CN106603464A - Network detection method, system and device - Google Patents

Publication number
CN106603464A
Authority
CN
China
Prior art keywords
character string
detection
response
monitored
domain name
Legal status
Pending
Application number
CN201510662480.2A
Other languages
Chinese (zh)
Inventor
高阳
Current Assignee
Beijing Gridsum Technology Co Ltd
Original Assignee
Beijing Gridsum Technology Co Ltd
Application filed by Beijing Gridsum Technology Co Ltd
Priority to CN201510662480.2A
Publication of CN106603464A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The embodiments of the invention disclose a network detection method, system and device. The method comprises: sending, by a detection device, a detection character string to a dynamic URL under a monitored domain name, where the monitored domain name is the domain name used by a monitored server; and identifying whether network link hijacking has occurred for the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is the same as a preset character string. The embodiments of the invention can improve the discovery rate of network link hijacking and save labor cost.

Description

Network detection method, system and device
Technical field
The present invention relates to Internet technology, and in particular to a network detection method, system and device.
Background
While a user accesses a website, network hijacking may occur. Network link hijacking is a relatively common means of network hijacking. Its basic principle is as follows: when a user sends a connection request to the IP (Internet Protocol) address of a website, a hijacker forges the website's IP address on a link that the connection request must pass through and responds to the connection request. The web page content in that response usually carries a large number of advertisement links, or malware such as viruses and Trojans.
In the course of realizing the present invention, the inventor found that network link hijacking is harmful both to network users and to the development of websites, and that the prior art has no technique for actively monitoring for it. Network link hijacking cannot be discovered actively: only when a website shows suspected anomalies, such as abnormal pages or strange page content, is manual analysis carried out passively to determine whether network link hijacking has occurred. This passive, manual way of identifying network link hijacking consumes a large amount of labor, and its discovery rate is low.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a network detection method, system and device that improve the discovery rate of network link hijacking and save labor cost.
To solve the above technical problem, according to one aspect of the embodiments of the present invention, a network detection method is provided, including:
sending, by a detection device, a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, where the monitored domain name is the domain name used by a monitored server;
identifying whether network link hijacking has occurred for the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string.
In another embodiment based on the above method, the method further includes:
setting in advance, on the detection device, a preset algorithm and a detection character string that uniquely corresponds to the detection device;
computing, by the detection device, on the detection character string with the preset algorithm to obtain an expected character string that uniquely corresponds to the detection character string, where the expected character string is either the detection character string itself or a new character string different from the detection character string.
In another embodiment based on the above method, sending the detection character string to the dynamic URL under the monitored domain name includes: sending an HTTP request to the dynamic URL under the monitored domain name, where the HTTP request includes the detection character string;
receiving the response character string returned for the detection character string includes: receiving a valid HTTP response returned for the HTTP request, where the HTTP response includes the response character string.
In another embodiment based on the above method, the method further includes:
setting the preset algorithm on the monitored server in advance; and
in response to receiving the HTTP request sent by the detection device, computing, by the monitored server, on the detection character string with the preset algorithm to obtain the response character string, and returning it to the detection device in an HTTP response.
In another embodiment based on the above method, the method further includes:
sending, by the detection device and according to a preset detection cycle, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server, and receiving the ICMP echo reply packet returned by the monitored server, where the ICMP echo reply packet includes a time to live (TTL) field value;
comparing whether the TTL field value in the ICMP echo reply packet is consistent with a stored history TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, performing the operation of sending, by the detection device, the detection character string to the URL under the monitored domain name; and
in response to identifying that network link hijacking has not occurred for the monitored server, updating the history TTL value to the TTL field value in the ICMP echo reply packet.
In another embodiment based on the above method, the method further includes:
in response to identifying that network link hijacking has occurred for the monitored server, outputting an alarm message indicating that network link hijacking has occurred for the monitored server.
To solve the above technical problem, according to another aspect of the embodiments of the present invention, a network detection system is provided, including a detection device and a processing device, where:
the detection device is configured to send a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, where the monitored domain name is the domain name used by a monitored server and the dynamic URL is the address of the processing device; and to identify whether network link hijacking has occurred for the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string;
the processing device is coupled to and arranged in the monitored server, and is configured to return, on receiving the detection character string sent by the detection device, a response character string to the detection device for that detection character string.
In another embodiment based on the above system, the detection device is further configured to compute on the detection character string with a preset algorithm to obtain an expected character string that uniquely corresponds to the detection character string, where the expected character string is either the detection character string itself or a new character string different from the detection character string;
the processing device is further configured to compute on the detection character string with the preset algorithm to obtain the response character string.
In another embodiment based on the above system, the detection device is further configured to:
send, according to a preset detection cycle, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server, and receive the ICMP echo reply packet returned by the monitored server, where the ICMP echo reply packet includes a time to live (TTL) field value;
compare whether the TTL field value in the ICMP echo reply packet is consistent with a stored history TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, perform the operation of sending the detection character string to the URL under the monitored domain name; and
in response to identifying that network link hijacking has not occurred for the monitored server, update the history TTL value to the TTL field value in the ICMP echo reply packet.
To solve the above technical problem, according to yet another aspect of the embodiments of the present invention, a network detection device is provided, including:
a first sending unit, configured to send a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, where the monitored domain name is the domain name used by a monitored server;
a first receiving unit, configured to receive a response character string;
an identification unit, configured to identify whether network link hijacking has occurred for the monitored server according to whether the first receiving unit receives a response character string returned for the detection character string and whether the received response character string is identical to an expected character string.
In another embodiment based on the above device, the device further includes:
a first storage unit, configured to store the preset algorithm set in advance, and the detection character string and expected character string that uniquely correspond to the network link hijacking detection device;
a first computing unit, configured to compute on the detection character string with the preset algorithm to obtain the expected character string that uniquely corresponds to the detection character string and store it in the first storage unit, where the expected character string is either the detection character string itself or a new character string different from the detection character string.
In another embodiment based on the above device, the first sending unit is specifically configured to send an HTTP request to the dynamic URL under the monitored domain name, where the HTTP request includes the detection character string;
the first receiving unit specifically receives the response character string returned for the detection character string when it receives a valid HTTP response returned for the HTTP request, where the HTTP response includes the response character string, and the response character string is obtained by the monitored server computing on the detection character string with the preset algorithm.
In another embodiment based on the above device, the device further includes a comparing unit and an updating unit;
the first sending unit is further configured to send, according to a preset detection cycle, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server; and is specifically configured to perform, according to the comparison result of the comparing unit, the operation of sending the detection character string to the URL under the monitored domain name when the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value;
the first receiving unit is further configured to receive the ICMP echo reply packet returned by the monitored server, where the ICMP echo reply packet includes a time to live (TTL) field value;
the comparing unit is configured to compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value;
the updating unit is configured to update, according to the identification result of the identification unit, the history TTL value to the TTL field value in the ICMP echo reply packet when it is identified that network link hijacking has not occurred for the monitored server.
In another embodiment based on the above device, the device further includes:
an alarm unit, configured to output, according to the identification result of the identification unit, an alarm message indicating that network link hijacking has occurred for the monitored server when it is identified that network link hijacking has occurred for the monitored server.
To solve the above technical problem, according to a further aspect of the embodiments of the present invention, a network link hijacking processing device is provided, including:
a second storage unit, configured to store a preset algorithm;
a second receiving unit, configured to receive the detection character string sent by the network link hijacking detection device;
a second computing unit, configured to compute on the detection character string with the preset algorithm to obtain a response character string;
a second sending unit, configured to return the response character string to the network link hijacking detection device.
Network link hijacking is harmful both to network users and to the development of websites. The network detection method, system and device provided by the above embodiments of the present invention offer a way to detect actively and automatically whether network link hijacking has occurred for a server: the detection device sends a detection character string to a URL under the monitored domain name, and whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. Compared with the passive, manual identification of the prior art, this improves the discovery rate of network link hijacking and saves labor cost.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Description of the drawings
The drawings, which form part of the description, illustrate embodiments of the present invention and, together with the description, serve to explain the principle of the present invention.
The present invention can be understood more clearly from the following detailed description with reference to the drawings, in which:
Fig. 1 is a flow chart of one embodiment of the network detection method of the present invention.
Fig. 2 is a flow chart of another embodiment of the network detection method of the present invention.
Fig. 3 is a flow chart of a further embodiment of the network detection method of the present invention.
Fig. 4 is a structural diagram of one embodiment of the network detection device of the present invention.
Fig. 5 is a structural diagram of another embodiment of the network detection device of the present invention.
Fig. 6 is a structural diagram of one embodiment of the network link hijacking processing device of the present invention.
Fig. 7 is a structural diagram of one embodiment of the network detection system of the present invention.
Detailed description of the embodiments
Various exemplary embodiments of the present invention are now described in detail with reference to the drawings. It should be noted that, unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to actual scale.
The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present invention or its application or use.
Techniques, methods and devices known to a person of ordinary skill in the relevant art may not be discussed in detail but, where appropriate, they should be regarded as part of the description.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
Fig. 1 is a flow chart of one embodiment of the network detection method of the present invention. As shown in Fig. 1, the network detection method of this embodiment includes:
102. A detection device sends a detection character string to a dynamic URL (Uniform Resource Locator) under a monitored domain name.
Here, the monitored domain name is the domain name used by the monitored server.
The detection devices of the embodiments of the present invention can be distributed in the networks where network link hijacking is likely to occur, such as home networks or carrier networks, and more specifically in the access network of a carrier network.
104. Whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string.
Web page content served from a forged copy of the real IP address always contains something unexpected; for example, when the content of a URL is updated on the real server that uses the real IP address, the server forging the IP address will not be updated in time. In the network detection method provided by the above embodiment of the present invention, the detection device sends a detection character string to a dynamic URL under the monitored domain name, and whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. This provides an active, automatic way of detecting whether network link hijacking has occurred for a server; compared with the passive, manual identification of the prior art, it improves the discovery rate of network link hijacking and saves labor cost.
In another embodiment of the network detection method of the present invention, a preset algorithm and a detection character string that uniquely corresponds to the detection device can also be set on the detection device in advance. The detection character string can be, for example, a randomly assigned globally unique number, or a device identifier that uniquely identifies one detection device. The detection device computes on its detection character string with the preset algorithm to obtain an expected character string that uniquely corresponds to the detection character string; the expected character string can be the detection character string itself, or a new character string different from the detection character string.
An identical algorithm, namely the preset algorithm of the embodiments of the present invention, is set in advance on the detection device and on the monitored server. Because different detection devices have different detection character strings, the expected character strings they obtain by applying the preset algorithm to their own detection character strings also differ. A given detection device and the monitored server, however, obtain the same expected character string when they apply the preset algorithm to the same detection character string, and no discrepancy arises. Thus, by comparing whether the received response character string is identical to the expected character string, the detection device can effectively identify whether network link hijacking has occurred for the monitored server. Moreover, when the expected character string is a new character string different from the detection character string, this prevents a server forging the IP address from intercepting the detection character string and returning it to the detection device, which improves the security and reliability of detection.
In one specific, non-limiting example of the embodiments of the network detection method of the present invention, sending the detection character string to the dynamic URL under the monitored domain name in operation 102 can specifically be sending an HTTP (Hypertext Transfer Protocol) request to the dynamic URL under the monitored domain name, where the HTTP request includes the detection character string.
In another specific, non-limiting example of the embodiments of the network detection method of the present invention, in operation 104 the response character string returned for the detection character string can be considered received when a valid HTTP response returned for the HTTP request is received, where the HTTP response includes the response character string. A valid HTTP response is one that is readable and in which the web page address it carries can be accessed.
In another embodiment of the network detection method of the present invention, the same preset algorithm as on the detection device can also be set on the monitored server in advance. On receiving the detection character string or HTTP request sent by the detection device, the monitored server can compute, with the preset algorithm, on the detection character string that was sent directly or carried in the HTTP request, obtain the response character string, and return it to the detection device directly or in an HTTP response.
In a further embodiment of the network detection method of the present invention, when it is identified that network link hijacking has occurred for the monitored server, an alarm message indicating that network link hijacking has occurred for the monitored server can be output.
Specifically, the alarm message indicating that network link hijacking has occurred for the monitored server can be sent to a recipient according to a preset alarm mode and recipient address. The alarm mode can be, for example, e-mail, SMS or IM (Instant Messaging), and the recipient address is correspondingly an e-mail address, a mobile phone number, an instant messaging user number, and so on.
Fig. 2 is a flow chart of another embodiment of the network detection method of the present invention. As shown in Fig. 2, the network detection method of this embodiment includes:
202. According to a preset detection cycle, the detection device sends an ICMP (Internet Control Message Protocol) echo request packet to the IP address used by the monitored server and receives the ICMP echo reply packet returned by the monitored server. The ICMP echo reply packet includes a TTL (Time to Live) field value, that is, the TTL value carried in the TTL field.
TTL is the time a packet can survive on the network. Different server systems (that is, the operating systems that servers use) have different initial TTL values, and the initial TTL value is set by the operating system's specification: for example, the initial TTL value of Windows operating systems is 128, and that of Linux operating systems is 64. Each time a packet sent over the network by a network user or a server passes through a router, network segment or hop, its TTL value is decremented by 1. A server forging the IP address is usually deployed in the middle of the IP link between the user and the real website server, so the remaining TTL value of a packet sent from the real website server's IP address to the user terminal in most cases differs from the remaining TTL value of a packet sent to the user terminal by the server forging the IP address.
Operation 202 is triggered periodically according to the preset detection cycle.
204. Compare whether the TTL field value in the ICMP echo reply packet is consistent with the history TTL value stored in the detection device.
The stored history TTL value is the most recent TTL value observed while network link hijacking had not occurred for the monitored server.
If the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value, the link to the IP address used by the monitored server in the previous detection differs from the link to that IP address in this detection. This may be because a carrier's network link adjustment caused packets to traverse several more or fewer routing hops, consuming more or less TTL; it may also be that network link hijacking has occurred, that is, the IP address accessed in this detection is not the IP address used by the real monitored server. To rule out false positives, operation 206 is performed. Otherwise, if the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value, the network link is considered normal and the operations of this embodiment are not continued.
206. The detection device sends the detection character string to a dynamic URL under the monitored domain name used by the monitored server.
208. Whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string.
If it is identified that network link hijacking has not occurred for the monitored server, operation 210 is performed. Otherwise, if it is identified that network link hijacking has occurred for the monitored server, operation 212 can optionally be performed.
210. The history TTL value is updated to the TTL field value in the ICMP echo reply packet, so that the next detection cycle judges whether network link hijacking has occurred on the basis of the latest history TTL value.
After that, no subsequent operation is performed.
212. An alarm message indicating that network link hijacking has occurred for the monitored server is output.
Fig. 3 is a flow chart of a further embodiment of the network detection method of the present invention. This embodiment is described using one specific example; from the disclosure of the embodiments of the present invention, those skilled in the art can derive other implementations. As shown in Fig. 3, the network detection method of this embodiment can specifically be performed by the detection device and includes the following operations:
302. The detection device is configured with the domain name and IP address used by the monitored server. According to a preset detection cycle, for example 4~8 hours, it sends an ICMP echo request packet to the IP address used by the monitored server and receives the ICMP echo reply packet returned by the monitored server. The ICMP echo reply packet includes a TTL field value.
Operation 302 is triggered according to the preset detection cycle.
304. Compare whether the TTL field value in the ICMP echo reply packet is consistent with the history TTL value stored in the detection device.
If the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value, operation 306 is performed. Otherwise, if the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value, the operations of this embodiment are not continued.
306. Using the device identifier of the detection device as the detection character string, send it in an HTTP request to a dynamic URL under the monitored domain name used by the monitored server.
For example, the detection device can send the HTTP request to the monitored server with the POST method. The POST method is generally used to send an update request, with an attached request entity, to a destination server; in the embodiments of the present invention, the POST method submits the detection character string in the HTTP request to the specified dynamic URL resource for processing.
308. Judge whether an HTTP response carrying a response character string, returned by the monitored server for the HTTP request, is received within a preset receive duration.
If an HTTP response carrying a response character string is received, operation 310 is performed. Otherwise, if no HTTP response carrying a response character string is received, network link hijacking is considered to have occurred for the monitored server, and operation 316 is performed.
310. Judge whether the web page address carried in the received HTTP response can be accessed, that is, whether the corresponding web page exists and whether its content can be accessed.
If the web page address carried in the received HTTP response can be accessed, operation 312 is performed. Otherwise, if the web page address carried in the received HTTP response cannot be accessed, operation 316 is performed.
312. Judge whether the response character string in the HTTP response is identical to the expected character string.
If the response character string in the HTTP response is identical to the expected character string, network link hijacking is considered not to have occurred for the monitored server, and operation 314 is performed. Otherwise, if the response character string in the HTTP response differs from the expected character string, network link hijacking is considered to have occurred for the monitored server, and operation 312 can optionally be performed.
314. Update the stored history TTL value to the TTL field value in the ICMP echo reply packet.
After that, the subsequent operations of this embodiment are not performed.
316. Output an alarm message indicating that network link hijacking has occurred for the monitored server.
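The Fig. 3 flow (operations 302 to 316) as an added Python sketch; it is not code from the patent. The ICMP and HTTP transports are replaced by constructed callables so that it runs offline, and HMAC-SHA256 with a shared key stands in for the preset algorithm, which the patent leaves unspecified; all names (Detector, run_cycle, HttpReply and so on) are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


def preset_algorithm(detection_string: str, shared_key: bytes) -> str:
    """Stand-in for the patent's unspecified 'preset algorithm' (assumption).

    A keyed MAC makes the expected string a new string different from the
    detection string, so a forged server cannot pass by echoing it back.
    """
    return hmac.new(shared_key, detection_string.encode(), hashlib.sha256).hexdigest()


@dataclass
class HttpReply:
    response_string: str
    page_accessible: bool  # operation 310: web page address in the response can be accessed


@dataclass
class Detector:
    detection_string: str  # e.g. the device identifier (operation 306)
    shared_key: bytes      # provisioned on detector and monitored server (assumption)
    history_ttl: int       # latest TTL seen while no hijacking was identified

    def run_cycle(
        self,
        ping: Callable[[], int],
        post: Callable[[str], Optional[HttpReply]],
    ) -> str:
        ttl = ping()                                   # 302: ICMP echo, read TTL field
        if ttl == self.history_ttl:                    # 304: consistent, stop here
            return "ttl-unchanged"
        reply = post(self.detection_string)            # 306: POST to the dynamic URL
        if reply is None:                              # 308: nothing within receive duration
            return "alert:no-response"                 # 316
        if not reply.page_accessible:                  # 310
            return "alert:page-inaccessible"           # 316
        expected = preset_algorithm(self.detection_string, self.shared_key)
        if not hmac.compare_digest(reply.response_string.encode(), expected.encode()):
            return "alert:string-mismatch"             # 312 failed, then 316
        self.history_ttl = ttl                         # 314: route change, not hijacking
        return "ok:ttl-updated"


# ---- Constructed endpoints for the demonstration (not real hosts) ----
KEY = b"constructed-demo-key"


def genuine_server(s: str) -> Optional[HttpReply]:
    return HttpReply(preset_algorithm(s, KEY), page_accessible=True)


def echoing_impostor(s: str) -> Optional[HttpReply]:
    return HttpReply(s, page_accessible=True)  # returns the detection string unchanged


def silent_impostor(s: str) -> Optional[HttpReply]:
    return None  # does not serve the dynamic URL at all


def broken_page_impostor(s: str) -> Optional[HttpReply]:
    return HttpReply(preset_algorithm(s, KEY), page_accessible=False)


def demo():
    d = Detector("probe-0001", KEY, history_ttl=52)
    results = [
        d.run_cycle(lambda: 52, genuine_server),        # same TTL as history
        d.run_cycle(lambda: 50, genuine_server),        # carrier route change
        d.run_cycle(lambda: 57, echoing_impostor),      # forged responder echoes
        d.run_cycle(lambda: 57, silent_impostor),       # forged responder is silent
        d.run_cycle(lambda: 57, broken_page_impostor),  # page address not accessible
    ]
    return results, d.history_ttl


if __name__ == "__main__":
    print(demo())
```

Only the verified route change moves the stored history TTL; every alert path leaves it untouched, so the next cycle still compares against the last known-good value.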
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Fig. 4 is a schematic structural diagram of one embodiment of the network detection device of the present invention. The network detection device of this embodiment can be used to implement each of the above method embodiments of the present invention. As shown in Fig. 4, the network detection device of this embodiment includes a first transmitting unit 402, a first receiving unit 404 and a recognition unit 406, wherein:
The first transmitting unit 402 is configured to send a detection character string to the URL under the monitored domain name, where the monitored domain name is the domain name used by the monitored server.
The first receiving unit 404 is configured to receive the response character string.
The recognition unit 406 is configured to identify whether the monitored server has undergone network link hijacking according to whether the first receiving unit 404 receives a response character string returned for the detection character string and whether the received response character string is identical to the expected character string.
The network detection device provided by the above embodiment of the present invention sends a detection character string to the dynamic URL under the monitored domain name and identifies whether the monitored server has undergone network link hijacking according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. This provides an active, automatic way of detecting whether a server has undergone network link hijacking. Compared with the passive prior-art approach of identifying network link hijacking manually, it improves the discovery rate of network link hijacking and saves labor cost.
Fig. 5 is a schematic structural diagram of another embodiment of the network detection device of the present invention. As shown in Fig. 5, compared with the embodiment shown in Fig. 4, the network detection device of this embodiment further includes a first storage unit 502 and a first computing unit 504, wherein:
The first storage unit 502 is configured to store the preset algorithm set in advance, the detection character string uniquely corresponding to the network detection device, and the expected character string. The expected character string is calculated by the network detection device from the detection character string using the preset algorithm.
The first computing unit 504 is configured to perform a calculation on the detection character string using the preset algorithm, obtain the expected character string uniquely corresponding to the detection character string, and store it in the first storage unit 502. The expected character string may be the detection character string itself or a new character string different from the detection character string.
According to a specific, non-limiting example of the above network detection device embodiments of the present invention, the first transmitting unit 402 is specifically configured to send an HTTP request to the dynamic URL under the monitored domain name, the HTTP request including the detection character string. Correspondingly, the first receiving unit 404, upon receiving a valid HTTP response returned for the HTTP request, considers that the response character string returned for the detection character string has been received. The HTTP response includes the response character string, which the monitored server obtains by performing a calculation on the detection character string using the preset algorithm.
In addition, referring again to Fig. 5, another embodiment of the network detection device of the present invention further includes a comparing unit 506 and an updating unit 508. In this embodiment, the first transmitting unit 402 is further configured to send an ICMP echo request packet to the IP address used by the monitored server according to a preset detection cycle and, according to the comparison result of the comparing unit 506, to perform the operation of sending the detection character string to the URL under the monitored domain name when the TTL field value in the ICMP echo reply packet is inconsistent with the stored historical TTL value. The first receiving unit 404 is further configured to receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value. Correspondingly, the comparing unit 506 is configured to compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored historical TTL value. The updating unit 508 is configured, according to the recognition result of the recognition unit 406, to update the stored historical TTL value to the TTL field value in the ICMP echo reply packet when it is identified that the monitored server has not undergone network link hijacking.
Further, referring again to Fig. 5, a further embodiment of the network detection device of the present invention may also include an alarm unit 510, configured, according to the recognition result of the recognition unit 406, to output alarm information indicating that the monitored server has undergone network link hijacking when it is identified that the monitored server has undergone network link hijacking.
Fig. 6 is a schematic structural diagram of one embodiment of the network link hijacking processing device of the present invention. The network link hijacking processing device of this embodiment can be coupled to and arranged in the monitored server to implement the corresponding functions of the monitored server in each of the above method embodiments of the present invention. As shown in Fig. 6, the network link hijacking processing device of this embodiment includes a second storage unit 602, a second receiving unit 604, a second computing unit 606 and a second transmitting unit 608, wherein:
The second storage unit 602 is configured to store a preset algorithm, which is consistent with the preset algorithm in the network detection device.
The second receiving unit 604 is configured to receive the detection character string sent by the network detection device.
The second computing unit 606 is configured to perform a calculation on the detection character string received by the second receiving unit 604 using the preset algorithm in the second storage unit 602, to obtain the response character string.
The second transmitting unit 608 is configured to return to the network detection device the response character string calculated by the second computing unit 606.
The network link hijacking processing device provided by the above embodiment of the present invention can perform a calculation on the received detection character string using the preset algorithm, obtain the response character string and return it to the detection device, so that the detection device can identify whether the monitored server has undergone network link hijacking. This provides an active, automatic way of detecting whether a server has undergone network link hijacking. Compared with the passive prior-art approach of identifying network link hijacking manually, it improves the discovery rate of network link hijacking and saves labor cost.
Fig. 7 is a schematic structural diagram of one embodiment of the network detection system of the present invention. The network detection system of this embodiment can be used to implement each of the above method embodiments of the present invention. As shown in Fig. 7, the network detection system of this embodiment includes a detection device 10 and a processing device 20, wherein:
The detection device 10 is configured to send a detection character string to the URL under the monitored domain name, where the monitored domain name is the domain name used by the monitored server and the dynamic URL is the address of the processing device 20 coupled to and arranged in the monitored server; and to identify whether the monitored server has undergone network link hijacking according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string.
Multiple detection devices of the embodiment of the present invention can be deployed as required, distributed across the networks in which network link hijacking is likely to occur, for example home networks or carrier networks, and more specifically the access network of a carrier network.
The processing device 20 is coupled to and arranged in the monitored server and is configured, upon receiving the detection character string sent by the detection device 10, to return a response character string to the detection device 10 for the detection character string.
In the network detection system provided by the above embodiment of the present invention, the detection device sends a detection character string to the dynamic URL under the monitored domain name and identifies whether the monitored server has undergone network link hijacking according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. This provides an active, automatic way of detecting whether a server has undergone network link hijacking. Compared with the passive prior-art approach of identifying network link hijacking manually, it improves the discovery rate of network link hijacking and saves labor cost. Multiple detection devices of the embodiment of the present invention can be deployed according to detection requirements, distributed across the networks in which network link hijacking is likely to occur. Each detection device performs network detection at regular intervals, so that possible network link hijacking is actively discovered and an alarm is raised, which improves the discovery rate of website link hijacking.
In another embodiment of the above network detection system of the present invention, the detection device 10 is further configured to perform a calculation on the detection character string using a preset algorithm to obtain the expected character string uniquely corresponding to the detection character string. The expected character string may be the detection character string itself or a new character string different from the detection character string. Correspondingly, the processing device 20 is further configured to perform a calculation on the received detection character string using the preset algorithm to obtain the response character string.
In another embodiment of the above network detection system of the present invention, the detection device 10 is further configured to: send an ICMP echo request packet to the IP address used by the monitored server according to a preset detection cycle, and receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value; compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored historical TTL value; in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored historical TTL value, perform the operation of sending the detection character string to the URL under the monitored domain name; and, in response to identifying that the monitored server has not undergone network link hijacking, update the stored historical TTL value to the TTL field value in the ICMP echo reply packet.
The embodiments in this specification are described progressively. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be cross-referenced. Because the device and system embodiments substantially correspond to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments.
The method, system and device of the present invention may be implemented in many ways, for example by software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is for illustration only; the steps of the method of the present invention are not limited to the order described above unless otherwise specifically stated. In addition, in some embodiments the present invention may also be embodied as programs recorded on a recording medium, the programs including machine-readable instructions for implementing the method according to the present invention. The present invention therefore also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention is given for the sake of example and description and is not intended to be exhaustive or to limit the invention to the disclosed form. Many modifications and variations will be obvious to one of ordinary skill in the art. The embodiments were selected and described in order to better illustrate the principle and practical application of the present invention, and to enable one of ordinary skill in the art to understand the present invention and thereby design various embodiments with various modifications suited to particular uses.

Claims (10)

1. A network detection method, characterized in that it comprises:
sending, by a detection device, a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server;
identifying whether the monitored server has undergone network link hijacking according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string.
2. The method according to claim 1, characterized in that it further comprises:
setting in advance, on the detection device, a preset algorithm and a detection character string uniquely corresponding to the detection device;
performing, by the detection device, a calculation on the detection character string using the preset algorithm to obtain the expected character string uniquely corresponding to the detection character string, the expected character string including the detection character string or a new character string different from the detection character string.
3. The method according to claim 1 or 2, characterized in that sending the detection character string to the dynamic URL under the monitored domain name comprises: sending an HTTP request to the dynamic URL under the monitored domain name, the HTTP request including the detection character string;
receiving the response character string returned for the detection character string comprises: receiving a valid HTTP response returned for the HTTP request, the HTTP response including the response character string.
4. The method according to claim 3, characterized in that it further comprises:
setting the preset algorithm on the monitored server in advance; and
in response to receiving the HTTP request sent by the detection device, performing, by the monitored server, a calculation on the detection character string using the preset algorithm to obtain the response character string, and returning it to the detection device in an HTTP response.
5. The method according to claim 1 or 2, characterized in that it further comprises:
sending, by the detection device, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server according to a preset detection cycle, and receiving the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value;
comparing whether the TTL field value in the ICMP echo reply packet is consistent with the stored historical TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored historical TTL value, performing the operation of sending, by the detection device, the detection character string to the URL under the monitored domain name; and
in response to identifying that the monitored server has not undergone network link hijacking, updating the historical TTL value to the TTL field value in the ICMP echo reply packet.
6. The method according to claim 1 or 2, characterized in that it further comprises:
in response to identifying that the monitored server has undergone network link hijacking, outputting alarm information indicating that the monitored server has undergone network link hijacking.
7. A network detection system, characterized in that it comprises a detection device and a processing device, wherein:
the detection device is configured to send a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server and the dynamic URL being the address of the processing device; and to identify whether the monitored server has undergone network link hijacking according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string;
the processing device is coupled to and arranged in the monitored server and is configured, upon receiving the detection character string sent by the detection device, to return a response character string to the detection device for the detection character string.
8. The system according to claim 7, characterized in that the detection device is further configured to perform a calculation on the detection character string using a preset algorithm to obtain the expected character string uniquely corresponding to the detection character string, the expected character string including the detection character string or a new character string different from the detection character string;
the processing device is further configured to perform a calculation on the detection character string using the preset algorithm to obtain the response character string.
9. The system according to claim 7 or 8, characterized in that the detection device is further configured to:
send an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server according to a preset detection cycle, and receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value;
compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored historical TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored historical TTL value, perform the operation of sending the detection character string to the URL under the monitored domain name; and
in response to identifying that the monitored server has not undergone network link hijacking, update the historical TTL value to the TTL field value in the ICMP echo reply packet.
10. A network detection device, characterized in that it comprises:
a first transmitting unit, configured to send a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server;
a first receiving unit, configured to receive a response character string;
a recognition unit, configured to identify whether the monitored server has undergone network link hijacking according to whether the first receiving unit receives a response character string returned for the detection character string and whether the received response character string is identical to an expected character string.
CN201510662480.2A 2015-10-14 2015-10-14 Network detection method, system and device Pending CN106603464A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510662480.2A CN106603464A (en) 2015-10-14 2015-10-14 Network detection method, system and device

Publications (1)

Publication Number Publication Date
CN106603464A true CN106603464A (en) 2017-04-26

Family

ID=58551873

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510662480.2A Pending CN106603464A (en) 2015-10-14 2015-10-14 Network detection method, system and device

Country Status (1)

Country Link
CN (1) CN106603464A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100083 No. 401, 4th Floor, Haitai Building, 229 North Fourth Ring Road, Haidian District, Beijing

Applicant after: Beijing Guoshuang Technology Co.,Ltd.

Address before: 100086 Cuigong Hotel, 76 Zhichun Road, Shuangyushu District, Haidian District, Beijing

Applicant before: Beijing Guoshuang Technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20170426
