Detecting the Use of Anonymous Proxies - Kevin Curran

Anonymous proxies (AP) which act as intermediate relays which disguise the source IP addresses can play a large role in cybercrime.
DOI: 10.4018/IJDCF.2018040105
International Journal of Digital Crime and ForensicsVolume 10 • Issue 2 • April-June 2018
PHPProxy is one of the most commonly used Anonymous Proxy Servers. The code is written in PHP and can be obtained from SourceForge^1. It can run on Windows, BSD (Berkeley Software Distribution), Solaris and Linux platforms, therefore making it possible to run on the majority of platforms. When taking a closer look at the statistics of the amount of times the code has been downloaded, we will see that over the past year there has been a gradual decrease, with the most downloads being 573 in one month and the lowest being 243; these statistics can be found on the SourceForge website^2. A sample of a proxy website that uses PHPProxy can be found at http://wb-proxy.com/. This website simply allows the user to enter the URL destination that they would like; once entered it will re-direct the user to their website; this can be seen in Figure 1.
CGIProxy was created by James Marshall back in 1998 and can be downloaded from his website^4. A notable difference between PHPProxy and CGIProxy is that the CGIProxy does not obfuscate the URL unless it is programmed to do so. This means that the programmer who is setting up the CGIProxy will have to customise the code so that it obfuscates the URL. It can be used as a HTTPS, HTTP or FTP Proxy. There are three main ways to encode the URL; these are: Base64, ROT-13 and Hex. PHPProxy solely uses Base64. A sample of a CGIProxy website that encodes the URL is https://scusiblog.org/proxy/nph-proxy.cgi. When www.twitter.com is entered into the website, the outcome is as follows:
2.1. Onion Routing and Tor

Onion Routing sends data through a network of nodes/servers; each node encrypts the data once it receives it, and the data goes through a series of different nodes until it reaches the exit node (Lee, 2013). When the exit node is reached the data is then decrypted. The ‘Onion’ part refers to the various layers of encryption that take place when moving through the different nodes. As each of the nodes encrypts your data, this makes the data virtually impossible to trace (Chaabane et al., 2010). Onion routing also uses several different ports on your computer to access the Internet; this makes it more difficult for network administrators to monitor traffic, as it will not only be going through the normal port for internet browsing, which is port 80 (Reed et al., 1998). The Tor Browser was originally called TOR, which stood for The Onion Router (Li et al., 2011). The Tor browser is exactly like any other web browser; however, the main difference between it and Chrome/Safari/Opera is that the user can surf anonymously. The Tor browser was first released in 2002. It was originally developed with the U.S. Navy in mind, for the purpose of protecting government communications. Originally this was its main use; however, in more recent times the popularity of the Tor Browser has steadily grown, with more people growing concerned about their online privacy, one of the main reasons behind this being the NSA surveillance revelations by Edward Snowden (Dredge, 2013).
The Tor Browser bundle is simple to set up and can be downloaded directly from the Tor website^8. Once the bundle has been installed the user is presented with the Vidalia Control Panel, from where they can connect to the Tor Network. While browsing with the Tor Browser, users can access thousands of websites that they cannot view on a normal web browser. A typical URL on the Tor Browser looks like this: http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. If the URL is entered into Chrome, it will bring up no results. Most of the websites on the Tor Browser use ‘.onion’. The high level of security provided by the Tor Browser may suit some organisations who want to send data through a secure network; however, blocked websites can also be accessed through the browser, therefore a way of determining whether someone is using the browser is a must.
2.3. IP Blocking

IP blocking is one of the most common and basic methods of blocking, filtering or censoring IP addresses that may potentially have a bad effect on the network/server (Thomas et al., 2011). When using this method of security, a network administrator can block a single IP or many different IP addresses from accessing the network, or certain parts of the network, depending on the level of security needed. Whenever the administrator has a list of blocked IPs in the network identified, anyone on the network who tries to access any of the IP addresses will be blocked from doing so (Murdoch & Anderson, 2008). Network administrators can also block IPs from accessing their network; this means that any IP not in the network that is blocked will not be able to access their network. This is very useful if the network administrators have identified an IP that is trying to cause problems within the network. Companies such as Yahoo and Joomla have detailed measures in place for IP blocking; for instance, Yahoo has a service for users who have a store set up with them in their Merchant Solutions section^10. Within this there are admin tools that are very useful; one of them is a section where you can enter IP addresses that you would like blocked. Firstly, you have to find the details of the IP you want to block using the DNS lookup, again provided by Yahoo. This will provide the IP address needed in order for you to block it. Yahoo allows up to 25 IP addresses to be added to the block list at once; however, it does have its restrictions, one of them being the fact that you can only block 150 IPs in total. Joomla is another company that provides solutions for IP blocking to its customers. Joomla is a content management system (CMS); they allow users of their product to build websites and other applications online^11. They also have extensions that can be added onto the websites that are created; some of these include: content restriction, email authentication, content protection and IP blocking. In the IP blocking section, they have different types of extensions that can be added to the website; these are: Country/IP Block, Jban, GeoBlocker, CF Block Country, UmBan, TorIpBlock and JuBlockIP^12. These extensions can be very useful when combined; for instance, if you did not want a certain country accessing your network, CD Block Country should be used; this extension will filter out any IPs from the country you want blocked and will not allow access to them. IP Blocking is a simple method of stopping a user from accessing a network, as it will make sure that the IP that is listed to be blocked is indeed blocked; however, this form of security is easily bypassed with the use of a proxy.
2.4. Access Control Lists

An Access Control List (ACL) is used by network administrators as a way of allowing different ports on users’ local machines to be accessed or opened. The ports that are included in the ACL are called access control entries (ACE) (Microsoft, 2013). Whenever a user’s port is included in the ACL, they are allowed to access the network; however, any application used by the user will also have to be included in the ACL, as the security in the ACL is very rigid. When a port that is not included in the ACL tries to access the network, it will be blocked straight away. Although this shows that the ACL is actually working properly, a valid user who is using a port that is not on the list will find themselves unable to access the network; they will have to contact the administrator to add them to the list. This may take some time, depending on whether the network administrator is on site or if it is part of a major multi-national company. An example of a company that focuses on providing an ACL service to companies is Cisco. Within their ACLs, they have different criteria that have to be met when setting up the lists (Cisco, 2006). A network administrator can set up many different ACLs for different departments within the one company; for example, if a company has 2 departments (Research & Development, and Government), a network administrator can specify if a port can access both of
2.5. Geolocation Security

Location Based Services (LBS) such as Parcel Tracking, Indoor Positioning, GPS Navigation and accessing networks have become a vital occurrence in some people’s lives. Most if not all new smartphones come with GPS abilities built in. People often track their parcels to have an idea of when they might arrive or to find out what is causing a delay in their delivery. Indoor Positioning systems such as SeniorLab^13, PoleStar^14 and IndoorAtlas^15 have all become very popular products over the past two years, as the indoor positioning market has seen a sharp rise, with more shopping centres, museums and airports using this new technology. Another useful service in the Location Based Services section is Geolocation Security. Within Geolocation Security companies can monitor who accesses their networks and sometimes block certain users from accessing the networks based solely on their location. If a company was being attacked by a hacker, the network administrator can look at the IP address of the hacker, find out what country the IP is located in and block the IP addresses associated with that country for a brief period of time until the attacks stop (Kibirkstis, 2009). One of the main companies that supplies software in the field of geolocation security for online applications is Neustar, formerly known as Quova. One of their main products is IP Intelligence. This product provides the company using it with data on their customers, where they are and what they are using to connect to the web. Having access to this information makes it easier for companies to block transactions that they deem suspicious. Gmail also uses Geolocation Security: Gmail will monitor the user’s main IP address logins and will then contact the user if a suspicious IP address has tried to access the account, and this gives the user a chance to change their password before the hacker can access their email^16.
The first step in the design of the IDS was to examine the network packets and have a good understanding of the data provided in each of the packets. Being able to determine the relevant information in the packets would greatly reduce the time spent when finding common sequences within the proxy packets. Therefore, Wireshark would initially be used to monitor the network traffic, with the results from the monitoring displayed in a text file; this text file will be key to determining how to detect an anonymous proxy. As the main program being used to ‘sniff’ the network packets was Wireshark, the initial idea was that it could be used in conjunction with the proxy detection script. This however meant that the program would not be standalone, which would not have been ideal. As the IDS’s main purpose is to work on different platforms as a standalone program, a program written in Python was used. This program examined all the packets coming into and leaving the network. From this it could be altered to print all the packets to a log file, so they could be examined, or run in the background scanning each of the packets as they entered/exited.
4.4. Tor Browser Detection

The code for the Tor Browser was the last to be implemented. The detection characteristics compared to the other three proxies are completely different. This is mainly due to the randomness of the network packets when the Tor Browser is being used. The Tor Browser uses many different ports when sending and receiving packets; the different ports are: 9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150, 9151. It also uses port 80, which is used for all normal web browsing that doesn’t use SSL, and also port 443, which is used for secure browsing. The main two ports the Tor Browser uses are ports 80 and 443; these two ports however cannot be used to identify the onion routing application, as all normal web browsing would also be flagged up as using the browser, therefore the other ports listed have to be used to identify it. This unfortunately means the Tor Browser could be used for many minutes before it is flagged up on the screen. When examining the packet there were a few interesting bits of data that could be seen. Firstly, the port that was used was port 80; this generally means the data that is in the network packet can be viewed, however the data in the packet in this instance is encrypted and therefore no details can be taken from it. The second thing noticed in the packet was the Source Address, which was 131.188.40.188. When searching for the IP it was found within a list of known Tor nodes; this verified that it was indeed a packet from the Tor Browser. The source address is useful to verify that it is the Tor browser; however, due to the large amount of IP addresses in the Tor network it is not possible to add them to the characteristics. This leaves the ports listed above as the only way to identify them; due to this the accuracy of the data may not always be 100% correct. One of the main differences in the code is the use of the operator ‘or’ instead of ‘and’; this is because the system doesn’t have to match 3 or 4 different characteristics, it only has to match one of them to flag it up on the console. Another port that the Tor Browser uses is port 9100; this port however is used often by wireless printers and using this port would create a lot of false positive results. It was decided that, due to the large amount of false positive results, leaving that port out of the detection string would be the best action to take.
5. TESTING
This section will document the thorough testing that was performed on the system to ensure the system is performing the tasks that were detailed in the previous sections and that it is performing them to a high standard. It is important that any errors or unexpected crashes are found and fixed before the end product is finalized.
5.1. Normal Browsing Test

Before any of the proxies and onion routing applications could be tested, the IDS was tested while the user was browsing the internet normally without the use of a proxy. The web browser used for all the tests apart from the Tor Browser was Google Chrome. Only one tab was open at any one time, with all other internet related activities such as Skype, Dropbox and Google Drive closed so the tests would be precise.
Once again, the results from the IDS proved to be successful, with 100% of the tests being detected by the system. This proved that the 3 characteristics, ‘GET’, ‘HTTP’ and ‘.php?q=aHR0c’, were being picked up in every network packet that was being created by the PHPProxy. A second PHPProxy was tested to verify the results; the proxy can be found at: ‘http://proxy-up.net/’. Again, the results returned 100% accuracy.
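An added example (not code from the paper's IDS) that turns the characteristics described in Section 4.4 and in the PHPProxy test above into detection logic: all three PHPProxy strings must appear (‘and’), while any one of the listed Tor ports is enough (‘or’), with 80/443 and 9100 left out for the reasons the text gives. It also shows why ‘aHR0c’ is a stable marker: any URL that begins with ‘http’ Base64-encodes to that prefix. The Packet record and the sample packets are constructed for this example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Constructed packet record holding only the fields the detection needs.
@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes  # empty when the traffic is encrypted (Tor, SSL)

# PHPProxy characteristics from the paper: every one must be present.
PHPPROXY_MARKERS = (b"GET", b"HTTP", b".php?q=aHR0c")

# Tor ports from Section 4.4. Ports 80/443 are excluded because all normal
# browsing uses them; 9100 is excluded because wireless printers use it.
TOR_PORTS = {9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150, 9151}

def phpproxy_prefix(url: str) -> str:
    """Base64 works on 3-byte groups, so the fixed leading bytes 'http'
    always produce 'aHR0c...' regardless of what follows them."""
    return base64.b64encode(url.encode())[:5].decode()

def classify(pkt: Packet) -> Optional[str]:
    """Return the console message the IDS would print, or None."""
    # PHPProxy: the 'and' case, all markers must match in the payload.
    if all(m in pkt.payload for m in PHPPROXY_MARKERS):
        return "PHPProxy usage detected"
    # Tor: the 'or' case, a single listed port on either side suffices,
    # since the encrypted payload gives nothing else to match.
    if pkt.src_port in TOR_PORTS or pkt.dst_port in TOR_PORTS:
        return "Onion Routing usage detected"
    return None

def scan(packets: List[Packet]) -> List[str]:
    """Run the classifier over a capture and keep only the hits."""
    return [r for r in (classify(p) for p in packets) if r]

# Constructed sample capture: one PHPProxy request for http://www.twitter.com
# (the q= value is its Base64 form), one Tor packet, a printer, plain HTTPS.
SAMPLE = [
    Packet(51234, 80, b"GET /index.php?q=aHR0cDovL3d3dy50d2l0dGVyLmNvbQ== HTTP/1.1\r\n"
                      b"Host: wb-proxy.example\r\n"),
    Packet(51235, 9001, b""),  # encrypted; identified by port only
    Packet(51236, 9100, b""),  # printer port, deliberately not flagged
    Packet(51237, 443, b""),   # ordinary secure browsing, no characteristic
]

if __name__ == "__main__":
    for message in scan(SAMPLE):
        print(message)
```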
Table 5. Glype Proxy Test
Test Result
1 Glype Proxy usage detected
2 Glype Proxy usage detected
3 Glype Proxy usage detected
4 Glype Proxy usage detected
5 Glype Proxy usage detected
6 Glype Proxy usage detected
7 Glype Proxy usage detected
8 Glype Proxy usage detected
9 Glype Proxy usage detected
10 Glype Proxy usage detected
11 Glype Proxy usage detected
12 Glype Proxy usage detected
5.5. Tor Browser Test

The final proxy/onion routing application to be tested was the Tor Browser. Up until now the results from each of the previous tests have been straightforward, with the results returned as expected. This however was not the case for the Tor Browser, as the characteristics for it did not include two ports, through which most of the traffic flowed. The results from the Tor Browser testing can be seen in
Table 7. CGI Proxy using SSL
Test Result
1 No Proxy detected
2 No Proxy detected
3 No Proxy detected
4 No Proxy detected
5 No Proxy detected
6 No Proxy detected
7 No Proxy detected
8 No Proxy detected
9 No Proxy detected
10 No Proxy detected
11 No Proxy detected
12 No Proxy detected

Table 8. Unsecure CGI proxy test
Test Result
1 CGI Proxy usage detected
2 CGI Proxy usage detected
3 CGI Proxy usage detected
4 CGI Proxy usage detected
5 CGI Proxy usage detected
6 CGI Proxy usage detected
7 CGI Proxy usage detected
8 CGI Proxy usage detected
9 CGI Proxy usage detected
10 CGI Proxy usage detected
11 CGI Proxy usage detected
12 CGI Proxy usage detected
Table 9. With the twelve tests completed, eight of them passed, with ‘Onion Routing usage detected’ being printed to the console. Four of them resulted in nothing being printed to the console, therefore the IDS did not detect the use of the Tor Browser.
did achieve 100% accuracy when detecting the Glype, PHPProxy and the unsecure CGI proxy. Also in testing it had 66.67% accuracy in finding the Tor browser. The system’s effectiveness can be debatable; it all depends on the type of proxy being used. The system does not detect 100% of proxies; it does however detect 100% of 3 different proxies and 66% of the Tor Browser, and therefore it can be quite effective when detecting those. However, it is not effective when it is detecting SSL proxies.
REFERENCES
Chaabane, A., Pere Manils, P., & Kaafar, M. (2010). Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network. In Proceedings of the 4th International Conference on Network and System Security (Vol. 1, p. 167). doi:10.1109/NSS.2010.47
Cisco. (2006). Cisco IOS Security Configuration Guide, Release 12.2, Access Control Lists: Overview and Guidelines. Retrieved from http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html
Dingledine, R., Mathewson, N., & Syverson, P. (2004). Tor: the second-generation onion router. In Proceedings of the 13th conference on USENIX Security Symposium.
Dredge, S. (2013, November). What is Tor? A beginner’s guide to the privacy tool. The Guardian. Retrieved from http://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
Goralski, W. (2008). The Illustrated Network: How TCP/IP Works in a Modern Network. San Francisco, CA, USA: Morgan Kaufmann Publishers Inc.
International Telecommunication Union. (2013). The World in 2013: ICT Facts and Figures. Retrieved from http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2013.pdf
Kibirkstis, A. (2009). Intrusion Detection FAQ: What is Geolocation and How Does it Apply to Network Detection. Retrieved from http://www.sans.org/security-resources/idfaq/geolocation-network-detection.php
Lee, K., Jiang, Z., Kim, S., Kim, S., & Kim, S. (2005). Access Control List Mediation System for Large-Scale Network. In Proceedings of the 6th Int. Conf. on Parallel and Distributed Computing (pp. 483-487).
Li, B., Erdin, E., Gunes, M., Bebis, G., & Shipley, T. (2011). An Analysis of Anonymity Usage. In Proceedings of the Traffic Monitoring and Analysis: Third International Workshop, TMA 2011, Vienna, Austria (pp. 113-116). Springer.
Lyon, D. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. USA: Insecure.
Mallia, D. (2013). When was the Internet Invented. History News Network. Retrieved from http://hnn.us/article/142824
Microsoft. (2013). Parts of the Access Control Model. Access Control Lists. Retrieved from http://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx
Murdoch, S., & Anderson, R. (2008). Tools and Technology of Internet Filtering. Access Denied: The Practice and Policy of Global Internet Filtering, 1(1), 58.
Raynal, F., Ahmad, M., Shaikhli, I., & Ahmad, H. (2012). Protection of the Texts Using Base64 and MD5. Journal of Advanced Computer Science and Technology Research, 2(1), 22–34.
Reed, M. G., Syverson, P. F., & Goldschlag, D. M. (1998). Anonymous connections and onion routing. IEEE Journal on Selected Areas in Communications, 16(4), 482–494. doi:10.1109/49.668972
SASI. (2006). Internet Use 1990, Poster of Internet usage. Available at: http://www.worldmapper.org/posters/worldmapper_map335_ver5.pdf
Stanger, J., Krishnamurthy, M., Seagren, E., Alder, R., Bayles, A., Burke, J., & Faskha, E. et al. (2007). How to Cheat at Securing Linux. Introducing Intrusion Detection and Snort. USA: Syngress.
Thomas, K., Grier, C., Ma, J., Paxson, V., & Song, D. (2011). Monarch: Providing real-time URL spam filtering as a service. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA (pp. 447-462).

Jonathan McKeague is a graduate in Computer Science from Ulster University.

Kevin Curran is a Reader in Computer Science and group leader for the Ambient Intelligence Research Group. Dr Curran has made significant contributions to advancing the knowledge of computer networking evidenced by over 800 published works. He is a regular contributor to BBC radio & TV news in the UK and quoted in trade and consumer IT magazines on a regular basis. He is an IEEE Technical Expert for Security and a member of the EPSRC Peer Review College.