WO2018113732A1 - Method and apparatus for detecting the risk of DNS full traffic hijacking (Procédé et appareil de détection de risque de détournement de trafic complet de dns) - Google Patents

Info

Publication number
WO2018113732A1 (PCT application PCT/CN2017/117696)
Authority
WO
WIPO (PCT)
Prior art keywords
target
addresses
domain names
dns
risk
Application number
PCT/CN2017/117696
Other languages
English (en)
Chinese (zh)
Inventor
高永岗
张建新
刘天
Original Assignee
北京奇虎科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • The present disclosure relates to the field of computer technologies, and in particular to a method and apparatus for detecting the risk of full traffic hijacking of the DNS (Domain Name System).
  • Some related technologies detect this risk as follows. The electronic device or server stores a blacklist library that records multiple IP (Internet Protocol) addresses associated with DNS full traffic hijacking. The target domain name is resolved to its IP address, and the resolved address is looked up in the blacklist library. If the resolved IP address is not in the IP address blacklist, it is determined that there is no risk of DNS full traffic hijacking. Such a check can only recognise hijacking addresses that have already been recorded in the blacklist.
  • The embodiments of the present disclosure provide a method and a device for detecting the risk of DNS full traffic hijacking, which are used to improve the detection accuracy of this risk.
  • In a first aspect, the present disclosure provides a method for detecting the risk of DNS full traffic hijacking in which the one or more target domain names are specifically WAN (wide area network) domain names, and the resolved target IP addresses are checked for local area network addresses.
  • In a second aspect, the present disclosure provides a method for detecting the risk of DNS full traffic hijacking in which the known IP addresses corresponding to the one or more target domain names are different, and the resolved target IP addresses are checked for repeated addresses.
  • In a third aspect, the present disclosure provides a method for detecting the risk of DNS full traffic hijacking in which the one or more target domain names are specifically WAN domain names and the known IP addresses corresponding to them are not the same, and the resolved target IP addresses are checked both for local area network addresses and for repeated addresses.
  • The disclosure also provides a device for detecting the risk of DNS full traffic hijacking, including:
  • an obtaining module configured to obtain one or more target domain names for detecting the risk of DNS full traffic hijacking, where the one or more target domain names are specifically wide area network domain names;
  • a parsing module configured to perform DNS resolution on the one or more target domain names, obtain the target IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses;
  • a first determining module configured to determine whether a local area network address exists among the one or more target IP addresses;
  • the first determining module being further configured to determine that the user equipment (UE) has a risk of DNS full traffic hijacking when a local area network address exists among the one or more target IP addresses.
  • The disclosure also provides a device for detecting the risk of DNS full traffic hijacking, including:
  • an obtaining module configured to obtain one or more target domain names for detecting the risk of DNS full traffic hijacking, where the known IP addresses corresponding to the one or more target domain names are different;
  • a parsing module configured to perform DNS resolution on the one or more target domain names, obtain the target IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses;
  • a first determining module configured to determine whether the same address exists among the one or more target IP addresses;
  • the first determining module being further configured to determine that the UE has a risk of DNS full traffic hijacking when the same address exists among the one or more target IP addresses.
  • The disclosure also provides a device for detecting the risk of DNS full traffic hijacking, including:
  • an obtaining module configured to obtain one or more target domain names for detecting the risk of DNS full traffic hijacking, where the one or more target domain names are specifically WAN domain names and the known IP addresses corresponding to them are not the same;
  • a parsing module configured to perform DNS resolution on the one or more target domain names, obtain the target IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses;
  • a determining module configured to determine whether a local area network address exists among the one or more target IP addresses, and whether the same address exists among them;
  • the determining module being further configured to determine that the UE has a risk of DNS full traffic hijacking when a local area network address exists among the one or more target IP addresses, or when the same address exists among them.
  • The present disclosure further provides a computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the aforementioned method of detecting the risk of DNS full traffic hijacking.
  • The present disclosure further provides a computer readable medium in which the computer program for performing the above-described method of detecting the risk of DNS full traffic hijacking is stored.
  • In the embodiments of the present disclosure, one or more target domain names for detecting the risk of DNS full traffic hijacking are obtained, where the target domain names are specifically wide area network domain names. DNS resolution is then performed on the target domain names to obtain the target IP address corresponding to each, giving one or more target IP addresses, and it is determined whether a local area network address exists among them. Since the legitimate IP address of a WAN domain name is a wide area network address, the presence of a local area network address among the target IP addresses is taken to mean that the UE has a risk of DNS full traffic hijacking.
  • Even when the target IP address resolved from a target domain name is not in a blacklist database, a target IP address that is a local area network address indicates that the network currently accessed by the UE may be subject to full traffic hijacking, and the risk to the UE can be determined from this. The technical solution therefore improves the detection accuracy of the DNS full traffic hijacking risk.
  • The technical solution does not need to compare against a huge blacklist database, and therefore does not need to store one, saving the device resources the blacklist database would occupy.
  • Because the technical solution can be executed by the UE without the participation of a server, an illegal intermediary that has hijacked the DNS is prevented from monitoring the interaction between the UE and the server, and thereby from interfering with the detection or even sending the UE false information indicating that the network is secure.
  • FIG. 1 is a flow chart of the first method for detecting the risk of DNS full traffic hijacking according to an embodiment of the present disclosure
  • FIG. 2 is a flow chart of the second method for detecting the risk of DNS full traffic hijacking according to an embodiment of the present disclosure
  • FIG. 3 is a flow chart of the third method for detecting the risk of DNS full traffic hijacking according to an embodiment of the present disclosure
  • FIG. 4 is a schematic structural diagram of a first DNS full traffic hijacking risk detecting apparatus according to an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of a second DNS full traffic hijacking risk detecting apparatus according to an embodiment of the present disclosure
  • FIG. 6 is a schematic structural diagram of a third DNS full traffic hijacking risk detecting apparatus according to an embodiment of the present disclosure
  • FIG. 7 schematically illustrates a block diagram of a computing device for performing a DNS full traffic hijacking detection method in accordance with an embodiment of the present disclosure
  • FIG. 8 schematically illustrates a storage unit for maintaining or carrying program code that implements a DNS full traffic hijacking detection method in accordance with an embodiment of the present disclosure.
  • The embodiments of the present disclosure provide a method and a device for detecting the risk of DNS full traffic hijacking, which are used to improve the detection accuracy of this risk.
  • One or more target domain names for detecting the risk of DNS full traffic hijacking are obtained, and DNS resolution is performed on them to obtain the target IP address corresponding to each target domain name, giving one or more target IP addresses.
  • Then, if the target domain names are WAN domain names, it is determined whether a local area network address exists among the target IP addresses, and if so, it is determined that the UE has a risk of DNS full traffic hijacking. Or, if the target domain names are domain names whose known IP addresses differ, it is determined whether the same address exists among the target IP addresses, and if so, it is determined that the UE has a risk of DNS full traffic hijacking. Or, if the target domain names are WAN domain names whose known IP addresses differ, it is determined whether a local area network address exists among the target IP addresses and whether the same address exists among them, and if either is the case, it is determined that the UE has a risk of DNS full traffic hijacking.
  • The first aspect of the disclosure provides a method for detecting the risk of DNS full traffic hijacking; see FIG. 1. The method includes:
  • S101: Obtain one or more target domain names for detecting the risk of DNS full traffic hijacking; the one or more target domain names are specifically WAN domain names.
  • S102: Perform DNS resolution on the one or more target domain names, obtain the target IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses.
  • S103: Determine whether a local area network address exists among the one or more target IP addresses.
  • S104: When a local area network address exists among the one or more target IP addresses, determine that the user equipment (UE) has a risk of DNS full traffic hijacking.
  • The one or more target domain names in the embodiments of the present disclosure are one or a group of test domain names for detecting DNS full traffic hijacking; in this embodiment each target domain name is specifically a wide area network domain name.
  • The UE may obtain the one or more target domain names when detection of the risk of DNS full traffic hijacking is required, or may obtain them in advance when no detection is needed; the disclosure does not specifically restrict this.
  • The detection in S102 to S104 may be started at any time after the UE is powered on, or every preset interval, for example every hour, or each time the network is accessed. Alternatively, before S102 the method further includes: when the UE accesses a new AP (access point), performing the step of DNS resolution on the one or more target domain names.
  • For example, the UE is connected to a first AP before time T1 and accesses a second AP at T1; the second AP is the new AP. Or the UE is not connected to any AP before T1 and accesses a third AP at T1; the third AP is the new AP. The AP is identified by its SSID (Service Set Identifier).
  • When the UE accesses a new AP, it cannot confirm whether the network where the new AP is located has a risk of DNS full traffic hijacking. Therefore S102 is executed at this time and detection of the DNS full traffic hijacking risk is started. In other words, when the UE switches to a new network, the risk of DNS full traffic hijacking on that network is detected in S102 to S104.
  • Likewise, when the UE has not switched APs but is initially accessing the network, it cannot confirm whether the currently accessed network has a risk of DNS full traffic hijacking, so S102 is executed and detection is started. In other words, when the UE initially accesses a network, that network's DNS full traffic hijacking risk is detected in S102 to S104.
  • S101 of the embodiment of the present disclosure may be implemented by the following process: the UE receives one or more target domain names delivered by the server; or the UE determines one or more domain names satisfying a preset condition from a plurality of candidate domain names as the target domain names.
  • That is, the one or more target domain names obtained by the UE may be delivered by the server, or may be configured and selected by the UE itself, or part of the target domain names may be received from the server while another part is configured by the UE.
  • Those skilled in the art to which the present disclosure belongs may select according to actual conditions, and the disclosure does not specifically limit this.
  • When the target domain names are delivered by the server, since the target domain names in this embodiment are WAN domain names, the server selects one or more WAN domain names as the target domain names and may deliver them to the UE at any time. The UE stores the one or more target domain names in its own storage space and reads them from the storage space when the target domain names need to be obtained.
  • For example, the server sends the target domain names to the UE as data in a JSON structure. After receiving the JSON data, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores them in its storage space. When the target domain names need to be obtained, these ten target domain names are read from the storage space.
  • When the target domain names are determined by the UE, the UE determines one or more domain names that meet the preset condition from the multiple candidate domain names as the target domain names. The candidate domain names may be domain names the UE has visited, or domain names that can currently be accessed; the disclosure does not specifically limit this. In this embodiment the preset condition is that the domain name is a WAN domain name, so the UE selects one or more WAN domain names from the plurality of candidate domain names as the target domain names.
  • One of ordinary skill in the art may select either of the above two methods for obtaining the target domain names, or combine them; the disclosure does not specifically limit this.
  • After obtaining the one or more target domain names in S101, the UE performs DNS resolution on each target domain name in S102 and obtains the IP address corresponding to each. The IP address resolved from a target domain name through the DNS is referred to as a target IP address.
  • In S103, whether a target IP address is a local area network address is determined by checking whether it falls in any of the intervals the disclosure calls ClassA, ClassB or ClassC (these are the private address ranges reserved by RFC 1918):
  • the ClassA interval is 10.0.0.0 to 10.255.255.255 (10.0.0.0/8);
  • the ClassB interval is 172.16.0.0 to 172.31.255.255 (172.16.0.0/12);
  • the ClassC interval is 192.168.0.0 to 192.168.255.255 (192.168.0.0/16).
  • If the target IP address lies in any of the ClassA, ClassB or ClassC intervals, it is a local area network address; otherwise it is not.
  • Since the target domain names in this embodiment are WAN domain names, the IP address legitimately corresponding to each is a WAN address. If a local area network address nevertheless exists among the one or more target IP addresses, this indicates that the AP or AC accessed by the UE may have been hijacked. Therefore, when a local area network address exists among the target IP addresses, it is determined in S104 that the UE has a risk of DNS full traffic hijacking.
  • Because the IP address corresponding to a target domain name is a wide area network address, the risk can be detected in this way even when the resolved target IP address is not in any blacklist database. The technical solution of this embodiment therefore does not need to compare against a huge blacklist database, and the blacklist database need not be stored in the electronic device or the server, saving the device resources it would occupy.
  • The foregoing S101 to S104 may all be performed by the UE; or S101 to S102 are performed by the UE and S103 to S104 by the server, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination.
  • When S101 to S104 are all performed by the UE without the participation of the server, the present disclosure further prevents an illegal intermediary that has hijacked the DNS from monitoring the interaction between the UE and the server, and thereby from interfering with the detection or even sending the UE false information indicating that the network is secure.
  • Further, in this embodiment the method includes the following. The target domain names are not only wide area network domain names; their known IP addresses also differ from one another. That is, the target domain names are specifically WAN domain names corresponding to different IP addresses.
  • When the target domain names are delivered by the server, the server selects one or more WAN domain names whose IP addresses differ and delivers them to the UE as the target domain names, and the UE stores them. When the target domain names need to be obtained, the UE reads from its storage space the one or more WAN domain names whose known IP addresses differ.
  • For example, the server determines that the IP addresses corresponding to the ten WAN domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are all different; the ten domain names and the IP address corresponding to each are shown in Table 1. The server sends these ten domain names to the UE as data in a JSON structure. After receiving the data, the UE parses out the ten target domain names and stores them in its storage space, and reads them from the storage space when they need to be obtained.
  • When the target domain names are determined by the UE, the preset condition is specifically that the domain name is a WAN domain name and its IP address differs from those of the other candidates. The UE performs DNS resolution on the multiple candidate domain names, obtains the one or more IP addresses corresponding to each candidate domain name, and selects as target domain names those candidate WAN domain names whose set of IP addresses shared with any other candidate is empty.
  • Since the IP address returned to the UE by the attacker may also be a wide area network address, in this embodiment, when no local area network address exists among the one or more target IP addresses, it is further determined whether the same address exists among them in order to detect the risk of DNS full traffic hijacking.
  • For example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The first and fifth target IP addresses are the same, so it is determined that the same address exists among the target IP addresses, and therefore that the UE has a risk of DNS full traffic hijacking.
  • As another example, the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The first target IP address is the same as the fifth, and the second is the same as the fourth, so it is determined that the same address exists among the target IP addresses, and therefore that the UE has a risk of DNS full traffic hijacking.
  • By first determining whether a local area network address exists among the target IP addresses and, when none does, further determining whether the same address exists among them, the detection accuracy of this embodiment is further improved.
  • The method in this embodiment further includes: when no local area network address exists among the one or more target IP addresses and no address is repeated among them, each target domain name has been resolved to a distinct WAN IP address, so the possibility of DNS full traffic hijacking is low, and it is determined that the UE does not have a risk of DNS full traffic hijacking.
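As an added worked example, not code from the patent or its assignee, the following Python puts the checks described above into runnable form: the LAN-address test of S103, the repeated-address test, the combined verdict, and the server-side selection of target domain names whose shared-IP set is empty. The same functions serve the second and third methods further down, which differ only in the order and combination of the two tests. The ten target domain names are the ones listed on the page; the WAN addresses attached to them, the hijacked resolvers and the candidate list are constructed placeholders, and `resolve` is an injected callable so the code runs offline (a real UE would pass `socket.gethostbyname` or an equivalent).

```python
# Added example (not from the patent): the LAN-address check (S103), the
# duplicate-address check (S203), the combined verdict (S303/S304) and the
# server-side target selection. Resolver results are injected so the code
# runs offline; a real UE would pass socket.gethostbyname as `resolve`.
from collections import Counter
from ipaddress import ip_address, ip_network
import random

# The disclosure's ClassA/ClassB/ClassC intervals (the RFC 1918 ranges).
LAN_RANGES = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

# The ten target WAN domain names listed on the page.
TARGET_DOMAINS = [
    "baifubao.com", "mail.163.com", "jd.com", "suning.com", "alipay.com",
    "95516.com", "so.cn", "ccb.com", "icbc.com.cn", "www.cmbc.com.cn",
]

# Constructed "known" addresses for the clean case: documentation-range
# placeholders (203.0.113.0/24), not the real records of these domains.
KNOWN_WAN_ADDRESSES = {
    name: f"203.0.113.{i + 1}" for i, name in enumerate(TARGET_DOMAINS)
}


def is_lan_address(addr: str) -> bool:
    """S103: True if addr lies in any of the three LAN intervals."""
    ip = ip_address(addr)
    return ip.version == 4 and any(ip in net for net in LAN_RANGES)


def duplicate_addresses(addrs):
    """S203: the addresses that occur more than once, sorted."""
    return sorted(a for a, n in Counter(addrs).items() if n > 1)


def detect_hijack_risk(targets, resolve):
    """S301-S304: resolve every target and flag risk if any result is a
    LAN address or any two targets resolve to the same address."""
    resolved = {name: resolve(name) for name in targets}
    addrs = list(resolved.values())
    lan = [a for a in addrs if is_lan_address(a)]
    dup = duplicate_addresses(addrs)
    return {
        "resolved": resolved,
        "lan_addresses": lan,
        "duplicate_addresses": dup,
        "at_risk": bool(lan or dup),
    }


def select_target_domains(candidates, resolve):
    """Server-side selection: keep candidates that resolve to a WAN address
    shared with no other candidate (the 'shared IP set is empty' test)."""
    resolved = {c: resolve(c) for c in candidates}
    counts = Counter(resolved.values())
    return [c for c, a in resolved.items()
            if not is_lan_address(a) and counts[a] == 1]


# --- constructed resolvers standing in for the network the UE is on ---

def clean_resolver(name):
    """Honest resolver: each target gets its own WAN address."""
    return KNOWN_WAN_ADDRESSES[name]


def lan_hijack_resolver(name):
    """Hijacked AP answering every query with the gateway's LAN address."""
    return "192.168.1.1"


def pool_hijack_resolver(pool, seed=0):
    """Evasive hijacker from the text: answers with a WAN address drawn at
    random from a small pool it controls. With more targets than pool
    entries the pigeonhole principle guarantees at least one duplicate."""
    rng = random.Random(seed)
    return lambda name: rng.choice(pool)


if __name__ == "__main__":
    pool = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    for label, r in [("clean", clean_resolver),
                     ("lan hijack", lan_hijack_resolver),
                     ("pool hijack", pool_hijack_resolver(pool))]:
        v = detect_hijack_risk(TARGET_DOMAINS, r)
        print(f"{label:12s} at_risk={v['at_risk']} "
              f"lan={len(v['lan_addresses'])} dup={v['duplicate_addresses']}")
```

Two things the text leaves implicit follow from the code. A hijacker answering from a pool of k addresses is caught by the duplicate check whenever more than k targets are resolved, so the target list should be longer than any plausible pool, and the server-side selection is what keeps two legitimately co-hosted domains from producing a false duplicate. The LAN check covers only the three RFC 1918 ranges, so answers in loopback, link-local or carrier-grade NAT space (127/8, 169.254/16, 100.64/10) would pass it unless `LAN_RANGES` is extended; a captive portal that rewrites DNS until the user signs in will trip both checks, which is the right verdict for the risk being detected but worth keeping in mind when reading it.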
  • The second aspect of the present disclosure provides another method for detecting the risk of DNS full traffic hijacking. FIG. 2 is a flow chart of this second method. The method includes:
  • S201: Obtain one or more target domain names for detecting the risk of DNS full traffic hijacking; the known IP addresses corresponding to the one or more target domain names are different.
  • S202: Perform DNS resolution on the one or more target domain names, obtain the target IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses.
  • S203: Determine whether the same address exists among the one or more target IP addresses.
  • S204: When the same address exists among the one or more target IP addresses, determine that the UE has a risk of DNS full traffic hijacking.
  • The timing at which the second detection method is run is the same as for the first detection method and is not repeated here.
  • S201 is similar to S101 and S202 is similar to S102; since S101 and S102 have been described in detail above, the description is not repeated.
  • S201 differs from S101 in that the target domain names in this embodiment are specifically domain names with different IP addresses. Therefore, if the target domain names are delivered by the server, the server selects, by resolving and verifying, one or more domain names whose corresponding IP addresses differ and delivers them to the UE as the target domain names for storage; when the target domain names are to be obtained, the UE reads the one or more target domain names with different known IP addresses from its storage space.
  • For example, the server determines that the IP addresses corresponding to the ten domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are different, as shown in Table 1, and sends them to the UE as data in a JSON structure. After receiving the data, the UE parses out the ten target domain names and stores them in its storage space, and reads them from the storage space when they need to be obtained.
  • If instead the target domain names are determined by the UE, the preset condition is specifically that the IP address corresponding to the domain name differs from those of the other candidates. The UE performs DNS resolution on the multiple candidate domain names, obtains the one or more IP addresses corresponding to each, and selects as target domain names those candidates whose set of IP addresses shared with any other candidate is empty.
  • In S203 it is determined whether the same address exists among the one or more target IP addresses. When the entire DNS process is hijacked, accessing any domain name returns the same IP address to the UE. At the same time, to avoid discovery, the attacker sometimes returns to the UE an IP address chosen at random from a set of IP addresses; this set is in fact the addresses of servers controlled by the attacker. Therefore, if the same address exists among the one or more target IP addresses, this indicates that the AP or AC accessed by the UE may have been hijacked, and when the same address exists among the target IP addresses it is determined in S204 that the UE has a risk of DNS full traffic hijacking.
  • For example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The first and fifth target IP addresses are the same, so it is determined that the same address exists among the target IP addresses, and therefore that the UE has a risk of DNS full traffic hijacking.
  • As another example, the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The first target IP address is the same as the fifth, and the second is the same as the fourth, so it is determined that the same address exists among the target IP addresses, and therefore that the UE has a risk of DNS full traffic hijacking.
  • In this way, the technical solution of this embodiment improves the detection accuracy of the DNS full traffic hijacking risk.
  • The technical solution does not need to compare against a huge blacklist database, so no blacklist database is stored in the electronic device or the server, saving the device resources it would occupy.
  • The foregoing S201 to S204 may all be performed by the UE; or S201 to S202 are performed by the UE and S203 to S204 by the server, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination.
  • When S201 to S204 are all performed by the UE without the participation of the server, the present disclosure further prevents an illegal intermediary that has hijacked the DNS from monitoring the interaction between the UE and the server, and thereby from interfering with the detection or even sending the UE false information indicating that the network is secure.
  • Further, in this embodiment the method includes the following. The target domain names are not only domain names with different known IP addresses; they are also WAN domain names. That is, the target domain names are specifically WAN domain names corresponding to different IP addresses.
  • When the target domain names are delivered by the server, the server selects one or more WAN domain names with different IP addresses and sends them to the UE as the target domain names, and the UE stores them; when they need to be obtained, the UE reads from its storage space the one or more target domain names that are WAN domain names with different known IP addresses. When the target domain names are determined by the UE, the preset condition is specifically a WAN domain name with a different IP address: the UE performs DNS resolution on the multiple candidate domain names, obtains the one or more IP addresses corresponding to each, and selects as target domain names those candidate WAN domain names whose set of IP addresses shared with any other candidate is empty.
  • The attacker may return different target IP addresses to the UE, but a local area network address among the target IP addresses may still expose the hijacking. Therefore, in this embodiment, when no address is repeated among the one or more target IP addresses, it is further determined whether a local area network address exists among them in order to detect the risk of DNS full traffic hijacking.
  • Since the IP address corresponding to a WAN domain name is a WAN address, a local area network address among the one or more target IP addresses indicates that the AP or AC accessed by the UE may have been hijacked. Therefore, when no address is repeated among the target IP addresses but a local area network address exists among them, it is determined that the UE has a risk of DNS full traffic hijacking.
  • By first determining whether the same address exists among the target IP addresses and, when none does, further determining whether a local area network address exists among them, the detection accuracy of this embodiment is further improved.
  • The method in this embodiment further includes: when no address is repeated among the one or more target IP addresses and no local area network address exists among them, it is determined that the UE does not have a risk of DNS full traffic hijacking.
  • the third aspect of the present disclosure provides another method for detecting the risk of DNS full traffic hijacking.
  • FIG. 3 is a flowchart of the third method for detecting DNS full traffic hijacking risk according to an embodiment of the present disclosure.
  • the method includes:
  • S301: obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system (DNS);
  • the one or more target domain names are specifically WAN domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are not the same;
  • S302: perform DNS resolution on the one or more target domain names, obtain the target IP address corresponding to each target domain name, and thereby obtain one or more target IP addresses;
  • S303: determine whether a local area network address exists among the one or more target IP addresses, and whether the same address exists among the one or more target IP addresses;
  • S304: when a local area network address exists among the one or more target IP addresses, or the same address exists among the one or more target IP addresses, determine that the user equipment (UE) has a risk of DNS full traffic hijacking.
  • in a specific implementation, the third method for detecting DNS full traffic hijacking risk can be performed together with the first and second methods, so that network security is detected at the same time; this is not described again here.
  • S301 is similar to S101 and S201, and S302 is similar to S102 and S202. Since S101 and S102 have been described in detail above, their description is not repeated in this embodiment.
  • S301 differs from S101 in that the target domain names in this embodiment are specifically WAN domain names whose known IP addresses differ. Therefore, if the target domain names are delivered by the server, the server selects, by resolving and verifying, one or more WAN domain names with different corresponding IP addresses and delivers them to the UE as the target domain names, which the UE stores. When obtaining the target domain names, the UE then reads from its storage space the one or more WAN domain names whose known IP addresses differ and uses them as the target domain names.
  • if the target domain names are instead determined from candidate domain names, the preset condition is specifically that a candidate is a WAN domain name whose IP addresses differ from those of the other candidates: the UE performs DNS resolution on the multiple candidate domain names, obtains the one or more IP addresses corresponding to each candidate domain name, and selects as target domain names those WAN candidates whose sets of resolved IP addresses have an empty intersection.
  • in S303 it is determined whether a local area network address exists among the one or more target IP addresses and whether the same address exists among them. If either is the case, the AP or AC accessed by the UE may be hijacked. Therefore, when a local area network address exists among the one or more target IP addresses, or the same address exists among them, it is determined in S304 that the UE has a DNS full traffic hijacking risk.
  • for example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. All five target IP addresses are WAN addresses, but the first and the fifth target IP address are the same, so it is determined that the UE has a DNS full traffic hijacking risk.
  • as another example, the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The five target IP addresses are all different, but the fifth target IP address is a local area network address, so it is determined that the UE has a DNS full traffic hijacking risk.
  • as a further example, the target IP addresses are 123.125.112.202, 123.125.112.202, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The fifth target IP address is a local area network address, and the first and the second target IP address are the same; either condition determines that the UE has a DNS full traffic hijacking risk.
  • because the target domain names are known to correspond to different known IP addresses, and each known IP address is a wide area network address, the presence of a local area network address among the one or more target IP addresses, or of the same target IP address for two different target domain names, determines that the UE has a DNS full traffic hijacking risk. Therefore, even if the target IP address resolved from a target domain name is not in a blacklist library, it can be determined that the UE has a full traffic hijacking risk, and the technical solution of the embodiment of the present disclosure improves the detection accuracy of the DNS full traffic hijacking risk.
  • the technical solution of the embodiment of the present disclosure does not need to be compared with a huge blacklist database, so the blacklist database need not be stored in the electronic device or the server, which saves the device resources the blacklist database would occupy.
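The following Python is an added illustration, not code from the patent or its applicant: it implements the candidate selection condition (non-overlapping known WAN addresses) and the S303/S304 check over resolved addresses, with the patent's three worked examples as inputs. Domain names are placeholders, and the DNS lookup is replaced by a caller-supplied function so the example runs offline.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List


def is_lan_address(ip: str) -> bool:
    """True for a local area network address (RFC 1918 private, link-local,
    loopback); a WAN domain name should never resolve to one of these."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local or addr.is_loopback


def select_target_domains(candidates: Dict[str, List[str]]) -> List[str]:
    """Preset condition for choosing target domain names from candidates:
    keep WAN candidates whose known IP address sets do not intersect, so that
    an honest resolution can never return the same address for two targets."""
    chosen: List[str] = []
    seen: set = set()
    for name, ips in candidates.items():
        if any(is_lan_address(ip) for ip in ips):
            continue  # resolves to a LAN address, so not a WAN domain name
        if seen.intersection(ips):
            continue  # shares an address with a candidate already chosen
        chosen.append(name)
        seen.update(ips)
    return chosen


@dataclass
class RiskReport:
    """Outcome of S303/S304: which addresses triggered which condition."""
    lan_addresses: List[str] = field(default_factory=list)
    duplicate_addresses: List[str] = field(default_factory=list)

    @property
    def at_risk(self) -> bool:
        return bool(self.lan_addresses or self.duplicate_addresses)


def assess(target_ips: Iterable[str], check_lan: bool = True,
           check_same: bool = True) -> RiskReport:
    """S303/S304 over the resolved target IP addresses. check_lan alone is the
    first method, check_same alone the second, both together the third."""
    report = RiskReport()
    seen: set = set()
    for ip in target_ips:
        if check_lan and is_lan_address(ip) and ip not in report.lan_addresses:
            report.lan_addresses.append(ip)
        if check_same and ip in seen and ip not in report.duplicate_addresses:
            report.duplicate_addresses.append(ip)
        seen.add(ip)
    return report


def resolve_and_assess(domains: Iterable[str],
                       resolver: Callable[[str], str]) -> RiskReport:
    """S302 followed by S303/S304; `resolver` stands in for the UE's DNS
    lookup so the example runs offline (a real UE would query its resolver)."""
    return assess([resolver(d) for d in domains])


# Constructed sample data: placeholder domain names mapped to the WAN addresses
# from the patent's worked examples, as a server might deliver them to the UE.
KNOWN_TARGETS: Dict[str, str] = {
    "target-a.invalid": "123.125.112.202",
    "target-b.invalid": "220.181.12.208",
    "target-c.invalid": "111.206.227.118",
    "target-d.invalid": "110.76.19.33",
    "target-e.invalid": "175.25.168.40",
}

if __name__ == "__main__":
    # Honest access point: every target resolves to its known address.
    print(resolve_and_assess(KNOWN_TARGETS, KNOWN_TARGETS.__getitem__).at_risk)
    # Constructed hijacking access point: one target answered with a LAN address.
    hijacked = dict(KNOWN_TARGETS, **{"target-e.invalid": "192.168.1.1"})
    print(resolve_and_assess(KNOWN_TARGETS, hijacked.__getitem__))
```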
  • the foregoing S301 to S304 may all be performed by the UE; alternatively, S301 to S302 are performed by the UE and S303 to S304 by the server, that is, the UE resolves the target IP addresses and reports them to the server for detection and determination.
  • with the participation of the server, the present disclosure can further prevent an illegal agent that hijacks the DNS from monitoring the interaction between the UE and the server, interfering with the detection, and even sending the UE false information indicating that the network is secure.
  • the method in the embodiment of the present disclosure further includes:
  • the fourth aspect of the present disclosure provides the first DNS full traffic hijacking risk detecting device, as shown in FIG. 4, including:
  • the obtaining module 101 is configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system DNS; wherein the one or more target domain names are specifically wide area network domain names;
  • the parsing module 102 is configured to perform DNS resolution on one or more target domain names, obtain a target Internet Protocol IP address corresponding to each target domain name, and obtain one or more target IP addresses;
  • the first determining module 103 is configured to determine whether a local area network address exists in one or more target IP addresses;
  • the first determining module 104 is configured to determine that the user equipment UE has a DNS full traffic hijacking risk when a local area network address exists in one or more target IP addresses.
  • the device in the embodiment of the present disclosure further includes:
  • a second determining module configured to determine whether the same address exists in one or more target IP addresses; wherein the known IP addresses corresponding to the one or more target domain names are different;
  • the second determining module is configured to determine that the UE has a full traffic hijacking risk when the same address exists in one or more target IP addresses.
  • the device in the embodiment of the present disclosure further includes:
  • the third determining module is configured to determine that the UE does not have a DNS full traffic hijacking risk when the same address does not exist in the one or more target IP addresses.
  • the obtaining module 101 is configured to read one or more target domain names that are sent by the server corresponding to the UE and stored in the storage space of the UE, or to determine, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
  • the device in the embodiment of the present disclosure further includes:
  • a third determining module configured to determine whether the UE accesses a new wireless access point AP before DNS resolution is performed on the one or more target domain names;
  • a notification module configured to notify the parsing module to perform DNS resolution on the one or more target domain names when the UE accesses a new AP.
  • the fifth aspect of the present disclosure provides a second DNS full traffic hijacking risk detecting apparatus, as shown in FIG. 5, including:
  • the obtaining module 201 is configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system; wherein the known IP addresses corresponding to the one or more target domain names are different;
  • the parsing module 202 is configured to perform DNS resolution on one or more target domain names, obtain a target Internet Protocol IP address corresponding to each target domain name, and obtain one or more target IP addresses.
  • the first determining module 203 is configured to determine whether the same address exists in one or more target IP addresses
  • the first determining module 204 is configured to determine that the UE has a full DNS traffic hijacking risk when the same address exists in one or more target IP addresses.
  • the apparatus in the embodiment of the present disclosure further includes:
  • a second determining module configured to determine whether a local area network address exists in one or more target IP addresses; wherein the one or more target domain names are specifically wide area network domain names;
  • the second determining module is configured to determine that the UE has a full traffic hijacking risk when a local area network address exists in one or more target IP addresses.
  • the device in the embodiment of the present disclosure further includes:
  • the third determining module is configured to determine that the UE does not have a DNS full traffic hijacking risk when the local area network address does not exist in the one or more target IP addresses.
  • the obtaining module 201 is configured to read one or more target domain names that are sent by the server corresponding to the UE and stored in the storage space of the UE, or to determine, from multiple candidate domain names, one or more domain names that satisfy a preset condition as the one or more target domain names.
  • the device in the embodiment of the present disclosure further includes:
  • a third determining module configured to determine whether the UE accesses a new wireless access point AP before DNS resolution is performed on the one or more target domain names;
  • a notification module configured to notify the parsing module to perform DNS resolution on the one or more target domain names when the UE accesses a new AP.
  • the sixth aspect of the present disclosure provides a third DNS full traffic hijacking risk detecting apparatus, as shown in FIG. 6, including:
  • the obtaining module 301 is configured to obtain one or more target domain names for detecting a full traffic hijacking risk of the domain name system DNS; wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol IP addresses corresponding to the one or more target domain names are not the same;
  • the parsing module 302 is configured to perform DNS resolution on one or more target domain names, obtain a target IP address corresponding to each target domain name, and obtain one or more target IP addresses.
  • the determining module 303 is configured to determine whether a local area network address exists in one or more target IP addresses, and whether the same address exists in one or more target IP addresses;
  • the determining module 304 is configured to determine that the user equipment UE has a DNS full traffic hijacking risk when a local area network address exists in one or more target IP addresses, or when the same address exists in one or more target IP addresses.
  • FIG. 7 illustrates a computing device that can implement the method of detecting a DNS full traffic hijacking risk according to the present disclosure.
  • the computing device conventionally includes a processor 710 and a storage device 720.
  • Storage device 720 can be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
  • Storage device 720 has a storage space 730 that stores program code 731 for performing any of the method steps described above.
  • the storage space 730 storing the program code may include program code 731 for implementing the respective steps of the above methods.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as a hard disk, a compact disk (CD), a memory card, or a floppy disk.
  • such a computer program product is typically a portable or fixed storage unit such as that shown in FIG.
  • the storage unit may have storage segments, storage spaces, and the like arranged similarly to the storage device 720 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • such a storage unit includes computer readable code 731' for performing the steps of the method according to the present disclosure, that is, code that can be read by a processor such as 710 and that, when executed by a computing device, causes the computing device to perform the steps of the method described above.
  • one or more target domain names for detecting a risk of DNS full traffic hijacking are obtained, where the one or more target domain names in the embodiment of the present disclosure are specifically wide area network domain names; DNS resolution is then performed on the one or more target domain names, obtaining the target IP address corresponding to each target domain name and thereby one or more target IP addresses; it is then determined whether a local area network address exists among the one or more target IP addresses. Since the IP address corresponding to a target domain name is a wide area network address, when a local area network address exists among the one or more target IP addresses, it is determined that the UE has a DNS full traffic hijacking risk.
  • even if the target IP address resolved from a target domain name is not in a blacklist database, a target IP address that is a local area network address indicates that the network currently accessed by the UE may be subject to full traffic hijacking, and thus the DNS full traffic hijacking risk of the UE can be determined. Therefore, the above technical solution improves the detection accuracy of the DNS full traffic hijacking risk.
  • the technical solution of the embodiment of the present disclosure does not need to be compared with a huge blacklist database, and thus does not need to store a blacklist database, thereby saving the device resources occupied by the storage blacklist database.
  • the participation of the server can prevent illegal elements that hijack the DNS from monitoring the interaction between the UE and the server, interfering with the detection, and even sending false information indicating network security to the UE.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • all of the features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • Various component embodiments of the present disclosure may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of a gateway, a proxy server, or some or all of the components according to embodiments of the present disclosure.
  • the present disclosure may also be implemented as a device or device program (eg, a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the present disclosure may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

Abstract

Embodiments of the present invention relate to a method and apparatus for detecting a risk of DNS full traffic hijacking. The method comprises: obtaining one or more target domain names for detecting a risk of domain name system (DNS) full traffic hijacking, the one or more target domain names being wide area network domain names; performing DNS resolution on the one or more target domain names and obtaining a target Internet Protocol (IP) address corresponding to each target domain name, so as to obtain one or more target IP addresses; determining whether a local area network address is among the one or more target IP addresses; and when a local area network address is among the one or more target IP addresses, determining that the UE has a risk of DNS full traffic hijacking.
PCT/CN2017/117696 2016-12-21 2017-12-21 Procédé et appareil de détection de risque de détournement de trafic complet de dns WO2018113732A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611195637.6 2016-12-21
CN201611195637.6A CN106790077B (zh) 2016-12-21 2016-12-21 一种dns全流量劫持风险的检测方法和装置

Publications (1)

Publication Number Publication Date
WO2018113732A1 true WO2018113732A1 (fr) 2018-06-28

Family

ID=58899341

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/117696 WO2018113732A1 (fr) 2016-12-21 2017-12-21 Procédé et appareil de détection de risque de détournement de trafic complet de dns

Country Status (2)

Country Link
CN (1) CN106790077B (fr)
WO (1) WO2018113732A1 (fr)

Also Published As

Publication number Publication date
CN106790077A (zh) 2017-05-31
CN106790077B (zh) 2020-05-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 17882427; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 17882427; Country of ref document: EP; Kind code of ref document: A1