CN105721387A - Method for preventing network hijack - Google Patents


Info

Publication number
CN105721387A
Authority
CN
China
Prior art keywords
program
dns
data
destination address
network
Prior art date
Legal status
Withdrawn
Application number
CN201410705413.XA
Other languages
Chinese (zh)
Inventor
秦江波
Current Assignee
Beijing Languang Gravity Network Inc
Original Assignee
Beijing Languang Gravity Network Inc
Priority date: 2014-12-01
Filing date: 2014-12-01
Publication date: 2016-06-29
Application filed by Beijing Languang Gravity Network Inc
Priority to CN201410705413.XA
Publication of CN105721387A
Legal status: Withdrawn

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for preventing network hijacking. After it starts, a program uses a global hook to inject a designated dll file into other programs; the dll hooks the connect function of each program. When a program needs to connect to the Internet and calls connect, the destination address is redirected to our program, and our program connects to the real destination. During data transmission, data is therefore sent to our program first and then forwarded by our program to the destination address; when the destination returns data, the data arrives at our program first, is filtered by our program and is then returned to the target program. Thus all network data passes through our program, and hijacked or abnormal content in the data can be filtered out, so that the purpose of preventing network hijacking is fulfilled.

Description

Method for preventing network hijacking
Technical field
The present invention relates to a method for preventing hijacking, and more specifically to a method for preventing network hijacking.
Background technology
DNS hijacking, also known as domain hijacking, refers to intercepting domain-name resolution requests within the hijacked network range and analysing the requested domain name: requests outside the targeted scope are let through, while the others receive a fake IP address or no response at all, so that the request times out. The effect is that a specific network address cannot be reached, or that a fake address is reached instead.
Basic principle
The function of DNS (the domain name system) is to map a network address written as a string (the domain name) to the network address that a real computer can recognise (the IP address), so that computers can go on to communicate and exchange addresses and content. Because domain hijacking can usually only be carried out within the specific hijacked network range, DNS servers outside that range still return the normal IP address, and an advanced user can point the DNS setting in the network configuration at such a normal name server to regain normal access to the address. Domain hijacking is therefore usually accompanied by measures that block the IP addresses of the normal DNS servers.
If the real IP address of the domain is known, the domain can be replaced directly by that IP for access. For example, instead of accessing Baidu's domain name one can access 202.108.22.5, thereby getting around the domain hijacking.
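The comparison the paragraph above relies on, an outside resolver still returning the real address while the hijacked range does not, can be automated. The Python block below is an added example and is not code from the patent or its applicant: it builds an RFC 1035 A query, parses the reply including compressed names, and compares the answer from the local resolver with the answer from a trusted resolver such as the 114.114.114.114 or 8.8.8.8 addresses named on this page. So that it runs offline it constructs both replies itself with build_response; in practice the two replies would come from UDP port 53 of each resolver. The function names and the reason codes are my own, 192.0.2.1 is a constructed hijacked answer from the TEST-NET-1 range, and 202.108.22.5 is the Baidu address the page gives.

```python
import struct
import ipaddress
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: 3www5baidu3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A query: RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, ips: List[str], ttl: int = 300) -> bytes:
    """Constructed reply to `query`; stands in for a live resolver in this example."""
    qend = query.index(b"\x00", 12) + 1 + 4          # end of the question section
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA
    rrs = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:qend] + rrs


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes):
    """Return (txid, flags, [(name, ip, ttl), ...]) for the A records in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                      # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return txid, flags, answers


def detect_hijack(local_reply: bytes, reference_reply: bytes, expected_txid: int) -> List[str]:
    """Compare the local resolver's answer with a trusted resolver's answer."""
    txid, _flags, local = parse_a_records(local_reply)
    _, _, reference = parse_a_records(reference_reply)
    local_ips = {ip for _, ip, _ in local}
    reference_ips = {ip for _, ip, _ in reference}
    reasons = []
    if txid != expected_txid:
        reasons.append("txid-mismatch")               # reply does not belong to our query
    if local_ips and reference_ips and local_ips.isdisjoint(reference_ips):
        reasons.append("answers-disjoint")            # CDNs can cause this too; corroborate
    if any(not ipaddress.ip_address(ip).is_global for ip in local_ips):
        reasons.append("non-global-answer")           # public name resolving to LAN/reserved space
    return reasons


if __name__ == "__main__":
    q = build_query("www.baidu.com", 0x1234)
    good = build_response(q, ["202.108.22.5"])       # address the page gives for Baidu
    bad = build_response(q, ["192.0.2.1"])           # constructed hijacked answer
    print(detect_hijack(bad, good, 0x1234))          # ['answers-disjoint', 'non-global-answer']
```

A disjoint answer set on its own is weak evidence, because CDN-backed names legitimately resolve differently by region; a public name resolving into private or reserved address space, or a reply whose transaction ID does not match the query, is a much stronger signal. The check also does nothing against a hijack that replaces the resolver address itself, which is why the page's later advice to verify the router's DNS settings matters.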
Countermeasure
DNS hijacking (DNS phishing attack) is highly aggressive and hard for users to notice; it once caused nearly 1% of the clients of Brazil's largest bank, Banco do Brasil, to be attacked and have their accounts stolen. In this case the leading domestic DNS provider 114DNS was the first to discover a DNS hijacking attack in which hackers exploited a defect in broadband routers: as soon as a user browsed a web page under the hacker's control, the DNS settings of the user's broadband router were tampered with. Because such a web page contains no special malicious code it can evade detection by security software, and large numbers of users fell victim to DNS phishing fraud.
Because of unknown causes, automatic repair occasionally fails, in which case manual modification is recommended. At the same time, to avoid being compromised again, users should change the router's login username and password following the prompts of 360 or Tencent PC Manager even after a successful repair. The commonly used TP-Link router is taken as the example below (routers of other brands are modified in a similar way).
Manually modifying the DNS
1. Enter http://192.168.1.1 in the address bar (if the page cannot be displayed, try http://192.168.0.1);
2. Fill in your router's username and password and click "OK";
3. Under the "DHCP server - DHCP" service, fill in 114.114.114.114 as the primary DNS server (the more reliable choice) and 8.8.8.8 as the secondary DNS server, then click Save.
Changing the router password
1. Enter http://192.168.1.1 in the address bar (if the page cannot be displayed, try http://192.168.0.1);
2. Fill in the router's username and password; the router's initial username is admin and the initial password is also admin, and if you have changed them, fill in the changed username and password; click "OK";
3. Once the credentials are accepted you reach the router's password-change page; under System Tools, the Change Login Password page completes the change (the original username and password are the ones filled in under step 2).
Preventing DNS hijacking
In fact DNS hijacking is nothing new, and it is not impossible to prevent. The Baidu hacking incident once again exposed the fragility of the worldwide DNS system and showed that if Internet vendors only have security preparedness for their own information systems, that is not enough to respond quickly and comprehensively to complex threats. Internet companies should therefore take the following measures:
1. Prepare more than one domain name, so that if a hacker carries out a DNS attack users can still reach the service through another domain;
2. Further revise emergency response plans and strengthen the coordination procedures with domain-name service providers;
3. Domain-name registrars and their agents are likely to become concentrated targets of attack in particular periods and need to be guarded against;
4. Quickly establish coordination and communication between the relevant domestic and overseas agencies, to help domestic enterprises respond quickly and promptly.
DNS hijacking variants
Baidu Search has launched a very important policy: when it finds that a website has been implanted with code that maliciously tampers with the user's router DNS, the page is intercepted and the user is shown a warning! According to the Security Alliance's statistics, over ten thousand websites were found to have been hacked and implanted with router DNS hijacking code, a very large number.
Over the past period the Chuangyu security research team alone has captured at least 5 variants. The pattern of this kind of attack is usually:
the attacker hacks a batch of websites;
the attacker implants router DNS hijacking code (in various forms) into this batch of websites;
the attacker spreads links to them or simply waits for target users to visit this batch of websites;
after the user visits one of these websites, the browser executes the "router DNS hijacking code";
if the user's home or corporate router has the vulnerability, it is infected;
the user's traffic is hijacked by the "fake DNS server", and phenomena such as strange advertisements appear.
Although the attack specifically targets TP-Link routers, the infected routers are not only TP-Link! The Security Alliance has released a DNS hijacking special topic providing detailed solutions for netizens and webmasters.
Historical events
In 2009 Brazil's largest bank suffered a DNS attack and 1% of its users were phished.
The "Baidu domain name hijacked" event of January 12, 2010.
In 2012 the online banking services provided by Japan Post Bank, Sumitomo Mitsui Banking Corporation and Bank of Tokyo-Mitsubishi UFJ were each hijacked by phishing websites.
In 2013 the largest-scale DNS phishing attack in history was estimated to have infected 8 million users.
Beijing, January 21, 2014: a nationwide, large-scale DNS fault occurred. At about 15:20 in the afternoon China's top-level-domain root servers failed and most websites were affected; the national top-level domain .CN was not affected by this fault, and all of its operational services were normal.
On May 6, 2013, according to a message on the official microblog of the domestic DNS provider 114DNS (reference: 114DNS official microblog), a new round of DNS phishing attacks had broken through domestic security defences and might already have infected millions of domestic users. The attack exploits weak router passwords and attacks the router's web-based management interface, changing the DNS server address through the Start_apply page to carry out phishing; DNS hijacking had earlier paralysed Brazil's largest bank. Users can manually change their DNS to 114.114.114.114 (or 114.114.115.115) to avoid the attack. According to the director of the 114DNS platform, 114DNS is an ultra-large DNS platform built jointly by several telecom operators and Nanjing Xinfeng; it provides free nationwide public DNS resolution, reliable authoritative DNS resolution for enterprises, and emergency DNS disaster recovery for telecom operators. 114DNS was the first to discover this DNS phishing attack launched by a hacker group, through the DNS anomaly-monitoring system it operates with the telecom operators.
Subsequently the security software vendor Tencent PC Manager (reference: Tencent PC Manager official website) confirmed the report through its official microblog (reference: Tencent PC Manager official microblog). According to Tencent PC Manager's security monitoring data, at least 4% of users network-wide were infected; estimated against 200 million users network-wide, at least 8 million users are under the threat of DNS phishing attacks every day. 114DNS and Tencent PC Manager carried out a security defence response to this DNS hijacking attack: Tencent PC Manager has completed the upgrade of its product security policy, can effectively identify DNS settings tampered with by hackers and intercept the phishing websites such DNS points to, provides users with a recovery scheme, and has issued a security risk warning to its users.
In 2012, according to Japan's "Nikkei Computer", Japan Post Bank, Sumitomo Mitsui Banking Corporation and Bank of Tokyo-Mitsubishi UFJ each issued announcements on October 25 and 26, 2012 reminding users that the online banking services the three banks provide had been hijacked by phishing websites. A fake page appeared requiring users to enter information: after logging in to the official website, a pop-up window asking the user for passwords and similar details appeared, and the purpose of this fake pop-up page was to steal the user's online banking password. The bank's logo and similar marks were also shown on the pop-up page, so that on the surface it looked genuine.
The "Baidu domain name hijacked" event of 2010 caused by DNS hijacking
At about 7:40 on the morning of January 12, 2010, netizens found that logging in to Baidu's homepage was behaving abnormally. After 8 a.m. most areas of mainland China, and places such as the United States and Europe, could not log in to www.baidu.com normally; the WHOIS transfer protocol of Baidu's domain name had been changed without reason and the website's domain name had been pointed at two name servers belonging to Yahoo. Some netizens further found that the website's page had been tampered with into a black background with Iran's national flag, displaying the words "This Site has been hacked by Iranian Cyber Army" together with a passage of Arabic script, and then jumping to the English Yahoo homepage. This is the "Baidu domain name hijacked" event.
Brazil's largest bank suffered a DNS attack and 1% of its users were phished
In 2009 Bandesco (Banco do Brasil), one of Brazil's largest banks, suffered a DNS cache poisoning attack that became the "bank hijacking case" that shocked the whole world. Affected users were redirected from the bank's website to a counterfeit one that tried to steal users' passwords and install malware. A DNS cache poisoning attack exploits a vulnerability in the Internet's domain name system, and ISPs that do not apply patches in time are highly susceptible to it. The legitimate IP address of some websites can be replaced, so that even when an end user types the correct address they are still redirected to those malicious websites. Nearly 1% of the bank's customers were affected; had these customers paid attention to the bank's SSL certificate and to the error messages that appeared during the redirection, they would not have been deceived.
Beijing, January 21, 2014: a nationwide, large-scale DNS fault
Beijing, January 21, 2014: a nationwide, large-scale DNS fault occurred. At about 15:20 in the afternoon China's top-level-domain root servers failed and most websites were affected; the national top-level domain .CN was not affected by this fault, and all of its operational services were normal.
Insider: the DNS resolution system failure may have been caused by a hacker attack
Yesterday afternoon the national DNS resolution system suffered a large-scale access fault; more than half of the country's websites showed access failures to varying degrees across different regions and network environments. Was this fault a network technical failure, or a hacker attack? What risks do netizens run when accessing these websites, and how should they respond?
Investigating the cause
The targeted websites had previously been subject to hacker attacks
Internet security experts said that the reason these websites could not be accessed was a domain-name resolution error.
A technician at Baidu believes the domain-name resolution error has several possible explanations. The first is that a hacker attack on overseas root servers caused the domain-name resolution of domestic servers to be polluted. The second is that, because data passes through many network nodes in transit, a node may have become the target of an attack; but if a node was attacked, this attack is rather peculiar, since "the attacker sought neither fame nor profit, and pointed the name at an IP address with no particular content." The third is that a hacker attacking a single website, because of the many nodes involved, polluted nodes and thereby affected the whole network.
In addition, there may have been a hacker attack on domestic carriers and network firewalls, or a domestic network operator may have caused the fault through some operational error.
The present invention is a method for preventing network hijacking. Earlier methods for preventing network hijacking could not solve this problem effectively: their procedures were cumbersome, their effectiveness low and their cost relatively high. The present invention solves these problems.
Summary of the invention
The object of the present invention is to provide a method for preventing network hijacking. With the present invention users can go online with ease, without installing any other anti-virus software to prevent network hijacking and without worrying about browsing malicious websites; they may even browse any virus-carrying file, and the purpose of preventing network hijacking is achieved.
After it starts, the program uses a global hook to inject a specified dll file into other programs, and the dll hooks each program's connect function. When a program needs to go online and calls connect, the destination address is redirected to our program, and our program then connects to the destination address. When data is sent, it is first sent to our program, which then forwards it to the destination address; when the destination address returns data, the data first arrives at our program, is filtered by the program and is then returned to the target program. In this way all network data passes through our program, and whenever hijacked or abnormal content is found in the data it can be filtered out.
The beneficial effect of the invention is that it secures the network while the user is online, making the user's online experience more convenient.
Detailed description of the invention
The present invention relates to a method for preventing network hijacking.
First, after it starts, the program uses a global hook to inject the specified dll file into other programs, and the dll hooks each program's connect function.
Secondly, when a program needs to go online and calls connect, the destination address is redirected to our program, and our program connects to the destination address.
Then, when data is sent, it is first sent to our program, which forwards it to the destination address.
Finally, when the destination address returns data, the data is first sent to our program and, after the program has filtered it, is returned to the target program.

Claims (2)

1. A method for preventing network hijacking, characterised in that the method is applicable to any system and comprises the following steps:
1) after it starts, the program uses a global hook to inject the specified dll file into other programs, and the dll hooks each program's connect function;
2) when a program needs to go online and calls connect, the destination address is redirected to our program, and our program connects to the destination address;
3) when data is sent, it is first sent to our program, which then forwards it to the destination address;
4) when the destination address returns data, the data is first sent to our program and, after the program has filtered it, is returned to the target program.
2. The method for preventing network hijacking according to claim 1, characterised in that the rules for what counts as abnormal in the method can be defined by the user.
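Steps 3 and 4 of the detailed description and of claim 1, together with the user-defined rules of claim 2, describe the part of the program that sits between the application and the destination and filters what comes back. The Python block below is an added example, not the patent's or the applicant's code, of that filtering stage only: it reads one HTTP/1.x response from the upstream side, removes script and iframe elements loaded from hosts other than the destination or a user allowlist, applies user-defined regex rules in the sense of claim 2, re-frames the body with a correct Content-Length and writes the result downstream. The dll injection and connect hooking of steps 1 and 2 are not reproduced; the two ends are modelled as byte streams. The FilterRule format, the rule names and the hostnames in the constructed sample response (example-bank.test, hijacker.test) are assumptions of this example.

```python
import io
import re
from dataclasses import dataclass
from typing import BinaryIO, Iterable, List, Tuple
from urllib.parse import urlparse


@dataclass
class FilterRule:
    """One user-defined rule (assumed format): a regex over the body plus an action.
    'drop' removes each match; 'block' replaces the whole body with a notice."""
    name: str
    pattern: "re.Pattern"
    action: str


# Assumed default rule set. A page served by a public site that refers to LAN
# router addresses matches the "router DNS hijacking code" variants on this page,
# so such a response is blocked outright rather than patched.
DEFAULT_RULES = [
    FilterRule("router-lan-reference",
               re.compile(rb"https?://(?:192\.168\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
               "block"),
]

# <script src=...>...</script> and <iframe src=...>...</iframe>; closing tag optional
EMBED_WITH_SRC = re.compile(
    rb"<(script|iframe)\b[^>]*\bsrc=[\"']([^\"']+)[\"'][^>]*>(?:.*?</\1\s*>)?", re.I | re.S)
BLOCK_NOTICE = b"<html><body>Response blocked by local filter</body></html>"


def host_of(url: bytes) -> str:
    return (urlparse(url.decode("latin-1")).hostname or "").lower()


def strip_foreign_embeds(body: bytes, dest_host: str,
                         allowed_hosts: Iterable[str]) -> Tuple[bytes, List[str]]:
    """Remove script/iframe elements whose src host is neither the destination,
    one of its subdomains, nor on the user allowlist."""
    allowed, hits = {h.lower() for h in allowed_hosts}, []

    def keep_or_drop(m) -> bytes:
        host = host_of(m.group(2))
        if host == dest_host or host.endswith("." + dest_host) or host in allowed:
            return m.group(0)
        hits.append("foreign-embed:%s:%s" % (m.group(1).decode().lower(), host))
        return b""

    return EMBED_WITH_SRC.sub(keep_or_drop, body), hits


def apply_rules(body: bytes, rules: Iterable[FilterRule]) -> Tuple[bytes, List[str]]:
    hits = []
    for rule in rules:
        if rule.pattern.search(body):
            hits.append(rule.name)
            if rule.action == "block":
                return BLOCK_NOTICE, hits
            body = rule.pattern.sub(b"", body)
    return body, hits


def relay_response(upstream: BinaryIO, downstream: BinaryIO, dest_host: str,
                   rules: Iterable[FilterRule], allowed_hosts: Iterable[str] = ()) -> List[str]:
    """Read one HTTP/1.x response from upstream, filter it, write it downstream.
    Returns the list of hits. A response without Content-Length (chunked, or
    delimited by connection close) is passed through unchanged, because re-framing
    it would first require de-chunking."""
    raw = b""
    while not raw.endswith(b"\r\n\r\n"):
        byte = upstream.read(1)
        if not byte:
            raise ValueError("truncated response headers")
        raw += byte
    lines = raw[:-4].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    if b"content-length" not in headers:
        downstream.write(raw + upstream.read())
        return ["passthrough:no-content-length"]
    body = upstream.read(int(headers[b"content-length"]))
    body, hits = strip_foreign_embeds(body, dest_host.lower(), allowed_hosts)
    body, rule_hits = apply_rules(body, rules)
    kept = [lines[0]] + [l for l in lines[1:] if not l.lower().startswith(b"content-length:")]
    kept.append(b"Content-Length: " + str(len(body)).encode())
    downstream.write(b"\r\n".join(kept) + b"\r\n\r\n" + body)
    return hits + rule_hits


def filter_bytes(response: bytes, dest_host: str, rules=DEFAULT_RULES,
                 allowed_hosts: Iterable[str] = ()) -> Tuple[bytes, List[str]]:
    """Convenience wrapper: run relay_response over in-memory streams."""
    out = io.BytesIO()
    hits = relay_response(io.BytesIO(response), out, dest_host, rules, allowed_hosts)
    return out.getvalue(), hits


# Constructed sample: a bank page into which two third-party elements were injected.
SAMPLE_BODY = (b"<html><head><title>Online banking</title>\n"
               b"<script src=\"https://static.example-bank.test/app.js\"></script>\n"
               b"<script src=\"http://ads.hijacker.test/inject.js\"></script>\n"
               b"</head><body><h1>Welcome</h1>\n"
               b"<iframe src=\"http://phish.hijacker.test/login\"></iframe>\n"
               b"</body></html>")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
                   + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY)

if __name__ == "__main__":
    cleaned, found = filter_bytes(SAMPLE_RESPONSE, "www.example-bank.test",
                                  allowed_hosts={"static.example-bank.test"})
    print(found)  # ['foreign-embed:script:ads.hijacker.test', 'foreign-embed:iframe:phish.hijacker.test']
```

Two caveats a deployment would have to address: a response carrying Transfer-Encoding: chunked or Content-Encoding: gzip is passed through untouched here, since the filter would need to de-chunk and decompress before matching; and TLS connections cannot be inspected at this point at all without terminating them locally, which brings its own certificate-handling risks.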

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410705413.XA CN105721387A (en) 2014-12-01 2014-12-01 Method for preventing network hijack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410705413.XA CN105721387A (en) 2014-12-01 2014-12-01 Method for preventing network hijack

Publications (1)

Publication Number Publication Date
CN105721387A true CN105721387A (en) 2016-06-29

Family

ID=56145801

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410705413.XA Withdrawn CN105721387A (en) 2014-12-01 2014-12-01 Method for preventing network hijack

Country Status (1)

Country Link
CN (1) CN105721387A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106407812A (en) * 2016-11-24 2017-02-15 北京瑞星信息技术股份有限公司 Linux real-time virus killing method and apparatus
CN106557694A (en) * 2016-11-24 2017-04-05 北京瑞星信息技术股份有限公司 Linux file operations monitoring method and device
CN110808897A (en) * 2019-11-06 2020-02-18 深信服科技股份有限公司 Proxy access method, user equipment, storage medium, device and system
CN111726322A (en) * 2019-03-19 2020-09-29 国家计算机网络与信息安全管理中心 Method and device for detecting file tampering hijacking and storage medium
CN114491474A (en) * 2022-02-15 2022-05-13 北京时代正邦科技股份有限公司 Secure interaction method and device for terminal and internet bank U-key
WO2023116513A1 (en) * 2021-12-24 2023-06-29 北京字节跳动网络技术有限公司 Network request processing method and apparatus, and device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102360349A (en) * 2011-07-21 2012-02-22 深圳市万兴软件有限公司 Method and device for acquiring audio/video link address in webpage
US8176556B1 (en) * 2008-10-31 2012-05-08 Symantec Corporation Methods and systems for tracing web-based attacks
CN102831358A (en) * 2012-09-21 2012-12-19 北京奇虎科技有限公司 Method and device for preventing homepage tamper
CN103327025A (en) * 2013-06-28 2013-09-25 北京奇虎科技有限公司 Method and device for network access control
CN103327134A (en) * 2013-06-13 2013-09-25 国家电网公司 Network data redirection method and device based on DHCP service
CN103699840A (en) * 2013-12-12 2014-04-02 北京奇虎科技有限公司 Method and device for detecting page jacking
CN104065693A (en) * 2013-04-16 2014-09-24 腾讯科技(深圳)有限公司 Method, device and system for accessing network data in webpage applications

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8176556B1 (en) * 2008-10-31 2012-05-08 Symantec Corporation Methods and systems for tracing web-based attacks
CN102360349A (en) * 2011-07-21 2012-02-22 深圳市万兴软件有限公司 Method and device for acquiring audio/video link address in webpage
CN102831358A (en) * 2012-09-21 2012-12-19 北京奇虎科技有限公司 Method and device for preventing homepage tamper
CN104065693A (en) * 2013-04-16 2014-09-24 腾讯科技(深圳)有限公司 Method, device and system for accessing network data in webpage applications
CN103327134A (en) * 2013-06-13 2013-09-25 国家电网公司 Network data redirection method and device based on DHCP service
CN103327025A (en) * 2013-06-28 2013-09-25 北京奇虎科技有限公司 Method and device for network access control
CN103699840A (en) * 2013-12-12 2014-04-02 北京奇虎科技有限公司 Method and device for detecting page jacking

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106407812A (en) * 2016-11-24 2017-02-15 北京瑞星信息技术股份有限公司 Linux real-time virus killing method and apparatus
CN106557694A (en) * 2016-11-24 2017-04-05 北京瑞星信息技术股份有限公司 Linux file operations monitoring method and device
CN106407812B (en) * 2016-11-24 2019-02-12 北京瑞星网安技术股份有限公司 The method and device that Linux kills virus in real time
CN111726322A (en) * 2019-03-19 2020-09-29 国家计算机网络与信息安全管理中心 Method and device for detecting file tampering hijacking and storage medium
CN110808897A (en) * 2019-11-06 2020-02-18 深信服科技股份有限公司 Proxy access method, user equipment, storage medium, device and system
WO2023116513A1 (en) * 2021-12-24 2023-06-29 北京字节跳动网络技术有限公司 Network request processing method and apparatus, and device and storage medium
CN114491474A (en) * 2022-02-15 2022-05-13 北京时代正邦科技股份有限公司 Secure interaction method and device for terminal and internet bank U-key
CN114491474B (en) * 2022-02-15 2022-10-11 北京时代正邦科技股份有限公司 Terminal and internet bank U-key secure interaction method and device

Similar Documents

Publication Publication Date Title
US10841324B2 (en) Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers
CN105721387A (en) Method for preventing network hijack
Acer et al. Where the wild warnings are: Root causes of Chrome HTTPS certificate errors
US8370407B1 (en) Systems providing a network resource address reputation service
US8429751B2 (en) Method and apparatus for phishing and leeching vulnerability detection
Milletary et al. Technical trends in phishing attacks
US8024804B2 (en) Correlation engine for detecting network attacks and detection method
US8307431B2 (en) Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
US9282114B1 (en) Generation of alerts in an event management system based upon risk
US20120151559A1 (en) Threat Detection in a Data Processing System
EP3188436A1 (en) Platform for protecting small and medium enterprises from cyber security threats
CN107634967B (en) CSRFtoken defense system and method for CSRF attack
US20090100518A1 (en) System and method for detecting security defects in applications
AU2015201095A1 (en) Network security system with remediation based on value of attacked assets
WO2010087904A1 (en) Health-based access to network resources
WO2007047695A2 (en) B2c authentication
KR20010090014A (en) system for protecting against network intrusion
CN103139138A (en) Application layer denial of service (DoS) protective method and system based on client detection
CN111314381A (en) Safety isolation gateway
US20210314355A1 (en) Mitigating phishing attempts
CN106209907B (en) Method and device for detecting malicious attack
CN111556044A (en) Network security system
Beigh et al. Intrusion detection and prevention system: issues and challenges
Singh Detection of Phishing e-mail
Tsow Phishing with Consumer Electronics-Malicious Home Routers.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication Application publication date: 20160629
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication