A kind of proxy server identification method and device
Technical field
The application is related to internet arena, more particularly, to a kind of proxy server identification method and device.
Background technology
One kind is existed at present on the Internet it is widely applied and mutually look into technology as IP address and geographical position, this technology is extensive
It is applied to the Internet every field, especially risk control field, uses as strong risks and assumptions, it is led in risk control
Domain scheme application principle is whether one user of detection logs in different geographical position, if it is, can recognize in the short time
For being an excessive risk operation.This judges it is to be that real IP is just set up based on the IP of user.But proxy server technology is beaten
Break the premise of this application.That is a Pekinese user then can be serviced by the proxy server in Hangzhou completely
The IP address that device is seen is the address of Hangzhou proxy server.
The problem how distinguishing proxy server in the industry cycle discusses always, and industry also has the solution party of such problems many
Case, but mainly still concentrate on both direction:
1st, the collection in proxy server storehouse, is had and is captured from the Internet based on reptile, also generation based on active scan
Reason server is collected.
In such solution, for the mode capturing from the Internet based on reptile, a lot of proxy servers are had to be not
Announce on the internet, or some meat machines that hacker controls, this information is very incomplete;It is directed to active scan
Mode, interconnection active online main frame amount is very huge, and the serve port of proxy server is not fixed, so scheme scanning week
Phase is very long, and cost performance is excessively poor.
2nd, the identification based on proxy server feature, for example, the message that sends of regular proxy server in HTTP head all
There is the fields such as Via, X-Forwarded-for.
It is effective that such solution is directed to regular proxy server software, but a lot of proxy server software
Can configure and be not added with this field, the method is very unreliable.
Content of the invention
The application technical problem to be solved is how to identify whether user employs proxy server.
In order to solve the above problems, this application provides a kind of proxy server identifying device, including:
HTTP message transmitter, for receive when server user GET request when, generate and return one and carry control
The HTTP message of instruction, described control instruction is used for browser one corresponding response of return that instruction receives this HTTP message
Message is to server;
Detector, for judging for the HTTP message issuing same user, server receives TCP ACK and confirms to be taken
Between and receive described corresponding response message required time length difference whether more than a predetermined threshold, if it is judging should
User employs proxy server.
Further, described control instruction is js code, and described corresponding response message is asked for ajax.
Further, server time stamp and signing messages, institute are also carried in the described HTTP message carrying control instruction
State and in corresponding response message, comprise this server time stamp and signing messages.
Further, described detector includes:
TCP time detector, corresponding to receiving this HTTP message from being sent to a user for calculating a HTTP message
Time difference between TCP ACK confirmation, obtains the TCP time difference of this user;
HTTP time detector, for carrying the HTTP message of control instruction described in calculating from being sent to a user to receiving
Time difference between corresponding response message, obtains the HTTP time difference of this user;
Comparator, for calculating the difference between the TCP time difference of a user and HTTP time difference, if this difference is exhausted
To value more than a predetermined threshold, then judge that this client employs proxy server.
Further, detector judges for the HTTP message issuing same user, and server receives TCPACK and confirms institute
Whether the difference taking time and receiving the length of described corresponding response message required time refers to more than a predetermined threshold:
After server sends the HTTP message carrying control instruction described in, record receives this HTTP to described detector
Moment and the moment receiving the corresponding response message of this HTTP message that message corresponding TCP ACK confirms;Judge this two
Whether the interval time lengths in moment are more than a predetermined threshold.
Present invention also provides a kind of proxy server identification method, including:
When server receives the GET request of user, generate and return a HTTP message carrying control instruction, described
Control instruction is used for instruction and receives browser one corresponding response message of return of this HTTP message to server;
Judge for the HTTP message issuing same user, server receives TCP ACK and confirms required time and receive institute
The difference of length stating corresponding response message required time, whether more than a predetermined threshold, if it is judges that this user employs
Proxy server.
Further, described control instruction is js code, and described corresponding response message is asked for ajax.
Further, server time stamp and signing messages, institute are also carried in the described HTTP message carrying control instruction
State and in corresponding response message, comprise this server time stamp and signing messages.
Further, for the HTTP message issuing same user, it is required that server receives TCPACK confirmation for described judgement
Whether the difference of time and the length receiving described corresponding response message required time includes more than the step of a predetermined threshold:
Calculate a HTTP message from be sent to a user to receive this HTTP message corresponding TCP ACK confirm when
Between poor, obtain the TCP time difference of this user;
The HTTP message of control instruction is carried from being sent to a user to receiving corresponding response message described in calculating
Time difference, obtain the HTTP time difference of this user;
Calculate the difference between the TCP time difference of a user and HTTP time difference, judge whether the absolute value of this difference surpasses
Cross a predetermined threshold.
Further, for the HTTP message issuing same user, it is required that server receives TCP ACK confirmation for described judgement
Whether the difference of time and the length receiving described corresponding response message required time includes more than the step of a predetermined threshold:
After server sends the HTTP message carrying control instruction described in, it is corresponding that record receives this HTTP message
Moment and the moment receiving the corresponding response message of this HTTP message that TCP ACK confirms;Judge the interval in this two moment
Whether time span is more than a predetermined threshold.
The time difference that the technical scheme of the application utilizes TCP ACK to confirm and the ajax request of browser feedback between, comes
Judge whether user employs proxy server, reliability is high, and without additionally carrying out the collection in proxy server storehouse.
Brief description
Fig. 1 is one of communication process schematic diagram in embodiment one;
Fig. 2 is two of communication process schematic diagram in embodiment one;
Fig. 3 is the schematic flow sheet of example in embodiment two.
Specific embodiment
Below in conjunction with drawings and Examples, the technical scheme of the application is described in detail.
If it should be noted that not conflicting, each feature in the embodiment of the present application and embodiment can mutually be tied
Close, all within the protection domain of the application.In addition, though showing logical order in flow charts, but in some situations
Under, can be with the step shown or described different from order execution herein.
Embodiment one, a kind of proxy server identifying device, including:
HTTP (HTTP) message transmitter, for receive when server user GET request when, generate simultaneously
Return a HTTP message carrying control instruction, described control instruction is used for indicating that the browser receiving this HTTP message returns
Return a corresponding response message to server;
Detector, for judging for the HTTP message issuing same user, server receives TCP (transmission control protocol)
ACK (acknowledgement indicator in Acknowledgement, TCP stem) confirms required time and receives described corresponding response message
The difference of the length of required time, whether more than a predetermined threshold, if it is judges that this user employs proxy server.
In the present embodiment, described control instruction can be, but not limited to as a kind of js (JavaScript, script) code,
Described corresponding response message can be, but not limited to ask for ajax;This is principle HTTP document being parsed using browser,
After the browser of client receives described js code, this js code can be executed, return ajax (Asynchronous
JavaScript and XML, asynchronous JavaScript and extensible markup language) ask to server.Also may be used during practical application
Can control the instruction of browser using other.
In the present embodiment, server time stamp in the described HTTP message carrying control instruction, can also be carried, described right
This server time stamp is comprised in the response message answered.
The signing messages of server, institute in the present embodiment, can also be carried in the described HTTP message carrying control instruction
State and in corresponding response message, comprise this signing messages.
In the present embodiment, described predetermined threshold can based on experience value or test value determine, and can according to judge needed for
Fineness is sized;Such as, when merely desiring to identify trans-regional proxy server, (actual customer end is with proxy server not
In same area) when, it is relatively large that this predetermined threshold can be arranged, and can be, but not limited to the TCP time difference for a times;When
When wanting to identify the proxy server with area, then can be less by the setting of described predetermined threshold.
In an embodiment of the present embodiment, described detection implement body can include:
TCP time detector, corresponding to receiving this HTTP message from being sent to a user for calculating a HTTP message
Time difference between TCP ACK confirmation, obtains the TCP time difference of this user, that is, receive TCP ACK and confirm required time;
HTTP time detector, for carrying the HTTP message of control instruction described in calculating from being sent to a user to receiving
Time difference between corresponding response message, obtains the HTTP time difference of this user, that is, receive corresponding response message and taken
Between;
Comparator, for calculating the difference between the TCP time difference of a user and HTTP time difference, if this difference is exhausted
To value more than a predetermined threshold, then judge that this client employs proxy server.
In this enforcement, the described HTTP message carrying control instruction can be somebody's turn to do with facilitating to follow the tracks of using special HTTP head
HTTP message and its corresponding TCP ACK confirmation/response message.
In the present embodiment, TCP time detector and HTTP time detector can be same HTTP message is carried out with
Track, obtains described TCP time difference and HTTP time difference respectively;Respectively different HTTP message can also be tracked, to obtain
Obtain described TCP time difference and HTTP time difference.
In the another embodiment of the present embodiment, detector judges, for the HTTP message issuing same user, to service
Device receives TCP ACK and confirms required time and whether receive the difference of the length of described corresponding response message required time more than one
Predetermined threshold specifically may refer to:
After server sends the HTTP message carrying control instruction described in, record receives this HTTP to described detector
Moment and the moment receiving the corresponding response message of this HTTP message that message corresponding TCP ACK confirms;Judge this two
Whether the interval time lengths in moment are more than a predetermined threshold.
Explain the realization mechanism of the present embodiment below with two specific communication process.
Between client and server direct-connected when, its communication process as shown in figure 1, include:
Client sends TCP SYN to server;
Server returns TCP SYN+ACK to client;
Client sends TCP ACK to server, wherein may carry GET request;
For GET request, server sends http response message to client, wherein carry js code, signing messages and
Server time stabs;
Client returns TCP ACK after receiving described http response message and confirms to server;The browser solution of client
When analysing described http response message, execute described js code, generate the ajax comprising described signing messages server timestamp
Request returns to server;This ajax request is carried in during above-mentioned TCP ACK confirms it is also possible to independent send.
In said process, TCP time difference sends http response message for server and confirms to the TCP ACK receiving client
Between time difference;HTTP time difference sends http response message for server and is returned according to server to receiving client browser
Time difference between the ajax request that the js returning is constructed;As can be seen that the size of two time differences is more or less the same each other.
When passing through trans-regional proxy server between client and server and connecting, its communication process as shown in Fig. 2
Including (explanations are omitted hering handshake procedure):
Client sends GET request to proxy server, and proxy server returns TCP ACK to client, and sends GET
Ask to server;
Server sends http response message to proxy server, when wherein carrying js code, signing messages and server
Between stab;
Proxy server is transmitted to client after receiving described http response message, and returns TCP ACK and confirm to service
Device;
Described in the browser resolves of client during http response message, execute described js code, send and include described label
The ajax of name information server timestamp asks to proxy server;
Proxy server is transmitted to server after receiving described ajax request, and returns TCP ACK to client.
In said process, TCP time difference sends http response message to the TCP ACK receiving proxy server for server
Time difference between confirmation;HTTP time difference for server send http response message to receive proxy server forwarding true
Time difference between the ajax request that client browser is constructed according to the js code that server returns;As can be seen that two
The size difference of time difference is larger.
Embodiment two, a kind of proxy server identification method, including:
When server receives the GET request of user, generate and return a HTTP message carrying control instruction, described
Control instruction is used for instruction and receives browser one corresponding response message of return of this HTTP message to server;
Judge for the HTTP message issuing same user, server receives TCP ACK and confirms required time and receive institute
The difference of length stating corresponding response message required time, whether more than a predetermined threshold, if it is judges that this user employs
Proxy server.
In the present embodiment, described control instruction can be, but not limited to as js code, described corresponding response message can but
It is not limited to ajax request;This is principle HTTP document being parsed using browser, when the browser of client receives institute
After stating js code, this js code can be executed, return ajax and ask to server.Can also be controlled using other during practical application
The instruction of browser.
In the present embodiment, server time stamp in the described HTTP message carrying control instruction, can also be carried, described right
This server time stamp is comprised in the response message answered.
The signing messages of server, institute in the present embodiment, can also be carried in the described HTTP message carrying control instruction
State and in corresponding response message, comprise this signing messages.
In the present embodiment, described predetermined threshold can based on experience value or test value determine, and can according to judge needed for
Fineness is sized;Such as, when merely desiring to identify trans-regional proxy server, (actual customer end is with proxy server not
In same area) when, it is relatively large that this predetermined threshold can be arranged, and can be, but not limited to the TCP time difference for a times;When
When wanting to identify the proxy server with area, then can be less by the setting of described predetermined threshold.
In an embodiment of the present embodiment, described judgement is received for the HTTP message issuing same user, server
Confirm required time to TCP ACK with whether the difference of the length receiving described corresponding response message required time is predetermined more than one
The step of threshold value specifically can include:
Calculate a HTTP message from be sent to a user to receive this HTTP message corresponding TCP ACK confirm when
Between poor, obtain the TCP time difference of this user, that is, receive TCP ACK confirm required time;
The HTTP message of control instruction is carried from being sent to a user to receiving corresponding response message described in calculating
Time difference, obtain the HTTP time difference of this user, that is, receive corresponding response message required time;
Calculate the difference between the TCP time difference of a user and HTTP time difference, judge whether the absolute value of this difference surpasses
Cross a predetermined threshold.
In this enforcement, the described HTTP message carrying control instruction can be somebody's turn to do with facilitating to follow the tracks of using special HTTP head
HTTP message and its corresponding TCP ACK confirmation/response message.
In the present embodiment, can be that same HTTP message is tracked, obtain described TCP time difference and HTTP respectively
Time difference;Respectively different HTTP message can also be tracked, to obtain described TCP time difference and HTTP time difference.
In the another embodiment of the present embodiment, described judgement is for the HTTP message issuing same user, server
Receive TCP ACK confirmation required time and whether the difference of the length receiving described corresponding response message required time is pre- more than one
The step determining threshold value specifically can include:
After server sends the HTTP message carrying control instruction described in, it is corresponding that record receives this HTTP message
Moment and the moment receiving the corresponding response message of this HTTP message that TCP ACK confirms;Judge the interval in this two moment
Whether time span is more than a predetermined threshold.
One specific example of the present embodiment is as shown in figure 3, comprise the steps:
Server passes through ICP/IP protocol stack receiving data message, after receiving the GET request of user, returns http response
Message, and bring special HTTP head, js code server timestamp;
Record the five-tuple in http response message, this http response message is sent by ICP/IP protocol stack, and wait
Corresponding TCP ACK confirms;After receiving corresponding TCP ACK confirmation, calculate and send this http response message and receive this TCP
Time difference between ACK confirmation, as TCP time difference;
Record the IP (purpose IP of http response message) of other side, send the time of this http response message and wait correspondence
Ajax request;After receiving corresponding ajax request, calculate and send this http response message and receive between this ajax request
Time difference, as HTTP time difference;
Relatively TCP time difference and HTTP time difference, if it exceeds a predetermined threshold, then judge that user is by agency service
Device connects, and otherwise judges that user connects not over proxy server.
One of ordinary skill in the art will appreciate that all or part of step in said method can be instructed by program
Related hardware completes, and described program can be stored in computer-readable recording medium, such as read only memory, disk or CD
Deng.Alternatively, all or part of step of above-described embodiment can also be realized using one or more integrated circuits.Accordingly
Ground, each module/unit in above-described embodiment can be to be realized in the form of hardware, it would however also be possible to employ the shape of software function module
Formula is realized.The application is not restricted to the combination of the hardware and software of any particular form.
Certainly, the application also can have other various embodiments, in the case of without departing substantially from the application spirit and its essence, ripe
Know those skilled in the art and work as and various corresponding changes and deformation can be made according to the application, but these corresponding changes and change
Shape all should belong to the protection domain of claims hereof.