CN101800746A - Method, device and system for detecting domain name of control host machine in botnets - Google Patents

Info

Publication number: CN101800746A
Authority: CN (China)
Prior art keywords: domain name, address, response message, botnet, dns response
Legal status: Granted
Application number: CN201010109069A
Other languages: Chinese (zh)
Other versions: CN101800746B (en)
Inventor: 蒋武
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201010109069XA
Publication of CN101800746A
Application granted
Publication of CN101800746B
Current legal status: Active
Classification: Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract

The embodiments of the invention disclose a method, a device and a system for detecting the domain name of the control host in a botnet, aiming to solve the problem that the identifier obtained for the control host is not unique because the IP address of the control host changes frequently. The method for detecting the domain name of the control host in a botnet comprises the steps of: detecting a botnet from network messages and obtaining the IP address of the control host in the botnet; obtaining and parsing the DNS response message that a domain name server returns to a domain name service (DNS) request message querying by IP address or by domain name, and obtaining from that DNS response message the domain name corresponding to the IP address. Because the domain name information of the control host is not changed, the domain name stays the same even though the IP address of the control host may change; that is, the domain name and the control host are in a one-to-one relationship. A unique identifier of the control host can therefore be obtained, which lays a good basis for subsequent processing.

Description

Method, device and system for detecting the domain name of the control host in a botnet
Technical field
The present invention relates to the field of network communication security, and more particularly to a method, device and system for detecting the domain name of the control host in a botnet.
Background technology
A botnet (Botnet) is a network in which one or more communication means are used to infect a large number of hosts with Bot (zombie tool) programs, so that a one-to-many controllable network is formed between the controller (the control host) and the infected hosts (the zombie hosts).
The control host usually controls the zombie hosts by means of a dynamic IP address, so the IP address of the control host changes regularly. To make the control host easier for the zombie hosts to find, the Bot program usually carries the domain name information of the control host. In general, each time a zombie host goes online it places the domain name of the control host in a domain name service (DNS) request message and sends that message to a domain name server to query the IP address corresponding to the domain name (that is, it sends an IP-address-query DNS request message to the domain name server). The domain name server places the IP address corresponding to the domain name in a DNS response message and returns it (so the DNS response message records both the IP address and the domain name information). The zombie host can then communicate with the control host according to the IP address in the DNS response message and send various IP packets. In addition, a domain-name-query DNS request message can be sent to a domain name server to look up, in reverse, the domain name corresponding to an IP address.
For botnets in existing networks, network messages can currently be inspected with DPI (Deep Packet Inspection) technology. However, in the course of implementing the invention the inventor found that DPI technology can often only discover the IP address and port information of the control host. Because the IP address of the control host may change each time it goes online, different IP addresses may correspond to the same control host; that is, IP addresses and the control host may be in a many-to-one relationship, so the identifier obtained for the control host is not unique.
Summary of the invention
In view of this, the embodiments of the invention aim to provide a method, device and system for detecting the domain name of the control host in a botnet, so as to solve the problem that the identifier obtained for the control host is not unique because the IP address of the control host changes frequently.
To achieve the above object, the invention provides the following technical solutions:
A method for detecting the domain name of the control host in a botnet comprises:
detecting a botnet from network messages, and obtaining the Internet Protocol (IP) address of the control host in the botnet;
obtaining and parsing a DNS response message of a domain name server, and obtaining from the DNS response message the domain name corresponding to the IP address, the DNS response message being the domain name server's response to an IP-address-query request or a domain-name-query request.
A network device comprises:
a detecting unit, used to detect a botnet from network messages and obtain the IP address of the control host in the botnet;
a first acquisition unit, used to obtain and parse a DNS response message of a domain name server and obtain from the DNS response message the domain name corresponding to the IP address, the DNS response message being the domain name server's response to an IP-address-query request or a domain-name-query request.
A system for detecting the domain name of the control host in a botnet comprises a network device and a domain name server, where:
the network device is used to detect a botnet from network messages and obtain the Internet Protocol (IP) address of the control host in the botnet, and to obtain and parse the DNS response message returned in response to an IP-address-query or domain-name-query DNS request message and obtain from it the domain name corresponding to the IP address;
the domain name server is used to receive the IP-address-query or domain-name-query DNS request message and return the DNS response message.
A system for detecting the domain name of the control host in a botnet comprises a deep packet inspection (DPI) device and a gateway device, the DPI device comprising a detecting unit and the gateway device comprising a first acquisition unit, where:
the detecting unit is used to detect a botnet from network messages, obtain the IP address of the control host in the botnet and send it to the first acquisition unit;
the first acquisition unit is used to obtain and parse the DNS response message that the domain name server returns in response to an IP-address-query or domain-name-query DNS request message, and obtain from it the domain name corresponding to the IP address obtained by the detecting unit.
It can be seen that the method for detecting the domain name of the control host in a botnet provided by the above technical solutions can, after detecting the IP address of the control host, obtain the domain name corresponding to that IP address from the DNS response message returned by the domain name server. Because the domain name information of the control host is constant, its domain name does not change even though its IP address may change each time it goes online; that is, the domain name and the control host are in a one-to-one relationship. A unique identifier of the control host can therefore be obtained, which lays a good basis for subsequent processing.
Description of drawings
To illustrate more clearly the technical solutions in the embodiments of the invention or in the prior art, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the basic structure of a botnet provided by an embodiment of the invention;
Fig. 2 is a flow chart of a zombie host accessing the control host, provided by an embodiment of the invention;
Fig. 3 is a flow chart of the method for detecting the domain name of the control host in a botnet provided by an embodiment of the invention;
Fig. 4 is a structural diagram of the network device provided by an embodiment of the invention;
Fig. 5 is another structural diagram of the network device provided by an embodiment of the invention;
Fig. 6 is a flow chart of domain name detection sub-method one provided by an embodiment of the invention;
Fig. 7 is yet another structural diagram of the network device provided by an embodiment of the invention;
Fig. 8 is a flow chart of the method for detecting the domain name of the control host using a monitoring table, provided by an embodiment of the invention;
Fig. 9 is another flow chart of the method for detecting the domain name of the control host using a monitoring table, provided by an embodiment of the invention;
Fig. 10 is a flow chart of the method for monitoring a botnet provided by an embodiment of the invention;
Fig. 11 is a structural diagram of the system for monitoring a botnet provided by an embodiment of the invention;
Fig. 12 is a structural diagram of the network monitoring device provided by an embodiment of the invention;
Fig. 13 is a flow chart of domain name detection sub-method two provided by an embodiment of the invention;
Fig. 14 is yet another structural diagram of the network device provided by an embodiment of the invention;
Fig. 15 is yet another flow chart of the method for detecting the domain name of the control host in a botnet using a monitoring table, provided by an embodiment of the invention;
Fig. 16 is yet another flow chart of the method for detecting the domain name of the control host in a botnet using a monitoring table, provided by an embodiment of the invention;
Fig. 17 is another flow chart of the method for monitoring a botnet provided by an embodiment of the invention;
Fig. 18 is another structural diagram of the system for monitoring a botnet provided by an embodiment of the invention;
Fig. 19 is another structural diagram of the network monitoring device provided by an embodiment of the invention;
Fig. 20 is a structural diagram of the system for detecting the domain name of the control host in a botnet provided by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
For ease of reference and understanding, the technical terms, abbreviations and acronyms used hereinafter are summarised and explained as follows:
DDOS, Distributed Denial of Service: a distributed denial-of-service attack;
Bot, robot: a zombie tool. A Bot is a program that can automatically execute predefined functions, can be remotely controlled by predefined commands, and has a certain degree of artificial intelligence;
Zombie: a zombie host, a computer that contains a Bot or other remote control program and can be remotely controlled by an attacker;
Botnet: a network in which one or more communication means are used to infect a large number of hosts with Bot programs, so that a one-to-many controllable network is formed between the controller and the infected hosts (the zombie hosts);
IP, Internet Protocol: the network protocol;
DPI, Deep Packet Inspection: the "depth" is relative to the level of ordinary message analysis. "Ordinary message inspection" only analyses the contents of an IP packet below layer 4 (source address, destination address, source port, destination port and protocol type), whereas DPI adds application-layer analysis on top of that and recognises the various applications and their contents. At present DPI can be divided into two modes, single-packet matching and multi-packet matching: for most IP packets, detection can be done from the features of a single network message in the packet, and the conventional method is to traverse a rule tree, matching the message against each rule one by one. For some IP packets, however, inspecting a single message is not enough for accurate detection, and several messages of one flow must be analysed;
DN, Domain Name: the name of a certain computer or group of computers on the internet, used to identify its electronic location (sometimes also its geographical location) during data transfer;
DNS, Domain Name Service: the domain name service;
DNS, Domain Name System: a certain computer or group of computers can be identified either by a domain name or by an IP address. Users prefer to use domain names, which are easy to remember, whereas routers use only fixed-length, hierarchically structured IP addresses. To reconcile these two different needs, a directory service that converts between domain names and IP addresses is required; this is the main task of the DNS;
DNS, Domain Name Server: a domain name server is a host on which the DNS is installed.
A botnet constitutes an attack platform; its basic network topology is shown in Fig. 1. Using this platform, an attacker can effectively launch various attacks, which can cause the breakdown of an entire basic information network or of important application systems, cause large amounts of secrets or personal privacy to be leaked, and be used for other illegal activities such as network fraud. DDOS, sending spam, stealing secrets and abusing resources are the attacks already found to be launched using botnets, and these behaviours have caused serious harm both to the network as a whole and to users themselves. As new attack types appear in the future, botnets may also be used to launch new, unknown attacks. Exploring effective botnet detection and monitoring methods is therefore very important.
It was mentioned earlier that the Bot program usually contains the domain name information of the control host. Referring to Fig. 2, the inventor found that, in general, each time a zombie host goes online it sends an IP-address-query DNS request message to the domain name server; the domain name server places the IP address corresponding to the domain name in a DNS response message and returns it; the zombie host can then communicate with the control host according to the IP address in the DNS response message and send various IP packets.
The inventor also found that the domain name information of the control host is not changed easily. This is because once the domain name information of the control host is changed, the zombies can no longer find the control host by means of the old domain name information held in their own Bot. Even if the control host could distribute the new domain name information to the zombie hosts before changing the domain name, there is no guarantee that all zombies are online when the control host sends this information, so there is a risk of losing zombies. These facts determine that the domain name of the control host is not changed easily. The embodiments of the invention are designed according to exactly these characteristics.
Fig. 3 shows a method for detecting the domain name of the control host in a botnet provided by an embodiment of the invention. The method comprises at least the following steps:
S31: detect a botnet from network messages, and obtain the IP address of the control host in the botnet;
S32: obtain and parse the DNS response message that a domain name server returns to a DNS request message querying by IP address or by domain name, and obtain from it the domain name corresponding to the IP address.
For ease of understanding, DNS request messages and DNS response messages are briefly introduced here. Both DNS request messages and DNS response messages are network messages (for convenience they are referred to collectively below as DNS messages). A DNS message consists of a 12-byte header and four variable-length fields (the question, answer, authority and additional information fields); its general format is shown in the following table:
Table 1 (general format of a DNS message; in the original this table is an image, Figure GSA00000013880300071)
The question field consists mainly of the question name, the question type and the query class:
The question name is usually the name to be looked up, as a sequence of one or more identifiers. Each identifier begins with a count byte giving the length of the identifier that follows, and each name ends with a final byte of 0; an identifier of length 0 is the root identifier. Each identifier is at most 63 bytes long, and the whole query name has no fixed length and needs no padding. For example, if the domain name to be looked up is www.heike.com, it is represented as [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]; if the domain name is 44.33.88.123.in-addr.arpa, it is represented as [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0];
The question type is usually a standard query, that is, a query for the IP address corresponding to a domain name (a DNS request message of this type is an IP-address-query DNS request message); it can of course also be a reverse query, that is, a query for the domain name corresponding to an IP address (a DNS request message of this type is a domain-name-query DNS request message);
The query class is usually 1, meaning an internet address.
The answer field of a DNS message usually records the answer to the above question field: when the question name of the question field is a domain name (querying an IP address by domain name), the answer field records the IP address corresponding to that domain name; when the question name of the question field is an IP address (querying a domain name in reverse by IP address), the answer field records the domain name corresponding to that IP address.
It will be understood that the answer field of a DNS request message is generally empty, while the question field and the answer field of a DNS response message are generally both non-empty; it can therefore be said that a DNS response message reflects the correspondence between an IP address and a domain name.
Step S32 makes use of exactly this property of DNS response messages, obtaining the domain name corresponding to the IP address of the control host from the DNS response message returned by the domain name server.
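The label encoding described above and the extraction of step S32, as an added example that is not the patent's own code: encode_name() produces the [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] form, parse_response() reads the answer field of a response (forward A records and reverse in-addr.arpa PTR records) into (IP address, domain name) pairs, and control_host_domains() keeps only those for a given control-host IP. The function names and the sample message built by build_response() are constructed for this illustration.

```python
import struct

# Added example, not the patent's own code: encode a query name as DNS labels and
# parse a DNS response message into (IP address, domain name) pairs, as step S32
# does. Helper names and the constructed sample message are assumptions.

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at offset off, following RFC 1035 compression pointers.
    Returns (name, offset just after the name as it appears at off)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                 # bounded so a malformed pointer loop cannot spin
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:        # 11xxxxxx: pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (end if jumped else off)


def build_response(qname, qtype, rdata, ttl=300):
    """Constructed one-question, one-answer response; the answer name is a
    pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # flags: QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Return the (ip, domain) pairs a DNS response reflects. An A record gives
    (address, owner name); a PTR record under in-addr.arpa gives (reversed octets, target)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        return []                        # QR bit clear: a request, whose answer field is empty
    off = 12
    for _ in range(qdcount):             # skip the question field
        _, off = decode_name(msg, off)
        off += 4                         # question type and class
    pairs = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            pairs.append((".".join(str(b) for b in rdata), name))
        elif rtype == TYPE_PTR and name.endswith(".in-addr.arpa"):
            octets = name[:-len(".in-addr.arpa")].split(".")
            target, _ = decode_name(msg, off)
            pairs.append((".".join(reversed(octets)), target))
        off += rdlen
    return pairs


def control_host_domains(responses, cc_ip):
    """Steps S32/S63: from captured responses, collect the domain names that the
    name server maps to the control-host IP found by the detecting unit."""
    found = set()
    for msg in responses:
        for ip, domain in parse_response(msg):
            if ip == cc_ip:
                found.add(domain)
    return found
```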
Because the domain name information of the control host is constant, its domain name does not change even though its IP address may change each time it goes online; that is, the domain name and the control host are in a one-to-one relationship. A unique identifier of the control host can therefore be obtained, which lays a good basis for subsequent processing. For example, the domain name of the control host of the botnet can be blocked, which more directly and quickly prevents other computers from joining the botnet.
In another embodiment of the invention, the above detection method may further comprise the steps of:
obtaining, from network messages, information about the network devices connected to the control host having the domain name;
determining the topology of the botnet according to that information.
Once the topology of the botnet has been determined, the botnet can be monitored, or even counter-controlled, according to that topology.
Corresponding to the above method for detecting the domain name of the control host in a botnet, an embodiment of the invention also provides a network device. Fig. 4 shows one structure of this network device 401, comprising:
Detecting unit 402, used to detect a botnet from network messages and obtain the IP address of the control host in the botnet;
First acquisition unit 403, used to obtain and parse the DNS response message that the domain name server returns to an IP-address-query or domain-name-query DNS request message, and obtain from it the domain name corresponding to the IP address.
In another embodiment of the invention, the above network device may also comprise a second acquisition unit and a determining unit, where the second acquisition unit is used to obtain, from network messages, information about the network devices connected to the control host having the domain name, and the determining unit is used to determine the topology of the botnet according to that information.
In another embodiment of the invention, referring to Fig. 5, the above network device 401 may also comprise an aging unit 501 and a memory unit 502, where:
Aging unit 501 is used to age out the current detection after the domain name has been obtained, or when no domain name has been obtained after a predetermined period beyond the start time of the current detection.
Memory unit 502 is used to store any one or any combination of the domain name, the IP address and the start time.
In addition, aging unit 501 and/or memory unit 502 may also be independent of detecting unit 402 and first acquisition unit 403; this is not described further here.
Any one or any combination of the domain name, IP address and start time may be recorded in a preset monitoring table, a Word document, a board, etc., and stored in memory unit 502.
Since DNS request messages are divided into two types, IP-address queries and domain-name queries, the above domain name detection method can be divided into two sub-methods, which are introduced separately below:
Domain name detection sub-method one:
Referring to Fig. 6, domain name detection sub-method one comprises at least the following steps:
S61: detect a botnet from network messages, and obtain the IP address of the control host in the botnet;
S62: search the network messages for the DNS response message that the domain name server returns to the IP-address-query DNS request message of a zombie host in the botnet;
S63: parse the DNS response message and obtain from it the domain name corresponding to the IP address.
In another embodiment of the invention, referring to Fig. 6, the above detection method may further comprise the steps of:
S64: obtain, from network messages, information about the network devices connected to the control host having the domain name;
S65: determine the topology of the botnet according to that information.
In general, the DNS records queried by each host age naturally, so as long as a host does not go offline it sends a DNS request message to the DNS at intervals and the DNS returns a DNS response message. In other words, the IP packets generally always include DNS response messages. Sometimes, however, for various reasons, the DNS response message that the domain name server returns to the IP-address-query DNS request message of a zombie in the botnet cannot be found for a long time, and the domain name of the control host therefore cannot be obtained. In this case, to occupy fewer detection resources, the current detection is aged out if no domain name has been obtained after a predetermined period beyond the start time of the current detection. The current detection can of course also be aged out after the domain name has been obtained.
Corresponding to domain name detection sub-method one above, and referring to Fig. 7, an embodiment of the invention also provides a network device 701. This device comprises a detecting unit 702 and a first acquisition unit 703, and first acquisition unit 703 in turn comprises a lookup sub-unit 704 and a parsing sub-unit 705, where:
Detecting unit 702 is used to detect a botnet from network messages and obtain the IP address of the control host in the botnet;
Lookup sub-unit 704 is used to search the network messages for the DNS response message that the domain name server returns to the IP-address-query DNS request message of a zombie in the botnet;
Parsing sub-unit 705 is used to parse the DNS response message and obtain from it the domain name corresponding to the IP address.
In other embodiments of the invention, network device 701 may also comprise a second acquisition unit and a determining unit, where the second acquisition unit is used to obtain, from network messages, information about the network devices connected to the control host having the domain name, and the determining unit is used to determine the topology of the botnet according to that information.
The above network device may also comprise an aging unit and a memory unit, where the aging unit is used to age out the current detection after the domain name has been obtained or the topology of the botnet has been determined, or when neither the domain name has been obtained nor the topology of the botnet determined after a predetermined period beyond the start time of the current detection; and the memory unit is used to store any one or any combination of the domain name, the IP address and the start time.
In a specific implementation, the functions of network device 701 can be realised by a DPI device, a gateway device or another network device, which can be deployed inline on the network or in bypass mode. Network messages can be obtained by prior-art means such as packet capture.
It was stated earlier that any one or any combination of the domain name, IP address and start time may be recorded in a preset monitoring table. In embodiments of the invention, there are several ways of using a preset monitoring table to detect the domain name of the control host in a certain botnet; they are described in detail below:
Mode one:
Referring to Fig. 8, the detection process comprises the following steps:
S81: record the start time of the current detection in the preset monitoring table;
Suppose the format of the preset monitoring table is as shown in Table 2 or Table 3 ("-" marks an empty cell):
Table 2
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     D3          T3
Table 3
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     -           T3
Here the CCIp column records the detected IP address of the control host, the CCDomain column records the domain name string corresponding to that IP address, and the InsertTime column records the time at which a given detection (or the current detection) was inserted, that is, the start time of that detection.
After step S81 is completed, the monitoring table is updated to Table 4 or Table 5:
Table 4
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     D3          T3
-       -           T4
Table 5
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     -           T3
-       -           T4
S82: obtain network messages;
S83: detect a botnet from the network messages, and obtain the IP address of the control host in the botnet;
S84: search whether the network messages contain a DNS response message returned by the domain name server to the IP-address-query DNS request message of a zombie in the botnet; if so, go to S86, otherwise go to S85;
S85: judge whether the current time has exceeded the start time of the current detection by a predetermined period (e.g. 24 hours); if so, go to step S810, otherwise return to step S82;
S86: parse the above DNS response message;
S87: compare the IP address in the DNS response message with the IP addresses already recorded in the monitoring table, and judge whether an IP address in the monitoring table repeats the IP address in the DNS response message; if so, go to step S88, otherwise go to step S89;
S88: complete the correspondence between the above IP address and the domain name;
Suppose the correspondence between IP address and domain name in the DNS response message is IP3-D4. In this case IP3 in the DNS response message repeats IP3 in the preset monitoring table. If the time difference between T4 and T3 is not greater than a predetermined value, e.g. 24 hours, T3 is kept and D4 is inserted into the CCDomain column of the row for IP3 in the preset monitoring table; the preset monitoring table is updated to Table 6 or Table 7:
Table 6
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     D3,D4       T3
Table 7
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     D4          T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and D4 is inserted into the monitoring table; the monitoring table is updated to Table 8 or Table 9:
Table 8
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     D3,D4       T4
Table 9
CCIp    CCDomain    InsertTime
IP1     D1          T1
IP2     D2          T2
IP3     D4          T4
S89, insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP4-D4. IP4 in the DNS response message does not repeat any IP address recorded in the monitoring table, so IP4 and D4 are inserted into the monitoring table, which is updated to Table 10 or Table 11:
Table 10
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
IP4  | D4       | T4
Table 11
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  |          | T3
IP4  | D4       | T4
S810, age out the current detection;
S811, report the monitoring table.
Mode two:
Referring to Figure 9, this mode comprises the following steps:
S91, record the start time of the current detection;
Suppose the preset monitoring table is as shown in the following table:
Table 12
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
After step S91 is completed, the preset monitoring table is updated to:
Table 13
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
     |          | T4
S92, obtain network packets;
S93, detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
S94, search the network packets for a DNS response message that the DNS server returned to a DNS request message in which a zombie host in the botnet queried the IP address; if one is found, go to S96, otherwise go to S95;
S95, judge whether a predetermined period (e.g. 24 hours) has elapsed since the recorded start time of the current detection; if so, go to step S910, otherwise return to step S92;
S96, parse the DNS response message;
S97, compare the domain name in the DNS response message with the domain names already recorded in the monitoring table and judge whether a recorded domain name repeats the domain name in the DNS response message; if so, go to step S98, otherwise go to step S99;
S98, complete the correspondence between the IP address and the domain name;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP4-D3. D3 in the DNS response message repeats D3 in the monitoring table, and the time difference between T4 and T3 is not more than the predetermined value (e.g. 24 hours), so T3 is kept and IP4 is inserted into the CCIp column; the monitoring table is updated to:
Table 14
CCIp    | CCDomain | InsertTime
IP1     | D1       | T1
IP2     | D2       | T2
IP3,IP4 | D3       | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and IP4 is inserted into the CCIp column; the monitoring table is updated to:
Table 15
CCIp    | CCDomain | InsertTime
IP1     | D1       | T1
IP2     | D2       | T2
IP3,IP4 | D3       | T4
S99, insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP4-D4. The domain name D4 in the DNS response message does not repeat any domain name recorded in the monitoring table, so IP4 and D4 are inserted into the monitoring table, which is updated to:
Table 16
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
IP4  | D4       | T4
S910, age out the current detection;
S911, report the monitoring table.
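The two table-update rules described above (mode one matching the response's IP address against the CCIp column, steps S87 to S89, and mode two matching its domain name against the CCDomain column, steps S97 to S99) as an added worked example; it is not part of the patent text and not Huawei's code. The column layout (CCIp, CCDomain, InsertTime), the 24-hour predetermined value and the sample rows IP1 to IP4 and D1 to D4 follow the tables above; the function names, the representation of T values as epoch seconds and the in-memory list of rows are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Predetermined value from the description ("e.g. 24 hours"), in seconds.
PREDETERMINED_SECONDS = 24 * 3600


@dataclass
class Row:
    """One row of the monitoring table: CCIp | CCDomain | InsertTime.

    A cell may hold several values (Table 6: "D3,D4"; Table 14: "IP3,IP4"),
    so both columns are lists. insert_time is in epoch seconds (assumption).
    """
    ips: List[str] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)
    insert_time: Optional[int] = None


def _refresh_time(row: Row, start_time: int, predetermined: int) -> None:
    """Keep T3 when T4 - T3 <= predetermined value, otherwise replace T3 by T4."""
    if row.insert_time is None or start_time - row.insert_time > predetermined:
        row.insert_time = start_time


def update_by_ip(table: List[Row], ip: str, domain: str, start_time: int,
                 predetermined: int = PREDETERMINED_SECONDS) -> Row:
    """Mode one (S87-S89): match the response's IP against the CCIp column.

    start_time is T4, the recorded start time of the current detection.
    Returns the row that was completed or inserted.
    """
    for row in table:
        if ip in row.ips:                        # S87: IP repeats -> S88
            if domain not in row.domains:
                row.domains.append(domain)       # complete IP3 -> D3,D4
            _refresh_time(row, start_time, predetermined)
            return row
    row = Row([ip], [domain], start_time)        # S89: new IP -> new row
    table.append(row)
    return row


def update_by_domain(table: List[Row], ip: str, domain: str, start_time: int,
                     predetermined: int = PREDETERMINED_SECONDS) -> Row:
    """Mode two (S97-S99): match the response's domain against the CCDomain column."""
    for row in table:
        if domain in row.domains:                # S97: domain repeats -> S98
            if ip not in row.ips:
                row.ips.append(ip)               # complete D3 -> IP3,IP4
            _refresh_time(row, start_time, predetermined)
            return row
    row = Row([ip], [domain], start_time)        # S99: new domain -> new row
    table.append(row)
    return row


def render(table: List[Row]) -> List[str]:
    """S811/S911: report the table as 'CCIp | CCDomain | InsertTime' lines."""
    lines = ["CCIp | CCDomain | InsertTime"]
    for row in table:
        lines.append(f"{','.join(row.ips)} | {','.join(row.domains)} | {row.insert_time}")
    return lines


def sample_table() -> List[Row]:
    """Constructed starting state in the shape of Table 12: IP1-D1-T1 .. IP3-D3-T3."""
    return [Row(["IP1"], ["D1"], 1000), Row(["IP2"], ["D2"], 2000), Row(["IP3"], ["D3"], 3000)]


if __name__ == "__main__":
    t = sample_table()
    update_by_ip(t, "IP3", "D4", 3000 + 3600)        # within 24 h: T3 kept, D4 appended
    update_by_ip(t, "IP4", "D5", 3000 + 3600)        # unknown IP: new row
    update_by_domain(t, "IP5", "D1", 1000 + 2 * 86400)  # D1 known, older than 24 h: T1 replaced
    print("\n".join(render(t)))
```

Mode one merges a control host's successive domain names under one IP, mode two merges its successive IP addresses under one domain; which column is treated as the key decides whether a fast-fluxing control host ends up as one row or several, which is the point the description makes about using the domain as the monitoring basis.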
Corresponding to detection submethod one above, and referring to Figure 10, an embodiment of the invention also discloses a method of monitoring a botnet, which comprises the following steps:
S101, detect a botnet from the network packets and obtain the Internet Protocol (IP) address of the control host in the botnet;
S102, search the network packets for the DNS response message that the DNS server returned to a DNS request message in which a zombie host in the botnet queried the IP address;
S103, parse the DNS response message and obtain from it the domain name corresponding to the IP address;
S104, obtain from the network packets information about the network devices connected to the control host having that domain name;
S105, determine the topology of the botnet from that information;
S106, monitor the botnet according to the topology and the domain name.
Because the domain name information of the control host is constant, its domain name does not change even though its IP address may well change each time it comes online; that is, the domain name and the control host are in a one-to-one relationship, so a unique identifier of the control host can be obtained, which lays a good foundation for subsequent processing. In addition, because the embodiment uses the domain name as the basis for monitoring, the case in which different IP addresses correspond to the same control host cannot be misjudged as the existence of several botnets, which makes botnet monitoring simpler.
To consume fewer monitoring resources, the current monitoring may be stopped when a predetermined period has elapsed since its start time. This covers two cases: when the predetermined time (e.g. 24 hours) is exceeded and neither the domain name has been obtained nor the topology of the botnet determined, the current monitoring may be stopped; and even when the domain name has been obtained or the topology of the botnet determined, each monitoring run has a lifetime of its own for the sake of cost saving, and once that lifetime is exceeded the current monitoring is also stopped.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a preset monitoring table, a Word document, a board, or the like.
Corresponding to the monitoring method above, an embodiment of the invention also provides a system for monitoring a botnet; referring to Figure 11, it comprises a foreground system 111 and a background system 112. The foreground system 111 comprises:
Detecting unit 113, configured to detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
Searching subunit 114, configured to search the network packets for the DNS response message that the DNS server returned to a DNS request message in which a zombie host in the botnet queried the IP address;
Parsing subunit 115, configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address.
The background system 112 comprises:
Second obtaining unit 116, configured to obtain from the network packets information about the network devices connected to the control host having that domain name;
Determining unit 117, configured to determine the topology of the botnet from that information;
Monitoring unit 118, configured to monitor the botnet according to the topology and the domain name.
Corresponding to the monitoring method above, and referring to Figure 12, an embodiment of the invention also provides a network monitoring device 121, which comprises:
Detecting unit 122, configured to detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
Searching subunit 123, configured to search the network packets for the DNS response message that the DNS server returned to a DNS request message in which a zombie host in the botnet queried the IP address;
Parsing subunit 124, configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address;
Second obtaining unit 125, configured to obtain from the network packets information about the network devices connected to the control host having that domain name;
Determining unit 126, configured to determine the topology of the botnet from that information;
Monitoring unit 127, configured to monitor the botnet according to the topology and the domain name.
In other embodiments, the network monitoring device 121 may further comprise a stopping unit and a storage unit, wherein the stopping unit is configured to stop the current monitoring when a predetermined period has elapsed since the start time of the current monitoring, and the storage unit is configured to store any one or any combination of the domain name, the IP address and the start time of the current monitoring.
In a specific implementation, the network monitoring device 121 may be a DPI (deep packet inspection) device, a gateway device, or another network device capable of performing the functions above.
Domain name detection submethod two:
Referring to Figure 13, domain name detection submethod two comprises at least the following steps:
S131, detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
S132, send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
S133, receive the DNS response message returned by the DNS server;
S134, parse the DNS response message and obtain from it the domain name corresponding to the IP address.
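The parsing step that both submethods share, as an added example; it is not part of the patent text and not Huawei's code. Submethod one (S84/S86 above) inspects a DNS response captured from the network and needs the names whose A record carries the control host's IP address; submethod two (S132 to S134) sends its own reverse query and needs the PTR answer for the address. The example parses the RFC 1035 wire format, including name compression, and serves both directions; the function names, the TEST-NET address 198.51.100.7, the name cc.example.test and the `build_response` helper that constructs sample messages are assumptions of the example.

```python
import struct
from typing import Dict, List, Tuple

TYPE_A, TYPE_PTR = 1, 12     # RR types used by the two submethods


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a domain name at msg[off:], following RFC 1035 compression pointers.

    Returns (name, offset just after the name as it appears in the message).
    """
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # 11xxxxxx: pointer to earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                             # root label terminates the name
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> List[Dict]:
    """Return the answer records of a DNS response message as dicts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_A and rdlen == 4:
            rec["data"] = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_PTR:
            rec["data"], _ = _read_name(msg, off)   # PTR RDATA is itself a name
        else:
            rec["data"] = msg[off:off + rdlen]
        off += rdlen
        answers.append(rec)
    return answers


def domains_for_ip(msg: bytes, cc_ip: str) -> List[str]:
    """Submethod one (S84/S86): names whose A record in a captured response is the control host IP."""
    return sorted({r["name"] for r in parse_response(msg)
                   if r["type"] == TYPE_A and r["data"] == cc_ip})


def ptr_qname(ip: str) -> str:
    """Submethod two (S132): the reverse-lookup QNAME for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def domains_from_ptr(msg: bytes, cc_ip: str) -> List[str]:
    """Submethod two (S134): PTR answers for the reverse name of the control host IP."""
    want = ptr_qname(cc_ip)
    return [r["data"] for r in parse_response(msg)
            if r["type"] == TYPE_PTR and r["name"] == want]


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname: str, qtype: int, answers, txid: int = 0x1234) -> bytes:
    """Constructed sample response (test input only): one question at offset 12,
    answers whose owner name is the pointer 0xC00C back to that question."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        rd = (bytes(int(x) for x in rdata.split(".")) if rtype == TYPE_A
              else _encode_name(rdata))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg


if __name__ == "__main__":
    # Constructed sample: a documentation-range address, not a real control host.
    captured = build_response("cc.example.test", TYPE_A, [(TYPE_A, "198.51.100.7")])
    print(domains_for_ip(captured, "198.51.100.7"))           # ['cc.example.test']
    reply = build_response(ptr_qname("198.51.100.7"), TYPE_PTR, [(TYPE_PTR, "cc.example.test")])
    print(domains_from_ptr(reply, "198.51.100.7"))            # ['cc.example.test']
```

Two practical caveats for a sensor built this way: in a captured response the A record's owner name may be a CNAME target rather than the name the zombie asked for, so a production parser should also keep the question name and any CNAME chain; and a PTR record is whatever the address owner publishes, so the reverse name is evidence to record alongside the forward name, not a replacement for it.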
Because the domain name information of the control host is constant, its domain name does not change even though its IP address may well change each time it comes online; that is, the domain name and the control host are in a one-to-one relationship, so a unique identifier of the control host can be obtained, which lays a good foundation for subsequent processing. In addition, because after detecting the IP address of the control host this embodiment directly queries the DNS server for the domain name corresponding to that IP address instead of waiting for a DNS response message that the DNS server returns to a zombie host, the method of this embodiment has the further advantage of saving time when no DNS response message returned to a zombie host in the botnet can be found for a long time.
In another embodiment of the invention, domain name detection submethod two may further comprise the following steps:
obtain from the network packets information about the network devices connected to the control host having the domain name;
determine the topology of the botnet from that information.
To consume fewer detection resources, the method may also age out the current detection once the domain name has been obtained. Of course, the current detection may also be aged out when the domain name has still not been obtained after a predetermined period has elapsed since the start time of the current detection.
Any one or any combination of the domain name, the IP address and the start time may be recorded in a preset monitoring table, a Word document, a board, or the like.
Corresponding to domain name detection submethod two above, and referring to Figure 14, an embodiment of the invention also provides a network device 141, which comprises a detecting unit 142 and a first obtaining unit 143; the first obtaining unit 143 in turn comprises a sending subunit 144, a receiving subunit 145 and a parsing subunit 146, wherein:
Detecting unit 142 is configured to detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
Sending subunit 144 is configured to send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
Receiving subunit 145 is configured to receive the DNS response message returned by the DNS server;
Parsing subunit 146 is configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address. In a specific implementation, the network device 141 or the first obtaining unit 143 may rely on a built-in domain name reverse lookup system to look up, at the DNS server, the domain name corresponding to the IP address (a reverse lookup).
In other embodiments of the invention, the network device 141 may further comprise a second obtaining unit and a determining unit, wherein the second obtaining unit is configured to obtain from the network packets information about the network devices connected to the control host having the domain name, and the determining unit is configured to determine the topology of the botnet from that information.
In different embodiments of the invention, there are several ways of using a preset monitoring table to detect the domain name of the control host in a botnet; the embodiments are described in detail below with reference to these different modes:
Mode one:
Referring to Figure 15, this mode comprises the following steps:
S151, record the start time of the current detection;
Suppose the preset monitoring table is Table 17 or Table 18:
Table 17
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
Table 18
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  |          | T3
After step S151 is completed, the preset monitoring table is updated to Table 19 or Table 20:
Table 19
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
     |          | T4
Table 20
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  |          | T3
     |          | T4
S152, detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
S153, send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
S154, judge whether a DNS response message returned by the DNS server has been received; if so, go to S156, if not, go to S155;
S155, judge whether the number of times the DNS request message has been sent exceeds a predetermined number (e.g. 3); if so, go to step S1510, if not, return to step S153;
S156, parse the DNS response message returned by the DNS server and obtain from it the domain name corresponding to the IP address;
S157, compare the IP address in the DNS response message with the IP addresses already recorded in the monitoring table and judge whether a recorded IP address repeats the IP address in the DNS response message; if so, go to step S158, if not, go to step S159;
S158, complete the correspondence between the IP address and the domain name;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP3-D4. IP3 in the DNS response message repeats IP3 in the monitoring table, and the time difference between T4 and T3 is not more than the predetermined value (e.g. 24 hours), so T3 is kept and D4 is inserted into the CCDomain column of the row for IP3; the monitoring table is updated to Table 21 or Table 22:
Table 21
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3,D4    | T3
Table 22
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D4       | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and D4 is inserted into the CCDomain column of the row for IP3; the monitoring table is updated to Table 23 or Table 24:
Table 23
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3,D4    | T4
Table 24
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D4       | T4
S159, insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP4-D4. IP4 in the DNS response message does not repeat any IP address recorded in the monitoring table, so IP4 and D4 are inserted into the monitoring table, which is updated to Table 25 or Table 26:
Table 25
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
IP4  | D4       | T4
Table 26
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  |          | T3
IP4  | D4       | T4
S1510, age out the current detection;
S1511, report the monitoring table.
Mode two:
Referring to Figure 16, this mode comprises the following steps:
S161, record the start time of the current detection;
Suppose the preset monitoring table is Table 27:
Table 27
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
After step S161 is completed, the preset monitoring table is updated to Table 28:
Table 28
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
     |          | T4
S162, detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
S163, send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
S164, judge whether a DNS response message returned by the DNS server has been received; if so, go to S166, if not, go to S165;
S165, judge whether the number of times the DNS request message has been sent exceeds a predetermined number (e.g. 3); if so, go to step S1610, if not, return to step S163;
S166, parse the DNS response message returned by the DNS server and obtain from it the domain name corresponding to the IP address;
S167, compare the domain name in the DNS response message with the domain names already recorded in the monitoring table and judge whether they repeat; if so, go to step S168, if not, go to step S169;
S168, complete the correspondence between the IP address and the domain name;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP4-D3. D3 in the DNS response message repeats D3 in the monitoring table, and the time difference between T4 and T3 is not more than the predetermined value (e.g. 24 hours), so T3 is kept and IP4 is inserted into the CCIp column; the monitoring table is updated to:
Table 29
CCIp    | CCDomain | InsertTime
IP1     | D1       | T1
IP2     | D2       | T2
IP3,IP4 | D3       | T3
When the time difference between T4 and T3 is greater than the predetermined value, T3 is replaced by T4 and IP4 is inserted into the CCIp column; the monitoring table is updated to:
Table 30
CCIp    | CCDomain | InsertTime
IP1     | D1       | T1
IP2     | D2       | T2
IP3,IP4 | D3       | T4
S169, insert the IP address and the domain name from the DNS response message into the monitoring table;
Suppose the IP address-to-domain name correspondence in the DNS response message is IP4-D4. The domain name D4 in the DNS response message does not repeat any domain name recorded in the monitoring table, so IP4 and D4 are inserted into the monitoring table, which is updated to:
Table 31
CCIp | CCDomain | InsertTime
IP1  | D1       | T1
IP2  | D2       | T2
IP3  | D3       | T3
IP4  | D4       | T4
S1610, age out the current detection;
S1611, report the monitoring table.
Corresponding to detection submethod two above, and referring to Figure 17, an embodiment of the invention also discloses a method of monitoring a botnet, which comprises the following steps:
S171, detect a botnet from the network packets and obtain the Internet Protocol (IP) address of the control host in the botnet;
S172, send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
S173, receive the DNS response message returned by the DNS server;
S174, parse the DNS response message and obtain from it the domain name corresponding to the IP address;
S175, obtain from the network packets information about the network devices connected to the control host having the domain name, and determine that all network devices connected to the control host having that domain name belong to the same botnet;
S176, determine the topology of the botnet from that information;
S177, monitor the botnet according to the topology and the domain name.
As can be seen, upon detecting the IP address of the control host, the embodiment directly queries the DNS server for the domain name corresponding to that IP address rather than waiting for a DNS response message that the DNS server returns to a zombie host, thereby saving waiting time. Although the IP address of the control host may well change each time it comes online, the domain name and the control host are in a one-to-one relationship, so a unique identifier of the control host can be obtained, which lays a good foundation for subsequent processing. In addition, because the embodiment uses the domain name as the basis for monitoring, the case in which different IP addresses correspond to the same control host cannot be misjudged as the existence of several botnets, which makes botnet monitoring simpler.
To consume fewer detection resources, the current monitoring may be stopped when a predetermined period has elapsed since the start time of the current monitoring, or when no DNS response message has been received after the DNS request message has been sent the predetermined number of times.
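The control flow that the two stop conditions just described impose on a detection run, as an added example; it is not part of the patent text and not Huawei's code. For submethod two (steps S151 to S156 and S1510, and likewise S161 to S166 and S1610) the run records its start time, sends the DNS request up to the predetermined number of times and ages out when that number is exceeded or the predetermined period elapses; for submethod one (steps S81 to S86 and S810) the run reads captured packets until one yields a matching DNS response or the period elapses. The 24-hour period and the limit of 3 sends are the values given in the description; the injected clock and resolver, the toy packet format used by `demo_passive`, and the keys of the result dictionary are assumptions of the example.

```python
from typing import Callable, Iterable, Optional

MAX_ATTEMPTS = 3              # "predetermined number (e.g. 3)", steps S155/S165
WINDOW_SECONDS = 24 * 3600    # "predetermined period (e.g. 24 hours)", steps S85/S95

Clock = Callable[[], float]


def run_active_detection(cc_ip: str, send_query: Callable[[str], Optional[str]],
                         now: Clock, max_attempts: int = MAX_ATTEMPTS,
                         window: float = WINDOW_SECONDS) -> dict:
    """Submethod two loop: query the DNS server for the domain of cc_ip up to
    max_attempts times, stopping early if the window since the start time expires.

    send_query returns the domain from the DNS response, or None when no response
    arrived (the S154 'no' branch). Injecting it and the clock keeps the example
    offline and deterministic (assumption of the example).
    """
    start = now()                                   # S151: record the start time
    attempts = 0
    while attempts < max_attempts:
        if now() - start > window:                  # period exceeded: age out
            return {"status": "aged_out", "reason": "window", "attempts": attempts, "domain": None}
        attempts += 1                               # S153: send the DNS request
        domain = send_query(cc_ip)
        if domain is not None:                      # S154 yes -> S156: parsed domain
            return {"status": "resolved", "reason": None, "attempts": attempts, "domain": domain}
    # S155 yes -> S1510: predetermined number of sends exceeded without a reply
    return {"status": "aged_out", "reason": "attempts", "attempts": attempts, "domain": None}


def run_passive_detection(cc_ip: str, packets: Iterable[bytes],
                          extract: Callable[[bytes, str], Optional[str]],
                          now: Clock, window: float = WINDOW_SECONDS) -> dict:
    """Submethod one loop: read captured packets until one yields the domain for
    cc_ip or the window since the start time has elapsed.

    extract(packet, cc_ip) returns the domain carried by a DNS response for cc_ip,
    or None for any other packet. Running out of packets ends this offline run;
    a live sensor would keep capturing (S85 -> S82).
    """
    start = now()                                   # S81: record the start time
    seen = 0
    for packet in packets:                          # S82: obtain network packets
        if now() - start > window:                  # S85: period exceeded -> S810
            return {"status": "aged_out", "reason": "window", "packets": seen, "domain": None}
        seen += 1
        domain = extract(packet, cc_ip)             # S84/S86: matching DNS response?
        if domain is not None:
            return {"status": "resolved", "reason": None, "packets": seen, "domain": domain}
    return {"status": "aged_out", "reason": "capture_ended", "packets": seen, "domain": None}


class FakeClock:
    """Constructed clock: every read advances by `step` seconds."""
    def __init__(self, step: float):
        self.t, self.step = 0.0, step

    def __call__(self) -> float:
        self.t += self.step
        return self.t


def demo_active() -> dict:
    """Constructed resolver that answers only on the third send."""
    calls = {"n": 0}

    def resolver(ip: str) -> Optional[str]:
        calls["n"] += 1
        return "cc.example.test" if calls["n"] == 3 else None

    return run_active_detection("198.51.100.7", resolver, FakeClock(60))


def demo_passive(step: float = 60) -> dict:
    """Constructed capture: two unrelated packets, then a toy-encoded DNS response."""
    packets = [b"noise", b"noise", b"dns:198.51.100.7=cc.example.test"]

    def extract(packet: bytes, ip: str) -> Optional[str]:
        prefix = f"dns:{ip}=".encode()
        return packet[len(prefix):].decode() if packet.startswith(prefix) else None

    return run_passive_detection("198.51.100.7", packets, extract, FakeClock(step))


if __name__ == "__main__":
    print(demo_active())      # resolved after 3 attempts
    print(demo_passive())     # resolved at the 3rd packet
```

Both loops check the elapsed period before each new attempt, so a detection run can never outlive its window by more than one query or one packet; that bound is what lets a sensor run many such detections concurrently without unbounded state.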
Corresponding to the monitoring method above, an embodiment of the invention also provides a system for monitoring a botnet; referring to Figure 18, this system comprises a foreground system 181 and a background system 182.
The foreground system 181 comprises a detecting unit 183 and a first obtaining unit 184, and the first obtaining unit 184 comprises a sending subunit 185, a receiving subunit 186 and a parsing subunit 187:
Detecting unit 183 is configured to detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
Sending subunit 185 is configured to send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
Receiving subunit 186 is configured to receive the DNS response message returned by the DNS server;
Parsing subunit 187 is configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address.
The background system 182 comprises:
Second obtaining unit 188, configured to obtain from the network packets information about the network devices connected to the control host having that domain name;
Determining unit 189, configured to determine the topology of the botnet from that information;
Monitoring unit 1810, configured to monitor the botnet according to the topology and the domain name.
Corresponding to the monitoring method above, and referring to Figure 19, an embodiment of the invention also provides a network monitoring device 191, which comprises:
Detecting unit 192, configured to detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
Sending subunit 193, configured to send to the DNS server a DNS request message querying the domain name corresponding to the IP address;
Receiving subunit 194, configured to receive the DNS response message returned by the DNS server;
Parsing subunit 195, configured to parse the DNS response message and obtain from it the domain name corresponding to the IP address;
Second obtaining unit 196, configured to obtain from the network packets information about the network devices connected to the control host having that domain name;
Determining unit 197, configured to determine the topology of the botnet from that information;
Monitoring unit 198, configured to monitor the botnet according to the topology and the domain name. In other embodiments, the network monitoring device 191 may further comprise a stopping unit and a storage unit, wherein the stopping unit is configured to stop the current monitoring when a predetermined period has elapsed since the start time of the current monitoring, and the storage unit is configured to store any one or any combination of the domain name, the IP address and the start time of the current monitoring.
In a specific implementation, the network device 191 may be a DPI (deep packet inspection) device, a gateway device, or another network device capable of performing the functions above.
Corresponding to the method of detecting the domain name of the control host in a botnet described above, an embodiment of the invention also provides a system for detecting the domain name of the control host in a botnet; this system comprises the network device of any of the embodiments above and a DNS server, wherein:
The network device is configured to detect a botnet from the network packets, obtain the Internet Protocol (IP) address of the control host in the botnet, and obtain and parse the DNS response message returned by the DNS server to a domain name service (DNS) request message querying the IP address or querying the domain name, obtaining from it the domain name corresponding to the IP address;
The DNS server is configured to receive the DNS request message querying the IP address or querying the domain name and return the DNS response message.
Corresponding to the method of detecting the domain name of the control host in a botnet described above, an embodiment of the invention also provides another system for detecting the domain name of the control host in a botnet; referring to Figure 20, this system comprises a DPI device 201 and a gateway device 202, the DPI device 201 comprises a detecting unit 203, and the gateway device 202 comprises a first obtaining unit 204, wherein:
Detecting unit 203 is configured to detect a botnet from the network packets and obtain the IP address of the control host in the botnet;
First obtaining unit 204 is configured to obtain and parse the DNS response message returned by the DNS server to a domain name service (DNS) request message querying the IP address or querying the domain name, and to obtain from it the domain name corresponding to the IP address.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another. Because the devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively brief; for the relevant details, refer to the description of the methods.
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the embodiments above may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. a method that detects main control system domain name in the Botnet is characterized in that, comprising:
Detect Botnet according to network message, and obtain the procotol IP address of main control system in the described Botnet;
Obtain and resolve the DNS response message of name server, obtain the domain name of described IP address correspondence from described DNS response message, described DNS response message is that name server is to request of IP address lookup or inquiry of the domain name request responding.
2. the method for claim 1 is characterized in that, the described DNS response message that obtains and resolve name server, and the domain name of obtaining described IP address correspondence from described DNS response message comprises:
Search the DNS response message of domain name server from described network message, described DNS response message returns at the IP address lookup DNS request message of corpse main frame in the described Botnet;
Resolve described DNS response message, therefrom obtain the domain name of described IP address correspondence.
3. the method for claim 1 is characterized in that, the described DNS response message that obtains and resolve name server, and the domain name of obtaining described IP address correspondence from described DNS response message comprises:
Sending, to the domain name server, a DNS request message that queries the domain name corresponding to the IP address;
Receiving the DNS response message returned by the domain name server;
Parsing the DNS response message and obtaining from it the domain name corresponding to the IP address.
4. The method according to claim 1, 2 or 3, further comprising:
Obtaining, according to the network messages, information about the network devices connected to the control host that has the domain name;
Determining the topology of the botnet according to that information.
5. A network device, comprising:
A detecting unit, configured to detect a botnet according to network messages and to obtain the IP address of the control host in the botnet;
A first acquiring unit, configured to obtain and parse a DNS response message of the domain name server and to obtain from it the domain name corresponding to the IP address, the DNS response message being the domain name server's response to an IP-address query request or a domain-name query request.
6. The device according to claim 5, wherein the first acquiring unit comprises:
A searching subunit, configured to search the network messages for the DNS response message of the domain name server, the DNS response message being the one returned for an IP-address-query DNS request message sent by a bot host in the botnet;
A parsing subunit, configured to parse the DNS response message and to obtain from it the domain name corresponding to the IP address.
7. The device according to claim 5, wherein the first acquiring unit comprises:
A sending subunit, configured to send to the domain name server a DNS request message that queries the domain name corresponding to the IP address;
A receiving subunit, configured to receive the DNS response message returned by the domain name server;
A parsing subunit, configured to parse the DNS response message and to obtain from it the domain name corresponding to the IP address.
8. The device according to claim 5, 6 or 7, further comprising:
A second acquiring unit, configured to obtain, according to the network messages, information about the network devices connected to the control host that has the domain name;
A determining unit, configured to determine the topology of the botnet according to that information.
9. A system for detecting the domain name of a control host in a botnet, comprising the network device according to any one of claims 5 to 8 and a domain name server, wherein:
The network device is configured to detect a botnet according to network messages, to obtain the Internet Protocol (IP) address of the control host in the botnet, and to obtain and parse the DNS response message returned for a Domain Name Service (DNS) request message that queries by IP address or by domain name, obtaining from it the domain name corresponding to the IP address;
The domain name server is configured to receive the DNS request message that queries by IP address or by domain name and to return the DNS response message.
10. A system for detecting the domain name of a control host in a botnet, comprising a deep packet inspection (DPI) device and a gateway device, the DPI device comprising a detecting unit and the gateway device comprising a first acquiring unit, wherein:
The detecting unit is configured to detect a botnet according to network messages, to obtain the IP address of the control host in the botnet, and to send that address to the first acquiring unit;
The first acquiring unit is configured to obtain and parse the DNS response message returned by the domain name server for a DNS request message that queries by IP address or by domain name, and to obtain from it the domain name corresponding to the IP address obtained by the detecting unit.
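The "parse the DNS response message and obtain the domain name corresponding to the IP address" step of claims 3, 6 and 7 amounts to reading a reverse-lookup (PTR) answer out of a raw DNS packet and matching its question name against the control-host IP the detecting unit reported. The following is an added example written for this page, not code from the patent or from Huawei; it builds a constructed PTR response inline (the address 192.0.2.10 and the name c2.example.net are documentation-range sample values) and then parses it the way a searching or parsing subunit would, including DNS name compression and a hop limit against pointer loops in hostile packets.

```python
"""Parse a DNS PTR response and map a known control-host IP to its domain name.

Added example (not the patent's own code). The packet below is constructed;
192.0.2.10 / c2.example.net are sample values from the documentation ranges.
"""
import ipaddress
import struct

PTR = 12    # RR type PTR (reverse lookup)
CNAME = 5   # RR type CNAME, also carries a domain name as rdata


def ptr_name(ip):
    """Owner name for a reverse lookup, e.g. '10.2.0.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, off):
    """Read a possibly-compressed name at msg[off]; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:                     # remember where we left off
                end = off + 2
            hops += 1
            if hops > 64:                       # pointer loop in a hostile packet
                raise ValueError("compression loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_response(msg):
    """Return (question_name, [(owner, rtype, rdata), ...]) for a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    qname, off = _read_name(msg, off)
    off += 4                                    # QTYPE + QCLASS
    for _ in range(qd - 1):                     # skip any extra questions
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype in (PTR, CNAME):               # rdata is itself a name
            rdata, _ = _read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, answers


def domain_for_control_host(msg, control_ips):
    """If msg is a PTR response for one of control_ips, return (ip, domain)."""
    qname, answers = parse_dns_response(msg)
    for ip in control_ips:
        if qname.lower() == ptr_name(ip):
            for owner, rtype, rdata in answers:
                if rtype == PTR and owner.lower() == qname.lower():
                    return ip, rdata
    return None


def build_ptr_response(ip, domain, txid=0x1234):
    """Constructed PTR response: one question, one answer using a name pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(ptr_name(ip)) + struct.pack("!HH", PTR, 1)
    rdata = _encode_name(domain)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", PTR, 1, 300, len(rdata)) + rdata
    return header + question + answer


SAMPLE_RESPONSE = build_ptr_response("192.0.2.10", "c2.example.net")  # constructed

if __name__ == "__main__":
    # 192.0.2.10 stands in for the IP the detecting unit reported.
    print(domain_for_control_host(SAMPLE_RESPONSE, ["198.51.100.7", "192.0.2.10"]))
```

The same parser serves both variants in the claims: the claim 6 searching subunit feeds it response packets captured from the network and ignores any whose question name is not the in-addr.arpa name of a reported control-host IP, while the claim 7 sending subunit feeds it the response to its own PTR query. Either way the domain name comes out of the PTR rdata rather than from the packet's IP header, so it stays stable when the control host's address changes.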
CN201010109069XA 2010-02-04 2010-02-04 Method, device and system for detecting domain name of control host machine in botnets Active CN101800746B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010109069XA CN101800746B (en) 2010-02-04 2010-02-04 Method, device and system for detecting domain name of control host machine in botnets

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010109069XA CN101800746B (en) 2010-02-04 2010-02-04 Method, device and system for detecting domain name of control host machine in botnets

Publications (2)

Publication Number Publication Date
CN101800746A true CN101800746A (en) 2010-08-11
CN101800746B CN101800746B (en) 2013-12-04

Family

ID=42596238

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010109069XA Active CN101800746B (en) 2010-02-04 2010-02-04 Method, device and system for detecting domain name of control host machine in botnets

Country Status (1)

Country Link
CN (1) CN101800746B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026146A (en) * 2010-10-11 2011-04-20 华为技术有限公司 Method, host and system for sending control message
CN102223422A (en) * 2011-08-02 2011-10-19 杭州迪普科技有限公司 Domain name system (DNS) message processing method and network safety equipment
CN102571487A (en) * 2011-12-20 2012-07-11 东南大学 Distributed bot network scale measuring and tracking method based on multiple data sources
CN103002070A (en) * 2012-12-25 2013-03-27 上海牙木通讯技术有限公司 Domain name resolution method and device
CN103078968A (en) * 2013-01-22 2013-05-01 华为技术有限公司 Domain name querying method, IP (Internet Protocol) grouping method, device and equipment
CN104639391A (en) * 2015-01-04 2015-05-20 中国联合网络通信集团有限公司 Method for generating network flow record and corresponding flow detection equipment
CN104717226A (en) * 2012-06-06 2015-06-17 北京奇虎科技有限公司 Method and device for detecting website address
CN106576058A (en) * 2014-08-22 2017-04-19 迈克菲股份有限公司 System and method to detect domain generation algorithm malware and systems infected by such malware
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN109314664A (en) * 2016-06-23 2019-02-05 日本电信电话株式会社 Corpse main controller finds system and method
CN110928709A (en) * 2019-11-21 2020-03-27 中国民航信息网络股份有限公司 Service calling method and device under micro-service framework and server
CN113179260A (en) * 2021-04-21 2021-07-27 国家计算机网络与信息安全管理中心河北分中心 Botnet detection method, device, equipment and medium

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026146A (en) * 2010-10-11 2011-04-20 华为技术有限公司 Method, host and system for sending control message
CN102026146B (en) * 2010-10-11 2014-11-19 华为技术有限公司 Method, host and system for sending control message
CN102223422B (en) * 2011-08-02 2014-07-09 杭州迪普科技有限公司 Domain name system (DNS) message processing method and network safety equipment
CN102223422A (en) * 2011-08-02 2011-10-19 杭州迪普科技有限公司 Domain name system (DNS) message processing method and network safety equipment
CN102571487A (en) * 2011-12-20 2012-07-11 东南大学 Distributed bot network scale measuring and tracking method based on multiple data sources
CN102571487B (en) * 2011-12-20 2014-05-07 东南大学 Distributed bot network scale measuring and tracking method based on multiple data sources
CN104717226A (en) * 2012-06-06 2015-06-17 北京奇虎科技有限公司 Method and device for detecting website address
CN103002070B (en) * 2012-12-25 2015-05-20 上海牙木通讯技术有限公司 Domain name resolution method and device
CN103002070A (en) * 2012-12-25 2013-03-27 上海牙木通讯技术有限公司 Domain name resolution method and device
CN103078968B (en) * 2013-01-22 2015-12-02 华为技术有限公司 Domain name querying method, IP grouping method, device and equipment
CN103078968A (en) * 2013-01-22 2013-05-01 华为技术有限公司 Domain name querying method, IP (Internet Protocol) grouping method, device and equipment
CN106576058B (en) * 2014-08-22 2021-01-08 迈克菲有限公司 System and method for detecting domain generation algorithm malware and systems infected with such malware
CN106576058A (en) * 2014-08-22 2017-04-19 迈克菲股份有限公司 System and method to detect domain generation algorithm malware and systems infected by such malware
CN104639391A (en) * 2015-01-04 2015-05-20 中国联合网络通信集团有限公司 Method for generating network flow record and corresponding flow detection equipment
CN109314664A (en) * 2016-06-23 2019-02-05 日本电信电话株式会社 Corpse main controller finds system and method
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN106713371B (en) * 2016-12-08 2020-04-21 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS abnormal mining
CN110928709A (en) * 2019-11-21 2020-03-27 中国民航信息网络股份有限公司 Service calling method and device under micro-service framework and server
CN110928709B (en) * 2019-11-21 2023-08-29 中国民航信息网络股份有限公司 Service calling method and device under micro-service framework and server
CN113179260A (en) * 2021-04-21 2021-07-27 国家计算机网络与信息安全管理中心河北分中心 Botnet detection method, device, equipment and medium
CN113179260B (en) * 2021-04-21 2022-09-23 国家计算机网络与信息安全管理中心河北分中心 Botnet detection method, device, equipment and medium

Also Published As

Publication number Publication date
CN101800746B (en) 2013-12-04

Similar Documents

Publication Publication Date Title
CN101800746B (en) Method, device and system for detecting domain name of control host machine in botnets
US10609051B2 (en) Network security analysis for smart appliances
CN103607399B (en) Private IP network network safety monitoring system and method based on darknet
US7352289B1 (en) System and method for detecting the connection state of a network cable connector
CN106487879A (en) A kind of network equipment recognition methodss based on device-fingerprint storehouse and device
CN100563149C (en) A kind of DHCP monitor method and device thereof
CN102045215B (en) Botnet detection method and device
CN102148854B (en) Method and device for identifying peer-to-peer (P2P) shared flows
CA2469169A1 (en) Method and apparatus for determination of network topology
CN107682470B (en) Method and device for detecting public network IP availability in NAT address pool
KR101416523B1 (en) Security system and operating method thereof
CN109561111A (en) A kind of determination method and device of attack source
JP2008113409A (en) Traffic control system and management server
CN108234473A (en) A kind of message anti-attack method and device
CN111835681B (en) Large-scale flow abnormal host detection method and device
CN101599857B (en) Method, device and network detection system for detecting number of host computers accessed to sharing
CN101610266A (en) A kind of method and device that detects ARP message validity
CN102223422A (en) Domain name system (DNS) message processing method and network safety equipment
US10097418B2 (en) Discovering network nodes
CN101931627A (en) Security detection method, security detection device and network equipment
CN106534141A (en) Method and system for preventing domain name server from being attacked and firewall
JP2005142800A (en) Terminal for monitoring and network monitor system
CN102685133B (en) Maine engine mark tracing method and system as well as terminal and central server
CN108322444B (en) Method, device and system for detecting command and control channel
CN115334044A (en) Internet of things-oriented large-scale IPv6 address survivability detection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220824

Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd.

Address before: 611731 Qingshui River District, Chengdu hi tech Zone, Sichuan, China

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

TR01 Transfer of patent right