I read that attackers are using Web proxies to hide the devices performing their attacks. I know we could just block IP addresses, but some of our clients also use Web proxies. Is there another way to block and prevent these attacks without losing legitimate communications?
Attackers have been obfuscating source IP addresses for almost as long as IP networks have been in use. Many of the earlier methods of hiding a source IP address -- such as forging the source IP address -- have been prevented by following the recommendations of BCP38, namely, by only forwarding traffic whose source addresses belong to your enterprise networks and customers.
While detection systems have improved over the almost 25 years since BCP38 was published, there are still many ways to obfuscate the source IP address of the devices performing the attacks; it can be done using Tor, a Web proxy or network address translation. It's also important to note that Web proxies can be used to improve the security of a system: traffic that is encrypted on the wire passes through the Web proxy unencrypted, so the proxy can filter out malicious content. Web proxies also provide some level of anonymity for a legitimate user. However, Web proxies can also be used to negatively impact privacy, but that is a different story for a different time.
Blocking individual IP addresses or Web proxies is not going to be scalable. But increasing monitoring for individual IPs that are suspicious could help identify an attack in progress and help identify which systems have been compromised.
Enterprises can also subscribe to a blacklist or threat intelligence service to help keep an up-to-date IP block list that blocks only unapproved proxies. However, this could still be very challenging, as you don't want to block legitimate customers. Depending on how you want to block malicious connections, you could improve the authentication used to validate legitimate connections, or even put a Web proxy (or Web application firewall) in front of your Web applications to filter out unauthenticated connections to the destination Web application. You could also whitelist customers' networks to allow access to the Web application.
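The three tiers the answer describes (whitelisted customer networks, a threat-intel list of unapproved proxies, and increased monitoring for everything else) can be combined into a single admission policy. The following is an added example, not code from the original Q&A or from any vendor product; the network ranges, the threat-intel feed entries and the sample log lines are constructed from documentation address space, and the `Policy` class, `build_policy` and `summarize` names are this example's own.

```python
"""Added example: a request-admission policy that layers an allowlist of
customer networks over a threat-intel list of unapproved proxies, and puts
every other source into a 'monitor' tier instead of dropping it outright."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: documentation/reserved ranges stand in for real customers.
CUSTOMER_NETWORKS = ("198.51.100.0/24", "2001:db8:1::/48")
# Constructed threat-intel feed of anonymizing proxy / exit-node addresses.
UNAPPROVED_PROXY_FEED = {"203.0.113.7", "203.0.113.99", "2001:db8:bad::1"}
# Proxies that appear in the feed but are known to front legitimate customers.
APPROVED_PROXIES = {"203.0.113.250", "203.0.113.99"}


@dataclass
class Policy:
    customer_nets: list
    unapproved_proxies: set
    approved_proxies: set
    suspicious_threshold: int = 3           # requests from one unknown IP before escalation
    counts: Counter = field(default_factory=Counter)

    def decide(self, src: str) -> str:
        """Return 'allow', 'block' or 'monitor' for one source address."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.customer_nets):
            return "allow"                  # whitelisted customer network
        if src in self.unapproved_proxies and src not in self.approved_proxies:
            return "block"                  # listed proxy with no customer behind it
        self.counts[src] += 1               # unknown or approved proxy: count, don't drop
        return "monitor"

    def suspicious(self) -> list:
        """Unknown sources whose request count crossed the monitoring threshold."""
        return sorted(ip for ip, n in self.counts.items() if n >= self.suspicious_threshold)


def build_policy() -> Policy:
    nets = [ipaddress.ip_network(n) for n in CUSTOMER_NETWORKS]
    return Policy(nets, set(UNAPPROVED_PROXY_FEED), set(APPROVED_PROXIES))


# Constructed access-log excerpt: "<source-ip> <method> <path>".
SAMPLE_LOG = [
    "203.0.113.7 POST /login",
    "198.51.100.42 GET /account",
    "192.0.2.9 POST /login",
    "192.0.2.9 POST /login",
    "192.0.2.9 POST /login",
    "203.0.113.99 GET /orders",
    "2001:db8:1::10 GET /orders",
]


def summarize(lines, policy: Policy) -> dict:
    """Run every log line through the policy and tally the decisions."""
    tally = Counter()
    for line in lines:
        src = line.split()[0]
        tally[policy.decide(src)] += 1
    return dict(tally)


if __name__ == "__main__":
    pol = build_policy()
    print(summarize(SAMPLE_LOG, pol))      # {'block': 1, 'allow': 2, 'monitor': 4}
    print("escalate:", pol.suspicious())   # escalate: ['192.0.2.9']
```

The ordering matters: the customer allowlist is consulted first so a feed entry can never lock out a known customer, and a feed entry is only blocking when it is not also on the approved-proxy list. Unknown sources are never dropped by this policy; they are counted, and the `suspicious()` list is what you would hand to the monitoring or WAF tier for closer inspection.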
Related Q&A from Nick Lewis