CN104980408A - Blocking method, device and system for malicious website - Google Patents

Blocking method, device and system for malicious website

Info

Publication number
CN104980408A
CN104980408A
Authority
CN
China
Prior art keywords
egress router
mobile network
server
network egress
terminal
Prior art date
Legal status
Pending
Application number
CN201410146365.5A
Other languages
Chinese (zh)
Inventor
苏郁
成方军
Current Assignee
China Mobile Group Shanxi Co Ltd
Original Assignee
China Mobile Group Shanxi Co Ltd
Priority date
2014-04-11
Filing date
2014-04-11
Publication date
2015-10-14
Application filed by China Mobile Group Shanxi Co Ltd
Priority to CN201410146365.5A
Publication of CN104980408A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a blocking method, a blocking device and a blocking system for a malicious website. The blocking method for the malicious website comprises the following steps: diverting the data exchanged between a terminal and a server via the terminal's mobile network egress router and a gateway general packet radio service support node (GGSN) connected with the mobile network egress router; analysing the diverted data to obtain the address of the server; matching the analysed server address in a malicious website library; and, if the match succeeds, transmitting a blocking data packet to the mobile network egress router so as to block the connection between the terminal and the server. By using a bypass blocking technique, the method, device and system of the invention avoid the phenomenon in which the terminal's traffic increases greatly and the network becomes congested because the terminal keeps transmitting requests after the website has been blocked.

Description

Blocking method, device and system for malicious websites
Technical field
The present invention relates to the field of mobile Internet security, and in particular to a blocking method, device and system for malicious websites.
Background
In the current state of the art, the following schemes are used in mobile Internet security:
First, the mobile phone malware monitoring scheme. A mobile phone malware monitoring system monitors the spread of mobile phone malware in the mobile Internet packet domain, monitors which users are infected by mobile phone malware, and monitors the URL information of suspected malware.
Second, the existing blocking means are the harmful-content monitoring system and the spam SMS and spam MMS system. The spam SMS and spam MMS system can block only by the content and the sending number of spam SMS and MMS messages; it targets advertising, illegal, pornographic and organised-crime content, and can act only on mobile phone malware that spreads through spam SMS and MMS, which is a small proportion of propagation. The harmful-content monitoring system can block the URLs through which malware spreads, but simply blocking a URL only prevents the phone user's further access: the malicious program on the phone terminal still keeps requesting those websites, which causes a surge of access traffic, large losses of user traffic, and even congestion of the network.
Third, some blocking systems use the inline blocking technique of a flow control device. The flow control device is connected inline in the network; the mobile phone virus monitoring and management system manages the flow control device and issues IP-address flow-control rules and user-defined IP-address flow-control rules, and the flow control device manages traffic according to address. Specifically, the prior art uses the inline blocking technique of a flow control device: the flow control device is connected inline between the GGSN and CMNET, and passes or blocks the behaviour of mobile phone malware according to the issued IP-address flow-control rules and the user-defined IP-address flow-control rules.
Summary of the invention
The invention provides a blocking method, device and system for malicious websites, which avoid the phenomenon in which the terminal keeps sending requests after a website has been blocked, causing a surge of terminal traffic and network congestion.
In one aspect, a blocking method for malicious websites is provided, comprising:
diverting the data exchanged between a terminal and a server via a mobile network egress router and the GGSN connected with the mobile network egress router;
parsing the diverted data to obtain the address of the server;
matching the parsed server address in a malicious website library;
if the match succeeds, sending a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
The step of sending the blocking packet to the mobile network egress router comprises:
decoding the diverted data to obtain IP protocol and HTTP protocol information;
generating a Transmission Control Protocol blocking packet (TCP RST packet) from the IP protocol and HTTP protocol information;
sending the TCP RST packet to the mobile network egress router.
The malicious website library comprises the domain names and/or uniform resource locators (URLs) of malicious websites.
In another aspect, a blocking device for malicious websites is provided, comprising:
a diverting unit, which diverts the data exchanged between a terminal and a server via a mobile network egress router and the GGSN connected with the mobile network egress router;
a parsing unit, which parses the diverted data to obtain the address of the server;
a matching unit, which matches the parsed server address in a malicious website library;
a sending unit, which, if the match succeeds, sends a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
The sending unit comprises:
a decoding subunit, which decodes the diverted data to obtain IP protocol and HTTP protocol information;
a generating subunit, which generates a Transmission Control Protocol blocking packet (TCP RST packet) from the IP protocol and HTTP protocol information;
a sending subunit, which sends the TCP RST packet to the mobile network egress router.
The malicious website library comprises the domain names and/or uniform resource locators (URLs) of malicious websites.
In another aspect, a blocking system for malicious websites is provided, comprising a server and, connected in sequence, a terminal, a mobile network egress router and a GGSN, and further comprising the blocking device for malicious websites;
the blocking device for malicious websites diverts the data exchanged between the terminal and the server via the mobile network egress router and the GGSN connected with the mobile network egress router; parses the diverted data to obtain the address of the server; matches the parsed server address in a malicious website library; and, if the match succeeds, sends a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
The beneficial effects of the present invention are as follows:
The data exchanged between the terminal and the server are diverted; the diverted data are parsed to obtain the address of the server; when the server address is judged to be a malicious website, a blocking packet is sent to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server. That is, this scheme adopts a bypass blocking technique: the blocking system is attached alongside the Gi router and, according to the policy issued by the blocking management system, blocks the terminal's access to the website by sending blocking packets. When the terminal sends a connection request, the blocking device matches the monitored content of the user's request against the blocking policy; if the blocking policy is matched, the blocking device sends a blocking packet to the mobile network egress router, and the terminal user is notified that the website is unreachable. This avoids the situation in which the terminal keeps sending requests after the website has been blocked, causing a surge of terminal traffic and network congestion.
Brief description of the drawings
Fig. 1 is a flow chart of the blocking method for malicious websites of the present invention;
Fig. 2 is a flow chart of an application scenario of the blocking method for malicious websites of the present invention;
Fig. 3 is a schematic diagram of the deployment of the components in the application scenario of the blocking method for malicious websites of the present invention;
Fig. 4 is a connection diagram of the blocking device for malicious websites of the present invention;
Fig. 5 is a connection diagram of the blocking system for malicious websites of the present invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the described embodiments fall within the scope of protection of the invention.
As shown in Fig. 1, the blocking method for malicious websites of the present invention comprises:
Step 11: divert the data exchanged between the terminal and the server via the mobile network egress router and the GGSN connected with the mobile network egress router; the data may be diverted by optical splitting or by port mirroring.
Step 12: parse the diverted data to obtain the address of the server;
Step 13: match the parsed server address in the malicious website library, where the malicious website library comprises the domain names and/or uniform resource locators (URLs) of malicious websites.
Step 14: if the match succeeds, send a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
Step 14 comprises:
decoding the diverted data to obtain IP protocol and HTTP protocol information;
generating a Transmission Control Protocol blocking packet (TCP RST packet) from the IP protocol and HTTP protocol information;
sending the TCP RST packet to the mobile network egress router.
An application scenario of the present invention is described below. This scenario takes a mobile phone as the terminal and describes a mobile phone malware blocking system. The scheme tears down the connection between the network control end and the malicious program on the phone terminal and at the same time sends a TCP Reset packet to produce a response; that is, the blocking device sends a Reset packet, which avoids the continual access attempts that would otherwise result from the two sides failing to connect, and so achieves a safe block. This method is well suited to URL control.
As shown in Fig. 2, the blocking flow of this application scenario comprises the following steps:
First, collect and obtain content: collect the traffic on the monitored link in real time by optical splitting or port mirroring;
Then, access the traffic: deliver the split traffic to the interception equipment.
Then, analyse and filter the data: analyse the application data in the traffic and, for virus-related data such as IP addresses and URLs, filter it against the domain names and URLs in the blacklist. If the match succeeds, perform the next step; if the match fails, do nothing. The blocking blacklist is provided by the mobile phone virus monitoring system or defined by the system itself, and corresponds to the malicious website library described above.
Then, send the blocking packet: after the blacklist match succeeds, send a TCP RST blocking packet according to the IP and HTTP protocol information obtained by decoding, so as to break this HTTP session; the user cannot normally receive the web page content returned by the server, and the block succeeds.
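Steps 11 to 14 above and the collect/analyse/filter/send steps of the application scenario describe the same pipeline: decode the mirrored request, match the server address against the library of domain names and/or URLs, and on a successful match derive a TCP RST from the IP and HTTP information. The following Python is an added example written for this page; it is not code from the patent or from China Mobile. The class and function names, the sample malicious-website library, the sample flow and the sample HTTP request are all constructed here. It computes and returns the blocking decision and the RST fields; it does not put any packet on the wire.

```python
"""Bypass-blocking decision engine, added for this page (not the patent's code).
For one mirrored packet: decode the HTTP request, match the server address
against the malicious website library (domain names and/or URLs) and, on a
match, derive the TCP RST packets the sending subunit hands to the egress
router. It returns the decision only; it never puts packets on the wire.
Class/function names and the sample flow and request are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FlowInfo:
    """IP/TCP fields decoded from the mirrored client-to-server segment."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # sequence number of the request segment
    ack: int          # acknowledgement number it carries
    payload_len: int  # bytes of HTTP data in the segment


class MaliciousSiteLibrary:
    """Blacklist of domain names and/or URL prefixes (the patent's library)."""

    def __init__(self, domains, urls):
        self._domains = {d.lower().strip(".") for d in domains}
        self._urls = [self._split(u) for u in urls]

    @staticmethod
    def _split(url):
        parts = urlsplit(url if "://" in url else "http://" + url)
        return (parts.hostname or "").lower(), parts.path or "/"

    def match(self, host: str, path: str) -> Optional[str]:
        """'domain', 'url' or None. A listed domain covers its subdomains,
        compared label by label so 'notbad.example' never matches 'bad.example'."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        if any(".".join(labels[i:]) in self._domains for i in range(len(labels))):
            return "domain"
        if any(host == h and path.startswith(p) for h, p in self._urls):
            return "url"
        return None


def parse_http_request(payload: bytes):
    """(method, host, path) from an HTTP/1.x request; None for non-HTTP data."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _ = parts
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    if target.startswith(("http://", "https://")):
        url = urlsplit(target)  # absolute-form target carries the host itself
        host, path = url.hostname or host, url.path or "/"
    else:
        path = target
    if not host:
        return None
    return method, host.split(":")[0].lower(), path


def rst_for_flow(flow: FlowInfo):
    """RST fields from the IP/TCP information: one toward the server in the
    client's name (seq = client's next sequence number) and one toward the
    client in the server's name (seq = the client's ack)."""
    to_server = dict(src=flow.src_ip, dst=flow.dst_ip, sport=flow.src_port,
                     dport=flow.dst_port, seq=(flow.seq + flow.payload_len) & 0xFFFFFFFF)
    to_client = dict(src=flow.dst_ip, dst=flow.src_ip, sport=flow.dst_port,
                     dport=flow.src_port, seq=flow.ack)
    return to_server, to_client


def decide(flow: FlowInfo, payload: bytes, library: MaliciousSiteLibrary):
    """Steps 12-14: parse, match, and on success produce the blocking packets."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return None
    _, host, path = parsed
    reason = library.match(host, path)
    if reason is None:
        return None  # no match: the session is left untouched
    return {"host": host, "path": path, "reason": reason, "rst": rst_for_flow(flow)}


# Constructed sample data (not from the patent): a library and one mirrored request.
LIBRARY = MaliciousSiteLibrary(domains=["bad.example"],
                               urls=["http://cdn.example/dl/payload"])
SAMPLE_REQUEST = (b"GET /update.php?id=1 HTTP/1.1\r\nHost: c2.bad.example\r\n"
                  b"User-Agent: x\r\n\r\n")
SAMPLE_FLOW = FlowInfo("10.0.0.5", "203.0.113.7", 51000, 80,
                       seq=1000, ack=5000, payload_len=len(SAMPLE_REQUEST))
```

Calling `decide(SAMPLE_FLOW, SAMPLE_REQUEST, LIBRARY)` returns the matched host, the reason (`domain`) and the two RST descriptors; a request for a host that is not in the library returns `None`, which is the "do nothing" branch of the filtering step. Two points matter for a deployment of this kind: the domain comparison is done label by label so that a listed domain covers its subdomains without a plain suffix match catching unrelated names, and the Host header is preferred over the request line so that proxy-style absolute-form targets and relative targets are handled the same way.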
Fig. 3 shows the deployment scheme of the blocking device and its workflow. In this application scenario each unit appears as a separate device: the diverting unit described above corresponds to the optical splitter, the parsing unit to the malware stream analysis equipment, the matching unit to the protection server, and the sending unit to the blocking device. The roles of the components are as follows:
Optical splitter: deployed at the Gi interface; that is, the optical splitter performs optical splitting of the data link at the Gn interface, the Gn data traffic converges onto the splitting platform, and the traffic is diverted to the malware stream analysis equipment;
Malware stream analysis equipment: collects and monitors the Gn interface data and sends the monitoring results to the protection server; that is, the analysis results and sample data are transferred to the protection server;
Protection server: issues blocking policies to the blocking device according to the monitoring results; in addition, the protection server presents and exports the analysis results;
Blocking device: after receiving the blocking policy, filters according to the domain names and URLs in the blacklist; at the same time, the blocking device feeds the URL comparison results and the blocking results back to the protection server;
Blocking device: after the blacklist match succeeds, sends a specific blocking packet to the mobile network egress router according to the decoded information to break the link. That is, the blocking device performs URL and domain name matching according to the blocking policy, and on a successful match issues a blocking packet to tear down the link.
As shown in Fig. 4, the blocking device for malicious websites of the present invention comprises:
a diverting unit 21, which diverts the data exchanged between the terminal and the server via the mobile network egress router and the GGSN connected with the mobile network egress router;
a parsing unit 22, which parses the diverted data to obtain the address of the server;
a matching unit 23, which matches the parsed server address in the malicious website library;
a sending unit 24, which, if the match succeeds, sends a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
The sending unit 24 comprises:
a decoding subunit, which decodes the diverted data to obtain IP protocol and HTTP protocol information;
a generating subunit, which generates a Transmission Control Protocol blocking packet (TCP RST packet) from the IP protocol and HTTP protocol information;
a sending subunit, which sends the TCP RST packet to the mobile network egress router.
The malicious website library comprises the domain names and/or uniform resource locators (URLs) of malicious websites.
As shown in Fig. 5, the blocking system for malicious websites of the present invention comprises a terminal 31, a GGSN 34, a mobile network egress router 33 and a server 32 connected in sequence, and further comprises a blocking device 35 for malicious websites;
the blocking device 35 for malicious websites diverts the data exchanged between the terminal 31 and the server 32 via the GGSN 34 and the mobile network egress router 33; parses the diverted data to obtain the address of the server; matches the parsed server address in the malicious website library; and, if the match succeeds, sends a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
The terminal of the present invention may be a mobile terminal such as a mobile phone or a tablet (PAD).
The present invention has the following beneficial effects:
(1) This scheme adopts a bypass blocking technique: the blocking system is attached alongside the Gi router and, according to the policy issued by the blocking management system, blocks the mobile phone's access to the URL by sending TCP Reset packets. This avoids the situation in which the mobile phone keeps sending requests after the website has been blocked, causing a surge of terminal traffic and network congestion.
(2) Compared with the blocking technique of an inline flow control device, this scheme has the advantages of low investment, high utilisation and high safety. The inline flow control device of the prior art must be expanded in step with the expansion of the GGSN; the bypass blocking technique of the present invention does not have this problem and needs no expansion of corresponding scale. Furthermore, if the flow control device fails, the online access of all users of the GGSN is affected, whereas with the bypass blocking technique of the present invention a system failure has no effect on users' online access; only the blocking function stops working.
The above are only embodiments of the present invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (7)

1. A blocking method for malicious websites, characterised in that it comprises:
diverting the data exchanged between a terminal and a server via a mobile network egress router and a gateway general packet radio service support node (GGSN) connected with the mobile network egress router;
parsing the diverted data to obtain the address of the server;
matching the parsed server address in a malicious website library;
if the match succeeds, sending a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
2. The method according to claim 1, characterised in that the step of sending the blocking packet to the mobile network egress router comprises:
decoding the diverted data to obtain IP protocol and HTTP protocol information;
generating a Transmission Control Protocol blocking packet (TCP RST packet) from the IP protocol and HTTP protocol information;
sending the TCP RST packet to the mobile network egress router.
3. The method according to claim 1, characterised in that
the malicious website library comprises the domain names and/or uniform resource locators (URLs) of malicious websites.
4. A blocking device for malicious websites, characterised in that it comprises:
a diverting unit, which diverts the data exchanged between a terminal and a server via a mobile network egress router and the GGSN connected with the mobile network egress router;
a parsing unit, which parses the diverted data to obtain the address of the server;
a matching unit, which matches the parsed server address in a malicious website library;
a sending unit, which, if the match succeeds, sends a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
5. The device according to claim 4, characterised in that the sending unit comprises:
a decoding subunit, which decodes the diverted data to obtain IP protocol and HTTP protocol information;
a generating subunit, which generates a Transmission Control Protocol blocking packet (TCP RST packet) from the IP protocol and HTTP protocol information;
a sending subunit, which sends the TCP RST packet to the mobile network egress router.
6. The device according to claim 4, characterised in that
the malicious website library comprises the domain names and/or uniform resource locators (URLs) of malicious websites.
7. A blocking system for malicious websites, comprising a server and, connected in sequence, a terminal, a mobile network egress router and a GGSN, characterised in that it further comprises the blocking device for malicious websites;
the blocking device for malicious websites diverts the data exchanged between the terminal and the server via the mobile network egress router and the GGSN connected with the mobile network egress router; parses the diverted data to obtain the address of the server; matches the parsed server address in a malicious website library; and, if the match succeeds, sends a blocking packet to the mobile network egress router so that the mobile network egress router blocks the connection between the terminal and the server.
Application CN201410146365.5A, priority date 2014-04-11, filing date 2014-04-11: Blocking method, device and system for malicious website (pending; published as CN104980408A)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410146365.5A CN104980408A (en) 2014-04-11 2014-04-11 Blocking method, device and system for malicious website

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410146365.5A CN104980408A (en) 2014-04-11 2014-04-11 Blocking method, device and system for malicious website

Publications (1)

Publication Number Publication Date
CN104980408A true CN104980408A (en) 2015-10-14

Family

ID=54276518

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410146365.5A Pending CN104980408A (en) 2014-04-11 2014-04-11 Blocking method, device and system for malicious website

Country Status (1)

Country Link
CN (1) CN104980408A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350765A (en) * 2007-07-20 2009-01-21 中国科学院声学研究所 Network flow detection method
CN101350746A (en) * 2007-07-20 2009-01-21 莱克斯信息技术(北京)有限公司 By-path interdiction TCP connection
CN101577729A (en) * 2009-06-10 2009-11-11 上海宝信软件股份有限公司 Method for blocking bypass by combining DNS redirection with Http redirection
CN101789941A (en) * 2010-01-29 2010-07-28 蓝盾信息安全技术股份有限公司 Network safety equipment linkage method and system
CN102801697A (en) * 2011-12-20 2012-11-28 北京安天电子设备有限公司 Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645470A (en) * 2016-07-20 2018-01-30 阿里巴巴集团控股有限公司 A kind of method for blocking bypass by, device, system, electronic equipment
CN107645470B (en) * 2016-07-20 2020-11-03 阿里巴巴集团控股有限公司 Bypass blocking method, device, system and electronic equipment
CN109672651A (en) * 2017-10-17 2019-04-23 阿里巴巴集团控股有限公司 Intercepting processing method, system and the data processing method of website visiting
CN108616594A (en) * 2018-05-04 2018-10-02 广东唯网络科技有限公司 HTTP method for blocking bypass by based on DPDK
CN108616594B (en) * 2018-05-04 2021-05-07 广东唯一网络科技有限公司 HTTP bypass blocking method based on DPDK
CN111405083A (en) * 2020-03-25 2020-07-10 深信服科技股份有限公司 DNS (Domain name Server) analysis method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151014
