CN110602048B - Method and device for preventing domain name hijacking and computer equipment - Google Patents

Method and device for preventing domain name hijacking and computer equipment

Info

Publication number
CN110602048B
Authority
CN
China
Prior art keywords
address
domain name
preset
local server
mapping
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910749610.4A
Other languages
Chinese (zh)
Other versions
CN110602048A (en)
Inventor
张刘立
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN201910749610.4A
Publication of CN110602048A
Application granted
Publication of CN110602048B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L61/3015 Name registration, generation or assignment
    • H04L61/302 Administrative registration, e.g. for domain names at internet corporation for assigned names and numbers [ICANN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method, a device and computer equipment for preventing domain name hijacking, applied to a security cloud server. The server detects whether a first mapping relation between a request domain name reported by an APP local server and the corresponding first IP address is in a preset mapping list; if the mapping is in the preset mapping list, the APP is allowed to access the first IP address, either by an active response or by a passive (no-response) mode; if not, the server judges whether the request domain name is a preset specific domain name; if it is a preset specific domain name, a second IP address is issued for the APP to access; and if it is not a preset specific domain name, the APP is directly forbidden from accessing the first IP address. Network access by the APP is thus monitored dynamically, with the handling chosen according to the situation of the request domain name, so that the security of the user's network access is improved, the APP is less likely to suffer loss, and the user is ensured a good experience.

Description

Method and device for preventing domain name hijacking and computer equipment
Technical Field
The present application relates to the field of APP networks, and in particular, to a method, an apparatus, and a computer device for preventing domain name hijacking.
Background
In modern society, network services have penetrated every aspect of life. A large part of how people acquire knowledge, socialize, and meet their needs for clothing, food and housing depends on network services, which have become an indispensable part of our lives. Therefore, if a network service is attacked, even slight errors can greatly affect people's lives. Domain name hijacking is a form of internet attack in which the domain name of a target website is resolved to an incorrect address by attacking or forging a domain name resolution server (DNS), so that users cannot access the target website. As the value of the internet grows and attracts wider interest, domain name hijacking persists despite repeated prohibition, causing adverse effects for companies and users and even property loss.
Disclosure of Invention
The application mainly aims to provide a method, a device and computer equipment for preventing domain name hijacking, so that the security of user network access is improved, and the APP side is not easy to suffer loss.
The application provides a method for preventing domain name hijacking, which is applied to a security cloud server and comprises the following steps:
acquiring a first mapping relation, reported by an APP local server, between a request domain name and a first IP address corresponding to the request domain name, and detecting whether the first mapping relation is in a preset mapping list, wherein the preset mapping list records the mapping relations between request domain names and their correct IP addresses; the security cloud server is in communication connection with the APP local server;
if the first mapping relation is in the preset mapping list, judging whether the request domain name is in an acquiescent list;
if the request domain name is in the acquiescent list, not responding to the report of the APP local server, so that the APP local server performs network access on the first IP address;
if the request domain name is not in the acquiescent list, sending an allowing instruction to the APP local server, so that the APP local server performs network access on the first IP address;
if the first mapping relation is not in the preset mapping list, judging whether the request domain name is a preset specific domain name in the preset mapping list;
if the request domain name is a preset specific domain name, issuing a second IP address, or a second mapping relation between the second IP address and the request domain name, to the APP local server, so that the APP local server performs network access on the second IP address; the second IP address is the IP address corresponding to the request domain name in the preset mapping list;
and if the request domain name is not a preset specific domain name, prohibiting the APP local server from performing network access on the first IP address.
Further, the method further comprises:
periodically sending a preset domain name to the APP local server; the preset domain name is a domain name stored in the preset mapping list, and the preset domain names include the preset specific domain names;
receiving a third mapping relation, returned by the APP local server, between the preset domain name and a corresponding third IP address, and detecting whether the third mapping relation is in the preset mapping list;
if the third mapping relation is not in the preset mapping list, issuing a fourth IP address, or a fourth mapping relation between the fourth IP address and the preset domain name, to the APP local server, and simultaneously sending the third mapping relation to a preset IP address management page; the fourth IP address is the IP address to which the preset domain name is mapped in the preset mapping list.
Further, if the requested domain name is not the preset specific domain name, the step of prohibiting the APP local server from performing network access to the first IP address includes:
querying whether the first mapping relation between the request domain name and the first IP address exists in the detection cache and the report record;
if the first mapping relation does not exist in the detection cache or the report record, placing a suspected hijacking mark on the request domain name, and forbidding the APP local server from performing network access on the first IP address;
if the first mapping relation exists in the detection cache or the report record, detecting whether a suspected hijacking mark exists on the first IP address in the first mapping relation;
if the suspected hijacking mark exists, directly forbidding the APP local server from performing network access on the first IP address;
and if the suspected hijacking mark does not exist, sending the first mapping relation to the preset IP address management page, and forbidding the APP local server from performing network access on the first IP address.
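The server-side decision described above, including the suspected-hijacking sub-steps, can be sketched as follows. This is an added example, not code from the patent: the class and field names, the `example.test` and `partner.test` domains, the documentation-range IP addresses, the name and address normalization, and the choice to key the suspected-hijacking mark on the whole (domain, IP) mapping are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    NO_RESPONSE = "no_response"  # stay silent; the client proceeds after its timeout
    ALLOW = "allow"              # explicit allowing instruction
    REPLACE = "replace"          # issue the second IP address
    FORBID = "forbid"            # prohibit access to the first IP address


def normalize(domain: str, ip: str) -> tuple:
    """Canonical (domain, ip): case, a trailing dot or IPv6 spelling must not cause a false mismatch."""
    return domain.strip().rstrip(".").lower(), str(ipaddress.ip_address(ip.strip()))


@dataclass
class SecurityCloud:
    preset_mapping: dict    # request domain name (lower case) -> correct IP address
    specific_domains: set   # preset specific domain names, a subset of preset_mapping
    acquiescent_list: set   # lower-risk domains handled by not responding
    seen: set = field(default_factory=set)               # detection cache + report record
    suspected: set = field(default_factory=set)          # mappings carrying a suspected-hijacking mark
    management_page: list = field(default_factory=list)  # stand-in for the IP address management page

    def check(self, domain: str, first_ip: str) -> tuple:
        """Return (verdict, second_ip_or_None) for one reported first mapping relation."""
        try:
            domain, first_ip = normalize(domain, first_ip)
        except ValueError:
            return Verdict.FORBID, None  # assumption: a malformed report fails closed
        if self.preset_mapping.get(domain) == first_ip:
            # Mapping is in the preset list: choose the passive or the active allow.
            if domain in self.acquiescent_list:
                return Verdict.NO_RESPONSE, None
            return Verdict.ALLOW, None
        if domain in self.specific_domains and domain in self.preset_mapping:
            # Mismatch on a preset specific domain: hand back the recorded address.
            return Verdict.REPLACE, self.preset_mapping[domain]
        return self._forbid((domain, first_ip)), None

    def _forbid(self, mapping: tuple) -> Verdict:
        """Mismatch on any other domain: always forbid, escalating as described in the sub-steps."""
        if mapping not in self.seen:
            self.seen.add(mapping)       # assumption: the report is recorded at this point
            self.suspected.add(mapping)  # first sighting: place the suspected-hijacking mark
        elif mapping not in self.suspected:
            self.management_page.append(mapping)  # known but unmarked: send for manual review
        return Verdict.FORBID


def demo_cloud() -> SecurityCloud:
    """Constructed sample data (reserved documentation addresses and test domains)."""
    return SecurityCloud(
        preset_mapping={
            "api.example.test": "192.0.2.10",
            "static.example.test": "192.0.2.20",
            "v6.example.test": "2001:db8::1",
            "pay.partner.test": "198.51.100.7",  # third-party address agreed in advance
        },
        specific_domains={"api.example.test", "static.example.test", "v6.example.test"},
        acquiescent_list={"static.example.test"},
    )


if __name__ == "__main__":
    cloud = demo_cloud()
    reports = [
        ("static.example.test", "192.0.2.20"),
        ("API.Example.test.", "192.0.2.10"),
        ("api.example.test", "203.0.113.66"),
        ("pay.partner.test", "203.0.113.66"),
        ("pay.partner.test", "203.0.113.66"),
    ]
    for name, ip in reports:
        print(name, ip, cloud.check(name, ip))
```
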
The application also provides a method for preventing domain name hijacking, which is applied to the APP local server and comprises the following steps:
judging whether the current cache data volume in the local cache reaches a preset data volume threshold value or not, and judging whether the current time is a reporting time point or not;
if the current cache data volume reaches a preset data volume threshold value and/or the current time is a reporting time point, reporting a first mapping relation between the request domain name and the corresponding first IP address to a security cloud server in batch; the APP local server is in communication connection with the security cloud server;
judging whether a feedback message sent by a security cloud server is received or not within a preset time period; the feedback message comprises one of a second IP address, a second mapping relation between the second IP address and the request domain name, an allowing instruction or a prohibiting instruction;
if the allowing instruction is received or no feedback message is received within the preset time period, performing network access on the first IP address;
if the second IP address or the second mapping relation is received within the preset time period, replacing the first IP address in the first mapping relation with the second IP address, or replacing the first mapping relation with the second mapping relation, and performing network access on the second IP address;
and if the prohibiting instruction is received within the preset time period, stopping network access to the first IP address.
Further, before the step of reporting the first mapping relationship between the request domain name and the corresponding first IP address to the secure cloud server in batch, the method further includes:
sending the request domain name to a DNS (domain name server) server, and receiving a first IP address returned by the DNS server, wherein the first IP address is the resolved IP address obtained by the DNS server according to the request domain name;
and storing a first mapping relation between the request domain name and the first IP address into a local cache, and updating the current cache data volume.
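The client-side flow above (cache the DNS answer, report in batches, then act on whatever feedback arrives within the preset time period) can be sketched as follows. This is an added example, not code from the patent: the class name, the feedback message shape (`{"type": ...}`), the use of entry count as the "data volume", the in-process queue standing in for the link to the security cloud server, and the sample domains and addresses are assumptions.

```python
import queue
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalServer:
    threshold: int          # preset data volume threshold (assumed: number of cached mappings)
    report_interval: float  # seconds between reporting time points
    cache: dict = field(default_factory=dict)    # request domain name -> IP address in use
    pending: list = field(default_factory=list)  # first mapping relations not yet reported
    blocked: set = field(default_factory=set)    # (domain, ip) pairs under a prohibiting instruction
    last_report: float = 0.0

    def record_resolution(self, domain: str, first_ip: str) -> None:
        """Store the DNS answer locally and queue it for the next batch report."""
        self.cache[domain] = first_ip
        self.pending.append((domain, first_ip))

    def take_batch(self, now: float) -> list:
        """Return the batch to report if the threshold or a reporting time point is reached."""
        due = (len(self.pending) >= self.threshold
               or now - self.last_report >= self.report_interval)
        if not due or not self.pending:
            return []
        batch, self.pending = self.pending, []
        self.last_report = now
        return batch

    def apply_feedback(self, domain: str, feedback: Optional[dict]) -> Optional[str]:
        """Return the IP address to access, or None when access must stop."""
        kind = "none" if feedback is None else feedback.get("type")
        if kind in ("none", "allow"):
            # Allowing instruction, or silence for the whole preset time period.
            return self.cache.get(domain)
        if kind == "replace":
            # Second IP address received: overwrite the cached first mapping relation,
            # so later lookups are served the corrected address from the local cache.
            self.cache[domain] = feedback["ip"]
            return feedback["ip"]
        # Prohibiting instruction. Assumption: an unrecognised message type is
        # treated the same way, so a garbled reply cannot be read as permission.
        first_ip = self.cache.pop(domain, None)
        self.blocked.add((domain, first_ip))
        return None


def wait_for_feedback(inbox: queue.Queue, preset_period: float) -> Optional[dict]:
    """Wait up to the preset time period; None means no feedback message arrived."""
    try:
        return inbox.get(timeout=preset_period)
    except queue.Empty:
        return None


if __name__ == "__main__":
    app = LocalServer(threshold=2, report_interval=60.0)
    inbox = queue.Queue()  # constructed stand-in for messages from the security cloud server
    app.record_resolution("api.example.test", "203.0.113.66")
    app.record_resolution("pay.partner.test", "203.0.113.99")
    print("report:", app.take_batch(now=11.0))
    inbox.put({"type": "replace", "ip": "192.0.2.10"})
    print(app.apply_feedback("api.example.test", wait_for_feedback(inbox, 0.05)))
    print(app.apply_feedback("pay.partner.test", {"type": "forbid"}))
```

The no-feedback branch proceeds to the first IP address, as the method specifies, so a security cloud server that is slow or unreachable leaves the DNS answer unchecked for that request.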
Further, the method further comprises:
when network access is performed on the first IP address or the second IP address, parsing the page code of the accessed page to acquire first control data of the accessed page;
judging whether the first control data is consistent with second control data in a preset protocol;
and if they are inconsistent, stopping network access to the first IP address or the second IP address.
Further, the step of determining whether the first control data is consistent with the second control data in the preset protocol includes:
judging whether a difference value exists between the first control data and the second control data;
if so, judging whether the page control generating the difference value is in an error allowable area of the access page;
if the page control is not in the error allowable area, judging that the first control data is inconsistent with the second control data;
if the page control is in the error allowable area, judging whether the difference value is larger than or equal to a preset difference value;
and if the difference value is larger than or equal to the preset difference value, judging that the first control data is inconsistent with the second control data.
The application also provides a device for preventing domain name hijacking, which comprises:
the acquisition module is used for acquiring a first mapping relation, reported by an APP local server, between a request domain name and a first IP address corresponding to the request domain name, and detecting whether the first mapping relation is in a preset mapping list, wherein the preset mapping list records the mapping relations between request domain names and their correct IP addresses; the acquisition module is in communication connection with the APP local server;
the first judgment module is used for judging whether the request domain name is in an acquiescent list if the first mapping relation is in the preset mapping list;
the first response module is used for not responding to the report of the APP local server if the request domain name is in the acquiescent list, so that the APP local server performs network access on the first IP address;
the second response module is used for sending an allowing instruction to the APP local server if the request domain name is not in the acquiescent list, so that the APP local server performs network access on the first IP address;
the second judgment module is used for judging whether the request domain name is a preset specific domain name in the preset mapping list or not if the first mapping relation is not in the preset mapping list;
the sending module is used for issuing a second IP address or a second mapping relation between the second IP address and the request domain name to the APP local server if the request domain name is a preset specific domain name, so that the APP local server can perform network access on the second IP address; the second IP address is an IP address corresponding to the request domain name in a preset mapping list;
and the forbidding module is used for forbidding the APP local server to perform network access on the first IP address if the request domain name is not the preset specific domain name.
The application also provides a device for preventing domain name hijacking, which comprises:
the third judging module is used for judging whether the current cache data volume in the local cache reaches a preset data volume threshold value and judging whether the current time is a reporting time point;
the reporting module is used for reporting a first mapping relation between the request domain name and the corresponding first IP address to the security cloud server in batch if the current cache data volume reaches a preset data volume threshold and/or the current time is a reporting time point; the reporting module is in communication connection with the secure cloud server;
the fourth judging module is used for judging whether a feedback message sent by the security cloud server is received or not within a preset time period; the feedback message comprises one of a second IP address, a second mapping relation between the second IP address and the request domain name, an allowing instruction or a prohibiting instruction;
the first access module is used for performing network access on the first IP address if an allowing instruction is received or no feedback message is received within a preset time period;
the second access module is used for replacing the first IP address in the first mapping relation with the second IP address or replacing the first mapping relation with the second mapping relation and performing network access on the second IP address if the second IP address or the second mapping relation is received within a preset time period;
and the stopping module is used for stopping network access to the first IP address if the prohibiting instruction is received within the preset time period.
The present application further proposes a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the steps of any of the above methods when executing the computer program.
Compared with the prior art, the application has the following beneficial effects: the security cloud server obtains the first mapping relation between a request domain name reported by an APP local server and the corresponding first IP address, and detects whether the first mapping relation is in a preset mapping list; if the mapping is in the preset mapping list, the APP is allowed to access the first IP address, either by an active response or by a passive (no-response) mode; if not, the server judges whether the request domain name is a preset specific domain name; if it is a preset specific domain name, a second IP address is issued for the APP to access; and if it is not a preset specific domain name, the APP is directly forbidden from accessing the first IP address. Network access by the APP is thus monitored dynamically, with the handling chosen according to the situation of the request domain name, so that the security of the user's network access is improved, the APP is less likely to suffer loss, and the user is ensured a good experience.
Drawings
FIG. 1 is a schematic diagram illustrating steps of a method for preventing domain name hijacking according to an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating steps of a method for preventing domain name hijacking according to another embodiment of the present application;
FIG. 3 is a block diagram illustrating an apparatus for preventing domain name hijacking according to an embodiment of the present application;
FIG. 4 is a block diagram of an apparatus for preventing domain name hijacking according to another embodiment of the present application;
FIG. 5 is a block diagram illustrating the modules of a computer device according to an embodiment of the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that all directional indicators (such as upper, lower, left, right, front and rear ...) in the embodiments of the present application are only used to explain the relative positional relationship between the components, the movement situation, etc. in a specific posture (as shown in the drawings); if the specific posture is changed, the directional indicator changes accordingly, and a connection may be a direct connection or an indirect connection.
In addition, descriptions in this application such as "first" and "second" are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions of the various embodiments may be combined with each other, provided that the combination can be realized by a person skilled in the art; when technical solutions are contradictory or cannot be realized, such a combination should be considered not to exist and is not within the protection scope of the present application.
Referring to fig. 1, the present application provides a method for preventing domain name hijacking in an embodiment, which is applied to a secure cloud server and mainly includes the following steps:
S1a: acquiring a first mapping relation, reported by an APP local server, between a request domain name and a first IP address corresponding to the request domain name, and detecting whether the first mapping relation is in a preset mapping list, wherein the preset mapping list records the mapping relations between request domain names and their correct IP addresses;
S2a: if the first mapping relation is in the preset mapping list, judging whether the request domain name is in an acquiescent list;
S2a1: if the request domain name is in the acquiescent list, not responding to the report of the APP local server, so that the APP local server performs network access on the first IP address;
S2a2: if the request domain name is not in the acquiescent list, sending an allowing instruction to the APP local server, so that the APP local server performs network access on the first IP address;
S3a: if the first mapping relation is not in the preset mapping list, judging whether the request domain name is a preset specific domain name;
S3a1: if the request domain name is a preset specific domain name, issuing a second IP address, or a second mapping relation between the second IP address and the request domain name, to the APP local server, so that the APP local server performs network access on the second IP address; the second IP address is the IP address corresponding to the request domain name in the preset mapping list;
S3a2: and if the request domain name is not a preset specific domain name, prohibiting the APP local server from performing network access on the first IP address.
In implementing the above steps, when the APP local server accesses a specific website, it first sends the domain name of the website to be accessed to the DNS server for query; in this embodiment, the domain name that the APP local server queries from the DNS server is referred to as the request domain name. The DNS server then replies to the APP local server with the IP address corresponding to the request domain name; in this embodiment, the IP address returned by the DNS server is referred to as the first IP address, and the mapping relation between the request domain name and the first IP address is referred to as the first mapping relation. Finally, the APP local server performs the specific network access according to the first IP address. In a specific embodiment, after receiving the first IP address returned by the DNS server, the APP local server reports the first mapping relation between the request domain name and the corresponding first IP address to the security cloud server. The security cloud server is a security center that monitors and analyzes all network requests of the APP local server and issues notifications of abnormal events. The preset mapping list records the mapping relations between certain specific domain names and IP addresses; that is, for the security cloud server, the correct IP address for each of these domain names is the IP address recorded in the preset mapping list. In this embodiment, the IP address recorded in the preset mapping list is referred to as the second IP address, and the mapping relation between the request domain name and the second IP address is referred to as the second mapping relation.
Detecting whether the first mapping relation between the request domain name reported by the APP local server and the corresponding first IP address is in the preset mapping list amounts to detecting whether the first mapping relation is consistent with the second mapping relation, that is, whether the first IP address returned by the DNS server is the correct IP address.
If the security cloud server detects that the first mapping relation between the request domain name reported by the APP local server and the corresponding first IP address is in the preset mapping list, the first IP address returned to the APP local server by the DNS server is consistent with the preset IP address, and the APP local server can safely perform network access on the correct first IP address. In this case, the security cloud server may adopt two different processing modes. One is an active processing mode: an allowing instruction is issued to the APP local server, and the APP local server performs network access on the first IP address only after receiving the allowing instruction issued by the security cloud server. The other is a passive processing mode: no response is given to the report of the APP local server within a preset time period, and if the APP local server does not receive a reply from the security cloud server within the preset time period, it performs network access on the first IP address. In some embodiments, because the APP local server reports a large volume of data, handling every report by issuing an allowing instruction would place high demands on the concurrent processing capability of the security cloud server, whereas handling every report passively could, if the preset time period is too short, mean that processing is not timely enough and the APP local server performs network access on a wrong first IP address.
Therefore, the security cloud server uses both processing modes together. For request domain names with a higher degree of importance or a higher risk coefficient, it issues an allowing instruction. Request domain names with a lower degree of importance or a lower risk coefficient are placed in the acquiescent list and are handled by not responding to the report of the APP local server within the preset time period. For each request domain name, the security cloud server judges whether it is in the acquiescent list and chooses the processing mode dynamically, which reduces the requirement on the parallel processing capability of the security cloud server while ensuring that the APP local server performs network access on a correct first IP address.
If the security cloud server detects that the first mapping relation between the request domain name reported by the APP local server and the corresponding first IP address is not in the preset mapping list, the first IP address returned to the APP local server by the DNS server is not consistent with the preset IP address; that is, the first IP address may be a wrong IP address, and the request domain name requested by the APP local server may have been hijacked at the DNS server. At this point, the security cloud server further judges whether the request domain name requested by the APP local server is a preset specific domain name. In a specific embodiment, the request domain names of the network requests sent by the APP local server are strongly directional: compared with a web browser, an APP local server developed by an organization or an individual requests a number of request domain names that are frequently used and generally fixed, for example pointing to several web pages specified by the organization or individual. Therefore, the request domain names reported by the APP local server can basically all be recorded in the preset mapping list of the security cloud server, and, according to user selection, a part of these request domain names are stored in the preset mapping list as preset specific domain names, together with the second mapping relations to their correct second IP addresses, for monitoring and query. In a specific application, a preset specific domain name is a domain name owned by the company or person that owns the APP local server; domain names owned by third-party service providers are not included in the range of preset specific domain names.
If the request domain name requested by the APP local server is a preset specific domain name, the security cloud server sends the second mapping relation between the request domain name and the second IP address in the preset mapping list to the APP local server, the second IP address replaces the first IP address as the result of the domain name resolution request, and the APP local server finally performs network access on the second IP address. This prevents the APP local server from accessing a wrong first IP address because the domain name was hijacked, improves the security of the user's network access, and makes the APP local server less likely to suffer loss. In some embodiments, while issuing the second IP address, the security cloud server also sends an abnormal-event warning to the data maintenance background, informing it that the request domain name of the APP local server may have been hijacked at the DNS server. In some embodiments, the APP local server reports the first mapping relation between the request domain name and the first IP address to the security cloud server for monitoring and analysis before each network access to the first IP address; when the first IP address is incorrect, the security cloud server directly issues the second IP address to replace the first IP address, and the APP local server performs network access directly on the second IP address; when the first IP address is correct, the APP local server accesses the first IP address directly after receiving no reply from the security cloud server for the preset time.
In other embodiments, the APP local server first caches the obtained first IP address and request domain name, and reports them to the security cloud server in batch when the cached data volume reaches a certain preset value or after a preset reporting time has elapsed. The security cloud server then returns the second mapping relation between the second IP address and the request domain name to the APP local server, and the APP local server, after receiving the second mapping relation, replaces the first mapping relation in its local cache with the second mapping relation. When the APP local server later needs to perform network access for the request domain name, it can obtain the correct second IP address directly from the second mapping relation in the local cache.
Most APP local servers need to access both the network server of the main company and the SDK of the external partner (need to access the server of the third party company), so the first IP address obtained by the DNS server through resolution according to the requested domain name of the APP local server may point to the third party server (i.e. access the third party web page in the APP local server). Compared with the network server of the APP local server main body company, the third-party server does not have determined directivity, and the IP address of the third-party server may be changed, so the secure cloud server cannot determine the real-time correct IP address of the third-party server, and the secure cloud server generally can only determine whether the first IP address is the same as the third-party IP address agreed in advance. Therefore, when the requested domain name is not the preset specific domain name, that is, when the APP local server requests access to the third-party page, if the first IP address returned by the DNS server is different from the record in the preset mapping list, the APP local server is directly prohibited from accessing the network of the first IP address, thereby avoiding the loss that the user may suffer, and improving the security of the network access of the user. 
In other embodiments, the secure cloud server may further perform information linkage with a third-party server, and when the first IP address is the third-party IP address, perform risk judgment on the first IP address in combination with the third-party server, and under the condition that the first IP address is correct, if a result of performing risk judgment on the first IP address is unsafe, that is, when the first IP address is considered to be hijacked possibly in combination with information shared by the third-party server, the network access of the APP local server to the first IP address may also be prohibited, so that the security of the network access of the user is further improved.
The application provides a method for preventing domain name hijacking, which is applied to a security cloud server, and is used for detecting whether a request domain name reported by an APP local server and a first mapping relation between the request domain name and a corresponding first IP address are in a preset mapping list or not; if the address is in the preset mapping list, allowing the APP to access the first IP address in a positive response mode or a negative response mode; if not, judging whether the request domain name is a preset specific domain name; if the domain name is preset, issuing a second IP address for the APP to access; and if the domain name is not the preset specific domain name, directly forbidding the APP to access the first IP address. When the network access of the APP is monitored safely, a dynamic monitoring processing mode is adopted, and a corresponding processing mode is adopted according to different conditions of the request domain name, so that the safety of the network access of the user is improved, the APP is not easy to suffer from loss, and the user is ensured to have good use experience.
In some embodiments, the method of preventing domain name hijacking further comprises:
S4a: sending a preset domain name to an APP local server at regular intervals; the preset domain name is a domain name stored in a preset mapping list, and the preset domain name comprises a preset specific domain name;
S5a: receiving a third mapping relation between a preset domain name returned by the APP local server and a corresponding third IP address, and detecting whether the third mapping relation is in a preset mapping list;
S6a: if the third mapping relation is not in the preset mapping list, issuing a fourth IP address or a fourth mapping relation between the fourth IP address and a preset domain name to the APP local server, and simultaneously sending the third mapping relation to a preset IP address management page; the fourth IP address is the IP address to which the preset domain name is mapped in the preset mapping list.
When the above steps are implemented, in some embodiments, the secure cloud server can monitor and analyze all network requests of the APP local server, and can actively issue a domain name detection task to the APP local server, that is, send a preset domain name in the preset mapping list to the APP local server, so as to verify whether an IP address resolution result corresponding to the preset domain name is correct. Therefore, both the internal domain name of the APP host operating company and the external domain name of the third party company or the service provider exist in the preset mapping list, where the internal domain name and the external domain name are preset domain names, and the internal domain name is the preset specific domain name, so the preset domain name includes the preset specific domain name.
After issuing the preset domain name to the APP local server, receiving the preset domain name returned by the APP local server and the IP address obtained by resolution, in this embodiment, the IP address obtained by the APP local server according to the preset domain name issued by the security cloud server is referred to as a third IP address, and a mapping relationship between the preset domain name and the third IP address is referred to as a third mapping relationship. For the secure cloud server, a fourth IP address having a fourth mapping relationship with the preset domain name in the preset mapping list is a correct IP address, and it is detected whether the third mapping relationship is in the preset mapping list, that is, whether an IP address resolution result of the DNS server on the preset domain name is correct.
If the third mapping relation is not in the preset mapping list, the security cloud server considers that the IP address resolution result of the DNS server for the preset domain name is incorrect, that the DNS server may have been hijacked, and that the APP local server cannot correctly access the preset domain name. It therefore issues the correct fourth IP address, or the fourth mapping relation between the fourth IP address and the preset domain name, to the APP local server; the mapping relation is established between the third IP address and the preset domain name and is cached in a local server of the APP local server.
In some embodiments, the secure cloud server further determines whether the returned first IP address is an incorrect IP address by monitoring the response time or the survival value of the query message of the domain name request. The response time is the time from when the APP local server sends the domain name request to when the DNS server returns the IP address to the APP local server. If the response time of the DNS request is detected to be faster than a preset fastest theoretical response time, the IP address was likely not returned by the DNS server but by a server with a shorter response route, and the domain name request of the APP local server has been hijacked; the secure cloud server then issues the correct fourth IP address or the fourth mapping relationship between the fourth IP address and the preset domain name to the APP local server.
The survival value (Time To Live) represents the maximum number of network segments an IP packet is allowed to pass through before it is dropped by a router. Along the whole response path, each router that an IP data packet passes through subtracts 1 from the survival value field and then forwards the packet. The larger the survival value of the obtained query message, the fewer routers lie between the two hosts and the closer the two hosts are. If the survival value in the query message is detected to be larger than the maximum theoretical survival value, the response route of the server that answered the domain name request is shorter than the shortest correct response route; the IP address was probably not returned by the DNS server and the domain name request of the APP local server has been hijacked, so the secure cloud server issues the correct fourth IP address or the fourth mapping relationship between the fourth IP address and the preset domain name to the APP local server.
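The active detection task (S4a to S6a) and the two reply heuristics described above can be sketched as follows. This is an added example, not code from the patent; the domain names, addresses, thresholds and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: example domains and documentation-range addresses.
# The two thresholds are assumptions, not values given in the patent.
PRESET_MAPPING = {
    "pay.app.example": "192.0.2.10",
    "cdn.partner.example": "198.51.100.20",
}
FASTEST_THEORETICAL_MS = 8.0   # no legitimate resolver path answers faster than this
MAX_THEORETICAL_TTL = 58       # largest TTL a reply on the shortest correct route carries


@dataclass
class ProbeResult:
    """Third mapping relation returned by the APP local server for one probe."""
    domain: str
    third_ip: str
    response_ms: float   # time from sending the DNS query to receiving the answer
    reply_ttl: int       # TTL observed on the DNS reply packet


def audit_probe(result, preset=PRESET_MAPPING,
                fastest_ms=FASTEST_THEORETICAL_MS, max_ttl=MAX_THEORETICAL_TTL):
    """Return (reasons, fourth_ip); an empty reasons list means the probe looks clean.

    Only preset domains are probed, so the lookup in `preset` always succeeds.
    """
    fourth_ip = preset[result.domain]
    reasons = []
    if result.third_ip != fourth_ip:
        reasons.append("mapping_not_in_preset_list")
    if result.response_ms < fastest_ms:
        reasons.append("response_faster_than_theoretical_minimum")
    if result.reply_ttl > max_ttl:
        reasons.append("ttl_above_theoretical_maximum")
    return reasons, (fourth_ip if reasons else None)


def run_detection_task(results):
    """S5a/S6a: collect the fourth IPs to issue and the mappings for the management page."""
    corrections, management_page = {}, []
    for result in results:
        reasons, fourth_ip = audit_probe(result)
        if not reasons:
            continue
        corrections[result.domain] = fourth_ip
        # S6a forwards the third mapping only when it is missing from the preset list.
        if "mapping_not_in_preset_list" in reasons:
            management_page.append((result.domain, result.third_ip))
    return corrections, management_page
```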
In some embodiments, if the requested domain name is not the predetermined specific domain name, the step S5a of prohibiting the network access to the first IP address by the APP local server includes:
S3a21: querying whether a first mapping relation between the request domain name and the first IP address exists in the detection cache and the report record;
S3a22: if the first mapping relation does not exist in the detection cache or the report record, making a suspected hijacking mark on the request domain name, and forbidding the APP local server to perform network access on the first IP address;
S3a23: if the first mapping relation exists in the detection cache or the report record, detecting whether a suspected hijacking mark exists for the first IP address in the first mapping relation;
S3a24: if the suspected hijacking mark exists, directly forbidding the APP local server to perform network access on the first IP address;
S3a25: if the suspected hijacking mark does not exist, sending the first mapping relation to a preset IP address management page, and forbidding the APP local server to perform network access on the first IP address.
When the above steps are implemented, if it is detected that the requested domain name is not the preset specific domain name, that is, when it is detected that the page to be accessed according to the requested domain name is the third party page, whether a first mapping relation between the requested domain name and the first IP address exists is queried in the detection cache and the report record. The detection cache refers to a cache left after the security cloud server detects the mapping relation between the domain name and the IP address reported by the APP local server, and the detection cache stores the request domain name and the corresponding IP address reported by the APP local server received by the security cloud server within a recent period of time; the reporting record refers to a record made by the secure cloud server on a mapping relationship between the domain name and the IP address reported by the APP local server, and the reporting record stores a request domain name and a corresponding IP address reported by the APP local server, which are received by the secure cloud server from a recording time point.
During query, if a first mapping relation does not exist in a detection cache or a report record, it is indicated that a first IP address corresponding to the requested domain name is a newly-appeared IP address, network access is never performed on the first IP address in the previous request, and on the premise that the access address of the APP local server is relatively fixed, the first IP address may be a wrong IP address after hijacking, so that a suspected hijacking mark is made on the requested domain name, network access performed by the APP local server to the first IP address is prohibited, and the security of network access performed by a user is ensured. In some embodiments, the administrator can perform certification and management on the first IP address according to the suspected hijacking mark, and if the first IP address is found to be a newly replaced correct IP address in subsequent certification, the suspected hijacking mark is cancelled and added into a preset mapping list; if the first IP address is found to be the wrong IP address, a suspected hijacking mark is kept for the first IP address, and the safety cloud server directly prohibits the APP local server from performing network access on the first IP address according to the suspected hijacking mark in subsequent detection.
If the first mapping relation exists in the detection cache or the report record, whether a suspected hijacking mark exists in a first IP address in the first mapping relation is detected; if the suspected hijacking mark exists, the fact that the first mapping relation between the first IP address and the request domain name exists once is shown, but the correctness of the mapping relation is still not proved, and the suspected hijacking mark shows that the risk that the request domain name is hijacked possibly exists, so that the network access of the APP local server to the first IP address is directly prohibited.
If the suspected hijacking mark does not exist, it is indicated that the first mapping relation between the first IP address and the request domain name has appeared once and also correctly existed in a certain period of time in the past, and now the first mapping relation does not exist in the preset mapping list for some reasons, and there is a risk that the request domain name is hijacked possibly, so that the first mapping relation is sent to a preset IP address management page, so that a manager can check whether the record of the preset mapping list is wrong, and thus the correct first mapping relation is recorded in time, the user is prevented from being unable to perform network access on the correct first IP address, and the network access of the APP local server on the first IP address is prohibited. In the query, whether the first mapping relationship between the request domain name and the first IP address exists is queried, but whether the first IP address exists is not directly queried, because the first IP address may not be a malicious IP address, and may be a correct mapping address of other request domain names, and thus appears in the detection cache or the report record, if the first IP address exists, it is impossible to confirm which request domain name corresponds to the first IP address.
In some embodiments, the security cloud server first queries the first mapping relationship in the detection cache. If it is found there, the report record does not need to be queried; if it is not found in the detection cache, the report record is queried next. Because querying the temporary detection cache is faster than querying the dedicated report record, querying the detection cache first and the report record second lets the secure cloud server react more quickly to the first mapping relation reported by the APP local server.
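The decision flow on the secure cloud server, including the third-party branch S3a21 to S3a25, can be written out as below. This is an added example and not the patent's own code: the class and field names are hypothetical, the preset mapping list is assumed to hold one IP address per domain, and the suspected hijacking mark is assumed to be kept per (domain, IP) pair.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    NO_RESPONSE = "no_response"   # negative response: silence lets the APP proceed
    ALLOW = "allow"               # positive response: explicit allow instruction
    REPLACE = "replace"           # issue the second IP address
    PROHIBIT = "prohibit"         # forbid access to the first IP address


@dataclass
class SecureCloudServer:
    preset_mapping: dict            # request domain -> correct IP address
    specific_domains: set           # preset specific (internal) domain names
    default_list: set               # domains answered by silence when correct
    detection_cache: set = field(default_factory=set)    # recent (domain, ip) reports
    report_record: set = field(default_factory=set)      # long-term (domain, ip) reports
    suspected: set = field(default_factory=set)          # suspected hijacking marks
    management_page: list = field(default_factory=list)  # mappings queued for review
    alerts: list = field(default_factory=list)           # warnings to the maintenance background

    def check(self, domain, first_ip):
        """Return (Verdict, second_ip_or_None) for one reported first mapping."""
        mapping = (domain, first_ip)
        try:
            return self._decide(domain, first_ip, mapping)
        finally:
            # Every report is remembered, but only after it has been judged.
            self.detection_cache.add(mapping)
            self.report_record.add(mapping)

    def _decide(self, domain, first_ip, mapping):
        if self.preset_mapping.get(domain) == first_ip:
            silent = domain in self.default_list
            return (Verdict.NO_RESPONSE if silent else Verdict.ALLOW), None
        if domain in self.specific_domains:
            self.alerts.append(mapping)
            return Verdict.REPLACE, self.preset_mapping[domain]
        # Third-party domain. S3a21: detection cache first, then the report record.
        seen = mapping in self.detection_cache or mapping in self.report_record
        if not seen:                          # S3a22: new mapping, mark it
            self.suspected.add(mapping)
        elif mapping not in self.suspected:   # S3a25: once valid, ask an admin to review
            self.management_page.append(mapping)
        return Verdict.PROHIBIT, None         # S3a22, S3a24 and S3a25 all prohibit


def build_demo_server():
    """Constructed sample state: example domains and documentation-range addresses."""
    return SecureCloudServer(
        preset_mapping={
            "pay.app.example": "192.0.2.10",
            "login.app.example": "192.0.2.11",
            "cdn.partner.example": "198.51.100.20",
        },
        specific_domains={"pay.app.example", "login.app.example"},
        default_list={"pay.app.example"},
    )
```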
Referring to fig. 2, in an embodiment of the present invention, a method for preventing domain name hijacking is further provided, and is applied to an APP local server, and mainly includes the following steps:
S1b: judging whether the current cache data volume in the local cache reaches a preset data volume threshold value or not, and judging whether the current time is a reporting time point or not;
S2b: if the current cache data volume reaches a preset data volume threshold value and/or the current time is a reporting time point, reporting a first mapping relation between the request domain name and the corresponding first IP address to a security cloud server in batch;
S3b: judging whether a feedback message sent by a security cloud server is received or not within a preset time period; the feedback message comprises one of a second IP address, a second mapping relation between the second IP address and the request domain name, an allowing instruction or a prohibiting instruction;
S4b: if the permission instruction is received or no feedback message is received within a preset time period, carrying out network access on the first IP address;
S5b: if the second IP address or the second mapping relation is received within a preset time period, replacing the first IP address in the first mapping relation with the second IP address, or replacing the first mapping relation with the second mapping relation, and accessing the second IP address;
S6b: if the prohibition instruction is received within the preset time period, stopping network access to the first IP address.
When the above steps are implemented, in some embodiments, because the number of users of the APP local server is large and network requests are frequent, if the secure cloud server replies in real time to each network request at the front end of the APP local server, firstly, there is a high requirement on the computation amount of the secure cloud server, and when the access amount is large, the concurrent processing capability of the secure cloud server may be insufficient, which may result in failure to perform monitoring; secondly, because the domain name directivity of the network request sent by the APP local server is strong, a plurality of fixed domain names are generally requested frequently in the APP local server, for example, the domain names point to a plurality of APP local server main body mechanisms or personally-specified webpages, and if each request is replied in real time, the monitoring efficiency and quality cannot be improved. Therefore, after receiving the first IP address returned by the DNS server each time, the APP local server does not report the first IP address to the security cloud server in real time, but caches the request domain name and the corresponding first IP address first, and reports the cached first mapping relationship between the request domain name and the corresponding first IP address to the security cloud server in batch after the cached data amount reaches a preset number value or reaches a preset reporting time point, so that the security cloud server performs detection and screening, and reduces the parallel processing amount of the security cloud server.
After the APP local server reports the cached request domain name and the first mapping relation of the corresponding first IP address to the security cloud server in batch, whether a second IP address issued by the security cloud server or a second mapping relation between the second IP address and the request domain name is received is judged, that is, whether the first mapping relation between the request domain name and the corresponding first IP address is wrong is judged.
Judging whether a feedback message sent by a security cloud server is received or not within a preset time period; the feedback message comprises a second IP address or a second mapping relation, an allowing instruction or a prohibiting instruction; if the permission instruction is received or no feedback message is received within the preset time period, the first mapping relation is correct, and the APP local server performs network access on the first IP address.
If the second IP address or the second mapping relation is received within the preset time period, the first IP address in the first mapping relation is replaced by the second IP address, or the first mapping relation is replaced by the second mapping relation, and the second IP address is accessed, it is indicated that the IP address resolution result of the DNS server for the requested domain name is incorrect, namely the first mapping relation is incorrect. At this moment, if the APP local server is just in a state of accessing the first IP address, namely the APP local server reports a first mapping relation between the request domain name and the first IP address to the security cloud server for monitoring and analysis before performing network access on the first IP address, when the first IP address is wrong, the security cloud server directly issues a second IP address to replace the first IP address, and finally the APP local server directly performs network access on the second IP address. If the APP local server is in timing/quantitative batch reporting, and network access is not performed on the first IP address at this time, the security cloud server returns a second mapping relation between the second IP address and the requested domain name to the APP local server, the APP local server replaces the first mapping relation cached in the local server with the second mapping relation after receiving the second mapping relation, and the APP local server can directly obtain the correct second IP address from the second mapping relation in the local cache when network access is required to be performed on the requested domain name.
If the prohibition instruction is received within the preset time period, the first mapping relation is incorrect, and meanwhile, the third-party page is required to be subjected to network access according to the request domain name, and the second correct IP address can not be issued in the secure cloud server, so that the network access to the first IP address is stopped, and the security of the network access of the user is ensured.
The application provides a method for preventing domain name hijacking, which is applied to an APP local server, and when the current cache data volume reaches a preset data volume threshold and/or the current time is a reporting time point, a first mapping relation between a request domain name and a corresponding first IP address is reported to a security cloud server in batches; then, judging whether a feedback message sent by a security cloud server is received or not within a preset time period; if the permission instruction is received or no feedback message is received, network access is carried out on the first IP address; if the second IP address or the second mapping relation is received, replacing the first IP address in the first mapping relation with the second IP address, or replacing the first mapping relation with the second mapping relation, and performing network access on the second IP address; and if the prohibition instruction is received, stopping network access to the first IP address. By adopting a dynamic monitoring processing mode and adopting a corresponding processing mode according to different feedback information, the security of user network access is improved, the APP side is not easy to suffer loss, and the user is ensured to have good use experience.
In some embodiments, before the step of batch reporting the first mapping relationship between the requested domain name and the corresponding first IP address to the secure cloud server, the method further includes:
S01b: sending a request domain name to a DNS (domain name server), and receiving a first IP address returned by the DNS server, wherein the first IP address is a resolved IP address obtained by the DNS server according to the request domain name;
S02b: storing a first mapping relation between the request domain name and the first IP address into a local cache, and updating the current cache data volume.
In the step S01b of sending the request domain name to the DNS server and receiving the first IP address returned by the DNS server, where the first IP address is an analysis result obtained by the DNS server according to the request domain name, after the user inputs the request domain name to be accessed in the APP local server, the APP local server queries the DNS server for the first IP address corresponding to the request domain name, and the DNS server is responsible for searching for the first IP address from the root server and the domain name server. And after obtaining the query result of the first IP address, the DNS server forwards the first IP address to the APP local server. In a specific embodiment, the request domain name sent by the APP to the DNS server may be actively sent when the APP needs to perform specific network access, or may be sent according to a detection instruction after receiving a detection task sent by the secure cloud server.
In the step S03b of caching the first mapping relationship between the request domain name and the first IP address, in some embodiments, because the number of users of the APP local server is large and the network requests are frequent, if the secure cloud server replies to each network request at the front end of the APP local server in real time, firstly, there is a high requirement on the computation load of the secure cloud server, and when the access load is large, the concurrent processing capability of the secure cloud server may be insufficient, which may result in failure to perform the monitoring function; secondly, because the domain name directivity of the network request sent by the APP local server is strong, a plurality of fixed domain names are generally requested frequently in the APP local server, for example, the domain names point to a plurality of APP local server main body mechanisms or personally-specified webpages, and if each request is replied in real time, the monitoring efficiency and quality cannot be improved. Therefore, after receiving the first IP address returned by the DNS server each time, the APP local server does not report the first IP address to the security cloud server immediately, but caches the requested domain name and the corresponding first IP address, updates the current cached data amount, and reports the first mapping relationship between the cached requested domain name and the corresponding first IP address to the security cloud server in batch after the cached data amount reaches a preset number value or reaches a preset reporting time, so that the security cloud server performs detection and screening, thereby reducing the parallel processing amount of the security cloud server.
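The APP-side procedure (S01b and S02b followed by S1b to S6b) can be sketched as a small cache that batches its reports and applies the feedback. This is an added example, not the patent's code: the class, the `send_batch` transport and the feedback encoding (a dict of domain to "allow", "prohibit" or a second IP address) are hypothetical, and the sample feedback is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

ALLOW, PROHIBIT = "allow", "prohibit"   # assumed wire values for the two instructions


@dataclass
class AppLocalCache:
    # Hypothetical transport: takes [(domain, first_ip), ...] and returns
    # {domain: feedback}, or None when nothing arrives within the preset period.
    send_batch: Callable[[list], Optional[dict]]
    volume_threshold: int = 3         # preset data volume threshold
    report_interval: float = 300.0    # seconds between reporting time points
    mappings: dict = field(default_factory=dict)   # local cache: domain -> IP to use
    pending: list = field(default_factory=list)    # mappings not yet reported
    prohibited: set = field(default_factory=set)
    last_report: float = 0.0

    def store(self, domain, first_ip):
        """S02b: cache the first mapping and update the cached data volume."""
        self.mappings[domain] = first_ip
        self.pending.append((domain, first_ip))

    def report_due(self, now):
        """S1b: volume threshold reached and/or a reporting time point arrived."""
        return (len(self.pending) >= self.volume_threshold
                or now - self.last_report >= self.report_interval)

    def report(self, now):
        """S2b to S6b: report the batch, then apply each feedback message."""
        batch, self.pending, self.last_report = self.pending, [], now
        feedback = self.send_batch(batch) or {}
        for domain, _first_ip in batch:
            message = feedback.get(domain)
            if message == PROHIBIT:
                self.prohibited.add(domain)           # S6b: stop access
            elif message is not None:
                self.prohibited.discard(domain)
                if message != ALLOW:
                    self.mappings[domain] = message   # S5b: second IP replaces first
            # message is None: no feedback in time, S4b keeps the first IP
        return len(batch)

    def address_for(self, domain):
        """IP address the APP may access, or None when access is stopped."""
        return None if domain in self.prohibited else self.mappings.get(domain)


def constructed_cloud_feedback(batch):
    """Constructed stand-in for the secure cloud server's reply to one batch."""
    return {
        "pay.app.example": "192.0.2.10",   # second IP address
        "cdn.partner.example": PROHIBIT,
        "login.app.example": ALLOW,
    }
```

Per S4b, a missing reply within the preset period is treated the same as an allow instruction, so the `None` branch leaves the first IP address in use.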
In some embodiments, when performing network access to the first IP address or the second IP address, the method further includes:
S7b: analyzing a page code of the access page to acquire first control data of the access page;
S8b: judging whether the first control data is consistent with second control data in a preset protocol or not;
S9b: if they are inconsistent, stopping network access to the first IP address or the second IP address.
When the above steps are implemented, because the domain name directivity of the network request sent by the APP local server is strong, a plurality of fixed domain names are generally requested frequently in the APP local server, for example, the domain names point to a plurality of APP local server main body mechanisms or personally-specified webpages, so that an agreement can be signed with the access webpage in advance in the APP local server, and the page control data in the webpage is agreed, and is second control data, for example, a control ID, a JS code, and the like, so as to serve as an auxiliary identity of the access webpage.
If the first control data of the obtained access page is detected to be inconsistent with the second control data agreed by the protocol, for example, the control ID is inconsistent, the JS code check is not passed, and the like, the current access webpage is considered not to be the correct webpage corresponding to the request domain name, and the request domain name is possibly hijacked in the DNS server, so that the access to the first IP address or the second IP address is stopped, the network access safety of the user is improved, and the APP local server is not easy to suffer from loss.
In some embodiments, the step S8b of determining whether the first control data is consistent with the second control data in the preset protocol includes:
S8b1: judging whether a difference value exists between the first control data and the second control data;
S8b2: if so, judging whether the page control generating the difference value is in an error allowable area of the access page;
S8b3: if it is not in the error allowable area, judging that the first control data is inconsistent with the second control data;
S8b4: if the difference value exists in the error allowable area, judging whether the difference value is larger than or equal to a preset difference value;
S8b5: if the difference value is larger than or equal to the preset difference value, judging that the first control data is inconsistent with the second control data.
When the steps are implemented, the APP local server firstly judges whether a difference value exists between the first control data and the second control data, and if the difference value exists, whether the page control generating the difference value is in an error allowable area of the access page is judged. The judgment of the control data in the webpage mainly comprises the judgment of the number of controls and the judgment of the ID of the controls, and in some embodiments, the difference value between the control data in the currently accessed webpage and the data recorded in the protocol is calculated, for example, the actual number of the controls is more than or less than the data recorded in the protocol, and the difference value is calculated; and if the actual ID of the control is not found in the protocol, calculating a difference value, and quantitatively defining the difference between the current access page and the correct page by using the difference value.
And if the control data do not exist in the error allowance area, judging that the first control data are inconsistent with the second control data. In a specific embodiment, for example, the account password input area is high in importance, and if the account password input area is leaked, unnecessary loss is easily caused to a user, so that the account password input area must be completely consistent with a protocol, and the account password input area is defined not to belong to an error allowance area; for example, the advertisement display area only plays a function of displaying a promotion, and a user does not need to input important information in the area, so that the importance degree is low, and certain errors are allowed to exist on the premise that the user is ensured to have good access experience.
If the difference value is not generated in the error allowable area, the first control data and the second control data are directly judged to be inconsistent, the APP is prohibited from accessing the current webpage, and the access safety of the user is guaranteed.
If the difference value exists in the error allowable area, whether the difference value is larger than or equal to a preset difference value is judged. In a specific embodiment, for example, the page currently accessed by the APP local server is a correct page, that is, the first IP address is correct, but there are sporadic advertisement plug-ins popped up without permission on the page, and normal use of the user is not affected, and at this time, if it is considered that the control data is inconsistent with the protocol, directly prohibiting the APP local server from accessing the first IP address may affect the use experience of the user or interfere with the normal use of the user. Therefore, a preset value is set in advance, only when the difference value between the first control data and the second control data is larger than the preset value, namely, when the current page has a plurality of control pieces which are not agreed in the protocols and the use experience of the user is seriously influenced, the control pieces data are considered to be inconsistent with the protocols, the first IP address corresponding to the request domain name is probably hijacked in the DNS server, and therefore the APP local server is forbidden to access the first IP address. In some embodiments, when the difference value between the first control data and the second control data is smaller than the preset value, although the APP local server is not prohibited from accessing the first IP address or the second IP address, the APP local server reports the difference value to the secure cloud server to remind the maintenance background APP local server that a control inconsistent with the protocol appears in the currently accessed webpage.
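Steps S8b1 to S8b5 can be sketched as one comparison function. This is an added example, not the patent's code: representing a control as an ID plus the page area it sits in, and counting the difference value as the number of controls present on only one side, are assumptions, and the agreed control list is constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    area: str   # page area the control sits in


# Constructed sample: second control data agreed in the protocol for a login page.
AGREED = [
    Control("username", "login_form"),
    Control("password", "login_form"),
    Control("submit", "login_form"),
    Control("banner-1", "ad_banner"),
]
ERROR_ALLOWABLE_AREAS = {"ad_banner"}   # the account/password area is deliberately excluded
PRESET_DIFFERENCE = 3


def compare_controls(first, second=AGREED,
                     allowable=ERROR_ALLOWABLE_AREAS, preset_difference=PRESET_DIFFERENCE):
    """Return (consistent, difference_value, report_to_cloud)."""
    observed, agreed = Counter(first), Counter(second)
    # S8b1: controls present on only one side, counted with multiplicity.
    differing = list(((observed - agreed) + (agreed - observed)).elements())
    difference_value = len(differing)
    if difference_value == 0:
        return True, 0, False
    # S8b2/S8b3: a difference outside the error-allowable area is always inconsistent.
    if any(control.area not in allowable for control in differing):
        return False, difference_value, False
    # S8b4/S8b5: inside the allowable area, compare against the preset difference.
    if difference_value >= preset_difference:
        return False, difference_value, False
    # Tolerated, but the difference is still reported to the secure cloud server.
    return True, difference_value, True
```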
Referring to fig. 3, in an embodiment, the present invention provides an apparatus for preventing domain name hijacking, including:
an obtaining module 10, configured to obtain a first mapping relationship between a request domain name reported by an APP local server and a first IP address corresponding to the request domain name, and detect whether the first mapping relationship is in a preset mapping list, where a mapping relationship between the request domain name and an IP address corresponding to the request domain name is recorded in the preset mapping list; the obtaining module is in communication connection with the APP local server;
a first determining module 20, configured to determine whether the request domain name is in an acquiescent list if the first mapping relationship is in the preset mapping list;
a first response module 30, configured to, if the request domain name is in the acquiescent list, not respond to the report of the APP local server, so that the APP local server performs network access to the first IP address;
a second response module 40, configured to send an allow instruction to the APP local server if the request domain name is not in the acquiescent list, so that the APP local server performs network access to the first IP address;
a second determining module 50, configured to determine whether the requested domain name is a preset specific domain name in the preset mapping list if the first mapping relationship is not in the preset mapping list;
a sending module 60, configured to issue the second IP address or a second mapping relationship between the second IP address and the request domain name to the APP local server if the request domain name is the preset specific domain name, so that the APP local server performs network access on the second IP address; the second IP address is an IP address corresponding to the request domain name in a preset mapping list;
and a prohibiting module 70, configured to prohibit the APP local server from performing network access to the first IP address if the requested domain name is not the preset specific domain name.
The operations executed by the modules 10 to 70 correspond to the steps of the method for preventing domain name hijacking in the secure cloud server in the foregoing embodiment one by one, and are not described herein again.
Further, corresponding to the subdivision steps of the method for preventing domain name hijacking in the foregoing embodiment, the modules 10 to 70 correspondingly include sub-modules, units or sub-units, which are used for executing the subdivision steps of the method for preventing domain name hijacking, and are not described herein again.
Referring to fig. 4, in an embodiment of the present invention, a device for preventing domain name hijacking is further provided, including:
a third determining module 80, configured to determine whether a current cache data amount in the local cache reaches a preset data amount threshold, and determine whether a current time is a reporting time point;
a reporting module 90, configured to report a first mapping relationship between the requested domain name and the corresponding first IP address to the secure cloud server in batch if the current cache data amount reaches a preset data amount threshold and/or the current time is a reporting time point; the reporting module is in communication connection with the secure cloud server;
a fourth determining module 100, configured to determine whether a feedback message sent by the security cloud server is received within a preset time period; the feedback message comprises one of a second IP address, a second mapping relation between the second IP address and the request domain name, an allow instruction or a prohibition instruction;
a first access module 110, configured to perform network access on the first IP address if an allow instruction is received or no feedback message is received within a preset time period;
the second access module 120 is configured to, if the second IP address or the second mapping relationship is received within the preset time period, replace the first IP address in the first mapping relationship with the second IP address, or replace the first mapping relationship with the second mapping relationship, and perform network access on the second IP address;
the stopping module 130 is configured to stop performing network access on the first IP address if the prohibition instruction is received within a preset time period.
The operations performed by the modules 80 to 130 correspond to the steps of the method applied to the APP local server for preventing domain name hijacking in the foregoing embodiment one by one, and are not described herein again.
Further, corresponding to the subdivision steps of the method for preventing domain name hijacking in the foregoing embodiment, the modules 10 to 70 correspondingly include sub-modules, units or sub-units, which are used for executing the subdivision steps of the method for preventing domain name hijacking, and are not described herein again.
Referring to fig. 5, the present application further proposes a computer device 1001 comprising a memory 1003 and a processor 1002, where the memory 1003 stores a computer program 1004, and the processor 1002 executes the computer program 1004 to implement the steps of any one of the methods described above, including:
applied in the security cloud server: acquiring a request domain name reported by an APP local server and a first mapping relation between the request domain name and a corresponding first IP address, and detecting whether the first mapping relation is in a preset mapping list; the security cloud server is in communication connection with the APP local server; if the first mapping relation is in the preset mapping list, judging whether the request domain name is in an acquiescent list; if the request domain name is in the acquiescent list, not responding to the report of the APP local server, so that the APP local server can carry out network access on the first IP address; if the request domain name is not in the acquiescent list, sending an allow instruction to the APP local server so that the APP local server can carry out network access on the first IP address; if the first mapping relation is not in the preset mapping list, judging whether the request domain name is a preset specific domain name in the preset mapping list; if the request domain name is a preset specific domain name, issuing a second IP address or a second mapping relation between the second IP address and the request domain name to the APP local server so that the APP local server can perform network access on the second IP address; the second IP address is an IP address corresponding to the request domain name in the preset mapping list; and if the request domain name is not the preset specific domain name, prohibiting the APP local server from performing network access on the first IP address.
And applied in the APP local server: judging whether the current cache data volume in the local cache reaches a preset data volume threshold value, and judging whether the current time is a reporting time point; if the current cache data volume reaches the preset data volume threshold value and/or the current time is a reporting time point, reporting a first mapping relation between the request domain name and the corresponding first IP address to a security cloud server in batch; the APP local server is in communication connection with the security cloud server; judging whether a feedback message sent by the security cloud server is received within a preset time period; the feedback message comprises one of a second IP address, a second mapping relation between the second IP address and the request domain name, an allow instruction or a prohibition instruction; if the allow instruction is received or no feedback message is received within the preset time period, carrying out network access on the first IP address; if the second IP address or the second mapping relation is received within the preset time period, replacing the first IP address in the first mapping relation with the second IP address, or replacing the first mapping relation with the second mapping relation, and performing network access on the second IP address; and if the prohibition instruction is received within the preset time period, stopping network access to the first IP address.
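The two methods above, modelled end to end as an added example that is not code from the patent or its applicant. The list contents, the feedback message shape (`type`, `domain`, `ip`) and all function and class names are assumptions; domains and IP addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field

# Constructed sample data (documentation-range IPs, example domains).
PRESET_MAPPING = {                       # preset mapping list: domain -> trusted IPs
    "pay.example.com": {"203.0.113.10"},
    "static.example.com": {"203.0.113.20", "203.0.113.21"},
    "news.example.com": {"203.0.113.30"},
}
ACQUIESCENT = {"static.example.com"}     # acquiescent list: a match gets no response
SPECIFIC = {"pay.example.com"}           # preset specific domains: a mismatch is corrected


def cloud_judge(domain, first_ip):
    """Secure cloud server: return a feedback message, or None for 'no response'."""
    trusted = PRESET_MAPPING.get(domain, set())
    if first_ip in trusted:                      # first mapping is in the preset list
        return None if domain in ACQUIESCENT else {"type": "allow"}
    if domain in SPECIFIC and trusted:           # issue the second mapping
        # Assumption: with several trusted IPs, pick one deterministically.
        return {"type": "replace", "domain": domain, "ip": min(trusted)}
    return {"type": "prohibit"}


@dataclass
class AppLocalServer:
    threshold: int = 3                           # preset data amount threshold (entries)
    cache: dict = field(default_factory=dict)    # local cache: domain -> first IP from DNS

    def record(self, domain, first_ip):
        self.cache[domain] = first_ip

    def should_report(self, at_report_time=False):
        # Report when the cache is full and/or the reporting time point is reached.
        return len(self.cache) >= self.threshold or at_report_time

    @staticmethod
    def apply(first_ip, feedback):
        """Map one feedback message to the IP to access (None = stop access)."""
        if feedback is None or feedback["type"] == "allow":
            return first_ip                      # no feedback in the preset period = proceed
        if feedback["type"] == "replace":
            return feedback["ip"]                # second IP replaces the first
        return None                              # prohibition instruction

    def flush(self, send):
        """Batch-report the cache; `send` returns feedback or None on timeout."""
        targets = {d: self.apply(ip, send(d, ip)) for d, ip in self.cache.items()}
        self.cache.clear()
        return targets


def demo():
    app = AppLocalServer(threshold=3)
    app.record("pay.example.com", "198.51.100.66")      # tampered answer (constructed)
    app.record("static.example.com", "203.0.113.21")
    app.record("news.example.com", "198.51.100.77")     # tampered answer (constructed)
    assert app.should_report()
    return app.flush(cloud_judge)


if __name__ == "__main__":
    for domain, target in demo().items():
        print(domain, "->", target or "access stopped")
```

In this model a missing feedback message and an acquiescent-list match both end in access to the first IP address, so the client cannot tell a lost reply from an approval; counting timeouts on the feedback channel is the corresponding check.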
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.

Claims (10)

1. A method for preventing domain name hijacking is applied to a security cloud server, and is characterized by comprising the following steps:
acquiring a first mapping relation between a request domain name reported by an APP local server and a first IP address corresponding to the request domain name, and detecting whether the first mapping relation is in a preset mapping list, wherein the mapping relation between the request domain name and the IP address corresponding to the request domain name is recorded in the preset mapping list; the security cloud server is in communication connection with the APP local server;
if the first mapping relation is in the preset mapping list, judging whether the request domain name is in an acquiescent list;
if the request domain name is in the acquiescent list, not responding to the report of the APP local server, so that the APP local server can carry out network access on the first IP address;
if the request domain name is not in the acquiescent list, sending an allow instruction to the APP local server so that the APP local server can perform network access on the first IP address;
if the first mapping relation is not in the preset mapping list, judging whether the request domain name is a preset specific domain name in the preset mapping list;
if the request domain name is the preset specific domain name, issuing a second IP address or a second mapping relation between the second IP address and the request domain name to the APP local server so that the APP local server can perform network access on the second IP address; the second IP address is an IP address corresponding to the request domain name in the preset mapping list;
and if the request domain name is not the preset specific domain name, prohibiting the APP local server from performing network access on the first IP address.
2. The method of preventing domain name hijacking according to claim 1, wherein said method further comprises:
sending a preset domain name to the APP local server at regular time; the preset domain name is a domain name stored in the preset mapping list, and the preset domain name comprises the preset specific domain name;
receiving a third mapping relation between the preset domain name and a corresponding third IP address returned by the APP local server, and detecting whether the third mapping relation is in the preset mapping list;
if the third mapping relation is not in a preset mapping list, issuing a fourth IP address or a fourth mapping relation between the fourth IP address and the preset domain name to the APP local server, and sending the third mapping relation to a preset IP address management page; and the fourth IP address is an IP address of the preset domain name which is mapped correspondingly in the preset mapping list.
3. The method according to claim 1, wherein the step of prohibiting the APP local server from performing network access to the first IP address if the requested domain name is not the predetermined specific domain name comprises:
inquiring whether the first mapping relation between the request domain name and the first IP address exists in a detection cache and a report record;
if the first mapping relation does not exist in the detection cache or the report record, making a suspected hijacking mark on the request domain name, and forbidding the APP local server to perform network access on the first IP address;
if the first mapping relation exists in the detection cache or the report record, detecting whether the suspected hijacking mark exists in the first IP address in the first mapping relation;
if the suspected hijacking mark exists, directly forbidding the APP local server to perform network access on the first IP address; and if the suspected hijacking mark does not exist, sending the first mapping relation to a preset IP address management page, and forbidding the APP local server to perform network access on the first IP address.
4. A method for preventing domain name hijacking is applied to an APP local server, and is characterized by comprising the following steps:
judging whether the current cache data volume in the local cache reaches a preset data volume threshold value or not, and judging whether the current time is a reporting time point or not;
if the current cache data volume reaches the preset data volume threshold and/or the current time is the reporting time point, reporting a first mapping relation between the request domain name and the corresponding first IP address to a security cloud server in batch; the APP local server is in communication connection with the security cloud server;
judging whether a feedback message sent by the security cloud server is received within a preset time period; wherein the feedback message includes one of a second IP address, a second mapping relationship between the second IP address and the request domain name, an allow instruction, or a prohibition instruction;
if the allow instruction is received or no feedback message is received within the preset time period, carrying out network access on the first IP address;
if the second IP address or the second mapping relation is received within the preset time period, replacing the first IP address in the first mapping relation with the second IP address, or replacing the first mapping relation with the second mapping relation, and performing network access on the second IP address;
and if the prohibition instruction is received within the preset time period, stopping network access to the first IP address.
5. The method according to claim 4, wherein before the step of bulk reporting the first mapping relationship between the requested domain name and the corresponding first IP address to the secure cloud server, the method further comprises:
sending the request domain name to a DNS server, and receiving the first IP address returned by the DNS server, wherein the first IP address is a resolved IP address obtained by the DNS server according to the request domain name;
and storing the first mapping relation between the request domain name and the first IP address into the local cache, and updating the current cache data volume.
6. The method of preventing domain name hijacking according to claim 4, wherein said method further comprises:
when the first IP address or the second IP address is subjected to network access, analyzing a page code of an access page to acquire first control data of the access page;
judging whether the first control data is consistent with second control data in a preset protocol or not;
and if the first control data and the second control data are not consistent, stopping network access to the first IP address or the second IP address.
7. The method according to claim 6, wherein the step of determining whether the first control data is consistent with the second control data in a preset protocol comprises:
judging whether a difference value exists between the first control data and the second control data;
if so, judging whether the page control generating the difference value is in an error allowable area of the access page;
if the page control is not in the error allowable area, judging that the first control data is inconsistent with the second control data;
if the difference value exists in the error allowable area, judging whether the difference value is larger than or equal to a preset difference value;
and if the difference value is larger than or equal to the preset difference value, judging that the first control data is inconsistent with the second control data.
8. An apparatus for preventing domain name hijacking, comprising:
an obtaining module, configured to obtain a first mapping relation between a request domain name reported by an APP local server and a first IP address corresponding to the request domain name, and detect whether the first mapping relation is in a preset mapping list, wherein the mapping relation between the request domain name and the IP address corresponding to the request domain name is recorded in the preset mapping list; the obtaining module is in communication connection with the APP local server;
a first determining module, configured to determine whether the request domain name is in an acquiescent list if the first mapping relationship is in the preset mapping list;
a first response module, configured to, if the request domain name is in the acquiescent list, not respond to the report of the APP local server, so that the APP local server performs network access to the first IP address;
a second response module, configured to send an allow instruction to the APP local server if the request domain name is not in the acquiescent list, so that the APP local server performs network access to the first IP address;
a second determining module, configured to determine whether the requested domain name is a preset specific domain name in the preset mapping list if the first mapping relationship is not in the preset mapping list;
the sending module is used for issuing a second IP address or a second mapping relation between the second IP address and the request domain name to the APP local server if the request domain name is the preset specific domain name, so that the APP local server can perform network access on the second IP address; the second IP address is an IP address corresponding to the request domain name in the preset mapping list;
and the forbidding module is used for forbidding the APP local server to perform network access on the first IP address if the request domain name is not the preset specific domain name.
9. An apparatus for preventing domain name hijacking, comprising:
the third judging module is used for judging whether the current cache data volume in the local cache reaches a preset data volume threshold value and judging whether the current time is a reporting time point;
a reporting module, configured to report a first mapping relationship between the requested domain name and the corresponding first IP address to a secure cloud server in batch if the current cache data amount reaches the preset data amount threshold and/or the current time is the reporting time point; the reporting module is in communication connection with the secure cloud server;
a fourth judging module, configured to judge whether a feedback message sent by the security cloud server is received within a preset time period; wherein the feedback message includes one of a second IP address, a second mapping relationship between the second IP address and the request domain name, an allow instruction, or a prohibition instruction;
a first access module, configured to perform network access to the first IP address if the allow instruction is received or no feedback message is received within the preset time period;
a second access module, configured to replace the first IP address in the first mapping relationship with the second IP address or replace the first mapping relationship with the second mapping relationship and perform network access on the second IP address if the second IP address or the second mapping relationship is received within the preset time period;
and a stopping module, configured to stop the network access to the first IP address if the prohibition instruction is received within the preset time period.
10. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
CN201910749610.4A 2019-08-14 2019-08-14 Method and device for preventing domain name hijacking and computer equipment Active CN110602048B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910749610.4A CN110602048B (en) 2019-08-14 2019-08-14 Method and device for preventing domain name hijacking and computer equipment

Publications (2)

Publication Number Publication Date
CN110602048A CN110602048A (en) 2019-12-20
CN110602048B CN110602048B (en) 2022-06-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant