Detailed Description
To solve the prior-art problem that, when an attacker performs a DDoS attack on a CDN server, the attacked domain name cannot be accurately located and the service quality of other normal domain names is therefore affected, the embodiments of the application provide an attacked domain name locating method, an attacked domain name locating device, electronic equipment and a storage medium.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and not for limitation of the present application, and embodiments of the present application and features of the embodiments may be combined with each other without conflict.
Referring to fig. 1, which is a schematic view of an application scenario of the attack domain name positioning method provided by the embodiment of the present application, the application scenario may include a terminal 101 (i.e., a user terminal), a DNS server 102, a content distribution network 103 and a probing module 104. The terminal 101 includes clients of different websites. The content distribution network 103 includes a plurality of CDN servers deployed in different regions around the world, and the CDN servers are used for storing and distributing website contents. The DNS server 102 is used for resolving the domain name of a client carried in a domain name resolution request sent by the terminal 101, and can query the IP address information of the CDN servers in the content distribution network 103 associated with the domain name. The DNS server 102 then sends the queried IP address information of the CDN servers to the content distribution network 103, the content distribution network 103 selects an IP address meeting the service quality requirement of the client and returns it to the DNS server 102, and the DNS server 102 returns the IP address to the terminal 101 in response to the domain name of the client requested by the terminal 101. The terminal 101 may then directly send a data request to the IP address returned by the DNS server 102 to request the required content.
A client may be associated with multiple domain names, and one domain name may be associated with the IP address information of at least one CDN server; the at least one CDN server provides the corresponding content service for the domain name of the client requested by the terminal 101. The probing module 104 is configured to monitor in real time whether a DDoS attack occurs on the CDN servers in the content delivery network 103. When the probing module 104 detects a DDoS attack, it sends the IP address information of the attacked CDN server to the content delivery network 103, and the content delivery network 103 records the IP address information of the attacked CDN server in a database according to the attack time. The database of the content delivery network 103 also records a response log for DNS domain name resolution requests, and the response log records the clients to which the IP addresses of the CDN servers in the content delivery network 103 have responded and the domain name information associated with those clients.
Based on the above application scenario, an exemplary embodiment of the present application will be described in more detail with reference to fig. 2 to 4, and it should be noted that the above application scenario is only shown for the convenience of understanding the spirit and principles of the present application, and the embodiments of the present application are not limited in any way herein. Rather, embodiments of the application may be applied to any scenario where applicable.
As shown in fig. 2, which is a schematic implementation flow chart of the method for locating an attack domain name according to the embodiment of the present application, the method for locating an attack domain name may be applied to the content distribution network 103, and may specifically include the following steps:
S21, if it is determined that a distributed denial of service attack has occurred on the content delivery network, the IP address information of the attacked CDN server is obtained.
In a specific implementation, the detection module monitors in real time the data traffic information flowing through the CDN servers in the content delivery network, which may include bandwidth usage, request rate and the like. Traffic baselines under normal operating conditions, such as bandwidth usage and average request frequency, are established in advance, and when the current traffic deviates from these baselines, it may be determined that the CDN server is subjected to a DDoS attack.
And when the detection module detects the attacked CDN server, the IP address information of the attacked CDN server is sent to the content delivery network.
S22, obtaining a response log of the content distribution network for the domain name system DNS domain name resolution request.
In implementation, the response log of the content delivery network for Domain Name System (DNS) domain name resolution requests can be obtained from the database of the content delivery network. A DNS domain name resolution request is sent to the DNS server by a terminal and carries the domain name information of the client requested by the user through the terminal; the DNS server returns the IP address information of a CDN server in the content delivery network in response to the domain name of the client requested by the terminal. The response log includes the domain name information of the clients to which the IP addresses of the attacked CDN servers have responded.
S23, determining suspicious clients according to the domain name information of the clients to which the IP address of each attacked CDN server has responded within a preset history period, as recorded in the response log.
In specific implementation, the preset history period can be set as required, for example to the 1 day before the current time or to the 3 days before the current time, which is not limited by the embodiment of the present application.
For example, the IP address information of the attacked CDN servers includes the IP address IP1 of CDN server 1 and the IP address IP2 of CDN server 2. Taking 3 days as the preset history period, the clients served by IP1 and IP2 in the 3 days before the current time, and the domain name information associated with those clients, can be extracted from the response log. For example, the clients served by IP1 and their domain names include client A [domain name 1, domain name 2, domain name 3], client B [domain name 4, domain name 5, domain name 6, domain name 7] and client C [domain name 8, domain name 9, domain name 10]; the clients served by IP2 and their domain names include client A [domain name 1, domain name 2, domain name 3, domain name X], client B [domain name 4, domain name 5, domain name 6, domain name 7, domain name Y], client C [domain name 8, domain name 9, domain name 10] and client D [domain name 11, domain name 12, domain name 13]. It can be seen that both IP1 and IP2 have responded to client A, client B and client C. The domain names of client A to which IP1 responded are not identical to those to which IP2 responded, and the same holds for client B, while the domain names of client C to which IP1 and IP2 responded are identical, namely domain name 8, domain name 9 and domain name 10. IP2 also responded to domain name 11, domain name 12 and domain name 13 of client D, whereas IP1 did not respond to any domain name of client D.
After extracting domain name information of the client to which the IP address of each attacked CDN server responds in the preset history period from the response log, a suspicious client may be determined according to a flow shown in fig. 3, including the following steps:
S31, according to the domain name information of the clients to which the IP address of each attacked CDN server has responded within the preset history period, counting, for the domain name information of each client, the number of IP addresses of attacked CDN servers that have responded to it.
Continuing the above example, the IP addresses of the attacked CDN servers that responded to domain name 1 of client A are the IP address IP1 of attacked CDN server 1 and the IP address IP2 of attacked CDN server 2, so the number of IP addresses of attacked CDN servers that responded to domain name 1 of client A is 2. Likewise, the number is 2 for domain name 2 and for domain name 3 of client A, and 1 for domain name X of client A; the number is 2 for each of domain name 4, domain name 5, domain name 6 and domain name 7 of client B, and 1 for domain name Y of client B; the number is 2 for each of domain name 8, domain name 9 and domain name 10 of client C; and the number is 1 for each of domain name 11, domain name 12 and domain name 13 of client D.
S32, determining as a suspicious client each client corresponding to domain name information for which the number of responding IP addresses of attacked CDN servers is greater than a preset threshold.
In specific implementation, the preset threshold may be flexibly set according to the number of IP addresses of the attacked CDN server, for example, when the number of IP addresses of the attacked CDN server is 2, the preset threshold may be set to 1, and when the number of IP addresses of the attacked CDN server is 5, the preset threshold may be set to 2.
In this step, a client corresponding to domain name information for which the number of responding IP addresses of attacked CDN servers is greater than the preset threshold is taken as a suspicious client, and the domain name information of that client for which the number is greater than the preset threshold is determined as the suspicious domain names associated with the suspicious client. A suspicious client is a client suspected of being subjected to the DDoS attack, that is, a client containing a domain name suspected of being subjected to the DDoS attack, and a suspicious domain name is a domain name suspected of being subjected to the DDoS attack.
Continuing the above example, assuming that the preset threshold is 1, the suspicious client and suspicious domain associated with the suspicious client include client A [ Domain name 1, domain name 2, domain name 3], client B [ Domain name 4, domain name 5, domain name 6, domain name 7], client C [ Domain name 8, domain name 9, domain name 10]. Thus, determination of suspicious clients is completed.
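Steps S31 and S32 applied to the example above, as an added illustration that is not part of the original description. The log record layout, the names `build_log` and `find_suspicious`, the timestamps, and the two extra records (a stale response and a response from a non-attacked address IP3) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 10, 12, 0, 0)  # constructed "current time"


def build_log(now):
    """Constructed response log: (timestamp, CDN IP, client, domain) tuples."""
    served = {
        "IP1": {"A": [1, 2, 3], "B": [4, 5, 6, 7], "C": [8, 9, 10]},
        "IP2": {"A": [1, 2, 3, "X"], "B": [4, 5, 6, 7, "Y"],
                "C": [8, 9, 10], "D": [11, 12, 13]},
    }
    log = [(now - timedelta(days=1), ip, client, f"domain{d}")
           for ip, clients in served.items()
           for client, domains in clients.items()
           for d in domains]
    # Stale record: IP1 answered for domain X six days ago (outside a 3-day window).
    log.append((now - timedelta(days=6), "IP1", "A", "domainX"))
    # Record from an address that is NOT under attack; it must not be counted.
    log.append((now - timedelta(hours=2), "IP3", "D", "domain11"))
    return log


def find_suspicious(log, attacked_ips, now, window_days, threshold):
    """Return {client: set of suspicious domains} following S31 and S32."""
    since = now - timedelta(days=window_days)
    ips_per_domain = defaultdict(set)
    # S31: for every (client, domain), collect the distinct attacked IPs that
    # responded for it inside the preset history period.
    for ts, ip, client, domain in log:
        if ip in attacked_ips and since <= ts <= now:
            ips_per_domain[(client, domain)].add(ip)
    # S32: keep the domains whose count exceeds the preset threshold; their
    # owners are the suspicious clients.
    suspicious = defaultdict(set)
    for (client, domain), ips in ips_per_domain.items():
        if len(ips) > threshold:
            suspicious[client].add(domain)
    return dict(suspicious)


if __name__ == "__main__":
    result = find_suspicious(build_log(NOW), {"IP1", "IP2"}, NOW,
                             window_days=3, threshold=1)
    for client in sorted(result):
        print(client, sorted(result[client]))
```

Widening the window to 7 days pulls the stale record in and makes domain X suspicious as well, which shows how the choice of history period changes the candidate set.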
S24, dividing the specific IP addresses into different specific IP address sets, arranging and combining the specific IP address sets to obtain a plurality of specific IP address set combinations, and distributing a group of corresponding first specific IP address set combinations for each suspicious client.
In particular, the content delivery network is provided with a plurality of unused specific IP addresses of specific CDN servers, and the specific CDN servers are distributed in different geographic locations around the world, and each geographic region may be provided with a plurality of specific CDN servers.
In this step, the specific IP addresses are divided into different specific IP address sets, where each specific IP address set includes different specific IP addresses, the specific IP addresses in one specific IP address set may be from different geographic locations, and the geographic locations to which the specific IP addresses in different specific IP address sets belong may be the same. For example, the specific IP address set 1 includes the specific IP addresses [IPa1-1, IPa2-1, IPa3-1, IPa4-1, ..., IPan-1], the specific IP address set 2 includes the specific IP addresses [IPa1-2, IPa2-2, IPa3-2, IPa4-2, ..., IPan-2], the specific IP address set 3 includes the specific IP addresses [IPa1-3, IPa2-3, IPa3-3, IPa4-3, ..., IPan-3], ..., and the specific IP address set m includes the specific IP addresses [IPa1-m, IPa2-m, IPa3-m, IPa4-m, ..., IPan-m], where n is the number of specific IP addresses in each specific IP address set and m is the number of specific IP address sets. Each specific IP address in the specific IP address sets 1~m is unique, and each specific IP address in the specific IP address set 1 is from a different geographical area. The specific IP address IPa1-1 in the specific IP address set 1, the specific IP address IPa1-2 in the specific IP address set 2, the specific IP address IPa1-3 in the specific IP address set 3, ..., and the specific IP address IPa1-m in the specific IP address set m are all from the same geographical area; the specific IP addresses IPa2-1, IPa2-2, IPa2-3, ..., and IPa2-m are all from the same geographical area, such as IP addresses of Jilin; and so on, the specific IP address IPan-1 in the specific IP address set 1, the specific IP address IPan-2 in the specific IP address set 2, the specific IP address IPan-3 in the specific IP address set 3, ..., and the specific IP address IPan-m in the specific IP address set m are all from the same geographical area, such as IP addresses of Beijing.
Furthermore, the specific IP address sets can be arranged and combined to obtain a plurality of specific IP address set combinations, by dividing a preset number of specific IP address sets into each specific IP address set combination, wherein the specific IP address sets contained in any two combinations are not completely identical. The preset number can be set freely, for example to 4 or to another number, and the embodiment of the application is not limited in this respect. Assuming that there are 10 specific IP address sets in total, namely specific IP address sets 1 to 10, specific IP address set 1, specific IP address set 2, specific IP address set 3 and specific IP address set 4 can be divided into a group to obtain specific IP address set combination 1; specific IP address set 2, specific IP address set 3 and specific IP address set 5 are divided into a group to obtain specific IP address set combination 2; specific IP address set 1, specific IP address set 3, specific IP address set 4 and specific IP address set 5 are divided into a group to obtain specific IP address set combination 3; and so on. Different combinations may share some specific IP address sets as long as they are not entirely the same, and different combinations may also contain entirely different specific IP address sets; the embodiment of the present application does not limit this, and it is only necessary to ensure that each combination is unique.
Further, each suspicious client is respectively allocated with a group of corresponding specific IP address set combinations, which can be recorded as the first specific IP address set combinations. For example, suspicious client A may be assigned combination 1 of the specific set of IP addresses, suspicious client B may be assigned combination 2 of the specific set of IP addresses, and suspicious client C may be assigned combination 3 of the specific set of IP addresses.
S25, when the user accesses the domain name of the suspicious client, respectively selecting one first specific IP address from each specific IP address set in the combination of the first specific IP address sets corresponding to the suspicious client to respond.
When a user accesses a suspicious domain name of a suspicious client, a DNS domain name resolution request is sent to the DNS server through the terminal, and the request carries the suspicious domain name information of the requested suspicious client. The DNS server resolves the suspicious domain name in the request, queries the IP address information (which may comprise a plurality of IP addresses) of the CDN servers in the content delivery network associated with the suspicious domain name, and sends the queried IP address information of the CDN servers together with the IP address information of the user terminal to the content delivery network. According to the IP address information of the user terminal, the content delivery network selects, from the IP address information of the CDN servers sent by the DNS server, the IP address of one normal CDN server that meets the quality requirement of the suspicious client and is not subjected to the DDoS attack to respond; for example, the IP address of a normal CDN server closer to the geographical location to which the IP address of the user terminal belongs is selected. The user terminal may be a user device provided with the suspicious client, and may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., which is not limited in the embodiment of the present application. The IP address information of the user terminal is the source IP address information used when the user terminal transmits the DNS domain name resolution request to the DNS server.
At the same time, the content distribution network selects a first specific IP address from each specific IP address set in the combination of the first specific IP address sets allocated to the suspicious client to respond.
For example, if the user accesses any suspicious domain name associated with suspicious client A, such as domain name 1, one first specific IP address is selected to respond from each of specific IP address set 1, specific IP address set 2, specific IP address set 3 and specific IP address set 4 in the combination 1 of first specific IP address sets allocated to suspicious client A. When the first specific IP address is selected, it can be adjusted dynamically according to factors such as the client's service quality requirement and network load balancing; for example, if the user accessing domain name 1 of suspicious client A is a Fujian Telecom user, a Telecom IP address closest to the geographic location of Fujian is selected from each specific IP address set in the combination 1 of first specific IP address sets to respond. The terminal then sends a data request to the first specific IP address while also sending a data request to the normal IP address returned by the DNS server, and the server to which the first specific IP address belongs returns the requested data. Whenever the suspicious client subsequently interacts with the first specific IP address, the first specific IP address is monitored in real time to judge whether it is subjected to a DDoS attack.
Thus, when a first specific IP address is attacked, the attacked suspicious client can be quickly located by analyzing the suspicious clients to which that first specific IP address has responded. In the application, allocating to each suspicious client enough first specific IP addresses that meet the quality requirement for responding ensures the service quality and at the same time improves the data transmission efficiency.
S26, determining a target attack domain name according to the first specific IP address attacked in the combination of the first specific IP address set.
In implementation, the target attack domain name may be determined according to the flow shown in fig. 4, including the following steps:
S41, determining a target attack client according to the suspicious clients to which the attacked first specific IP address has responded.
In implementation, after a first specific IP address is attacked, the specific attacked suspicious client can be quickly located by analyzing the suspicious domain names of the limited number of suspicious clients to which that first specific IP address has responded. Assuming that IPa1-2 in the specific IP address set 2 is subjected to a DDoS attack, it may be determined that a suspicious domain name associated with suspicious client A or suspicious client B is attacked; in a subsequent response process, if a certain first specific IP address in the specific IP address set 4 is also subjected to a DDoS attack, it may be further determined that the target attack client (i.e. the target client being attacked) is suspicious client B.
After locating the target attack client, further locating the target attack domain name (i.e. the target domain name being attacked) in the suspicious domain name associated with the target attack client.
S42, a group of corresponding combinations of the second specific IP address sets is allocated to each piece of domain name information of the target attack client from the unused combinations of the second specific IP address sets.
In specific implementation, the unused specific IP address sets (which may be denoted as second specific IP address sets) are regrouped: a preset number of second specific IP address sets are divided into each combination of second specific IP address sets, the second specific IP address sets contained in any two combinations are not identical, and a unique combination of second specific IP address sets is allocated to each piece of suspicious domain name information associated with the target attack client. In the embodiment of the application, the specific IP address sets allocated when locating the target attack client are not reused when locating the specific attacked domain name, so that pollution is avoided and the accuracy of locating the attacked domain name is improved.
S43, when the user accesses the domain name of the target attack client, selecting a second specific IP address from each specific IP address set in the combination of the second specific IP address sets allocated for the domain name to respond.
When a user accesses any suspicious domain name associated with a target attack client, selecting a second specific IP address from second specific IP address sets in a combination of the second specific IP address sets allocated for the suspicious domain name to respond.
Specifically, when a user accesses any suspicious domain name associated with the target attack client, a DNS domain name resolution request is sent to the DNS server through the terminal, and the request carries the suspicious domain name information of the requested target attack client. The DNS server resolves the suspicious domain name in the request, queries the IP address information of the CDN servers in the content delivery network associated with the suspicious domain name, and sends the queried IP address information of the CDN servers together with the IP address information of the user terminal to the content delivery network. At this time, no normal IP address is selected from the IP address information of the CDN servers queried by the DNS server; instead, one second specific IP address meeting the quality requirement of the target attack client is selected from each second specific IP address set in the combination of second specific IP address sets allocated to the suspicious domain name. The content delivery network returns the selected second specific IP address information to the DNS server, and the DNS server returns it to the terminal. The user can then send a data request directly through the terminal to the second specific IP address, and the server to which the second specific IP address belongs returns the requested data. Whenever the target attack client subsequently interacts with the second specific IP address, the second specific IP address is monitored in real time to judge whether it is attacked.
Thus, when the second specific IP address is attacked, the attacked domain name can be rapidly positioned by analyzing the suspicious domain name responded by the second specific IP address.
S44, determining the target attack domain name according to the attacked second specific IP address in the combination of the second specific IP address set.
In particular implementations, the domain name of the target client to which the second particular IP address being attacked responds may be determined to be the target attack domain name.
Specifically, the suspicious domain name of the target client responded by the second specific attacked IP address is determined as the target attack domain name, namely the attacked domain name.
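The two-stage narrowing of S24 to S26 and S41 to S44, as an added sketch that is not part of the original description. The client combinations are the three listed in the description (combination 2 as written, with sets 2, 3 and 5); the function names, the stage-2 combination size k=2 and the observed attack sequences are assumptions, and the narrowing assumes a single attacked target at a time.

```python
from itertools import combinations, islice


def allocate(targets, set_ids, k):
    """S24 / S42: give every target its own k-element combination of sets."""
    targets = list(targets)
    combos = [frozenset(c)
              for c in islice(combinations(sorted(set_ids), k), len(targets))]
    if len(combos) < len(targets):
        raise ValueError("not enough specific IP address sets for unique combinations")
    return dict(zip(targets, combos))


def candidates(alloc, attacked_sets):
    """Targets whose combination contains every set seen under attack so far."""
    attacked = set(attacked_sets)
    return sorted(t for t, combo in alloc.items() if attacked <= combo)


def narrow(alloc, attacked_in_order):
    """Candidate list after each newly attacked set is observed (S41 / S44)."""
    seen, steps = [], []
    for set_id in attacked_in_order:
        seen.append(set_id)
        steps.append(candidates(alloc, seen))
    return steps


ALL_SETS = range(1, 11)  # specific IP address sets 1-10 from the description
CLIENT_ALLOC = {         # stage 1: combinations 1-3 as listed in the description
    "A": frozenset({1, 2, 3, 4}),
    "B": frozenset({2, 3, 5}),
    "C": frozenset({1, 3, 4, 5}),
}
SUSPICIOUS_DOMAINS = {
    "A": ["domain1", "domain2", "domain3"],
    "B": ["domain4", "domain5", "domain6", "domain7"],
    "C": ["domain8", "domain9", "domain10"],
}


def locate_domain(stage1_attacks, stage2_attacks, k=2):
    """Locate the client first, then the domain, using fresh sets for stage 2."""
    clients = candidates(CLIENT_ALLOC, stage1_attacks)
    if len(clients) != 1:  # still ambiguous, or inconsistent observations
        return {"client": None, "candidates": clients, "domain": None}
    client = clients[0]
    # S42: sets already used to locate the client are never reused.
    used = set().union(*CLIENT_ALLOC.values())
    unused = set(ALL_SETS) - used
    domain_alloc = allocate(SUSPICIOUS_DOMAINS[client], unused, k)
    domains = candidates(domain_alloc, stage2_attacks)
    return {"client": client, "candidates": domains,
            "domain": domains[0] if len(domains) == 1 else None}


if __name__ == "__main__":
    print(narrow(CLIENT_ALLOC, [2, 5]))    # candidates after each attacked set
    print(locate_domain([2, 5], [6, 9]))   # constructed attack observations
```

Because every combination in a stage has the same size and is unique, no combination is a subset of another, so the candidate list shrinks to one target once enough of its sets have come under attack.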
The application can rapidly and accurately locate the attacked domain name associated with the attacked client by dynamically adjusting the allocation strategy of the specific IP address.
After the target attack domain name is determined, the traffic of the target attack domain name can be directed to the IP address corresponding to a black hole, and the IP address of the CDN server and the second specific IP addresses allocated for that domain name are no longer used for responding.
In one embodiment, after determining the target attack domain name, the method further includes:
And when the user accesses the target attack domain name of the target attack client, selecting a third specific IP address from each specific IP address set in the combination of the third specific IP address sets allocated for the target attack domain name to respond.
In specific implementation, after it is determined that the target attack domain name is subjected to a DDoS attack, the risk level of the target attack domain name can be determined according to the number of times it has been attacked, and a corresponding isolation strategy is adopted according to that risk level. If the risk level of the target attack domain name is smaller than a preset risk level threshold, an unused combination of third specific IP address sets can be allocated to the target attack domain name, and when a user accesses the target attack domain name of the target attack client, one third specific IP address is selected from each specific IP address set in the combination of third specific IP address sets to respond. If the risk level of the target attack domain name is greater than or equal to the preset risk level threshold, a designated IP address is allocated to the target attack domain name to respond, so as to directly isolate the target attack domain name.
Specifically, when determining the risk level of the target attack domain name, the risk level may be increased by one level each time the target attack domain name is attacked; for example, when the target attack domain name has been attacked once, its risk level is 1, and when it has been attacked twice, its risk level is 2. The preset risk level threshold may be, but is not limited to being, set to 3: the target attack domain name may be determined to be a low-risk domain name when its risk level is less than 3, and a high-risk domain name when its risk level is greater than or equal to 3. For a low-risk domain name, one third specific IP address is selected to respond from each specific IP address set in the unused combination of third specific IP address sets. Responses for the target attack domain name are thus confined to IP addresses that have never served other domain names, so that an attack on the third specific IP addresses in the combination of third specific IP address sets can be identified more quickly, interference with normal IP resources is reduced, and the service quality of other domain names that are not attacked is not affected. The designated IP address may be the IP address of an unused server node in the content delivery network that does not provide any service, and a client risk pool may be established so that the traffic of high-risk domain names is directed to the designated IP address for quick isolation, thereby avoiding any effect on the service quality of the domain names of other clients that are not attacked.
In one embodiment, a cooperative defense network can be established between different CDN server nodes to share attack information and defense policies. Through cooperative defense, the capability of the overall content delivery network to resist DDoS attacks can be improved, the identification and isolation of attacked domain names can be accelerated, adaptability and effectiveness in complex network environments can be further improved, the risks to clients in large-scale DDoS attacks can be located and reduced in real time, and the protection system can be optimized.
According to the method for locating the attack domain name, the IP address information of the attacked CDN servers is obtained when a DDoS attack occurs in the content distribution network, and the domain name information of the clients served by the IP addresses of the attacked CDN servers during a preset history period is extracted from the response log for DNS domain name resolution requests, so as to identify the suspicious clients, namely the clients suspected of being subjected to the DDoS attack. Further, the specific IP addresses are divided into different specific IP address sets, the specific IP address sets are arranged and combined to obtain a plurality of different combinations of specific IP address sets, and a unique combination of IP resources is allocated to each suspicious client. When a user accesses a domain name associated with a suspicious client, one specific IP address (recorded as a first specific IP address) is selected to respond from each specific IP address set in the combination allocated to that suspicious client, so that the attacked target domain name can subsequently be accurately located according to the attacked first specific IP addresses, without affecting the service quality of the normal domain names of other clients.
Based on the same inventive concept, the embodiment of the application also provides an attack domain name positioning device, and because the principle of solving the problem of the attack domain name positioning device is similar to that of the attack domain name positioning method, the implementation of the device can refer to the implementation of the method, and the repetition is omitted.
As shown in fig. 5, which is a schematic structural diagram of an attack domain name positioning device provided by an embodiment of the present application, the attack domain name positioning device may be applied to the content distribution network 103 shown in fig. 1, and may specifically include:
The first obtaining module 51 is configured to obtain IP address information of an attacked CDN server if it is determined that the content delivery network CDN has a distributed denial of service attack;
A second obtaining module 52, configured to obtain a response log of the content distribution network for a domain name system DNS domain name resolution request;
A first determining module 53, configured to determine a suspicious client according to domain name information of the clients to which the IP address of each attacked CDN server responded within a preset history period, as recorded in the response log;
The first allocation module 54 is configured to divide the specific IP addresses into different specific IP address sets, arrange and combine the specific IP address sets to obtain a combination of a plurality of specific IP address sets, and allocate a group of corresponding combinations of the first specific IP address sets to each suspicious client;
A first selecting module 55, configured to, when a user accesses a domain name of the suspicious client, select a first specific IP address from each specific IP address set in a combination of first specific IP address sets corresponding to the suspicious client, respectively, to respond;
A second determining module 56 is configured to determine a target attack domain name according to the first specific IP address that is attacked in the combination of the first specific IP address set.
In one embodiment, the first determining module 53 is specifically configured to count, according to domain name information of clients to which the IP address of each attacked CDN server has responded in a preset history period, the number of IP addresses of the attacked CDN servers to which the domain name information of each client has responded, and determine, as suspicious clients, clients corresponding to domain name information for which the number of IP addresses of the attacked CDN servers is greater than a preset threshold.
In one embodiment, the first allocation module 54 is specifically configured to divide the specific IP addresses into a preset number of specific IP address sets, where the specific IP address sets included in each combination are not identical, and each specific IP address set includes different specific IP addresses.
In one implementation, the second determining module 56 is specifically configured to determine a target attack client according to the suspicious client to which the attacked first specific IP address responded; allocate, for each piece of domain name information of the target attack client, a corresponding combination of second specific IP address sets from the unused combinations of second specific IP address sets; when a user accesses a domain name of the target attack client, select a second specific IP address from each specific IP address set in the combination of second specific IP address sets allocated for that domain name, respectively, to respond; and determine the target attack domain name according to the second specific IP address that is attacked in the combination of second specific IP address sets.
In one embodiment, the second determining module 56 is specifically configured to determine, as a target attack domain name, the domain name of the target client that is responded to by the second specific IP address that is attacked.
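The modules described above (threshold-based selection of suspicious clients, allocation of a unique combination of specific IP address sets, and a second round per domain name drawn from the unused combinations) can be sketched as follows. This is an added example, not code from the application; the function and class names, the 2-of-4 combination size, and the sample log and addresses are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

def suspicious_clients(response_log, attacked_ips, threshold):
    """Clients answered by more than `threshold` distinct attacked CDN IPs."""
    seen = defaultdict(set)
    for client, _domain, ip in response_log:
        if ip in attacked_ips:
            seen[client].add(ip)
    return sorted(c for c, ips in seen.items() if len(ips) > threshold)

class CombinationPool:
    """Hands out unique k-of-n combinations of specific IP address sets."""
    def __init__(self, ip_sets, k):
        self.ip_sets = ip_sets                        # set name -> its IPs (disjoint)
        self.unused = combinations(sorted(ip_sets), k)
        self.combo = {}                               # client or domain -> combination

    def allocate(self, keys):
        for key in keys:
            self.combo[key] = next(self.unused)       # StopIteration: pool exhausted

    def answer(self, key):
        """One specific IP from each set of the key's combination."""
        return [self.ip_sets[name][0] for name in self.combo[key]]

    def locate(self, attacked):
        """Keys whose whole combination was attacked. Several simultaneous targets
        can cover extra combinations, so more than one result needs a further round."""
        hit = {n for n, ips in self.ip_sets.items() if set(ips) & set(attacked)}
        return [k for k, c in self.combo.items() if set(c) <= hit]

# Constructed sample data (documentation address ranges, made-up names).
ATTACKED = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}
LOG = [("client-a", "a.example", "192.0.2.1"), ("client-a", "a.example", "192.0.2.2"),
       ("client-b", "b.example", "192.0.2.2"), ("client-b", "api.b.example", "192.0.2.3"),
       ("client-c", "c.example", "192.0.2.1"), ("client-c", "c.example", "198.51.100.9")]
SETS = {"S1": ["203.0.113.1", "203.0.113.2"], "S2": ["203.0.113.11", "203.0.113.12"],
        "S3": ["203.0.113.21", "203.0.113.22"], "S4": ["203.0.113.31", "203.0.113.32"]}

def demo():
    suspects = suspicious_clients(LOG, ATTACKED, threshold=1)
    pool = CombinationPool(SETS, k=2)
    pool.allocate(suspects)                           # round 1: one combination per client
    client = pool.locate(pool.answer("client-b"))     # attack follows client-b's answers
    pool.allocate(sorted({d for c, d, _ in LOG if c == client[0]}))  # round 2: per domain
    domain = pool.locate(pool.answer("api.b.example"))
    return suspects, client, domain
```

In the constructed run, `client-c` stays below the threshold and keeps its normal addresses, and the second round isolates a single domain of `client-b` without touching the combination held by `client-a`.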
In one embodiment, the apparatus further comprises:
A second allocation module, configured to allocate, for the target attack domain name, a corresponding combination of third specific IP address sets from the unused combinations of third specific IP address sets;
A second selecting module, configured to, when a user accesses the target attack domain name of the target attack client, select a third specific IP address from each specific IP address set in the combination of third specific IP address sets allocated for the target attack domain name, respectively, to respond.
Based on the same technical concept, the embodiment of the present application further provides an electronic device 600. Referring to fig. 6, the electronic device 600 is used to implement the attack domain name locating method described in the method embodiments above. The electronic device 600 of this embodiment may include a memory 601, a processor 602, and a computer program stored in the memory and capable of running on the processor, for example, an attack domain name locating program. The steps in the above embodiments of the attack domain name positioning method are implemented when the processor executes the computer program.
The specific connection medium between the memory 601 and the processor 602 is not limited in the embodiment of the present application. In the embodiment of the present application, the memory 601 and the processor 602 are connected through the bus 603 in fig. 6, the bus 603 is shown by a thick line in fig. 6, and the connection manner between other components is only schematically illustrated and is not limiting. The bus 603 may be classified into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 6, but this does not mean that there is only one bus or only one type of bus.
The memory 601 may be a volatile memory, such as a random-access memory (RAM); the memory 601 may also be a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 601 may be a combination of the above memories.
Processor 602 is configured to implement the method for locating an attack domain name according to the embodiment of the present application.
The embodiment of the application also provides a computer-readable storage medium, which stores the computer-executable instructions to be executed by the above processor, including a program to be executed by the processor.
In some possible embodiments, aspects of the attack domain name localization method provided by the present application may also be implemented in the form of a program product comprising program code for causing an electronic device to perform the steps of the attack domain name localization method according to the various exemplary embodiments of the present application described above when the program product is run on the electronic device.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.