CN110233774B - Detection method, distributed detection method and system for Socks proxy server - Google Patents

Publication number
CN110233774B
Authority
CN
China
Prior art keywords
host
tested
socks proxy
proxy server
port
Prior art date
Legal status
Active
Application number
CN201910453811.XA
Other languages
Chinese (zh)
Other versions
CN110233774A (en
Inventor
李瑞轩
辜希武
赵铭富
江钰
李玉华
彭宇琪
刘冰
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Application filed by Huazhong University of Science and Technology
Priority to CN201910453811.XA
Publication of CN110233774A
Application granted
Publication of CN110233774B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0695 Management of faults, events, alarms or notifications the faulty arrangement being the maintenance, administration or management system
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Abstract

The invention discloses a detection method, a distributed detection method and a system of Socks proxy servers, belonging to the field of network resource space detection and comprising the following steps: if the host to be tested opens the service, executing the subsequent steps; otherwise, finishing the detection; sending a pre-constructed GET request message based on an HTTP protocol to a host to be tested through a preset port respectively, and acquiring response information of each port; analyzing the response information of each port, and if the response information does not contain the first characteristic character string and contains the second characteristic character string, judging that the host opens the Socks proxy service through the corresponding port; otherwise, judging that the host does not open the Socks proxy service through the corresponding port; if the host opens the Socks proxy service through any one port, identifying the host to be tested as the Socks proxy server; otherwise, identifying the host to be tested as a non-Socks proxy server; and finishing the detection. The invention can effectively solve the problem of low recognition rate of the existing detection method of the Socks proxy server and accelerate the detection speed through the distributed detection system.

Description

Detection method, distributed detection method and system for Socks proxy server
Technical Field
The invention belongs to the field of network resource space detection, and particularly relates to a distributed detection method and system for Socks proxy servers.
Background
With the rapid development of the network society, at present, various industries rely on the internet to process related services, and activities such as daily chatting, shopping, entertainment, learning and the like are closely combined with the network, so that the internet is closely related to life. Although the network facilitates our lives, the security problem brought by the network is not negligible.
The internet is a highly open field: enterprises and users can currently build their own proxy servers, and users can obtain resources through proxy servers that are difficult to access under normal conditions. In addition, proxy servers generally have large buffers, so they can increase the speed of accessing network resources and can hide the privacy information of users. While the proxy server brings convenience to internet users, it also carries certain security risks. Many network attacks and illegal information transfers are carried out through illicit proxies, for example hackers using proxy servers to hide their own information while performing DDoS attacks, and lawbreakers transferring gambling and fraud information through proxy servers. Research on methods of identifying proxy servers is therefore of considerable practical significance and can provide technical support for network security. Among the many kinds of proxy server, the Socks proxy server is currently the most widely used and is relatively difficult to detect, so research on Socks proxy detection methods is of great importance in production and life.
At present, mainstream detection tools such as Zmap and ProxyBroker can detect Socks proxy servers, but these tools are based on analysing Socks protocol request and response packets and can only identify Socks proxy servers that have no account and password. For a Socks proxy server with an account and password, the detection packet sent during actual detection is usually discarded directly by the host to be tested and no response information is obtained, so the Socks proxy server cannot be identified effectively. In general, the recognition rate of existing Socks proxy server detection methods is low.
Disclosure of Invention
Aiming at the defects and improvement requirements of the prior art, the invention provides a detection method, a distributed detection method and a system of a Socks proxy server, and aims to solve the problem of low recognition rate of the existing detection method of the Socks proxy server.
To achieve the above object, according to a first aspect of the present invention, there is provided a method for detecting a Socks proxy server, for identifying whether a host to be tested whose ip is known is a Socks proxy server, including:
(1) judging whether the host to be tested opens the service, if so, turning to the step (2); otherwise, turning to the step (6);
(2) presetting a plurality of ports for establishing communication connection on a host to be tested;
(3) sending a pre-constructed GET request message based on an HTTP protocol to a host to be tested through preset ports respectively, and acquiring response information of each port;
(4) analyzing the response information of each port, and if the response information does not contain the first characteristic character string and contains the second characteristic character string, judging that the host to be tested opens the Socks proxy service through the corresponding port; otherwise, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
(5) if the host to be tested opens the Socks proxy service through any one port, identifying the host to be tested as the Socks proxy server; otherwise, identifying the host to be tested as a non-Socks proxy server;
(6) finishing detection;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers.
The invention carries out detection of the Socks proxy server based on the GET request message of the HTTP protocol, and identifies whether the host to be detected is the Socks proxy server according to whether the response information of the port of the host to be detected contains the characteristic character string.
Further, the first characteristic string is 'SSH', 'FTP', '\xff\xfd\x18\xff\xfd\xff\xfd#\xff\xfd', 'SMTP' or 'HTTP'.
Further, the second characteristic character string is '\x05\x00', '\x00[\x00\x00\x00\x00\x00\x00' or 'www.herokucdn.com'.
The first characteristic character string is a character string specific to the response information that other proxy servers, such as SSH, FTP, SMTP and HTTP, generate for a GET request message of the HTTP protocol; the second characteristic character string is a character string specific to the response information that the Socks proxy server generates for a GET request message of the HTTP protocol. Because other proxy servers such as SSH, FTP, SMTP and HTTP can interfere with the detection of the Socks proxy server, the invention only identifies as a Socks proxy server a host to be tested whose response does not contain the first characteristic character string and does contain the second characteristic character string. This avoids the interference of other proxy servers in the process of identifying the Socks proxy server, so the identification precision is higher.
Further, the method for detecting the Socks proxy server provided by the invention further comprises the following steps: if the host to be tested is identified as the Socks proxy server, the spatial position of the host to be tested is obtained according to the ip of the host to be tested, so that the physical positioning of the Socks proxy server is realized;
the invention further realizes the positioning of the Socks proxy server according to the ip, and provides convenience for the supervision of the Socks proxy server.
According to a second aspect of the present invention, there is provided a distributed detection method for a Socks proxy server, used to identify whether each of a large number of hosts to be tested whose ips are known is a Socks proxy server, including:
dividing all hosts to be tested into a plurality of host sets to be tested;
for each host set to be tested, sequentially detecting the hosts to be tested by using the detection method of the Socks proxy server provided by the first aspect of the invention to identify the Socks proxy server; and executing the detection of all the host computer sets to be detected in parallel.
According to the distributed detection method of the Socks proxy server, the plurality of hosts to be detected are divided into the host set to be detected, so that detection of the hosts to be detected in the set is executed in series, detection of the plurality of sets is executed in parallel, and therefore the detection rate can be effectively improved.
According to a third aspect of the present invention, there is provided a detection system for a Socks proxy server, used to identify whether a host to be tested whose ip is known is a Socks proxy server, including: a pre-judging module, a port setting module, a transceiving module, an analysis module and an identification module;
the pre-judging module is used for judging whether the host to be detected opens the service or not and ending the detection when the host to be detected does not open the service;
the port setting module is used for presetting a plurality of ports for establishing communication connection on the host to be tested when the pre-judging module judges that the host to be tested is open to service;
the receiving and sending module is used for respectively sending a pre-constructed GET request message based on the HTTP to the host to be tested through each preset port and acquiring response information of each port;
the analysis module is used for analyzing the response information of each port, and judging that the host to be tested opens the Socks proxy service through the corresponding port when the response information does not contain the first characteristic character string and contains the second characteristic character string; and under other conditions, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the identification module is used for identifying the host to be tested as a Socks proxy server when the analysis module judges that the host to be tested opens the Socks proxy service through any one port; under other conditions, identifying the host to be tested as a non-Socks proxy server;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers.
According to a fourth aspect of the present invention, there is provided a distributed detection system for a Socks proxy server, used to identify whether each of a large number of hosts to be tested whose ips are known is a Socks proxy server, including: a database, a central scheduling node and a plurality of parallel task execution nodes;
the central scheduling node is used for dividing all the hosts to be tested into a plurality of host sets to be tested and distributing the detection tasks of the host sets to be tested to a plurality of different task execution nodes so that the detection tasks of the host sets to be tested are executed in parallel;
the task execution node is used for sequentially detecting the hosts to be tested in the received host set to be tested by using the detection method of the Socks proxy server provided by the first aspect of the invention, so as to identify the Socks proxy servers in the host set to be tested, returning the task execution result to the central scheduling node, and persistently storing the detection result in the database; the execution result indicates whether task execution succeeded or failed, and the detection result comprises the ip address, the port and the spatial position information of the Socks proxy server;
and the central scheduling node is also used for receiving the execution result returned by each task execution node and transferring the task failed to be executed from the original task execution node to other task execution nodes to continue executing according to the execution result.
In the distributed detection system of the Socks proxy server, the central scheduling node and the task execution nodes form a Master-Slave model, and each task execution node executes the detection task of the Socks proxy server in parallel after scheduling, so that the detection rate of a large-scale host to be detected can be effectively improved.
Further, the central scheduling node comprises: the system comprises a task distribution module and a fault transfer module;
the task distribution module is used for dividing all the hosts to be tested into a plurality of host sets to be tested and distributing the detection tasks of the host sets to be tested to a plurality of different task execution nodes so that the detection tasks of the host sets to be tested are executed in parallel;
and the fault transfer module is used for receiving the execution result returned by each task execution node and transferring the task failed to be executed from the original task execution node to other task execution nodes to continue executing according to the execution result.
According to the distributed detection system, a fault transfer mechanism is realized by transferring the failed detection task from the original task execution node to another task execution node, so that the detection of each host to be detected is normally executed.
Further, the task execution node includes: the device comprises a prejudgment module, a port setting module, a transceiving module, an analysis module, an identification module, a storage module and a return module;
the pre-judging module is used for judging whether the host to be detected opens the service or not and finishing the detection of the host to be detected when the host to be detected does not open the service;
the port setting module is used for presetting a plurality of ports for establishing communication connection on the host to be tested when the pre-judging module judges that the host to be tested is open to service;
the receiving and sending module is used for respectively sending a pre-constructed GET request message based on the HTTP to the host to be tested through each preset port and acquiring response information of each port;
the analysis module is used for analyzing the response information of each port, and judging that the host to be tested opens the Socks proxy service through the corresponding port when the response information does not contain the first characteristic character string and contains the second characteristic character string; and under other conditions, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the identification module is used for identifying the host to be tested as a Socks proxy server when the analysis module judges that the host to be tested opens the Socks proxy service through any one port; under other conditions, identifying the host to be tested as a non-Socks proxy server;
the storage module is used for storing the detection result into a database in a persistent mode;
the back transmission module is used for transmitting the execution result back to the central scheduling node;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers.
Generally, by the above technical solution conceived by the present invention, the following beneficial effects can be obtained:
(1) The detection method of the Socks proxy server and the detection system of the Socks proxy server provided by the invention use a GET request message based on the HTTP protocol to detect the Socks proxy server, and identify whether the host to be tested is a Socks proxy server according to whether the response information of its ports contains the specific characteristic character strings. Because a Socks proxy server generates response information for a GET request message of the HTTP protocol whether or not it has an account and password, the invention can identify both Socks proxy servers without an account and password and Socks proxy servers with an account and password, which effectively solves the problem of the low recognition rate of existing Socks proxy server detection methods.
(2) According to the detection method of the Socks proxy server and the detection system of the Socks proxy server, the first characteristic character string for eliminating interference and the second characteristic character string for identifying the Socks proxy server are accurately set, and the host to be detected which does not contain the first characteristic character string and contains the second characteristic character string is identified as the Socks proxy server, so that the method can avoid the interference of other proxy servers in the process of identifying the Socks proxy server, and therefore the identification precision is high.
(3) The detection method and the detection system of the Socks proxy server provided by the invention can also perform space positioning on the Socks proxy server according to the ip, and provide convenience for supervision of the Socks proxy server.
(4) The distributed detection method of the Socks proxy server and the distributed detection system of the Socks proxy server provided by the invention are based on the detection method of the Socks proxy server provided by the invention, and the Socks proxy server detection is carried out on a plurality of task execution nodes in a distributed mode, so that the tasks can be executed in parallel.
(5) In the distributed detection system of the Socks proxy server provided by the invention, when the detection of any host to be tested fails, the central scheduling node transfers the detection task of that host from the original task execution node to another task execution node so as to restart the detection task. A fault transfer mechanism is thereby realized, which ensures that the detection of each host to be tested is executed normally.
Drawings
Fig. 1 is a flowchart of a detection method of a Socks proxy server according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a distributed detection method for Socks proxy servers according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a distributed detection system module of a Socks proxy server according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an execution flow of a distributed detection system of a Socks proxy server provided in an application example of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
In order to realize the detection of a Socks proxy server with an account number and a password and solve the problem of low recognition rate of the existing detection method of the Socks proxy server, the invention provides a detection method of the Socks proxy server, which is used for recognizing whether a host to be detected with known ip is the Socks proxy server or not, and as shown in figure 1, the detection method comprises the following steps:
(1) judging whether the host to be tested opens the service, if so, turning to the step (2); otherwise, turning to the step (6);
optionally, the judgment may be made with a network test instruction such as ping or tracert combined with the ip of the host to be tested, for example by sending the test instruction "ping -c 3 -w 6 " + ip to the host to be tested; if the host to be tested returns corresponding information, the host to be tested has opened the service; if the host to be tested returns no information, the host to be tested has not opened the service;
only when the host to be tested opens the service, the subsequent detection task of the Socks proxy server is continuously executed, so that invalid operation can be avoided, and the time required by detection is greatly saved;
(2) presetting a plurality of ports for establishing communication connection on a host to be tested;
on the internet, not all of the port numbers 1-65535 are used to open Socks proxies; setting commonly used ports saves detection time and improves detection efficiency. In the embodiment of the invention, the preset ports comprise 27274, 443, 2333, 80, 8080, 4145, 6667, 9999, 8082, 9050, 3128, 8388, 8000, 8888, 8088, 1080, 9000, 53281, 54566, 808, 8081, 8118, 65103, 21071, 1080, 64312, 53281, 54321;
it should be understood that, in other application scenarios, the setting may also be set according to the actual port opening condition of the detected host;
(3) sending a pre-constructed GET request message based on an HTTP protocol to a host to be tested through preset ports respectively, and acquiring response information of each port;
the constructed GET request message may be a GET request message conforming to any content of the HTTP protocol, for example, the content of a GET request message constructed according to a blank website is as follows:
'GET / HTTP/1.1\r\nHost: hm.baidu.com\r\n\r\n';
in the request message, hm.baidu.com is the website address of the blank website; the above contents are merely exemplary illustrations of the GET request message, and should not be construed as the only limitations of the present invention;
(4) analyzing the response information of each port, and if the response information does not contain the first characteristic character string and contains the second characteristic character string, judging that the host to be tested opens the Socks proxy service through the corresponding port; otherwise, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers;
specifically, the first characteristic character string and the second characteristic character string are both character strings predefined according to response characteristics of the proxy server for the GET request message;
in an alternative embodiment, the first characteristic string is 'SSH', 'FTP', '\xff\xfd\x18\xff\xfd\xff\xfd#\xff\xfd', 'SMTP', or 'HTTP';
the first characteristic character string is a character string specific to the response information that other proxy servers, such as SSH, FTP, SMTP, HTTP and the like, generate for a GET request message of the HTTP protocol; these proxy servers can interfere with the detection of Socks proxy servers;
in an alternative embodiment, the second characteristic string is '\x05\x00', '\x00[\x00\x00\x00\x00\x00\x00' or 'www.herokucdn.com';
the second characteristic character string is a special character string in the return information generated by the Socks proxy server aiming at the GET request message of the HTTP protocol;
by identifying the host to be tested which does not contain the first characteristic character string and contains the second characteristic character string as the Socks proxy server, the interference of other proxy servers can be avoided in the process of identifying the Socks proxy server, so that the identification precision of the invention is higher;
it should be noted that the first characteristic character string and the second characteristic character string are not limited to the above, and other character strings that can identify the relevant interference server may be also included in the first characteristic character string; similarly, other character strings that can identify the Socks proxy server can also be included in the second characteristic character string; in addition, the first characteristic character string and the second characteristic character string can be updated according to the actual application scene;
(5) if the host to be tested opens the Socks proxy service through any one port, identifying the host to be tested as the Socks proxy server; otherwise, identifying the host to be tested as a non-Socks proxy server;
(6) finishing the detection.
The invention uses a GET request message based on the HTTP protocol to detect the Socks proxy server, and identifies whether the host to be tested is a Socks proxy server according to whether the response information of the ports on the host to be tested contains the specific characteristic character strings. Because a Socks proxy server generates return information for a GET request message of the HTTP protocol whether or not it has an account and password, the invention can identify both Socks proxy servers without an account and password and Socks proxy servers with an account and password, thereby effectively solving the problem of the low recognition rate of existing Socks proxy server detection methods.
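Steps (3) to (5) can be followed in the Python sketch below, which is an added example and not code from the patent. The function names, the result labels and the sample responses are assumptions made for the illustration; the probe text and the two string lists are the ones given in the description.

```python
import socket

# Probe from the description: a plain HTTP GET sent to a port that may not speak HTTP.
PROBE = b"GET / HTTP/1.1\r\nHost: hm.baidu.com\r\n\r\n"

# First characteristic strings (the description's list): services to rule out.
# The byte string is the page's value with the extraction whitespace removed.
FIRST_FEATURES = (
    b"SSH", b"FTP", b"\xff\xfd\x18\xff\xfd\xff\xfd#\xff\xfd", b"SMTP", b"HTTP",
)
# Second characteristic strings (the description's list): marks of a Socks service.
# b"\x00[" plus six zero bytes is the 8-byte SOCKS4 reply with result code
# 0x5b (91, request rejected or failed); b"\x05\x00" starts like a SOCKS5
# reply (version 5 followed by a zero byte).
SECOND_FEATURES = (
    b"\x05\x00", b"\x00[\x00\x00\x00\x00\x00\x00", b"www.herokucdn.com",
)


def classify_response(data: bytes) -> str:
    """Step (4): label one port's response (labels are this example's own)."""
    if not data:
        return "no-response"          # nothing came back, so nothing to match
    if any(f in data for f in FIRST_FEATURES):
        return "excluded"             # first string present: another service
    if any(f in data for f in SECOND_FEATURES):
        return "socks"                # no first string, a second string present
    return "unknown"


def probe_port(host: str, port: int, timeout: float = 3.0, limit: int = 4096) -> bytes:
    """Step (3): send PROBE to host:port and return up to `limit` response bytes."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE)
            while len(data) < limit:
                chunk = s.recv(limit - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: keep whatever arrived before the error
    return data


def detect_host(host, ports, probe=probe_port):
    """Steps (3)-(5): ports judged to expose a Socks proxy; empty list = non-Socks."""
    hits = []
    for port in dict.fromkeys(ports):  # the preset list repeats some ports
        if classify_response(probe(host, port)) == "socks":
            hits.append(port)
    return hits


# Constructed sample responses (not captured traffic), keyed by port.
SAMPLES = {
    22: b"SSH-2.0-OpenSSH_8.9\r\n",
    25: b"220 mail.example.test ESMTP\r\n",
    80: b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    1080: b"\x00[\x00\x00\x00\x00\x00\x00",
    4145: b"\x05\x00",
    8080: b"HTTP/1.1 400 Bad Request\r\n\r\n\x05\x00",  # second string, but excluded
    9050: b"",
}


def sample_probe(host, port):
    """Offline stand-in for probe_port that replays the constructed samples."""
    return SAMPLES.get(port, b"")


if __name__ == "__main__":
    ports = [22, 25, 80, 1080, 4145, 8080, 9050, 1080]
    for p in dict.fromkeys(ports):
        print(p, classify_response(sample_probe("192.0.2.10", p)))
    print("socks ports:", detect_host("192.0.2.10", ports, probe=sample_probe))
```

The port 8080 sample shows why the exclusion check runs first: a two-byte pattern such as `\x05\x00` can occur inside unrelated data, and the first characteristic strings are what keep such a response from being counted.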
In order to further implement spatial positioning of the Socks proxy server, optionally, the method for detecting the Socks proxy server may further include:
if the host to be tested is identified as the Socks proxy server, the spatial position of the host to be tested is obtained according to the ip of the host to be tested, so that the physical positioning of the Socks proxy server is realized, and convenience is provided for the supervision of the Socks proxy server;
optionally, after the host to be tested is identified as the Socks proxy server, the corresponding longitude and latitude are obtained from the ip of the host to be tested by using the Baidu map API, the Google map API or another API, so as to acquire the geographic position of the Socks proxy server; furthermore, according to application requirements, the city or other administrative region to which the Socks proxy server belongs can be determined from the obtained longitude and latitude, which can also be done through a related map API.
Based on the detection method of the Socks proxy server, the invention also provides a distributed detection method of the Socks proxy server, which is used for identifying whether each of a large number of hosts to be tested whose ips are known (namely a plurality of hosts to be tested with known ips) is a Socks proxy server, and the distributed detection method comprises the following steps:
dividing all hosts to be tested into a plurality of host sets to be tested;
for each host set to be tested, sequentially detecting the hosts to be tested by using the detection method of the Socks proxy server to identify the Socks proxy server; performing detection on all host sets to be detected in parallel;
according to the distributed detection method of the Socks proxy server, the plurality of hosts to be detected are divided into the host set to be detected, so that detection of the hosts to be detected in the set is executed in series, and detection of the plurality of sets is executed in parallel, and therefore the detection rate can be effectively improved; in general, in order to improve the parallelism to the maximum extent, the number of hosts to be tested included in each host set to be tested is equal or similar.
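The partitioning described here and the fault transfer described for the central scheduling node in the fourth aspect can be sketched together as follows. This is an added example, not code from the patent: threads stand in for task execution nodes, each node is a callable that stands in for the single-host detection method, and all names and verdicts are constructed for the illustration.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed verdicts: host -> ports judged to be Socks (stand-in for real detection).
CONSTRUCTED_VERDICTS = {"192.0.2.3": [1080]}


def partition(hosts, n_sets):
    """Split hosts into n_sets lists whose sizes differ by at most one."""
    n_sets = max(1, min(n_sets, len(hosts) or 1))
    return [hosts[i::n_sets] for i in range(n_sets)]


def make_node(name, broken=False):
    """Build a task execution node; a broken node fails every task it is given."""
    def node(host):
        if broken:
            raise ConnectionError(f"{name} unavailable")
        return CONSTRUCTED_VERDICTS.get(host, [])
    return node


def run_task(node, host_set):
    """One detection task: the node checks the hosts of its set one after another."""
    return {host: node(host) for host in host_set}


def schedule(hosts, nodes, n_sets=None):
    """Central scheduling node: distribute sets, run them in parallel, fail over."""
    sets = partition(list(hosts), n_sets or len(nodes))
    results, log = {}, []
    # Each pending item is (set index, node index to try, attempt number).
    pending = [(i, i % len(nodes), 1) for i in range(len(sets))]
    with ThreadPoolExecutor(max_workers=len(nodes)) as pool:
        while pending:
            futures = [(item, pool.submit(run_task, nodes[item[1]], sets[item[0]]))
                       for item in pending]
            pending = []
            for (set_i, node_i, attempt), fut in futures:
                try:
                    results.update(fut.result())
                    log.append((set_i, node_i, "ok"))
                except Exception:
                    log.append((set_i, node_i, "failed"))
                    if attempt < len(nodes):  # an untried node remains
                        pending.append((set_i, (node_i + 1) % len(nodes), attempt + 1))
    return results, log


if __name__ == "__main__":
    hosts = ["192.0.2.%d" % i for i in range(1, 8)]
    nodes = [make_node("node-a"), make_node("node-b", broken=True), make_node("node-c")]
    results, log = schedule(hosts, nodes)
    print(log)
    print({h: p for h, p in results.items() if p})
```

The log records each attempt as (set, node, outcome), so a task moved away from a failed node appears twice, once as failed on the original node and once as completed on the node that took it over.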
The invention also provides a detection system of the Socks proxy server, which is used for realizing the detection method of the Socks proxy server, and the detection system comprises the following components: the device comprises a prejudgment module, a port setting module, a transceiving module, an analysis module and an identification module;
the pre-judging module is used for judging whether the host to be detected opens the service or not and ending the detection when the host to be detected does not open the service;
the port setting module is used for presetting a plurality of ports for establishing communication connection on the host to be tested when the pre-judging module judges that the host to be tested is open to service;
the receiving and sending module is used for respectively sending a pre-constructed GET request message based on the HTTP to the host to be tested through each preset port and acquiring response information of each port;
the analysis module is used for analyzing the response information of each port, and judging that the host to be tested opens the Socks proxy service through the corresponding port when the response information does not contain the first characteristic character string and contains the second characteristic character string; and under other conditions, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the identification module is used for identifying the host to be tested as a Socks proxy server when the analysis module judges that the host to be tested opens the Socks proxy service through any one port; under other conditions, identifying the host to be tested as a non-Socks proxy server;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers;
in the embodiment of the present invention, the detailed implementation of each module may refer to the description of the method embodiment described above, and will not be repeated here.
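The decision rule of the analysis and identification modules, as an added Python example that is not the patent's own code. It runs offline over constructed response bytes; the characteristic strings are the ones listed in claims 2 and 3 with the translation's stray spaces removed, and the function and variable names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# First characteristic strings (claim 2): a hit means another kind of server
# answered, so the port is ruled out before the Socks check runs.
FIRST_STRINGS = [
    b"SSH",
    b"FTP",
    b"\xff\xfd\x18\xff\xfd\xff\xfd#\xff\xfd",
    b"SMTP",
    b"HTTP",
]

# Second characteristic strings (claim 3): a hit marks a Socks proxy service.
SECOND_STRINGS = [
    b"\x05\x00",
    b"\x00[\x00\x00\x00\x00\x00\x00",
    b"www.herokucdn.com",
]


@dataclass(frozen=True)
class PortVerdict:
    socks: bool               # True when the port is judged to offer Socks
    matched: Optional[bytes]  # string that decided the verdict, None if none matched
    reason: str


def analyse_response(response: bytes) -> PortVerdict:
    """Analysis module: exclusion strings are checked first, then Socks strings."""
    for sig in FIRST_STRINGS:
        if sig in response:
            return PortVerdict(False, sig, "excluded by first characteristic string")
    for sig in SECOND_STRINGS:
        if sig in response:
            return PortVerdict(True, sig, "second characteristic string present")
    return PortVerdict(False, None, "no characteristic string matched")


def socks_ports(responses: Dict[int, bytes]) -> List[int]:
    """Ports of one host whose response is judged to come from a Socks service."""
    return sorted(p for p, r in responses.items() if analyse_response(r).socks)


def is_socks_proxy_server(responses: Dict[int, bytes]) -> bool:
    """Identification module: one Socks port is enough to label the host."""
    return bool(socks_ports(responses))


# Constructed responses for one host, keyed by probed port (not captured traffic).
CONSTRUCTED_RESPONSES = {
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    25: b"220 mail.example.test ESMTP\r\n",
    # Body happens to contain \x05\x00, but "HTTP" excludes the port first.
    80: b"HTTP/1.1 400 Bad Request\r\nContent-Length: 2\r\n\r\n\x05\x00",
    1080: b"\x05\x00",
    1081: b"\x00[\x00\x00\x00\x00\x00\x00",
    8443: b"",  # port open but silent: nothing matches
}

if __name__ == "__main__":
    for port, data in sorted(CONSTRUCTED_RESPONSES.items()):
        v = analyse_response(data)
        print(f"{port:>5}  socks={v.socks!s:<5}  {v.reason}  {v.matched!r}")
    print("Socks proxy server:", is_socks_proxy_server(CONSTRUCTED_RESPONSES))
```

The port 80 sample shows why the order of the two checks matters: a two-byte string such as `\x05\x00` can occur inside unrelated payloads, and the first characteristic strings remove those responses before the Socks check is applied.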
According to a fourth aspect of the present invention, there is provided a distributed detection system of a Socks proxy server, configured to implement the distributed detection method of the Socks proxy server, as shown in fig. 2, where the distributed detection system comprises: a database, a central scheduling node and a plurality of parallel task execution nodes;
the central scheduling node is used for dividing all the hosts to be tested into a plurality of host sets to be tested and distributing the detection tasks of the host sets to be tested to a plurality of different task execution nodes so as to execute the detection tasks of the host sets to be tested in parallel;
the task execution node is used for sequentially detecting the hosts to be tested in the received host set to be tested by using the detection method of the Socks proxy server so as to identify the Socks proxy server, returning the task execution result to the central scheduling node and persistently storing the detection result in the database; the execution result indicates the success or failure of task execution, and the detection result comprises the ip address, the port and the spatial position information of the Socks proxy server;
the central scheduling node is also used for receiving the execution result returned by each task execution node and transferring the task failed to be executed from the original task execution node to other task execution nodes to continue executing according to the execution result;
as shown in fig. 3, in the embodiment of the present invention, the central scheduling node specifically comprises: a task distribution module and a fault transfer module;
the task distribution module is used for dividing all the hosts to be tested into a plurality of host sets to be tested and distributing the detection tasks of the host sets to be tested to a plurality of different task execution nodes so as to execute the detection tasks of the host sets to be tested in parallel;
the fault transfer module is used for receiving the execution result returned by each task execution node and transferring the task failed to be executed from the original task execution node to other task execution nodes to continue executing according to the execution result;
the task execution node comprises: a pre-judging module, a port setting module, a receiving and sending module, an analysis module, an identification module, a storage module and a return module;
the pre-judging module is used for judging whether the host to be detected opens the service or not and finishing the detection of the host to be detected when the host to be detected does not open the service;
the port setting module is used for presetting a plurality of ports for establishing communication connection on the host to be tested when the pre-judging module judges that the host to be tested is open to service;
the receiving and sending module is used for respectively sending a pre-constructed GET request message based on the HTTP to the host to be tested through each preset port and acquiring response information of each port;
the analysis module is used for analyzing the response information of each port, and judging that the host to be tested opens the Socks proxy service through the corresponding port when the response information does not contain the first characteristic character string and contains the second characteristic character string; and under other conditions, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the identification module is used for identifying the host to be tested as a Socks proxy server when the analysis module judges that the host to be tested opens the Socks proxy service through any one port; under other conditions, identifying the host to be tested as a non-Socks proxy server;
the storage module is used for storing the detection result into a database in a persistent mode;
the return module is used for returning the execution result to the central scheduling node;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers;
in the embodiment of the present invention, the detailed implementation of each module may refer to the description of the method embodiment described above, and will not be repeated here.
In the distributed detection system of the Socks proxy server, the central scheduling node and the task execution nodes form a Master-Slave model, and each task execution node executes the detection task of the Socks proxy server in parallel after scheduling, so that the detection rate of a large-scale host to be detected can be effectively improved.
In an optional implementation, in the distributed detection system of the Socks proxy server, the task execution node is further configured to re-execute all detection tasks distributed to it after a preset time interval elapses. The time interval is set from two quantities: the execution time of the detection task, which is determined from the actual task execution time, and the change of the proxies to be detected, which can be set to a constant; the time interval is the sum of the execution time of the detection task and the constant. For example, if a task execution node needs 3 hours to execute a task and the proxies to be detected update once every 3 hours (proxies change addresses and ports frequently), the corresponding time interval is 6 hours. The task execution time of a task execution node can be predicted through experiments, but proxy changes are made by the proxy provider, so in actual detection a constant such as several days, a week or a month can be set;
since the ip and port list of the Socks proxy servers is updated over time, having the task execution node re-execute all the detection tasks distributed to it after the preset time interval ensures the validity and timeliness of the detection result.
Application example
Fig. 3 is a schematic diagram of an implementation of the distributed detection system of the Socks proxy server provided by the present invention; the distributed detection method of the Socks proxy server based on this system is shown in fig. 4;
the Master node is the central scheduling node, and the Slave nodes are the task execution nodes; the raw data is stored in a database, and the corresponding execution results are stored in a log;
based on the distributed detection system shown in fig. 3, the distributed detection method of the Socks proxy server provided by the invention can be generally simplified into the following steps:
1. the user submits a task to the Master node ->
2. the Master node receives the task and distributes it to the Slave nodes ->
3. the Slave node starts the detection task ->
4. the Slave node obtains Socks proxy data and records a log ->
5. the Slave node stores the Socks proxy data in the database ->
6. the Slave node returns the execution result to the Master node ->
7. the Master node stores the execution result as a disk file and decides, according to the execution result, whether to apply the fault transfer mechanism.
The following description is made in conjunction with fig. 3 and 4:
(S1) the user collects the target servers to be detected, mainly the public ip ranges of some cloud service providers;
(S2) the user Client submits the list of hosts to be tested to the Master node; the Master node queries the number of online Slave nodes and segments the hosts to be tested; the segmentation strategy can be chosen dynamically from various customized strategies, including polling, random, consistent HASH, least frequently used, least recently used, fault transfer, busy transfer and other strategies; generally, the consistent HASH strategy can be selected to achieve load balancing; the Master node issues the segmented tasks to each Slave node according to the selected segmentation strategy;
(S3) the Master node and the Slave nodes communicate through heartbeat information; after receiving the fragment issued by the Master node, a Slave node starts the proxy detection task and probes each ip on the preset ports, with data transmission realized mainly by network I/O; the detected information comprises the ip, the port on which the Socks proxy service is open, the longitude and latitude of the Socks proxy server and the city to which it belongs;
(S4) when the Slave node performs proxy detection, information such as the ip and the open ports can be obtained directly, whereas the geographic position, namely the longitude and latitude, cannot be obtained directly by detection and is acquired by calling the Baidu Maps API or the Google Maps API with the specific ip; the corresponding city is likewise obtained by calling a related map API;
(S5) while executing the detection task, if the detection of any host to be tested fails, the task execution node retries a certain number of times; if the detection still fails, the related information of the task execution failure is sent to the Master node;
(S6) the Slave node keeps communicating with the Master node while executing the detection task; once a Slave node fails to execute a task, the Master node can detect the abnormal condition, and the Master node transfers the failed detection task from the original execution node to another execution node, realizing the fault transfer mechanism;
(S7) each Slave node stores the collected data in the database; the database must be open to remote connections and, to ensure security, allows only the Slave nodes to log in; the Master node also needs its own database to store task execution logs that record the execution status of the tasks; once a task fails, the logs can be queried to determine which host's detection task failed, and that detection task is restarted, which ensures the integrity of data collection.
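Steps (S2) and (S6) as an added Python example that is not the patent's own code: the Master segments hosts with a consistent-hash ring and, on failure of a Slave, reassigns only that Slave's hosts. The node names, the documentation-range ips, the use of SHA-256 and 64 virtual points per node are assumptions, and spreading the failed shard over the remaining nodes by ring position is one possible fault transfer policy.

```python
import bisect
import hashlib
from typing import Dict, Iterable, List, Tuple


class HashRing:
    """Consistent-hash ring; each node sits at `vnodes` points to even out load."""

    def __init__(self, nodes: Iterable[str], vnodes: int = 64) -> None:
        self._vnodes = vnodes
        self._ring: List[Tuple[int, str]] = []  # sorted (point, node) pairs
        for node in nodes:
            self.add(node)

    @staticmethod
    def _point(key: str) -> int:
        # Stable 64-bit position on the ring, identical on every run and machine.
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

    def add(self, node: str) -> None:
        for i in range(self._vnodes):
            bisect.insort(self._ring, (self._point(f"{node}#{i}"), node))

    def remove(self, node: str) -> None:
        self._ring = [(p, n) for p, n in self._ring if n != node]

    def owner(self, host_ip: str) -> str:
        """First node clockwise from the host's position, wrapping at the end."""
        if not self._ring:
            raise RuntimeError("no task execution node is online")
        idx = bisect.bisect(self._ring, (self._point(host_ip),)) % len(self._ring)
        return self._ring[idx][1]


def segment(hosts: Iterable[str], ring: HashRing) -> Dict[str, List[str]]:
    """(S2) Master: split the host list into one host set per online Slave."""
    shards: Dict[str, List[str]] = {}
    for ip in hosts:
        shards.setdefault(ring.owner(ip), []).append(ip)
    return shards


def fail_over(shards: Dict[str, List[str]], failed: str,
              ring: HashRing) -> Dict[str, List[str]]:
    """(S6) Master: take the failed Slave off the ring and move only its hosts."""
    ring.remove(failed)
    moved = {n: list(ips) for n, ips in shards.items() if n != failed}
    for ip in shards.get(failed, []):
        moved.setdefault(ring.owner(ip), []).append(ip)
    return moved


# Constructed inputs: RFC 5737 documentation addresses and made-up node names.
HOSTS = [f"192.0.2.{i}" for i in range(1, 41)]
SLAVES = ["slave-1", "slave-2", "slave-3"]

if __name__ == "__main__":
    ring = HashRing(SLAVES)
    before = segment(HOSTS, ring)
    after = fail_over(before, "slave-2", ring)
    for name, shards in (("before", before), ("after", after)):
        print(name, {n: len(ips) for n, ips in sorted(shards.items())})
```

Hosts already assigned to healthy Slaves keep their owner after the failover, so work that has completed or is in progress there is not reshuffled.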
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (9)

1. A detection method of a Socks proxy server is used for identifying whether a host to be detected with known ip is the Socks proxy server or not, and is characterized by comprising the following steps:
(1) judging whether the host to be tested opens the service, if so, turning to the step (2); otherwise, turning to the step (6);
(2) presetting a plurality of ports for establishing communication connection on the host to be tested;
(3) sending a pre-constructed GET request message based on an HTTP protocol to the host to be tested through each preset port respectively, and acquiring response information of each port;
(4) analyzing the response information of each port, and if the response information does not contain the first characteristic character string and contains the second characteristic character string, judging that the host to be tested opens the Socks proxy service through the corresponding port; otherwise, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
(5) if the host to be tested opens the Socks proxy service through any one port, identifying the host to be tested as the Socks proxy server; otherwise, identifying the host to be tested as a non-Socks proxy server;
(6) finishing detection;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers.
2. The method of probing a Socks proxy server of claim 1, wherein the first characteristic string is 'SSH', 'FTP', '\xff\xfd\x18\xff\xfd\xff\xfd#\xff\xfd', 'SMTP', or 'HTTP'.
3. The method for detecting the Socks proxy server of claim 1, wherein the second characteristic string is '\x05\x00', '\x00[\x00\x00\x00\x00\x00\x00' or 'www.herokucdn.com'.
4. The probing method for Socks proxy server of any one of claims 1 to 3, further comprising: and if the host to be tested is identified as the Socks proxy server, obtaining the spatial position of the host to be tested according to the ip of the host to be tested, thereby realizing the physical positioning of the Socks proxy server.
5. A distributed detection method of a Socks proxy server, used for identifying whether each of a large number of hosts to be tested with known ip is a Socks proxy server, characterized by comprising the following steps:
dividing all hosts to be tested into a plurality of host sets to be tested;
for each host set to be tested, sequentially testing the hosts to be tested by using the testing method of the Socks proxy server as claimed in any one of claims 1 to 4 to identify the Socks proxy server; the probing of all host sets to be tested is performed in parallel.
6. A detection system of a Socks proxy server, used for identifying whether a host to be tested with known ip is a Socks proxy server, characterized by comprising: a pre-judging module, a port setting module, a receiving and sending module, an analysis module and an identification module;
the pre-judging module is used for judging whether the host to be detected opens the service or not and ending the detection when the host to be detected does not open the service;
the port setting module is configured to preset a plurality of ports for establishing communication connection on the host to be tested when the pre-judging module judges that the host to be tested opens the service;
the receiving and sending module is used for respectively sending a pre-constructed GET request message based on an HTTP protocol to the host to be tested through each preset port and acquiring response information of each port;
the analysis module is used for analyzing the response information of each port, and judging that the host to be tested opens the Socks proxy service through the corresponding port when the response information does not contain the first characteristic character string and contains the second characteristic character string; and under other conditions, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the identification module is used for identifying the host to be tested as a Socks proxy server when the analysis module judges that the host to be tested opens the Socks proxy service through any one port; under other conditions, identifying the host to be tested as a non-Socks proxy server;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers.
7. A distributed detection system of a Socks proxy server, used for identifying whether each of a large number of hosts to be tested with known ip is a Socks proxy server, characterized by comprising: a database, a central scheduling node and a plurality of parallel task execution nodes;
the central scheduling node is used for dividing all the hosts to be tested into a plurality of host sets to be tested and distributing the detection tasks of the host sets to be tested to a plurality of different task execution nodes so that the detection tasks in the host sets to be tested are executed in parallel;
the task execution node is used for sequentially detecting the hosts to be detected in the received host set to be detected by using the detection method of the Socks proxy server according to any one of claims 1 to 4 so as to identify the Socks proxy server in the host set, returning the task execution result to the central scheduling node, and persistently storing the detection result in the database; the execution result is used for displaying the success or failure of task execution, and the detection result comprises ip address, port and space position information of the Socks proxy server;
and the central scheduling node is also used for receiving the execution result returned by each task execution node and transferring the task failed to be executed from the original task execution node to other task execution nodes to continue executing according to the execution result.
8. The distributed probing system for Socks proxy server of claim 7 wherein the central scheduling node comprises: a task distribution module and a fault transfer module;
the task distribution module is used for dividing all the hosts to be tested into a plurality of host sets to be tested and distributing the detection tasks of the host sets to be tested to a plurality of different task execution nodes so that the detection tasks of the host sets to be tested are executed in parallel;
and the fault transfer module is used for receiving the execution result returned by each task execution node and transferring the task failed to be executed from the original task execution node to other task execution nodes to continue executing according to the execution result.
9. The distributed probing system for Socks proxy server of claim 7 or 8 wherein the task execution node comprises: a pre-judging module, a port setting module, a receiving and sending module, an analysis module, an identification module, a storage module and a return module;
the pre-judging module is used for judging whether a host to be detected opens the service or not and finishing the detection of the host to be detected when the host to be detected does not open the service;
the port setting module is configured to preset a plurality of ports for establishing communication connection on the host to be tested when the pre-judging module judges that the host to be tested opens the service;
the receiving and sending module is used for respectively sending a pre-constructed GET request message based on an HTTP protocol to the host to be tested through each preset port and acquiring response information of each port;
the analysis module is used for analyzing the response information of each port, and judging that the host to be tested opens the Socks proxy service through the corresponding port when the response information does not contain the first characteristic character string and contains the second characteristic character string; and under other conditions, judging that the host to be tested does not open the Socks proxy service through the corresponding port;
the identification module is used for identifying the host to be tested as a Socks proxy server when the analysis module judges that the host to be tested opens the Socks proxy service through any one port; under other conditions, identifying the host to be tested as a non-Socks proxy server;
the storage module is used for storing the detection result into the database in a persistent mode;
the return module is used for returning the execution result to the central scheduling node;
the first characteristic character string and the second characteristic character string are character strings pre-collected according to proxy characteristics, the first characteristic character string is used for eliminating interference of other proxy servers, and the second characteristic character string is used for identifying the Socks proxy servers.
CN201910453811.XA 2019-05-28 2019-05-28 Detection method, distributed detection method and system for Socks proxy server Active CN110233774B (en)

Publications (2)

Publication Number Publication Date
CN110233774A (en) 2019-09-13
CN110233774B (en) 2020-12-29
