US-12621269-B2 - Proxy detection systems and methods

Abstract

A method includes receiving, from a client device, a first request to establish a transport-layer connection between the client device and the server, the first request containing a first source port number; in response to receiving the first request, initiating a delay timer and withholding transmission of an acknowledgement to the first request until expiry of the delay timer; receiving from the client device, prior to expiry of the delay timer, a second request to establish the transport-layer connection; determining whether the second request contains a second source port number matching the first source port number; and selecting, based on the determination, a handling action for the second request.

Inventors

  • Elisa CHIAPPONI
  • Marc Dacier
  • Olivier Thonnard
  • Vincent Rigal
  • Mohamed FANGAR

Assignees

  • AMADEUS S.A.S.

Dates

Publication Date
2026-05-05
Application Date
2024-01-09

Claims (20)

  1. A proxy detection method in a server, the method comprising: receiving, from a client device, a first request to establish a transport-layer connection between the client device and the server, the first request containing a first source port number; in response to receiving the first request and prior to establishing the transport-layer connection, initiating a delay timer and withholding transmission of an acknowledgement to the first request until expiry of the delay timer; receiving from the client device, prior to expiry of the delay timer, a second request to establish the transport-layer connection; in response to determining that the second request contains a second source port number matching the first source port number, initiating establishment of the transport-layer connection with the client device; and selecting, based on the determination, a handling action for the second request.
  2. The method of claim 1, wherein selecting the handling action includes: when the determination is negative, discarding the first request and the second request, without sending an acknowledgement to the client device.
  3. The method of claim 1, wherein selecting the handling action includes: when the determination is negative, providing an indication that the client device is likely a proxy for a client endpoint to an auxiliary detector.
  4. The method of claim 1, wherein the transport-layer connection is based on the Transport Control Protocol (TCP), wherein the first request includes a SYN message, and wherein initiating establishment of the transport-layer connection includes sending a SYN-ACK message to the client device.
  5. The method of claim 4, further comprising: determining a first time period associated with the transport-layer connection; in response to receiving, from the client device over the transport-layer connection, a second request to establish a secure link between a client endpoint and the server, transmitting a second message to the client endpoint according to a handshake sequence for establishing the secure link; determining a second time period associated with completion of the second handshake sequence; and generating, based on the first time period and the second time period, a score indicating a likelihood that the client device is a proxy for the client endpoint.
  6. The method of claim 5, wherein generating the score includes determining a difference between the first and second time periods.
  7. The method of claim 5, wherein determining the first time period includes determining a time elapsed between transmission of the acknowledgement, and receipt of an ACK message from the client device.
  8. The method of claim 1, wherein the first request contains a first sequence number; and wherein the determination further comprises: determining whether the second request contains a second sequence number matching the first sequence number.
  9. The method of claim 8, wherein selecting the handling action includes: when at least one of (i) the first source port number does not match the second source port number, or (ii) the first sequence number does not match the second sequence number, discarding the first request and the second request, without sending an acknowledgement to the client device.
  10. The method of claim 1, wherein the delay timer is between 1 second and 2 seconds.
  11. A computing device, comprising: a communications interface; and a processor configured to: receive via the communications interface, from a client device, a first request to establish a transport-layer connection between the client device and the server, the first request containing a first source port number; in response to receiving the first request and prior to establishing the transport-layer connection, initiate a delay timer and withhold transmission of an acknowledgement to the first request until expiry of the delay timer; receive from the client device, prior to expiry of the delay timer, a second request to establish the transport-layer connection; in response to determining that the second request contains a second source port number matching the first source port number, initiate establishment of the transport-layer connection with the client device; and select, based on the determination, a handling action for the second request.
  12. The computing device of claim 11, wherein the processor is configured to select the handling action by: when the determination is negative, discarding the first request and the second request, without sending an acknowledgement to the client device.
  13. The computing device of claim 11, wherein the processor is configured to select the handling action by: when the determination is negative, providing an indication that the client device is likely a proxy for a client endpoint to an auxiliary detector.
  14. The computing device of claim 11, wherein the transport-layer connection is based on the Transport Control Protocol (TCP), wherein the first request includes a SYN message, and wherein the processor is configured to initiate establishment of the transport-layer connection by sending a SYN-ACK message to the client device.
  15. The computing device of claim 14, wherein the processor is further configured to: determine a first time period elapsed between transmission of the acknowledgement, and receipt of an ACK message from the client device; in response to receiving, from the client device over the transport-layer connection, a second request to establish a secure link between a client endpoint and the server, transmit a second message to the client endpoint according to a handshake sequence for establishing the secure link; determine a second time period associated with completion of the second handshake sequence; and generate, based on the first time period and the second time period, a score indicating a likelihood that the client device is a proxy for the client endpoint.
  16. The computing device of claim 15, wherein the processor is configured to generate the score by determining a difference between the first and second time periods.
  17. The computing device of claim 15, wherein the processor is configured to determine the first time period by determining a time elapsed between transmission of the acknowledgement, and receipt of an ACK message from the client device.
  18. The computing device of claim 11, wherein the first request contains a first sequence number; and wherein the determination further comprises: determining whether the second request contains a second sequence number matching the first sequence number.
  19. The computing device of claim 18, wherein the processor is configured to select the handling action by: when at least one of (i) the first source port number does not match the second source port number, or (ii) the first sequence number does not match the second sequence number, discarding the first request and the second request, without sending an acknowledgement to the client device.
  20. The computing device of claim 11, wherein the delay timer is between 1 second and 2 seconds.
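The mechanism of claims 1 to 10 (delay timer, matching the retransmitted SYN on source port and sequence number, discarding on mismatch) together with the timing score of claims 5 to 7, as an added example written for this page; it is not the patent's or the assignee's code. The 1.5 s timer, the IPv4 addresses and ports, the behaviour when no retransmission arrives before expiry, and the sign convention of the score are assumptions made here.

```python
from dataclasses import dataclass, field
DELAY_TIMER_S = 1.5  # claim 10: delay timer between 1 and 2 seconds

@dataclass
class PendingSyn:
    port: int        # first source port number (claim 1)
    seq: int         # first sequence number (claim 8)
    deadline: float  # expiry of the delay timer

@dataclass
class SynDelayDetector:
    delay: float = DELAY_TIMER_S
    pending: dict = field(default_factory=dict)  # client IP -> PendingSyn

    def on_syn(self, now, client_ip, src_port, seq):
        """Handle one SYN from client_ip and return the chosen handling action."""
        p = self.pending.get(client_ip)
        if p is None or now >= p.deadline:  # first request (stale entry: assumption)
            self.pending[client_ip] = PendingSyn(src_port, seq, now + self.delay)
            return "WITHHOLD"  # start the delay timer, hold back the SYN-ACK
        del self.pending[client_ip]  # second request arrived before expiry
        if src_port == p.port and seq == p.seq:
            return "SYN_ACK"  # kernel retransmit: initiate the connection
        # New port or ISN: a fresh socket per retry, as a relaying proxy produces.
        # Discard both silently (claim 9); claim 3 instead flags it to an auxiliary detector.
        return "DISCARD"

    def on_timer(self, now):
        """Assumption: when the timer expires with no retransmission, release the
        withheld SYN-ACK; returns the client IPs whose timers expired."""
        expired = [ip for ip, p in self.pending.items() if now >= p.deadline]
        for ip in expired:
            del self.pending[ip]
        return expired

def proxy_score(tcp_rtt_s, tls_handshake_s):
    """Claims 5-6: TLS handshake time minus TCP handshake time (SYN-ACK sent ->
    ACK received); large when a device answers TCP locally but relays TLS to a
    distant endpoint. The sign convention is an assumption."""
    return tls_handshake_s - tcp_rtt_s

def run_demo():
    """Constructed traffic: a direct client retransmits its SYN after 1 s with the
    same port and ISN; a relaying device retries from a fresh socket."""
    d = SynDelayDetector()
    direct = [d.on_syn(0.0, "198.51.100.10", 51000, 1000),
              d.on_syn(1.0, "198.51.100.10", 51000, 1000)]
    proxy = [d.on_syn(0.0, "203.0.113.7", 40000, 7777),
             d.on_syn(1.2, "203.0.113.7", 40001, 8888)]
    return direct, proxy
```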

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. provisional patent application No. 63/497,053, filed Apr. 19, 2023, the contents of which are incorporated herein by reference.

BACKGROUND

Servers receive and respond to requests from client devices, e.g., to deliver data requested by the client devices in connection with web-based services. For certain services, responding to such requests can be computationally intensive. For example, servers handling search requests for travel-related services (e.g., flights, hotels, and the like) may incur significantly higher computational costs to generate responses to such requests than the costs incurred by other servers responsible for the retrieval of previously generated and indexed data.

The operators of the above-mentioned servers may derive little or no return for the cost of servicing fraudulent or abusive client requests. Upon detecting such requests, discarding or otherwise altering the usual request handling process may therefore be desirable, to reduce the allocation of computational resources to responding to such requests, with little likelihood of return, e.g., in the form of travel services being purchased from the server's operator. Fraudulent or abusive client requests, however, may be routed through proxy devices, which complicates their detection. Detecting such requests may be particularly challenging when the proxy devices are residential or other consumer-level devices that may also originate legitimate requests.

SUMMARY

An aspect of the specification provides a proxy detection method in a server, the method including: receiving, from a client device, a first request to establish a transport-layer connection between the client device and the server, the first request containing a first source port number; in response to receiving the first request, initiating a delay timer and withholding transmission of an acknowledgement to the first request until expiry of the delay timer; receiving from the client device, prior to expiry of the delay timer, a second request to establish the transport-layer connection; determining whether the second request contains a second source port number matching the first source port number; and selecting, based on the determination, a handling action for the second request.

Another aspect of the specification provides a server, including: a communications interface; and a processor configured to: receive via the communications interface, from a client device, a first request to establish a transport-layer connection between the client device and the server, the first request containing a first source port number; in response to receiving the first request, initiate a delay timer and withhold transmission of an acknowledgement to the first request until expiry of the delay timer; receive from the client device, prior to expiry of the delay timer, a second request to establish the transport-layer connection; determine whether the second request contains a second source port number matching the first source port number; and select, based on the determination, a handling action for the second request.

BRIEF DESCRIPTIONS OF THE DRAWINGS

Embodiments are described with reference to the following figures.

  • FIG. 1 is a diagram illustrating a communications system.
  • FIG. 2 is a diagram illustrating certain internal components of the proxy detector of FIG. 1.
  • FIG. 3 is a flowchart of a proxy detection method.
  • FIG. 4A is a diagram illustrating an example performance of blocks 305 to 308 of the method of FIG. 3.
  • FIG. 4B is a diagram illustrating another example performance of blocks 305 to 308 of the method of FIG. 3.
  • FIG. 5 is a diagram illustrating an example performance of blocks 310 to 340 of the method of FIG. 3.
  • FIG. 6 is a diagram illustrating another example performance of blocks 310 to 340 of the method of FIG. 3.
  • FIG. 7 is a flowchart of another proxy detection method.

DETAILED DESCRIPTION

FIG. 1 depicts a communications system 100, including a request handler 104 and a plurality of client devices, referred to collectively as client devices 108 and generically as a client device 108. In the illustrated example, the system 100 includes four client devices 108-1, 108-2, 108-3, and 108-4, although it will be understood that the system 100 can include greater or smaller numbers of client devices 108 in other examples. The client devices 108 are computing devices such as desktop computers, smart phones, laptop computers, or the like. Each client device 108 thus includes suitable hardware elements, such as processing, storage and network communications components, as well as input and output devices (e.g., keyboards, touch panels, displays, and the like), enabling the client device 108 to communicate with the request handler 104 over a network or combination of networks. Communications between the client devices 108 and the request handler 104 include the transmission of requests from client device