CN106790077A - Method and device for detecting DNS full-traffic hijacking risk - Google Patents


Info

Publication number
CN106790077A
Authority
CN
China
Prior art keywords
address
target
risk
domain name
dns
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611195637.6A
Other languages
Chinese (zh)
Other versions
CN106790077B (en)
Inventor
高永岗
张建新
刘天
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201611195637.6A (granted as CN106790077B)
Publication of CN106790077A
Priority to PCT/CN2017/117696 (published as WO2018113732A1)
Application granted
Publication of CN106790077B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention provide a method and device for detecting the risk of DNS full-traffic hijacking, with the aim of improving the detection accuracy of DNS full-traffic hijacking risk. The method includes: obtaining one or more target domain names used for detecting domain name system (DNS) full-traffic hijacking risk, where the one or more target domain names are wide area network (WAN) domain names; performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses; judging whether a local area network (LAN) address exists among the one or more target IP addresses; and, when a LAN address exists among the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.

Description

Method and device for detecting DNS full-traffic hijacking risk
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for detecting the risk of DNS full-traffic hijacking.
Background art
With the spread and wide application of networks, the various kinds of information in people's daily lives are ever more closely tied to the network. For that very reason, the detection of network security problems has become more important.
Take the detection of DNS (Domain Name System) full-traffic hijacking as an example. Some related techniques detect it as follows: a blacklist database is first stored on the electronic device or on a server, recording multiple IP (Internet Protocol) addresses known to carry DNS full-traffic hijacking risk. A target domain name is resolved to its IP address, and the resolved IP address is then compared against the blacklist database. If the resolved IP address is not in the IP-address blacklist database, it is judged that no DNS full-traffic hijacking risk currently exists.
However, attackers usually control multiple IP addresses and can even keep hijacking to new IP addresses, so the blacklist database cannot record every IP address that carries risk. Detecting DNS full-traffic hijacking risk by the above method therefore has the technical problem of low detection accuracy.
Summary of the invention
Embodiments of the invention provide a method and device for detecting DNS full-traffic hijacking risk, in order to improve the detection accuracy of DNS full-traffic hijacking risk.
In a first aspect, the invention provides a method for detecting DNS full-traffic hijacking risk, including:
obtaining one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the one or more target domain names are wide area network domain names;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
judging whether a local area network address exists among the one or more target IP addresses;
when a local area network address exists among the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.
Optionally, when no local area network address exists among the one or more target IP addresses, the method further includes:
judging whether identical addresses exist among the one or more target IP addresses, where the known IP addresses corresponding to the one or more target domain names differ from one another;
when identical addresses exist among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Optionally, the method further includes:
when no identical addresses exist among the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Optionally, obtaining one or more target domain names for detecting DNS full-traffic hijacking risk includes:
reading, from the storage space of the UE, one or more target domain names issued by the server corresponding to the UE and stored there; or
determining, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
Optionally, before performing DNS resolution on the one or more target domain names, the method further includes:
judging whether the UE has connected to a new wireless access point (AP);
when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
In a second aspect, the invention provides a method for detecting DNS full-traffic hijacking risk, including:
obtaining one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the known IP addresses corresponding to the one or more target domain names differ from one another;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
judging whether identical addresses exist among the one or more target IP addresses;
when identical addresses exist among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Optionally, when no identical addresses exist among the one or more target IP addresses, the method further includes:
judging whether a local area network address exists among the one or more target IP addresses, where the one or more target domain names are wide area network domain names;
when a local area network address exists among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Optionally, the method further includes:
when no local area network address exists among the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Optionally, obtaining one or more target domain names for detecting DNS full-traffic hijacking risk includes:
reading, from the storage space of the UE, one or more target domain names issued by the server corresponding to the UE and stored there; or
determining, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
Optionally, before performing DNS resolution on the one or more target domain names, the method further includes:
judging whether the UE has connected to a new wireless access point (AP);
when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
In a third aspect, the invention provides a method for detecting DNS full-traffic hijacking risk, including:
obtaining one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the one or more target domain names are wide area network domain names and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names differ from one another;
performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
judging whether a local area network address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
when a local area network address exists among the one or more target IP addresses, or identical addresses exist among the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.
In a fourth aspect, the invention provides a device for detecting DNS full-traffic hijacking risk, including:
an obtaining module, configured to obtain one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the one or more target domain names are wide area network domain names;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module, configured to judge whether a local area network address exists among the one or more target IP addresses;
a first determining module, configured to determine, when a local area network address exists among the one or more target IP addresses, that the user equipment (UE) is at risk of DNS full-traffic hijacking.
Optionally, when no local area network address exists among the one or more target IP addresses, the device further includes:
a second judging module, configured to judge whether identical addresses exist among the one or more target IP addresses, where the known IP addresses corresponding to the one or more target domain names differ from one another;
a second determining module, configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Optionally, the device further includes:
a third determining module, configured to determine, when no identical addresses exist among the one or more target IP addresses, that the UE is not at risk of DNS full-traffic hijacking.
Optionally, the obtaining module is configured to read, from the storage space of the UE, the one or more target domain names issued by the server corresponding to the UE and stored there; or to determine, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
Optionally, the device further includes:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
In a fifth aspect, the invention provides a device for detecting DNS full-traffic hijacking risk, including:
an obtaining module, configured to obtain one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the known IP addresses corresponding to the one or more target domain names differ from one another;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module, configured to judge whether identical addresses exist among the one or more target IP addresses;
a first determining module, configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Optionally, when no identical addresses exist among the one or more target IP addresses, the device further includes:
a second judging module, configured to judge whether a local area network address exists among the one or more target IP addresses, where the one or more target domain names are wide area network domain names;
a second determining module, configured to determine, when a local area network address exists among the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Optionally, the device further includes:
a third determining module, configured to determine, when no local area network address exists among the one or more target IP addresses, that the UE is not at risk of DNS full-traffic hijacking.
Optionally, the obtaining module is configured to read, from the storage space of the UE, the one or more target domain names issued by the server corresponding to the UE and stored there; or to determine, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
Optionally, the device further includes:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolution module to perform DNS resolution on the one or more target domain names.
In a sixth aspect, the invention provides a device for detecting DNS full-traffic hijacking risk, including:
an obtaining module, configured to obtain one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the one or more target domain names are wide area network domain names and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names differ from one another;
a resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a judging module, configured to judge whether a local area network address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
a determining module, configured to determine, when a local area network address exists among the one or more target IP addresses or identical addresses exist among the one or more target IP addresses, that the user equipment (UE) is at risk of DNS full-traffic hijacking.
One or more of the technical solutions in the embodiments of the present application have at least one or more of the following technical effects:
In the technical solution of the embodiments of the invention, one or more target domain names for detecting DNS full-traffic hijacking risk are obtained, where in the embodiments the one or more target domain names are wide area network domain names. DNS resolution is then performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses, and it is judged whether a local area network address exists among the one or more target IP addresses. Because the IP address corresponding to a target domain name should be a wide area network address, the UE is determined to be at risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses. Therefore, even if the target IP address resolved from a target domain name is not in a blacklist database, a target IP address that is a local area network address shows that the network the UE is currently connected to may be subject to full-traffic hijacking, and the UE can be determined to be at risk of DNS full-traffic hijacking. The above technical solution thus improves the detection accuracy of DNS full-traffic hijacking.
Further, because the technical solution of the embodiments does not need to compare against a huge blacklist database, it also does not need to store a blacklist database, which saves the device resources that storing a blacklist database would occupy.
Further, because the technical solution of the embodiments can be executed by the UE without the participation of a server, an attacker who has hijacked DNS is prevented from monitoring the interaction between the UE and the server, interfering with the detection, or even sending the UE false information indicating that the network is secure.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flow chart of the first method for detecting DNS full-traffic hijacking risk in an embodiment of the invention;
Fig. 2 is a flow chart of the second method for detecting DNS full-traffic hijacking risk in an embodiment of the invention;
Fig. 3 is a flow chart of the third method for detecting DNS full-traffic hijacking risk in an embodiment of the invention;
Fig. 4 is a schematic structural diagram of the first device for detecting DNS full-traffic hijacking risk in an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the second device for detecting DNS full-traffic hijacking risk in an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the third device for detecting DNS full-traffic hijacking risk in an embodiment of the invention.
Detailed description
Embodiments of the invention provide a method and device for detecting DNS full-traffic hijacking risk, in order to improve the detection accuracy of DNS full-traffic hijacking risk.
To solve the above technical problem, the general idea of the technical solution provided by the invention is as follows:
In the technical solution of the embodiments of the invention, one or more target domain names for detecting DNS full-traffic hijacking risk are obtained, and DNS resolution is then performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses. Then, if the one or more target domain names are wide area network domain names, it is judged whether a local area network address exists among the one or more target IP addresses, and if one exists the UE is determined to be at risk of DNS full-traffic hijacking; or, if the one or more target domain names are domain names whose known IP addresses differ from one another, it is judged whether identical addresses exist among the one or more target IP addresses, and if they exist the UE is determined to be at risk of DNS full-traffic hijacking; or, if the one or more target domain names are wide area network domain names whose known IP addresses also differ from one another, it is judged whether a local area network address exists among the one or more target IP addresses and whether identical addresses exist among them, and if either a local area network address or identical addresses exist the UE is determined to be at risk of DNS full-traffic hijacking.
The technical solution of the invention is described in detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments of the present application and the specific features in them are detailed descriptions of the technical solution of the application rather than limitations on it, and that, where there is no conflict, the embodiments of the application and the technical features in them may be combined with one another.
The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
The first aspect of the invention provides a method for detecting DNS full-traffic hijacking risk; refer to Fig. 1, which is the flow chart of the first method for detecting DNS full-traffic hijacking risk in an embodiment of the invention. The method includes:
S101: obtaining one or more target domain names for detecting domain name system (DNS) full-traffic hijacking risk, where the one or more target domain names are wide area network domain names;
S102: performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S103: judging whether a local area network address exists among the one or more target IP addresses;
S104: when a local area network address exists among the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.
The one or more target domain names in the embodiments of the invention are a test domain name, or a group of test domain names, used for detecting DNS full-traffic hijacking. So that DNS full-traffic hijacking risk can be detected through this domain name or group of domain names, each target domain name in the embodiments is a wide area network domain name. In a specific implementation, the UE may obtain the one or more target domain names when it needs to detect DNS full-traffic hijacking risk, or it may obtain them in advance at a time when no detection is needed; the invention does not specifically limit this.
The moment at which the DNS full-traffic hijacking detection of S102 to S104 is performed may be any time after the UE is powered on, or every preset interval (for example, one detection is started every hour), or each time the UE connects to a network. Alternatively, before S102, the method further includes:
judging whether the UE has connected to a new wireless access point (AP);
when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
Specifically, in the embodiments of the invention, a new AP (Access Point) arises in two cases. Let T1 denote any moment. In the first case, the UE was connected to a first AP before T1 and at T1 switched to a second AP different from the first AP; the second AP is then a new AP. In the second case, the UE was not connected to any AP before T1 and connected to a third AP at T1; the third AP is then a new AP.
For the first case, when the UE switches AP or AC (access controller), it obtains the SSID (Service Set Identifier) of the AP or AC connected after the switch and the SSID of the AP or AC connected before the switch, and then judges whether the SSID of the AP or AC connected after the switch is the same as the SSID of the AP or AC connected before the switch. If the two SSIDs differ, the UE has connected to a new AP. At that point the UE cannot confirm whether the network it is currently connected to, i.e. the network the new AP belongs to, carries DNS full-traffic hijacking risk, so S102 is executed and DNS full-traffic hijacking risk detection begins. In other words, when the UE switches to a new network, S102 to S104 are executed to detect DNS full-traffic hijacking risk on the new network.
For the second case, when the UE goes from being connected to no AP to being connected to an AP, the UE likewise cannot confirm whether the network it is currently connected to carries DNS full-traffic hijacking risk, so S102 is executed and DNS full-traffic hijacking risk detection begins. In other words, when the UE first connects to a network, S102 to S104 are executed to detect DNS full-traffic hijacking risk on that network.
There are various methods of obtaining the target domain names in S101, two of which are described below. Specifically, S101 in the embodiments of the invention may be implemented by the following process:
reading, from the storage space of the UE, one or more target domain names issued by the server corresponding to the UE and stored there; or
determining, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
Specifically, the one or more target domain names obtained by the UE in the embodiments may be issued by the server, may be configured and selected by the UE itself, or some target domain names may be received from the server while the UE configures the others itself. In a specific implementation, those skilled in the art may choose according to actual needs; the invention does not specifically limit this.
Specifically, if the target domain names are issued by the server, then, because the target domain names in the embodiments are wide area network domain names, the server selects one or more wide area network domain names as target domain names and may then issue the target domain names to the UE at any time. After receiving the one or more target domain names issued by the server, the UE stores them in its own storage space and reads the one or more target domain names out of the storage space when it needs to obtain them.
For example, the server issues data in the following JSON structure to the UE:
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores these ten target domain names in its storage space. When it needs to obtain the target domain names, it reads the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn out of the storage space.
If instead the UE configures the target domain names itself, the UE determines, from multiple candidate domain names, one or more domain names satisfying a preset condition as the target domain names. Specifically, the candidate domain names may be domain names the UE has accessed in the past, domain names it is currently able to access, and so on; the invention does not specifically limit this. In the embodiments, because the target domain names are wide area network domain names, the preset condition is specifically that a domain name be a wide area network domain name, so the UE selects one or more wide area network domain names from the multiple candidate domain names as target domain names.
In a specific implementation, those skilled in the art may choose either of the above two methods of obtaining target domain names according to actual needs, or may combine the two; the invention does not specifically limit this.
After the one or more target domain names are obtained in S101, the UE performs DNS resolution on each domain name in S102 and obtains the IP address corresponding to each target domain name. In the embodiments of the invention, the IP address obtained by DNS resolution of a target domain name is called the target IP address.
Next, in S103, it is judged whether a local area network address exists among all the target IP addresses. Specifically, a target IP address is judged to be a LAN IP address if it falls within any of the three private address blocks that the patent labels Class A, Class B and Class C (these are the RFC 1918 private ranges). The Class A block is 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), the Class B block is 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and the Class C block is 192.168.0.0 to 192.168.255.255 (192.168.0.0/16). If the target IP address falls within any of the Class A, Class B or Class C blocks, it is a local area network address; conversely, if it falls within none of the Class A, Class B and Class C blocks, it is not a local area network address.
Because the target domain names in the embodiments are wide area network domain names, and under secure conditions the IP address corresponding to a wide area network domain name is a wide area network address, a local area network address among the one or more target IP addresses shows that the AP or AC the UE is currently connected to may have been hijacked. Therefore, when a local area network address exists among the one or more target IP addresses, it is determined in S104 that the UE is subject to DNS full-traffic hijacking.
It can be seen from the foregoing that, because the IP address corresponding to a target domain name should be a wide area network address, the UE is determined to be at risk of DNS full-traffic hijacking when a local area network address exists among the one or more target IP addresses. Therefore, even if the target IP address resolved from a target domain name is not in a blacklist database, the UE can still be determined to be at risk of DNS full-traffic hijacking. The technical solution of the embodiments thus improves the detection accuracy of DNS full-traffic hijacking.
Further, because the technical solution of the embodiments does not need to compare against a huge blacklist database, it also does not need to store a blacklist database on the electronic device or server, which saves the device resources that storing a blacklist database would occupy.
In a specific implementation, the above S101 to S104 may all be performed by the UE, or S101 to S102 may be performed by the UE and S103 to S104 by the server, i.e. the UE reports the resolved target IP addresses to the server and the server performs the detection judgment. When the UE performs S101 to S104 on its own, no server participation is needed while detecting DNS full-traffic hijacking, so the invention further prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server to interfere with the detection, or even from sending the UE false information indicating that the network is secure.
Further, as an optional embodiment, in order to detect DNS full-traffic hijacking risk more thoroughly, when no LAN address is present in the one or more target IP addresses, the method may further include:
judging whether identical addresses are present in the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names differ from one another;
when identical addresses are present in the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Specifically, in this embodiment the target domain names are not only WAN domain names; their known IP addresses also differ from one another. In other words, the target domain names are WAN domain names that correspond to different IP addresses.
Accordingly, if the target domain names are issued by the server, the server verifies them by resolution, selects one or more WAN domain names whose corresponding IP addresses differ, and issues them to the UE as target domain names; the UE stores them, and when target domain names are needed the UE reads from its storage space the one or more WAN domain names whose known IP addresses differ.
For example, by resolution the server verifies that the ten WAN domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn correspond to different IP addresses. The ten domain names and the IP address corresponding to each are shown in Table 1.
Table 1
The server therefore issues data in the following JSON structure to the UE,
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn and stores them in its storage space. When target domain names are needed, the UE reads the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn from its storage space.
If instead the target domain names are determined by the UE, the preset condition is that the domain names are WAN domain names corresponding to different IP addresses: the UE performs DNS resolution on multiple candidate domain names, obtains the one or more IP addresses corresponding to each candidate, and then selects as target domain names those candidates that are WAN domain names and whose resolved IP addresses have no address in common.
In a specific implementation, the IP addresses that an attacker returns to the UE may well be WAN addresses. Therefore, in this embodiment, when no LAN address is present in the one or more target IP addresses, it is further judged whether identical addresses are present among them in order to detect DNS full-traffic hijacking risk.
When DNS full-traffic hijacking occurs, every domain name the UE accesses resolves to the same IP address. Sometimes, to avoid discovery, an attacker instead returns to the UE an IP address chosen at random from a group of addresses, all of which belong to servers under the attacker's control. Hence, identical addresses among the one or more target IP addresses indicate that the AP or AC to which the UE is connected may have been hijacked. Therefore, when no LAN address but identical addresses are present in the one or more target IP addresses, it is determined that the UE is at risk of DNS full-traffic hijacking.
As an example, assume the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. None of the five target IP addresses is a LAN address, but the 1st and the 5th are identical, so identical addresses are determined to be present in the target IP addresses, and the UE is determined to be at risk of DNS full-traffic hijacking.
As a further example, assume the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. None of the five target IP addresses is a LAN address, but the 1st and the 5th are identical and the 2nd and the 4th are identical, so identical addresses are determined to be present in the target IP addresses, and the UE is determined to be at risk of DNS full-traffic hijacking.
From the above it can be seen that, when no LAN address is present in the target IP addresses resolved by the UE, it is further judged whether identical addresses are present; if they are, the UE is determined to be at risk of DNS full-traffic hijacking. By judging whether a LAN address is present in the target IP addresses and, when none is, further judging whether identical addresses are present, this embodiment further improves detection accuracy.
Further, in combination with the above embodiments, the method of this embodiment also includes:
when no identical addresses are present in the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no identical addresses are present in the one or more target IP addresses, each target domain name has been correctly resolved to a different WAN IP address, so DNS full-traffic hijacking is unlikely; thus, when the one or more target IP addresses contain no LAN address and also no identical addresses, the UE is determined not to be at risk of DNS full-traffic hijacking.
A second aspect of the invention provides another detection method for DNS full-traffic hijacking risk. Referring to Fig. 2, which is the flow diagram of the second detection method in this embodiment, the method includes:
S201: obtaining one or more target domain names used to detect domain name system (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names differ from one another;
S202: performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S203: judging whether identical addresses are present in the one or more target IP addresses;
S204: when identical addresses are present in the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
In a specific implementation, the moment at which the second detection method is started to check network security is the same as for the first detection method and is not repeated here. In the above steps, S201 is similar to S101 and S202 is similar to S102; since S101 and S102 have been described in detail above, the common parts are not repeated in this embodiment.
S201 differs from S101 in that the target domain names in this embodiment are domain names whose known IP addresses differ, so if the target domain names are issued by the server, the server verifies them by resolution, selects one or more domain names whose corresponding IP addresses differ, and issues them to the UE as target domain names; the UE stores them, and when target domain names are needed the UE reads from its storage space the one or more target domain names whose known corresponding IP addresses differ.
For example, by resolution the server verifies that the ten domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn correspond to different IP addresses, as shown in Table 1.
The server therefore issues data in the following JSON structure to the UE,
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn and stores them in its storage space. When target domain names are needed, the UE reads the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn from its storage space.
S201 also differs from S101 in that, because the target domain names in this embodiment are domain names whose known IP addresses differ, if the target domain names are determined by the UE the preset condition is that the corresponding IP addresses differ: the UE performs DNS resolution on multiple candidate domain names, obtains the one or more IP addresses corresponding to each candidate, and then selects as target domain names those candidates whose resolved IP addresses have no address in common.
Next, in S203, it is judged whether identical addresses are present in the one or more target IP addresses. Specifically, when DNS full-traffic hijacking occurs, every domain name the UE accesses resolves to the same IP address. Sometimes, to avoid discovery, an attacker instead returns to the UE an IP address chosen at random from a group of addresses, all of which in fact belong to servers under the attacker's control. Hence, identical addresses among the one or more target IP addresses indicate that the AP or AC to which the UE is connected may have been hijacked. Therefore, when identical addresses are present in the one or more target IP addresses, S204 determines that the UE is at risk of DNS full-traffic hijacking.
As an example, assume the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The 1st and the 5th target IP addresses are identical, so identical addresses are determined to be present in the target IP addresses, and the UE is determined to be at risk of DNS full-traffic hijacking.
As a further example, assume the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The 1st and the 5th target IP addresses are identical, and the 2nd and the 4th are identical, so identical addresses are determined to be present in the target IP addresses, and the UE is determined to be at risk of DNS full-traffic hijacking.
From the above it can be seen that, because the known IP addresses corresponding to the target domain names differ, the UE is determined to be at risk of DNS full-traffic hijacking whenever identical addresses are present in the one or more target IP addresses. Thus, even if the target IP addresses resolved from the target domain names are not in a blacklist, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution of this embodiment therefore improves the detection accuracy of DNS full-traffic hijacking.
Further, because the technical solution of this embodiment does not need to be compared against a large blacklist database, neither the electronic device nor the server needs to store such a database, which saves the device resources that storing blacklist data would occupy.
In a specific implementation, S201 to S204 may all be performed by the UE; alternatively, the UE performs S201 to S202 and the server performs S203 to S204, i.e. the UE reports the resolved target IP addresses to the server, which carries out the detection and judgement. When the UE performs S201 to S204 on its own, no server participation is needed to detect DNS full-traffic hijacking, so the invention also prevents an attacker who has hijacked DNS from monitoring the UE's interaction with the server in order to interfere with detection, or even from sending the UE spoofed information indicating that the network is secure.
Further, as an optional embodiment, in order to detect DNS full-traffic hijacking risk more thoroughly, when no identical addresses are present in the one or more target IP addresses, the method may further include:
judging whether a LAN address is present in the one or more target IP addresses, wherein the one or more target domain names are WAN domain names;
when a LAN address is present in the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Specifically, in this embodiment the target domain names are not only domain names whose known IP addresses differ; they are also WAN domain names. In other words, the target domain names are WAN domain names that correspond to different IP addresses.
Accordingly, if the target domain names are issued by the server, the server verifies them by resolution, selects one or more WAN domain names whose corresponding IP addresses differ, and issues them to the UE as target domain names; the UE stores them, and when target domain names are needed the UE reads from its storage space the one or more target domain names that are WAN domain names and whose known IP addresses differ.
If instead the target domain names are determined by the UE, the preset condition is that the domain names are WAN domain names corresponding to different IP addresses: the UE performs DNS resolution on multiple candidate domain names, obtains the one or more IP addresses corresponding to each candidate, and then selects as target domain names those candidates that are WAN domain names and whose resolved IP addresses have no address in common.
In a specific implementation, an attacker may return different IP addresses to the UE, but a LAN address among those target IP addresses still exposes the hijacking. Therefore, in this embodiment, when no identical addresses are present in the one or more target IP addresses, it is further judged whether a LAN address is present among them in order to detect DNS full-traffic hijacking risk.
The method of judging whether the one or more target IP addresses are LAN IP addresses has been described in detail above and is not repeated here.
Because the target domain names in this embodiment are WAN domain names, and under secure conditions the IP address corresponding to a WAN domain name is a WAN address, the presence of a LAN address among the one or more target IP addresses indicates that the AP or AC to which the UE is connected may have been hijacked. Therefore, when no identical addresses but a LAN address are present in the one or more target IP addresses, it is determined that the UE is at risk of DNS full-traffic hijacking.
From the above it can be seen that, when no identical addresses are present in the target IP addresses resolved by the UE, it is further judged whether a LAN address is present; if one is, the UE is determined to be at risk of DNS full-traffic hijacking. By judging whether identical addresses are present in the target IP addresses and, when none are, further judging whether a LAN address is present, this embodiment further improves detection accuracy.
Further, in combination with the above embodiments, the method of this embodiment also includes:
when no LAN address is present in the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no LAN address is present in the one or more target IP addresses, each target domain name has been correctly resolved to a different WAN IP address, so DNS full-traffic hijacking is unlikely; thus, when the one or more target IP addresses contain no identical addresses and also no LAN address, the UE is determined not to be at risk of DNS full-traffic hijacking.
A third aspect of the invention provides yet another detection method for DNS full-traffic hijacking risk. Referring to Fig. 3, which is the flow diagram of the third detection method in this embodiment, the method includes:
S301: obtaining one or more target domain names used to detect domain name system (DNS) full-traffic hijacking risk, wherein the one or more target domain names are WAN domain names and the known Internet Protocol (IP) addresses corresponding to them differ from one another;
S302: performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S303: judging whether a LAN address is present in the one or more target IP addresses, and whether identical addresses are present in the one or more target IP addresses;
S304: when a LAN address is present in the one or more target IP addresses, or identical addresses are present in the one or more target IP addresses, determining that the user equipment (UE) is at risk of DNS full-traffic hijacking.
In a specific implementation, the moment at which the third detection method is started to check network security is the same as for the first and second detection methods and is not repeated here. In the above steps, S301 is similar to S101 and S201, and S302 is similar to S102 and S202; since S101 and S102 have been described in detail above, the common parts are not repeated in this embodiment.
S301 differs from S101 in that the target domain names in this embodiment are WAN domain names whose known IP addresses differ, so if the target domain names are issued by the server, the server verifies them by resolution, selects one or more WAN domain names whose corresponding IP addresses differ, and issues them to the UE as target domain names; the UE stores them, and when target domain names are needed the UE reads from its storage space the one or more target domain names that are WAN domain names and whose known IP addresses differ.
If instead the target domain names are determined by the UE, the preset condition is that the domain names are WAN domain names corresponding to different IP addresses: the UE performs DNS resolution on multiple candidate domain names, obtains the one or more IP addresses corresponding to each candidate, and then selects as target domain names those candidates that are WAN domain names and whose resolved IP addresses have no address in common.
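The UE-side selection of target domain names from candidate domain names, as described for the first, second and third aspects above, written out as an added example (this is not code from the patent or its assignee). The preset condition is read as: every resolved address of a kept candidate is a WAN address, and no two kept candidates share an address. The "LAN address" test is assumed to be the RFC 1918 private ranges, the selection is greedy in candidate order (a design choice, not something the patent specifies), and all domain names and addresses in the resolver table are constructed; `system_resolve` shows how the same selection would run against the UE's real resolver.

```python
"""Added example: select target domain names from candidates (UE-determined
target domain names).  Not the patent's own code."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Assumption: a "LAN address" is an RFC 1918 private IPv4 address.
_LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_lan_address(ip: str) -> bool:
    """True if ip falls inside one of the private (LAN) ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _LAN_NETWORKS)


def select_target_domains(candidates: Iterable[str],
                          resolve: Callable[[str], Set[str]]) -> List[str]:
    """Resolve each candidate and keep it only if every resolved address is a
    WAN address and none of its addresses was already seen for a kept
    candidate.  Greedy in candidate order (design choice)."""
    chosen: List[str] = []
    seen: Set[str] = set()
    for name in candidates:
        ips = resolve(name)
        if not ips:
            continue                          # unresolvable: cannot be a target
        if any(is_lan_address(ip) for ip in ips):
            continue                          # not observed as a WAN domain name
        if ips & seen:
            continue                          # shares an address with a kept name
        chosen.append(name)
        seen |= ips
    return chosen


def system_resolve(name: str) -> Set[str]:
    """Resolver that uses the UE's configured DNS servers (for real use)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


# Constructed resolver table standing in for real DNS answers; the RFC 5737
# documentation addresses play the role of WAN addresses.
CONSTRUCTED_ANSWERS: Dict[str, Set[str]] = {
    "a.example": {"198.51.100.10"},
    "b.example": {"198.51.100.20", "203.0.113.5"},
    "c.example": {"203.0.113.5"},             # overlaps with b.example
    "d.example": {"192.168.1.1"},             # LAN address: not a WAN domain
    "e.example": {"203.0.113.77"},
}


def constructed_resolve(name: str) -> Set[str]:
    """Offline stand-in for system_resolve over the constructed table."""
    return set(CONSTRUCTED_ANSWERS.get(name, ()))


if __name__ == "__main__":
    print(select_target_domains(CONSTRUCTED_ANSWERS, constructed_resolve))
```

Note that the selection is only meaningful on a network believed to be clean: if it were run while full-traffic hijacking is already in effect, every candidate would resolve to the same address and at most one candidate would survive, which is itself a signal worth logging.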
Next, in S303, it is judged whether a LAN address is present in the one or more target IP addresses, and whether identical addresses are present. If a LAN address is present in the one or more target IP addresses, or identical addresses are present, the AP or AC to which the UE is connected may have been hijacked. Therefore, when a LAN address or identical addresses are present in the one or more target IP addresses, S304 determines that the UE is at risk of DNS full-traffic hijacking.
As an example, assume the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. All five target IP addresses are WAN addresses, but the 1st and the 5th are identical, so the UE is determined to be at risk of DNS full-traffic hijacking.
As a further example, assume the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The five target IP addresses all differ, but the 5th is a LAN address, so the UE is determined to be at risk of DNS full-traffic hijacking.
As yet another example, assume the target IP addresses are 123.125.112.202, 123.125.112.202, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The 5th target IP address is a LAN address and the 1st and the 2nd are identical, so the UE is determined to be at risk of DNS full-traffic hijacking.
From the above it can be seen that, because the target domain names are known to correspond to different IP addresses, each of which is known to be a WAN address, the UE is determined to be at risk of DNS full-traffic hijacking whenever a LAN address or identical target IP addresses are present in the one or more target IP addresses. Thus, even if the target IP addresses resolved from the target domain names are not in a blacklist, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution of this embodiment therefore improves the detection accuracy of DNS full-traffic hijacking.
Further, because the technical solution of this embodiment does not need to be compared against a large blacklist database, neither the electronic device nor the server needs to store such a database, which saves the device resources that storing blacklist data would occupy.
In a specific implementation, S301 to S304 may all be performed by the UE; alternatively, the UE performs S301 to S302 and the server performs S303 to S304, i.e. the UE reports the resolved target IP addresses to the server, which carries out the detection and judgement. When the UE performs S301 to S304 on its own, no server participation is needed to detect DNS full-traffic hijacking, so the invention also prevents an attacker who has hijacked DNS from monitoring the UE's interaction with the server in order to interfere with detection, or even from sending the UE spoofed information indicating that the network is secure.
Further, in combination with the above embodiments, the method of this embodiment also includes:
when no LAN address is present in the one or more target IP addresses and no identical addresses are present in the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when neither a LAN address nor identical addresses are present in the one or more target IP addresses, each target domain name has been correctly resolved to a different WAN IP address, so DNS full-traffic hijacking is unlikely; thus, when the one or more target IP addresses contain no LAN address and no identical addresses, the UE is determined not to be at risk of DNS full-traffic hijacking.
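The detection of S302 to S304 written out as an added example (not code from the patent or its assignee). The same two tests, applied one after the other, are the first aspect (LAN test, then identical-address test) and the second aspect (identical-address test, then LAN test), so this one block covers all three aspects and the worked examples given for them above. The "LAN address" test is assumed to be the RFC 1918 private ranges; the target domain names are assumed to be WAN domain names with pairwise distinct genuine addresses, as the text requires; `system_resolve` is the hook for the UE's real resolver, and the resolver used in the usage section is a constructed stand-in whose answers are fabricated to exercise the checks.

```python
"""Added example: S302 (resolve) plus S303/S304 (judge and determine) for
DNS full-traffic hijacking risk.  Not the patent's own code."""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Iterable, List, NamedTuple

# Assumption: a "LAN address" is an RFC 1918 private IPv4 address.
_LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_lan_address(ip: str) -> bool:
    """True if ip falls inside one of the private (LAN) ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _LAN_NETWORKS)


class Verdict(NamedTuple):
    at_risk: bool                   # S304 outcome
    lan_addresses: List[str]        # target IPs failing the LAN test of S303
    repeated_addresses: List[str]   # target IPs failing the identity test of S303


def judge_target_ips(target_ips: Iterable[str]) -> Verdict:
    """S303/S304 over an already resolved list of target IP addresses:
    at risk if any address is a LAN address or any address repeats."""
    ips = list(target_ips)
    lan = [ip for ip in ips if is_lan_address(ip)]
    repeated = sorted(ip for ip, n in Counter(ips).items() if n > 1)
    return Verdict(bool(lan or repeated), lan, repeated)


def detect_hijack_risk(target_domains: Iterable[str],
                       resolve: Callable[[str], List[str]]) -> Verdict:
    """S302 (resolve every target domain name) followed by S303/S304.
    `resolve` returns the one or more addresses of a name.  Each address is
    counted once per name, so a repeat means two target names collided."""
    target_ips: List[str] = []
    for name in target_domains:
        target_ips.extend(sorted(set(resolve(name))))
    return judge_target_ips(target_ips)


def system_resolve(name: str) -> List[str]:
    """Resolver that uses the UE's configured DNS servers, i.e. the path a
    hijacked AP or AC controls; this is what a real deployment would pass."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed stand-in for a resolver on a fully hijacked network: every name
# is answered with the same fabricated address (RFC 5737 documentation range).
def hijacked_resolve(name: str) -> List[str]:
    return ["192.0.2.1"]


if __name__ == "__main__":
    # The patent's own worked examples, as lists of already resolved addresses.
    for ips in (
        ["123.125.112.202", "220.181.12.208", "111.206.227.118", "110.76.19.33", "123.125.112.202"],
        ["123.125.112.202", "220.181.12.208", "111.206.227.118", "175.25.168.40", "192.168.1.1"],
        ["123.125.112.202", "123.125.112.202", "111.206.227.118", "175.25.168.40", "192.168.1.1"],
        ["123.125.112.202", "220.181.12.208", "111.206.227.118", "110.76.19.33", "175.25.168.40"],
    ):
        print(judge_target_ips(ips))
    print(detect_hijack_risk(["a.example", "b.example", "c.example"], hijacked_resolve))
```

When the server rather than the UE performs S303/S304, the UE sends the resolved list and the server calls `judge_target_ips` on it; the judgement itself is identical. Keeping the LAN list and the repeated-address list separate in the verdict lets the UE log which of the two tests fired, which is useful when tuning the target domain set.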
Based on the same inventive concept as the detection method for DNS full-traffic hijacking risk of the first aspect, a fourth aspect of the invention provides a first detection device for DNS full-traffic hijacking risk, as shown in Fig. 4, including:
an obtaining module 101, configured to obtain one or more target domain names used to detect domain name system (DNS) full-traffic hijacking risk, wherein the one or more target domain names are WAN domain names;
a resolving module 102, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module 103, configured to judge whether a LAN address is present in the one or more target IP addresses;
a first determining module 104, configured to determine, when a LAN address is present in the one or more target IP addresses, that the user equipment (UE) is at risk of DNS full-traffic hijacking.
Further, for the case in which no LAN address is present in the one or more target IP addresses, the device of this embodiment also includes:
a second judging module, configured to judge whether identical addresses are present in the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names differ from one another;
a second determining module, configured to determine, when identical addresses are present in the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Further, the device of this embodiment also includes:
a third determining module, configured to determine, when no identical addresses are present in the one or more target IP addresses, that the UE is not at risk of DNS full-traffic hijacking.
Specifically, the obtaining module 101 is configured to read, from the storage space of the UE, the one or more target domain names issued by the server corresponding to the UE and stored there; or to determine, from multiple candidate domain names, one or more domain names that meet the preset condition as the one or more target domain names.
Further, the device of this embodiment also includes:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolving module to perform DNS resolution on the one or more target domain names.
The various variations and specific examples of the first detection method for DNS full-traffic hijacking risk in the embodiment of Fig. 1 above apply equally to the detection device of this embodiment; given the foregoing detailed description of that detection method, those skilled in the art can clearly understand the implementation of the detection device of this embodiment, so for brevity of the specification it is not described in detail here.
Based on the same inventive concept as the detection method for DNS full-traffic hijacking risk of the second aspect, a fifth aspect of the invention provides a second detection device for DNS full-traffic hijacking risk, as shown in Fig. 5, including:
an obtaining module 201, configured to obtain one or more target domain names used to detect domain name system (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names differ from one another;
a resolving module 202, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module 203, configured to judge whether identical addresses are present in the one or more target IP addresses;
a first determining module 204, configured to determine, when identical addresses are present in the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Further, for the case in which no identical addresses are present in the one or more target IP addresses, the device of this embodiment also includes:
a second judging module, configured to judge whether a LAN address is present in the one or more target IP addresses, wherein the one or more target domain names are WAN domain names;
a second determining module, configured to determine, when a LAN address is present in the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Further, the device of this embodiment also includes:
a third determining module, configured to determine, when no LAN address is present in the one or more target IP addresses, that the UE is not at risk of DNS full-traffic hijacking.
Specifically, the obtaining module 201 is configured to read, from the storage space of the UE, the one or more target domain names issued by the server corresponding to the UE and stored there; or to determine, from multiple candidate domain names, one or more domain names that meet the preset condition as the one or more target domain names.
Further, the device of this embodiment also includes:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolving module to perform DNS resolution on the one or more target domain names.
The various variations and specific examples of the second detection method for DNS full-traffic hijacking risk in the embodiment of Fig. 2 above apply equally to the detection device of this embodiment; given the foregoing detailed description of that detection method, those skilled in the art can clearly understand the implementation of the detection device of this embodiment, so for brevity of the specification it is not described in detail here.
Based on the same inventive concept as the detection method for DNS full-traffic hijacking risk of the third aspect, a sixth aspect of the invention provides a third detection device for DNS full-traffic hijacking risk, as shown in Fig. 6, including:
an obtaining module 301, configured to obtain one or more target domain names used to detect domain name system (DNS) full-traffic hijacking risk, wherein the one or more target domain names are WAN domain names and the known Internet Protocol (IP) addresses corresponding to them differ from one another;
a resolving module 302, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a judging module 303, configured to judge whether a LAN address is present in the one or more target IP addresses, and whether identical addresses are present in the one or more target IP addresses;
a determining module 304, configured to determine, when a LAN address is present in the one or more target IP addresses or identical addresses are present in the one or more target IP addresses, that the user equipment (UE) is at risk of DNS full-traffic hijacking.
The various variations and specific examples of the third detection method for DNS full-traffic hijacking risk in the embodiment of Fig. 3 above apply equally to the detection device of this embodiment; given the foregoing detailed description of that detection method, those skilled in the art can clearly understand the implementation of the detection device of this embodiment, so for brevity of the specification it is not described in detail here.
Said one or multiple technical schemes in the embodiment of the present application, at least imitate with following one or more technology Really:
In the technical scheme of the embodiment of the present invention, obtain for detecting that DNS full flows kidnap one or more of risk Target domain name, wherein, one or more the target domain names in the embodiment of the present invention are specially wide area network domain name, then to one or Multiple target domain names carry out dns resolution, obtain each corresponding target ip address of target domain name, and then obtain one or more mesh Mark IP address, then judges to whether there is lan address in one or more target ip address.Due to target domain name correspondence IP address be wide area network address, so when there is lan address in one or more target ip address, determine that UE is present DNS full flows kidnap risk.Therefore, even if the target ip address that parses of target domain name is not in blacklist storehouse, if target IP address is lan address, then show that the network that UE is currently accessed may be kidnapped by full flow, and then can determine that UE is present DNS full flows kidnap risk.So, by above-mentioned technical proposal, realize and improve the Detection accuracy that DNS full flows are kidnapped.
Further, because the technical scheme of the embodiment of the present invention need not be contrasted with huge black list database, And then also avoid the need for storing black list database, thus save the device resource shared by storage black list database.
Further, because the technical scheme in the embodiment of the present invention can be performed by UE, without the ginseng of server With, it is possible to prevent lawless person to be monitored with interacting for server to UE after kidnapping DNS, so that Interference Detection, or even The deceptive information for representing network security is sent to UE.
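The procedure summarized above, run on the UE itself with no server involved (resolve a set of WAN target domains through the current resolver, apply the LAN-address check, and, as claims A2 and B6 add, the identical-address check), as an added Python example written for this page; it is not code from the patent or its assignee. The target domain names, the three sets of resolver answers and the helper `resolve_with_system_resolver` are constructed assumptions, not values from the patent.

```python
"""Added example (not the patent's code): both DNS full-traffic hijacking checks
applied by the UE to the answers its currently configured resolver returns."""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Ranges a WAN domain must never resolve to. A gateway that answers every DNS
# query itself (full-traffic hijacking) typically hands out one of these.
_LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "169.254.0.0/16", "127.0.0.0/8",                    # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


def is_lan_address(ip: str) -> bool:
    """Check 1 of the method: is the resolved address a local-network address?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal at all; the caller logs it separately
    return any(addr in net for net in _LAN_NETWORKS)


@dataclass
class Verdict:
    at_risk: bool
    lan_hits: List[Tuple[str, str]] = field(default_factory=list)  # (domain, LAN address)
    shared: Dict[str, List[str]] = field(default_factory=dict)     # address -> domains sharing it


def detect_full_traffic_hijack_risk(resolved: Dict[str, List[str]]) -> Verdict:
    """Apply both checks to `resolved`, a map from target domain to the addresses
    the current resolver returned for it. The targets must be WAN domains whose
    genuine addresses differ from one another, otherwise check 2 would misfire."""
    verdict = Verdict(at_risk=False)

    # Check 1: a WAN domain resolving to a LAN address means the local gateway,
    # not the authoritative DNS, answered the query.
    for domain, addrs in resolved.items():
        for ip in addrs:
            if is_lan_address(ip):
                verdict.lan_hits.append((domain, ip))

    # Check 2: domains known to live on different hosts all resolving to one
    # address means every query is steered to a single interception host, even
    # when that host has a public address that appears in no blacklist.
    owners: Dict[str, Set[str]] = {}
    for domain, addrs in resolved.items():
        for ip in addrs:
            owners.setdefault(ip, set()).add(domain)
    for ip, domains in owners.items():
        if len(domains) > 1:
            verdict.shared[ip] = sorted(domains)

    verdict.at_risk = bool(verdict.lan_hits or verdict.shared)
    return verdict


def resolve_with_system_resolver(domains: List[str]) -> Dict[str, List[str]]:
    """Hypothetical helper: query the UE's currently configured resolver (the one
    a new access point pushes via DHCP) for the A/AAAA records of each domain."""
    out: Dict[str, List[str]] = {}
    for name in domains:
        try:
            infos = socket.getaddrinfo(name, None)
            out[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[name] = []  # no answer at all; neither check fires on an empty list
    return out


# Constructed resolver answers (not real measurements) for three scenarios.
HEALTHY = {"example.com": ["93.184.216.34"], "example.net": ["93.184.215.14"],
           "example.org": ["8.8.8.8"]}
LAN_HIJACK = {"example.com": ["192.168.1.1"], "example.net": ["93.184.215.14"],
              "example.org": ["8.8.8.8"]}
SAME_ANSWER = {"example.com": ["8.8.8.8"], "example.net": ["8.8.8.8"],
               "example.org": ["8.8.8.8"]}

if __name__ == "__main__":
    for label, answers in (("healthy", HEALTHY), ("lan", LAN_HIJACK), ("same", SAME_ANSWER)):
        print(label, detect_full_traffic_hijack_risk(answers))
```

Replacing the constructed dictionaries with `resolve_with_system_resolver(list(HEALTHY))` runs the same checks against live answers; per claim A5 the natural trigger is the UE joining a new access point.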
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein, and from the above description the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description of specific languages above is given to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a gateway, proxy server or system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe the invention rather than limit it, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" before an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a method for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
obtaining one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each of the target domain names, and thereby obtaining one or more target IP addresses;
judging whether a local area network address is present among the one or more target IP addresses;
when a local area network address is present among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijacking risk.
A2. The method according to A1, characterized in that, when no local area network address is present among the one or more target IP addresses, the method further comprises:
judging whether identical addresses are present among the one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
when identical addresses are present among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
A3. The method according to A2, characterized in that the method further comprises:
when no identical addresses are present among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijacking risk.
A4. The method according to any one of A1-A3, characterized in that obtaining one or more target domain names for detecting DNS full-traffic hijacking risk comprises:
reading the one or more target domain names that were issued by a server corresponding to the UE and stored in the storage space of the UE; or
determining, from a plurality of candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
A5. The method according to any one of A1-A3, characterized in that, before performing DNS resolution on the one or more target domain names, the method further comprises:
judging whether the UE has connected to a new wireless access point (AP);
when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
B6. A method for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
obtaining one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each of the target domain names, and thereby obtaining one or more target IP addresses;
judging whether a local area network address is present among the one or more target IP addresses, and whether identical addresses are present among the one or more target IP addresses;
when a local area network address is present among the one or more target IP addresses, or identical addresses are present among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijacking risk.
C7. A device for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
an obtaining module, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names;
a resolving module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each of the target domain names, and thereby obtain one or more target IP addresses;
a first judging module, configured to judge whether a local area network address is present among the one or more target IP addresses;
a first determining module, configured to determine that the user equipment (UE) has a DNS full-traffic hijacking risk when a local area network address is present among the one or more target IP addresses.
C8. The device according to C7, characterized in that, when no local area network address is present among the one or more target IP addresses, the device further comprises:
a second judging module, configured to judge whether identical addresses are present among the one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
a second determining module, configured to determine that the UE has a DNS full-traffic hijacking risk when identical addresses are present among the one or more target IP addresses.
C9. The device according to C8, characterized in that the device further comprises:
a third determining module, configured to determine that the UE has no DNS full-traffic hijacking risk when no identical addresses are present among the one or more target IP addresses.
C10. The device according to any one of C7-C9, characterized in that the obtaining module is configured to read the one or more target domain names that were issued by a server corresponding to the UE and stored in the storage space of the UE; or to determine, from a plurality of candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
C11. The device according to any one of C7-C9, characterized in that the device further comprises:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
and, when the UE has connected to a new AP, to notify the resolving module to perform DNS resolution on the one or more target domain names.
D12. A device for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
an obtaining module, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
a resolving module, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each of the target domain names, and thereby obtain one or more target IP addresses;
a judging module, configured to judge whether a local area network address is present among the one or more target IP addresses, and whether identical addresses are present among the one or more target IP addresses;
a determining module, configured to determine that the user equipment (UE) has a DNS full-traffic hijacking risk when a local area network address is present among the one or more target IP addresses, or identical addresses are present among the one or more target IP addresses.

Claims (10)

1. A method for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
obtaining one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each of the target domain names, and thereby obtaining one or more target IP addresses;
judging whether a local area network address is present among the one or more target IP addresses;
when a local area network address is present among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijacking risk.
2. The method of claim 1, characterized in that, when no local area network address is present among the one or more target IP addresses, the method further comprises:
judging whether identical addresses are present among the one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
when identical addresses are present among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
3. The method of claim 2, characterized in that the method further comprises:
when no identical addresses are present among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijacking risk.
4. The method of any one of claims 1-3, characterized in that obtaining one or more target domain names for detecting DNS full-traffic hijacking risk comprises:
reading the one or more target domain names that were issued by a server corresponding to the UE and stored in the storage space of the UE; or
determining, from a plurality of candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
5. The method of any one of claims 1-3, characterized in that, before performing DNS resolution on the one or more target domain names, the method further comprises:
judging whether the UE has connected to a new wireless access point (AP);
when the UE has connected to a new AP, executing the step of performing DNS resolution on the one or more target domain names.
6. A method for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
obtaining one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each of the target domain names, and thereby obtaining one or more target IP addresses;
judging whether a local area network address is present among the one or more target IP addresses, and whether identical addresses are present among the one or more target IP addresses;
when a local area network address is present among the one or more target IP addresses, or identical addresses are present among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijacking risk.
7. A device for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
an obtaining module, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names;
a resolving module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each of the target domain names, and thereby obtain one or more target IP addresses;
a first judging module, configured to judge whether a local area network address is present among the one or more target IP addresses;
a first determining module, configured to determine that the user equipment (UE) has a DNS full-traffic hijacking risk when a local area network address is present among the one or more target IP addresses.
8. The device of claim 7, characterized in that, when no local area network address is present among the one or more target IP addresses, the device further comprises:
a second judging module, configured to judge whether identical addresses are present among the one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
a second determining module, configured to determine that the UE has a DNS full-traffic hijacking risk when identical addresses are present among the one or more target IP addresses.
9. The device of claim 8, characterized in that the device further comprises:
a third determining module, configured to determine that the UE has no DNS full-traffic hijacking risk when no identical addresses are present among the one or more target IP addresses.
10. A device for detecting DNS full-traffic hijacking risk, characterized in that it comprises:
an obtaining module, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk; wherein the one or more target domain names are specifically wide area network domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
a resolving module, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each of the target domain names, and thereby obtain one or more target IP addresses;
a judging module, configured to judge whether a local area network address is present among the one or more target IP addresses, and whether identical addresses are present among the one or more target IP addresses;
a determining module, configured to determine that the user equipment (UE) has a DNS full-traffic hijacking risk when a local area network address is present among the one or more target IP addresses, or identical addresses are present among the one or more target IP addresses.
CN201611195637.6A 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk Active CN106790077B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201611195637.6A CN106790077B (en) 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk
PCT/CN2017/117696 WO2018113732A1 (en) 2016-12-21 2017-12-21 Method and apparatus for detecting dns full traffic hijack risk

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611195637.6A CN106790077B (en) 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk

Publications (2)

Publication Number Publication Date
CN106790077A true CN106790077A (en) 2017-05-31
CN106790077B CN106790077B (en) 2020-05-26

Family

ID=58899341

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611195637.6A Active CN106790077B (en) 2016-12-21 2016-12-21 Method and device for detecting DNS full-flow hijacking risk

Country Status (2)

Country Link
CN (1) CN106790077B (en)
WO (1) WO2018113732A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566420A (en) * 2017-10-27 2018-01-09 深信服科技股份有限公司 The localization method and equipment of a kind of main frame by malicious code infections
WO2018113732A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for detecting dns full traffic hijack risk
CN108848076A (en) * 2018-05-31 2018-11-20 上海连尚网络科技有限公司 A kind of method and apparatus for being kidnapped by user equipment detection DNS

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113630409B (en) * 2021-08-05 2023-04-28 哈尔滨工业大学(威海) Abnormal flow identification method based on DNS analysis flow and IP flow fusion analysis

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8271829B2 (en) * 2009-09-29 2012-09-18 Hon Hai Precision Industry Co., Ltd. Network connection device and method for detecting network errors
CN104065762A (en) * 2014-05-30 2014-09-24 小米科技有限责任公司 Method and device for detecting hijacking of DNS (Domain Name Server)
CN104468860A (en) * 2014-12-04 2015-03-25 北京奇虎科技有限公司 Method and device for recognizing risk of domain name resolution server
CN105681358A (en) * 2016-03-31 2016-06-15 北京奇虎科技有限公司 Domain name hijacking detection method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790077B (en) * 2016-12-21 2020-05-26 北京奇虎科技有限公司 Method and device for detecting DNS full-flow hijacking risk
CN106790071B (en) * 2016-12-21 2020-04-03 北京奇虎测腾科技有限公司 Method and device for detecting DNS full-flow hijacking risk


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018113732A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for detecting dns full traffic hijack risk
CN107566420A (en) * 2017-10-27 2018-01-09 深信服科技股份有限公司 The localization method and equipment of a kind of main frame by malicious code infections
CN108848076A (en) * 2018-05-31 2018-11-20 上海连尚网络科技有限公司 A kind of method and apparatus for being kidnapped by user equipment detection DNS
CN108848076B (en) * 2018-05-31 2020-09-25 上海连尚网络科技有限公司 Method and equipment for detecting DNS hijacking through user equipment

Also Published As

Publication number Publication date
WO2018113732A1 (en) 2018-06-28
CN106790077B (en) 2020-05-26

Similar Documents

Publication Publication Date Title
CN106790077A (en) A kind of DNS full flows kidnap the detection method and device of risk
US8055762B2 (en) Method and system for location identification
CN103701793B (en) The recognition methods of server broiler chicken and device
CN108206972B (en) Direct broadcasting room popularity processing method, device, server and storage medium
CN104468860B (en) The recognition methods of domain name resolution server danger and device
CN110635971A (en) Industrial control asset detection and management method and device and electronic equipment
CN107483572A (en) The dispositions method and device of a kind of server
CN106686020A (en) Detection method, device and system for safety of domain names
CN106302862B (en) A kind of collection method and system of DNS recursion server
CN104079575A (en) Home network security management method and device and system
CN111106983B (en) Method and device for detecting network connectivity
CN106534051A (en) Access request processing method and access request processing device
CN109274584A (en) Cut-in method, device, client device and the storage medium of access server
CN106790071A (en) A kind of DNS full flows kidnap the detection method and device of risk
CN108924005A (en) Network detecting method, network detection device, medium and equipment
CN102970282A (en) Website security detection system
Ma et al. DNSRadar: Outsourcing malicious domain detection based on distributed cache-footprints
CN105991797B (en) The method and device of mobile terminal network visiting
CN108156165A (en) A kind of method and system for reporting detection by mistake
CN104426881B (en) A kind of method and device detecting malicious act
CN106454847A (en) Method and device for detecting phishing risk of public WiFi
CN106230775A (en) Prevent from attacking method and the device of URL rule base
EP3382981B1 (en) A user equipment and method for protection of user privacy in communication networks
CN104009896B (en) Node equipment access method, system and device based on MAC address
CN105515909A (en) Data collection test method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210518

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Beijing Hongteng Intelligent Technology Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: Beijing Hongteng Intelligent Technology Co.,Ltd.