Detecting Anonymous Proxy Usage
Problem
Anonymising proxies are a growing problem for schools and businesses across the world as more people become aware of their capabilities. These proxy sites enable users to bypass the network's filtering system, leaving internet use wide open to banned content and harmful threats. Network administrators have tried blocking these online proxy sites, but more are created every day, so keeping up with new URLs and IP addresses to blacklist is far from a trivial task. Many existing solutions rely almost entirely on Access Control Lists that blacklist undesirable web sites, with the end result that many users learn that anonymous proxies allow them to bypass this filtering easily. While Access Control Lists serve a purpose, there are many difficulties, especially in detecting whether users are circumventing the policies and Access Control Lists. One possible solution is to focus on detecting access to anonymous proxies.
Background
This project should focus on discovering how anonymous proxies work and what techniques they use to remain undetected by the standard web filters used in networks, and then develop a solution that makes them detectable. A good place to start is to examine and research the world of anonymous proxies. Get to grips with Snort, an open source network intrusion detection system, and also look into popular proxy packages such as PHPProxy, CGIProxy and Glype, as well as Tor and SSL proxies. Find out how Access Control Lists work, read up on Base64 encoding and decoding, and see how this method of obfuscation is used in most online proxy implementations. Examine search strings that network administrators can use to review their web access logs, and regular expressions that can be used to search for whole classes of anonymous proxies in logs or be incorporated into a Snort IDS rule, and develop a technical solution that will detect the use of anonymous proxies in any series of transactions. Ultimately, your solution should detect anonymous proxy usage by searching the incoming traffic for known characteristics of anonymous proxies that would not be observed from a normal HTTP web server. The main deliverable will be an architecture that proactively determines whether an incoming connection originates from an anonymous proxy website. This will subsequently enable network administrators to blacklist these sites as they are detected.
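As an added example (not part of the original project brief), the following Python log scanner applies the Base64 and regular-expression ideas above to web access-log lines: it picks out requests to the script names commonly used by Glype and PHPProxy (assumed defaults, adjust for your environment) and reports only those whose query parameter decodes to an http(s) URL, which separates proxied browsing from an ordinary page that happens to use the same script name. The log lines are constructed.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Request-line extractor for common/Squid-style access logs
REQ_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
# Script name -> query parameter carrying the Base64 destination (assumed Glype/PHPProxy defaults)
PROXY_SCRIPTS = {"browse.php": "u", "index.php": "q"}

# Constructed sample log lines: a Glype hit, a benign page, a benign search, a PHPProxy hit
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2012:10:01:02 +0000] "GET http://proxy.example.net/browse.php?u=aHR0cDovL3d3dy5leGFtcGxlLmNvbS8%3D&b=0 HTTP/1.1" 200 5123
10.0.0.6 - - [01/Mar/2012:10:01:05 +0000] "GET http://www.example.org/index.php?page=about HTTP/1.1" 200 2210
10.0.0.6 - - [01/Mar/2012:10:01:07 +0000] "GET http://www.example.org/index.php?q=snort HTTP/1.1" 200 1800
10.0.0.7 - - [01/Mar/2012:10:01:09 +0000] "GET http://surf.example.com/index.php?q=aHR0cDovL3ZpZGVvLmV4YW1wbGUuY29tLw%3D%3D&hl=3ed HTTP/1.1" 200 9001
"""

def query_params(query):
    """Split a query string by hand so '+' (a Base64 character) is not turned into a space."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def decode_proxied_target(value):
    """Return the destination URL if value is strict Base64 of an http(s) URL, else None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None

def detect_proxy_hits(log_text):
    """Return (client, proxy_host, destination) for each request that looks like proxied browsing."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        param = PROXY_SCRIPTS.get(parts.path.rsplit("/", 1)[-1])
        if param is None:
            continue
        for candidate in query_params(parts.query).get(param, []):
            target = decode_proxied_target(candidate)
            if target:
                hits.append((m.group("client"), parts.hostname, target))
    return hits
```

Each hit gives the proxy host to add to the blacklist and the destination the user actually reached; proxies that apply their own encoding to the destination parameter instead of plain Base64 will need an additional decoder.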