
Attack obfuscation: Detecting attacks that use Web proxies

While many Web proxies are legitimate, some attackers use them to hide their attacks. Expert Nick Lewis explains how to block the malicious proxies without cutting off legitimate users.

I read that attackers are using Web proxies to hide the devices performing their attacks. I know we could just block IP addresses, but some of our clients also use Web proxies. Is there another way to block and prevent these attacks without losing legitimate communications?

Attackers have been obfuscating source IP addresses almost as long as IP networks have been in use. Many of the earlier methods of hiding the source IP address, such as forging it outright, have largely been prevented by following the recommendations of BCP38: network operators apply ingress filtering so that they only forward packets whose source addresses belong to their own enterprise networks and customers.

While detection systems have improved in the nearly 15 years since BCP38 was published in 2000, there are still many ways to obfuscate the source IP address of the devices performing an attack: Tor, a Web proxy or network address translation each present a different address to the target than the one the attacking device actually uses. It is also important to note that Web proxies can improve the security of a system: a proxy that terminates TLS can inspect otherwise encrypted traffic in the clear and filter out malicious content before re-encrypting and forwarding it. Web proxies also provide some level of anonymity for a legitimate user. However, that same position in the path means Web proxies can also be used to negatively impact privacy, but that is a different story for a different time.

Blocking individual IP addresses or Web proxies one at a time is not going to scale. Increasing monitoring of suspicious individual IPs, however, can help identify an attack in progress and which systems have been compromised: a source that produces a run of failed logins, requests for paths that do not exist on your site or requests for administrative pages is worth watching more closely, whether or not it arrives through a proxy.

Enterprises can also subscribe to a blacklist or threat intelligence service to keep an up-to-date IP block list, so that only unapproved proxies (open proxies, anonymizing services and the like) are blocked. This can still be challenging, as you do not want to block legitimate customers who happen to share a proxy with an attacker. Depending on how you want to block malicious connections, you could strengthen the authentication used to validate legitimate connections, or put a reverse Web proxy or Web application firewall in front of your Web applications to filter out unauthenticated connections before they reach the application. You could also whitelist your customers' networks to allow them access to the Web application; the whitelist should key on the address the connection actually comes from, not on request headers such as X-Forwarded-For, which the sender controls.
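As an added example (not code from the original article), here is a small Python script that applies the three measures above to a Web server's access log: it allowlists hypothetical customer networks, blocks addresses found in a constructed stand-in for a threat intelligence proxy block list, and flags the remaining proxied sources for closer monitoring when they produce repeated errors. The networks, addresses, log format and log lines are all constructed for illustration; the Via and X-Forwarded-For request headers are assumed to have been appended to the server's combined log format as two extra quoted fields.

```python
"""Classify Web request sources against a customer allowlist and a proxy block
list, and flag proxied sources that look like they are probing the site.

Added example, not from the original article.  Every network, address, log
format and log line below is constructed for illustration.
"""

import ipaddress
import re
from collections import defaultdict

# Hypothetical customer networks (constructed).  Traffic from them is allowed
# even when it arrives through a Web proxy: allowlist customers, not proxies.
CUSTOMER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed stand-in for a threat-intelligence block list of unapproved
# (open / anonymizing) proxies.
KNOWN_BAD_PROXIES = {
    ipaddress.ip_address("192.0.2.77"),
    ipaddress.ip_address("192.0.2.78"),
}

# Combined-style access log with the Via and X-Forwarded-For request headers
# appended as two extra quoted fields ("-" when the header is absent).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<via>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Constructed sample log: a customer behind its own proxy, a known open proxy
# probing for admin pages, a direct customer, and an unknown proxy brute
# forcing a login.  One malformed line is included to exercise the parser.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2014:10:00:01 +0000] "GET /account HTTP/1.1" 200 512 "1.1 proxy.customer.example" "10.0.0.5"
192.0.2.77 - - [05/Oct/2014:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "1.1 squid" "-"
192.0.2.77 - - [05/Oct/2014:10:00:03 +0000] "GET /admin HTTP/1.1" 403 180 "1.1 squid" "-"
192.0.2.77 - - [05/Oct/2014:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 210 "1.1 squid" "-"
198.51.100.20 - - [05/Oct/2014:10:00:05 +0000] "GET /login HTTP/1.1" 200 300 "-" "-"
this line is not in the expected format
192.0.2.200 - - [05/Oct/2014:10:00:06 +0000] "GET /login HTTP/1.1" 200 300 "1.1 anon-proxy" "172.16.4.9"
192.0.2.200 - - [05/Oct/2014:10:00:07 +0000] "POST /login HTTP/1.1" 401 120 "1.1 anon-proxy" "172.16.4.9"
192.0.2.200 - - [05/Oct/2014:10:00:08 +0000] "POST /login HTTP/1.1" 401 120 "1.1 anon-proxy" "172.16.4.9"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify_source(ip_text):
    """Classify the TCP peer address as 'customer', 'known_proxy' or 'unknown'.

    Only the peer address is consulted.  X-Forwarded-For is set by whoever
    sent the request, so it must never be used to grant allowlist membership.
    """
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in CUSTOMER_NETWORKS):
        return "customer"
    if ip in KNOWN_BAD_PROXIES:
        return "known_proxy"
    return "unknown"


def is_proxied(entry):
    """True when the request carries a Via or X-Forwarded-For header.

    Well-behaved proxies add these headers; anonymizing proxies often strip
    them, so their absence proves nothing.  Presence is evidence, not proof.
    """
    return entry["via"] != "-" or entry["xff"] != "-"


def analyze(log_text, error_threshold=2):
    """Summarize each source IP and recommend allow / block / monitor.

    error_threshold is the number of 4xx/5xx responses from one proxied,
    unknown source after which that source should get extra monitoring.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "proxied": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed lines are skipped, not counted against anyone
        s = per_ip[entry["client"]]
        s["requests"] += 1
        if entry["status"] >= 400:
            s["errors"] += 1
        s["proxied"] = s["proxied"] or is_proxied(entry)

    for ip, s in per_ip.items():
        s["class"] = classify_source(ip)
        if s["class"] == "customer":
            s["action"] = "allow"       # allowlisted network, proxy or not
        elif s["class"] == "known_proxy":
            s["action"] = "block"       # unapproved proxy from the block list
        elif s["proxied"] and s["errors"] >= error_threshold:
            s["action"] = "monitor"     # suspicious proxied source: watch it
        else:
            s["action"] = "allow"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip:16} {s['class']:12} proxied={str(s['proxied']):5} "
              f"requests={s['requests']} errors={s['errors']} -> {s['action']}")
```

Two caveats a practitioner should keep in mind when running this against real logs. First, Via and X-Forwarded-For are added by the proxy, so an anonymizing proxy can omit or forge them; the script treats them only as evidence of proxying, never as grounds for blocking on their own. Second, the allowlist decision keys on the TCP peer address (the first log field) and ignores X-Forwarded-For, because that header is under the sender's control and would otherwise let an attacker claim a customer address.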


This was last published in October 2014

