Proxy Abuse Slides - University of Hull


Insecure Proxies in Internet Abuse
Eur Ing Brian Tompsett
Department of Computer Science
University of Hull
[email protected]
Busan, Korea
Analysis of Proxy Abuse
• Web Server since 93/94
• Large popular content (genealogy)
• 1-2M clicks a month
• Same IP/domain
• 1999 saw first proxy requests
• Allowed a few, experimentally
Proxy Server?
• Web Server – Port 80
• Not a proxy
• Scanned for Proxy ability
• Pages/robots indicated not open
• Added to lists of “open” servers
Level of Intrusions?
• Measured general Intrusion
– 100s a day per machine
– Machine compromise risk high
• Analysed bulk email
– 1000s a month since 1996
– Open proxies main vehicle
Origins of Proxy Abuse
• 1st: Austrian Universities
• Russian/Ukrainian Origin
• CZ, CN, EDU.CA, IL
– Russian Speakers
• Proxy Abuse Software in Russian found
General Problem of Proxies
• Denial of Service
– Tracking and Complaining
– Scripts to assist log extracting
• Others noticed
– APAN-JP Proxy Abuse Campaign
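The slides mention scripts to assist log extraction but do not show them. As an added example (not the author's code), the Python below picks out of an Apache/NCSA combined-format access log the requests that only a client treating the server as a proxy would send: absolute-URI requests for a host the server does not serve, and CONNECT tunnel requests. The log format, the hostnames in OUR_HOSTS and the sample log lines are constructed assumptions.

```python
"""Flag open-proxy style requests in a web server access log.

Added example, not from the original slides. Constructed assumptions:
Apache/NCSA combined log format, and OUR_HOSTS as the names this server
legitimately answers for.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this web server legitimately serves (constructed).
OUR_HOSTS = {"www.example-genealogy.test", "example-genealogy.test"}

# Combined log format: client ident authuser [date] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(method, target):
    """Return a reason string if the request looks like proxy use, else None.

    A browser talking to the origin server sends a path ("/index.html").
    A client that believes it is talking to a proxy sends an absolute URI
    ("http://other.site/...") or a CONNECT request ("host:port").
    """
    if method == "CONNECT":
        return "connect-tunnel"
    if "://" in target:
        host = urlsplit(target).hostname
        if host and host.lower() not in OUR_HOSTS:
            return "absolute-uri-foreign-host"
    return None


def scan_log(lines):
    """Parse the lines; return (hits per client, list of (client, reason, target))."""
    hits = []
    per_client = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reason = classify_request(m["method"], m["target"])
        if reason:
            hits.append((m["client"], reason, m["target"]))
            per_client[m["client"]] += 1
    return per_client, hits


# Constructed sample: two normal hits on our own site, two proxy-style requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2003:13:55:36 +0900] "GET /surnames/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Oct/2003:13:55:40 +0900] "GET http://ads.other-site.test/click?id=1 HTTP/1.0" 404 300 "-" "-"',
    '203.0.113.9 - - [10/Oct/2003:13:55:41 +0900] "CONNECT mail.other-site.test:25 HTTP/1.0" 405 200 "-" "-"',
    '198.51.100.7 - - [10/Oct/2003:13:55:50 +0900] "GET http://www.example-genealogy.test/surnames/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    counts, flagged = scan_log(SAMPLE_LOG)
    for client, reason, target in flagged:
        print(f"{client}  {reason:28s} {target}")
    print("suspect clients:", dict(counts))
```

An absolute URI for one of our own hostnames is legitimate (HTTP/1.1 permits it), so only foreign hosts are flagged; a client with several hits is a stronger signal than a single stray request.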
The Proxy Abusers
• Initially Adult Oriented
• Hotel/Travel material
• Avoid local censorship/blocking
– Education site seems inoffensive
• ISP load sharing
• Researchers cache timing experiments
Counter Fraud
• Manipulate Click Counters
• Improving Ranking
• Polls, Talent Contest, TV Votes
• Make minority interests appear normal
Pay-per-Click
• Web pages full of adverts
• Adverts Clicked Mechanically
• Advert Revenue Collected
• Organised Crime
– Clicking Clubs
– Software Promoted & Available
The Advertisers
• Unaware of Fraud
• No expertise to control
• Disbelieving
• Minority aware and capable
• Many Bankrupted
• E-commerce growth harmed
What is a Proxy?
• Application Gateway
• Carry Traffic for third parties
– http proxy
– Socks Proxy
– NAT
– Firewalls
– SMTP
– AnalogX, WinGate, Squid
Proxy Trends
• Make the Unacceptable Acceptable
– Counter Manipulation
• DSL connected proxies
• World Growth in Broadband
– Political Prominence
– Technical Naivety
– Commercial Imperatives
Proxy Implantation
• Worm delivers viral Proxy
– Sobig
• Web server Implantation
– Pornographic distribution
• Problem for Forensics
– Criminals can claim virus caused it
– Forensic Examination needs more rigour
– ISP hindering public protection
SuperZonda
• Latest proxy use
• Done by DNS control with open proxy
• Method: www.doubtful-domain.zz
– Web browser fetches page
– DNS lookup => open proxy
– Open proxy fetches page
– DNS lookup returns true IP
– Can be layered
Why?
• Obscures True Page Location
• Makes Organisation Appear Large
• Improves apparent responsiveness
– Millions of effective web servers
• Enhances reputation of advertiser
• Diverts Complaints
Why Worry?
• Paedophile Material
• Appear to be hosted at schools
• Fulfils their fantasy
• Combined with AnalogX at Korean Schools
• Damaged Reputation
• Needs Local Action
– Lobby Admins & Politicians
Further Hiding
• Bogons
– Traffic from non-existent IP blocks
– Identified by CIDR-report.org
• Zombies
– Dormant IP block taken over by fraud
– Documentation is forged
• Hides origins of Proxy Abusers
• Traceroute fooling
Regional Perspectives
• Korean Schools
• Japan
– formerly free of proxies
– Now broadband expansion
• Many proxies – worrying
• Malaysia, broadband proxies
• Thailand – educational proxies
• China – registration data & Language
Dirty Money
• Overseas Currency
– Powerful draw
– Naivety regarding issues
– Causes Internet Routing Sanctions
Solving The Problem
• Too many proposals
– Too narrow a perspective
– Vested Interests – hope to profit
– Vendors only looking at their part
• Need holistic approach to abuse
– Across applications
– All Layers of protocol
Layered Defence
• Protection at all Levels of Network Model
• Action by end users at application layer
– Not fully protected
– Need action at lower layers
Physical/Datalink
• Secure Physical Access
– Plug in cables
– Wireless range
• Control Access by medium
• Control Access by Authorization
– No free rides
– Particularly important in wireless
Network (IP) Layer
• Some IP not routed
– RFC1918
– Bogons
– Zombies
– Own policy based restrictions
• Manage this database
Transport (TCP/UDP) Layer
• Only route to provided services
– Restrict port 25 through mailhubs
– Restrict port 80 to web servers
– No incoming port 23
• Restrict dialups (in and out)
• Local Policy based restrictions
– Manage this database
• Protects from worm propagation
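The Network and Transport layer slides above describe a policy in words: drop traffic from RFC1918, bogon and zombie source ranges, and only route to provided services (port 25 through the mailhubs, port 80 to the web servers, no incoming port 23). As an added example (not the author's code), the Python below expresses that policy as a checkable function over inbound flows. The RFC1918 ranges are the real ones; the bogon and zombie blocks, the mailhub and web server addresses, and the sample flows are constructed stand-ins, where a real deployment would load the bogon and zombie lists from a maintained feed such as the CIDR-report the slides cite.

```python
"""Network- and transport-layer policy check for a site border, in the
layered-defence spirit of the slides. Added example, not from the original
slides; every address below except the RFC1918 ranges is constructed."""
import ipaddress

# Network layer: source ranges that must never arrive from outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-ins for an unallocated (bogon) block and a hijacked (zombie) block.
BOGONS = [ipaddress.ip_network("203.0.113.0/24")]
ZOMBIES = [ipaddress.ip_network("198.51.100.0/24")]

# Transport layer: which local hosts provide which services (constructed roles).
MAILHUBS = {ipaddress.ip_address("192.0.2.25")}
WEB_SERVERS = {ipaddress.ip_address("192.0.2.80")}
SERVICE_POLICY = {25: MAILHUBS, 80: WEB_SERVERS}
BLOCKED_INBOUND_PORTS = {23}  # "No incoming port 23"


def network_layer_verdict(src):
    """Return the drop reason for a source address, or None if it passes."""
    a = ipaddress.ip_address(src)
    for label, nets in (("rfc1918", RFC1918), ("bogon", BOGONS), ("zombie", ZOMBIES)):
        if any(a in n for n in nets):
            return label
    return None


def transport_layer_verdict(dst, dport):
    """Return the drop reason for an inbound (dst, port) pair, or None if it passes."""
    d = ipaddress.ip_address(dst)
    if dport in BLOCKED_INBOUND_PORTS:
        return f"port-{dport}-blocked"
    allowed = SERVICE_POLICY.get(dport)
    if allowed is not None and d not in allowed:
        return f"port-{dport}-not-a-provided-service"
    return None


def evaluate(flow):
    """Apply the layers in order; the first layer that rejects decides."""
    src, dst, dport = flow
    return network_layer_verdict(src) or transport_layer_verdict(dst, dport) or "accept"


# Constructed inbound flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.5", "192.0.2.80", 80),    # private source arriving from outside
    ("203.0.113.44", "192.0.2.80", 80),   # source in the constructed bogon block
    ("198.51.100.9", "192.0.2.25", 25),   # source in the constructed zombie block
    ("192.0.2.200", "192.0.2.80", 80),    # web request to the web server
    ("192.0.2.200", "192.0.2.50", 80),    # web request to a host that is not a web server
    ("192.0.2.200", "192.0.2.25", 25),    # mail to the mailhub
    ("192.0.2.200", "192.0.2.50", 23),    # telnet: blocked regardless of destination
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow[0]:>14} -> {flow[1]}:{flow[2]:<3}  {evaluate(flow)}")
```

The point of the ordering is the slides' own: a source that fails the network-layer check is dropped before any service policy is consulted, and the service policy keeps a worm or proxy scanner from reaching ports on hosts that were never meant to serve them.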
Application Level
• Enforce Protocols/Handshaking
• Filter for application targeting
– Web pages (e.g. browser attacks)
– Email (e.g. browser attacks)
– Viral content
• Checksumming (DCC)
• Content Filters (Bayesian)
• Local & User filters
The Layers
Application: User Filter; Bayesian; DCC; Format; Handshake; RFC-Ignorant
Transport: Service Policy; RFC-Ignorant
Network: Policy; Zombie; Bogons; RFC1918
Datalink: Authorised
Physical: Connection Medium
Managing Layered Prevention
• Not a Single Point Solution
– Distributed Responsibility
– Network Managers
– Customer Service
– Clients
• No unmanaged Broadband
• Managed Software Install
– Child Protection enabled
Role of the Regulator
• Legislators are confused
• Abuse is immune to Legislation
• Regulators need to enforce best practice
– Managed Broadband
– Track Best Practice
• Regulate Registrars
– More resources, better data
Conclusions
• National Interest to Regulate Registrar
– Provide Resources
– Operate as Internet Licensees
– Identity Proved
• Internet Product Safety Regulation
• Regulate Network Best Practice
– To protect the consumer