Summary of the invention
Embodiments of the present invention provide a method and a device for identifying proxy Internet Protocol (IP) addresses, so as to effectively identify malicious users accessing the network and reduce users' risk-control problems.
To solve the above technical problem, the embodiments of the present invention disclose the following technical solutions:
A first aspect provides a method for identifying a proxy Internet Protocol (IP) address, including:
Obtaining an access request sent by a client;
Determining, according to the access request, the IP address of the client and the IP address of the domain name resolution (DNS) server used by the client;
Judging whether the physical networks in which the IP address of the client and the IP address of the DNS server are located are the same, and if they are different, determining that the IP address of the client is a proxy IP address.
Optionally, when it is determined that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different, the method further includes:
Recording the number of DNS server IP addresses corresponding to the IP address of the client;
If the number is determined to be greater than a preset threshold, determining that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, the method further includes:
If it is determined that the IP address of the client and the IP address of the DNS server are in the same physical network, determining that the IP address of the client is a normal IP address; or
If it is determined that the number is not greater than the preset threshold, determining that the IP address of the client is a proxy IP address, specifically: determining that the IP address of the client whose number is not greater than the preset threshold is a proxy IP address.
A second aspect provides a method for identifying a proxy Internet Protocol (IP) address, including:
Obtaining access requests sent by multiple clients;
Determining, according to each access request, the IP address of each client and the IP address of the DNS server used by each client;
Counting and recording the number of DNS server IP addresses corresponding to the IP address of each client;
If the number is greater than a preset threshold, determining that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, the method further includes:
If the number is less than or equal to the preset threshold, determining that the IP address of the client whose number is less than or equal to the preset threshold is a normal IP address.
A third aspect provides a device for identifying a proxy Internet Protocol (IP) address, including:
An acquiring unit, configured to obtain an access request sent by a client;
A first determining unit, configured to determine, according to the access request, the IP address of the client and the IP address of the DNS server used by the client;
A first judging unit, configured to judge whether the physical networks in which the IP address of the client and the IP address of the DNS server are located are the same;
A second determining unit, configured to determine that the IP address of the client is a proxy IP address when the first judging unit judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different.
Optionally, the device further includes:
A recording unit, configured to record the number of DNS server IP addresses corresponding to the IP address of the client when the first judging unit judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different;
A second judging unit, configured to judge whether the number recorded by the recording unit is greater than a preset threshold;
A third determining unit, configured to determine, when the second judging unit judges that the data is greater than the preset threshold, that the IP address of the client greater than the preset threshold is a proxy IP address.
Optionally, the device further includes:
A fourth determining unit, configured to determine that the IP address of the client is a normal IP address when the first judging unit judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are the same; or, when the second judging unit judges that the number is not greater than the preset threshold, to determine that the IP address of the client whose number is not greater than the preset threshold is a proxy IP address.
A fourth aspect provides a device for identifying a proxy Internet Protocol (IP) address, including:
An acquiring unit, configured to obtain access requests sent by multiple clients;
A first determining unit, configured to determine, according to each access request, the IP address of each client and the IP address of the DNS server used by each client;
A statistic unit, configured to count and record the number of DNS server IP addresses corresponding to the IP address of each client;
A judging unit, configured to judge whether the number counted by the statistic unit is greater than a preset threshold;
A second determining unit, configured to determine, when the judging unit judges that the number is greater than the preset threshold, that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, the device further includes:
A third determining unit, configured to determine, when the judging unit judges that the number is less than or equal to the preset threshold, that the IP address of the client whose number is less than or equal to the preset threshold is a normal IP address.
As can be seen from the technical solutions disclosed above, the embodiments of the present invention compare whether the IP address of the client and the IP address of the DNS server used by the client are in the same physical network, in order to determine whether the client is a proxy client and thereby whether the user of this client is a malicious user, which reduces risk-control problems.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms used in the embodiments of the present invention are for the purpose of describing specific embodiments only and are not intended to limit the present invention. The singular forms "a", "said" and "the" used in the embodiments of the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the embodiments of the present invention to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the embodiments of the present invention, first information may also be referred to as second information, without requiring or implying any such actual relationship or order between these entities or operations. Similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining". Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not expressly listed, or elements inherent to such a process, method, article or device.
Refer to Fig. 1, which is a flow chart of a method for identifying a proxy Internet Protocol (IP) address provided in an embodiment of the present invention. The method includes:
Step 101: Obtain an access request sent by a client;
The client sends the access request to a backend server (for example, a web server, an Alipay server, etc.). The access request may include the IP address of the client and the IP address of the DNS server used by the client; it may of course also include other information, which this embodiment does not restrict.
In this embodiment, the access request may include: Hypertext Transfer Protocol (HTTP) and/or the firewall secure session traversal protocol (SOCKS). Other requests may of course be used as needed, which this embodiment does not restrict.
Step 102: Determine, according to the access request, the IP address of the client and the IP address of the domain name resolution server (DNS, Domain Name Server) used by the client;
The backend server parses the received access request to obtain the IP address of the client, and collects, according to this access request, the IP address of the DNS that this client uses when accessing the network.
In this embodiment, the IP address of a client may correspond to the IP address of one DNS or to the IP addresses of multiple DNSs, which this embodiment does not restrict.
The DNS helps users find paths on the Internet. To access the Internet, a user needs a client installed on a computer. On the Internet every computer has a unique address, called an IP address, and the IP address of this computer is the IP address of the client. Because an IP address (a string of numbers) is inconvenient to remember, the DNS allows the user to use a string of ordinary letters (that is, a "domain name") instead.
On the Internet, domain names and IP addresses correspond one to one. Although domain names are easy for people to remember, machines can only recognize each other by IP address. The conversion between the two is called domain name resolution, and it must be completed by a dedicated domain name resolution server. A domain name must correspond to one IP address, that is, the IP address of the DNS, whereas an IP address does not necessarily correspond to only one domain name.
Step 103: Judge whether the physical networks in which the IP address of the client and the IP address of the DNS server used by the client are located are the same; if they are different (that is, not in the same physical network), determine that the IP address of the client is a proxy IP address.
In this embodiment, a physical network (PN) is a network formed by connecting various physical devices (such as hosts, routers and switches) and media (optical cable, cable, twisted pair, etc.).
One way in which the backend server judges whether the IP address of the client and the IP address of the DNS server used by the client are in the same physical network is:
Judge whether the first three segments of the IP address of the client and of the IP address of the DNS server, under the corresponding subnet mask, are the same. If they are the same, the client and the DNS server are in the same physical network; otherwise, the physical networks in which the client and the DNS server are located are different, that is, they are not in the same physical network.
The subnet mask divides an address into a network number and a host number. If the network numbers are the same, the IP addresses are in the same local area network. If the first three segments under the subnet mask are the same, the networks are the same. For example, for 192.168.0.1 and 192.168.0.7, as long as the last segment is less than 255 and is not duplicated, the addresses belong to the same physical network.
That the IP address of the client is a proxy IP address means that this client has hidden its own IP address and is using a proxy, which confirms that the user of this client is a malicious user, that is, a user who presents a risk.
In this embodiment of the present invention, whether the IP address of the client and the IP address of the DNS server used by the client are in the same physical network is compared in order to determine whether the client is a proxy client and thereby whether the user of this client is a malicious user, which reduces risk-control problems.
Refer also to Fig. 2, which is another flow chart of a method for identifying a proxy Internet Protocol (IP) address provided in an embodiment of the present invention. The method includes:
Step 201: Obtain an access request sent by a client;
Step 201 is the same as step 101; see the description above.
Step 202: Determine, according to the access request, the IP address of the client and the IP address of the DNS server used by the client;
Step 202 is the same as step 102; see the description above.
Step 203: Judge whether the IP address of the client and the IP address of the DNS server are in the same physical network; if not, execute step 204; otherwise, execute step 207;
For the judging process, see the description of step 103 above, which is not repeated here.
Step 204: Record the number of DNS server IP addresses corresponding to the IP of the client;
In this step, when the backend server judges that the IP address of the client and the IP address of the DNS server are not in the same physical network, it adds 1 to the recorded number of DNS server IP addresses corresponding to the IP address of this client. That is, for each IP address that is not in the same physical network, the number of DNS server IP addresses corresponding to the IP of the client is recorded.
Step 205: Judge whether the number is greater than a preset threshold; if so, execute step 206; otherwise, execute step 207;
The preset threshold can be set empirically, for example to any number from 10 to 15. It can of course also be adjusted according to actual needs, for example to 20 or to 5, which this embodiment does not restrict. Generally, to improve the accuracy of the determination the preset threshold is set larger; conversely, it is set smaller.
Step 206: Determine that the IP address of the client whose number is greater than the preset threshold is a proxy IP address;
In this step, a client whose number is greater than the preset threshold is determined to be a proxy client, so the user of this client is determined to be a malicious user, or a user who presents a risk.
Step 207: Determine that the IP address of the client is a normal IP address.
In this step, if the IP address of the client and the IP address of the DNS server are in the same physical network, or the number of DNS server IP addresses is not greater than the preset threshold, the client is a normal client. That is, the user of this client is a normal user who is not using a proxy, in other words a safe user.
In this embodiment of the present invention, when the physical networks in which the IP address of the client and the IP address of the DNS server are located are judged to be different, it is further judged whether the number of DNS server IP addresses corresponding to the IP of this client is greater than the preset threshold; if it is, the IP address of this client is determined to be a proxy IP address. In this way it is further determined whether the user of this client is a malicious user, which reduces risk-control problems.
Refer also to Fig. 3, which is another flow chart of a method for identifying a proxy Internet Protocol (IP) address provided in an embodiment of the present invention. The method includes:
Step 301: Obtain access requests sent by multiple clients;
The access request sent by each user may include: Hypertext Transfer Protocol (HTTP) and/or the firewall secure session traversal protocol (SOCKS). Other requests may of course also be included as appropriate, and this embodiment is not limited in this respect.
The access requests sent by each of the multiple clients can be obtained in several ways. For example, the access request sent by each client can be obtained in real time, or it can be obtained from the information recorded in an access log. This embodiment is of course not limited to these two ways.
Step 302: Determine, according to each access request, the IP address of each client and the IP address of the DNS server used by each client;
In this step, the access request sent by each client is parsed to obtain the IP address of each client, and, according to the access request of each client, the IP address of the DNS server through which each client accesses the network is collected.
Step 303: Count and record the number of IP addresses of the DNS servers used by each client;
In this step, each client may use one DNS server or several. Correspondingly, the same DNS server may correspond to one client or to multiple clients.
That is, a normal client may correspond to one DNS server or to several.
In this embodiment, the number of DNS servers corresponding to each client needs to be counted.
Step 304: If the number is greater than a preset threshold, determine that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
In this step, the preset threshold is usually set to 10. It can of course also be adjusted as needed, for example to 15 or to 5, which this embodiment does not restrict.
In this embodiment, when a client uses a proxy, the IP of the client (ClientIP) uses the proxy service of the proxy server IP (ProxyIP), so in this situation ProxyIP collects the DNS1-IP corresponding to ClientIP as its DNS server.
Because a proxy server generally serves Internet users, the users of the proxy ProxyIP are spread across different physical networks, and the DNS server of each of those physical networks may be collected as a DNS server of ProxyIP. In this case the number will be far greater than the normal case of 10 DNS servers. This embodiment takes 10 as an example, but actual applications are not limited to it.
Optionally, in another embodiment, on the basis of the above embodiment, the method may further include:
If the number is less than or equal to the preset threshold, determine that the IP address of the client whose number is less than or equal to the preset threshold is a normal IP address.
In this embodiment of the present invention, the number of DNS server IP addresses corresponding to the IP address of a client is counted, and the IP address of a client whose number is greater than the preset threshold is determined to be a proxy IP address. It is thereby determined whether the user of this client is a malicious user, which reduces risk-control problems.
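The three decision procedures described above (Fig. 1, Fig. 2 and Fig. 3), as an added example that is not part of the patent text. It assumes the server has already extracted (client IP, DNS server IP) pairs from the access requests, treats "same physical network" as a shared /24 per the first-three-segments rule, and counts distinct DNS server IPs; all function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

NORMAL, PROXY = "normal", "proxy"


def same_physical_network(client_ip, dns_ip, prefix_len=24):
    """The page's test: the first three segments match, i.e. a shared /24."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(dns_ip) in net


def classify_fig1(client_ip, dns_ip):
    """Steps 101-103: any network mismatch marks the client IP as a proxy."""
    return NORMAL if same_physical_network(client_ip, dns_ip) else PROXY


def _collect(observations, off_net_only):
    """Map each client IP to the set of distinct DNS server IPs seen with it.

    Assumption: "quantity" on the page is read as a count of distinct IPs.
    """
    resolvers = defaultdict(set)
    for client_ip, dns_ip in observations:
        bucket = resolvers[client_ip]  # register the client even if nothing is added
        if off_net_only and same_physical_network(client_ip, dns_ip):
            continue
        bucket.add(dns_ip)
    return resolvers


def _apply_threshold(resolvers, threshold):
    """Strictly greater than the threshold is a proxy; equal is still normal."""
    return {ip: PROXY if len(seen) > threshold else NORMAL
            for ip, seen in resolvers.items()}


def classify_fig2(observations, threshold=10):
    """Steps 203-207: count only DNS servers outside the client's network."""
    return _apply_threshold(_collect(observations, off_net_only=True), threshold)


def classify_fig3(observations, threshold=10):
    """Steps 301-304: count every DNS server seen with the client IP."""
    return _apply_threshold(_collect(observations, off_net_only=False), threshold)


def build_sample():
    """Constructed observations: (client IP, DNS server IP) pairs."""
    obs = [
        ("192.0.2.10", "192.0.2.53"),     # DNS server inside the client's /24
        ("192.0.2.20", "198.51.100.53"),  # a single DNS server outside the /24
    ]
    # A proxy exit address seen with 12 DNS servers from 12 different networks.
    obs += [("203.0.113.50", f"10.{i}.0.53") for i in range(12)]
    # An address seen with exactly 10 DNS servers: at, not above, the threshold.
    obs += [("203.0.113.60", f"10.{i}.1.53") for i in range(10)]
    return obs


if __name__ == "__main__":
    sample = build_sample()
    fig2, fig3 = classify_fig2(sample), classify_fig3(sample)
    for client_ip in sorted(fig2):
        print(client_ip, "fig2:", fig2[client_ip], "fig3:", fig3[client_ip])
```

In the constructed sample, 192.0.2.20 is flagged by the Fig. 1 rule after a single off-network DNS server, while the Fig. 2 and Fig. 3 counts keep it normal until the count exceeds the threshold.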
Based on the implementation process of the above method, an embodiment of the present invention also provides a device for identifying a proxy Internet Protocol (IP) address. Its structure is shown in Fig. 4. The device includes: an acquiring unit 41, a first determining unit 42, a first judging unit 43 and a second determining unit 44, wherein:
The acquiring unit 41 is configured to obtain an access request sent by a client;
The first determining unit 42 is configured to determine, according to the access request, the IP address of the client and the IP address of the DNS server used by the client;
The first judging unit 43 is configured to judge whether the IP address of the client and the IP address of the DNS server are in the same physical network;
The second determining unit 44 is configured to determine that the IP address of the client is a proxy IP address when the first judging unit judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different.
Optionally, in another embodiment, on the basis of the above embodiment, the device further includes: a recording unit 51, a second judging unit 52 and a third determining unit 53. Its structure is shown in Fig. 5, wherein:
The recording unit 51 is configured to record the number of DNS server IP addresses corresponding to the IP address of the client when the first judging unit 43 judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different;
The second judging unit 52 is configured to judge whether the number recorded by the recording unit 51 is greater than a preset threshold;
The third determining unit 53 is configured to determine, when the second judging unit 52 judges that the data is greater than the preset threshold, that the IP address of the client greater than the preset threshold is a proxy IP address.
Optionally, in another embodiment, on the basis of the above embodiment, the device may further include: a fourth determining unit 61. Its structure is shown in Fig. 6, wherein:
The fourth determining unit 61 is configured to determine that the IP address of the client is a normal IP address when the first judging unit 43 judges that the IP address of the client and the IP address of the DNS server are in the same physical network; or, when the second judging unit 52 judges that the number is not greater than the preset threshold, to determine that the IP address of the client whose number is not greater than the preset threshold is a proxy IP address.
Optionally, an embodiment of the present invention also provides a device for identifying a proxy Internet Protocol (IP) address. Its structure is shown in Fig. 7. The device includes: an acquiring unit 71, a first determining unit 72, a statistic unit 73, a judging unit 74 and a second determining unit 75, wherein:
The acquiring unit 71 is configured to obtain access requests sent by multiple clients;
The first determining unit 72 is configured to determine, according to each access request, the IP address of each client and the IP address of the DNS server used by each client;
The statistic unit 73 is configured to count and record the number of DNS server IP addresses corresponding to the IP address of each client;
The judging unit 74 is configured to judge whether the number counted by the statistic unit 73 is greater than a preset threshold;
The second determining unit 75 is configured to determine, when the judging unit 74 judges that the number is greater than the preset threshold, that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, in another embodiment, on the basis of the above embodiment, the device further includes: a third determining unit 81. Its structure is shown in Fig. 8, wherein:
The third determining unit 81 is configured to determine, when the judging unit 74 judges that the number is less than or equal to the preset threshold, that the IP address of the client whose number is less than or equal to the preset threshold is a normal IP address.
For the implementation of the functions and roles of the units in the device, see the implementation process of the corresponding steps in the above method, which is not repeated here.
Correspondingly, an embodiment of the present invention also provides a server. The server includes a transceiver and a processor, wherein:
The transceiver is configured to obtain access requests sent by multiple clients;
The processor is configured to determine, according to the access request, the IP address of the client and the IP address of the DNS server used by the client; and, when it judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different, to determine that the IP address of the client is a proxy IP address.
Optionally, the processor is further configured to record the number of DNS server IP addresses corresponding to the IP address of the client when it determines that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different; and, when it judges that the number is greater than a preset threshold, to determine that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, the processor is further configured to determine that the IP address of the client is a normal IP address when it judges that the IP address of the client and the IP address of the DNS server are in the same physical network; or, when it judges that the number is not greater than the preset threshold, to determine that the IP address of the client whose number is not greater than the preset threshold is a proxy IP address.
Correspondingly, an embodiment of the present invention also provides a server. The server includes a transceiver and a processor, wherein the transceiver is configured to obtain access requests sent by multiple clients;
The processor is configured to determine, according to each access request, the IP address of each client and the IP address of the DNS server used by each client;
The transceiver is further configured to count the number of DNS server IP addresses corresponding to the IP address of each client;
The processor is further configured to determine, when the number is greater than a preset threshold, that the IP address of the client whose number is greater than the preset threshold is a proxy IP address; and, when the number is less than or equal to the preset threshold, to determine that the IP address of the client whose number is less than or equal to the preset threshold is a normal IP address.
An embodiment of the present invention also provides a server, whose structure is shown in Fig. 9. The server 900 includes: a processor 910, a memory 920, a transceiver 930 and a bus 940;
The processor 910, the memory 920 and the transceiver 930 are connected to each other by the bus 940. The bus 940 may be an ISA bus, a PCI bus, an EISA bus or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, it is shown as a single thick line in Fig. 9, but this does not mean that there is only one bus or only one type of bus.
The memory 920 is used to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions. The memory 920 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The transceiver 930 is used to connect to other devices and communicate with them. Specifically, the transceiver 930 may be used to: obtain an access request sent by a client;
The processor 910 executes the program code stored in the memory 920, and is specifically configured to determine, according to the access request, the IP address of the client and the IP address of the DNS server used by the client; and, if it judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different, to determine that the IP address of the client is a proxy IP address.
Optionally, the processor 910 is further configured to: record the number of DNS server IP addresses corresponding to the IP address of the client when it judges that the physical networks in which the IP address of the client and the IP address of the DNS server are located are different; and, when it judges that the number is greater than a preset threshold, determine that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, the processor 910 is further configured to: determine that the IP address of the client is a normal IP address when it judges that the IP address of the client and the IP address of the DNS server are in the same physical network; and, when it judges that the number is not greater than the preset threshold, determine that the IP address of the client whose number is not greater than the preset threshold is a proxy IP address.
For ease of understanding, a specific application example is described below.
Figure 10 is a schematic structural diagram of an application example provided by an embodiment of the present invention. As shown in Figure 10, it includes: a client ClientIP, whose DNS server is DNS1-IP; a proxy server ProxyIP, whose DNS server is DNS2-IP; and an Alipay server. This embodiment takes the Alipay server as an example, but practical applications are not limited to it.
Under normal circumstances, the DNS server used by ClientIP is DNS1-IP, and the DNS server used by ProxyIP is DNS2-IP.
In the proxy case, because ClientIP uses the proxy service of ProxyIP, the DNS server collected for ProxyIP is DNS1-IP, the DNS server that ClientIP uses, and the collected DNS1-IP is treated as its DNS server.
As for the Alipay server: when it receives an access request that ClientIP sends through ProxyIP, it determines the IP address of the client from the access request (that is, the IP address of ProxyIP), and obtains by collection that the domain name resolution server used by ClientIP is DNS1-IP. Because the IP address of the client is the IP address of ProxyIP while the domain name resolution server of the client is DNS1-IP, the two are not in the same physical network. It can therefore be determined that this client is using a proxy, and the user of this client is identified as a malicious user.
That is, in the embodiment of the present invention, any user equipment that accesses the network has to use one basic Internet service, DNS, when it accesses network resources. Normal users access the network through their own DNS server, whereas some malicious users usually access the network through a proxy in order to hide their real IP. In general, however, although such a user can hide the real IP, the user cannot change the IP address of the DNS server that the real IP uses. In the embodiment of the present invention, the IP address of the client and the IP address of the domain name resolution server used by the client are determined first; whether the two are in the same physical network is then used to determine whether the IP address of the client is a proxy IP address, and thereby whether the user of this client is a malicious user.
Under normal circumstances, because a proxy server generally serves Internet users at large, the users of the proxy ProxyIP are scattered across different physical networks, and the DNS server of each of those physical networks can be collected as a DNS server of ProxyIP. The resulting number will be far greater than the normal case of 10 DNS servers. The figure is of course not limited to 10 and can be adjusted according to actual conditions.
That is, because the users of a proxy are widely dispersed, the number of DNS servers obtained through that proxy's IP will be far greater than for a normal user. On this basis, whether a client IP is a proxy can be determined from the number of DNS servers used by the users collected on that IP.
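The two checks described above (network mismatch between a client IP and its DNS server, then the count of distinct DNS servers per client IP), as an added example that is not part of the patent text. The prefix table, the names `network_of` and `classify`, and the sample observations are constructed; collection of each client's DNS server IP is assumed to happen upstream.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table standing in for real ISP/ASN data (assumption:
# "same physical network" is approximated as "same entry in this table").
NETWORKS = {
    "net-A": ipaddress.ip_network("192.0.2.0/24"),
    "net-B": ipaddress.ip_network("198.51.100.0/24"),
    "net-C": ipaddress.ip_network("203.0.113.0/24"),
}
THRESHOLD = 10  # the example figure from the text; tune to real traffic


def network_of(ip):
    """Return the table label containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), None)


def classify(observations, threshold=THRESHOLD):
    """Map each client IP to its mismatch flag and distinct-resolver count."""
    resolvers = defaultdict(set)  # client IP -> resolvers seen on other networks
    clients = set()
    for client_ip, resolver_ip in observations:
        clients.add(client_ip)
        c_net, r_net = network_of(client_ip), network_of(resolver_ip)
        if c_net is None or r_net is None:
            continue  # cannot compare networks, so do not count the pair
        if c_net != r_net:
            resolvers[client_ip].add(resolver_ip)
    return {
        ip: {
            "mismatch": len(resolvers[ip]) > 0,
            "resolvers": len(resolvers[ip]),
            "over_threshold": len(resolvers[ip]) > threshold,
        }
        for ip in clients
    }


# Constructed observations: (client IP seen by the server, resolver IP collected).
SAMPLE = (
    [("192.0.2.10", "192.0.2.53")]            # client and resolver on net-A
    + [("198.51.100.20", "192.0.2.53")]       # one resolver on another network
    + [("203.0.113.7", f"192.0.2.{i}") for i in range(100, 106)]
    + [("203.0.113.7", f"198.51.100.{i}") for i in range(100, 106)]
)

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE).items()):
        print(ip, verdict)
```

A single mismatch also appears for a client configured with a resolver outside its own network, so the example reports the mismatch flag and the threshold result separately.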
Those skilled in the art can clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk, or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner. For identical or similar parts, the embodiments may refer to one another, and each embodiment focuses on its differences from the others. The system embodiment in particular is described only briefly because it is substantially similar to the method embodiment; for the relevant details, refer to the description of the method embodiment.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.