Probing for open proxies with CONNECT
(old news - 11:51AM Thursday Oct 11 2007)
Looking through server logs just has to be done regularly. After ignoring mine for some time, I did my regular audit recently and found some unpleasant surprises. My first observation is that the number of bots probing for open proxy servers with syntax such as this:
has increased dramatically. In a single day we get over 1000 such requests from over 400 different IP addresses.

This was an unfortunate waste of bandwidth because we don't show a 403 error page for invalid URLs; instead we redirect invalid URLs to our home page.

The next hassle is the rise of bots looking for web servers which respond to the CONNECT command. I didn't even know this command existed in the spec, but it is listed there, right after GET, POST and HEAD. The typical CONNECT command is:


where these IPs are well-known mail servers. 45 different IPs a day are trying this, some over 100 times per day.

As well as this noise there is, of course, the normal stream of probes for badly configured PHP admin programs and other exploitable standard packages:


Here test.txt at 124.0.201.20 is fetched by the vulnerable script, and therefore the script can be used as a dumb proxy server if the URL succeeds.

It is worth paying attention to your access_log and error_log. The amount of noise directed against public web servers has clearly risen as the cost of generating the noise (via compromised bot nets) drops to nearly zero.

On the topic of logs: with the increasing power of web servers to deal with normal traffic, you can also increase the amount of logging they do. Apache 2.x has a useful milliseconds-per-request field, which I immediately added to my CustomLog line so that I could write a program to tail the log and dynamically generate a live chart of response times, response sizes and error codes.
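As an added example (not code from the original post or from dslreports), here is a Python sketch of the log-processing program described above. It parses access_log lines, flags the three probe shapes the post mentions (CONNECT tunnelling attempts, absolute-URI requests aimed at an open proxy, and a script parameter that points at a remote file such as test.txt) and reports the response-time, size and status aggregates a live chart would plot. It assumes the combined log format with Apache's `%D` field (request duration in microseconds, converted here to milliseconds) appended to the CustomLog line; that format choice, the function names and the sample lines with their RFC 5737 addresses are all constructed for this example.

```python
import math
import os
import re
import time
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed LogFormat (an assumption, not quoted from the post): Apache's
# "combined" format with %D (request duration in microseconds) appended:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<agent>[^"]*)" (?P<usec>\d+)$'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2007:11:20:01 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 2100
198.51.100.17 - - [11/Oct/2007:11:20:02 -0400] "GET http://www.example.com/ HTTP/1.1" 302 218 "-" "-" 900
198.51.100.17 - - [11/Oct/2007:11:20:03 -0400] "CONNECT 192.0.2.25:25 HTTP/1.0" 302 218 "-" "-" 850
198.51.100.17 - - [11/Oct/2007:11:20:04 -0400] "CONNECT 192.0.2.26:25 HTTP/1.0" 302 218 "-" "-" 800
203.0.113.99 - - [11/Oct/2007:11:20:05 -0400] "GET /admin/index.php?page=http://203.0.113.77/test.txt HTTP/1.1" 302 218 "-" "libwww-perl/5.805" 950
203.0.113.5 - - [11/Oct/2007:11:20:06 -0400] "GET /search?q=dsl HTTP/1.1" 200 40960 "-" "Mozilla/5.0" 480000
203.0.113.5 - - [11/Oct/2007:11:20:07 -0400] "GET /missing HTTP/1.1" 404 312 "-" "Mozilla/5.0" 1500
"""

def parse_line(line):
    """Return the parsed fields of one access_log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])  # %b logs "-" for no body
    entry["usec"] = int(entry["usec"])
    return entry

def classify_probe(request):
    """Label the three probe shapes the post describes, or None for normal traffic."""
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                                  # tunnelling attempt (mail servers etc.)
        return "connect"
    if re.match(r"[a-z][a-z0-9+.\-]*://", target, re.I):    # absolute URI: open-proxy check
        return "absolute-uri"
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if re.match(r"(https?|ftp)://", value, re.I):      # script told to fetch a remote file
            return "remote-include"
    return None

def percentile(values, pct):
    """Nearest-rank percentile; None for an empty sample."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[max(1, math.ceil(pct / 100 * len(ordered))) - 1]

def summarize(log_text):
    """Aggregate a batch of log lines into the numbers a live chart would plot."""
    durations_ms, total_bytes, malformed = [], 0, 0
    status_counts, probes_by_type, probing_ips = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            malformed += 1          # count rather than crash on a line the regex rejects
            continue
        durations_ms.append(entry["usec"] / 1000)
        status_counts[entry["status"]] += 1
        total_bytes += entry["bytes"]
        kind = classify_probe(entry["request"])
        if kind:
            probes_by_type[kind] += 1
            probing_ips[entry["ip"]] += 1
    return {
        "requests": len(durations_ms),
        "malformed": malformed,
        "p50_ms": percentile(durations_ms, 50),
        "p95_ms": percentile(durations_ms, 95),
        "total_bytes": total_bytes,
        "status_counts": status_counts,
        "probes_by_type": probes_by_type,
        "probing_ips": probing_ips,
    }

def follow(path, poll_seconds=1.0):
    """Yield lines appended to `path`, like tail -f; batch them into summarize()."""
    with open(path, errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll_seconds)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Running the file summarises the constructed sample; feeding lines from follow() into summarize() in fixed time windows gives the rolling view the post's chart shows. The per-IP count of probe categories is the cheap signal for the bots described above, while the status distribution and the p95 latency are what to watch for the "skewed" shape the post talks about.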

Here is a snapshot (mine refreshes every few seconds):
[chart image: /front/frontend.html]

If you watch the general shape of this graph it becomes quite easy to determine if things have skewed in some way to the point of abnormality. In fact, I'll probably add to this program to display a long term average on the right and the current very short term view on the left.


Random site news information and ponderings, by Justin

Jameson
Brilliant

state
Seeing similar probes

I started seeing something similar a few days ago, but hadn't had a chance to really dig into it - it was more of a nuisance than anything else since 404s were being returned to the requester:


The logs show somewhere in the neighborhood of 40-50 entries per day from this particular IP address, sequentially walking the IPs that were assigned to the machine - each GET request with its own unique hash.

After adding a rule to iptables I saw it send a dozen or so ping packets to see if the host was up:


And then nothing. So far. With so many script kiddies running what would appear to be "out-of-the-box" scripts against large netblocks, it sometimes makes me wonder if I should follow in the footsteps of CNN and the like and simply discard inbound ICMP requests.
mikenolan7
Re: Seeing similar probes

Think twice before dropping traffic. I'm just a home user, but I have a pretty good-sized network I experiment with here (15 machines +/-). I run zero externally accessible services, but I'm on a cable modem and live in LA. The number of attacks is hard to believe (I average anywhere between one every 3 to 10 seconds). I used to just drop it all, but I found when I rejected everything instead, the number of attacks dropped by about 70%. I run strict rate limits on the rejections so no one can get much benefit from using my address as part of a reverse DDOS, but I haven't seen that even tried, yet (using my address anyway).

The only explanation I can come up with is that the automated attacks move on when they get a rejection, but try a few more times if nothing comes back - possibly hoping that the lack of a rejection indicates other "misconfigurations". RoadRunner's ARP blasters pretty much tell anyone with a clue what IPs are in use at any time.
over 9 years online! © 1999-2008 dslreports.com.