For each of the proxies, four separate logs were created so that the packets could be compared and similarities found that could be used to prove that they are in fact a proxy. If any of those similarities also occur in normal web-browsing packets the results may be thrown off, so the similarities must be unique. A sample of the network packets created by a Glype proxy is the following:
“Destination MAC : 70:72:3c:db:c3:19 Source MAC : ac:72:89:8e:4a:9f Protocol : 8Version : 4 IP Header Length : 5 TTL : 128 Protocol : 6 Source Address : 192.168.1.100 Destination Address : 74.50.112.6Source Port : 25192 Dest Port : 80 Sequence Number : 515223919 Acknowledgement : 3525628824 TCP header length : 5Data : GET /browse.php?u=%2FsytI4GTjHWo83ivVDOuRefK1x3c&b=29&f=norefer HTTP/1.1
Host: proxyserver.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://proxyserver.com/
Cookie: rbm8vrpt=XxmdVoc2ZEPzt8wx2hDaMDJmiVWg5Aw%3D; __utma=231926494.1698960749.1393858908.1393858908.1393947133.2; __utmz=231926494.1393947133.2.2.utmcsr=list.glype.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _referrer_og=http%3A%2F%2Flist.glype.com%2F; _jsuid=2791830717; __atuvc=3%7C10; s=tg5ne8nbia564p5caugekb7pa3; __utmb=231926494.1.10.1393947133; __utmc=231926494; _first_pageview=1; _eventqueue=%7B%22heatmap%22%3A%5B%7B%22type%22%3A%22heatmap%22%2C%22href%22%3A%22%252F%22%2C%22x%22%3A471%2C%22y%22%3A191%2C%22w%22%3A1024%7D%2C%7B%22type%22%3A%22heatmap%22%2C%22href%22%3A%22%252F%22%2C%22x%22%3A822%2C%22y%22%3A201%2C%22w%22%3A1024%7D%5D%2C%22events%22%3A%5B%5D%7D
DNT: 1
Connection: keep-alive”
There are a few important things to note in this packet. In comparison with a normal web-browsing packet there are some common features, one being the destination port, port 80. This is the port used for most network packets; if the packets going through the network are secure they would be going through port 443 instead. Every packet viewed while the Glype proxy was running contained the command “GET” and the protocol “HTTP”, both found within the packet's data. The other difference noticed in the packet was the use of “browse.php?u=”; of this, only ‘.php?u=’ was taken as the identifier, because the ‘browse’ part is just the name of the index page and may differ between proxy servers. Once these three characteristics had been identified they could be used to detect the Glype proxy.
The first step was to add the three characteristics to a list.
Figure - Glype Regular Expressions
To search the packets entering the system for these characteristics, after some research it was decided that regular expressions (regex) would be the best approach. To get started, ‘import re’ was added to the globals in the IDS code. The regex strings were then created; they were written specifically so that they ignore case and whitespace. Figure contains the criteria for the Glype string.
Figure - Glype Matching Statement
After the regex list was completed it could be matched against the network packets. The code goes through each characteristic and tries to match it against the packet, as can be seen from the line ‘glype[0] = re.match(glypeStrings[0], str(packet1))’, in which the string ‘.php\?u=’ is matched against packet1. The code then goes through an IF statement: if all three characteristics are found within the packet, the result is set to 1, and ‘GLYPE’ followed by the time the proxy was found and the packet it was found in is printed to the log. The result is then passed to another function, which can be viewed in Figure .
Figure - Code to print to the console if a Proxy was found
The result is passed through the loop; if it equals 1, “Glype usage detected” is printed to the console. Figure shows the messages appearing in IDLE while the Glype proxy server is being used; each of the packets is also printed to the log.
Figure - Glype Proxy Usage Detected
The detection method for PHPProxy is very similar to that for Glype. One sample of a network packet while a PHPProxy is being used is as follows:
‘Destination MAC : 70:72:3c:db:c3:19 Source MAC : ac:72:89:8e:4a:9f Protocol : 8Version : 4 IP Header Length : 5 TTL : 128 Protocol : 6 Source Address : 192.168.1.101 Destination Address : 199.217.117.144Source Port : 28271 Dest Port : 80 Sequence Number : 882310268 Acknowledgement : 2522902821 TCP header length : 5Data : GET /index.php?q=aHR0cDovL3d3dy50aGVndWFyZGlhbi5jb20v HTTP/1.1
Host: proxyanonymizer.net
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
Referer: http://proxyanonymizer.net/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8’
The protocol used in the packet is ‘HTTP’ and the command is ‘GET’; the only difference from the three Glype characteristics is the third one. In the packet, ‘index.php?q=aHR0c’ is the common occurrence across the different log files. Again, the ‘index’ part of the string can be dropped as it can vary between proxy servers, which leaves the detection string as ‘.php?q=aHR0c’.
Figure - PHPProxy Regular Expression and Matching Statement
Figure contains the regex for the three characteristics that must all match before a PHPProxy is flagged as being in use. The only difference between the PHPProxy code and the Glype code is the detection string in the regex. If a proxy is detected the result will be ‘2’, which results in “PHPProxy Usage Detected” being printed to the console; this can be seen in Figure .
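As an added illustration of the three-characteristic matching described for Glype above and for PHPProxy here, not the report's own IDS code: a Python version that compiles the strings to ignore case and whitespace and uses re.search so that the whole packet string is scanned. The first two sample packet strings are trimmed from the packets quoted in the text; the third, an ordinary browsing request, is constructed for comparison.

```python
import re
from datetime import datetime

# Added example, not the report's IDS code: the three characteristics
# (protocol, command, proxy-specific URL fragment) that must all match.
# Patterns are compiled to ignore case and whitespace, as described.
FLAGS = re.IGNORECASE | re.VERBOSE
GLYPE_STRINGS = [r"HTTP", r"GET", r"\.php\?u="]
# 'aHR0c' is how base64('http...') begins: PHPProxy's q= parameter is
# recognised by the base64-encoded http URL it carries.
PHPPROXY_STRINGS = [r"HTTP", r"GET", r"\.php\?q=aHR0c"]

def _all_match(patterns, packet_text):
    # re.search scans the whole packet; re.match only tests the start of
    # the string (the MAC header fields) and would miss the Data field.
    return all(re.search(p, packet_text, FLAGS) for p in patterns)

def classify_packet(packet_text):
    """Return 1 for a Glype signature, 2 for PHPProxy, 0 otherwise."""
    if _all_match(GLYPE_STRINGS, packet_text):
        return 1
    if _all_match(PHPPROXY_STRINGS, packet_text):
        return 2
    return 0

def log_line(result, packet_text, when=None):
    """Build the log entry: label, detection time, then the packet."""
    labels = {1: "GLYPE", 2: "PHPPROXY"}
    if result not in labels:
        return None
    when = when or datetime.now()
    return "%s %s %s" % (labels[result], when.isoformat(), packet_text)

# Constructed samples: the first two are trimmed from the packets quoted
# in the text; the third is an invented ordinary browsing request.
GLYPE_SAMPLE = ("Dest Port : 80 Data : GET /browse.php?u=%2FsytI4GTjHWo83ivVDOu"
                "RefK1x3c&b=29&f=norefer HTTP/1.1\r\nHost: proxyserver.com\r\n")
PHPPROXY_SAMPLE = ("Dest Port : 80 Data : GET /index.php?q=aHR0cDovL3d3dy50aGVnd"
                   "WFyZGlhbi5jb20v HTTP/1.1\r\nHost: proxyanonymizer.net\r\n")
NORMAL_SAMPLE = ("Dest Port : 80 Data : GET /article.php?id=42 HTTP/1.1\r\n"
                 "Host: news.example\r\n")

if __name__ == "__main__":
    for sample in (GLYPE_SAMPLE, PHPPROXY_SAMPLE, NORMAL_SAMPLE):
        result = classify_packet(sample)
        print({1: "Glype usage detected", 2: "PHPProxy Usage Detected"}
              .get(result, "no proxy signature"))
        if result:
            print(log_line(result, sample))
```

The ordinary request shares the ‘GET’ and ‘HTTP’ characteristics but not the ‘.php?u=’ or ‘.php?q=aHR0c’ fragment, which is why only the third string separates proxy traffic from normal browsing.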
Figure - PHPProxy Usage Detected