The widespread abuse of proxies started years ago with a program called Wingate. Before Windows had Internet connection sharing built in, people with a home network needed a way to route all their machines' Internet traffic through a single dialup. Wingate served this purpose, but unfortunately it shipped with an insecure default configuration: anyone could connect to your Wingate server and telnet back out to another machine on another port. The company that wrote the software eventually closed the hole, but the original versions were widely deployed and infrequently upgraded.

Turning to the modern day, we see a second trend in proxy use. Web traffic has grown at a phenomenal rate over the past 7 years. Companies and ISPs often turn to caching proxy servers to reduce the tremendous load on their networks. In order to satisfy the demands of their content-hungry users, these proxy servers are often configured to proxy any port, with little regard to security. If there are no access controls blocking connections from outside the network, it becomes possible to anonymously portscan the entire TCP port range of other outside systems. Even worse, some proxies will allow you to connect in reverse, to machines on a company's internal network. This flaw has been thoroughly exploited in companies such as WorldCom, Excite@Home and others.

Unsecured proxies are currently the most significant conduit of junk email, better known as spam. This is a particularly vexing problem, because open proxies, unlike open mail relays, hide the origin of the spam, making it impossible to trace. Proxies can also be installed by online criminals in order to eavesdrop upon the dataflow between the client machine and the web. All accessed pages, and also all forms submitted (including passwords), can be captured, analysed and used by the proxy operator. Another use of proxy servers is voting more than once on sites that allow only one vote per IP address. Switching proxies (or using proxies that change their IP address on every request) allows the abuser to artificially inflate any given rating at those sites.

Is it possible to detect proxy servers? Most proxies add headers to HTTP connections in order to let the server know the user is behind a proxy. This fact can be exploited by the server to spot people hiding behind them and stop them. Recently, a myriad of so-called "elite" or "high-anonymity" proxy servers has appeared; these completely hide the client's IP and do not send any special headers, making them indistinguishable from ordinary clients. In this case, webmasters need to develop better countermeasures in order to spot them, such as the use of proxy server blacklists.

What follows is a short PHP script that makes use of two PHP classes (XIP and DefensiveAttack), two excellent examples of how to detect and ban users hiding behind open proxy servers.

<?php
require_once('class.php4.DefensiveAttack.php');

// Create object
$def_attack = new DefensiveAttack('my.sitename.com');

// Set my IP address
$def_attack->SetMyIpAddress('SERVER_IP');

require('class.XIP.php');
$XIP = new XIP();

$ip = $XIP->IP['client']; // Find the IP received by the server

// Load blacklist from the filesystem (a list of IP addresses, one per line)
$blacklist = implode('', file('blacklist.txt'));
if ($XIP->CheckNet($blacklist, $XIP->IP['client'])) {
    die("Blacklisted Proxy DETECTED<br>");
}

// Check IP for known open proxies. Uses SpamCop services to detect well-known spammers' IP addresses.
$timeout = 5; // seconds to wait for SpamCop before giving up on this check
$handle = @fopen("http://www.spamcop.net/w3m?action=checkblock&ip=" . urlencode($ip), "rb");
if ($handle !== false) {
    stream_set_timeout($handle, $timeout);
    $contents = '';
    while (!feof($handle)) {
        $contents .= @fread($handle, 8192);
    }
    fclose($handle);
    // preg_quote() escapes the dots in the address so they only match literal dots
    if (preg_match('/' . preg_quote($ip, '/') . '\s*listed in \w*\.spamcop\.net/', $contents)) {
        die('IP Listed in Spamcop!');
    }
}

if ($XIP->Proxy['detected']) {
    die("Proxy DETECTED<br>");
}

// Looking for proxy. Uses the other class.
if ($def_attack->IsUseProxy()) {
    die("You are using proxy<br>");
}

// Check referer if I do not want direct access to my site.
if (false === $def_attack->CheckReferer()) {
    die("Access denied. Direct access not allowed<br>");
}

?>
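The two checks the script delegates to the classes, header-based proxy detection and blacklist matching against single addresses or CIDR ranges, written out stand-alone as an added example (this is not the XIP or DefensiveAttack code; the header list and the sample blacklist are assumptions constructed for the illustration):

```php
<?php
// Added example (not the XIP / DefensiveAttack code): the script's two checks stand-alone.

// Request headers that forwarding proxies commonly add ($_SERVER key names).
const PROXY_HEADERS = ['HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED',
    'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_PROXY_CONNECTION'];

// True when the request carries any proxy-revealing header. "Elite" proxies
// send none of these, so a negative result proves nothing.
function hasProxyHeaders(array $server): bool
{
    foreach (PROXY_HEADERS as $h) {
        if (isset($server[$h]) && $server[$h] !== '') {
            return true;
        }
    }
    return false;
}

// True when $ip (IPv4 dotted quad) lies inside $net, given as a single address
// or in CIDR notation such as 203.0.113.0/24. Malformed entries never match.
function ipInNet(string $ip, string $net): bool
{
    [$base, $bits] = array_pad(explode('/', trim($net), 2), 2, '32');
    $ipLong = ip2long($ip);
    $baseLong = ip2long($base);
    if ($ipLong === false || $baseLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($baseLong & $mask);
}

// Returns the blacklist entry that matches $ip, or null. $blacklist holds one
// entry per line, like the script's blacklist.txt; blanks and '#' comments are skipped.
function blacklistMatch(string $ip, string $blacklist): ?string
{
    foreach (preg_split('/\R/', $blacklist) as $line) {
        $line = trim($line);
        if ($line !== '' && $line[0] !== '#' && ipInNet($ip, $line)) {
            return $line;
        }
    }
    return null;
}

// Constructed sample input (not real traffic or a real list).
$blacklist = "# open proxies\n203.0.113.0/24\n198.51.100.7\n";
$server = ['REMOTE_ADDR' => '203.0.113.45', 'HTTP_VIA' => '1.1 proxy.example'];
var_dump(hasProxyHeaders($server), blacklistMatch($server['REMOTE_ADDR'], $blacklist));
```

In a real deployment the blacklist would be reloaded as often as the article recommends, and a header hit should be treated as a signal to combine with the list check rather than a verdict on its own.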

These methods are just a few of the possibilities, but they should serve as a starting point for webmasters wanting to protect their sites. As malicious users devise ever smarter tools to circumvent server security, site owners must stay on their toes and develop new, better countermeasures. The code is available in this ZIP file. One thing to remember is that proxy lists change every hour, so if you choose to use blacklists, you should renew them frequently (2-3 times a day).
