CN102868773B - Method, device and system for detecting domain name system (DNS) black hole hijack - Google Patents

Info

Publication number: CN102868773B
Authority: CN (China)
Application number: CN201210300947.5A
Other languages: Chinese (zh)
Other versions: CN102868773A (en)
Inventors: 刘海粟, 张聪, 颜高权
Current assignees: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Prior art keywords: address, black hole, verified, dns, abduction
Legal status: Active
Events: application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201210300947.5A; publication of CN102868773A; application granted; publication of CN102868773B; legal status active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method, a device and a system for detecting domain name system (DNS) black hole hijack. The method comprises the following steps: capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web page access requests in a network, extracting from the packets the domain names and Internet Protocol (IP) addresses corresponding to the web pages, and recording the correspondence between the domain names and the IP addresses; counting the captured results to obtain the number of different domain names corresponding to the same IP address; determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for performing DNS black hole hijack, and storing them; when a user's web page access request produces the current HTTP connection packet, extracting the IP address from that packet; and if the extracted IP address appears among the stored IP addresses used for DNS black hole hijack, determining that the web page access request has been subjected to DNS black hole hijack. With this method, device and system, the user is no longer disturbed by DNS black hole hijack pages.

Description

Method, device and system for detecting DNS black hole hijack
Technical field
The present invention relates to the field of information security technology, and in particular to a method, device and system for detecting DNS black hole hijack.
Background technology
With the spread of the Internet, users' demand for network services keeps growing. The most common way for an ordinary user to reach a website is by its domain name, but what the machine actually reads is the host's IP address, so domain name resolution is involved, and this is performed by DNS (Domain Name System). DNS consists of resolvers and name servers. A name server stores the domain names and corresponding IP addresses of all hosts in its network and has the function of converting domain names into IP addresses. DNS lets people use the Internet more conveniently, without having to remember the numeric IP address strings that a machine reads directly.
In practice, however, a domain name often cannot be resolved normally, and then the website cannot be accessed normally. In this situation some network operators perform DNS black hole hijack: the domain name that is to be resolved is redirected to an IP address belonging to the operator itself, and when the user connects to that IP address an advertisement or navigation page is shown to the user in place of the page that cannot be accessed, so as to increase the operator's own advertising income and similar goals. This advertisement or navigation page, however, also interferes with the user and causes annoyance.
The technical problem that those skilled in the art urgently need to solve is therefore how to detect DNS black hole hijack behaviour while the user is accessing a web page, so as to keep the user from being disturbed by hijack pages such as advertisement or navigation pages.
Summary of the invention
The invention provides a method, device and system for detecting DNS black hole hijack, which can detect DNS black hole hijack behaviour and thereby keep the user from being disturbed by hijack pages such as advertisement or navigation pages.
The invention provides the following scheme:
A method for detecting DNS black hole hijack, comprising:
capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web page access requests in the network, extracting from the packets the domain names and IP addresses corresponding to the web pages, and recording the correspondence between domain names and IP addresses;
counting the captured results to obtain the number of different domain names corresponding to the same IP address;
determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijack, and storing the determined IP addresses used for DNS black hole hijack;
when a user's web page access request produces the current HTTP connection packet, extracting the IP address from that current HTTP connection packet;
if the extracted IP address appears among the stored IP addresses used for DNS black hole hijack, determining that the user's web page access request has been subjected to DNS black hole hijack.
Optionally, determining the IP addresses used for DNS black hole hijack according to the number of different domain names corresponding to the same IP address comprises:
extracting the IP addresses for which the number of corresponding different domain names reaches a preset condition as IP addresses to be verified;
obtaining the server response information corresponding to the IP address to be verified;
verifying the IP address to be verified according to the server response information and, if the verification passes, determining the IP address to be verified as an IP address used for DNS black hole hijack.
Optionally, the server response information comprises a web page content packet, and verifying the IP address to be verified according to the server response information comprises:
extracting the web page content from the web page content packet corresponding to the IP address to be verified, comparing the extracted web page content with the web page content known to correspond to IP addresses used for DNS black hole hijack, and passing the verification if the similarity reaches a preset threshold.
Optionally, the server response information comprises web page code, and verifying the IP address to be verified according to the server response information comprises:
judging whether the web page code contains preset key code, and passing the verification if it does.
Optionally, the preset key code comprises jump (redirect) instruction code.
A device for detecting DNS black hole hijack, comprising:
a capture unit, for capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web page access requests in the network, extracting from the packets the domain names and IP addresses corresponding to the web pages, and recording the correspondence between domain names and IP addresses;
a statistics unit, for counting the captured results to obtain the number of different domain names corresponding to the same IP address;
a hijack IP address determination unit, for determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijack, and storing the determined IP addresses used for DNS black hole hijack;
an IP address extraction unit, for extracting the IP address from the current HTTP connection packet when a user's web page access request produces one;
a detection unit, for determining that the user's web page access request has been subjected to DNS black hole hijack if the extracted IP address appears among the stored IP addresses used for DNS black hole hijack.
Optionally, the hijack IP address determination unit comprises:
an extraction subunit, for extracting the IP addresses whose number of corresponding different domain names reaches a preset threshold as IP addresses to be verified;
a response information acquisition subunit, for obtaining the server response information corresponding to the IP address to be verified;
a verification subunit, for verifying the IP address to be verified according to the server response information and, if the verification passes, determining the IP address to be verified as an IP address used for DNS black hole hijack.
Optionally, the server response information comprises a web page content packet, and the verification subunit comprises:
a first verification subunit, for extracting the web page content from the web page content packet corresponding to the IP address to be verified, comparing the extracted web page content with the web page content known to correspond to IP addresses used for DNS black hole hijack, and passing the verification if the similarity reaches a preset threshold.
Optionally, the server response information comprises web page code, and the verification subunit comprises:
a second verification subunit, for judging whether the web page code contains preset key code and passing the verification if it does.
A system for detecting DNS black hole hijack, comprising a server side and a client, wherein the server side comprises:
a capture unit, for capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web page access requests in the network, extracting from the packets the domain names and IP addresses corresponding to the web pages, and recording the correspondence between domain names and IP addresses;
a statistics unit, for counting the captured results to obtain the number of different domain names corresponding to the same IP address;
a hijack IP address determination unit, for determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijack, and storing the determined IP addresses used for DNS black hole hijack;
the client comprises:
an IP address extraction unit, for extracting the IP address from the current HTTP connection packet when a user's web page access request produces one;
an uploading unit, for uploading the extracted IP address to the server side;
and the server side further comprises:
a detection unit, for determining that the user's web page access request has been subjected to DNS black hole hijack if the extracted IP address appears among the stored IP addresses used for DNS black hole hijack.
According to the specific embodiments provided by the invention, the invention has the following technical effect:
With the present invention, a large number of HTTP packets are collected, the correspondence between domain names and IP addresses is extracted from them and counted, and from the counts the IP addresses that may be used for DNS black hole hijack are derived. Then, when a user accesses a web page, the IP address in the HTTP packet can be extracted and checked against the IP addresses used for DNS black hole hijack; if it is among them, it can be concluded that the user's web page access has been subjected to DNS black hole hijack. Thus DNS black hole hijack behaviour can be detected while the user is accessing a web page, keeping the user from being disturbed by hijack pages such as advertisement or navigation pages.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is the flow chart of the method provided by the embodiment of the present invention;
Fig. 2 is the schematic diagram of the device provided by the embodiment of the present invention;
Fig. 3 is the schematic diagram of the system provided by the embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the invention.
To avoid conceptual confusion, it should first be noted that although a DNS black hole looks like web page hijack in appearance, in technical essence the behaviour still takes place at the DNS resolution step, yet it also differs from DNS hijack. That is, DNS black hole, DNS hijack and web page hijack are all different concepts, which are briefly introduced below.
So-called "web page hijack", or "pagejack", means that the machine reaches the correct web server and the web server returns the correct page, but while the page is being transmitted to the machine it is replaced, or some of its links are modified, by a third party.
DNS hijack is more thorough: what is hijacked is the DNS server itself, i.e. at resolution time the resolution is provided by a wrong DNS server, and what is finally returned is naturally a substituted, wrong page.
The so-called DNS black hole is a resolution service provided by the correct DNS server, but a wrong IP address is handed out at the DNS resolution step, so the HTTP access reaches the wrong web server and obtains the wrong page.
From another angle, DNS hijack and web page hijack are generally caused by viruses or hacker attacks, whereas a DNS black hole is mostly a service provided by a legitimate operator; the pages hijacked by a DNS black hole are limited to the case where the domain name cannot be resolved (i.e. the domain name is invalid), in which an alternative page is returned to the user, and a domain name that resolves normally will not be hijacked by a DNS black hole.
Referring to Fig. 1, the method for detecting DNS black hole hijack provided by the embodiment of the present invention can comprise the following steps:
S101: capturing the HTTP (Hypertext Transfer Protocol) connection packets corresponding to web page access requests in the network, extracting from the packets the domain names and IP addresses corresponding to the web pages, and recording the correspondence between domain names and IP addresses;
When a user accesses a web page with a browser, a web page access request is produced. The URL of the page is first converted to an IP address by the DNS server, an HTTP packet is generated in which the converted IP address is stored, and the web page access request is sent to the web server at that IP address. If, in this process, the domain name cannot be resolved normally, the address may be replaced by a network operator or the like with an IP address used for DNS black hole hijack. In other words, the IP address contained in the HTTP packet may be the address that actually corresponds to the page's URL, or it may be a replaced address. In the embodiment of the present invention these HTTP packets are collected, the domain name and IP address of the page are extracted from them, and the correspondence between the domain name and the IP address is recorded.
Here, a domain name is the name of a computer or computing unit on the Internet, made up of a string of dot-separated names and used to identify the computer's electronic location during data transmission on the Internet, e.g. abc.com. Put simply, a domain name is the name under which a computer or computing unit is registered on the Internet, and by that registered name the user can reach the corresponding computer or computing unit. The name may carry some information about the registrant, such as a company or organization name or the content of its services. Domain names also differ in level: abc.com above is a TLD, and TLDs are allocated by a dedicated international organization; below a TLD there can be second-level and third-level domains, e.g. news.abc.com is a second-level domain under that TLD. Some second-level domains, especially those registered by organizations, are often used to distinguish and highlight different business sections; conversely, different business sections are often reflected by different second-level domains, e.g. news.abc.com above may represent the news section and sports.abc.com the sports section of the site.
For the user, a domain name usually represents a website, and each page the user browses is a preset file downloaded from some server of that site. From the URL the user browses, the domain name it contains can be obtained; for example, if the user accesses sports.abc.com/football/fifa2010/123.htm, the domain name contained in it is sports.abc.com.
In the embodiment of the present invention, the HTTP packets in the network can be captured by means of the browser's cloud engine. The so-called cloud engine is a browser program running on the server side that cooperates with the browser program running locally on the user's machine to complete the user's page access tasks. For example, when the cloud engine is used, a web page access request initiated by the user is not sent directly to the web server but first to the browser's cloud engine, which forwards it to the web server. In this way, as each user of the browser accesses web pages, the cloud engine receives their web page access requests, so a large number of HTTP packets can be collected through the browser's cloud engine and the domain name / IP address correspondence extracted from each of them for subsequent processing. Alternatively, in another implementation, the user's local browser can copy each HTTP packet and send the copy to the browser's cloud engine for information collection.
It should be noted that HTTP packets are captured because the purpose of a DNS black hole is precisely to hijack specific web pages and display the operator's own page, which can only be achieved by having the browser parse HTTP data. Data of non-HTTP protocols cannot be displayed directly by the browser, so hijacking them makes no sense as it does for HTTP. Only the HTTP and HTTPS protocols are meaningful to hijack, but HTTPS communication is encrypted, its contents cannot be obtained at all and therefore cannot be analysed, so only HTTP data is captured in the embodiment of the present invention.
S102: counting the captured results to obtain the number of different domain names corresponding to the same IP address;
Since a large number of correspondences between domain names and IP addresses have been captured, statistics can be computed on these data to pick out the IP addresses that may be used for DNS black hole hijack. When a network operator performs DNS black hole hijack it generally uses one or a few fixed IP addresses: whenever domain name resolution is abnormal, the request is redirected to those one or few fixed addresses. Because there may be many domain names that cannot be resolved normally, the statistics may show that many domain names correspond to the same IP address, i.e. many domain names all jump to the same IP. This is likely because those domain names cannot be resolved normally and have been subjected to DNS black hole hijack, so that IP address is likely one used for DNS black hole hijack; under normal circumstances a domain name generally corresponds uniquely to one IP address. Therefore, after capturing a large number of domain name / IP address correspondences, they are counted to obtain the number of domain names corresponding to each IP address. For example, if the domain name extracted from one captured HTTP packet is domain name A and it corresponds to a certain IP address, and the domain name extracted from another captured HTTP packet is domain name B corresponding to the same IP address, then the number of domain names corresponding to that IP address is 2, and so on.
S103: determining, according to the number of different domain names corresponding to the same IP address, the IP addresses used for DNS black hole hijack, and storing the determined IP addresses used for DNS black hole hijack;
After the number of different domain names corresponding to each IP address has been determined, the IP addresses can be sorted by that number and the few with the largest counts taken as the IP addresses used for DNS black hole hijack; alternatively, the IP addresses whose number of corresponding different domain names reaches a certain preset threshold can be taken as the IP addresses used for DNS black hole hijack, and so on.
In practice the following situation may also occur: owing to network restrictions and similar reasons, some special web pages cannot be accessed directly, and the user has to access them through a proxy server. Proxy servers are mostly used to connect the INTERNET and an INTRANET (local area network). For example, in China the so-called China multimedia public information network and the education network are both independent large national local area networks isolated from the Internet. To meet various needs, some organizations or individuals set up proxy servers between the two networks, and anyone who knows the address of such a proxy can use it to reach external websites. Users inside the local area network who access external pages through the proxy server are all mapped to a single IP address, so when HTTP packets are parsed the case of one IP address corresponding to multiple domain names also appears.
Therefore, to distinguish this from the above situation, the embodiment of the present invention can further verify, after finding that an IP address corresponds to multiple domain names, whether that IP address really is one used for DNS black hole hijack. Specifically: obtain the web server response information corresponding to the IP address to be verified, then verify the IP address to be verified according to that server response information, and if the verification passes, determine the IP address to be verified as an IP address used for DNS black hole hijack. The web server response information may contain the content data of the web page, so one concrete verification method is: extract the web page content from the web page content packet corresponding to the IP address to be verified, compare the extracted content with the web page content known to correspond to IP addresses used for DNS black hole hijack, and pass the verification if the similarity reaches a preset threshold. That is, the web page content corresponding to IP addresses already determined to be used for DNS black hole hijack (which may be an advertisement page or navigation page of the network operator) can be obtained in advance; if the web page content corresponding to the IP address to be verified is identical to it, or the similarity reaches a certain degree, the IP address to be verified can be regarded as an IP address used for DNS black hole hijack. If instead the IP address to be verified is the address of a proxy server, the web page content corresponding to it will not be highly similar to an advertisement or navigation page of the network operator, so that IP address can be excluded accordingly. Page content is basically a piece of text data, so the web page similarity comparison can be based on a hash value of the page, or a text similarity algorithm such as cosine distance matching can be used; the invention is not limited in this respect.
Alternatively, in another implementation, consider that the web page code corresponding to an IP address used for address hijack generally contains a special piece of code. This special code is generally JavaScript code corresponding to some jump (redirect) instruction, code that must be written into the page whenever DNS black hole hijack is performed, for example:
This code is used to jump to the domain name abc.com.cn, which is held by a certain network operator. Therefore, the web page code can be extracted from the server response information corresponding to the IP address to be verified and checked for the preset key code; if it is present, it can be concluded that the IP address to be verified is an IP address used by this network operator for DNS black hole hijack. Of course, the jump instruction is only one kind of key code; in a specific implementation it may also be a specified keyword (which may be a character string rather than an executable instruction).
Once the IP addresses used for DNS black hole hijack have been found, they can be stored, for example as a list, to serve as the basis for detecting DNS black hole hijack behaviour. In practice this list can be kept at the browser's cloud engine side.
S104: when a user's web page access request produces the current HTTP connection packet, extracting the IP address from that current HTTP connection packet;
After the IP addresses used for DNS black hole hijack have been stored, DNS black hole hijack behaviour can be detected against them. Specifically, after the user's web page access request produces an HTTP packet, the IP address is extracted from it in the same way. Again, this IP address may be the address that actually corresponds to the URL of the accessed page, or it may be an IP address used for DNS black hole hijack after redirection.
S105: if the extracted IP address appears among the stored IP addresses used for DNS black hole hijack, determining that the user's web page access request has been subjected to DNS black hole hijack.
After extracting the IP address contained in the HTTP packet, it is compared with each of the previously stored IP addresses used for DNS black hole hijack; if it is among them, this shows that the user's web page access request has been subjected to DNS black hole hijack. Once this is found, the HTTP packet can be dropped directly so that the HTTP request cannot reach the redirected IP address; or a prompt can be shown to the user saying that the current request may be subject to DNS black hole hijack and asking whether to continue or end the visit. If the user chooses to continue, the HTTP packet is let through to the redirected IP address and the corresponding web page content is returned and displayed to the user; if the user chooses to end the visit, the HTTP packet is dropped; other handling can of course also be adopted and is not enumerated here.
In summary, in the embodiment of the present invention a large number of HTTP packets are collected, the correspondence between domain names and IP addresses is extracted from them and counted, and from the counts the IP addresses that may be used for DNS black hole hijack are derived; then, when a user accesses a web page, the IP address in the HTTP packet can be extracted and checked against the IP addresses used for DNS black hole hijack, and if it is among them it can be concluded that the user's web page access has been subjected to DNS black hole hijack. Thus DNS black hole hijack behaviour can be detected while the user is accessing a web page, keeping the user from being disturbed by hijack pages such as advertisement or navigation pages.
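The five steps above carried through end to end, as an added Python example that is not the patent's own code: it records domain/IP pairs from HTTP requests (S101), counts distinct names per IP (S102), verifies the candidates by page-text cosine similarity or by a key redirect code (S103), and checks a live request against the resulting list (S104/S105). The sample capture, the page contents, the proxy-server case and the regular expression standing in for the key code are all constructed assumptions.

```python
"""Detecting DNS black hole hijack from HTTP traffic (steps S101-S105).
Added example, not the patent's own code; packets are (destination IP, raw
HTTP request) pairs and server responses come from a dict. Sample data is constructed."""
import re
from collections import defaultdict
from math import sqrt

# S101: pull the domain name out of a captured HTTP request's Host header.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n:]+)", re.IGNORECASE | re.MULTILINE)

def extract_domain_ip(dst_ip, raw_request):
    """Return (domain, ip) for one request, or None if it has no Host header."""
    m = HOST_RE.search(raw_request)
    if m is None:
        return None
    return m.group(1).decode("ascii", "replace").strip().lower(), dst_ip

def collect_pairs(capture):
    """Record the domain -> IP correspondence for every parseable packet."""
    return [r for r in (extract_domain_ip(ip, raw) for ip, raw in capture) if r]

# S102: number of distinct domain names that resolved to each IP address.
def domains_per_ip(pairs):
    seen = defaultdict(set)
    for domain, ip in pairs:
        seen[ip].add(domain)
    return {ip: len(domains) for ip, domains in seen.items()}

# S103, first verification form: text similarity to a known hijack page.
TAG_RE = re.compile(r"<[^>]+>")
TOKEN_RE = re.compile(r"[a-z0-9]+")

def cosine_similarity(page_a, page_b):
    """Cosine similarity of term-frequency vectors over the pages' visible text."""
    def tf(page):
        counts = defaultdict(int)
        for tok in TOKEN_RE.findall(TAG_RE.sub(" ", page).lower()):
            counts[tok] += 1
        return counts
    a, b = tf(page_a), tf(page_b)
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

# S103, second verification form: a preset key code in the page source.  The
# patent names a redirect (jump) instruction; this exact pattern is an assumption.
KEY_CODE_RE = re.compile(
    r"(window\.)?location(\.href)?\s*=(?!=)|location\.replace\s*\(|http-equiv=[\"']refresh",
    re.IGNORECASE,
)

def verify_candidate(page, known_hijack_pages, min_similarity=0.8):
    """Pass if the page carries the key code or resembles a known hijack page."""
    if KEY_CODE_RE.search(page):
        return True
    return any(cosine_similarity(page, k) >= min_similarity for k in known_hijack_pages)

def find_hijack_ips(pairs, pages, known_hijack_pages, min_domains=3, min_similarity=0.8):
    """IPs serving at least min_domains names are candidates; keep the verified ones.
    Verification is what separates a black hole from a proxy that also fronts many names."""
    return {
        ip for ip, n in domains_per_ip(pairs).items()
        if n >= min_domains
        and verify_candidate(pages.get(ip, ""), known_hijack_pages, min_similarity)
    }

# S104/S105: a live request is hijacked if its destination IP is on the saved list.
def is_hijacked(dst_ip, raw_request, hijack_ips):
    rec = extract_domain_ip(dst_ip, raw_request)
    return rec is not None and rec[1] in hijack_ips

# Constructed sample capture: 203.0.113.9 answers for three names that do not
# resolve (operator black hole); 198.51.100.7 is a proxy fronting three real names.
def req(host):
    return b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"

CAPTURE = (
    [("203.0.113.9", req(h)) for h in (b"typo-one.example", b"typo-two.example",
                                       b"typo-three.example", b"typo-one.example")]
    + [("198.51.100.7", req(h)) for h in (b"news.abc.com", b"sports.abc.com", b"mail.abc.com:8080")]
    + [("192.0.2.10", req(b"abc.com"))]
)
PAGES = {  # constructed responses returned by each IP
    "203.0.113.9": "<html><body><h1>Sorry, the page you requested could not be found.</h1>"
                   "<p>Try these sponsored links and search results.</p></body></html>",
    "198.51.100.7": "<html><body><h1>Company intranet portal</h1>"
                    "<p>Latest news and sports results for staff.</p></body></html>",
    "192.0.2.10": "<html><body><h1>abc.com home page</h1></body></html>",
}
KNOWN_HIJACK_PAGES = ["<html><body><h1>Sorry, the page you requested could not be found.</h1>"
                      "<p>Try these sponsored links.</p></body></html>"]

if __name__ == "__main__":
    hijack = find_hijack_ips(collect_pairs(CAPTURE), PAGES, KNOWN_HIJACK_PAGES)
    print("hijack IPs:", sorted(hijack))           # ['203.0.113.9']
    print(is_hijacked("203.0.113.9", req(b"typo-two.example"), hijack))  # True
```

The proxy 198.51.100.7 reaches the same domain count as the black hole but fails both verification forms, which is exactly the distinction the threshold alone cannot make.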
Corresponding to the method for detecting DNS black-hole hijacking provided by the embodiment of the present invention, the embodiment also provides a device for detecting DNS black-hole hijacking. Referring to Fig. 2, the device may comprise:
Capture unit 201, for capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extracting from those packets the domain name and IP address corresponding to each web page, and recording the correspondence between domain name and IP address;
Statistics unit 202, for tallying the captured results to obtain the number of distinct domain names corresponding to each IP address;
Hijack IP address determination unit 203, for determining, according to the number of distinct domain names corresponding to the same IP address, the IP addresses used for DNS black-hole hijacking, and saving the determined IP addresses used for DNS black-hole hijacking;
IP address extraction unit 204, for extracting the IP address from the current HTTP connection packet when the user's web access request produces that packet;
Detection unit 205, for determining that the user's web access request has been hijacked by a DNS black hole if the extracted IP address appears among the saved IP addresses used for DNS black-hole hijacking.
Optionally, the hijack IP address determination unit 203 may further comprise:
Extraction sub-unit, for extracting, as IP addresses to be verified, the IP addresses whose number of corresponding distinct domain names reaches a preset threshold;
Response information acquisition sub-unit, for obtaining the server response information corresponding to the IP address to be verified;
Verification sub-unit, for verifying the IP address to be verified according to the server response information and, if verification passes, determining the IP address to be verified as an IP address used for DNS black-hole hijacking.
In a specific implementation, the server response information comprises a web content packet, and the verification sub-unit may comprise:
First verification sub-unit, for extracting web page content from the web content packet corresponding to the IP address to be verified and comparing the extracted content with web page content known to correspond to an IP address used for DNS black-hole hijacking; if the similarity reaches a preset threshold, verification passes.
Alternatively, in another verification mode, since the server response information also comprises web page code, the verification sub-unit may comprise:
Second verification sub-unit, for judging whether the web page code comprises jump instruction code; if so, verification passes.
Corresponding to the device for detecting DNS black-hole hijacking described above, the embodiment of the present invention also provides a system for detecting DNS black-hole hijacking. Referring to Fig. 3, the system may comprise a server end 301 and a client 302, wherein the server end 301 comprises:
Capture unit 3011, for capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extracting from those packets the domain name and IP address corresponding to each web page, and recording the correspondence between domain name and IP address;
Statistics unit 3012, for tallying the captured results to obtain the number of distinct domain names corresponding to each IP address;
Hijack IP address determination unit 3013, for determining, according to the number of distinct domain names corresponding to the same IP address, the IP addresses used for DNS black-hole hijacking, and saving the determined IP addresses used for DNS black-hole hijacking;
The client 302 comprises:
IP address extraction unit 3021, for extracting the IP address from the current HTTP connection packet when the user's web access request produces that packet;
Upload unit 3022, for uploading the extracted IP address to the server end;
The server end 301 further comprises:
Detection unit 3014, for determining that the user's web access request has been hijacked by a DNS black hole if the extracted IP address appears among the saved IP addresses used for DNS black-hole hijacking.
In the device and system provided by the embodiment of the present invention, a large number of HTTP packets are collected, the correspondence between domain names and IP addresses is extracted from them and tallied, and the IP addresses likely to be used for DNS black-hole hijacking are derived. Then, when a user accesses a web page, the IP address in the HTTP packet is extracted and checked against the saved IP addresses used for DNS black-hole hijacking; if it is present, the user's page access can be concluded to have been hijacked by a DNS black hole. Thus DNS black-hole hijacking can be detected while the user is browsing, sparing the user the interference of hijacking such as advertisement or navigation pages.
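The pipeline described in the method summary above and mirrored by units 201 to 205 (and 3011 to 3014), as an added Python example that is not the patent's own code: domain-count threshold, verification of candidate IPs by page similarity or by jump code, and the per-request lookup. The thresholds, the jump-code patterns, the sample capture and the server responses are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher
import re

# Stages 1 and 2: record each (domain, IP) pair seen in captured HTTP
# requests and count how many distinct domain names map to each IP.
def count_domains_per_ip(records):
    """records: iterable of (domain, ip) pairs. Returns {ip: {domains}}."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain.lower())
    return by_ip

def candidate_ips(by_ip, domain_threshold):
    """IPs whose distinct-domain count reaches the threshold ('to be verified')."""
    return {ip for ip, doms in by_ip.items() if len(doms) >= domain_threshold}

# Stage 3a ("first verification sub-unit"): compare the page served by a
# candidate IP with a page known to come from a hijack IP.
def similarity(page_a, page_b):
    return SequenceMatcher(None, page_a, page_b).ratio()

# Stage 3b ("second verification sub-unit"): look for jump (redirect)
# instruction code in the page. These patterns are an assumption.
JUMP_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    re.compile(r'(window\.|document\.)?location(\.href)?\s*=', re.I),
    re.compile(r'location\.replace\s*\(', re.I),
]

def has_jump_code(page):
    return any(p.search(page) for p in JUMP_PATTERNS)

def verify_ip(page, known_hijack_page, sim_threshold):
    """Verification is what separates a hijack IP from a CDN or shared-hosting
    IP that legitimately fronts many domains but serves ordinary pages."""
    return (similarity(page, known_hijack_page) >= sim_threshold
            or has_jump_code(page))

def build_hijack_ip_set(records, responses, known_hijack_page,
                        domain_threshold=3, sim_threshold=0.8):
    """Offline pipeline: count, threshold, verify; returns the set to save."""
    by_ip = count_domains_per_ip(records)
    return {ip for ip in candidate_ips(by_ip, domain_threshold)
            if ip in responses
            and verify_ip(responses[ip], known_hijack_page, sim_threshold)}

# Stage 4: online check of the IP in the user's current HTTP packet.
def is_hijacked(request_ip, hijack_ips):
    return request_ip in hijack_ips

# Constructed sample capture: 198.51.100.7 fronts unrelated domains and serves
# a "navigation" page; 203.0.113.10 is CDN-like, many domains, ordinary content.
RECORDS = [
    ("nosuchdomain-1.example", "198.51.100.7"),
    ("nosuchdomain-2.example", "198.51.100.7"),
    ("typo-site.example", "198.51.100.7"),
    ("shop.example", "203.0.113.10"),
    ("news.example", "203.0.113.10"),
    ("mail.example", "203.0.113.10"),
    ("bank.example", "192.0.2.20"),
]
KNOWN_HIJACK_PAGE = ("<html><head><title>Navigation</title></head>"
                     "<body>Sponsored links ...</body></html>")
RESPONSES = {  # constructed server responses per IP
    "198.51.100.7": ("<html><head><title>Navigation</title></head>"
                     "<body>Sponsored links ... more</body></html>"),
    "203.0.113.10": "<html><body><h1>Welcome to our store</h1><p>Catalog</p></body></html>",
    "192.0.2.20": "<html><body>Online banking</body></html>",
}
```

Calling `build_hijack_ip_set(RECORDS, RESPONSES, KNOWN_HIJACK_PAGE)` yields `{"198.51.100.7"}`; the CDN-like IP reaches the domain-count threshold but fails both verification checks, which is exactly the false-positive case the verification step exists for.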
As can be seen from the description of the embodiments above, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can in essence be embodied as a software product, which can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions that cause a computing device (a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention or in part of an embodiment.
The embodiments in this specification are described progressively; each embodiment emphasizes its differences from the others, and the same or similar parts among them may be read with reference to one another. In particular, the device and system embodiments are substantially similar to the method embodiment, so they are described more briefly; for the relevant parts, refer to the description of the method embodiment. The device and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e., they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the present embodiment. Those of ordinary skill in the art can understand and implement this without inventive effort.
The method, device and system for detecting DNS black-hole hijacking provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present invention; the description of the embodiments above is only intended to help understand the method of the present invention and its core idea. Meanwhile, those of ordinary skill in the art, following the idea of the present invention, may make changes to the specific embodiments and their scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (6)

1. A method for detecting DNS black-hole hijacking, comprising:
capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extracting from those packets the domain name and IP address corresponding to each web page, and recording the correspondence between domain name and IP address;
tallying the captured results to obtain the number of distinct domain names corresponding to each IP address;
extracting, as IP addresses to be verified, the IP addresses whose number of corresponding distinct domain names reaches a preset threshold;
extracting web page content from the web content packet corresponding to the IP address to be verified;
verifying the IP address to be verified according to server response information, wherein the verification process is: comparing the extracted web page content with web page content known to correspond to an IP address used for DNS black-hole hijacking; if the similarity reaches a preset threshold, verification passes, the IP address to be verified is determined as an IP address used for DNS black-hole hijacking, and the determined IP address used for DNS black-hole hijacking is saved;
when the user's web access request produces a current HTTP connection packet, extracting the IP address from that packet;
if the extracted IP address appears among the saved IP addresses used for DNS black-hole hijacking, determining that the user's web access request has been hijacked by a DNS black hole.
2. The method according to claim 1, wherein the server response information comprises web page code, and verifying the IP address to be verified according to the server response information comprises:
judging whether the web page code comprises preset key code; if so, verification passes.
3. The method according to claim 2, wherein the preset key code comprises jump instruction code.
4. A device for detecting DNS black-hole hijacking, comprising:
a capture unit, for capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extracting from those packets the domain name and IP address corresponding to each web page, and recording the correspondence between domain name and IP address;
a statistics unit, for tallying the captured results to obtain the number of distinct domain names corresponding to each IP address;
an extraction sub-unit, for extracting, as IP addresses to be verified, the IP addresses whose number of corresponding distinct domain names reaches a preset threshold;
a response information acquisition sub-unit, for extracting web page content from the web content packet corresponding to the IP address to be verified;
a first verification sub-unit, for verifying the IP address to be verified according to server response information, wherein the verification process is: comparing the extracted web page content with web page content known to correspond to an IP address used for DNS black-hole hijacking; if the similarity reaches a preset threshold, verification passes, the IP address to be verified is determined as an IP address used for DNS black-hole hijacking, and the determined IP address used for DNS black-hole hijacking is saved;
an IP address extraction unit, for extracting the IP address from the current HTTP connection packet when the user's web access request produces that packet;
a detection unit, for determining that the user's web access request has been hijacked by a DNS black hole if the extracted IP address appears among the saved IP addresses used for DNS black-hole hijacking.
5. The device according to claim 4, wherein the server response information comprises web page code, and the device further comprises:
a second verification sub-unit, for judging whether the web page code comprises preset key code; if so, verification passes.
6. A system for detecting DNS black-hole hijacking, comprising a server end and a client, wherein the server end comprises:
a capture unit, for capturing the Hypertext Transfer Protocol (HTTP) connection packets corresponding to web access requests in the network, extracting from those packets the domain name and IP address corresponding to each web page, and recording the correspondence between domain name and IP address;
a statistics unit, for tallying the captured results to obtain the number of distinct domain names corresponding to each IP address;
an extraction sub-unit, for extracting, as IP addresses to be verified, the IP addresses whose number of corresponding distinct domain names reaches a preset threshold;
a response information acquisition sub-unit, for extracting web page content from the web content packet corresponding to the IP address to be verified;
a verification sub-unit, for verifying the IP address to be verified according to server response information, wherein the verification process is: comparing the extracted web page content with web page content known to correspond to an IP address used for DNS black-hole hijacking; if the similarity reaches a preset threshold, verification passes, the IP address to be verified is determined as an IP address used for DNS black-hole hijacking, and the determined IP address used for DNS black-hole hijacking is saved;
the client comprises:
an IP address extraction unit, for extracting the IP address from the current HTTP connection packet when the user's web access request produces that packet;
an upload unit, for uploading the extracted IP address to the server end;
the server end further comprises:
a detection unit, for determining that the user's web access request has been hijacked by a DNS black hole if the extracted IP address appears among the saved IP addresses used for DNS black-hole hijacking.
CN201210300947.5A 2012-08-22 2012-08-22 Method, device and system for detecting domain name system (DNS) black hole hijack Active CN102868773B (en)

Publications (2)

Publication Number Publication Date
CN102868773A CN102868773A (en) 2013-01-09
CN102868773B true CN102868773B (en) 2015-04-15

Legal Events

Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CP01 | Change in the name or title of a patent holder
  Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
  Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Beijing Qizhi Business Consulting Co.,Ltd.
  Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
  Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.
TR01 | Transfer of patent right
  Effective date of registration: 20220413
  Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing
  Patentee after: 360 Digital Security Technology Group Co.,Ltd.
  Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
  Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Beijing Qizhi Business Consulting Co.,Ltd.