Open relays and open proxies

I am seeing an increasing number of hosts on our network become an open
proxy. So far the response to this has been reactive, once I receive
complaints from spam victims I deal with the source of the problem.

Is there an accepted way of blocking open proxy and open relay traffic at
the network edge?

Adi

The obvious way would be to block the commonly abused ports...
presumably, you will have very few customers who actually need to have
port 1080, 3128, 8080, or whatever open. Obviously, I can't say whether
this would be effective for your particular application.

Also, you could consider running proactive scans on your network with
available proxy-checking tools.

I use proxycheck to manually check hosts for open proxies
(http://www.corpit.ru/mjt/proxycheck.html)… you could script this
(or a similar tool) and run scans of your entire network.

> Is there an accepted way of blocking open proxy and open relay traffic
> at the network edge?
>
> The obvious way would be to block the commonly abused ports...
> presumably, you will have very few customers who actually need to have
> port 1080, 3128, 8080, or whatever open. Obviously, I can't say whether
> this would be effective for your particular application.

This list of "commonly abused ports" is ever increasing. Might as well block everything and let through specific stuff if you're going down that path.

> Also, you could consider running proactive scans on your network with
> available proxy-checking tools.
>
> I use proxycheck to manually check hosts for open proxies
> (http://www.corpit.ru/mjt/proxycheck.html)… you could script this
> (or a similar tool) and run scans of your entire network.

That's what I would suggest. You could also reactively test your customers when they make a connection to your webserver or mailserver.

On 24 Apr 2003 14:11:12 -0500 (CDT), Adi Linden <adil@adis.on.ca> asked:

> I am seeing an increasing number of hosts on our network become an open
> proxy. So far the response to this has been reactive, once I receive
> complaints from spam victims I deal with the source of the problem.
>
> Is there an accepted way of blocking open proxy and open relay traffic
> at the network edge?

It's been established by several people that a number of recent viruses
(such as jeem, sobig.a; see http://www.lurhq.com/sobig.html) are used to
install or pave the way for remote installation of abusable proxies.

Because those installed proxies do NOT listen on any consistent port number
you cannot rely on even proactive port-scanning to identify the proxy.
What the proxy does is to "phone home" and report its IP and port: so
detecting it by that behaviour will not always be straightforward.

Therefore if you get a complaint about virus activity from a user IP
it should be regarded as a free-of-charge heads-up that there may very
soon be an open proxy on that machine. As you'll see from the above URL,
the installation process is not immediate and therefore you may need to
develop a working procedure to analyse the situation as it develops.

If I could amplify Joe St Sauver's point, having a working and trusted
abuse address is half the battle; having a trained team who can spot the
signs and act on them *in a timely way* is the other, and perhaps more
important half. Remember that your reports will be likely to be coming
from the other side of the planet, and may therefore not observe your
local office hours. 24hr coverage by abuse staff (or by NOC staff who
can oversee the mailbox for relevant reports) is a great bonus here.
If you can deal with the situation quickly, you reduce the complaints
to a bare minimum and enhance your own reputation in the process.

SpamCop, for all the criticism it gets, DOES report abused proxies
quickly and with great reliability - far more reliably in the case
of proxies than, say, the human victims of the abuse. It might pay
to set up a special process with SpamCop to get those reports at an
unpublished box, and put them through an automated process to spot
any with the "proxy" keywords.

One other point to note is that a lot of the scanning for installed
trojans, such as Netbus and Sub-Seven, is specifically done to install
proxies using tools such as Firedaemon (actual cases of this have been
found, where the user had no knowledge of the Firedaemon and Analog-X
installations on their machine). Reports of THIS type of activity need
to be taken seriously, as the person who reports it (usually from a
firewall log) will be the one that escaped, but how many users in that
same /24 did not have a firewall and therefore got hit? A selection of
scanner-traps sitting on spare IPs will alert you to what's going on.
When you find out how MUCH of it is going on right now, it will become
obvious why there are so many open proxies being complained about.

On our DSL lines we provide the firewall and insist on it being used!
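The scanner-trap idea above (spare IPs that nothing legitimate ever contacts) as an added example that is not from the thread: it reads netfilter-style firewall log lines, which is an assumed log format, and reports sources that sweep several traps on the trojan and proxy ports the thread names. The trap addresses and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed values: spare addresses parked as traps; nothing legitimate talks to them.
TRAP_IPS = {"192.0.2.200", "192.0.2.201", "192.0.2.202"}
# Default ports of the trojans named in the thread (NetBus 12345, Sub-Seven 27374)
# plus the proxy ports mentioned earlier in the thread.
WATCH_PORTS = {12345: "netbus", 27374: "subseven", 1080: "socks", 3128: "squid", 8080: "http-alt"}

# Assumed log shape: Linux netfilter LOG lines carrying SRC=/DST=/DPT= fields.
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def parse_line(line):
    """Return (src, dst, dport) from a firewall log line, or None if it is not one."""
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "DPT")):
        return None
    return fields["SRC"], fields["DST"], int(fields["DPT"])


def summarize(lines, min_traps=2):
    """Sources that probed at least min_traps distinct trap addresses on a watched port."""
    # One packet at one trap may be backscatter; the same source touching several traps
    # on trojan/proxy ports is sweeping the block, so unfirewalled customers in it need a look.
    hits = defaultdict(lambda: {"traps": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dst in TRAP_IPS and dport in WATCH_PORTS:
            hits[src]["traps"].add(dst)
            hits[src]["ports"].add(WATCH_PORTS[dport])
    return {src: {"traps": len(h["traps"]), "ports": sorted(h["ports"])}
            for src, h in hits.items() if len(h["traps"]) >= min_traps}


# Constructed sample log: one sweep across three traps, one stray hit, one normal packet.
SAMPLE_LOG = [
    "Apr 24 14:11:12 gw kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.200 PROTO=TCP SPT=4431 DPT=27374 SYN",
    "Apr 24 14:11:12 gw kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.201 PROTO=TCP SPT=4432 DPT=27374 SYN",
    "Apr 24 14:11:13 gw kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.202 PROTO=TCP SPT=4433 DPT=27374 SYN",
    "Apr 24 14:11:13 gw kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.200 PROTO=TCP SPT=4434 DPT=12345 SYN",
    "Apr 24 14:12:01 gw kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.201 PROTO=TCP SPT=1051 DPT=8080 SYN",
    "Apr 24 14:12:05 gw kernel: FWD: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=80 SYN",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```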

> I am seeing an increasing number of hosts on our network become an open
> proxy. So far the response to this has been reactive, once I receive
> complaints from spam victims I deal with the source of the problem.
>
> Is there an accepted way of blocking open proxy and open relay traffic at
> the network edge?

  Educate your customers. Seriously.

  The details depend upon which type of problem you need to solve:

  1) Customers are being tricked into installing open proxies, say by
downloading executables from file sharing services.

  2) Customers are trying to set up proxies to allow them to share their
Internet connection with family members, but aren't securing them properly.

  3) Customers are deliberately setting up open proxies as anonymizers.

  Perhaps you have some other variation on these themes, but if you look at
all of these, you should be able to see that education is the best solution.
The possible exception is 3, in which case threats may be more appropriate.

  DS

> I use proxycheck to manually check hosts for open proxies
> (http://www.corpit.ru/mjt/proxycheck.html)… you could script this (or
> a similar tool) and run scans of your entire network.

> That's what I would suggest. You could also reactively test your customers
> when they make a connection to your webserver or mailserver.

that won't catch the case where a proxy is open and is being abused but
the resulting traffic is directed outside of the local isp, which is going
to be the common case since parasites don't like to endanger their hosts.

every network owner should routinely scan/probe every address they are
responsible for, looking for everything from ntpd vulnerabilities to
sendmail or bind vulnerabilities to open proxies to open relays to etc.

by "routinely" i mean every day. if something's found, block it 'til it's
fixed. this will save you huge money in abuse@ staffing costs, as well
as giving you "n'ya n'ya" rights when you meet uunet at the nanog bar :-).

this is as important as having abuse@ and noc@ mailboxes, or doing uRPF
on customer edges. if you're an ISP and your customer agreement doesn't
explicitly demand the ability to do this testing, then have it updated.

i now think that http://www.icann.org/committees/security/sac004.htm was
not nearly draconian enough, even though it claims...

   3 - DDoS Vector

   3.1. The typical vector for DDoS launches is a personal computer (PC)
   running operating system and application software that purposely trades
   off security for convenience. These computers are usually poorly
   managed, such that there are weak passwords or no passwords, known
   security "holes" that are never patched or closed, and services offered
   to the global Internet that the owner has no knowledge and no use for.

   3.2. From the point of view of almost any single purveyor -- or consumer
   -- of operating system and application software, convenience will almost
   always have more perceived value than security. It is only when viewed
   in the aggregate that the value of security becomes obviously higher
   than the value of convenience.

   3.3. With the advent of high speed "always on" connections, these PCs
   add up to either an enormous global threat, or a bonanza of freely
   retargetable resources, depending upon one's point of view.

   3.4. Bad actors, in teams or acting alone, exert constant background
   effort to locate these hosts, probe them for known weaknesses, and
   subvert them in any way possible. There are software "kits" available
   that make all of this trivially easy, so no actual technical skill is
   needed to locate, subvert, and direct an army of thousands of high
   performance drones.

...to be aware of this problem.
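A scan of one's own address space of the kind the replies above suggest (script a proxy check, run it routinely, block hits until fixed), as an added example that is neither proxycheck nor code from the thread. It assumes a canary page on a web server you operate (CANARY_URL and CANARY_MARKER are placeholders) and tests only HTTP-style proxying on the ports the thread names.

```python
import ipaddress
import socket

# Ports named in the thread; 1080 is usually SOCKS (own handshake), so it shows as "unknown" here.
PROBE_PORTS = (1080, 3128, 8080)
# Assumption: a page on a web server we run that contains CANARY_MARKER; a bare 200 is not proof.
CANARY_URL = "http://proxytest.example.net/canary"   # placeholder, not a real service
CANARY_MARKER = b"CANARY-OK-7f3a"                     # constructed token

def build_probe(url=CANARY_URL):
    """Absolute-URI GET: a proxy forwards it, a plain web server serves its own page or a 4xx."""
    host = url.split("/")[2]
    return f"GET {url} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def classify(response, marker=CANARY_MARKER):
    """'open' only if the canary page came back through the host; otherwise 'closed' or 'unknown'."""
    head, _, body = response.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        return "unknown"                      # not HTTP at all (SOCKS, SSH banner, garbage)
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    if code == 200:
        return "open" if marker in body else "closed"    # 200 without marker: served its own page
    return "closed" if 400 <= code < 500 else "unknown"  # 403/407: proxy refused or wants auth

def probe(host, port, timeout=5.0):
    """Connect, send the probe, read up to 4 KiB and classify; network errors give 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe())
            data = b""
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "unreachable"
    return classify(data)

def scan(cidr):
    """Yield (ip, port) for every open proxy found in our own block, for the block list."""
    for ip in ipaddress.ip_network(cidr).hosts():
        for port in PROBE_PORTS:
            if probe(str(ip), port) == "open":
                yield str(ip), port
```

Run it against your own prefixes only, and keep the canary page's marker private so a host cannot fake a pass.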

True, but most people who end up with an open proxy trojan will also be using the machine to read their ISP-provided email, etc.


> I am seeing an increasing number of hosts on our network become an open
> proxy. So far the response to this has been reactive, once I receive
> complaints from spam victims I deal with the source of the problem.

I see an increased number of proxies being abused too. Unfortunately, I am
seeing them feeding mail servers to forge spams in my name. Most of them
are in Argentina and Brazil, but I also see crap from Chinanet, Taiwan, Norway
and even just around the corner here in the NL.

However, do not mistake these machines for the funny small DDoSes that might
happen on your server. Those are likely generated by silly spammers taking it
out on people who actually care about the state of the net by sending out
forged spam with 100+ embedded IFRAMEs to your website.

I've been under attack for over two weeks now. Details have been put up at
http://www.xtdnet.nl/paul/spam/
If anyone is the target of similar abuse, please contact me offlist and I'll
try to combine the data to see if we can pinpoint this to some person or group.

Paul
--
Lawyer: "Now sir, I'm sure you are an intelligent and honest man--"
Witness: "Thank you. If I weren't under oath, I'd return the compliment."

    http://www.rinkworks.com/said/courtroom.shtml