CN106789413B - Method and device for detecting proxy internet surfing - Google Patents

Publication number: CN106789413B
Authority: CN (China)
Prior art keywords: user terminal; proxy; identification information; address; terminal
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201611133870.1A
Other languages: Chinese (zh)
Other versions: CN106789413A (en)
Inventor: 姚尚平
Current Assignee: Ruijie Networks Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN201611133870.1A
Publication of CN106789413A
Application granted
Publication of CN106789413B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An embodiment of the invention provides a method for detecting proxy internet surfing, comprising the following steps: pre-establishing a proxy device identification table; receiving a Web page request message sent by a first user terminal after it establishes a TCP connection with a Web server; feeding back to the first user terminal, according to the terminal type information in the Web page request message, a message for detecting user terminal identification information; receiving a message, sent by the first user terminal, that contains the identification information of the first user terminal; and, when the source IP address of that message is in the proxy device identification table, determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device. The invention also provides a device for detecting proxy internet surfing. The embodiment of the invention has a low false alarm rate and gives users a good internet experience.

Description

Method and device for detecting proxy internet surfing
Technical Field
The invention belongs to the technical field of data communication, and particularly relates to a method and a device for detecting proxy internet surfing.
Background
Proxy internet surfing refers to a technique in which multiple people share one IP address to access the Internet by using a router or proxy software; it is commonly called "one drags N". Most commonly, several terminals access the Internet through a router acting as a proxy, or a proxy server or network address translation software is installed on a host. In this situation several users can share one account to access the Internet, which bypasses the operator's per-account billing, harms the operator's interests, and ultimately affects the normal construction of the network. In addition, when illegal behaviors such as network violence, publication of illegal statements or uploading of pornographic videos occur, the network supervision department cannot trace the source to an individual through an account or an IP address, which makes after-the-fact accountability more difficult.
In the twenty-first century, network scale has grown explosively and network violence and network intrusion have become more and more serious, so government administrative departments attach increasing importance to regulating internet surfing behavior and to the network real-name system. To achieve the goal of the network real-name system, however, the problem of users surfing the Internet through proxies must be solved. The main current solutions are the following:
1. Installing client software. The client periodically monitors the user's internet surfing and sends the information to a gateway; the gateway judges, according to the user's proxy internet access permission, whether the current user is allowed to use a proxy; if so, the network connection is maintained; if not, the current user is kicked offline and a logout notification is sent to the client; after receiving the notification, the client disconnects the current user's network connection.
2. Using flash cookie technology. A detection device periodically intercepts a web page access request uploaded by a terminal and returns a monotonically increasing or decreasing numeric identifier to the terminal; when the identifier attribute value in the flash cookie in the browser cache is empty, the terminal writes the numeric identifier into the identifier attribute value; the detection device obtains the identifier attribute values uploaded by terminals and builds the sequence of identifier attribute values under a target IP; it then judges, from the monotonicity of that sequence, whether the target IP corresponds to proxy internet access.
3. Counting message characteristics, including the timestamp pattern of messages, TCP connection count limits, DNS request count limits, message ID wrap-around time and the like.
The existing methods for detecting whether a user surfs the Internet through a proxy have at least the following problems:
1. A client program must be installed. Promoting client installation is difficult, compatibility with different desktop systems, mobile terminals and various antivirus software must be solved, and the maintenance cost is high.
2. With flash cookie technology, a single host may have several browsers and browser compatibility modes, so one host can be identified as two or more hosts; since installing several browsers on one host is common, the misjudgment rate is high.
3. Other techniques that collect message fingerprint characteristics, such as the number of TCP connections, the number of DNS requests and the IP message ID wrap-around time, suffer from large individual differences, a high false alarm rate and difficult management and maintenance.
4. The demands on the network administrator are high: the method of counting message characteristics requires a judgment threshold to be set, and choosing the threshold takes very rich network maintenance experience.
Therefore, prior-art methods for identifying proxy internet access are either inaccurate or require a client to be installed, and a method for detecting proxy internet access that improves accuracy and is easy to deploy and implement is needed.
Disclosure of Invention
To solve this technical problem, an embodiment of the invention discloses a method for detecting proxy internet surfing, comprising the following steps:
pre-establishing a proxy device identification table;
receiving a Web page request message sent by a first user terminal after it establishes a TCP connection with a Web server;
feeding back to the first user terminal, according to the terminal type information in the Web page request message, a message for detecting user terminal identification information, so that the first user terminal obtains the identification information of the first user terminal according to that message;
receiving a message, sent by the first user terminal, that contains the identification information of the first user terminal;
and, when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device.
Optionally,
the terminal type is a desktop terminal, and the first user terminal identification information is the IP address of the first user terminal;
the step of determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device specifically includes:
when the IP address of the first user terminal is not in the proxy device identification table, determining that the first user terminal is a user terminal accessing the Internet through a proxy device.
Optionally,
the proxy device identification table further comprises a hash value of the user terminal operating system version information corresponding to a first proxy device identifier in the proxy device identification table;
the terminal type is a mobile terminal, and the first user terminal identification information is a hash value of the version information of the operating system of the first user terminal;
when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, the step of determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device specifically includes:
when the source IP address of the message containing the identification information of the first user terminal matches the first proxy device identifier, associating the hash value of the operating system version information of the first user terminal with the first proxy device identifier; and when the number of different user terminal operating system version hash values associated with the first proxy device identifier is greater than or equal to 2, determining that the first user terminal is a user terminal accessing the Internet through the first proxy device.
Optionally,
before feeding back a detection message to the first user terminal according to the Web page request message, the method further includes: closing the TCP connection;
the method further includes: feeding back to the user terminal, according to the Web page request message, the originally requested website URL in the Web page request message, so that the first user terminal can send the Web page request message again to the originally requested website URL after obtaining the identification information of the first user terminal.
Optionally, the method further includes:
when the IP address of the first user terminal is not in the proxy device identification table and is not in the user terminal device identification table, adding the IP address of the first user terminal to the user terminal device identification table;
and determining the number of user terminals accessing the Internet through the proxy device according to the number of different IP addresses in the user terminal device identification table.
Another aspect of the embodiments of the present invention further provides a device for detecting proxy internet surfing, including:
an establishing module, configured to pre-establish a proxy device identification table;
a first receiving module, configured to receive a Web page request message sent by a first user terminal after it establishes a TCP connection with a Web server;
a sending module, configured to feed back to the first user terminal, according to the terminal type information in the Web page request message, a message for detecting user terminal identification information, so that the first user terminal obtains the identification information of the first user terminal according to that message;
a second receiving module, configured to receive a message, sent by the first user terminal, that contains the identification information of the first user terminal;
and a determining module, configured to determine, when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device, according to the identification information of the first user terminal and the proxy device identification table.
Optionally, the terminal type is a desktop terminal, and the first user terminal identification information is the IP address of the first user terminal;
the determining module is specifically configured to:
when the IP address of the first user terminal is not in the proxy device identification table, determine that the first user terminal is a user terminal accessing the Internet through a proxy device.
Optionally,
the proxy device identification table further comprises a hash value of the user terminal operating system version information corresponding to a first proxy device identifier in the proxy device identification table;
the terminal type is a mobile terminal, and the first user terminal identification information is a hash value of the version information of the operating system of the first user terminal;
the determining module is specifically configured to:
when the source IP address of the message containing the identification information of the first user terminal matches the first proxy device identifier, associate the hash value of the operating system version information of the first user terminal with the first proxy device identifier; and when the number of different user terminal operating system version hash values associated with the first proxy device identifier is greater than or equal to 2, determine that the first user terminal is a user terminal accessing the Internet through the first proxy device.
Optionally, the device further comprises:
a switch module, configured to close the TCP connection;
the sending module is further configured to feed back to the user terminal, according to the Web page request message, the originally requested website URL in the Web page request message, so that the first user terminal sends the Web page request message again to the originally requested website URL after obtaining the identification information of the first user terminal.
Optionally, the device further comprises:
an adding module, configured to add the IP address of the first user terminal to the user terminal device identification table when the IP address of the first user terminal is not in the proxy device identification table and is not in the user terminal device identification table;
and a counting module, configured to determine the number of user terminals accessing the Internet through the proxy device according to the number of different IP addresses in the user terminal device identification table.
The embodiment of the invention has the following advantages. The false alarm rate is low, users' internet experience is good, and the detection rate of proxy internet terminals is high. The main calculation and logic processing tasks are all placed on the user terminal devices, so the processing logic of the exit gateway device is simple and the device can still forward at line rate. The method is easy to deploy and popularize: no client software is needed and user acceptance is high. The cost is low, since there is no client software or hardware development cost, and upgrading and maintenance are easy. The method is widely applicable, has a high recognition rate, and suits the mainstream browsers and mobile smart terminal systems on the market.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a system architecture of an embodiment of the present invention;
FIG. 2 is a flow diagram of a method of an embodiment of the invention;
FIG. 3 is a diagram showing the structure of a device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. The described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The system structure of the embodiment of the invention is shown in FIG. 1. A proxy terminal (such as a PC or a mobile terminal) reaches the exit gateway (such as an exit gateway router) through a proxy device (such as a wireless router) to access the Internet, while a non-proxy terminal (such as a PC or a mobile terminal) reaches the exit gateway (such as an exit gateway router) to access the Internet without passing through a proxy device.
The embodiment of the invention provides a method for detecting proxy internet surfing which, as shown in FIG. 2, comprises the following steps:
S101, pre-establishing a proxy device identification table;
S103, receiving a Web page request message sent by a first user terminal after the first user terminal establishes a TCP connection with a Web server;
S105, feeding back to the first user terminal, according to the terminal type information in the Web page request message, a message for detecting user terminal identification information, so that the first user terminal obtains the identification information of the first user terminal according to that message;
S107, receiving a message, sent by the first user terminal, that contains the identification information of the first user terminal;
S109, when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device.
Optionally,
the terminal type is a desktop terminal, and the first user terminal identification information is the IP address of the first user terminal;
the step of determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device specifically includes:
when the IP address of the first user terminal is not in the proxy device identification table, determining that the first user terminal is a user terminal accessing the Internet through a proxy device.
Optionally,
the proxy device identification table further comprises a hash value of the user terminal operating system version information corresponding to a first proxy device identifier in the proxy device identification table;
the terminal type is a mobile terminal, and the first user terminal identification information is a hash value of the version information of the operating system of the first user terminal;
when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, the step of determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device specifically includes:
when the source IP address of the message containing the identification information of the first user terminal matches the first proxy device identifier, associating the hash value of the operating system version information of the first user terminal with the first proxy device identifier; and when the number of different user terminal operating system version hash values associated with the first proxy device identifier is greater than or equal to 2, determining that the first user terminal is a user terminal accessing the Internet through the first proxy device.
Optionally,
before feeding back a detection message to the first user terminal according to the Web page request message, the method further includes: closing the TCP connection;
the method further includes: feeding back to the user terminal, according to the Web page request message, the originally requested website URL in the Web page request message, so that the first user terminal can send the Web page request message again to the originally requested website URL after obtaining the identification information of the first user terminal.
Optionally, the method further includes:
when the IP address of the first user terminal is not in the proxy device identification table and is not in the user terminal device identification table, adding the IP address of the first user terminal to the user terminal device identification table;
and determining the number of user terminals accessing the Internet through the proxy device according to the number of different IP addresses in the user terminal device identification table.
An embodiment of the present invention is described below in conjunction with a specific application scenario:
The exit gateway device identifies a user terminal by its IP address. Because a proxy internet access device or proxy software performs NAT address translation, the IP data packets received by the exit gateway device all carry the same source IP address whether or not the user terminal is using a proxy to access the Internet; this source IP address is recorded as ipsrc. The specific method for identifying proxy internet surfing comprises the following steps:
Step one: the exit gateway device maintains a user table, UserTable, corresponding to ipsrc. The user table contains at least the source IP address, denoted ipsrc, and the hash value of the User Agent, denoted uahash. When the exit gateway device receives an IP data packet from a user for the first time, it initializes uahash to 0.
The User Agent, UA for short, is a special string header that lets the server identify the operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins and so on used by the user terminal. Statistical analysis of the mainstream smart mobile devices on the market shows that the operating system and version information contained in the User Agent string can be used to identify a mobile terminal.
Step two: the exit gateway device periodically intercepts a web page access request uploaded by the user terminal, returns a detection page to the user terminal, and closes the TCP connection between the user terminal and the external Web server.
Step three: the main content of the detection page may include the following:
a) the original website URL of the web page access request uploaded by the user terminal, which can be denoted original_href;
b) obtaining the User Agent information of the browser;
c) judging the type of the user terminal from the User Agent information; the types can be divided into smart mobile terminal and desktop system;
d) for a desktop system, the network card IP address of the user terminal can be obtained by using the relevant interface functions of WebRTC, and the obtained network card IP address can be denoted ipx; methods for obtaining the network card IP address of the user terminal include, but are not limited to, the relevant interface functions of WebRTC;
WebRTC is a technology that lets a web browser carry out real-time voice or video conversations. It is written in pure JavaScript and built into the browser, so the user does not need any plug-in or software, and it has strong NAT traversal capability; with this technology, the network card address information of a user terminal can therefore be obtained easily.
e) for a smart mobile terminal, such as an Android phone, a BlackBerry phone, an Apple mobile phone, an iPad, a Windows Phone and the like: if the browser supports WebRTC, the network card IP address of the smart mobile terminal is obtained by using the relevant interface functions of WebRTC and is denoted ipx; if the browser does not support WebRTC, a regular expression is used to extract the operating system and version information, and a hash is computed over it to obtain a positive integer value uax;
f) sending an HTTP detection result message to the exit gateway device by using Ajax (Asynchronous JavaScript And XML), where the URL parameters of the message carry the network card IP address of the user terminal or the uax value;
g) after the HTTP detection result message is sent, refreshing the page to the original URL requested by the user, namely original_href.
Step four: the exit gateway device receives the HTTP detection result message sent back by the user terminal, parses the source IP address ipsrc of the message from it, and parses the user terminal's network card address value ipx, or uax, from the URL of the message.
Step five: the exit gateway device judges whether proxy internet surfing is occurring. If ipx is not zero, ipx is compared with ipsrc, and when the two are not equal, proxy internet surfing can be judged to have occurred. If the uax value is not zero, the uahash value in the user table is obtained; when uahash is zero, it is updated to uax; when uahash is not zero, uahash and uax are compared, and when they are not equal, proxy internet surfing is judged to have occurred.
Step six: after the exit gateway device judges that proxy internet surfing has occurred, it can, according to a pre-configured processing policy, output an alarm to an administrator or disconnect the user from the network.
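The gateway-side decision in steps one, four and five, with the uax computation of step three (e) simulated in the same file, as an added example that is not code from the patent. The URL path /detect_result, the parameter names ipx and uax, the OS/version regular expression and the use of CRC32 as the hash are assumptions; the page names none of them.

```python
import ipaddress
import re
import zlib
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed pattern: the page only says "a regular expression" extracts OS and version.
OS_VERSION_RE = re.compile(
    r"Android \d+(?:\.\d+)*"
    r"|(?:iPhone |CPU )OS \d+(?:_\d+)*"
    r"|Windows Phone(?: OS)? \d+(?:\.\d+)*"
)

# Constructed sample User Agent strings (not captured traffic).
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) "
              "AppleWebKit/537.36 Mobile Safari/537.36")
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) "
             "AppleWebKit/602.2.14 Mobile/14B72")


def ua_to_uax(user_agent: str) -> int:
    """Step three (e): hash the OS + version substring to a positive integer.

    Returns 0 when no OS/version is found, matching the "uax is zero" case.
    CRC32 stands in for the unspecified hash function.
    """
    match = OS_VERSION_RE.search(user_agent)
    if match is None:
        return 0
    return zlib.crc32(match.group(0).encode("utf-8")) or 1  # never 0 on a match


@dataclass
class UserEntry:
    ipsrc: str
    uahash: int = 0  # step one: initialised to 0 on first packet


class ExitGateway:
    def __init__(self):
        self.user_table = {}  # UserTable, indexed by ipsrc

    def handle_result(self, ipsrc: str, url: str) -> bool:
        """Steps four and five: return True when proxy surfing is judged."""
        query = parse_qs(urlsplit(url).query)
        ipx = query.get("ipx", [""])[0]
        uax_text = query.get("uax", ["0"])[0]
        entry = self.user_table.setdefault(ipsrc, UserEntry(ipsrc))

        if ipx:
            # Compare parsed addresses, not strings; reject malformed input.
            try:
                return ipaddress.ip_address(ipx) != ipaddress.ip_address(ipsrc)
            except ValueError:
                return False

        try:
            uax = int(uax_text)
        except ValueError:
            return False
        if uax <= 0:
            return False
        if entry.uahash == 0:      # first mobile terminal seen for this ipsrc
            entry.uahash = uax
            return False
        return entry.uahash != uax  # a different OS/version behind the same ipsrc


def demo():
    """Run five constructed detection-result messages through one gateway."""
    gw = ExitGateway()
    android, iphone = ua_to_uax(ANDROID_UA), ua_to_uax(IPHONE_UA)
    return [
        gw.handle_result("10.20.0.8", "/detect_result?ipx=10.20.0.8"),     # direct
        gw.handle_result("10.20.0.7", "/detect_result?ipx=192.168.1.23"),  # behind NAT
        gw.handle_result("10.20.0.9", f"/detect_result?uax={android}"),    # first seen
        gw.handle_result("10.20.0.9", f"/detect_result?uax={android}"),    # same OS/version
        gw.handle_result("10.20.0.9", f"/detect_result?uax={iphone}"),     # second OS
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth case shows a limit of the uahash check: terminals reporting the same operating system and version yield the same uax and are not told apart, and both ipx and uax are self-reported by the terminal, so the gateway has to treat them as untrusted input. Current browsers also commonly replace local addresses in WebRTC candidates with mDNS names, in which case the detection page cannot obtain ipx this way.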
The embodiment of the invention has the advantages that the false alarm rate is low, the user internet experience effect is good, the detection rate of the proxy internet terminal is high, the main calculation and logic processing tasks are all put on each user terminal device, the processing logic of the exit gateway device is simple, and the device can still realize the linear speed forwarding; the method is easy to deploy and popularize, client software is not required to be used, and the user acceptance degree is high; the cost is low, the development cost of client software or hardware is avoided, and the upgrading and maintenance are easy; the method has the advantages of high popularity and high recognition rate, and is suitable for mainstream browsers and mobile intelligent terminal systems in the market.
Another aspect of the embodiments of the present invention provides a device for detecting proxy surfing, as shown in Fig. 3, including:
an establishing module 201, configured to establish a proxy device identification table in advance;
a first receiving module 203, configured to receive a Web page request message sent by a first user terminal after a TCP connection is established with a Web server;
a sending module 205, configured to feed back, to the first user terminal, a message for detecting user terminal identification information according to the terminal type information in the Web page request message, so that the first user terminal obtains the identification information of the first user terminal according to the message for detecting user terminal identification information;
a second receiving module 207, configured to receive a message that is sent by the first user terminal and contains the identification information of the first user terminal;
a determining module 209, configured to determine, when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, whether the first user terminal is a user terminal that accesses the Internet through a proxy device, according to the identification information of the first user terminal and the proxy device identification table.
Optionally, the terminal type is a desktop terminal, and the first user terminal identification information is an IP address of the first user terminal;
the determining module 209 is specifically configured to:
when the IP address of the first user terminal is not in the proxy device identification table, determine that the first user terminal is a user terminal accessing the Internet through a proxy device.
Optionally,
the proxy device identification table further includes a hash value of user terminal operating system version information corresponding to a first proxy device identifier in the proxy device identification table;
the terminal type is a mobile terminal, and the first user terminal identification information is a hash value of the version information of the operating system of the first user terminal;
the determining module 209 is specifically configured to:
when the source IP address of the message containing the identification information of the first user terminal matches the first proxy device identifier, associate the hash value of the version information of the operating system of the first user terminal with the first proxy device identifier; and when the number of different hash values of user terminal operating system version information associated with the first proxy device identifier is greater than or equal to 2, determine that the first user terminal is a user terminal that accesses the Internet through the first proxy device.
Optionally, the device further comprises:
a switch module, configured to close the TCP connection;
the sending module is further configured to feed back the originally accessed website URL in the Web page request message to the user terminal according to the Web page request message, so that the first user terminal sends the Web page request message again according to the originally accessed website URL after obtaining the identification information of the first user terminal.
Optionally, the device further comprises:
an adding module 211, configured to add the IP address of the first user terminal to the user terminal device identification table when the IP address of the first user terminal is not in the proxy device identification table and is not in the user terminal device identification table;
a counting module 213, configured to determine the number of user terminals accessing the Internet through the proxy device according to the number of different IP addresses in the user terminal device identification table.
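The decision rules of the determining, adding and counting modules above, as an added Python example (not code from the patent). The names `ProxyDetector` and `os_version_hash`, the choice of SHA-256 and the sample addresses are assumptions, and the proxy device identification table is taken as already populated.

```python
import hashlib


def os_version_hash(os_version):
    """Identifier a mobile terminal reports; SHA-256 is an assumption."""
    return hashlib.sha256(os_version.encode("utf-8")).hexdigest()


class ProxyDetector:
    def __init__(self, proxy_ips):
        # Proxy device identification table, established in advance:
        # proxy IP -> distinct OS-version hashes reported through that proxy.
        self.proxy_table = {ip: set() for ip in proxy_ips}
        # User terminal device identification table: IPs of proxied terminals.
        self.terminal_table = set()

    def handle_report(self, src_ip, terminal_type, ident):
        """Process one message carrying terminal identification information.

        Returns True when the reporting terminal is judged to be going
        online through a proxy device.
        """
        if src_ip not in self.proxy_table:
            return False  # a decision is only made for sources in the table
        if terminal_type == "desktop":
            # ident is the terminal's own IP address.
            if ident in self.proxy_table:
                return False  # the proxy device itself is browsing
            self.terminal_table.add(ident)  # adding module; a set skips repeats
            return True
        if terminal_type == "mobile":
            # ident is the hash of the terminal's OS version information.
            seen = self.proxy_table[src_ip]
            seen.add(ident)
            return len(seen) >= 2
        raise ValueError(f"unknown terminal type: {terminal_type!r}")

    def proxied_terminal_count(self):
        """Counting module: distinct IPs in the user terminal table."""
        return len(self.terminal_table)


# Constructed sample reports: (source IP seen by the gateway, type, identifier).
PROXY = "192.0.2.10"
SAMPLE_REPORTS = [
    (PROXY, "desktop", "192.168.1.20"),        # desktop behind the proxy
    (PROXY, "desktop", "192.168.1.20"),        # same desktop again
    (PROXY, "desktop", PROXY),                 # the proxy device's own browser
    ("192.0.2.99", "desktop", "192.0.2.99"),   # source not in the proxy table
    (PROXY, "mobile", os_version_hash("Android 6.0.1")),
    (PROXY, "mobile", os_version_hash("Android 6.0.1")),  # same version: 1 hash
    (PROXY, "mobile", os_version_hash("iOS 10.1.1")),     # second distinct hash
]


def run_sample():
    detector = ProxyDetector([PROXY])
    verdicts = [detector.handle_report(*r) for r in SAMPLE_REPORTS]
    return verdicts, detector.proxied_terminal_count()


if __name__ == "__main__":
    print(run_sample())
```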
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not cause the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for detecting proxy surfing, characterized by comprising the following steps:
establishing a proxy device identification table in advance;
receiving a Web page request message sent by a first user terminal after a TCP connection is established with a Web server;
feeding back, to the first user terminal, a message for detecting user terminal identification information according to the terminal type information in the Web page request message, so that the first user terminal obtains the identification information of the first user terminal according to the message for detecting user terminal identification information;
receiving a message that is sent by the first user terminal and contains the identification information of the first user terminal;
and when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, determining, according to the identification information of the first user terminal and the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device.
2. The method of claim 1, wherein
the terminal type is a desktop terminal, and the first user terminal identification information is an IP address of the first user terminal;
the step of determining whether the first user terminal is a user terminal accessing the Internet through a proxy device according to the identification information of the first user terminal and the proxy device identification table specifically includes:
when the IP address of the first user terminal is not in the proxy device identification table, determining that the first user terminal is a user terminal accessing the Internet through a proxy device.
3. The method of claim 1, wherein
the proxy device identification table further includes a hash value of user terminal operating system version information corresponding to a first proxy device identifier in the proxy device identification table;
the terminal type is a mobile terminal, and the first user terminal identification information is a hash value of the version information of the operating system of the first user terminal;
the step of determining, when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device according to the identification information of the first user terminal and the proxy device identification table specifically includes:
when the source IP address of the message containing the identification information of the first user terminal matches the first proxy device identifier, associating the hash value of the version information of the operating system of the first user terminal with the first proxy device identifier; and when the number of different hash values of user terminal operating system version information associated with the first proxy device identifier is greater than or equal to 2, determining that the first user terminal is a user terminal that accesses the Internet through the first proxy device.
4. The method of claim 1, wherein
before feeding back a detection message to the first user terminal according to the Web page request message, the method further includes: closing the TCP connection;
the method further comprises: feeding back the originally accessed website URL in the Web page request message to the user terminal according to the Web page request message, so that the first user terminal sends the Web page request message again according to the originally accessed website URL after obtaining the identification information of the first user terminal.
5. The method of claim 2, further comprising:
when the IP address of the first user terminal is not in the proxy device identification table and the IP address of the first user terminal is not in the user terminal device identification table, adding the IP address of the first user terminal to the user terminal device identification table;
and determining the number of user terminals accessing the Internet through the proxy device according to the number of different IP addresses in the user terminal device identification table.
6. An apparatus for detecting proxy surfing, comprising:
an establishing module, configured to establish a proxy device identification table in advance;
a first receiving module, configured to receive a Web page request message sent by a first user terminal after a TCP connection is established with a Web server;
a sending module, configured to feed back, to the first user terminal, a message for detecting user terminal identification information according to the terminal type information in the Web page request message, so that the first user terminal obtains the identification information of the first user terminal according to the message for detecting user terminal identification information;
a second receiving module, configured to receive a message that is sent by the first user terminal and contains the identification information of the first user terminal;
and a determining module, configured to determine, when the source IP address of the message containing the identification information of the first user terminal is in the proxy device identification table, whether the first user terminal is a user terminal accessing the Internet through a proxy device, according to the identification information of the first user terminal and the proxy device identification table.
7. The apparatus of claim 6, wherein the terminal type is a desktop terminal, and the first user terminal identification information is an IP address of the first user terminal;
the determining module is specifically configured to:
when the IP address of the first user terminal is not in the proxy device identification table, determine that the first user terminal is a user terminal accessing the Internet through a proxy device.
8. The apparatus of claim 6, wherein
the proxy device identification table further includes a hash value of user terminal operating system version information corresponding to a first proxy device identifier in the proxy device identification table;
the terminal type is a mobile terminal, and the first user terminal identification information is a hash value of the version information of the operating system of the first user terminal;
the determining module is specifically configured to:
when the source IP address of the message containing the identification information of the first user terminal matches the first proxy device identifier, associate the hash value of the version information of the operating system of the first user terminal with the first proxy device identifier; and when the number of different hash values of user terminal operating system version information associated with the first proxy device identifier is greater than or equal to 2, determine that the first user terminal is a user terminal that accesses the Internet through the first proxy device.
9. The apparatus of claim 6, wherein the apparatus further comprises:
a switch module, configured to close the TCP connection;
the sending module is further configured to feed back the originally accessed website URL in the Web page request message to the user terminal according to the Web page request message, so that the first user terminal sends the Web page request message again according to the originally accessed website URL after obtaining the identification information of the first user terminal.
10. The apparatus of claim 7, further comprising:
an adding module, configured to add the IP address of the first user terminal to the user terminal device identification table when the IP address of the first user terminal is not in the proxy device identification table and is not in the user terminal device identification table;
and a counting module, configured to determine the number of user terminals accessing the Internet through the proxy device according to the number of different IP addresses in the user terminal device identification table.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611133870.1A CN106789413B (en) 2016-12-10 2016-12-10 Method and device for detecting proxy internet surfing

Publications (2)

Publication Number Publication Date
CN106789413A CN106789413A (en) 2017-05-31
CN106789413B true CN106789413B (en) 2019-12-06

Family

ID=58875911

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611133870.1A Active CN106789413B (en) 2016-12-10 2016-12-10 Method and device for detecting proxy internet surfing

Country Status (1)

Country Link
CN (1) CN106789413B (en)

Also Published As

Publication number Publication date
CN106789413A (en) 2017-05-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant