CN106603464A - Network detection method, system and device - Google Patents
- Publication number
- CN106603464A CN201510662480.2A
- Authority
- CN
- China
- Prior art keywords
- character string
- detection
- response
- monitored
- domain name
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Abstract
Embodiments of the invention disclose a network detection method, system and device. The method comprises: sending, by a detection device, a detection character string to a dynamic URL under a monitored domain name, the monitored domain name being the domain name used by a monitored server; and identifying whether network link hijacking has occurred for the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is the same as a preset character string. Embodiments of the invention can improve the discovery rate of network link hijacking and save labor cost.
Description
Technical field
The present invention relates to Internet technology, and in particular to a network detection method, system and device.
Background
Network hijacking can occur while a user is accessing a website. Network link hijacking is a relatively common form of network hijacking. Its basic principle is as follows: when a user sends a connection request to the IP (Internet Protocol) address of a website, a hijacker forges the website's IP address on a link that the connection request must traverse and responds to the connection request; the web page content returned usually carries a large number of advertisement links or viruses such as Trojans.
In the course of realizing the present invention, the inventor found that network link hijacking is harmful both to network users and to the development of websites, yet the prior art offers no technique for actively monitoring for network link hijacking. Network link hijacking cannot be discovered proactively; only when a website shows suspected anomalies, such as abnormal pages or odd page content, is manual analysis carried out, passively, to determine whether network link hijacking has occurred. This passive approach of identifying network link hijacking by hand consumes substantial labor cost, and its discovery rate is low.
Summary of the invention
The technical problem to be solved by embodiments of the present invention is to provide a network detection method, system and device that improve the discovery rate of network link hijacking and save labor cost.
To solve the above technical problem, according to one aspect of the embodiments of the present invention, a network detection method is provided, comprising:
sending, by a detection device, a detection character string to a dynamic Uniform Resource Locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server;
identifying whether network link hijacking has occurred for the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string.
In another embodiment based on the above method, the method further comprises:
setting in advance, on the detection device, a preset algorithm and a detection character string uniquely corresponding to the detection device;
computing, by the detection device, over the detection character string using the preset algorithm to obtain an expected character string uniquely corresponding to the detection character string, the expected character string comprising the detection character string or a new character string different from the detection character string.
In another embodiment based on the above method, sending the detection character string to the dynamic URL under the monitored domain name comprises: sending an HTTP request to the dynamic URL under the monitored domain name, the HTTP request including the detection character string;
receiving the response character string returned for the detection character string comprises: receiving a valid HTTP response returned for the HTTP request, the HTTP response including the response character string.
In another embodiment based on the above method, the method further comprises:
setting the preset algorithm in advance on the monitored server; and
in response to receiving the HTTP request sent by the detection device, computing, by the monitored server, over the detection character string using the preset algorithm to obtain the response character string, and returning it to the detection device in an HTTP response.
In another embodiment based on the above method, the method further comprises:
sending, by the detection device according to a preset detection cycle, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server, and receiving the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time to live (TTL) field value;
comparing whether the TTL field value in the ICMP echo reply packet is consistent with a stored history TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, performing the operation of sending, by the detection device, the detection character string to the URL under the monitored domain name; and
in response to identifying that network link hijacking has not occurred for the monitored server, updating the history TTL value to the TTL field value in the ICMP echo reply packet.
In another embodiment based on the above method, the method further comprises:
in response to identifying that network link hijacking has occurred for the monitored server, outputting an alarm message indicating that network link hijacking has occurred for the monitored server.
To solve the above technical problem, according to another aspect of the embodiments of the present invention, a network detection system is provided, comprising a detection device and a processing device, wherein:
the detection device is configured to send a detection character string to a dynamic Uniform Resource Locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server and the dynamic URL being the address of the processing device; and to identify whether network link hijacking has occurred for the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string;
the processing device is coupled to and arranged in the monitored server, and is configured to return, on receiving the detection character string sent by the detection device, a response character string to the detection device for the detection character string.
In another embodiment based on the above system, the detection device is further configured to compute over the detection character string using a preset algorithm to obtain an expected character string uniquely corresponding to the detection character string, the expected character string comprising the detection character string or a new character string different from the detection character string;
the processing device is further configured to compute over the detection character string using the preset algorithm to obtain the response character string.
In another embodiment based on the above system, the detection device is further configured to:
send, according to a preset detection cycle, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server, and receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time to live (TTL) field value;
compare whether the TTL field value in the ICMP echo reply packet is consistent with a stored history TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, perform the operation of sending the detection character string to the URL under the monitored domain name; and
in response to identifying that network link hijacking has not occurred for the monitored server, update the history TTL value to the TTL field value in the ICMP echo reply packet.
To solve the above technical problem, according to another aspect of the embodiments of the present invention, a network detection device is provided, comprising:
a first sending unit, configured to send a detection character string to a dynamic Uniform Resource Locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server;
a first receiving unit, configured to receive a response character string;
an identification unit, configured to identify whether network link hijacking has occurred for the monitored server according to whether the first receiving unit receives a response character string returned for the detection character string and whether the received response character string is identical to an expected character string.
In another embodiment based on the above device, the device further comprises:
a first storage unit, configured to store a preset algorithm set in advance, the detection character string uniquely corresponding to the network link hijacking detection device, and the expected character string;
a first computing unit, configured to compute over the detection character string using the preset algorithm, obtain the expected character string uniquely corresponding to the detection character string, and store it in the first storage unit, the expected character string comprising the detection character string or a new character string different from the detection character string.
In another embodiment based on the above device, the first sending unit is specifically configured to send an HTTP request to the dynamic URL under the monitored domain name, the HTTP request including the detection character string;
the first receiving unit is specifically configured to treat the response character string returned for the detection character string as received when a valid HTTP response returned for the HTTP request is received, the HTTP response including the response character string, and the response character string being obtained by the monitored server by computing over the detection character string using the preset algorithm.
In another embodiment based on the above device, the device further comprises a comparison unit and an update unit;
the first sending unit is further configured to send, according to a preset detection cycle, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server; and is specifically configured to perform, according to the comparison result of the comparison unit, the operation of sending the detection character string to the URL under the monitored domain name when the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value;
the first receiving unit is further configured to receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time to live (TTL) field value;
the comparison unit is configured to compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value;
the update unit is configured to update, according to the identification result of the identification unit, the history TTL value to the TTL field value in the ICMP echo reply packet when it is identified that network link hijacking has not occurred for the monitored server.
In another embodiment based on the above device, the device further comprises:
an alarm unit, configured to output, according to the identification result of the identification unit, an alarm message indicating that network link hijacking has occurred for the monitored server when it is identified that network link hijacking has occurred for the monitored server.
To solve the above technical problem, according to yet another aspect of the embodiments of the present invention, a network link hijacking processing device is provided, comprising:
a second storage unit, configured to store a preset algorithm;
a second receiving unit, configured to receive the detection character string sent by a network link hijacking detection device;
a second computing unit, configured to compute over the detection character string using the preset algorithm to obtain a response character string;
a second sending unit, configured to return the response character string to the network link hijacking detection device.
Network link hijacking is harmful both to network users and to the development of websites. The network detection method, system and device provided by the above embodiments of the present invention offer a way to detect actively and automatically whether network link hijacking has occurred for a server: the detection device sends a detection character string to a URL under the monitored domain name, and whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. Compared with the passive, manual identification of network link hijacking in the prior art, this improves the discovery rate of network link hijacking and saves labor cost.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Description of the drawings
The accompanying drawings, which constitute a part of the specification, illustrate embodiments of the present invention and, together with the description, serve to explain the principles of the present invention.
The present invention can be understood more clearly from the following detailed description with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of one embodiment of the network detection method of the present invention.
Fig. 2 is a flow chart of another embodiment of the network detection method of the present invention.
Fig. 3 is a flow chart of a further embodiment of the network detection method of the present invention.
Fig. 4 is a structural diagram of one embodiment of the network detection device of the present invention.
Fig. 5 is a structural diagram of another embodiment of the network detection device of the present invention.
Fig. 6 is a structural diagram of one embodiment of the network link hijacking processing device of the present invention.
Fig. 7 is a structural diagram of one embodiment of the network detection system of the present invention.
Detailed description of the embodiments
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that, unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to actual scale.
The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present invention or its application or use.
Techniques, methods and devices known to those of ordinary skill in the relevant art may not be discussed in detail but, where appropriate, should be considered part of the specification.
It should be noted that like reference numerals and letters denote like items in the following drawings; therefore, once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
Fig. 1 is a flow chart of one embodiment of the network detection method of the present invention. As shown in Fig. 1, the network detection method of this embodiment comprises:
102: A detection device sends a detection character string to a dynamic URL (Uniform Resource Locator) under a monitored domain name.
Here, the monitored domain name is the domain name used by the monitored server.
The detection devices of the embodiments of the present invention may be distributed in the networks where network link hijacking is likely to occur, for example in home networks or carrier networks, and more specifically in the access network of a carrier network.
104: Whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string.
The web page content served from a forged IP address always differs in some unexpected way from the real content; for example, when the content of a URL is updated on the origin server that uses the real IP address, the server behind the forged IP address will not be updated in time. In the network detection method provided by the above embodiment of the present invention, the detection device sends a detection character string to a dynamic URL under the monitored domain name, and whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. This provides an active, automatic way of detecting whether network link hijacking has occurred for a server; compared with the passive, manual identification of network link hijacking in the prior art, it improves the discovery rate of network link hijacking and saves labor cost.
In another embodiment of the network detection method of the present invention, a preset algorithm and a detection character string uniquely corresponding to the detection device may also be set on the detection device in advance. The detection character string may be, for example, a randomly assigned globally unique number or a device identifier that uniquely identifies a detection device. The detection device computes over its detection character string using the preset algorithm to obtain an expected character string uniquely corresponding to the detection character string; the expected character string may be the detection character string itself, or a new character string different from the detection character string.
An identical algorithm, namely the preset algorithm of the embodiments of the present invention, is set in advance on the detection device and on the monitored server. Because the detection character strings of different detection devices differ, the expected character strings that different detection devices obtain by applying the preset algorithm to their own detection character strings also differ; but for any given detection device, the expected character string that the detection device and the monitored server each compute from the same detection character string using the preset algorithm is identical, and the two cannot differ. The detection device can therefore effectively identify whether network link hijacking has occurred for the monitored server by comparing whether the received response character string is identical to the expected character string. Moreover, when the expected character string is a new character string different from the detection character string, the case in which a server at the forged IP address intercepts the detection character string and returns it to the detection device is guarded against, which improves the safety and reliability of detection.
According to one specific, non-limiting example of the embodiments of the network detection method of the present invention, when the detection character string is sent to the dynamic URL under the monitored domain name in operation 102, an HTTP (Hyper Text Transport Protocol) request may specifically be sent to the dynamic URL under the monitored domain name, the HTTP request including the detection character string.
According to another specific, non-limiting example of the embodiments of the network detection method of the present invention, in operation 104 the response character string returned for the detection character string may be considered received when a valid HTTP response returned for the HTTP request is received, the HTTP response including the response character string. A valid HTTP response means that the HTTP response is readable and that the web page address carried in it is accessible.
In another embodiment of the network detection method of the present invention, the same preset algorithm as on the detection device may also be set on the monitored server in advance. On receiving the detection character string or the HTTP request sent by the detection device, the monitored server may use the preset algorithm to compute over the detection character string, whether it was sent directly or carried in the HTTP request, obtain the response character string, and return it to the detection device either directly or in an HTTP response.
In a further embodiment of the network detection method of the present invention, when it is identified that network link hijacking has occurred for the monitored server, an alarm message indicating that network link hijacking has occurred for the monitored server may be output.
Specifically, the alarm message may be sent to a recipient according to a preset alarm mode and recipient address. The alarm mode may be, for example, email, SMS or IM (Instant Messaging); the recipient address is correspondingly an email address, a mobile phone number, an instant messaging user number, and so on.
Fig. 2 is a flow chart of another embodiment of the network detection method of the present invention. As shown in Fig. 2, the network detection method of this embodiment comprises:
202: According to a preset detection cycle, the detection device sends an ICMP (Internet Control Messages Protocol) echo request packet to the IP address used by the monitored server and receives the ICMP echo reply packet returned by the monitored server. The ICMP echo reply packet includes a TTL (Time to Live) field value, that is, the TTL value carried in the TTL field.
TTL is the time a data packet can survive on the network. Different web server systems (that is, the operating systems used by servers) have different initial TTL values, which are set by the operating system specification; for example, the initial TTL of the Windows operating system is 128 and the initial TTL of the Linux operating system is 64. Each time a data packet transmitted between a network user and a server passes through a router, network segment or hop, the TTL value is decremented by 1. A server with a forged IP address is generally deployed in the middle of the IP link between the user and the real website server, so the TTL remaining when a packet sent from the real website server's IP address reaches the user terminal differs, in most cases, from the TTL remaining when a packet sent by the server with the forged IP address reaches the user terminal.
Operation 202 is triggered periodically according to the preset detection cycle.
204: The TTL field value in the ICMP echo reply packet is compared with the history TTL value stored in the detection device to determine whether they are consistent.
The stored history TTL value is the most recent TTL value observed when network link hijacking had not occurred for the monitored server.
If the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value, the link over which the IP address used by the monitored server was reached in the previous detection differs from the link over which it was reached in this detection. This may be because a network link adjustment by the operator caused packets to traverse a few more or a few fewer routing hops, consuming more or less TTL; or it may be because network link hijacking has occurred, that is, the IP address reached in this detection is not the IP address used by the real monitored server. To rule out false positives, operation 206 is performed. Otherwise, if the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value, the network link is considered normal and the remaining operations of this embodiment are not performed.
206: The detection device sends the detection character string to a dynamic URL under the monitored domain name used by the monitored server.
208: Whether network link hijacking has occurred for the monitored server is identified according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string.
If it is identified that network link hijacking has not occurred for the monitored server, operation 210 is performed. Otherwise, if it is identified that network link hijacking has occurred for the monitored server, operation 212 may optionally be performed.
210: The history TTL value is updated to the TTL field value in the ICMP echo reply packet, so that the next detection cycle judges whether network link hijacking has occurred on the basis of the latest history TTL value.
After that, no subsequent operation is performed.
212: An alarm message indicating that network link hijacking has occurred for the monitored server is output.
Fig. 3 is a flow chart of a further embodiment of the network detection method of the present invention. This embodiment is described using one specific example; from the description of the embodiments of the present invention, those skilled in the art can derive other implementations. As shown in Fig. 3, the network detection method of this embodiment may be performed by the detection device and comprises the following operations:
302: The domain name and IP address used by the monitored server are configured on the detection device. According to a preset detection cycle, for example 4 to 8 hours, the detection device sends an ICMP echo request packet to the IP address used by the monitored server and receives the ICMP echo reply packet returned by the monitored server; the ICMP echo reply packet includes a TTL field value.
Operation 302 is triggered according to the preset detection cycle.
304: The TTL field value in the ICMP echo reply packet is compared with the history TTL value stored in the detection device to determine whether they are consistent.
If the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value, operation 306 is performed. Otherwise, if the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value, the remaining operations of this embodiment are not performed.
306: Using the device identifier of the detection device as the detection character string, the detection device sends it in an HTTP request to a dynamic URL under the monitored domain name used by the monitored server.
For example, the detection device may send the HTTP request to the monitored server using the POST method. The POST method is generally used to send an update request, with an attached request entity, to a destination server; in the embodiments of the present invention, the POST method is used to submit the detection character string in the HTTP request to the specified dynamic URL resource for processing.
308: It is judged whether an HTTP response carrying a response character string, returned by the monitored server for the HTTP request, is received within a preset reception duration.
If an HTTP response carrying a response character string is received, operation 310 is performed. Otherwise, if no HTTP response carrying a response character string is received, network link hijacking is considered to have occurred for the monitored server and operation 316 is performed.
310: It is judged whether the web page address carried in the received HTTP response is accessible, that is, whether the corresponding web page exists and whether its content can be accessed.
If the web page address carried in the received HTTP response is accessible, operation 312 is performed. Otherwise, if the web page address carried in the received HTTP response is not accessible, operation 316 is performed.
312: It is judged whether the response character string in the HTTP response is identical to the expected character string.
If the response character string in the HTTP response is identical to the expected character string, network link hijacking is considered not to have occurred for the monitored server and operation 314 is performed. Otherwise, if the response character string in the HTTP response is not identical to the expected character string, network link hijacking is considered to have occurred for the monitored server, and operation 312 may optionally be performed.
314: The stored history TTL value is updated to the TTL field value in the ICMP echo reply packet.
After that, no subsequent operation of this embodiment is performed.
316: An alarm message indicating that network link hijacking has occurred for the monitored server is output.
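The detection cycle of Fig. 3 (operations 302 to 316), written out as an added Python example; it is not code from the patent. Assumptions: the unspecified preset algorithm is taken to be HMAC-SHA256 under a key provisioned on both sides, the ICMP and HTTP exchanges are replaced by injected callables so the example runs offline, and all names, keys and TTL values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def preset_algorithm(key: bytes, detection_string: str) -> str:
    """Assumed preset algorithm (the patent does not name one): HMAC-SHA256.
    It yields a new string different from the detection string."""
    return hmac.new(key, detection_string.encode(), hashlib.sha256).hexdigest()


@dataclass
class HttpReply:
    body: str             # response character string carried in the HTTP response
    page_reachable: bool  # operation 310: is the web page address in it accessible?


# Stand-ins for the network: the TTL of an ICMP echo reply, and an HTTP POST
# of the detection string that returns None when the reception duration expires.
IcmpProbe = Callable[[], int]
HttpProbe = Callable[[str], Optional[HttpReply]]


@dataclass
class Detector:
    detection_string: str  # e.g. the device identifier (operation 306)
    key: bytes             # hypothetical shared key for the assumed algorithm
    history_ttl: int       # last TTL seen while no hijacking was identified
    alerts: List[str] = field(default_factory=list)

    def _alert(self, reason: str) -> str:
        # Operation 316: output an alarm message.
        self.alerts.append(f"network link hijacking suspected: {reason}")
        return f"hijack:{reason}"

    def run_cycle(self, icmp_probe: IcmpProbe, http_probe: HttpProbe) -> str:
        ttl = icmp_probe()                                    # 302
        if ttl == self.history_ttl:                           # 304
            return "ok:ttl-unchanged"
        reply = http_probe(self.detection_string)             # 306
        if reply is None:                                     # 308
            return self._alert("no-response")
        if not reply.page_reachable:                          # 310
            return self._alert("invalid-response")
        expected = preset_algorithm(self.key, self.detection_string)
        if not hmac.compare_digest(reply.body.encode(), expected.encode()):  # 312
            return self._alert("string-mismatch")
        self.history_ttl = ttl                                # 314
        return "ok:route-change"


def genuine_server(key: bytes) -> HttpProbe:
    """Processing device on the monitored server: applies the same algorithm."""
    return lambda s: HttpReply(preset_algorithm(key, s), True)


def echoing_hijacker(detection_string: str) -> Optional[HttpReply]:
    """Forged server that reflects the intercepted detection string back."""
    return HttpReply(detection_string, True)


def silent_hijacker(detection_string: str) -> Optional[HttpReply]:
    """Forged server that never answers the dynamic URL."""
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    d = Detector("probe-0001", key, history_ttl=52)
    print(d.run_cycle(lambda: 52, genuine_server(key)))   # TTL unchanged, no HTTP probe
    print(d.run_cycle(lambda: 50, genuine_server(key)))   # route change, baseline updated
    print(d.run_cycle(lambda: 58, echoing_hijacker))      # reflected string is rejected
    print(d.run_cycle(lambda: 58, silent_hijacker))       # timeout raises an alarm
    print(d.alerts)
```

A TTL change with a correct response only moves the stored baseline, while a reflected detection string fails the comparison because the expected string is not the detection string itself.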
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Fig. 4 is a structural diagram of one embodiment of the network detection device of the present invention. The network detection device of this embodiment can be used to implement each of the above method embodiments of the present invention. As shown in Fig. 4, the network detection device of this embodiment includes a first sending unit 402, a first receiving unit 404 and an identification unit 406. Wherein:
The first sending unit 402 is configured to send a detection character string to the URL under the monitored domain name, the monitored domain name being the domain name used by the monitored server.
The first receiving unit 404 is configured to receive the response character string.
The identification unit 406 is configured to identify whether network link hijacking has occurred on the monitored server according to whether the first receiving unit 404 receives a response character string returned for the detection character string and whether the received response character string is identical to the expected character string.
The network detection device provided by the above embodiment of the present invention sends a detection character string to the dynamic URL under the monitored domain name and identifies whether network link hijacking has occurred on the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. This provides an active, automatic way of detecting whether a server has experienced network link hijacking. Compared with the prior-art approach of passively relying on manual identification of network link hijacking, it improves the discovery rate of network link hijacking and saves labor cost.
Fig. 5 is a structural diagram of another embodiment of the network detection device of the present invention. As shown in Fig. 5, compared with the embodiment shown in Fig. 4, the network detection device of this embodiment further includes a first storage unit 502 and a first calculation unit 504. Wherein:
The first storage unit 502 is configured to store the preset algorithm set in advance, the detection character string uniquely corresponding to this network detection device, and the expected character string. The expected character string is calculated by the network detection device from the detection character string using the preset algorithm.
The first calculation unit 504 is configured to perform a calculation on the detection character string using the preset algorithm, obtain the expected character string uniquely corresponding to the detection character string, and store it in the first storage unit 502. The expected character string may be the detection character string itself or a new character string different from the detection character string.
In a specific, non-limiting example of the above network detection device embodiments of the present invention, the first sending unit 402 is specifically configured to send an HTTP request to the dynamic URL under the monitored domain name, the HTTP request including the detection character string. Accordingly, the first receiving unit 404, upon receiving a valid HTTP response returned for the HTTP request, considers that the response character string returned for the detection character string has been received. The HTTP response includes the response character string, which the monitored server obtains by performing a calculation on the detection character string using the preset algorithm.
In addition, referring again to Fig. 5, another embodiment of the network detection device of the present invention further includes a comparison unit 506 and an update unit 508. In this embodiment, the first sending unit 402 is further configured to send an ICMP echo request packet to the IP address used by the monitored server according to a preset detection period and, according to the comparison result of the comparison unit 506, to perform the operation of sending the detection character string to the URL under the monitored domain name when the TTL field value in the ICMP echo reply packet is inconsistent with the stored history TTL value. The first receiving unit 404 is further configured to receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value. Accordingly, the comparison unit 506 is configured to compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value. The update unit 508 is configured to update the stored history TTL value to the TTL field value in the ICMP echo reply packet when, according to the identification result of the identification unit 406, the monitored server is identified as not having experienced network link hijacking.
Further, referring again to Fig. 5, a further embodiment of the network detection device of the present invention may also include an alarm unit 510, configured to output, according to the identification result of the identification unit 406, alarm information indicating that network link hijacking has occurred on the monitored server when the monitored server is identified as having experienced network link hijacking.
Fig. 6 is a structural diagram of one embodiment of the network link hijacking processing device of the present invention. The network link hijacking processing device of this embodiment can be coupled to and arranged in the monitored server, and implements the functions of the monitored server in each of the above method embodiments of the present invention. As shown in Fig. 6, the network link hijacking processing device of this embodiment includes a second storage unit 602, a second receiving unit 604, a second calculation unit 606 and a second sending unit 608. Wherein:
The second storage unit 602 is configured to store the preset algorithm, which is consistent with the preset algorithm in the network detection device.
The second receiving unit 604 is configured to receive the detection character string sent by the network detection device.
The second calculation unit 606 is configured to perform a calculation on the detection character string received by the second receiving unit 604, using the preset algorithm in the second storage unit 602, to obtain the response character string.
The second sending unit 608 is configured to return to the network detection device the response character string calculated by the second calculation unit 606.
The network link hijacking processing device provided by the above embodiment of the present invention can perform a calculation on the received detection character string using the preset algorithm, obtain the response character string and return it to the detection device, so that the detection device can identify whether network link hijacking has occurred on the monitored server. This provides an active, automatic way of detecting whether a server has experienced network link hijacking. Compared with the prior-art approach of passively relying on manual identification of network link hijacking, it improves the discovery rate of network link hijacking and saves labor cost.
Fig. 7 is a structural diagram of one embodiment of the network detection system of the present invention. The network detection system of this embodiment can be used to implement each of the above method embodiments of the present invention. As shown in Fig. 7, the network detection system of this embodiment includes a detection device 10 and a processing device 20. Wherein:
The detection device 10 is configured to send a detection character string to the URL under the monitored domain name, the monitored domain name being the domain name used by the monitored server and the dynamic URL being the address of the processing device 20 coupled to and arranged in the monitored server; and to identify whether network link hijacking has occurred on the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string.
Multiple detection devices of the embodiment of the present invention may be deployed as needed, distributed across the networks in which network link hijacking readily occurs, for example home networks or carrier networks, and more specifically the access network of a carrier network.
The processing device 20 is coupled to and arranged in the monitored server and is configured, upon receiving the detection character string sent by the detection device 10, to return a response character string to the detection device 10 for that detection character string.
In the network detection system provided by the above embodiment of the present invention, the detection device sends a detection character string to the dynamic URL under the monitored domain name and identifies whether network link hijacking has occurred on the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to the expected character string. This provides an active, automatic way of detecting whether a server has experienced network link hijacking. Compared with the prior-art approach of passively relying on manual identification of network link hijacking, it improves the discovery rate of network link hijacking and saves labor cost. Multiple detection devices of the embodiment of the present invention may be deployed according to detection needs, distributed across the networks in which network link hijacking readily occurs. Each detection device performs network detection on a schedule, so that possible network link hijacking is actively discovered and an alarm is raised, which actively improves the discovery rate of website link hijacking.
In another embodiment of the above network detection system of the present invention, the detection device 10 is further configured to perform a calculation on the detection character string using the preset algorithm to obtain the expected character string uniquely corresponding to the detection character string. The expected character string may be the detection character string itself or a new character string different from the detection character string. Correspondingly, the processing device 20 is further configured to perform a calculation on the received detection character string using the preset algorithm to obtain the response character string.
In another embodiment of the above network detection system of the present invention, the detection device 10 is further configured to: send an ICMP echo request packet to the IP address used by the monitored server according to a preset detection period, and receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value; compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value; in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, perform the operation of sending the detection character string to the URL under the monitored domain name; and, in response to identifying that the monitored server has not experienced network link hijacking, update the stored history TTL value to the TTL field value in the ICMP echo reply packet.
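The detection cycle described above (ICMP TTL pre-check, probe of the dynamic URL only when the TTL changes, comparison against the expected character string, history TTL update or alarm) can be sketched as follows. This is an added example, not code from the patent: the preset algorithm is assumed to be HMAC-SHA256 under a shared key, and the network is replaced by a constructed `SimulatedPath` with made-up TTL values so the sketch runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def preset_algorithm(key: bytes, detection_string: str) -> str:
    # Assumption: the page only says "preset algorithm". HMAC-SHA256 under a key
    # shared by detector and processing device is used here as one possible choice.
    return hmac.new(key, detection_string.encode(), hashlib.sha256).hexdigest()


@dataclass
class Detector:
    key: bytes
    detection_string: str                        # unique to this detection device
    ping: Callable[[], Optional[int]]            # TTL of the ICMP echo reply, or None
    http_probe: Callable[[str], Optional[str]]   # response string, or None if no valid response
    history_ttl: Optional[int] = None
    alarms: List[Tuple[str, Optional[int]]] = field(default_factory=list)

    def run_cycle(self) -> str:
        """One detection period: TTL pre-check, then probe only if the TTL changed."""
        ttl = self.ping()
        # Assumption: a missing echo reply is treated like a changed TTL.
        if ttl is not None and ttl == self.history_ttl:
            return "ttl-unchanged"
        expected = preset_algorithm(self.key, self.detection_string)
        response = self.http_probe(self.detection_string)
        if response is not None and hmac.compare_digest(response.encode(), expected.encode()):
            if ttl is not None:
                self.history_ttl = ttl   # path changed, but the server answered correctly
            return "ok"
        # Either no valid response, or a response the server did not compute.
        self.alarms.append(("no-response" if response is None else "mismatch", ttl))
        return "hijack-suspected"


class SimulatedPath:
    """Constructed stand-in for the network between detector and monitored server."""
    TTLS = {"clean": 52, "rerouted": 55, "hijacked": 61, "blackhole": 61}  # made-up values

    def __init__(self, key: bytes):
        self.key = key
        self.mode = "clean"

    def ping(self) -> Optional[int]:
        return self.TTLS[self.mode]

    def http_probe(self, detection_string: str) -> Optional[str]:
        if self.mode == "hijacked":
            return "<html>substituted page</html>"   # answer not produced by the server
        if self.mode == "blackhole":
            return None                               # no valid HTTP response at all
        # Processing device on the monitored server: same preset algorithm.
        return preset_algorithm(self.key, detection_string)


def demo():
    key = b"constructed-shared-key"
    path = SimulatedPath(key)
    det = Detector(key, "probe-detector-01", path.ping, path.http_probe)
    results = []
    for mode in ["clean", "clean", "rerouted", "hijacked", "blackhole"]:
        path.mode = mode
        results.append(det.run_cycle())
    return results, det.history_ttl, det.alarms


if __name__ == "__main__":
    print(demo())
```

The "rerouted" cycle shows why the history TTL is updated only after a successful probe: a legitimate route change passes the string check and becomes the new baseline, while a changed TTL followed by a wrong or missing response raises the alarm and leaves the baseline untouched.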
The embodiments in this specification are described progressively. Each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Because the device and system embodiments substantially correspond to the method embodiments, they are described relatively briefly; for the related parts, see the description of the method embodiments.
The method, system and device of the present invention may be implemented in many ways, for example in software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is for illustration only, and the steps of the method of the present invention are not limited to the order specifically described above unless otherwise specifically stated. In addition, in some embodiments the present invention may also be embodied as programs recorded on a recording medium, the programs including machine-readable instructions for implementing the method according to the present invention. The present invention thus also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention is given for purposes of illustration and description, and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to better explain the principles and practical application of the invention, and to enable those of ordinary skill in the art to understand the invention and thereby design various embodiments, with various modifications, suited to particular uses.
Claims (10)
1. A network detection method, characterized by comprising:
sending, by a detection device, a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server;
identifying whether network link hijacking has occurred on the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string.
2. The method according to claim 1, characterized by further comprising:
setting in advance, on the detection device, a preset algorithm and a detection character string uniquely corresponding to the detection device;
performing, by the detection device, a calculation on the detection character string using the preset algorithm to obtain the expected character string uniquely corresponding to the detection character string, the expected character string comprising the detection character string or a new character string different from the detection character string.
3. The method according to claim 1 or 2, characterized in that sending the detection character string to the dynamic URL under the monitored domain name comprises: sending an HTTP request to the dynamic URL under the monitored domain name, the HTTP request including the detection character string;
receiving the response character string returned for the detection character string comprises: receiving a valid HTTP response returned for the HTTP request, the HTTP response including the response character string.
4. The method according to claim 3, characterized by further comprising:
setting the preset algorithm in advance on the monitored server; and
in response to receiving the HTTP request sent by the detection device, performing, by the monitored server, a calculation on the detection character string using the preset algorithm to obtain the response character string, and returning it to the detection device in the HTTP response.
5. The method according to claim 1 or 2, characterized by further comprising:
sending, by the detection device according to a preset detection period, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server, and receiving the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value;
comparing whether the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, performing the operation of sending, by the detection device, the detection character string to the URL under the monitored domain name; and
in response to identifying that the monitored server has not experienced network link hijacking, updating the history TTL value to the TTL field value in the ICMP echo reply packet.
6. The method according to claim 1 or 2, characterized by further comprising:
in response to identifying that the monitored server has experienced network link hijacking, outputting alarm information indicating that network link hijacking has occurred on the monitored server.
7. A network detection system, characterized by comprising a detection device and a processing device; wherein:
the detection device is configured to send a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server and the dynamic URL being the address of the processing device; and to identify whether network link hijacking has occurred on the monitored server according to whether a response character string returned for the detection character string is received and whether the received response character string is identical to an expected character string;
the processing device is coupled to and arranged in the monitored server and is configured, upon receiving the detection character string sent by the detection device, to return a response character string to the detection device for the detection character string.
8. The system according to claim 7, characterized in that the detection device is further configured to perform a calculation on the detection character string using a preset algorithm to obtain the expected character string uniquely corresponding to the detection character string, the expected character string comprising the detection character string or a new character string different from the detection character string;
the processing device is further configured to perform a calculation on the detection character string using the preset algorithm to obtain the response character string.
9. The system according to claim 7 or 8, characterized in that the detection device is further configured to:
send, according to a preset detection period, an Internet Control Message Protocol (ICMP) echo request packet to the IP address used by the monitored server, and receive the ICMP echo reply packet returned by the monitored server, the ICMP echo reply packet including a time-to-live (TTL) field value;
compare whether the TTL field value in the ICMP echo reply packet is consistent with the stored history TTL value;
in response to the TTL field value in the ICMP echo reply packet being inconsistent with the stored history TTL value, perform the operation of sending the detection character string to the URL under the monitored domain name; and
in response to identifying that the monitored server has not experienced network link hijacking, update the history TTL value to the TTL field value in the ICMP echo reply packet.
10. A network detection device, characterized by comprising:
a first sending unit, configured to send a detection character string to a dynamic uniform resource locator (URL) under a monitored domain name, the monitored domain name being the domain name used by a monitored server;
a first receiving unit, configured to receive a response character string;
an identification unit, configured to identify whether network link hijacking has occurred on the monitored server according to whether the first receiving unit receives a response character string returned for the detection character string and whether the received response character string is identical to an expected character string.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510662480.2A CN106603464A (en) | 2015-10-14 | 2015-10-14 | Network detection method, system and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106603464A (en) | 2017-04-26 |
Family
ID=58551873
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510662480.2A Pending CN106603464A (en) | 2015-10-14 | 2015-10-14 | Network detection method, system and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106603464A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095681A (en) * | 2012-12-03 | 2013-05-08 | 微梦创科网络科技(中国)有限公司 | Loophole detection method and device |
CN103401836A (en) * | 2013-07-01 | 2013-11-20 | 北京卓易讯畅科技有限公司 | Method and device used for judging whether webpage is hijacked by ISP (internet service provider) or not |
CN103546590A (en) * | 2013-10-18 | 2014-01-29 | 北京奇虎科技有限公司 | Method and device for choosing DNS (domain name server) |
CN103685584A (en) * | 2012-09-07 | 2014-03-26 | 中国科学院计算机网络信息中心 | Method and system of resisting domain name hijacking based on tunnelling |
CN104092647A (en) * | 2013-11-25 | 2014-10-08 | 腾讯科技(深圳)有限公司 | Network access method, system and client |
CN104239577A (en) * | 2014-10-09 | 2014-12-24 | 北京奇虎科技有限公司 | Method and device for detecting authenticity of webpage data |
Non-Patent Citations (1)
Title |
---|
LAKE2: ""链路劫持攻击一二三"", 《腾讯安全应急响应中心》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107018156A (en) * | 2017-06-01 | 2017-08-04 | 北京云端智度科技有限公司 | The defence support method of Domain Hijacking |
CN107294803A (en) * | 2017-06-15 | 2017-10-24 | 北京小度信息科技有限公司 | Response message conformance test method and device |
CN109218270A (en) * | 2017-07-06 | 2019-01-15 | 北京京东尚科信息技术有限公司 | A kind of method and apparatus handling request of being held as a hostage |
CN107360187A (en) * | 2017-08-21 | 2017-11-17 | 网宿科技股份有限公司 | A kind of processing method of network abduction, apparatus and system |
CN107360187B (en) * | 2017-08-21 | 2020-09-25 | 网宿科技股份有限公司 | Network hijacking processing method, device and system |
CN109474587A (en) * | 2018-11-01 | 2019-03-15 | 北京亚鸿世纪科技发展有限公司 | The method that HTTP based on letter peace system kidnaps monitoring analysis and positioning |
CN112311724A (en) * | 2019-07-26 | 2021-02-02 | 贵州白山云科技股份有限公司 | Method, device, medium and equipment for positioning HTTP hijacking |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 100083 No. 401, 4th Floor, Haitai Building, 229 North Fourth Ring Road, Haidian District, Beijing. Applicant after: Beijing Guoshuang Technology Co.,Ltd. Address before: 100086 Cuigong Hotel, 76 Zhichun Road, Shuangyushu District, Haidian District, Beijing. Applicant before: Beijing Guoshuang Technology Co.,Ltd. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170426 |
RJ01 | Rejection of invention patent application after publication |