mailing list archives
Detecting anomaly in client software behaviour (Re: Proxy Detection)
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 24 Apr 2006 12:51:06 +0400
Dear Georgi Guninski,
There are multiple ways to detect proxy without x-forwarded-for header.
1. Changed HTTP protocol. Some browsers, including IE, use HTTP 1.1
with direct connection and HTTP 1.0 for proxy.
2. Changed request headers in browser (example is Accept: header in
Internet Explorer, which is different if proxy is used).
3. Proxy-specific headers modification. E.g. squid can easily be
detected regardless of X-Forwarded-For:
4. Changed "border values". For example, 'proximitron' in fully
transparent mode can be detected by limited maximal length of GET
1. Changed TCP 'PUSH' flag sequences because of different buffer layout
2. Changed client port. By default Windows use limited range of ports for dynamic
assignment. Client port with high number in combination with Windows
browser indicates NAT or proxy.
1. Passive fingerprinting techniques (e.g. different default TTL for
Windows and Linux). If Windows browser request comes from Linux box it
indicates proxy (and only proxy, as NAT doesn't change TTL).
--Monday, April 24, 2006, 12:03:37 PM, you wrote to gluttony () gmail com:
GG> On Sun, Apr 23, 2006 at 01:48:45AM -0700, Andrew A wrote:
Tor does not give an x-forward-for.
GG> some isps make transparent proxying mainly via squid.
GG> probably an exit node in such an isp may give proxy headers.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/