TW201608850A - Method for detecting a number of client terminals from the internet request traffics sharing the public IP address and system for detecting the same - Google Patents


Info

Publication number
TW201608850A
Authority
TW
Taiwan
Prior art keywords
client
dns
domain
server
address
Application number
TW104115309A
Other languages
Chinese (zh)
Other versions
TWI590616B (en)
Inventor
崔鍾浩
高承廣
Original Assignee
普蘭蒂網絡有限公司
Application filed by 普蘭蒂網絡有限公司
Publication of TW201608850A
Application granted
Publication of TWI590616B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method and a system for detecting, from Internet request traffic sharing a public IP address, the number of client terminals on a private network that use the same public IP address. The method comprises the following steps: mirroring the DNS request message traffic of the client terminals and forwarding the mirrored DNS request message traffic to a push server; extracting DNS request message information, wherein the push server parses the mirrored traffic to confirm that it is a DNS request message and extracts the transaction ID and domain name as the information required to generate a fake DNS response message; generating a fake DNS response message and transmitting it to the client terminal, wherein the TTL (Time To Live) of its answer field is set to a value designated by the push server; and calculating the number of client terminal devices by counting the maximum number of transmissions of DNS request messages for the same domain with the same ID or the same public IP address of the client terminal during the time period.

Description

Method and system for detecting the number of clients from Internet request traffic sharing a public IP address

The present invention relates to a method for detecting the number of clients from Internet request traffic sharing a public IP address, and to a public IP sharing state detection system. More particularly, the present invention relates to a method and system for detecting the number of clients on a private network that uses the same public IP address, so that users with multiple connections can be detected among Internet service subscribers who use IP routers, in cases where a subscriber connects multiple terminals to the Internet service network provided by the ISP through a single IP router with an IP address translation function (such as a NAT or Internet router that shares the single public IP assigned to the line).

In recent years, a public IP sharing arrangement has become common in which multiple clients such as PCs connect to the network at the same time: an IP router shares the single public IP assigned to an Internet service subscriber among multiple terminals so that they can use the Internet service simultaneously. In companies and enterprises, NAT (network address translation) is configured on the router to build a firewall between the internal network and the external Internet, and private IPs are used on the internal network.

On the other hand, an Internet service provider (ISP) has limited network resources, such as the network devices in its infrastructure, its network maintenance budget, and network speed. As the use of NAT or IP routers increases, more users are connected over a single line supplied by the network, and these multiple connections produce a large increase in traffic. In this situation, ordinary users who use one public IP line for one client (PC or smart device), or a separate public IP line for each of several clients (PCs or smart devices), are placed at a relatively large disadvantage.

It is therefore necessary to detect multiple connections made by several client devices (user terminals, user PCs or smart terminals) over the one public IP line that corresponds to an Internet service subscriber line. Doing so requires tracking the real IP address (private IP address) of each client device connected to the Internet service, but the real IP address (private IP address) cannot be seen from outside the internal network, because the NAT or IP router translates it to the public IP address. It is therefore also difficult to detect which private IP addresses are sharing one public IP address.

To solve this problem, Korean Patent No. 10-0723657 (published May 23, 2007) discloses a technique for accurately determining the number of simultaneous users by identifying the individual private IPs of the users in a private network that uses a specific public Internet IP. More specifically, it proposes the following procedure.

- Within a private network using a specific public IP (Internet IP), analyze the TCP/IP packets and redirect all sessions that connect to the first domain in the requested page to the sharer's domain

- Capture the user's private IP at the same time

- Build a DB (database) to determine the number of users using the Internet at the same time

- When multiple private IP users access the Internet simultaneously over the same specific public IP line, use the above DB (database) to selectively allow or block TCP/IP (Transmission Control Protocol/Internet Protocol) based Internet access

However, this technique works only if an applet is installed and run on the user's computer. If the user notices that the applet has been installed or is running, the user will delete it or stop it. It therefore cannot be an adequate final solution.

Meanwhile, to address the shortcomings of the prior art mentioned above, Korean Patent Application Laid-Open Publication No. 10-2009-0041752 (published April 29, 2009) teaches another prior art. It uses a precise detection algorithm to find the exact number of devices on the client side, based on the web browser cookies generated on the multiple devices in the private network being examined. This prior art also teaches a TCP/IP-based technique in which, when users of a private network behind a specific public IP attempt to connect more devices to the Internet simultaneously than the permitted number of lines, a monitoring server blocks the Internet connection of client devices selected using a job scheduler and cookie pool DB information, which is updated at time intervals for the private network.

[Object of the invention]: Technical problems of the prior art

However, the prior-art methods and systems for detecting and blocking IP routers rely on cookies stored in a specific area of the user's computer to detect heavy users of an IP router with an IP address sharing function. Cookies are provided as an extension of the standard HTTP protocol and are handled by the web browser (that is, at the application level) to give the client side continuity. They are stored in a known location on the hard disk of the user's computer, and most computer users know how to delete them.

Because cookies stored in bulk can slow down Internet access, web browsers provide the ability to delete cookies by default after a predetermined period.

However, when cookies are deleted during an Internet connection and the web browser is run again, web traffic is generated with new cookies, and the prior-art blocking system described above mistakes the web traffic from one terminal (one computer) for web traffic from another terminal (another computer; another cookie) with the same public IP address (that is, other traffic through the same IP router).

This error can cause ordinary users to have their traffic blocked by mistake, which seriously damages the security of the service provided by the Internet service provider (ISP).

Cookies have a further problem: when several types of browser (for example, Microsoft Internet Explorer, Google Chrome, Firefox, Opera, Safari) are used on a single device, the same terminal can be identified as different terminals, because web cookies are managed separately by each type of web browser. As a result of this confusion, one terminal is mistaken for several terminals, and ordinary users can have their traffic blocked by mistake.

To solve this problem and overcome the dependence on the web browser, Korean Patent No. 10-108791 (published November 29, 2011) proposes a method which, in addition to the step of confirming the number of devices using cookies, further includes a step of checking for a Flash cookie previously created at a specific location on the terminal.

However, with this method it is difficult to keep track of the Flash cookie storage location, and when a browser vendor releases or updates a browser, the Flash cookie storage location and the procedure for retrieving stored Flash cookies may change. If such a change occurs, a second web browser may fail to retrieve the Flash cookie already stored by the first web browser and create a new Flash cookie. As a result, one terminal is mistaken for several terminals, and ordinary users can have their traffic blocked by mistake.

Therefore, to maintain the security of the service provided by the Internet service provider (ISP), a system using this method bears the burden of continuously monitoring and managing changes in the Flash cookie storage location and retrieval procedure for each type of web browser.

[Summary of the invention]: Technical solution

According to one aspect of the present invention, which solves the problems of the prior art described above, there is provided a method for detecting, from Internet request traffic sharing a public IP address, the number of clients on a private network that use the same public IP address, the method comprising the following steps:

(I) when a client runs a web browser and requests a connection to a website on the Internet, transmitting a DNS request message to a DNS (Domain Name System; it resolves a domain or host name into an IP address made up of numbers on the network) server in order to find the IP address of the website domain (for example, www.naver.com) that the client wants to access;

(II-1) mirroring the client's DNS request message traffic, wherein a mirroring device provided in the backbone network of the ISP (Internet service provider) mirrors the DNS request message traffic generated by the client and forwards the mirrored DNS request message traffic to a push server;

(II-2) extracting DNS request message information, wherein the push server parses the mirrored traffic to confirm that it is a DNS request message and extracts the transaction ID and domain name as the information required to generate a fake DNS response message;

(III) generating a fake DNS response message and transmitting it to the client, wherein the push server checks whether the extracted domain is an in-monitoring domain monitored by the push server and, only if it is, converts the domain name into a domain IP, generates the fake DNS response message and transmits it to the client, wherein the fake DNS response message includes the extracted transaction ID and the converted domain IP, and the TTL (Time To Live) of its answer field is set to a value designated by the push server (for example, 2 hours);

(IV-1) transmitting DNS history information from the push server to an analysis server, wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the public IP address or ID of the client;

(IV-2) storing the IP address of the specific domain in the kernel of the operating system, wherein, upon receiving the fake DNS response message, the client connects to the specific website domain and stores the IP address obtained as the DNS resolution result for that domain in the kernel of the operating system for the period designated by the push server, so that the client is prevented from generating DNS request messages for the specific domain during that period;

(V) storing, by the analysis server, the DNS history information received from the push server in a first DB server, wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the public IP address or ID of the client; and

(VI) calculating the number of client devices, wherein the analysis server uses the DNS history information stored in the first DB server to count the maximum number of transmissions of DNS request messages for the same domain with the same client ID or the same public IP address during the period designated by the push server (the TTL value; for example, 2 hours), and thereby calculates the number of client devices that share the same public IP address through the IP router.

More specifically, once the IP address obtained as the DNS resolution result for the designated domain is stored in the kernel of the operating system, the client connects to the designated domain using the stored IP address and no longer generates a DNS request message to reconnect to that domain.

A single client device cannot send a DNS request message for the same domain more than once during the period (TTL value) designated by the push server. Therefore, by counting the maximum number of transmissions of DNS request messages for the same domain with the same client ID or the same public IP address during the period designated by the push server (the TTL value; for example, 2 hours), the analysis server can calculate the number of client devices that share the same public IP address and requested a connection to the designated domain during that period.

However, in the step of transmitting DNS history information from the push server to the analysis server, the push server transmits DNS history information that includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the public IP address or ID of the client. If the push server is to transmit the client's ID rather than its public IP address to the analysis server, the real-time user IP allocation history can be supplied by a second DB server. The second DB server is functionally distinct from the first DB server described above; it may be physically integrated with the first DB server, or it may be configured physically separate from the first DB server.

In addition, another aspect of the present invention provides a public IP sharing state detection system.

[Advantageous effects of the invention]

According to the present invention, over-use by clients that access the Internet with the same public IP through an IP router can be detected more accurately. In particular, unlike the cookies of the prior art, the DNS resolution result stored in the kernel of the operating system for the set period cannot easily be removed by the user being examined. This makes it possible to prevent the line failures of the Internet connection that arise in the prior art when deleted cookies cause the count to be overestimated above the real number of clients.

Furthermore, in the prior art described above that checks Flash shared objects (known as Flash cookies), which was proposed to solve the browser dependence of ordinary cookies, the system operator must continuously monitor whether the storage location of the Flash shared object is still maintained for each of the various web browsers. According to the present invention, by contrast, as long as the operating system does not change, the result of the fake DNS response message is kept in the kernel of the operating system regardless of which web browser is used. The detection method or system of the present invention therefore lowers the probability of false detection and reduces operating costs in running an IP router over-use detection system.

100‧‧‧IP router

200‧‧‧Public IP sharing state detection system

210‧‧‧Mirroring device

220‧‧‧Push server

230‧‧‧Analysis server

240‧‧‧First DB server

300‧‧‧Internet

310‧‧‧DNS server

FIG. 1 is a schematic diagram illustrating an exemplary embodiment of the detection system of the present invention;
FIG. 2a is an overall flowchart illustrating the steps performed to detect the number of clients on a private network using the same public IP address according to an exemplary embodiment of the present invention, and FIG. 2b is a detailed flowchart illustrating the steps of generating and transmitting the fake DNS response message performed by the push server;
FIG. 3 is a schematic state diagram illustrating the first state, in which a client generates DNS request traffic in order to connect to a specific domain;
FIG. 4 is a schematic state diagram illustrating the state following FIG. 3, in which the client's DNS request message traffic is mirrored and the mirrored DNS request message traffic is forwarded to the push server;
FIG. 5 is a schematic state diagram illustrating the next state, in which the mirrored DNS request message traffic is parsed and the DNS request message information is extracted;
FIG. 6 is a screen capture illustrating an exemplary embodiment of DNS request message traffic;
FIG. 7 is a schematic state diagram illustrating the main step, in which the push server generates the fake DNS response message and transmits it to the client;
FIG. 8a is a screen capture illustrating an exemplary embodiment of a fake DNS response message built from the extracted DNS request message information, and FIG. 8b shows in more detail that the TTL (Time To Live) in the answer field has been set to 2 hours;
FIG. 9 is a schematic state diagram illustrating the procedure in which the push server transmits DNS history information to the analysis server and the analysis server stores it in the first DB (database) server;
FIG. 10a is a schematic state diagram illustrating an exemplary embodiment of the procedure for calculating the number of client devices using the same public IP address from the DNS history information stored in the first DB server, and FIG. 10b is a schematic state diagram illustrating an exemplary embodiment with an additional procedure that supplies the real-time user IP allocation history;
FIG. 11 is a schematic state diagram illustrating the following procedure: upon receiving the fake DNS response message, the client stores the IP address obtained as the DNS resolution result for the specific domain in the kernel of the operating system for the period designated by the push server, so that the client is prevented from generating DNS request messages for the specific domain during that period, and the client connects to the specific website domain.

In the following, exemplary embodiments of the present invention for detecting the number of clients in a private network using the same public IP address are described with reference to the accompanying drawings.

An exemplary embodiment of the public IP sharing state detection system according to the present invention is described with reference to the basic configuration diagrams and flowcharts of FIG. 1, FIG. 2a, FIG. 2b and FIG. 3 to FIG. 11.

As shown in FIG. 1, an exemplary embodiment of the public IP sharing state detection system (200) according to the present invention comprises a mirroring device (210), a push server (220), an analysis server (230), a first DB server (240) and an additional second DB server (see FIG. 10b). More specifically, these components work as follows.

The mirroring device (210) is located in the backbone network of the Internet service provider (ISP) and mirrors (see FIG. 4) the DNS request message traffic (see FIG. 3) that a client sends to the DNS server to obtain the IP address of a specific domain. The client is a client of an ISP subscriber (PC-1, PC-2, Smartphone-1, Smart TV-1), and the specific domain is the domain of the target website (for example, www.naver.com) on the Internet (300) requested by the web browser running on the client.

The push server (220) is a device that performs the following operations: it parses (see FIG. 5) the mirrored traffic to confirm that it is a DNS request message; extracts the transaction ID and domain name as the information required to generate a fake DNS response message (see FIG. 6); checks whether the extracted domain is an in-monitoring domain; converts the domain name into a domain IP only if the domain is an in-monitoring domain; generates a fake DNS response message that includes the extracted transaction ID and the converted domain IP (see FIG. 8a); and transmits the generated fake DNS response message to the client (see FIG. 7), wherein the TTL (Time To Live) of the answer field of the fake DNS response message is set to a value designated by the push server (for example, 2 hours; see FIG. 8b). In addition, the push server (220) transmits DNS history information to the analysis server (230) (see FIG. 9), wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the public IP address or ID of the client.
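The parsing and extraction part of the push server's work, written out as an added example (not code from the patent): it confirms that a mirrored UDP payload is a standard DNS query, extracts the transaction ID and domain name, and checks the domain against a watch list. The names MONITORED_DOMAINS, parse_dns_query, extract_monitored and build_query are hypothetical, and the sample packets are constructed.

```python
import struct

# Hypothetical watch list standing in for the push server's in-monitoring domains.
MONITORED_DOMAINS = {"www.naver.com"}


class NotADnsQuery(ValueError):
    """The mirrored UDP payload is not a well-formed standard DNS query."""


def parse_dns_query(payload: bytes):
    """Return (transaction_id, domain_name, qtype) from a DNS query payload."""
    if len(payload) < 12:
        raise NotADnsQuery("shorter than the 12-byte DNS header")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack(
        "!6H", payload[:12])
    if flags & 0x8000:
        raise NotADnsQuery("QR bit set: message is a response, not a request")
    if (flags >> 11) & 0xF:
        raise NotADnsQuery("opcode is not a standard QUERY")
    if qdcount != 1 or ancount != 0:
        raise NotADnsQuery("expected one question and no answers")

    labels, pos, name_len = [], 12, 0
    while True:
        if pos >= len(payload):
            raise NotADnsQuery("question name is truncated")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63:          # includes 0xC0 compression pointers
            raise NotADnsQuery("invalid label length in question name")
        name_len += length + 1
        if name_len > 254 or pos + length > len(payload):
            raise NotADnsQuery("question name too long or truncated")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length

    if pos + 4 > len(payload):
        raise NotADnsQuery("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qclass != 1:
        raise NotADnsQuery("class is not IN")
    # DNS names are case-insensitive, so normalise before any comparison.
    return txid, ".".join(labels).lower(), qtype


def extract_monitored(payload: bytes):
    """Return (transaction_id, domain) for a query to a monitored domain, else None."""
    try:
        txid, domain, _qtype = parse_dns_query(payload)
    except NotADnsQuery:
        return None              # not a DNS request: ignore the mirrored packet
    return (txid, domain) if domain in MONITORED_DOMAINS else None


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a sample DNS query (used only to make test input)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)


if __name__ == "__main__":
    sample = build_query(0x1A2B, "www.naver.com")           # constructed packet
    print(extract_monitored(sample))
```

The same parser is useful on the defending side of a network: a resolver or sensor that logs transaction IDs and query names can spot answers that arrive for a query from a source other than the configured resolver.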

The analysis server (230) is a device that performs the following operations: it stores in the first DB server (240) the DNS history information, which includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the public IP address or ID of the client; and it uses the DNS history information stored in the first DB server (240) to count the maximum number of transmissions of DNS request messages for the same domain with the same client ID or the same public IP during the period designated by the push server (220) (the TTL value; for example, 2 hours), and thereby calculates the number of client devices that share the same public IP address through the IP router (100).

However, when the DNS history information, which includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the public IP address or ID of the client, is transmitted from the push server (220) to the analysis server (230), and the push server (220) is to transmit the client's ID rather than its public IP address to the analysis server (230), the real-time user IP allocation history can be supplied by a second DB server. The second DB server is functionally distinct from the first DB server (240) described above; it may be physically integrated with the first DB server (240), or it may be configured physically separate from the first DB server (240).

According to the present invention, once the IP address obtained as the DNS resolution result for a given domain is stored in the kernel of the operating system, the client connects to that domain using the IP address stored in the kernel, and the client no longer generates a DNS request message to reconnect to that domain.

Therefore, a single client device cannot send a DNS request message more than once for the same domain (e.g., www.naver.com) during the period (TTL value) designated by the push server (220). Consequently, by counting the maximum number of DNS request messages transmitted for the same domain with the same client ID or the same public IP address during the period designated by the push server (220) (TTL value; for example, 2 hours), the analysis server (230) can calculate the number of client devices that requested a connection to the given domain while sharing the same public IP address during that period. If these analysis results are updated over a period of time, it is possible to identify the minimum number of clients on the private network that connect through the IP router (100) using the same public IP (the number of clients simultaneously connected via the IP router).

Regarding the method invention, as illustrated by the flowcharts in FIGS. 2a and 2b and by the schematic state diagrams in FIGS. 3 to 11, which are drawn with reference to the basic configuration diagram of FIG. 1, an exemplary embodiment of the method according to the present invention for detecting the number of clients from Internet request traffic sharing a public IP address comprises the following steps:

(I) Step (S100): when a client runs a web browser and requests a connection to a website on the Internet, a DNS request message is transmitted to the DNS server (310) (Domain Name System; it translates a domain or host name into an IP address composed of numbers on the network) in order to find the IP address of the website domain (e.g., www.naver.com) that the client (PC, smartphone, tablet PC, smart TV, etc.) is to access; (see arrows ① and ② in FIG. 3)

(II-1) Step (S200): mirroring the clients' DNS request message traffic, wherein a mirroring device (210) provided in the backbone network of the ISP (Internet service provider) mirrors the DNS request message traffic generated by the clients and forwards the mirrored DNS request message traffic to the push server (220); (see arrow ③ in FIG. 4)

(II-2) Step (S300): extracting DNS request message information, wherein the push server (220) parses (S310) the mirrored DNS request message traffic (see FIG. 6) to confirm (S320) that the mirrored traffic is a DNS request message, and extracts (S330) the transaction ID and the domain name as the information needed to generate a fake DNS response message; (see arrow ④ in FIG. 5)

(III) Step (S400): generating a fake DNS response message and transmitting it to the client, wherein the push server (220) confirms (S410 in FIG. 2b) that the extracted domain is a monitored domain watched by the push server (220) (by design, the system preselects a certain number of domains, such as frequently accessed Internet portals), converts (S420 in FIG. 2b) the domain name into a domain IP only if it is a monitored domain, generates (S430 in FIG. 2b) a fake DNS response message (see FIGS. 8a and 8b), and transmits (S440 in FIG. 2b) the fake DNS response message to the client, wherein the fake DNS response message includes the extracted transaction ID and the converted domain IP, and the TTL (time to live) of its answer field is set to a value designated by the push server (220) (for example, 2 hours); (see arrow ⑤ in FIG. 7)

(IV-1) Step (S500): transmitting DNS history information from the push server (220) to the analysis server (230), wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID; (see arrow ⑥ in FIG. 9)

(IV-2) Step (SC500): storing the IP address of the specific domain in the kernel of the operating system, wherein, on receiving the fake DNS response message, the client connects to the specific website domain (see arrow ⑥' in FIG. 11) and stores in the kernel of the operating system (see arrow ⑥" in FIG. 11), for the period (TTL value) designated by the push server, the IP address obtained as the DNS resolution result for the specific domain, so that the client is prevented from generating a DNS request message for the specific domain during the period (TTL value) designated by the push server;

(V) Step (S600): storing, via the analysis server (230), the DNS history information received from the push server (220) in the first DB server (240), wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client (www.naver.com), and the client's public IP address (Ip-Addr1) or ID (USER-1); (see arrow ⑦ in FIG. 9); and

(VI) Step (S700): calculating the number of client devices, wherein the analysis server (230) calculates the number of client devices that are grouped behind the IP router and use the same public IP address, by using the DNS history information stored in the first DB server (240) to count the maximum number of DNS request messages transmitted for the same domain with the same client ID or the same public IP address during the period designated by the push server (220) (TTL value; for example, 2 hours) (see arrow ⑧-1 in FIG. 10a and arrow ⑧-2 in FIG. 10b).

Furthermore, as specific sub-steps making up the step (S300) of extracting DNS request message information, the step (S320) of confirming that the mirrored traffic is a DNS request message includes: checking that the format of the DNS request message is normal; and verifying the field values of the DNS request message (for example, response value of the flags field = 0, opcode value of the flags field = 0, value of the question field = 1, type value of the query field = 1, class value of the query field = 1).
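The S320 format and field checks and the S330 extraction can be sketched as follows. This is an added example, not code from the patent: the function and exception names are hypothetical, the mapping of the listed field values to the QR bit, OPCODE, QDCOUNT, QTYPE and QCLASS of the DNS wire format is our reading of the text, and `build_query` only constructs sample input.

```python
import struct


class NotADnsRequest(ValueError):
    """The mirrored payload failed one of the S320 checks."""


def build_query(txid, name, qtype=1, qclass=1, flags=0x0100):
    """Construct a sample DNS message (constructed test input, not captured traffic)."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", qtype, qclass)


def parse_dns_request(payload):
    """Validate a UDP payload as a standard A/IN query; return (txid, domain)."""
    if len(payload) < 12:
        raise NotADnsRequest("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])

    # Field checks listed for S320 (mapping to header bits is an assumption).
    if flags >> 15 != 0:
        raise NotADnsRequest("QR bit set: this is a response")
    if (flags >> 11) & 0xF != 0:
        raise NotADnsRequest("opcode is not 0 (standard query)")
    if qdcount != 1:
        raise NotADnsRequest("question count is not 1")

    # Format check: walk the QNAME labels without trusting any length byte.
    pos, labels, name_len = 12, [], 0
    while True:
        if pos >= len(payload):
            raise NotADnsRequest("QNAME runs past the end of the payload")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise NotADnsRequest("compression pointer or reserved label type")
        if pos + length > len(payload):
            raise NotADnsRequest("label runs past the end of the payload")
        name_len += length + 1
        if name_len > 254:
            raise NotADnsRequest("name longer than 255 octets")
        try:
            labels.append(payload[pos:pos + length].decode("ascii"))
        except UnicodeDecodeError:
            raise NotADnsRequest("non-ASCII label") from None
        pos += length

    if not labels:
        raise NotADnsRequest("query for the root name")
    if pos + 4 > len(payload):
        raise NotADnsRequest("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qtype != 1 or qclass != 1:
        raise NotADnsRequest("not a type A / class IN question")
    # S330: the two values the text says are extracted from the request.
    return txid, ".".join(labels).lower()
```

Every length byte is bounds-checked before use because the input is mirrored traffic from arbitrary clients, so a malformed packet must be rejected rather than crash the parser.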

Furthermore, once the IP address obtained as the DNS resolution result for a given domain is stored in the kernel of the operating system, the client connects to that domain using the IP address stored in the kernel, and the client no longer generates a DNS request message to reconnect to that domain.

Therefore, a single client device cannot send a DNS request message more than once for the same domain (www.naver.com) during the period (TTL value) designated by the push server (220). Consequently, if, as shown in FIGS. 10a and 10b, the maximum number of DNS request messages transmitted for the same domain with the same client ID or the same public IP address is counted per period over the period designated by the push server (220) (TTL value; for example, 2 hours), the analysis server (230) can calculate the number of client devices that requested a connection to the given domain while sharing the same public IP address (IP-Addr1) during that period.
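The counting described here and in step (S700) can be sketched as follows. This is an added example, not code from the patent: the function names are hypothetical, the history records are constructed, and the use of a sliding window of one TTL and of the largest per-domain count as the per-subscriber estimate are assumptions, since the text only says the maximum number of requests during the designated period is counted.

```python
from collections import defaultdict

TTL_SECONDS = 2 * 60 * 60  # the 2-hour example value used in the text


def max_requests_in_window(times, ttl):
    """Largest number of requests falling inside any window shorter than ttl."""
    times = sorted(times)
    best = 0
    left = 0
    for right, t in enumerate(times):
        # A request exactly ttl after an earlier one can be the same device
        # whose cached answer has just expired, so it leaves the window.
        while t - times[left] >= ttl:
            left += 1
        best = max(best, right - left + 1)
    return best


def estimate_devices(history, ttl=TTL_SECONDS):
    """history: iterable of (response_time_s, domain, public_ip_or_id).

    Returns {public_ip_or_id: (device_estimate, domain_that_gave_it)}.
    """
    per_pair = defaultdict(list)
    for response_time, domain, key in history:
        per_pair[(key, domain.lower())].append(response_time)

    result = {}
    for (key, domain), times in per_pair.items():
        count = max_requests_in_window(times, ttl)
        if count > result.get(key, (0, ""))[0]:
            result[key] = (count, domain)
    return result


# Constructed DNS history records (response time in seconds, domain, key).
# "portal.example" is a placeholder for a second monitored domain.
SAMPLE_HISTORY = [
    (0, "www.naver.com", "IP-Addr1"),      # device A
    (600, "www.naver.com", "IP-Addr1"),    # device B
    (1500, "www.naver.com", "IP-Addr1"),   # device C
    (7200, "www.naver.com", "IP-Addr1"),   # device A again, TTL expired
    (7900, "www.naver.com", "IP-Addr1"),   # device B again, TTL expired
    (100, "portal.example", "IP-Addr1"),
    (300, "portal.example", "IP-Addr1"),
    (0, "www.naver.com", "IP-Addr2"),      # a single device re-asking
    (7200, "www.naver.com", "IP-Addr2"),   # once per TTL
    (14400, "www.naver.com", "IP-Addr2"),
]
```

The result is a lower bound that holds only under the text's premise that each device queries a monitored domain at most once per TTL; devices that never visit a monitored domain are not counted.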

Meanwhile, in the step (S500) of transmitting the DNS history information to the analysis server, when the push server (220) sends the DNS history information (the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID) to the analysis server (230), a real-time user IP allocation history may be provided from the second DB server so that the client's ID, rather than the client's IP address, is transmitted to the analysis server (230), as shown in FIG. 10b.

Although the technical spirit of the present invention has been described with reference to the accompanying drawings, the descriptions of the DNS request message and the fake response message illustrated in FIGS. 6, 8a and 8b do not limit the invention but merely explain preferred embodiments of it. Those skilled in the art will also understand that various changes and modifications can be made without departing from the technical spirit and scope of the invention as defined by the claims.

100‧‧‧IP router

200‧‧‧Public IP sharing state detection system

210‧‧‧Mirroring device

220‧‧‧Push server

230‧‧‧Analysis server

240‧‧‧First DB server

300‧‧‧Internet

310‧‧‧DNS server

Claims (5)

1. A method according to the present invention for detecting the number of clients from Internet request traffic sharing a public IP address, the method comprising the following steps:

(I) Step (S100): when the clients run a web browser and request a connection to a website on the Internet (300), a DNS request message is transmitted to the DNS server (310) (Domain Name System; it translates a domain or host name into an IP address composed of numbers on the network) in order to find the IP address of a website domain (e.g., www.naver.com) that the clients (PC, smartphone, tablet PC, smart TV, etc.) are to access;

(II-1) Step (S200): mirroring the clients' DNS request message traffic, wherein a mirroring device (210) provided in the backbone network of the ISP (Internet service provider) mirrors the DNS request message traffic generated by the clients and forwards the mirrored DNS request message traffic to the push server (220);

(II-2) Step (S300): extracting DNS request message information, wherein the push server (220) parses (S310) the mirrored DNS request message traffic to confirm (S320) that the mirrored traffic is a DNS request message, and extracts (S330) the transaction ID and the domain name as the information needed to generate a fake DNS response message;

(III) Step (S400): generating a fake DNS response message and transmitting it to the client, wherein the push server (220) confirms (S410) that the extracted domain is a monitored domain watched by the push server (220), converts (S420) the domain name into a domain IP only if it is a monitored domain, generates (S430) a fake DNS response message, and transmits (S440) the fake DNS response message to the client, wherein the fake DNS response message includes the extracted transaction ID and the converted domain IP, and the TTL (time to live) of its answer field is set to a value designated by the push server (220);

(IV-1) Step (S500): transmitting DNS history information from the push server (220) to the analysis server (230), wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID;

(IV-2) Step (SC500): storing the IP address of the specific domain in the kernel of the operating system, wherein, on receiving a fake DNS response message, the client connects to the specific website domain and stores in the kernel of the operating system, for the period (TTL value) designated by the push server, the IP address obtained as the DNS resolution result for the specific domain, so that the client is prevented from generating a DNS request message for the specific domain during the period (TTL value) designated by the push server;

(V) Step (S600): storing, via the analysis server (230), the DNS history information received from the push server (220) in a first DB server (240), wherein the DNS history information includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID; and

(VI) Step (S700): calculating the number of client devices, wherein the analysis server (230) calculates the number of client devices that are grouped behind the IP router and use the same public IP address, by using the DNS history information stored in the first DB server (240) to count the maximum number of DNS request messages transmitted for the same domain with the same client ID or the same public IP address during the period (TTL value) designated by the push server (220).

2. The method of claim 1, wherein, as specific sub-steps making up the step (S300) of extracting DNS request message information, the step (S320) of confirming that the mirrored traffic is a DNS request message comprises: checking that the format of the DNS request message is normal; and verifying the field values of the DNS request message.

3. The method of claim 1, wherein, in the step (S500) of transmitting the DNS history information to the analysis server, when the push server (220) sends the DNS history information, which includes the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID, to the analysis server (230), a real-time user IP allocation history is provided from a second DB server for transmitting the client's ID to the analysis server (230).

4. An apparatus for a public IP sharing state detection system (200), the apparatus comprising:

a mirroring device (210) located in the backbone network of an Internet service provider and provided to mirror the DNS request message traffic that a client sends to the DNS server in order to obtain the IP address of a specific domain, the client being a client (PC-1, PC-2, smartphone-1, smart TV-1) of a subscriber of the ISP, wherein the specific domain is a target website domain (e.g., www.naver.com) on the Internet (300) requested by operating a web browser on the client;

a push server (220) provided to: parse the mirrored traffic to confirm that the mirrored traffic is a DNS request message; extract the transaction ID and the domain name as the information needed to generate a fake DNS response message; confirm that the extracted domain is a monitored domain; convert the domain name into a domain IP only if it is a monitored domain; generate a fake DNS response message including the extracted transaction ID and the converted domain IP; and transmit the generated fake DNS response message to the client, wherein the TTL (time to live) of the answer field of the fake DNS response message is set to a preset value, and wherein the push server (220) transmits DNS history information to the analysis server (230), the DNS history information including the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID; and

an analysis server (230) provided to: store, in a first DB server (240), the DNS history information including the response time at which the fake DNS response message was transmitted to the client, the domain requested by the client, and the client's public IP address or ID; and calculate the number of client devices that are grouped behind the IP router (100) and use the same public IP address, by using the DNS history information stored in the first DB server (240) to count the maximum number of DNS request messages transmitted for the same domain with the same client ID or the same public IP during the period (TTL value) designated by the push server (220).

5. The apparatus of claim 4, wherein, if the push server (220) is to transmit the client's ID rather than the public IP address to the analysis server (230), the apparatus further comprises a second DB server, and a real-time user IP allocation history is provided from the second DB server.
TW104115309A 2014-05-14 2015-05-13 Method for detecting a number of client terminals from the internet request traffics sharing the public ip address and system for detecting the same TWI590616B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020140057940A KR101518468B1 (en) 2014-05-14 2014-05-14 Method for detecting a number of client terminal from the internet request traffics sharing the public IP address and System for detecting the same

Publications (2)

Publication Number Publication Date
TW201608850A true TW201608850A (en) 2016-03-01
TWI590616B TWI590616B (en) 2017-07-01

Family

ID=53394131

Family Applications (1)

Application Number Title Priority Date Filing Date
TW104115309A TWI590616B (en) 2014-05-14 2015-05-13 Method for detecting a number of client terminals from the internet request traffics sharing the public ip address and system for detecting the same

Country Status (3)

Country Link
KR (1) KR101518468B1 (en)
TW (1) TWI590616B (en)
WO (1) WO2015174742A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI677218B (en) * 2016-12-29 2019-11-11 大陸商中國銀聯股份有限公司 SDN-based packet mirroring method and network traffic monitoring and management system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107341651B (en) * 2016-04-28 2020-08-14 阿里巴巴集团控股有限公司 Transaction data association method, IP acquisition method, transaction server and terminal
CN105939231B (en) * 2016-05-16 2020-04-03 杭州迪普科技股份有限公司 Shared access detection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100724731B1 (en) * 2005-08-23 2007-06-04 주식회사 네이블커뮤니케이션즈 Subscriber Management System and Method for Detecting Communication Devices Simultaneously Using One IP Address
KR101013996B1 (en) * 2008-10-10 2011-02-14 플러스기술주식회사 A method for detecting a judgement whether or not a client use NATNetwork Address Translation, and the number of terminals sharing
KR101002421B1 (en) * 2010-04-09 2010-12-21 주식회사 플랜티넷 Method for selectively permitting/blocking a plurality of internet request traffics sharing the public ip address and system for detecting and blocking internet request traffics sharing the public ip address
KR101047997B1 (en) * 2010-12-07 2011-07-13 플러스기술주식회사 A detecting system and a management method for terminals sharing by analyzing network packets and a method of service


Also Published As

Publication number Publication date
KR101518468B1 (en) 2015-05-15
WO2015174742A1 (en) 2015-11-19
TWI590616B (en) 2017-07-01


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees