

DOI: 10.4018/IJDCF.2018040105

International Journal of Digital Crime and Forensics, Volume 10 • Issue 2 • April-June 2018

Copyright © 2018, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.


Detecting the Use of Anonymous Proxies

Jonathan McKeague, Ulster University, Londonderry, United Kingdom

Kevin Curran, Faculty of Computing and Engineering, Ulster University, Londonderry, United Kingdom

ABSTRACT

The Internet is built atop the Internet Protocol (IP), which has at its heart a unique identifier known as an IP address. Knowing the location of an IP address can be very useful in many situations, such as for banks to know if a connection is in progress from an online fraud hotspot. The apparent source IP address can be disguised, allowing attackers to bypass geographical IP restrictions and thus render some categories of fraud prevention useless. Anonymous proxies (AP), which act as intermediate relays that hide the true source IP address, can play a large role in cybercrime. There is a need to ascertain whether an incoming IP connection comes from its original source IP address, or is being routed through an anonymising proxy. This article concentrates on the various methods used by anonymising proxies, the characteristics of the anonymous proxies and the potential mechanisms available to detect whether a proxy is in use.

KEYWORDS

Anonymous Proxies, Network Security, Security, Traffic Classification

1. INTRODUCTION

Almost 3 billion people access the Internet daily (ITU, 2013). Whether Internet users are checking and sending emails, reading an online newspaper, researching, doing online shopping or online banking, the need for a secure system is a major challenge for those who develop internet security systems (Mallia, 2013). This is especially true for users who use the internet to do business or send private information, as more people are finding different ways to 'hack' into secure servers and exploit vulnerable data. In 2011 alone, the total amount stolen from businesses online amounted to $3.4 billion, up by $700 million from 2010 (Neustar, 2012). This figure is likely to increase as businesses use the Internet more. It is therefore a priority for businesses to invest in methods to protect themselves against such attacks.

Internet misuse is also a major headache for employers due to the increase in popularity of websites such as Facebook, YouTube, Twitter and Google+. This has led to a decrease in the productivity of their employees, which in turn leads to less profit. Network administrators have therefore had to block many of these websites from being used in the workplace in an attempt to mitigate the problem. Initially they attempted simply to block the IP addresses of the websites. IP addresses are registered to specific geographical locations; although they do not give the exact area where the user is located, they do usually identify the country from which the network is being accessed (Goralski, 2008). IP blocking worked quite well, as any time a user tried to access a website whose IP was blocked they would be denied access. This prompted users to try to find a way around the blocked IPs.

One simple method was the use of a proxy. A proxy website fetches the blocked site on the user's behalf, so the only destination IP the network ever sees is the proxy's own; this bypasses IP blocking of the destination website. Due to an increase in online banking, banks themselves have had to increase security in their systems and networks; examining IPs is one method they utilize. If a user is making a transfer online and the IP looks fraudulent, then the account holder will be contacted before the transfer is verified. There are thousands of free PHP/CGI proxies to use online, making it a simple way to bypass this basic security feature. Even if the proxy server that was used is blocked, there are thousands more to choose from, making the task of blocking them difficult (Lyon, 2009). The code for all of these proxies is open source; it can be downloaded and set up with ease, which means that anyone with a computer could theoretically create a proxy server. Another method that can be used to bypass security measures is Onion Routing (e.g. the Tor Browser), which is used to anonymize a user's traffic on the internet. This method uses different ports from those typically used for web browsing. Onion Routing works by routing internet traffic through several relays, with the traffic wrapped in one layer of encryption for each relay on the path (Dingledine et al, 2004).

This paper outlines a system called DetectProxy which can detect if any proxies are being used in the network by comparing the characteristics of the different proxies. This is accomplished by analysing the packets entering the network with scripts that determine the type of proxy being used. Once the proxies have been identified, information is sent to the network administrator. They will then be able to examine the time the proxy was in use and will have the option to block the proxy if it has been determined to be harmful or not needed on the network. Blocking the proxy will provide a more secure network for the business or institution.

2. ANONYMOUS PROXIES

This literature review is split into two sections. The first section discusses the different ways people can access networks and systems using anonymous proxies. The second section discusses the different ways of stopping or blocking anonymous proxies and the different tools used to aid this. Some of the main proxies, or ways to access the Internet anonymously, are PHPProxy, CGIProxy, Glype, Onion Routing/Tor and SSL Proxy.

PHPProxy is one of the most commonly used anonymous proxy servers. The code is written in PHP and can be obtained from SourceForge [1]. It can run on Windows, BSD (Berkeley Software Distribution), Solaris and Linux platforms, therefore making it possible to run on the majority of platforms. When taking a closer look at the statistics on the number of times the code has been downloaded, we see that over the past year there has been a gradual decrease, with the most downloads being 573 in one month and the lowest being 243; these statistics can be found on the SourceForge website [2]. A sample of a proxy website that uses PHPProxy can be found at http://wb-proxy.com/. This website simply allows the user to enter the destination URL that they would like; once entered, it will redirect the user to that website, as can be seen in Figure 1.

The resulting URL when the user clicks 'Browse' is as follows:

http://wb-proxy.com/index.php?q=aHR0cHM6Ly90d2l0dGVyLmNvbS8%3D


The PHPProxy server obfuscates the URL with Base64 encoding; this means that any network administrators who use keyword-analysis methods of blocking websites will not be able to block this method. Upon further inspection, the proxy URL can be split into three parts. The first part is the hostname, which is http://wb-proxy.com; the second part is 'index.php?q='; and the third part is the obfuscated URL, which in this case is 'aHR0cHM6Ly90d2l0dGVyLmNvbS8%3D' (the trailing '%3D' is the URL-encoded form of the Base64 padding character '='). When the obfuscated URL is put into a Base64 encoder/decoder [3], the outcome is 'https://twitter.com/'.

Base64 encoding is particularly important when the PHPProxy server is being used; if it were not used, the URL would be 'http://wb-proxy.com/index.php?q=https://twitter.com/'. This would be easily detected by a keyword-analysis program and blocked.

CGIProxy was created by James Marshall back in 1998 and can be downloaded from his website [4]. A notable difference between PHPProxy and CGIProxy is that CGIProxy does not obfuscate the URL unless it is configured to do so. This means that the person setting up the CGIProxy has to customise the code so that it obfuscates the URL. It can be used as an HTTPS, HTTP or FTP proxy. There are three main ways to encode the URL: Base64, ROT-13 and hex. PHPProxy solely uses Base64. A sample of a CGIProxy website that encodes the URL is https://scusiblog.org/proxy/nph-proxy.cgi. When www.twitter.com is entered into the website, the outcome is as follows:

https://scusiblog.org/proxy/nph-proxy.cgi/-0/68747470733a2f2f747769747465722e636f6d2f

From this we can see that the obfuscated URL is completely different from that of a PHPProxy-altered URL. When the URL is split down, the hostname, the script name and the '-0/' segment can be removed, leaving '68747470733a2f2f747769747465722e636f6d2f'. This particular CGIProxy uses hex encoding, two hex digits per character (0x68 is 'h', 0x74 is 't', and so on), therefore entering the string into a hex decoder [5] will leave you with 'https://twitter.com/'. The two URLs created by PHPProxy and CGIProxy are completely different; however, the result from both is exactly the same. A CGIProxy configured for Base64 encoding would produce something very similar to PHPProxy.

Figure 1. PHPProxy Website

Glype is a web proxy that has been coded in PHP. Glype was first released in 2007 and since then there have been over 721,000 downloads of the code [6]. When looking through a list of different proxies [7], Glype in particular stands out as being one of the most popular choices for hosting a proxy server. Glype is very similar to PHPProxy: it uses PHP as its programming language and it uses Base64 to encode the obfuscated URL. The main difference between the two is the encoded URL, which appears different from that of a PHPProxy-encoded URL. An example of a Glype-powered anonymous proxy can be found at https://branon.co.uk/glype/desktop-free/. As before in the other proxy websites, the user can enter the website they want to view and just click 'Go'; this will bring them straight to their destination web page. When www.twitter.com is entered into the website, the resulting URL is as follows:

https://branon.co.uk/glype/desktop-free/browse.php?u=czovL3R3aXR0ZXIuY29tLw%3D%3D&b=1

When you extract the Base64 string from the encoded URL and compare it with the encoded URL from a PHPProxy, you can see the difference. However, upon decoding, the result is essentially the same. Decoding the whole value 'czovL3R3aXR0ZXIuY29tLw==' (the '%3D%3D' is URL-encoded '==' padding) gives 's://twitter.com/': the leading 'http' of the scheme has been dropped before encoding, so the first four characters 'czov' decode to 's://' rather than being extraneous data, and the substring 'L3R3aXR0ZXIuY29tLw' on its own decodes to '/twitter.com/'. The trailing 'b=1' parameter is not part of the destination.

2.1. Onion Routing and Tor

Onion Routing sends data through a network of nodes (relays). The client wraps the data in one layer of encryption for each relay on the path; each relay removes its own layer and forwards the remainder, until the last layer is removed at the exit node and the data is sent on to its destination (Lee, 2013). The 'onion' part refers to these layers of encryption that are peeled away as the data moves through the different nodes. Because no single relay knows both the origin and the destination of the traffic, it is very difficult to trace (Chaabane et al, 2010). Onion routing also uses ports other than the normal port for web browsing, port 80: a client usually reaches its first relay on port 9001 or 443, and the Tor Browser hands its traffic to the local Tor process on port 9150 (9050 for a standalone tor daemon), which makes it more difficult for network administrators to monitor the traffic by port alone (Reed et al, 1998). Tor, originally an acronym for The Onion Router, is the network and software that implements onion routing (Li et al, 2011); the Tor Browser is a web browser bundled with it. The Tor Browser is exactly like any other web browser; however, the main difference between it and Chrome/Safari/Opera is that the user can surf anonymously. Tor itself was first released in 2002. It was originally developed with the U.S. Navy in mind, for the purpose of protecting government communications. Originally this was its main use; however, in more recent times the popularity of the Tor Browser has steadily grown, with more people growing concerned about their online privacy, one of the main reasons behind this being the NSA surveillance revelations by Edward Snowden (Dredge, 2013).

The Tor Browser bundle is simple to set up and can be downloaded directly from the Tor website [8]. Once the bundle examined here has been installed, the user is presented with the Vidalia Control Panel, from which they can connect to the Tor network (later bundles dropped Vidalia and connect from within the browser itself). While browsing with the Tor Browser, users can access thousands of websites that they cannot view in a normal web browser. A typical URL on the Tor network looks like this: http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page. If the URL is entered into Chrome, it will fail to resolve, because '.onion' names are only reachable through Tor. Most of the websites on the Tor network use '.onion'. The high level of security provided by the Tor Browser may suit some organisations that want to send data through a secure network; however, blocked websites can also be accessed through the browser, therefore a way of determining whether someone is using the browser is a must.

2.2. SSL Proxy

Secure Sockets Layer (SSL), and its successor TLS, is the standard way to get an encrypted link between a web browser and a web server [9]. Whenever a user accesses an SSL proxy, they will be using 'HTTPS'. Since the proxy is using SSL, the whole request is encrypted, including the path and query string that carry the obfuscated destination (typically under a 128- or 256-bit symmetric cipher); only the proxy's hostname and IP address remain visible to the network, which makes the destination virtually impossible to detect with keyword analysis. One of the main problems associated with SSL proxies is the cost. SSL certificates have traditionally been expensive and most anonymous web proxies will not pay for them, as they are trying to provide a free service (free certificates from ACME-based certificate authorities have since weakened this argument). Some of the SSL proxy sites that do charge (http://www.slickyproxy.com/ is an example) can be easily blocked by a network administrator, as they use a static hostname. Even if a free proxy is blocked by a network administrator, ten new proxies will replace it. The main income that free SSL proxies such as thesslproxy.com (https://www.thesslproxy.com/) will get is from advertising. When entering www.twitter.com into the proxy website, the resulting URL is:

https://www.thesslproxy.com/browse.php/CiNBfghu/8_2FLToI/7Me2cWjh/YpqKxM7W/8dVJGzXr/W1/b29/#.UoOc9vm-2m4

In comparison to the other proxies in this paper, we can see that this obfuscated URL is completely different. It is nearly impossible for a keyword-analysis filter to pick up; however, because SSL proxies are few in number, many of them can be blocked by hostname, making an SSL proxy an unviable option.

2.3. IP Blocking

IP blocking is one of the most common and basic methods of blocking, filtering or censoring IP addresses that may potentially have a bad effect on the network/server (Thomas et al., 2011). When using this method of security, a network administrator can block a single IP or many different IP addresses from accessing the network, or certain parts of the network, depending on the level of security needed. Whenever the administrator has identified a list of blocked IPs in the network, anyone on the network who tries to access any of those IP addresses will be blocked from doing so (Murdoch & Anderson, 2008). Network administrators can also block outside IPs from accessing their network, which means that any blocked IP outside the network will be unable to reach it. This is very useful if the network administrators have identified an IP that is trying to cause problems within the network. Companies such as Yahoo and Joomla have detailed measures in place for IP blocking; for instance, Yahoo has a service for users who have a store set up with them in their Merchant Solutions section [10]. Within this there are admin tools that are very useful, one of them being a section where you can enter IP addresses that you would like blocked. Firstly, you have to find the details of the IP you want to block using the DNS lookup, again provided by Yahoo. This will provide the IP address needed in order for you to block it. Yahoo allows up to 25 IP addresses to be added to the block list at once; however, it does have its restrictions, one of them being the fact that you can only block 150 IPs in total. Joomla is another company that provides IP blocking solutions to its customers. Joomla is a content management system (CMS); it allows users of the product to build websites and other applications online [11]. There are also extensions that can be added to the websites that are created, some of which include content restriction, email authentication, content protection and IP blocking. In the IP blocking section there are different types of extensions that can be added to the website, these being: Country/IP Block, Jban, GeoBlocker, CFBlockCountry, UmBan, TorIpBlock and JuBlockIP [12]. These extensions can be very useful when combined; for instance, if you did not want a certain country accessing your network, CFBlockCountry could be used. This extension will filter out any IPs from the country you want blocked and will not allow them access. IP blocking is a simple method of stopping a user from accessing a network, as it will make sure that the IP listed to be blocked is indeed blocked; however, this form of security is easily bypassed with the use of a proxy, because the network only ever sees the proxy's IP address, never the blocked destination's.

2.4. Access Control Lists

An Access Control List (ACL) is an ordered list of rules used by network administrators to decide which traffic may pass. Each rule, called an access control entry (ACE), permits or denies packets that match a source or destination address, protocol and port; the same ACL/ACE terminology is used in Windows for permissions on files and other objects (Microsoft, 2013). Whenever a user's traffic matches a permit entry in the ACL, they are allowed to access the network; however, any application used by the user will also have to be covered by an entry, because a deny-by-default ACL is very rigid: traffic on a port that is not included in the ACL is blocked straight away. Although this shows that the ACL is working properly, a valid user whose application uses a port that is not on the list will find themselves unable to access the network, and will have to contact the administrator to have it added. This may take some time, depending on whether the network administrator is on site or whether the organisation is a major multinational company. An example of a company whose equipment implements ACLs is Cisco. Within their ACLs there are different criteria that have to be met when setting up the lists (Cisco, 2006). A network administrator can set up many different ACLs for different departments within the one company; for example, if a company has two departments (Research & Development, and Government), a network administrator can specify whether a port can access both of the departments or only one of them. If the administrator does not include the port in the list, then access to the two departments will be denied. In large companies that have many different networks and subnetworks, setting up an ACL can take a lot of time (Lee et al, 2005).

2.5. Geolocation Security

Location Based Services (LBS) such as parcel tracking, indoor positioning, GPS navigation and network access have become a vital part of some people's lives. Most if not all new smartphones come with GPS capabilities built in. People often track their parcels to have an idea of when they might arrive or to find out what is causing a delay in their delivery. Indoor positioning systems such as SeniorLab [13], Pole Star [14] and IndoorAtlas [15] have all become very popular products over the past two years, as the indoor positioning market has seen a sharp rise, with more shopping centres, museums and airports using this new technology. Another useful service in the Location Based Services sector is geolocation security. With geolocation security, companies can monitor who accesses their networks and sometimes block certain users from accessing the networks based solely on their location. If a company is being attacked by a hacker, the network administrator can look at the IP address of the hacker, find out what country the IP is located in and block the IP addresses associated with that country for a brief period of time until the attacks stop (Kibirkstis, 2009). One of the main companies that supplies software in the field of geolocation security for online applications is Neustar, formerly known as Quova. One of their main products is IP Intelligence. This product provides the company using it with data on their customers: where they are and what they are using to connect to the web. Having access to this information makes it easier for companies to block transactions that they deem suspicious. Gmail also uses geolocation security: Gmail monitors the IP addresses from which the user normally logs in and contacts the user if a suspicious IP address has tried to access the account, which gives the user a chance to change their password before the hacker can access their email [16].

2.6. Base64 Encoding

Base64 encoding takes arbitrary binary data (including ordinary text) and represents it using 64 printable ASCII characters. One of the main reasons for doing this is so that binary data can pass intact through systems that were designed to handle only text (Knickerbocker et al, 2009). It is an encoding, not encryption: anyone can reverse it without a key. Base64 encoding is very useful to a proxy when it comes to bypassing keyword or blacklist filtering of URLs; for example, when you enter www.twitter.com into a Base64 encoder, you get the following output: d3d3LnR3aXR0ZXIuY29t. Many proxy websites use this form of encoding to bypass keyword filters on the network.

To convert text to Base64 format, first change each character to its equivalent ASCII value. Each ASCII value is then written as 8-bit binary, and the 8-bit values are concatenated into one bit stream. That bit stream is split into 6-bit groups (three 8-bit bytes give exactly four 6-bit groups; if the input is not a multiple of three bytes, the last group is filled with zero bits and the output is padded with '=' characters to a multiple of four); each 6-bit binary number is converted into a decimal number. The decimal number is then looked up in the Base64 index table, which is shown in Figure 2.

Table 1 shows the steps involved in converting 'www' to Base64 encoding. The reason the bit stream is split into 6-bit groups is so that all the Base64 values can be represented: the maximum binary value in 6-bit format is 111111, which when converted to decimal equals 63, the biggest value in the Base64 index.

A major security risk is PHP obfuscation, and Base64 encoding can be used to do this. The code in some web-based programs can be made extremely difficult for a human to read if it is stored as a Base64 string and decoded at run time (typically base64_decode() fed to eval()); therefore rogue code, or code that can be harmful, can make its way onto a machine without the user or some security software noticing (Raynal et al, 2012). However, converting code to Base64 by hand can be quite a tedious task, and mistakes can often occur. HTML5 standardised two methods that allow developers to convert page content to and from Base64: atob() decodes a Base64 string and btoa() encodes one [18]. These two methods are very useful when looking to change binary strings to Base64 and vice versa.
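The conversion described above, as an added worked example (this code is not from the paper): it carries the 'www' walk-through of Table 1 through every stage (bit stream, 6-bit groups, index values, alphabet lookup), then goes one step further than the table and handles an input that is not a multiple of three bytes and so needs '=' padding, using the PHPProxy destination from Section 2. The decode direction is the one applied to the proxy URLs earlier in this section. Results are cross-checked against Python's standard base64 module.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def encode_steps(data: bytes) -> dict:
    """Every intermediate stage of the conversion, in the order Table 1 lists them."""
    bits = "".join(f"{b:08b}" for b in data)        # 8 bits per input byte, one stream
    pad_bits = (-len(bits)) % 6                      # 0, 2 or 4 zero bits fill the last 6-bit group
    bits += "0" * pad_bits
    groups = [bits[i:i + 6] for i in range(0, len(bits), 6)]
    decimals = [int(g, 2) for g in groups]           # each group is 0..63
    encoded = "".join(ALPHABET[d] for d in decimals)
    encoded += "=" * ((4 - len(encoded) % 4) % 4)    # output padded to a multiple of 4 characters
    return {"binary": bits, "groups": groups, "decimal": decimals, "encoded": encoded}

def b64encode(data: bytes) -> str:
    return encode_steps(data)["encoded"]

def b64decode(text: str) -> bytes:
    """Reverse the steps: 6 bits per character, then drop the zero bits that padded the input."""
    body = text.rstrip("=")
    bits = "".join(f"{ALPHABET.index(c):06b}" for c in body)
    bits = bits[: len(bits) - len(bits) % 8]         # keep whole bytes only
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

if __name__ == "__main__":
    # 'www' needs no padding (3 bytes = 4 groups); the PHPProxy destination from Section 2 does.
    for sample in (b"www", b"www.twitter.com", b"https://twitter.com/"):
        steps = encode_steps(sample)
        print(sample.decode(), steps["groups"][:4], steps["decimal"][:4], steps["encoded"])
        assert steps["encoded"] == base64.b64encode(sample).decode()   # cross-check with stdlib
```

Running the block prints the four groups 011101 110111 011101 110111 and the indexes 29 55 29 55 for 'www', and shows that 'https://twitter.com/' (20 bytes, 160 bits) needs two zero bits and one '=' to come out as the 28-character string seen in the PHPProxy URL.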


2.7. Snort

Snort is an open source network intrusion detection and prevention system that was created by Martin Roesch and released in 1998; the Snort program is able to run quietly in the background, providing real-time traffic analysis and packet logging within networks [19]. Snort has many useful capabilities in terms of detecting attacks and probes, some of which include stealth port scans, operating system fingerprinting attempts, Server Message Block (SMB) probes, buffer overflows and Common Gateway Interface (CGI) attacks (Stanger et al, 2007). Sourcefire, a company that was founded by Roesch (and acquired by Cisco in 2013), owns and continues to develop Snort. The program has had millions of downloads and has nearly 400,000 registered users [19]. Snort provides three different functions/modes: Sniffer Mode, Packet Logger Mode and Network Intrusion Detection System (NIDS) Mode.

Sniffer mode reads all the packets that are going through the network and displays them on the console. This process runs continuously until the user turns it off. Packet logger mode, like sniffer mode, reads all the packets going through the network; however, it saves the packets to disk instead of displaying them continuously on the console. NIDS mode monitors all traffic that moves through the network and detects any intrusions that match its rule set. This is the most complex mode of Snort (Sourcefire, 2013). The installation of the NIDS can be complicated; however, there is a step-by-step guide for installing the program correctly. Snort can be used in conjunction with other programs in order to analyse the data that is going through the network; an example of one such program is BASE (Basic Analysis and Security Engine). BASE is a web interface that analyses the intrusions detected by the Snort IDS (intrusion detection system); within the program, users who are not comfortable editing files can also use the simple web-based setup program [20].

Figure 2. Base64 index [17]

Table 1. Base64 encoding

Letter           w          w          w
ASCII            119        119        119
Binary           01110111   01110111   01110111
Divided binary   011101   110111   011101   110111
Decimal          29       55       29       55
Base64 encoded   d        3        d        3

3. CAPTURING NETWORK TRAFFIC

It is important for network administrators to monitor traffic that is entering and exiting the network. Security is very important, therefore it is vital that any proxy or onion routing application in use can be identified. If a proxy is in use, more often than not it is not being used for legitimate reasons. There can, however, be a valid reason for someone in the company to use a proxy, for instance if they wanted to block certain web scripts from being run, or if they needed to test an application that is being mistakenly blocked; in the latter case the user should contact the network administrator to have the blocked application made available rather than resorting to a proxy.

3.1. Monitoring Network Traffic

The first step in the design of the system is to monitor the network traffic. Programs such as HttpFox, Snort or Wireshark can be used to monitor the traffic. This category of program can 'sniff' the traffic on a continuous basis, which is ideal for intrusion detection systems. Included in the data are the destination IP, the source IP, the protocol and other information about each packet. All of these programs have the ability to save the captured packets into a text (.txt) file, which makes it easier for the IDS to read the packets.

The first step in the design of the IDS was to examine the network packets and gain a good understanding of the data provided in each of the packets. Being able to determine the relevant information in the packets would greatly reduce the time spent finding common sequences within the proxy packets. Therefore, Wireshark was initially used to monitor the network traffic, with the results from the monitoring exported to a text file; this text file was key to determining how to detect an anonymous proxy. As the main program being used to 'sniff' the network packets was Wireshark, the initial idea was that it could be used in conjunction with the proxy detection script. This, however, meant that the program would not be standalone, which would not have been ideal. As the IDS's main purpose is to work on different platforms as a standalone program, a program written in Python was used instead. This program examines all the packets coming into and leaving the network. From this it could be altered to print all the packets to a log file so they could be examined, or run in the background scanning each of the packets as they entered/exited.

3.2. Software Used

Python was used because the IDS is run on multiple platforms, since the network administrator may be using more than Windows. One of the main libraries used in the Python script is the Pcapy Python library. Pcapy can be defined as follows: "Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network" [21]. The Pcapy library is used alongside other libraries in the script to produce the IDS. One of the other main libraries is the 're' library [22]. The 're' library provides support for regular expressions, which are used frequently within the script; these regular expressions are used to match different keywords against the contents of the network packets.


The network administrator starts the program running; they can do so by running it on the command line or using a Python program such as IDLE [23]. IDLE is the Python IDE; it is a multi-platform IDE with a multi-window text editor, and it also has a Python shell window where the network administrator can interact with the program. Once the program is started, a list of all the available network interfaces is presented. Each of the available network interfaces is listed with a number, so the administrator can select the interface they require. Once the interface is selected, the IDS starts scanning the network packets continuously. When the script has started, a new directory is created. This directory stores all the log files that are created when the IDS is in use. Along with the directory, a log file is created to store any proxies found while the IDS is running. A new log file is created each time the program is restarted; to differentiate between the logs, a date and time is included in the log file name. A list of common characteristic strings that each of the different proxies exhibits when its network packets traverse the network is necessary. Each of the proxies or onion routing applications has its own unique characteristics which make them different from a normal web browsing network packet. Although each proxy has its own characteristics, this does not mean that if one of the characteristics is found then it is definitely a proxy. Each proxy has to match two or more of its characteristics before it is flagged to the administrator and printed to the log file; this reduces false positives from ordinary traffic that happens to share a single feature with a proxy. As the program is designed to work in large networks, there could be many different proxies or onion routing applications being used at the same time. Matching the different characteristics and printing the result to the log is vital. As the program runs continuously, each packet containing the matched characteristics is printed to the log, providing the type of proxy, the date and time each packet went through the network and all the different information contained in the packet. This information will allow the administrator to track down the computer using the proxy and disable the access or query the usage of the proxy. The time it takes from a proxy entering the network to it being logged should ideally be only a few seconds; this enables the administrator to quickly find the proxy user.

3.3. Log Files

As the system runs on a local machine, the use of a database is not necessary. The IDS stores each proxy found in a text file which is similar to the output received when Wireshark is used to examine the network packets. However, the size of the text file is greatly reduced, depending on how many proxies are in use on the network. The file is designed with the user in mind and only the necessary details are printed to it. The details that are printed to the log can be viewed in Table 2.

A number of the packets may not contain all of the details that are listed in Table 2. However, they will contain the majority. The most important details contained in the network packets are the proxy name, the date and time of proxy usage, the destination MAC, the source MAC, both the source and destination IP addresses and the source and destination ports. All this information should give the network administrator enough detail to track down the proxy usage (note that the source MAC identifies the sending host only on the local segment; for traffic that has crossed a router it is the router's address, so the source IP is the field to pivot on). Due to the large number of network packets, if there is prolonged proxy usage without the network administrator addressing the situation then the log file could become very large and may take a while to open; therefore it is a good idea to monitor the program and restart it if the file is getting too big. Restarting the program will simply create a new log file with a new timestamp.
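The characteristic matching described in Sections 3.1 to 3.3, together with the three URL shapes from Section 2, as an added example. This is not the paper's DetectProxy code: it is a stand-alone Python sketch that decodes one Ethernet/IPv4/TCP frame into the fields the log records, scores the HTTP request against PHPProxy, Glype and CGIProxy characteristics, and produces a log line only when one proxy type matches two or more of them. The frames are constructed inside the block from the URLs quoted in Section 2 rather than captured; in the real system pcapy.open_live() would supply them. The characteristic labels, the rule that the decoded parameter must itself look like a URL, the treatment of CGIProxy's '-0' segment as a third characteristic, and the log line layout are this example's choices, not the paper's.

```python
import base64
import re
import struct
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"^[a-z]*://[\w.-]+")               # what a decoded destination should look like
_looks_url = lambda d: bool(d and URL_RE.match(d))

def _decode(text, hexa=False):
    """Decode hex (CGIProxy) or Base64 (PHPProxy, Glype; stripped '=' padding tolerated)
    to an ASCII string; None when the bytes are not ASCII or not decodable at all."""
    try:
        raw = bytes.fromhex(text) if hexa else base64.b64decode(text + "=" * (-len(text) % 4))
        return raw.decode("ascii") or None
    except ValueError:                 # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def classify_request(target):
    """Score a request target against the Section 2 URL shapes; (proxy, hits, dest) for >= 2 hits."""
    url = urlsplit(target)
    qs = dict(parse_qsl(url.query, keep_blank_values=True))   # percent-decodes %3D etc.
    m = re.search(r"/nph-proxy\.cgi(?:/(-?\d+)/([0-9a-fA-F]+))?", url.path)
    q_dest, u_dest = _decode(qs.get("q", "")), _decode(qs.get("u", ""))
    h_dest = _decode(m.group(2), hexa=True) if m and m.group(2) else None
    shapes = [  # proxy, decoded destination, characteristic -> present?
        ("PHPProxy", q_dest, {"index.php endpoint": url.path.endswith("/index.php"),
                              "q= decodes to a URL": _looks_url(q_dest)}),
        ("Glype", u_dest, {"browse.php endpoint": url.path.endswith("/browse.php"),
                           "u= decodes to a URL": _looks_url(u_dest),
                           "b= parameter present": "b" in qs}),
        ("CGIProxy", h_dest, {"nph-proxy.cgi endpoint": bool(m),
                              "hex segment decodes to a URL": _looks_url(h_dest),
                              "leading option segment": bool(m and m.group(1))}),
    ]
    best = None
    for proxy, dest, checks in shapes:
        hits = [label for label, present in checks.items() if present]
        if len(hits) >= 2 and (best is None or len(hits) > len(best[1])):
            best = (proxy, hits, dest)
    return best

def parse_frame(frame):
    """Ethernet II / IPv4 / TCP headers -> the per-packet fields the log records, plus payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ethertype != 0x0800 or ip[9] != 6:
        raise ValueError("only IPv4/TCP frames are inspected")
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"src_mac": mac(src_mac), "dst_mac": mac(dst_mac),
            "src_ip": dotted(ip[12:16]), "dst_ip": dotted(ip[16:20]),
            "src_port": sport, "dst_port": dport,
            "payload": tcp[(tcp[12] >> 4) * 4:]}            # TCP data offset is in 32-bit words

def parse_http_request(payload):
    """'GET /target HTTP/1.1 ... Host: h' -> (target, host), or None for non-HTTP payloads."""
    m = re.match(rb"(?:GET|POST) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
    return m.group(1).decode("ascii"), (host.group(1).decode("ascii") if host else "")

def inspect_frame(frame, stamp=None):
    """One log line per flagged packet (proxy, time, MACs, IPs, ports, hits), else None.
    A live deployment would feed frames from pcapy.open_live(dev, 65535, True, 100).next()."""
    f = parse_frame(frame)
    req = parse_http_request(f["payload"])
    verdict = classify_request(req[0]) if req else None
    if verdict is None:
        return None
    proxy, hits, dest = verdict
    stamp = stamp or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    return (f"{stamp} proxy={proxy} host={req[1]} dest={dest} "
            f"src={f['src_ip']}:{f['src_port']} ({f['src_mac']}) "
            f"dst={f['dst_ip']}:{f['dst_port']} ({f['dst_mac']}) hits={'; '.join(hits)}")

def build_frame(payload, src_ip="192.168.1.23", dst_ip="203.0.113.10", sport=51234, dport=80):
    """Constructed frame for offline testing (checksums left at zero; not a real capture)."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

# Constructed requests from the Section 2 URLs; 'benign' shares one characteristic with PHPProxy only.
SAMPLES = {
    "glype": b"GET /glype/desktop-free/browse.php?u=czovL3R3aXR0ZXIuY29tLw%3D%3D&b=1 HTTP/1.1\r\nHost: branon.co.uk\r\n\r\n",
    "phpproxy": b"GET /index.php?q=aHR0cHM6Ly90d2l0dGVyLmNvbS8%3D HTTP/1.1\r\nHost: wb-proxy.com\r\n\r\n",
    "cgiproxy": b"GET /proxy/nph-proxy.cgi/-0/68747470733a2f2f747769747465722e636f6d2f HTTP/1.1\r\nHost: scusiblog.org\r\n\r\n",
    "benign": b"GET /index.php?q=proxy+policy HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:9s} {inspect_frame(build_frame(request))}")
```

The 'benign' sample is the reason for the two-hit rule: an intranet search page that happens to live at index.php?q= matches one PHPProxy characteristic, but its q= value does not decode to a URL, so nothing is logged. The three real proxy requests each score two or three hits and produce a line carrying the fields of Table 2 plus the decoded destination, which is what lets the administrator see where the user was actually going.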

3.4. WAMP Server

As the proxies had to be hosted on a web server, a server had to be sourced. WAMP v2.4 was the version used. It contains Apache 2.4.4, MySQL 5.6.12 and PHP 5.4.12. One of the main sections of WAMP is the www directory, and this directory is where each of the different proxies is stored. Different versions of Apache and PHP can be downloaded and installed by selecting the Apache folder/PHP folder and then selecting the version. Selecting a different version can be necessary for older versions of a proxy that may not be able to run on the newest version of PHP. To make sure the WAMP server is working correctly, open a web browser and type http://localhost in the address bar; if the WAMP server home page appears, the WAMP server is working correctly. When the WAMP server is functioning correctly, the proxies can be downloaded and placed in the server; the Tor Browser can also be downloaded, however it does not need to be placed within the server. The Tor Browser can be downloaded directly from the Tor Project website [24]. The download contains a Vidalia Control Panel and the Tor web browser itself. Each of the three web scripts was downloaded next, PHPProxy [25], Glype [26] and CGIProxy [27]; all of the proxies were available to download as a ZIP file, which can be extracted into the www directory on the WAMP server. The files, however, have to be edited before they can be used properly on the server. Perl has to be installed before CGIProxy can be used; CGI functionality also has to be enabled. PHP functionality has to be enabled before the PHPProxy and Glype web scripts can be used. Once these steps are performed, each of the web scripts can be used to browse the internet anonymously. Free proxies can also be found online that enable you to test the system and also to compare the network packets; there are many lists that contain these proxies, a sample of which can be found at http://list.glype.com/.

4. PROXY DETECTION

When the proxies are running, the network packets have to be captured; to do this, Wireshark had to be downloaded and installed (endnote 28). Python was used to sniff for network packets. The code initially printed all the packets out to the command line or to IDLE; as the code was open source it could be edited, which made using it very convenient. It was decided to continue using the Python network analysis code as an integral part of the IDS. The first step was to get it to print its output to a log file. This was done by creating a directory to store the log files in. Once the directory was created, it is checked each time the program is run, just to make sure it exists; if it does not, the program creates it. The log file is the next item created each time the program is started. This, however, differs from the directory in that it is not static: each log file created has the date and time of its creation in its unique name. After the log file code was finished, selecting the network interface that needed to be scanned had to be coded. The original code had the function to search for the network devices; however, selecting the devices when they were printed was time consuming.

Table 2. Network Packet Details

- Proxy Name
- Date and Time of Proxy Usage
- Destination MAC
- Source MAC
- Protocol
- Version
- IP Header Length
- Time to Live (TTL)
- Source IP Address
- Destination IP Address
- Source Port
- Destination Port
- Sequence Number
- Acknowledgment
- TCP Header Length
- Data
- Host
- User Agent
- Accept (html, xml, etc.)
- Accept-Language
- Accept Encoding
- Referrer
- Cookie
- Connection Type
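The log layout of section 3.3 and the start-up steps of section 4 (create the log directory if it is missing, open one timestamped log file per run, write the Table 2 fields for each detected packet), as an added Python example that is not the paper's IDS code. The directory name "proxy_logs", the file-name pattern, the record layout and the sample packet are assumptions made here; the field names are those of Table 2, with the HTTP headers pulled out of the request payload.

```python
import os
import tempfile
from datetime import datetime

# Table 2 fields in the order they are written to the log (Proxy Name and
# Date and Time are written first by build_record). Header names use the
# on-the-wire spelling so they can be matched in the request payload.
TABLE2_FIELDS = (
    "Destination MAC", "Source MAC", "Protocol", "Version", "IP Header Length",
    "Time to Live (TTL)", "Source IP Address", "Destination IP Address",
    "Source Port", "Destination Port", "Sequence Number", "Acknowledgment",
    "TCP Header Length", "Data", "Host", "User-Agent", "Accept",
    "Accept-Language", "Accept-Encoding", "Referer", "Cookie", "Connection",
)
HEADER_FIELDS = ("Host", "User-Agent", "Accept", "Accept-Language",
                 "Accept-Encoding", "Referer", "Cookie", "Connection")


def parse_http_headers(payload):
    """Pull the Table 2 header fields out of a plain HTTP request payload.
    Headers that are absent are simply left out, as the paper notes not
    every packet carries all of them."""
    wanted = {h.lower(): h for h in HEADER_FIELDS}
    fields = {}
    for line in payload.split("\r\n")[1:]:   # line 0 is the request line
        if not line:
            break                            # blank line ends the headers
        name, sep, value = line.partition(":")
        key = wanted.get(name.strip().lower())
        if sep and key:
            fields[key] = value.strip()
    return fields


def open_log(directory="proxy_logs", now=None):
    """Create the log directory if it does not exist and return the path of
    a fresh log file whose name carries the start date and time."""
    os.makedirs(directory, exist_ok=True)
    stamp = (now or datetime.now()).strftime("%Y-%m-%d_%H-%M-%S")
    return os.path.join(directory, f"proxy_log_{stamp}.txt")


def build_record(proxy_name, when, packet):
    """Assemble one log record in Table 2 order. `packet` holds the layer
    fields under their Table 2 names plus a 'payload' string; the request
    line becomes 'Data' and the HTTP headers are parsed from the payload."""
    values = dict(packet)
    payload = values.pop("payload", "")
    values["Data"] = payload.split("\r\n", 1)[0]
    values.update(parse_http_headers(payload))
    lines = [f"Proxy Name: {proxy_name}",
             f"Date and Time of Proxy Usage: {when:%Y-%m-%d %H:%M:%S}"]
    for key in TABLE2_FIELDS:
        if key in values:
            lines.append(f"{key}: {values[key]}")
    return "\n".join(lines) + "\n\n"


def log_detection(path, proxy_name, when, packet):
    """Append one record to the log file and return the record written."""
    record = build_record(proxy_name, when, packet)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(record)
    return record


# Constructed sample packet (documentation addresses, not captured traffic).
SAMPLE_PACKET = {
    "Destination MAC": "00:11:22:33:44:55", "Source MAC": "66:77:88:99:aa:bb",
    "Protocol": "TCP", "Version": 4, "IP Header Length": 20,
    "Time to Live (TTL)": 64,
    "Source IP Address": "192.0.2.10", "Destination IP Address": "198.51.100.7",
    "Source Port": 51234, "Destination Port": 80,
    "Sequence Number": 1, "Acknowledgment": 1, "TCP Header Length": 20,
    "payload": ("GET /browse.php?u=aHR0cDovL3d3dy5leGFtcGxlLmNvbS8%3D HTTP/1.1\r\n"
                "Host: proxy.example\r\nUser-Agent: Mozilla/5.0\r\n"
                "Accept: text/html\r\nAccept-Encoding: gzip\r\n"
                "Connection: keep-alive\r\n\r\n"),
}


def demo():
    """Write one constructed Glype detection into a fresh temporary log
    directory and return (log_path, record) for inspection."""
    when = datetime(2014, 3, 21, 14, 30, 5)      # fixed time for a repeatable name
    path = open_log(tempfile.mkdtemp(prefix="ids_demo_"), now=when)
    return path, log_detection(path, "Glype", when, SAMPLE_PACKET)


if __name__ == "__main__":
    log_path, written = demo()
    print(f"wrote to {log_path}\n{written}")
```

Restarting the program simply calls open_log again, which is what gives each run its own file; because records are appended, a long-running instance grows the file exactly as section 3.3 warns.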


4.1. Glype Proxy Detection

For each of the different proxies, four different logs were created to compare each of the packets and find similarities within them that could be used to prove that they are in fact from a proxy. If any of the similarities are also contained in normal web browsing packets then they may throw off the results, so the similarities must be unique. In comparison with a normal web browsing network packet there are a few common occurrences, one being the destination port, which is port number 80. This is the port used for most network packets; if the packets going through the network are secure, they go through port 443. Each of the packets viewed while the Glype proxy was running contained the command "GET" and the protocol used was "HTTP"; the command and the protocol were contained within the data in the packet. Another difference noticed in the packet was the use of "browse.php?u="; in particular ".php?u=" was identified, because "browse" is just the index page and can be called anything, so it may differ between proxy servers. Once the three characteristics had been identified they could be used to detect the Glype proxy. The first action was to add the three characteristics to a list. To search the proxies entering the system, after some research it was decided that regular expressions (regex) would be best. To get started with regex, 'import re' was added to the globals in the IDS code. Then the regex strings were created; these strings were specifically written so that they ignore case and whitespace.

After the regex list was completed it could be used to match against the network packets. The regex goes through each characteristic and tries to match it against the packet, as can be seen from the line 'glype[0] = re.match(glypeStrings[0], str(packet1))', in which the string '.php\?u=' is matched against packet1. The code then goes through an IF statement: if all three characteristics are found within the packet, it sets the result equal to 1 and prints 'GLYPE', followed by the time the proxy was found and then the packet in which the proxy was found, to the log. The result is passed through the loop; if it equals 1, then "Glype usage detected" is printed to the console.

4.2. PHPProxy Detection

The detection method for PHPProxy is very similar to the detection of Glype. The protocol used in the packet is 'HTTP' and the command is 'GET'; the only difference from the three characteristics of Glype is the third characteristic. In the packet, 'index.php?q=aHR0c' is the common occurrence across the different log files. Again, the 'index' part of the string can be dropped as it can vary between proxy servers, leaving the detection string as '.php?q=aHR0c'. The only difference between the PHPProxy code and the Glype code is the detection string in the regex. The result if a proxy is detected is '2', which results in "PHPProxy Usage Detected" being printed to the console.

4.3. CGI Proxy Detection

The CGI proxy differs from the previous two proxy servers. The previous two proxies use port 80 when transferring packets, while the CGI script uses a secure server and goes through port 443. The data received in the network packet is encrypted as it goes through a secure server using the Secure Sockets Layer (SSL) protocol; this makes it extremely difficult to find the characteristics needed to determine whether a CGI proxy is in fact being used. Decrypting the data without the encryption key would take many years; this unfortunately means it is impossible to provide the criteria necessary to detect the CGI proxy. The only visible data that can be used from the network packets is the protocol and the port number, which are shared by the many different websites that use 'https', including Gmail, Facebook and all banking websites.

When testing different CGI proxies that are available online, it was noted that they all use SSL. 100% of the CGI proxies viewed online charged a subscription fee, which could cost up to €120 a year or, if paid monthly, €20 per month; due to this fee they are not as common as Glype or PHPProxy, both of which offer their services for free. This, however, only applies to the proxies using SSL. The CGI proxy can also be used without SSL, though the CGIProxy web page (endnote 29) highly recommends that it be used on a secure server. Since the CGI script can be implemented on an unsecure server, the packets would then be readable. The CGI proxies' main difference from the previous two proxies is the use of .cgi instead of .php. The proxy protocol is 'HTTP', the command used is 'GET' and it also uses port 80. Therefore the four characteristics used to determine the usage of an unsecure CGI proxy script are: HTTP, GET, .cgi and Dest Port: 80. The format of the code is similar to the other two proxies, the only difference being the extra matching string. If each of the characteristics is matched in the network packet, the result is printed first to the log and then to the console.
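The signature matching of sections 4.1, 4.2 and 4.3 in one place, as an added Python example that is not the paper's IDS code. The characteristic strings ('GET', 'HTTP', '.php?u=', '.php?q=aHR0c', '.cgi' and destination port 80 for the unsecure CGI proxy) are the paper's; the packet dicts and sample payloads are constructed here, and the result code 3 for the CGI proxy is an assumption (the paper gives 1 for Glype and 2 for PHPProxy). Two design choices differ from the quoted line in section 4.1: re.search is used so the fragment may sit anywhere in the payload (re.match only matches at the start of the string), and 'GET' is anchored to the start of the request line to avoid matching the same letters inside other data.

```python
import re

# Each entry: (characteristic patterns, required destination port, result code).
# All patterns of a signature must match before the packet is reported, which
# is the paper's "two or more characteristics" rule applied to every string.
# Result codes 1 and 2 are the paper's; 3 for CGIProxy is an assumption.
SIGNATURES = {
    "Glype":    ([r"^GET\s", r"\sHTTP/1\.[01]", r"\.php\?u="],      None, 1),
    "PHPProxy": ([r"^GET\s", r"\sHTTP/1\.[01]", r"\.php\?q=aHR0c"], None, 2),
    "CGIProxy": ([r"^GET\s", r"\sHTTP/1\.[01]", r"\.cgi"],          80,   3),
}

# IGNORECASE and VERBOSE reproduce the paper's "ignore case and whitespace".
COMPILED = {
    name: ([re.compile(p, re.IGNORECASE | re.VERBOSE) for p in pats], port, code)
    for name, (pats, port, code) in SIGNATURES.items()
}


def classify(packet):
    """Return (proxy_name, result_code) when every characteristic of one
    signature matches this packet, otherwise None."""
    payload = packet.get("payload", "")
    if not isinstance(payload, str):
        # SSL traffic reaches the sniffer as opaque bytes: there is nothing to
        # match, which is the blind spot the paper reports for the SSL CGI proxy.
        return None
    for name, (regexes, port, code) in COMPILED.items():
        if port is not None and packet.get("dst_port") != port:
            continue
        if all(r.search(payload) for r in regexes):
            return name, code
    return None


def scan(packets):
    """Run classify() over a packet list and return [(index, proxy_name)]."""
    hits = []
    for i, pkt in enumerate(packets):
        result = classify(pkt)
        if result is not None:
            hits.append((i, result[0]))
    return hits


# Constructed sample packets (not captured traffic). The base64 value
# aHR0cDovL3d3dy5leGFtcGxlLmNvbS8= decodes to "http://www.example.com/",
# which is why the PHPProxy signature can rely on the "aHR0c" prefix.
SAMPLE_PACKETS = [
    {"dst_port": 80, "payload": "GET /browse.php?u=aHR0cDovL3d3dy5leGFtcGxlLmNvbS8%3D&b=4 HTTP/1.1\r\n"
                                "Host: proxy.example\r\n\r\n"},
    {"dst_port": 80, "payload": "GET /index.php?q=aHR0cDovL3d3dy5leGFtcGxlLmNvbS8%3D&hl=3ed HTTP/1.1\r\n"
                                "Host: proxy.example\r\n\r\n"},
    {"dst_port": 80, "payload": "GET /nph-proxy.cgi/000100A/http/www.example.com/ HTTP/1.1\r\n"
                                "Host: proxy.example\r\n\r\n"},
    # Start of a TLS record: the request inside an SSL session is not visible.
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    {"dst_port": 80, "payload": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    # Ordinary site whose query parameter merely starts with "u": no ".php?u=".
    {"dst_port": 80, "payload": "GET /profile.php?user=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for index, name in scan(SAMPLE_PACKETS):
        print(f"packet {index}: {name} usage detected")
```

The last two sample packets show the limits of the approach: a legitimate page whose parameter is literally named u (for example /page.php?u=5) would still match the Glype signature, so the paper's insistence on combining several characteristics is what keeps the false-positive rate down, and nothing in the rule can see inside the SSL packet.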

4.4. Tor Browser Detection

The code for the Tor Browser was the last to be implemented. Its detection characteristics are completely different from those of the other three proxies, mainly because of the randomness of the network packets when the Tor Browser is being used. The Tor Browser uses many different ports when sending and receiving packets: 9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150 and 9151. It also uses port 80, which is used for all normal web browsing that does not use SSL, and port 443, which is used for secure browsing. The two main ports the Tor Browser uses are 80 and 443; these two ports, however, cannot be used to identify the onion routing application, as all normal web browsing would also be flagged up as using the browser. Therefore the other ports listed have to be used to identify it. This unfortunately means the Tor Browser could be in use for many minutes before it is flagged up on the screen. When examining a packet there were a few interesting pieces of data. Firstly, the port used was port 80, which generally means the data in the network packet can be viewed; however, the data in the packet in this instance was encrypted and therefore no details could be taken from it. The second thing noticed in the packet was the Source Address, which was 131.188.40.188. When searching for this IP it was found within a list of known Tor nodes, which verified that it was indeed a packet from the Tor Browser. The source address is useful to verify that it is the Tor Browser; however, due to the large number of IP addresses in the Tor network it is not possible to add them to the characteristics. This leaves the ports listed above as the only way to identify them, and because of this the accuracy of the detection may not always be 100%. One of the main differences in the code is the use of the operator 'or' instead of 'and': the system does not have to match 3 or 4 different characteristics, it only has to match one of them to flag it up on the console. Another port the Tor Browser uses is port 9100; this port, however, is often used by wireless printers, and using it would create a lot of false positive results. Because of the large number of false positives, it was decided that leaving that port out of the detection string was the best action to take.
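The port-based Tor Browser rule described above, replayed over constructed packet flows inside the five-minute test window of section 5, as an added Python example that is not the paper's code. The port list is the paper's (80 and 443 left out because every browser uses them, 9100 left out because of the printer false positives); the flows, port numbers on the client side and test names are constructed here, and the "late hit" flow goes beyond the paper's cases to show how the window length decides whether a slow-to-appear Tor port is caught.

```python
# Ports the paper attributes to the Tor Browser, excluding 80 and 443 (all
# browsers) and 9100 (wireless printers, a source of false positives).
TOR_PORTS = frozenset({9001, 9002, 9003, 9004, 9030, 9031, 9032, 9033, 9150, 9151})

# Five minutes per test, as in section 5.
TEST_WINDOW_SECONDS = 300


def is_tor_candidate(src_port, dst_port):
    """The 'or' rule of section 4.4: one matching port on either side is enough."""
    return src_port in TOR_PORTS or dst_port in TOR_PORTS


def run_test(flow, window_seconds=TEST_WINDOW_SECONDS):
    """Replay (seconds_since_start, src_port, dst_port) tuples in order and
    return (detected, seconds_to_first_hit). Packets after the window are
    ignored, which is how a Tor port that appears late can be missed."""
    if not flow:
        return False, None
    start = flow[0][0]
    for ts, src_port, dst_port in flow:
        if ts - start > window_seconds:
            break
        if is_tor_candidate(src_port, dst_port):
            return True, ts - start
    return False, None


def run_suite(suite):
    """Replay every named flow; return ({name: detected}, detection_rate)."""
    outcomes = {name: run_test(flow)[0] for name, flow in suite.items()}
    rate = sum(outcomes.values()) / len(outcomes) if outcomes else 0.0
    return outcomes, rate


# Constructed flows (not captured traffic); client-side ports are arbitrary
# ephemeral values.
FLOW_HTTP_SITE = [(0.0, 51234, 443), (1.5, 51235, 9001), (2.0, 51235, 9001), (9.0, 51236, 80)]
FLOW_HTTPS_ONLY = [(0.0, 51240, 443), (3.0, 51241, 443), (120.0, 51242, 443)]
FLOW_PRINTER = [(0.0, 51250, 9100), (0.2, 51250, 9100)]
FLOW_LATE_HIT = [(0.0, 51260, 443), (400.0, 51261, 9030)]

SUITE = {
    "news_site_http": FLOW_HTTP_SITE,    # a Tor port appears early: detected
    "gmail_https": FLOW_HTTPS_ONLY,      # only 443 seen: missed, like tests 2, 3, 5, 11
    "wireless_printer": FLOW_PRINTER,    # 9100 is deliberately not in the rule
    "late_tor_port": FLOW_LATE_HIT,      # hit arrives after the 5-minute window
}

if __name__ == "__main__":
    outcomes, rate = run_suite(SUITE)
    for name, detected in outcomes.items():
        print(f"{name}: {'Onion Routing usage detected' if detected else 'nothing printed'}")
    print(f"detection rate: {rate:.0%}")
```

Because the rule fires on a single port, widening TOR_PORTS (for example by adding 9100 back) raises detections and false positives together; lengthening the window only trades detection latency for coverage, which is the compromise the paper describes.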

5. TESTING

This section documents the thorough testing performed on the system to ensure that it performs the tasks detailed in the previous sections and that it performs them to a high standard. It is important that any errors or unexpected crashes are found and fixed before the end product is finalized.

Each of the different proxies and onion routing applications was tested thoroughly by performing a series of Internet activities that may be carried out on a daily basis by an average Internet user. The activities are listed in Table 3.

The IDS was given 5 minutes per test to monitor the network and to verify that it was detecting each of the proxies. The websites were accessed by first entering the URL into the proxy start page or into the start page in the Tor Browser. The program was also tested when the user was not using any proxy or the Tor Browser, to verify that it was not flagging up any proxies when they were not in use. Altogether there were 60 log files created in total to test the program.


5.1. Normal Browsing Test

Before any of the proxies and onion routing applications could be tested, the IDS was tested while the user was browsing the internet normally without the use of a proxy. The web browser used for all the tests apart from the Tor Browser was Google Chrome. Only one tab was open at any one time, with all other internet-related applications such as Skype, Dropbox and Google Drive closed so that the tests would be precise.

Table 4 shows the results when there is no proxy usage in the network: nothing was printed to the console, so no proxy was found in the 5 minutes the IDS was running for each of the twelve individual tests. These results are exactly what was expected from the program; if a proxy or onion routing application had been found, the system would have been flagging up false positive results.

Table 3. Regular Internet Browsing Tasks

Test  Activity
1  Browse the Guardian news website and view videos
2  Log in to Gmail and send an email
3  Log in to Twitter and view some tweets
4  Browse Amazon and make a purchase
5  Log in to Facebook and browse multiple pages
6  Visit the BBC Sports section and post a comment in the comments section
7  Listen to iRadio on their live radio stream
8  Upload an image to Imgur or Photobucket
9  Select a YouTube video from your account
10  Download a ZIP file from a reliable source
11  Perform a search using a search engine such as Google or Bing
12  Go to Miniclip and play a game

Table 4. Normal browsing test results

Test  Result
1  No Proxy usage detected
2  No Proxy usage detected
3  No Proxy usage detected
4  No Proxy usage detected
5  No Proxy usage detected
6  No Proxy usage detected
7  No Proxy usage detected
8  No Proxy usage detected
9  No Proxy usage detected
10  No Proxy usage detected
11  No Proxy usage detected
12  No Proxy usage detected


5.2. Glype Proxy Test

The first proxy to be tested was the Glype proxy. Since the availability of proxies online was very high, it was decided that it would be best to test a proxy that was currently available online. The web-based proxy used to test the Glype proxy was 'www.proxyserver.com'. This proxy was found within a list of available proxies on the Glype website (endnote 30); the list also contained many other proxies, which were used to test the other proxy types. The first thing to do was to start the program running. All other web pages were closed to make sure it was just the proxy being used in the network. The IDS was then started to sniff the network packets. The results printed to the console while the program was running during each of the tests are shown in Table 5.

As can be seen in Table 5, the results show that the IDS is working as it should when a Glype proxy is being used in the network. Each test was detected, with the statement 'Glype Proxy usage detected' being printed multiple times. The network packets were also printed out to the log, showing the 3 different characteristics used to detect the proxies contained within them. Another Glype proxy was also tested; this proxy can be found at ''. The results from that proxy were identical to those in Table 8, proving that the characteristics are correct and that the IDS has a 100% success rate when a Glype proxy is in use.

5.3. PHPProxy Test

The second proxy tested was the PHPProxy. The same format as the previous test was used to test the proxy. The proxy used can be found at 'http://proxyanonymizer.net/'. The results from the different tests can be seen in Table 6. There were problems with using the proxy: while logging in to a secure website such as Gmail, the Gmail service blocked the login as the location was completely different from where the email is usually accessed. The IDS, however, still picked up the use of the proxy, as there were 3 different pages accessed while performing the test.

Once again, the results from the IDS proved successful, with 100% of the tests being detected by the system. This proved that the 3 characteristics, 'GET', 'HTTP' and '.php?q=aHR0c', were being picked up in every network packet created by the PHPProxy. A second PHPProxy was tested to verify the results; the proxy can be found at 'http://proxy-up.net/'. Again, the results returned 100% accuracy.

Table 5. Glype Proxy Test

Test  Result
1  Glype Proxy usage detected
2  Glype Proxy usage detected
3  Glype Proxy usage detected
4  Glype Proxy usage detected
5  Glype Proxy usage detected
6  Glype Proxy usage detected
7  Glype Proxy usage detected
8  Glype Proxy usage detected
9  Glype Proxy usage detected
10  Glype Proxy usage detected
11  Glype Proxy usage detected
12  Glype Proxy usage detected


So far, testing both proxies returned a 100% success rate, with 48 tests performed: 24 for the Glype proxy and 24 for the PHPProxy (Figure 3).

5.4. CGI Proxy Test

The CGI proxy was the third proxy to be tested. As previously noted, due to the use of SSL in the proxy, the characteristics could not be found and therefore the proxy could not be detected. This meant that the results for the CGI proxy test would be a 100% fail rate; this only applied to the proxy when it was using SSL. The proxy, however, can also be used without SSL, and in that case the characteristics were found.

Table 7 verifies the results expected when the CGI proxy is using SSL: each of the tests failed to show any proxy usage within the network. The proxy used was found at 'https://morphium.info/'.

After the SSL CGI proxy was tested, a CGI proxy that does not run on a secure server was tested. This proxy's URL is 'http://anonymouse.org/'. One of the main differences that stands out between the two CGI proxies' URLs is that the first one contains 'https' in the URL while the second CGI proxy has 'http' in the URL, which shows that the second one does not use a secure server. The results from the testing of the unsecure CGI proxy can be seen in Table 8.

Table 6. PHPProxy usage test

Test  Result
1  PHPProxy usage detected
2  PHPProxy usage detected
3  PHPProxy usage detected
4  PHPProxy usage detected
5  PHPProxy usage detected
6  PHPProxy usage detected
7  PHPProxy usage detected
8  PHPProxy usage detected
9  PHPProxy usage detected
10  PHPProxy usage detected
11  PHPProxy usage detected
12  PHPProxy usage detected

Figure 3. Pass rate for both the PHPProxy and Glype Proxy

The results between the two are stark, with the IDS catching 100% of the unsecure CGI proxy tests and the SSL CGI proxy evading detection completely (Figure 4).

5.5. Tor Browser Test

The final proxy/onion routing application to be tested was the Tor Browser. Up until now the results from each of the previous tests have been straightforward, with the results returned as expected. This, however, was not the case for the Tor Browser, as its characteristics did not include the two ports through which most of the traffic flowed. The results from the Tor Browser testing can be seen in Table 9. With the twelve tests completed, eight of them passed, with 'Onion Routing usage detected' being printed to the console. Four of them resulted in nothing being printed to the console, meaning that the IDS did not detect the use of the Tor Browser.

Table 7. CGI Proxy using SSL

Test  Result
1  No Proxy detected
2  No Proxy detected
3  No Proxy detected
4  No Proxy detected
5  No Proxy detected
6  No Proxy detected
7  No Proxy detected
8  No Proxy detected
9  No Proxy detected
10  No Proxy detected
11  No Proxy detected
12  No Proxy detected

Table 8. Unsecure CGI proxy test

Test  Result
1  CGI Proxy usage detected
2  CGI Proxy usage detected
3  CGI Proxy usage detected
4  CGI Proxy usage detected
5  CGI Proxy usage detected
6  CGI Proxy usage detected
7  CGI Proxy usage detected
8  CGI Proxy usage detected
9  CGI Proxy usage detected
10  CGI Proxy usage detected
11  CGI Proxy usage detected
12  CGI Proxy usage detected

As these tests were carried out over a five-minute period, it is not always guaranteed that the IDS will miss the detection of the Tor Browser; if, for instance, it had ten minutes per test, the program may have picked it up. As the program is meant to pick up each of the proxies/onion routing applications almost instantaneously, using ten minutes to test it would not be feasible. Looking more closely at the results from the Tor Browser tests, we can see it failed to detect the browser in tests 2, 3, 5 and 11. These tests involve using Gmail, Twitter, Facebook and Google respectively; one thing each of them shares is the use of 'https' for secure browsing. Taking a closer look at the network packets while browsing each of these websites shows that each of them uses port 443 for all of the packets, and because of this the IDS will not detect them. Amazon also uses 'https' when the consumer is purchasing an item, but this only applies when they are logging in to their account to pay for the item. Before this point, Amazon uses a regular 'http' connection, so the network packets can go through any of the ports in the characteristics as well as port 80. In Figure 5, the results of all the tests can be seen. Three out of the five that were tested had a success rate of 100%, with the Tor Browser having a 66% success rate and the secure CGI proxy having a 0% success rate.

Figure 4. Pass rate for the SSL CGI Proxy and the Unsecure CGI Proxy

Table 9. Tor Browser test

Test  Result
1  Onion Routing usage detected
2  No Onion Routing usage detected
3  No Onion Routing usage detected
4  Onion Routing usage detected
5  No Onion Routing usage detected
6  Onion Routing usage detected
7  Onion Routing usage detected
8  Onion Routing usage detected
9  Onion Routing usage detected
10  Onion Routing usage detected
11  No Onion Routing usage detected
12  Onion Routing usage detected

The results from each of the tests were as expected: when the proxy or onion routing application was using an unsecure server the IDS picked up its usage every time, and when the proxy was using a secure server it evaded the IDS's detection. The outcome was unfortunately the same when other SSL proxies were tested; the IDS did not detect any of them. When using Wireshark to take a closer look at the packets, each of them used port 443 and the TCP protocol; as the packets are very similar to those of a regular SSL connection that does not use a proxy, there is little that can be done to fix the IDS without creating a lot of false positive results.

6. CONCLUSION

One of the main aims of the project was first to examine the packets in the network to see how each of the different packets looked and what was contained therein. Once a good grasp of the data in the packets was obtained, the proxies would then be used to compare the differences. Any noticeable difference could then be used to determine whether a proxy was being used and what type of proxy it was. This was successfully done in four out of the five tests, with the SSL CGI proxy being the only downfall. The program also did not have a 100% success rate in detecting the Tor Browser; however, the differences in the network packets were noticeable in most of them. These criteria in the packets were put into regex strings to be compared with each inbound and outbound packet, in turn successfully determining the different proxies. When the project was first started there was a need for a system that would be able to detect the use of anonymous proxies; security is a major field in Information Technology and the sector is growing at a fast rate. This system fills that need: it can successfully detect Glype, PHPProxy, the unsecure CGI proxy and the Tor Browser, which in turn provides a more stable and secure environment for the company or organisation to perform its everyday tasks. Overall the project would be very useful to a network administrator for monitoring the network packets to determine whether a proxy or the Tor Browser is in use. This system, although it does not pick up every single proxy, would be an important system for any company that has high security measures.

The system was hoped to have 100% accuracy in detecting anonymous proxies. This, however, could not be achieved, as the data travelling through an SSL proxy or pages that use 'https' on Tor generally use port 443, so the data in the network packets was encrypted. The system did, however, achieve 100% accuracy when detecting the Glype, PHPProxy and unsecure CGI proxies, and in testing it had 66.67% accuracy in finding the Tor Browser. The system's effectiveness is debatable; it all depends on the type of proxy being used. The system does not detect 100% of proxies; it does, however, detect 100% of 3 different proxies and 66% of the Tor Browser, and therefore it can be quite effective at detecting those. However, it is not effective at detecting SSL proxies.

Figure 5. Full proxy/onion routing results




Jonathan McKeague is a graduate in Computer Science from Ulster University

Kevin Curran is a Reader in Computer Science and group leader for the Ambient Intelligence Research Group. Dr Curran has made significant contributions to advancing the knowledge of computer networking evidenced by over 800 published works. He is a regular contributor to BBC radio & TV news in the UK and quoted in trade and consumer IT magazines on a regular basis. He is an IEEE Technical Expert for Security and a member of the EPSRC Peer Review College.


ENDNOTES

1 http://sourceforge.net/projects/phpproxy/
2 http://sourceforge.net/projects/phpproxy/files/stats/timeline?dates=2012-11-12+to+2013-11-12
3 http://www.motobit.com/util/base64-decoder-encoder.asp
4 http://www.jmarshall.com/tools/cgiproxy/
5 http://www.string-functions.com/hex-string.aspx
6 http://www.glype.com/
7 http://www.proxysiteslist.net/category.php?id=45
8 https://www.torproject.org/projects/torbrowser.html.en#downloads
9 http://www.digicert.com/ssl.htm
10 http://help.yahoo.com/l/us/yahoo/smallbusiness/store/risk/risk-18.html
11 http://www.joomla.org/about-joomla.html
12 http://extensions.joomla.org/extensions/access-a-security/site-access/ip-blocking
13 http://www.senionlab.com/
14 http://www.polestar.eu/en/
15 https://www.indooratlas.com/
16 http://arstechnica.com/security/2010/03/googles-new-gmail-geolocation-feature-aims-to-prevent-scams/
17 http://janav.files.wordpress.com/2013/05/base64chars.jpg
18 http://www.w3.org/html/wg/drafts/html/master/webappapis.html#atob
19 http://www.snort.org/
20 http://base.secureideas.net/about.php
21 http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
22 http://www.regular-expressions.info/python.html
23 http://docs.python.org/2/library/idle.html
24 https://www.torproject.org/projects/torbrowser.html.en
25 http://sourceforge.net/projects/poxy/?source=recommended
26 https://www.glype.com/download.php
27 http://www.jmarshall.com/tools/cgiproxy/
28 http://www.wireshark.org/download.html
29 http://www.jmarshall.com/tools/cgiproxy/
30 http://list.glype.com/