Insecured Proxies in Internet Abuse

Eur Ing Brian Tompsett
Department of Computer Science
University of Hull
B.C.Tompsett@dcs.hull.ac.uk

Busan, Korea

Analysis of Proxy Abuse

• Web Server since 93/94

• Large popular content (genealogy)

• 1-2M clicks month

• Same IP/domain

• 1999 saw first proxy requests

• Allowed a few, experimentally

Proxy Server?

• Web Server – Port 80

• Not a proxy

• Scanned for Proxy ability

• Pages/robots indicated not open

• Added to lists of “open” servers

Level of Intrusions?

• Measured general Intrusion
  – 100’s a day per machine
  – Machine compromise risk high

• Analysed bulk email
  – 1000s month since 1996
  – Open proxies main vehicle

Origins of Proxy Abuse

• 1st Austrian Universities

• Russian/Ukrainian Origin

• CZ, CN, EDU.CA, IL
  – Russian Speakers

• Proxy Abuse Software in Russian found

General Problem of Proxies

• Denial of Service
  – Tracking and Complaining
  – Scripts to assist log extracting

• Others noticed
  – APAN-JP Proxy Abuse Campaign
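A sketch of the kind of log extraction mentioned above, added here as an example and not the author's own scripts: it picks proxy-style requests (absolute-URL `GET` for a third-party host, or `CONNECT`) out of a web server access log and groups them by client address for tracking and complaining. The Common Log Format input, the `OWN_HOSTS` names and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the site's own names; absolute URLs for these are not proxy use.
OWN_HOSTS = {"www.example.org", "example.org"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) \S+')

def proxy_target(method, target):
    """Return the third-party host a request asks us to relay to, else None."""
    if method.upper() == "CONNECT":            # authority-form: host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                        # absolute-form: scheme://host/path
        host = (urlsplit(target).hostname or "").lower()
        return host if host and host not in OWN_HOSTS else None
    return None                                # origin-form (/path): ordinary request

def extract_proxy_attempts(lines):
    """Group proxy-style requests by client address for a complaint report."""
    report = defaultdict(lambda: {"count": 0, "relayed": 0, "targets": set(), "first": None})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                           # skip malformed lines
        client, when, method, target, status = m.groups()
        host = proxy_target(method, target)
        if host is None:
            continue
        entry = report[client]
        entry["count"] += 1
        entry["targets"].add(host)
        entry["first"] = entry["first"] or when
        if status.startswith("2"):             # a 2xx suggests the server relayed it
            entry["relayed"] += 1
    return dict(report)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Jan/2004:10:00:02 +0000] "GET http://ads.example.net/click?id=1 HTTP/1.0" 403 210',
    '198.51.100.7 - - [01/Jan/2004:10:00:03 +0000] "CONNECT mail.example.com:25 HTTP/1.0" 405 0',
    '203.0.113.5 - - [01/Jan/2004:10:00:09 +0000] "GET http://www.example.org/tree.html HTTP/1.0" 200 512',
    '203.0.113.9 - - [01/Jan/2004:10:00:11 +0000] "GET http://poll.example.net/vote HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for client, e in sorted(extract_proxy_attempts(SAMPLE_LOG).items()):
        print(client, e["count"], e["relayed"], sorted(e["targets"]), e["first"])
```

A non-zero `relayed` count is the entry to act on first: it means the server answered a third-party request with a 2xx status and may really be relaying.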

The Proxy Abusers

• Initially Adult Oriented

• Hotel/Travel material

• Avoid local censorship/blocking
  – Education site seems inoffensive

• ISP load sharing

• Researchers cache timing experiments

Counter Fraud

• Manipulate Click Counters

• Improving Ranking

• Polls, Talent Contest, TV Votes

• Make minority interests appear normal

Pay-per-Click

• Web pages full of adverts

• Adverts Clicked Mechanically

• Advert Revenue Collected

• Organised Crime
  – Clicking Clubs
  – Software Promoted & Available

The Advertisers

• Unaware of Fraud

• No expertise to control

• Disbelieving

• Minority aware and capable

• Many Bankrupted

• E-commerce growth harmed

What is a Proxy?

• Application Gateway

• Carry Traffic for third parties
  – http proxy
  – Socks Proxy
  – NAT
  – Firewalls
  – SMTP
  – AnalogX, WinGate, Squid

Proxy Trends

• Make the Unacceptable Acceptable
  – Counter Manipulation

• DSL connected proxies

• World Growth in Broadband
  – Political Prominence
  – Technical Naivety
  – Commercial Imperatives

Proxy Implantation

• Worm delivers viral Proxy
  – Sobig

• Web server Implantation
  – Pornographic distribution

• Problem for Forensics
  – Criminals can claim virus caused it
  – Forensic Examination needs more rigour
  – ISP hindering public protection

SuperZonda

• Latest proxy use

• Done by DNS control with open proxy

• Method: www.doubtful-domain.zz
  – Web browser fetches page
  – DNS lookup => open proxy
  – Open proxy fetches page
  – DNS lookup return true IP
  – Can be layered

Why?

• Obscures True Page Location

• Makes Organisation Appear Large

• Improves apparent responsiveness
  – Millions of effective web servers

• Enhances reputation of advertiser

• Diverts Complaints

Why Worry?

• Paedophile Material

• Appear to be hosted at schools

• Fulfils their fantasy

• Combined with AnalogX at Korean Schools

• Damaged Reputation

• Needs Local Action – Lobby Admins & Politicians

Further Hiding

• Bogons
  – Traffic from non-existent IP blocks
  – Identified by CIDR-report.org

• Zombies
  – Dormant IP block taken over by fraud
  – Documentation is forged

• Hides origins of Proxy Abusers

• Traceroute fooling

Regional Perspectives

• Korean Schools

• Japan
  – formerly free of proxies
  – Now broadband expansion

• Many proxies – worrying

• Malaysia, broadband proxies

• Thailand – educational proxies

• China – registration data & Language

Dirty Money

• Overseas Currency
  – Powerful draw
  – Naivety regarding issues
  – Causes Internet Routing Sanctions

Solving The Problem

• Too many proposals
  – Too narrow a perspective
  – Vested Interests – hope to profit
  – Vendors only looking at their part

• Need holistic approach to abuse
  – Across applications
  – All Layers of protocol

Layered Defence

• Protection at all Levels of Network Model

• Action by end users at application layer
  – Not fully protected
  – Need action at lower layers

Physical/Datalink

• Secure Physical Access
  – Plug in cables
  – Wireless range

• Control Access by medium

• Control Access by Authorization
  – No free rides
  – Particularly important in wireless

Network (IP) Layer

• Some IP not routed
  – RFC1918
  – Bogons
  – Zombies
  – Own policy based restrictions

• Manage this database

Transport (TCP/UDP) Layer

• Only route to provided services
  – Restrict port 25 through mailhubs
  – Restrict port 80 to web servers
  – No incoming port 23

• Restrict dialups (in and out)

• Local Policy based restrictions
  – Manage this database

• Protects from worm propagation
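The Network (IP) and Transport layer rules above, combined into one inbound check as an added example (not code from the presentation). Only the RFC1918 ranges are real; the bogon and zombie blocks, the site addresses in 192.0.2.0/24 and the function names are constructed assumptions standing in for a managed database.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Network layer: source blocks that are never routed in from outside.
# Only the RFC1918 ranges are real; the bogon, zombie and policy entries are
# constructed stand-ins for a managed, regularly updated database.
NETWORK_DENY = [
    ("rfc1918", nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
    ("bogon",   nets("203.0.113.0/24")),   # stand-in for an unallocated block
    ("zombie",  nets("198.18.0.0/15")),    # stand-in for a hijacked dormant block
    ("policy",  nets()),                   # the site's own restrictions
]

# Transport layer: only route to provided services (hypothetical site hosts).
SERVICES = {
    25: {ipaddress.ip_address("192.0.2.25")},   # SMTP only through the mailhub
    80: {ipaddress.ip_address("192.0.2.80")},   # HTTP only to the web server
    # no entry for port 23: no incoming telnet
}

def check_inbound(src, dst, dport):
    """Return (allowed, reason) for an inbound TCP connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for label, blocks in NETWORK_DENY:
        if any(s in block for block in blocks):
            return False, "network:" + label
    hosts = SERVICES.get(dport)
    if hosts is None:
        return False, "transport:no-service"
    if d not in hosts:
        return False, "transport:wrong-host"
    return True, "ok"

if __name__ == "__main__":
    # Constructed attempts; 192.0.2.140 plays a desktop with an implanted proxy.
    attempts = [
        ("10.1.2.3", "192.0.2.80", 80),
        ("203.0.113.9", "192.0.2.80", 80),
        ("198.51.100.20", "192.0.2.80", 80),
        ("198.51.100.20", "192.0.2.140", 80),
        ("198.51.100.20", "192.0.2.25", 23),
    ]
    for attempt in attempts:
        print(attempt, check_inbound(*attempt))
```

The `transport:wrong-host` result is the case that matters for proxy abuse: a proxy implanted on a desktop is unreachable from outside because port 80 is routed only to the designated web server.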

Application Level

• Enforce Protocols/Handshaking

• Filter for application targeting
  – Web pages (e.g. browser attacks)
  – Email (e.g. browser attacks)
  – Viral content

• Checksumming (DCC)

• Content Filters (Bayesian)

• Local & User filters

The Layers

Application: User Filter; Bayesian; DCC; Format; Handshake; RFC-Ignorant

Transport: Service Policy; RFC-ignorant

Network: Policy; Zombie; Bogons; RFC1918

Datalink: Authorised

Physical: Connection - Medium

Managing Layered Prevention

• Not a Single Point Solution
  – Distributed Responsibility
  – Network Managers
  – Customer Service
  – Clients

• No unmanaged Broadband

• Managed Software Install
  – Child Protection enabled

Role of the Regulator

• Legislators are confused

• Abuse is immune to Legislation

• Regulators need to enforce best practice
  – Managed Broadband
  – Track Best Practice

• Regulate Registrars
  – More resources, better data

Conclusions

• National Interest to Regulate Registrar
  – Provide Resources
  – Operate as Internet Licensees
  – Identity Proved

• Internet Product Safety Regulation

• Regulate Network Best Practice
  – To protect the consumer
