Insecured Proxies in Internet Abuse
Eur Ing Brian Tompsett
Department of Computer Science
University of [email protected]
Busan, Korea
Analysis of Proxy Abuse
• Web Server since 93/94
• Large popular content (genealogy)
• 1-2M clicks month
• Same IP/domain
• 1999 saw first proxy requests
• Allowed a few, experimentally
Proxy Server?
• Web Server – Port 80
• Not a proxy
• Scanned for Proxy ability
• Pages/robots indicated not open
• Added to lists of “open” servers
Level of Intrusions?
• Measured general intrusion
  – 100s a day per machine
  – Machine compromise risk high
• Analysed bulk email
  – 1000s a month since 1996
  – Open proxies main vehicle
Origins of Proxy Abuse
• 1st Austrian Universities
• Russian/Ukrainian Origin
• CZ, CN, EDU.CA, IL
  – Russian speakers
• Proxy Abuse Software in Russian found
General Problem of Proxies
• Denial of Service
  – Tracking and complaining
  – Scripts to assist log extracting
• Others noticed
  – APAN-JP Proxy Abuse Campaign
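The "scanned for proxy ability" slide and the "scripts to assist log extracting" point above describe finding proxy probes in an ordinary web server's logs. The following is an added example, not a script from the talk: it parses Common Log Format lines (a constructed sample is embedded) and flags requests that only a proxy would honour, an absolute URI naming another host or a CONNECT request, then counts them per client and separates mere scans (rejected with 4xx) from requests the server actually relayed.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (not from the talk's own server).
# Client 198.51.100.7 probes whether this origin server will relay for it.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2003:10:01:02 +0000] "GET /genealogy/index.html HTTP/1.0" 200 5120
198.51.100.7 - - [12/Mar/2003:10:01:05 +0000] "GET http://www.example.net/ HTTP/1.0" 404 213
198.51.100.7 - - [12/Mar/2003:10:01:09 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 405 180
192.0.2.33 - - [12/Mar/2003:10:02:11 +0000] "GET /robots.txt HTTP/1.1" 200 67
198.51.100.7 - - [12/Mar/2003:10:02:40 +0000] "GET http://vote.example.com/poll?c=7 HTTP/1.1" 404 213
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one CLF line into fields; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(rec):
    """True when the request line only makes sense to a proxy: an absolute URI
    naming another host, or a CONNECT tunnel request. A plain origin server
    should never see these from legitimate browsers."""
    if rec["method"].upper() == "CONNECT":
        return True
    return rec["target"].lower().startswith(("http://", "https://"))


def proxy_probes(log_text):
    """All parsed records that look like proxy probes."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and is_proxy_request(r)]


def probes_by_client(log_text):
    """Count of proxy-style requests per client address, for abuse reports."""
    return Counter(r["ip"] for r in proxy_probes(log_text))


def relayed_requests(log_text):
    """Probes the server actually answered with 2xx: evidence it is relaying
    (i.e. has become an open proxy) rather than merely being scanned."""
    return [r for r in proxy_probes(log_text) if r["status"].startswith("2")]


if __name__ == "__main__":
    for ip, n in probes_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} proxy-style request(s)")
    print("relayed:", len(relayed_requests(SAMPLE_LOG)))
```

An empty result from `relayed_requests` on a server that still shows up in published "open" lists is the situation the slides describe: listed, scanned, but not actually relaying.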
The Proxy Abusers
• Initially Adult Oriented
• Hotel/Travel material
• Avoid local censorship/blocking
  – Education site seems inoffensive
• ISP load sharing
• Researchers cache timing experiments
Counter Fraud
• Manipulate Click Counters
• Improving Ranking
• Polls, Talent Contest, TV Votes
• Make minority interests appear normal
Pay-per-Click
• Web pages full of adverts
• Adverts Clicked Mechanically
• Advert Revenue Collected
• Organised Crime
  – Clicking clubs
  – Software promoted & available
The Advertisers
• Unaware of Fraud
• No expertise to control
• Disbelieving
• Minority aware and capable
• Many Bankrupted
• E-commerce growth harmed
What is a Proxy?
• Application Gateway
• Carry traffic for third parties
  – HTTP proxy
  – SOCKS proxy
  – NAT
  – Firewalls
  – SMTP
  – AnalogX, WinGate, Squid
Proxy Trends
• Make the unacceptable acceptable
  – Counter manipulation
• DSL connected proxies
• World growth in broadband
  – Political prominence
  – Technical naivety
  – Commercial imperatives
Proxy Implantation
• Worm delivers viral proxy
  – Sobig
• Web server implantation
  – Pornographic distribution
• Problem for forensics
  – Criminals can claim virus caused it
  – Forensic examination needs more rigour
  – ISP hindering public protection
SuperZonda
• Latest proxy use
• Done by DNS control with open proxy
• Method: www.doubtful-domain.zz
  – Web browser fetches page
  – DNS lookup => open proxy
  – Open proxy fetches page
  – DNS lookup returns true IP
  – Can be layered
Why?
• Obscures True Page Location
• Makes Organisation Appear Large
• Improves apparent responsiveness
  – Millions of effective web servers
• Enhances reputation of advertiser
• Diverts Complaints
Why Worry?
• Paedophile Material
• Appear to be hosted at schools
• Fulfils their fantasy
• Combined with AnalogX at Korean Schools
• Damaged Reputation
• Needs Local Action – Lobby Admins & Politicians
Further Hiding
• Bogons
  – Traffic from non-existent IP blocks
  – Identified by CIDR-report.org
• Zombies
  – Dormant IP block taken over by fraud
  – Documentation is forged
• Hides origins of Proxy Abusers
• Traceroute fooling
Regional Perspectives
• Korean Schools
• Japan
  – Formerly free of proxies
  – Now broadband expansion
• Many proxies – worrying
• Malaysia, broadband proxies
• Thailand – educational proxies
• China – registration data & language
Dirty Money
• Overseas currency
  – Powerful draw
  – Naivety regarding issues
  – Causes Internet routing sanctions
Solving The Problem
• Too many proposals
  – Too narrow a perspective
  – Vested interests – hope to profit
  – Vendors only looking at their part
• Need holistic approach to abuse
  – Across applications
  – All layers of protocol
Layered Defence
• Protection at all Levels of Network Model
• Action by end users at application layer
  – Not fully protected
  – Need action at lower layers
Physical/Datalink
• Secure physical access
  – Plug in cables
  – Wireless range
• Control access by medium
• Control access by authorization
  – No free rides
  – Particularly important in wireless
Network (IP) Layer
• Some IP not routed
  – RFC1918
  – Bogons
  – Zombies
  – Own policy based restrictions
• Manage this database
Transport (TCP/UDP) Layer
• Only route to provided services
  – Restrict port 25 through mail hubs
  – Restrict port 80 to web servers
  – No incoming port 23
• Restrict dialups (in and out)
• Local policy based restrictions
  – Manage this database
• Protects from worm propagation
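The network-layer and transport-layer slides above describe two policy databases: non-routed source blocks (RFC1918, bogons, zombies, local policy) and a per-service port policy (SMTP only via mail hubs, port 80 only to web servers, no incoming port 23). The following is an added example, not the talk's own tooling: it keeps both databases as plain Python data and evaluates a packet tuple against the layers in order, returning which layer rejected it and why. All prefixes and host addresses are constructed placeholders; the talk points to CIDR-report.org for a maintained bogon list.

```python
import ipaddress

# Constructed policy database for illustration (the talk's own lists are not on
# the page). Bogon and zombie prefixes are placeholders.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4"]   # placeholder subset
ZOMBIES = ["192.0.2.0/24"]                             # placeholder hijacked dormant block
NON_ROUTED = {ipaddress.ip_network(n): tag
              for lst, tag in ((RFC1918, "RFC1918"), (BOGONS, "bogon"), (ZOMBIES, "zombie"))
              for n in lst}

MAIL_HUBS = {"198.51.100.25"}     # placeholder: only hosts allowed to speak SMTP
WEB_SERVERS = {"198.51.100.80"}   # placeholder: only hosts reachable on port 80


def network_check(src):
    """Network (IP) layer: reject any source inside a non-routed block."""
    addr = ipaddress.ip_address(src)
    for net, tag in NON_ROUTED.items():
        if addr in net:
            return False, f"network: source {src} in {tag} block {net}"
    return True, "network: ok"


def transport_check(src, dst, port, inbound):
    """Transport layer: only route to the services actually provided."""
    if port == 25:
        hub = dst if inbound else src        # SMTP must terminate at a mail hub
        if hub not in MAIL_HUBS:
            return False, f"transport: port 25 only via mail hubs, not {hub}"
    elif port == 80 and inbound and dst not in WEB_SERVERS:
        return False, f"transport: port 80 only to web servers, not {dst}"
    elif port == 23 and inbound:
        return False, "transport: no incoming telnet (port 23)"
    return True, "transport: ok"


def decide(src, dst, port, inbound=True):
    """Apply the layers bottom-up; the first layer that rejects wins."""
    ok, reason = network_check(src)
    if not ok:
        return False, reason
    ok, reason = transport_check(src, dst, port, inbound)
    if not ok:
        return False, reason
    return True, "allowed"


if __name__ == "__main__":
    for pkt in [("10.1.2.3", "198.51.100.80", 80), ("203.0.113.9", "198.51.100.80", 25),
                ("203.0.113.9", "198.51.100.80", 23), ("203.0.113.9", "198.51.100.80", 80)]:
        print(pkt, "->", decide(*pkt))
```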
Application Level
• Enforce Protocols/Handshaking
• Filter for application targeting
  – Web pages (e.g. browser attacks)
  – Email (e.g. browser attacks)
  – Viral content
• Checksumming (DCC)
• Content Filters (Bayesian)
• Local & user filters
The Layers
Application: User filter; Bayesian; DCC; Format; Handshake; RFC-Ignorant
Transport:   Service policy; RFC-Ignorant
Network:     Policy; Zombie; Bogons; RFC1918
Datalink:    Authorised
Physical:    Connection – Medium
Managing Layered Prevention
• Not a single point solution
  – Distributed responsibility
  – Network managers
  – Customer service
  – Clients
• No unmanaged broadband
• Managed software install
  – Child protection enabled
Role of the Regulator
• Legislators are confused
• Abuse is immune to Legislation
• Regulators need to enforce best practice
  – Managed broadband
  – Track best practice
• Regulate registrars
  – More resources, better data
Conclusions
• National interest to regulate registrars
  – Provide resources
  – Operate as Internet licensees
  – Identity proved
• Internet product safety regulation
• Regulate network best practice
  – To protect the consumer