I read that attackers are using Web proxies to hide the devices performing their attacks. I know we could just block IP addresses, but some of our clients also use Web proxies. Is there another way to block and prevent these attacks without losing legitimate communications?
Attackers have been obfuscating source IP addresses almost as long as IP networks have been in use. Many of the earlier methods of hiding the source IP address, such as forging it outright, have been blunted by networks that follow BCP38 (ingress filtering), which recommends forwarding only traffic whose source addresses belong to your own enterprise networks and customers.
While detection systems have improved in the years since BCP38 was published in 2000, there are still many ways to obscure the source IP address of the devices performing the attacks, for example by using Tor, a Web proxy or network address translation. It is also important to note that Web proxies can improve the security of a system: a proxy that terminates TLS can inspect traffic that would otherwise be encrypted and filter out malicious content before it reaches the client. Web proxies also provide some level of anonymity for legitimate users. The flip side, that Web proxies can also be used to undermine privacy, is a different story for a different time.
Blocking individual IP addresses or Web proxies one at a time is not going to scale. Increased monitoring of individual IPs that look suspicious, however, can help identify an attack in progress and which systems have been compromised.
Enterprises can also subscribe to a blacklist or threat intelligence service to help keep an up-to-date IP block list that blocks only unapproved proxies. This can still be challenging, because such lists lag behind the real world and shared addresses on them may belong to legitimate customers, whom you don't want to block. Depending on how you want to handle malicious connections, you could strengthen the authentication used to validate legitimate connections, or put a Web proxy (or Web application firewall) in front of your Web applications to drop unauthenticated connections before they reach the destination Web application. You could also whitelist your customers' networks so that their access to the Web application is never caught by a proxy block list.
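The combination described above (customer allowlist first, proxy block list second, extra monitoring for suspicious addresses that are neither) can be expressed as a small log-triage script. The following is an added example written for this page, not code from the original answer or from any vendor; the IP ranges, the "threat-intel feed", the trusted WAF address and the log lines are all constructed sample data. It also handles one caveat a practitioner will hit: the X-Forwarded-For header is only trustworthy when the TCP peer is your own proxy or WAF, otherwise an attacker can forge it to impersonate an allowlisted customer.

```python
"""Triage web-server log lines by source IP: allow known customers, block
addresses found in a proxy/Tor feed, and flag repeat authentication failures
for monitoring. Example code for this page; all addresses and log lines
below are constructed, not real data."""
import ipaddress
import re
from collections import Counter

# Constructed threat-intel feed of anonymizing proxy / Tor exit networks.
PROXY_FEED = ["198.51.100.0/24", "203.0.113.7/32"]
# Constructed customer allowlist (customers known to sit behind proxies).
CUSTOMER_NETS = ["203.0.113.0/28"]
# Our own reverse proxy / WAF: the only peer whose X-Forwarded-For we honour.
TRUSTED_PROXIES = ["10.0.0.5/32"]
# Auth failures (401/403) per source IP before we escalate to "monitor".
AUTH_FAIL_THRESHOLD = 3

PROXY_NETS = [ipaddress.ip_network(n) for n in PROXY_FEED]
CUSTOMER = [ipaddress.ip_network(n) for n in CUSTOMER_NETS]
TRUSTED = [ipaddress.ip_network(n) for n in TRUSTED_PROXIES]

# Common log format plus a trailing quoted X-Forwarded-For field ("-" if absent).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)


def in_any(ip, nets):
    return any(ip in n for n in nets)


def client_ip(peer, xff):
    """Address to make the decision on. X-Forwarded-For is used only when the
    TCP peer is our trusted proxy; the rightmost entry is the one that proxy
    itself appended, so it is the only hop we can vouch for."""
    peer_ip = ipaddress.ip_address(peer)
    if in_any(peer_ip, TRUSTED) and xff not in ("", "-"):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer_ip


def classify(ip):
    """Allowlist wins over the feed so a customer behind a listed proxy is
    never blocked; anything else on the feed is blocked."""
    if in_any(ip, CUSTOMER):
        return "allow"
    if in_any(ip, PROXY_NETS):
        return "block"
    return "allow"


def triage(log_lines):
    """Return {ip: verdict}. Non-customer IPs with repeated auth failures are
    escalated to 'monitor' instead of being blocked outright."""
    fails = Counter()
    verdicts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip = client_ip(m["peer"], m["xff"])
        verdicts[str(ip)] = classify(ip)
        if m["status"] in ("401", "403"):
            fails[str(ip)] += 1
    for ip, n in fails.items():
        if (verdicts[ip] == "allow" and n >= AUTH_FAIL_THRESHOLD
                and not in_any(ipaddress.ip_address(ip), CUSTOMER)):
            verdicts[ip] = "monitor"
    return verdicts


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2017:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-"',
    '203.0.113.7 - - [10/Oct/2017:13:55:40 +0000] "GET /app HTTP/1.1" 200 2048 "-"',
    '192.0.2.44 - - [10/Oct/2017:13:56:01 +0000] "POST /login HTTP/1.1" 401 512 "-"',
    '192.0.2.44 - - [10/Oct/2017:13:56:03 +0000] "POST /login HTTP/1.1" 401 512 "-"',
    '192.0.2.44 - - [10/Oct/2017:13:56:05 +0000] "POST /login HTTP/1.1" 401 512 "-"',
    # Via our own WAF: trusted X-Forwarded-For, real client is on the feed.
    '10.0.0.5 - - [10/Oct/2017:13:57:00 +0000] "GET /app HTTP/1.1" 200 900 "198.51.100.9"',
    # Forged X-Forwarded-For from an untrusted peer is ignored; judged as 192.0.2.80.
    '192.0.2.80 - - [10/Oct/2017:13:57:10 +0000] "GET /app HTTP/1.1" 200 900 "203.0.113.3"',
]

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_LOG).items():
        print(f"{addr:16} {verdict}")
```

Run as-is it prints a verdict per address: 203.0.113.7 is allowed even though it appears in the feed, 198.51.100.9 is blocked because the WAF's X-Forwarded-For is trusted, 192.0.2.80 is allowed because its forged header is ignored, and 192.0.2.44 is flagged for monitoring after three failed logins rather than blocked, which is where the extra monitoring from the answer above would start.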
Related Q&A from Nick Lewis