Disclosure of Invention
The embodiment of the invention provides a method and a device for identifying proxy Internet Protocol addresses, which are used to effectively identify malicious users accessing a network and to reduce the risk-control problem posed by such users.
In order to solve the technical problem, the embodiment of the invention discloses the following technical scheme:
A first aspect provides a method of identifying a proxy Internet Protocol (IP) address, comprising:
acquiring an access request sent by a client;
determining the IP address of the client and the IP address of a domain name resolution server used by the client according to the access request;
and judging whether the IP address of the client and the IP address of the domain name resolution server are located in the same physical network, and if not, determining that the IP address of the client is a proxy IP address.
Optionally, when it is determined that the IP address of the client and the IP address of the domain name resolution server are located in different physical networks, the method further includes:
recording the number of the IP addresses of the domain name resolution server corresponding to the IP address of the client;
and if the number is judged to be larger than a preset threshold value, determining the IP addresses of the clients whose number is larger than the preset threshold value to be proxy IP addresses.
Optionally, the method further includes:
if the IP address of the client and the IP address of the domain name resolution server are judged to be in the same physical network, determining the IP address of the client to be a normal IP address; or
if the number is not larger than the preset threshold value, determining that the IP address of the client is a proxy IP address, specifically: determining the IP addresses of the clients whose number is not greater than the preset threshold value to be proxy IP addresses.
A second aspect provides a method of identifying a proxy Internet Protocol (IP) address, comprising:
acquiring access requests sent by a plurality of clients;
determining the IP address of each client and the IP address of a domain name resolution server used by each client according to each access request;
counting and recording the number of the IP addresses of the domain name resolution server corresponding to the IP address of each client;
and if the number is larger than a preset threshold value, determining that the IP addresses of the clients whose number is larger than the preset threshold value are proxy IP addresses.
Optionally, the method further includes:
and if the number is less than or equal to the preset threshold, determining that the IP addresses of the clients whose number is less than or equal to the preset threshold are normal IP addresses.
A third aspect provides an apparatus for identifying a proxy Internet Protocol (IP) address, comprising:
an acquisition unit, configured to acquire an access request sent by a client;
a first determining unit, configured to determine, according to the access request, an IP address of the client and an IP address of a domain name resolution server used by the client;
a first judging unit, configured to judge whether the IP address of the client and the IP address of the domain name resolution server are located in the same physical network;
and a second determining unit, configured to determine that the IP address of the client is a proxy IP address when the first judging unit judges that the IP address of the client and the IP address of the domain name resolution server are located in different physical networks.
Optionally, the apparatus further includes:
a recording unit, configured to record the number of IP addresses of domain name resolution servers corresponding to the IP address of the client when the first judging unit judges that the IP address of the client and the IP address of the domain name resolution server are located in different physical networks;
a second judging unit, configured to judge whether the number recorded by the recording unit is greater than a preset threshold;
and a third determining unit, configured to determine, when the second judging unit judges that the number is greater than the preset threshold, that the IP addresses of the clients whose number is greater than the preset threshold are proxy IP addresses.
Optionally, the apparatus further includes:
a fourth determining unit, configured to determine that the IP address of the client is a normal IP address when the first judging unit judges that the IP address of the client and the IP address of the domain name resolution server are located in the same physical network; or, when the second judging unit judges that the number is not greater than the preset threshold value, to determine the IP addresses of the clients whose number is not greater than the preset threshold value to be proxy IP addresses.
A fourth aspect provides an apparatus for identifying a proxy Internet Protocol (IP) address, comprising:
an acquisition unit, configured to acquire access requests sent by a plurality of clients;
a first determining unit, configured to determine, according to each access request, an IP address of each client and an IP address of a domain name resolution server used by each client;
a counting unit, configured to count and record the number of IP addresses of the domain name resolution server corresponding to the IP address of each client;
a judging unit, configured to judge whether the number counted by the counting unit is larger than a preset threshold value;
and a second determining unit, configured to determine the IP addresses of the clients whose number is greater than the preset threshold value to be proxy IP addresses when the judging unit judges that the number is greater than the preset threshold value.
Optionally, the apparatus further includes:
a third determining unit, configured to determine, when the judging unit judges that the number is smaller than or equal to the preset threshold, that the IP addresses of the clients whose number is smaller than or equal to the preset threshold are normal IP addresses.
According to the technical scheme, whether the client is a proxy client is determined by comparing whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network; from this it is determined whether the user using the client is a malicious user, and the risk-control problem is reduced.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used to describe various information in embodiments of the present invention, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be termed a second message without departing from the scope of embodiments of the present invention, and without necessarily requiring or implying any such actual relationship or order between such entities or operations. Similarly, the second information may also be referred to as the first information. The word "if" as used herein may be interpreted as "at …" or "when …" or "in response to a determination", depending on the context. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for identifying a proxy IP address according to an embodiment of the present invention; the method comprises the following steps:
Step 101: acquiring an access request sent by a client;
the client sends an access request to a background server (e.g., a web server, a payment server, etc.), where the access request may include the IP address of the client and the IP address of the domain name resolution server used by the client; of course, it may also include other information, which is not limited in this embodiment.
In this embodiment, the access request may be a Hypertext Transfer Protocol (HTTP) request and/or a SOCKS (firewall secure session transfer protocol) request. Of course, other kinds of request may be used as needed, and the embodiment is not limited in this respect.
Step 102: determining an IP address of the client and an IP address of a Domain Name Server (DNS) used by the client according to the access request;
the background server analyzes the received access request to obtain the IP address of the client and acquires the IP address of the DNS used when the client accesses the network according to the access request.
In this embodiment, the IP address of the client may correspond to an IP address of one DNS or may correspond to IP addresses of multiple DNS, which is not limited in this embodiment.
DNS helps a user find the way on the Internet. When a user accesses the Internet, a client has to be installed on the computer, and each computer has a unique address on the Internet, called an IP address; the IP address of that computer is the IP address of the client. Because an IP address (a string of numbers) is inconvenient to remember, DNS lets users replace it with a string of ordinary letters, that is, a "domain name".
On the Internet, domain names correspond to IP addresses one to one. Although domain names are convenient for people to remember, machines only recognise each other by IP address; the conversion between the two is called domain name resolution, and it has to be completed by a dedicated domain name resolution server. A domain name must correspond to an IP address, namely the IP address given by the DNS, while an IP address does not necessarily correspond to only one domain name.
Step 103: judging whether the IP address of the client and the IP address of the domain name resolution server used by the client are located in the same physical network, and if they are different (namely, not in the same physical network), determining that the IP address of the client is a proxy IP address.
In this embodiment, a Physical Network (PN) is a network formed by connecting various physical devices (such as hosts, routers, switches, etc.) and media (optical cables, twisted pairs, etc.) in the network.
The method by which the background server judges whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network comprises the following step:
judging whether the first three octets of the IP address of the client and of the IP address of the domain name resolution server, as selected by the corresponding subnet mask, are the same; if so, the client and the domain name resolution server are in the same physical network, otherwise they are in different physical networks, namely not in the same physical network.
The subnet mask separates the network number from the host number. If the network numbers are the same, the IP addresses are in the same local area network. The first three octets being the same under the subnet mask means that the networks are the same: for example, 192.168.0.1 and 192.168.0.7 are in the same physical network, as long as the last octet is less than 255 and is not repeated.
That the IP address of the client is a proxy IP address means that the client hides its own IP address and uses a proxy; it is thereby confirmed that the user using the client is a malicious user, that is, a user who presents a risk.
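The same-physical-network test of step 103, written out as an added Python example (not code from the patent): the two addresses are masked with 255.255.255.0 and their network numbers compared, which is exactly the "first three octets match" rule above; the `mask` parameter generalises it to other prefix lengths. The sample address pairs and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample pairs (client IP, resolver IP); not taken from the patent.
SAMPLE_PAIRS = [
    ("192.168.0.1", "192.168.0.7"),    # the patent's own example: same /24
    ("192.168.0.1", "192.168.1.7"),    # third octet differs: different network
    ("203.0.113.5", "203.0.113.53"),   # resolver inside the client's /24
    ("203.0.113.5", "8.8.8.8"),        # public resolver outside the client's /24
]


def network_number(ip: str, mask: str = "255.255.255.0") -> str:
    """Apply the subnet mask and return the network number as a dotted quad."""
    addr = ipaddress.IPv4Address(ip)
    netmask = ipaddress.IPv4Address(mask)
    return str(ipaddress.IPv4Address(int(addr) & int(netmask)))


def same_physical_network(client_ip: str, dns_ip: str,
                          mask: str = "255.255.255.0") -> bool:
    """True when both addresses share a network number under `mask`.

    With the default 255.255.255.0 mask this is the patent's test: the first
    three octets of the client IP and the resolver IP must be identical.
    """
    return network_number(client_ip, mask) == network_number(dns_ip, mask)


def classify_by_network(client_ip: str, dns_ip: str,
                        mask: str = "255.255.255.0") -> str:
    """Step 103 verdict: 'normal' on the same physical network, else 'proxy'."""
    return "normal" if same_physical_network(client_ip, dns_ip, mask) else "proxy"


def classify_pairs(pairs, mask: str = "255.255.255.0"):
    """Run the step 103 check over a list of (client IP, resolver IP) pairs."""
    return [(c, d, classify_by_network(c, d, mask)) for c, d in pairs]


if __name__ == "__main__":
    for client, dns, verdict in classify_pairs(SAMPLE_PAIRS):
        print(f"{client:15} {dns:15} -> {verdict}")
```

Note that the last sample pair shows the rule's limit: a client that legitimately uses a public or ISP resolver outside its own /24 is classified as "proxy" by this test alone, which is why the later embodiments add the resolver-count threshold.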
In the embodiment of the invention, whether the client is a proxy client or not is determined by comparing whether the IP address of the client and the IP address of the domain name resolution server used by the client are in the same physical network or not, so that whether a user using the client is a malicious user or not is determined, and risk control is reduced.
Referring to fig. 2, fig. 2 is another flowchart of a method for identifying a proxy internet protocol IP address according to an embodiment of the present invention, where the method includes:
Step 201: acquiring an access request sent by a client;
the step 201 is the same as the step 101, and the details are described above.
Step 202: determining the IP address of the client and the IP address of a domain name resolution server used by the client according to the access request;
step 202 is the same as step 102, and is described in detail above.
Step 203: judging whether the IP address of the client and the IP address of the domain name resolution server are in the same physical network, if not, executing step 204; otherwise, go to step 207;
the process of the determination is described in detail in the above description of step 103, and is not described herein again.
Step 204: recording the number of IP addresses of a domain name resolution server corresponding to the IP of the client;
In this step, for the background server, whenever it is determined that the IP address of the client and the IP address of the domain name resolution server are not in the same physical network, the recorded number of IP addresses of domain name resolution servers corresponding to the IP address of the client is incremented by 1; that is, the number of domain name resolution server IP addresses corresponding to the IP address of the client is recorded, counting each such IP address that is not in the same physical network.
Step 205: judging whether the number is larger than a preset threshold value, if so, executing a step 206; otherwise, go to step 207;
The preset threshold may be set according to an empirical value, for example any number from 10 to 15; of course, the preset threshold may also be adjusted adaptively according to actual needs, for example to 20 or to 5, and the present embodiment is not limited in this respect. In general, if the accuracy of the determination result is to be improved, the preset threshold is set larger; otherwise it is set smaller.
Step 206: determining the IP addresses of the clients of which the number is greater than the preset threshold value as proxy IP addresses;
In this step, the client whose number is greater than the preset threshold is determined to be a proxy client, so that the user using the client is determined to be a malicious user or a user with risk.
Step 207: and determining the IP address of the client as a normal IP address.
In this step, if the IP address of the client and the IP address of the domain name resolution server are in the same physical network, or the number of IP addresses of the domain name resolution server is not greater than the preset threshold, it is determined that the client is a normal client, that is, the user using the client is a normal user who does not use a proxy, that is, a safe user.
In the embodiment of the invention, when the IP address of the client is judged to be different from the physical network where the IP address of the domain name resolution server is located, whether the number of the IP addresses of the domain name resolution server corresponding to the IP of the client is greater than a preset threshold value is further judged, and if so, the IP address of the client is determined to be the proxy IP address. By the method, whether the user using the client is a malicious user or not is further determined, and risk control is reduced.
Referring to fig. 3, fig. 3 is another flowchart of a method for identifying a proxy internet protocol IP address according to an embodiment of the present invention, where the method includes:
Step 301: acquiring access requests sent by a plurality of clients;
the access request sent by each user may be a Hypertext Transfer Protocol (HTTP) request and/or a SOCKS (firewall secure session transfer protocol) request. Of course, other kinds of request may also be included as appropriate, and the embodiment is not limited thereto.
The access request sent by each client in the multiple clients can be obtained in various ways, for example, the access request sent by each client in the multiple clients can be obtained in real time; or the access request sent by each client can be acquired from the information recorded in the access log. Of course, the present embodiment is not limited to these two ways.
Step 302: determining the IP address of each client and the IP address of a domain name resolution server used by each client according to each access request;
In this step, the access request sent by each client is analysed to obtain the IP address of each client, and the IP address of the domain name resolution server used by each client to access the network is acquired according to the access request of each client.
Step 303: counting and recording the number of the IP addresses of the domain name resolution server used by each client;
in this step, there may be one or more domain name resolution servers that can be used by each client. Correspondingly, the same domain name resolution server may correspond to one client, or may correspond to a plurality of clients.
That is, there may be one or several domain name resolution servers corresponding to normal clients.
In this embodiment, the number of domain name resolution servers corresponding to each client needs to be counted.
Step 304: and if the number is larger than a preset threshold value, determining that the IP addresses of the clients of which the number is larger than the preset threshold value are proxy IP addresses.
In this step, the preset threshold is usually set to 10, and of course, the preset threshold may also be adaptively adjusted according to needs, for example, the preset threshold may be set to 15, or may be set to 5, and the like, which is not limited in this embodiment.
In this embodiment, when the client uses a proxy, the client IP (ClientIP) uses the proxy service of the proxy server IP (ProxyIP); in this case the ProxyIP therefore collects the DNS1-IP corresponding to the ClientIP as its own DNS server.
Since a proxy server generally serves a large number of users on the Internet, the users of the proxy ProxyIP are distributed over different physical networks, and the DNS server of each of those physical networks is collected as a DNS server of the ProxyIP. In this case there will be far more than the normal 10 DNS servers. In the present embodiment 10 is taken as an example, but the present invention is not limited to this.
Optionally, in another embodiment, on the basis of the above embodiment, the method may further include: and if the number is less than or equal to the preset threshold, determining that the IP addresses of the clients of which the number is less than or equal to the preset threshold are normal IP addresses.
In the embodiment of the invention, the number of the IP addresses of the domain name resolution server corresponding to the IP address of the client is counted, and the IP address of the client of which the number is greater than a preset threshold value is determined as the proxy IP address. Therefore, whether the user using the client is a malicious user or not is determined, and risk control is reduced.
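The resolver-counting test of steps 303 to 304, and with `foreign_only=True` the step 204 variant of fig. 2 that counts only resolvers outside the client's own /24, as an added Python example rather than code from the patent. The log-line layout, the sample addresses and the function names are assumptions; the count is taken over distinct resolver addresses per client IP.

```python
import ipaddress
from collections import defaultdict

# Constructed access-log lines in an assumed layout:
# "<timestamp> <client_ip> <resolver_ip> <request>". The patent does not
# specify a log format; these records exist only to exercise the functions.
_ordinary = [f"2024-01-01T00:00:{i:02d}Z 203.0.113.5 203.0.113.53 GET /pay"
             for i in range(5)]
_ordinary += ["2024-01-01T00:01:00Z 203.0.113.5 203.0.113.54 GET /pay"]
# One address whose users sit in twelve different networks, each bringing
# its own resolver, i.e. the ProxyIP situation described in the text.
_proxy = [f"2024-01-01T00:02:{i:02d}Z 198.51.100.7 10.{i}.0.53 GET /pay"
          for i in range(12)]
SAMPLE_LOG = "\n".join(_ordinary + _proxy)


def parse_log(text: str):
    """Yield (client_ip, resolver_ip) for each well-formed log line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[1], fields[2]


def in_same_network(a: str, b: str, prefix: int = 24) -> bool:
    """Step 103's check: same network number under a /prefix mask."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def count_resolvers(pairs, foreign_only: bool = False, prefix: int = 24):
    """Step 303: number of distinct resolver IPs seen per client IP.

    With foreign_only=True only resolvers outside the client's own network
    are counted, which is the fig. 2 flow (steps 203 and 204).
    """
    seen = defaultdict(set)
    for client, dns in pairs:
        resolvers = seen[client]          # register the client even if nothing is counted
        if foreign_only and in_same_network(client, dns, prefix):
            continue
        resolvers.add(dns)
    return {client: len(s) for client, s in seen.items()}


def classify(pairs, threshold: int = 10, foreign_only: bool = False):
    """Step 304: 'proxy' when the count exceeds the threshold, else 'normal'."""
    counts = count_resolvers(pairs, foreign_only)
    return {c: ("proxy" if n > threshold else "normal") for c, n in counts.items()}


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    for client, verdict in classify(records).items():
        print(f"{client:15} resolvers={count_resolvers(records)[client]:2d} -> {verdict}")
```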
Based on the implementation process of the above method, an embodiment of the present invention further provides a device for identifying a proxy internet protocol IP address, a schematic structural diagram of which is shown in fig. 4, where the device includes: an acquisition unit 41, a first determination unit 42, a first judgment unit 43 and a second determination unit 44, wherein,
the acquisition unit 41 is configured to acquire an access request sent by a client;
the first determining unit 42 is configured to determine, according to the access request, an IP address of the client and an IP address of a domain name resolution server used by the client;
the first judging unit 43 is configured to judge whether the IP address of the client and the IP address of the domain name resolution server are in the same physical network;
the second determining unit 44 is configured to determine that the IP address of the client is a proxy IP address when the first judging unit 43 judges that the IP address of the client and the IP address of the domain name resolution server are located in different physical networks.
Optionally, in another embodiment, on the basis of the above embodiment, the apparatus further includes: a recording unit 51, a second judging unit 52 and a third determining unit 53, which are schematically shown in fig. 5, wherein,
the recording unit 51 is configured to record the number of IP addresses of the domain name resolution server corresponding to the IP address of the client when the first judging unit 43 judges that the IP address of the client and the IP address of the domain name resolution server are located in different physical networks;
the second judging unit 52 is configured to judge whether the number recorded by the recording unit 51 is greater than a preset threshold;
the third determining unit 53 is configured to determine, when the second judging unit 52 judges that the number is greater than the preset threshold, that the IP addresses of the clients whose number is greater than the preset threshold are proxy IP addresses.
Optionally, in another embodiment, on the basis of the above embodiment, the apparatus may further include a fourth determining unit 61, a schematic structural diagram of which is shown in fig. 6, wherein
the fourth determining unit 61 is configured to determine that the IP address of the client is a normal IP address when the first judging unit 43 judges that the IP address of the client and the IP address of the domain name resolution server are in the same physical network; or, when the second judging unit 52 judges that the number is not greater than the preset threshold, to determine that the IP addresses of the clients whose number is not greater than the preset threshold are proxy IP addresses.
Optionally, an embodiment of the present invention further provides a device for identifying a proxy Internet Protocol (IP) address, a schematic structural diagram of which is shown in fig. 7, where the device includes: an acquisition unit 71, a first determining unit 72, a counting unit 73, a judging unit 74, and a second determining unit 75, wherein
the acquisition unit 71 is configured to acquire access requests sent by multiple clients;
the first determining unit 72 is configured to determine, according to each access request, an IP address of each client and an IP address of a domain name resolution server used by each client;
the counting unit 73 is configured to count and record the number of the IP addresses of the domain name resolution server corresponding to the IP address of each client;
the judging unit 74 is configured to judge whether the number counted by the counting unit 73 is greater than a preset threshold;
the second determining unit 75 is configured to determine, when the determining unit 74 determines that the number is greater than the preset threshold, that the IP address of the client whose number is greater than the preset threshold is the proxy IP address.
Optionally, in another embodiment, on the basis of the above embodiment, the apparatus further includes a third determining unit 81, a schematic structural diagram of which is shown in fig. 8, wherein
the third determining unit 81 is configured to determine, when the determining unit 74 determines that the number is smaller than or equal to the preset threshold, that the IP address of the client whose number is smaller than or equal to the preset threshold is a normal IP address.
The implementation process of the functions and actions of each unit in the device is detailed in the implementation process of the corresponding step in the method, and is not described herein again.
Correspondingly, an embodiment of the present invention further provides a server, where the server includes: a transceiver and a processor, wherein,
the transceiver is used for acquiring access requests sent by a plurality of clients;
the processor is used for determining the IP address of the client and the IP address of the domain name resolution server used by the client according to the access request; and when the IP address of the client and the IP address of the domain name resolution server are judged to be in different physical networks, determining the IP address of the client to be a proxy IP address.
Optionally, the processor is further configured to record the number of IP addresses of the domain name resolution server corresponding to the IP address of the client when it is judged that the IP address of the client and the IP address of the domain name resolution server are located in different physical networks; and, when the number is judged to be larger than the preset threshold value, to determine the IP addresses of the clients whose number is larger than the preset threshold value to be proxy IP addresses.
Optionally, the processor is further configured to determine that the IP address of the client is a normal IP address when it is judged that the IP address of the client and the IP address of the domain name resolution server are in the same physical network; or, when the number is judged not to be larger than the preset threshold value, to determine the IP addresses of the clients whose number is not larger than the preset threshold value to be proxy IP addresses.
Correspondingly, an embodiment of the present invention further provides a server, where the server includes a transceiver and a processor, wherein the transceiver is used for acquiring access requests sent by a plurality of clients;
the processor is used for determining the IP address of each client and the IP address of the domain name resolution server used by each client according to each access request;
the transceiver is further configured to count the number of IP addresses of the domain name resolution server corresponding to the IP address of each client;
the processor is further configured to determine, when the number is greater than a preset threshold, that the IP addresses of the clients whose number is greater than the preset threshold are proxy IP addresses; and, when the number is less than or equal to the preset threshold, to determine that the IP addresses of the clients whose number is less than or equal to the preset threshold are normal IP addresses.
An embodiment of the present invention further provides a server, a schematic structural diagram of which is shown in fig. 9, where the server 900 includes: a processor 910, a memory 920, a transceiver 930, and a bus 940;
wherein the processor 910, the memory 920 and the transceiver 930 are connected to each other via a bus 940; the bus 940 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The memory 920 is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory 920 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The transceiver 930 is used to connect and communicate with other devices. The transceiver 930 may specifically be configured to: acquiring an access request sent by a client;
the processor 910 executes the program code stored in the memory 920 and is specifically configured to determine, according to the access request, an IP address of the client and an IP address of a domain name resolution server used by the client; and, if the IP address of the client is not in the same physical network as the IP address of the domain name resolution server, to determine that the IP address of the client is a proxy IP address.
Optionally, the processor 910 is further configured to: when the IP address of the client is judged not to be in the same physical network as the IP address of the domain name resolution server, record the number of IP addresses of the domain name resolution server corresponding to the IP address of the client; and, when the number is judged to be larger than the preset threshold value, determine the IP addresses of the clients whose number is larger than the preset threshold value to be proxy IP addresses.
Optionally, the processor 910 is further configured to: when the IP address of the client and the IP address of the domain name resolution server are judged to be in the same physical network, determine the IP address of the client to be a normal IP address; and, when the number is judged not to be larger than the preset threshold value, determine the IP addresses of the clients whose number is not larger than the preset threshold value to be proxy IP addresses.
For ease of understanding, the following description is given with specific examples of applications.
As shown in fig. 10, which is a schematic structural diagram of an application example provided in the embodiment of the present invention, the application example includes a client ClientIP, whose DNS server is DNS1-IP, and a proxy server ProxyIP, whose DNS server is DNS2-IP; the present embodiment takes a payment server as an example, but in practical application it is not limited to this.
Under normal conditions, the DNS server used by the ClientIP is DNS1-IP, and the DNS server used by the ProxyIP is DNS2-IP.
In the proxy case, since the ClientIP uses the proxy service of the ProxyIP, the ProxyIP collects the DNS server used by the ClientIP, namely DNS1-IP, and takes DNS1-IP as its own DNS server.
When the payment server receives an access request from the ClientIP via the ProxyIP, it determines the IP address of the client (namely the IP address of the ProxyIP) from the access request and obtains, by collection, the domain name resolution server used by the ClientIP, DNS1-IP. Because the IP address of the client is the IP address of the ProxyIP while the domain name resolution server of the client is DNS1-IP, the two are not in the same physical network; it can therefore be determined that the client uses a proxy, and the user using the client is identified as a malicious user.
That is to say, in the embodiment of the present invention, a user device accessing the network needs to use a basic Internet service, the DNS service, when accessing Internet resources. Normal users access the network through their own DNS server, whereas some malicious users typically access the network by hiding their real IP behind a proxy. In general, however, although such a user can hide the real IP, the user cannot change the IP address of the DNS server used by the real IP. In the embodiment of the invention, the IP address of the client and the IP address of the domain name resolution server used by the client are determined, and whether they are in the same physical network is judged in order to determine whether the IP address of the client is a proxy IP address, so that whether the user using the client is a malicious user is identified.
Generally, since a proxy server serves a large number of users on the Internet, the users of the proxy ProxyIP are distributed over different physical networks, and the DNS server of each of those physical networks is collected as a DNS server of the ProxyIP. This is far more than the normal 10 DNS servers; certainly the number is not limited to 10 and may be adjusted adaptively according to the actual situation.
That is, for a user using a proxy, since the users of the proxy are scattered, the number of DNS servers obtained through that IP is much greater than for a normal user. Based on this, whether the IP of the client is a proxy can be determined according to the number of DNS servers, used by the users, that are collected from a certain IP.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above-described embodiments of the present invention do not limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.