CN106411819B - Method and device for identifying proxy internet protocol address - Google Patents


Publication number: CN106411819B
Authority: CN (China)
Prior art keywords: address, client, domain name, name resolution, resolution server
Legal status: Active
Application number: CN201510458585.6A
Other languages: Chinese (zh)
Other versions: CN106411819A (en)
Inventor: 王伟
Current Assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Original Assignee: Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method and a device for identifying proxy Internet Protocol (IP) addresses. The method comprises the following steps: acquiring an access request sent by a client; determining, according to the access request, the IP address of the client and the IP address of the domain name resolution server used by the client; and judging whether the IP address of the client and the IP address of the domain name resolution server are in the same physical network, and if not, determining that the IP address of the client is a proxy IP address. In the embodiment of the invention, whether the client is a proxy client is determined by comparing whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network, so that whether the user of the client is a malicious user is determined, reducing the risk-control problem.

Description

Method and device for identifying proxy internet protocol address
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method and an apparatus for identifying an Internet Protocol (IP) address.
Background
With the rapid development of network technology, the area covered by some operators is larger and larger. Proxy servers are well known and used by most netizens as a ubiquitous internet application. However, some malicious users intentionally hide their own IP address (i.e., the real source) to prevent tracking, by accessing a proxy server first and then the target site.
In the prior art, to identify malicious users who hide their own IP address, the usual test is whether the geographic location of the IP addresses used by a user shows a long-distance move within a short time (i.e., instantaneous movement). For example, a user visits through an IP address in Shanghai at one minute and through an IP address in Gansu one minute later. This indicates that the user is a malicious user, because such a long-distance move within so short a time is unlikely in reality; the user is therefore determined to be using a proxy, and hence to pose a certain risk.
However, as operators cover larger and larger areas, the allocation and use of IP addresses also spans a large number of administrative areas, and judging whether a user is malicious by whether the geographic location of the user's IP addresses moves a long distance in a short time is gradually becoming ineffective. After stealing an account, a malicious user can look up the IP address commonly used by the stolen account and then select a proxy server in the same city as that IP address to access the website, which makes risk control harder. Therefore, how to effectively identify malicious users accessing the network is a technical problem to be solved at present.
Disclosure of Invention
The embodiment of the invention provides a method and a device for identifying proxy Internet protocol addresses, which are used for effectively identifying malicious users accessing a network and reducing the risk control problem of the users.
In order to solve the technical problem, the embodiment of the invention discloses the following technical scheme:
A first aspect provides a method of identifying a proxy Internet Protocol (IP) address, comprising:
acquiring an access request sent by a client;
determining the IP address of the client and the IP address of a domain name resolution server used by the client according to the access request;
and judging whether the IP address of the client and the IP address of the domain name resolution server are in the same physical network, and if not, determining that the IP address of the client is a proxy IP address.
Optionally, when it is determined that the physical network where the IP address of the client is located is different from the physical network where the IP address of the domain name resolution server is located, the method further includes:
recording the number of IP addresses of domain name resolution servers corresponding to the IP address of the client;
and if the number is judged to be larger than the preset threshold value, determining the IP addresses of the clients whose number is larger than the preset threshold value as proxy IP addresses.
Optionally, the method further includes:
if the IP address of the client and the IP address of the domain name resolution server are judged to be in the same physical network, determining the IP address of the client to be a normal IP address; or
if the number is judged to be not larger than the preset threshold value, determining that the IP address of the client is a normal IP address, specifically: determining the IP addresses of the clients whose number is not greater than the preset threshold value as normal IP addresses.
A second aspect provides a method of identifying a proxy Internet Protocol (IP) address, comprising:
acquiring access requests sent by a plurality of clients;
determining the IP address of each client and the IP address of a domain name resolution server used by each client according to each access request;
counting and recording the number of the IP addresses of the domain name resolution server corresponding to the IP address of each client;
and if the number is larger than a preset threshold value, determining that the IP addresses of the clients of which the number is larger than the preset threshold value are proxy IP addresses.
Optionally, the method further includes:
and if the number is less than or equal to the preset threshold, determining that the IP addresses of the clients of which the number is less than or equal to the preset threshold are normal IP addresses.
A third aspect provides an apparatus for identifying a proxy Internet Protocol (IP) address, comprising:
the acquisition unit is used for acquiring an access request sent by a client;
a first determining unit, configured to determine, according to the access request, an IP address of the client and an IP address of a domain name resolution server used by the client;
the first judging unit is used for judging whether the physical network where the IP address of the client and the IP address of the domain name resolution server are located is the same or not;
and the second determining unit is used for determining that the IP address of the client is the proxy IP address when the first judging unit judges that the physical network where the IP address of the client and the IP address of the domain name resolution server are located are different.
Optionally, the apparatus further includes:
the recording unit is used for recording the number of IP addresses of domain name resolution servers corresponding to the IP address of the client when the first judging unit judges that the physical networks where the IP address of the client and the IP address of the domain name resolution server are located are different;
a second judging unit, configured to judge whether the number recorded by the recording unit is greater than a preset threshold;
and a third determining unit, configured to determine, when the second judging unit judges that the number is greater than the preset threshold, that the IP address of the client whose number is greater than the preset threshold is the proxy IP address.
Optionally, the apparatus further includes:
a fourth determining unit, configured to determine that the IP address of the client is a normal IP address when the first judging unit judges that the physical network where the IP address of the client is located is the same as the physical network where the IP address of the domain name resolution server is located; or, when the second judging unit judges that the number is not greater than the preset threshold value, to determine the IP addresses of the clients whose number is not greater than the preset threshold value as normal IP addresses.
A fourth aspect provides an apparatus for identifying a proxy Internet Protocol (IP) address, comprising:
the acquisition unit is used for acquiring access requests sent by a plurality of clients;
a first determining unit, configured to determine, according to each access request, an IP address of each client and an IP address of a domain name resolution server used by each client;
the counting unit is used for counting and recording the number of the IP addresses of the domain name resolution server corresponding to the IP address of each client;
the judging unit is used for judging whether the number counted by the counting unit is larger than a preset threshold value or not;
and the second determining unit is used for determining the IP addresses of the clients of which the number is greater than the preset threshold value as proxy IP addresses when the judging unit judges that the number is greater than the preset threshold value.
Optionally, the apparatus further includes:
and a third determining unit, configured to determine, when the determining unit determines that the number is smaller than or equal to the preset threshold, that the IP address of the client whose number is smaller than or equal to the preset threshold is a normal IP address.
According to the technical scheme, whether the client is a proxy client is determined by comparing whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network, so that whether the user of the client is a malicious user is determined, reducing the risk-control problem.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a flowchart of a method for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 2 is another flowchart of a method for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 3 is another flowchart of a method for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an apparatus for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 5 is another schematic structural diagram of an apparatus for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an apparatus for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 7 is another schematic structural diagram of an apparatus for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 8 is another schematic structural diagram of an apparatus for identifying a proxy IP address according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an identification server according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an application example provided in the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used to describe various information in embodiments of the present invention, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be termed a second message without departing from the scope of embodiments of the present invention, and without necessarily requiring or implying any such actual relationship or order between such entities or operations. Similarly, the second information may also be referred to as the first information. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for identifying a proxy IP address according to an embodiment of the present invention; the method comprises the following steps:
Step 101: acquiring an access request sent by a client;
The client sends an access request to a background server (e.g., a web server, a payment server, etc.). The access request may include the IP address of the client and the IP address of the domain name resolution server used by the client and, of course, may also include other information, which is not limited in this embodiment.
In this embodiment, the access request may be a Hypertext Transfer Protocol (HTTP) request and/or a SOCKS (firewall security session transfer protocol) request. Of course, other kinds of request may be used as needed, and the embodiment is not limited.
Step 102: determining an IP address of the client and an IP address of a Domain Name Server (DNS) used by the client according to the access request;
The background server parses the received access request to obtain the IP address of the client, and acquires, according to the access request, the IP address of the DNS used when the client accesses the network.
In this embodiment, the IP address of the client may correspond to an IP address of one DNS or may correspond to IP addresses of multiple DNS, which is not limited in this embodiment.
The DNS helps a user find a path on the Internet. Each computer on the Internet has a unique address, called an IP address; because a user accessing the Internet does so through a client installed on a computer, the IP address of the computer is the IP address of the client. Because IP addresses (strings of numbers) are inconvenient to remember, DNS allows users to replace them with a string of ordinary letters (i.e., a "domain name").
On the Internet, domain names correspond to IP addresses one to one. Although domain names are convenient for people to remember, machines can only recognize each other by IP address; the conversion between the two is called domain name resolution, and it must be completed by a dedicated domain name resolution server. A domain name must correspond to an IP address, i.e., the IP address of the DNS, whereas an IP address does not necessarily correspond to only one domain name.
Step 103: judging whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network, and if they are not (i.e., the two IP addresses are not in the same physical network), determining that the IP address of the client is a proxy IP address.
In this embodiment, a Physical Network (PN) is a network formed by connecting various physical devices (such as hosts, routers, switches, etc.) and media (optical cables, twisted pairs, etc.) in the network.
The background server judges whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network as follows:
judging whether the first three octets, i.e., the part selected by the subnet mask, of the IP address of the client and of the IP address of the domain name resolution server are the same; if so, the client and the domain name resolution server are in the same physical network; otherwise, they are in different physical networks, i.e., not in the same physical network.
The subnet mask divides an IP address into the network number and the host number. If the network numbers are the same, the IP addresses are in the same local area network. The first three octets being the same means the networks are the same: for example, 192.168.0.1 and 192.168.0.7 are in the same physical network, as long as the last octet is less than 255 and is not repeated.
If the IP address of the client is a proxy IP address, the client has hidden its own IP address and is using a proxy, which confirms that the user of the client is a malicious user, i.e., a user who poses a risk.
In the embodiment of the invention, whether the client is a proxy client is determined by comparing whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network, so that whether the user of the client is a malicious user is determined, reducing the risk-control problem.
Referring to fig. 2, fig. 2 is another flowchart of a method for identifying a proxy internet protocol IP address according to an embodiment of the present invention, where the method includes:
Step 201: acquiring an access request sent by a client;
Step 201 is the same as step 101, which is described in detail above.
Step 202: determining the IP address of the client and the IP address of a domain name resolution server used by the client according to the access request;
Step 202 is the same as step 102, which is described in detail above.
Step 203: judging whether the IP address of the client and the IP address of the domain name resolution server are in the same physical network; if not, executing step 204; otherwise, going to step 207;
The judging process is described in detail under step 103 above and is not repeated here.
Step 204: recording the number of IP addresses of domain name resolution servers corresponding to the IP address of the client;
In this step, when the background server determines that the IP address of the client and the IP address of the domain name resolution server are not in the same physical network, it adds 1 to the recorded number of IP addresses of domain name resolution servers corresponding to the IP address of the client; that is, this number is recorded for each client IP address that is not in the same physical network as its domain name resolution server.
Step 205: judging whether the number is larger than a preset threshold value; if so, executing step 206; otherwise, going to step 207;
The preset threshold may be set according to an empirical value, for example any number from 10 to 15. Of course, it may also be adjusted according to actual needs, for example to 20 or 5, and the present embodiment is not limited. In general, if it is desired to improve the accuracy of the determination result, the preset threshold is set larger; otherwise, it is set smaller.
Step 206: determining the IP addresses of the clients whose number is greater than the preset threshold value as proxy IP addresses;
In this step, a client whose number is greater than the preset threshold is determined to be a proxy client, so that the user of the client is determined to be a malicious user or a user who poses a risk.
Step 207: determining the IP address of the client as a normal IP address.
In this step, if the IP address of the client and the IP address of the domain name resolution server are in the same physical network, or the number of IP addresses of domain name resolution servers is not greater than the preset threshold, the client is determined to be a normal client; that is, the user of the client is a normal user who is not using a proxy, i.e., a safe user.
In the embodiment of the invention, when the IP address of the client and the IP address of the domain name resolution server are judged to be in different physical networks, it is further judged whether the number of IP addresses of domain name resolution servers corresponding to the IP address of the client is greater than a preset threshold value, and if so, the IP address of the client is determined to be a proxy IP address. In this way, whether the user of the client is a malicious user is further determined, reducing the risk-control problem.
Referring to fig. 3, fig. 3 is another flowchart of a method for identifying a proxy internet protocol IP address according to an embodiment of the present invention, where the method includes:
Step 301: acquiring access requests sent by a plurality of clients;
The access request sent by each client may be a Hypertext Transfer Protocol (HTTP) request and/or a SOCKS (firewall security session transfer protocol) request. Of course, other kinds of request may also be included as appropriate, and the embodiment is not limited thereto.
The access request sent by each of the multiple clients can be obtained in various ways: for example, the access requests can be obtained in real time, or they can be obtained from the information recorded in the access log. Of course, the present embodiment is not limited to these two ways.
Step 302: determining the IP address of each client and the IP address of a domain name resolution server used by each client according to each access request;
In this step, the access request sent by each client is parsed to obtain the IP address of each client, and the IP address of the domain name resolution server used when each client accesses the network is acquired according to the access request of each client.
Step 303: counting and recording the number of the IP addresses of the domain name resolution server used by each client;
In this step, each client may use one or more domain name resolution servers. Correspondingly, the same domain name resolution server may correspond to one client, or may correspond to a plurality of clients.
That is, a normal client may correspond to one or several domain name resolution servers.
In this embodiment, the number of domain name resolution servers corresponding to each client needs to be counted.
Step 304: if the number is larger than a preset threshold value, determining that the IP addresses of the clients whose number is larger than the preset threshold value are proxy IP addresses.
In this step, the preset threshold is usually set to 10. Of course, it may also be adjusted as needed, for example to 15 or to 5, which is not limited in this embodiment.
In this embodiment, when the client uses a proxy, the IP of the client (ClientIP) uses the proxy service of the proxy server IP (ProxyIP); in this case, the DNS1-IP corresponding to the ClientIP is collected as a DNS server of the ProxyIP.
Because a proxy server generally serves a large number of users on the Internet, the users of the proxy ProxyIP are distributed across different physical networks, and the DNS server of each of those physical networks is collected as a DNS server of the ProxyIP. In this case, there will be far more DNS servers than the normal 10. The present embodiment takes 10 as an example, but the present invention is not limited to this.
Optionally, in another embodiment, on the basis of the above embodiment, the method may further include: if the number is less than or equal to the preset threshold, determining that the IP addresses of the clients whose number is less than or equal to the preset threshold are normal IP addresses.
In the embodiment of the invention, the number of IP addresses of domain name resolution servers corresponding to the IP address of the client is counted, and the IP address of a client whose number is greater than a preset threshold value is determined to be a proxy IP address. Whether the user of the client is a malicious user is thereby determined, reducing the risk-control problem.
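The decision procedures of Figs. 1 to 3, run side by side on the same records so that the effect of the threshold on clients that merely use an off-network resolver is visible. This is an added Python example, not code from the patent: the function and class names are hypothetical, the sample addresses are constructed, the (client IP, DNS server IP) pairs are assumed to have been extracted from the access requests already, and the count is taken over distinct resolver addresses.

```python
import ipaddress
from collections import defaultdict

PRESET_THRESHOLD = 10  # the value the description gives as the usual setting


def same_physical_network(client_ip, dns_ip):
    """Step 103 test: the first three octets of both IPv4 addresses match.

    The description's rule is IPv4-only; ipaddress raises ValueError for
    IPv6 or malformed input instead of silently comparing garbage.
    """
    a = ipaddress.IPv4Address(client_ip)
    b = ipaddress.IPv4Address(dns_ip)
    return a.packed[:3] == b.packed[:3]


def classify_fig1(client_ip, dns_ip):
    """Fig. 1: a resolver on a different network is enough to flag a proxy."""
    return "normal" if same_physical_network(client_ip, dns_ip) else "proxy"


class Fig2Classifier:
    """Fig. 2: count off-network resolvers per client before flagging."""

    def __init__(self, threshold=PRESET_THRESHOLD):
        self.threshold = threshold
        # client IP -> set of distinct off-network resolver IPs (assumption:
        # "number of IP addresses" means distinct addresses, not requests)
        self._resolvers = defaultdict(set)

    def observe(self, client_ip, dns_ip):
        if same_physical_network(client_ip, dns_ip):      # step 203 -> 207
            return "normal"
        self._resolvers[client_ip].add(dns_ip)            # step 204
        if len(self._resolvers[client_ip]) > self.threshold:  # step 205
            return "proxy"                                # step 206
        return "normal"                                   # step 207


def classify_fig3(records, threshold=PRESET_THRESHOLD):
    """Fig. 3: batch count of distinct resolvers per client, no network test."""
    resolvers = defaultdict(set)
    for client_ip, dns_ip in records:                     # steps 301-303
        resolvers[client_ip].add(dns_ip)
    return {client: ("proxy" if len(seen) > threshold else "normal")  # step 304
            for client, seen in resolvers.items()}


def build_sample():
    """Constructed (client_ip, dns_ip) pairs; not taken from the patent."""
    records = [
        ("192.0.2.10", "192.0.2.53"),       # resolver on the client's own network
        ("198.51.100.20", "203.0.113.53"),  # single resolver on another network
    ]
    # One address observed with 12 resolvers from 12 different networks,
    # as the description expects for a proxy serving many users.
    records += [("203.0.113.80", f"10.{i}.0.53") for i in range(1, 13)]
    return records


def compare_methods(records, threshold=PRESET_THRESHOLD):
    """Return the latest verdict per client under each of the three flows."""
    fig1, fig2 = {}, {}
    streaming = Fig2Classifier(threshold)
    for client_ip, dns_ip in records:
        fig1[client_ip] = classify_fig1(client_ip, dns_ip)
        fig2[client_ip] = streaming.observe(client_ip, dns_ip)
    return {"fig1": fig1, "fig2": fig2,
            "fig3": classify_fig3(records, threshold)}


if __name__ == "__main__":
    verdicts = compare_methods(build_sample())
    for client in verdicts["fig3"]:
        print(client, {name: result[client] for name, result in verdicts.items()})
```

The client with one off-network resolver is flagged by the Fig. 1 test alone but not by the thresholded flows, which is the false-positive case the counting step exists to absorb.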
Based on the implementation process of the above method, an embodiment of the present invention further provides a device for identifying a proxy internet protocol IP address, a schematic structural diagram of which is shown in fig. 4, where the device includes: an acquisition unit 41, a first determination unit 42, a first judgment unit 43 and a second determination unit 44, wherein,
the obtaining unit 41 is configured to obtain an access request sent by a client;
the first determining unit 42 is configured to determine, according to the access request, an IP address of the client and an IP address of a domain name resolution server used by the client;
the first determining unit 43 is configured to determine whether the IP address of the client and the IP address of the domain name resolution server are in the same physical network;
the second determining unit 44 is configured to determine that the IP address of the client is a proxy IP address when the first judging unit 43 judges that the physical networks where the IP address of the client and the IP address of the domain name resolution server are located are different.
Optionally, in another embodiment, on the basis of the above embodiment, the apparatus further includes: a recording unit 51, a second judging unit 52 and a third determining unit 53, which are schematically shown in fig. 5, wherein,
the recording unit 51 is configured to record the number of IP addresses of the domain name resolution server corresponding to the IP address of the client when the first determining unit 43 determines that the physical networks where the IP address of the client and the IP address of the domain name resolution server are located are different;
the second judging unit 52 is configured to judge whether the number recorded by the recording unit 51 is greater than a preset threshold;
the third determining unit 53 is configured to determine, when the second judging unit 52 judges that the number is greater than the preset threshold, that the IP address of the client whose number is greater than the preset threshold is the proxy IP address.
Optionally, in another embodiment, on the basis of the above embodiment, the apparatus may further include: a fourth determining unit 61, a schematic structural diagram of which is shown in fig. 6, wherein,
the fourth determining unit 61 is configured to determine that the IP address of the client is a normal IP address when the first judging unit 43 judges that the IP address of the client and the IP address of the domain name resolution server are in the same physical network; or, when the second judging unit 52 judges that the number is not greater than the preset threshold, to determine that the IP addresses of the clients whose number is not greater than the preset threshold are normal IP addresses.
Optionally, an embodiment of the present invention further provides a device for identifying a proxy internet protocol IP address, where a schematic structural diagram of the device is shown in fig. 7, and the device includes: an acquisition unit 71, a first determination unit 72, a statistic unit 73, a judgment unit 74, and a second determination unit 75, wherein,
the obtaining unit 71 is configured to obtain access requests sent by multiple clients;
the first determining unit 72 is configured to determine, according to each access request, an IP address of each client and an IP address of a domain name resolution server used by each client;
the counting unit 73 is configured to count and record the number of the IP addresses of the domain name resolution server corresponding to the IP address of each client;
the judging unit 74 is configured to judge whether the number counted by the counting unit 73 is greater than a preset threshold;
the second determining unit 75 is configured to determine, when the judging unit 74 determines that the number is greater than the preset threshold, that the IP address of the client whose number is greater than the preset threshold is a proxy IP address.
Optionally, in another embodiment, on the basis of the above embodiment, the apparatus further includes a third determining unit 81, a schematic structural diagram of which is shown in fig. 8, wherein,
the third determining unit 81 is configured to determine, when the judging unit 74 determines that the number is smaller than or equal to the preset threshold, that the IP address of the client whose number is smaller than or equal to the preset threshold is a normal IP address.
The implementation process of the functions and actions of each unit in the device is detailed in the implementation process of the corresponding step in the method, and is not described herein again.
Correspondingly, an embodiment of the present invention further provides a server, where the server includes: a transceiver and a processor, wherein,
the transceiver is used for acquiring access requests sent by a plurality of clients;
the processor is used for determining the IP address of the client and the IP address of a domain name resolution server used by the client according to the access request; and, when the IP address of the client and the IP address of the domain name resolution server are judged to be different, determining the IP address of the client to be a proxy IP address.
Optionally, the processor is further configured to record the number of IP addresses of the domain name resolution server corresponding to the IP address of the client when it is determined that the physical networks where the IP address of the client and the IP address of the domain name resolution server are located are different; and when the number is judged to be larger than the preset threshold value, determining the IP addresses of the clients of which the number is larger than the preset threshold value as proxy IP addresses.
Optionally, the processor is further configured to determine that the IP address of the client is a normal IP address when it is determined that the IP address of the client and the IP address of the domain name resolution server are in the same physical network; or when the number is judged to be not larger than the preset threshold value, determining the IP addresses of the clients of which the number is not larger than the preset threshold value as proxy IP addresses.
Correspondingly, an embodiment of the present invention further provides a server, where the server includes a transceiver and a processor, wherein the transceiver is used for acquiring access requests sent by a plurality of clients;
the processor is used for determining the IP address of each client and the IP address of the domain name resolution server used by each client according to each access request;
the transceiver is further configured to count the number of IP addresses of the domain name resolution server corresponding to the IP address of each client;
the processor is further configured to determine, when the number is greater than a preset threshold, that the IP address of the client whose number is greater than the preset threshold is a proxy IP address; and, when the number is less than or equal to the preset threshold, to determine that the IP addresses of the clients whose number is less than or equal to the preset threshold are normal IP addresses.
An embodiment of the present invention further provides a server, a schematic structural diagram of which is shown in fig. 9, where the server 900 includes: a processor 910, a memory 920, a transceiver 930, and a bus 940;
wherein the processor 910, the memory 920 and the transceiver 930 are connected to each other via a bus 940; the bus 940 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The memory 920 is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory 920 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The transceiver 930 is used to connect and communicate with other devices. The transceiver 930 may specifically be configured to: acquiring an access request sent by a client;
the processor 910 executes the program code stored in the memory 920, and is specifically configured to determine, according to the access request, the IP address of the client and the IP address of the domain name resolution server used by the client; and, if the IP address of the client and the IP address of the domain name resolution server are in different physical networks, to determine that the IP address of the client is a proxy IP address.
Optionally, the processor 910 is further configured to: when the IP address of the client and the IP address of the domain name resolution server are judged to be in different physical networks, record the number of IP addresses of the domain name resolution server corresponding to the IP address of the client; and, when the number is judged to be larger than the preset threshold, determine the IP addresses of the clients whose number is larger than the preset threshold to be proxy IP addresses.
Optionally, the processor 910 is further configured to: when the IP address of the client and the IP address of the domain name resolution server are judged to be in the same physical network, determine that the IP address of the client is a normal IP address; and, when the number is judged not to be larger than the preset threshold, determine that the IP address of the client whose number is not larger than the preset threshold is a proxy IP address.
For ease of understanding, the following description is given with specific examples of applications.
Fig. 10 is a schematic structural diagram of an application example provided in the embodiment of the present invention. As shown in fig. 10, the application example includes a client ClientIP, whose DNS server is DNS1-IP, and a proxy server ProxyIP, whose DNS server is DNS2-IP. This embodiment takes the Alipay server as an example, but practical applications are not limited to it.
Under normal conditions, the DNS server used by ClientIP is DNS1-IP, and the DNS server used by ProxyIP is DNS2-IP.
In the proxy case, because ClientIP uses the proxy service of ProxyIP, the DNS server collected for ProxyIP is the one used by ClientIP, so DNS1-IP is collected as the DNS server of ProxyIP.
When the Alipay server receives an access request from ClientIP sent through ProxyIP, it determines the IP address of the client from the access request (namely, the IP address of ProxyIP) and collects DNS1-IP as the domain name resolution server used by ClientIP. Because the client IP address is that of ProxyIP while the client's domain name resolution server is DNS1-IP, the two are not in the same physical network; it can therefore be determined that the client uses a proxy, and the user of the client is identified as a malicious user.
That is to say, in the embodiment of the present invention, user equipment accessing the network needs a basic internet service, the DNS service, when it accesses internet resources. Normal users access the network through their own DNS server, while some malicious users typically access the network through proxies to hide their real IP. In general, however, although such a user can hide the real IP, the user cannot change the IP address of the DNS server used by the real IP. In the embodiment of the invention, the IP address of the client and the IP address of the domain name resolution server used by the client are determined, and whether the two are in the same physical network is judged in order to determine whether the IP address of the client is a proxy IP address, and thus whether the user of the client is a malicious user.
Generally, because a proxy server serves a large number of users on the internet, the users of the proxy ProxyIP are distributed across different physical networks, and the DNS server of each of those physical networks is collected as a DNS server of ProxyIP. This number is far larger than the normal figure of 10 DNS servers; of course, the figure is not limited to 10 and can be adjusted to the actual situation.
That is, because the users of a proxy are scattered, the number of DNS servers collected for the proxy's IP is much greater than that for a normal user. On this basis, whether a client IP is a proxy can be determined from the number of DNS servers collected for the users behind that IP.
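The decision procedure described above (network comparison first, then a count of distinct resolver addresses per client IP against a preset threshold), as an added Python example that is not taken from the patent. The prefix table, the pre-collected (client IP, resolver IP) pairs and the treatment of unmappable addresses as "different network" are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table standing in for real IP-to-network data
# (assumption; RFC 5737 documentation ranges only).
NETWORKS = {
    ipaddress.ip_network("192.0.2.0/24"): "net-A",
    ipaddress.ip_network("198.51.100.0/24"): "net-B",
    ipaddress.ip_network("203.0.113.0/24"): "net-C",
}


def physical_network(ip):
    """Return the label of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, label) for net, label in NETWORKS.items() if addr in net]
    return max(matches)[1] if matches else None


class ProxyDetector:
    def __init__(self, threshold=10):
        self.threshold = threshold
        # client IP -> distinct resolver IPs seen from a different network
        self.foreign_resolvers = defaultdict(set)

    def observe(self, client_ip, resolver_ip):
        """Judge one access request; returns 'proxy' or 'normal'."""
        client_net = physical_network(client_ip)
        if client_net is not None and client_net == physical_network(resolver_ip):
            return "normal"  # same physical network
        # Different network (or unmappable, treated as different here):
        # record the resolver, then compare the distinct count to the threshold.
        self.foreign_resolvers[client_ip].add(resolver_ip)
        if len(self.foreign_resolvers[client_ip]) > self.threshold:
            return "proxy"
        return "normal"


def classify(observations, threshold=10):
    """Run all requests; a client IP flagged once stays 'proxy' (example's choice)."""
    detector = ProxyDetector(threshold)
    verdicts = {}
    for client_ip, resolver_ip in observations:
        result = detector.observe(client_ip, resolver_ip)
        if verdicts.get(client_ip) != "proxy":
            verdicts[client_ip] = result
    return verdicts


def sample_observations():
    """Constructed (client IP, resolver IP) pairs; not real traffic."""
    obs = [("192.0.2.10", "192.0.2.53")]              # resolver in the same network
    obs += [("198.51.100.20", "203.0.113.53")] * 3    # one off-network resolver, repeated
    # One exit address relaying users whose resolvers sit in two other networks.
    obs += [("203.0.113.7", f"198.51.100.{i}") for i in range(1, 9)]
    obs += [("203.0.113.7", f"192.0.2.{i}") for i in range(1, 4)]
    return obs


if __name__ == "__main__":
    for ip, verdict in classify(sample_observations()).items():
        print(ip, verdict)
```

With `threshold=0` the detector reduces to the network comparison alone, which would also flag the constructed client that uses a single resolver outside its own network; the count is what separates that client from the exit address seen with 11 distinct resolvers.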
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above-described embodiments of the present invention do not limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (2)

1. A method of identifying a proxy internet protocol, IP, address, comprising:
acquiring an access request sent by a client;
determining the IP address of the client and the IP address of a domain name resolution server used by the client according to the access request;
judging whether the physical network where the IP address of the client and the IP address of the domain name resolution server are located is the same or not, and if the IP address of the client and the IP address of the domain name resolution server are different, determining that the IP address of the client is a proxy IP address;
when the physical network where the IP address of the client and the IP address of the domain name resolution server are located is determined to be different, the method further includes:
recording the number of the IP addresses of the domain name resolution server corresponding to the IP address of the client;
if the number is judged to be larger than the preset threshold value, determining the IP addresses of the clients of which the number is larger than the preset threshold value as proxy IP addresses;
if the IP address of the client and the IP address of the domain name resolution server are judged to be in the same physical network, determining the IP address of the client to be a normal IP address; or
if the number is not larger than the preset threshold value, determining that the IP address of the client is a normal IP address, specifically: determining the IP addresses of the clients of which the number is not greater than the preset threshold value as normal IP addresses.
2. An apparatus for identifying a proxy internet protocol, IP, address, comprising:
the acquisition unit is used for acquiring an access request sent by a client;
a first determining unit, configured to determine, according to the access request, an IP address of the client and an IP address of a domain name resolution server used by the client;
the first judging unit is used for judging whether the physical network where the IP address of the client and the IP address of the domain name resolution server are located is the same or not;
a second determining unit, configured to determine that the IP address of the client is a proxy IP address when the first judging unit determines that the physical network where the IP address of the client and the IP address of the domain name resolution server are located are different;
the recording unit is used for recording the number of the IP addresses of the domain name resolution servers corresponding to the IP address of the client when the first judging unit judges that the physical networks where the IP address of the client and the IP address of the domain name resolution server are located are different;
a second judging unit, configured to judge whether the number recorded by the recording unit is greater than a preset threshold;
a third determining unit, configured to determine, when the second judging unit determines that the number is greater than a preset threshold, that the IP address of the client greater than the preset threshold is a proxy IP address;
a fourth determining unit, configured to determine that the IP address of the client is a normal IP address when the first determining unit determines that the IP address of the client and the IP address of the domain name resolution server are in the same physical network; or the second judging unit judges that the number is not greater than the preset threshold value, and determines the IP addresses of the clients of which the number is not greater than the preset threshold value to be normal IP addresses.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510458585.6A CN106411819B (en) 2015-07-30 2015-07-30 Method and device for identifying proxy internet protocol address

Publications (2)

Publication Number Publication Date
CN106411819A CN106411819A (en) 2017-02-15
CN106411819B CN106411819B (en) 2020-09-11

Family

ID=58009151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510458585.6A Active CN106411819B (en) 2015-07-30 2015-07-30 Method and device for identifying proxy internet protocol address

Country Status (1)

Country Link
CN (1) CN106411819B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200921

Address after: Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200921

Address after: Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: Grand Cayman Islands

Patentee before: Alibaba Group Holding Ltd.