DOI: 10.4018/IJDCF.2018040105
International Journal of Digital Crime and ForensicsVolume 10 • Issue 2 • April-June 2018
Copyright © 2018, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
74
Detecting the Use of Anonymous Proxies
Jonathan McKeague, Ulster University, Londonderry, United Kingdom
Kevin Curran, Faculty of Computing and Engineering, Ulster University, Londonderry, United Kingdom
ABSTRACT
The Internet is built atop the Internet Protocol (IP), which has at its heart a unique identifier known as an IP address. Knowing the location of an IP address can be very useful in many situations, such as for banks to know if a connection is in progress from online fraud hotspots. IP addresses can be spoofed, allowing hackers to bypass geographical IP restrictions and thus render some categories of fraud prevention useless. Anonymous proxies (AP), which act as intermediate relays that disguise the source IP addresses, can play a large role in cybercrime. There is a need to ascertain whether an incoming IP connection is an original source-matched IP address, or one being routed through an anonymising proxy. This article concentrates on various methods used by anonymising proxies, the characteristics of the anonymous proxies and the potential mechanisms available to detect if a proxy is in use.
KEYWORDS
Anonymous Proxies, Network Security, Security, Traffic Classification
1. INTRODUCTION
Almost 3 billion people access the Internet daily (ITU, 2013). Whether Internet users are checking and sending emails, reading an online newspaper, researching, doing online shopping or online banking, the need for a secure system is a major challenge for those who develop internet security systems (Mallia, 2013). This is especially true for users that use the internet to do business or send private information, as more people are finding different ways to ‘hack’ into secure servers and exploit vulnerable data. In 2011 alone, the total amount that was stolen from businesses online amounted to $3.4 billion, which was up by $700 million from 2010 (Neustar, 2012). This figure is likely to increase, with businesses using the Internet more. It is therefore a priority for businesses to invest in methods to protect themselves against such attacks.
Internet misuse is also a major headache for employers due to the increase in popularity of websites such as Facebook, YouTube, Twitter and Google+. This has led to a decrease in the productivity of their employees, which in turn leads to less profit. Network administrators have therefore had to block many of these websites from being used in the workplace in an attempt to mitigate the problem. Initially they attempted to simply block the IP of the websites. IP addresses are registered to specific geographical locations, although they don’t give the exact area where the user is located. However, they do pinpoint the country that is accessing the network (Goralski, 2008). IP blocking worked quite well, as any time a user tried to access a website that had its IP blocked they would be denied access. This prompted users to try to find a way around the blocked IPs.
One simple method was the use of a proxy. A proxy website masks the IP of the website that you are trying to view, which bypasses the IP blocking method used to detect the blocked website. Due to an increase in online banking, banks themselves have had to increase security in their systems and networks; examining IPs is one method they utilize. If a user is making a transfer online and the IP looks fraudulent, then the account holder will be contacted before the transfer is verified. There are thousands of free PHP/CGI proxies to use online, making it a simple way to bypass this basic security feature. Even if the proxy server that was used is blocked there are thousands more to choose from, making the task of blocking them difficult (Lyon, 2009). The code for all of these proxies is open source; it can be downloaded and set up with ease, which means that anyone with a computer could theoretically create a proxy server. Another method that can be used to bypass security measures is Onion Routing (e.g. Tor Browser), which is used to anonymize a user’s traffic on the internet. This method uses a different port than what is typically used to access blocked websites. Onion Routing works by routing internet traffic through many different hosts, encrypting data at each different host (Dingledine et al, 2004).
This paper outlines a system called DetectProxy which can detect if any proxies are being used in the network by comparing the characteristics of the different proxies. This will be accomplished by analysing the packets entering the network using scripts to determine the type of proxy being used. Once the proxies have been identified, information will be sent to the network administrator. They will then be able to examine the time the proxy was in use and will have the option to block the proxy if it has been determined to be harmful or not needed on the network. Blocking the proxy will provide a more secure network for the business or institution.
2. ANONYMOUS PROXIES
This literature review will be split up into two different sections. The first section will discuss the different ways people can access networks and systems using anonymous proxies. The second section will discuss the different ways of stopping or blocking the anonymous proxies and the different tools used to aid this. Some of the main proxies or ways to access the Internet anonymously are PHPProxy, CGIProxy, Glype, Onion Routing/Tor and SSL Proxy.
PHPProxy is one of the most commonly used Anonymous Proxy Servers. The code is written in PHP and can be obtained from SourceForge. It can run on Windows, BSD (Berkeley Software Distribution), Solaris and Linux platforms, therefore making it possible to run on the majority of platforms. When taking a closer look at the statistics of the number of times the code has been downloaded, we see that over the past year there has been a gradual decrease, with the most downloads being 573 in one month and the lowest being 243; these statistics can be found on the SourceForge website. A sample of a proxy website that uses PHPProxy can be found at http://wb-proxy.com/. This website simply allows the user to enter the URL destination that they would like; once entered it will re-direct the user to their website. This can be seen in Figure 1.
The resulting URL when the user clicks ‘Browse’ is as follows:
http://wb-proxy.com/index.php?q=aHR0cHM6Ly90d2l0dGVyLmNvbS8%3D
The PHPProxy server obfuscates the URL with Base64 encoding; this means that any network administrators that use keyword analysis methods of blocking websites will not be able to block this method. Upon further inspection of the proxy URL, it can be split up into three parts. The first part is the hostname, which is http://wb-proxy.com, the second part is ‘index.php?q=’ and then the third part, the obfuscated URL, which in this case is ‘aHR0cHM6Ly90d2l0dGVyLmNvbS8%3D’. When the obfuscated URL is put in a Base64 encoder/decoder, the outcome is ‘https://twitter.com/’.
Base64 encoding is particularly important when the PHPProxy server is being used; if it was not used, the URL would be: ‘http://wb-proxy.com/index.php?q=https://twitter.com/’. This would be easily detected by a keyword analysis program and blocked.
CGIProxy was created by James Marshall back in 1998 and can be downloaded from his website. A notable difference between PHPProxy and CGIProxy is that CGIProxy does not obfuscate the URL unless it is programmed to do so. This means that the programmer who is setting up the CGIProxy will have to customise the code so that it obfuscates the URL. It can be used as a HTTPS, HTTP or FTP proxy. There are three main ways to encode the URL; these are: Base64, ROT-13 and Hex. PHPProxy solely uses Base64. A sample of a CGIProxy website that encodes the URL is https://scusiblog.org/proxy/nph-proxy.cgi. When www.twitter.com is entered into the website, the outcome is as follows:
https://scusiblog.org/proxy/nph-proxy.cgi/-0/68747470733a2f2f747769747465722e636f6d2f
From this we can see that the obfuscated URL is completely different from that of a PHPProxy-altered URL. When the URL is split down, the ‘-0/’ can be removed after the hostname, leaving ‘68747470733a2f2f747769747465722e636f6d2f’. This particular CGIProxy uses hex encoding, therefore entering the string into a hex decoder will leave you with ‘https://twitter.com/’. The two URLs that are created by PHPProxy and CGIProxy are completely different; however the result from both is exactly the same. The CGIProxy, if it had Base64 encoding, would be very similar to that of the PHPProxy.
Figure 1. PHPProxy Website

Glype is a web proxy that has been coded in PHP. Glype was first released in 2007 and since then there have been over 721,000 downloads of the code. When looking through a list of different proxies, Glype in particular stands out as being one of the most popular choices for hosting a proxy server. Glype is very similar to PHPProxy; it uses PHP as its programming language and it uses Base64 to encode the obfuscated URL. The main difference between the two is the encoded URL; the encoded URL appears different from that of a PHPProxy-encoded URL. An example of a Glype-powered anonymous proxy can be found at https://branon.co.uk/glype/desktop-free/. As before in the other proxy websites, the user can enter the website they want to view and just click ‘Go’; this will bring them straight to their destination web page. When www.twitter.com is entered into the website, the resulting URL is as follows:
https://branon.co.uk/glype/desktop-free/browse.php?u=czovL3R3aXR0ZXIuY29tLw%3D%3D&b=1
When you extract the encoded URL that contains the Base64 encoded string and compare it with the encoded URL from a PHPProxy, you can see the difference. However, upon decoding the URL the result is exactly the same. Decoding ‘L3R3aXR0ZXIuY29tLw’ with a Base64 decoder simply leaves ‘/twitter.com’; the rest of the data in the encoded URL is just extraneous data.
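The three URL shapes quoted above (PHPProxy, CGIProxy and Glype) can be told apart and decoded mechanically. The following is an added example, not code from the paper's DetectProxy system: it recognises each form by the marker the text identifies (‘.php?q=’, ‘nph-proxy.cgi/-0/’ and ‘.php?u=’) and then undoes the Base64 or hex encoding to recover the destination. The function and pattern names are this example's own. Decoding the whole Glype value rather than the substring used above yields ‘s://twitter.com/’, which agrees with the partial decode ‘/twitter.com’ and shows that this Glype instance does not include the leading ‘http’ in what it encodes.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Markers taken from the paper's three sample URLs; the names are this example's own.
PHPPROXY_MARK = re.compile(r"\.php\?q=", re.IGNORECASE)
GLYPE_MARK = re.compile(r"\.php\?u=", re.IGNORECASE)
CGIPROXY_MARK = re.compile(r"nph-proxy\.cgi/-\d+/([0-9a-fA-F]+)")


def _b64_to_text(value):
    """Base64-decode a query value, restoring any '=' padding the proxy URL may have lost.
    Returns None when the value is not valid Base64 (a keyword filter should not crash on it)."""
    value = value.strip()
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def decode_proxy_url(url):
    """Return (proxy_family, destination) for a PHPProxy, Glype or CGIProxy URL,
    or (None, None) for a URL that carries none of the three markers."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # parse_qs also undoes the %3D -> '=' escaping
    if PHPPROXY_MARK.search(url) and "q" in query:
        return "PHPProxy", _b64_to_text(query["q"][0])
    if GLYPE_MARK.search(url) and "u" in query:
        return "Glype", _b64_to_text(query["u"][0])
    match = CGIPROXY_MARK.search(parts.path)
    if match:
        try:
            return "CGIProxy", bytes.fromhex(match.group(1)).decode("utf-8", errors="replace")
        except ValueError:  # odd-length hex string
            return "CGIProxy", None
    return None, None


if __name__ == "__main__":
    # The three sample URLs quoted in the paper.
    for sample in [
        "http://wb-proxy.com/index.php?q=aHR0cHM6Ly90d2l0dGVyLmNvbS8%3D",
        "https://scusiblog.org/proxy/nph-proxy.cgi/-0/68747470733a2f2f747769747465722e636f6d2f",
        "https://branon.co.uk/glype/desktop-free/browse.php?u=czovL3R3aXR0ZXIuY29tLw%3D%3D&b=1",
    ]:
        print(decode_proxy_url(sample))
```

Because the decoded destination is recovered, a filter built on this can apply its keyword list to ‘https://twitter.com/’ rather than to the encoded string, which is exactly the evasion the paper describes for keyword-analysis blocking.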
2.1. Onion Routing and Tor
Onion Routing sends data through a network of nodes/servers; each node encrypts the data once it receives it, and the data goes through a series of different nodes until it reaches the exit node (Lee, 2013). When the exit node is reached the data is then decrypted. The ‘Onion’ part refers to the various layers of encryption that take place when moving through the different nodes. As each of the nodes encrypts your data, this makes the data virtually impossible to trace (Chaabane et al, 2010). Onion routing also uses several different ports on your computer to access the Internet; this makes it more difficult for network administrators to monitor traffic, as it will not only be going through the normal port for internet browsing, which is port 80 (Reed et al, 1998). The Tor Browser was originally called TOR, which stood for The Onion Router (Li et al, 2011). The Tor browser is exactly like any other web browser; however, the main difference between it and Chrome/Safari/Opera is that the user can surf anonymously. The Tor browser was first released in 2002. It was originally developed with the U.S. Navy in mind, for the purpose of protecting government communications. Originally this was its main use; however in more recent times the popularity of the Tor Browser has steadily grown, with more people growing concerned about their online privacy, one of the main reasons behind this being the NSA surveillance revelations by Edward Snowden (Dredge, 2013).
The Tor Browser bundle is simple to set up and can be downloaded directly from the Tor website. Once the bundle has been installed the user is presented with the Vidalia Control Panel, from where they can connect to the Tor Network. While browsing with the Tor Browser, users can access thousands of websites that they cannot view on a normal web browser. A typical URL on the Tor Browser looks like this: http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. If the URL is entered into Chrome, it will bring up no results. Most of the websites on the Tor Browser use ‘.onion’. The high level of security provided by the Tor Browser may suit some organisations who want to send data through a secure network; however blocked websites can also be accessed through the browser, therefore a way of determining whether someone is using the browser is a must.
2.2. SSL Proxy
A Secure Sockets Layer (SSL) is the standard way to get an encrypted link between a web browser and a web server. Whenever a user accesses a SSL Proxy, they will be using ‘HTTPS’. Since the proxy is using SSL it will encrypt the URL with 265-bit encryption, making it virtually impossible to detect in a network. One of the main problems associated with SSL proxies is the cost. SSL certificates are expensive and most anonymous web proxies will not pay for them, as they are trying to provide a free service. Some of the SSL proxy sites that do charge (http://www.slickyproxy.com/ is an example) can be easily blocked by a network administrator, as it will be a static URL. Even if a free proxy is blocked by a network administrator, ten new proxies will replace it. The main income that free SSL proxies such as thesslproxy.com (https://www.thesslproxy.com/) will get is from advertising. When entering www.twitter.com into the proxy website, the resulting URL is: https://www.thesslproxy.com/browse.php/CiNBfghu/8_2FLToI/7Me2cWjh/YpqKxM7W/8dVJGzXr/W1/b29/#.UoOc9vm-2m4
In comparison to the other proxies in this paper, we can see that this obfuscated URL is completely different. This is nearly impossible for a keyword analysis filter to pick up; however, due to the lack of availability of SSL proxies, many of them can be blocked, making a SSL proxy an unviable option.
2.3. IP Blocking
IP blocking is one of the most common and basic methods of blocking, filtering or censoring IP addresses that may potentially have a bad effect on the network/server (Thomas et al., 2011). When using this method of security, a network administrator can block a single IP or many different IP addresses from accessing the network, or certain parts of the network, depending on the level of security needed. Whenever the administrator has a list of blocked IPs in the network identified, anyone on the network who tries to access any of those IP addresses will be blocked from doing so (Murdoch & Anderson, 2008). Network administrators can also block IPs from accessing their network; this means that any IP outside the network that is blocked will not be able to access their network. This is very useful if the network administrators have identified an IP that is trying to cause problems within the network.

Companies such as Yahoo and Joomla have detailed measures in place for IP blocking; for instance, Yahoo has a service for users who have a store set up with them in their Merchant Solutions section. Within this there are admin tools that are very useful; one of them is a section where you can enter IP addresses that you would like blocked. Firstly, you have to find the details of the IP you want to block using the DNS lookup, again provided by Yahoo. This will provide the IP address needed in order for you to block it. Yahoo allows up to 25 IP addresses to be added to the block list at once; however it does have its restrictions, one of them being the fact that you can only block 150 IPs in total. Joomla is another company that provides solutions for IP blocking to its customers. Joomla is a content management system (CMS); they allow users of their product to build websites and other applications online. They also have extensions that can be added onto the websites that are created; some of these include: content restriction, email authentication, content protection and IP blocking. In the IP blocking section, they have different types of extensions that can be added to the website; these are: Country/IP Block, Jban, GeoBlocker, CF Block Country, UmBan, TorIpBlock and JuBlockIP. These extensions can be very useful when combined; for instance, if you did not want a certain country accessing your network, CF Block Country should be used; this extension will filter out any IPs from the country you want blocked and will not allow access to them. IP blocking is a simple method of stopping a user from accessing a network, as it will make sure that the IP that is listed to be blocked is indeed blocked; however, this form of security is easily bypassed with the use of a proxy.
2.4. Access Control Lists
An Access Control List (ACL) is used by network administrators as a way of allowing different ports on users’ local machines to be accessed or opened. The ports that are included in the ACL are called access control entries (ACE) (Microsoft, 2013). Whenever a user’s port is included in the ACL, they are allowed to access the network; however any application used by the user will also have to be included in the ACL, as the security in the ACL is very rigid. When a port that is not included in the ACL tries to access the network, it will be blocked straight away. Although this shows that the ACL is actually working properly, a valid user who is using a port that is not on the list will find themselves unable to access the network; they will have to contact the administrator to add them to the list. This may take some time, depending on whether the network administrator is on site or is part of a major multi-national company. An example of a company that focuses on providing an ACL service to companies is Cisco. Within their ACLs, they have different criteria that have to be met when setting up the lists (Cisco, 2006). A network administrator can set up many different ACLs for different departments within the one company; for example, if a company has 2 departments (Research & Development, and Government), a network administrator can specify if a port can access both of the departments or only just one of them. If the administrator does not include the port in the list, then access to the two departments will be denied. In large companies that have many different networks and subnetworks, setting up an ACL can take a lot of time (Lee et al, 2005).
2.5. Geolocation Security
Location Based Services (LBS) such as parcel tracking, indoor positioning, GPS navigation and accessing networks have become a vital occurrence in some people’s lives. Most if not all new smartphones come with GPS abilities built in. People often track their parcels to have an idea of when they might arrive or to find out what is causing a delay in their delivery. Indoor positioning systems such as SeniorLab, PoleStar and IndoorAtlas have all become very popular products over the past two years, as the indoor positioning market has seen a sharp rise, with more shopping centres, museums and airports using this new technology. Another useful service in the Location Based Services section is Geolocation Security. With Geolocation Security, companies can monitor who accesses their networks and sometimes block certain users from accessing the networks based solely on their location. If a company was being attacked by a hacker, the network administrator can look at the IP address of the hacker, find out what country the IP is located in and block the IP addresses associated with that country for a brief period of time until the attacks stop (Kibirkstis, 2009). One of the main companies that supplies software in the field of geolocation security for online applications is Neustar, formerly known as Quova. One of their main products is IP Intelligence. This product provides the company using it with data on their customers, where they are and what they are using to connect to the web. Having access to this information makes it easier for companies to block transactions that they deem suspicious. Gmail also uses Geolocation Security; Gmail will monitor the user’s main IP address logins and will then contact the user if a suspicious IP address has tried to access the account, and this gives the user a chance to change their password before the hacker can access their email.
2.6. Base64 Encoding
Base64 encoding takes a string of text data and changes it into ASCII format. One of the main reasons for changing the text data to ASCII is so that when messages are being sent through a network that generally deals with text, they can be sent through securely (Knickerbocker et al, 2009). Base64 encoding is very useful when it comes to bypassing IP blocking or blacklist filtering; for example, when you enter www.twitter.com into a Base64 encoder, you get the following output: d3d3LnR3aXR0ZXIuY29t. Many proxy websites will use this form of encoding to bypass any filters on the network.
To convert text over to Base64 format, firstly you have to change each character to its equivalent ASCII value. Once the ASCII value is obtained, it is changed into 8-bit binary format. The 8-bit binary values are concatenated and split into 6-bit binary groups; each 6-bit binary number is converted into a decimal number. The decimal number is then looked up in the Base64 index table, which is shown in Figure 2.
Table 1 shows the steps involved in converting ‘www’ to Base64 encoding. The reason why the binary number is split into 6-bit groups is so that all the Base64 values can be represented. The maximum binary value in 6-bit format is 111111, which when converted to decimal format equals 63, the biggest value in the Base64 index.
A major security risk can be PHP obfuscation; Base64 encoding can be used to do this. The code in some web-based programs can be made extremely difficult for a human to read if it is converted to Base64, therefore rogue code, or code that can be harmful, can make its way onto the machine without the user or some security software knowing (Raynal et al, 2012). However, changing the code to Base64 can sometimes be quite a tedious task, and mistakes can often occur. In HTML5, two methods have been created that allow developers to change the page’s content to and from Base64 encoding. These two methods are atob() and btoa(). These two methods are very useful when looking to change binary to Base64 and vice versa.
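The five-step procedure described above (character to ASCII value, to 8-bit binary, regrouped into 6-bit groups, to decimal, then the index table) can be written out directly. The following is an added example, not code from the paper: `base64_steps` returns the intermediate values that Table 1 tabulates for ‘www’, and `base64_encode_manual` joins the final symbols. It also goes one step beyond the paper's example by right-padding a short final 6-bit group with zero bits and appending the ‘=’ characters a standard encoder emits, so inputs whose length is not a multiple of 3 encode correctly; a cross-check against Python's `base64` module is included. Function names are this example's own.

```python
import base64

# The 64-symbol index table shown in the paper's Figure 2: values 0..63.
BASE64_INDEX = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_steps(text):
    """Return the intermediate values of the paper's procedure, one list per row of Table 1."""
    ascii_codes = [ord(ch) for ch in text]                 # step 1: character -> ASCII value
    bits8 = [format(code, "08b") for code in ascii_codes]  # step 2: ASCII value -> 8-bit binary
    stream = "".join(bits8)
    # step 3: regroup the concatenated bits into 6-bit groups; a final short group is
    # right-padded with zero bits ('www' is 24 bits, so it needs no padding)
    groups = [stream[i:i + 6].ljust(6, "0") for i in range(0, len(stream), 6)]
    decimals = [int(g, 2) for g in groups]                 # step 4: 6-bit binary -> decimal
    symbols = [BASE64_INDEX[d] for d in decimals]          # step 5: look up the index table
    return {"letters": list(text), "ascii": ascii_codes, "binary": bits8,
            "groups": groups, "decimal": decimals, "base64": symbols}


def base64_encode_manual(text):
    """Encode text exactly as the step list describes, then add '=' padding so the
    output length is a multiple of 4 (one '=' per missing input byte in the last triple)."""
    encoded = "".join(base64_steps(text)["base64"])
    return encoded + "=" * (-len(encoded) % 4)


def matches_stdlib(text):
    """Cross-check: the manual encoder must agree with Python's standard encoder."""
    return base64_encode_manual(text) == base64.b64encode(text.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    # Print the rows of Table 1 for 'www'.
    for row, values in base64_steps("www").items():
        print("%-8s %s" % (row, " ".join(str(v) for v in values)))
    print(base64_encode_manual("www.twitter.com"))
```

For ‘www’ the decimal row is 29, 55, 29, 55, which the index table maps to ‘d3d3’; ‘www.twitter.com’ gives the ‘d3d3LnR3aXR0ZXIuY29t’ quoted in the text, and ‘https://twitter.com/’ gives the ‘aHR0cHM6Ly90d2l0dGVyLmNvbS8=’ carried in the PHPProxy URL earlier.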
2.7. Snort
Snort is an open source network intrusion detection and prevention system that was created by Martin Roesch and released in 1998; the Snort program is able to run quietly in the background, providing real-time traffic analysis and packet logging within networks. Snort has many useful capabilities in terms of detecting attacks and probes; some of these include: stealth port scans, Operating System fingerprinting attempts, Server Message Block (SMB) probes, buffer overflows and Common Gateway Interface (CGI) attacks (Stanger et al, 2007). Sourcefire, a company that was founded by Roesch, currently owns and continues to develop Snort. The program has had millions of downloads and currently has nearly 400,000 registered users. Snort provides three different functions/modes; these are Sniffer Mode, Packet Logger Mode and Network Intrusion Detection System (NIDS) Mode.
Sniffer mode reads all the packets that are going through the network; it will then display all the packets that were read from the network on the console. This process runs continuously until the user turns it off. Packet logger mode, like the sniffer mode, will read all the packets going through the network; however, it will save the packets to disk instead of displaying them continuously on the console. The NIDS mode will monitor all traffic that moves through the network and will detect any intrusions that occur. This is the most complex mode of Snort (Sourcefire, 2013). The installation of the NIDS can be complicated; however, there is a step-by-step guide in order for the program to be installed correctly. Snort can be used in conjunction with other programs in order to analyse the data that is going through the network; an example of one such program is BASE (Basic Analysis and Security Engine). BASE is a web interface that analyses the intrusions that are detected by the Snort IDS (intrusion detection system); within the program users can also use the simple web-based setup program, for those that might not be comfortable editing files.

Figure 2. Base64 index

Table 1. Base64 encoding
Letter           w         w         w
ASCII            119       119       119
Binary           01110111  01110111  01110111
Divided binary   011101  110111  011101  110111
Decimal          29      55      29      55
Base64 encoded   d       3       d       3
3. CAPTURING NETWORK TRAFFIC
It is important for network administrators to monitor traffic that is entering and exiting the network. Security is very important, therefore it is vital that any proxy or onion routing applications used can be identified. If a proxy is in use, more often than not it is not being used for legitimate reasons. There can however be a valid reason for someone in the company to use a proxy, for instance if they wanted to block certain web scripts from being used, or if they needed to test an application that is being mistakenly blocked online; in the latter case the user should contact the network administrator to have the blocked application made available, so that situation should not arise.
3.1. Monitoring Network Traffic
The first step in the design of the system is to monitor the network traffic. Programs such as “Httpfox”, “Snort” or “Wireshark” can be used to monitor the traffic. This category of program can ‘sniff’ the traffic on a continuous basis, which is ideal for intrusion detection systems. Included in the data is the Destination IP, the Source IP, the Protocol and different information about each packet. All of these different programs have the ability to save the network packets into a text (.txt) file; this would make it easier for the IDS to read the packets.
The first step in the design of the IDS was to examine the network packets and have a good understanding of the data provided in each of the packets. Being able to determine the relevant information in the packets would greatly reduce the time spent finding common sequences within the proxy packets. Therefore, Wireshark would initially be used to monitor the network traffic, with the results from the monitoring displayed in a text file; this text file will be key to determining how to detect an anonymous proxy. As the main program being used to ‘sniff’ the network packets was Wireshark, the initial idea was that it could be used in conjunction with the proxy detection script. This however meant that the program would not be standalone, which would not have been ideal. As the IDS’s main purpose is to work on different platforms as a standalone program, a program written in Python was used. This program examined all the packets coming into and leaving the network. From this it could be altered to print all the packets to a log file, so they could be examined, or run in the background scanning each of the packets as they entered/exited.
3.2. Software Used
Python was used as the IDS is run on multiple platforms, since the network administrator may be using more than Windows. One of the main libraries used in the Python script is the Pcapy python library. Pcapy can be defined as follows: “Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network”. The Pcapy library will be used alongside other libraries in the script to produce the IDS. One of the other main libraries is the ‘re’ library. The ‘re’ library provides support for regular expressions, which will be used frequently within the script; these regular expressions will be used to match different keywords against words in the network packets.
The network administrator will start the program running; they can do so by running it on the command line or using a python program such as IDLE. IDLE is the python IDE; it’s a multi-platform IDE with a multi-window text editor, and it also has a python shell window where the network administrator can interact with the program. Once the program is started, a list of all the available network interfaces is presented. Each of the available network interfaces is listed with a number, so the administrator can select the interface they require. Once the interface is selected, the IDS starts scanning the network packets continuously. When the script has started a new directory is created. This directory stores all the log files that are created when the IDS is in use. Along with a directory being created, a log file is created to store any proxies found when it is running. A new log file is created each time the program is restarted; to differentiate between the logs, a date and time is supplied within the log file name.

A list of common characteristic strings that each of the different proxies has when its network packets are traversing the network is necessary. Each of the proxies or onion routing applications has its own unique characteristics which make it different from a normal web browsing network packet. Although each proxy has its own unique characteristics, this does not mean that if one of the characteristics is found then it is definitely a proxy. Each of the proxies has to match two or more of the characteristics before it is flagged up to the administrator and printed to the log file. As the program is designed to work in large networks, there could be many different proxies or onion routing applications being used at the same time. Matching the different characteristics and printing the result to the log is vital. As the program is running continuously, each packet containing the matched characteristics will be printed to the log, providing the type of proxy, the date and time each packet went through the network and all the different information contained in the packet. This information that is contained in the packet will allow the administrator to track down the computer using the proxy and disable the access or query the usage of the proxy. The time it takes from a proxy entering the network to it being logged should ideally only be a few seconds; this enables the administrator to quickly find the proxy user.
3.3. Log Files
As the system runs on a local machine the use of a database is not necessary. The IDS stores each proxy found in a text file which is similar to the output received when Wireshark is used to examine the network packets. However, the size of the text file is greatly reduced, depending on how many proxies are in use on the network. The file is designed with the user in mind and only the necessary details are printed to it. The details that are printed to the log can be viewed in Table 2.
A number of the packets may not contain all of the details that are listed in Table 2. However, they will contain the majority. The most important details contained in the network packets are the Proxy Name, the Date and Time of Proxy Usage, the Destination MAC, Source MAC, both the Source and Destination IP Addresses and the Source and Destination Port. All this information should give the network administrator enough details to track down the proxy usage. Due to the large amount of network packets, if there is prolonged proxy usage without the network administrator addressing the situation then the log file could become very large and may take a while to open; therefore it is a good idea to monitor the program, and restart it if the file is getting too big. Restarting the program will simply create a new log file with a new timestamp.
3.4. WAMP Server
As the proxies had to be hosted on a web server, a server had to be sourced. WAMP v2.4 was the version used. It contains Apache 2.4.4, MySQL 5.6.12 and PHP 5.4.12. One of the main sections of WAMP is the www directory, and this directory is where each of the different proxies is stored. Different versions of Apache and PHP can be downloaded and installed by selecting the Apache folder/PHP folder then selecting the version. Selecting a different version can be necessary for older versions of the proxy that may not be able to use the newest version of PHP. To make sure the WAMP server is working correctly, open a web browser and in the address bar type in http://localhost; if the WAMP server home page appears, the WAMP server is working correctly. When the WAMP server is functioning correctly, the proxies can be downloaded and placed in the server; the Tor Browser can also be downloaded, however it does not need to be placed within the server. The Tor browser can be downloaded directly from the torproject website. The download contains a Vidalia Control Panel and the Tor web browser itself. Each of the three web scripts was downloaded next: PHPProxy, Glype and CGIProxy. All of the proxies were available to download as a ZIP file, which can be extracted into the www directory on the WAMP server. The files however have to be edited before they can be used properly on the server. Perl has to be downloaded before the CGIProxy can be used; CGI functionality also has to be enabled. PHP functionality has to be enabled before the PHPProxy and Glype web scripts can be used. Whenever these steps are performed each of the web scripts can be used to browse the internet anonymously. Free proxies can also be found online that enable you to test the system and also to compare the network packets; there are many lists that contain these proxies, and a sample of such a list can be found at http://list.glype.com/.
4. PROXY DETECTION
When the proxies are running, the network packets have to be captured; to do this Wireshark had to be downloaded and installed. Python was used to sniff for network packets. The code initially printed all the packets out to the command line or to IDLE; as the code was open source it could be edited, which made using the code very convenient. It was decided to continue to use the Python network analysis code as an integral part of the IDS. The first step was to get it to print the packets to a log file. This was done by creating a directory to store the log files in. Once the directory was created it would be checked each time the program is run, just to make sure it exists; if it doesn’t, it will be created. The log file is the next item that is created each time the program is started; this however is different from the directory as it is not always static: the log file created will have the date and the time that it was created in its unique name. After the log file code was finished, selecting the network interface that needed to be scanned had to be coded. The original code had the function to search for the network devices; however selecting the devices when they were printed was time consuming.
Table 2. Network Packet Details
- Proxy Name
- Date and Time of Proxy Usage
- Destination MAC
- Source MAC
- Protocol
- Version
- IP Header Length
- Time to Live (TTL)
- Source IP Address
- Destination IP Address
- Source Port
- Destination Port
- Sequence Number
- Acknowledgment
- TCP Header Length
- Data
- Host
- User Agent
- Accept (html, xml, etc.)
- Accept-Language
- Accept-Encoding
- Referrer
- Cookie
- Connection Type
4.1. Glype Proxy Detection
For each of the different proxies there were four different logs created to compare each of the packets, to find similarities within them that could be used to prove that they are in fact a proxy. If any of the similarities are also contained in normal web browsing packets then it may throw off the results; therefore getting the similarities to be unique is a must. In comparison to a normal web browsing network packet, there are a few common occurrences, one being the destination port, which is port number 80. This is the port that is used for most of the network packets; if the packets that are going through the network are secure, then they would be going through port 443. Each of the packets viewed when the Glype proxy was being run contained the command “GET”, and the protocol used was “HTTP”; the command and the protocol were contained within the data in the packet. Another difference noticed in the packet was the use of “browse.php?u=”; in particular ‘.php?u=’ was identified, mainly because the ‘browse’ can be called anything, as that is just the index page, and therefore may differ between the different proxy servers. Once the three characteristics had been identified they could be used to detect the Glype proxy. The first action that had to be taken was to add the three different characteristics to a list. To be able to search the proxies entering the system, after some research it was decided it would be best to use Regex. To get started with regex, ‘import re’ was added to the globals in the IDS code. Then the regex strings were created; these strings were specifically created so they would ignore case sensitivity and also whitespace.
After the regex list was completed it could be used to match against the network packets. The regex will go through each different characteristic and try to match it against the packet; this can be seen from the line 'glype[0] = re.match(glypeStrings[0], str(packet1))', where the string '.php\?u=' will be matched against packet1. The code will then go through an IF statement: if all three characteristics are found within the packet then it will set the result equal to 1, and it will also print 'GLYPE', followed by the time the proxy was found and then the packet that the proxy was found in, to the log. The result is passed through the loop; if it equals 1, then "Glype usage detected" would be printed to the console.
4.2. PHPProxy Detection
The detection method of PHPProxy is very similar to the detection of Glype. The protocol used in the packet is 'HTTP' and the command is 'GET'; the only difference from the 3 characteristics of Glype is the third characteristic. In the packet, 'index.php?q=aHR0c' is the common occurrence in the different log files ('aHR0c' is the start of the Base64 encoding of 'http', the beginning of the target URL). Again, the 'index' part of the string can be dropped as it can vary between the different proxy servers; this leaves the detection string as '.php?q=aHR0c'. The only difference between the PHPProxy code and the Glype code is the detection string in the regex. The result if a proxy is detected will be '2', which would result in "PHPProxy Usage Detected" being printed to the console.
4.3. CGI Proxy Detection
The CGI Proxy differs from the previous two proxy servers. The previous two proxies use port 80 when transferring packets, while the CGI script uses a secure server and goes through port 443. The data received in the network packet is encrypted as it goes through a secure server using the Secure Socket Layer (SSL) protocol; this makes it extremely difficult to find the characteristics needed to determine if it is in fact a CGI proxy which is being used. Decrypting the data without the encryption key would take many years; this unfortunately means it is impossible to provide the criteria necessary to detect the CGI proxy. The only visible data that can be used from the network packets is the protocol and the port number, which is used by a number of different websites that use 'https', including Gmail, Facebook and all banking websites.
When testing different CGI proxies that are available online it was noted that they all use SSL. 100% of the CGI proxies viewed online charged a subscription fee, which could cost up to €120 a year or, if paid on a monthly basis, €20 per month; due to this fee, they are not as common as Glype or PHPProxy, both of which offer their services for free. This, however, only applies to the proxies using SSL; the CGI proxy can also be used without SSL, though it is highly recommended on the CGI web page29 that it should be used on a secure server. Since the CGI script can be implemented on an unsecure server, the packets would then be readable. The CGI proxies' main difference from the previous two proxies is the use of .cgi instead of .php. The proxy protocol is 'HTTP' and the command used is 'GET'; it also uses port 80. Therefore the 4 characteristics used to determine the usage of an unsecure CGI proxy script are: HTTP, GET, .cgi and DestPort: 80. The format of the code is similar to the other two proxies, the only difference being the extra matching string. If each of the characteristics is matched in the network packet, the result will be printed to the log first and then to the console.
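The log file handling described at the start of this section and the Glype, PHPProxy and unsecure CGI checks of 4.1 to 4.3, as one added Python example rather than the paper's own IDS code: it creates the timestamped log file, keeps one list of regex strings per proxy type, and classifies packet payloads with the same rule that every characteristic must match. The detection strings are the ones the paper gives; the log directory name, the sample payloads, the rule order and the use of re.search in place of re.match are assumptions made here.

```python
import os
import re
from datetime import datetime

# Detection strings taken from the paper: the GET command, the HTTP protocol marker
# and one URL fragment per proxy type. The flags reproduce the choice to ignore case
# and whitespace when the regex strings were written.
REGEX_FLAGS = re.IGNORECASE | re.VERBOSE
PROXY_RULES = [
    # (result code, console label, regex strings, required destination port or None)
    (1, "Glype", [r"GET", r"HTTP", r"\.php\?u="], None),
    (2, "PHPProxy", [r"GET", r"HTTP", r"\.php\?q=aHR0c"], None),
    (3, "CGI Proxy", [r"GET", r"HTTP", r"\.cgi"], 80),  # fourth characteristic: DestPort 80
]
COMPILED_RULES = [(code, label, [re.compile(s, REGEX_FLAGS) for s in strings], port)
                  for code, label, strings, port in PROXY_RULES]

LOG_DIR = "proxy_logs"  # assumed directory name; the paper does not give one


def ensure_log_dir(path=LOG_DIR):
    """Create the log directory on first run; later runs just confirm it exists."""
    os.makedirs(path, exist_ok=True)
    return path


def new_log_path(now=None, log_dir=LOG_DIR):
    """One log file per program start, named with the date and time of creation."""
    stamp = (now or datetime.now()).strftime("%Y-%m-%d_%H-%M-%S")
    return os.path.join(log_dir, f"ids_{stamp}.log")


def classify_packet(payload, dst_port):
    """Return (code, label) of the first rule whose characteristics ALL match, else (0, None).
    re.search is used rather than re.match so a fragment may sit anywhere in the payload."""
    for code, label, regexes, port in COMPILED_RULES:
        if port is not None and dst_port != port:
            continue
        if all(r.search(payload) for r in regexes):
            return code, label
    return 0, None


# Constructed packet payloads (not captured traffic): description, destination port, data.
# Script names and hosts are made up for the example.
SAMPLE_PACKETS = [
    ("glype", 80, "GET /browse.php?u=aHR0cDovL2V4YW1wbGUuY29tLw%3D%3D&b=4 HTTP/1.1\r\nHost: proxy.example\r\n"),
    ("phpproxy", 80, "GET /index.php?q=aHR0cDovL2V4YW1wbGUuY29t&hl=2ed HTTP/1.1\r\nHost: proxy.example\r\n"),
    ("cgi", 80, "GET /nph-proxy.cgi/000100A/http/example.com/ HTTP/1.1\r\nHost: proxy.example\r\n"),
    ("normal", 80, "GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("tls", 443, "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # encrypted: nothing readable
]


def scan(packets):
    """Classify every packet; returns [(description, code, label), ...]."""
    return [(desc, *classify_packet(payload, port)) for desc, port, payload in packets]


def log_detection(log_file, label, payload, now=None):
    """Mirror the paper's log entry: label in capitals, time found, then the packet."""
    when = (now or datetime.now()).isoformat(timespec="seconds")
    log_file.write(f"{label.upper()} {when}\n{payload}\n\n")


def run_demo():
    ensure_log_dir()
    with open(new_log_path(), "w", encoding="utf-8") as log:
        for desc, port, payload in SAMPLE_PACKETS:
            code, label = classify_packet(payload, port)
            if code:
                log_detection(log, label, payload)
                print(f"{label} usage detected ({desc} packet)")
            else:
                print(f"no proxy usage detected ({desc} packet)")


if __name__ == "__main__":
    run_demo()
```

The rules are ordered so the more specific URL fragments are tried before the bare '.cgi' fragment, and only the CGI rule carries the port test, because the paper lists DestPort 80 as a characteristic for that proxy alone. The last sample packet shows the limitation the section describes: a TLS record on port 443 contains none of the readable characteristics, so nothing matches.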
4.4. Tor Browser Detection
The code for the Tor Browser was the last to be implemented. The detection characteristics compared to the other three proxies are completely different. This is mainly due to the randomness of the network packets when the Tor Browser is being used. The Tor Browser uses many different ports when sending and receiving packets; the different ports are: 9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150, 9151. It also uses port 80, which is used for all normal web browsing that doesn't use SSL, and also port 443, which is used for secure browsing. The main two ports the Tor Browser uses are ports 80 and 443; these two ports, however, cannot be used to identify the onion routing application, as all normal web browsing would also be flagged up as using the browser; therefore the other ports listed have to be used to identify it. This unfortunately means the Tor Browser could be used for many minutes before it is flagged up on the screen. When examining the packet there were a few interesting bits of data that could be seen. Firstly, the port that was used was port 80; this generally means the data in the network packet can be viewed; however, the data in the packet in this instance is encrypted and therefore no details can be taken from it. The second thing noticed in the packet was the Source Address, which was 131.188.40.188. When searching for the IP it was found within a list of known Tor nodes; this verified that it was indeed a packet from the Tor Browser. The source address is useful to verify that it is the Tor browser; however, due to the large number of IP addresses in the Tor network it is not possible to add them to the characteristics. This leaves the ports listed above as the only way to identify them; due to this the accuracy of the data may not always be 100% correct. One of the main differences in the code is the use of the operator 'or' instead of 'and'; this is because the system doesn't have to match 3 or 4 different characteristics, it only has to match one of them to flag it up on the console. Another port that the Tor Browser uses is port 9100; this port, however, is used often by wireless printers and using this port would create a lot of false positive results. It was decided that, due to the large number of false positive results, leaving that port out of the detection string would be the best action to take.
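The port-based Tor check, as an added Python example that is not the paper's code: it flags a packet when either port falls in the listed set (the 'or' rule), leaves 80, 443 and 9100 out for the reasons given above, and optionally corroborates a hit against a known-relay list the way the paper did by hand for one address. It runs over two constructed captures; the second contains only port-443 traffic and so goes undetected, which is the limitation the section describes. The addresses, captures and the relay list are constructed.

```python
# Ports the paper lists for the Tor Browser. 80 and 443 are left out because every
# ordinary browser uses them; 9100 is left out because wireless printers use it and it
# produced many false positives.
TOR_PORTS = {9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150, 9151}
SHARED_WEB_PORTS = {80, 443}
EXCLUDED_NOISY_PORTS = {9100}


def why_ignored(port):
    """Explain why a port that Tor also uses is not in the detection set (None if it is not such a port)."""
    if port in SHARED_WEB_PORTS:
        return "shared with all normal web browsing"
    if port in EXCLUDED_NOISY_PORTS:
        return "used by wireless printers; too many false positives"
    return None


def is_tor_candidate(src_port, dst_port):
    """'or' semantics: a hit on either the source or the destination port is enough."""
    return bool({src_port, dst_port} & TOR_PORTS)


def assess_capture(packets, known_relays=frozenset()):
    """Summarise one monitoring window.

    packets: list of (src_ip, src_port, dst_ip, dst_port) tuples.
    known_relays: optional set of relay addresses used only to corroborate a port hit;
    the paper notes the full relay list is too large to be a characteristic on its own.
    Returns (flagged_count, total, first_hit_index, corroborated_count)."""
    flagged = corroborated = 0
    first_hit = None
    for i, (src_ip, src_port, dst_ip, dst_port) in enumerate(packets):
        if not is_tor_candidate(src_port, dst_port):
            continue
        flagged += 1
        if first_hit is None:
            first_hit = i
        if src_ip in known_relays or dst_ip in known_relays:
            corroborated += 1
    return flagged, len(packets), first_hit, corroborated


def verdict(packets, known_relays=frozenset()):
    """The console line the IDS would print for this window."""
    flagged, total, first_hit, _ = assess_capture(packets, known_relays)
    if flagged:
        return f"Onion Routing usage detected ({flagged} of {total} packets, first at #{first_hit})"
    return "No Onion Routing usage detected"


# Constructed captures using documentation address ranges (RFC 5737); not real traffic.
CAPTURE_MIXED = [
    ("192.0.2.10", 51000, "198.51.100.5", 443),   # ordinary HTTPS: shared port, ignored
    ("192.0.2.10", 51001, "198.51.100.7", 9001),  # Tor OR port: flagged
    ("192.0.2.10", 51002, "198.51.100.9", 80),    # ordinary HTTP: ignored
    ("192.0.2.10", 51003, "203.0.113.4", 9100),   # printer port: deliberately not flagged
]
CAPTURE_HTTPS_ONLY = [                              # the failure mode seen in tests 2, 3, 5 and 11
    ("192.0.2.10", 52000, "198.51.100.5", 443),
    ("192.0.2.10", 52001, "198.51.100.6", 443),
    ("192.0.2.10", 52002, "198.51.100.8", 443),
]
CONSTRUCTED_RELAY_LIST = frozenset({"198.51.100.7"})  # stands in for a known-relay list


if __name__ == "__main__":
    print(verdict(CAPTURE_MIXED, CONSTRUCTED_RELAY_LIST))
    print(verdict(CAPTURE_HTTPS_ONLY, CONSTRUCTED_RELAY_LIST))
```

Because a single port hit is enough, the first_hit index tells how far into a window the browser was first noticed, which is the delay the section warns about; a window made up entirely of port-443 traffic never produces a hit at all.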
5. TESTING
This section will document the thorough testing that was performed on the system to ensure the system is performing the tasks that were detailed in the previous sections and that it is performing them to a high standard. It is important that any errors or unexpected crashes are found and fixed before the end product is finalized.
Each of the different proxies and onion routing applications were tested thoroughly by performing a series of Internet activities that may be carried out on a daily basis by an average Internet user. The activities are listed in Table 3.
The IDS will be given 5 minutes per test to monitor the network and to verify that it is detecting each of the proxies. The websites were accessed by first entering the URL into the proxy start page or from the start page in the Tor Browser. The program was also tested when the user was not using any proxy or the Tor Browser, just to verify that it wasn't flagging up any proxies when they were not in use. Altogether there were 60 log files created in total to test the program.
5.1. Normal Browsing Test
Before any of the proxies and onion routing applications could be tested, the IDS was tested while the user was browsing the internet normally without the use of a proxy. The web browser used for all the tests apart from the Tor Browser was Google Chrome. Only one tab was open at any one time, with all other internet related activities such as Skype, Dropbox and Google Drive closed so the tests would be precise.
Table 4 shows the results when there is no proxy usage in the network: there was nothing printed to the console, therefore no proxy was found in the 5 minutes the IDS was running for each of the twelve individual tests. These results are exactly what was expected from the program; if a proxy or onion routing application had been found, the system would be flagging up false positive results.
Table 3. Regular Internet Browsing Tasks
Test  Activity
1  Browse the Guardian news website and view videos
2  Log in to Gmail and send an email
3  Log in to Twitter and view some tweets
4  Browse Amazon and make a purchase
5  Log in to Facebook and browse multiple pages
6  Visit the BBC Sports section and post a comment in the comments section
7  Listen to iRadio on their live radio stream
8  Upload an image to Imgur or Photobucket
9  Select a Youtube video from your account
10  Download a ZIP file from a reliable source
11  Perform a search using a Search Engine such as Google or Bing
12  Go to Miniclip and play a game
Table 4. Normal browsing test results
Test  Result
1  No Proxy usage detected
2  No Proxy usage detected
3  No Proxy usage detected
4  No Proxy usage detected
5  No Proxy usage detected
6  No Proxy usage detected
7  No Proxy usage detected
8  No Proxy usage detected
9  No Proxy usage detected
10  No Proxy usage detected
11  No Proxy usage detected
12  No Proxy usage detected
5.2. Glype Proxy Test
The first proxy to be tested was the Glype proxy. It was decided that, since the availability of proxies online was very high, it would be best to test a proxy that was currently available online. The web based proxy used to test the Glype proxy was 'www.proxyserver.com'. This proxy was found within a list of available proxies on the Glype website30; the list also contained many other different proxies which were used to test the other proxies. The first thing to do was to start the program running. All other web pages were closed to make sure it was just the proxy being used in the network. The IDS was then started to sniff the network packets. The results that were printed onto the console when the program was running during each of the tests are shown in Table 5.
As can be seen in Table 5, the results show that the IDS is working as it should when a Glype proxy is being used in the network. Each test was detected, with the statement 'Glype Proxy usage detected' being printed multiple times. The network packets were also printed out to the log, showing the 3 different characteristics used to detect the proxies contained within them. Another Glype proxy was also tested; this proxy can be found at ''. The results from the proxy were identical to those in Table 8, proving that the characteristics are correct and that the IDS has a 100% success rate when a Glype proxy is in use.
5.3. PHPProxy Test
The second proxy that was tested was the PHPProxy. The same format as the previous test was used to test the proxy. The proxy that was used can be found at 'http://proxyanonymizer.net/'. The results from the different tests can be seen in Table 6. There were problems with using the proxy. While logging into a secure website such as Gmail, the Gmail service blocked the login as the location was completely different from where the email is usually accessed. The IDS however still picked up the use of the proxy, as there were 3 different pages accessed while performing the test.
Once again, the results from the IDS proved to be successful, with 100% of the tests being detected by the system. This proved that the 3 characteristics, 'GET', 'HTTP' and '.php?q=aHR0c', were being picked up in every network packet that was being created by the PHPProxy. A second PHPProxy was tested to verify the results; the proxy can be found at 'http://proxy-up.net/'. Again, the results returned 100% accuracy.
Table 5. Glype Proxy Test
Test  Result
1  Glype Proxy usage detected
2  Glype Proxy usage detected
3  Glype Proxy usage detected
4  Glype Proxy usage detected
5  Glype Proxy usage detected
6  Glype Proxy usage detected
7  Glype Proxy usage detected
8  Glype Proxy usage detected
9  Glype Proxy usage detected
10  Glype Proxy usage detected
11  Glype Proxy usage detected
12  Glype Proxy usage detected
So far, testing both proxies returned a 100% success rate, with 48 tests performed, 24 for the Glype proxy and 24 for the PHPProxy (Figure 3).
5.4. CGI Proxy Test
The CGI proxy was the third proxy to be tested. As was previously noted, due to the use of SSL in the proxy, the characteristics could not be found and therefore the proxy could not be detected. This meant that the results for the test of the CGI proxy would be a 100% fail rate; this only applied to the proxy when it was using SSL. The proxy, however, can also be used without SSL, and in that case the characteristics were found.
Table 7 verifies the results as expected when the CGI proxy is using SSL: each of the tests failed to show any proxy usage within the network. The proxy used was found at 'https://morphium.info/'.
After the SSL CGI proxy was tested, a CGI proxy that does not run on a secure server was tested. This proxy's URL is: 'http://anonymouse.org/'. One of the main differences that stands out between the two CGI proxies' URLs is that the first one contains 'https' in the URL and the second CGI proxy has 'http' in the URL; this shows that the second one doesn't use a secure server. The results from the testing of the unsecure CGI proxy can be seen in Table 8.
Table 6. PHPProxy usage test
Test  Result
1  PHPProxy usage detected
2  PHPProxy usage detected
3  PHPProxy usage detected
4  PHPProxy usage detected
5  PHPProxy usage detected
6  PHPProxy usage detected
7  PHPProxy usage detected
8  PHPProxy usage detected
9  PHPProxy usage detected
10  PHPProxy usage detected
11  PHPProxy usage detected
12  PHPProxy usage detected
Figure 3. Pass rate for both the PHPProxy and Glype Proxy
The results between the two are stark, with the IDS catching 100% of the unsecure CGI proxies and the SSL CGI proxy evading detection completely (Figure 4).
5.5. Tor Browser Test
The final proxy/onion routing application to be tested was the Tor Browser. Up until now the results from each of the previous tests have been straightforward, with the results returned as expected. This, however, was not the case for the Tor Browser, as the characteristics for it did not include the two ports through which most of the traffic flowed. The results from the Tor Browser testing can be seen in Table 9. With the twelve tests completed, eight of them passed, with 'Onion Routing usage detected' being printed to the console. Four of them resulted in nothing being printed to the console; therefore the IDS did not detect the use of the Tor Browser.
Table 7. CGI Proxy using SSL
Test  Result
1  No Proxy detected
2  No Proxy detected
3  No Proxy detected
4  No Proxy detected
5  No Proxy detected
6  No Proxy detected
7  No Proxy detected
8  No Proxy detected
9  No Proxy detected
10  No Proxy detected
11  No Proxy detected
12  No Proxy detected
Table 8. Unsecure CGI proxy test
Test  Result
1  CGI Proxy usage detected
2  CGI Proxy usage detected
3  CGI Proxy usage detected
4  CGI Proxy usage detected
5  CGI Proxy usage detected
6  CGI Proxy usage detected
7  CGI Proxy usage detected
8  CGI Proxy usage detected
9  CGI Proxy usage detected
10  CGI Proxy usage detected
11  CGI Proxy usage detected
12  CGI Proxy usage detected
As these tests were carried out during a five-minute period, it is not always guaranteed that the IDS will miss the detection of the Tor Browser. If, for instance, it had ten minutes per test, the program may have picked it up. As the program is meant to pick up each of the proxies/onion routing applications almost instantaneously, using ten minutes to test it would not be feasible. While having a closer look at the results gained from the Tor Browser tests, we can see it failed to detect the browser in tests 2, 3, 5 and 11. These tests involve using Gmail, Twitter, Facebook and Google respectively; one thing in common that each of them shares is the use of 'https' for secure browsing. Taking a closer look at the network packets while browsing each of the websites shows that each of them uses port 443 for all of the packets; due to this, the IDS will not detect them. Amazon also uses 'https' when the consumer is purchasing an item; this only applies when they are logging into their account to pay for the item. Before this point, Amazon uses a regular 'http' connection, so the network packets can go through any of the ports in the characteristics and also port 80. In Figure 5, the results of all the tests can be seen. Three out of the five that were tested had a success rate of 100%, with the Tor Browser having a 66% success rate and the Secure CGI proxy having a 0% success rate.
Figure 4. Pass rate for the SSL CGI Proxy and the Unsecure CGI Proxy
Table 9. Tor Browser test
Test  Result
1  Onion Routing usage detected
2  No Onion Routing usage detected
3  No Onion Routing usage detected
4  Onion Routing usage detected
5  No Onion Routing usage detected
6  Onion Routing usage detected
7  Onion Routing usage detected
8  Onion Routing usage detected
9  Onion Routing usage detected
10  Onion Routing usage detected
11  No Onion Routing usage detected
12  Onion Routing usage detected
The results from each of the tests were as expected: when the proxy or onion routing application was using an unsecure server the IDS picked up its usage every time, and when the proxy was using a secure server it evaded the IDS's detection. The result unfortunately came to the same outcome when other SSL proxies were tested; the IDS did not detect any of them. When using Wireshark to take a closer look at the packets, each of them used port 443 and the TCP protocol; as the packets are very similar to those of a regular SSL connection that does not use a proxy, there is little that can be done to fix the IDS without creating a lot of false positive results.
6. CONCLUSION
One of the main aims of the project was to first examine the packets in the network to see how each of the different packets looked and what was contained therein. Once a good grasp of the data in the packets was obtained, the proxies would then be used to compare the difference. Any noticeable difference contained therein could then be used to determine if a proxy was being used and what type of proxy it was. This was successfully done in four out of the five tests, with the SSL CGI proxy being the only downfall. Again, the program did not have a 100% success rate in determining the Tor Browser; however, the differences in the network packets were noticeable in most of them. These criteria in the packets were put into regex strings to be compared with each inbound and outbound packet, in turn successfully determining the different proxies. When the project was first started there was a need for a system that would be able to detect the use of anonymous proxies; security is a major field in Information Technology and the sector is increasing at a fast rate. This system fills that need: it can successfully detect Glype, PHPProxy, unsecure CGI proxy and the Tor Browser, which in turn provides a more stable and secure environment for the company/organisation to perform its everyday tasks. Overall the project would be very useful to a network administrator in terms of monitoring the network packets to determine if there is a proxy in use or if the Tor browser is in use. This system, although it doesn't pick up every single proxy, would be an important system to any company that has high security measures.
The system was hoped to have 100% accuracy in detecting anonymous proxies. This, however, could not be achieved, as the data travelling through an SSL proxy or pages that use 'https' on Tor generally use port 443, and thus the data in the network packets was encrypted. The system however did achieve 100% accuracy when detecting the Glype, PHPProxy and the unsecure CGI proxy. Also, in testing it had 66.67% accuracy in finding the Tor browser. The system's effectiveness can be debatable; it all depends on the type of proxy being used. The system does not detect 100% of proxies; it does however detect 100% of 3 different proxies and 66% of the Tor Browser, and therefore it can be quite effective when detecting those. However, it is not effective when it is detecting SSL proxies.
Figure 5. Full proxy/onion routing results
REFERENCES
Chaabane, A., Pere Manils, P., & Kaafar, M. (2010). Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network. In Proceedings of the 4th International Conference on Network and System Security (Vol. 1, p. 167). doi:10.1109/NSS.2010.47
Cisco. (2006). Cisco IOS Security Configuration Guide, Release 12.2, Access Control Lists: Overview and Guidelines. Retrieved from http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html
Dingledine, R., Mathewson, N., & Syverson, P. (2004). Tor: the second-generation onion router. In Proceedings of the 13th conference on USENIX Security Symposium.
Dredge, S. (2013, November). What is Tor? A beginner's guide to the privacy tool. The Guardian. Retrieved from http://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
Goralski, W. (2008). The Illustrated Network: How TCP/IP Works in a Modern Network. San Francisco, CA, USA: Morgan Kaufmann Publishers Inc.
International Telecommunication Union. (2013). The World in 2013 ICT Facts and Figures. Retrieved from http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2013.pdf
Kibirkstis, A. (2009). Intrusion Detection FAQ: What is Geolocation and How Does it Apply to Network Detection. Retrieved from http://www.sans.org/security-resources/idfaq/geolocation-network-detection.php
Knickerbocker, P., Yu, D., & Li, J. (2009). Humboldt: A distributed phishing disruption system. In Proc. IEEE eCrime Researchers Summit, Tacoma, WA.
Lee, J. (2013). What is Onion Routing, Exactly? MakeUseOf. Retrieved from http://www.makeuseof.com/tag/what-is-onion-routing-exactly-makeuseof-explains/
Lee, K., Jiang, Z., Kim, S., Kim, S., & Kim, S. (2005). Access Control List Mediation System for Large-Scale Network. In Proceedings of the 6th Int Conf on Parallel and Distributed Computing (pp. 483-487).
Li, B., Erdin, E., Gunes, M., Bebis, G., & Shipley, T. (2011). An Analysis of Anonymity Usage. In Proceedings of the Traffic Monitoring and Analysis: Third International Workshop, TMA 2011, Vienna, Austria (pp. 113-116). Springer.
Lyon, D. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. USA: Insecure.
Mallia, D. (2013). When was the Internet Invented. History News Network. Retrieved from http://hnn.us/article/142824
Microsoft. (2013). Parts of the Access Control Model. Access Control Lists. Retrieved from http://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx
Murdoch, S., & Anderson, R. (2008). Tools and Technology of Internet Filtering. Access Denied: The Practice and Policy of Global Internet Filtering, 1(1), 58.
Neustar. (2012). Neustar® Insights: Online Fraud Prevention: Three Who Stood Their Ground. Available at: http://www.banktech.com/whitepaper/download/showPDF?articleID=191705583
Raynal, F., Ahmad, M., Shaikhli, I., & Ahmad, H. (2012). Protection of the Texts Using Base64 and MD5. Journal of Advanced Computer Science and Technology Research, 2(1), 22–34.
Reed, M. G., Syverson, P. F., & Goldschlag, D. M. (1998). Anonymous connections and onion routing. IEEE Journal on Selected Areas in Communications, 16(4), 482–494. doi:10.1109/49.668972
SASI. (2006). Internet Use 1990, Poster of Internet usage. Available at: http://www.worldmapper.org/posters/worldmapper_map335_ver5.pdf
Sourcefire. (2013). Snort User's Manual 2.9.5, The Snort Project, May 2013. Available at: http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf
Stanger, J., Krishnamurthy, M., Seagren, E., Alder, R., Bayles, A., Burke, J., & Faskha, E. et al. (2007). How to Cheat at Securing Linux. Introducing Intrusion Detection and Snort. USA: Syngress.
Thomas, K., Grier, C., Ma, J., Paxson, V., & Song, D. (2011). Monarch: Providing real-time URL spam filtering as a service. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA (pp. 447-462).
Jonathan McKeague is a graduate in Computer Science from Ulster University.
Kevin Curran is a Reader in Computer Science and group leader for the Ambient Intelligence Research Group. Dr Curran has made significant contributions to advancing the knowledge of computer networking evidenced by over 800 published works. He is a regular contributor to BBC radio & TV news in the UK and quoted in trade and consumer IT magazines on a regular basis. He is an IEEE Technical Expert for Security and a member of the EPSRC Peer Review College.
ENDNOTES
1 http://sourceforge.net/projects/phpproxy/
2 http://sourceforge.net/projects/phpproxy/files/stats/timeline?dates=2012-11-12+to+2013-11-12
3 http://www.motobit.com/util/base64-decoder-encoder.asp
4 http://www.jmarshall.com/tools/cgiproxy/
5 http://www.string-functions.com/hex-string.aspx
6 http://www.glype.com/
7 http://www.proxysiteslist.net/category.php?id=45
8 https://www.torproject.org/projects/torbrowser.html.en#downloads
9 http://www.digicert.com/ssl.htm
10 http://help.yahoo.com/l/us/yahoo/smallbusiness/store/risk/risk-18.html
11 http://www.joomla.org/about-joomla.html
12 http://extensions.joomla.org/extensions/access-a-security/site-access/ip-blocking
13 http://www.senionlab.com/
14 http://www.polestar.eu/en/
15 https://www.indooratlas.com/
16 http://arstechnica.com/security/2010/03/googles-new-gmail-geolocation-feature-aims-to-prevent-scams/
17 http://janav.files.wordpress.com/2013/05/base64chars.jpg
18 http://www.w3.org/html/wg/drafts/html/master/webappapis.html#atob
19 http://www.snort.org/
20 http://base.secureideas.net/about.php
21 http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
22 http://www.regular-expressions.info/python.html
23 http://docs.python.org/2/library/idle.html
24 https://www.torproject.org/projects/torbrowser.html.en
25 http://sourceforge.net/projects/poxy/?source=recommended
26 https://www.glype.com/download.php
27 http://www.jmarshall.com/tools/cgiproxy/
28 http://www.wireshark.org/download.html
29 http://www.jmarshall.com/tools/cgiproxy/
30 http://list.glype.com/