CN106790071B - Method and device for detecting DNS full-flow hijacking risk - Google Patents


Info

Publication number: CN106790071B
Application number: CN201611191559.2A
Authority: CN (China)
Other versions: CN106790071A (application publication)
Other languages: Chinese (zh)
Inventor: 陈耀攀
Original assignee: Beijing Qihu Ceteng Science & Technology Co ltd
Current assignees: Beijing Hongteng Intelligent Technology Co ltd; Beijing Qihu Hongteng Technology Co ltd; 360 Digital Security Technology Group Co Ltd
Prior art keywords: target, addresses, domain names, risk, dns
Legal status: Active (granted)

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The embodiment of the invention provides a method and a device for detecting the risk of DNS full-traffic hijacking, intended to improve the accuracy of that detection. The method comprises the following steps: obtaining one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking, where the known IP addresses corresponding to the one or more target domain names are different from each other; performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses; judging whether the same address exists among the one or more target IP addresses; and when the same address exists among the one or more target IP addresses, determining that the user equipment (UE) has a risk of DNS full-traffic hijacking.

Description

Method and device for detecting DNS full-flow hijacking risk
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting DNS full-flow hijacking risks.
Background
With the popularization and ever deeper application of networks, all kinds of information in people's daily lives is becoming more closely bound to the network. Accordingly, detection of network security problems is becoming more important.
Taking DNS (Domain Name System) full-traffic hijacking detection as an example, some related techniques detect it as follows: first, a blacklist library is stored on the electronic device or on the server, recording a number of IP (Internet Protocol) addresses that carry a risk of DNS full-traffic hijacking. The target domain name is resolved to obtain the corresponding IP address, and the resolved IP address is then compared against the blacklist library. If the resolved IP address is not in the IP address blacklist library, it is judged that no risk of DNS full-traffic hijacking currently exists.
However, attackers often control many IP addresses and even take over new ones, so the blacklist library cannot record all of the risky IP addresses. Detecting the risk of DNS full-traffic hijacking by this method therefore has the technical problem of low detection accuracy.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting the risk of DNS full-traffic hijacking, intended to improve the accuracy of that detection.
In a first aspect, the present invention provides a method for detecting the risk of DNS full-traffic hijacking, including:
obtaining one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the one or more target domain names are specifically wide area network domain names;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses;
judging whether a local area network address exists among the one or more target IP addresses;
and when a local area network address exists among the one or more target IP addresses, determining that the user equipment (UE) has a risk of DNS full-traffic hijacking.
Optionally, when no local area network address exists among the one or more target IP addresses, the method further includes:
judging whether the same address exists among the one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different from each other;
and when the same address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking.
Optionally, the method further includes:
and when the same address does not exist among the one or more target IP addresses, determining that the UE does not have a risk of DNS full-traffic hijacking.
Optionally, obtaining one or more target domain names for detecting the risk of DNS full-traffic hijacking includes:
reading the one or more target domain names that were issued by a server corresponding to the UE and stored in a storage space of the UE; or
determining one or more domain names that meet a preset condition from among a plurality of candidate domain names as the one or more target domain names.
Optionally, before performing DNS resolution on the one or more target domain names, the method further includes:
judging whether the UE has connected to a new wireless access point (AP);
and when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
In a second aspect, the present invention provides a method for detecting the risk of DNS full-traffic hijacking, including:
obtaining one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the known IP addresses corresponding to the one or more target domain names are different from each other;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses;
judging whether the same address exists among the one or more target IP addresses;
and when the same address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking.
Optionally, when the same address does not exist among the one or more target IP addresses, the method further includes:
judging whether a local area network address exists among the one or more target IP addresses; wherein the one or more target domain names are specifically wide area network domain names;
and when a local area network address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking.
Optionally, the method further includes:
and when no local area network address exists among the one or more target IP addresses, determining that the UE does not have a risk of DNS full-traffic hijacking.
Optionally, obtaining one or more target domain names for detecting the risk of DNS full-traffic hijacking includes:
reading the one or more target domain names that were issued by a server corresponding to the UE and stored in a storage space of the UE; or
determining one or more domain names that meet a preset condition from among a plurality of candidate domain names as the one or more target domain names.
Optionally, before performing DNS resolution on the one or more target domain names, the method further includes:
judging whether the UE has connected to a new wireless access point (AP);
and when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
In a third aspect, the present invention provides a method for detecting the risk of DNS full-traffic hijacking, including:
obtaining one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the one or more target domain names are specifically wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from each other;
performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, so as to obtain one or more target IP addresses;
judging whether a local area network address exists among the one or more target IP addresses and whether the same address exists among the one or more target IP addresses;
and when a local area network address exists among the one or more target IP addresses, or the same address exists among the one or more target IP addresses, determining that the user equipment (UE) has a risk of DNS full-traffic hijacking.
In a fourth aspect, the present invention provides a device for detecting the risk of DNS full-traffic hijacking, including:
an obtaining module, configured to obtain one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the one or more target domain names are specifically wide area network domain names;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses;
a first judging module, configured to judge whether a local area network address exists among the one or more target IP addresses;
and a first determining module, configured to determine that the user equipment (UE) has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
Optionally, for the case where no local area network address exists among the one or more target IP addresses, the apparatus further includes:
a second judging module, configured to judge whether the same address exists among the one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different from each other;
and a second determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when the same address exists among the one or more target IP addresses.
Optionally, the apparatus further comprises:
a third determining module, configured to determine that the UE does not have a risk of DNS full-traffic hijacking when the same address does not exist among the one or more target IP addresses.
Optionally, the obtaining module is configured to read the one or more target domain names that were issued by the server corresponding to the UE and stored in the storage space of the UE; or to determine one or more domain names that meet a preset condition from among a plurality of candidate domain names as the one or more target domain names.
Optionally, the apparatus further comprises:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
In a fifth aspect, the present invention provides a device for detecting the risk of DNS full-traffic hijacking, including:
an obtaining module, configured to obtain one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the known IP addresses corresponding to the one or more target domain names are different from each other;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses;
a first judging module, configured to judge whether the same address exists among the one or more target IP addresses;
and a first determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when the same address exists among the one or more target IP addresses.
Optionally, for the case where the same address does not exist among the one or more target IP addresses, the apparatus further includes:
a second judging module, configured to judge whether a local area network address exists among the one or more target IP addresses; wherein the one or more target domain names are specifically wide area network domain names;
and a second determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
Optionally, the apparatus further comprises:
a third determining module, configured to determine that the UE does not have a risk of DNS full-traffic hijacking when no local area network address exists among the one or more target IP addresses.
Optionally, the obtaining module is configured to read the one or more target domain names that were issued by the server corresponding to the UE and stored in the storage space of the UE; or to determine one or more domain names that meet a preset condition from among a plurality of candidate domain names as the one or more target domain names.
Optionally, the apparatus further comprises:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
In a sixth aspect, the present invention provides a device for detecting the risk of DNS full-traffic hijacking, including:
an obtaining module, configured to obtain one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the one or more target domain names are specifically wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from each other;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, so as to obtain one or more target IP addresses;
a judging module, configured to judge whether a local area network address exists among the one or more target IP addresses and whether the same address exists among the one or more target IP addresses;
and a determining module, configured to determine that the user equipment (UE) has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses or the same address exists among the one or more target IP addresses.
One or more technical solutions in the embodiments of the present application have at least one or more of the following technical effects:
In the technical solution of the embodiment of the invention, one or more target domain names for detecting the risk of DNS full-traffic hijacking are obtained, and these target domain names are specifically wide area network domain names. DNS resolution is then performed on them to obtain the target IP address corresponding to each target domain name, giving one or more target IP addresses, and it is judged whether a local area network address exists among them. Because the IP address legitimately corresponding to a target domain name is a wide area network address, the UE is determined to have a risk of DNS full-traffic hijacking when a local area network address appears among the target IP addresses. Thus, even if the target IP address resolved from the target domain name is not in any blacklist library, the fact that it is a local area network address shows that the network the UE is currently connected to may be hijacking all traffic, and the UE can be determined to have a risk of DNS full-traffic hijacking. The technical solution therefore improves the detection accuracy for DNS full-traffic hijacking.
Furthermore, the technical solution of the embodiment of the invention does not need to compare against a large blacklist database and therefore does not need to store one, which saves the device resources that storing a blacklist database would occupy.
Furthermore, because the technical solution of the embodiment of the invention can be executed by the UE alone, without the participation of a server, it avoids the situation in which an attacker who has hijacked DNS monitors the interaction between the UE and the server, interferes with the detection, or even sends the UE false information indicating that the network is safe.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of a first method for detecting risk of DNS full traffic hijacking according to an embodiment of the present invention;
fig. 2 is a flowchart of a second method for detecting risk of DNS full traffic hijacking according to an embodiment of the present invention;
fig. 3 is a flowchart of a third method for detecting risk of DNS full traffic hijacking according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a first DNS full traffic hijacking risk detection apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a second DNS full traffic hijacking risk detection apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a third DNS full traffic hijacking risk detection apparatus according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method and a device for detecting the risk of DNS full-traffic hijacking, intended to improve the accuracy of that detection.
In order to solve the above technical problem, the general idea of the technical solution provided by the invention is as follows:
In the technical solution of the embodiment of the invention, one or more target domain names for detecting the risk of DNS full-traffic hijacking are obtained, DNS resolution is performed on them, and the target IP address corresponding to each target domain name is obtained, giving one or more target IP addresses. Then: if the one or more target domain names are wide area network domain names, it is judged whether a local area network address exists among the target IP addresses, and if so the UE is determined to have a risk of DNS full-traffic hijacking; or, if the one or more target domain names are domain names whose known IP addresses differ from each other, it is judged whether the same address exists among the target IP addresses, and if so the UE is determined to have a risk of DNS full-traffic hijacking; or, if the one or more target domain names are wide area network domain names whose known IP addresses differ from each other, both checks are made, and the UE is determined to have a risk of DNS full-traffic hijacking if either a local area network address or a repeated address exists among the target IP addresses.
The technical solutions of the present invention are described in detail below with reference to the drawings and specific embodiments. It should be understood that the specific features of the embodiments and examples are detailed explanations of the technical solutions of the present application, not limitations on them, and that the technical features of the embodiments and examples may be combined with each other where they do not conflict.
The term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
A first aspect of the present invention provides a method for detecting the risk of DNS full-traffic hijacking; please refer to fig. 1, which is a flowchart of the first method for detecting the risk of DNS full-traffic hijacking in an embodiment of the present invention. The method comprises the following steps:
S101: obtaining one or more target domain names for detecting the risk of Domain Name System (DNS) full-traffic hijacking; wherein the one or more target domain names are specifically wide area network domain names;
S102: performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses;
S103: judging whether a local area network address exists among the one or more target IP addresses;
S104: and when a local area network address exists among the one or more target IP addresses, determining that the user equipment (UE) has a risk of DNS full-traffic hijacking.
The one or more target domain names in the embodiment of the invention are one domain name, or a group of domain names, used as test names for detecting DNS full-traffic hijacking. So that the risk can be detected through these target domain names, each target domain name in the embodiment of the invention is specifically a wide area network domain name. In a specific implementation, the UE may obtain the target domain names at the moment it detects the risk of DNS full-traffic hijacking, or may obtain them in advance while no detection is running; the present invention does not limit this.
The time at which the DNS full-traffic hijacking detection of S102 to S104 runs may be any time after the UE is powered on, a time repeated at a preset interval (for example, detection started every hour), or each time the UE connects to a network. Alternatively, before S102, the method further includes:
judging whether the UE is accessed to a new wireless Access Point (AP);
and when the UE accesses a new AP, executing the step of performing DNS resolution on the one or more target domain names.
Specifically, in the embodiment of the present invention there are two cases in which an AP (access point) counts as new. Let T1 denote an arbitrary time. In the first case, the UE was connected to a first AP before T1 and at T1 switches to a second AP different from the first; the second AP is then a new AP. In the second case, the UE was not connected to any AP before T1 and connects to a third AP at T1; the third AP is then a new AP.
For the first case, when the UE switches AP or AC (access controller), it obtains the SSID (Service Set IDentifier) of the AP or AC connected to after the switch and the SSID of the AP or AC connected to before the switch, and judges whether the two SSIDs are the same. If the SSID after the switch differs from the SSID before the switch, the UE has connected to a new AP. At this point the UE cannot know whether the network it is now on, that is, the network of the new AP, carries a risk of DNS full-traffic hijacking, so S102 is executed and the DNS full-traffic hijacking risk detection is started. In other words, when the UE moves to a new network, the detection of S102 to S104 is run against that new network.
For the second case, when the UE goes from being connected to no AP to being connected to an AP, it likewise cannot know whether the network it has just joined carries a risk of DNS full-traffic hijacking, so S102 is executed and the detection is started. In other words, when the UE first connects to a network, the detection of S102 to S104 is run against that network.
There are various ways of obtaining the target domain names in S101; two of them are described below. Specifically, S101 of the embodiment of the present invention may be implemented as follows:
reading the one or more target domain names that were issued by a server corresponding to the UE and stored in a storage space of the UE; or
determining one or more domain names that meet a preset condition from among a plurality of candidate domain names as the one or more target domain names.
Specifically, the one or more target domain names obtained by the UE in the embodiment of the present invention may be issued by a server, may be configured and selected by the UE itself, or may be partly received from the server and partly configured by the UE. In a specific implementation, a person skilled in the art may choose according to practical needs, and the present invention is not particularly limited in this respect.
Specifically, if the server issues the target domain names, then, since the target domain names in the embodiment of the present invention are wide area network domain names, the server selects one or more wide area network domain names as target domain names and issues them to the UE at any time. After receiving the one or more target domain names issued by the server, the UE stores them in its storage space, and reads them from that storage space whenever target domain names are needed.
For example, the server issues the following JSON-structured data to the UE:
[JSON payload issued by the server; shown only as an image in the original and not reproduced here]
The UE receives this JSON data and parses out ten target domain names, namely baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores these ten target domain names in its storage space. When target domain names are needed, the UE reads baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn out of the storage space.
If the target domain names are configured by the UE itself, the UE determines one or more domain names that meet a preset condition from among multiple candidate domain names as the target domain names. Specifically, the candidate domain names may be domain names the UE has visited historically, domain names currently reachable, and so on; the present invention is not particularly limited in this respect. In the embodiment of the present invention, because the target domain names are wide area network domain names, the preset condition is specifically "is a wide area network domain name", and the UE selects one or more wide area network domain names from the candidate domain names as the target domain names.
In a specific implementation, a person skilled in the art may choose either of the two ways of obtaining the target domain names according to practical needs, or a combination of the two; the present invention is not particularly limited in this respect.
After obtaining one or more target domain names in S101, in S102, the UE performs DNS resolution on each domain name to obtain an IP address corresponding to each target domain name. In the embodiment of the invention, the IP address obtained by resolving the target domain name through the DNS is called the target IP address.
Next, in S103, it is determined whether or not a local network address exists among all the target IP addresses. Specifically, the method for determining whether a target IP address is a local area network IP address is to determine whether the target IP address is in any one of ClassA, ClassB, or ClassC. Wherein, the address range of the ClassA section is 10.0.0-10.255.255.255, the address range of the ClassB section is 172.16.0.0-172.31.255.255, and the address range of the ClassC area is 192.168.0.0-192.168.255.255. If the target IP address is located in any one of the ClassA, ClassB or ClassC intervals, the target IP address is represented as a local area network address; on the contrary, if the target IP address is not in the interval between ClassA, ClassB and ClassC, it means that the target IP address is not a local area network address.
Since the target domain name in the embodiment of the present invention is a wide area network domain name, and the IP address corresponding to the wide area network domain name is a wide area network address under a security condition, if a local area network address exists in one or more target IP addresses, it indicates that the AP or AC accessed by the UE at this time may be hijacked. Therefore, when the local network address exists in the one or more target IP addresses, it is determined that the UE has DNS full traffic hijacking in S104.
As can be seen from the above description, since the IP address corresponding to the target domain name is a wide area network address, when a local area network address exists in one or more target IP addresses, it is determined that the UE has a risk of DNS full traffic hijacking. Therefore, even if the target IP address resolved by the target domain name is not in the blacklist library, the UE can still be determined to have the risk of DNS full-traffic hijacking. Therefore, the technical scheme of the embodiment of the invention improves the detection accuracy of DNS full flow hijacking.
Furthermore, the technical scheme of the embodiment of the invention does not need to compare with a huge blacklist database, and further does not need to store the blacklist database in the electronic equipment or the server, so that the equipment resources occupied by storing the blacklist database are saved.
In a specific implementation process, the above S101 to S104 may all be executed by the UE, or the UE executes S101 to S102 and the server executes S103 to S104, that is, the UE resolves the target IP addresses and reports them to the server for detection and judgment. When the UE executes S101 to S104 on its own, no participation of the server is needed to detect DNS full traffic hijacking, so the invention further prevents an attacker who has hijacked the DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is secure.
Further, as an optional embodiment, in order to further detect a risk of DNS full traffic hijacking, when a local network address does not exist in the one or more target IP addresses, the method may further include:
judging whether the one or more target IP addresses have the same address or not; wherein, the known IP addresses corresponding to the one or more target domain names are different;
and when the same address exists in the one or more target IP addresses, determining that the UE has the risk of DNS full-flow hijacking.
Specifically, in the embodiment of the present invention, the target domain name is not only a wide area network domain name, but also known IP addresses of the target domain names are all different. In other words, the target domain name is specifically a domain name of the wide area network corresponding to a different IP address.
Therefore, if the target domain name is issued by the server, the server selects, through resolution verification, one or more wide area network domain names whose corresponding IP addresses are different and issues them to the UE as the target domain names, so that the UE stores the target domain names; when a target domain name is to be obtained, the UE reads one or more wide area network domain names with different known IP addresses from the storage space.
For example, through resolution verification, the server determines that the IP addresses corresponding to the ten wide area network domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn, and www.cmbc.com.cn are all different. The ten domain names and the corresponding IP address of each are shown in table 1.
TABLE 1
[Table 1 is reproduced in the original only as an image: the ten domain names listed above, each with its corresponding, mutually different, IP address.]
Therefore, the server issues the following JSON structure data to the UE,
[The JSON structure is reproduced in the original only as an image; it carries the ten target domain names.]
the UE receives the data of the JSON structure, parses out the ten target domain names, i.e., baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn, and www.cmbc.com.cn, and stores the ten target domain names in the storage space of the UE. When a target domain name needs to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read out from the storage space.
If the target domain name is determined by the UE, the preset condition is specifically that the candidate domain name is a wide area network domain name whose corresponding IP addresses differ from those of the other selected domain names. DNS resolution is then performed on the multiple candidate domain names to obtain the one or more IP addresses corresponding to each candidate domain name, and a candidate domain name is selected as a target domain name when the intersection of its IP addresses with those of the other selected candidates is the empty set and it is a wide area network domain name.
In a specific implementation process, the IP address returned to the UE by an attacker may also be a wide area network address, so in the embodiment of the present invention, when no local area network address exists in the one or more target IP addresses, it is further determined whether the same address exists among the one or more target IP addresses in order to detect a risk of DNS full traffic hijacking.
When DNS full traffic hijacking occurs, all domain names visited by the UE resolve to the same IP address. Meanwhile, to avoid being discovered, an attacker sometimes returns to the UE an IP address chosen at random from a group of IP addresses, all of which belong to servers controlled by the attacker. So, if the same address appears more than once among the one or more target IP addresses, it indicates that the AP or AC accessed by the UE may have been hijacked. Therefore, when no local area network address exists in the one or more target IP addresses but the same address exists, it is determined that the UE has a risk of DNS full traffic hijacking.
For example, assume that the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33, and 123.125.112.202. None of the 5 target IP addresses is a local area network address, but the 1st target IP address is the same as the 5th, so the same address exists among the target IP addresses, and the UE is determined to have a risk of DNS full traffic hijacking.
Alternatively, as another example, assume that the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33, and 123.125.112.202. None of the 5 target IP addresses is a local area network address, but the 1st target IP address is the same as the 5th and the 2nd is the same as the 4th, so the same address exists among the target IP addresses, and the UE is determined to have a risk of DNS full traffic hijacking.
It can be seen from the above description that when the local network address does not exist in the target IP address analyzed by the UE, it is further determined whether the same address exists in the target IP address, and if the same address exists, it is determined that the DNS full traffic hijacking exists in the UE. Therefore, the detection accuracy of the embodiment of the invention is further improved by judging whether the local area network address exists in the target IP address and further judging whether the same address exists in the target IP address when the local area network address does not exist to detect the risk of DNS full flow hijacking.
Further, with reference to the foregoing embodiment, the method in the embodiment of the present invention further includes:
and when the same address does not exist in the one or more target IP addresses, determining that the UE does not have the risk of DNS full flow hijacking.
Specifically, when the same address does not exist among the one or more target IP addresses, each current target domain name has been correctly resolved to a different wide area network IP address, so the probability of DNS full traffic hijacking is low; therefore, when no local area network address exists in the one or more target IP addresses and, further, no address is repeated, it is determined that the UE does not have the risk of DNS full traffic hijacking.
Referring to fig. 2, a flowchart of a second method for detecting a DNS full traffic hijacking risk in an embodiment of the present invention is provided. The method comprises the following steps:
S201: obtaining one or more target domain names for detecting the risk of domain name system DNS full-traffic hijacking; wherein, the known IP addresses corresponding to the one or more target domain names are different;
S202: performing DNS analysis on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each target domain name so as to obtain one or more target IP addresses;
S203: judging whether the one or more target IP addresses have the same address or not;
S204: and when the same address exists in the one or more target IP addresses, determining that the UE has the risk of DNS full-flow hijacking.
In a specific implementation process, the time for starting the second detection method for detecting the DNS full traffic hijacking risk to detect the network security is the same as the starting time of the first detection method for detecting the DNS full traffic hijacking risk, and details are not repeated here. In the above steps, S201 is similar to S101, and S202 is similar to S102, and since S101 and S102 have been described in detail in the foregoing, repeated description of the same parts in the embodiments of the present invention is omitted.
S201 is different from S101 in that the target domain name in the embodiment of the present invention is specifically a domain name with different known IP addresses, so that if the target domain name is issued by the server, the server selects one or more domain names with different corresponding IP addresses to issue to the UE as the target domain name through resolution verification, so that the UE stores the target domain name, and when the target domain name is obtained, the UE reads one or more target domain names with different known corresponding IP addresses from the storage space.
For example, through resolution verification, the server determines that the IP addresses corresponding to the ten domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are all different, as shown in table 1.
Therefore, the server issues the following JSON structure data to the UE,
[The JSON structure is reproduced in the original only as an image; it carries the ten target domain names.]
the UE receives the data of the JSON structure, parses out the ten target domain names, i.e., baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn, and www.cmbc.com.cn, and stores the ten target domain names in the storage space of the UE. When a target domain name needs to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read out from the storage space.
In addition, S201 differs from S101 in that the target domain name in the embodiment of the present invention is specifically a domain name whose known IP addresses are different, so if the target domain name is determined by the UE, the preset condition is specifically that the IP addresses corresponding to the selected domain names are different. DNS resolution is then performed on the multiple candidate domain names to obtain the one or more IP addresses corresponding to each candidate domain name, and a candidate domain name is selected as a target domain name when the intersection of its IP addresses with those of the other selected candidates is the empty set.
Next, in S203, it is determined whether the same address exists among the one or more target IP addresses. Specifically, when DNS full traffic hijacking occurs, all domain names visited by the UE resolve to the same IP address. Meanwhile, to avoid being discovered, an attacker sometimes returns to the UE an IP address chosen at random from a group of IP addresses, all of which belong to servers controlled by the attacker. So, if the same address appears more than once among the one or more target IP addresses, it indicates that the AP or AC accessed by the UE may have been hijacked. Therefore, when the same address exists among the one or more target IP addresses, it is determined in S204 that the UE has a risk of DNS full traffic hijacking.
For example, assume that the target IP addresses specifically include 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202, and the 1 st target IP address and the 5 th target IP address are the same, so it is determined that the same address exists in the target IP addresses, and it is determined that the UE is at risk of DNS full traffic hijacking.
Or, for another example, assume that the target IP addresses specifically include 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33, and 123.125.112.202, the 1 st target IP address is the same as the 5 th target IP address, and the 2 nd target IP address is the same as the 4 th target IP address, so it is determined that the same address exists in the target IP addresses, and it is further determined that the UE has a risk of DNS full traffic hijacking.
As can be seen from the above description, since it is known that IP addresses corresponding to target domain names are different, when the same address exists in one or more target IP addresses, it is determined that the UE has a risk of DNS full traffic hijacking. Therefore, even if the target IP address resolved by the target domain name is not in the blacklist library, the UE can still be determined to have the risk of DNS full-traffic hijacking. Therefore, the technical scheme of the embodiment of the invention improves the detection accuracy of DNS full flow hijacking.
Furthermore, the technical scheme of the embodiment of the invention does not need to compare with a huge blacklist database, and further does not need to store the blacklist database in the electronic equipment or the server, so that the equipment resources occupied by storing the blacklist database are saved.
In a specific implementation process, the above S201 to S204 may all be executed by the UE, or the UE executes S201 to S202 and the server executes S203 to S204, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination. When the UE executes S201 to S204 on its own, no participation of the server is needed to detect DNS full traffic hijacking, so the invention further prevents an attacker who has hijacked the DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is secure.
Further, as an optional embodiment, in order to further detect a risk of DNS full traffic hijacking, when the same address does not exist in the one or more target IP addresses, the method may further include:
judging whether a local area network address exists in the one or more target IP addresses; wherein the one or more target domain names are specifically wide area network domain names;
and when the local area network address exists in the one or more target IP addresses, determining that the UE has the risk of DNS full flow hijacking.
Specifically, in the embodiment of the present invention, the target domain name is not only a domain name whose known IP addresses are all different, but also a wide area network domain name. In other words, the target domain name is specifically a domain name of the wide area network corresponding to a different IP address.
Therefore, if the target domain name is issued by the server, the server selects one or more wide area network domain names with different corresponding IP addresses to issue to the UE as the target domain name through resolution verification, so that the UE stores the target domain name, and further, when the target domain name is obtained, the UE reads one or more known IP addresses which are different and are the target domain name of the wide area network domain name from the storage space.
If the target domain name is determined by the UE, the preset condition is specifically that the candidate domain name is a wide area network domain name whose corresponding IP addresses differ from those of the other selected domain names. DNS resolution is then performed on the multiple candidate domain names to obtain the one or more IP addresses corresponding to each candidate domain name, and a candidate domain name is selected as a target domain name when the intersection of its IP addresses with those of the other selected candidates is the empty set and it is a wide area network domain name.
In a specific implementation process, an attacker may happen to return different target IP addresses to the UE, yet a local area network address among those target IP addresses can still expose the hijacking, so in the embodiment of the present invention, when the same address does not exist among the one or more target IP addresses, it is further determined whether a local area network address exists in the one or more target IP addresses in order to detect a risk of DNS full traffic hijacking.
The method for determining whether one or more target IP addresses are IP addresses of a local area network has been described in detail above, and therefore, the description thereof is not repeated here.
Since the target domain name in the embodiment of the present invention is a wide area network domain name, and the IP address corresponding to the wide area network domain name is a wide area network address under a security condition, if a local area network address exists in one or more target IP addresses, it indicates that the AP or AC accessed by the UE at this time may be hijacked. Therefore, when the same address does not exist in the one or more target IP addresses but a local network address exists, it is determined that the UE has DNS full traffic hijacking.
It can be seen from the above description that when the same address does not exist in the target IP address analyzed by the UE, it is further determined whether the local network address exists in the target IP address, and if the local network address exists, it is determined that the DNS full traffic hijacking exists in the UE. Therefore, the detection accuracy of the embodiment of the invention is further improved by judging whether the same address exists in the target IP address and further judging whether the local area network address exists in the target IP address when the same address does not exist to detect the risk of DNS full flow hijacking.
Further, with reference to the foregoing embodiment, the method in the embodiment of the present invention further includes:
and when the local area network address does not exist in the one or more target IP addresses, determining that the UE does not have the risk of DNS full flow hijacking.
Specifically, when a local area network address does not exist in one or more target IP addresses, it indicates that each current target domain name can be accurately resolved to a different wide area network IP address, so that the probability of DNS full traffic hijacking is low at this time, and therefore when the same address does not exist in one or more target IP addresses, and further when the local area network address does not exist, it is determined that the UE does not have the risk of DNS full traffic hijacking.
Referring to fig. 3, a flowchart of a third method for detecting a DNS full traffic hijacking risk in an embodiment of the present invention is provided. The method comprises the following steps:
S301: obtaining one or more target domain names for detecting the risk of domain name system DNS full-traffic hijacking; the one or more target domain names are specifically wide area network domain names, and known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different;
S302: performing DNS analysis on the one or more target domain names to obtain a target IP address corresponding to each target domain name, and further obtain one or more target IP addresses;
S303: judging whether one or more target IP addresses have local area network addresses and whether one or more target IP addresses have the same address;
S304: and when the local area network address exists in the one or more target IP addresses or the same address exists in the one or more target IP addresses, determining that the user equipment UE has the risk of DNS full flow hijacking.
In a specific implementation process, the time for starting the third detection method for detecting the DNS full traffic hijacking risk to detect the network security is the same as the starting time of the first detection method and the second detection method for detecting the DNS full traffic hijacking risk, and details are not repeated here. In the above steps, S301 is similar to S101 and S201, and S302 is similar to S102 and S202, and since S101 and S102 have been described in detail in the foregoing, repeated description of the same parts in the embodiments of the present invention is omitted.
S301 differs from S101 in that the target domain name in the embodiment of the present invention is specifically a wide area network domain name whose known IP addresses are different, so that if the target domain name is issued by the server, the server selects, through resolution verification, one or more wide area network domain names whose corresponding IP addresses are different and issues them to the UE as the target domain names, so that the UE stores the target domain names; when a target domain name is to be obtained, the UE reads from the storage space one or more target domain names that are wide area network domain names with different known IP addresses.
If the target domain name is determined by the UE, the preset condition is specifically that the candidate domain name is a wide area network domain name whose corresponding IP addresses differ from those of the other selected domain names. DNS resolution is then performed on the multiple candidate domain names to obtain the one or more IP addresses corresponding to each candidate domain name, and a candidate domain name is selected as a target domain name when the intersection of its IP addresses with those of the other selected candidates is the empty set and it is a wide area network domain name.
Next, in S303, it is determined whether a local area network address exists among the one or more target IP addresses and whether the same address exists. If a local area network address exists among the one or more target IP addresses, or the same address exists, it indicates that the AP or AC accessed by the UE may have been hijacked. Therefore, when there is a local area network address among the one or more target IP addresses, or the same address exists, it is determined in S304 that the UE has a risk of DNS full traffic hijacking.
For example, assume that the target IP addresses specifically include 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33, and 123.125.112.202. The 5 target IP addresses are all wide area network addresses, the 1 st target IP address is the same as the 5 th target IP address, and the UE is determined to have DNS full flow hijacking risk.
Alternatively, as another example, assume that the target IP addresses specifically include 123.125.112.202, 220.181.12.208, 111.206.227.118, 175.25.168.40, and 192.168.1.1. The 5 target IP addresses are different, and the 5 th target IP address is a local area network address, so that the UE is determined to have the risk of DNS full-flow hijacking.
Or, for another example, assume that the target IP addresses specifically include 123.125.112.202, 123.125.112.202, 111.206.227.118, 175.25.168.40, and 192.168.1.1, the 5 th target IP address is a local area network address, and the 1 st target IP address is the same as the 2 nd target IP address, thereby determining that the UE has a risk of DNS full traffic hijacking.
As can be seen from the above description, since the target domain names are known to correspond to different known IP addresses, and each known IP address is known to be a wide area network address, when a local area network address exists in one or more target IP addresses, or the same target IP address exists, it is determined that the UE has a risk of DNS full traffic hijacking. Therefore, even if the target IP address resolved by the target domain name is not in the blacklist library, the UE can still be determined to have the risk of DNS full-traffic hijacking. Therefore, the technical scheme of the embodiment of the invention improves the detection accuracy of DNS full flow hijacking.
Furthermore, the technical scheme of the embodiment of the invention does not need to compare with a huge blacklist database, and further does not need to store the blacklist database in the electronic equipment or the server, so that the equipment resources occupied by storing the blacklist database are saved.
In a specific implementation process, the above S301 to S304 may all be executed by the UE, or the UE executes S301 to S302 and the server executes S303 to S304, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination. When the UE executes S301 to S304 on its own, no participation of the server is needed to detect DNS full traffic hijacking, so the invention further prevents an attacker who has hijacked the DNS from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is secure.
Further, with reference to the foregoing embodiment, the method in the embodiment of the present invention further includes:
and when the local area network address does not exist in the one or more target IP addresses and the same address does not exist in the one or more target IP addresses, determining that the UE does not have the risk of DNS full traffic hijacking.
Specifically, when no local area network address exists among the one or more target IP addresses and no address is repeated, each current target domain name has been correctly resolved to a different wide area network IP address, so the possibility of DNS full traffic hijacking is low; therefore, when no local area network address exists in the one or more target IP addresses and the same address does not exist, it is determined that the UE does not have a risk of DNS full traffic hijacking.
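As an added example (not code from the patent or its assignee), the following Python implements the UE-side checks described above: the selection of target domain names that are wide area network domain names with mutually disjoint IP addresses (the preset condition of S301, and likewise S101/S201), and the combined decision of S303/S304 that flags either a local area network address or a repeated address. The three address ranges are those the text lists; the candidate domain names, the 203.0.113.x/198.51.100.x addresses and `fake_resolver` in the demonstration are constructed sample data, while the three target IP lists are the ones given in the text.

```python
"""Added example: UE-side detection of DNS full traffic hijacking risk."""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass, field

# ClassA, ClassB and ClassC private intervals exactly as listed in the text.
LAN_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
)


def is_lan_address(address: str) -> bool:
    """True if the address lies in any of the three local area network intervals."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LAN_RANGES)


def select_target_domains(candidates: dict[str, set[str]]) -> list[str]:
    """Choose target domain names from candidate resolution results (S301 preset condition).

    A candidate is kept only if every address it resolved to is a wide area network
    address and its address set does not intersect the addresses of candidates already
    kept, i.e. the intersection is the empty set. Greedy, in input order.
    """
    selected: list[str] = []
    used: set[str] = set()
    for domain, addresses in candidates.items():
        if not addresses or any(is_lan_address(a) for a in addresses):
            continue
        if addresses & used:
            continue
        selected.append(domain)
        used |= addresses
    return selected


def resolve_targets(domains: list[str], resolver=None) -> list[str]:
    """S302: resolve each target domain name to one target IP address.

    `resolver` is injectable so the check can run offline; the default performs a live
    lookup through the UE's configured DNS, which is the path a hijacking AP/AC alters.
    """
    if resolver is None:
        resolver = socket.gethostbyname
    return [resolver(d) for d in domains]


@dataclass
class RiskResult:
    at_risk: bool
    lan_addresses: list[str] = field(default_factory=list)
    duplicate_addresses: list[str] = field(default_factory=list)


def detect_hijack_risk(target_ips: list[str]) -> RiskResult:
    """S303/S304: risk if any target IP is a LAN address, or if any two target IPs
    (resolved from domains whose known addresses differ) are identical."""
    lan = [ip for ip in target_ips if is_lan_address(ip)]
    seen: set[str] = set()
    dupes: list[str] = []
    for ip in target_ips:
        if ip in seen and ip not in dupes:
            dupes.append(ip)
        seen.add(ip)
    return RiskResult(bool(lan or dupes), lan, dupes)


if __name__ == "__main__":
    # Constructed candidate resolution results (hypothetical names and addresses).
    candidates = {
        "a.example": {"203.0.113.1"},
        "b.example": {"203.0.113.1", "203.0.113.2"},  # shares an address with a.example
        "c.example": {"198.51.100.7"},
        "d.example": {"10.0.0.5"},                     # resolves to a LAN address
    }
    targets = select_target_domains(candidates)
    print("target domains:", targets)  # ['a.example', 'c.example']

    # Offline stand-in for the UE's resolver: a hijacked answer for c.example.
    fake_resolver = {"a.example": "203.0.113.1", "c.example": "203.0.113.1"}.__getitem__
    print(detect_hijack_risk(resolve_targets(targets, fake_resolver)))

    # The three target IP lists from the third method's examples.
    for ips in (
        ["123.125.112.202", "220.181.12.208", "111.206.227.118", "110.76.19.33", "123.125.112.202"],
        ["123.125.112.202", "220.181.12.208", "111.206.227.118", "175.25.168.40", "192.168.1.1"],
        ["123.125.112.202", "123.125.112.202", "111.206.227.118", "175.25.168.40", "192.168.1.1"],
    ):
        print(detect_hijack_risk(ips))
```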
Based on the same inventive concept as the method for detecting the risk of the DNS full traffic hijacking in the first aspect, a fourth aspect of the present invention provides a device for detecting the risk of the DNS full traffic hijacking, as shown in fig. 4, including:
an obtaining module 101, configured to obtain one or more target domain names for detecting a risk of domain name system DNS full traffic hijacking; wherein the one or more target domain names are specifically wide area network domain names;
the resolution module 102 is configured to perform DNS resolution on the one or more target domain names, obtain a target internet protocol IP address corresponding to each target domain name, and further obtain one or more target IP addresses;
a first determining module 103, configured to determine whether a local area network address exists in the one or more target IP addresses;
a first determining module 104, configured to determine that the user equipment UE has a risk of DNS full traffic hijacking when a local area network address exists in the one or more target IP addresses.
Further, when the local area network address does not exist in the one or more target IP addresses, the apparatus in the embodiment of the present invention further includes:
the second judging module is used for judging whether the same address exists in the one or more target IP addresses or not; wherein, the known IP addresses corresponding to the one or more target domain names are different;
a second determining module, configured to determine that the UE has a risk of DNS full traffic hijacking when the same address exists in the one or more target IP addresses.
Further, the apparatus in the embodiment of the present invention further includes:
a third determining module, configured to determine that the UE does not have a risk of DNS full traffic hijacking when the same address does not exist in the one or more target IP addresses.
Specifically, the obtaining module 101 is configured to read the one or more target domain names that are issued by a server corresponding to the UE and stored in a storage space of the UE; or to determine one or more domain names meeting preset conditions from a plurality of candidate domain names as the one or more target domain names.
Further, the apparatus in the embodiment of the present invention further includes:
a third determining module, configured to determine whether the UE accesses a new wireless access point AP before performing DNS resolution on the one or more target domain names;
and when the UE accesses a new AP, informing the resolution module to perform DNS resolution on the one or more target domain names.
Various changes and specific examples of the first method for detecting the risk of the DNS full traffic hijacking in the embodiment of fig. 1 are also applicable to the device for detecting the risk of the DNS full traffic hijacking in the embodiment of the present invention, and through the detailed description of the method for detecting the risk of the DNS full traffic hijacking, a person skilled in the art can clearly know the method for implementing the device for detecting the risk of the DNS full traffic hijacking in the embodiment of the present invention, so for the brevity of the description, detailed description is not given here.
Based on the same inventive concept as the method for detecting the risk of DNS full-traffic hijacking in the second aspect, a fifth aspect of the present invention provides a second apparatus for detecting the risk of DNS full-traffic hijacking, as shown in fig. 5, including:
an obtaining module 201, configured to obtain one or more target domain names for detecting a risk of domain name system (DNS) full-traffic hijacking, where the known IP addresses corresponding to the one or more target domain names differ from one another;
a resolution module 202, configured to perform DNS resolution on the one or more target domain names, obtaining a target Internet Protocol (IP) address corresponding to each target domain name and thus one or more target IP addresses;
a first judging module 203, configured to judge whether any two of the one or more target IP addresses are the same address;
a first determining module 204, configured to determine that the UE (user equipment) has a risk of DNS full-traffic hijacking when the same address exists among the one or more target IP addresses.
Further, for the case in which no same address exists among the one or more target IP addresses, the apparatus in the embodiment of the present invention further includes:
a second judging module, configured to judge whether a local area network address exists among the one or more target IP addresses, the one or more target domain names being wide area network domain names;
a second determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
Furthermore, the apparatus in the embodiment of the present invention further includes:
a third determining module, configured to determine that the UE does not have a risk of DNS full-traffic hijacking when no local area network address exists among the one or more target IP addresses.
Specifically, the obtaining module 201 is configured to read the one or more target domain names, which were issued by a server corresponding to the UE and stored in a storage space of the UE; or to determine, from a plurality of candidate domain names, one or more domain names meeting preset conditions as the one or more target domain names.
Furthermore, the apparatus in the embodiment of the present invention further includes:
a third judging module, configured to judge, before DNS resolution of the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and to notify the resolution module to perform DNS resolution on the one or more target domain names when the UE has connected to a new AP.
The variations and specific examples given for the second detection method in the embodiment of fig. 2 apply equally to this apparatus for detecting the risk of DNS full-traffic hijacking. From the detailed description of that method, a person skilled in the art can readily see how the apparatus of this embodiment is implemented, so for brevity it is not described again here.
Based on the same inventive concept as the method for detecting the risk of DNS full-traffic hijacking in the third aspect, a sixth aspect of the present invention provides a third apparatus for detecting the risk of DNS full-traffic hijacking, as shown in fig. 6, including:
an obtaining module 301, configured to obtain one or more target domain names for detecting a risk of domain name system (DNS) full-traffic hijacking; the one or more target domain names are wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to them differ from one another;
a resolution module 302, configured to perform DNS resolution on the one or more target domain names, obtaining a target IP address corresponding to each target domain name and thus one or more target IP addresses;
a judging module 303, configured to judge whether a local area network address exists among the one or more target IP addresses and whether any two of the one or more target IP addresses are the same address;
a determining module 304, configured to determine that the UE has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses or when the same address exists among the one or more target IP addresses.
The variations and specific examples given for the third detection method in the embodiment of fig. 3 apply equally to this apparatus for detecting the risk of DNS full-traffic hijacking. From the detailed description of that method, a person skilled in the art can readily see how the apparatus of this embodiment is implemented, so for brevity it is not described again here.
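The second and third apparatus above describe one procedure in two orderings: resolve several wide area network domain names whose legitimate addresses are known to differ, flag a risk when two answers coincide or when any answer is a local area network address, and trigger the check when the UE joins a new AP. The following Python is an added example of that procedure and is not code from the patent or its assignee. The domain names, addresses, the list of local address ranges, the AP identifier and the helper names (`select_targets`, `detect_hijack_risk`, `HijackMonitor`, `monitor_trace`) are assumptions, and fixed answer tables stand in for the real resolver so the example runs offline.

```python
"""Detection of DNS full-traffic hijacking from answer consistency, after the
apparatus described above. Added example, not the patent's or assignee's code.
Names, addresses and helper names below are constructed assumptions."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# "Local area network address" ranges. Assumption: the text does not enumerate
# them; RFC 1918 plus loopback and link-local (v4 and v6) are used here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the OS stub resolver, i.e. the path a hijacker controls."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def select_targets(candidates: Dict[str, str]) -> List[str]:
    """Preset condition: known addresses must be pairwise distinct. A candidate
    whose known address is already taken (two names on one CDN edge) is dropped."""
    chosen: List[str] = []
    used = set()
    for name, known_ip in candidates.items():
        if known_ip not in used:
            used.add(known_ip)
            chosen.append(name)
    return chosen


def is_lan_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def detect_hijack_risk(targets: Iterable[str],
                       resolve: Resolver = system_resolver) -> Dict[str, object]:
    """One round: resolve every target, then apply both checks in the text's order.
    Returns {"risk": bool, "reason": str, "answers": {name: address or None}}."""
    answers: Dict[str, Optional[str]] = {t: resolve(t) for t in targets}
    first_seen: Dict[str, str] = {}
    for name, addr in answers.items():          # check 1: identical answers
        if addr is None:
            continue
        if addr in first_seen:
            return {"risk": True, "answers": answers,
                    "reason": f"{first_seen[addr]} and {name} both resolve to {addr}"}
        first_seen[addr] = name
    for name, addr in answers.items():          # check 2: WAN name -> LAN address
        if addr is not None and is_lan_address(addr):
            return {"risk": True, "answers": answers,
                    "reason": f"{name} resolves to local address {addr}"}
    return {"risk": False, "answers": answers,
            "reason": "answers are distinct public addresses"}


class HijackMonitor:
    """Re-runs detection only when the device joins a different access point,
    as the pre-resolution AP check describes. The AP identifier (a BSSID, say)
    is an assumption; any stable per-network identifier serves."""

    def __init__(self, targets: List[str], resolve: Resolver = system_resolver):
        self.targets, self.resolve, self.last_ap = targets, resolve, None

    def on_network_event(self, ap_id: str) -> Optional[Dict[str, object]]:
        if ap_id == self.last_ap:
            return None                         # same AP: nothing to re-check
        self.last_ap = ap_id
        return detect_hijack_risk(self.targets, self.resolve)


def monitor_trace(ap_events: Iterable[str], targets: List[str],
                  resolve: Resolver) -> List[Optional[bool]]:
    """Feed AP events to one monitor; per event, the verdict or None if skipped."""
    mon = HijackMonitor(targets, resolve)
    return [(r or {}).get("risk") for r in map(mon.on_network_event, ap_events)]


# Constructed sample data: hypothetical names, documentation-range addresses.
# A dict's .get is a Resolver, so answer tables stand in for the network.
KNOWN = {"a.example": "198.51.100.10", "b.example": "203.0.113.7",
         "c.example": "198.51.100.10", "d.example": "203.0.113.40"}
TARGETS = select_targets(KNOWN)                 # c.example shares a.example's address
HONEST = KNOWN.get
SINKHOLED = {n: "203.0.113.99" for n in KNOWN}.get          # every name to one proxy
PORTAL = {"a.example": "192.168.1.1", "b.example": "203.0.113.7",
          "d.example": "203.0.113.40"}.get                  # one name to the gateway

if __name__ == "__main__":
    for label, res in (("honest", HONEST), ("sinkholed", SINKHOLED), ("portal", PORTAL)):
        print(label, detect_hijack_risk(TARGETS, res)["reason"])
    print(monitor_trace(["ap-1", "ap-1", "ap-2"], TARGETS, SINKHOLED))
```

Two caveats follow directly from the checks. The first check is only sound when the preset condition holds, which is why `select_targets` drops a candidate whose known address is already taken: two names legitimately served from one CDN address would otherwise trip it. Both checks inspect only the answers, so a hijacker that returns distinct public addresses under its own control, or that forwards honest answers and intercepts traffic elsewhere, is not caught by them.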
The technical solutions in the embodiments of the present application have at least one of the following technical effects:
In the technical solution of the embodiments of the present invention, one or more target domain names for detecting the risk of DNS full-traffic hijacking are obtained, the target domain names being wide area network domain names; DNS resolution is performed on them, giving a target IP address for each target domain name and thus one or more target IP addresses; and it is then judged whether a local area network address exists among the target IP addresses. Because the legitimate IP address of a wide area network domain name is a wide area network address, the UE is determined to have a risk of DNS full-traffic hijacking when any target IP address is a local area network address. Thus, even when a resolved target IP address is not in a blacklist library, a local area network answer indicates that the network the UE is currently connected to may be hijacking all of its traffic, and the UE is determined to be at risk. The technical solution therefore improves the detection accuracy for DNS full-traffic hijacking.
Furthermore, the technical solution of the embodiments does not need to compare resolved addresses against a large blacklist database, and therefore does not need to store one, saving the device resources such a database would occupy.
Furthermore, because the technical solution can be executed by the UE alone, without the participation of a server, an attacker who has hijacked DNS has no UE-server interaction to monitor, and so cannot interfere with the detection or send the UE false information indicating that the network is secure.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components of a gateway, proxy server or system according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
The invention discloses the following:
A1. A method for detecting the risk of DNS full-traffic hijacking, comprising:
obtaining one or more target domain names for detecting the risk of domain name system (DNS) full-traffic hijacking, where the known IP addresses corresponding to the one or more target domain names differ from one another;
performing DNS resolution on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each target domain name, and thus one or more target IP addresses;
judging whether any two of the one or more target IP addresses are the same address;
and when the same address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking.
A2. The method according to A1, wherein, when no same address exists among the one or more target IP addresses, the method further comprises:
judging whether a local area network address exists among the one or more target IP addresses, the one or more target domain names being wide area network domain names;
and when a local area network address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking.
A3. The method according to A2, further comprising:
when no local area network address exists among the one or more target IP addresses, determining that the UE does not have a risk of DNS full-traffic hijacking.
A4. The method according to any one of A1-A3, wherein obtaining one or more target domain names for detecting the risk of domain name system (DNS) full-traffic hijacking comprises:
reading the one or more target domain names, which were received from a server corresponding to the UE and stored in a storage space of the UE; or
determining, from a plurality of candidate domain names, one or more domain names meeting preset conditions as the one or more target domain names.
A5. The method according to any one of A1-A3, further comprising, before performing DNS resolution on the one or more target domain names:
judging whether the UE has connected to a new wireless access point (AP);
and when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
B6. An apparatus for detecting the risk of DNS full-traffic hijacking, comprising:
an obtaining module, configured to obtain one or more target domain names for detecting the risk of domain name system (DNS) full-traffic hijacking, where the known IP addresses corresponding to the one or more target domain names differ from one another;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each target domain name, and thus one or more target IP addresses;
a first judging module, configured to judge whether any two of the one or more target IP addresses are the same address;
a first determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when the same address exists among the one or more target IP addresses.
B7. The apparatus according to B6, wherein, when no same address exists among the one or more target IP addresses, the apparatus further comprises:
a second judging module, configured to judge whether a local area network address exists among the one or more target IP addresses, the one or more target domain names being wide area network domain names;
a second determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
B8. The apparatus according to B7, further comprising:
a third determining module, configured to determine that the UE does not have a risk of DNS full-traffic hijacking when no local area network address exists among the one or more target IP addresses.
B9. The apparatus according to any one of B6-B8, wherein the obtaining module is configured to read the one or more target domain names, which were received from a server corresponding to the UE and stored in a storage space of the UE; or to determine, from a plurality of candidate domain names, one or more domain names meeting preset conditions as the one or more target domain names.
B10. The apparatus according to any one of B6-B8, further comprising:
a third judging module, configured to judge, before DNS resolution of the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and to notify the resolution module to perform DNS resolution on the one or more target domain names when the UE has connected to a new AP.

Claims (8)

1. A method for detecting the risk of DNS full-traffic hijacking, comprising:
obtaining one or more target domain names for detecting the risk of domain name system (DNS) full-traffic hijacking, where the known IP addresses corresponding to the one or more target domain names differ from one another;
performing DNS resolution on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each target domain name, and thus one or more target IP addresses;
judging whether any two of the one or more target IP addresses are the same address;
when the same address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking;
when no same address exists among the one or more target IP addresses, judging whether a local area network address exists among the one or more target IP addresses, the one or more target domain names being wide area network domain names;
and when a local area network address exists among the one or more target IP addresses, determining that the UE has a risk of DNS full-traffic hijacking.
2. The method according to claim 1, further comprising:
when no local area network address exists among the one or more target IP addresses, determining that the UE does not have a risk of DNS full-traffic hijacking.
3. The method according to any one of claims 1-2, wherein obtaining one or more target domain names for detecting the risk of domain name system (DNS) full-traffic hijacking comprises:
reading the one or more target domain names, which were received from a server corresponding to the UE and stored in a storage space of the UE; or
determining, from a plurality of candidate domain names, one or more domain names meeting preset conditions as the one or more target domain names.
4. The method according to any one of claims 1-2, further comprising, before performing DNS resolution on the one or more target domain names:
judging whether the UE has connected to a new wireless access point (AP);
and when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
5. An apparatus for detecting the risk of DNS full-traffic hijacking, comprising:
an obtaining module, configured to obtain one or more target domain names for detecting the risk of domain name system (DNS) full-traffic hijacking, where the known IP addresses corresponding to the one or more target domain names differ from one another;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain a target Internet Protocol (IP) address corresponding to each target domain name, and thus one or more target IP addresses;
a first judging module, configured to judge whether any two of the one or more target IP addresses are the same address;
a first determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when the same address exists among the one or more target IP addresses;
a second judging module, configured to judge, when no same address exists among the one or more target IP addresses, whether a local area network address exists among the one or more target IP addresses, the one or more target domain names being wide area network domain names;
a second determining module, configured to determine that the UE has a risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses.
6. The apparatus according to claim 5, further comprising:
a third determining module, configured to determine that the UE does not have a risk of DNS full-traffic hijacking when no local area network address exists among the one or more target IP addresses.
7. The apparatus according to any one of claims 5-6, wherein the obtaining module is configured to read the one or more target domain names, which were received from a server corresponding to the UE and stored in a storage space of the UE; or to determine, from a plurality of candidate domain names, one or more domain names meeting preset conditions as the one or more target domain names.
8. The apparatus according to any one of claims 5-6, further comprising:
a third judging module, configured to judge, before DNS resolution of the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and to notify the resolution module to perform DNS resolution on the one or more target domain names when the UE has connected to a new AP.
CN201611191559.2A 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk Active CN106790071B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611191559.2A CN106790071B (en) 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk

Publications (2)

Publication Number Publication Date
CN106790071A CN106790071A (en) 2017-05-31
CN106790071B true CN106790071B (en) 2020-04-03

Family

ID=58897134

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611191559.2A Active CN106790071B (en) 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk

Country Status (1)

Country Link
CN (1) CN106790071B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790077B (en) * 2016-12-21 2020-05-26 北京奇虎科技有限公司 Method and device for detecting DNS full-flow hijacking risk
CN107979611B (en) * 2017-12-18 2020-09-29 北京奇艺世纪科技有限公司 Method and device for judging file hijacking
CN111510429B (en) * 2020-03-11 2021-07-09 南京大学 Analysis and detection method and system for flow hijacking in android system application and popularization

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104065762A (en) * 2014-05-30 2014-09-24 小米科技有限责任公司 Method and device for detecting hijacking of DNS (Domain Name Server)
CN104168339A (en) * 2014-06-30 2014-11-26 汉柏科技有限公司 Method and device for preventing domain name from being intercepted
CN105610867A (en) * 2016-03-01 2016-05-25 阿继琛 DNS (Domain Name System) hijack prevention method and apparatus
CN105656950A (en) * 2016-04-13 2016-06-08 南京烽火软件科技有限公司 HTTP (Hyper Text Transport Protocol) access hijack detection and purification device and method based on domain name
CN105763564A (en) * 2016-04-19 2016-07-13 成都知道创宇信息技术有限公司 DNS hijacking detection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9270646B2 (en) * 2009-04-20 2016-02-23 Citrix Systems, Inc. Systems and methods for generating a DNS query to improve resistance against a DNS attack

Also Published As

Publication number Publication date
CN106790071A (en) 2017-05-31

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
    Effective date of registration: 20200226
    Address after: 100000 Beijing, Suzhou Street, No., building on the ground floor, Building 29, No. 035, No. 12
    Applicant after: BEIJING QIHU CETENG SCIENCE & TECHNOLOGY Co.,Ltd.
    Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
    Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee after: Beijing Hongteng Intelligent Technology Co.,Ltd.
    Address before: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee before: Beijing Qihu Hongteng Technology Co.,Ltd.
    Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.
    Address before: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee before: Beijing Hongteng Intelligent Technology Co.,Ltd.
CP03 Change of name, title or address
    Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
    Patentee after: Beijing Qihu Hongteng Technology Co.,Ltd.
    Address before: 100000 035, 12 / F, Weiya building, 29 Suzhou street, Haidian District, Beijing
    Patentee before: BEIJING QIHU CETENG SCIENCE & TECHNOLOGY Co.,Ltd.