How an ISP detects whether a single IP address is a router or cascaded PCs

Source: Internet
Author: User


This is a short topic: how does an ISP discover that multiple computers are sharing bandwidth?

According to relevant sources, the products China Telecom has frequently used include the network Vanguard, the star sky speed, and the Nanjing news style, especially the network Vanguard. Netsniper network leader is a network access detection and control device developed by Shanghai Grand Lake Network System Co., Ltd. It can automatically detect proxy servers or illegal routers set up in the network without permission, and control the IP packets passing through the illegal proxy server and the IP packets flowing to the illegal router.

The original detection technologies were:

1. Check whether the IP-ID of the IP packets from the lower-level IP address is continuous. If not, determine that the user uses NAT.
2. Check whether the TTL value of the IP packets from the lower-level IP address is 32, 64, or 128. If not, determine that the user uses NAT.
3. Check whether the HTTP request packets from the lower-level IP address contain the proxy field. If yes, determine that the user uses an HTTP proxy.
 

The operators' restrictions on sharing an Internet connection through a router pushed TP-Link, D-Link, and other manufacturers of home and SOHO-level network products into a corner. As a result, the router manufacturers constantly upgrade their router software to counter ISP detection, and the operators keep upgrading their investigation methods in turn. Investigation and counter-investigation: it could make a 007-style spy blockbuster!

New investigation methods



I. Behavior statistics:
1. If the same IP address requests two or more websites within three seconds, the IP address is judged to be forwarding through NAT.
2. If the same IP address initiates more than two requests to the same website within two seconds, the IP address is judged to be forwarding through NAT.

II. Deep inspection of packet content:

1. Check the number of concurrent connections.
2. Check the number of QQ numbers coming from the lower-level IP address. If there are five QQ numbers at the same time, the connection is determined to be shared.

III. ID (Identification) tracking detection method:

For a Windows user, within the TCP connections from a source IP address, the Identification value increases gradually as the number of IP packets sent by the user increases. If, after a period of time, a source IP address is found to carry three separate continuously changing Identification sequences, it means that the "Black user" has at least three users simultaneously using the broadband connection.
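The Identification tracking described above (and the IP-ID continuity check in the original list), as an added example that is not code from the original article or from any product it names. The gap threshold, minimum sequence length, function names and the capture data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MOD = 1 << 16    # the IP Identification field is 16 bits wide
MAX_GAP = 64     # assumed: largest forward jump still treated as the same host
MIN_LEN = 3      # assumed: shorter runs are treated as noise, not as a host

@dataclass
class Sequence:
    last_id: int
    count: int = 1

def count_id_sequences(ip_ids, max_gap=MAX_GAP, min_len=MIN_LEN):
    """Count distinct increasing IP-ID sequences seen from one source IP."""
    seqs = []
    for ip_id in ip_ids:
        best, best_gap = None, max_gap + 1
        for s in seqs:
            # Forward distance modulo 2^16, so 65534 -> 0 counts as a gap of 2.
            gap = (ip_id - s.last_id) % MOD
            if 0 < gap < best_gap:
                best, best_gap = s, gap
        if best is None:
            seqs.append(Sequence(ip_id))   # continues nothing known: new sequence
        else:
            best.last_id = ip_id
            best.count += 1
    return sum(1 for s in seqs if s.count >= min_len)

def constructed_capture():
    """Constructed sample: three hosts behind one address, packets interleaved.
    The third counter starts near 65535 and wraps around during the capture."""
    counters = [100, 30000, 65530]
    steps = [1, 3, 2]
    ids = []
    for _ in range(10):
        for i in range(len(counters)):
            ids.append(counters[i])
            counters[i] = (counters[i] + steps[i]) % MOD
    return ids

if __name__ == "__main__":
    print("estimated hosts:", count_id_sequences(constructed_capture()))
```

A host whose stack does not increment a single counter forms no long sequence here and is not counted, so the result is a lower bound on the number of hosts.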

IV. Clock offset detection:

Different hosts have different physical clock offsets, and the clock of the network protocol stack follows the physical clock. Different hosts therefore send packets at different frequencies, which have a statistical relationship with the clock. Specific spectrum analysis algorithms can identify the different network clock offsets and so distinguish different hosts.

V. Application feature detection method:

The User-Agent field in the HTTP header of the data packet varies with the operating system version, IE version, and patch level. Therefore, the number of hosts is determined by analyzing the number of different HTTP headers. In addition, only one MSN account can be logged on to a host at a time. Based on this analysis, the number of hosts can be determined. Windows Update messages also contain information about the operating system version, and the number of hosts can be calculated accordingly.

The preceding three methods can be used to accurately check the number of terminals a user has connected without authorization. Whether the user shares access through NAT, a proxy, or a shared account (including ADSL and LAN access), over time the operator can obtain an accurate mapping between the IP address and the number of users behind it. Of course, when the operator uses complex investigation methods to scan its users, it will certainly affect the users' network speed. Therefore, such investigation is not carried out across the whole network all the time; it is usually done by time period and by partition. If you are unfortunately found, you can only point back
