
A method, device, equipment and medium for detecting a lost host

A detection method and host technology, applied in the field of network security, that can solve problems such as low applicability, degraded business experience, and consumption of DNS server performance.

Active Publication Date: 2022-08-09
SANGFOR TECH INC

AI Technical Summary

Problems solved by technology

However, a typical network architecture uses one or more internal DNS servers to forward the DNS requests of intranet hosts, and when a DNS server forwards such a request it changes the source IP (Internet Protocol) address to the DNS server's own IP address, which causes the network security device to mistakenly identify the DNS server as the compromised host.
[0003] Current solutions to this problem mainly include the following. The first is to implant a proxy in the DNS server that copies the original DNS traffic to the network security device, but this consumes DNS server performance, and insufficient performance causes forwarding delay and affects business experience. The second is to modify the DNS server by installing a device that can collect DNS request logs and forward them to the network security device, but many DNS server configurations do not support recording the real request source IP in the logs, so the applicability of this method is low; the modification may also be incompatible with the DNS server environment, and this compatibility risk can easily lead to DNS server downtime, making services unavailable and disrupting normal Internet access for the intranet. The third is to modify the network so that traffic is mirrored to the network security device before the DNS request reaches the DNS server.
However, if the intranet is large or finely divided into zones and domains, this third approach requires multiple traffic mirroring devices, and the cost is high.



Examples


Embodiment Construction

[0065] The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of this application.

[0066] Figure 1 is a schematic diagram of a general enterprise intranet network design. Such a design generally deploys one or more DNS servers to receive and forward DNS requests from all hosts on the intranet, rather than allowing all hosts to query the external network directly, so as to better control traffic between the internal and external networks. In this way, when the compromised host requests malicio...


Abstract

The present application discloses a method, device, equipment and medium for detecting a lost host. The method includes: when threat information exists in a monitored DNS traffic request, extracting target information from the DNS traffic request; constructing a DNS reply message corresponding to the DNS traffic request from the target information and a tracking IP address taken from a preset network segment of IP addresses, and returning the DNS reply message in the same way; and issuing notification information of the tracking IP address, so that the terminal security application management platform sends the tracking IP address to the target terminal and the lost host is determined according to the query result fed back by the target terminal. In this way, the lost host can be detected without affecting DNS performance, so there is no forwarding delay or impact on service experience, applicability is high, and cost is low.
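The flow in the abstract, sketched as an added Python example (not code from the patent or its owner): a flagged DNS query is answered with a tracking IP from a preset segment, and an endpoint later reports whether it holds that IP. The threat list, the 198.18.0.0/24 segment, the `Tracker` class and the endpoint-side check against a local DNS cache are assumptions; this page does not say what the terminal actually queries.

```python
import ipaddress
import struct

THREAT_DOMAINS = {"bad.example"}  # constructed stand-in threat-intelligence list
TRACKING_NET = ipaddress.ip_network("198.18.0.0/24")  # assumed preset segment


def build_query(txid, name):
    """Build a minimal DNS A query (constructed sample traffic)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def parse_question(msg):
    """Extract the target information: transaction ID, QNAME, QTYPE, raw question."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question not supported")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype, msg[12:pos + 5]


class Tracker:
    def __init__(self):
        self.free = iter(TRACKING_NET.hosts())
        self.by_ip = {}  # tracking IP -> flagged domain, for the notification

    def handle(self, msg):
        """Return (reply, tracking_ip) for a flagged A query, else (None, None)."""
        txid, name, qtype, question = parse_question(msg)
        if qtype != 1 or name not in THREAT_DOMAINS:
            return None, None
        ip = next(self.free)
        self.by_ip[str(ip)] = name
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ip.packed
        return header + question + answer, str(ip)


def endpoint_check(dns_cache, tracking_ip):
    """Endpoint-side query (assumed): names this host resolved to the tracking IP."""
    return sorted(n for n, addrs in dns_cache.items() if tracking_ip in addrs)
```

Because the forwarding DNS server relays the crafted answer to whichever host asked, only that host ends up holding the tracking IP, which is what lets the endpoint-side check identify it even though the sensor only ever saw the DNS server's source address.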

Description

Technical field

[0001] The present application relates to the technical field of network security, and in particular, to a method, apparatus, device and medium for detecting a lost host.

Background technique

[0002] More and more network security devices, such as situational awareness platforms and next-generation firewalls, have added threat intelligence to detect whether any traffic is accessing the addresses of external malicious threat servers, so as to discover compromised hosts on the intranet. The most widely used threat intelligence is DNS (Domain Name Server) intelligence, which detects threats by collecting DNS protocol traffic. However, a typical network architecture uses one or more DNS servers to forward the DNS requests of intranet hosts, and when a DNS server forwards such a request it changes the source IP (Internet Protocol) address to the DNS server's own IP address, which...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40, H04L61/4511
CPC: H04L63/1425, H04L61/4511
Inventor: 吕晓滨
Owner: SANGFOR TECH INC