CN104935556B - A kind of network security processing method, apparatus and system

Info

Publication number: CN104935556B
Authority: CN (China)
Application number: CN201410105388.1A
Other languages: Chinese (zh)
Other versions: CN104935556A
Inventor: 贺燕
Current assignee: Tencent Technology Shenzhen Co Ltd; Tencent Cloud Computing Beijing Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Legal status: Active
Prior art keywords: dns, modification, server, event, client

Classifications

    • H04L61/4511: Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
    • H04L61/5076: Address allocation; update or notification mechanisms, e.g. DynDNS
    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources

Abstract

The embodiments of the invention disclose a network security processing method, apparatus and system. In the method, when a client detects a modification event on the domain name system (DNS) of the client router, it obtains the modification link information corresponding to the modification event and the link information of the site being accessed, and sends both to a server. The server extracts the access site identity from the site link information and obtains, from the modification link information, the target DNS identity of the website the modification link points to. The server then uses the access site identity and the target DNS identity to detect and determine whether the DNS modification event on the client router is legitimate. With the present invention, illegal DNS modification events can be determined more promptly and comprehensively, suspicious DNS servers can be identified, and network security is ensured to a certain extent.

Description

A kind of network security processing method, apparatus and system
Technical field
The present invention relates to the field of computer network security, and in particular to a network security processing method, apparatus and system.
Background technique
DNS (Domain Name System) is the system on the Internet that maps between domain names and IP addresses. Based on the correspondence between IP addresses and domain names, the IP address of the website named in an access request can be found through its domain name. Domain name resolution is performed by a dedicated domain name resolution system, and DNS is precisely the system that performs domain name resolution.
DNS hijacking, also known as domain hijacking, modifies the user's DNS so that the domain names a service originally used no longer point where they should, directing the user to an IP address specified by the hijacker. This changes the information the service intended to present to the user, degrades the user's experience, and causes losses to both the service and the user. DNS hijacking is carried out by replacing the router's original, normal DNS with a specific malicious DNS.
At present, judging whether a DNS modification is malicious relies mainly on manually collected user feedback: when a user's browsing experience becomes abnormal, a reverse investigation finds that the cause is a DNS modification, and manual verification then determines that the DNS is malicious.
The drawback of the prior art is that the DNS is identified only after the user's browsing experience has already become abnormal, and the identification cycle is long: from the appearance of a malicious DNS to the arrival of user feedback usually takes a very long time.
Summary of the invention
The technical problem to be solved by the embodiments of the invention is to provide a network security processing method, apparatus and system that can detect DNS modification events promptly and quickly, so as to ensure the user's network security.
To solve the above technical problem, an embodiment of the invention provides a network security processing method, comprising:
when a client detects a modification event on the domain name system (DNS) of the client router, the client obtains the modification link information corresponding to the modification event and the link information of the site being accessed, and sends them to a server;
the server extracts the access site identity from the modification link information and obtains, from the accessed site link information, the target DNS identity of the accessed website;
the server detects and determines, from the access site identity and the target DNS identity, the legitimacy of the DNS modification event on the client router.
An embodiment of the invention also provides another network security processing method, comprising:
receiving a client's modification link information and accessed site link information;
extracting the access site identity from the site link information, and obtaining from the modification link information the target DNS identity of the website the modification link points to;
detecting and determining, from the access site identity and the target DNS identity, the legitimacy of the DNS modification event on the client router;
where the modification link information and the accessed site link information are obtained and sent by the client when it detects a modification event on the domain name system (DNS) of the client router.
An embodiment of the invention further provides another network security processing method, comprising:
during website access, detecting modification events on the domain name system (DNS) of the local router;
when a DNS modification event is detected, obtaining the modification link information corresponding to the modification event and the link information of the site being accessed;
sending the obtained modification link information and accessed site link information to a server.
Correspondingly, an embodiment of the invention provides a network security processing apparatus, comprising:
a receiving module, for receiving a client's modification link information and accessed site link information, which the client obtains and sends when it detects a modification event on the domain name system (DNS) of the client router;
a processing module, for extracting the access site identity from the site link information and obtaining from the modification link information the target DNS identity of the website the modification link points to;
a detection module, for detecting and determining, from the access site identity and the target DNS identity, the legitimacy of the DNS modification event on the client router.
An embodiment of the invention also provides another network security processing apparatus, comprising:
an event detection module, for detecting modification events on the domain name system (DNS) of the local router during website access;
an obtaining module, for obtaining, when a DNS modification event is detected, the modification link information corresponding to the modification event and the link information of the site being accessed;
a sending module, for sending the obtained modification link information and accessed site link information to a server.
Correspondingly, an embodiment of the invention provides a network security processing system, comprising a client and a server, wherein:
the client is configured to obtain, when it detects a modification event on the domain name system (DNS) of the client router, the modification link information corresponding to the modification event and the link information of the site being accessed, and to send them to the server;
the server is configured to extract the access site identity from the modification link information, to obtain from the accessed site link information the target DNS identity of the accessed website, and to detect and determine, from the access site identity and the target DNS identity, the legitimacy of the DNS modification event on the client router.
In the embodiments of the invention, the client collects the modification link information and the accessed site link information when a DNS modification event occurs, and the server uses them to detect the legitimacy of the DNS modification event on the client router. Illegal DNS modification events can thus be determined more promptly and comprehensively, suspicious DNS servers can be identified, and network security is ensured to a certain extent.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a kind of flow diagram of network security processing method of the embodiment of the present invention;
Fig. 2 is the flow diagram of another network security processing method of the embodiment of the present invention;
Fig. 3 is the flow diagram of another network security processing method of the embodiment of the present invention;
Fig. 4 is the flow diagram of another network security processing method of the embodiment of the present invention;
Fig. 5 is a kind of structural schematic diagram of network safety processing equipment of the embodiment of the present invention;
Fig. 6 is a kind of structural schematic diagram of server of the embodiment of the present invention;
Fig. 7 is a structural schematic diagram of another network security processing apparatus of an embodiment of the invention;
Fig. 8 is a kind of structural schematic diagram of user terminal of the embodiment of the present invention;
Fig. 9 is a kind of structural schematic diagram of network security processing system of the embodiment of the present invention.
Specific embodiment
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Referring to Fig. 1, which is a flow diagram of a network security processing method of an embodiment of the invention, the method of this embodiment can be applied between a client and a server performing any type of network security monitoring. Specifically, the method includes:
S101: when the client detects a modification event on the domain name system (DNS) of the client router, it obtains the modification link information corresponding to the modification event and the link information of the site being accessed, and sends them to the server.
A client reaches a website in the network only after a DNS (Domain Name System) server has converted the domain name into an IP address. Normally, for a DNS server that has developed a problem, a related site can improve access speed by repairing the DNS at the client. For detecting DNS modification events, one implementation is that the client, upon detecting that the IP address of the local DNS has been modified to an abnormal IP address, determines that a DNS modification event on the router has occurred.
As a concrete example, a user accesses the website www.xx.com, whose site link information is hereinafter called A. A jumps to the modification link http://192.168.1.1/hello?dns_server=114.114.114.114, hereinafter called B; the Referer of B therefore contains A. The client examines all URLs the user accesses and checks whether each is an access to a local IP address (for example, an address beginning with 192.168). When the client detects B and finds that it is a URL beginning with 192.168, it considers that this may be a DNS modification event.
After detecting the modification event, the client obtains the modification link information that initiated the modification and the site link information the current user is accessing through the browser, and transmits them to the server; that is, it sends B together with B's Referer, A, to the server.
S102: the server extracts the access site identity from the site link information and obtains, from the modification link information, the target DNS identity of the website the modification link points to.
The access site identity is mainly the name etc. of the website the user is accessing, such as xx in www.xx.com above;
and the target DNS identity is the DNS etc. indicated in the modification link, such as 114.114.114.114 in the modification link http://192.168.1.1/hello?dns_server=114.114.114.114 above.
S103: the server detects and determines, from the access site identity and the target DNS identity, the legitimacy of the DNS modification event on the client router.
Detecting the legitimacy of the DNS modification event on the client router means determining whether the modification is legal or illegal. When the detection determines an illegal modification, the client is considered to have suffered a DNS hijacking event; at this point, the IP address of the DNS after the modification can be recorded as an illegal DNS, and security control can be initiated on the client.
Specifically, a legitimate site identity set, i.e. a whitelist, can be configured. The websites corresponding to the site identities in the whitelist help users repair problematic DNS in order to improve access speed, so their modifications are benign; a DNS modification generated by a website outside the legitimate site identity set can be initially considered a suspicious DNS modification. Of course, once enough legitimate sites have been configured in the legitimate site identity set, any modification whose access site identity is not in the set can be directly considered illegal.
After the DNS modification on the client has been initially considered suspicious, the legitimacy of the DNS modification event on the client router can be further determined from the port information and/or the location region of the DNS server indicated by the target DNS identity. Specifically:
the server judges whether the specified target port is open in the port information of the DNS server indicated by the target DNS identity; if it is open, the server determines that the DNS modification event on the client router is an illegal operation event. Concretely, the ports open on the DNS server corresponding to the target DNS identity of the modification can be examined; if the target DNS has port 80 open, the target DNS is considered highly suspicious. And/or
the server judges whether the region in which the DNS server indicated by the target DNS identity is located and the region in which the client's current IP address is located satisfy a preset validity condition; if not, the server determines that the DNS modification event on the client router is an illegal operation event. Concretely, the region of the user's IP can be compared with the region of the target DNS; if the user's IP is domestic but the target DNS is abroad, the target DNS of this modification is considered highly suspicious.
Of course, in other embodiments S103 can also include: the server determines, from the access site identity, the target DNS identity and a preset legitimacy decision scheme, that the DNS modification event on the client router is an illegal operation event, which specifically includes any one or more of the following steps:
when the access site identity is not recorded in the preset legitimate site identity set, determining that the DNS modification event on the client router is an illegal operation event;
when the target port specified in the port information of the DNS server indicated by the target DNS identity is open, determining that the DNS modification event on the client router is an illegal operation event;
when the region in which the DNS server indicated by the target DNS identity is located and the region in which the client's current IP address is located do not satisfy the preset validity condition, determining that the DNS modification event on the client router is an illegal operation event.
In this embodiment of the invention, the client collects the modification link information and the accessed site link information when a DNS modification event occurs, and the server uses them to detect the legitimacy of the DNS modification event on the client router. Illegal DNS modification events can thus be determined more promptly and comprehensively, suspicious DNS servers can be identified, and network security is ensured to a certain extent.
Referring next to Fig. 2, which is a flow diagram of another network security processing method of an embodiment of the invention, the method of this embodiment can be applied between a client and a server performing any type of network security monitoring. Specifically, the method includes:
S201: when the client detects a modification event on the domain name system (DNS) of the client router, it obtains the modification link information corresponding to the modification event and the link information of the site being accessed, and sends them to the server.
Before S201, the method may further include: during website access, the client detects whether the network address information in the generated modification link information is an abnormal address; if so, it determines that a modification event on the domain name system (DNS) of the client router has occurred.
S202: the server extracts the access site identity from the site link information and obtains, from the modification link information, the target DNS identity of the website the modification link points to.
The access site identity is mainly the IP address etc. of the website that generated the modification event, and the target DNS identity is the IP address etc. of the DNS server of the website the client user is currently accessing.
S203: the server judges whether the access site identity is recorded in the preset legitimate site identity set.
The legitimate site identity set is the whitelist. The websites corresponding to the site identities in the whitelist help users repair problematic DNS in order to improve access speed, so their modifications are benign, while a DNS modification generated by a site outside the legitimate site identity set can be initially considered a suspicious DNS modification.
If the access site identity is recorded in the legitimate site identity set, the DNS modification event is a legal modification event. If it is not recorded there, the server initially determines that the DNS modification event on the client router is an illegal operation event and executes S204 below.
S204: the server judges whether the region in which the DNS server indicated by the target DNS identity is located and the region in which the client's current IP address is located satisfy the preset validity condition.
In S204 the region to which the DNS server indicated by the target DNS identity belongs is determined, as is the region to which the client's current IP address belongs. Determining the region from a DNS identity or a client IP address is prior art and is not described further here.
In this embodiment, satisfying the validity condition means that the regions of the DNS server and the client are within an effective range; for example, if the DNS server is located abroad while the client is located domestically, the two do not satisfy the validity condition. The scheme for deciding validity can be configured as the user requires, for instance by designating one or more DNS servers located closer to a given user as valid servers and treating the DNS servers of all other regions as invalid, i.e. as not satisfying the validity condition.
If the judgment result of S204 is that the validity condition is satisfied, the modification is a legal modification event and the corresponding DNS is a normal DNS. If the validity condition is not satisfied, S205 below is executed.
S205: the server judges whether the target port specified in the port information of the DNS server indicated by the target DNS identity is open.
Concretely, the ports open on the DNS server corresponding to the target DNS identity of the modification can be examined; if the target DNS has port 80 open, the target DNS is considered highly suspicious and S206 to S207 below are executed. If the port is not open, the modification is a legal modification event and the corresponding DNS is a normal DNS.
S206: the server determines that the DNS modification event on the client router is an illegal operation event.
S207: when the detection determines that the DNS modification event on the client router is an illegal operation event, the target DNS identity is recorded.
When the detection determines an illegal operation event, the client is considered to have suffered a DNS hijacking event; at this point, the IP address of the DNS after the modification can be recorded as an illegal DNS, and security control can be initiated on the client.
It should be noted that in other embodiments, in scenarios with stricter security requirements for DNS monitoring, only any one of S203, S204 and S205, or any combination of two of them, may be executed; that is, the event is treated as illegal as soon as one or two of these steps determine an illegal operation event.
In this embodiment of the invention, the client collects the modification link information and the accessed site link information when a DNS modification event occurs, and the server uses them to detect the legitimacy of the DNS modification event on the client router. Illegal DNS modification events can thus be determined more promptly and comprehensively, suspicious DNS servers can be identified, and network security is ensured to a certain extent. Moreover, by using identities such as the IP address of the modifying website together with identities such as the IP address of the target DNS, malicious DNS modifications can be checked more accurately, which better ensures the accuracy of DNS confirmation.
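As an added illustration of the client-side detection in S101 and the server-side decision chain of S203 to S207 (example code written for this page, not the patent's own implementation), the following Python sketch assumes the modification link carries the DNS address in a dns_server query parameter as in the example above, and substitutes constructed whitelist, region and open-port tables for the geolocation and port-probing services the description leaves to prior art.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set
from urllib.parse import parse_qs, urlparse


def detect_modification_event(url: str, referer: Optional[str]) -> Optional[Dict[str, str]]:
    """Client side (S101 / S401). A request is treated as a DNS modification
    event when its host is a private (router) IP literal and its query string
    carries a dns_server parameter. Returns the pair to report to the server:
    B (the modification link) and A (the accessed site link, from the Referer)."""
    parsed = urlparse(url)
    host = parsed.hostname
    if host is None:
        return None
    try:
        if not ipaddress.ip_address(host).is_private:
            return None
    except ValueError:
        return None  # a hostname such as www.xx.com, not an IP literal
    if "dns_server" not in parse_qs(parsed.query):
        return None
    return {"modification_link": url, "site_link": referer or ""}


def extract_site_identity(site_link: str) -> str:
    """Access site identity (S102): the second-level label, 'www.xx.com' -> 'xx'."""
    labels = (urlparse(site_link).hostname or "").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def extract_target_dns(modification_link: str) -> Optional[str]:
    """Target DNS identity (S102): the address named by the dns_server parameter."""
    return parse_qs(urlparse(modification_link).query).get("dns_server", [None])[0]


@dataclass
class Verdict:
    illegal: bool
    reason: str
    target_dns: Optional[str]


def judge_modification(modification_link: str, site_link: str, client_ip: str,
                       whitelist: Set[str], region_of: Callable[[str], str],
                       port_is_open: Callable[[str, int], bool],
                       target_port: int = 80, strict: bool = False) -> Verdict:
    """Server side (S203-S206). With strict=False the checks run in the Fig. 2
    order and any check that passes clears the event, so only an event failing
    whitelist, region and port tests is illegal. With strict=True the first
    failing check alone makes the event illegal (the stricter policy allowed
    for demanding monitoring scenarios)."""
    site_id = extract_site_identity(site_link)
    target_dns = extract_target_dns(modification_link)
    if target_dns is None:
        return Verdict(True, "modification link names no DNS server", None)
    checks = [
        ("S203", lambda: site_id not in whitelist,
         f"site '{site_id}' is not in the legitimate site identity set"),
        ("S204", lambda: region_of(target_dns) != region_of(client_ip),
         "DNS server region does not match the client's region"),
        ("S205", lambda: port_is_open(target_dns, target_port),
         f"port {target_port} is open on the target DNS server"),
    ]
    failures = []
    for step, failed, why in checks:
        if failed():
            failures.append(why)
            if strict:
                return Verdict(True, why, target_dns)
        elif not strict:
            return Verdict(False, f"cleared at {step}", target_dns)
    if failures:
        return Verdict(True, "; ".join(failures), target_dns)
    return Verdict(False, "all checks passed", target_dns)


def process_report(report: Dict[str, str], client_ip: str,
                   illegal_dns: Set[str], **policy) -> Verdict:
    """S207: record the target DNS identity of every event judged illegal."""
    verdict = judge_modification(report["modification_link"], report["site_link"],
                                 client_ip, **policy)
    if verdict.illegal and verdict.target_dns:
        illegal_dns.add(verdict.target_dns)
    return verdict


# Constructed sample tables (not from the patent); TEST-NET addresses are used
# for the foreign DNS server and the client.
WHITELIST = {"goodsite"}
REGIONS = {"114.114.114.114": "CN", "203.0.113.7": "US", "198.51.100.5": "CN"}
OPEN_PORTS = {"203.0.113.7": {53, 80}, "114.114.114.114": {53}}


def sample_region_of(ip: str) -> str:
    return REGIONS.get(ip, "unknown")


def sample_port_is_open(ip: str, port: int) -> bool:
    return port in OPEN_PORTS.get(ip, set())


if __name__ == "__main__":
    registry: Set[str] = set()
    report = detect_modification_event(
        "http://192.168.1.1/hello?dns_server=203.0.113.7", "http://www.xx.com/")
    print(process_report(report, "198.51.100.5", registry, whitelist=WHITELIST,
                         region_of=sample_region_of, port_is_open=sample_port_is_open))
    print("recorded illegal DNS:", registry)
```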
Referring next to Fig. 3, which is a flow diagram of another network security processing method of an embodiment of the invention, the method of this embodiment can be applied in a server performing any type of network security monitoring. Specifically, the method includes:
S301: receiving a client's modification link information and accessed site link information;
The modification link information and the accessed site link information are obtained and sent by the client when it detects a modification event on the domain name system (DNS) of the client router. The concrete implementation may refer to the description of the embodiments above. The communication between the server and the client is implemented by prior art.
S302: extracting the access site identity from the site link information, and obtaining from the modification link information the target DNS identity of the website the modification link points to.
The access site identity is mainly the IP address etc. of the website that generated the modification event, and the target DNS identity is the IP address etc. of the DNS server of the website the client user is currently accessing.
S303: detecting and determining, from the access site identity and the target DNS identity, the legitimacy of the DNS modification event on the client router.
S303 can specifically include: determining, from the access site identity, the target DNS identity and a preset legitimacy decision scheme, that the DNS modification event on the client router is an illegal operation event, including any one or more of the following steps:
when the access site identity is not recorded in the preset legitimate site identity set, determining that the DNS modification event on the client router is an illegal operation event;
when the target port specified in the port information of the DNS server indicated by the target DNS identity is open, determining that the DNS modification event on the client router is an illegal operation event;
when the region in which the DNS server indicated by the target DNS identity is located and the region in which the client's current IP address is located do not satisfy the preset validity condition, determining that the DNS modification event on the client router is an illegal operation event.
Alternatively, S303 can also include the following steps:
the server judges whether the access site identity is recorded in the preset legitimate site identity set;
if it is not recorded in the preset legitimate site identity set, the server initially determines that the DNS modification event on the client router is an illegal operation event, and further determines the legitimacy of the DNS modification event on the client router from the port information and/or the location region of the DNS server indicated by the target DNS identity.
Here, determining the legitimacy of the DNS modification event on the client router from the port information and/or the location region of the DNS server indicated by the target DNS identity comprises:
the server judges whether the specified target port is open in the port information of the DNS server indicated by the target DNS identity; if it is open, the server determines that the DNS modification event on the client router is an illegal operation event; and/or
the server judges whether the region in which the DNS server indicated by the target DNS identity is located and the region in which the client's current IP address is located satisfy the preset validity condition; if not, the server determines that the DNS modification event on the client router is an illegal operation event.
In this embodiment of the invention, the client collects the modification link information and the accessed site link information when a DNS modification event occurs, and the server uses them to detect the legitimacy of the DNS modification event on the client router. Illegal DNS modification events can thus be determined more promptly and comprehensively, suspicious DNS servers can be identified, and network security is ensured to a certain extent.
Referring next to Fig. 4, which is a flow diagram of another network security processing method of an embodiment of the invention, the method of this embodiment can be applied in any client that resolves domain names through a DNS server. Specifically, the method includes:
S401: during website access, the client detects modification events on the domain name system (DNS) of the local router.
A client reaches a website in the network only after a DNS (Domain Name System) server has converted the domain name into an IP address. Normally, for a DNS server that has developed a problem, a related site can improve access speed by repairing the DNS at the client. For detecting DNS modification events, one implementation is that the client, upon detecting that the IP address of the local DNS has been modified to an abnormal IP address, determines that a DNS modification event on the router has occurred.
S402: when a DNS modification event is detected, the client obtains the modification link information corresponding to the modification event and the link information of the site being accessed.
S403: the client sends the obtained modification link information and accessed site link information to the server.
In this embodiment of the invention, when a DNS modification event occurs, the client accurately and promptly collects the modification link information and the accessed site link information and sends them to the server for detection, so that illegal DNS modification events can be determined more promptly, suspicious DNS servers can be identified, and the user's network security is ensured to a certain extent.
The network safety processing equipment of the embodiment of the present invention and system are described in detail below.
Fig. 5 is referred to; it is a structural schematic diagram of a network security processing device according to an embodiment of the present invention. The device of this embodiment may be provided in any type of network security monitoring server. Specifically, the device includes:
a receiving module 11, for receiving the modification link information and the accessed-website link information of a client, where the modification link information and the accessed-website link information are obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router;
a processing module 12, for extracting an accessed site identifier from the site link information, and obtaining, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds;
a detection module 13, for detecting and determining, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router.
A client's access to a given website on the network is realised after a DNS (Domain Name System) server has performed the conversion from domain name to IP address. Under normal circumstances, for DNS servers that have already shown problems, the associated websites can improve access speed by repairing the DNS on the client. For the detection of DNS modification events, one implementation is that the client, on detecting that the IP address of the local DNS has been modified to an abnormal IP address, can determine that a DNS modification event of the router has occurred.
After detecting the modification event, the client can obtain the modification link information that initiated the modification and the link information of the website the current user is accessing through the browser, and transmit this information to the server.
The accessed site identifier obtained by the processing module 12 is mainly the name of the website the user visited and the like, and the target DNS identifier is the DNS indicated in the modification link and the like.
The detection module 13 detecting the legitimacy of the DNS modification event of the client router can be divided into detecting and determining whether this modification is legal or illegal. When detection determines that it is an illegal modification, the client is considered to have suffered a DNS hijacking event; at this point the IP address of the DNS after this modification can be recorded as an illegal DNS, and security control can be initiated towards the client.
Specifically, the detection module 13 can be provided with a legitimate site identifier set, i.e. a white list. The websites corresponding to the site identifiers in the white list can help users repair problematic DNS so as to improve access speed; these modifications are benign modifications. DNS modifications generated by websites outside the legitimate site identifier set can be initially regarded as suspicious DNS modifications. Of course, once enough legitimate sites have been provided in the legitimate site identifier set, as long as the accessed site identifier is not in the legitimate site identifier set, this modification may reasonably be considered illegal.
After initially determining the DNS modification to the client to be suspicious, the detection module 13 further determines the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identifier. Specifically:
The detection module 13 judges whether, in the port information of the DNS server indicated by the target DNS identifier, a specified target port is open; if it is open, the server determines that the DNS modification event of the client router is an illegal operation event. Specifically, this can be a judgement on the ports opened on the DNS server corresponding to the modified target DNS identifier: if the target DNS has port 80 open, the target DNS is considered highly suspicious. And/or
The detection module 13 judges whether the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address satisfy a preset legitimacy condition; if they do not, the server determines that the DNS modification event of the client router is an illegal operation event. Specifically, the region of the user IP can be compared with the region of the target DNS: if the user IP is domestic but the target DNS is abroad, the target DNS of this modification is considered highly suspicious.
It should be noted that in other embodiments, in scenarios with stricter security requirements for DNS monitoring, the detection module 12 may detect only any one of the above items, or a combination of any two of them; that is, an illegal operation event is determined from one or two of those items.
Fig. 6 is specifically referred to; it is a structural schematic diagram of a server according to an embodiment of the present invention. The server of this embodiment includes: at least one processor 1001, such as a CPU; at least one communication bus 1002; at least one network interface 1003; and a memory 1004. The communication bus 1002 realises the connection and communication between these components. The network interface 1003 may optionally include a standard wired interface and a wireless interface (such as WI-FI or a mobile communication interface). The memory 1004 may be a high-speed RAM memory, or may be a non-volatile memory, for example at least one magnetic disk memory. The memory 1004 may optionally also be at least one storage device located remotely from the aforementioned processor 1001. As shown in Fig. 6, the memory 1004, as a computer storage medium, stores an operating system, a network communication module, a network security processing application program and other programs.
Specifically, the processor 1001 can be used to call the network security processing application program stored in the memory 1004 and execute the following steps:
receive the modification link information and the accessed-website link information of a client;
extract an accessed site identifier from the site link information, and obtain, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds;
detect and determine, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router;
the modification link information and the accessed-website link information are obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router.
In this embodiment of the present invention, the client collects the modification link information and the accessed-website link information when a DNS modification event occurs, and the server detects the legitimacy of the DNS modification event of the client router based on the modification link information and the accessed-website link information, so that illegal DNS modification events can be determined more promptly and comprehensively, suspicious DNS servers identified, and network security safeguarded to a certain extent.
Fig. 7 is referred to again; it shows another network security processing device according to an embodiment of the present invention. The device of this embodiment may be provided in any type of client that resolves domain names through a DNS server. Specifically, the device includes:
an event detection module 21, for detecting, during access to a website, a modification event of the domain name system (DNS) of the local router;
an obtaining module 22, for obtaining, when a DNS modification event is detected, the modification link information corresponding to the modification event and the link information of the website being accessed;
a sending module 23, for sending the obtained modification link information and the accessed-website link information to the server.
A client's access to a given website on the network is realised after a DNS (Domain Name System) server has performed the conversion from domain name to IP address. Under normal circumstances, for DNS servers that have already shown problems, the associated websites can improve access speed by repairing the DNS on the client. For the detection of DNS modification events, the event detection module 21 can, on detecting that the IP address of the local DNS has been modified to an abnormal IP address, determine that a DNS modification event of the router has occurred.
Fig. 8 is specifically referred to; it is a structural schematic diagram of a user terminal according to an embodiment of the present invention. The user terminal of this embodiment may be a mobile smart device such as a tablet computer, a mobile phone, an e-reader, a remote control, a vehicle-mounted device or a wearable device.
The user terminal includes: at least one processor 2001, such as a CPU; at least one communication bus 2002; at least one network interface 2003; and a memory 2004. The communication bus 2002 realises the connection and communication between these components. The network interface 2003 may optionally include a standard wired interface and a wireless interface (such as WI-FI or a mobile communication interface). The memory 2004 may be a high-speed RAM memory, or may be a non-volatile memory, for example at least one magnetic disk memory. The memory 2004 may optionally also be at least one storage device located remotely from the aforementioned processor 2001. As shown in Fig. 8, the memory 2004, as a computer storage medium, stores an operating system, a network communication module, a network security processing application program and other programs.
Specifically, the processor 2001 can be used to call the network security processing application program stored in the memory 2004 and execute the following steps:
during access to a website, detect a modification event of the domain name system (DNS) of the local router;
when a DNS modification event is detected, obtain the modification link information corresponding to the modification event and the link information of the website being accessed;
send the obtained modification link information and the accessed-website link information to the server.
In this embodiment of the present invention, when a DNS modification event occurs, the client can accurately and promptly collect the modification link information and the accessed-website link information and send them to the server for detection, so that illegal DNS modification events can be determined more promptly, suspicious DNS servers identified, and the user's network security safeguarded to a certain extent.
Fig. 9 is referred to again; it is a structural schematic diagram of a network security processing system according to an embodiment of the present invention. The system of this embodiment comprises a client 2 and a server 1, where the client 2 is any type of client that resolves domain names through a DNS server, and the server 1 is any type of network security monitoring server. Specifically:
the client 2 is configured to, when detecting a modification event of the domain name system (DNS) of the client router, obtain the modification link information corresponding to the modification event and the link information of the website being accessed, and send them to the server 1;
the server 1 is configured to extract an accessed site identifier from the site link information, obtain, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds, and detect and determine, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router.
For detecting the DNS modification event, the client is further configured to detect, during access to a website, whether the network address information in the generated modification link information is an abnormal address, and if so, to determine that a modification event of the domain name system (DNS) of the client router has occurred.
The accessed site identifier is mainly the name of the website the user visited and the like, and the target DNS identifier is the DNS indicated in the modification link and the like. After obtaining the accessed site identifier and the target DNS identifier, when detecting whether the DNS modification event of the client is legal, the server is configured to judge whether the accessed site identifier is recorded in a preset legitimate site identifier set; if it is not recorded in the preset legitimate site identifier set, the server preliminarily determines that the DNS modification event of the client router is an illegal operation event, and further determines the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identifier.
When determining the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identifier, the server is configured to judge whether, in the port information of the DNS server indicated by the target DNS identifier, a specified target port is open, and if it is open, the server determines that the DNS modification event of the client router is an illegal operation event; and/or the server is configured to judge whether the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address satisfy a preset legitimacy condition, and if they do not, the server determines that the DNS modification event of the client router is an illegal operation event.
The server is further configured to record the target DNS identifier when detection determines that the DNS modification event of the client router is an illegal operation event.
When detection determines an illegal operation event, the client is considered to have suffered a DNS hijacking event; at this point the IP address of the DNS after this modification can be recorded as an illegal DNS, and security control can be initiated towards the client.
For the specific implementation of the client and the server, refer to the description of the embodiments corresponding to Figs. 1 to 8 above.
In this embodiment of the present invention, the client collects the modification link information and the accessed-website link information when a DNS modification event occurs, and the server detects the legitimacy of the DNS modification event of the client router based on the modification link information and the accessed-website link information, so that illegal DNS modification events can be determined more promptly and comprehensively, suspicious DNS servers identified, and network security safeguarded to a certain extent. In particular, by combining identifiers such as the IP address of the modifying website with identifiers such as the IP address of the target DNS, malicious DNS modifications can be checked out more accurately, better ensuring the accuracy with which a DNS can be confirmed.
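The client-side detection step (S401) and the server-side decision rules described above (legitimate-site white list, a specified target port open on the target DNS server, client/DNS region comparison), written out as one runnable sketch. This is an added example, not code from the patent; the `dns` query parameter that carries the target DNS, the region codes, and every address, URL and port table below are constructed assumptions, and port and region data are supplied as inputs rather than probed.

```python
# Added example, not the patent's code. Models the decision rules the
# description states; all sample data below is constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

LEGAL, SUSPICIOUS, ILLEGAL = "legal", "suspicious", "illegal"


@dataclass
class ModificationReport:
    """What the client sends when it detects a DNS modification event."""
    client_ip: str
    accessed_site_link: str   # link of the website the user was visiting
    modification_link: str    # link that triggered the change; names the target DNS


@dataclass
class Verdict:
    status: str
    target_dns: str
    reasons: list = field(default_factory=list)


def detect_dns_modification(previous_dns: str, current_dns: str, trusted_dns: set) -> bool:
    """Client side (S401): raise a DNS modification event when the router's DNS
    address changed and the new address is abnormal, i.e. not a trusted one."""
    return previous_dns != current_dns and current_dns not in trusted_dns


def extract_site_identity(site_link: str) -> str:
    """Accessed site identifier: the host name of the visited website."""
    return (urlparse(site_link).hostname or "").lower()


def extract_target_dns(modification_link: str) -> str:
    """Target DNS identifier: the DNS server address carried in the modification
    link (assumed here to travel in a 'dns' query parameter)."""
    values = parse_qs(urlparse(modification_link).query).get("dns", [])
    if not values:
        raise ValueError("modification link carries no target DNS")
    return str(ip_address(values[0]))  # normalises the text, rejects non-addresses


class DnsModificationChecker:
    """Server side: receiving, processing and detection modules 11-13 in one object."""

    def __init__(self, legitimate_sites, open_ports, region_of, target_port=80, strict=False):
        self.legitimate_sites = {s.lower() for s in legitimate_sites}  # the white list
        self.open_ports = open_ports      # {dns_ip: {open ports}} from a prior scan record
        self.region_of = region_of        # {ip: region code} from a geolocation table
        self.target_port = target_port    # the "specified target port"; 80 in the text
        self.strict = strict              # stricter scenario: a single indicator suffices
        self.illegal_dns = set()          # recorded target DNS identifiers

    def check(self, report: ModificationReport) -> Verdict:
        site = extract_site_identity(report.accessed_site_link)
        target = extract_target_dns(report.modification_link)
        if site in self.legitimate_sites:
            return Verdict(LEGAL, target, ["benign DNS repair by a legitimate site"])
        reasons = [f"site {site!r} is not in the legitimate site set"]
        if self.strict:
            self.illegal_dns.add(target)
            return Verdict(ILLEGAL, target, reasons)
        # Preliminary suspicion only; port information and/or region decide.
        if self.target_port in self.open_ports.get(target, set()):
            reasons.append(f"target DNS {target} has port {self.target_port} open")
        client_region = self.region_of.get(report.client_ip)
        dns_region = self.region_of.get(target)
        if client_region and dns_region and client_region != dns_region:
            reasons.append(f"client region {client_region} differs from DNS region {dns_region}")
        if len(reasons) > 1:
            self.illegal_dns.add(target)
            return Verdict(ILLEGAL, target, reasons)
        return Verdict(SUSPICIOUS, target, reasons)


# Constructed sample data for a stand-alone run (documentation-range addresses).
SAMPLE_CHECKER = DnsModificationChecker(
    legitimate_sites={"repair.example-isp.test"},
    open_ports={"203.0.113.53": {53, 80}, "198.51.100.53": {53}},
    region_of={"192.0.2.10": "CN", "203.0.113.53": "US", "198.51.100.53": "CN"},
)


def demo():
    """One benign repair by a white-listed site, one hijack-style modification."""
    benign = ModificationReport("192.0.2.10", "https://repair.example-isp.test/fix",
                                "http://repair.example-isp.test/set?dns=198.51.100.53")
    hijack = ModificationReport("192.0.2.10", "https://free-movies.example/",
                                "http://free-movies.example/go?dns=203.0.113.53")
    return SAMPLE_CHECKER.check(benign), SAMPLE_CHECKER.check(hijack)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.status, verdict.target_dns, "; ".join(verdict.reasons))
```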
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above disclosure is only the preferred embodiments of the present invention and certainly cannot limit the scope of rights of the present invention; therefore, equivalent changes made in accordance with the claims of the present invention still fall within the scope of the present invention.

Claims (14)

1. A network security processing method, characterized by comprising:
a client, when detecting a modification event of the domain name system (DNS) of a client router, obtaining the modification link information corresponding to the modification event and the link information of the website being accessed, and sending them to a server;
the server extracting an accessed site identifier from the site link information, and obtaining, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds;
the server detecting and determining, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router;
wherein, when detection determines that the accessed site identifier is not recorded in a preset legitimate site identifier set, and/or when detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and/or when detection determines that the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address do not satisfy a preset legitimacy condition, the DNS modification event of the client router is determined to be an illegal operation event.
2. The method according to claim 1, characterized in that, before the client, when detecting a modification event of the domain name system (DNS) of the client router, obtains the modification link information corresponding to the modification event and the accessed-website link information and sends them to the server, the method further comprises:
the client detecting, during access to a website, whether the network address information in the generated modification link information is an abnormal address, and if so, determining that a modification event of the domain name system (DNS) of the client router has occurred.
3. The method according to claim 1, characterized in that the server detecting and determining, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router comprises:
the server judging whether the accessed site identifier is recorded in a preset legitimate site identifier set;
if it is not recorded in the preset legitimate site identifier set, the server preliminarily determining that the DNS modification event of the client router is an illegal operation event, and further determining the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identifier.
4. The method according to claim 3, characterized in that determining the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identifier comprises:
the server judging whether a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and if it is open, the server determining that the DNS modification event of the client router is an illegal operation event; and/or
the server judging whether the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address satisfy a preset legitimacy condition, and if they do not, the server determining that the DNS modification event of the client router is an illegal operation event.
5. The method according to any one of claims 1 to 4, characterized by further comprising:
the server recording the target DNS identifier when detection determines that the DNS modification event of the client router is an illegal operation event.
6. A network security processing method, characterized by comprising:
receiving the modification link information and the accessed-website link information of a client;
extracting an accessed site identifier from the site link information, and obtaining, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds;
detecting and determining, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router;
the modification link information and the accessed-website link information being obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router;
wherein, when detection determines that the accessed site identifier is not recorded in a preset legitimate site identifier set, and/or when detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and/or when detection determines that the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address do not satisfy a preset legitimacy condition, the DNS modification event of the client router is determined to be an illegal operation event.
7. A network security processing method, characterized by comprising:
during access to a website, detecting a modification event of the domain name system (DNS) of a client router;
when a DNS modification event is detected, obtaining the modification link information corresponding to the modification event and the link information of the website being accessed;
sending the obtained modification link information and the accessed-website link information to a server, so that the server detects and determines the legitimacy of the DNS modification event of the client router according to an accessed site identifier extracted from the site link information and a target DNS identifier obtained from the modification link information;
wherein the server, when detection determines that the accessed site identifier is not recorded in a preset legitimate site identifier set, and/or when detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and/or when detection determines that the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address do not satisfy a preset legitimacy condition, determines that the DNS modification event of the client router is an illegal operation event.
8. A network security processing device, characterized by comprising:
a receiving module, for receiving the modification link information and the accessed-website link information of a client, the modification link information and the accessed-website link information being obtained and sent by the client when it detects a modification event of the domain name system (DNS) of the client router;
a processing module, for extracting an accessed site identifier from the site link information, and obtaining, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds;
a detection module, for detecting and determining, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router;
wherein the detection module is specifically configured to determine that the DNS modification event of the client router is an illegal operation event when detection determines that the accessed site identifier is not recorded in a preset legitimate site identifier set, and/or when detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and/or when detection determines that the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address do not satisfy a preset legitimacy condition.
9. A network security processing device, characterized by comprising:
an event detection module, for detecting, during access to a website, a modification event of the domain name system (DNS) of a client router;
an obtaining module, for obtaining, when a DNS modification event is detected, the modification link information corresponding to the modification event and the link information of the website being accessed;
a sending module, for sending the obtained modification link information and the accessed-website link information to a server, so that the server detects and determines the legitimacy of the DNS modification event of the client router according to an accessed site identifier extracted from the site link information and a target DNS identifier obtained from the modification link information;
wherein the server, when detection determines that the accessed site identifier is not recorded in a preset legitimate site identifier set, and/or when detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and/or when detection determines that the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address do not satisfy a preset legitimacy condition, determines that the DNS modification event of the client router is an illegal operation event.
10. A network security processing system, characterized by comprising a client and a server, wherein
the client is configured to, when detecting a modification event of the domain name system (DNS) of a client router, obtain the modification link information corresponding to the modification event and the link information of the website being accessed, and send them to the server;
the server is configured to extract an accessed site identifier from the site link information, obtain, according to the modification link information, the target DNS identifier of the website to which the modification link corresponds, and detect and determine, according to the accessed site identifier and the target DNS identifier, the legitimacy of the DNS modification event of the client router;
wherein the server, when detection determines that the accessed site identifier is not recorded in a preset legitimate site identifier set, and/or when detection determines that a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and/or when detection determines that the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address do not satisfy a preset legitimacy condition, determines that the DNS modification event of the client router is an illegal operation event.
11. The system according to claim 10, characterized in that
the client is further configured to detect, during access to a website, whether the network address information in the generated modification link information is an abnormal address, and if so, to determine that a modification event of the domain name system (DNS) of the client router has occurred.
12. The system according to claim 10, characterized in that
the server is configured to judge whether the accessed site identifier is recorded in a preset legitimate site identifier set; if it is not recorded in the preset legitimate site identifier set, to preliminarily determine that the DNS modification event of the client router is an illegal operation event, and to further determine the legitimacy of the DNS modification event of the client router according to the port information and/or the geographic region of the DNS server indicated by the target DNS identifier.
13. The system according to claim 12, characterized in that
the server is configured to judge whether a specified target port in the port information of the DNS server indicated by the target DNS identifier is open, and if it is open, the server determines that the DNS modification event of the client router is an illegal operation event; and/or
the server is configured to judge whether the geographic region of the DNS server indicated by the target DNS identifier and the geographic region of the client's current IP address satisfy a preset legitimacy condition, and if they do not, the server determines that the DNS modification event of the client router is an illegal operation event.
14. The system according to any one of claims 10 to 13, characterized in that
the server is further configured to record the target DNS identifier when detection determines that the DNS modification event of the client router is an illegal operation event.
CN201410105388.1A 2014-03-20 2014-03-20 A kind of network security processing method, apparatus and system Active CN104935556B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410105388.1A CN104935556B (en) 2014-03-20 2014-03-20 A kind of network security processing method, apparatus and system

Publications (2)

Publication Number Publication Date
CN104935556A CN104935556A (en) 2015-09-23
CN104935556B true CN104935556B (en) 2019-06-07

Family

ID=54122529

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410105388.1A Active CN104935556B (en) 2014-03-20 2014-03-20 A kind of network security processing method, apparatus and system

Country Status (1)

Country Link
CN (1) CN104935556B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106911652B (en) * 2015-12-23 2021-06-04 北京奇虎科技有限公司 Method and device for preventing configuration information of wireless router from being tampered
CN106534149A (en) * 2016-11-29 2017-03-22 北京小米移动软件有限公司 DNS anti-hijacking method and device, terminal and server
CN111756731B (en) * 2020-06-23 2022-06-28 全球能源互联网研究院有限公司 Credibility measuring method and system for private network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101669347A (en) * 2007-04-23 2010-03-10 国际商业机器公司 Method and apparatus for detecting port scans with fake source address
CN102301682A (en) * 2011-04-29 2011-12-28 华为技术有限公司 Method and system for network caching, domain name system redirection sub-system thereof
CN102577252A (en) * 2009-10-21 2012-07-11 瑞科网信科技有限公司 Method and system to determine an application delivery server based on geo-location information
CN103607385A (en) * 2013-11-14 2014-02-26 北京奇虎科技有限公司 Method and apparatus for security detection based on browser

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101669347A (en) * 2007-04-23 2010-03-10 国际商业机器公司 Method and apparatus for detecting port scans with fake source address
CN102577252A (en) * 2009-10-21 2012-07-11 瑞科网信科技有限公司 Method and system to determine an application delivery server based on geo-location information
CN102301682A (en) * 2011-04-29 2011-12-28 华为技术有限公司 Method and system for network caching, domain name system redirection sub-system thereof
CN103607385A (en) * 2013-11-14 2014-02-26 北京奇虎科技有限公司 Method and apparatus for security detection based on browser

Also Published As

Publication number Publication date
CN104935556A (en) 2015-09-23

Similar Documents

Publication Publication Date Title
CN108737327B (en) Method, device and system for intercepting malicious website and memory
US10248782B2 (en) Systems and methods for access control to web applications and identification of web browsers
US8392963B2 (en) Techniques for tracking actual users in web application security systems
CN103067385B (en) Method for defending against hijack attacks, and firewall
CN103916490B (en) DNS tamper-proof method and device
CN104811462B (en) Access gateway redirection method and access gateway
CN107770226B (en) Control method and device for smart home, home gateway and mobile terminal
CN104144163B (en) Authentication method, apparatus and system
CN109039987A (en) User account login method, device, electronic equipment and storage medium
CN104811449A (en) Base collision attack detecting method and system
CN104168339A (en) Method and device for preventing domain name from being intercepted
CN103825895A (en) Information processing method and electronic device
CN104580553B (en) Method and device for identifying network address translation equipment
CN104935551B (en) Webpage tamper-protection device and method
CN105763388A (en) Fault detection method and fault detection system
WO2015014215A1 (en) Domain name resolution method, system and device
CN107276983A (en) DPI-based traffic security control method and system synchronized with the cloud
CN106411644A (en) Network sharing device detection method and system based on DPI technology
CN109450690B (en) Method and device for quickly locking lost host in networking
CN104935556B (en) A kind of network security processing method, apparatus and system
CN105392137A (en) Household WIFI embezzlement preventing method, wireless router and terminal equipment
KR101341596B1 (en) Apparatus and method for monitoring web application telecommunication data by user
CN102045310B (en) Industrial Internet intrusion detection as well as defense method and device
CN112231679B (en) Terminal equipment verification method and device and storage medium
CN103312724A (en) Domain name system (DNS) request authentication method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230625

Address after: 35th floor, Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 518057

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: Room 403, East Block 2, SEG Science and Technology Park, Zhenxing Road, Futian District, Shenzhen, Guangdong, 518000

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.