
Fun with open proxies

I was recently playing around with web proxies at my data center lab and got an idea to open up a couple of anonymous proxies to see how long it would take for someone to start exploiting them. I fired up two anonymous proxies, using 3APA3A’s very cool and very tiny 3proxy tool, on adjacent IP addresses, each listening on port 8080.

Then, I went to several well-known web sites where you can upload a list of proxies to test them. On each site I uploaded just one of my proxy addresses. The other I kept secret.

I opened up the proxy logs for the address I checked and, as I expected, there were several requests testing to see if the proxy was open. I then added a rule on my router so I could monitor that traffic. As soon as I created the rule I saw that I was getting 1mb/s of traffic to the proxy’s port. Surprised, I went back to the proxy logs and they were already 100mb on disk. The other proxy I had kept secret had no traffic.

Within five minutes the proxy was averaging 3mb/s and I noticed checks from several companies that provide paid proxy services. Apparently they use free proxies as part of their services. Within fifteen minutes it was doing a steady 6mb/s and my proxy server had transferred over a gigabit of data! Sure, I had expected people to use the proxy, but I had never expected 6mb/s of use so quickly.

In that fifteen minutes there were 75 source IP addresses, many of them other open proxies, Tor exit points, or compromised servers. Those IP addresses hit 9,359 target hosts. Who were the targets? Just about anyone and everyone.

Most of the traffic consisted of probes for exploitable CGI scripts, mostly the kind that would allow user-generated content such as guestbooks, unauthenticated forums, or comment forms for blogs. The content wasn’t quite what I had expected but I really wasn’t too surprised.

Oh yeah, I also had Cain & Abel running and I collected over 500 passwords from HTTP authentication attempts.

After fifteen minutes, I killed the proxy with all the traffic but kept the other one up. After several weeks there was still minimal traffic on the private proxy. However, several times that month I fired up the other proxy and within a few minutes it was right back up to 5-6mb/s.

So why did I find this so interesting?

1. If you get a proxy server IP address that has been on a public web site for more than 5 minutes, it is probably already being hammered to death.

2. Online proxy checkers, along with other proxy-related tools, are no doubt there to collect or publish lists of open proxy servers. Many others seem to automatically harvest those lists.

3. Running an open proxy is an excellent glimpse into the workings of the evil side of the internet. No doubt there are many organizations that set up open proxies just to monitor those who would use them. If a proxy is still good after 24 hours I’d say chances are it’s there on purpose.

4. If you are evil and want to eat up someone’s bandwidth, sneak a few proxies onto their network, check them using online tools, then watch the traffic start flowing.

5. On your own network you should probably monitor the most common proxy ports for surges in traffic. In fact, a simple rule would be to watch inbound traffic to TCP ports 80 (excluding your web servers), 81, 1080, 3128, 6588, 8000, and 8080 where traffic exceeds 1-2mb/s.


