a data sending module, configured to send to the server a first signature certificate obtained by accessing a second website and the domain name of the second website, so that the server accesses the second website based on the domain name of the second website, obtains a second signature certificate of the second website, and determines whether domain name hijacking exists in the network to be detected based on whether the first signature certificate and the second signature certificate are consistent;
wherein, when the first signature certificate and the second signature certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
14. A domain name hijacking identification system, characterized in that the system comprises a client and a server;
the client is configured to send the IP address of the domain name server corresponding to a network to be detected to the server, and, in response to a domain name hijacking identification instruction sent by the server, to perform a domain name hijacking identification operation and determine, based on the result of the domain name hijacking identification operation, whether domain name hijacking exists in the network to be detected;
the server is configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain name hijacking IP address library, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; and to send the domain name hijacking identification instruction to the client when the query result is no.
15. A domain name hijacking identification system, characterized in that the system comprises a client and a server;
the client is configured to send the IP address of the domain name server corresponding to a network to be detected to the server, and to send to the server a first signature certificate obtained by accessing a second website and the domain name of the second website;
the server is configured to query whether the IP address of the domain name server corresponding to the network to be detected exists in a domain name hijacking IP address library, the domain name hijacking IP address library comprising the IP addresses of domain name servers hijacked in historical domain name hijacking events; to determine, when the query result is yes, that domain name hijacking exists in the network to be detected; to send a website signature certificate acquisition request to the client when the query result is no; and to access the second website based on the domain name of the second website, obtain a second signature certificate of the second website, and determine whether domain name hijacking exists in the network to be detected based on whether the first signature certificate and the second signature certificate are consistent;
wherein, when the first signature certificate and the second signature certificate are inconsistent, it is determined that domain name hijacking exists in the network to be detected.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811282673.5A CN109257373B (en) | 2018-10-31 | 2018-10-31 | Domain name hijacking identification method, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811282673.5A CN109257373B (en) | 2018-10-31 | 2018-10-31 | Domain name hijacking identification method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109257373A true CN109257373A (en) | 2019-01-22 |
CN109257373B CN109257373B (en) | 2020-12-04 |
Family
ID=65044110
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811282673.5A Active CN109257373B (en) | 2018-10-31 | 2018-10-31 | Domain name hijacking identification method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109257373B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110225013A (en) * | 2019-05-30 | 2019-09-10 | 世纪龙信息网络有限责任公司 | The monitoring of certificate of service and more new system |
CN110619071A (en) * | 2019-08-06 | 2019-12-27 | 微梦创科网络科技(中国)有限公司 | Account access security monitoring and processing method and device |
CN110636072A (en) * | 2019-09-26 | 2019-12-31 | 腾讯科技(深圳)有限公司 | Target domain name scheduling method, device, equipment and storage medium |
CN111526129A (en) * | 2020-04-01 | 2020-08-11 | 五八有限公司 | Information reporting method and device |
CN111726322A (en) * | 2019-03-19 | 2020-09-29 | 国家计算机网络与信息安全管理中心 | Method and device for detecting file tampering hijacking and storage medium |
CN112039829A (en) * | 2019-06-04 | 2020-12-04 | 阿里巴巴集团控股有限公司 | Hijacking detection and reporting method and device for domain name system |
CN112671747A (en) * | 2020-12-17 | 2021-04-16 | 赛尔网络有限公司 | Overseas malicious URL statistical method and device, electronic equipment and storage medium |
CN113691499A (en) * | 2021-07-29 | 2021-11-23 | 深圳市天天来玩科技有限公司 | Client anti-hijacking method, client, server and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017004947A1 (en) * | 2015-07-07 | 2017-01-12 | 安一恒通(北京)科技有限公司 | Method and apparatus for preventing domain name hijacking |
CN106357841A (en) * | 2016-11-02 | 2017-01-25 | 腾讯科技(深圳)有限公司 | Domain name resolution method, device and system |
CN106453436A (en) * | 2016-12-21 | 2017-02-22 | 北京奇虎科技有限公司 | Method and device for detecting network security |
US20170171242A1 (en) * | 2015-12-15 | 2017-06-15 | Microsoft Technology Licensing, Llc | Defense against nxdomain hijacking in domain name systems |
CN107147662A (en) * | 2017-06-01 | 2017-09-08 | 北京云端智度科技有限公司 | The method that Domain Hijacking is found |
CN108183896A (en) * | 2017-12-26 | 2018-06-19 | 珠海市君天电子科技有限公司 | Page acquisition methods, device and the electronic equipment of browser |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017004947A1 (en) * | 2015-07-07 | 2017-01-12 | 安一恒通(北京)科技有限公司 | Method and apparatus for preventing domain name hijacking |
US20170171242A1 (en) * | 2015-12-15 | 2017-06-15 | Microsoft Technology Licensing, Llc | Defense against nxdomain hijacking in domain name systems |
CN106357841A (en) * | 2016-11-02 | 2017-01-25 | 腾讯科技(深圳)有限公司 | Domain name resolution method, device and system |
CN106453436A (en) * | 2016-12-21 | 2017-02-22 | 北京奇虎科技有限公司 | Method and device for detecting network security |
CN107147662A (en) * | 2017-06-01 | 2017-09-08 | 北京云端智度科技有限公司 | The method that Domain Hijacking is found |
CN108183896A (en) * | 2017-12-26 | 2018-06-19 | 珠海市君天电子科技有限公司 | Page acquisition methods, device and the electronic equipment of browser |
Non-Patent Citations (1)
Title |
---|
林成虎: ""基于W-Kmeans算法的DNS流量异常检测"", 《计算机工程与设计》 * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111726322A (en) * | 2019-03-19 | 2020-09-29 | 国家计算机网络与信息安全管理中心 | Method and device for detecting file tampering hijacking and storage medium |
CN110225013A (en) * | 2019-05-30 | 2019-09-10 | 世纪龙信息网络有限责任公司 | The monitoring of certificate of service and more new system |
CN110225013B (en) * | 2019-05-30 | 2021-11-09 | 世纪龙信息网络有限责任公司 | Service certificate monitoring and updating system |
CN112039829A (en) * | 2019-06-04 | 2020-12-04 | 阿里巴巴集团控股有限公司 | Hijacking detection and reporting method and device for domain name system |
CN110619071A (en) * | 2019-08-06 | 2019-12-27 | 微梦创科网络科技(中国)有限公司 | Account access security monitoring and processing method and device |
CN110636072A (en) * | 2019-09-26 | 2019-12-31 | 腾讯科技(深圳)有限公司 | Target domain name scheduling method, device, equipment and storage medium |
CN111526129A (en) * | 2020-04-01 | 2020-08-11 | 五八有限公司 | Information reporting method and device |
CN112671747A (en) * | 2020-12-17 | 2021-04-16 | 赛尔网络有限公司 | Overseas malicious URL statistical method and device, electronic equipment and storage medium |
CN112671747B (en) * | 2020-12-17 | 2022-08-30 | 赛尔网络有限公司 | Overseas malicious URL statistical method and device, electronic equipment and storage medium |
CN113691499A (en) * | 2021-07-29 | 2021-11-23 | 深圳市天天来玩科技有限公司 | Client anti-hijacking method, client, server and system |
Also Published As
Publication number | Publication date |
---|---|
CN109257373B (en) | 2020-12-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109257373A (en) | A kind of Domain Hijacking recognition methods, apparatus and system | |
CN105939326B (en) | Method and device for processing message | |
US9215242B2 (en) | Methods and systems for preventing unauthorized acquisition of user information | |
US20180219907A1 (en) | Method and apparatus for detecting website security | |
JP5704518B2 (en) | Confidential information leakage prevention system, confidential information leakage prevention method, and confidential information leakage prevention program | |
US9686303B2 (en) | Web page vulnerability detection method and apparatus | |
CN111130930B (en) | Dual-network card detection method and device | |
CN103607385A (en) | Method and apparatus for security detection based on browser | |
CN111786966A (en) | Method and device for browsing webpage | |
CN109802919B (en) | Web page access intercepting method and device | |
CN107395553B (en) | Network attack detection method, device and storage medium | |
CN108063833B (en) | HTTP DNS analysis message processing method and device | |
CN107733853B (en) | Page access method, device, computer and medium | |
CN112165488A (en) | Risk assessment method, device and equipment and readable storage medium | |
CN105635178A (en) | Blocking network access method and device for ensuring safety | |
CN110557358A (en) | Honeypot server communication method, SSLStrip man-in-the-middle attack perception method and related device | |
KR101996471B1 (en) | Network Securing Device and Securing method Using The Same | |
US20150026806A1 (en) | Mitigating a Cyber-Security Attack By Changing a Network Address of a System Under Attack | |
CN110619022B (en) | Node detection method, device, equipment and storage medium based on block chain network | |
CN105262858A (en) | Method and device for detecting safety of Domain Name System (DNS) server | |
CN108737421B (en) | Method, system, device and storage medium for discovering potential threats in network | |
CN106789858A (en) | A kind of access control method and device and server | |
CN110602134A (en) | Method, device and system for identifying illegal terminal access based on session label | |
KR101087291B1 (en) | A method for identifying whole terminals using internet and a system thereof | |
CN108055299B (en) | Portal page pushing method, network access server and Portal authentication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||