KR102367545B1 - Method and system for preventing network pharming - Google Patents

Abstract

The present invention relates to a network pharming preventing method and a system thereof. The network pharming preventing method comprises the following steps of: detecting that a domain name for accessing a website is inputted; extracting a host file associated with the domain name from a terminal of a user; transmitting a DNS query packet associated with the domain name to a secure DNS server; receiving a website IP address from the secure DNS server; comparing the host file extracted from the user terminal with the IP address received from the secure DNS server; comparing pre-stored website page content with website page content accessed by the host file; allowing access to a website accessed by the host file; and blocking access to the website accessed by the host file. Therefore, the network pharming preventing method reliably prevents network pharming.

Description

Network pharming blocking method and system {METHOD AND SYSTEM FOR PREVENTING NETWORK PHARMING}

The present invention relates to a method and system for blocking network pharming, and more particularly, when a plurality of domain name servers are used in a website while reliably preventing network pharming, it is possible to clearly distinguish a domain name server change from network pharming. It is an invention related to a network pharming blocking method and system configured to increase the accuracy and efficiency of server monitoring.

Due to the convenience of the Internet, the Internet is used in all areas of daily life, from economic activities of individuals and businesses to simple business processing such as e-mail and file transfer, electronic payment, corporate advertisements through web servers, and e-commerce. is becoming

As the use of the Internet has become common as described above, various attacks on the Internet for stealing users' personal information and the like on the Internet are prevalent.

The attack on the Internet network may be, for example, a pharming attack.

When Internet users access a specific website, they can access it by entering a domain name instead of the IP address of the website. A system that translates IP addresses into IP addresses.

However, when a terminal such as a computer converts a domain name into an IP address, it does not search the DNS from the beginning, but first refers to the host file inside the computer.

There is usually a host file on the computer that users use, and this file corresponds to a file that matches IP addresses and domain names.

Therefore, if a desired domain name is found in the hosts file, it no longer requests an IP address from DNS.

1 illustrates a process in which a terminal 100 such as a computer or a smart phone accesses the website 150 through a host file in its own device or through a host file stored in the router 110 .

When a user inputs a domain name of a specific website, if there is a domain name and an IP address matching a host file (not shown) stored in the terminal 100 or the router 110 in advance, the terminal 100 is a DNS server ( 120) is not called, and the website 150 is accessed with the IP address found directly from the hosts file.

The aforementioned pharming attack corresponds to a case of exploiting the characteristics of such a host file.

That is, if the host file of the user's terminal is tampered with due to direct hacking or malicious code infection by a hacker, a fake site address intended by the hacker is recorded in the host file.

Therefore, even if the user tries to access the Internet by inputting the correct domain address, the terminal refers to the host file and moves to the fake site address to show the fake site to the user.

Accordingly, the user may access a fake site and leak personal information.

Meanwhile, when the domain name input by users is not in the host file, the terminal inquires the DNS server 120 for an IP address corresponding to the domain name to be accessed as shown in FIG. 1(b) (DNS). Query: DNS query)

In this case, the DNS server 120 transmits the corresponding IP address to the user's terminal 100 , and the terminal 100 accesses the corresponding website 150 using the received IP address.

However, the pharming attack may send a DNS response packet to the user terminal 100 as an attack target faster than the actual DNS server 120 , and induce the terminal 100 to access a website with an incorrect IP address.

For example, if it is confirmed that the user sends a DNS Query packet to the DNS server 120 through the terminal 100, the hacker sends a forged DNS Response packet to the user before the DNS server 120 sends the correct DNS Response packet. can send.

At this time, the user's terminal 100 recognizes the DNS Response packet sent by the hacker as a correct packet and accesses the website. In this case, the site accessed by the user corresponds to a fake site created by the hacker, not a normal site.

However, when a website has a large capacity, a very large number of DNS servers are used to maintain it, and also, a rental type cloud server is often used due to a problem in facility cost.

In the case of cloud servers, the DNS server is frequently changed after a certain period of use.

It is an object of the present invention to provide a method and system for blocking network pharming, which are configured to reliably prevent network pharming.

Another object of the present invention is to provide a method and system for blocking network pharming, which is configured to clearly distinguish between DNS server change and network pharming when a plurality of DNS servers are used in a website.

Another object of the present invention is to provide a network pharming blocking method and system configured to increase the accuracy and efficiency of DNS server monitoring.

A method for blocking network pharming according to the present invention for achieving the above object includes the steps of detecting that a domain name for website access is input from a user's terminal through an Internet network, and a host file associated with the domain name of the user. extracting from a terminal; transmitting a DNS query packet associated with the domain name to a secure DNS server; receiving a website IP address from the secure DNS server; a host file extracted from the user terminal; Comparing the IP address received from the secure DNS server; and if the website IP address received from the secure DNS server and the IP address included in the host file are different, the stored website page content and the host file are stored in advance. comparing contents of a website page accessed by , blocking access to the website accessed by the host file when the content of the pre-stored website page and the content of the website page accessed by the host file are different, wherein the content of the pre-stored website page is different from each other another two first website pages and a second website page, wherein the second website page is configured to be accessed by a domain name downstream of the domain name representing the first website page. .

Preferably, it is configured to receive server identification information of a website accessed by the host file, and to determine that the server identification information is a secure DNS server when the server identification information is pre-stored fixed server identification information.

In addition, when the server identification information is non-fixed server identification information, it may be configured to be determined as an insecure DNS server.

In addition, the first website page content is divided and corresponded by a plurality of DNS servers, and when the server identification information of the plurality of DNS servers is fixed server identification information stored in advance, access to the website accessed by the host file is performed. can be configured to allow.

Meanwhile, when the server identification information of the plurality of DNS servers includes both the fixed server identification information and the non-fixed server identification information, it may be configured to block access to a website accessed by the host file.

In addition, when the server identification information of the plurality of DNS servers is configured differently at a predetermined ratio, it may be configured to block access to a website accessed by the host file.

In addition, the first website page and the second website page of the secure DNS server may be configured to check whether they are the same at predetermined intervals.

Preferably, the predetermined period is set differently according to the server identification information.

Here, the predetermined period may be configured to vary according to the amount of access traffic to the first website page.

In addition, when the server identification information includes the non-fixed server identification information, it may be configured to receive information about the period of use of the non-fixed server identification information.

On the other hand, the network pharming blocking system according to the present invention includes a domain name detection module for detecting a domain name input from a user's terminal, and a host file for extracting a host file associated with the domain name input from the user's terminal from the user's terminal. An extraction module, a secure DNS server management module for transmitting and receiving DNS query packets related to the domain name to a DNS server, and an IP address included in the host file extracted from the user terminal and the IP address received from the secure DNS server are compared an IP address comparison module, a data storage module for storing website page contents, and a page comparison module for comparing website page contents stored in advance in the data storage module with website page contents accessed by the host file; Including, when the IP address of the website received from the secure DNS server and the IP address included in the host file are different, by comparing the contents of the website page stored in advance with the contents of the website page accessed by the host file, When the content of the pre-stored website page and the content of the website page accessed by the host file are the same, access to the website accessed by the host file is allowed, and the content of the website page accessed by the pre-stored website page content and the host file is the same When the website page content is different, the access to the website accessed by the host file is blocked, and the pre-stored website page content includes two different first website pages and a second website page, wherein the The second website page may be configured to be accessed by a domain name downstream of the domain name representing the first website page.

Preferably, the server identification information of the website accessed by the host file is received, and when the server identification information is a fixed server identification information stored in advance, it may be configured to be determined as a safe DNS server.

Here, when the server identification information is non-fixed server identification information, it may be configured to determine as an insecure DNS server.

In addition, the first website page content is divided and corresponding by a plurality of DNS servers, and when the server identification information of the plurality of DNS servers is fixed server identification information stored in advance, access to the website accessed by the host file is performed. can be configured to allow.

Meanwhile, when the server identification information of the plurality of DNS servers includes both the fixed server identification information and the non-fixed server identification information, it may be configured to block access to a website accessed by the host file.

In addition, when the server identification information of the plurality of DNS servers is configured differently at a predetermined ratio, it may be configured to block access to a website accessed by the host file.

In addition, the first website page and the second website page of the secure DNS server may be configured to check whether they are the same at predetermined intervals.

Preferably, the predetermined period may be set differently according to the server identification information.

Here, the predetermined period may be configured to vary according to the amount of access traffic to the first website page.

In addition, when the server identification information includes the non-fixed server identification information, it may be configured to receive information about the period of use of the non-fixed server identification information.

According to the present invention, it is possible to reliably prevent a network pharming attack by a hacker.

In addition, when a plurality of DNS servers are used for a website, it is possible to clearly distinguish between DNS server change and network pharming.

In addition, it is possible to increase the accuracy and efficiency of DNS server monitoring.

The accompanying drawings are for understanding the technical spirit of the present invention together with the detailed description of the present invention, so the present invention should not be construed as limited to the matters shown in the drawings.
1 is a schematic diagram showing a conventional process of accessing a website through a terminal;
2 is a schematic diagram showing a state in which the network pharming blocking system according to the present invention is connected by a user terminal and a network environment,
3 is a block diagram of the network farming system;
4 is a flowchart illustrating a method for blocking network pharming according to the present invention.

Hereinafter, the configuration of the present invention will be described in detail with reference to the accompanying drawings.

Prior to this, the terms used in the present specification and claims should not be construed as being limited in the dictionary meaning, and based on the principle that the inventor can appropriately define the concept of the term to describe his invention in the best way. , should be interpreted as meanings and concepts consistent with the technical spirit of the present invention.

Accordingly, the configurations shown in the embodiments and drawings described in this specification are only preferred embodiments of the present invention, and do not express all the technical spirit of the present invention, so various equivalents that can be substituted for them at the time of the present application It should be understood that water and variations may exist.

2 is a schematic diagram showing a state in which the network pharming blocking system according to the present invention is connected to a user terminal by a network environment, FIG. 3 is a block diagram of the network pharming system, and FIG. 4 is a network pharming blocking method according to the present invention is a flowchart showing

2 and 3, the network pharming blocking system according to the present invention includes a domain name detection module 32 for detecting a domain name input from the user's terminal 10, and a domain input from the user terminal 10. A host file extraction module 34 for extracting a host file associated with a name from the terminal 10 of the user, and a secure DNS server management module 36 for transmitting and receiving a DNS query packet associated with the domain name to and from the safe DNS server 50 ), an IP address comparison module 35 comparing the IP address included in the host file extracted from the user terminal 10 with the IP address received from the secure DNS server 50, and storing the website page content a data storage module 37 for When the IP address of the website received from the DNS server and the IP address included in the host file are different, the previously stored website page content is compared with the website page content accessed by the host file, and the previously stored website When the page content and the website page content accessed by the host file are the same, access to the website accessed by the host file is allowed, and the pre-stored website page content and the website page content accessed by the host file are In a different case, the access to the website accessed by the host file is blocked, and the pre-stored website page content includes two different first website pages and a second website page, wherein the second website page may be composed of a domain name downstream of the domain name displaying the first website page.

The network pharming blocking system according to the present invention may be physically connected through a network switch (not shown) through which the user's terminal 10 accesses the Internet.

In addition, the network pharming blocking system according to the present invention, when the user's terminal 10 accesses the website server 40 through the IP address of the host file, or through the IP address received from the DNS server 50 For the case of accessing the site server 40 , it is possible to monitor whether the terminal 10 accesses a normal website.

The user terminal 10 may be a PC or a smartphone terminal, and for security management, a program or an app implementing the network pharming blocking method according to the present invention may be stored in the user terminal 10 for security management, or a general terminal it may be

The domain name detection module 32 is configured to detect a domain name input from the user's terminal 10 .

In addition, the host file extraction module 34 is configured to extract a host file associated with the domain name input from the user terminal 10 from the user terminal 10 .

The host file extraction module 34 retrieves the IP address of the website corresponding to the domain name through the port mirroring method for the network switch or router 20 through which the user's terminal 10 accesses the Internet. can be extracted.

The host file extraction module 34 analyzes the source IP, destination IP, HTTP method, HTTP header information, etc. of the website to be accessed through the port mirroring technique, and returns the IP address of the website corresponding to the domain name to the terminal. (10) or configured to receive from the router (20).

The data storage module 37 corresponds to a database that stores an IP address of a website accessed by a user through the terminal 100 and a domain name corresponding to the IP address.

In addition, the data storage module 37 is configured to store the contents of a website page to be accessed by the IP address.

The website page content is stored as a hash function of the website for efficient data management.

The hash function is a function that maps data of an arbitrary length to data of a fixed length for the purpose of efficient management of stored data.

At this time, the original data value before mapping is called the key, and the value of the data after mapping is called a hash value or hash code, and the mapping process itself is called hashing.

A basic property of the hash function is that, when two hash values are different, the original data value is also determined differently.

The secure DNS server management module 36 is configured to transmit a DNS query packet associated with the domain name to a DNS server and receive an IP address associated with the domain name from the DNS server.

In addition, the safe DNS server management module 36 stores and manages a list of safe DNS servers 50 whose safety is guaranteed by verification among DNS servers.

And, the IP address comparison module 35 compares the IP address extracted from the host file extracted from the user terminal 10 with the IP address received from the secure DNS server 50 to determine whether they are the same. is the composition

In addition, the page comparison module 38 is configured to compare the content of the website page stored in advance in the data storage module 37 with the page content of the website accessed by the host file to determine whether the content is the same.

The page comparison module 38 compares the content of the web site page stored in advance with the content of the web site page accessed by the host file as the hash value.

In addition, the IP address comparison module 35 serves to compare whether the IP address included in the host file extracted from the user terminal 10 matches the IP address received from the secure DNS server 50 . do.

The safe DNS server means a DNS server that is recognized and stored as a true DNS server by prior safety verification, and the list of safe DNS servers may be stored in the data storage module 37 .

On the other hand, when the domain name of a website to be accessed through the Internet network is input from the user's terminal 10, the host file associated with the domain name is extracted from the user's terminal 10, and at the same time, the safe DNS server The DNS query packet associated with the domain name is transmitted to the secure DNS server 50 through the management module 36 .

Then, the website IP address is received from the secure DNS server 50 and the IP address from the host file extracted from the user terminal 10 is compared with the IP address received from the secure DNS server 50 .

Thus, when the IP address of the website received from the secure DNS server 50 and the IP address extracted from the host file are the same, access to the website is permitted.

However, if the website IP address received from the secure DNS server 50 and the IP address included in the host file are different from each other, the website page content stored in advance in the data storage module 37 and the host Compare the content of the website page accessed by the IP address extracted from the file.

When the content of the previously stored website page and the content of the website page accessed by the IP address extracted from the host file are different from each other, access to the website accessed by the host file is blocked.

Then, this fact may be notified to the user terminal 10 , and the IP address stored in the secure DNS server 50 and a domain name corresponding thereto may be transmitted to the user terminal 10 .

As described above, by comparing the contents of the website page stored in advance with the contents of the website page acquired by the newly changed IP address, it can be determined whether the DNS server is changed by a true user due to reasons such as the expiration of the cloud server usage period. there is.

When the DNS server is changed by a genuine user, the main partial structures such as the initial screen and bulletin board of most websites are not changed to prevent confusion among users. Determine whether or not to change.

As the pre-stored website page content, an initial screen content or structure of the website may be set as a first website page content, and a bulletin board screen accessed by selecting a part of the initial screen as a second website page content Alternatively, the content or structure of the login screen may be set.

The bulletin board screen or login screen may be accessed by a domain name downstream of the domain name that induces access to the initial screen of the website.

In most cases of pharming attacks, it is intended to induce access by modulating the initial screen of a website, and does not alter the lower page of the initial screen.

This is because the pharming attack itself causes confusion in the initial screen of the website and induces access to it to leak personal information.

And, in the case of a DNS server, the server provider's identification information is included in the DNS Response packet and transmitted.

The server provider may be typically classified into a provider that provides a leased cloud server and a server provider that a website management entity owns.

Here, in the case of a server owned by the website management subject itself, it is generally not changed even after a period of time, and in the case of a leased cloud server, it is highly likely to change after a certain period of time has elapsed.

In the present invention, a server that the website providing entity owns and rarely changes is named "fixed server 52", and a leased cloud server with high possibility of change over a certain period of time is referred to as "non-fixed server ( 54)".

The identification information of the fixed server 52 and the non-fixed server 54 managed by the pharming blocking system according to the present invention, and data on the providing subject are stored in the data storage module 37 in advance.

In addition, data related to a provider who plans to install the fixed server 52 may also be stored in the data storage module 37 .

Then, in the DNS response packet of the website accessed by the host file, server identification information for identifying whether the response packet is from the fixed server 52 or the response packet from the non-fixed server 54 is received. do.

In this case, if the server identification information is the same as the previously stored fixed server 54 identification information, the DNS server of the website accessed by the host file is determined as a safe DNS server, and the first website page and the second website Don't do site page comparisons.

Thus, when the DNS server providing subject of the website accessed by the host file is identified as the same as the fixed server providing subject stored in the data storage module 37, the safe DNS server does not perform the page comparison as described above. By judging by , it is possible to increase the system driving efficiency.

In addition, it can be determined whether the DNS server is additionally installed by the existing fixed server providing entity or the DNS server is installed by a new fixed server providing entity.

However, if the server identification information is determined to be the non-fixed server 54 identification information, it is determined as an insecure DNS server, and the first website page and the second website page comparison operation is performed to determine whether or not to farm is configured to determine

Therefore, considering that the pharming attack is mainly performed using cloud servers, if the server identification information is determined to be the non-fixed server 54, carefully determine whether pharming is done through the website comparison work as described above. is composed

Also, there is a case where the first website page content is configured to be divided and corresponded by a plurality of DNS servers 40 .

At this time, in a state where the server identification information of the plurality of DNS servers 40 is the same as the fixed server identification information stored in the data storage module 37, the server included in the DNS response packet of the website accessed by the host file When the identification information is the same as the fixed server identification information, it may be configured to allow access to a website.

Thus, when it is determined that a new DNS server is additionally installed by the existing fixed server providing subject or it is determined that the DNS server is installed by a new fixed server providing subject whose safety has been verified in advance, it is configured to allow access to the website.

And, when the server identification information of the plurality of DNS servers 40 includes both the fixed server identification information and the non-fixed server identification information, the website access by the DNS Response packet of the website accessed by the host file is performed. It can be configured to block.

In the case of a fixed server provider, it is common to add a fixed server mainly managed by the same provider when expanding or changing website contents. If the non-fixed server identification information is included together, it is judged to be unusual, and it is configured to carefully determine whether or not to farm through the website comparison work as described above.

And, when the server identification information of the plurality of DNS servers 40 is configured differently at a predetermined ratio, it may be configured to block access to a website accessed by the host file.

If it is determined that the server identification information included in the DNS Response packet of the website accessed by the host file does not represent a single server provider but represents different server providers, the website access is blocked and the It is configured to carefully judge whether pharming is done through website comparison work such as

The server identification information also means information indicating the server's provider, and when it is determined that the DNS server 40 is provided by a different server provider other than the same fixed server provider or cloud server provider, more prudent It is configured to block access to the website for judgment and perform a website comparison operation.

In addition, whether the first website page and the second website page designated in advance in the secure DNS server recognized as the safe DNS server by the prior verification and stored in the data storage module 37 are the same at every predetermined period is configured to be checked.

Thus, by performing a website page comparison operation at regular intervals, it is configured to check whether the first website page and the second website page have been changed legitimately, thereby increasing the accuracy of blocking anti-pharming.

Also, it is possible to maintain the accuracy of the first website page and the second website page data stored in the data storage module 37 .

Preferably, the predetermined period may be set differently according to identification information indicating the server providing entity.

Thus, when the website page content is changed more frequently by reflecting the average value of the website page change period by the fixed server providing entity and the website page change period by the non-fixed server providing entity such as a cloud server, the website The cycle of comparison operation can be set to be shorter.

Here, the cycle of the website page comparison operation may be configured to vary according to the amount of access traffic to the first website page.

Thus, when the amount of access traffic to the first website page that can be set as the main page of the website is large, the cycle of the website page comparison operation can be set to be shorter.

Accordingly, in the case of a website that is frequently accessed by Internet users and generates more data traffic, that is, a website that is used more frequently by people and is more likely to be a target of pharming, the cycle of the website page comparison operation is reduced. By making it shorter, it is configured to increase safety and the probability of blocking farming.

In addition, when the server identification information includes the non-fixed server 54 identification information, it may be configured to receive information on the period of use of the non-fixed server identification information.

In the case of a non-fixed server used in a leased form, such as a cloud server, information on the period of use of the non-fixed server may be included in the DNS response packet.

And, if the server identification information is changed within the remaining usage period of the non-fixed server, it is configured to carefully determine whether to farm by performing the web page comparison operation.

Meanwhile, referring to FIG. 4 , the method for blocking network pharming according to the present invention includes the steps of detecting that a domain name for accessing a website is input from a user's terminal through an Internet network (step 10), and the domain name-related Extracting a host file from the user's terminal (step 20), transmitting a DNS query packet associated with the domain name to a secure DNS server (step 30), and receiving a website IP address from the secure DNS server (step 40), comparing the host file extracted from the user terminal with the IP address received from the secure DNS server (step 50), and the website IP address received from the secure DNS server and the host If the IP addresses included in the file are different, comparing the content of the website page stored in advance with the content of the website page accessed by the host file (step 70); When the content of the website page accessed by the host file is the same, the step of allowing access to the website accessed by the host file (step 60); if different, blocking access to the website accessed by the host file (step 80), wherein the pre-stored website page content includes two different first website pages and second website pages However, the second website page is characterized in that it is composed of a domain name downstream of the domain name displaying the first website page.

In the network pharming blocking method according to the present invention, when a domain name of a website to be accessed through the Internet network is input from the user's terminal 10, it is detected through the domain name detection module 32. ( Step 10)

Thereafter, the host file associated with the domain name is extracted from the user's terminal 10 through the host file extraction module 34 (step 20).

Then, the DNS query packet associated with the domain name is transmitted to the secure DNS server 50 through the secure DNS server management module 36 (step 30).

In addition, the secure DNS server management module 36 receives the website IP address associated with the domain name from the secure DNS server 50 (step 40).

Then, through the IP address comparison module 35, the IP address from the host file extracted from the user terminal 10 is compared with the IP address received from the secure DNS server 50 (step 50).

If the IP address of the website received from the secure DNS server 50 and the IP address extracted from the host file are the same, access to the website is permitted (step 60).

However, if the website IP address received from the secure DNS server 50 and the IP address included in the host file are different from each other, the website page content stored in advance in the data storage module 37 and the host Compare the contents of the website page accessed by the IP address extracted from the file. (Step 70)

And, if the content of the website page stored in advance and the content of the website page accessed by the IP address extracted from the host file are different from each other, access to the website by the host file is blocked (step 80).

Then, this fact may be notified to the user terminal 10 , and the IP address stored in the secure DNS server 50 and a domain name corresponding thereto may be transmitted to the user terminal 10 .

However, if the content of the website page stored in advance and the content of the website page accessed by the IP address extracted from the host file are the same, access to the website by the host file is permitted (step 60).

By the method according to the present invention, by comparing the content of the website page stored in advance as described above with the content of the website page acquired by the changed IP address, the DNS server by the true user due to the reason such as the expiration of the cloud server usage period It can be determined whether it is a change or an IP address change due to pharming.

As described above, when the DNS server is changed by a real user, the main partial structures such as the initial screen and bulletin board of most websites are not changed to prevent confusion among users. It is determined whether the change is due to DNS server change or pharming.

As described above, as the website page content stored in advance, the initial screen content or structure of the website may be set and stored as the first website page content, and a bulletin board accessed by selecting a part of the initial screen The content or structure of the screen or login screen may be set and stored as the second website page content.

As described above, the bulletin board screen or login screen can be accessed through a domain name downstream of the domain name that induces access to the initial screen of the website.

Then, in the DNS response packet of the website accessed by the host file, server identification information for identifying whether the response packet is from the fixed server 52 or the response packet from the non-fixed server 54 is received. do.

The server identification information is information for identifying the DNS server provider, and is included in the DNS response packet and transmitted.

The DNS server provider may be classified into a provider that provides a leased cloud server and a server provider that a website management entity owns.

As described above, in the case of a server owned by the website management subject itself, it is generally not changed even after a period of time, so in the present invention, it is named "fixed server 52", and in the case of a leased cloud server, when a certain period elapses Since the server provider is likely to be changed, it is named "non-fixed server 54".

The identification information of the fixed server 52 and the non-fixed server 54 managed by the pharming blocking method according to the present invention and the data on the providing subject thereof are stored in the data storage module 37 in advance.

In addition, data on a provider who is planning to install the fixed server 52 may also be stored in the data storage module 37 .

If the server identification information indicating the server provider is the same as the fixed server 54 identification information stored in the data storage module 37 in advance, the DNS server of the website accessed by the host file is determined as the safe DNS server.

Thus, when the DNS server providing subject of the website accessed by the host file is identified as the same as the fixed server providing subject stored in the data storage module 37, the first website page and the second website page are compared It is possible to increase the system operation efficiency by judging it as a safe DNS server without performing any work.

In addition, if the server identification information indicating the server provider is the same as the fixed server 54 identification information stored in advance in the data storage module 37, a DNS server is additionally installed or verified in advance by the existing fixed server providing entity. It can be determined whether the DNS server is installed by the stored new fixed server provider.

However, if it is determined that the server identification information is the non-fixed server 54 identification information, once it is determined as an insecure DNS server, the first website page and the second website page comparison operation is performed to determine whether to farm is configured to more accurately determine

Thus, when it is determined that the server is not provided by the pre-stored fixed server providing entity, it is configured to determine whether to farm by performing the page comparison operation.

As described above, considering that the pharming attack is mainly performed using cloud servers, if the server identification information is determined to be the non-fixed server 54, whether or not to farm through the website page comparison operation as described above is designed to carefully evaluate

Also, there is a case in which the first website page content is configured to be divided and corresponded by a plurality of DNS servers 40 .

At this time, in a state where the server identification information of the plurality of DNS servers 40 is the same as the fixed server identification information stored in the data storage module 37, the server included in the DNS response packet of the website accessed by the host file If the identification information is the same as the fixed server identification information, it may be determined as a safe website and configured to allow the access.

Thus, when it is determined that a new DNS server is additionally installed by the existing fixed server providing subject or it is determined that the DNS server is installed by a new fixed server providing subject whose safety has been verified in advance, it is configured to allow access to the website.

And, when the server identification information of the plurality of DNS servers 40 includes both the fixed server identification information and the non-fixed server identification information, the website access by the DNS Response packet of the website accessed by the host file is performed. configured to block.

As described above, in the case of a fixed server provider, it is common to add a fixed server managed by the same provider when expanding or changing website contents. As described above, the server identification information of the DNS servers 40 If the fixed server 52 identification information and the non-fixed server 54 identification information are included together, it is judged to be unusual, and it is configured to carefully determine whether or not to farm through the website page comparison work as described above.

And, when the server identification information of the plurality of DNS servers 40 is configured differently at a predetermined ratio, it may be configured to block access to a website accessed by the host file.

When it is determined that the server identification information included in the DNS Response packet of the website accessed by the host file does not represent a single server provider but represents different server providers, the website access is blocked and the It is configured to carefully judge whether pharming is done through website page comparison work, such as

Thus, when a plurality of legitimate DNS servers 40 are used to provide a website, when a plurality of DNS servers are used for pharming, as described above, it is configured to primarily block website access with server identification information.

The server identification information also means information indicating the server's provider, and when it is determined that the DNS server 40 is provided by a different server provider other than the same fixed server provider or cloud server provider, more prudent It is configured to block access to the website for judgment and perform a website comparison operation.

In addition, in the secure DNS server recognized as a safe DNS server by the prior verification, the first website page and the second website page, which are designated in advance and stored in the data storage module 37, are It is configured to check whether it is the same.

Thus, by performing a website page comparison operation at regular intervals, it is possible to increase the accuracy of preventing pharming by checking whether the first website page and the second website page are maintained in the same state or have been changed justly. there is.

In addition, it is possible to maintain the accuracy of the first website page and the second website page stored in the data storage module 37 .

The predetermined period may be set differently according to the identification information indicating the server providing entity, and the website page change period by the fixed server providing entity and the website page change period by the non-fixed server providing entity such as the cloud server By reflecting the average value, when the website page content is changed more frequently, the cycle of the website comparison operation may be set to be shorter.

Here, the cycle of the website page comparison operation may be configured to vary according to the amount of access traffic to the first website page.

Accordingly, when the size of the access tree pack for the first website page that can be set as the main page of the website is large, the cycle of the website page comparison operation can be set to be shorter.

Accordingly, in the case of a website that is frequently accessed by Internet users and generates more data traffic, that is, a website that is used more frequently by people and is more likely to be a target of pharming, the cycle of the website page comparison operation is reduced. It is configured to increase safety and the probability of blocking farming by making it shorter.

In addition, when the server identification information includes the non-fixed server 54 identification information, it may be configured to receive information about the period of use of the non-fixed server identification information.

As described above, in the case of a non-fixed server used in a leased form, such as a cloud server, information on the period of use of the non-fixed server may be included in the DNS Response packet.

And, if the server identification information is changed within the remaining period of use of the non-fixed server, it is configured to carefully determine whether or not to farm by performing the web page comparison operation.

Above, the terms used in the embodiments of the present invention have the same meanings as commonly understood by those of ordinary skill in the art to which the present invention pertains.

Although the present invention has been described with reference to the limited embodiments and drawings, the embodiments are not intended to limit the technical spirit of the present invention, but rather to explain, so the technical spirit of the present invention is not limited thereto, and the present invention pertains to By those of ordinary skill in the art, various modifications and variations will be possible within the technical spirit of the present invention and the equivalent scope of the claims to be followed.

Accordingly, the protection scope of the present invention should be construed by the claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present invention.

And, within the scope of the object of the present invention, all the components may be configured by selectively combining one or more.

The terms "included" or "consisting of" above mean that the corresponding component may be included, and should be construed as being able to additionally include other components.

10: user terminal
20: Network switch or router
30: Network pharming blocking system
40: DNS server
50: safe DNS server

Claims (20)

detecting that a domain name for accessing a website is input from a user's terminal through an Internet network;
extracting a host file associated with the domain name from the user's terminal;
transmitting a DNS query packet associated with the domain name to a secure DNS server;
receiving a website IP address from the secure DNS server;
comparing the host file extracted from the user terminal with the IP address received from the secure DNS server;
comparing the web site page content stored in advance with the web site page content accessed by the host file when the web site IP address received from the secure DNS server and the IP address included in the host file are different;
allowing access to the website accessed by the host file when the content of the pre-stored website page and the website page accessed by the host file are the same;
and blocking access to the website accessed by the host file when the content of the web site page stored in advance and the content of the website page accessed by the host file are different;
The pre-stored website page content includes two different first website pages and second website pages,
The initial screen content of the website is set and stored as the first website page,
The contents of the screen accessed by selecting a part of the first website page are set and stored as the second website page,
the second website page is configured to be accessed by a domain name downstream of the domain name representing the first website page;
Including the step of receiving server identification information of the website accessed by the host file,
If the server identification information is server identification information stored by the website management subject in advance, it is configured to be determined as a safe DNS server,
If the server identification information is cloud server identification information in a leased form, it is configured to be determined as an unsafe DNS server,
When the content of the first website page is divided and corresponded by a plurality of DNS servers, when the server identification information of the plurality of DNS servers is pre-stored server identification information owned by the website management entity, it is stored in the host file. configured to allow access to a website accessed by
When the server identification information of the plurality of DNS servers includes both the server identification information owned by the website management subject and the cloud server identification information in a leased form, the website access is configured to block access to the host file. becomes,
Network pharming blocking method, characterized in that configured to block access to a website accessed by the host file when the server identification information of the plurality of DNS servers is configured differently at a predetermined ratio. The method of claim 1,
The method for blocking network pharming, characterized in that the first website page and the second website page of the safe DNS server are configured to be checked for the same at predetermined intervals. 3. The method of claim 2,
Network pharming blocking method, characterized in that the predetermined period is set differently according to the server identification information. 3. The method of claim 2,
The network pharming blocking method, characterized in that the predetermined period is configured to vary according to the amount of traffic access to the first website page. The method of claim 1,
When the server identification information includes non-fixed server identification information,
Network pharming blocking method, characterized in that configured to receive information on the period of use of the non-fixed server identification information. a domain name detection module for detecting a domain name input from a user's terminal;
a host file extraction module for extracting a host file associated with the domain name input from the user terminal from the user terminal;
a secure DNS server management module for transmitting and receiving DNS query packets associated with the domain name to and from a DNS server;
an IP address comparison module for comparing the IP address included in the host file extracted from the user terminal with the IP address received from the secure DNS server;
a data storage module for storing website page content;
and a page comparison module for comparing the contents of the website page stored in advance in the data storage module with the contents of the website page accessed by the host file,
When the IP address of the website received from the secure DNS server and the IP address included in the host file are different, by comparing the contents of the website page stored in advance with the contents of the website page accessed by the host file,
If the content of the website page stored in advance and the content of the website page accessed by the host file are the same, allow access to the website accessed by the host file,
When the content of the website page stored in advance and the content of the website page accessed by the host file are different, the access to the website accessed by the host file is blocked,
The pre-stored website page content includes two different first website pages and second website pages,
The initial screen content of the website is set and stored as the first website page,
The contents of the screen accessed by selecting a part of the first website page are set and stored as the second website page,
the second website page is configured to be accessed by a domain name downstream of the domain name representing the first website page;
to receive server identification information of a website accessed by the host file;
If the server identification information is server identification information stored by the website management subject in advance, it is configured to be determined as a safe DNS server,
If the server identification information is cloud server identification information in a leased form, it is configured to be determined as an unsafe DNS server,
When the content of the first website page is divided and corresponded by a plurality of DNS servers, when the server identification information of the plurality of DNS servers is pre-stored server identification information owned by the website management entity, it is stored in the host file. configured to allow access to a website accessed by
When the server identification information of the plurality of DNS servers includes both the server identification information owned by the website management subject and the cloud server identification information in a leased form, the website access is configured to block access to the host file. becomes,
Network pharming blocking system, characterized in that configured to block access to a website accessed by the host file when the server identification information of the plurality of DNS servers is configured differently at a predetermined ratio. 7. The method of claim 6,
The network pharming blocking system, characterized in that the first website page and the second website page of the safe DNS server are configured to be checked for the same at predetermined intervals. 8. The method of claim 7,
The network pharming blocking system, characterized in that the predetermined period is set differently according to the server identification information. 8. The method of claim 7,
The network pharming blocking system, characterized in that the predetermined period is configured to vary according to the amount of access traffic to the first website page. 7. The method of claim 6,
When the server identification information includes non-fixed server identification information,
Network pharming blocking system, characterized in that it is configured to receive information on the period of use of the non-fixed server identification information. delete delete delete delete delete delete delete delete delete delete

Images