WO2018113732A1 - Method and apparatus for detecting dns full traffic hijack risk - Google Patents


Info

Publication number: WO2018113732A1
Authority: WO (WIPO, PCT)
Prior art keywords: target, addresses, domain names, dns, risk
Application number: PCT/CN2017/117696
Other languages: French (fr), Chinese (zh)
Inventors: 高永岗, 张建新, 刘天
Original assignee: 北京奇虎科技有限公司
Application filed by 北京奇虎科技有限公司
Publication of WO2018113732A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • the present disclosure relates to the field of computer technologies, and in particular, to a method and apparatus for detecting a full traffic hijacking risk of a DNS.
  • DNS: Domain Name System
  • In some related technologies, detection works as follows: the electronic device or server stores a blacklist library that records multiple IP (Internet Protocol) addresses associated with DNS full traffic hijacking. The target domain name is resolved to its corresponding IP address, and the resolved IP address is then looked up in the blacklist library. If the resolved IP address is not in the IP address blacklist, it is determined that there is no DNS full traffic hijacking risk.
  • IP: Internet Protocol
  • the embodiments of the present disclosure provide a method and a device for detecting a full traffic hijacking risk of a DNS, which are used to improve the detection accuracy of the full traffic hijacking risk of the DNS.
  • the present disclosure provides a method for detecting a full traffic hijacking risk of a DNS, including:
  • One or more target domain names are specifically WAN domain names;
  • the present disclosure provides a method for detecting a full traffic hijacking risk of a DNS, including:
  • the present disclosure provides a method for detecting a full traffic hijacking risk of a DNS, including:
  • obtaining one or more target domain names for detecting the risk of DNS full traffic hijacking of the domain name system; wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol IP addresses corresponding to the one or more target domain names are not the same;
  • the disclosure provides a detecting device for a DNS full traffic hijacking risk, including:
  • Obtaining a module configured to obtain one or more target domain names for detecting a risk of DNS full traffic hijacking of the domain name system; wherein, one or more target domain names are specifically a wide area network domain name;
  • the parsing module is configured to perform DNS resolution on one or more target domain names, obtain a target Internet Protocol IP address corresponding to each target domain name, and obtain one or more target IP addresses;
  • a first determining module configured to determine whether a local area network address exists in the one or more target IP addresses;
  • the first determining module is configured to determine that the user equipment UE has a risk of DNS full traffic hijacking when a local area network address exists in one or more target IP addresses.
  • the disclosure provides a detecting device for a DNS full traffic hijacking risk, including:
  • Obtaining a module configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system; wherein, the known IP addresses corresponding to the one or more target domain names are different;
  • the parsing module is configured to perform DNS resolution on one or more target domain names, obtain a target Internet Protocol IP address corresponding to each target domain name, and obtain one or more target IP addresses;
  • a first determining module configured to determine whether the same address exists in one or more target IP addresses
  • the first determining module is configured to determine that the UE has a full traffic hijacking risk when the same address exists in one or more target IP addresses.
  • the disclosure provides a device for detecting a full traffic hijacking risk of a DNS, including:
  • an obtaining module configured to obtain one or more target domain names for detecting a risk of DNS full traffic hijacking of the domain name system; wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol IP addresses corresponding to the one or more target domain names are not the same;
  • the parsing module is configured to perform DNS resolution on one or more target domain names, obtain a target IP address corresponding to each target domain name, and obtain one or more target IP addresses;
  • a determining module configured to determine whether a local area network address exists in one or more target IP addresses, and whether the same address exists in one or more target IP addresses;
  • the determining module is configured to determine that the user equipment UE has a risk of DNS full traffic hijacking when a local area network address exists in one or more target IP addresses, or when the same address exists in one or more target IP addresses.
  • the present disclosure provides a computer program comprising:
  • computer readable code which, when run on a computing device, causes the computing device to perform the aforementioned method of detecting the risk of DNS full traffic hijacking.
  • the present disclosure provides a computer readable medium, comprising:
  • a stored computer program for performing the above-described method of detecting a DNS full traffic hijacking risk.
  • one or more target domain names for detecting the risk of DNS full traffic hijacking are obtained, where in this embodiment of the present disclosure the one or more target domain names are specifically wide area network domain names; DNS resolution is then performed on the one or more target domain names to obtain a target IP address corresponding to each target domain name, giving one or more target IP addresses; and it is then determined whether a local area network address exists among the one or more target IP addresses. Since the IP address corresponding to a target domain name is a wide area network address, when a local area network address exists among the one or more target IP addresses, it is determined that the UE has a DNS full traffic hijacking risk.
  • even when the target IP address resolved from the target domain name is not in the blacklist database, if the target IP address is a local area network address, this indicates that the network currently accessed by the UE may be subject to full traffic hijacking, and the UE can therefore be determined to be at risk of DNS full traffic hijacking. The above technical solution thus improves the detection accuracy for the risk of DNS full traffic hijacking.
  • the technical solution of the embodiment of the present disclosure does not need to be compared against a huge blacklist database, and therefore does not need to store a blacklist database, thereby saving the device resources that storing a blacklist database would occupy.
  • since the technical solution in the embodiment of the present disclosure can be executed by the UE without the participation of a server, it can prevent an illegal agent that has hijacked the DNS from monitoring the interaction between the UE and the server, interfering with detection, and even sending the UE false information indicating that the network is secure.
  • FIG. 1 is a flow chart of a method for detecting a full DNS traffic hijacking risk in the first embodiment of the present disclosure
  • FIG. 2 is a flow chart of a method for detecting a full DNS traffic hijacking risk according to an embodiment of the present disclosure
  • FIG. 3 is a flowchart of a method for detecting a third DNS full traffic hijacking risk according to an embodiment of the present disclosure
  • FIG. 4 is a schematic structural diagram of a first DNS full traffic hijacking risk detecting apparatus according to an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of a second DNS full traffic hijacking risk detecting apparatus according to an embodiment of the present disclosure
  • FIG. 6 is a schematic structural diagram of a third DNS full traffic hijacking risk detecting apparatus according to an embodiment of the present disclosure
  • FIG. 7 schematically illustrates a block diagram of a computing device for performing a DNS full traffic hijacking detection method in accordance with an embodiment of the present disclosure
  • FIG. 8 schematically illustrates a storage unit for maintaining or carrying program code that implements a DNS full traffic hijacking detection method in accordance with an embodiment of the present disclosure.
  • the embodiments of the present disclosure provide a method and a device for detecting a full traffic hijacking risk of a DNS, which are used to improve the detection accuracy of the full traffic hijacking risk of the DNS.
  • one or more target domain names for detecting a risk of DNS full traffic hijacking are obtained, and then one or more target domain names are subjected to DNS resolution to obtain a target IP address corresponding to each target domain name.
  • one or more target IP addresses are obtained; then, if the one or more target domain names are WAN domain names, it is determined whether a local area network address exists among the one or more target IP addresses, and if a local area network address exists, it is determined that the UE has a DNS full traffic hijacking risk; or, if the one or more target domain names are domain names with different known IP addresses, it is determined whether the same address exists among the one or more target IP addresses, and if the same address exists, it is determined that the UE has a DNS full traffic hijacking risk; or, if the one or more target domain names are WAN domain names and the known IP addresses of the one or more target domain names are different, it is determined whether a local area network address exists among the one or more target IP addresses, and whether the
  • the first aspect of the disclosure provides a method for detecting the risk of DNS full traffic hijacking; refer to FIG. 1.
  • S101: Obtain one or more target domain names for detecting a risk of DNS full traffic hijacking of the domain name system; wherein the one or more target domain names are specifically WAN domain names;
  • S102: Perform DNS resolution on the one or more target domain names, obtain a target Internet Protocol IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses;
  • S103: Determine whether a local area network address exists in the one or more target IP addresses;
  • S104: When a local area network address exists in the one or more target IP addresses, determine that the user equipment UE has a risk of DNS full traffic hijacking.
  • One or more target domain names in the embodiments of the present disclosure are one or a group of test domain names for detecting DNS full traffic hijacking.
  • each target domain name is specifically a wide area network domain name.
  • the UE may obtain the one or more target domain names when it is required to detect the risk of DNS full traffic hijacking, or may obtain them in advance when there is no current need to detect the risk; the present disclosure does not specifically limit this.
  • the time at which S102 to S104 detect DNS full traffic hijacking may be any time after the UE is powered on, or detection may be started at every preset interval, for example every hour, or performed each time the network is accessed. Alternatively, before S102, the method also includes:
  • when the UE accesses a new AP (access point), the step of performing DNS resolution on the one or more target domain names is performed.
  • for example, the UE switches to a second AP at time T1; the second AP is the new AP.
  • or, the UE does not access any AP before T1 and accesses a third AP at time T1; the third AP is a new AP.
  • SSID: Service Set Identifier
  • when the UE accesses a new AP, it cannot confirm whether the currently accessed network, that is, the network in which the new AP is located, has the risk of DNS full traffic hijacking. Therefore S102 is executed at this time, and DNS full traffic hijacking risk detection is started. In other words, when the UE switches to a new network, the risk of DNS full traffic hijacking in that network is detected in S102 to S104.
  • likewise, when the UE has not switched APs but is accessing a network for the first time, it cannot confirm whether the currently accessed network has the risk of DNS full traffic hijacking, so S102 is executed at this time and DNS full traffic hijacking risk detection is started. In other words, when the UE initially accesses a network, the risk of DNS full traffic hijacking in that network is detected in S102 to S104.
  • S101 of the embodiment of the present disclosure may be implemented by the following process:
  • one or more domain names satisfying the preset condition are determined to be one or more target domain names.
  • the one or more target domain names obtained by the UE in the embodiment of the present disclosure may be delivered by the server, or may be configured and selected by the UE, or part of the target domain names may be received from the server while the other part is configured by the UE.
  • in the specific implementation, those skilled in the art to which the present disclosure belongs may choose according to actual conditions; the disclosure does not specifically limit this.
  • the target domain name in the embodiment of the present disclosure is the WAN domain name.
  • the server selects one or more WAN domain names as the target domain names;
  • the server may deliver the target domain names to the UE at any time;
  • the UE stores the one or more target domain names in its own storage space, and then reads the one or more target domain names from the storage space when they need to be obtained.
  • the server sends the following JSON structure data to the UE.
  • after receiving the data of the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and then stores the ten target domain names in the storage space of the UE.
  • the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are then read from the storage space.
  • the UE determines one or more domain names that meet the preset condition from the multiple candidate domain names as the target domain name.
  • a candidate domain name may be a domain name the UE has visited, or a domain name that is currently accessible; the disclosure does not specifically limit this.
  • the preset condition is specifically a WAN domain name, and the UE selects one or more WAN domain names from the plurality of candidate domain names as the target domain name.
  • one of ordinary skill in the art to which the present disclosure belongs may select either of the above two methods for obtaining the target domain names, or may combine the two methods; the present disclosure does not specifically limit this.
  • after obtaining the one or more target domain names in S101, the UE performs DNS resolution on each target domain name in S102 and obtains the IP address corresponding to each target domain name.
  • the IP address resolved by the target domain name through the DNS is referred to as a target IP address.
  • the method for determining whether a target IP address is a local area network IP address is to determine whether the target IP address falls in any one of the ClassA, ClassB, or ClassC intervals:
  • the address range of the ClassA interval is 10.0.0.0-10.255.255.255;
  • the address range of the ClassB interval is 172.16.0.0-172.31.255.255;
  • the address range of the ClassC interval is 192.168.0.0-192.168.255.255. If the target IP address lies in any of the ClassA, ClassB, or ClassC intervals, the target IP address is a LAN address; otherwise, if the target IP address lies in none of the ClassA, ClassB, or ClassC intervals, it is not a LAN address.
  • the target domain name in the embodiment of the present disclosure is a WAN domain name
  • the IP address corresponding to the WAN domain name is a WAN address
  • if a local area network address nevertheless appears, the AP or AC accessed by the UE may be hijacked. Therefore, when a local area network address exists in the one or more target IP addresses, it is determined in S104 that the UE has a risk of DNS full traffic hijacking.
  • the IP address corresponding to the target domain name is a wide area network address
  • the technical solution of the embodiment of the present disclosure does not need to be compared against a huge blacklist database, so no blacklist database is stored in the electronic device or the server, thereby saving the device resources a blacklist database would occupy.
  • the foregoing S101 to S104 may all be performed by the UE; or S101 to S102 are performed by the UE and S103 to S104 are then executed by the server, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination.
  • the present disclosure can further prevent an illegal agent that has hijacked the DNS from monitoring the interaction between the UE and the server, interfering with detection, and even sending the UE false information indicating that the network is secure.
  • the method further includes:
  • the target domain names are not only wide area network domain names, but also domain names whose known IP addresses are different from one another.
  • the target domain name is specifically a WAN domain name corresponding to a different IP address.
  • the server selects one or more WAN domain names with different IP addresses and sends them to the UE as the target domain name, so that the UE stores the target domain name.
  • the UE reads from the storage space one or more wide area network domain names whose known IP addresses are different.
  • the server determines that the IP addresses corresponding to the ten WAN domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are different.
  • the ten domain names and the IP addresses corresponding to each domain name are shown in Table 1.
  • the server sends the following JSON structure data to the UE.
  • after receiving the data of the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and then stores the ten target domain names in the storage space of the UE.
  • the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are then read from the storage space.
  • the preset condition is specifically a WAN domain name corresponding to different IP addresses: DNS resolution is performed on multiple candidate domain names, one or more IP addresses corresponding to each candidate domain name are obtained, and then the candidate domain names that share no IP address with any other candidate (that is, whose set of common IP addresses is empty) and that are WAN domain names are selected as the target domain names.
  • the IP address returned to the UE by the criminal may also be a wide area network address. Therefore, in the embodiment of the present disclosure, when no local area network address exists among the one or more target IP addresses, it is further determined whether the same address exists among the one or more target IP addresses in order to detect the risk of DNS full traffic hijacking.
  • for example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33, and 123.125.112.202.
  • the first target IP address and the fifth target IP address are the same, so it is determined that the same address exists among the target IP addresses, and therefore that the UE has a DNS full traffic hijacking risk.
  • as another example, the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33, and 123.125.112.202.
  • the first target IP address is the same as the fifth, and the second target IP address is the same as the fourth. Therefore, it is determined that the same address exists among the target IP addresses, and that the UE has a DNS full traffic hijacking risk.
  • the detection accuracy of the embodiment of the present disclosure is further improved by first determining whether a local area network address exists among the target IP addresses and, when there is none, further determining whether the same address exists among the target IP addresses in order to detect the risk of DNS full traffic hijacking.
  • the method in the embodiment of the present disclosure further includes:
  • when each target domain name is correctly resolved to a different WAN IP address, the likelihood that DNS full traffic hijacking is occurring is low. Therefore, if there is no LAN address among the one or more target IP addresses, and furthermore no repeated address, it is determined that the UE does not have the risk of DNS full traffic hijacking.
  • the second aspect of the present disclosure provides another method for detecting a DNS full traffic hijacking risk.
  • FIG. 2 is a flow chart of a method for detecting a DNS full traffic hijacking risk in the second embodiment of the present disclosure. The method includes:
  • S201: Obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system; wherein the known IP addresses corresponding to the one or more target domain names are different;
  • S202: Perform DNS resolution on the one or more target domain names, obtain a target Internet Protocol IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses;
  • S203: Determine whether the same address exists in the one or more target IP addresses;
  • S204: When the same address exists in the one or more target IP addresses, determine that the UE has a DNS full traffic hijacking risk.
  • the timing at which the second DNS full traffic hijacking risk detection method is used to detect network security is the same as for the first detection method, and will not be repeated here.
  • S201 is similar to S101
  • S202 is similar to S102. Since S101 and S102 have been described in detail above, the description of the embodiments of the present disclosure will not be repeated.
  • S201 differs from S101 in that the target domain names in this embodiment of the present disclosure are specifically domain names with different IP addresses. Therefore, if the target domain names are delivered by the server, the server selects, by resolving and verifying, one or more domain names whose corresponding IP addresses differ, and delivers them to the UE as the target domain names so that the UE stores them; when the target domain names are to be obtained, the UE reads the one or more target domain names with different known IP addresses from the storage space.
  • for example, the server determines that the IP addresses corresponding to the ten domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are different, as shown in Table 1.
  • the server sends the following JSON structure data to the UE.
  • after receiving the data of the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and then stores the ten target domain names in the storage space of the UE.
  • the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are then read from the storage space.
  • S201 differs from S101 in that the target domain names in this embodiment of the present disclosure are specifically domain names with different IP addresses. Therefore, if the target domain names are determined by the UE, the preset condition is specifically that the IP addresses corresponding to the domain names differ: DNS resolution is performed on multiple candidate domain names, one or more IP addresses corresponding to each candidate domain name are obtained, and then the candidate domain names that share no IP address with any other candidate (that is, whose set of common IP addresses is empty) are selected as the target domain names.
  • in S203, it is determined whether the same address exists among the one or more target IP addresses. Specifically, when full DNS traffic hijacking occurs, the same IP address is returned to the UE for every domain name accessed. Sometimes, to avoid discovery, the criminals instead return to the UE an IP address picked at random from a set of IP addresses; this set consists of the IP addresses of servers controlled by the criminal. Therefore, if the same address exists among the one or more target IP addresses, this indicates that the AP or AC accessed by the UE may be hijacked, and when the same address exists among the one or more target IP addresses, it is determined in S204 that the UE has a DNS full traffic hijacking risk.
  • for example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33, and 123.125.112.202; the first target IP address and the fifth target IP address are the same, so it is determined that the same address exists among the target IP addresses, and therefore that the UE has a DNS full traffic hijacking risk.
  • as another example, the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33, and 123.125.112.202; the first target IP address is the same as the fifth, and the second target IP address is the same as the fourth. Therefore, it is determined that the same address exists among the target IP addresses, and that the UE has a DNS full traffic hijacking risk.
  • the technical solution in the embodiment of the present disclosure improves the detection accuracy of the DNS full traffic hijacking risk.
  • the technical solution of the embodiment of the present disclosure does not need to be compared against a huge blacklist database, so no blacklist database is stored in the electronic device or the server, thereby saving the device resources a blacklist database would occupy.
  • the foregoing S201 to S204 may all be performed by the UE; or S201 to S202 are performed by the UE and S203 to S204 are then performed by the server, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination.
  • the present disclosure can further prevent an illegal agent that has hijacked the DNS from monitoring the interaction between the UE and the server, interfering with detection, and even sending the UE false information indicating that the network is secure.
  • the method further includes:
  • the target domain names are not only domain names whose known IP addresses differ, but also WAN domain names.
  • the target domain name is specifically a WAN domain name corresponding to a different IP address.
  • the server selects one or more WAN domain names with different IP addresses and sends them to the UE as the target domain name, so that the UE stores the target domain name.
  • the UE reads from the storage space one or more target domain names that have different known IP addresses and are WAN domain names.
  • the preset condition is specifically a WAN domain name with different IP addresses: DNS resolution is performed on multiple candidate domain names, one or more IP addresses corresponding to each candidate domain name are obtained, and then the candidate domain names that share no IP address with any other candidate (that is, whose set of common IP addresses is empty) and that are WAN domain names are selected as the target domain names.
  • the criminals may return different target IP addresses to the UE, but a local area network address among the target IP addresses can still expose the hijacking. Therefore, in the embodiment of the present disclosure, when the same address does not exist among the one or more target IP addresses, it is further determined whether a local area network address exists among the one or more target IP addresses in order to detect the risk of DNS full traffic hijacking.
  • the IP address corresponding to a WAN domain name is a WAN address, so if a local area network address exists among the one or more target IP addresses, this indicates that the AP or AC accessed by the UE may be hijacked. Therefore, when no repeated address exists among the one or more target IP addresses but a local area network address does, it is determined that the UE has a risk of DNS full traffic hijacking.
  • the detection accuracy of the embodiment of the present disclosure is further improved by first determining whether the same address exists among the target IP addresses and, when it does not, further determining whether a local area network address exists among the target IP addresses in order to detect the risk of DNS full traffic hijacking.
  • the method in the embodiment of the present disclosure further includes:
  • the third aspect of the present disclosure provides another method for detecting the risk of DNS full traffic hijacking.
  • FIG. 3 is a flowchart of a third method for detecting a DNS full traffic hijacking risk according to an embodiment of the present disclosure. The method includes:
  • S301: Obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system; wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol IP addresses corresponding to the one or more target domain names are not the same;
  • S302 Perform DNS resolution on one or more target domain names, obtain a target IP address corresponding to each target domain name, and obtain one or more target IP addresses.
  • S303 Determine whether a local area network address exists in one or more target IP addresses, and whether the same address exists in one or more target IP addresses;
  • S304 When there is a local area network address in one or more target IP addresses, or the same address exists in one or more target IP addresses, it is determined that the user equipment UE has a risk of DNS full traffic hijacking.
  • In specific implementation, the third detection method applies the checks of the first and second detection methods at the same time to check network security, so the details are not repeated here.
  • S301 is similar to S101 and S201, and S302 is similar to S102 and S202. Since S101 and S102 have been described in detail above, the description is not repeated in this embodiment.
  • S301 differs from S101 in that the target domain names in this embodiment are specifically WAN domain names whose known IP addresses are all different. Therefore, if the target domain names are delivered by the server, the server selects, by resolving and verifying, one or more WAN domain names whose corresponding IP addresses are different and delivers them to the UE as the target domain names for the UE to store; when the target domain names are to be obtained, the UE reads from its storage space the one or more target domain names, which are WAN domain names with different known IP addresses.
  • When the target domain names are selected from multiple candidate domain names, the preset condition is specifically: WAN domain names with different IP addresses. The multiple candidate domain names are resolved through DNS to obtain the one or more IP addresses corresponding to each candidate domain name, and the candidate domain names that are WAN domain names and whose sets of IP addresses have an empty intersection are selected as the target domain names.
  • In S303, it is determined whether a local area network address exists among the one or more target IP addresses and whether the same address exists among them. If a local area network address exists among the one or more target IP addresses, or the same address exists, it indicates that the AP or AC accessed by the UE may be hijacked at this time. Therefore, when a local area network address exists among the one or more target IP addresses, or the same address exists, it is determined in S304 that the UE has a DNS full traffic hijacking risk.
  • For example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. All five target IP addresses are WAN addresses, but the first and the fifth target IP addresses are the same, so it is determined that the UE has a DNS full traffic hijacking risk.
  • As another example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The five target IP addresses are all different, but the fifth target IP address is a local area network address, so it is determined that the UE has a DNS full traffic hijacking risk.
  • As a further example, the target IP addresses are 123.125.112.202, 123.125.112.202, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The fifth target IP address is a local area network address, and the first and second target IP addresses are the same, so it is determined that the UE has a DNS full traffic hijacking risk.
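A worked checker for S301 to S304 and for the three address sets above, written as an added example that is not part of the patent. The domain labels such as `site-a.example`, the function names `select_target_domains` and `detect_hijack_risk`, and the injected resolver (so the example runs offline on constructed answers instead of live DNS queries) are all assumptions; the IP values are the ones the patent's examples use.

```python
"""Added example: offline checker for the third detection method (S301 to S304)."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, List, Tuple


def is_wan_address(ip: str) -> bool:
    """True only for a globally routable unicast address, i.e. a 'wide area
    network address' in the patent's terms. RFC 1918 ranges, loopback,
    link-local, carrier-grade NAT and other reserved blocks are all treated as
    local area network (non-WAN) addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def select_target_domains(candidates: Dict[str, str]) -> Dict[str, str]:
    """S301 preset condition: keep candidate names whose known IP is a WAN
    address and whose known IPs are pairwise distinct (the first name wins
    when two share an IP). With such a set, a duplicate or LAN answer at
    S303 can only come from a tampered resolver, not from honest DNS data."""
    chosen: Dict[str, str] = {}
    seen = set()
    for name, ip in candidates.items():
        if is_wan_address(ip) and ip not in seen:
            chosen[name] = ip
            seen.add(ip)
    return chosen


def detect_hijack_risk(resolved: Dict[str, str]) -> Tuple[bool, List[str]]:
    """S303/S304: risk when any resolved target IP is a LAN address, or when
    two different target names resolved to the same address. Returns the
    verdict plus the reasons so an operator can see which check fired."""
    reasons: List[str] = []
    lan = sorted({ip for ip in resolved.values() if not is_wan_address(ip)})
    if lan:
        reasons.append("local area network address among target IPs: " + ", ".join(lan))
    dup = sorted(ip for ip, n in Counter(resolved.values()).items() if n > 1)
    if dup:
        reasons.append("same address for different target domain names: " + ", ".join(dup))
    return bool(reasons), reasons


def run_detection(targets: Dict[str, str],
                  resolve: Callable[[str], str]) -> Tuple[bool, List[str]]:
    """S302 then S303/S304: resolve every target name with the supplied
    resolver and judge the answers. The resolver is injected so this runs
    offline; on a real UE it would query the DNS server handed out by the AP."""
    resolved = {name: resolve(name) for name in targets}
    return detect_hijack_risk(resolved)


# Constructed sample data. The domain labels are hypothetical placeholders;
# the IP values are the ones the patent uses in its worked examples.
CANDIDATES = {
    "site-a.example": "123.125.112.202",
    "site-b.example": "220.181.12.208",
    "site-c.example": "111.206.227.118",
    "site-d.example": "175.25.168.40",
    "site-e.example": "110.76.19.33",
    "mirror-a.example": "123.125.112.202",  # shares site-a's IP: dropped by S301
    "intranet.example": "10.0.0.5",         # LAN address: dropped by S301
}
TARGETS = select_target_domains(CANDIDATES)  # the five distinct WAN names

# Constructed resolver answers for the three cases in the patent plus an
# honest case, keyed by target name (order: site-a .. site-e).
SCENARIOS = {
    "honest": dict(TARGETS),
    "duplicate_answer": {  # first and fifth answers identical
        "site-a.example": "123.125.112.202", "site-b.example": "220.181.12.208",
        "site-c.example": "111.206.227.118", "site-d.example": "110.76.19.33",
        "site-e.example": "123.125.112.202"},
    "lan_answer": {  # fifth answer is a LAN address
        "site-a.example": "123.125.112.202", "site-b.example": "220.181.12.208",
        "site-c.example": "111.206.227.118", "site-d.example": "175.25.168.40",
        "site-e.example": "192.168.1.1"},
    "lan_and_duplicate": {  # both checks fire
        "site-a.example": "123.125.112.202", "site-b.example": "123.125.112.202",
        "site-c.example": "111.206.227.118", "site-d.example": "175.25.168.40",
        "site-e.example": "192.168.1.1"},
}


def run_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the detector once per constructed scenario; returns label -> verdict."""
    return {label: run_detection(TARGETS, lambda name, a=answers: a[name])
            for label, answers in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (at_risk, reasons) in run_scenarios().items():
        print(f"{label:18s} risk={at_risk} {'; '.join(reasons)}")
```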
  • Since the target domain names are known to correspond to different known IP addresses, each of which is known to be a wide area network address, when a local area network address exists among the one or more target IP addresses, or the same target IP address occurs more than once, it is determined that the UE has a DNS full traffic hijacking risk. Therefore, even if the target IP address resolved from a target domain name is not in the blacklist library, it can still be determined that the UE has a full traffic hijacking risk, and the technical solution of the embodiment of the present disclosure improves the detection accuracy of the DNS full traffic hijacking risk.
  • The technical solution of the embodiment of the present disclosure does not need to be compared against a huge blacklist database, so no blacklist database needs to be stored on the electronic device or the server, which saves the device resources the blacklist database would occupy.
  • The foregoing S301 to S304 may all be performed by the UE; alternatively, S301 to S302 are performed by the UE and S303 to S304 by the server, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination.
  • When the solution is executed by the UE without the participation of the server, the present disclosure can further prevent criminals who have hijacked the DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is safe.
  • The embodiment of the present disclosure further includes the following.
  • The fourth aspect of the present disclosure provides a first DNS full traffic hijacking risk detecting device, as shown in FIG. 4, including:
  • the obtaining module 101, configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system DNS, wherein the one or more target domain names are specifically wide area network domain names;
  • the parsing module 102, configured to perform DNS resolution on the one or more target domain names, obtaining a target Internet Protocol IP address corresponding to each target domain name and thereby one or more target IP addresses;
  • the first judging module 103, configured to determine whether a local area network address exists among the one or more target IP addresses;
  • the first determining module 104, configured to determine that the user equipment UE has a DNS full traffic hijacking risk when a local area network address exists among the one or more target IP addresses.
  • The device in the embodiment of the present disclosure further includes:
  • a second judging module, configured to determine whether the same address exists among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names are all different;
  • a second determining module, configured to determine that the UE has a full traffic hijacking risk when the same address exists among the one or more target IP addresses.
  • The device in the embodiment of the present disclosure further includes:
  • a third determining module, configured to determine that the UE does not have a DNS full traffic hijacking risk when the same address does not exist among the one or more target IP addresses.
  • The obtaining module 101 is configured to read one or more target domain names that were delivered by the server corresponding to the UE and stored in the storage space of the UE, or to determine, from multiple candidate domain names, one or more domain names satisfying a preset condition as the one or more target domain names.
  • The device in the embodiment of the present disclosure further includes:
  • a third judging module, configured to determine whether the UE has accessed a new wireless access point AP before DNS resolution is performed on the one or more target domain names; and
  • a notification module, configured to notify the parsing module to perform DNS resolution on the one or more target domain names when the UE has accessed a new AP.
  • The fifth aspect of the present disclosure provides a second DNS full traffic hijacking risk detecting apparatus, as shown in FIG. 5, including:
  • the obtaining module 201, configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system, wherein the known IP addresses corresponding to the one or more target domain names are all different;
  • the parsing module 202, configured to perform DNS resolution on the one or more target domain names, obtaining a target Internet Protocol IP address corresponding to each target domain name and thereby one or more target IP addresses;
  • the first judging module 203, configured to determine whether the same address exists among the one or more target IP addresses;
  • the first determining module 204, configured to determine that the UE has a DNS full traffic hijacking risk when the same address exists among the one or more target IP addresses.
  • The apparatus in the embodiment of the present disclosure further includes:
  • a second judging module, configured to determine whether a local area network address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically wide area network domain names;
  • a second determining module, configured to determine that the UE has a full traffic hijacking risk when a local area network address exists among the one or more target IP addresses.
  • The apparatus in the embodiment of the present disclosure further includes:
  • a third determining module, configured to determine that the UE does not have a DNS full traffic hijacking risk when no local area network address exists among the one or more target IP addresses.
  • The obtaining module 201 is configured to read one or more target domain names that were delivered by the server corresponding to the UE and stored in the storage space of the UE, or to determine, from multiple candidate domain names, one or more domain names satisfying a preset condition as the one or more target domain names.
  • The apparatus in the embodiment of the present disclosure further includes:
  • a third judging module, configured to determine whether the UE has accessed a new wireless access point AP before DNS resolution is performed on the one or more target domain names; and
  • a notification module, configured to notify the parsing module to perform DNS resolution on the one or more target domain names when the UE has accessed a new AP.
  • The sixth aspect of the present disclosure provides a third DNS full traffic hijacking risk detecting apparatus, as shown in FIG. 6, including:
  • the obtaining module 301, configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system DNS, wherein the one or more target domain names are specifically WAN domain names and the known Internet Protocol IP addresses corresponding to the one or more target domain names are all different;
  • the parsing module 302, configured to perform DNS resolution on the one or more target domain names, obtaining a target IP address corresponding to each target domain name and thereby one or more target IP addresses;
  • the judging module 303, configured to determine whether a local area network address exists among the one or more target IP addresses, and whether the same address exists among the one or more target IP addresses;
  • the determining module 304, configured to determine that the user equipment UE has a DNS full traffic hijacking risk when a local area network address exists among the one or more target IP addresses, or when the same address exists among the one or more target IP addresses.
  • FIG. 7 illustrates a computing device that can implement the method of detecting a DNS full traffic hijacking risk according to the present disclosure.
  • The computing device conventionally includes a processor 710 and a storage device 720.
  • Storage device 720 can be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, a hard disk, or ROM.
  • Storage device 720 has a storage space 730 that stores program code 731 for performing any of the method steps described above.
  • For example, storage space 730 may include various pieces of program code 731 for implementing the respective steps of the above methods.
  • The program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as a hard disk, a compact disk (CD), a memory card, or a floppy disk.
  • Such a computer program product is typically a portable or fixed storage unit such as that shown in FIG.
  • The storage unit may have storage segments, storage spaces, and the like arranged similarly to storage device 720 in the computing device of FIG.
  • The program code can, for example, be compressed in an appropriate form.
  • Typically, the storage unit includes computer readable code 731' for performing the steps of the method according to the present disclosure, i.e., code that can be read by a processor such as 710 and that, when executed by the computing device, causes the computing device to perform the various steps of the method described above.
  • One or more target domain names for detecting a DNS full traffic hijacking risk are obtained, where the one or more target domain names in the embodiment of the present disclosure are specifically wide area network domain names; DNS resolution is then performed on the one or more target domain names to obtain a target IP address corresponding to each target domain name and thereby one or more target IP addresses; and it is then determined whether a local area network address exists among the one or more target IP addresses. Since the IP address corresponding to a target domain name is a wide area network address, when a local area network address exists among the one or more target IP addresses, it is determined that the UE has a DNS full traffic hijacking risk.
  • Even if the target IP address resolved from a target domain name is not in the blacklist database, a target IP address that is a local area network address indicates that the network currently accessed by the UE may be subject to full traffic hijacking, so the DNS full traffic hijacking risk of the UE can still be determined. Therefore, the above technical solution improves the detection accuracy of the DNS full traffic hijacking risk.
  • The technical solution of the embodiment of the present disclosure does not need to be compared against a huge blacklist database, so no blacklist database needs to be stored, which saves the device resources the blacklist database would occupy.
  • Executing the detection without the participation of the server can prevent criminals who have hijacked the DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is safe.
  • The modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from those of the embodiment.
  • The modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components.
  • Any combination of the features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and of all processes or units of any method or device so disclosed, may be made.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
  • The various component embodiments of the present disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof.
  • In practice, a microprocessor or digital signal processor may be used to implement some or all of the functions of some or all of the components of a gateway or proxy server according to embodiments of the present disclosure.
  • The present disclosure may also be implemented as a device or apparatus program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the present disclosure may be stored on a computer readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.


Abstract

Embodiments of the present disclosure provide a method and apparatus for detecting a DNS full traffic hijack risk. The method comprises: obtaining one or more target domain names for detecting a domain name system DNS full traffic hijack risk, the one or more target domain names being wide area network domain names; performing DNS resolution on the one or more target domain names and obtaining a target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses; determining whether a local area network address exists among the one or more target IP addresses; and, when a local area network address exists among the one or more target IP addresses, determining that the UE has a DNS full traffic hijack risk.

Description

Method and device for detecting DNS full traffic hijacking risk
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 201611195637.6, entitled "A Method and Apparatus for Detecting the Risk of DNS Full Traffic Hijacking", filed with the Chinese Patent Office on December 21, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates to the field of computer technology, and in particular to a method and apparatus for detecting a DNS full traffic hijacking risk.
Background
As networks have spread and been applied more deeply, all kinds of information in people's daily lives have become more tightly bound to the network. For this reason, detecting network security has become all the more important.
Take DNS (Domain Name System) full traffic hijacking detection as an example. Some related technologies detect it as follows: first, a blacklist library is stored on the electronic device or the server, recording multiple IP (Internet Protocol) addresses that carry a DNS full traffic hijacking risk. The target domain name is resolved to its corresponding IP address, and the resolved IP address is then compared against the blacklist library. If the resolved IP address is not in the IP address blacklist library, it is judged that no DNS full traffic hijacking risk currently exists.
However, criminals usually control multiple IP addresses and even keep hijacking new ones, so the blacklist library cannot record all risky IP addresses. Detecting the DNS full traffic hijacking risk by the above method therefore has the technical problem of low detection accuracy.
Summary of the invention
The embodiments of the present disclosure provide a method and apparatus for detecting a DNS full traffic hijacking risk, used to improve the detection accuracy of the DNS full traffic hijacking risk.
In a first aspect, the present disclosure provides a method for detecting a DNS full traffic hijacking risk, including:
obtaining one or more target domain names for detecting a domain name system DNS full traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names;
performing DNS resolution on the one or more target domain names to obtain a target Internet Protocol IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
determining whether a local area network address exists among the one or more target IP addresses;
when a local area network address exists among the one or more target IP addresses, determining that the user equipment UE has a DNS full traffic hijacking risk.
In a second aspect, the present disclosure provides a method for detecting a DNS full traffic hijacking risk, including:
obtaining one or more target domain names for detecting a domain name system DNS full traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names are all different;
performing DNS resolution on the one or more target domain names to obtain a target Internet Protocol IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
determining whether the same address exists among the one or more target IP addresses;
when the same address exists among the one or more target IP addresses, determining that the UE has a DNS full traffic hijacking risk.
In a third aspect, the present disclosure provides a method for detecting a DNS full traffic hijacking risk, including:
obtaining one or more target domain names for detecting a domain name system DNS full traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names and the known Internet Protocol IP addresses corresponding to the one or more target domain names are all different;
performing DNS resolution on the one or more target domain names to obtain a target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
determining whether a local area network address exists among the one or more target IP addresses, and whether the same address exists among the one or more target IP addresses;
when a local area network address exists among the one or more target IP addresses, or the same address exists among the one or more target IP addresses, determining that the user equipment UE has a DNS full traffic hijacking risk.
In a fourth aspect, the present disclosure provides a device for detecting a DNS full traffic hijacking risk, including:
an obtaining module, configured to obtain one or more target domain names for detecting a domain name system DNS full traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names;
a parsing module, configured to perform DNS resolution on the one or more target domain names to obtain a target Internet Protocol IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module, configured to determine whether a local area network address exists among the one or more target IP addresses;
a first determining module, configured to determine that the user equipment UE has a DNS full traffic hijacking risk when a local area network address exists among the one or more target IP addresses.
In a fifth aspect, the present disclosure provides a device for detecting a DNS full traffic hijacking risk, including:
an obtaining module, configured to obtain one or more target domain names for detecting a domain name system DNS full traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names are all different;
a parsing module, configured to perform DNS resolution on the one or more target domain names to obtain a target Internet Protocol IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module, configured to determine whether the same address exists among the one or more target IP addresses;
a first determining module, configured to determine that the UE has a DNS full traffic hijacking risk when the same address exists among the one or more target IP addresses.
In a sixth aspect, the present disclosure provides a device for detecting a DNS full traffic hijacking risk, including:
an obtaining module, configured to obtain one or more target domain names for detecting a domain name system DNS full traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names and the known Internet Protocol IP addresses corresponding to the one or more target domain names are all different;
a parsing module, configured to perform DNS resolution on the one or more target domain names to obtain a target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a judging module, configured to determine whether a local area network address exists among the one or more target IP addresses, and whether the same address exists among the one or more target IP addresses;
a determining module, configured to determine that the user equipment UE has a DNS full traffic hijacking risk when a local area network address exists among the one or more target IP addresses, or when the same address exists among the one or more target IP addresses.
In a seventh aspect, the present disclosure provides a computer program, including:
computer readable code which, when run on a computing device, causes the computing device to perform the above method for detecting a DNS full traffic hijacking risk.
In an eighth aspect, the present disclosure provides a computer readable medium, including:
a stored computer program for performing the above method for detecting a DNS full traffic hijacking risk.
The one or more technical solutions in the embodiments of the present disclosure have at least one or more of the following technical effects:
In the technical solution of the embodiments of the present disclosure, one or more target domain names for detecting a DNS full traffic hijacking risk are obtained, where the one or more target domain names in the embodiments are specifically WAN domain names; DNS resolution is then performed on the one or more target domain names to obtain a target IP address corresponding to each target domain name and thereby one or more target IP addresses; and it is then determined whether a local area network address exists among the one or more target IP addresses. Since the IP address corresponding to a target domain name is a WAN address, when a local area network address exists among the one or more target IP addresses, it is determined that the UE has a DNS full traffic hijacking risk. Therefore, even if the target IP address resolved from a target domain name is not in the blacklist library, a target IP address that is a local area network address indicates that the network currently accessed by the UE may be subject to full traffic hijacking, so it can be determined that the UE has a DNS full traffic hijacking risk. The above technical solution therefore improves the detection accuracy of the DNS full traffic hijacking risk.
Further, since the technical solution of the embodiments of the present disclosure does not need to be compared against a huge blacklist database, no blacklist database needs to be stored, which saves the device resources the blacklist database would occupy.
Still further, since the technical solution of the embodiments of the present disclosure can be executed by the UE without the participation of the server, it can prevent criminals who have hijacked the DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is safe.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present disclosure. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 is a flowchart of a first method for detecting a DNS full traffic hijacking risk in an embodiment of the present disclosure;
FIG. 2 is a flowchart of a second method for detecting a DNS full traffic hijacking risk in an embodiment of the present disclosure;
FIG. 3 is a flowchart of a third method for detecting a DNS full traffic hijacking risk in an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of a first DNS full traffic hijacking risk detecting device in an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a second DNS full traffic hijacking risk detecting device in an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of a third DNS full traffic hijacking risk detecting device in an embodiment of the present disclosure;
FIG. 7 schematically shows a block diagram of a computing device for performing the DNS full traffic hijacking detection method according to an embodiment of the present disclosure; and
FIG. 8 schematically shows a storage unit for holding or carrying program code that implements the DNS full traffic hijacking detection method according to an embodiment of the present disclosure.
PREFERRED EMBODIMENTS OF THE INVENTION
Embodiments of the present disclosure provide a method and an apparatus for detecting DNS full-traffic hijacking risk, which are used to improve the detection accuracy of DNS full-traffic hijacking risk.
To solve the above technical problem, the general idea of the technical solution provided by the present disclosure is as follows:
In the technical solution of the embodiments of the present disclosure, one or more target domain names for detecting DNS full-traffic hijacking risk are obtained, and DNS resolution is performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses. Then, if the one or more target domain names are WAN (wide area network) domain names, it is determined whether a LAN (local area network) address exists among the one or more target IP addresses, and if a LAN address exists, it is determined that the UE is at risk of DNS full-traffic hijacking. Alternatively, if the one or more target domain names are domain names whose known IP addresses differ from one another, it is determined whether identical addresses exist among the one or more target IP addresses, and if identical addresses exist, it is determined that the UE is at risk of DNS full-traffic hijacking. Alternatively, if the one or more target domain names are WAN domain names and their known IP addresses differ from one another, it is determined whether a LAN address exists among the one or more target IP addresses and whether identical addresses exist among them; if a LAN address or identical addresses exist among the one or more target IP addresses, it is determined that the UE is at risk of DNS full-traffic hijacking.
The technical solution of the present disclosure is described in detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments of the present disclosure and the specific features in the embodiments are a detailed description of the technical solution of the present disclosure and not a limitation of it; where there is no conflict, the embodiments of the present disclosure and the technical features in the embodiments may be combined with one another.
The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
A first aspect of the present disclosure provides a method for detecting DNS full-traffic hijacking risk. Refer to FIG. 1, which is a flowchart of the first method for detecting DNS full-traffic hijacking risk according to an embodiment of the present disclosure. The method includes:
S101: obtaining one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names;
S102: performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S103: determining whether a LAN address exists among the one or more target IP addresses;
S104: when a LAN address exists among the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.
The one or more target domain names in the embodiments of the present disclosure are one domain name, or a group of domain names, used as test names for detecting DNS full-traffic hijacking. In order to detect DNS full-traffic hijacking risk through this domain name or group of domain names, in this embodiment each target domain name is specifically a WAN domain name. In a specific implementation, the UE may obtain the one or more target domain names at the moment DNS full-traffic hijacking risk needs to be detected, or may obtain them in advance, at a time when no detection is needed; the present disclosure does not limit this.
The moment at which the DNS full-traffic hijacking detection of S102 to S104 is performed may be any moment after the UE is powered on; detection may also be started at a preset interval, for example once every hour, or every time the UE accesses a network. Alternatively, before S102, the method further includes:
determining whether the UE has accessed a new wireless access point (AP);
when the UE has accessed a new AP, performing the step of performing DNS resolution on the one or more target domain names.
Specifically, in this embodiment there are two kinds of new AP (wireless access point). Let T1 denote an arbitrary moment. In the first kind, the UE was connected to a first AP before T1 and at T1 switches to a second AP different from the first AP; the second AP is then the new AP. In the second kind, the UE was not connected to any AP before T1 and at T1 connects to a third AP; the third AP is then the new AP.
For the first case, when the UE switches AP or AC (access controller), the SSID (Service Set Identifier) of the AP or AC accessed after the switch and the SSID of the AP or AC accessed before the switch are obtained. Then it is determined whether the SSID of the AP or AC accessed after the switch is the same as the SSID of the AP or AC accessed before the switch. If the two SSIDs differ, the UE has accessed a new AP. At this point the UE cannot confirm whether the currently accessed network, i.e. the network where the new AP is located, carries a DNS full-traffic hijacking risk, so S102 is executed at this moment and DNS full-traffic hijacking risk detection is started. In other words, when the UE has switched to a new network, S102 to S104 are executed to detect the DNS full-traffic hijacking risk of the new network.
For the second case, when the UE goes from being connected to no AP to being connected to an AP, the UE cannot confirm whether the currently accessed network carries a DNS full-traffic hijacking risk, so S102 is executed at this moment and DNS full-traffic hijacking risk detection is started. In other words, when the UE initially accesses a network, S102 to S104 are executed to detect the DNS full-traffic hijacking risk of that network.
There are several ways to obtain the target domain names in S101; two of them are described below. Specifically, S101 of this embodiment may be implemented by the following process:
reading one or more target domain names that were delivered by a server corresponding to the UE and stored in the storage space of the UE; or
determining, from a plurality of candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
Specifically, the one or more target domain names obtained by the UE in this embodiment may be delivered by the server, may be configured and selected by the UE itself, or some target domain names may be received from the server while the UE configures the rest itself. In a specific implementation, a person of ordinary skill in the art to which the present disclosure belongs may choose according to actual conditions; the present disclosure does not limit this.
Specifically, if the target domain names are delivered by the server, then, since the target domain names in this embodiment are WAN domain names, the server selects one or more WAN domain names as target domain names and delivers them to the UE at any moment. After receiving the one or more target domain names delivered by the server, the UE stores them in its own storage space, and reads them out of the storage space whenever the target domain names need to be obtained.
For example, the server delivers data in the following JSON structure to the UE:
{
  "domains": ["baifubao.com", "mail.163.com", "jd.com", "suning.com", "alipay.com", "95516.com", "so.cn", "ccb.com", "icbc.com.cn", "www.cmbc.com.cn"]
}
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores these ten target domain names in the UE's storage space. When the target domain names need to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read out of the storage space.
If instead the target domain names are configured by the UE itself, the UE determines, from a plurality of candidate domain names, one or more domain names satisfying a preset condition as the target domain names. Specifically, the candidate domain names may be domain names the UE has visited in the past, domain names that can currently be accessed, and so on; the present disclosure does not limit this. In this embodiment, since the target domain names are WAN domain names, the preset condition is specifically that a domain name is a WAN domain name, so the UE selects one or more WAN domain names from the candidate domain names as target domain names.
In a specific implementation, a person of ordinary skill in the art may select either of the above two methods of obtaining target domain names according to actual conditions, or combine the two; the present disclosure does not limit this.
After the one or more target domain names are obtained in S101, in S102 the UE performs DNS resolution on each domain name and obtains the IP address corresponding to each target domain name. In this embodiment, the IP address that a target domain name resolves to through DNS is called the target IP address.
Next, in S103, it is determined whether a LAN address exists among all the target IP addresses. Specifically, whether a target IP address is a LAN address is determined by checking whether it falls in any one of the Class A, Class B or Class C private ranges, which are the private address blocks reserved by RFC 1918. The Class A range is 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), the Class B range is 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and the Class C range is 192.168.0.0 to 192.168.255.255 (192.168.0.0/16). If the target IP address lies in any one of the Class A, Class B or Class C ranges, the target IP address is a LAN address; conversely, if the target IP address lies in none of these ranges, it is not a LAN address.
Since the target domain names in this embodiment are WAN domain names, and under normal (safe) conditions the IP address corresponding to a WAN domain name is a WAN address, the presence of a LAN address among the one or more target IP addresses indicates that the AP or AC the UE is connected to may have been hijacked. Therefore, when a LAN address exists among the one or more target IP addresses, it is determined in S104 that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the above description, because the IP addresses corresponding to the target domain names are WAN addresses, the UE is determined to be at risk of DNS full-traffic hijacking when a LAN address exists among the one or more target IP addresses. Therefore, even if the target IP address a target domain name resolves to is not in a blacklist database, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution of this embodiment thus improves the detection accuracy of DNS full-traffic hijacking risk.
Further, since the technical solution of this embodiment does not need to be compared against a large blacklist database, no blacklist database needs to be stored on the electronic device or the server, which saves the device resources such a database would occupy.
In a specific implementation, S101 to S104 may all be performed by the UE; alternatively, the UE performs S101 to S102 and the server performs S103 to S104, i.e. the UE resolves the target IP addresses and reports them to the server, which makes the detection decision. When the UE performs S101 to S104 on its own, the server does not take part in detecting the DNS full-traffic hijacking risk, so the present disclosure further prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is safe.
Further, as an optional embodiment, in order to further detect the risk of DNS full-traffic hijacking, when no LAN address exists among the one or more target IP addresses, the method may further include:
determining whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names all differ from one another;
when identical addresses exist among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Specifically, in this embodiment the target domain names are not only WAN domain names; their known IP addresses also all differ from one another. In other words, the target domain names are WAN domain names that correspond to different IP addresses.
Therefore, if the target domain names are delivered by the server, the server verifies them by resolution, selects one or more WAN domain names whose corresponding IP addresses differ, and delivers them to the UE as target domain names for the UE to store; when obtaining the target domain names, the UE reads from its storage space one or more WAN domain names whose known IP addresses all differ.
For example, through resolution and verification, the server determines that the ten WAN domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn correspond to different IP addresses. The ten domain names and the IP address corresponding to each are shown in Table 1.
Table 1

Domain name          Corresponding IP address
baifubao.com         123.125.112.202
mail.163.com         220.181.12.208
jd.com               111.206.227.118
suning.com           175.25.168.40
alipay.com           110.76.19.33
95516.com            119.90.19.44
so.com               106.120.160.134
ccb.com              124.127.108.106
icbc.com.cn          60.247.99.1
www.cmbc.com.cn      175.25.171.17
Therefore, the server delivers data in the following JSON structure to the UE:
{
  "domains": ["baifubao.com", "mail.163.com", "jd.com", "suning.com", "alipay.com", "95516.com", "so.cn", "ccb.com", "icbc.com.cn", "www.cmbc.com.cn"]
}
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores these ten target domain names in the UE's storage space. When the target domain names need to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read out of the storage space.
If instead the target domain names are determined by the UE, the preset condition is specifically that the domain names are WAN domain names corresponding to different IP addresses. The UE performs DNS resolution on the plurality of candidate domain names, resolves the one or more IP addresses corresponding to each candidate domain name, and then selects as target domain names those candidate domain names that are WAN domain names and share no IP address with one another (the set of IP addresses they have in common is empty).
In a specific implementation, the IP address an attacker returns to the UE may also be a WAN address. Therefore, in this embodiment, when no LAN address exists among the one or more target IP addresses, it is further determined whether identical addresses exist among the one or more target IP addresses in order to detect the risk of DNS full-traffic hijacking.
When DNS full-traffic hijacking occurs, accessing any domain name returns the same IP address to the UE. In addition, to avoid being discovered, an attacker sometimes returns to the UE an IP address picked at random from a set of IP addresses, all of which are addresses of servers the attacker controls. So if identical addresses exist among the one or more target IP addresses, the AP or AC the UE is connected to may have been hijacked. Therefore, when no LAN address exists among the one or more target IP addresses but identical addresses do exist, it is determined that the UE is at risk of DNS full-traffic hijacking.
For example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. None of the five target IP addresses is a LAN address, but the first target IP address and the fifth target IP address are the same, so it is determined that identical addresses exist among the target IP addresses, and thus that the UE is at risk of DNS full-traffic hijacking.
Or, as another example, suppose the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. None of the five target IP addresses is a LAN address, but the first and the fifth target IP addresses are the same and the second and the fourth target IP addresses are the same, so it is determined that identical addresses exist among the target IP addresses, and thus that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the above description, when no LAN address exists among the target IP addresses resolved by the UE, it is further determined whether identical addresses exist among the target IP addresses, and if identical addresses exist, the UE is determined to be at risk of DNS full-traffic hijacking. Therefore, by determining whether a LAN address exists among the target IP addresses and, when none exists, further determining whether identical addresses exist among them, the detection accuracy of this embodiment is further improved.
Further, in combination with the above embodiments, the method in this embodiment further includes:
when no identical addresses exist among the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no identical addresses exist among the one or more target IP addresses, each target domain name is currently being resolved correctly to a different WAN IP address, so the likelihood of DNS full-traffic hijacking is low. Therefore, when no LAN address exists among the one or more target IP addresses and, further, no identical addresses exist, it is determined that the UE is not at risk of DNS full-traffic hijacking.
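To make the first method concrete, the following is an added example (written for this page, not code from the patent or its assignee) of the UE-side check: it parses the server-delivered JSON structure shown above, resolves each target domain name through an injectable resolver, applies the LAN-range test of S103 and then, only when no LAN address is found, the identical-address test, and finally reports "not at risk" when every answer is a distinct WAN address. The config string and the canned answer sets are constructed from the addresses the page lists; the function names and the layout of the result dictionary are this example's own choices.

```python
"""UE-side check for the first method (S101 to S104 plus the optional
identical-address test): parse the stored domain list, resolve each domain,
flag LAN answers first and duplicate answers second."""
import ipaddress
import json
import socket
from collections import Counter

# Constructed copy of the JSON structure the page shows the server delivering.
SERVER_CONFIG = (
    '{"domains":["baifubao.com","mail.163.com","jd.com","suning.com","alipay.com",'
    '"95516.com","so.cn","ccb.com","icbc.com.cn","www.cmbc.com.cn"]}'
)

# The "Class A / B / C" LAN ranges named in S103 (the RFC 1918 private blocks).
LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_target_domains(config_json):
    """S101: read the target domain list out of the stored server payload.
    Anything that is not a non-empty list of strings is rejected, so a
    tampered payload cannot silently yield an empty (trivially 'safe') test set."""
    payload = json.loads(config_json)
    domains = payload.get("domains")
    if (not isinstance(domains, list) or not domains
            or not all(isinstance(d, str) for d in domains)):
        raise ValueError("server payload must carry a non-empty 'domains' list")
    return domains


def resolve_all(domains, resolver=socket.gethostbyname):
    """S102: map each target domain to the address the current network's
    resolver hands back. `resolver` is injectable so the check can be run
    offline against a canned answer set (as the tests do)."""
    return {domain: resolver(domain) for domain in domains}


def is_lan_address(ip):
    """S103 helper: True when the address lies in one of the three LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)


def assess_hijack_risk(resolved):
    """S103/S104 plus the optional identical-address test.

    resolved: mapping target domain -> resolved IP address string.
    Returns {'risk': bool, 'reason': str, 'addresses': [offending addresses]}.
    LAN addresses are checked first; duplicates are only considered when no
    LAN address was found, which is the ordering the page describes."""
    lan = sorted({ip for ip in resolved.values() if is_lan_address(ip)},
                 key=ipaddress.ip_address)
    if lan:
        return {"risk": True, "reason": "lan_address", "addresses": lan}
    counts = Counter(resolved.values())
    duplicates = sorted((ip for ip, n in counts.items() if n > 1),
                        key=ipaddress.ip_address)
    if duplicates:
        return {"risk": True, "reason": "identical_address", "addresses": duplicates}
    return {"risk": False, "reason": "distinct_wan_addresses", "addresses": []}


def check_network(config_json, resolver=socket.gethostbyname):
    """Run S101 to S104 end to end on the UE, with no server round trip."""
    return assess_hijack_risk(resolve_all(parse_target_domains(config_json), resolver))


if __name__ == "__main__":
    # Constructed answer set reproducing the page's five-address example
    # (first and fifth answers identical, none in a LAN range).
    canned = {
        "baifubao.com": "123.125.112.202", "mail.163.com": "220.181.12.208",
        "jd.com": "111.206.227.118", "suning.com": "110.76.19.33",
        "alipay.com": "123.125.112.202",
    }
    print(assess_hijack_risk(canned))
```

The three ranges are exactly those named in S103. A deployment would normally also treat loopback (127.0.0.0/8) and link-local (169.254.0.0/16) answers as non-WAN; `ipaddress.IPv4Address.is_private` covers those as well. Running the whole check on the UE, as `check_network` does, is the variant in which the server takes no part in the decision.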
A second aspect of the present disclosure provides another method for detecting DNS full-traffic hijacking risk. Refer to FIG. 2, which is a flowchart of the second method for detecting DNS full-traffic hijacking risk according to an embodiment of the present disclosure. The method includes:
S201: obtaining one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names all differ from one another;
S202: performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S203: determining whether identical addresses exist among the one or more target IP addresses;
S204: when identical addresses exist among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
In a specific implementation, the moments at which the second detection method is started to check network security are the same as those at which the first detection method is started, and are not repeated here. Among the above steps, S201 is similar to S101 and S202 is similar to S102; since S101 and S102 have been described in detail above, this embodiment does not repeat the parts they have in common.
S201 differs from S101 in that the target domain names in this embodiment are specifically domain names whose known IP addresses differ. Therefore, if the target domain names are delivered by the server, the server verifies them by resolution, selects one or more domain names whose corresponding IP addresses differ, and delivers them to the UE as target domain names for the UE to store; when obtaining the target domain names, the UE reads from its storage space one or more target domain names whose known corresponding IP addresses differ.
For example, through resolution and verification, the server determines that the ten domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn correspond to different IP addresses, as shown in Table 1.
Therefore, the server delivers data in the following JSON structure to the UE:
{
  "domains": ["baifubao.com", "mail.163.com", "jd.com", "suning.com", "alipay.com", "95516.com", "so.cn", "ccb.com", "icbc.com.cn", "www.cmbc.com.cn"]
}
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores these ten target domain names in the UE's storage space. When the target domain names need to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read out of the storage space.
In addition, S201 also differs from S101 in that, because the target domain names in this embodiment are domain names whose known IP addresses differ, if the target domain names are determined by the UE, the preset condition is specifically that the IP addresses corresponding to the domain names differ. The UE performs DNS resolution on the plurality of candidate domain names, resolves the one or more IP addresses corresponding to each candidate domain name, and then selects as target domain names those candidate domain names that share no IP address with one another (the set of IP addresses they have in common is empty).
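As an added example (not the patent's own code) of the candidate-selection step just described, which the first aspect also uses when the UE picks its own target domain names, the function below keeps only candidates whose resolved addresses are all WAN addresses and whose address sets are pairwise disjoint. The candidate dictionary is constructed from Table 1 plus three hypothetical domains (cdn-a.example, cdn-b.example, intranet.example) added to exercise the rejection paths; `resolve_candidates` is this example's own helper and uses `socket.gethostbyname_ex` so that multi-address answers are captured in full.

```python
"""Selecting target domain names for the identical-address test: keep only
candidates that resolve exclusively to WAN addresses and share no address
with any other selected candidate, so that an identical answer later on is
evidence of hijacking rather than of shared hosting."""
import ipaddress
import socket

# The three LAN ranges named in S103 (the RFC 1918 private blocks).
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_wan_address(ip):
    """True when the address lies outside all three LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_RANGES)


def resolve_candidates(domains, resolver=None):
    """Resolve each candidate to the full set of addresses it returns.
    `resolver` takes a name and returns a list of address strings; the
    default uses gethostbyname_ex so round-robin answers are all captured."""
    if resolver is None:
        resolver = lambda d: socket.gethostbyname_ex(d)[2]
    return {d: set(resolver(d)) for d in domains}


def select_target_domains(candidates):
    """Greedy pass in candidate order: a domain is kept only if every address
    it returned is a WAN address and none of those addresses has already been
    claimed by an earlier selected domain (pairwise intersection empty)."""
    selected, used = [], set()
    for domain, ips in candidates.items():
        if not ips or not all(is_wan_address(ip) for ip in ips):
            continue  # unresolvable or not a WAN domain
        if ips & used:
            continue  # shares an address: would later look like a hijack
        selected.append(domain)
        used |= ips
    return selected


# Constructed candidate set: Table 1 of the page plus three hypothetical entries.
CANDIDATES = {
    "baifubao.com": {"123.125.112.202"},
    "mail.163.com": {"220.181.12.208"},
    "jd.com": {"111.206.227.118"},
    "suning.com": {"175.25.168.40"},
    "alipay.com": {"110.76.19.33"},
    "95516.com": {"119.90.19.44"},
    "so.com": {"106.120.160.134"},
    "ccb.com": {"124.127.108.106"},
    "icbc.com.cn": {"60.247.99.1"},
    "www.cmbc.com.cn": {"175.25.171.17"},
    # hypothetical: two sites behind the same CDN edge, sharing 203.0.113.11
    "cdn-a.example": {"203.0.113.10", "203.0.113.11"},
    "cdn-b.example": {"203.0.113.11", "203.0.113.12"},
    # hypothetical: an intranet host that resolves to a LAN address
    "intranet.example": {"10.20.30.40"},
}

if __name__ == "__main__":
    print(select_target_domains(CANDIDATES))
```

The greedy pass is order-dependent: when two candidates share an address, the earlier one wins, so list preferred domains first. Pre-selecting disjoint domains is what makes the later identical-address test sound; without it, two sites served from the same CDN address would produce a false positive.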
Next, in S203, it is determined whether the same address appears among the one or more target IP addresses. Specifically, when DNS full-traffic hijacking occurs, visiting any domain name returns the same IP address to the UE. Moreover, to avoid being discovered, attackers sometimes return to the UE an IP address chosen at random from a group of IP addresses, all of which are in fact addresses of servers under the attacker's control. So if the same address appears among the one or more target IP addresses, the AP or AC the UE is connected to may have been hijacked. Therefore, when the same address appears among the one or more target IP addresses, it is determined in S204 that the UE is at risk of DNS full-traffic hijacking.
For example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The first and fifth target IP addresses are the same, so it is determined that the same address appears among the target IP addresses, and hence that the UE is at risk of DNS full-traffic hijacking.
Or, as another example, suppose the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The first and fifth target IP addresses are the same, and so are the second and fourth, so it is determined that the same address appears among the target IP addresses, and hence that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the above, because the IP addresses corresponding to the target domain names are known to all differ, the UE is determined to be at risk of DNS full-traffic hijacking when the same address appears among the one or more target IP addresses. Thus, even if the target IP addresses resolved from the target domain names are not in a blacklist database, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution of this embodiment therefore improves the detection accuracy for DNS full-traffic hijacking risk.
Further, because the technical solution of this embodiment does not need to compare against a huge blacklist database, no blacklist database needs to be stored on the electronic device or the server, which saves the device resources such a database would occupy.
In a specific implementation, S201 to S204 may all be executed by the UE; alternatively, the UE executes S201 to S202 and the server executes S203 to S204, that is, the UE resolves the target IP addresses and reports them to the server for detection and judgement. When the UE executes S201 to S204 by itself, the server is not involved in detecting the DNS full-traffic hijacking risk, so the present disclosure further prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server, interfering with detection, or even sending the UE false information indicating that the network is safe.
Further, as an optional embodiment, to detect the risk of DNS full-traffic hijacking more thoroughly, when the same address does not appear among the one or more target IP addresses, the method may further include:
determining whether a local area network address exists among the one or more target IP addresses, where the one or more target domain names are specifically wide area network domain names;
when a local area network address exists among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Specifically, in this embodiment the target domain names are not only domain names whose known IP addresses all differ but also wide area network domain names. In other words, the target domain names are specifically WAN domain names corresponding to different IP addresses.
Therefore, if the target domain names are delivered by the server, the server verifies them by resolution, selects one or more WAN domain names whose corresponding IP addresses differ, and delivers them to the UE as target domain names for the UE to store. When obtaining the target domain names, the UE then reads from its storage space one or more target domain names that are WAN domain names and whose known IP addresses all differ.
If instead the target domain names are determined by the UE, the preset condition is specifically "WAN domain names whose corresponding IP addresses differ": DNS resolution is performed on multiple candidate domain names, the one or more IP addresses corresponding to each candidate are resolved, and the candidates that are WAN domain names and whose set of shared IP addresses is empty are selected as the target domain names.
In a specific implementation, an attacker may happen to return target IP addresses to the UE that are all different, but any LAN addresses among those target IP addresses can equally expose the hijacking. Therefore, in this embodiment, when the same address does not appear among the one or more target IP addresses, it is further determined whether a LAN address exists among them in order to detect the risk of DNS full-traffic hijacking.
The method for judging whether a target IP address is a LAN IP address has been described in detail above and is not repeated here.
Because the target domain names in this embodiment are WAN domain names, and under safe conditions a WAN domain name resolves to a WAN address, the presence of a LAN address among the one or more target IP addresses indicates that the AP or AC the UE is connected to may have been hijacked. Therefore, when the same address does not appear among the one or more target IP addresses but a LAN address does, it is determined that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the above, when the same address does not appear among the target IP addresses resolved by the UE, it is further determined whether a LAN address exists among them, and if so the UE is determined to be at risk of DNS full-traffic hijacking. Detecting the risk by checking whether the same address appears among the target IP addresses and, when it does not, further checking whether a LAN address appears, further improves the detection accuracy of this embodiment.
Further, in combination with the above embodiments, the method in this embodiment also includes:
when no LAN address exists among the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no LAN address exists among the one or more target IP addresses, every target domain name has been correctly resolved to a different WAN IP address, so DNS full-traffic hijacking is unlikely at that moment. Therefore, when the same address does not appear among the one or more target IP addresses and no LAN address appears either, it is determined that the UE is not at risk of DNS full-traffic hijacking.
A third aspect of the present disclosure provides another method for detecting the risk of DNS full-traffic hijacking. FIG. 3 is a flowchart of the third method for detecting DNS full-traffic hijacking risk in an embodiment of the present disclosure. The method includes:
S301: obtaining one or more target domain names for detecting the risk of full-traffic hijacking of the domain name system (DNS), where the one or more target domain names are specifically wide area network domain names and the known Internet Protocol (IP) addresses corresponding to them all differ;
S302: performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S303: determining whether a local area network address exists among the one or more target IP addresses, and whether the same address appears among the one or more target IP addresses;
S304: when a local area network address exists among the one or more target IP addresses, or the same address appears among the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.
In a specific implementation, the moment at which the third detection method is started to check network safety is the same as for the first and second detection methods and is not repeated here. Among the above steps, S301 is similar to S101 and S201, and S302 is similar to S102 and S202; since S101 and S102 have been described in detail above, the common parts are not repeated.
S301 differs from S101 in that the target domain names in this embodiment are specifically WAN domain names whose known IP addresses all differ. Therefore, if the target domain names are delivered by the server, the server verifies them by resolution, selects one or more WAN domain names whose corresponding IP addresses differ, and delivers them to the UE as target domain names for the UE to store; when obtaining the target domain names, the UE then reads from its storage space one or more target domain names that are WAN domain names and whose known IP addresses all differ.
If instead the target domain names are determined by the UE, the preset condition is specifically "WAN domain names whose corresponding IP addresses differ": DNS resolution is performed on multiple candidate domain names, the one or more IP addresses corresponding to each candidate are resolved, and the candidates that are WAN domain names and whose set of shared IP addresses is empty are selected as the target domain names.
Next, in S303, it is determined whether a LAN address exists among the one or more target IP addresses and whether the same address appears among them. If a LAN address exists among the one or more target IP addresses, or the same address appears, the AP or AC the UE is connected to may have been hijacked. Therefore, when a LAN address exists among the one or more target IP addresses, or the same address appears, it is determined in S304 that the UE is at risk of DNS full-traffic hijacking.
For example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. All five target IP addresses are WAN addresses, but the first and fifth are the same, so it is determined that the UE is at risk of DNS full-traffic hijacking.
Or, as another example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 175.25.168.40 and 192.168.1.1. All five target IP addresses differ, but the fifth is a LAN address, so it is determined that the UE is at risk of DNS full-traffic hijacking.
Or, as a further example, suppose the target IP addresses are 123.125.112.202, 123.125.112.202, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The fifth target IP address is a LAN address and the first and second are the same, so it is determined that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the above, because the target domain names are known to correspond to different known IP addresses, each of which is known to be a WAN address, the UE is determined to be at risk of DNS full-traffic hijacking when a LAN address exists among the one or more target IP addresses or the same target IP address appears more than once. Thus, even if the target IP addresses resolved from the target domain names are not in a blacklist database, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution of this embodiment therefore improves the detection accuracy for DNS full-traffic hijacking risk.
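The S301 selection rule (keep candidates that are WAN domain names with pairwise disjoint answer sets) and the S303/S304 checks, run over the page's three worked examples and one clean set, as an added Python example that is not code from the patent or its assignee. The RFC 1918 ranges standing in for the page's LAN-address test, the resolver map and the .example names are assumptions and constructed data.

```python
"""Offline model of S301 and S303/S304 of WO2018113732A1.

Added example written for this page, not code from the patent or its assignee.
The resolver map is constructed test data (addresses from the page's worked
examples plus RFC 5737 documentation addresses); the RFC 1918 ranges used as
the "LAN address" test are an assumption, since the page only says that test
was described earlier.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Mapping, Set

# Assumption: a "LAN address" means an IPv4 address in an RFC 1918 range.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_lan_address(addr: str) -> bool:
    """Return True if addr lies in one of the assumed LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def select_target_domains(resolved: Mapping[str, Set[str]]) -> List[str]:
    """S301 when the UE chooses targets itself, on a network assumed clean.

    A candidate is kept only if every address it resolved to is a WAN address
    (so it is a WAN domain name) and none of its addresses also belongs to
    another candidate (the set of shared addresses is empty).
    """
    owners: Dict[str, Set[str]] = defaultdict(set)
    for name, addrs in resolved.items():
        for addr in addrs:
            owners[addr].add(name)
    chosen: List[str] = []
    for name in sorted(resolved):
        addrs = resolved[name]
        if not addrs or any(is_lan_address(a) for a in addrs):
            continue  # no answer, or a LAN answer: not usable as a WAN domain
        if any(len(owners[a]) > 1 for a in addrs):
            continue  # shares an address with another candidate
        chosen.append(name)
    return chosen


@dataclass
class Verdict:
    """Outcome of S303/S304 for one set of target IP addresses."""
    lan_addresses: List[str] = field(default_factory=list)
    duplicate_addresses: List[str] = field(default_factory=list)

    @property
    def at_risk(self) -> bool:
        # S304: either finding alone is enough to flag the risk
        return bool(self.lan_addresses or self.duplicate_addresses)


def assess_target_ips(target_ips: Iterable[str]) -> Verdict:
    """S303: look for LAN addresses and for an address returned more than once.

    target_ips holds one resolved address per target domain name, in order,
    as in the page's worked examples.
    """
    verdict = Verdict()
    seen: Set[str] = set()
    for ip in target_ips:
        if ip in seen and ip not in verdict.duplicate_addresses:
            verdict.duplicate_addresses.append(ip)
        seen.add(ip)
        if is_lan_address(ip) and ip not in verdict.lan_addresses:
            verdict.lan_addresses.append(ip)
    return verdict


# Constructed resolver answers for a candidate list: three names the page's
# server pushed to the UE, paired here with addresses from the page's examples,
# plus made-up .example names that the selection step should reject.
CANDIDATE_ANSWERS: Dict[str, Set[str]] = {
    "baifubao.com": {"123.125.112.202"},
    "jd.com": {"111.206.227.118"},
    "mail.163.com": {"220.181.12.208", "198.51.100.7"},  # two A records, fine
    "cdn-a.example": {"203.0.113.10"},   # shares an address with cdn-b
    "cdn-b.example": {"203.0.113.10"},
    "router.example": {"192.168.0.1"},   # resolves to a LAN address
}

# The page's worked examples for S303/S304 and one clean set.
PAGE_EXAMPLES = {
    "repeated": ["123.125.112.202", "220.181.12.208", "111.206.227.118",
                 "110.76.19.33", "123.125.112.202"],
    "lan": ["123.125.112.202", "220.181.12.208", "111.206.227.118",
            "175.25.168.40", "192.168.1.1"],
    "both": ["123.125.112.202", "123.125.112.202", "111.206.227.118",
             "175.25.168.40", "192.168.1.1"],
    "clean": ["123.125.112.202", "220.181.12.208", "111.206.227.118",
              "110.76.19.33", "175.25.168.40"],
}

if __name__ == "__main__":
    print("targets:", select_target_domains(CANDIDATE_ANSWERS))
    for label, ips in PAGE_EXAMPLES.items():
        v = assess_target_ips(ips)
        print(f"{label:9s} risk={v.at_risk} lan={v.lan_addresses} dup={v.duplicate_addresses}")
```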
Further, because the technical solution of this embodiment does not need to compare against a huge blacklist database, no blacklist database needs to be stored on the electronic device or the server, which saves the device resources such a database would occupy.
In a specific implementation, S301 to S304 may all be executed by the UE; alternatively, the UE executes S301 to S302 and the server executes S303 to S304, that is, the UE resolves the target IP addresses and reports them to the server for detection and judgement. When the UE executes S301 to S304 by itself, the server is not involved in detecting the DNS full-traffic hijacking risk, so the present disclosure further prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server, interfering with detection, or even sending the UE false information indicating that the network is safe.
Further, in combination with the above embodiments, the method in this embodiment also includes:
when no LAN address exists among the one or more target IP addresses and the same address does not appear among them, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no LAN address exists among the one or more target IP addresses and the same address does not appear among them, every target domain name has been correctly resolved to a different WAN IP address, so DNS full-traffic hijacking is unlikely at that moment. Therefore, when no LAN address exists among the one or more target IP addresses and the same address does not appear, it is determined that the UE is not at risk of DNS full-traffic hijacking.
Based on the same inventive concept as the detection method of the first aspect, a fourth aspect of the present disclosure provides a first apparatus for detecting the risk of DNS full-traffic hijacking, which, as shown in FIG. 4, includes:
an obtaining module 101, configured to obtain one or more target domain names for detecting the risk of full-traffic hijacking of the domain name system (DNS), where the one or more target domain names are specifically wide area network domain names;
a resolution module 102, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module 103, configured to determine whether a local area network address exists among the one or more target IP addresses;
a first determining module 104, configured to determine that the user equipment (UE) is at risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
Further, for the case where no LAN address exists among the one or more target IP addresses, the apparatus in this embodiment also includes:
a second judging module, configured to determine whether the same address appears among the one or more target IP addresses, where the known IP addresses corresponding to the one or more target domain names all differ;
a second determining module, configured to determine that the UE is at risk of DNS full-traffic hijacking when the same address appears among the one or more target IP addresses.
Still further, the apparatus in this embodiment also includes:
a third determining module, configured to determine that the UE is not at risk of DNS full-traffic hijacking when the same address does not appear among the one or more target IP addresses.
Specifically, the obtaining module 101 is configured to read one or more target domain names that were delivered by the server corresponding to the UE and stored in the UE's storage space, or to determine, from among multiple candidate domain names, the one or more domain names satisfying a preset condition as the one or more target domain names.
Further, the apparatus in this embodiment also includes:
a third judging module, configured to determine, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
The variations and specific examples of the first detection method described for the embodiment of FIG. 1 apply equally to the DNS full-traffic hijacking risk detection apparatus of this embodiment. From the detailed description of the detection method above, a person skilled in the art can clearly understand how the detection apparatus of this embodiment is implemented, so for brevity it is not described in detail here.
Based on the same inventive concept as the detection method of the second aspect, a fifth aspect of the present disclosure provides a second apparatus for detecting the risk of DNS full-traffic hijacking, which, as shown in FIG. 5, includes:
an obtaining module 201, configured to obtain one or more target domain names for detecting the risk of full-traffic hijacking of the domain name system (DNS), where the known IP addresses corresponding to the one or more target domain names all differ;
a resolution module 202, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module 203, configured to determine whether the same address appears among the one or more target IP addresses;
a first determining module 204, configured to determine that the UE is at risk of DNS full-traffic hijacking when the same address appears among the one or more target IP addresses.
Further, for the case where the same address does not appear among the one or more target IP addresses, the apparatus in this embodiment also includes:
a second judging module, configured to determine whether a local area network address exists among the one or more target IP addresses, where the one or more target domain names are specifically wide area network domain names;
a second determining module, configured to determine that the UE is at risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
Still further, the apparatus in this embodiment also includes:
a third determining module, configured to determine that the UE is not at risk of DNS full-traffic hijacking when no local area network address exists among the one or more target IP addresses.
Specifically, the obtaining module 201 is configured to read one or more target domain names that were delivered by the server corresponding to the UE and stored in the UE's storage space, or to determine, from among multiple candidate domain names, the one or more domain names satisfying a preset condition as the one or more target domain names.
Still further, the apparatus in this embodiment also includes:
a third judging module, configured to determine, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
The variations and specific examples of the second detection method described for the embodiment of FIG. 2 apply equally to the DNS full-traffic hijacking risk detection apparatus of this embodiment. From the detailed description of the detection method above, a person skilled in the art can clearly understand how the detection apparatus of this embodiment is implemented, so for brevity it is not described in detail here.
Based on the same inventive concept as the detection method of the third aspect, a sixth aspect of the present disclosure provides a third apparatus for detecting the risk of DNS full-traffic hijacking, which, as shown in FIG. 6, includes:
an obtaining module 301, configured to obtain one or more target domain names for detecting the risk of full-traffic hijacking of the domain name system (DNS), where the one or more target domain names are specifically wide area network domain names and the known Internet Protocol (IP) addresses corresponding to them all differ;
a resolution module 302, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a judging module 303, configured to determine whether a local area network address exists among the one or more target IP addresses, and whether the same address appears among the one or more target IP addresses;
a determining module 304, configured to determine that the user equipment (UE) is at risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses, or the same address appears among the one or more target IP addresses.
The variations and specific examples of the third detection method described for the embodiment of FIG. 3 apply equally to the DNS full-traffic hijacking risk detection apparatus of this embodiment. From the detailed description of the detection method above, a person skilled in the art can clearly understand how the detection apparatus of this embodiment is implemented, so for brevity it is not described in detail here.
A seventh aspect of the present disclosure provides a computer program. FIG. 7 shows a computing device that can implement the method for detecting DNS full-traffic hijacking risk according to the present disclosure. The computing device conventionally includes a processor 710 and a computer program product or computer-readable medium in the form of a storage device 720. The storage device 720 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. The storage device 720 has a storage space 730 holding program code 731 for executing any of the method steps described above. For example, the storage space 730 holding the program code may include individual program codes 731 each implementing one of the steps of the methods above. These program codes may be read from or written to one or more computer program products, which include program code carriers such as a hard disk, a compact disc (CD), a memory card or a floppy disk. Such a computer program product is typically a portable or fixed storage unit such as the one shown in FIG. 8. The storage unit may have storage segments, storage spaces and the like arranged similarly to the storage device 720 in the computing device of FIG. 7. The program code may, for example, be compressed in a suitable form. Generally, the storage unit includes computer-readable code 731' for executing the method steps according to the present disclosure, that is, code that can be read by a processor such as 710 and that, when run by the computing device, causes the computing device to execute the steps of the methods described above.
The one or more technical solutions in the embodiments of the present disclosure have at least one or more of the following technical effects:
In the technical solution of the embodiments of the present disclosure, one or more target domain names for detecting the risk of DNS full-traffic hijacking are obtained, where the one or more target domain names are specifically wide area network domain names; DNS resolution is then performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses, and it is determined whether a local area network address exists among them. Because the IP addresses corresponding to the target domain names are WAN addresses, the UE is determined to be at risk of DNS full-traffic hijacking when a LAN address exists among the one or more target IP addresses. Thus, even if the target IP addresses resolved from the target domain names are not in a blacklist database, a LAN target IP address indicates that the network the UE is currently connected to may be subject to full-traffic hijacking, and the UE can be determined to be at risk of DNS full-traffic hijacking. The above technical solution therefore improves the detection accuracy for DNS full-traffic hijacking risk.
Further, because the technical solution of the embodiments does not need to compare against a huge blacklist database, no blacklist database needs to be stored, which saves the device resources such a database would occupy.
Still further, because the technical solution in the embodiments of the present disclosure can be executed by the UE without the server's participation, it prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server, interfering with detection, or even sending the UE false information indicating that the network is safe.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present disclosure is not directed to any particular programming language. It should be understood that the content of the present disclosure described herein may be implemented using various programming languages, and that the above description of specific languages is given to disclose the best mode of carrying out the present disclosure.
In the specification provided herein, numerous specific details are set forth. However, it will be understood that the embodiments of the present disclosure may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the present disclosure and aid understanding of one or more of the various disclosed aspects, in the above description of exemplary embodiments of the present disclosure the various features of the present disclosure are sometimes grouped together into a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed disclosure requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the disclosed aspects lie in less than all features of a single previously disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present disclosure.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments herein include certain features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to fall within the scope of the present disclosure and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the gateway, proxy server or system according to embodiments of the present disclosure. The present disclosure may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present disclosure may be stored on a computer readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present disclosure, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present disclosure may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.

Claims (16)

  1. A method for detecting a DNS full-traffic hijack risk, characterized in that it comprises:
    obtaining one or more target domain names for detecting a Domain Name System (DNS) full-traffic hijack risk, wherein the one or more target domain names are specifically wide area network domain names;
    performing DNS resolution on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each of the target domain names, thereby obtaining one or more target IP addresses;
    determining whether a local area network address exists among the one or more target IP addresses;
    when a local area network address exists among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijack risk.
  2. The method of claim 1, characterized in that, when no local area network address exists among the one or more target IP addresses, the method further comprises:
    determining whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names all differ from one another;
    when identical addresses exist among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijack risk.
  3. The method of claim 2, characterized in that the method further comprises:
    when no identical addresses exist among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijack risk.
  4. The method of any one of claims 1 to 3, characterized in that obtaining one or more target domain names for detecting a DNS full-traffic hijack risk comprises:
    reading the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE; or
    determining, from among a plurality of candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
  5. The method of any one of claims 1 to 3, characterized in that, before performing DNS resolution on the one or more target domain names, the method further comprises:
    determining whether the UE has connected to a new wireless access point (AP);
    when the UE has connected to a new AP, performing the step of DNS resolution on the one or more target domain names.
  6. A method for detecting a DNS full-traffic hijack risk, characterized in that it comprises:
    obtaining one or more target domain names for detecting a Domain Name System (DNS) full-traffic hijack risk, wherein the one or more target domain names are specifically wide area network domain names and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names all differ from one another;
    performing DNS resolution on the one or more target domain names to obtain a target IP address corresponding to each of the target domain names, thereby obtaining one or more target IP addresses;
    determining whether a local area network address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
    when a local area network address exists among the one or more target IP addresses, or identical addresses exist among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijack risk.
  7. An apparatus for detecting a DNS full-traffic hijack risk, characterized in that it comprises:
    an obtaining module configured to obtain one or more target domain names for detecting a Domain Name System (DNS) full-traffic hijack risk, wherein the one or more target domain names are specifically wide area network domain names;
    a resolution module configured to perform DNS resolution on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each of the target domain names, thereby obtaining one or more target IP addresses;
    a first judging module configured to determine whether a local area network address exists among the one or more target IP addresses;
    a first determining module configured to determine, when a local area network address exists among the one or more target IP addresses, that the user equipment (UE) has a DNS full-traffic hijack risk.
  8. The apparatus of claim 7, characterized in that, when no local area network address exists among the one or more target IP addresses, the apparatus further comprises:
    a second judging module configured to determine whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names all differ from one another;
    a second determining module configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE has a DNS full-traffic hijack risk.
  9. The apparatus of claim 8, characterized in that the apparatus further comprises:
    a third determining module configured to determine, when no identical addresses exist among the one or more target IP addresses, that the UE has no DNS full-traffic hijack risk.
  10. The apparatus of any one of claims 7 to 9, characterized in that the obtaining module is configured to read the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE, or to determine, from among a plurality of candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
  11. The apparatus of any one of claims 7 to 9, characterized in that the apparatus further comprises:
    a third judging module configured to determine, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
    and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
  12. An apparatus for detecting a DNS full-traffic hijack risk, characterized in that it comprises:
    an obtaining module configured to obtain one or more target domain names for detecting a Domain Name System (DNS) full-traffic hijack risk, wherein the one or more target domain names are specifically wide area network domain names and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names all differ from one another;
    a resolution module configured to perform DNS resolution on the one or more target domain names to obtain a target IP address corresponding to each of the target domain names, thereby obtaining one or more target IP addresses;
    a judging module configured to determine whether a local area network address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
    a determining module configured to determine, when a local area network address exists among the one or more target IP addresses or identical addresses exist among the one or more target IP addresses, that the user equipment (UE) has a DNS full-traffic hijack risk.
  13. A computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the method for detecting a DNS full-traffic hijack risk according to any one of claims 1 to 5.
  14. A computer readable medium storing the computer program of claim 13.
  15. A computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the method for detecting a DNS full-traffic hijack risk according to claim 6.
  16. A computer readable medium storing the computer program of claim 15.
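The two-stage check described in the technical-effects paragraphs above and in claims 1 to 6, as an added Python example that is not part of the patent or the assignee's code. The list of LAN ranges, the target domain names and the sample resolution tables are assumptions constructed for the example; only the live `system_resolver` touches the network.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

# Ranges treated as "local area network addresses". The patent does not
# enumerate them; RFC 1918, link-local, loopback and IPv6 ULA are assumed here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

Resolver = Callable[[str], List[str]]  # domain name -> list of answers


def is_lan_address(addr: str) -> bool:
    """True if addr parses as an IP address inside one of LAN_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


@dataclass
class Verdict:
    at_risk: bool
    reason: str  # "lan_address", "shared_address" or "none"
    evidence: Dict[str, List[str]] = field(default_factory=dict)


def check_hijack_risk(target_domains: Iterable[str], resolve: Resolver) -> Verdict:
    """Claims 1-3/6: the target names are WAN domains whose real addresses all
    differ, so a LAN answer (step 1) or one address shared by several names
    (step 2) both point at an access point that answers for every name itself."""
    answers: Dict[str, List[str]] = {}
    for name in target_domains:
        normalised = []
        for a in resolve(name):
            try:  # canonical form so "::1" and "0:0:0:0:0:0:0:1" compare equal
                normalised.append(str(ipaddress.ip_address(a)))
            except ValueError:
                continue  # not an address; ignore rather than treat as hijack
        answers[name] = normalised  # empty list (lookup failure) is not a signal
    # Step 1 (claim 1): any answer inside a LAN range.
    lan_hits = {n: [a for a in addrs if is_lan_address(a)] for n, addrs in answers.items()}
    lan_hits = {n: hits for n, hits in lan_hits.items() if hits}
    if lan_hits:
        return Verdict(True, "lan_address", lan_hits)
    # Step 2 (claim 2): distinct WAN domains steered to the same public address.
    by_addr: Dict[str, List[str]] = {}
    for n, addrs in answers.items():
        for a in addrs:
            by_addr.setdefault(a, []).append(n)
    shared = {a: names for a, names in by_addr.items() if len(names) > 1}
    if shared:
        return Verdict(True, "shared_address", shared)
    return Verdict(False, "none", answers)  # claim 3


def system_resolver(name: str) -> List[str]:
    """Live resolver: asks the stub resolver the current access point handed out."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed sample data (RFC 5737 documentation and RFC 1918 addresses).
TARGET_DOMAINS = ["a.example", "b.example", "c.example"]  # assumed target list
HEALTHY = {"a.example": ["192.0.2.10"], "b.example": ["198.51.100.20"],
           "c.example": ["203.0.113.30"]}
LAN_HIJACK = {n: ["192.168.1.1"] for n in TARGET_DOMAINS}    # portal/gateway answers
PROXY_HIJACK = {n: ["203.0.113.99"] for n in TARGET_DOMAINS}  # one public proxy


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    return lambda name: table.get(name, [])


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("lan", LAN_HIJACK), ("proxy", PROXY_HIJACK)):
        v = check_hijack_risk(TARGET_DOMAINS, table_resolver(table))
        print(f"{label}: at_risk={v.at_risk} reason={v.reason} evidence={v.evidence}")
```

Because step 2 keys on shared answers, the target list must be chosen as the claims require (domains whose genuine addresses differ); names hosted on one CDN would otherwise trip it.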
PCT/CN2017/117696 2016-12-21 2017-12-21 Method and apparatus for detecting dns full traffic hijack risk WO2018113732A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611195637.6 2016-12-21
CN201611195637.6A CN106790077B (en) 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk

Publications (1)

Publication Number Publication Date
WO2018113732A1 true WO2018113732A1 (en) 2018-06-28

Family

ID=58899341

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/117696 WO2018113732A1 (en) 2016-12-21 2017-12-21 Method and apparatus for detecting dns full traffic hijack risk

Country Status (2)

Country Link
CN (1) CN106790077B (en)
WO (1) WO2018113732A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113630409A (en) * 2021-08-05 2021-11-09 哈尔滨工业大学(威海) Abnormal traffic identification method based on fusion analysis of DNS analysis traffic and IP traffic

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790077B (en) * 2016-12-21 2020-05-26 北京奇虎科技有限公司 Method and device for detecting DNS full-flow hijacking risk
CN107566420B (en) * 2017-10-27 2020-04-14 深信服科技股份有限公司 Method and equipment for positioning host infected by malicious code
CN108848076B (en) * 2018-05-31 2020-09-25 上海连尚网络科技有限公司 Method and equipment for detecting DNS hijacking through user equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110078517A1 (en) * 2009-09-29 2011-03-31 Hon Hai Precision Industry Co., Ltd. Network connection device and method for detecting network errors
CN104065762A (en) * 2014-05-30 2014-09-24 小米科技有限责任公司 Method and device for detecting hijacking of DNS (Domain Name Server)
CN104468860A (en) * 2014-12-04 2015-03-25 北京奇虎科技有限公司 Method and device for recognizing risk of domain name resolution server
CN105681358A (en) * 2016-03-31 2016-06-15 北京奇虎科技有限公司 Domain name hijacking detection method, device and system
CN106790077A (en) * 2016-12-21 2017-05-31 北京奇虎科技有限公司 A kind of DNS full flows kidnap the detection method and device of risk
CN106790071A (en) * 2016-12-21 2017-05-31 北京奇虎科技有限公司 A kind of DNS full flows kidnap the detection method and device of risk

Also Published As

Publication number Publication date
CN106790077B (en) 2020-05-26
CN106790077A (en) 2017-05-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17882427

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17882427

Country of ref document: EP

Kind code of ref document: A1