CN106411819A - Method and apparatus for recognizing proxy Internet protocol address - Google Patents

Method and apparatus for recognizing proxy Internet protocol address Download PDF

Info

Publication number
CN106411819A
CN106411819A CN201510458585.6A CN201510458585A CN106411819A CN 106411819 A CN106411819 A CN 106411819A CN 201510458585 A CN201510458585 A CN 201510458585A CN 106411819 A CN106411819 A CN 106411819A
Authority
CN
China
Prior art keywords
address
client
threshold value
domain name
predetermined threshold
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510458585.6A
Other languages
Chinese (zh)
Other versions
CN106411819B (en
Inventor
王伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201510458585.6A priority Critical patent/CN106411819B/en
Publication of CN106411819A publication Critical patent/CN106411819A/en
Application granted granted Critical
Publication of CN106411819B publication Critical patent/CN106411819B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer

Abstract

Embodiments of the invention provide a method and apparatus for recognizing a proxy Internet protocol (IP) address. The method includes: obtaining an access request transmitted by a client; determining an IP address of the client and an IP address of a DNS server employed by the client according to the access request; and determining whether physical networks which the IP address of the client and the IP address of the DNS server belong to are the same, and if not, determining the IP address of the client as the proxy IP address. According to the method and apparatus, whether the client is a proxy client is determined by comparing whether the IP address of the client and the IP address of the DNS server employed by the client belong to the same physical network, whether a user using the client is a malicious user is determined, and risk control is reduced.

Description

A kind of method and device of identification agent Internet protocol address
Technical field
The present invention relates to networking technology area, particularly to a kind of identification agent Internet protocol (IP, Internet Protocol) the method and device of address.
Background technology
With the fast development of network technology, the region that some operators are covered is increasing.And proxy server conduct The Internet, applications being widely present, known to most of netizen and use.But, some malicious users, in order to prevent Tracked, deliberately hide the IP address (i.e. true source place) of itself, using first access proxies, visit again mesh The mode of labeling station point.
In prior art, in order to identify that these malicious users hide to own IP address, generally IP is used using user The distance whether geographical position of address occurs in short-term moves (i.e. instantaneous mobile technology) to judge.Such as, a use The previous minute in family is accessed by the IP address in a Shanghai, and one minute after accesses further through the IP address in a Gansu, says This user bright is malicious user, this is because, in reality, this distance movement in short-term not there may be, therefore Judge that this user employs agency, so that it is determined that this user has certain risk.
But, the region being covered with operator is increasing, the distribution of IP address and using also occur in that substantial amounts of across Administrative area, this by user using the geographical position of IP address whether occur distance in short-term mobile judging this user Whether it is malicious user, gradually lost efficacy.Because malicious user, after appropriating account, can check that stolen account is commonly used IP address, then is selected to be conducted interviews website with the proxy server in city with this IP address according to this IP address, increased Risk control.Therefore, how effectively to identify that the malicious user accessing network is that have technical problem to be solved at present.
Content of the invention
Provide a kind of method and device of identification agent Internet protocol address in the embodiment of the present invention, visited with effective identification Ask the malicious user of network, reduce the risk control problem of user.
In order to solve above-mentioned technical problem, the embodiment of the invention discloses following technical scheme:
First aspect provides a kind of method of identification agent Internet protocol IP address, including:
Obtain the access request that client sends;
The domain name resolution server that the IP address of described client and described client use is determined according to described access request IP address;
Judge physical network that the IP address of the IP address of described client and domain name resolution server is located whether phase With if it is different, then determining that the IP address of described client is agent IP address.
Optionally, the physics being located in the IP address of the IP address determining described client and domain name resolution server When network is different, also include:
Record the quantity of the IP address of the corresponding domain name resolution server of IP address of described client;
If it is determined that described quantity is more than predetermined threshold value it is determined that described quantity is more than the IP ground of the client of predetermined threshold value Location is agent IP address.
Optionally, also include:
If it is determined that the IP address of the IP address of described client and domain name resolution server is in Same Physical network In it is determined that described client IP address be normal IP address;Or
If it is determined that described quantity is not more than described predetermined threshold value it is determined that the IP address of described client is Agent IP ground Location, specially:Determine that the IP address that described quantity is not more than the client of described predetermined threshold value is agent IP address.
Second aspect provides a kind of method of identification agent Internet protocol IP address, including:
Obtain the access request that multiple client sends;
The domain name solution that the IP address of each client and each client described use is determined according to each described access request The IP address of analysis server;
Count and record the quantity of the IP address of the corresponding domain name resolution server of IP address of each client described;
If described quantity is more than predetermined threshold value it is determined that the IP address that described quantity is more than the client of predetermined threshold value is Agent IP address.
Optionally, also include:
If described quantity is less than or equal to described predetermined threshold value it is determined that described quantity is less than or equal to the visitor of described predetermined threshold value The IP address at family end is normal IP address.
The third aspect provides a kind of device of identification agent Internet protocol IP address, including:
Acquiring unit, for obtaining the access request of client transmission;
First determining unit, IP address and described client for determining described client according to described access request make The IP address of domain name resolution server;
First judging unit, for judging the IP address of described client and the IP address institute of domain name resolution server Physical network whether identical;
Second determining unit, for judging IP address and the domain name solution of described client in described first judging unit During the physical network difference that the IP address of analysis server is located, determine that the IP address of described client is agent IP address.
Optionally, also include:
Recording unit, for judging IP address and the domain name parsing clothes of described client in described first judging unit During the physical network difference that the IP address of business device is located, record the corresponding domain name resolution service of IP address of described client The quantity of the IP address of device;
Second judging unit, whether the described quantity for judging described recording unit records is more than predetermined threshold value;
3rd determining unit, for when described second judging unit judges that described data is more than predetermined threshold value, determining described It is agent IP address more than the IP address of the client of predetermined threshold value.
Optionally, also include:
4th determining unit, for judging IP address and the domain name solution of described client in described first judging unit When the physical network at the IP address place of analysis server is identical, determine that the IP address of described client is normal IP address; Or judge that described quantity is not more than described predetermined threshold value in described second judging unit, determine that described quantity is not more than described The IP address of the client of predetermined threshold value is agent IP address.
Fourth aspect provides a kind of device of identification agent Internet protocol IP address, including:
Acquiring unit, for obtaining the access request of multiple client transmission;
First determining unit, for determined according to each described access request each client IP address and described each The IP address of the domain name resolution server that client uses;
Statistic unit, for count and record each client described the corresponding domain name resolution server of IP address IP The quantity of address;
Judging unit, whether the described quantity for judging described statistic unit statistics is more than predetermined threshold value;
Second determining unit, for when described judging unit judges that described quantity is more than predetermined threshold value, determining described quantity It is agent IP address more than the IP address of the client of predetermined threshold value.
Optionally, also include:
3rd determining unit, for when described judging unit judges that described quantity is less than or equal to described predetermined threshold value, determining The IP address that described quantity is less than or equal to the client of described predetermined threshold value is normal IP address.
From technical scheme disclosed above, in the embodiment of the present invention, by comparing IP address and the client of client The IP address of the domain name resolution server that end uses, whether in Same Physical network, to determine whether this client is agency Client, so that it is determined that whether the user using this client is malicious user, reduces risk control.
Brief description
In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, will make to required in embodiment below Accompanying drawing be briefly described it should be apparent that, drawings in the following description are only some embodiments of the present invention, for For those of ordinary skill in the art, on the premise of not paying creative work, can also be obtained other according to these accompanying drawings Accompanying drawing.
Fig. 1 is a kind of flow chart of the method for identification agent Internet protocol IP address provided in an embodiment of the present invention;
Fig. 2 is a kind of another flow chart of the method for identification agent Internet protocol IP address provided in an embodiment of the present invention;
Fig. 3 is a kind of another flow chart of the method for identification agent Internet protocol IP address provided in an embodiment of the present invention;
Fig. 4 is a kind of structural representation of the device of identification agent Internet protocol IP address provided in an embodiment of the present invention;
Fig. 5 is that a kind of another structure of the device of identification agent Internet protocol IP address provided in an embodiment of the present invention is shown It is intended to;
Fig. 6 is that a kind of another structure of the device of identification agent Internet protocol IP address provided in an embodiment of the present invention is shown It is intended to;
Fig. 7 is that a kind of another structure of the device of identification agent Internet protocol IP address provided in an embodiment of the present invention is shown It is intended to;
Fig. 8 is that a kind of another structure of the device of identification agent Internet protocol IP address provided in an embodiment of the present invention is shown It is intended to;
Fig. 9 is a kind of structural representation knowing server provided in an embodiment of the present invention;
Figure 10 is a kind of structural representation of application example provided in an embodiment of the present invention.
Specific embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, clear, complete retouching is carried out to the technical scheme in the embodiment of the present invention State it is clear that described embodiment is only a part of embodiment of the present invention, rather than whole embodiments.Based on the present invention In embodiment, the every other embodiment that those of ordinary skill in the art are obtained under the premise of not making creative work, Broadly fall into the scope of protection of the invention.
The term using in embodiments of the present invention is the purpose only merely for description specific embodiment, and is not intended to be limiting this Bright." a kind of ", " described " and " being somebody's turn to do " of singulative used in the embodiment of the present invention and appended claims It is intended to including most forms, unless context clearly shows that other implications.It is also understood that term used herein " and / or " refer to and comprise one or more associated any or all possible combination listing project.
It will be appreciated that though various information may be described using term first, second, third, etc. in embodiments of the present invention, But these information should not necessarily be limited by these terms.These terms are only used for same type of information is distinguished from each other out.For example, not In the case of departing from range of embodiment of the invention, the first information can also be referred to as the second information it is not required that or implying this There is any this actual relation or order between a little entities or operation.Similarly, the second information can also be referred to as One information.Depending on linguistic context, word as used in this " if " can be construed to " ... when " or " when ... When " or " in response to determining ".And, term " inclusion ", "comprising" or its any other variant are intended to non- Comprising of exclusiveness, wants so that including a series of process of key elements, method, article or equipment and not only including those Element, but also include other key elements of being not expressly set out, or also include for this process, method, article or The intrinsic key element of equipment.
Refer to Fig. 1, Fig. 1 is a kind of method of identification agent Internet protocol IP address provided in an embodiment of the present invention Flow chart;Methods described includes:
Step 101:Obtain the access request that client sends;
Wherein, client sends access request to background server (such as, the webserver, Alipay server etc.), The IP address of client, and the IP address of the domain name resolution server of client use can be included in this access request, It is, of course, also possible to inclusion other information, the present embodiment is not restricted.
Wherein, in the present embodiment, access request can include:HTTP (HTTP, Hyper Text Transfer ) and/or firewall security session translation-protocol (socks) Protocol.It is of course also possible to as needed when other request, The present embodiment is not restricted.
Step 102:The domain name solution that the IP address of described client and described client use is determined according to described access request The IP address of analysis server (DNS, Domain Name Server);
Background server parses to the access request receiving, and obtains the IP address of client, and according to this visit Ask that request collects the IP address that this client accesses the DNS using during network.
In this embodiment, the IP address of client can correspond to the IP address of a DNS it is also possible to correspond to multiple DNS IP address, the present embodiment is not restricted.
Wherein, described DNS helps user to find path on the internet, needs in computer because user accesses internet Upper installation client, on the internet, every computer all can have unique address, referred to as IP address, this computer IP address is exactly the IP address of client.Because IP address (for string number) is inconvenient to remember, DNS allows user Replaced using a string common letter (i.e. " domain name ").
In internet, it is one-to-one between domain name and IP address, although domain name is easy to people's memory, machine Between can only recognize mutually IP address, the conversion work between them is referred to as domain name mapping, and domain name mapping needs by special Domain name resolution server is completing.Domain name must correspond to an IP address, i.e. the IP address of DNS, and IP address is not Certain only corresponding domain name.
Step 103:Judge the IP address of described client and the IP ground of the domain name resolution server of described client use Whether the physical network that location is located identical, if different (i.e. not in Same Physical network) it is determined that described client IP address is agent IP address.
In this embodiment, physical network (PN, physical network) is in a network (as master by various physical equipments Machine, router, switch etc.) and medium (optical cable, cable, twisted-pair feeder etc.) couple together the network of formation.
Wherein, background server judges the IP of the domain name resolution server that the IP address of client is used with described client Whether address in one of same physical network judgment mode is:
Judge the front three whether phase of the IP address of client and the corresponding subnet mask of IP address of domain name resolution server With, if identical, illustrate in described client and domain name resolution server place Same Physical network, otherwise, explanation The physical network that described client is located with domain name resolution server is different, that is, not in Same Physical network.
Wherein, subnet mask marks off network number and host number.If network number is identical, that just illustrate IP address be In same LAN.Before subnet mask three identical, mean that network is identical, such as, 192.168.0.1 and 192.168.0.7, as long as last position is less than 255, and do not repeat, just explanation belongs to same physical network.
Wherein, the IP address of client is agent IP address that is to say, that the IP ground of this client hidden oneself Location, employs agency, thus confirming using the user of this client is malicious user, that is, stores the user of risk.
In the embodiment of the present invention, the IP of the domain name resolution server being used by the IP address and client comparing client Address, whether in Same Physical network, to determine whether this client is agent client, so that it is determined that using this client Whether the user at end is malicious user, reduces risk control.
Also refer to Fig. 2, Fig. 2 is a kind of method of identification agent Internet protocol IP address provided in an embodiment of the present invention Another flow chart, methods described includes:
Step 201:Obtain the access request that client sends;
Described step 201 is same with step 101, specifically refers to above-mentioned.
Step 202:The domain name solution that the IP address of described client and described client use is determined according to described access request The IP address of analysis server;
Described step 202 is same with step 102, specifically refers to above-mentioned.
Step 203:Whether the IP address judging the IP address of described client and domain name resolution server is same In physical network, if it is not, execution step 204;Otherwise, execution step 207;
The process that it judges refers to the above-mentioned description to step 103, will not be described here.
Step 204:Record the quantity of the IP address of the corresponding domain name resolution server of IP of described client;
In this step, for background server, judge the IP address of client and the IP ground of domain name resolution server When in the no longer Same Physical network of location, record the IP address of domain name resolution server corresponding with the IP address of this client Quantity add 1 that is to say, that for each the IP address no longer in Same Physical network, all can record and client The quantity of the IP address of the corresponding domain name resolution server of IP.
Step 205:Judge whether described quantity is more than predetermined threshold value, if it is, execution step 206;Otherwise, execute Step 207;
Wherein, predetermined threshold value can set based on experience value, such as, is any one number in 10 to 15, certainly, This predetermined threshold value of accommodation can also be carried out according to actual needs, such as, this predetermined threshold value is adjusted to 20, or 5 etc., the present embodiment is not restricted.Under normal circumstances, if it is desired to improving the accuracy determining result, just by predetermined threshold value Setting larger, conversely, by predetermined threshold value arrange smaller.
Step 206:Determine that the IP address that described quantity is more than the client of described predetermined threshold value is agent IP address;
In this step, the client that will be greater than predetermined threshold value determines agent client, so that it is determined that the use using this client Family is exactly malicious user, or is the user that there is risk.
Step 207:Determine described client IP address be normal IP address.
In this step, if the IP address place Same Physical net of the IP address of client and domain name resolution server In network, or, when the quantity of the IP address of domain name resolution server is not more than described predetermined threshold value, then this client is described For normal client, that is, the user using this client is normal users, not using agency, that is, secured user.
In the embodiment of the present invention, judging the IP address of described client and the IP address institute of domain name resolution server Physical network different when, determine whether the number of the IP address of the corresponding domain name resolution server of IP of this client Whether amount is more than predetermined threshold value, if it is greater, then determining that the IP address of this client is agent IP address.By the party Formula, further determines that whether the user using this client is malicious user, reduces risk control.
Also refer to Fig. 3, Fig. 3 is a kind of method of identification agent Internet protocol IP address provided in an embodiment of the present invention Another flow chart, methods described includes:
Step 301:Obtain the access request that multiple client sends;
Wherein, the described access request that each user sends can include:HTTP HTTP and/or fire wall Secured session translation-protocol socks.It is, of course, also possible to adaptability includes other requests, the present embodiment is not limited to this.
Wherein, obtain the mode of the access request that each client sends in multiple client, can have multiple, such as, The access request that in multiple client, each client sends can be obtained in real time;The letter that can also record from access log In breath, obtain the access request of each client transmission.Certainly, the present embodiment is not limited to this both mode.
Step 302:The IP address of each client and each client described according to each described access request determines The IP address of the domain name resolution server using;
In this step, the access request that each client is sent parses, and obtains the IP address of each client, And, according to the access request of each client, collect the IP that each client accesses the domain name resolution server of network Address.
Step 303:Count and record the quantity of the IP address of domain name resolution server that each client described uses;
In this step, domain name resolution server that each client can use can be one or multiple.Phase Answer, same domain name resolution server can correspond to a client it is also possible to correspond to multiple client.
That is, the corresponding domain name resolution server of normal client can be one or several.
In this embodiment, need to count the quantity of the corresponding domain name resolution server of each client.
Step 304:If described quantity is more than predetermined threshold value it is determined that described quantity is more than the client of predetermined threshold value IP address is agent IP address.
In this step, predetermined threshold value is usually arranged as 10, and certainly, this predetermined threshold value can also adaptability as needed Adjustment, such as, could be arranged to 15 it is also possible to be set to 5 etc., the present embodiment is not restricted.
In the present embodiment, when employing agency for client, the IP (ClientIP) due to client employs The agency service of proxy server IP (ProxyIP), thus under this situation, ProxyIP collects and ClientIP pair The DNS1-IP answering is its dns server.
Because proxy server generally faces internet users, therefore, it is dispersed in using the user acting on behalf of ProxyIP In different physical networks, the dns server of each physical network can be collected the dns server for ProxyIP. In this case, the situation of normal 10 dns servers will be much more than.It is taking 10 as a example in the present embodiment, But not limited to this in actual applications.
Optionally, in another embodiment, on the basis of above-described embodiment, methods described can also include this embodiment: If described quantity is less than or equal to described predetermined threshold value it is determined that described quantity is less than or equal to the client of described predetermined threshold value IP address be normal IP address.
In the embodiment of the present invention, by counting the number of the IP address of the corresponding domain name resolution server of IP address of client Amount, and this quantity is defined as agent IP address more than the IP address of the client of predetermined threshold value.So that it is determined that use should Whether the user of client is malicious user, reduces risk control.
Based on the process of realizing of said method, the embodiment of the present invention also provides a kind of identification agent Internet protocol IP address Device, its structural representation is as shown in figure 4, described device includes:Acquiring unit 41, the first determining unit 42, the One judging unit 43 and the second determining unit 44, wherein,
Described acquiring unit 41, for obtaining the access request of client transmission;
Described first determining unit 42, for determining the IP address of described client and described visitor according to described access request The IP address of the domain name resolution server that family end uses;
Described first judging unit 43, for judging the IP address of described client and the IP of domain name resolution server Whether address is in Same Physical network;
Described second determining unit 44, for judging the IP address of described client and described in described first judging unit During the physical network difference that the IP address of domain name resolution server is located, determine that the IP address of described client is Agent IP Address.
Optionally, in another embodiment, on the basis of above-described embodiment, described device also includes this embodiment:Record Unit 51, the second judging unit 52 and the 3rd determining unit 53, its structural representation as shown in figure 5, wherein,
Described recording unit 51, for judging the IP address of described client and described domain in described first judging unit 43 During the physical network difference that the IP address of name resolution server is located, record the corresponding domain name of IP address of described client The quantity of the IP address of resolution server;
Whether described second judging unit 52, for judging the described quantity of described recording unit 51 record more than default threshold Value;
Described 3rd determining unit 53, for described second judging unit 52 judge described data be more than predetermined threshold value when, The IP address being more than the client of predetermined threshold value described in determining is agent IP address.
Optionally, in another embodiment, on the basis of above-described embodiment, described device can also include this embodiment: Also include:4th determining unit 61, its structural representation as shown in fig. 6, wherein,
Described 4th determining unit 61, for judging IP address and the institute of described client in described first judging unit 43 State domain name resolution server IP address place Same Physical network when, determine described client IP address be normal IP Address;Or judge that described quantity is not more than described predetermined threshold value in described second judging unit 52, determine described quantity not It is agent IP address more than the IP address of the client of described predetermined threshold value.
Optionally, the embodiment of the present invention also provides a kind of device of identification agent Internet protocol IP address, and its structure is shown It is intended to as shown in fig. 7, described device includes:Acquiring unit 71, the first determining unit 72, statistic unit 73, judge Unit 74 and the second determining unit 75, wherein,
Described acquiring unit 71, for obtaining the access request of multiple client transmission;
Described first determining unit 72, for determining IP address and the institute of each client according to each described access request State the IP address of the domain name resolution server of each client use;
Described statistic unit 73, for counting and recording the corresponding domain name resolution service of IP address of each client described The quantity of the IP address of device;
Described judging unit 74, whether the described quantity for judging described statistic unit 73 statistics is more than predetermined threshold value;
Described second determining unit 75, for described judging unit 74 judge described quantity be more than predetermined threshold value when, really The IP address that fixed described quantity is more than the client of predetermined threshold value is agent IP address.
Optionally, in another embodiment, in the above-described embodiments, described device also includes this embodiment:3rd determination Unit 81, its structural representation as shown in figure 8, wherein,
In described judging unit 74, described 3rd determining unit 81, for judging that described quantity is less than or equal to described default threshold During value, determine that the IP address that described quantity is less than or equal to the client of described predetermined threshold value is normal IP address.
In described device, the process of realizing of the function of unit and effect refers to the realization corresponding to step in said method Journey, will not be described here.
Accordingly, the embodiment of the present invention also provides a kind of server, and described server includes:Transceiver and processor, its In,
Described transceiver, for obtaining the access request of multiple client transmission;
Described processor, IP address and described client for determining described client according to described access request use Domain name resolution server IP address;And judging the IP address of described client and domain name resolution server During the physical network difference that IP address is located, determine that the IP address of described client is agent IP address.
Optionally, described processor, is additionally operable in the IP address determining described client and domain name resolution server The physical network that is located of IP address different when, record the corresponding domain name resolution server of IP address of described client The quantity of IP address;And when judging that described quantity is more than predetermined threshold value, determine that described quantity is more than the client of predetermined threshold value The IP address at end is agent IP address.
Optionally, described processor, is additionally operable in the IP address judging described client and domain name resolution server IP address place Same Physical network when, determine described client IP address be normal IP address;Or judging When described quantity is not more than described predetermined threshold value, determine that described quantity is not more than the IP address of the client of described predetermined threshold value For agent IP address.
Accordingly, the embodiment of the present invention also provides a kind of server, and described server includes:Transceiver and processor, its In, described transceiver, for obtaining the access request of multiple client transmission;
Described processor, for determining the IP address of each client and each visitor described according to each described access request The IP address of the domain name resolution server that family end uses;
Described transceiver, is additionally operable to count the IP ground of the corresponding domain name resolution server of IP address of each client described The quantity of location;
Described processor, is additionally operable to be more than predetermined threshold value it is determined that described quantity is more than the visitor of predetermined threshold value in described quantity The IP address at family end is agent IP address;It is less than or equal to described predetermined threshold value in described quantity it is determined that described quantity is little In the client equal to described predetermined threshold value IP address be normal IP address.
The embodiment of the present invention also provides a kind of server, and its structural representation is as shown in figure 9, described server 900 includes: Processor 910, memory 920, transceiver 930 and bus 940;
Wherein, described processor 910, memory 920, transceiver 930 are connected with each other by bus 940;Bus 940 Can be isa bus, pci bus or eisa bus etc..Described bus can be divided into address bus, data/address bus, control Bus processed etc..For ease of representing, only represented with a thick line in Fig. 9, it is not intended that only one bus or a species The bus of type.
Memory 920, is used for depositing program.Specifically, program can include program code, and described program code includes Computer-managed instruction.Memory 920 may comprise high-speed RAM memory it is also possible to also include nonvolatile memory (non-volatile memory), for example, at least one magnetic disc store.
Transceiver 930 is used for connecting other equipment, and is communicated with other equipment.Specifically described transceiver 930 can For:Obtain the access request that client sends;
Described processor 910 executes the described program code of storage in memory 920, specifically for being asked according to described access Seek the IP address of the domain name resolution server of the IP address determining described client and the use of described client;If it is determined that The IP address of described client different with the physical network that the IP address of domain name resolution server is located it is determined that institute The IP address stating client is agent IP address.
Alternatively, described processor 910 is additionally operable to:In the IP address judging described client and domain name parsing clothes During the physical network difference that the IP address of business device is located, record the corresponding domain name resolution service of IP address of described client The quantity of the IP address of device;And when judging that described quantity is more than predetermined threshold value, determine that described quantity is more than predetermined threshold value The IP address of client is agent IP address.
Alternatively, described processor 910 is additionally operable to:In the IP address judging described client and domain name parsing clothes During the IP address place Same Physical network of business device, determine that the IP address of described client is normal IP address, Yi Ji When judging that described quantity is not more than described predetermined threshold value, determine that described quantity is not more than the IP of the client of described predetermined threshold value Address is agent IP address.
In order to make it easy to understand, to be illustrated with specific application example below.
As shown in Figure 10, be a kind of application example provided in an embodiment of the present invention structural representation, as shown in Figure 10, Including client ClientIP, and the dns server that ClientIP uses is DNS1-IP, proxy server ProxyIP, And the dns server that ProxyIP uses is DNS2-IP;Alipay server, the present embodiment is with Alipay server As a example, but in actual applications however it is not limited to this.
Under normal circumstances, the dns server that ClientIP uses is DNS1-IP;The dns server that ProxyIP uses For DNS2-IP.
As agency, because ClientIP employs the agency service of ProxyIP, thus under this situation, The dns server that ProxyIP collects the use of ClientIP is DNS1-IP, and the DNS1-IP of collection is its DNS Server.
For Alipay server, the access of ProxyIP is used to ask when Alipay server receives ClientIP When asking, determine the IP address (i.e. the IP address of ProxyIP) of described client according to described access request, by collection The domain name resolution server obtaining ClientIP use is the DNS1-IP of ClientIP, and the IP address due to client is The IP address of ProxyIP, and the domain name resolution server of client is DNS1-IP, the two no longer Same Physical network, Hence, it can be determined that this client is using agency, thus identifying that this uses the user of this client is malicious user.
That is, in the embodiment of the present invention, the user equipment of access network, it is required for making when accessing Internet resources With an Internet basic service, DNS service.Normal users can access network by the dns server of oneself; And some malicious users generally to be hidden the real IP of oneself by agency and to access network.But generally, hide and use Although family can hide real IP, and cannot change the IP address of the dns server that real IP is used.The present invention is real Apply in example, first determine the IP address of described client and the IP address of the domain name resolution server of described client use, And judge that the IP address of the IP address of described client and domain name resolution server, whether in Same Physical network, is come Whether the IP address determining described client is agent IP address, thus identifying that whether the user using this client is Malicious user.
Under normal circumstances, because proxy server generally faces internet users, therefore, using acting on behalf of ProxyIP User be dispersed in different physical networks, the dns server of each physical network can be collected as ProxyIP Dns server.This will be much more than the situation of normal 10 dns servers, certainly however it is not limited to this 10, Accommodation can be carried out according to actual.
That is, for the user using agency, because the user using this agency disperses very much, therefore passing through should The DNS quantity that IP obtains can be much more than normal users.It is based on this point, we can adopt according on certain IP The user integrating using dns server quantity assert the IP of client whether as agency.
Those skilled in the art can be understood that technology in the embodiment of the present invention can be by software plus necessary The mode of general hardware platform is realizing.Based on such understanding, the technical scheme in the embodiment of the present invention substantially or Say that what prior art was contributed partly can be embodied in the form of software product, this computer software product is permissible It is stored in storage medium, such as ROM/RAM, magnetic disc, CD etc., including some instructions with so that a computer sets Standby (can be personal computer, server, or network equipment etc.) execution each embodiment of the present invention or embodiment Some partly described methods.
Each embodiment in this specification is all described by the way of going forward one by one, identical similar part between each embodiment Mutually referring to what each embodiment stressed is the difference with other embodiment.Especially for system For embodiment, because it is substantially similar to embodiment of the method, so description is fairly simple, referring to method in place of correlation The part of embodiment illustrates.
Invention described above embodiment, does not constitute limiting the scope of the present invention.Any the present invention's Modification, equivalent and improvement made within spirit and principle etc., should be included within the scope of the present invention.

Claims (10)

1. a kind of method of identification agent Internet protocol IP address is it is characterised in that include:
Obtain the access request that client sends;
The domain name resolution server that the IP address of described client and described client use is determined according to described access request IP address;
Judge physical network that the IP address of the IP address of described client and domain name resolution server is located whether phase With if it is different, then determining that the IP address of described client is agent IP address.
2. method according to claim 1 is it is characterised in that judging the IP address of described client and described During the physical network difference that the IP address of domain name resolution server is located, also include:
Record the quantity of the IP address of the corresponding domain name resolution server of IP address of described client;
If it is determined that described quantity is more than predetermined threshold value it is determined that described quantity is more than the IP ground of the client of predetermined threshold value Location is agent IP address.
3. method according to claim 2 is it is characterised in that also include:
If it is determined that the IP address of the IP address of described client and domain name resolution server is in Same Physical network In it is determined that described client IP address be normal IP address;Or
If it is determined that described quantity is not more than described predetermined threshold value it is determined that the IP address of described client is Agent IP ground Location, specially:Determine that the IP address that described quantity is not more than the client of described predetermined threshold value is agent IP address.
4. a kind of method of identification agent Internet protocol IP address is it is characterised in that include:
Obtain the access request that multiple client sends;
The domain name solution that the IP address of each client and each client described use is determined according to each described access request The IP address of analysis server;
Count and record the quantity of the IP address of the corresponding domain name resolution server of IP address of each client described;
If described quantity is more than predetermined threshold value it is determined that the IP address that described quantity is more than the client of predetermined threshold value is Agent IP address.
5. method according to claim 4 is it is characterised in that also include:
If described quantity is less than or equal to described predetermined threshold value it is determined that described quantity is less than or equal to the visitor of described predetermined threshold value The IP address at family end is normal IP address.
6. a kind of device of identification agent Internet protocol IP address is it is characterised in that include:
Acquiring unit, for obtaining the access request of client transmission;
First determining unit, IP address and described client for determining described client according to described access request make The IP address of domain name resolution server;
First judging unit, for judging the IP address of described client and the IP address institute of domain name resolution server Physical network whether identical;
Second determining unit, for judging IP address and the domain name solution of described client in described first judging unit During the physical network difference that the IP address of analysis server is located, determine that the IP address of described client is agent IP address.
7. device according to claim 6 is it is characterised in that also include:
Recording unit, for judging IP address and the domain name parsing clothes of described client in described first judging unit During the physical network difference that the IP address of business device is located, record the corresponding domain name resolution service of IP address of described client The quantity of the IP address of device;
Second judging unit, whether the described quantity for judging described recording unit records is more than predetermined threshold value;
3rd determining unit, for when described second judging unit judges that described data is more than predetermined threshold value, determining described It is agent IP address more than the IP address of the client of predetermined threshold value.
8. device according to claim 7 is it is characterised in that also include:
4th determining unit, for judging IP address and the domain name solution of described client in described first judging unit During the IP address place Same Physical network of analysis server, determine that the IP address of described client is normal IP address;Or In described second judging unit, person judges that described quantity is not more than described predetermined threshold value, determine that described quantity is not more than described pre- If the IP address of the client of threshold value is agent IP address.
9. a kind of device of identification agent Internet protocol IP address is it is characterised in that include:
Acquiring unit, for obtaining the access request of multiple client transmission;
First determining unit, for determined according to each described access request each client IP address and described each The IP address of the domain name resolution server that client uses;
Statistic unit, for count and record each client described the corresponding domain name resolution server of IP address IP The quantity of address;
Judging unit, whether the described quantity for judging described statistic unit statistics is more than predetermined threshold value;
Second determining unit, for when described judging unit judges that described quantity is more than predetermined threshold value, determining described quantity It is agent IP address more than the IP address of the client of predetermined threshold value.
10. device according to claim 9 is it is characterised in that also include:
3rd determining unit, for when described judging unit judges that described quantity is less than or equal to described predetermined threshold value, determining The IP address that described quantity is less than or equal to the client of described predetermined threshold value is normal IP address.
CN201510458585.6A 2015-07-30 2015-07-30 Method and device for identifying proxy internet protocol address Active CN106411819B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510458585.6A CN106411819B (en) 2015-07-30 2015-07-30 Method and device for identifying proxy internet protocol address

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510458585.6A CN106411819B (en) 2015-07-30 2015-07-30 Method and device for identifying proxy internet protocol address

Publications (2)

Publication Number Publication Date
CN106411819A true CN106411819A (en) 2017-02-15
CN106411819B CN106411819B (en) 2020-09-11

Family

ID=58009151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510458585.6A Active CN106411819B (en) 2015-07-30 2015-07-30 Method and device for identifying proxy internet protocol address

Country Status (1)

Country Link
CN (1) CN106411819B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106888222A (en) * 2017-04-24 2017-06-23 中国工商银行股份有限公司 A kind of monitoring method and device for preventing malice safety detection activity
CN110198248A (en) * 2018-02-26 2019-09-03 北京京东尚科信息技术有限公司 The method and apparatus for detecting IP address
CN111064827A (en) * 2020-03-18 2020-04-24 同盾控股有限公司 Agent detection method, device, equipment and medium based on domain name generic resolution
CN111953810A (en) * 2020-08-03 2020-11-17 腾讯科技(深圳)有限公司 Method, apparatus and storage medium for identifying proxy internet protocol address
CN113489738A (en) * 2021-07-15 2021-10-08 恒安嘉新(北京)科技股份公司 Violation handling method, device, equipment and medium for broadband account

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service
CN102868773A (en) * 2012-08-22 2013-01-09 北京奇虎科技有限公司 Method, device and system for detecting domain name system (DNS) black hole hijack
US8411650B2 (en) * 2005-04-18 2013-04-02 Cisco Technology, Inc. Method and system for providing virtual private network services through a mobile IP home agent
CN103051742A (en) * 2012-12-20 2013-04-17 新浪网技术(中国)有限公司 IP (Internet Protocol) address attribute determining method, page processing method, relevant equipment and system
WO2013143403A1 (en) * 2012-03-31 2013-10-03 北京奇虎科技有限公司 Method and system for accessing website
CN103379099A (en) * 2012-04-19 2013-10-30 阿里巴巴集团控股有限公司 Hostile attack identification method and system
CN104424433A (en) * 2013-08-22 2015-03-18 腾讯科技(深圳)有限公司 Anti-cheating method and anti-cheating system of application program

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8411650B2 (en) * 2005-04-18 2013-04-02 Cisco Technology, Inc. Method and system for providing virtual private network services through a mobile IP home agent
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service
WO2013143403A1 (en) * 2012-03-31 2013-10-03 北京奇虎科技有限公司 Method and system for accessing website
CN103379099A (en) * 2012-04-19 2013-10-30 阿里巴巴集团控股有限公司 Hostile attack identification method and system
CN102868773A (en) * 2012-08-22 2013-01-09 北京奇虎科技有限公司 Method, device and system for detecting domain name system (DNS) black hole hijack
CN103051742A (en) * 2012-12-20 2013-04-17 新浪网技术(中国)有限公司 IP (Internet Protocol) address attribute determining method, page processing method, relevant equipment and system
CN104424433A (en) * 2013-08-22 2015-03-18 腾讯科技(深圳)有限公司 Anti-cheating method and anti-cheating system of application program

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106888222A (en) * 2017-04-24 2017-06-23 中国工商银行股份有限公司 A kind of monitoring method and device for preventing malice safety detection activity
CN106888222B (en) * 2017-04-24 2020-08-18 中国工商银行股份有限公司 Monitoring method and device for preventing malicious security detection activities
CN110198248A (en) * 2018-02-26 2019-09-03 北京京东尚科信息技术有限公司 The method and apparatus for detecting IP address
CN110198248B (en) * 2018-02-26 2022-04-26 北京京东尚科信息技术有限公司 Method and device for detecting IP address
CN111064827A (en) * 2020-03-18 2020-04-24 同盾控股有限公司 Agent detection method, device, equipment and medium based on domain name generic resolution
CN111953810A (en) * 2020-08-03 2020-11-17 腾讯科技(深圳)有限公司 Method, apparatus and storage medium for identifying proxy internet protocol address
CN111953810B (en) * 2020-08-03 2023-05-19 腾讯科技(深圳)有限公司 Method, device and storage medium for identifying proxy internet protocol address
CN113489738A (en) * 2021-07-15 2021-10-08 恒安嘉新(北京)科技股份公司 Violation handling method, device, equipment and medium for broadband account
CN113489738B (en) * 2021-07-15 2023-05-30 恒安嘉新(北京)科技股份公司 Method, device, equipment and medium for processing violations of broadband account

Also Published As

Publication number Publication date
CN106411819B (en) 2020-09-11

Similar Documents

Publication Publication Date Title
CN106068639B (en) The Transparent Proxy certification handled by DNS
CN108259425A (en) The determining method, apparatus and server of query-attack
US8874695B2 (en) Web access using cross-domain cookies
US8122493B2 (en) Firewall based on domain names
CN107251528B (en) Method and apparatus for providing data originating within a service provider network
CN102884764B (en) Message receiving method, deep packet inspection device, and system
CN102571547B (en) Method and device for controlling hyper text transport protocol (HTTP) traffic
Radu et al. Consolidation in the DNS resolver market–how much, how fast, how dangerous?
US20080263626A1 (en) Method and system for logging a network communication event
CN104168316B (en) A kind of Webpage access control method, gateway
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
US9021085B1 (en) Method and system for web filtering
CN102055813A (en) Access controlling method for network application and device thereof
CN105228140A (en) A kind of data access method and device
CN109241733A (en) Crawler Activity recognition method and device based on web access log
KR101127246B1 (en) Method of identifying terminals which share an ip address and apparatus thereof
CN108063833A (en) HTTP dns resolutions message processing method and device
CN111818075A (en) Illegal external connection detection method, device, equipment and storage medium
CN109617753A (en) A kind of platform management method, system and electronic equipment and storage medium
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
CN101599857A (en) Detect method, device and the network measuring system that inserts number of host of sharing
CN104639387A (en) Users' network behavior tracking method and equipment
CN114466054A (en) Data processing method, device, equipment and computer readable storage medium
EP3789890A1 (en) Fully qualified domain name (fqdn) determination
US20230254281A1 (en) Local network device connection control

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200921

Address after: Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200921

Address after: Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: Grand Cayman Islands

Patentee before: Alibaba Group Holding Ltd.

TR01 Transfer of patent right