Proxy IP address identification method, device, electronic equipment and storage medium

Document No.: 1478679. Published: 2020-02-25.

Reading note: This technology, "Proxy IP address identification method, device, electronic equipment and storage medium", was designed by 郑力枪, 杨勇, 张�杰, 廖晨, 李龙, 黄楠驹, 欧阳婷, 夏雄风 and 李韬 on 2019-10-21. Main content: The application relates to the technical field of computers and discloses a proxy IP address identification method, a device, electronic equipment and a storage medium. The method comprises: acquiring a pair of SYN and ACK packets sent to the service server by the client in the same request process; determining the network delay of data packet transmission between the client and the service server according to the time at which the SYN packet arrives at the service server and the time at which the ACK packet arrives at the service server; and, if the network delay is greater than the delay threshold, determining that the IP address used by the client is a proxy IP address. The method, device, electronic equipment and storage medium provided by the embodiments do not need to actively send detection packets, achieve real-time online detection that is imperceptible to the client, and remain effective even if the proxy server used by the client has anti-detection functions such as authentication or a firewall, so that detection coverage can be improved.

1. A method for identifying a proxy IP address, comprising:

acquiring a pair consisting of a SYN packet and an ACK packet sent to a service server by a client in the same request process;

determining the network delay of data packet transmission between the client and the service server according to the time of the SYN packet arriving at the service server and the time of the ACK packet arriving at the service server;

and if the network delay is greater than a delay threshold, determining that the IP address used by the client is a proxy IP address, wherein the delay threshold is determined based on the network delay of data packets transmitted between a client that does not use a proxy IP address and the service server.

2. The method of claim 1, wherein prior to determining that the IP address used by the client is a proxy IP address, further comprising:

and acquiring a delay threshold corresponding to the IP address used by the client from a network delay comparison table, wherein the network delay comparison table comprises a corresponding relation between the IP address and the delay threshold.

3. The method of claim 2, wherein the network latency comparison table is obtained by:

acquiring a white sample set, wherein each white sample comprises a pair of SYN and ACK packets sent to the service server, in the same request process, by a client that does not use a proxy IP address;

determining the time difference of arrival of the SYN packet and the ACK packet in each white sample at the service server;

dividing the time difference corresponding to each white sample into a plurality of IP address classes in the network delay comparison table according to the IP address of the client corresponding to each white sample;

and counting the time difference contained in each IP address class in the network delay comparison table, and determining the delay threshold corresponding to the IP address class.

4. The method according to claim 3, wherein the counting the time difference included in the IP address class and determining the delay threshold corresponding to the IP address class specifically includes:

sorting the time differences contained in the IP address class from small to large, finding the time difference at the Nth percentile, and determining that time difference as the delay threshold corresponding to the IP address class; or

calculating a statistic value of the time differences contained in the IP address class, and determining the statistic value as the delay threshold corresponding to the IP address class, wherein the statistic value is one of an average value, a mode and a standard deviation.

5. The method according to claim 3, wherein the dividing the time difference corresponding to each white sample into a plurality of IP address classes in the network delay look-up table according to the IP address of the client corresponding to each white sample specifically comprises:

determining the IP address class corresponding to each white sample according to the first K bits of data of the IP address of the client corresponding to each white sample;

and dividing the time difference corresponding to each white sample into corresponding IP address classes.

6. A proxy IP address identification apparatus, comprising:

the acquisition module is used for acquiring a pair of SYN packets and ACK packets which are sent to the service server by the client in the same request process;

a delay determining module, configured to determine a network delay for transmitting a data packet between the client and the service server according to a time when the SYN packet reaches the service server and a time when the ACK packet reaches the service server;

and the identification module is used for determining that the IP address used by the client is the proxy IP address if the network delay is greater than a delay threshold, wherein the delay threshold is determined based on the network delay of data packet transmission between the client which does not use the proxy IP address and the service server.

7. The apparatus of claim 6, wherein the identifying module is further configured to, before determining that the IP address used by the client is the proxy IP address, obtain a delay threshold corresponding to the IP address used by the client from a network delay look-up table, where the network delay look-up table includes a correspondence between IP addresses and delay thresholds.

8. The apparatus of claim 7, wherein the network delay comparison table is obtained through a statistical module, and the statistical module is specifically configured to:

acquiring a white sample set, wherein each white sample comprises a pair of SYN and ACK packets sent to the service server, in the same request process, by a client that does not use a proxy IP address;

determining the time difference of arrival of the SYN packet and the ACK packet in each white sample at the service server;

dividing the time difference corresponding to each white sample into a plurality of IP address classes in the network delay comparison table according to the IP address of the client corresponding to each white sample;

and counting the time difference contained in each IP address class in the network delay comparison table, and determining the delay threshold corresponding to the IP address class.

9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 5 are implemented when the computer program is executed by the processor.

10. A computer-readable storage medium having computer program instructions stored thereon, which, when executed by a processor, implement the steps of the method of any one of claims 1 to 5.

Technical Field

The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for identifying a proxy IP address, an electronic device, and a storage medium.

Background

With the wide application of Internet technology, the security requirements on the network environment keep rising. Network hackers can hide their real IP addresses by using VPN (Virtual Private Network) and other technologies, which makes network security detection and the fight against network crime much more difficult. A method capable of identifying proxy IP addresses is therefore urgently needed to assist in identifying malicious attacks and malicious users and to improve network security or service security.

The currently commonly used method for identifying the proxy IP address is mainly an active scanning detection mode, in which a detection server actively sends a test data packet to an IP address to be detected, and determines whether the IP address is a proxy IP address disguised by a proxy server such as a VPN or the like by analyzing a return packet corresponding to the IP address.

However, the number of active IP addresses on the Internet is as high as 400 million, so scanning them one by one is costly. In addition, proxy servers are of many types, their protocols vary widely, and the number of proxy ports is large, so complete coverage is difficult.

Disclosure of Invention

The embodiments of the application provide a proxy IP address identification method, a device, an electronic device and a storage medium. No detection packet needs to be actively sent, real-time online detection imperceptible to the client is achieved, and identification remains effective even if the proxy server used by the client has anti-detection functions such as authentication or a firewall, so that detection coverage is improved.

In one aspect, an embodiment of the present application provides a method for identifying a proxy IP address, including:

acquiring a pair consisting of a SYN packet and an ACK packet sent to a service server by a client in the same request process;

determining the network delay of data packet transmission between the client and the service server according to the time of the SYN packet arriving at the service server and the time of the ACK packet arriving at the service server;

and if the network delay is greater than a delay threshold, determining that the IP address used by the client is a proxy IP address, wherein the delay threshold is determined based on the network delay of data packets transmitted between a client that does not use a proxy IP address and the service server.

In one aspect, an embodiment of the present application provides a proxy IP address identification apparatus, including:

the acquisition module is used for acquiring a pair of SYN packets and ACK packets which are sent to the service server by the client in the same request process;

a delay determining module, configured to determine a network delay for transmitting a data packet between the client and the service server according to a time when the SYN packet reaches the service server and a time when the ACK packet reaches the service server;

and the identification module is used for determining that the IP address used by the client is the proxy IP address if the network delay is greater than a delay threshold, wherein the delay threshold is determined based on the network delay of data packet transmission between the client which does not use the proxy IP address and the service server.

Optionally, the statistical module is specifically configured to: sort the time differences contained in the IP address class from small to large, find the time difference at the Nth percentile, and determine that time difference as the delay threshold corresponding to the IP address class; or calculate a statistic value of the time differences contained in the IP address class, and determine the statistic value as the delay threshold corresponding to the IP address class, wherein the statistic value is one of an average value, a mode and a standard deviation.

Optionally, the statistical module is specifically configured to:

determining the IP address class corresponding to each white sample according to the first K bits of data of the IP address of the client corresponding to each white sample;

and dividing the time difference corresponding to each white sample into corresponding IP address classes.

In one aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of any one of the methods when executing the computer program.

In one aspect, an embodiment of the present application provides a computer-readable storage medium having stored thereon computer program instructions, which, when executed by a processor, implement the steps of any of the above-described methods.

In one aspect, an embodiment of the present application provides a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions that, when executed by a processor, implement the steps of any of the methods described above.

According to the proxy IP address identification method, device, electronic equipment and storage medium, the flow characteristics of the client are collected at the service server side to analyze whether the network delay is within a reasonable range, and thereby identify whether the client uses a proxy IP address. No detection packet needs to be actively sent, real-time online detection imperceptible to the client is achieved, identification remains effective even if the proxy server used by the client has anti-detection functions such as authentication or a firewall, and the detection range covers all proxy ports corresponding to the IP addresses that attempt to obtain service from the service server, so detection coverage can be improved. In addition, the method directly uses the data packets actually transmitted between the client and the service server in the network, so it neither increases the performance load of the network nor affects the transmission of normal service packets.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

Fig. 1 is a schematic view of an application scenario of a proxy IP address identification method according to an embodiment of the present application;

Fig. 2 is a schematic flowchart of a method for identifying a proxy IP address according to an embodiment of the present application;

Fig. 3 is a schematic diagram of the difference in network latency between when a proxy server is used and when it is not used;

Fig. 4 is a schematic diagram of the computation of network delay through the TCP three-way handshake process;

Fig. 5 is a schematic flowchart of determining a network delay based on a data packet in a TCP handshake process according to an embodiment of the present application;

Fig. 6 is a schematic flowchart of acquiring a network delay comparison table according to an embodiment of the present application;

Fig. 7 is a flowchart illustrating a method for identifying a proxy IP address according to an embodiment of the present application;

Fig. 8 is a schematic structural diagram of a proxy IP address identification apparatus according to an embodiment of the present application;

Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.

For convenience of understanding, terms referred to in the embodiments of the present application are explained below:

The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol.

TCP three-way handshake: three interactions are required between the server and the client in the preparation phase before data is sent. First handshake: the client sends a SYN packet (SYN = j) to the server, enters the SYN_SENT state, and waits for the server to confirm. Second handshake: the server receives the SYN packet, must acknowledge the client's SYN (ACK = j + 1), and at the same time sends its own SYN packet (SYN = k), that is, a SYN+ACK packet; the server then enters the SYN_RECV state. Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet ACK (ACK = k + 1) to the server; after this packet is sent, the client and the server enter the ESTABLISHED state and the three-way handshake is complete. After the connection is established, the client and the server can start data transmission.

SYN (Synchronize Sequence Numbers) packet: a data packet containing the handshake signal sent when TCP/IP establishes a connection. When a normal TCP network connection is established between the client and the server, the client first sends a SYN packet, the server replies with SYN+ACK to indicate that the SYN packet was received, and finally the client responds with an ACK packet, so that a reliable TCP connection is established between the client and the server.

ACK (Acknowledgement character) packet: the acknowledgement that the receiver sends back after successfully receiving data, confirming that the data packet was received.

RTT (round-trip time): the time taken for data to go back and forth when being transmitted from the client to the server, namely the network delay in the application.

VPN (Virtual Private Network): the VPN gateway realizes remote access through encryption of a data packet and conversion of a target address of the data packet, and the VPN exposes the address of a VPN server to the target server, so that a real source address can be hidden.

Proxy IP address: in this application, an IP address that a proxy server provides to a user for accessing the network in order to hide the user's real IP address. For example, when the proxy server is a VPN server, the user may access the network via the VPN IP address provided by the VPN server, thereby hiding the user's real IP address.

The proxy ports commonly used by proxy servers include, for example: (1) common port numbers of HTTP proxy servers: 80/8080/3128/8081/9080; (2) common port number of SOCKS proxy servers: 1080; (3) common port number of FTP (file transfer) proxy servers: 21; (4) common port of Telnet proxy servers: 23.

Client: an electronic device, mobile or fixed, that can display objects provided by an installed application, for example a mobile phone, a tablet computer, various wearable devices, a vehicle-mounted device, a Personal Digital Assistant (PDA), a point of sale (POS) terminal, or another electronic device capable of implementing the above functions.

Percentile: if a group of data is sorted from small to large and the corresponding cumulative percentage is calculated, the data value corresponding to a given percentage is called the percentile for that percentage. For example, when a set of p observations is sorted by value, the value at the N% position is called the Nth percentile.

Any number of elements in the drawings are by way of example and not by way of limitation, and any nomenclature is used solely for differentiation and not by way of limitation.

In practice, the commonly used method for identifying a proxy IP address is mainly active scanning: the detection server actively sends a test data packet to the proxy ports commonly used on the IP address to be detected. If a return packet for the test data packet is received from a proxy port, that port is open, and if any of the commonly used proxy ports on the IP address is open, the IP address to be detected is a proxy IP address disguised by a proxy server such as a VPN. In reality, however, the number of active IP addresses on the Internet is as high as 400 million and scanning them one by one is costly. Proxy servers are of many types, their protocols vary widely, and the number of proxy ports is large, so scanning is generally performed only on commonly used proxy ports, some proxy ports are missed, and it is difficult to cover all proxy ports. In addition, some proxy servers are provided with anti-detection measures. For example, the proxy server returns a packet only after authentication (such as identity verification) has been completed; the test data packet actively sent by the detection server cannot pass the authentication, so the proxy server returns nothing and the detection server cannot tell whether the proxy port is open. In that case active scanning cannot be carried out effectively.

Therefore, the inventors of the present application propose using the network delay of data packets transmitted between the client and the service server to determine whether the IP address used by the client is a proxy IP address. Specifically, the identification method comprises: obtaining the network delay of a data packet transmitted between the client and the service server, and, if the network delay is greater than a delay threshold, determining that the IP address used by the client is a proxy IP address, wherein the delay threshold is determined based on the network delay of data packets transmitted between a client that does not use a proxy IP address and the service server. In this method, the flow characteristics of the client are collected at the service server side to analyze whether the network delay is within a reasonable range, and thereby identify whether the client uses a proxy IP address. No detection packet needs to be actively sent, real-time online detection imperceptible to the client is achieved, identification remains effective even if the proxy server used by the client has anti-detection functions such as authentication or a firewall, and the detection range covers all proxy ports corresponding to all IP addresses attempting to obtain service from the service server, which improves detection coverage. In addition, the method directly uses the data packets actually transmitted between the client and the service server in the network, so it neither increases the performance load of the network nor affects the transmission of normal service packets.

Furthermore, whether the IP address used by the client is a proxy IP address can be judged from the data packets of the TCP handshake between the client and the service server. A malicious request that attempts to hide its real IP address in order to bypass an IP policy can thus be identified during the handshake, and the corresponding security measures can be executed before the service server provides any specific service, which gives early security warning and protects network security or service security.

After introducing the design concept of the embodiment of the present application, some simple descriptions are provided below for application scenarios to which the technical solution of the embodiment of the present application can be applied, and it should be noted that the application scenarios described below are only used for describing the embodiment of the present application and are not limited. In specific implementation, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.

Fig. 1 is a schematic view of an application scenario of the proxy IP address identification method according to the embodiment of the present application. The application scenario includes a plurality of clients 101 (including client 101-1, client 101-2, ..., client 101-n-1, client 101-n), a proxy server 102, a service server 103, and a proxy IP address identification device 104. The client 101 in this embodiment may be installed in an electronic device such as a desktop computer, a mobile phone, a mobile computer, a tablet computer, a media player, an intelligent wearable device, or an intelligent television, and the client 101 may communicate with other devices through the electronic device. For example, the client 101 may be connected to the service server 103 directly through the electronic device (client 101-n-1 and client 101-n are each connected directly to the service server 103 through their own electronic devices), or through the electronic device and the proxy server 102 (client 101-1 and client 101-2 are each connected to the service server 103 through their own electronic devices and the proxy server 102), to obtain the services provided by the service server 103, such as live network services, data query services, cloud computing services, online shopping services, authentication services, and the like. The proxy server 102 may be any server capable of providing a proxy IP address to a user, such as a VPN server. The service server 103 refers to any server capable of providing network services to a user, and may be a single server, a server cluster composed of a plurality of servers, or a cloud computing center. In the application scenario, the electronic device in which the client 101 is installed, the proxy server 102, and the service server 103 may all be connected through a wireless or wired network.

The proxy IP address identification device 104 may obtain the data packets passing through the network outlet of the service server 103, that is, the data packets transmitted between each client 101 and the service server 103, whether directly or via the proxy server 102. From the obtained packets it derives the network delay of data packets transmitted between the client 101 and the service server 103 and, if the network delay is greater than a delay threshold, determines that the IP address used by the client 101 is a proxy IP address, where the delay threshold is determined based on the network delay of data packets transmitted between a client that does not use a proxy IP address and the service server.
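The passive method described above, sketched in Python as an added example that is not part of the patent text: it pairs each inbound SYN with the handshake-completing ACK, builds the network delay comparison table from white samples, and applies the per-class threshold. The packet-record field names, K = 24, N = 95, the nearest-rank percentile and the dropping of flows with a retransmitted SYN are assumptions of this example, and the sample packets are constructed.

```python
import ipaddress
import math
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


def handshake_delays(packets):
    """Return (client_ip, delay_us) for each SYN / handshake-ACK pair.

    packets: client-to-server records as dicts with ts_us, src, sport, dst,
    dport, flags, seq (assumed field names). The delay is the ACK arrival time
    minus the SYN arrival time, both observed at the service server.
    """
    pending = {}  # flow 4-tuple -> (syn_ts_us, client_isn), or None if ambiguous
    delays = []
    for p in sorted(packets, key=lambda p: p["ts_us"]):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] & SYN and not p["flags"] & ACK:
            # Assumption of this example: a retransmitted SYN makes the timing
            # ambiguous, so that flow is dropped rather than measured.
            pending[flow] = None if flow in pending else (p["ts_us"], p["seq"])
        elif p["flags"] & ACK and pending.get(flow):
            syn_ts, isn = pending[flow]
            if p["seq"] == (isn + 1) & 0xFFFFFFFF:  # third packet of the handshake
                delays.append((p["src"], p["ts_us"] - syn_ts))
                del pending[flow]
    return delays


def address_class(ip, k):
    """IP address class: the network formed by the first k bits of the address."""
    return ipaddress.ip_network(f"{ip}/{k}", strict=False)


def nth_percentile(values, n):
    """Nearest-rank Nth percentile of the values, sorted from small to large."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(n * len(ordered) / 100)) - 1]


def build_delay_table(white_samples, k=24, n=95):
    """Network delay comparison table: address class -> delay threshold (us)."""
    classes = defaultdict(list)
    for ip, delay_us in white_samples:
        classes[address_class(ip, k)].append(delay_us)
    return {net: nth_percentile(d, n) for net, d in classes.items()}


def is_proxy(table, ip, delay_us, k=24):
    """True/False against the class threshold; None if the class has no entry."""
    threshold = table.get(address_class(ip, k))
    return None if threshold is None else delay_us > threshold


def sample_handshake(ip, sport, t0_us, rtt_us, isn=1000):
    """Constructed sample: the SYN and final ACK of one handshake, as seen inbound."""
    base = dict(src=ip, sport=sport, dst="192.0.2.10", dport=443)
    return [dict(base, ts_us=t0_us, flags=SYN, seq=isn),
            dict(base, ts_us=t0_us + rtt_us, flags=ACK, seq=isn + 1)]


# Constructed white samples: 20 direct clients in 198.51.100.0/24, RTT 20-39 ms.
WHITE_PACKETS = [pkt for i in range(20)
                 for pkt in sample_handshake(f"198.51.100.{i + 1}", 40000 + i,
                                             i * 1_000_000, 20_000 + i * 1_000)]

if __name__ == "__main__":
    table = build_delay_table(handshake_delays(WHITE_PACKETS))
    print(table)
    # Constructed live connection from the same class with a 180 ms handshake.
    for ip, delay in handshake_delays(sample_handshake("198.51.100.77", 51000, 0, 180_000)):
        print(ip, delay, is_proxy(table, ip, delay))
```

An address class with no white samples yields no verdict rather than a default threshold, so unprofiled networks are not flagged on delay alone.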
