Detecting Anonymous Proxy Usage

Similar documents
Detecting and Preventing Anonymous Proxy Usage

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Creating a User Profile for Outlook 2013

Windows Family Safety Filter

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

Set internet safety parental controls with Windows

WildFire Cloud File Analysis

Action Steps for Setting Up a Successful Home Web Design Business

WhatWorks in Detecting and Blocking Advanced Threats:

12Planet Chat end-user manual

IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms

Secure Web Appliance. Reverse Proxy

Still Aren't Doing. Frank Kim

WildFire Cloud File Analysis

Content Filtering Client Policy & Reporting Administrator s Guide

Online signature API. Terms used in this document. The API in brief. Version 0.20,

ASPAlliance: Articles, reviews, and samples for.net Developers Review: BrowserHawk 9

Kiwi SyslogGen. A Freeware Syslog message generator for Windows. by SolarWinds, Inc.

User Guide For ipodder on Windows systems

SOA Software API Gateway Appliance 7.1.x Administration Guide

Website Maintenance Information For My Clients Bob Spies, Flying Seal Systems, LLC Updated: 08- Nov- 2015

Network Security Monitoring

FirstClass FAQ's An item is missing from my FirstClass desktop

Contents Release Notes System Requirements Administering Jive for Office

Jive Connects for Openfire

Step-by-Step Configuration

JOOMLA REFLECTION DDOS-FOR-HIRE

Installing and configuring Microsoft Reporting Services

Desktop and Laptop Security Policy

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

BusinessObjects Enterprise XI Release 2

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Tunnels and Redirectors

An Introduction To The Web File Manager

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

Check list for web developers

GoToMeeting, GoToWebinar & GoToTraining. Active Directory Connector Administration Guide Hollister Avenue Goleta CA 93117

Using TestLogServer for Web Security Troubleshooting

Release Notes for Websense Security v7.2

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

F-Secure Messaging Security Gateway. Deployment Guide

SonicWALL Security Quick Start Guide. Version 4.6

Novell ZENworks Asset Management 7.5

Windows Mail POP Instructions - Bloomsburg University Students

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

IDS and Penetration Testing Lab III Snort Lab

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

Users Manual. Super Silent Client. Super Silent Client Users Manual Piravi Software Solutions. Document Revision 1.

User Guide. Copyright 2003 Networks Associates Technology, Inc. All Rights Reserved.

Bulk Downloader. Call Recording: Bulk Downloader

Ipswitch Client Installation Guide

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

Setting Up Scan to SMB on TaskALFA series MFP s.

Section 1: Ribbon Customization

How to move to your account with MAC Mail

Thanks for choosing sentora-paranoid for your sentora hosting environment security solution

Subversion Integration for Visual Studio

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

COMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command Document Revision History... 10

Documentation to use the Elia Infeed web services

Network Security, ISA 656, Angelos Stavrou. Snort Lab

If you see "Skip installation of the current version and test the currently installed version of Java" then select that hyperlink.

Deposit Direct. Getting Started Guide

Notification messages

Sophos for Microsoft SharePoint startup guide

Exercises: FreeBSD: Apache and SSL: pre SANOG VI Workshop

Web Security School Final Exam

Deploying Microsoft Operations Manager with the BIG-IP system and icontrol

Implementation notes on Integration of Avaya Aura Application Enablement Services with Microsoft Lync 2010 Server.

SPAMfighter Mail Gateway

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

Cloud Services. Sharepoint. Admin Quick Start Guide

Salesforce Classic Guide for iphone

OVERVIEW OF ASP. What is ASP. Why ASP

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do?

Wireshark Deep packet inspection with Wireshark

Contents Jive for Outlook

Intrusion Detections Systems

Troubleshooting / FAQ

Owner of the content within this article is Written by Marc Grote

Browser Client 2.0 Admin Guide

Firewalls and Software Updates

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Dell KACE K1000 System Management Appliance Version 5.4. Service Desk Administrator Guide

Connection and Printer Setup Guide

Integration Guide. LogicNow MAXfocus

Steps for Basic Configuration

White Paper Instant Messaging (IM) and Sarbanes Oxley Compliance

A Sample OFBiz application implementing remote access via RMI and SOAP Table of contents

HomeNet. Gateway User Guide

Juniper Secure Analytics Release Notes

Page 18. Using Software To Make More Money With Surveys. Visit us on the web at:

Data Warehouse Troubleshooting Tips

Transcription:

Detecting Anonymous Proxy Usage John Brozycki March 2008 GIAC GPEN, GCIH, GSEC, GCIA, GCFW, GCFA, GREM John@trueinsecurity.com SANS Technology Institute - Candidate for Master of Science Degree 1 1 John Brozycki. March 2009. SANS 2009 1

Objective Understand the threats posed by anonymous proxies. Understand why the solution used by many vendors doesn't work. Examine three methods for preventing or detecting anonymous proxies in your environment. SANS Technology Institute - Candidate for Master of Science Degree 2 If you manage a user population that accesses the Internet, you've probably faced the problem of restricting the content that users are permitted to view. Some sites violate acceptable use policy while others may be sites known to host malware. You may have implemented filtering solutions, only to find that your users get to the restricted sites anyway thanks to anonymous proxy servers. What are anonymous proxies, why should you be concerned about them, and how can you prevent or at least detect them? 2

Anonymous Proxies Allow access to restricted sites, which: - violates security policy - puts systems at risk to malware Change frequently. Sites added daily. How can we detect them? SANS Technology Institute - Candidate for Master of Science Degree 3 Anonymous Proxies are servers on the Internet that allow users to access sites that are forbidden by a company security policy and blocked by company site filtering solutions. You may block myspace.com, but a user can access "someproxy.com" and enter "myspace.com" in a user entry field, and the proxy server will retrieve the content from myspace.com. Since the user is accessing someproxy.com, not myspace.com, your filtering solution is unaware and effectively bypassed. URLs for anonymous proxies change frequently and new ones are added every day. While there is no single solution that will prevent all anonymous proxy usage, this presentation will discuss some techniques to detect and prevent their usage. 3

Typical Blacklist Solutions Don't Stop Anonymous Proxies 1) Vendor detects proxy site. 2) Vendor adds a filtering rule for proxy to update customer's filtering solution. 3) Proxy owner adds or changes URL or proxy. 4) Users find new URLs to proxies and access forbidden sites. 5) Repeat Step 1. SANS Technology Institute - Candidate for Master of Science Degree 4 Since proxy URLs may be changed frequently and new proxies are added every day, blacklisting discovered anonymous proxies becomes a game of "catch up" where you are always behind; able to block the proxies that users used today, but not the proxies they'll be using tomorrow. These steps illustrate the process many vendors use to push updates to customers and why this process isn't enough. Much like the game of "Whack a Mole" each time you knock down one mole another one pops up somewhere else. 4

1) Using Proxy Lists to Block Proxies Proactively Proxy owners must advertise new proxies or new URLs for users to find them. Users search for new proxies as their old ones get blocked. We can scrape those same lists to import into our filtering solution. SANS Technology Institute - Candidate for Master of Science Degree 5 When today's proxies are blocked tomorrow, how do users learn about new ones? Many proxy owners are financially motivated to attract users, often displaying advertisements. Proxy list sites are where the two sides meet up. If you can get a list of fresh proxies the same time your users do, you can create a much better blacklist/blocklist. Method number 1 is to create blocklists using the same proxy list websites that your users are likely using. 5

Making Your Own Blacklist Example: www.proxy4free.com Contains five pages of IP addresses of proxies. We can make our own blacklist. SANS Technology Institute - Candidate for Master of Science Degree 6 Here is an example of one such proxy list. Some will provide IP addresses, others names. Some update more frequently and more reliably. Once you find one or more good ones, you can utilize them for your blacklist. Integrate your list with your filtering solution, and you've blocked access to these proxies. 6

Scripting a Blacklist Use CURL cmd to copy web page, then GREP, CUT, and SORT to create IP blacklist Repeat for each page of proxies: curl http://www.proxy4free.com/page1.html > proxy1.html grep whois\.cgi\?domain\= proxy1.html cut -d \= -f 3 cut -d \" -f 1 sort uniq > proxy.txt Alter accordingly for different sites and when site alters page formatting. SANS Technology Institute - Candidate for Master of Science Degree 7 Using a few Linux/Unix commands (ports also available for Windows) the proxy lists can be downloaded, parsed, and formatted into something that you should be able to integrate into your Internet filtering solution. Remember that sites can change their formatting and proxy list sites can come and go. The key point here is not that you can use the list from proxy4free.com in your blocking (although you certainly can) but that you can make use of these resources with a minimal amount of effort to provide much better site blocking. 7

2) Detecting Popular Proxies Majority of proxies utilize a few significant projects: 1) PHPProxy - PHP-based proxy server 2) CGIProxy - Perl-based CGI script 3) Glype - PHP-based proxy script Most proxy admins do not write their own proxy and do not modify base functionality. SANS Technology Institute - Candidate for Master of Science Degree 8 Not all proxies will be caught by blacklisting, so let's look at method number two. A trend that I found is that most proxies are installed from only a few different open source projects. These key projects provide themes and templates and make it easier for the proxy owner to integrate advertising. Why reinvent the wheel when these projects already exist? Another trend that I found was that the proxy owners don't customize the functionality or formatting from the base project. This gives the potential to detect proxies by the class of proxy server that they are running. 8

Detecting a Glype Server Example Glype URL: http://www.reverseproxy.us/browse.php?u= Oi8vd3d3Lm15c3BhY2UuY29t&b=143 Format: {hostname}/browse.php?u={obfuscatedurl} &b={identifier} Regular Expression to Match: (browse\.php\?u=).+(&b).* SANS Technology Institute - Candidate for Master of Science Degree 9 In this example we see the format of the URL sent from the user's browser back to the proxy server. Note the obfuscated URL, which we'll discuss in a few slides. We're able to find some text that is common to all default installs of Glype proxies that is relatively unique and probably won't match on any legitimate site. We can turn this text into a regular expression. We can use grep to find this in our Internet access logs, but there's something even better we can do with it. 9

Detecting a Glype Server 2 The format of the proxy server URL can be turned into a Snort IDS rule Example rule for a Glype Proxy: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: Glype Proxy detected ; pcre: /(browse\.php\?u=).+(&b).*/i ; classtype:policy-violation; sid:50015;) SANS Technology Institute - Candidate for Master of Science Degree 10 Snort is a very popular, open source IDS. Other IDS systems may also support Snort signatures or regular expressions. Here, the Perl Compatible Regular Expression (PCRE) functionality is used to make a rule that can alert you in real time of Glype proxy usage. Rules can also be made for the other proxy projects, allowing you to detect whole classes of proxies without relying on proxy site names and IP addresses. 10

3) Detecting Obfuscated Proxy Destinations Remember the Glype URL from a few slides back? http://www.reverseproxy.us/browse.p hp?u=oi8vd3d3lm15c3bhy2uuy29t&b =143 To prevent detection by log review, most proxies encode the user's URL destination. When Base64 decoded, above string becomes ://www.myspace.com SANS Technology Institute - Candidate for Master of Science Degree 11 The third method is to detect obfuscated proxy destinations in your web access logs. To prevent detection, most proxies utilize obfuscation of the destination web site. Somehow, the user has to tell the proxy what site to go and retrieve. I've observed that Base64 is the prominent method of obfuscation, as it's well understood, well supported in programming environments, and efficient. The encoding happens within the browser and is sent to the proxy server, which decodes it to the real URL. 11

Base64 Encoding Base64 encoding is not encryption, but is very effective at thwarting detection of banned sites in a log review. Base64 is the dominant encoding scheme. Widely supported. I found no tools to detect and decode Base64 strings in web logs, so I decided to try to write my own. SANS Technology Institute - Candidate for Master of Science Degree 12 To determine if users have still been able to access prohibited sites, it would be very convenient if we could look for Base64 entries in Internet access logs and automatically decode them. I was unable to find any existing tool that could do this. I decided to try to write my own in Perl. 12

findbase64.pl Difficulties: No sure way to tell if a string was Base64. Many proxies truncate padding character (ie: "=".) Decodes OK, but means you can't rely on length to detect. Reduced false positives by: decoding and then looking for characters invalid for a URL, such as "*^". Surprisingly effective. SANS Technology Institute - Candidate for Master of Science Degree 13 Perl has built in functionality for Base64 encoding and decoding, so that wasn't the hard part. After getting through the parsing of the URL string, the biggest problem was determining if the string was Base64 or not. Base64 characters are a-z, A-Z, 0-9, and a couple others that depend upon the implementation. Often, a "=" is used for padding, as Base64 values are always a multiple of 4 bytes. Some implementations drop the use of padding characters, meaning the encoded string may not be divisible by 4. This doesn't prevent decoding, but it makes it more difficult to programmatically determine whether a set of characters has been Base64 encoded. Initially, I had a lot of false positives, and the script decoded strings that were not Base64 encoded. I noticed a lot of character combinations that weren't valid for URLs. I realized that if I checked for some of these after decoding and they were found,then the original string wasn't Base64 encoded. This false positive elimination worked out even better than I thought. 13

Running findbase64.pl Option for loose or strict Base64 boundary adherence. Strict will miss truncated strings, but loose will increase false positives. Run on web access log, such as Microsoft ISA Server proxy logs. Processes 1.5 million record log in about 30 seconds on fast laptop. SANS Technology Institute - Candidate for Master of Science Degree 14 Findbase64.pl takes a file of URLs as its input and looks for a file named "weblog.txt". Depending upon how you log your users' Internet access, you may have to filter out additional fields that may be provided. For example, if you use Microsoft's ISA Server to control Internet access, its default log has many additional fields that you don't need and that need to be removed before running findbase64.pl. To filter out just the URLs from the ISA log, you could run the following command: awk -F "\t" '{print $16}' nameofloffile.log > weblog.txt. Awk parses each line of the input log file, using the TAB character as a delineator (as specified with the -F parameter) and then sends the 16th field, which is where the full URLs are, to the output. Note that while you can accomplish this with the CUT command, I have experienced issues doing this where CUT quits during processing of the data, especially in the case of ISA logs. A search on the Internet revealed that others have had problems with the CUT command. Unless and until this is fixed, I recommend using awk. If you do use CUT, make sure that your output file has the same number of records as your input file. After creating the weblog.txt file, type "perl findbase64.pl". The resulting file, base64check.txt, can be loaded into a spreadsheet program for review. 14

Summary Block proxies more effectively by using same lists your users do. Most proxies are one of a few common projects and currently detectable. Proxies rely on encoding to protect destination, but can be decoded with findbase64.pl. More information in paper in SANS Reading Room. Search on 32943 Updates at www.trueinsecurity.com/proxy SANS Technology Institute - Candidate for Master of Science Degree 15 While there is no way to prevent or detect anonymous proxy usage 100% of the time, this presentation has presented three techniques, which may be used in unison, to greatly decrease the possibility that anonymous proxies are used without your knowledge. More techniques are discussed in my research paper, which can be found by going to the SANS site (www.sans.org/reading_room) and searching on the paper number, 32943. Like all things on the Internet, anonymous proxies, proxy list sites, and detection methods are subject to rapid change. I've set up a web page where I will try to provide updated information as time allows. The URL is www.trueinsecurity.com/proxy 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information